Use case — Runtime Threat Mapping for AKS using Deepfence ThreatMapper

Use case — Runtime Threat Mapping for AKS using Deepfence ThreatMapper
July 6, 2020

Last month we had described how to install Deepfence community edition i.e. ThreatMapper on AWS ECS, and use it for vulnerability scanning of hosts and containers. Last week, we also removed all node and usage restrictions from Deepfence ThreatMapper; now you can visualize and scan unlimited number of hosts, containers and pods, at runtime as well as container images out of container registries, as a part of CI/CD pipelines. This article will delve into usage of ThreatMapper on Microsoft AKS for visualization and scanning of VMs, containers and pods at runtime as well as images from Azure container registry.

Getting Started

Deepfence installation consists of two components namely Deepfence Management Console, which is installed outside of a cluster being threat mapped (for obvious reasons!), and super lightweight Deepfence agents, which are deployed as daemonset on an AKS cluster.

Installing Deepfence Management Console

We will briefly mention the steps for a single node installation of management console here.

  1. Spin up a Linux VM instance with at least 4 cores, 16GB RAM and 120GB disk space. This configuration can support up to 250 node AKS cluster depending upon your load. For larger clusters, you may need to upgrade the console as mentioned in Pre-requisites.
  2. Download docker compose file from here
  3. Run docker-compose as follows

docker-compose -f docker-compose.yml up -d

Give it a few seconds and you are ready to register your product installation as described here.

Installing Deepfence Agent on AKS

  1. First, connect to your AKS cluster using the following command (change your cluster and resource group names appropriately). Note that Azure Command line tools have to be installed as a pre-requisite.

az aks get-credentials --name MyCluster --resource-group MyResourceGroup

2. If the IP address of the VM or host that has the Deepfence management console is, then edit the kubernetes-agent.yml file, and change the value of MGMT_CONSOLE_IP_ADDR to

3. Install ‘kubectl’ using the command:

az aks install-cli

Once done, run this command to start deepfence agent daemonset in all nodes in the AKS cluster:

kubectl apply -f kubernetes-agent.yml

4. It may take few minutes for deepfence agents to get installed and show up on the console UI. You can check the status of agent installation using the following command:

kubectl get ds deepfence-agent-daemon -n deepfence --watch

Once the agents are installed you can visualize the nodes, containers and pods from the topology tab on the console UI.

A view of the topology screen in ThreatMapper

You can click on individual nodes in the topology view to initiate various tasks like vulnerability scanning. You can scan the nodes, containers and pods for vulnerabilities after the vulnerability database is populated (it can take up to 30–60 minutes for vulnerability database to download, and the download status of the vulnerability database is shown on the notification panel).

You can also initiate vulnerability scans on any number of number of nodes by using our APIs.

A view of the options available for vulnerability scanning in ThreatMapper

You can visualize the vulnerabilities found on each node by navigating to Vulnerabilities tab. Users can also find a ranked list of the most Exploitable Vulnerabilities across images, so that they can focus on addressing the important vulnerabilities first. Optionally, users can also tag and scan a subset of nodes, by using user defined tags.

You can also scan for vulnerabilities in images stored in Azure Container Registry from the registry scanning dashboard. First, you will need to click the Azure tab and then “Add registry” button. Then, you need to add the registry name, URL, username and password to populate available images as shown the image below. After that you can select the images to scan and click the scan button.

A view of the Azure registry scan settings

Finally, you can send vulnerability scanning reports to various SIEM and notification channels like Slack, PagerDuty, Splunk, ElasticSearch etc. by navigating to the Notifications tab.

Please reply back to give any feedback for improvement or if you need any additional features. If you face any issues, you can file a ticket on GitHub issue tracker.