This topic describes the official Helm charts for installing the Carbon Black Container Agent (Operator, CRD, and Agent components).

cbcontainers-operator

The cbcontainers-operator chart (external link) is the official Helm chart for installing the Carbon Black Container Operator and its CRD. Helm 3 is supported.

You can install the chart without any customization, and you can create the Helm release in any namespace. The namespace in which the Operator itself is installed is also configurable (see Namespace below).

To install the Helm chart from the source:

cd charts/cbcontainers-operator
helm install cbcontainers-operator ./cbcontainers-operator-chart
Table 1. Customization

Parameter                      | Description                                       | Default Value
spec.operator.image.repository | Repository of the Operator image                  | cbartifactory/octarine-operator
spec.operator.image.version    | Version of the Operator image                     | The latest version of the Operator image
spec.operator.resources        | Carbon Black Container Operator resources         | {requests: {memory: "64Mi", cpu: "30m"}, limits: {memory: "256Mi", cpu: "200m"}}
spec.rbacProxy.resources       | Kube RBAC proxy resources                         | {requests: {memory: "64Mi", cpu: "30m"}, limits: {memory: "256Mi", cpu: "200m"}}
spec.operator.environment      | Environment variables to be set on the Operator pod | []

Namespace

By default, the Carbon Black Container Operator is installed in the cbcontainers-dataplane namespace.

To change the namespace, set the operatorNamespace field in your values.yaml file.

The chart automatically creates the namespace. If you do not want to do that (because you have already created the namespace), set the createOperatorNamespace field in your values.yaml file to false.

If the namespace is pre-created, it must also carry the labels shown below, or the Operator and Agent might not reconcile successfully. The following commands create a custom namespace, label it, and install the Operator into it:

NAMESPACE=<your_value>
kubectl create namespace $NAMESPACE
kubectl label namespace $NAMESPACE control-plane=operator octarine=ignore
helm install cbcontainers-operator ./cbcontainers-operator-chart --set createOperatorNamespace=false,operatorNamespace=$NAMESPACE

CRD Installation

By default, installing the chart will also create the CBContainersAgent CRD.

To manage the CRD in a different way and not install it together with the chart, set the installCRD field in your values.yaml file to false.

HTTP Proxy

To route communication with the Carbon Black Cloud backend through an HTTP proxy, you must set three environment variables on the Operator. These variables are exposed through the Values.operator.proxy parameters in the values.yaml file:

  • Values.operator.proxy.http
  • Values.operator.proxy.https
  • Values.operator.proxy.noProxy

See also Configuring Container Services to use HTTP Proxy.
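The following values.yaml combines the namespace, CRD and proxy settings described above into one file for the operator chart. It is an added example, not a file from the chart repository: the key names are the ones this page lists, the proxy values are assumed to become the Operator pod's HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables, and the proxy host and cluster CIDRs are placeholders for your own environment.

```yaml
# values.yaml for the cbcontainers-operator chart (added example; key names as listed on this page).

# Namespace: reuse a namespace you created and labeled yourself with
#   kubectl label namespace <ns> control-plane=operator octarine=ignore
operatorNamespace: cb-operator
createOperatorNamespace: false

# Keep the CBContainersAgent CRD lifecycle with the chart; set to false if you
# manage the CRD elsewhere (for example from a GitOps repository).
installCRD: true

# Egress to the Carbon Black Cloud backend goes through a corporate proxy.
# Assumption: these map to the HTTP_PROXY / HTTPS_PROXY / NO_PROXY variables of the Operator pod.
operator:
  proxy:
    http: "http://proxy.corp.example:3128"
    https: "http://proxy.corp.example:3128"
    # Traffic that must bypass the proxy: the Kubernetes API service, in-cluster
    # service names and the pod/service CIDRs (placeholder CIDRs; use your cluster's).
    # Without these, the Operator's calls to the API server are sent to the proxy too.
    noProxy: "localhost,127.0.0.1,kubernetes.default.svc,.svc,.cluster.local,10.96.0.0/12,10.244.0.0/16"

# Optional: explicit resource bounds for the Operator and the kube-rbac-proxy sidecar
# (these are the chart defaults from Table 1, repeated here so they are pinned in version control).
spec:
  operator:
    resources:
      requests: {memory: "64Mi", cpu: "30m"}
      limits: {memory: "256Mi", cpu: "200m"}
  rbacProxy:
    resources:
      requests: {memory: "64Mi", cpu: "30m"}
      limits: {memory: "256Mi", cpu: "200m"}
```

Install with `helm install cbcontainers-operator ./cbcontainers-operator-chart -f values.yaml`. Because createOperatorNamespace is false, the namespace must exist and be labeled before the install, exactly as in the Namespace section above.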

Templates

The cbcontainers-operator chart consists of four templates (external link).

The operator.yaml file (external link) contains all resources except for the Operator deployment. It is generated by kustomize. For more info see config/default_chart (external link).

The deployment.yaml file contains the Operator Deployment resource. It is derived from this Kustomize configuration, but because it must be configurable through Helm it is heavily templated and therefore cannot be generated automatically; it is maintained by hand. Any change to the Kustomize configuration must also be reflected in deployment.yaml.

The dataplane_rbac.yaml and dataplane_service_accounts files contain necessary RBAC objects for the Agent to work as expected.

cbcontainers-agent

The cbcontainers-agent chart (external link) is the official Helm chart for installing the Carbon Black Container Agent components. Helm 3 is supported.

Note: Before installing the Agent components, you must install the Operator and the CRD.

Installation

Before you can install the chart, you must configure it. You must provide the following eight required fields:

Parameter                                | Description
spec.orgKey                              | Org key of the organization using Carbon Black Cloud
spec.clusterName                         | Name of the cluster that will be added to Carbon Black Cloud
spec.clusterGroup                        | The group that the cluster belongs to in Carbon Black Cloud
spec.version                             | Version of the Agent images
spec.gateways.apiGatewayHost             | URL of the Carbon Black Cloud API gateway
spec.gateways.coreEventsGatewayHost      | URL of the Carbon Black Cloud core events gateway
spec.gateways.hardeningEventsGatewayHost | URL of the Carbon Black Cloud hardening events gateway
spec.gateways.runtimeEventsGatewayHost   | URL of the Carbon Black Cloud runtime events gateway

After setting these required fields in a values.yaml file, you can install the chart from source:

cd charts/cbcontainers-agent
helm install cbcontainers-agent ./cbcontainers-agent-chart -n cbcontainers-dataplane
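A minimal values.yaml for the agent chart that sets the eight required fields and deliberately leaves the access token out, as an added example rather than a file from the chart repository. The field names are the ones in the table above; the angle-bracket values are placeholders to be replaced with the values shown for your organization in the Carbon Black Cloud console.

```yaml
# values.yaml for the cbcontainers-agent chart (added example; field names as listed on this page).
spec:
  orgKey: "<your_org_key>"
  clusterName: "<your_cluster_name>"
  clusterGroup: "<your_cluster_group>"
  version: "<agent_image_version>"
  gateways:
    apiGatewayHost: "<api_gateway_host>"
    coreEventsGatewayHost: "<core_events_gateway_host>"
    hardeningEventsGatewayHost: "<hardening_events_gateway_host>"
    runtimeEventsGatewayHost: "<runtime_events_gateway_host>"
  # Optional: per-component settings live under spec.components (see the CRD reference).
  # components: {}

# Deliberately NOT set: accessToken. With it absent the chart creates no Secret and
# the Operator expects cbcontainers-access-token (or the name given in
# accessTokenSecretName) to already exist; agentNamespace then has no effect.
```

Install with `helm install cbcontainers-agent ./cbcontainers-agent-chart -n cbcontainers-dataplane -f values.yaml` after the Operator and CRD are in place. Because this file contains no secret material, it can be committed to version control as-is.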

Customization

The way in which the Carbon Black Container components are installed is highly customizable.

You can set different properties for the components or enable and disable components by using the spec.components section of your values.yaml file.

For a list of all possible values, see Custom Resources Definitions.

Namespace

The Carbon Black Cloud Containers Agent will run in the same namespace as the deployed Operator. This is by design because only one running agent per cluster is supported. To customize that namespace, see operator-chart (external link).

The actual namespace where Helm tracks the release (see --namespace flag, external link) is not important to the Agent chart, but the recommended approach is to also use the same namespace as the Operator chart.

The agentNamespace value is only required if the Agent chart is responsible for deploying the Agent's secret as well. If the secret is pre-created before deploying the agent, then agentNamespace has no effect.

Secret Creation

Carbon Black API Key

For the Agent components to function correctly and communicate with the Carbon Black Cloud backend, an access token is required. This token is located in a secret. By default, the secret is named cbcontainers-access-token, but that name is configurable through the accessTokenSecretName property. If that secret does not exist, the Operator will not start any of the Agent components.

To create the secret as part of the chart installation, provide the accessToken value to the chart.

Inject this value from your pipeline in a secure way (for example, from a CI secret variable or a secrets manager); do not store the token as plain text in your values.yaml file.

To create the secret in an alternative, more secure way, do not set the accessToken value: the chart will then not create the secret object, and you create it yourself before installing the chart.

Important: Do not store the token in your source code.

Carbon Black Company Codes

For the agent CNDR component to function correctly and communicate with the Carbon Black Cloud backend, a company code is required. This code is located in a secret. By default, the secret is named cbcontainers-company-code, but that name is configurable through the components.cndr.companyCodeSecretName property.

If that secret does not exist, the CNDR component will fail.

If you want to create the secret as part of the chart installation, provide the companyCode value to the chart.

Inject this value from your pipeline in a secure way (for example, from a CI secret variable or a secrets manager); do not store the code as plain text in your values.yaml file.

To create the secret in an alternative, more secure way, do not set the companyCode value: the chart will then not create the secret object, and you create it yourself before installing the chart.

Important: Do not store the code in your source code.
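The pre-created Secrets that the two sections above (Carbon Black API Key and Carbon Black Company Codes) refer to, as an added example that is not part of the chart. Assumptions: the Secrets live in the Operator namespace (cbcontainers-dataplane by default), the data keys are named accessToken and companyCode, and the ${...} placeholders are substituted by your pipeline from a secret store at deploy time, never committed to the repository.

```yaml
# secrets.yaml (added example). Apply before `helm install cbcontainers-agent ...`
# and leave accessToken / companyCode unset in values.yaml so the chart does not
# create its own copies.
apiVersion: v1
kind: Secret
metadata:
  name: cbcontainers-access-token       # must match accessTokenSecretName if you changed it
  namespace: cbcontainers-dataplane     # assumption: the Operator namespace
type: Opaque
stringData:
  accessToken: "${CB_ACCESS_TOKEN}"     # assumption: key name; value injected by the pipeline
---
apiVersion: v1
kind: Secret
metadata:
  name: cbcontainers-company-code       # must match components.cndr.companyCodeSecretName if you changed it
  namespace: cbcontainers-dataplane
type: Opaque
stringData:
  companyCode: "${CB_COMPANY_CODE}"     # assumption: key name; value injected by the pipeline
```

From a pipeline, substitute and apply in one step, for example `envsubst < secrets.yaml | kubectl apply -f -`, so the rendered manifest never touches disk; `kubectl create secret generic cbcontainers-access-token -n cbcontainers-dataplane --from-literal=accessToken="$CB_ACCESS_TOKEN"` achieves the same without a file. Note that a Kubernetes Secret is only base64-encoded in etcd, not encrypted: restrict get/list on Secrets in the namespace to the Operator's service account and enable encryption at rest if the cluster does not already have it.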