This topic describes the official Helm charts for installing the Carbon Black Container Agent (Operator, CRD, and Agent components).
cbcontainers-operator
The cbcontainers-operator chart is the official Helm chart for installing the Carbon Black Container Operator and CRD. Helm 3 is supported.
You can install the chart without any customizations or modifications, and you can create the Helm release in any namespace. You can customize the namespace in which the Operator is installed.
To install the Helm chart from the source:
cd charts/cbcontainers-operator
helm install cbcontainers-operator ./cbcontainers-operator-chart
Parameter | Description | Default Value |
---|---|---|
spec.operator.image.repository | Repository of the Operator image | cbartifactory/octarine-operator |
spec.operator.image.version | Version of the Operator image | The latest version of the Operator image |
spec.operator.resources | Carbon Black Container Operator resources | {requests: {memory: "64Mi", cpu: "30m"}, limits: {memory: "256Mi", cpu: "200m"}} |
spec.rbacProxy.resources | Kube RBAC proxy resources | {requests: {memory: "64Mi", cpu: "30m"}, limits: {memory: "256Mi", cpu: "200m"}} |
spec.operator.environment | Environment variables to be set on the Operator pod | [] |
Namespace
By default, the Carbon Black Container Operator is installed in the cbcontainers-dataplane namespace. To change the namespace, set the operatorNamespace field in your values.yaml file.
The chart automatically creates the namespace. If you do not want that (for example, because you have already created the namespace), set the createOperatorNamespace field in your values.yaml file to false.
If the namespace is pre-created, it must also be labeled properly, or the Operator and Agent might not reconcile successfully. The following commands show an example of creating a custom namespace, labeling it, and installing the Operator inside it:
NAMESPACE=<your_value>
kubectl create namespace $NAMESPACE
kubectl label namespace $NAMESPACE control-plane=operator octarine=ignore
helm install cbcontainers-operator ./cbcontainers-operator-chart --set createOperatorNamespace=false,operatorNamespace=$NAMESPACE
CRD Installation
By default, installing the chart also creates the CBContainersAgent CRD.
To manage the CRD in a different way and not install it together with the chart, set the installCRD field in your values.yaml file to false.
HTTP Proxy
To use an HTTP proxy for communication with the Carbon Black Cloud backend, you must set three environment variables. These variables are exposed through the Values.operator.proxy parameters in the values.yaml file:
Values.operator.proxy.http
Values.operator.proxy.https
Values.operator.proxy.noProxy
See also Configuring Container Services to use HTTP Proxy.
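The three preceding sections (namespace, CRD, and HTTP proxy) together describe how an Operator chart installation is configured. The script below is an added example, not code from the cbcontainers-operator chart or its documentation: it writes a values.yaml for a pre-created, pre-labeled namespace with the CRD managed separately and a proxy configured, and it checks the namespace labels before `helm install` runs. The proxy host `proxy.corp.example`, the namespace `cb-operator`, the service CIDR `10.96.0.0/12` and the `OPERATOR_NS` variable are assumptions for the example; the values keys themselves (`operatorNamespace`, `createOperatorNamespace`, `installCRD`, `operator.proxy.*`, `spec.operator.*`) are the ones named above.

```shell
#!/bin/sh
# Added example for the cbcontainers-operator chart (not the chart's own code).
# Assumptions: namespace cb-operator, proxy host proxy.corp.example:3128,
# service CIDR 10.96.0.0/12.  Override OPERATOR_NS to change the namespace.
OPERATOR_NS="${OPERATOR_NS:-cb-operator}"

# Emit a values.yaml for the Operator chart: namespace pre-created (so the
# chart must not create it), CBContainersAgent CRD applied separately, and
# backend traffic routed through the corporate proxy.  Cluster-internal
# addresses (service CIDR, .svc, .cluster.local) stay in noProxy, otherwise the
# Operator's calls to the Kubernetes API server would also go to the proxy.
write_operator_values() {
    out="$1"
    cat > "$out" <<EOF
operatorNamespace: ${OPERATOR_NS}
createOperatorNamespace: false   # namespace is created and labeled out of band
installCRD: false                # CRD is managed outside this chart
operator:
  proxy:
    http: http://proxy.corp.example:3128
    https: http://proxy.corp.example:3128
    noProxy: 10.96.0.0/12,.svc,.cluster.local,localhost,127.0.0.1
spec:
  operator:
    resources:
      requests: {memory: "64Mi", cpu: "30m"}
      limits: {memory: "256Mi", cpu: "200m"}
EOF
}

# Labels a pre-created namespace must carry (same as the kubectl label command above).
REQUIRED_NS_LABELS="control-plane=operator octarine=ignore"

# Check that a namespace carries every required label.  Takes the comma-separated
# LABELS column of `kubectl get namespace <ns> --show-labels --no-headers`, so the
# check can run offline in tests and against kubectl output in a pipeline.
# Returns 0 when all labels are present, 1 otherwise.
check_namespace_labels() {
    labels="$1"
    missing=0
    for want in $REQUIRED_NS_LABELS; do
        case ",$labels," in
            *",$want,"*) ;;
            *) echo "namespace is missing label $want" >&2; missing=1 ;;
        esac
    done
    return $missing
}

# End-to-end flow against a live cluster (defined only; not run here).
install_operator() {
    kubectl create namespace "$OPERATOR_NS"
    kubectl label namespace "$OPERATOR_NS" control-plane=operator octarine=ignore
    current="$(kubectl get namespace "$OPERATOR_NS" --show-labels --no-headers | awk '{print $NF}')"
    check_namespace_labels "$current" || return 1
    write_operator_values ./operator-values.yaml
    helm install cbcontainers-operator ./cbcontainers-operator-chart -f ./operator-values.yaml
}
```

The label check is the piece worth keeping in a pipeline: a namespace created by another team or by a policy engine will often carry its own labels but not `control-plane=operator` and `octarine=ignore`, and the failure mode described above (Operator and Agent not reconciling) is much easier to diagnose before the release is installed than afterwards.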
Templates
The cbcontainers-operator chart consists of four templates.
The operator.yaml file contains all resources except for the Operator deployment. It is generated by kustomize. For more information, see config/default_chart.
The deployment.yaml file contains the Operator Deployment resource. It is derived from the Kustomize configuration. Because it must be configurable through Helm, it is heavily templated; therefore, it cannot be generated automatically and must be maintained by hand. If any changes are made to the Kustomize configuration, they must also be reflected in the deployment.yaml file.
The dataplane_rbac.yaml and dataplane_service_accounts files contain necessary RBAC objects for the Agent to work as expected.
cbcontainers-agent
The cbcontainers-agent chart is the official Helm chart for installing the Carbon Black Container Agent components. Helm 3 is supported.
Installation
Before you can install the chart, you must configure it. You must provide the following eight required fields:
Parameter | Description |
---|---|
spec.orgKey | Org key of the organization using Carbon Black Cloud |
spec.clusterName | Name of the cluster that will be added to Carbon Black Cloud |
spec.clusterGroup | The group that the cluster belongs to in Carbon Black Cloud |
spec.version | Version of the Agent images |
spec.gateways.apiGatewayHost | URL of the Carbon Black Cloud API gateway |
spec.gateways.coreEventsGatewayHost | URL of the Carbon Black Cloud core events gateway |
spec.gateways.hardeningEventsGatewayHost | URL of the Carbon Black Cloud hardening events gateway |
spec.gateways.runtimeEventsGatewayHost | URL of the Carbon Black Cloud runtime events gateway |
After setting these required fields in a values.yaml file, you can install the chart from source:
cd charts/cbcontainers-agent
helm install cbcontainers-agent ./cbcontainers-agent-chart -n cbcontainers-dataplane
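Because a missing required field only surfaces after the release is installed, a pipeline benefits from a gate that checks the values file first. The script below is an added example and not part of the cbcontainers-agent chart: it flattens a simple values.yaml into dotted keys and refuses to install unless all eight required fields from the table above are present and non-empty. It assumes a block-style values.yaml with two-space indentation and the top-level `spec` key that the parameter names above imply; the `install_agent` wrapper and the sample values in the test are constructed for the example.

```shell
#!/bin/sh
# Added example (not the chart's own code): pre-install gate for the eight
# required cbcontainers-agent values.  Assumes 2-space indented block YAML
# without lists or anchors, which is what a hand-written values.yaml uses.
REQUIRED_AGENT_FIELDS="spec.orgKey spec.clusterName spec.clusterGroup spec.version
spec.gateways.apiGatewayHost spec.gateways.coreEventsGatewayHost
spec.gateways.hardeningEventsGatewayHost spec.gateways.runtimeEventsGatewayHost"

# Flatten a simple YAML file into `dotted.key=value` lines, one per scalar.
# Comments, blank lines and keys without a scalar value (section headers) are
# dropped; surrounding double quotes and trailing comments are stripped.
flatten_yaml() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            match($0, /^ */); indent = RLENGTH
            line = substr($0, indent + 1)
            if (line !~ /^[A-Za-z0-9_.-]+:/) next
            key = line; sub(/:.*/, "", key)
            val = line; sub(/^[^:]*:[ \t]*/, "", val)
            sub(/[ \t]+#.*$/, "", val)          # trailing comment
            gsub(/^"|"$/, "", val)              # surrounding quotes
            depth = int(indent / 2)             # 2-space indentation assumed
            path[depth] = key
            full = path[0]
            for (d = 1; d <= depth; d++) full = full "." path[d]
            if (val != "") print full "=" val
        }' "$1"
}

# Return 0 when every required field is present with a non-empty value,
# 1 otherwise (each missing field is reported on stderr).
check_required_agent_values() {
    flat=$(flatten_yaml "$1")
    rc=0
    for field in $REQUIRED_AGENT_FIELDS; do
        # escape the dots so grep matches the literal dotted key
        pattern="^$(printf '%s' "$field" | sed 's/\./\\./g')=."
        if ! printf '%s\n' "$flat" | grep -q "$pattern"; then
            echo "values.yaml: required field $field is missing or empty" >&2
            rc=1
        fi
    done
    return $rc
}

# Pipeline step (defined only; not run here): gate, then install as documented.
install_agent() {
    values="$1"
    check_required_agent_values "$values" || return 1
    helm install cbcontainers-agent ./cbcontainers-agent-chart \
        -n cbcontainers-dataplane -f "$values"
}
```

Run it as `install_agent ./agent-values.yaml`; the gate exits non-zero with one line per missing field, so a CI job fails before any release object is created. The flattener is deliberately minimal (no lists, anchors or multi-line scalars), which covers the values this chart needs; for arbitrary YAML, use a real parser.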
Customization
The way in which the Carbon Black Container components are installed is highly customizable.
You can set different properties for the components or enable and disable components by using the spec.components section of your values.yaml file.
For a list of all possible values, see Custom Resources Definitions.
Namespace
The Carbon Black Cloud Containers Agent runs in the same namespace as the deployed Operator. This is by design, because only one running Agent per cluster is supported. To customize that namespace, see the operator chart.
The namespace in which Helm tracks the release (see the --namespace flag) does not matter to the Agent chart, but the recommended approach is to use the same namespace as the Operator chart.
The agentNamespace value is only required if the Agent chart is also responsible for deploying the Agent's secret. If the secret is pre-created before the Agent is deployed, agentNamespace has no effect.
Secret Creation
Carbon Black API Key
For the Agent components to function correctly and communicate with the Carbon Black Cloud backend, an access token is required. This token is stored in a secret. By default, the secret is named cbcontainers-access-token, but that name is configurable through the accessTokenSecretName property. If that secret does not exist, the Operator will not start any of the Agent components.
To create the secret as part of the chart installation, provide the accessToken value to the chart.
Inject this value as part of your pipeline in a secure way; do not store the secret as plain text in your values.yaml file.
To create the secret in an alternative and more secure way, do not set the accessToken value: the chart will then not create the secret objects.
Carbon Black Company Codes
For the Agent CNDR component to function correctly and communicate with the Carbon Black Cloud backend, a company code is required. This code is stored in a secret. By default, the secret is named cbcontainers-company-code, but that name is configurable through the components.cndr.companyCodeSecretName property.
If that secret does not exist, the CNDR component will fail.
To create the secret as part of the chart installation, provide the companyCode value to the chart.
Inject this value as part of your pipeline in a secure way; do not store the secret as plain text in your values.yaml file.
To create the secret in an alternative and more secure way, do not set the companyCode value: the chart will then not create the secret objects.
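Both secret sections above describe the same pattern: leave accessToken and companyCode out of values.yaml, create the secrets out of band, and let the chart skip secret creation. The script below is an added example, not code from the cbcontainers-agent chart, showing how a pipeline can do that from environment variables. The data keys `accessToken` and `companyCode` inside the secrets are assumptions (this page only names the secrets, not their keys), as are the variables `CBC_ACCESS_TOKEN`, `CBC_COMPANY_CODE`, `AGENT_NS`, `ACCESS_TOKEN_SECRET_NAME` and `COMPANY_CODE_SECRET_NAME`; the secret names default to the ones documented above.

```shell
#!/bin/sh
# Added example (not the chart's own code): create the Agent secrets out of band
# so that the token and company code never appear in values.yaml.
# Assumptions: data keys accessToken / companyCode, namespace cbcontainers-dataplane,
# and values supplied by the pipeline in CBC_ACCESS_TOKEN / CBC_COMPANY_CODE.
AGENT_NS="${AGENT_NS:-cbcontainers-dataplane}"

# Print an Opaque Secret manifest.  stringData lets the API server do the base64
# encoding, so the plaintext never passes through a second tool or a log line.
# The value is emitted as a YAML double-quoted scalar, so it must not itself
# contain a double quote or backslash (tokens and codes normally do not).
render_secret() {
    name="$1"; ns="$2"; key="$3"; value="$4"
    if [ -z "$value" ]; then
        echo "render_secret: empty value for $name/$key (is the pipeline variable set?)" >&2
        return 1
    fi
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${ns}
type: Opaque
stringData:
  ${key}: "${value}"
EOF
}

# Secret read by the Operator for the access token; the name must match the
# chart's accessTokenSecretName if that was changed from the default.
render_access_token_secret() {
    render_secret "${ACCESS_TOKEN_SECRET_NAME:-cbcontainers-access-token}" \
        "$AGENT_NS" accessToken "$1"
}

# Secret read by the CNDR component; name must match components.cndr.companyCodeSecretName.
render_company_code_secret() {
    render_secret "${COMPANY_CODE_SECRET_NAME:-cbcontainers-company-code}" \
        "$AGENT_NS" companyCode "$1"
}

# Pipeline step (defined only; not run here).  Apply both secrets first, then
# install the chart with a values file that sets neither accessToken nor
# companyCode, so the chart leaves the pre-created secrets alone.
apply_agent_secrets() {
    render_access_token_secret "$CBC_ACCESS_TOKEN" | kubectl apply -f - || return 1
    render_company_code_secret "$CBC_COMPANY_CODE" | kubectl apply -f - || return 1
}
```

Piping the rendered manifest straight into `kubectl apply -f -` keeps the secret out of the repository and out of `helm get values` output, which is the point of the "more secure way" described above; the empty-value check makes a missing CI variable fail loudly instead of creating a secret with an empty token that the Operator would then reject at runtime.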