Installation & upgrading
Warning: The Cast AI Kubernetes Security feature set is undergoing significant changes. Some features shown in this documentation are being deprecated and others are moving to the cluster view in the console. Screenshots and navigation paths may not reflect the current product. Updated documentation is in progress.
Limited Availability Feature: This feature is currently available through feature flags. Contact us to enable access for your organization.
Installing runtime security
Runtime security can be enabled through several methods that align with how you've deployed other Cast AI components. This section details installing and configuring Runtime security using the Cast AI console, Terraform, or Helm.
Note: Runtime security operates as a sub-feature of the Kvisor security agent. Enabling runtime security will install the Kvisor agent as a DaemonSet to ensure continuous runtime scanning across all nodes in your cluster.
Install using the Cast AI console
Enabling runtime security is simplest through the Cast AI console. Follow the steps outlined in our Getting started with Security guide to connect your cluster and enable the Security feature set, which includes runtime security capabilities.
Install using Terraform
If you manage your infrastructure as code, you can enable runtime security using our Terraform modules for GKE, EKS, and AKS. To do this:
- Set the install_security_agent variable to true
- Configure runtime security via the kvisor_values variable
module "castai-eks-cluster" {
  // ... other configuration ...
  install_security_agent = true
  # Kvisor configuration with runtime security enabled
  kvisor_values = [
    yamlencode({
      # Runtime security agent configuration
      agent = {
        # Enable the runtime security agent (DaemonSet)
        "enabled" = true
        extraArgs = {
          # Recommended default settings
          "ebpf-events-enabled"        = true # Monitor for anomalous activity
          "file-hash-enricher-enabled" = true # Enable file hash event enrichment
          # Optional settings
          "netflow-enabled"      = false
          "stats-enabled"        = false
          "process-tree-enabled" = false
        }
      }
    })
  ]
}
For complete examples, refer to our Terraform repositories:
Install using Helm
To install runtime security using Helm:
- Add the Cast AI Helm repository:
helm repo add castai-helm https://castai.github.io/helm-charts
helm repo update
Which upgrade method to use: The Helm commands on this page use the umbrella chart (castai-helm/castai) by default. If you need to use a different method:
- castctl: To upgrade all Cast AI components at once without managing Helm flags:
  castctl castware upgrade
  This preserves your existing configuration. See the castctl documentation for installation and authentication instructions.
- Individual charts: If you installed each component as a separate Helm release (e.g., for ArgoCD or custom GitOps), replace the release name and chart reference with the component-specific ones (e.g., castai-workload-autoscaler and castai-helm/castai-workload-autoscaler) and remove the autoscaler.castai-workload-autoscaler. value prefix.
Not sure which method you used? Run helm list -n castai-agent. A single release named castai means umbrella chart; separate releases like castai-workload-autoscaler mean individual charts.
- Install the Kvisor agent with runtime security enabled:
helm upgrade castai castai-helm/castai -n castai-agent \
--reset-then-reuse-values \
--set autoscaler.castai-kvisor.castai.apiKey=<your-api-token> \
--set autoscaler.castai-kvisor.castai.clusterID=<your-cluster-id> \
--set autoscaler.castai-kvisor.controller.extraArgs.kube-linter-enabled=true \
--set autoscaler.castai-kvisor.controller.extraArgs.image-scan-enabled=true \
--set autoscaler.castai-kvisor.controller.extraArgs.kube-bench-enabled=true \
--set autoscaler.castai-kvisor.controller.extraArgs.cloud-provider=<aks|eks|gke> \
--set autoscaler.castai-kvisor.agent.enabled=true \
--set autoscaler.castai-kvisor.agent.extraArgs.ebpf-events-enabled=true \
--set autoscaler.castai-kvisor.agent.extraArgs.file-hash-enricher-enabled=true
Replace the following placeholders:
- <your-api-token> with your Cast AI API token
- <your-cluster-id> with your cluster ID
- <aks|eks|gke> with your Kubernetes provider (leave empty if not using these platforms)
Key configuration options
| Option | Description | Recommendation |
|---|---|---|
| ebpf-events-enabled | Monitors cluster events for anomalous activity detection | Enable by default |
| file-hash-enricher-enabled | Enriches exec events with file hash information | Enable by default |
| netflow-enabled | Collects Kubernetes network flows using eBPF | Optional |
| stats-enabled | Collects PSI, CPU, memory, and I/O usage statistics from containers and nodes | Optional |
| storage-stats-enabled | Collects ephemeral and persistent volume storage metrics per node. Requires controller.enabled=true | Optional |
| process-tree-enabled | Monitors process relationships | Optional |
For a complete list of available options, see the Runtime daemon agent flags in our GitHub repository.
Upgrading runtime security
To upgrade an existing Kvisor installation:
helm repo update castai-helm
helm upgrade castai castai-helm/castai -n castai-agent --reset-then-reuse-values
The --reset-then-reuse-values flag preserves your existing configuration while applying the latest updates.
Upgrading runtime security using Component Control
Cast AI's Component Control dashboard provides a centralized way to manage all security components, including Kvisor:
- In the Cast AI console, select Manage Organization in the top right
- Navigate to Component control in the left menu
When Runtime Security components need updating, the dashboard will indicate this with a Warning status. To update:
- Find the Kvisor component in the list
- Click on it to view detailed information about versions across your clusters
- For any cluster showing Update needed, click the Update button
- Copy the provided script or Helm command
- Run the command in your terminal with access to your cluster
Note for Terraform-managed components: If you installed runtime security using Terraform, you'll need to update your Terraform configuration manually. The Component Control interface will provide links to relevant documentation to guide you through this process.
Troubleshooting
If you encounter issues with runtime security, you can check the logs and configuration:
Check Kvisor controller logs
kubectl logs -l app.kubernetes.io/name=castai-kvisor-controller -n castai-agent
Check runtime security agent logs
kubectl logs -l app.kubernetes.io/name=castai-kvisor-agent -n castai-agent
Verify applied configuration
helm get values castai -n castai-agent
For additional assistance, contact Cast AI support.
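The following Python check is an added example, not Cast AI tooling. It reads the JSON form of the "Verify applied configuration" output (helm get values castai -n castai-agent -a -o json, where -a includes chart defaults) and reports any setting that differs from the Key configuration options table. The function names and sample values are illustrative, and it assumes that an individual Kvisor release carries agent and controller at the top level of its values and that storage-stats-enabled is set under agent.extraArgs.

```python
import json
import sys

# Flags the page recommends enabling by default.
RECOMMENDED = ("ebpf-events-enabled", "file-hash-enricher-enabled")

def is_true(value):
    # --set yields a boolean; --set-string or a values file may yield "true".
    return value is True or str(value).strip().lower() == "true"

def kvisor_subtree(values):
    # Umbrella chart: Kvisor sits under autoscaler.castai-kvisor.
    # Individual release (assumption): agent/controller are top-level keys.
    nested = (values.get("autoscaler") or {}).get("castai-kvisor")
    return nested if nested is not None else values

def audit(helm_values_json):
    """Return findings; an empty list means the settings match the table."""
    kv = kvisor_subtree(json.loads(helm_values_json) or {})
    agent = kv.get("agent") or {}
    args = agent.get("extraArgs") or {}
    findings = []
    if not is_true(agent.get("enabled")):
        findings.append("agent.enabled is not true: no runtime DaemonSet")
    for flag in RECOMMENDED:
        if not is_true(args.get(flag)):
            findings.append(f"agent.extraArgs.{flag} is not true")
    # Assumption: storage-stats-enabled is set under agent.extraArgs.
    controller = kv.get("controller") or {}
    if is_true(args.get("storage-stats-enabled")) and not is_true(controller.get("enabled")):
        findings.append("storage-stats-enabled requires controller.enabled=true")
    return findings

# Constructed sample values, not output from a real cluster.
SAMPLE_UMBRELLA = json.dumps({"autoscaler": {"castai-kvisor": {
    "controller": {"enabled": True},
    "agent": {"enabled": True, "extraArgs": {
        "ebpf-events-enabled": True, "file-hash-enricher-enabled": "true"}}}}})
SAMPLE_INDIVIDUAL = json.dumps({
    "controller": {"enabled": False},
    "agent": {"enabled": True, "extraArgs": {
        "ebpf-events-enabled": False, "file-hash-enricher-enabled": True,
        "storage-stats-enabled": True}}})

if __name__ == "__main__":
    # Pipe real helm output in, or run without a stdin redirect to see the samples.
    inputs = [SAMPLE_UMBRELLA, SAMPLE_INDIVIDUAL] if sys.stdin.isatty() else [sys.stdin.read()]
    for doc in inputs:
        print(audit(doc) or "OK")
```

An empty values document (helm prints null when nothing was overridden and -a is omitted) is reported as all three settings missing, which is why the check is meant to run on the computed values.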
