Kubernetes Onboarding using CLI

The Panoptica Kubernetes controller can be deployed in any K8s cluster. Once the controller is installed, your cloud resources are integrated with the Panoptica SaaS, providing you all the benefits of Panoptica security: inventory scanning, attack path analysis, vulnerability management, root cause analysis, compliance, and more.

The Panoptica K8s CLI lets you manage this integration from the command line. The CLI includes all the capabilities of Kubernetes Onboarding with Console UI – Kubernetes Security, API Security, and Realtime CDR features – with greater control and scalability. It uses the same Helm charts as the Console UI deployment, so you can use whichever method you prefer, even interchangeably.

For more information – including prerequisites and feature details – please visit Kubernetes Controller Onboarding.

Download the CLI

In order to deploy and manage the Kubernetes controller from a command line, you need to download the Panoptica K8s CLI, and you need to generate an API Key. To download the CLI, simply run this script, which will download the correct bundle for your operating system and architecture:

curl https://download.panoptica.app/cli/get_k8s_cli.sh | bash
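Piping curl straight into bash executes whatever arrives, including a script that was cut off mid-download. The following is an added example, not part of Panoptica's documentation or tooling: it saves the installer to a file, checks that it parses as shell, prints its SHA-256 and lists the URLs it references, so you can review the copy you are about to run. The function names are hypothetical; only the download URL comes from this page.

```bash
#!/usr/bin/env bash
# Added example: download, inspect, then run, instead of piping curl into bash.
INSTALLER_URL="https://download.panoptica.app/cli/get_k8s_cli.sh"  # URL from this page

# Fetch over HTTPS only (redirects included) and fail on HTTP errors,
# so an error page is never saved as if it were the installer.
fetch_installer() {
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' \
         --output "$2" "$1"
}

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# List every URL the script references, so the reviewer can see where
# the CLI bundle itself will be pulled from (and spot any plain http://).
list_urls() {
    grep -oE "https?://[^\"' )]+" "$1" | sort -u
}

# Gate: the file must be non-empty and parse as shell. bash -n parses
# without executing, which catches a file truncated inside a compound
# command or quote. On success, print the hash so it can be recorded.
inspect_installer() {
    [ -s "$1" ] || { echo "empty or missing: $1" >&2; return 1; }
    bash -n "$1" 2>/dev/null || { echo "does not parse as shell: $1" >&2; return 1; }
    file_sha256 "$1"
}

# Usage (nothing below runs automatically):
#   fetch_installer "$INSTALLER_URL" get_k8s_cli.sh
#   inspect_installer get_k8s_cli.sh && list_urls get_k8s_cli.sh
#   less get_k8s_cli.sh     # read the script
#   bash get_k8s_cli.sh     # run the reviewed copy
```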

Go ahead and explore the help menus for syntax and usage:

./panoptica-k8s --help

Generate API Key

To perform any action with Panoptica's K8s CLI, you need an API Key. To generate the key, log into the Panoptica platform and select Settings in the navigation pane, then the API Keys tab.

Click Create Key to open a popup overlay, where you can generate the key.

📘 Permissions required

Users must have an Owner or Ops role in Panoptica to generate API Keys.
See User Management for details on User Roles.

Enter a logical Key name, and click Generate Key.

📘 Promote API Key to Ops user

Once the API Key is created, go to the Users & Scopes tab and modify its role from Viewer to Ops. This will enable the key to create and modify Panoptica K8s integrations.
See User Management for details on User Roles.

We recommend storing the API Key in a config file, along with the URL of your Panoptica tenant.

  • api.us1.console.panoptica.app - Default URL, for US and global customers
  • api.eu1.console.panoptica.app - For customers in the EU

./panoptica-k8s config init --api-key <API Key> --url api.us1.console.panoptica.app

CLI Commands

Now you're ready to start managing your Kubernetes integrations using the Panoptica CLI.

Integrating Panoptica with your resources is a two-step process: you create a new integration in the Panoptica platform, and then you install the controller in your cluster using customized Helm commands. Similarly, when you update the integration on the platform, you also need to run a Helm upgrade command. And when you delete the cluster in the platform, you uninstall the controller from your cluster.

The controller can deploy three key elements of Panoptica's security platform:

  • KSPM (Kubernetes Security) – KSPM is always enabled.
  • Realtime CDR – CLI flag: --cdr-enabled
    See Realtime CDR for details.
  • API Security – CLI flag: --apisec-enabled
    See API Security for details.

📘 Cluster permissions

Note that Admin permissions are required to install and manage the controller in your cluster.

Listed here are examples of the most common actions, to help get you started:

  • To retrieve a list of all the integrations:

    ./panoptica-k8s integration get
    
  • To retrieve a specific integration in JSON format:

    ./panoptica-k8s integration get <integration name> -o json
    
  • To create a new integration in the Panoptica SaaS and deploy it. This example deploys KSPM, API Security, and Realtime CDR. Use -w to wait for installation to complete; otherwise the installation runs in the background:

    ./panoptica-k8s integration install --create "my_k8s_cluster" --kspm-enabled --apisec-enabled --cdr-enabled -w
    
  • To update an existing integration, without upgrading the integration in the cluster:

    ./panoptica-k8s integration update <integration name> --cdr-enabled=false 
    

    This will result in the configuration in the Panoptica SaaS being out of sync with your cluster. You will need to update the installation in the cluster to ensure the selected features are active.

  • To update an existing integration, and upgrade the installation in your cluster:

    ./panoptica-k8s integration upgrade --update --apisec-enabled=false
    
  • To delete and uninstall an existing integration. This command will uninstall the currently-installed integration from your cluster, and delete it from the Panoptica SaaS:

    ./panoptica-k8s integration uninstall --delete
    

Advanced settings

You can further customize the controller deployment using the Helm chart values listed at Advanced Kubernetes Integration.

First retrieve the Helm command for an existing integration:

./panoptica-k8s integration install-command <integration name>

Then customize the returned Helm command to specify additional configurations. For example, if you are installing the Panoptica controller in a RedHat OpenShift cluster, append the following string to the Helm command:

--set global.isOpenShift=true

And if your containers are larger than 2GB, you need to raise the scanner memory limit by adding this setting to the Helm command. In this example, the memory is set to 5GB; adjust the parameter as needed.

--set k8sec-controller.imageAnalysis.sbom.resources.limits.memory=5000Mi

API Trace Sources

If you enabled API Security in your deployment, you need to configure Trace Sources to gain visibility into API traffic across your workloads—as well as to/from external sources. This is done by deploying a plugin to an API gateway, which communicates with the Panoptica controller deployed on the cluster.

Navigate to the API Security tab in the Settings pane, and click API Trace Sources to configure these plugins.
See API Trace Sources for details.

Accounts table

Once the controller has been deployed in your cluster, it will be listed in the Kubernetes tab of the Accounts table.

See our documentation on the Accounts table for further details.