Install Upwind on Kubernetes

Overview

This page provides instructions on installing the Upwind Sensor in a Kubernetes environment. By default, the Upwind Sensor runs as a DaemonSet.

Install

Helm Operator (Recommended)

Prerequisites

• Helm installed.
• Review Upwind charts .

note

If you are deploying the Upwind agent on an AWS EC2 container instance instance in AWS and using IMDSv2, it is necessary to set the hop limit to 2. This configuration allows the agent to successfully query the instance metadata service.

Step 1: Credentials

note

This step is relevant only if you want to create new client credentials. If you already have client credentials, you can skip this step.

Select the + (plus) symbol at the top of the screen and select Connect Kubernetes Cluster. Select Generate a new one to create a new client ID and client secret. Provide a name and select Generate.

Alternatively, you can generate it in the Credentials page in the console. For more information review the documentation on Credentials.

After you have generated the secret, it will automatically be copied into step 3 and inserted into the UPWIND_CLIENT_ID and UPWIND_CLIENT_SECRET fields.

Step 2: Add Upwind Helm Repository

To add the Helm respository:

helm repo add upwind https://charts.upwind.io/ && helm repo update

Step 3: Deploy Upwind Operator

Cloud

With the Upwind Helm repository added, you can now deploy Upwind to your cluster. If you a re-using a credential be sure to add it into the UPWIND_CLIENT_ID & UPWIND_CLIENT_SECRET fields.

To install the helm chart, you should execute the install command as follows:

containerd

helm install upwind-operator upwind/upwind-operator \
    --namespace upwind \
    --set credentials.clientId="${UPWIND_CLIENT_ID}" \
    --set credentials.clientSecret="${UPWIND_CLIENT_SECRET}" \
    --create-namespace

CRI-O

helm install upwind-operator upwind/upwind-operator \
    --namespace upwind \
    --set credentials.clientId="${UPWIND_CLIENT_ID}" \
    --set credentials.clientSecret="${UPWIND_CLIENT_SECRET}" \
    --set agent.values.containerd.enabled=false \
    --set agent.values.crio.enabled=true \
    --create-namespace

BYOC

With the Upwind Helm repository added, you can now deploy Upwind to your cluster. If you a re-using a credential be sure to add it into the UPWIND_CLIENT_ID & UPWIND_CLIENT_SECRET fields.

containerd

helm install upwind-operator upwind/upwind-operator \
    --namespace upwind \
    --set credentials.clientId="${UPWIND_CLIENT_ID}" \
    --set credentials.clientSecret="${UPWIND_CLIENT_SECRET}" \
    --set agent.values.byoc.accountID=<YOUR-BYOC-ACCOUNT-NAME>
    --set agent.values.byoc.zone=<YOUR-BYOC-ZONE>
    --set clusterAgent.values.byoc.accountID=<YOUR-BYOC-ACCOUNT-NAME>
    --set clusterAgent.values.byoc.zone=<YOUR-BYOC-ZONE>
    --set extraEnv[0].name=CLOUD_PROVIDER,extraEnv[0].value=byoc --set extraEnv[1].name=CLOUD_ACCOUNT_ID,extraEnv[1].value=<YOUR-BYOC-ACCOUNT-NAME>
    --create-namespace

CRI-O

helm install upwind-operator upwind/upwind-operator \
    --namespace upwind \
    --set credentials.clientId="${UPWIND_CLIENT_ID}" \
    --set credentials.clientSecret="${UPWIND_CLIENT_SECRET}" \
    --set agent.values.byoc.accountID=<YOUR-BYOC-ACCOUNT-NAME>
    --set agent.values.byoc.zone=<YOUR-BYOC-ZONE>
    --set clusterAgent.values.byoc.accountID=<YOUR-BYOC-ACCOUNT-NAME>
    --set clusterAgent.values.byoc.zone=<YOUR-BYOC-ZONE>
    --set extraEnv[0].name=CLOUD_PROVIDER,extraEnv[0].value=byoc --set extraEnv[1].name=CLOUD_ACCOUNT_ID,extraEnv[1].value=<YOUR-BYOC-ACCOUNT-NAME>
    --set agent.values.containerd.enabled=false \
    --set agent.values.crio.enabled=true \
    --create-namespace

Step 4: Test Connectivity

It is recommended to validate that none of the resources deployed by Upwind are in a Pending/Failed or any other error state, which will prevent Upwind from operating as expected.

Run the following command to validate that all the resources are in a Running state:

kubectl get agent,clusteragent --namespace upwind

Helm Operatorless

Prerequisites

• Helm installed.
• Review Upwind charts .

Step 1: Credentials

note

This step is relevant only if you want to create new client credentials. If you already have client credentials, you can skip this step.

Select the + (plus) symbol at the top of the screen and select Connect Kubernetes Cluster. Select Generate a new one to create a new client ID and client secret. Provide a name and select Generate.

Alternatively, you can generate it in the Credentials page in the console. For more information review the documentation on Credentials.

Step 2: Setup

1. Store Sensor credentials to environment variable:

   UPWIND_CLIENT_ID=clientID
   UPWIND_CLIENT_SECRET=clientSecret

2. Obtain an access token

   UPWIND_REGISTRY_PASSWORD=$(
     curl -s \
       --url https://auth.upwind.io/oauth/token \
       --header 'content-type: application/x-www-form-urlencoded' \
       --data grant_type=client_credentials \
       --data audience=https://registry.upwind.io \
       --data client_id=$UPWIND_CLIENT_ID \
       --data client_secret=$UPWIND_CLIENT_SECRET | \
       jq -r '.access_token'
   )

3. Authenticate with the Upwind registry

   echo $UPWIND_REGISTRY_PASSWORD | \
   docker login registry.upwind.io \
     --username upwind \
     --password-stdin

4. Add Helm repository

   helm repo add upwind https://charts.upwind.io/ && helm repo update

5. Get version information

     UPWIND_CLUSTER_AGENT_CHART_VERSION=$(helm search repo upwind/upwind-cluster-agent -l --devel -o json | jq -r '.[0].version') && \
     
     UPWIND_CLUSTER_AGENT_IMAGE_VERSION=$(helm search repo upwind/upwind-cluster-agent -l --devel -o json | jq -r '.[0].app_version') && \
     
     UPWIND_AGENT_CHART_VERSION=$(helm search repo upwind/upwind-agent -l --devel -o json | jq -r '.[0].version') && \
     
     UPWIND_AGENT_IMAGE_VERSION=$(helm search repo upwind/upwind-agent -l --devel -o json | jq -r '.[0].app_version')

6. Pull the container images

   docker pull --platform linux/amd64 \
   registry.upwind.io/images/cluster-agent:$UPWIND_CLUSTER_AGENT_IMAGE_VERSION
   
   docker pull --platform linux/amd64 \
   registry.upwind.io/images/agent:$UPWIND_AGENT_IMAGE_VERSION

7. Set the target registry

   TARGET_REGISTRY=localhost:5001 // example

8. Tag the container images with the target registry

   docker tag \
   registry.upwind.io/images/cluster-agent:$UPWIND_CLUSTER_AGENT_IMAGE_VERSION \
   $TARGET_REGISTRY/upwind-cluster-agent:$UPWIND_CLUSTER_AGENT_IMAGE_VERSION
   
   docker tag \
   registry.upwind.io/images/agent:$UPWIND_AGENT_IMAGE_VERSION \
   $TARGET_REGISTRY/upwind-agent:$UPWIND_AGENT_IMAGE_VERSION

9. Push the container images

   docker push \
   $TARGET_REGISTRY/upwind-cluster-agent:$UPWIND_CLUSTER_AGENT_IMAGE_VERSION
   
   docker push \
   $TARGET_REGISTRY/upwind-agent:$UPWIND_AGENT_IMAGE_VERSION

Step 3: Deploy Upwind

Cloud

1. Install the Upwind Cluster Manager

   helm install upwind-cluster-agent upwind/upwind-cluster-agent \
    --version $UPWIND_CLUSTER_AGENT_CHART_VERSION \
    --namespace upwind \
    --create-namespace \
    --set credentials.create=true \
    --set credentials.clientId=$UPWIND_CLIENT_ID \
    --set credentials.clientSecret=$UPWIND_CLIENT_SECRET \
    --set registry=$TARGET_REGISTRY \
    --set image.repository=upwind-cluster-agent

2. Install the Upwind Sensor

   helm install upwind-agent upwind/upwind-agent \
    --version $UPWIND_AGENT_CHART_VERSION \
    --namespace upwind \
    --set credentials.create=true \
    --set credentials.clientId=$UPWIND_CLIENT_ID \
    --set credentials.clientSecret=$UPWIND_CLIENT_SECRET \
    --set registry=$TARGET_REGISTRY \
    --set image.repository=upwind-agent

BYOC

1. Install the Upwind Cluster Manager

   helm install upwind-cluster-agent upwind/upwind-cluster-agent \
    --version $UPWIND_CLUSTER_AGENT_CHART_VERSION \
    --namespace upwind \
    --create-namespace \
    --set credentials.create=true \
    --set credentials.clientId=$UPWIND_CLIENT_ID \
    --set credentials.clientSecret=$UPWIND_CLIENT_SECRET \
    --set registry=$TARGET_REGISTRY \
    --set image.repository=upwind-cluster-agent
    --set byoc.accountID=YOUR-BYOC-ACCOUNT-NAME
    --set byoc.zone=YOUR-BYOC-ZONE

2. Install the Upwind Sensor

   helm install upwind-agent upwind/upwind-agent \
    --version $UPWIND_AGENT_CHART_VERSION \
    --namespace upwind \
    --set credentials.create=true \
    --set credentials.clientId=$UPWIND_CLIENT_ID \
    --set credentials.clientSecret=$UPWIND_CLIENT_SECRET \
    --set registry=$TARGET_REGISTRY \
    --set image.repository=upwind-agent
    --set byoc.accountID=YOUR-BYOC-ACCOUNT-NAME
    --set byoc.zone=YOUR-BYOC-ZONE

Step 4: Test Connectivity

It is recommended to validate that none of the resources deployed by Upwind are in a Pending/Failed or any other error state, which will prevent Upwind from operating as expected.

Run the following command to validate that all the resources are in a Running state:

kubectl get agent,clusteragent --namespace upwind

Helm Umbrella Chart

Prerequisites

• Helm installed.
• Review Upwind charts .

Step 1: Credentials

note

This step is relevant only if you want to create new client credentials. If you already have client credentials, you can skip this step.

Select the + (plus) symbol at the top of the screen and select Connect Kubernetes Cluster. Select Generate a new one to create a new client ID and client secret. Provide a name and select Generate.

Alternatively, you can generate it in the Credentials page in the console. For more information review the documentation on Credentials.

Step 2: Add Upwind Helm Repository

To add the Helm respository:

helm repo add upwind https://charts.upwind.io/ && helm repo update

Step 3: Deploy Upwind Chart

With the Upwind Helm repository added, you can now deploy Upwind to your cluster. If you a re-using a credential be sure to add it into the UPWIND_CLIENT_ID & UPWIND_CLIENT_SECRET fields.

To install the helm chart, you should execute the install command as follows:

helm install upwind upwind/upwind \
  --namespace upwind \
  --set credentials.clientId="${UPWIND_CLIENT_ID}" \
  --set credentials.clientSecret="${UPWIND_CLIENT_SECRET}" \
  --set upwind-operator.extraArgs[0]="--dynamic-values-enabled=false" \
  --create-namespace

Step 4: Test Connectivity

It is recommended to validate that none of the resources deployed by Upwind are in a Pending/Failed or any other error state, which will prevent Upwind from operating as expected.

Run the following command to validate that all the resources are in a Running state:

kubectl get agent,clusteragent --namespace upwind

Amazon EKS Add-on

Amazon Elastic Kubernetes Services (Amazon EKS) is a managed container service to run and scale Kubernetes applications in the AWS cloud. In collaboration with Amazon EKS, Upwind provides a Runtime Security for Kubernetes add-on that enables customers to effortlessly deploy and configure the Upwind Operator, which in turn simplifies the installation of the Upwind Sensor.

Prerequisites

• Subscribe to Upwind Runtime-Powered Cloud Security Platform on AWS Marketplace.
• Install the following tools: kubectl , AWS CLI , and optionally eksctl .
• An existing Amazon EKS cluster . To deploy one, see Getting started with Amazon EKS .

Step 1. Generate Credentials

note

This step is relevant only if you want to create new client credentials. If you already have client credentials, you can skip this step.

Select the + (plus) symbol at the top of the screen and select Connect Kubernetes Cluster. Select Generate a new one to create a new client ID and client secret. Provide a name and select Generate.

Alternatively, you can generate it in the Credentials page in the console. For more information review the documentation on Credentials.

Step 2. Create a Kubernetes Secret

In this step, you will create a Kubernetes secret to securely store the credentials.

1. Open a terminal window and authenticate with your Kubernetes cluster using kubectl.
2. Create a namespace for the add-on by running the following command:

kubectl create namespace upwind

3. Run the following command, replacing <UPWIND_CLIENT_ID> and <UPWIND_CLIENT_SECRET> with the credentials obtained in the first step:

kubectl create secret generic upwind-operator-client-credentials -n upwind \ 
 --from-literal=clientId=<UPWIND_CLIENT_ID> \
 --from-literal=clientSecret=<UPWIND_CLIENT_SECRET>

Step 3. Deploy the EKS Add-on

You can deploy the add-on using the Amazon EKS console , the AWS CLI , or eksctl . The add-on checks for an active subscription from AWS Marketplace and then initializes the resources in your Amazon EKS cluster.

AWS Management Console

To deploy the add-on using the AWS Management Console

1. Navigate to the Amazon EKS Console . In the left navigation pane, select Clusters, and then select the name of the cluster that you want to create the add-on for. On the cluster info page, choose the Add-ons tab.

2. Choose Get more add-ons to explore various add-on software options that can be installed from AWS Marketplace.

3. Scroll down to find the Upwind Runtime-Powered Cloud Security Platform for Amazon EKS and select it. You can also use the search box to locate the add-on. Once you have selected the add-on, choose Next.

4. If you do not have subscription to the add-on through the AWS Marketplace, you will see a callout to subscribe to the software on the Configure selected add-ons settings page. Choose View subscription options to open the Subscription options form.

5. Review the information, then choose the Subscribe button to continue.

6. Wait for the subscription processing to complete. You will receive a notification when the add-on is ready to be installed. Choose Next when the status changes to Ready to install.

7. On the Review and add page, choose Create. After the add-on installation is complete, you see your installed add-on.

8. The add-on is now deployed.

For more information about deploying directly to Amazon EKS clusters, see the AWS blog post or the official documentation on Managing Amazon EKS add-ons .

AWS CLI

To deploy the add-on using the AWS CLI

1. Create the add-on by running the following command, replacing <AWS_EKS_CLUSTER_NAME> with the cluster name:

Command

aws eks create-addon \
  --addon-name upwind-security_upwind-operator \
  --cluster-name <AWS_EKS_CLUSTER_NAME>

Example output

{
  "addon": {
    "addonName": "upwind-security_upwind-operator",
    "clusterName": "<AWS_EKS_CLUSTER_NAME>",
    "status": "CREATING",
    "addonVersion": "v0.3.0-eksbuild.1",
    "health": {
      "issues": []
    },
    "addonArn": "arn:aws:eks:<AWS_REGION>:111122223333:addon/<AWS_EKS_CLUSTER_NAME>/upwind-security_upwind-operator/...",
    "createdAt": "2024-01-01T00:00:00.000000+02:00",
    "modifiedAt": "2024-01-01T00:00:00.000000+02:00",
    "tags": {}
  }
}

2. Check the status of the deployment by running the following command, replacing <AWS_EKS_CLUSTER_NAME> with the cluster name:

Command

aws eks describe-addon \
  --addon-name upwind-security_upwind-operator \
  --cluster-name <AWS_EKS_CLUSTER_NAME>

Example output

{
  "addon": {
    "addonName": "upwind-security_upwind-operator",
    "clusterName": "<AWS_EKS_CLUSTER_NAME>",
    "status": "ACTIVE",
    "addonVersion": "v0.3.0-eksbuild.1",
    "health": {
      "issues": []
    },
    "addonArn": "arn:aws:eks:<AWS_REGION>:111122223333:addon/<AWS_EKS_CLUSTER_NAME>/upwind-security_upwind-operator/...",
    "createdAt": "2024-01-01T00:00:00.000000+02:00",
    "modifiedAt": "2024-01-01T00:00:00.000000+02:00",
    "tags": {}
  }
}

The deployment is complete when the status is ACTIVE.

eksctl

To deploy the add-on using eksctl

1. Create the add-on by running the following command, replacing <AWS_EKS_CLUSTER_NAME> with the cluster name:

Command

eksctl create addon \
  --name upwind-security_upwind-operator \
  --cluster <AWS_EKS_CLUSTER_NAME>

Example output

2024-01-01 00:00:00 [ℹ]  Kubernetes version "1.nn" in use by cluster "<AWS_EKS_CLUSTER_NAME>"
2024-01-01 00:00:00 [ℹ]  no recommended policies found, proceeding without any IAM
2024-01-01 00:00:00 [ℹ]  creating addon
2024-01-01 00:01:00 [ℹ]  addon "upwind-security_upwind-operator" active

2. Check the status of the deployment by running the following command, replacing <AWS_EKS_CLUSTER_NAME> with the cluster name:

Command

eksctl get addon \
--name upwind-security_upwind-operator \
--cluster <AWS_EKS_CLUSTER_NAME>

Example output

2024-01-01 00:01:00 [ℹ]  Kubernetes version "1.nn" in use by cluster "<AWS_EKS_CLUSTER_NAME>"
NAME				VERSION			STATUS	ISSUES	IAMROLE	UPDATE AVAILABLE	CONFIGURATION VALUES
upwind-security_upwind-operator	v0.3.0-eksbuild.1	ACTIVE	0

The deployment is complete when the status is ACTIVE.

Troubleshooting

If you encounter any issues during the installation process, please refer to the Troubleshooting page, where you can find a list of possible issues and solutions.