You can configure the Carbon Black Container to use an HTTP proxy by enabling the centralized proxy settings or by manually setting HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables.

The centralized proxy settings apply one HTTP proxy configuration to all agent components. Setting the environment variables manually lets you configure each component separately. If both are provided for a component, that component's environment variables take precedence over the centralized settings. The Operator itself does not read the centralized proxy settings, so it must always be configured through environment variables.

Configure Centralized Proxy Settings

Because the Operator ignores the centralized settings, set its proxy environment variables directly on the Operator deployment (this triggers a rollout of the Operator pod):

kubectl set env -n cbcontainers-dataplane deployment cbcontainers-operator HTTP_PROXY="<proxy-url>" HTTPS_PROXY="<proxy-url>" NO_PROXY="<kubernetes-api-server-ip>/<range>"

Update the CBContainersAgent CR to use the centralized proxy settings (kubectl edit cbcontainersagents.operator.containers.carbonblack.io cbcontainers-agent):

spec:
  components:
    settings:
      proxy:
        enabled: true
        httpProxy: "<proxy-url>"
        httpsProxy: "<proxy-url>"
        noProxy: "<exclusion1>,<exclusion2>"

You can disable the centralized proxy settings without deleting them by setting the enabled key to false.

By default, the centralized proxy settings determine the API server IP address(es) and the proxy exclusions needed for in-cluster traffic within the cbcontainers-dataplane namespace. These determined values are automatically appended to the noProxy value, or to the NO_PROXY environment variable of a component that sets its own. To override them, specify the noProxySuffix key at the same level as noProxy. It has the same format as noProxy, and its values are used in place of the determined ones. To force nothing to be appended to noProxy or NO_PROXY, set noProxySuffix to an empty string ("") rather than omitting it: an omitted key means "use the determined values".

Configure HTTP Proxy Per-Component Environment Variables

To configure environment variables for the basic, runtimeProtection, and clusterScanning (Image Scanning) components, update the CBContainersAgent CR with the proxy environment variables under each component's env key (kubectl edit cbcontainersagents.operator.containers.carbonblack.io cbcontainers-agent):

spec:
  components:
    basic:
      enforcer:
        env:
          HTTP_PROXY: "<proxy-url>"
          HTTPS_PROXY: "<proxy-url>"
          NO_PROXY: "<kubernetes-api-server-ip>/<range>"
      stateReporter:
        env:
          HTTP_PROXY: "<proxy-url>"
          HTTPS_PROXY: "<proxy-url>"
          NO_PROXY: "<kubernetes-api-server-ip>/<range>"
    runtimeProtection:
      resolver:
        env:
          HTTP_PROXY: "<proxy-url>"
          HTTPS_PROXY: "<proxy-url>"
          NO_PROXY: "<kubernetes-api-server-ip>/<range>"
      sensor:
        env:
          HTTP_PROXY: "<proxy-url>"
          HTTPS_PROXY: "<proxy-url>"
          NO_PROXY: "<kubernetes-api-server-ip>/<range>,cbcontainers-runtime-resolver.cbcontainers-dataplane.svc.cluster.local"
    clusterScanning:
      clusterScanner:
        env:
          HTTP_PROXY: "<proxy-url>"
          HTTPS_PROXY: "<proxy-url>"
          NO_PROXY: "<kubernetes-api-server-ip>/<range>,cbcontainers-image-scanning-reporter.cbcontainers-dataplane.svc.cluster.local"
      imageScanningReporter:
        env:
          HTTP_PROXY: "<proxy-url>"
          HTTPS_PROXY: "<proxy-url>"
          NO_PROXY: "<kubernetes-api-server-ip>/<range>"
Important: You must configure the NO-PROXY environment variable to use the value of the Kubernetes API server IP address. To find the API-server IP address, run the following command:
kubectl -n default get service kubernetes -o=jsonpath='{..clusterIP}'
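The procedure above, assembled into a script, as an added example that is not code from the Carbon Black Container documentation or from the operator itself. It models the documented precedence (a component's NO_PROXY environment variable wins over the centralized noProxy; noProxySuffix is appended unless it is explicitly ""), validates the proxy URL, and renders the kubectl commands for a given proxy. The helper names, the sample addresses, and the assumed default suffix (the API server IP plus the two in-cluster service names from the page's own example) are illustration-only assumptions; the real operator computes its own exclusion list.

```shell
#!/bin/sh
# Added example, not part of the Carbon Black Container docs or operator code.
# Models the documented NO_PROXY precedence/suffix rules and renders the
# kubectl commands. All function names and sample values are assumptions.
set -u

# Accept only http:// or https:// proxy URLs; anything else is a config error.
valid_proxy_url() {
  case "$1" in
    http://?*|https://?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Join any number of comma-separated lists into one NO_PROXY value,
# trimming whitespace and dropping empty items and duplicates (first-seen order kept).
join_no_proxy() {
  printf '%s\n' "$@" | tr ',' '\n' |
    awk '{ gsub(/^[ \t]+|[ \t]+$/, "") }
         NF && !seen[$0]++ { printf "%s%s", (n++ ? "," : ""), $0 }
         END { printf "\n" }'
}

# Assumed stand-in for the values the operator determines on its own:
# $1 = API server IP (or CIDR) as returned by the kubectl command on the page.
default_no_proxy_suffix() {
  join_no_proxy "$1" \
    "cbcontainers-runtime-resolver.cbcontainers-dataplane.svc.cluster.local" \
    "cbcontainers-image-scanning-reporter.cbcontainers-dataplane.svc.cluster.local"
}

# Effective NO_PROXY for one component.
#   $1 = the component's own NO_PROXY env var ("" when not set)
#   $2 = centralized spec.components.settings.proxy.noProxy
#   $3 = suffix to append ("" models noProxySuffix: "", so nothing is appended)
effective_no_proxy() {
  base=$2
  if [ -n "$1" ]; then
    base=$1   # the component's env var wins over the centralized value
  fi
  join_no_proxy "$base" "$3"
}

# The Operator ignores the centralized settings, so it gets plain env vars.
render_operator_env_cmd() {
  printf 'kubectl set env -n cbcontainers-dataplane deployment cbcontainers-operator HTTP_PROXY=%s HTTPS_PROXY=%s NO_PROXY=%s\n' \
    "$1" "$1" "$2"
}

# JSON merge patch enabling the centralized settings on the CBContainersAgent CR.
#   $1 = proxy URL, $2 = noProxy, $3 = noProxySuffix
render_agent_proxy_patch() {
  printf '{"spec":{"components":{"settings":{"proxy":{"enabled":true,"httpProxy":"%s","httpsProxy":"%s","noProxy":"%s","noProxySuffix":"%s"}}}}}\n' \
    "$1" "$1" "$2" "$3"
}

# Only talks to a cluster when run as:  sh proxy.sh --apply http://proxy.example:3128 [extra,noProxy]
if [ "${1:-}" = "--apply" ]; then
  proxy=${2:?proxy URL required}
  extra=${3:-}
  valid_proxy_url "$proxy" || { echo "bad proxy URL: $proxy" >&2; exit 1; }
  api_ip=$(kubectl -n default get service kubernetes -o=jsonpath='{..clusterIP}')
  kubectl set env -n cbcontainers-dataplane deployment cbcontainers-operator \
    HTTP_PROXY="$proxy" HTTPS_PROXY="$proxy" NO_PROXY="$api_ip/32"
  kubectl patch cbcontainersagents.operator.containers.carbonblack.io cbcontainers-agent \
    --type merge -p "$(render_agent_proxy_patch "$proxy" "$extra" "$(default_no_proxy_suffix "$api_ip/32")")"
fi
```

The apply branch passes the determined suffix explicitly so the rendered CR shows exactly what will be appended; omit noProxySuffix from the patch if you prefer to let the operator determine it.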

Additional Proxy Considerations

When using a non-transparent HTTPS proxy (one that terminates TLS and re-signs the connection with its own certificate authority), you must configure the agent to trust the proxy's CA, or the agent's TLS verification to the backend fails:

spec:
  gateways:
    gatewayTLS:
      rootCAsBundle: <base64-encoded CA certificate bundle (PEM) for the proxy>

Alternatively, you can allow the agent to communicate without verifying the certificate. We do not recommend this option because it exposes the agent's traffic to a man-in-the-middle (MITM) attack by anyone positioned between the agent and the backend, not just the proxy.

spec:
  gateways:
    gatewayTLS:
      insecureSkipVerify: true