Setting up Workload Protection on Kubernetes
Use the following instructions to enable Workload Protection.
Collecting events using Workload Protection will affect your billing. For more information, see Datadog Pricing.
Prerequisites
Note: SBOM collection is not compatible with the image streaming feature in Google Kubernetes Engine (GKE). To disable it, see the Disable Image streaming section of the GKE docs.
Installation
Workload Protection's Kubernetes user session instrumentation is in Preview!
Workload Protection now integrates with Kubernetes to collect [Kubernetes user credentials][8] and enrich your events with real user identities to help you investigate signals. Follow the optional instructions below to test the preview.
[8]: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#users-in-kubernetes
Datadog Operator: add the following to the spec section of the datadog-agent.yaml file:
```yaml
# datadog-agent.yaml file
apiVersion: datadoghq.com/v2alpha1
kind: DatadogAgent
metadata:
  name: datadog
spec:
  features:
    # PREVIEW - Integrate with Kubernetes to enrich Workload Protection events with Kubernetes user identities
    # admissionController:
    #   enabled: true
    #   cwsInstrumentation:
    #     enabled: true
    remoteConfiguration:
      enabled: true
    # Enables Threat Detection
    cws:
      enabled: true
    # Enables Misconfigurations
    cspm:
      enabled: true
      hostBenchmarks:
        enabled: true
    # Enables the image metadata collection and Software Bill of Materials (SBOM) collection
    sbom:
      enabled: true
      # Enables Container Vulnerability Management
      # Image collection is enabled by default with Datadog Operator version `>= 1.3.0`
      containerImage:
        enabled: true
        # Uncomment the following line if you are using Google Kubernetes Engine (GKE) or Amazon Elastic Kubernetes (EKS)
        # uncompressedLayersSupport: true
      # Enables Host Vulnerability Management
      host:
        enabled: true
```
(optional) Uncomment the admissionController section if you want to test the preview of Workload Protection's integration with Kubernetes for user identity collection.
Apply the changes and restart the Agent.
Helm: add the following to the datadog section of the datadog-values.yaml file:
```yaml
# datadog-values.yaml file
# PREVIEW - Integrate with Kubernetes to enrich Workload Protection events with Kubernetes user identities
# clusterAgent:
#   admissionController:
#     enabled: true
#     cwsInstrumentation:
#       enabled: true
datadog:
  remoteConfiguration:
    enabled: true
  securityAgent:
    # Enables Threat Detection
    runtime:
      enabled: true
    # Enables Misconfigurations
    compliance:
      enabled: true
      host_benchmarks:
        enabled: true
  sbom:
    containerImage:
      enabled: true
      # Uncomment the following line if you are using Google Kubernetes Engine (GKE) or Amazon Elastic Kubernetes (EKS)
      # uncompressedLayersSupport: true
    # Enables Host Vulnerability Management
    host:
      enabled: true
  # Enables Container Vulnerability Management
  # Image collection is enabled by default with Datadog Helm version `>= 3.46.0`
  # containerImageCollection:
  #   enabled: true
```
(optional) Uncomment the clusterAgent section if you want to test the preview of Workload Protection's integration with Kubernetes for user identity collection.
Restart the Agent.
DaemonSet: add the following settings to the env section of security-agent and system-probe in the daemonset.yaml file:
```yaml
# Source: datadog/templates/daemonset.yaml
apiVersion: apps/v1
kind: DaemonSet
[...]
spec:
  [...]
  template:
    [...]
    spec:
      [...]
      containers:
        [...]
        - name: agent
          [...]
          env:
            - name: DD_REMOTE_CONFIGURATION_ENABLED
              value: "true"
        - name: system-probe
          [...]
          env:
            - name: DD_RUNTIME_SECURITY_CONFIG_ENABLED
              value: "true"
            - name: DD_RUNTIME_SECURITY_CONFIG_REMOTE_CONFIGURATION_ENABLED
              value: "true"
            - name: DD_COMPLIANCE_CONFIG_ENABLED
              value: "true"
            - name: DD_COMPLIANCE_CONFIG_HOST_BENCHMARKS_ENABLED
              value: "true"
            - name: DD_SBOM_CONTAINER_IMAGE_USE_MOUNT
              value: "true"
  [...]
```
(optional) Add the following settings to the env section of cluster-agent in the cluster-agent-deployment.yaml file if you want to test the preview of Workload Protection's integration with Kubernetes for user identity collection:
```yaml
# Source: datadog/templates/cluster-agent-deployment.yaml
apiVersion: apps/v1
kind: Deployment
[...]
spec:
  [...]
  template:
    [...]
    spec:
      [...]
      containers:
        [...]
        - name: cluster-agent
          [...]
          env:
            - name: DD_ADMISSION_CONTROLLER_ENABLED
              value: "true"
            - name: DD_RUNTIME_ADMISSION_CONTROLLER_CWS_INSTRUMENTATION_ENABLED
              value: "true"
```
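A setting that was edited in a manifest but never applied, or later overwritten by a Helm upgrade, silently leaves threat detection or compliance collection off. The script below is an added example (not Datadog's documentation or tooling) that reads the JSON `kubectl get daemonset <name> -n <namespace> -o json` prints for the deployed object and reports every env setting from the DaemonSet and Cluster Agent snippets above that is missing or set to a different value. The sample manifest embedded in it is constructed, the function names (`container_env`, `find_missing`, `audit`, `fetch`) are mine, and the object names `datadog` and `datadog-cluster-agent` used when it is run against a live cluster are assumptions you should adjust to your installation.

```python
"""Check that the Workload Protection env settings from the DaemonSet and
Cluster Agent snippets are present on a deployed object.

Added example for this page, not part of Datadog's documentation or tooling.
It consumes the JSON that `kubectl get daemonset <name> -n <ns> -o json`
prints, which is the same object the YAML above describes, serialised by
the API server.
"""
import json
import subprocess
import sys

# Required settings per container, as listed in the daemonset.yaml snippet.
REQUIRED_ENV = {
    "agent": {"DD_REMOTE_CONFIGURATION_ENABLED": "true"},
    "system-probe": {
        "DD_RUNTIME_SECURITY_CONFIG_ENABLED": "true",
        "DD_RUNTIME_SECURITY_CONFIG_REMOTE_CONFIGURATION_ENABLED": "true",
        "DD_COMPLIANCE_CONFIG_ENABLED": "true",
        "DD_COMPLIANCE_CONFIG_HOST_BENCHMARKS_ENABLED": "true",
        "DD_SBOM_CONTAINER_IMAGE_USE_MOUNT": "true",
    },
}

# Optional preview settings from the cluster-agent-deployment.yaml snippet.
PREVIEW_ENV = {
    "cluster-agent": {
        "DD_ADMISSION_CONTROLLER_ENABLED": "true",
        "DD_RUNTIME_ADMISSION_CONTROLLER_CWS_INSTRUMENTATION_ENABLED": "true",
    },
}

# Constructed sample (not captured from a real cluster): a DaemonSet where only
# part of the snippet was applied, trimmed to the fields the check reads.
SAMPLE_DAEMONSET_JSON = """
{
  "apiVersion": "apps/v1",
  "kind": "DaemonSet",
  "metadata": {"name": "datadog", "namespace": "datadog"},
  "spec": {"template": {"spec": {"containers": [
    {"name": "agent", "env": [
      {"name": "DD_API_KEY",
       "valueFrom": {"secretKeyRef": {"name": "datadog-secret", "key": "api-key"}}},
      {"name": "DD_REMOTE_CONFIGURATION_ENABLED", "value": "true"}]},
    {"name": "system-probe", "env": [
      {"name": "DD_RUNTIME_SECURITY_CONFIG_ENABLED", "value": "true"},
      {"name": "DD_RUNTIME_SECURITY_CONFIG_REMOTE_CONFIGURATION_ENABLED", "value": "true"},
      {"name": "DD_COMPLIANCE_CONFIG_ENABLED", "value": "false"},
      {"name": "DD_SBOM_CONTAINER_IMAGE_USE_MOUNT", "value": "true"}]}
  ]}}}
}
"""


def container_env(workload):
    """Map container name -> {env name: literal value} for a DaemonSet or
    Deployment. Entries that use valueFrom (secrets, fieldRef) carry no
    literal value and are stored as None."""
    pod_spec = workload["spec"]["template"]["spec"]
    return {
        c["name"]: {e["name"]: e.get("value") for e in c.get("env", [])}
        for c in pod_spec.get("containers", [])
    }


def find_missing(workload, required):
    """Return one finding per required setting that is absent or differs.
    An empty list means the object matches the snippet."""
    envs = container_env(workload)
    findings = []
    for cname, wanted in required.items():
        if cname not in envs:
            findings.append(f"container '{cname}' not found")
            continue
        for key, value in wanted.items():
            if key not in envs[cname]:
                findings.append(f"{cname}: {key} is not set")
            elif envs[cname][key] is None:
                findings.append(f"{cname}: {key} uses valueFrom, verify it manually")
            elif envs[cname][key].lower() != value:
                findings.append(f"{cname}: {key}='{envs[cname][key]}', expected '{value}'")
    return findings


def audit(manifest_json, required):
    """Parse kubectl's JSON output and run the check."""
    return find_missing(json.loads(manifest_json), required)


def fetch(kind, name, namespace):
    """Read the live object via kubectl (assumes kubectl is on PATH and
    pointed at the target cluster)."""
    result = subprocess.run(
        ["kubectl", "get", kind, name, "-n", namespace, "-o", "json"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


if __name__ == "__main__":
    if len(sys.argv) < 2:
        # No namespace given: run against the constructed sample.
        findings = audit(SAMPLE_DAEMONSET_JSON, REQUIRED_ENV)
    else:
        ns = sys.argv[1]
        # Object names are assumptions; adjust them to your installation.
        findings = audit(fetch("daemonset", "datadog", ns), REQUIRED_ENV)
        findings += audit(fetch("deployment", "datadog-cluster-agent", ns), PREVIEW_ENV)
    for finding in findings:
        print(finding)
    sys.exit(1 if findings else 0)
```

Run without arguments to see the two findings the constructed sample produces (compliance disabled, host benchmarks unset); pass a namespace to check a live cluster instead. Settings injected through valueFrom are reported separately rather than compared, because the literal value is not visible in the object. The non-zero exit status lets the check sit in a CI or scheduled job that fails when the Workload Protection flags drift.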