Get started with CWP for Kubernetesedit

This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

This page describes how to set up Cloud Workload Protection (CWP) for Kubernetes.

Initial setupedit

First, you’ll need to deploy Elastic’s Defend for Containers integration to the Kubernetes clusters you wish to monitor.

  1. Go to Manage > Container Workload Security > Add D4C Integration.
  2. Name the integration. The default name, which you can change, is cloud_defend-1.
  3. Optional — make any desired changes to the integration’s policy by adjusting the Selectors and Responses sections. (For more information, refer to the Defend for Containers policy guide). You can also change these later.
  4. Under Where to add this integration, select an existing or new agent policy.
  5. Click Save & Continue, then Add Elastic Agent to your hosts.
  6. On the Elastic Agent policy page, click Add agent to open the Add agent flyout.
  7. In the flyout, go to step 3 (Install Elastic Agent on your host) and select the Kubernetes tab.
  8. Download or copy the manifest (elastic-agent-managed-kubernetes.yml).
  9. Open the manifest using your favorite editor, and uncomment the #capabilities section:

    #capabilities:
    #  add:
    #    - BPF # (since Linux 5.8) allows loading of BPF programs, create most map types, load BTF, iterate programs and maps.
    #    - PERFMON # (since Linux 5.8) allows attaching of BPF programs used for performance metrics and observability operations.
    #    - SYS_RESOURCE # Allow use of special resources or raising of resource limits. Used by 'Defend for Containers' to modify 'rlimit_memlock'
  10. From the directory where you saved the manifest, run the command kubectl apply -f elastic-agent-managed-kubernetes.yml.
  11. Wait for the Confirm agent enrollment dialogue to show that data has started flowing from your newly-installed agent, then click Close.

Get started with threat detectionedit

One of the default D4C policies sends process telemetry events (fork and exec) to Elasticsearch.

In order to detect threats using this data, you’ll need active detection rules. Elastic has prebuilt detection rules designed for this data. (You can also create your own custom rules.)

To install and enable the prebuilt rules:

  1. Go to Security > Rules > Detection rules (SIEM), then click Add Elastic rules.
  2. Click the Tags filter next to the search bar, and search for the Data Source: Elastic Defend for Containers tag.
  3. Select all the displayed rules, then click Install x selected rule(s).
  4. Return to the Rules page. Click the Tags filter next to the search bar, and search for the Data Source: Elastic Defend for Containers tag.
  5. Select all the rules with the tag, and then click Bulk actions > Enable.

Get started with drift detection and preventionedit

Elastic Security defines container drift as the creation or modification of an executable within a container. Blocking drift restricts the number of attack vectors available to bad actors by prohibiting them from using external tools.

To enable drift detection, you can use the default D4C policy:

  1. Make sure the default D4C policy is active.
  2. Make sure you enabled at least the "Container Workload Protection" rule, by following the steps to install prebuilt rules, above.

To enable drift prevention, create a new policy:

  1. Add a new selector called blockDrift.
  2. Go to Security > Manage > Container Workload Security > Your integration name.
  3. Under Selectors, click Add selector > File Selector. By default, it selects the operations createExecutable and modifyExecutable.
  4. Name the selector, for example: blockDrift.
  5. Scroll down to the Responses section and click Add response > File Response.
  6. Under Match selectors, add the name of your new selector, for example: blockDrift.
  7. Select the Alert and Block actions.
  8. Click Save integration.

Before you enable blocking, we strongly recommend you observe a production workload that’s using the default D4C policy to ensure that the workload does not create or modify executables as part of its normal operation.

Policy validationedit

To ensure the stability of your production workloads, you should test policy changes before implementing them in production workloads. We also recommend you test policy changes on a simulated environment with workloads similar to production. This approach allows you to test that policy changes prevent undesirable behavior without disrupting your production workloads.