This guide provides step-by-step instructions for installing the Cequence Sensor within your Kubernetes cluster. The Cequence Sensor for Kubernetes captures network traffic from a Kubernetes cluster and transmits it to the Cequence Unified API Protection (UAP) platform for analysis. It includes both external and internal traffic from the Kubernetes cluster, resulting in discovery of both external-facing APIs and internal-only APIs within Cequence.
- Cequence Sensor captures traffic to applications and sends it to the Cequence UAP platform.
- Integration is passive and doesn't require application instrumentation.
- Cequence Sensor for Kubernetes can be installed as a DaemonSet and/or sidecar, depending on your preferred deployment model.
Prerequisites
- Kubernetes cluster
- Helm (version 3.x or later)
- kubectl command-line tool
- Access credentials for Cequence's GitLab registry. Cequence provides these credentials. Request the credentials from your sales account team or log a Zendesk ticket.
Required permissions
Installing the Cequence Sensor in Kubernetes requires get, list, create, update, and delete permissions for the following:
- ServiceAccount
- ClusterRole
- ClusterRoleBinding
- Role
- RoleBinding
- DaemonSet
- ConfigMap
- Service
- Deployment
- MutatingWebhookConfiguration
- Secret
- Namespace
Run the following script to verify the permissions. Set USER_TO_CHECK to the user or ServiceAccount that will perform the installation.
#!/bin/bash
# Set the user or ServiceAccount to check (the identity that will run the install)
USER_TO_CHECK="system:serviceaccount:kube-system:admin-user"
# Check one verb on one resource. The optional third argument is the API group;
# it is appended as resource.group so kubectl resolves the right API
# (it is not a subresource).
check_permission() {
  local resource=$1
  local verb=$2
  local api_group=$3
  local target=$resource
  if [ -n "$api_group" ]; then
    target="$resource.$api_group"
  fi
  # kubectl auth can-i exits 0 for "yes" and non-zero for "no"
  if kubectl auth can-i "$verb" "$target" --as="$USER_TO_CHECK" > /dev/null 2>&1; then
    echo " Pass: Can $verb $target"
  else
    echo " Fail: Cannot $verb $target"
  fi
}
# Check core API resources (no group)
for resource in serviceaccounts configmaps services secrets namespaces; do
  for verb in get list create update delete; do
    check_permission "$resource" "$verb"
  done
done
# Check RBAC resources
for resource in clusterroles clusterrolebindings roles rolebindings; do
  for verb in get list create update delete; do
    check_permission "$resource" "$verb" rbac.authorization.k8s.io
  done
done
# Check Apps API resources
for resource in daemonsets deployments; do
  for verb in get list create update delete; do
    check_permission "$resource" "$verb" apps
  done
done
# Check AdmissionRegistration API resources
for verb in get list create update delete; do
  check_permission mutatingwebhookconfigurations "$verb" admissionregistration.k8s.io
done
Installation Steps
1. Add Cequence Helm Chart Repository
helm repo add cequence https://cequence.gitlab.io/helm-charts
helm repo update
2. Create Namespace
Create a dedicated namespace for the Cequence Sensor.
kubectl create ns cq-sensor
3. Create Registry Secret
Create a secret to access the Cequence images. Replace <registry_username> and <registry_password> with the credentials provided by the Cequence team. If sidecar injection is enabled, you also need to create this secret in each namespace where you want the sidecar deployed.
kubectl create secret docker-registry regcred \
--docker-server="registry.gitlab.com" \
--docker-username=<registry_username> \
--docker-password=<registry_password> \
-n cq-sensor
4. Prepare Values Override File
Create a file named sensor-overrides.yaml with the following content. Adjust the values according to your environment.
global:
  clientId: "xxxxx"
  clientSecret: "xxxxxxxxxxxxxxxxxxxxx"
  reportMode: "bridge"
  bridgeServer: "https://your.bridge.domain.com"
  uapSubdomain: "your.subdomain.com"
imagePullSecrets:
  - name: regcred
sensorDaemonset:
  enabled: true
sensorSidecarInjector:
  enabled: true
5. Deploy Cequence Sensor
Install the Cequence Sensor using Helm.
helm upgrade --install cequence-sensor cequence/sensor --version 5.1.0 \
-f sensor-overrides.yaml \
-n cq-sensor
6. Label Namespace for Sidecar Injection
Label the namespace where you want to inject the sensor sidecar. Replace my-test with your application namespace.
kubectl label ns my-test cequence-sensor/enabled=true
Note: If your application pods are already running, you'll need to restart them after applying this label. If you install the application after creating the label, no restart is necessary.
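The six steps above as one re-runnable script, added here as an example (it is not Cequence's own installer). It uses the chart values shown in step 4, reads credentials from environment variables named CQ_* (names chosen for this example), creates the registry secret with the dry-run/apply pattern so a second run updates rather than fails on an existing secret, repeats the secret and label in every namespace listed in CQ_APP_NAMESPACES, and, per the note above, restarts the Deployments in those namespaces so already-running pods pick up the sidecar.

```shell
#!/bin/sh
# Added example, not Cequence's own script. Assumed inputs (names chosen here):
#   CQ_REGISTRY_USER / CQ_REGISTRY_PASS  registry credentials from Cequence
#   CQ_CLIENT_ID / CQ_CLIENT_SECRET      sensor credentials for the UAP tenant
#   CQ_BRIDGE_SERVER / CQ_UAP_SUBDOMAIN  values for the overrides file
#   CQ_APP_NAMESPACES                    space-separated namespaces to inject
SENSOR_NS="${SENSOR_NS:-cq-sensor}"
CHART_VERSION="${CHART_VERSION:-5.1.0}"

# Fail early with a clear message if a required variable is missing.
require_env() {
  for name in "$@"; do
    eval "val=\${$name:-}"
    if [ -z "$val" ]; then
      echo "missing required variable: $name" >&2
      return 1
    fi
  done
}

# Render sensor-overrides.yaml (step 4) from the environment. The output
# contains the client secret, so it is written with owner-only permissions.
render_overrides() {
  cat <<EOF
global:
  clientId: "${CQ_CLIENT_ID}"
  clientSecret: "${CQ_CLIENT_SECRET}"
  reportMode: "bridge"
  bridgeServer: "${CQ_BRIDGE_SERVER}"
  uapSubdomain: "${CQ_UAP_SUBDOMAIN}"
imagePullSecrets:
  - name: regcred
sensorDaemonset:
  enabled: true
sensorSidecarInjector:
  enabled: true
EOF
}

# Create or update the registry pull secret (step 3) in one namespace.
# "create" alone fails on re-runs; dry-run + apply is idempotent.
ensure_regcred() {
  ns="$1"
  kubectl create secret docker-registry regcred \
    --docker-server="registry.gitlab.com" \
    --docker-username="$CQ_REGISTRY_USER" \
    --docker-password="$CQ_REGISTRY_PASS" \
    -n "$ns" --dry-run=client -o yaml | kubectl apply -f -
}

main() {
  require_env CQ_REGISTRY_USER CQ_REGISTRY_PASS CQ_CLIENT_ID CQ_CLIENT_SECRET \
              CQ_BRIDGE_SERVER CQ_UAP_SUBDOMAIN || return 1
  # Step 1: chart repository (--force-update makes re-runs safe)
  helm repo add cequence https://cequence.gitlab.io/helm-charts --force-update
  helm repo update
  # Step 2: dedicated namespace
  kubectl get ns "$SENSOR_NS" >/dev/null 2>&1 || kubectl create ns "$SENSOR_NS"
  # Step 3: pull secret in the sensor namespace
  ensure_regcred "$SENSOR_NS"
  # Step 4: overrides file, readable only by the current user
  umask 077
  render_overrides > sensor-overrides.yaml
  # Step 5: install or upgrade the chart
  helm upgrade --install cequence-sensor cequence/sensor --version "$CHART_VERSION" \
    -f sensor-overrides.yaml -n "$SENSOR_NS"
  # Step 6: each application namespace needs the pull secret and the label;
  # existing pods only receive the sidecar after a restart.
  for ns in ${CQ_APP_NAMESPACES:-}; do
    ensure_regcred "$ns"
    kubectl label ns "$ns" cequence-sensor/enabled=true --overwrite
    kubectl rollout restart deployment -n "$ns"
  done
}

# The steps only run when invoked as: sh install-sensor.sh apply
case "${1:-}" in
  apply) main ;;
esac
```

Only Deployments are restarted in the last loop; if the application namespaces also run StatefulSets or DaemonSets, restart those the same way.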
Verification
To verify the installation, check the status of the Cequence Sensor pods:
kubectl get pods -n cq-sensor
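A deeper check than listing pods, added here as an example and not part of Cequence's tooling: it confirms that each sensor DaemonSet is ready on every node it was scheduled to, that the injector's MutatingWebhookConfiguration is registered, and that pods in every labelled namespace actually carry the sidecar (a pod started before the label was applied will not). Two values are assumptions to confirm against your install: the sidecar container name (SIDECAR_NAME, defaulting to cequence-sensor) and that the webhook's name contains "cequence".

```shell
#!/bin/sh
# Added example, not Cequence's own tooling. Run as: sh verify-sensor.sh check
SENSOR_NS="${SENSOR_NS:-cq-sensor}"
# Assumed name of the injected sidecar container; confirm with
#   kubectl get pod <pod> -n <ns> -o jsonpath='{.spec.containers[*].name}'
SIDECAR_NAME="${SIDECAR_NAME:-cequence-sensor}"

# True (exit 0) when a DaemonSet is scheduled somewhere and fully ready.
daemonset_ready() {
  desired="$1"; ready="$2"
  [ "$desired" -gt 0 ] && [ "$desired" -eq "$ready" ]
}

# True when the space-separated container list of one pod includes the sidecar.
has_sidecar() {
  for c in $1; do
    [ "$c" = "$SIDECAR_NAME" ] && return 0
  done
  return 1
}

# Reads lines of "<pod-name> <container> <container>..." on stdin and prints
# how many pods have no sidecar.
count_uninjected() {
  n=0
  while read -r pod containers; do
    [ -z "$pod" ] && continue
    has_sidecar "$containers" || n=$((n + 1))
  done
  echo "$n"
}

main() {
  rc=0
  # 1. DaemonSet sensor: ready count must match the scheduled count
  for ds in $(kubectl get ds -n "$SENSOR_NS" -o jsonpath='{.items[*].metadata.name}'); do
    desired=$(kubectl get ds "$ds" -n "$SENSOR_NS" -o jsonpath='{.status.desiredNumberScheduled}')
    ready=$(kubectl get ds "$ds" -n "$SENSOR_NS" -o jsonpath='{.status.numberReady}')
    if daemonset_ready "$desired" "$ready"; then
      echo "ok   daemonset/$ds ready $ready/$desired"
    else
      echo "FAIL daemonset/$ds ready $ready/$desired"; rc=1
    fi
  done
  # 2. The injector's admission webhook is registered (name match is assumed)
  if kubectl get mutatingwebhookconfigurations -o name | grep -qi cequence; then
    echo "ok   mutating webhook registered"
  else
    echo "FAIL no Cequence mutating webhook found"; rc=1
  fi
  # 3. Every pod in a labelled namespace carries the sidecar
  for ns in $(kubectl get ns -l cequence-sensor/enabled=true -o jsonpath='{.items[*].metadata.name}'); do
    missing=$(kubectl get pods -n "$ns" \
      -o jsonpath='{range .items[*]}{.metadata.name} {.spec.containers[*].name}{"\n"}{end}' \
      | count_uninjected)
    if [ "$missing" -eq 0 ]; then
      echo "ok   namespace/$ns: all pods injected"
    else
      echo "FAIL namespace/$ns: $missing pod(s) without sidecar (restart them)"; rc=1
    fi
  done
  return $rc
}

case "${1:-}" in
  check) main ;;
esac
```

A non-zero exit from the check is what you would wire into a post-install gate; the third check is the one that catches the restart requirement from step 6.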
Support
For additional assistance or troubleshooting, please contact Cequence support.