See how to set up and deploy the Carbon Black Cloud Kubernetes Sensor on your Kubernetes clusters.

The deployment and setup of the Kubernetes Sensor is performed with the help of a Kubernetes specific extension, called operator, along with an operator resource definition. Operators consist of set of controllers that deploy and manage components, defined by the user, and report on their health. The user defines the components with a custom resource definition.

The Carbon Black Cloud Operator deploys the Kubernetes Sensor inside the cluster and manages its lifecycle. The data in the custom resource file defines which features are enabled for the sensor. The essential steps of the sensor deployment procedure are:
  • Setup and install the Carbon Black Cloud Operator
  • Allow access to the Carbon Black Cloud console and
  • Provide the Kubernetes Sensor configuration.


  1. Sign in to the Carbon Black Cloud console.
  2. On the left navigation pane, do one of the following depending on your system configuration and role:
    • If you are assigned Kubernetes Security DevOps role and your system has only Containers Security feature,

      select Inventory > Clusters.

    • If you are assigned any other role and your system has Containers Security and other Carbon Black Cloud features,

      select Inventory > Kubernetes > Clusters.

  3. To add your Kubernetes cluster to the Carbon Black Cloud console, click Add Cluster.
    The Add Cluster setup wizard appears.
  4. On the Cluster Detail page, define the cluster that you are adding to the Carbon Black Cloud console.
    Attribute Description
    Cluster name Enter the name of the cluster. The cluster name must be unique, and it cannot contain a colon (:) symbol.
    Cluster group

    You are able to create a high level grouping for your clusters, by defining cluster groups during the setup of the Kubernetes Sensor. By creating a cluster group, you can then specify a scope for your Kubernetes policies, spanning over that cluster group. The cluster group is also used for observing the network activity map of your clusters.

    • Select an already existing cluster group from the list.
    • If you don't want to create or use cluster groups, enter default.
  5. On the Authentication page, you must provide a dedicated to the Kubernetes Sensor API key to establish the communication between your Kubernetes cluster and the Carbon Black Cloud console.

    Do not reuse keys between clusters. Use a separate Carbon Black Cloud API key for each cluster. Existing keys can only be used to reinstall the Kubernetes Sensor.

    Do one of the following:

    • Click to enable the checkbox Generate a new API key and enter an API key name that is unique to your Carbon Black Cloud organization.
    • Click to enable the checkbox Use existing API key and select an existing API key.
  6. On the Sensor page, make the following selections:
    1. Define the version of the Kubernetes Sensor to install on your cluster. The latest sensor version is set by default.
    2. Define the features you want to install, for example Runtime protection.
  7. On the Finish Setup page, execute consecutively the commands in the terminal of your Kubernetes environment.
    Command Description
    First command The first command is about installing the Carbon Black Cloud Operator on your cluster, if it is not already installed, along with an operator resource definition. If the Carbon Black Cloud Operator is already installed, you can skip this command.

    To determine whether the operator is installed, in the terminal of your Kubernetes environment, run the command:

    kubectl get pods -A -l control-plane=operator

    If the Carbon Black Cloud Operator is there, you see the pod name and status.

    Important: The Carbon Black Cloud Operator resource definition might change between Kubernetes versions. The script automatically detects your Kubernetes version and determines the proper resource file to use.
    Second command The second command is about saving the API key as a Kubernetes secret in your cluster. Alternatively, you can add the secret to secrets management tool.
    Third command The third command is about installing the Kubernetes Sensor. You can alternatively use the YAML details as a command.
  8. Click Done.

    You see the cluster on the Clusters tab and the cluster status set to Pending install.

    It takes up to 5 minutes for the cluster to stabilize during the initial setup.

    During this time, the status might display as an error. We recommend waiting three to five minutes after submitting the install request to verify the correct status.


After completing the setup procedure successfully, the status changes to Running.