Use case — Runtime Threat Mapping for Bottlerocket containers using Deepfence ThreatMapper

Use case — Runtime Threat Mapping for Bottlerocket containers using Deepfence ThreatMapper
September 28, 2020

You can use Deepfence ThreatMapper to visualize and scan unlimited number of hosts, containers, and pods at runtime as well as container images out of container registries, as part of CI/CD pipelines. In last few articles, we described how to install Deepfence community edition i.e. ThreatMapper on AWS ECS, Azure AKS, Google GKE, as well as Oracle OKE, and how to use it for vulnerability scanning of hosts and containers.

Deepfence ThreatMapper also supports Bottlerocket OS on Amazon ECS and EKS. Lightweight Bottlerocket OS with its reduced attack surface provides the perfect foundation for Deepfence to build our attack detection engine and ensure security and availability of your mission critical applications. In this article will explore the usage of Deepfence ThreatMapper for visualization and scanning of Bottlerocket based clusters. The installation procedure is the same for Bottlerocket based clusters as other clusters except for a few changes in the configuration parameters.

Bottlerocket OS

Bottlerocket is a lightweight Linux based OS built by Amazon for running containers efficiently in a secure manner. It is a stripped down version of Linux which contains only the basic required packages to run containers and provides easy updates. Some of the benefits of using Bottlerocket OS are as follows:

  1. Lower management overhead: General-purpose operating systems are updated package-by-package, which makes OS updates difficult to automate. Updates to Bottlerocket are applied in a single step rather than package-by-package. This single-step update process helps reduce management overhead by making OS updates easy to automate using container orchestration services such as Amazon EKS and Amazon ECS, thus reducing operational costs.
  2. High availability: The easy single-step updates also improve uptime for container applications by minimizing update failures and enabling easy update rollbacks when failures happen.
  3. Improved security: Bottlerocket is mostly written in a memory safe language like Rust which drastically reduces security issues due to memory safety. Bottlerocket also uses a read-only file system whose integrity is validated at boot time. Further, Bottlerocket includes only the essential software to run containers, which improves resource usage and reduces the attack surface making it a lot more secure compared to general purpose OS.
  4. Better performance: Bottlerocket is also optimized to run on EC2 making it much more efficient and has built-in integrations with AWS services for container orchestration, registries etc.
  5. Open source development model: Bottlerocket’s open development model enables customers and partners to produce custom builds for their specific needs, for example, builds that support their preferred orchestrators.
How to Use Bottlerocket OS on EC2 (from:

To use Bottlerocket OS, first choose the Bottlerocket AMI and launch an EC2 instance. Next, you can enroll your instance into an EKS cluster using the EKS command line tool eksctl. You can manage updates to your EC2 instance seamlessly using EKS. Now, let us look at how to use Deepfence ThreatMapper to further secure your Bottlerocket based EKS cluster.

Installing Deepfence Management Console

We will briefly repeat the steps for a single node installation of management console here:

  1. Spin up a Linux VM instance with at least 4 cores, 16GB RAM, and 120GB disk space. This configuration can support up to 250 node cluster depending upon load. For larger clusters, you will need to upgrade the console as mentioned in the pre-requisites.
  2. Download the docker compose file from here.
  3. Run docker-compose as follows:

docker-compose -f docker-compose.yml up -d

Give it a few seconds and you are ready to register your product installation as described here.

Installing the Deepfence sensor on Bottlerocket based clusters

  1. After creating a Bottlerocket based EKS or ECS cluster, install kubectl using the following instructions to connect to your ECS or EKS cluster:

2. Then, provide proper IAM authorization for kubectl to connect with to your cluster. Amazon EKS uses the aws eks get-token command, available in version 1.16.156 or later of the AWS CLI or the aws-iam-authenticator command with kubectl for cluster authentication.

3. Get the Deepfence API key from the UI for connecting sensors: Go to Settings -> User Management and copy the API key.

Deepfence API Key

4. If the IP address of the VM or host that has the Deepfence management console is, then edit the kubernetes-agent.yml file, and change the value of DF_BACKEND_IP to and update the value of DEEPFENCE_KEY with the API key.

5. Once done, run this command to start the Deepfence sensor daemonset in all nodes in the cluster:

kubectl apply -f kubernetes-agent.yml

6. It may take few minutes for Deepfence sensors to get installed and show up on the console UI. You can check the status of sensor installation using the following command:

kubectl get ds deepfence-agent-daemon -n deepfence --watch

Once the sensors are installed you can visualize the nodes, containers, and pods from the topology tab on the console UI seamlessly – irrespective of whether they are on AKS, ECS, EKS, GKE, or OKE.

Visualization of Bottlerocket Based Clusters (OS Type Shows Bottlerocket)

You can click on individual containers and pods in the container view of topology tab to initiate various tasks like vulnerability scanning on containers and pods in Bottlerocket based clusters. You can start the vulnerability scans after the vulnerability database is populated (it can take up to 30–60 minutes for the vulnerability database to download, and the download status of the vulnerability database is shown on the notification panel).

You can also initiate vulnerability scans on any number of number of containers or pods by using our APIs.

Start Vulnerability Scanning

You can visualize the vulnerabilities found on each node by navigating to the Vulnerabilities tab. Users can also find a list of the most Exploitable Vulnerabilities across images ranked based on CVSS score, severity, attack complexity, and ease of exploitation, so that they can focus on addressing the important vulnerabilities first. Optionally, users can also tag and scan a subset of nodes, by using user defined tags.

Vulnerability Scanning on Bottlerocket Cluster

Finally, you can seamlessly use other features like integration with SIEM tools and notification channels like Slack, PagerDuty, Splunk, ElasticSearch etc. for Bottlerocket based clusters by navigating to the Notifications tab.

Please join our community Slack to provide any feedback for improvement or if you need any additional features. If you face any issues, you can also file a ticket on our GitHub issue tracker.