Runtime protection enables the use of policy rules to help secure deployed workloads. The cbcontainers-runtime-resolver component is responsible for the enrichment of network events together with their Kubernetes context and sending the events to the Carbon Black Cloud backend.

The cbcontainers-runtime-resolver component receives network events from the cbcontainers-runtime container within the cbcontainers-node-agent DaemonSet pods using inbound gRPC connections. The events have their Kubernetes context attached and are then batched together and sent via gRPC to the Carbon Black Cloud backend.

The Kubernetes information is taken from the API server by using standard Kubernetes in-cluster authentication and communication with the API server. List and watch operations are used with the API server; however, the information is cached locally in the cbcontainers-runtime-resolver to avoid unnecessary network traffic and improve response times.

Image: cbartifactory/runtime-kubernetes-resolver
Opened ports: 8080/TCP
Connects to Kubernetes services: kubernetes.default.svc (Kubernetes API server)
Connects to backend: runtime.events.containers.carbonblack.io:443 (gRPC); defense-prod05.conferdeploy.net:443
NO_PROXY requirements: the Kubernetes API server IP addresses (resolved from kubernetes.default.svc within the cluster)
Requested resources: CPU 200m, Memory 64Mi
Resource limits: CPU 900m, Memory 1Gi
Replica count (min & default): Min 1, Default 1
Horizontal Scaling

By default, cbcontainers-runtime-resolver is scaled automatically by the operator. It uses the following formula:

<node_count>/<spec.components.runtimeProtection.resolver.nodesToReplicasRatio>

Where <node_count> is the current number of nodes in the cluster and <spec.components.runtimeProtection.resolver.nodesToReplicasRatio> is taken from the CRD (by default this value is 5, but it can be lowered to accommodate clusters with intensive network traffic).

Tolerations

node.kubernetes.io/memory-pressure:NoSchedule op=Exists

node.kubernetes.io/not-ready:NoExecute op=Exists for 300s

node.kubernetes.io/unreachable:NoExecute op=Exists for 300s

Is privileged: No
Note: See also cbcontainers-runtime.