
AccuKnox Agents

AccuKnox Agents Description

| AccuKnox core agents | Description |
|---|---|
| KubeArmor | This agent is used to apply system level policies. |
| Cilium | This agent is used to apply network level policies. |
| Shared Informer Agent | This agent authenticates with your cluster and collects information regarding entities like Nodes, Pods, Namespaces. |
| Feeder Service | Feeder service deployment that collects feeds from KubeArmor and Cilium. |
| Policy Enforcement | This agent authenticates with your cluster and enforces labels and policies. |
| Discovery Engine Agent | Discovery Engine discovers the security posture for your workloads and auto-discovers the policy-set required to put the workload in least-permissive mode. The engine leverages the rich visibility provided by KubeArmor and Cilium to auto-discover the systems and network security posture. |

Supported platforms

| Deployments | Deployment Type | Supported version (Kubernetes) |
|---|---|---|
| KubeArmor | DaemonSet | EKS Ubuntu Server 20.04, Minikube Cluster, MicroK8s Cluster, K3s Cluster, GKE with COS and Ubuntu, EKS Amazon Linux 2 |
| Shared Informer Agent | DaemonSet | EKS Ubuntu Server 20.04, Minikube Cluster, MicroK8s Cluster, K3s Cluster, GKE with COS and Ubuntu, EKS Amazon Linux 2 |
| Feeder Service | ReplicaSet | EKS Ubuntu Server 20.04, Minikube Cluster, MicroK8s Cluster, K3s Cluster, GKE with COS and Ubuntu, EKS Amazon Linux 2 |
| Policy Enforcement | DaemonSet | EKS Ubuntu Server 20.04, Minikube Cluster, MicroK8s Cluster, K3s Cluster, GKE with COS and Ubuntu, EKS Amazon Linux 2 |
| Discovery Engine Agent | DaemonSet | EKS Ubuntu Server 20.04, Minikube Cluster, MicroK8s Cluster, K3s Cluster, GKE with COS and Ubuntu, EKS Amazon Linux 2 |

  • This guide assumes that you have some basic familiarity with Kubernetes, kubectl and Helm, and that you are familiar with the AccuKnox open-source tool workflow. If you're new to AccuKnox itself, refer first to Getting Started.

  • It is recommended to have the following configured before onboarding:

      • Kubectl
      • Helm

Pre-requisites

Minimum resources required

A Kubernetes cluster with

  • Number of Nodes: 3
  • Machine Type: e2-standard-2
  • Total vCPUs: 6
  • Total Memory: 24GB

| Deployments | Resource usage |
|---|---|
| KubeArmor | CPU: 100 m, Memory: 20 Mi |
| Shared Informer Agent | CPU: 500 m, Memory: 750 Mi |
| Feeder Service | CPU: 1, Memory: 500 Mi |
| Policy Enforcement | CPU: 200 m, Memory: 800 M |

| Ports | Description |
|---|---|
| 9093, 443, 80 | The worker cluster will communicate with the AccuKnox SaaS and the general internet. |

Agents Installations

  1. Create the namespace.
    kubectl create namespace accuknox-agents

  2. Adding the AccuKnox Helm repository.
    Required in case of installing by Helm.
  3. Add the AccuKnox repository to install the agents' Helm packages.
    helm repo add accuknox-agents https://accuknox-agents:[email protected]/repository/accuknox-agents

    Note: "accuknox-agents" keys will be unique and are provided through the AccuKnox SaaS platform.

  4. Once the repository has been added successfully, update the Helm repository.
    helm repo update


1. Cilium

This agent is used to apply network policies.

Installation Guide

  1. Download Cilium CLI.
    curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz{,.sha256sum}
    sha256sum --check cilium-linux-amd64.tar.gz.sha256sum
    sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin
    rm cilium-linux-amd64.tar.gz{,.sha256sum}
    
  2. Install Cilium.
    cilium install
    
  3. Enable Hubble in Cilium.
    cilium hubble enable
    

2. KubeArmor

This agent is used to apply system level policies.

Installation Guide

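  1. Download and install Karmor CLI.
    curl -sfL http://get.kubearmor.io/ | sudo sh -s -- -b /usr/local/bin

    Note: this command fetches the installer over plain HTTP and pipes it straight into a root shell. To see what will run, save the script to a file and review it before executing it with sudo.
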
  2. Install KubeArmor.
    karmor install
    

3. Feeder Service

Feeder service deployment that collects feeds from KubeArmor and Cilium.

Installation Guide

  1. Install the agent on the destination cluster.
    helm upgrade --install feeder-service accuknox-agents/feeder-service-chart -n accuknox-agents

  2. Set the env of Feeder Service.
    kubectl set env deploy/feeder-service tenant_id=241 cluster_id=427 cluster_name=prod-cluster-onboarding -n accuknox-agents

    Note: tenant_id and cluster_id will be unique from user to user; replace them with your tenant_id and cluster_id.

4. Shared Informer Agent

This agent authenticates with your cluster and collects information regarding entities like nodes, pods, namespaces.

Installation Guide

  1. Install the agent on the destination cluster.
    helm upgrade --install shared-informer-agent-chart accuknox-agents/shared-informer-agent-chart -n accuknox-agents

5. Policy Enforcement Agent

This agent authenticates with your cluster and enforces labels and policies.

Installation Guide

  1. Install the agent on the destination cluster.
    helm upgrade --install policy-enforcement-agent accuknox-agents/policy-enforcement-agent-chart -n accuknox-agents

  2. Set the env of policy-enforcement-agent.
    kubectl set env deploy/policy-enforcement-agent -n accuknox-agents workspace_id=241 cluster_name=prod-cluster-onboarding

    Note: workspace_id and cluster_name will be unique from user to user; replace them with your workspace_id and cluster_name.

6. Discovery Engine Agent

Discovery Engine discovers the security posture for your workloads and auto-discovers the policy-set required to put the workload in least-permissive mode. The engine leverages the rich visibility provided by KubeArmor and Cilium to auto-discover the systems and network security posture.

Installation Guide

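  1. Install the agent on the destination cluster.
    kubectl apply -f https://raw.githubusercontent.com/accuknox/discovery-engine/dev/deployments/k8s/deployment.yaml -n accuknox-agents

    Note: the manifest is fetched from the repository's dev branch, so its contents can change between installs. Save and review the file you apply if you need the deployment to be reproducible.

  2. Set the env of the Discovery Engine agent (the knoxautopolicy deployment).
    kubectl set env deploy/knoxautopolicy -n accuknox-agents workspace_id=147 cluster_name=accuknox-e2e-01

    Note: workspace_id and cluster_name will be unique from user to user; replace them with your workspace_id and cluster_name.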
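
A check to run once the steps above are complete (an added example, not part of the AccuKnox documentation): it lists each deployment's environment with `kubectl set env --list` and reports any key from the `kubectl set env` steps on this page that is absent or empty. The function names and the `--run` switch are illustrative, and only literal KEY=value lines are counted as set.

```sh
#!/bin/sh
# Added example: verify the values set by the `kubectl set env` steps above.
NS=accuknox-agents

# Keys each deployment must carry, as listed in the installation steps.
required_keys() {
  case "$1" in
    feeder-service)           echo "tenant_id cluster_id cluster_name" ;;
    policy-enforcement-agent) echo "workspace_id cluster_name" ;;
    knoxautopolicy)           echo "workspace_id cluster_name" ;;
    *) return 1 ;;
  esac
}

# Reads `kubectl set env --list` output on stdin and prints the required keys
# (given as arguments) that are absent or empty. Only literal KEY=value lines
# count; '#' header/comment lines are ignored.
missing_env_keys() {
  listing=$(cat)
  missing=""
  for key in "$@"; do
    value=$(printf '%s\n' "$listing" | sed -n "s/^${key}=//p" | tail -n 1)
    [ -n "$value" ] || missing="${missing}${missing:+ }${key}"
  done
  printf '%s' "$missing"
}

# Checks the live cluster; returns non-zero if any deployment is incomplete.
check_agents() {
  rc=0
  for deploy in feeder-service policy-enforcement-agent knoxautopolicy; do
    if ! out=$(kubectl set env "deploy/$deploy" -n "$NS" --list); then
      echo "$deploy: cannot read deployment"; rc=1; continue
    fi
    miss=$(printf '%s\n' "$out" | missing_env_keys $(required_keys "$deploy"))
    if [ -n "$miss" ]; then
      echo "$deploy: missing $miss"; rc=1
    else
      echo "$deploy: ok"
    fi
  done
  return "$rc"
}

# Run against the cluster only when asked: sh check-agents.sh --run
if [ "${1:-}" = "--run" ]; then check_agents; fi
```
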
