Kubernetes Containers

Kubernetes Kubernetes, often abbreviated as “K8s”, orchestrates containerized applications to run on a cluster of hosts. is an open-source container orchestration system for automating the deployment, scaling, and management of containerized applications. It operates with a range of container tools and runs containers in a cluster with images built with Docker Docker (specifically, Docker Engine) is a software technology providing operating-system-level virtualization also known as containers., OCI Oracle Cloud Infrastructure - cloud computing platform offered by Oracle Corporation., or Kaniko. It groups containers that make up an application into logical units for easy management and discovery.

Before you can use Kubernetes Containers features in CloudGuard, your Kubernetes cluster must already be onboarded to CloudGuard. See Onboarding Kubernetes Clusters for details on how to do this.

Supported Versions

Name	Version
Kubernetes	Version 1.21¹ and higher (with managed and unmanaged distributions)²
Kubernetes-based Container Orchestration Platforms	Red Hat OpenShift v4.6 and higher(Runtime Protection: nodes running Red Hat Enterprise Linux CoreOS) VMware Tanzu TKG v1.2 and higher, TKGI v1.10 and higher
Container Runtime	Docker v1.32 and higher containerd 1.1 and higher CRI-O A tool that lets you use OCI container runtimes with Kubernetes CRI. CRI-O is an implementation of the Container runtime interface (CRI) to enable using container runtimes that are compatible with the Open Container Initiative (OCI) runtime spec. 1.16 and higher
Node Operating System	For Runtime Protection: Amazon Linux 2 (other Linux distributions may require additional setup – see Prerequisites) Container A lightweight and portable executable image that contains software and all of its dependencies. Containers decouple applications from underlying host infrastructure to make deployment easier in different cloud or OS environments, and for easier scaling.-optimized: Red Hat Enterprise Linux CoreOS, AWS Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. Bottlerocket, Google Container-Optimized OS (Runtime Protection: Autopilot clusters are not supported) For other features: Any Linux with the proper container runtime
Node architecture	amd64

¹ Kubernetes versions from 1.16 to 1.20 are supported only with Helm A Kubernetes deployment tool for automating creation, packaging, configuration, and deployment of applications and services to Kubernetes clusters. deployment instructions, with the regular helm upgrade --install command.

² CloudGuard does not support hybrid clusters with multiple (mixed) container runtimes. You cannot change the container runtime after the service is onboarded in the cluster. For this, upgrade the solution.

Notes:

CloudGuard for Kubernetes containers is available on platforms such as: vanilla Kubernetes, AKS on Azure Collection of integrated cloud services that developers and IT professionals use to build, deploy, and manage applications through a global network of data centers managed by Microsoft®., EKS Amazon Elastic Kubernetes Service (Amazon EKS) is a managed Kubernetes service that makes it easy for you to run Kubernetes on AWS and on-premises. on AWS, GKE on GCP Google® Cloud Platform - a suite of cloud computing services that runs on the same infrastructure that Google uses internally for its end-user products, such as Google Search, Gmail, Google Drive, and YouTube., OpenShift, Tanzu, Rancher (k3s), and others.
CloudGuard automatically detects the container runtime on onboarding with Helm.
CloudGuard automatically detects OpenShift and Tanzu platforms and adjusts the Helm deployment accordingly.

Version Deprecation

Deprecated Kubernetes versions are not supported by cloud vendors and do not get important security updates.

Important - Clusters with deprecated versions can be at risk.

Platform	Service	Supported versions
Microsoft Azure Collection of integrated cloud services that developers and IT professionals use to build, deploy, and manage applications through a global network of data centers managed by Microsoft®.	AKS	Link
Google Cloud Platform	GKE	Link
Amazon Web Services	EKS	Link
Oracle Cloud Infrastructure	OKE	Link
Red Hat	OpenShift	Link
Kubernetes	Kubernetes	Link

Requirements

Permission Requirements

The CloudGuard agent requires Kubernetes permissions for:

Verb	Group	Resource	Scope
get, list	-	pods services nodes nodes/proxy serviceaccounts namespaces resourcequotas	Cluster-wide
	apps	daemonsets deployments replicasets statefulsets	Cluster-wide
	networking.k8s.io	networkpolicies ingresses	Cluster-wide
	extensions	ingresses	Cluster-wide
	policy	podsecuritypolicies	Cluster-wide
	rbac.authorization.k8s.io	roles rolebindings clusterroles clusterrolebindings	Cluster-wide
	batch	cronjobs	Cluster-wide
	-	pods secrets configmaps	Agent namespace (default: checkpoint)
patch	admissionregistration.k8s.io	validatingwebhookconfigurations	Cluster-wide
all (*)	*.cloudguard.checkpoint.com	all (*)	Agent namespace (default: checkpoint)

The CloudGuard agent requires these Kubernetes permissions for OpenShift Kubernetes clusters:

Verb	Group	Resource	Scope
get, list	config.openshift.io	clusteroperators (resourceName: openshift-apiserver)	Cluster-wide
	operator.openshift.io	openshiftapiservers, kuberapiservers (resourceName: cluster)	Cluster-wide
	security.openshift.io	securitycontextconstraints	Cluster-wide
get -	-	configmaps (resourceName: config)	openshift-kube-controller-manager, openshift-apiserver, openshift-kube-apiserver
get -	-	configmaps (resourceName: kube-scheduler-pod The smallest and simplest Kubernetes object. A pod represents a set of running containers on your cluster. A pod is typically set up to run a single primary container. It can also run optional sidecar containers that add supplementary features like logging. Pods are commonly managed by a Deployment.)	openshift-kube-scheduler

Note - For Kubernetes clusters on OpenShift, CloudGuard creates additional roles in OpenShift namespaces. The role bindings bind these roles to the CloudGuard service account (in CloudGuard namespace used for the agent).

Pod and Container Requirements

Linux allows assigning specific capabilities to processes, thus restricting the processes to only the minimum privileges required to perform their tasks and reducing the risk of security breaches.

The CloudGuard agents require these Linux kernel capabilities:

Agent Name	Container Capabilities	Host Network	Privileged
Runtime Protection (runtime-daemon)	SYS_RESOURCE SYS_ADMIN SYS_NICE SYS_PTRACE FOWNER SYS_PACCT NET_ADMIN NET_RAW AUDIT_READ AUDIT_WRITE AUDIT_CONTROL	required	OpenShift, CRI-O, CoreOS, Bottlerocket: required
Flow Logs(flowlogs-daemon)	SYS_RESOURCE SYS_ADMIN NET_ADMIN	required	OpenShift: required
Image Assurance (imagescan-daemon)	NET_BIND_SERVICE	not required	OpenShift and CRI-O: required

Agent Name

Container Capabilities

Host Network

Privileged

Runtime Protection (runtime-daemon)

SYS_RESOURCE
SYS_ADMIN
SYS_NICE
SYS_PTRACE
FOWNER
SYS_PACCT
NET_ADMIN
NET_RAW
AUDIT_READ
AUDIT_WRITE
AUDIT_CONTROL

required

OpenShift, CRI-O, CoreOS, Bottlerocket:

required

Flow Logs(flowlogs-daemon)

SYS_RESOURCE
SYS_ADMIN
NET_ADMIN

required

OpenShift: required

Image Assurance (imagescan-daemon)

NET_BIND_SERVICE

not required

OpenShift and CRI-O:

required

Connectivity Requirements

CloudGuard agents must have connectivity to these domains:

Blade or Agent Address

CloudGuard

Image Assurance

Image Scan

.dome9.com

Notes:

The domain .dome9.com represents Check Point's Network Domain Objects.
For Image Assurance agents ver. 2.28.0 and lower, add the .checkpoint.com domain.

Runtime Protection

https://storage.googleapis.com/cos-tools

https://rep.checkpoint.com/file-rep/service/v2.0/query

Container Registry A collection of repositories used to store and access container images.

https://quay.io/checkpoint

Instead of the domain objects, you can use the region-specific URLs for your Data Center location from the table below. Add these endpoints to the allowlist.

Blade or Agent	Address
Runtime Protection	https://storage.googleapis.com/cos-tools https://rep.checkpoint.com/file-rep/service/v2.0/query
Container Registry	https://quay.io/checkpoint

Blade or Agent

Address

Runtime Protection

https://storage.googleapis.com/cos-tools

https://rep.checkpoint.com/file-rep/service/v2.0/query

Container Registry

https://quay.io/checkpoint

For Image Scan agents ver 2.28.0 and lower, you must use additional endpoints. To learn more about agent's version, see Agent Version Life Cycle.

Blade or Agent	Address
Image Assurance	https://rpm-serv.sg.iaas.checkpoint.com https://shiftleft.portal.checkpoint.com/
Image Scan	https://shiftleft-prod-bucket.sg.iaas.checkpoint.com

Blade or Agent

Address

Image Assurance

https://rpm-serv.sg.iaas.checkpoint.com

https://shiftleft.portal.checkpoint.com/

Image Scan

https://shiftleft-prod-bucket.sg.iaas.checkpoint.com

United States (US)

Blade or Agent	Address
CloudGuard	https://api-cpx.dome9.com https://api.dome9.com
Threat Intelligence	https://validator-prod-k8s.s3.amazonaws.com
Image Scan (agent ver. 2.28.0 and lower)	https://us-gw.sg.iaas.checkpoint.com

Blade or Agent

Address

CloudGuard

https://api-cpx.dome9.com

https://api.dome9.com

Threat Intelligence

https://validator-prod-k8s.s3.amazonaws.com

Image Scan

(agent ver. 2.28.0 and lower)

https://us-gw.sg.iaas.checkpoint.com

Europe (EU)

Blade or Agent	Address
CloudGuard	https://api-cpx.eu1.dome9.com https://api.eu1.dome9.com
Threat Intelligence	https://validator-prod-533924475734-k8s.s3.eu-west-1.amazonaws.com
Image Scan (agent ver. 2.28.0 and lower)	https://eu-gw.sg.iaas.checkpoint.com

Blade or Agent

Address

CloudGuard

https://api-cpx.eu1.dome9.com

https://api.eu1.dome9.com

Threat Intelligence

https://validator-prod-533924475734-k8s.s3.eu-west-1.amazonaws.com

Image Scan

(agent ver. 2.28.0 and lower)

https://eu-gw.sg.iaas.checkpoint.com

Australia (AU)

Blade or Agent	Address
CloudGuard	https://api-cpx.ap2.dome9.com https://api.ap2.dome9.com
Threat Intelligence	https://validator-prod-583664506098-k8s.s3.ap-southeast-2.amazonaws.com
Image Scan (agent ver. 2.28.0 and lower)	https://au-gw.sg.iaas.checkpoint.com

Blade or Agent

Address

CloudGuard

https://api-cpx.ap2.dome9.com

https://api.ap2.dome9.com

Threat Intelligence

https://validator-prod-583664506098-k8s.s3.ap-southeast-2.amazonaws.com

Image Scan

(agent ver. 2.28.0 and lower)

https://au-gw.sg.iaas.checkpoint.com

Canada (CA)

Blade or Agent	Address
CloudGuard	https://api-cpx.cace1.dome9.com https://api.cace1.dome9.com
Threat Intelligence	https://validator-prod-052001227150-k8s.ca-central-1.amazonaws.com
Image Scan (agent ver. 2.28.0 and lower)	https://ca-gw.sg.iaas.checkpoint.com

Blade or Agent

Address

CloudGuard

https://api-cpx.cace1.dome9.com

https://api.cace1.dome9.com

Threat Intelligence

https://validator-prod-052001227150-k8s.ca-central-1.amazonaws.com

Image Scan

(agent ver. 2.28.0 and lower)

https://ca-gw.sg.iaas.checkpoint.com

India (IN)

Blade or Agent	Address
CloudGuard	https://api-cpx.ap3.dome9.com https://api.ap3.dome9.com
Threat Intelligence	https://validator-prod-573281234161-k8s.s3.ap-south-1.amazonaws.com
Image Scan (agent ver. 2.28.0 and lower)	https://in-gw.sg.iaas.checkpoint.com

Blade or Agent

Address

CloudGuard

https://api-cpx.ap3.dome9.com

https://api.ap3.dome9.com

Threat Intelligence

https://validator-prod-573281234161-k8s.s3.ap-south-1.amazonaws.com

Image Scan

(agent ver. 2.28.0 and lower)

https://in-gw.sg.iaas.checkpoint.com

If the CloudGuard pod image is uploaded to a private repository, connectivity to Container Registry is not necessary. In this case, the Helm chart parameter image.repository must be changed to indicate the location of the image. For more information about how to set this parameter, see https://github.com/CheckPointSW/charts/tree/master/checkpoint/cloudguard.

Resource Requirements

Each CloudGuard feature can have pods that run in daemonsets and pods that run in deployments. For the pods in daemonsets, resources are shown in the table below per node. For the pods in deployments, resources are below per cluster. The pods that run in deployments can certainly run on different nodes.

You can find the default values of requests and limits in the defaults.yaml on the Helm Chart.

Basic Feature	Per cluster or node	CPU (millicores)		Memory (MiB)
Basic Feature	Per cluster or node	requests	limits	requests	limits
Posture Management	per cluster	100	200	50	50
Image Assurance	per cluster	200	1050	200	2600
	per node - Docker	50	50	50	50
	per node - containerd	200	250	150	150
	per node - CRI-O*	200	300	250	250
Admission Control	per cluster	1150	1350	330	450

* OpenShift uses the CRI-O runtime

Note - Image Assurance scanning engine (imagescan-engine) requires free ephemeral storage, which size is double maximal size of the scanned image. Maximal image size means the uncompressed, docker save output image size.

Premium Feature	Per cluster or node	CPU (millicores)		Memory (MiB)
Premium Feature	Per cluster or node	requests	limits	requests	limits
Runtime Protection	per cluster	50	50	30	50
Runtime Protection	per node*	200	400	300	800
Flow Logs	per node	100	200	30	100

* Large Nodes (above 8 vCPUs) may require additional resources in case of pod restarts.