Install a Deployment Assessment Agent
Deployment assessment agents evaluate the images being deployed in Kubernetes clusters against the image metadata and vulnerability information scanned by Container Security in prior CI/CD and registry scans. You can configure policies to define the actions taken by deployment assessments.
You can install a deployment assessment agent after you create a deployment scanner in Container Security.

A deployment assessment agent runs as a dynamic admission controller in a Kubernetes cluster. It receives validating admission webhook HTTP callbacks from the kube-apiserver and applies matching policies configured in Container Security to return results. For more information about creating policies, see Policies.
- The agent receives an AdmissionReviewRequest for any POD CREATE/UPDATE requests in the cluster for the namespaces being monitored.
  Note: You can specify included and excluded namespaces in the Helm values during installation. By default, kube-system and the namespace where the deployment assessment agent is installed are excluded from the evaluation.
- The agent extracts all the images in the pod spec provided in the AdmissionReviewRequest and reaches out to the respective registry to retrieve the image metadata.
  Note: If the pod spec refers to an imagePullSecret, the deployment assessment agent attempts to use this secret to access the image in the registry.
- The agent sends the metadata to the Container Security instance to assess the deployment.
  - If the image has not been scanned before using Container Security, the deployment is allowed.
  - If the image has been scanned before using Container Security, and there is no policy configured, the deployment is allowed.
  - If the image has been scanned before using Container Security, and there are configured policies, the policy evaluation determines whether the deployment is allowed or denied.
  - If there are multiple policies configured and at least one of them is configured to block, then the deployment is blocked.
  Note: The AdmissionReviewRequest does not indicate the architecture of the image or images being deployed. If the image in the registry is a multi-platform image, the deployment assessment agent will attempt to evaluate each architecture in the image manifest. If the policy evaluation fails for any of the platforms, the deployment will be denied.
- The AdmissionReviewResponse is sent to the kube-apiserver.
- The result of the deployment assessment appears in the Kubernetes events and in the Container Security UI when you view details for the related policy.
  Note: If an image being deployed has not been scanned by Container Security in previous CI/CD or registry scans, the image will not appear in the Container Security UI.
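The decision rules above, as an added Python example that is not part of Tenable's agent: it extracts the images from a constructed AdmissionReview request, looks them up in a constructed table of per-platform policy verdicts, and builds the AdmissionReview response the kube-apiserver would receive. The image names, the SCAN_RESULTS table and the policies_configured flag are assumptions for illustration.

```python
# Constructed stand-in for Container Security's scan database (assumption):
# image -> {platform -> list of policy verdicts}; a missing image was never scanned.
SCAN_RESULTS = {
    "registry.example.com/app/api:1.4": {"linux/amd64": ["allow"], "linux/arm64": ["block"]},
    "registry.example.com/app/web:2.0": {"linux/amd64": ["allow", "allow"]},
}

# Constructed AdmissionReview request for a pod CREATE in a monitored namespace.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {
        "uid": "constructed-uid-0001", "operation": "CREATE", "namespace": "app-test",
        "object": {"kind": "Pod", "spec": {
            "initContainers": [{"name": "init", "image": "registry.example.com/app/web:2.0"}],
            "containers": [{"name": "api", "image": "registry.example.com/app/api:1.4"}]}},
    },
}

def extract_images(review):
    """Collect every image referenced by the pod spec (init, regular and ephemeral containers)."""
    spec = review["request"]["object"]["spec"]
    images = []
    for field in ("initContainers", "containers", "ephemeralContainers"):
        images.extend(c["image"] for c in spec.get(field, []))
    return images

def assess_image(image, policies_configured=True):
    """Apply the decision rules to one image; returns (allowed, reason)."""
    platforms = SCAN_RESULTS.get(image)
    if platforms is None:
        return True, f"{image}: not scanned by Container Security, allowed"
    if not policies_configured:
        return True, f"{image}: scanned, no policy configured, allowed"
    # Multi-platform image: every platform in the manifest is evaluated and
    # a single blocking policy verdict on any platform denies the deployment.
    for platform, verdicts in platforms.items():
        if "block" in verdicts:
            return False, f"{image}: blocked by policy on {platform}"
    return True, f"{image}: policy evaluation passed on all platforms"

def build_response(review, policies_configured=True):
    """Assess all images in the request and build the AdmissionReview response."""
    results = [assess_image(img, policies_configured) for img in extract_images(review)]
    return {
        "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
        "response": {
            "uid": review["request"]["uid"],
            "allowed": all(ok for ok, _ in results),
            "status": {"message": "; ".join(reason for _, reason in results)},
        },
    }
```

The sample pod is denied because the api image carries a blocking verdict on one platform, while the same request is allowed when no policy is configured.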
This topic describes how to install a deployment assessment agent, and how to delete a deployment assessment agent.
Before You Begin
- The following components must be installed on the Kubernetes cluster that needs to be monitored for deployment assessment:
  - Cert Manager
  - Cert Manager CSI Driver
  For more information, see Prepare a Kubernetes Cluster in the Tenable Enclave Security user guide.
- Container Security must be installed and accessible via the LoadBalancer URL from all the Kubernetes clusters where deployment assessment needs to run.
- Add a deployment scanner in Container Security.
Install or Upgrade a Deployment Assessment Agent
- In the Kubernetes cluster where you want to install the deployment assessment agent, create a namespace using the following command:
    kubectl create namespace tes-deployment-assessment
  In this example, the namespace is tes-deployment-assessment. If you use a different namespace, ensure that you use the same namespace every time you install or upgrade the agent.
- Add the Tenable Helm Charts repository with the following command:
    helm repo add tenable https://charts.tenable.com
- Update the repository:
    helm repo update
- In Container Security, add a deployment scanner and download the yaml file.
- Install the Helm Chart or upgrade the existing Helm Chart:
  - Create a values.yaml file with parameters for your deployment. The following is an example values.yaml:
      # To override image registry and tag
      image:
        registry: tenable
        tag: 1.0.0
      # To override default resources
      resources:
        requests:
          memory: "500Mi"
          cpu: "500m"
        limits:
          memory: "2Gi"
          cpu: "2000m"
      # To override include/exclude namespaces
      # By default, kube-system and the namespace where the agent is being
      # deployed are excluded from monitoring.
      validatingWebhook:
        # Namespaces to exclude from assessment.
        # The release namespace is excluded by default to allow the
        # webhook pod to be deployed.
        excludeNamespaces:
          - kube-system
          - namespace2
        # Namespaces to include in the assessment
        # includeNamespaces:
        #   - namespace1
    Note: If you create a custom values.yaml file, ensure you use the same file every time you upgrade. Otherwise, Tenable uses default values that may not match your configuration.
Deployment Assessment Values.yaml Configuration
ValidatingAdmissionWebhook Configuration
You can override the default ValidatingAdmissionWebhook configuration provided in the Helm Charts.
Note: In the first release of this feature as a part of Container Security 1.5, the default validatingwebhookconfiguration failurePolicy is set to Ignore. This means that if the agent encounters failures, the agent will still allow the deployment to proceed.
    validatingWebhook:
      # timeoutSeconds must be between 1 and 30
      timeoutSeconds: 15
      # Possible values for failurePolicy:
      # - Ignore : an error calling the webhook is ignored and the API request is allowed to continue.
      # - Fail : an error calling the webhook causes the admission to fail and the API request to be rejected.
      failurePolicy: Ignore
      # Namespaces to exclude from assessment.
      # The release namespace is excluded by default to allow the
      # agent pod to be deployed.
      excludeNamespaces:
        - kube-system
      # Namespaces to include in the assessment
      includeNamespaces:
        - app-test
Specify Node Affinity
The default Helm Chart for deployment assessment ships with an anti-affinity rule to prevent replicas from getting scheduled on the same node. You can specify a node affinity in values.yaml.
    affinity:
      podAntiAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app.kubernetes.io/name: tes-deployment-assessment
            topologyKey: kubernetes.io/hostname
Image Registry
You can specify the registry from which the deployment assessment agent image is pulled.
    image:
      registry: tenable
Replica Count
Use this option to override the default replica count of 2.
    replicaCount: 2
  - Install the Helm Chart using the following command, where {cluster_name.yaml} is the file you downloaded when you created the deployment scanner:
      helm upgrade --install tes-deployment-assessment -n tes-deployment-assessment -f values.yaml -f {cluster_name.yaml} tenable/tes-deployment-assessment
Delete a Deployment Assessment Agent
- In the Kubernetes cluster where the deployment assessment agent is installed, list the charts installed in the namespace with the following command:
    helm list -n tes-deployment-assessment
- Delete the Helm Chart with the following command:
    helm delete tes-deployment-assessment -n tes-deployment-assessment
- In Container Security, delete the deployment scanner.