Before you install or upgrade Carbon Black Cloud Container Essentials, make sure your environment meets the supported requirements. To enable Container Essentials, you must install one Carbon Black Cloud Kubernetes Agent per Kubernetes cluster.

Cluster Configuration

  • The Kubernetes cluster is v1.13+ with admission control plug-in ValidatingAdmissionWebhook enabled.
  • You must have administrator privileges on the Kubernetes cluster. See the README file on


  • The Kubernetes cluster nodes can access the URL of the CBC environment for https requests on port 443. The URL is the CBC environment you are working with.
  • The Kubernetes cluster nodes can access the Event Stream URL for gRPC traffic on port 443.
    Table 1. URLs
    URL of the CBC Environment Event Stream URL
  • Cluster nodes can pull container images from the dockerhub registry.

Cluster Resource Usage

  • 600 MB of memory
  • 1 CPU core available

CLI Client for Image Scanning - cbctl

  • macOS or Linux operating systems.
  • The CLI Client requires the config file in the $HOME/.cbctl directory. You can specify other cbctl config files by setting the

    --config flag.

Roles in the Carbon Black Cloud Console

On the Carbon Black Cloud console, you must be assigned the following roles:

  • Kubernetes Security DevOps or Super Admin role
  • Kubernetes Security Developer role for view only mode.