You can use Deepfence ThreatMapper to visualize and scan unlimited number of hosts, containers, and pods at runtime as well as container images out of container registries, as part of CI/CD pipelines. In last few articles, we described how to install Deepfence community edition i.e. ThreatMapper on AWS ECS, Azure AKS, Google GKE, as well as Oracle OKE, and how to use it for vulnerability scanning of hosts and containers.
Deepfence ThreatMapper also supports Bottlerocket OS on Amazon ECS and EKS. Lightweight Bottlerocket OS with its reduced attack surface provides the perfect foundation for Deepfence to build our attack detection engine and ensure security and availability of your mission critical applications. In this article will explore the usage of Deepfence ThreatMapper for visualization and scanning of Bottlerocket based clusters. The installation procedure is the same for Bottlerocket based clusters as other clusters except for a few changes in the configuration parameters.
Bottlerocket is a lightweight Linux based OS built by Amazon for running containers efficiently in a secure manner. It is a stripped down version of Linux which contains only the basic required packages to run containers and provides easy updates. Some of the benefits of using Bottlerocket OS are as follows:
To use Bottlerocket OS, first choose the Bottlerocket AMI and launch an EC2 instance. Next, you can enroll your instance into an EKS cluster using the EKS command line tool eksctl. You can manage updates to your EC2 instance seamlessly using EKS. Now, let us look at how to use Deepfence ThreatMapper to further secure your Bottlerocket based EKS cluster.
We will briefly repeat the steps for a single node installation of management console here:
docker-compose -f docker-compose.yml up -d
Give it a few seconds and you are ready to register your product installation as described here.
2. Then, provide proper IAM authorization for kubectl to connect with to your cluster. Amazon EKS uses the aws eks get-token command, available in version 1.16.156 or later of the AWS CLI or the aws-iam-authenticator command with kubectl for cluster authentication.
3. Get the Deepfence API key from the UI for connecting sensors: Go to Settings -> User Management and copy the API key.
4. If the IP address of the VM or host that has the Deepfence management console is 192.168.1.10, then edit the kubernetes-agent.yml file, and change the value of DF_BACKEND_IP to 192.168.1.10 and update the value of DEEPFENCE_KEY with the API key.
5. Once done, run this command to start the Deepfence sensor daemonset in all nodes in the cluster:
kubectl apply -f kubernetes-agent.yml
6. It may take few minutes for Deepfence sensors to get installed and show up on the console UI. You can check the status of sensor installation using the following command:
kubectl get ds deepfence-agent-daemon -n deepfence --watch
Once the sensors are installed you can visualize the nodes, containers, and pods from the topology tab on the console UI seamlessly – irrespective of whether they are on AKS, ECS, EKS, GKE, or OKE.
You can click on individual containers and pods in the container view of topology tab to initiate various tasks like vulnerability scanning on containers and pods in Bottlerocket based clusters. You can start the vulnerability scans after the vulnerability database is populated (it can take up to 30–60 minutes for the vulnerability database to download, and the download status of the vulnerability database is shown on the notification panel).
You can also initiate vulnerability scans on any number of number of containers or pods by using our APIs.
You can visualize the vulnerabilities found on each node by navigating to the Vulnerabilities tab. Users can also find a list of the most Exploitable Vulnerabilities across images ranked based on CVSS score, severity, attack complexity, and ease of exploitation, so that they can focus on addressing the important vulnerabilities first. Optionally, users can also tag and scan a subset of nodes, by using user defined tags.
Finally, you can seamlessly use other features like integration with SIEM tools and notification channels like Slack, PagerDuty, Splunk, ElasticSearch etc. for Bottlerocket based clusters by navigating to the Notifications tab.
Please join our community Slack to provide any feedback for improvement or if you need any additional features. If you face any issues, you can also file a ticket on our GitHub issue tracker.