This page is an aggregate of all OER topics onto a single page for more convenient HTML viewing.

Cluster Configuration

  • The Kubernetes cluster is v1.13+ with admission control plug-in ValidatingAdmissionWebhook enabled.
  • You must have administrator privileges on the Kubernetes cluster. See the README file on


  • The Kubernetes cluster nodes can access the URL of the CBC environment for https requests on port 443. The URL is the CBC environment you are working with.
  • The Kubernetes cluster nodes can access the Event Stream URL for gRPC traffic on port 443.
    Table 1. URLs
    URL of the CBC Environment Event Stream URL
  • Cluster nodes can pull container images from the dockerhub registry.

Cluster Resource Usage

  • 600 MB of memory
  • 1 CPU core available

CLI Client for Image Scanning - cbctl

  • macOS or Linux operating systems.
  • The CLI Client requires the config file in the $HOME/.cbctl directory. You can specify other cbctl config files by setting the

    --config flag.

Roles in the Carbon Black Cloud Console

On the Carbon Black Cloud console, you must be assigned the following roles:

  • Kubernetes Security DevOps or Super Admin role
  • Kubernetes Security Developer role for view only mode.

VMware Container Security Compatibility Matrix

The compatibility matrix provides information on the supported combination of Carbon Black Cloud Operator and Kubernetes Sensor you need to set up on your Kubernetes clusters.

The supported Kubernetes platforms for all versions are:

  • Amazon Elastic Kubernetes Service (EKS)
  • Google Kubernetes Engine (GKE)
  • Managed Kubernetes Service (AKS).

For information regarding the Operator and the Kubernetes Sensor, see Set Up the Kubernetes Sensor.

Kubernetes Version Operator Kubernetes Sensor
1.13 - 1.22 5.1 2.0-latest
1.13 - 1.22 5.0 2.0-latest
1.13 - 1.22 4.0 2.0-latest
Note: Onwards, the Kubernetes sensor version sequence changes from 21.9 to 2.0.
1.13 - 1.22 3.3 21.9
1.13 - 1.21 3.0 21.4 - 21.7
1.13 - 1.21 2.0 21.0 - 21.3