Installation & upgrading

🚧

Limited Availability Feature

This feature is currently available through feature flags. Contact us to enable access for your organization.

Installing runtime security

Runtime security can be enabled through several methods that align with how you've deployed other Cast AI components. This section details installing and configuring runtime security using the Cast AI console, Terraform, or Helm.

📘

Note

Runtime security operates as a sub-feature of the Kvisor security agent. Enabling runtime security will install the Kvisor agent as a DaemonSet to ensure continuous runtime scanning across all nodes in your cluster.

Install using the Cast AI console

Enabling runtime security is simplest through the Cast AI console. Follow the steps outlined in our Getting started with Security guide to connect your cluster and enable the Security feature set, which includes runtime security capabilities.

Install using Terraform

If you manage your infrastructure as code, you can enable runtime security using our Terraform modules for GKE, EKS, and AKS. To do this:

  1. Set the install_security_agent variable to true
  2. Configure runtime security via the kvisor_values variable

module "castai-eks-cluster" {
  // ... other configuration ...
  install_security_agent = true
  
  # Kvisor configuration with runtime security enabled
  kvisor_values = [
    yamlencode({
      # Runtime security agent configuration
      agent = {
        # Enable the runtime security agent (DaemonSet)
        "enabled" = true

        extraArgs = {
          # Recommended default settings
          "ebpf-events-enabled"        = true  # Monitor for anomalous activity
          "file-hash-enricher-enabled" = true  # Enable file hash event enrichment
          
          # Optional settings
          "netflow-enabled"              = false
          "stats-enabled"                = false
          "process-tree-enabled"         = false
        }
      }
    })
  ]
}

For complete examples, refer to our Terraform repositories:

Install using Helm

To install runtime security using Helm:

  1. Add the Cast AI Helm repository:

helm repo add castai-helm https://castai.github.io/helm-charts
helm repo update

  2. Install the Kvisor agent with runtime security enabled:

helm upgrade --install castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --set castai.apiKey=<your-api-token> \
  --set castai.clusterID=<your-cluster-id> \
  --set controller.extraArgs.kube-linter-enabled=true \
  --set controller.extraArgs.image-scan-enabled=true \
  --set controller.extraArgs.kube-bench-enabled=true \
  --set controller.extraArgs.cloud-provider=<aks|eks|gke> \
  --set agent.enabled=true \
  --set agent.extraArgs.ebpf-events-enabled=true \
  --set agent.extraArgs.file-hash-enricher-enabled=true

Replace the following placeholders:

  • <your-api-token> with your Cast AI API token
  • <your-cluster-id> with your cluster ID
  • <aks|eks|gke> with your Kubernetes provider (leave empty if not using these platforms)

Key configuration options

| Option | Description | Recommendation |
|---|---|---|
| ebpf-events-enabled | Monitors cluster events for anomalous activity detection | Enable by default |
| file-hash-enricher-enabled | Enriches exec events with file hash information | Enable by default |
| netflow-enabled | Collects Kubernetes network flows using eBPF | Optional |
| stats-enabled | Collects container and node resource statistics | Optional |
| process-tree-enabled | Monitors process relationships | Optional |

For a complete list of available options, see the Runtime daemon agent flags in our GitHub repository.

Upgrading runtime security

To upgrade an existing Kvisor installation:

helm repo update castai-helm
helm upgrade --install castai-kvisor castai-helm/castai-kvisor -n castai-agent --reset-then-reuse-values

The --reset-then-reuse-values flag preserves your existing configuration while applying the latest updates.

Upgrading runtime security using Component Control

Cast AI's Component Control dashboard provides a centralized way to manage all security components, including Kvisor:

  1. In the Cast AI console, select Manage Organization in the top right
  2. Navigate to Component control in the left menu

When Runtime Security components need updating, the dashboard will indicate this with a Warning status. To update:

  1. Find the Kvisor component in the list
  2. Click on it to view detailed information about versions across your clusters
  3. For any cluster showing Update needed, click the Update button
  4. Copy the provided script or Helm command
  5. Run the command in your terminal with access to your cluster

📘

Note for Terraform-managed components

If you installed runtime security using Terraform, you'll need to update your Terraform configuration manually. The Component Control interface will provide links to relevant documentation to guide you through this process.

Troubleshooting

If you encounter issues with runtime security, you can check the logs and configuration:

Check Kvisor controller logs

kubectl logs -l app.kubernetes.io/name=castai-kvisor-controller -n castai-agent

Check runtime security agent logs

kubectl logs -l app.kubernetes.io/name=castai-kvisor-agent -n castai-agent

Verify applied configuration

helm get values castai-kvisor -n castai-agent
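
To turn that output into a pass/fail check, the following added example (not Cast AI's own tooling) audits the release values against the recommended settings in the Key configuration options table. It assumes the input comes from `helm get values castai-kvisor -n castai-agent --all -o json`; the script name audit.py and the sample document are constructed for illustration.

```python
import json
import sys

# Recommended and optional flags from the "Key configuration options" table.
RECOMMENDED = ("ebpf-events-enabled", "file-hash-enricher-enabled")
OPTIONAL = ("netflow-enabled", "stats-enabled", "process-tree-enabled")


def as_bool(value):
    """--set stores booleans, --set-string stores text; accept both forms."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def audit(values):
    """Return (problems, enabled_optional) for a parsed Helm values document."""
    agent = values.get("agent") or {}
    extra = agent.get("extraArgs") or {}
    problems = []
    if not as_bool(agent.get("enabled", False)):
        problems.append("agent.enabled is not set to true")
    for flag in RECOMMENDED:
        if not as_bool(extra.get(flag, False)):
            problems.append(f"agent.extraArgs.{flag} is not set to true")
    enabled_optional = [f for f in OPTIONAL if as_bool(extra.get(f, False))]
    return problems, enabled_optional


# Constructed sample: a release where file hash enrichment was never set.
SAMPLE = json.loads("""
{"agent": {"enabled": true,
           "extraArgs": {"ebpf-events-enabled": "true", "netflow-enabled": true}}}
""")

if __name__ == "__main__":
    # helm get values castai-kvisor -n castai-agent --all -o json | python3 audit.py
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    problems, optional = audit(doc or {})
    for p in problems:
        print("MISSING:", p)
    print("optional collectors enabled:", ", ".join(optional) or "none")
    sys.exit(1 if problems else 0)
```

Without `--all`, `helm get values` returns only user-supplied values, so a flag left at its chart default is reported as not set.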

For additional assistance, contact Cast AI support.