Skip to main content
Skyhigh Security

Deploy the CWPP Functions on VMs, Clusters, and Containers

The CWPP Agent, or functions,  can be installed in different ways on Virtual Machines (VMs), clusters, and in containers. This topic lists some of the ways you can deploy it. 

Deploy CWPP Agent on Virtual Machines

For Virtual Machines, Skyhigh Security supports using packages to be installed with package managers such as YUM and dpkg:

  • .rpm (for example, CWPAgent-1.5.0-1061.x86_64.rpm)
  • .deb (for example,  CWPAgent-1.5.0-1061.x86_64.deb) 

To install on VMs, use the following command:

ubuntu@ip-172-31-28-242:~$ dpkg -i CWPAgent-1.5.0-316.deb

Deploy CWPP Agent in a Container

Skyhigh Security supports the CWPP Agent in container form, for example, nanosecco/cwpagent:1.5.0.803.

If your workload constitutes AWS clusters such as Amazon ECS and EKS, Azure AKS, or Google Cloud Platform GKE, then we recommend that you deploy to a container. 

The CWPP Agent container can be deployed in three modes: DaemonSet, Sidecar, and Fargate. 

DaemonSet Mode

In DaemonSet mode, a single container or pod of the CWPP Agent runs per secondary node. For example, if you have a cluster with five secondary nodes, then each secondary node will run one instance of the CWPP Agent, and it will monitor all the instances of pods or containers running on that particular secondary node.

If you want to monitor all the containers running in a cluster, or to know when the cluster administrator doesn’t have control over what pods or containers are running in the cluster,  for example, in Dev/Test environments, then we recommend deploying the CWPP Agent in DaemonSet mode. 

daemonset_mode.png

 

k8daemonset-cwp-agent.yaml:

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: cwp-agent
spec
 selector:
  matchLabels:
   app: cwp
 template:
   metadata:
    labels:
     app: cwp
   spec:
    containers:
    - name: cwp-agent
      image: nanosecco/cwpagent:1.5.0.803
      imagePullPolicy: Always
      env:
      - name: CWPP_CLUSTER_NAME
        value: ${CWPP_CLUSTER_NAME}
      volumeMounts:
      - name: docker-data
        mountPath: /var/lib/docker/
      - name : dockersock
        mountPath: /var/run/docker.sock
      - name : dockershim
        mountPath: /var/run/dockershim.sock
      - name : contrd
        mountPath: /run/containerd/
      - name : criosock
        mountPath: /run/crio/crio.sock
      - name: cwpp-host-mount
        mountPath: /opt/McAfee/cwpagent/cwpp-host-mount
        readOnly: true
      - name : certs
        mountPath: /opt/McAfee/certs
   volumes:
   - name : docker-data
      hostPath:
        path: /var/lib/docker/
   - name : dockersock
      hostPath:
        path: /var/run/docker.sock
   - name : dockershim
      hostPath:
        path: /var/run/dockershim.sock
   - name : contrd
     hostPath:
        path: /run/containerd/
   - name : criosock
      hostPath:
        path: /run/crio/crio.sock
   - name: cwpp-host-mount
     hostPath:
        path: /
   - name: certs
     configMap:
       name: cicdcerts
       defaultMode: 0755
    imagePullSecrets:
    - name: nanosecco

Use the command:

Cmd: kubectl apply -f k8daemonset-cwp-agent.yaml
Sidecar Mode

In Sidecar mode, the CWPP Agent container runs along with the application container. So, each instance of the application container has a CWPP Agent container attached to it.

If you want to monitor only specific applications and not all the containers running in a cluster, then we recommend deploying the CWPP Agent in Sidecar mode.

sidecar_mode.png

 

k8sidecar-cwp-agent-sample.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 1
  template:   
    metadata:
      labels:
        app: nginx
    spec:
       volumes:
       - name: mvc-certs
         configMap:
           name: cicdcerts
       - name : docker-data
         hostPath:
           path: /var/lib/docker/
       - name : dockersock
         hostPath:
           path: /var/run/docker.sock
       - name: cwpp-host-mount
         hostPath:
          path: /
       containers:
       - name: nginx
         image: nginx:latest
       - name: cwpagent
         image: nanosecco/cwpagent:1.5.0.803
      imagePullPolicy: Always
         env:
         - name: CWPP_CLUSTER_NAME
           value: ${CWPP_CLUSTER_NAME}
         volumeMounts:
         - name : mvc-certs
           mountPath: /opt/McAfee/certs
         - name: docker-data
           mountPath: /var/lib/docker/
         - name : dockersock
           mountPath: /var/run/docker.sock
         - name: cwpp-host-mount
           mountPath: /opt/McAfee/cwpagent/cwpp-host-mount
       imagePullSecrets:
   - name: nanosecco

Use the following command:

Cmd: kubectl apply -f k8sidecar-cwp-agent-sample.yaml
AWS Fargate Mode

If you are using serverless computing with EKS Fargate to deploy containers, then you can inject the CWPP Agent into the application container and start it as shown in this configuration. 

 

k8fargate-cwp-agent-sample.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 3
  template:   
    metadata:
      labels:
        app: nginx
    spec:
       volumes:
       - name: mvc-pkg
         emptyDir: {}
       - name: mvc-certs
         configMap:
           name: cicdcerts
       - name : docker-data
         hostPath:
           path: /var/lib/docker/
       - name : dockersock
         hostPath:
           path: /var/run/docker.sock
       - name: cwpp-host-mount
         hostPath:
           path: /
       containers:
       - name: nginx
         image: nginx:latest
         env:
         - name: CWPP_CLUSTER_NAME
           value: ${CWPP_CLUSTER_NAME}
         command: ["/bin/sh","-c"]
         args: [ 'cd /mvc-store && bash CWPAgent-service.sh install &&  nginx -g "daemon off;"']
         volumeMounts:
         - name: mvc-pkg
           mountPath: /mvc-store
         - name: docker-data
           mountPath: /var/lib/docker/
         - name : dockersock
           mountPath: /var/run/docker.sock
         - name: cwpp-host-mount
           mountPath: /opt/McAfee/cwpagent/cwpp-host-mount
      initContainers:
       - name: cwpagent
         image: nanosecco/cwpagent:1.5.0.803
         imagePullPolicy: Always
         command: ["/bin/sh","-c"]
         args: [ 'bash CWPAgent-service.sh build && ls -lrt /mvc-store']
         volumeMounts:
         - name: mvc-pkg
           mountPath: /mvc-store
         - name : mvc-certs
           mountPath: /opt/McAfee/certs
       imagePullSecrets:
       - name: nanosecco

Use the following command:

Cmd: kubectl apply -f k8fargate-cwp-agent-sample.yaml
  • Was this article helpful?