cbcontainers-runtime

The cbcontainers-runtime container is part of every pod within the cbcontainers-node-agent DaemonSet. It is a privileged container that uses eBPF to attach to the Linux kernel on each Kubernetes node and generate a stream of events of observed network connections. These events are batched together and sent by gRPC to the cbcontainers-runtime-resolver deployment. The cbcontainers-runtime container does not connect directly to the Carbon Black Cloud backend.

cbcontainers-cluster-scanner

The cbcontainers-cluster-scanner container is part of every pod within the cbcontainers-node-agent DaemonSet. Different container runtime endpoints (Containerd, dockershim, CRI-O) are mounted inside the pod to communicate with the container runtime of the node. The cluster scanner calls the container runtime using gRPC to list containers and images, read their contents, and perform scans on the images that detect vulnerabilities, malware, and secrets.

For clusters utilizing CRI-O, additional paths from the host are mounted and utilized. These are paths where CRI-O stores image data and are required to fully scan images because some operations are not natively supported by the CRI-O API.

Most communication from cbcontainers-cluster-scanner goes through the cbcontainers-image-scanning-reporterb efore reaching the Carbon Black Cloudbackend — except for generating certificates for mTLS connections, which is done by directly calling the Carbon Black Cloud backend.

cbcontainers-cndr

TheCNDR container contains the Carbon Black Cloud Linux Sensor. It uses eBPF probes for monitoring container process actions, file access events and network events.

Events are processed, attributed to workloads, passed through a rules engine to generate alerts if needed, and sent to the Carbon Black Cloud backend for presentation and analysis.