Deploy the CWPP Functions on VMs, Clusters, and Containers
The CWPP Agent, or functions, can be installed in different ways on Virtual Machines (VMs), clusters, and in containers. This topic lists some of the ways you can deploy it.
Deploy CWPP Agent on Virtual Machines
For Virtual Machines, Skyhigh Security supports using packages to be installed with package managers such as YUM and dpkg:
- .rpm (for example, CWPAgent-1.5.0-1061.x86_64.rpm)
- .deb (for example, CWPAgent-1.5.0-1061.x86_64.deb)
To install on VMs, use the following command:
ubuntu@ip-172-31-28-242:~$ dpkg -i CWPAgent-1.5.0-316.deb
Deploy CWPP Agent in a Container
Skyhigh Security supports the CWPP Agent in container form, for example, nanosecco/cwpagent:1.5.0.803.
If your workload constitutes AWS clusters such as Amazon ECS and EKS, Azure AKS, or Google Cloud Platform GKE, then we recommend that you deploy to a container.
The CWPP Agent container can be deployed in three modes: DaemonSet, Sidecar, and Fargate.
DaemonSet Mode
In DaemonSet mode, a single container or pod of the CWPP Agent runs per secondary node. For example, if you have a cluster with five secondary nodes, then each secondary node will run one instance of the CWPP Agent, and it will monitor all the instances of pods or containers running on that particular secondary node.
If you want to monitor all the containers running in a cluster, or to know when the cluster administrator doesn’t have control over what pods or containers are running in the cluster, for example, in Dev/Test environments, then we recommend deploying the CWPP Agent in DaemonSet mode.
k8daemonset-cwp-agent.yaml:
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: cwp-agent
spec
selector:
matchLabels:
app: cwp
template:
metadata:
labels:
app: cwp
spec:
containers:
- name: cwp-agent
image: nanosecco/cwpagent:1.5.0.803
imagePullPolicy: Always
env:
- name: CWPP_CLUSTER_NAME
value: ${CWPP_CLUSTER_NAME}
volumeMounts:
- name: docker-data
mountPath: /var/lib/docker/
- name : dockersock
mountPath: /var/run/docker.sock
- name : dockershim
mountPath: /var/run/dockershim.sock
- name : contrd
mountPath: /run/containerd/
- name : criosock
mountPath: /run/crio/crio.sock
- name: cwpp-host-mount
mountPath: /opt/.../cwpagent/cwpp-host-mount
readOnly: true
- name : certs
mountPath: /opt/.../certs
volumes:
- name : docker-data
hostPath:
path: /var/lib/docker/
- name : dockersock
hostPath:
path: /var/run/docker.sock
- name : dockershim
hostPath:
path: /var/run/dockershim.sock
- name : contrd
hostPath:
path: /run/containerd/
- name : criosock
hostPath:
path: /run/crio/crio.sock
- name: cwpp-host-mount
hostPath:
path: /
- name: certs
configMap:
name: cicdcerts
defaultMode: 0755
imagePullSecrets:
- name: nanosecco
Use the command:
Cmd: kubectl apply -f k8daemonset-cwp-agent.yaml
Sidecar Mode
In Sidecar mode, the CWPP Agent container runs along with the application container. So, each instance of the application container has a CWPP Agent container attached to it.
If you want to monitor only specific applications and not all the containers running in a cluster, then we recommend deploying the CWPP Agent in Sidecar mode.
k8sidecar-cwp-agent-sample.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx
spec:
selector:
matchLabels:
app: nginx
replicas: 1
template:
metadata:
labels:
app: nginx
spec:
volumes:
- name: mvc-certs
configMap:
name: cicdcerts
- name : docker-data
hostPath:
path: /var/lib/docker/
- name : dockersock
hostPath:
path: /var/run/docker.sock
- name: cwpp-host-mount
hostPath:
path: /
containers:
- name: nginx
image: nginx:latest
- name: cwpagent
image: nanosecco/cwpagent:1.5.0.803
imagePullPolicy: Always
env:
- name: CWPP_CLUSTER_NAME
value: ${CWPP_CLUSTER_NAME}
volumeMounts:
- name : mvc-certs
mountPath: /opt/.../certs
- name: docker-data
mountPath: /var/lib/docker/
- name : dockersock
mountPath: /var/run/docker.sock
- name: cwpp-host-mount
mountPath: /opt/.../cwpagent/cwpp-host-mount
imagePullSecrets:
- name: nanosecco
Use the following command:
Cmd: kubectl apply -f k8sidecar-cwp-agent-sample.yaml
AWS Fargate Mode
If you are using serverless computing with EKS Fargate to deploy containers, then you can inject the CWPP Agent into the application container and start it as shown in this configuration.
k8fargate-cwp-agent-sample.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx
spec:
selector:
matchLabels:
app: nginx
replicas: 3
template:
metadata:
labels:
app: nginx
spec:
volumes:
- name: mvc-pkg
emptyDir: {}
- name: mvc-certs
configMap:
name: cicdcerts
- name : docker-data
hostPath:
path: /var/lib/docker/
- name : dockersock
hostPath:
path: /var/run/docker.sock
- name: cwpp-host-mount
hostPath:
path: /
containers:
- name: nginx
image: nginx:latest
env:
- name: CWPP_CLUSTER_NAME
value: ${CWPP_CLUSTER_NAME}
command: ["/bin/sh","-c"]
args: [ 'cd /mvc-store && bash CWPAgent-service.sh install && nginx -g "daemon off;"']
volumeMounts:
- name: mvc-pkg
mountPath: /mvc-store
- name: docker-data
mountPath: /var/lib/docker/
- name : dockersock
mountPath: /var/run/docker.sock
- name: cwpp-host-mount
mountPath: /opt/.../cwpagent/cwpp-host-mount
initContainers:
- name: cwpagent
image: nanosecco/cwpagent:1.5.0.803
imagePullPolicy: Always
command: ["/bin/sh","-c"]
args: [ 'bash CWPAgent-service.sh build && ls -lrt /mvc-store']
volumeMounts:
- name: mvc-pkg
mountPath: /mvc-store
- name : mvc-certs
mountPath: /opt/.../certs
imagePullSecrets:
- name: nanosecco
Use the following command:
Cmd: kubectl apply -f k8fargate-cwp-agent-sample.yaml