Archive: Run your Kubernetes workload with Deepfactor < 2.2

The following document is applicable for Deepfactor 2.1 and earlier releases.
See the latest support document here:
– Run your Kubernetes workload with Deepfactor

Deepfactor provides a mutating admission webhook to seamlessly run your K8s workloads with Deepfactor. If you would like to read more about the mutating admission webhook, you can refer to the following Kubernetes documentation article.

Mutating Admission Webhook K8s Documentation

Deepfactor admission webhook controller works with K8s v1.16, v1.17, v1.18, v1.19, v1.20, and v1.21.

 

To install the Deepfactor admission webhook in your K8s cluster, please follow the below instructions:

1. Install Deepfactor admission controller. Deepfactor webhook is deployed in df-registration namespace.

bash -c “$(curl -L https://repo.deepfactor.io/deploy-df-adm-webhook.sh)”
Note: Although, mutating admission controllers are enabled by default in the latest versions of K8s, if you get an error, please run the following command before installing the Deepfactor admission webhook.

kube-apiserver --enable-admission-plugins=MutatingAdmissionWebhook,ValidatingAdmissionWebhook

 

2. Add the following annotations to your pod specs

  • df.k8-app.registration/inject
    (Required) This should be set to “enabled” to enable Deepfactor instrumentation for the pod
  • df.k8-app.name
    (Required) This will be the name of the application on Deepfactor Portal UI
  • app-image/repo-details
    (Required) This should be set to the path of your container image
  • df.k8-app.run.token/runtoken
    (Required) You can get this token from the Deepfactor portal UI.
  • df.k8-app.comp/name
    (Optional) This will be the name of the component on Deepfactor Portal UI.
  • df.k8-app.lsa
    (Optional) Deepfactor can enhance alerts by enabling language specific probes. Read more about it here: Language Specific Agents
  • df.k8-app.alert/policy
    (Optional) Please enter the name of the alert policy. If not set, the default policy will be used to generate alerts.
  • df.k8-app.imageid
    (Optional) Please enter the hash of the image. e.g.
    imageid=`docker inspect ${APP_IMAGE} –format ‘{{.Id}}’`

3. Add the following environment variables to your pod specs

- name: LD_PRELOAD
value: /opt/deepfactor/lib/libdf.so
- name: DF_MANIFEST
value: /opt/deepfactor/manifest/df-manifest.json

 

The admission webhook controller injects two init containers.

  1. The first init container copies Deepfactor runtime code into an ephemeral pod volume.
  2. The second init container uses the same image as your component. It registers your component with the Deepfactor portal using the annotations specified in the pod spec. It will also perform a compatibility test.
    Deepfactor libraries and manifest file are mounted as a volume on your pod at /opt/deepfactor.

You can now run your K8s workload and it will be observed by Deepfactor. You can log in to the Deepfactor Portal UI and view the insights found by Deepfactor for your application.

Was this article helpful?

Powered by BetterDocs

Deepfactor Icon

Deepfactor is a developer security platform that enables engineering teams to quickly discover and resolve security vulnerabilities, supply chain risks, and compliance violations early in development and testing.

Product Pricing Resources Company Documentation Login Demo

SUBSCRIBE TO OUR NEWSLETTER!

© 2023 Deepfactor, Inc. All Rights Reserved.

Privacy Policy | Terms of Service | Open Source Disclosure