Setting up Cloud Security Management on Kubernetes

Documentos > Datadog Security > Cloud Security Management > Configuración de Cloud Security Management > Despliegue de Cloud Security Management en el Agent > Setting up Cloud Security Management on Kubernetes

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Use the following instructions to enable Misconfigurations, Threat Detection, and Vulnerability Management.

Collecting events using Cloud Security Management will affect your billing. For more information, see Datadog Pricing.

Prerequisites

Latest Datadog Agent version. For installation instructions, see Getting Started with the Agent or install the Agent from the Datadog UI.

Note: SBOM collection is not compatible with the image streaming feature in Google Kubernetes Engine (GKE). To disable it, see the Disable Image streaming section of the GKE docs.

Installation

Add the following to the spec section of the datadog-agent.yaml file:

# datadog-agent.yaml file
apiVersion: datadoghq.com/v2alpha1
kind: DatadogAgent
metadata:
  name: datadog
spec:
  features:
    remoteConfiguration:
      enabled: true
    # Enables Threat Detection
    cws:
      enabled: true
    # Enables Misconfigurations
    cspm:
      enabled: true
      hostBenchmarks:
        enabled: true
    # Enables the image metadata collection and Software Bill of Materials (SBOM) collection
    sbom:
      enabled: true
      # Enables Container Vulnerability Management
      # Image collection is enabled by default with Datadog Operator version `>= 1.3.0`
      containerImage:
        enabled: true

        # Uncomment the following line if you are using Google Kubernetes Engine (GKE) or Amazon Elastic Kubernetes (EKS)
        # uncompressedLayersSupport: true

      # Enables Host Vulnerability Management
      host:
        enabled: true

Apply the changes and restart the Agent.

Add the following to the datadog section of the datadog-values.yaml file:

# datadog-values.yaml file
datadog:
  remoteConfiguration:
    enabled: true
  securityAgent:
    # Enables Threat Detection
    runtime:
      enabled: true
    # Enables Misconfigurations
    compliance:
      enabled: true
      host_benchmarks:
        enabled: true
  sbom:
    containerImage:
      enabled: true

      # Uncomment the following line if you are using Google Kubernetes Engine (GKE) or Amazon Elastic Kubernetes (EKS)
      # uncompressedLayersSupport: true

    # Enables Host Vulnerability Management
    host:
      enabled: true

    # Enables Container Vulnerability Management
    # Image collection is enabled by default with Datadog Helm version `>= 3.46.0`
    # containerImageCollection:
    #   enabled: true

Restart the Agent.

Add the following settings to the env section of security-agent and system-probe in the daemonset.yaml file:

  # Source: datadog/templates/daemonset.yaml
  apiVersion:app/1
  kind: DaemonSet
  [...]
  spec:
  [...]
  spec:
      [...]
        containers:
        [...]
          - name: agent
            [...]
            env:
              - name: DD_REMOTE_CONFIGURATION_ENABLED
                value: "true"
          - name: system-probe
            [...]
            env:
              - name: DD_RUNTIME_SECURITY_CONFIG_ENABLED
                value: "true"
              - name: DD_RUNTIME_SECURITY_CONFIG_REMOTE_CONFIGURATION_ENABLED
                value: "true"
              - name: DD_COMPLIANCE_CONFIG_ENABLED
                value: "true"
              - name: DD_COMPLIANCE_CONFIG_HOST_BENCHMARKS_ENABLED
                value: "true"
              - name: DD_SBOM_CONTAINER_IMAGE_USE_MOUNT
                value: "true"
          [...]