Installing and Configuring the RapidFort Runtime Agent for Kubernetes Clusters
The RapidFort Runtime agent enables profiling and monitoring of containers in your Kubernetes clusters without the performance penalty and container-size overhead that injected instrumentation incurs (see Instrumentation Methods). This method is especially useful when confidence in the test coverage of a lower environment is low and you therefore prefer to profile your containers in the production environment, so that the profile reflects the complete set of features and corner cases actually exercised.
While instrumented containers can be profiled on a Kubernetes cluster (see Profiling & Hardening on a K8 cluster), that method requires the containers to have elevated privileges or to run as root, which may not be permissible in your organization. The RapidFort Runtime agent enables profiling without such elevated permissions.
The RapidFort Runtime agent can be installed in a minimal configuration or in its full configuration. In the minimal configuration, only containers that were submitted with an eBPF wrapper (see Injection Methods) are monitored. In the full configuration, containers do not need to be submitted with an eBPF wrapper; instead, all containers can be profiled at either the namespace level or the cluster level.
Installing the Minimal Configuration of the RapidFort Runtime agent:
In its minimal configuration, in Kubernetes, the RapidFort Runtime agent is a single-pod, single-container DaemonSet. It collects telemetry from only the intended containers using eBPF and sends the metadata to the RapidFort platform.
To install the DaemonSet, a Kubernetes administrator role is required for the target cluster.
Requirements
Hardware and OS
- 64-bit Intel-based Kubernetes cluster
Applications
- ‘kubeconfig’ must be set up correctly.
- kubectl, helm V3 (optional)
RapidFort Runtime DaemonSet’s required permissions
The following table details the required permissions, roles, and privileges needed by the runtime module, along with justifications:
Section | Details | Justification |
---|---|---|
Networking | Egress access to the RapidFort platform https://us01.rapidfort.com from the DaemonSet. | Used for telemetry upload. |
Containers | rfbpf | Capabilities SYS_MODULE and SYS_ADMIN are required for installing and loading BPF programs. |
Installation
The RapidFort Runtime DaemonSet is deployed using a helm chart or a Kubernetes manifest. If ‘helm install’ is unavailable or undesirable, contact the RapidFort support team for a Kubernetes manifest.
To install using helm, create an override.yaml file and paste the text below into it. Make certain to review the resource requirements. A RapidFort support team member will provide the appropriate secrets to pull the images.
# RapidFort Runtime DaemonSet creates emptyDir volume
volumeName: rapidfort-rw-tmp
# Default size is 4G
volumeSize: 4Gi
# Get imagePullSecrets from RapidFort support
imagePullSecrets: {}
# Get latest image tag from RapidFort support
image: quay.io/rapidfort/rf-bpf
# Default CPU limit is 200 millicores (20% of a core)
cpu: 200m
# Default Memory limit is 400 Mi
memory: 400Mi
# RapidFort DaemonSet Verbosity (0: Error 1: Warn 2: Info 3: Debug)
verbose: 2
To install the DaemonSet, run the following commands:
# Optional: set kubecfg to the desired cluster (if other than default)
kubectl config use-context <cluster-name>
# Review the DaemonSet deployment manifest
helm template oci://quay.io/rapidfort/runtime -f override.yaml
# Deploy the RapidFort Runtime DaemonSet
helm upgrade --install rapidfort oci://quay.io/rapidfort/runtime -f override.yaml
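The helm template step above is where a reviewer confirms that what will be deployed matches the permissions table: the rfbpf container should carry only the SYS_MODULE and SYS_ADMIN capabilities, the CPU and memory limits from override.yaml, and an emptyDir volume rather than a hostPath. The following Python script is an added example, not RapidFort's code. It audits a DaemonSet object in the JSON form printed by `kubectl get daemonset rapidfort -o json` and reports any drift from that documented footprint. The two DaemonSet documents it checks are constructed inline for the demonstration: one that matches the override.yaml values on this page and one with hypothetical drift.

```python
import json

# Capabilities the permissions table on this page justifies for the rfbpf container.
ALLOWED_CAPS = {"SYS_MODULE", "SYS_ADMIN"}


def audit_daemonset(ds, allowed_caps=ALLOWED_CAPS):
    """Return a list of findings for a DaemonSet object (parsed JSON).

    Anything beyond what the permissions table documents is reported:
    extra Linux capabilities, privileged mode, missing CPU/memory limits,
    and hostPath volumes (the minimal configuration uses only an emptyDir).
    An empty list means the object matches the documented footprint.
    """
    findings = []
    pod_spec = ds["spec"]["template"]["spec"]
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for c in containers:
        name = c["name"]
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{name}: runs privileged; the table only calls for SYS_MODULE/SYS_ADMIN")
        caps = set((sc.get("capabilities") or {}).get("add") or [])
        extra = sorted(caps - allowed_caps)
        if extra:
            findings.append(f"{name}: undocumented capabilities {extra}")
        limits = (c.get("resources") or {}).get("limits") or {}
        for resource in ("cpu", "memory"):
            if resource not in limits:
                findings.append(f"{name}: no {resource} limit set")
    for v in pod_spec.get("volumes", []):
        if "hostPath" in v:
            findings.append(f"volume {v['name']}: hostPath {v['hostPath'].get('path')} needs review")
    return findings


def audit_json(text):
    """Audit a DaemonSet given as the JSON text printed by kubectl."""
    return audit_daemonset(json.loads(text))


# Constructed sample: a DaemonSet matching the override.yaml values on this page.
EXPECTED_DS = json.dumps({
    "apiVersion": "apps/v1", "kind": "DaemonSet",
    "metadata": {"name": "rapidfort"},
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "rfbpf",
            "image": "quay.io/rapidfort/rf-bpf",
            "securityContext": {"capabilities": {"add": ["SYS_MODULE", "SYS_ADMIN"]}},
            "resources": {"limits": {"cpu": "200m", "memory": "400Mi"}},
        }],
        "volumes": [{"name": "rapidfort-rw-tmp", "emptyDir": {"sizeLimit": "4Gi"}}],
    }}},
})

# Constructed sample: the same DaemonSet after hypothetical drift (privileged,
# an extra capability, no memory limit, and a hostPath mount).
DRIFTED_DS = json.dumps({
    "apiVersion": "apps/v1", "kind": "DaemonSet",
    "metadata": {"name": "rapidfort"},
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "rfbpf",
            "image": "quay.io/rapidfort/rf-bpf",
            "securityContext": {"privileged": True,
                                "capabilities": {"add": ["SYS_MODULE", "SYS_ADMIN", "NET_ADMIN"]}},
            "resources": {"limits": {"cpu": "200m"}},
        }],
        "volumes": [{"name": "host-tmp", "hostPath": {"path": "/tmp"}}],
    }}},
})

if __name__ == "__main__":
    for label, doc in (("expected", EXPECTED_DS), ("drifted", DRIFTED_DS)):
        findings = audit_json(doc)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it against the live object with `kubectl get daemonset rapidfort -o json | python3 -c 'import sys, audit; print(audit.audit_json(sys.stdin.read()))'` (module name assumed) after deployment, or against the rendered manifest converted to JSON before deployment; a non-empty list is something to raise with RapidFort support before the DaemonSet goes to production.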
To uninstall, run the following commands:
# Optional: set kubecfg to desired cluster (if other than default)
kubectl config use-context <cluster-name>
# Undeploy the RF Runtime module
helm uninstall rapidfort
Installing the Full Configuration of the RapidFort Runtime agent:
The RapidFort admission controller DaemonSet can be deployed at the Kubernetes cluster level or at the namespace level. When deployed at the cluster level, only namespaces labeled “rf-monitor=enabled” are scanned and/or monitored. When deployed at the namespace level, all pods within that namespace are scanned and monitored.
Please note that installing an admission controller in Kubernetes requires the person installing the system to have cluster-level permissions. This is only an installation requirement; it does not give RapidFort Runtime cluster-level visibility if deployed with namespace scope.
Requirements
Hardware and OS
- ARM64 Mac running macOS
- 64-bit Intel-based computer running Linux
Applications
- ‘kubeconfig’ must be set up correctly.
- Admin privileges to deploy the runtime module to the target clusters.
Permissions, Roles & Privileges:
Section | Details | Justification |
---|---|---|
Networking | The RapidFort server’s IP address and TLS port 443 must be whitelisted. You must also add a verified SSL certificate to the RapidFort deployment. | |
Kubernetes Role | RF Runtime DaemonSet needs the following role permissions: | |
Admission Controller | Mutating webhook | The admission controller can be scoped to a namespace at installation time. The controller enables automatic profiling using a side-agent in the pods created in the monitored namespace. |
Containers | init-daemonset | Needed to change file permissions on the host path used to mount the RapidFort tools. |
 | celery-worker (Image scanner) | This container is optional and not required in production environments. Image scanning can be done in CI/CD pipelines upstream using RF CLI tools, at the registry level using RF Registry Scan, or in lower environment clusters. K8s Docker runtime: no privileges are required. K8s containerd runtime: ‘privileged’ is required for mounting images for scanning. |
 | api-server | Serves information about container images. |
 | webhook | Admission controller webhook. |
 | envoy | HTTP proxy to direct API calls to the RF platform. |
 | websocat | WebSocket proxy to send profiling information to the RF platform. |
 | redis | Local cache. |
 | celery-beat | Used to send licensing information to the RF platform. |
 | bpf-proxy | Handles proxying to the correct eBPF node. |
Kubernetes HostPath Permissions | Containerd runtime | |
 | Docker runtime | |
 | Common (both runtimes) - Customizable | |
Installation
The RapidFort Runtime module is deployed via a single binary installer program. Installing the installer program itself requires root (a non-root user needs the ability to sudo to root), but once installed any user can run it.
To deploy the RapidFort Runtime installer program, run the following commands. Select the appropriate commands based on your computer type:
The following instructions are also available at this URL: https://github.com/rapidfort/runtime
ARM64 Mac:
# Download Mac (ARM64) installer binary
wget https://github.com/rapidfort/runtime/releases/download/latest/rf-cmd-darwin-arm64
# Make executable
chmod +x rf-cmd-darwin-arm64
# Install in /usr/local/bin
sudo mv rf-cmd-darwin-arm64 /usr/local/bin/rf-cmd
64-bit Intel-based Machine:
# Download Linux (64-bit Intel-based) installer binary
curl -LO https://github.com/rapidfort/runtime/releases/download/latest/rf-cmd-linux-amd64
# Make executable
chmod +x rf-cmd-linux-amd64
# Install in /usr/local/bin
sudo mv rf-cmd-linux-amd64 /usr/local/bin/rf-cmd
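Both download paths above fetch a binary from the `latest` release tag and move it straight into /usr/local/bin. Before moving an installer onto PATH, a practitioner would compare the downloaded file against the digest published for that release. The following Python script is an added example, not part of RapidFort's installer or the commands on this page. The page does not supply a digest, so EXPECTED_RF_CMD_SHA256 is an intentionally invalid placeholder to be replaced with the value obtained from RapidFort; the file used by demo_roundtrip is a constructed stand-in written to a temporary directory.

```python
import hashlib
import hmac
import os
import shutil
import tempfile

# Placeholder: replace with the SHA-256 digest published for the rf-cmd
# release you downloaded. The page does not supply one, so this value is
# intentionally invalid and verification against it will fail.
EXPECTED_RF_CMD_SHA256 = "<sha256 from RapidFort release notes>"


def sha256_of(path, chunk_size=1 << 20):
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_and_install(src, expected_sha256, dest_dir="/usr/local/bin", name="rf-cmd"):
    """Install src as dest_dir/name (mode 0755) only if its digest matches.

    Raises ValueError on mismatch and leaves nothing behind, so a corrupted
    or substituted download never lands on PATH. Returns the installed path.
    """
    actual = sha256_of(src)
    if not hmac.compare_digest(actual.lower(), expected_sha256.lower()):
        raise ValueError(f"digest mismatch for {src}: got {actual}")
    dest = os.path.join(dest_dir, name)
    # Copy to a temporary name in the same directory and rename atomically,
    # so a partially written binary is never visible at the final path.
    fd, tmp = tempfile.mkstemp(dir=dest_dir, prefix=".rf-cmd-")
    os.close(fd)
    try:
        shutil.copyfile(src, tmp)
        os.chmod(tmp, 0o755)
        os.replace(tmp, dest)
    except Exception:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return dest


def demo_roundtrip():
    """Constructed demonstration in a temp dir: a correct digest installs the
    file, a wrong digest is rejected and nothing is left behind.
    Returns (installed_ok, mismatch_rejected)."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "rf-cmd-linux-amd64")
        with open(src, "wb") as fh:
            fh.write(b"#!/bin/sh\necho constructed stand-in for rf-cmd\n")
        good = sha256_of(src)
        dest = verify_and_install(src, good, dest_dir=work)
        installed_ok = (os.path.isfile(dest) and os.access(dest, os.X_OK)
                        and sha256_of(dest) == good)
        try:
            verify_and_install(src, "0" * 64, dest_dir=work, name="rf-cmd-bad")
            mismatch_rejected = False
        except ValueError:
            mismatch_rejected = not os.path.exists(os.path.join(work, "rf-cmd-bad"))
        return installed_ok, mismatch_rejected


if __name__ == "__main__":
    import sys
    # Usage: sudo python3 verify_install.py rf-cmd-linux-amd64 <sha256>
    if len(sys.argv) >= 3:
        print("installed", verify_and_install(sys.argv[1], sys.argv[2]))
    else:
        print("demo (constructed file in a temp dir):", demo_roundtrip())
```

The rename-into-place step is why the script writes into the destination directory rather than copying from /tmp: os.replace is atomic only within one filesystem, and it also makes the install idempotent when rf-cmd is already present.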
Run the following commands to deploy the agent if the RapidFort Platform is an On-Premises type:
# Optional: set kubecfg to desired cluster (if other than default)
kubectl config use-context <cluster-name>
# Deploy RapidFort Runtime to the cluster
rf-cmd --cmd install \
-h <rf_host> \
-u <RapidFort username> \
-p <RapidFort password> \
-ru <registry username> \
-rp <registry password>
Run the following commands to deploy the agent if the RapidFort Platform is SaaS:
# Optional: set kubecfg to desired cluster (if other than default)
kubectl config use-context <cluster-name>
# Deploy RapidFort Runtime to the cluster
rf-cmd --cmd install -u <RapidFort username> -p <RapidFort password>