Installation & upgrading

Warning: The Cast AI Kubernetes Security feature set is undergoing significant changes. Some features shown in this documentation are being deprecated and others are moving to the cluster view in the console. Screenshots and navigation paths may not reflect the current product. Updated documentation is in progress.

Limited Availability Feature

This feature is currently available through feature flags. Contact us to enable access for your organization.

Installing runtime security

Runtime security can be enabled through several methods that align with how you've deployed other Cast AI components. This section covers installing and configuring runtime security using the Cast AI console, Terraform, or Helm.

Note: Runtime security operates as a sub-feature of the Kvisor security agent. Enabling runtime security will install the Kvisor agent as a DaemonSet to ensure continuous runtime scanning across all nodes in your cluster.

Install using the Cast AI console

Enabling runtime security is simplest through the Cast AI console. Follow the steps outlined in our Getting started with Security guide to connect your cluster and enable the Security feature set, which includes runtime security capabilities.

Install using Terraform

If you manage your infrastructure as code, you can enable runtime security using our Terraform modules for GKE, EKS, and AKS. To do this:

  1. Set the install_security_agent variable to true
  2. Configure runtime security via the kvisor_values variable

module "castai-eks-cluster" {
  // ... other configuration ...
  install_security_agent = true
  
  # Kvisor configuration with runtime security enabled
  kvisor_values = [
    yamlencode({
      # Runtime security agent configuration
      agent = {
        # Enable the runtime security agent (DaemonSet)
        "enabled" = true

        extraArgs = {
          # Recommended default settings
          "ebpf-events-enabled"        = true  # Monitor for anomalous activity
          "file-hash-enricher-enabled" = true  # Enable file hash event enrichment
          
          # Optional settings
          "netflow-enabled"              = false
          "stats-enabled"                = false
          "process-tree-enabled"         = false
        }
      }
    })
  ]
}

For complete examples, refer to our Terraform repositories:

Install using Helm

To install runtime security using Helm:

  1. Add the Cast AI Helm repository:

helm repo add castai-helm https://castai.github.io/helm-charts
helm repo update

Note: Which upgrade method to use

The Helm commands on this page use the umbrella chart (castai-helm/castai) by default. If you need to use a different method:

  • castctl: To upgrade all Cast AI components at once without managing Helm flags:
    castctl castware upgrade
    This preserves your existing configuration. See the castctl documentation for installation and authentication instructions.
  • Individual charts: If you installed each component as a separate Helm release (e.g., for ArgoCD or custom GitOps), replace the release name and chart reference with the component-specific ones (e.g., castai-workload-autoscaler and castai-helm/castai-workload-autoscaler) and remove the autoscaler.castai-workload-autoscaler. value prefix.

Not sure which method you used? Run helm list -n castai-agent. A single release named castai means umbrella chart; separate releases like castai-workload-autoscaler mean individual charts.


  2. Install the Kvisor agent with runtime security enabled:

helm upgrade castai castai-helm/castai -n castai-agent \
  --reset-then-reuse-values \
  --set autoscaler.castai-kvisor.castai.apiKey=<your-api-token> \
  --set autoscaler.castai-kvisor.castai.clusterID=<your-cluster-id> \
  --set autoscaler.castai-kvisor.controller.extraArgs.kube-linter-enabled=true \
  --set autoscaler.castai-kvisor.controller.extraArgs.image-scan-enabled=true \
  --set autoscaler.castai-kvisor.controller.extraArgs.kube-bench-enabled=true \
  --set autoscaler.castai-kvisor.controller.extraArgs.cloud-provider=<aks|eks|gke> \
  --set autoscaler.castai-kvisor.agent.enabled=true \
  --set autoscaler.castai-kvisor.agent.extraArgs.ebpf-events-enabled=true \
  --set autoscaler.castai-kvisor.agent.extraArgs.file-hash-enricher-enabled=true

Replace the following placeholders:

  • <your-api-token> with your Cast AI API token
  • <your-cluster-id> with your cluster ID
  • <aks|eks|gke> with your Kubernetes provider (leave empty if not using these platforms)

Key configuration options

| Option | Description | Recommendation |
| --- | --- | --- |
| ebpf-events-enabled | Monitors cluster events for anomalous activity detection | Enable by default |
| file-hash-enricher-enabled | Enriches exec events with file hash information | Enable by default |
| netflow-enabled | Collects Kubernetes network flows using eBPF | Optional |
| stats-enabled | Collects PSI, CPU, memory, and I/O usage statistics from containers and nodes | Optional |
| storage-stats-enabled | Collects ephemeral and persistent volume storage metrics per node. Requires controller.enabled=true | Optional |
| process-tree-enabled | Monitors process relationships | Optional |

For a complete list of available options, see the Runtime daemon agent flags in our GitHub repository.

Upgrading runtime security

To upgrade an existing Kvisor installation:

helm repo update castai-helm
helm upgrade castai castai-helm/castai -n castai-agent --reset-then-reuse-values

The --reset-then-reuse-values flag preserves your existing configuration while applying the latest updates.

Upgrading runtime security using Component Control

Cast AI's Component Control dashboard provides a centralized way to manage all security components, including Kvisor:

  1. In the Cast AI console, select Manage Organization in the top right
  2. Navigate to Component control in the left menu

When Runtime Security components need updating, the dashboard will indicate this with a Warning status. To update:

  1. Find the Kvisor component in the list
  2. Click on it to view detailed information about versions across your clusters
  3. For any cluster showing Update needed, click the Update button
  4. Copy the provided script or Helm command
  5. Run the command in your terminal with access to your cluster

Note for Terraform-managed components

If you installed runtime security using Terraform, you'll need to update your Terraform configuration manually. The Component Control interface will provide links to relevant documentation to guide you through this process.

Troubleshooting

If you encounter issues with runtime security, you can check the logs and configuration:

Check Kvisor controller logs

kubectl logs -l app.kubernetes.io/name=castai-kvisor-controller -n castai-agent

Check runtime security agent logs

kubectl logs -l app.kubernetes.io/name=castai-kvisor-agent -n castai-agent

Verify applied configuration

helm get values castai -n castai-agent
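
An added example (not Cast AI's own tooling) that audits the JSON form of the helm get values output against the recommendations in the Key configuration options table and masks the apiKey, which Helm returns along with the other supplied values. The function names, the sample values, the placement of storage-stats-enabled under agent.extraArgs, and the root-level layout for individual-chart releases are assumptions.

```python
import json
import sys

# Flags the "Key configuration options" table recommends enabling by default.
RECOMMENDED = ("ebpf-events-enabled", "file-hash-enricher-enabled")
# Constructed sample in the umbrella-chart layout; credentials are placeholders.
SAMPLE = {"autoscaler": {"castai-kvisor": {
    "castai": {"apiKey": "PLACEHOLDER-TOKEN", "clusterID": "PLACEHOLDER-ID"},
    "controller": {"enabled": False},
    "agent": {"enabled": True, "extraArgs": {"ebpf-events-enabled": True,
              "file-hash-enricher-enabled": False, "storage-stats-enabled": True}}}}}


def is_on(value):
    # --set yields booleans; hand-edited values files sometimes hold "true".
    return value is True or str(value).lower() == "true"


def audit(values):
    """Return deviations from the recommended runtime security settings."""
    # Assumption: an individual-chart release keeps the same keys at the root.
    kv = (values.get("autoscaler") or {}).get("castai-kvisor") or values
    agent = kv.get("agent") or {}
    args = agent.get("extraArgs") or {}
    findings = []
    if not is_on(agent.get("enabled")):
        findings.append("agent.enabled is not true")
    for flag in RECOMMENDED:
        if not is_on(args.get(flag)):
            findings.append(f"agent.extraArgs.{flag} is not true")
    # Assumed to be an agent flag; the table says it needs controller.enabled=true.
    controller = kv.get("controller") or {}
    if is_on(args.get("storage-stats-enabled")) and not is_on(controller.get("enabled")):
        findings.append("storage-stats-enabled set without controller.enabled=true")
    return findings


def redact(node):
    """Copy the values with every apiKey masked, e.g. before sharing them."""
    if isinstance(node, dict):
        return {k: "<redacted>" if k == "apiKey" else redact(v) for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v) for v in node]
    return node


if __name__ == "__main__":
    values = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps({"values": redact(values), "findings": audit(values)}, indent=2))
```

Pipe in the output of helm get values castai -n castai-agent --all -o json; without --all, Helm prints only user-supplied values, so flags left at chart defaults would be reported as not set.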

For additional assistance, contact Cast AI support.