You can configure the Carbon Black Container to use an HTTP proxy by enabling the centralized proxy settings or by manually setting the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables.
The centralized proxy settings apply an HTTP proxy configuration for all components. Setting the environment variables manually lets you configure the parameters on a per-component basis. If both HTTP proxy environment variables and centralized proxy settings are provided, the environment variables take precedence. The Operator does not use the centralized proxy settings, so you must use the environment variables for it instead.
Configure Centralized Proxy Settings
To configure the proxy environment variables in the Operator, use the following command to patch the Operator deployment:
kubectl set env -n cbcontainers-dataplane deployment cbcontainers-operator HTTP_PROXY="<proxy-url>" HTTPS_PROXY="<proxy-url>" NO_PROXY="<kubernetes-api-server-ip>/<range>"
Update the CBContainersAgent CR to use the centralized proxy settings (kubectl edit cbcontainersagents.operator.containers.carbonblack.io cbcontainers-agent):
spec:
  components:
    settings:
      proxy:
        enabled: true
        httpProxy: "<proxy-url>"
        httpsProxy: "<proxy-url>"
        noProxy: "<exclusion1>,<exclusion2>"
You can disable the centralized proxy settings without deleting them by setting the enabled key to false.
By default, the centralized proxy settings determine the API server IP address(es) and the necessary proxy exclusions for the cbcontainers-dataplane namespace. These determined values are automatically appended to the noProxy values or to the specified NO_PROXY environment variable for a particular component. To change those pre-determined values, you can specify the noProxySuffix key at the same level as the noProxy key. It has the same format as the noProxy key, and its values are treated as if they were pre-determined. You can also force nothing to be appended to noProxy or NO_PROXY by setting noProxySuffix to an empty string.
Configure HTTP Proxy Per-Component Environment Variables
To configure environment variables for the basic, Runtime, and Image Scanning components, update the CBContainersAgent CR using the proxy environment variables (kubectl edit cbcontainersagents.operator.containers.carbonblack.io cbcontainers-agent):
spec:
  components:
    basic:
      enforcer:
        env:
          HTTP_PROXY: "<proxy-url>"
          HTTPS_PROXY: "<proxy-url>"
          NO_PROXY: "<kubernetes-api-server-ip>/<range>"
      stateReporter:
        env:
          HTTP_PROXY: "<proxy-url>"
          HTTPS_PROXY: "<proxy-url>"
          NO_PROXY: "<kubernetes-api-server-ip>/<range>"
    runtimeProtection:
      resolver:
        env:
          HTTP_PROXY: "<proxy-url>"
          HTTPS_PROXY: "<proxy-url>"
          NO_PROXY: "<kubernetes-api-server-ip>/<range>"
      sensor:
        env:
          HTTP_PROXY: "<proxy-url>"
          HTTPS_PROXY: "<proxy-url>"
          NO_PROXY: "<kubernetes-api-server-ip>/<range>,cbcontainers-runtime-resolver.cbcontainers-dataplane.svc.cluster.local"
    clusterScanning:
      clusterScanner:
        env:
          HTTP_PROXY: "<proxy-url>"
          HTTPS_PROXY: "<proxy-url>"
          NO_PROXY: "<kubernetes-api-server-ip>/<range>,cbcontainers-image-scanning-reporter.cbcontainers-dataplane.svc.cluster.local"
      imageScanningReporter:
        env:
          HTTP_PROXY: "<proxy-url>"
          HTTPS_PROXY: "<proxy-url>"
          NO_PROXY: "<kubernetes-api-server-ip>/<range>"
Set the NO_PROXY environment variable to use the value of the Kubernetes API server IP address. To find the API server IP address, run the following command:
kubectl -n default get service kubernetes -o=jsonpath='{..clusterIP}'
Additional Proxy Considerations
When using a non-transparent HTTPS proxy, you must configure the agent to use the proxy certificate authority:
spec:
  gateways:
    gatewayTLS:
      rootCAsBundle: <Base64 encoded proxy CA>
Alternatively, you can allow the agent to communicate without verifying the certificate. We do not recommend this option because it exposes the agent to an MITM attack.
spec:
  gateways:
    gatewayTLS:
      insecureSkipVerify: true
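One way to prepare the rootCAsBundle value and apply it with certificate verification left on, as an added example that is not part of the original documentation. The function names and the proxy-ca.pem and gateway-tls-patch.sh file names are hypothetical, and the check only looks for PEM markers rather than parsing the certificate.

```shell
#!/bin/sh
# Added example: build the spec.gateways.gatewayTLS patch from a proxy CA file.
# Function and file names are hypothetical, not part of the product.

# Print the single-line Base64 form of a PEM CA file.
# Marker check only: it does not parse the certificate itself.
encode_ca_bundle() {
  pem="$1"
  [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }
  grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" ||
    { echo "no PEM certificate in $pem" >&2; return 1; }
  # A CA bundle must never carry key material into the CR.
  if grep -q 'PRIVATE KEY-----' "$pem"; then
    echo "refusing: $pem contains a private key" >&2
    return 1
  fi
  # Strip line wrapping so the value fits on one YAML/JSON line.
  base64 < "$pem" | tr -d '\n'
}

# Print a JSON merge patch that sets rootCAsBundle and keeps
# certificate verification on (insecureSkipVerify: false).
gateway_tls_patch() {
  bundle="$(encode_ca_bundle "$1")" || return 1
  printf '{"spec":{"gateways":{"gatewayTLS":{"rootCAsBundle":"%s","insecureSkipVerify":false}}}}' "$bundle"
}

# Usage, after sourcing this file (requires cluster access):
#   . ./gateway-tls-patch.sh
#   kubectl patch cbcontainersagents.operator.containers.carbonblack.io cbcontainers-agent \
#     --type merge -p "$(gateway_tls_patch proxy-ca.pem)"
```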