Kubernetes Runtime Protection Troubleshooting
Follow these steps to verify the installation of the Runtime Protection agent:
- In the CloudGuard portal, navigate to Assets and select the Kubernetes cluster of your interest.
- Go to the Blades tab and make sure that all the agents under Runtime Protection are in the OK state. It sometimes takes several minutes for this information to update.
- In the Kubernetes cluster, make sure that all agent resources are installed in the specified namespace and are in the Ready state. On a slow Internet connection, downloading all the images sometimes takes several minutes.
- Make sure that the Runtime Protection daemon runs on the correct number of nodes, based on the defined node selector and tolerations.
- Check the logs of all the agent components and make sure that there are no errors:
  - runtime-policy pod
  - runtime-daemon pod (on each of the nodes):
    - probe container
    - daemon container
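The steps above can be scripted against the JSON that kubectl returns. The following is an added example, not Check Point's code: it computes, from the DaemonSet's nodeSelector and tolerations, which nodes should run the daemon, compares that with the DaemonSet status, and lists agent pods that are not fully Ready together with the container waiting reason (ImagePullBackOff, CrashLoopBackOff, and so on). The namespace name `checkpoint`, the DaemonSet name `runtime-daemon`, the container names, and all of the JSON are constructed assumptions for the example.

```python
"""Rollout check for the Runtime Protection agents, parsed from kubectl JSON.

Added example, not Check Point's code. Assumptions (hypothetical): the agents
were installed into namespace "checkpoint", the DaemonSet is named
"runtime-daemon", and each daemon pod runs the "probe" and "daemon" containers
the troubleshooting steps list. The JSON below is constructed to resemble
`kubectl get ... -o json` output; it was not captured from a real cluster.
"""
import json

NAMESPACE = "checkpoint"  # assumption: the namespace chosen at install time

# Constructed nodes: node-b carries a NoSchedule taint that the DaemonSet
# tolerates; node-c fails the nodeSelector (it is not a linux node).
NODES_JSON = json.dumps({"items": [
    {"metadata": {"name": "node-a", "labels": {"kubernetes.io/os": "linux"}}, "spec": {}},
    {"metadata": {"name": "node-b", "labels": {"kubernetes.io/os": "linux"}},
     "spec": {"taints": [{"key": "dedicated", "value": "gpu", "effect": "NoSchedule"}]}},
    {"metadata": {"name": "node-c", "labels": {"kubernetes.io/os": "windows"}}, "spec": {}},
]})

DAEMONSET_JSON = json.dumps({
    "metadata": {"name": "runtime-daemon", "namespace": NAMESPACE},
    "spec": {"template": {"spec": {
        "nodeSelector": {"kubernetes.io/os": "linux"},
        "tolerations": [{"key": "dedicated", "operator": "Equal",
                         "value": "gpu", "effect": "NoSchedule"}]}}},
    "status": {"desiredNumberScheduled": 2, "numberReady": 1},
})

# Constructed pods: policy pod and node-a's daemon are healthy; node-b's daemon
# cannot pull the probe image (the symptom of wrong registry credentials).
PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "runtime-policy-6d9f7", "namespace": NAMESPACE},
     "status": {"phase": "Running", "containerStatuses": [
         {"name": "policy", "ready": True, "state": {"running": {}}}]}},
    {"metadata": {"name": "runtime-daemon-x4m2p", "namespace": NAMESPACE},
     "status": {"phase": "Running", "containerStatuses": [
         {"name": "probe", "ready": True, "state": {"running": {}}},
         {"name": "daemon", "ready": True, "state": {"running": {}}}]}},
    {"metadata": {"name": "runtime-daemon-7q2kx", "namespace": NAMESPACE},
     "status": {"phase": "Pending", "containerStatuses": [
         {"name": "probe", "ready": False, "state": {"waiting": {"reason": "ImagePullBackOff"}}},
         {"name": "daemon", "ready": True, "state": {"running": {}}}]}},
]})


def tolerates(tolerations, taint):
    """Kubernetes toleration matching: the effect must match (or be unset), and
    key/value must match for operator Equal, or the key alone for Exists."""
    for tol in tolerations:
        if tol.get("effect") and tol["effect"] != taint["effect"]:
            continue
        if tol.get("operator", "Equal") == "Exists":
            if not tol.get("key") or tol["key"] == taint["key"]:
                return True
        elif tol.get("key") == taint["key"] and tol.get("value", "") == taint.get("value", ""):
            return True
    return False


def expected_daemon_nodes(nodes_json, daemonset_json):
    """Nodes the DaemonSet should cover: every node matching the nodeSelector
    whose NoSchedule/NoExecute taints are all tolerated. Simplification: the
    automatic tolerations the DaemonSet controller adds (not-ready, unreachable,
    pressure taints) are not modelled."""
    tmpl = json.loads(daemonset_json)["spec"]["template"]["spec"]
    selector, tolerations = tmpl.get("nodeSelector", {}), tmpl.get("tolerations", [])
    chosen = []
    for node in json.loads(nodes_json)["items"]:
        labels = node["metadata"].get("labels", {})
        if any(labels.get(k) != v for k, v in selector.items()):
            continue
        blocking = [t for t in node["spec"].get("taints", [])
                    if t["effect"] in ("NoSchedule", "NoExecute")]
        if all(tolerates(tolerations, t) for t in blocking):
            chosen.append(node["metadata"]["name"])
    return sorted(chosen)


def not_ready_pods(pods_json, namespace):
    """Map pod name -> reasons for every pod in the namespace that is not
    Running with all containers Ready; the waiting reason says where to look."""
    problems = {}
    for pod in json.loads(pods_json)["items"]:
        if pod["metadata"]["namespace"] != namespace:
            continue
        reasons = []
        phase = pod["status"].get("phase")
        if phase != "Running":
            reasons.append(f"phase={phase}")
        for cs in pod["status"].get("containerStatuses", []):
            if not cs.get("ready"):
                why = cs.get("state", {}).get("waiting", {}).get("reason", "unknown")
                reasons.append(f"{cs['name']}: not ready ({why})")
        if reasons:
            problems[pod["metadata"]["name"]] = reasons
    return problems


def check_rollout(nodes_json, daemonset_json, pods_json, namespace):
    """All checks as a list of findings; an empty list means the agents look
    healthy from the API server's point of view (logs still need a look)."""
    status = json.loads(daemonset_json)["status"]
    expected = expected_daemon_nodes(nodes_json, daemonset_json)
    desired, ready = status.get("desiredNumberScheduled", 0), status.get("numberReady", 0)
    findings = []
    if desired != len(expected):
        findings.append(f"daemonset desired={desired}, expected {len(expected)} "
                        f"from nodeSelector/tolerations: {expected}")
    if ready != len(expected):
        findings.append(f"daemonset ready={ready} of {len(expected)} expected nodes")
    for pod, reasons in not_ready_pods(pods_json, namespace).items():
        findings.append(pod + ": " + "; ".join(reasons))
    return findings


if __name__ == "__main__":
    for line in check_rollout(NODES_JSON, DAEMONSET_JSON, PODS_JSON, NAMESPACE):
        print(line)
```

To run it against a real cluster, replace the constructed strings with the output of `kubectl get nodes -o json`, `kubectl -n checkpoint get ds runtime-daemon -o json` and `kubectl -n checkpoint get pods -o json`, then read the logs of any pod it reports with `kubectl -n checkpoint logs <pod> -c probe` and `-c daemon`.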
-
The environment page of a Kubernetes cluster shows information about its agents' status.
The Runtime Protection agent status can show these error messages:
| Error | Description |
|---|---|
| Signatures engine error | The Runtime Protection signature engine failed to initialize |
| Profiling engine error | The Runtime Protection profiling engine failed to initialize |
| File-Reputation engine error | The Runtime Protection file-reputation engine failed to initialize |
| Container Runtime error | The Runtime Protection daemon failed to communicate with the container runtime |
| Internal agent error | An undefined error occurred |
- If you configured custom images, make sure that your nodes can access them.
- If the images are stored in a protected image registry (which is usual for the default EA images), make sure that the image registry credentials specified during agent installation are correct.
If the logs contain errors related to access to api-cpx.dome9.com or a similar endpoint:
- If your nodes need a proxy to access Internet services, see Cluster Behind a Gateway.
- Make sure that you configured the clusterID and credentials properly when you installed or upgraded the agents.
If the logs contain errors related to access to the Kubernetes APIs and a custom service account is configured, make sure that the service account is configured correctly and has the required permissions.
Partial profiles do not contain processes launched during Pod startup. To complete such a profile, see How to complete the profile learning.
Runtime Protection constructs a new behavior profile for a workload each time a container image related to the workload changes. Whether the image changed is decided by the image reference string in the Pod template specification. This means that if the template refers to a generic image tag, such as :latest, a new image pushed under the same tag leaves the string unchanged and therefore does not trigger re-learning. This agrees with how Kubernetes identifies changes in Pod templates (a changed template triggers a rollout of the new version; an unchanged one does not).
Check Point does not recommend using the :latest image tag, as it is considered insecure and does not necessarily cause profile re-learning.
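The rule above is a string comparison of image references, so a reference that never changes while its content does will never start a new learning cycle. The following is an added example, not Check Point's code: it parses image references in the Docker/OCI form `[registry[:port]/]repository[:tag][@digest]`, applies the re-learning rule to two versions of a Pod template, and flags containers whose reference uses `:latest` (or no tag, which Kubernetes treats as `:latest`) without a digest. The image names and both Pod templates are constructed for the example.

```python
"""Image-reference comparison behind the profile re-learning rule.

Added example, not Check Point's code. `relearn_triggered` applies the rule the
page states (a profile is rebuilt only when the image reference string in the
Pod template changes) and `uses_latest_tag` flags references that defeat it.
All image names and both Pod templates below are constructed.
"""
from typing import Dict, List, NamedTuple, Optional


class ImageRef(NamedTuple):
    registry: Optional[str]
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split [registry[:port]/]repository[:tag][@digest] (Docker/OCI convention)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    registry = None
    first, _, rest = ref.partition("/")
    # The first path component is a registry only if it looks like a host:
    # "team/api" is a repository path, "registry.example.com:5000/team/api" is not.
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, ref = first, rest
    tag = None
    # A ':' after the last '/' introduces the tag (a ':' before it is a port).
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):
        ref, tag = ref[:colon], ref[colon + 1:]
    return ImageRef(registry, ref, tag, digest)


def uses_latest_tag(ref: str) -> bool:
    """True for ':latest' or an untagged reference (which Kubernetes resolves
    as ':latest'), unless a digest pins the content."""
    parsed = parse_image_ref(ref)
    if parsed.digest:
        return False
    return parsed.tag is None or parsed.tag == "latest"


def relearn_triggered(old_template: dict, new_template: dict) -> Dict[str, bool]:
    """Per container: does the image reference string differ between the two
    Pod templates? Only a differing string starts a new learning cycle, so an
    image rebuilt and re-pushed under the same ':latest' tag yields False."""
    old = {c["name"]: c["image"] for c in old_template["spec"]["containers"]}
    new = {c["name"]: c["image"] for c in new_template["spec"]["containers"]}
    return {name: old.get(name) != new.get(name) for name in sorted(set(old) | set(new))}


def lint_pod_template(template: dict) -> List[str]:
    """Containers whose image reference can change content without re-learning."""
    return [f"{c['name']}: {c['image']}"
            for c in template["spec"]["containers"] if uses_latest_tag(c["image"])]


# Constructed Pod templates: the api image was rebuilt and re-pushed as
# ':latest' (string unchanged), the proxy got a new tag, the exporter is
# pinned by digest (a placeholder digest of 64 'a' characters).
OLD_TEMPLATE = {"spec": {"containers": [
    {"name": "api", "image": "registry.example.com:5000/team/api:latest"},
    {"name": "proxy", "image": "team/proxy:1.4.2"},
    {"name": "exporter", "image": "ghcr.io/example/exporter@sha256:" + "a" * 64},
]}}
NEW_TEMPLATE = {"spec": {"containers": [
    {"name": "api", "image": "registry.example.com:5000/team/api:latest"},
    {"name": "proxy", "image": "team/proxy:1.4.3"},
    {"name": "exporter", "image": "ghcr.io/example/exporter@sha256:" + "a" * 64},
]}}

if __name__ == "__main__":
    print(relearn_triggered(OLD_TEMPLATE, NEW_TEMPLATE))
    print(lint_pod_template(NEW_TEMPLATE))
```

Running `lint_pod_template` over the Pod templates you deploy is a cheap pre-deployment check: anything it lists should be moved to an immutable tag or a digest so that an image change is visible in the template string and the workload is re-profiled.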
More Links