Snyk runtime sensor
Release status
The Snyk runtime sensor is available in a Closed Beta state and is applicable only to the Snyk AppRisk Pro version.
Contact your salesperson if you are interested in Snyk AppRisk Pro.
The Runtime Sensor watches your deployments on a Kubernetes cluster and sends the collected data to Snyk.
Prerequisites for Snyk Runtime Sensor
Ensure that your environment meets the following technical prerequisites to properly use the Snyk Runtime Sensor:
Kubernetes supported version - Use Kubernetes v.1.19 or higher.
Managed Kubernetes services such as EKS Fargate or GKE Autopilot, are not supported, as the cluster nodes are managed by the cloud provider.
Privileged access - you need either root or the following Linux capabilities:
BPF
,PERFMON
,SYS_RESOURCES
,DAC_READ_SEARCH
,SYS_PTRACE
,NET_ADMIN
Cluster nodes must support BTF.
Language support - Go, Java v8 or higher, .NET v2.0.9 or higher, Node.js v10 or higher, Python 3.6 or higher.
You also need a token for a service account. The service account must have one of the following roles:
Group Admin
Custom Group Level Role with
AppRisk edit
permission enabled.
Install Snyk Runtime Sensor
The Snyk Runtime Sensor is a Kubernetes DeamonSet that can be easily deployed using various methods:
Using a Helm chart
There is a Helm chart within this repo in helm/runtime-sensor, that is hosted through GitHub pages in https://snyk.github.io/runtime-sensor
.
To install the Snyk runtime sensor using Helm Charts, you can follow these steps:
Ensure Helm is installed.
Create the
snyk-runtime-sensor
namespace:Create a secret with your service account token, which has the appropriate permissions (as instructed in the prerequisites section) under the created namespace:
Add the Helm repo:
If your data is hosted in a different region than the default region (USA), you need to set the
snykAPIBaseURL
while installing the Helm chart in the following format:api.<<REGION>>.snyk.io:443
, for exampleapi.eu.snyk.io:443
Install the Helm chart:
Upgrading to the latest version
Check the name that was given to the sensor
Create a secret with your service account token, which has the appropriate permissions (as instructed in the prerequisites section) under the created namespace:
Upgrade installation:
On OpenShift
When running your Kubernetes cluster in OpenShift, you will have to apply the privileged
Security Context Constraint to the service account of the Snyk Runtime Sensor by running the following command:
Run this command after the sensor is installed as the service account will not be available until the installation is complete.
Through the AWS Marketplace as an EKS add-on
Snyk provides a straightforward process for installing the Snyk Runtime Sensor on your AWS EKS cluster. The following steps explain how to integrate this security feature into your environment, enhancing the security of your cluster.
To deploy the Snyk Runtime Sensor on Amazon EKS with EKS Add-on, you need to meet the following prerequisites:
Subscribe to Snyk Runtime Sensor on AWS Marketplace here.
Install the following tools:
kubectl
,AWS CLI
, and optionallyeksctl
.Ensure you have access to the Amazon EKS cluster where you want to install the sensor.
Ensure you have a Snyk service account token ready with the right permissions, as described in the prerequisites.
Enable the Snyk Runtime Sensor add-on from AWS console
After you have successfully set up a subscription to Snyk Runtime Sensor on AWS Marketplace and followed the on-screen instructions, you will be redirected to Amazon EKS console.
To enable the Snyk Runtime Sensor for your Amazon EKS cluster, select your cluster on the Amazon EKS console. Then, navigate to the Add-ons tab and choose "Get more add-ons". Use the search bar to find "runtime" and follow the on-screen instructions to enable the add-on for your cluster.
On the next screen, select the latest version (even if already selected) and open the "Optional configuration settings".
Under the "configuration values", set the following attributes in a YAML or JSON format:
secretName
- the secret name that will be created later in the process. The default value issnyk-secret
.clusterName
- the name of the cluster where the add-on is installed.snykGroupId
- the Group ID associated with the used service account.snykAPIBaseURL
- should be configured to beapi.snyk.io:443
.
Here is a base configuration to copy:
After you select the Next and Create options you will see the "Add-on snyk-runtimesensor successfully added to cluster <<YOUR_CLUSTER>>" notification on top of the page.
Enable Snyk Runtime Sensor add-on using AWS CLI
Run the following command on your workspace to enable the Snyk Runtime Sensor add-on for your Amazon EKS cluster. You have to set the following parameters in your targeted EKS cluster:
$CLUSTER_NAME
$AWS_REGION
$SNYK_GROUP_ID
After you have added the Snyk service account token as described below, ensure installation has been completed successfully by running the following command:
Ensure the response you get is similar to this one and that the status is ACTIVE - it could take a few minutes until it reaches this status.
Add your Snyk Service Account Token to the EKS cluster
Set your
kubectl
context to control your cluster usingaws eks
:
Create a secret name
snyk-secret
under thesnyk-runtime-sensor
namespace that contains thesnykToken
. ThesnykToken
will be your service account token:
Data from your AWS EKS Cluster will be reported to Snyk using the Snyk Runtime Sensor.
Disable the Snyk Runtime Sensor add-on
You can disable the Snyk Runtime Sensor add-on by running the following command:
Troubleshooting for Snyk Runtime Sensor
If the Snyk Runtime Sensor is not properly reporting the is_loaded
risk factor, it may be caused by a non-default value of the Linux kernel perf_event_paranoid
configuration.
In such cases, install the helm chart with either --set securityContext.privileged=true
or add SYS_ADMIN
as a required Linux capability --set "securityContext.capabilities={SYS_ADMIN}"
.
The Loaded package risk factor is not supported by Snyk for open-source packages, only for application packages such as npm, Maven, or PyPI.
Release versions can be found on GitHub.
Last updated