Snyk runtime sensor
Release status
The Snyk Runtime Sensor for Snyk AppRisk Pro is in Early Access, and is available only with Snyk Enterprise plans with Snyk AppRisk Pro. If you want to set it up in your Group, contact your Snyk account team.
The Snyk Runtime Sensor is a Kubernetes DaemonSet that watches your deployments on a Kubernetes cluster and sends the collected data to Snyk.
The following risk factors are reported from the Snyk Runtime Sensor: Deployed and Loaded package.
The Snyk Runtime Sensor reports the Loaded package risk factor only for application packages. The following ecosystems are supported:
Node.js
Java
Python
Go
.NET
Most packages are loaded into memory upon application startup, therefore they will be reported only when the Pod is initialized.
On this page, you can find the following information:
Prerequisites for Snyk Runtime Sensor
Ensure that your environment meets the following technical prerequisites to properly use the Snyk Runtime Sensor:
Kubernetes supported version - Use Kubernetes v.1.19 or higher.
Managed Kubernetes services such as EKS Fargate or GKE Autopilot, are not supported, as the cluster nodes are managed by the cloud provider.
CPU architecture - AMD64 or ARM64.
Linux kernel - version 5.8 or higher.
Privileged access - you need either root or the following Linux capabilities:
BPF
,PERFMON
,SYS_RESOURCES
,DAC_READ_SEARCH
,SYS_PTRACE
,NET_ADMIN
Cluster nodes must support BTF.
Language support - Go, Java v8 or higher, .NET v2.0.9 or higher, Node.js v10 or higher, Python 3.6 or higher.
Network policy - if your cluster does not allow all outgoing traffic, set up the policy to enable outgoing traffic on port 443 for the following hosts:
api.snyk.io
orapi.<<REGION>>.snyk.io
if hosted in a different region.api.sentry.io
kubernetes.default.svc.cluster.local
If you encounter network restrictions, ensure that port 443 is enabled and that the policy is stateful.
You also need a token for a service account. The service account must have one of the following roles:
Group Admin
Custom Group Level Role with
AppRisk edit
permission enabled.
Install Snyk Runtime Sensor
The Snyk Runtime Sensor is deployed as a Kubernetes DaemonSet, which means there's a single Pod of the sensor, per Node in the cluster.
The Snyk Runtime Sensor doesn't use any persistent storage, and its disk usage footprint is negligible.
The Snyk Runtime Sensor DaemonSet must meet the following minimum requirements:
CPU: 100m
(can be increased using Helm)Memory: 512Mi
(can be increased using Helm)
Choose one of the following methods to deploy the Snyk Runtime Sensor:
Using a Helm chart
There is a Helm chart within this repo in helm/runtime-sensor, that is hosted through GitHub pages in https://snyk.github.io/runtime-sensor
.
To install the Snyk runtime sensor using Helm Charts, you can follow these steps:
Ensure Helm is installed.
Create the
snyk-runtime-sensor
namespace:Create a secret with your service account token, which has the appropriate permissions (as instructed in the prerequisites section) under the created namespace:
Add the Helm repo:
If your data is hosted in a different region than the default region (USA), you need to set the
snykAPIBaseURL
while installing the Helm chart in the following format:api.<<REGION>>.snyk.io:443
, for exampleapi.eu.snyk.io:443
(Optional) If you want to configure custom resources (CPU/memory) for the runtime sensor image, set the following values as well when running the next step (default values are used here):
Install the Helm chart:
Upgrading to the latest version
Check the name that was given to the sensor
Update the repo (with the name from (1)):
Upgrade installation:
Using a Helm Chart and the AWS Secrets Manager
There is a Helm chart within this repo in helm/runtime-sensor, that is hosted through GitHub pages in https://snyk.github.io/runtime-sensor
.
To install the Snyk runtime sensor using Helm Charts and the AWS Secrets Manager, you can follow these steps:
Prerequisite: Install AWS Provider and CSI Secrets Store in your cluster, as instructed here.
Ensure Helm is installed.
Create the
snyk-runtime-sensor
namespace:Create the Snyk Runtime Sensor Secret containing your service account token under the
snykToken
key in your AWS account, and obtain the resulted ARN:Create an access policy for the newly created secret:
Create an IAM OIDC provider for your cluster if you haven't done so already (only run this once):
Add the Helm repo:
If your data is hosted in a different region than the default region (USA), you need to set the
snykAPIBaseURL
while installing the Helm chart in the following format:api.<<REGION>>.snyk.io:443
, for exampleapi.eu.snyk.io:443
(Optional) If you want to configure custom resources (CPU/memory) for the runtime sensor image, set the following values as well when running the next step (default values are used here):
Install the Helm chart:
Attach the ARN of the policy created in step 4 to the newly created service account, by creating a new role:
Verify that the secret was mounted successfully into the
snyk-runtime-sensor
namespace (kubectl get secrets -n snyk-runtime-sensor
), and that the sensor pods are running successfully (kubectl get pods -n snyk-runtime-sensor
).
Upgrading to the latest version
Check the name that was given to the sensor
Update the repo (with the name from (1)):
Upgrade installation:
On OpenShift
When running your Kubernetes cluster in OpenShift, you will have to apply the privileged
Security Context Constraint to the service account of the Snyk Runtime Sensor by running the following command:
Run this command after the sensor is installed as the service account will not be available until the installation is complete.
Through the AWS Marketplace as an EKS add-on
Snyk provides a straightforward process for installing the Snyk Runtime Sensor on your AWS EKS cluster. The following steps explain how to integrate this security feature into your environment, enhancing the security of your cluster.
To deploy the Snyk Runtime Sensor on Amazon EKS with EKS Add-on, you need to meet the following prerequisites:
Subscribe to Snyk Runtime Sensor on AWS Marketplace here. This should be done in each account that has clusters you want to integrate the sensor with.
Install the following tools:
kubectl
,AWS CLI
, and optionallyeksctl
.Ensure you have access to the Amazon EKS clusters where you want to install the sensor.
Ensure you have a Snyk service account token ready with the right permissions, as described in the prerequisites.
Enable the Snyk Runtime Sensor add-on from AWS console
After you have successfully set up a subscription to Snyk Runtime Sensor on AWS Marketplace and followed the on-screen instructions, you will be redirected to Amazon EKS console.
To enable the Snyk Runtime Sensor for your Amazon EKS cluster, select your cluster on the Amazon EKS console. Then, navigate to the Add-ons tab and choose "Get more add-ons". Use the search bar to find "runtime" and follow the on-screen instructions to enable the add-on for your cluster. This process should be done for each cluster you want to integrate the sensor with (i.e. for each cluster you want to collect data from).
On the next screen, select the latest version (even if already selected) and open the "Optional configuration settings".
Under the "configuration values", set the following attributes in a YAML or JSON format:
secretName
- the secret name that will be created later in the process. The default value issnyk-secret
.clusterName
- the name of the cluster where the add-on is installed.snykGroupId
- the Group ID associated with the used service account.snykAPIBaseURL
- should be configured to beapi.snyk.io:443
, unless your data is hosted in a different region than the default (US).
Here is a base configuration to copy:
After you select the Next and Create options you will see the Add-on snyk-runtimesensor successfully added to cluster <<YOUR_CLUSTER>>
notification on top of the page.
Enable Snyk Runtime Sensor add-on using AWS CLI
Run the following command on your workspace to enable the Snyk Runtime Sensor add-on for your Amazon EKS cluster. You have to set the following environment variables to match your Snyk account and your targeted EKS cluster:
$CLUSTER_NAME
$AWS_REGION
$SNYK_GROUP_ID
$SNYK_API_BASE_URL (should be set to
api.snyk.io:443
unless your account is hosted on a different region than US).
After you have added the Snyk service account token as described below, ensure installation has been completed successfully by running the following command:
Ensure the response you get is similar to this one and that the status is ACTIVE - it could take a few minutes until it reaches this status.
Add your Snyk Service Account Token to the EKS cluster
Set your
kubectl
context to control your cluster usingaws eks
:
Create a secret name
snyk-secret
under thesnyk-runtime-sensor
namespace that contains thesnykToken
. ThesnykToken
will be your service account token:
Data from your AWS EKS Cluster will be reported to Snyk using the Snyk Runtime Sensor.
Disable the Snyk Runtime Sensor add-on
You can disable the Snyk Runtime Sensor add-on by running the following command:
Troubleshooting for Snyk Runtime Sensor
If the Snyk Runtime Sensor is not properly reporting the is_loaded
risk factor, it may be caused by a non-default value of the Linux kernel perf_event_paranoid
configuration.
In such cases, install the helm chart with either --set securityContext.privileged=true
or add SYS_ADMIN
as a required Linux capability --set "securityContext.capabilities={SYS_ADMIN}"
.
The Loaded package risk factor is not supported by Snyk for operating system packages (such as Debian packages), only for packages which are hosted under package managers such as npm, Maven, or PyPI.
Release versions can be found on GitHub.
Last updated