Snyk runtime sensor

Release status

The Snyk Runtime Sensor for Snyk AppRisk Pro is in Early Access, and is available only with Snyk Enterprise plans with Snyk AppRisk Pro. If you want to set it up in your Group, contact your Snyk account team.

The Snyk Runtime Sensor is a Kubernetes DaemonSet that watches your deployments on a Kubernetes cluster and sends the collected data to Snyk.

The following risk factors are reported from the Snyk Runtime Sensor: Deployed and Loaded package.

The Snyk Runtime Sensor reports the Loaded package risk factor only for application packages. The following ecosystems are supported:

Node.js
Java
Python
Go
.NET

On this page, you can find the following information:

Prerequisites for Snyk Runtime Sensor

Ensure that your environment meets the following technical prerequisites to properly use the Snyk Runtime Sensor:

Kubernetes supported version - Use Kubernetes v.1.19 or higher.

Managed Kubernetes services such as EKS Fargate or GKE Autopilot, are not supported, as the cluster nodes are managed by the cloud provider.

CPU architecture - AMD64 or ARM64.
Linux kernel - version 5.8 or higher.
Privileged access - you need either root or the following Linux capabilities: BPF, PERFMON, SYS_RESOURCES, DAC_READ_SEARCH, SYS_PTRACE, NET_ADMIN
Cluster nodes must support BTF.
Language support - Go, Java v8 or higher, .NET v2.0.9 or higher, Node.js v10 or higher, Python 3.6 or higher.
Network policy - if your cluster does not allow all outgoing traffic, set up the policy to enable outgoing traffic on port 443 for the following hosts:
- api.snyk.io or api.<<REGION>>.snyk.io if hosted in a different region.
- api.sentry.io
- kubernetes.default.svc.cluster.local

If you encounter network restrictions, ensure that port 443 is enabled and that the policy is stateful.

You also need a token for a service account. The service account must have one of the following roles:

Group Admin
Custom Group Level Role with AppRisk edit permission enabled.

Install Snyk Runtime Sensor

The Snyk Runtime Sensor is deployed as a Kubernetes DaemonSet, which means there's a single Pod of the sensor, per Node in the cluster.
The Snyk Runtime Sensor doesn't use any persistent storage, and its disk usage footprint is negligible.

The Snyk Runtime Sensor DaemonSet must meet the following minimum requirements:
- CPU: 100m (can be increased using Helm)
- Memory: 512Mi (can be increased using Helm)
Choose one of the following methods to deploy the Snyk Runtime Sensor:

Using a Helm chart

There is a Helm chart within this repo in helm/runtime-sensor, that is hosted through GitHub pages in https://snyk.github.io/runtime-sensor.

To install the Snyk runtime sensor using Helm Charts, you can follow these steps:

Ensure Helm is installed.

Create the snyk-runtime-sensor namespace:

kubectl create namespace snyk-runtime-sensor

Create a secret with your service account token, which has the appropriate permissions (as instructed in the prerequisites section) under the created namespace:
```
kubectl create secret generic <<YOUR_SECRET_NAME>> --from-literal=snykToken=<<YOUR_TOKEN>> -n snyk-runtime-sensor
```

Add the Helm repo:

helm repo add runtime-sensor https://snyk.github.io/runtime-sensor

If your data is hosted in a different region than the default region (USA), you need to set the snykAPIBaseURL while installing the Helm chart in the following format: api.<<REGION>>.snyk.io:443, for example api.eu.snyk.io:443
(Optional) If you want to configure custom resources (CPU/memory) for the runtime sensor image, set the following values as well when running the next step (default values are used here):
```
...
--set sensor.resources.requests.memory=512Mi
--set sensor.resources.requests.cpu=100m
--set sensor.resources.limits.memory=1024Mi
--set sensor.resources.limits.cpu=500m
...
```

Install the Helm chart:

helm install my-runtime-sensor \
--set secretName=<<YOUR_SECRET_NAME>> \
--set clusterName=<<CLUSTER_NAME>> \
--set snykGroupId=<<YOUR_GROUP_ID>> \
--set snykAPIBaseURL=api.<<REGION>>.snyk.io:443 \ # Optional
-n snyk-runtime-sensor \
runtime-sensor/runtime-sensor

Upgrading to the latest version

Check the name that was given to the sensor
```
helm repo list
```
Update the repo (with the name from (1)):
```
helm repo update <<SENSOR_REPO_NAME>>
```

Upgrade installation:

helm upgrade --install <<SENSOR_REPO_NAME>> \
--set secretName=<<YOUR_SECRET_NAME>> \
--set clusterName=<<CLUSTER_NAME>> \
--set snykGroupId=<<YOUR_GROUP_ID>> \
-n snyk-runtime-sensor \
runtime-sensor/runtime-sensor

Using a Helm Chart and the AWS Secrets Manager

There is a Helm chart within this repo in helm/runtime-sensor, that is hosted through GitHub pages in https://snyk.github.io/runtime-sensor.

To install the Snyk runtime sensor using Helm Charts and the AWS Secrets Manager, you can follow these steps:

Prerequisite: Install AWS Provider and CSI Secrets Store in your cluster, as instructed here.

Ensure Helm is installed.

Create the snyk-runtime-sensor namespace:

kubectl create namespace snyk-runtime-sensor

Create the Snyk Runtime Sensor Secret containing your service account token under the snykToken key in your AWS account, and obtain the resulted ARN:
```
aws secretsmanager create-secret \
--name snyk-runtime-sensor-secret \
--secret-string '{"snykToken":"<<YOUR_SERVICE_ACCOUNT_TOKEN>>"}'
```

Create an access policy for the newly created secret:

POLICY_ARN=$(aws --query Policy.Arn --output text iam create-policy --policy-name snyk-runtime-sensor-secret-policy --policy-document '{
    "Version": "2012-10-17",
    "Statement": [ {
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
        "Resource": ["<<YOUR_SECRET'S_ARN>>"]
    } ]
}')

Create an IAM OIDC provider for your cluster if you haven't done so already (only run this once):
```
eksctl utils associate-iam-oidc-provider \
--cluster="<<CLUSTER_NAME>>" \
--approve
```

Add the Helm repo:

helm repo add runtime-sensor https://snyk.github.io/runtime-sensor

If your data is hosted in a different region than the default region (USA), you need to set the snykAPIBaseURL while installing the Helm chart in the following format: api.<<REGION>>.snyk.io:443, for example api.eu.snyk.io:443
(Optional) If you want to configure custom resources (CPU/memory) for the runtime sensor image, set the following values as well when running the next step (default values are used here):
```
...
--set sensor.resources.requests.memory=512Mi
--set sensor.resources.requests.cpu=100m
--set sensor.resources.limits.memory=1024Mi
--set sensor.resources.limits.cpu=500m
...
```

Install the Helm chart:

helm install my-runtime-sensor \
--set secretProvider=aws \
--set secretName=snyk-runtime-sensor-secret \
--set clusterName=<<CLUSTER_NAME>> \
--set snykGroupId=<<YOUR_GROUP_ID>> \
--set snykAPIBaseURL=api.<<REGION>>.snyk.io:443 \ # Optional
-n snyk-runtime-sensor \
runtime-sensor/runtime-sensor

Attach the ARN of the policy created in step 4 to the newly created service account, by creating a new role:

eksctl create iamserviceaccount \
--name runtime-sensor \
--region=<<REGION>> \
--cluster "<<CLUSTER_NAME>>" \
--attach-policy-arn "$POLICY_ARN" \
--approve \
--override-existing-serviceaccounts \
--namespace=snyk-runtime-sensor

Verify that the secret was mounted successfully into the snyk-runtime-sensor namespace (kubectl get secrets -n snyk-runtime-sensor), and that the sensor pods are running successfully (kubectl get pods -n snyk-runtime-sensor).

Upgrading to the latest version

Check the name that was given to the sensor
```
helm repo list
```
Update the repo (with the name from (1)):
```
helm repo update <<SENSOR_REPO_NAME>>
```

Upgrade installation:

helm upgrade --install <<SENSOR_REPO_NAME>> \
--set secretProvider=aws \
--set secretName=snyk-runtime-sensor-secret \
--set clusterName=<<CLUSTER_NAME>> \
--set snykGroupId=<<YOUR_GROUP_ID>> \
-n snyk-runtime-sensor \
runtime-sensor/runtime-sensor

On OpenShift

When running your Kubernetes cluster in OpenShift, you will have to apply the privileged Security Context Constraint to the service account of the Snyk Runtime Sensor by running the following command:

oc adm policy add-scc-to-user privileged \
system:serviceaccount:<<YOUR_NAMESPACE>>:runtime-sensor

Run this command after the sensor is installed as the service account will not be available until the installation is complete.

Through the AWS Marketplace as an EKS add-on

Snyk provides a straightforward process for installing the Snyk Runtime Sensor on your AWS EKS cluster. The following steps explain how to integrate this security feature into your environment, enhancing the security of your cluster.

To deploy the Snyk Runtime Sensor on Amazon EKS with EKS Add-on, you need to meet the following prerequisites:

Subscribe to Snyk Runtime Sensor on AWS Marketplace here. This should be done in each account that has clusters you want to integrate the sensor with.
Install the following tools: kubectl, AWS CLI, and optionally eksctl.
Ensure you have access to the Amazon EKS clusters where you want to install the sensor.
Ensure you have a Snyk service account token ready with the right permissions, as described in the prerequisites.

Enable the Snyk Runtime Sensor add-on from AWS console

After you have successfully set up a subscription to Snyk Runtime Sensor on AWS Marketplace and followed the on-screen instructions, you will be redirected to Amazon EKS console.

To enable the Snyk Runtime Sensor for your Amazon EKS cluster, select your cluster on the Amazon EKS console. Then, navigate to the Add-ons tab and choose "Get more add-ons". Use the search bar to find "runtime" and follow the on-screen instructions to enable the add-on for your cluster. This process should be done for each cluster you want to integrate the sensor with (i.e. for each cluster you want to collect data from).

On the next screen, select the latest version (even if already selected) and open the "Optional configuration settings".

Under the "configuration values", set the following attributes in a YAML or JSON format:

secretName - the secret name that will be created later in the process. The default value is snyk-secret .
clusterName - the name of the cluster where the add-on is installed.
snykGroupId - the Group ID associated with the used service account.
snykAPIBaseURL - should be configured to be api.snyk.io:443 , unless your data is hosted in a different region than the default (US).

Here is a base configuration to copy:

secretName: snyk-secret
clusterName: <<MY_CLUSTER>>
snykGroupId: <<MY_SNYK_GROUP_ID>>
snykAPIBaseURL: api.snyk.io:443

After you select the Next and Create options you will see the Add-on snyk-runtimesensor successfully added to cluster <<YOUR_CLUSTER>> notification on top of the page.

Enable Snyk Runtime Sensor add-on using AWS CLI

Run the following command on your workspace to enable the Snyk Runtime Sensor add-on for your Amazon EKS cluster. You have to set the following environment variables to match your Snyk account and your targeted EKS cluster:

$CLUSTER_NAME
$AWS_REGION
$SNYK_GROUP_ID
$SNYK_API_BASE_URL (should be set to api.snyk.io:443 unless your account is hosted on a different region than US).

aws eks create-addon \
--cluster-name $CLUSTER_NAME \
--region $AWS_REGION \
--addon-name snyk_runtime-sensor \
--configuration-values '{"secretName":"snyk-secret","clusterName":"$CLUSTER_NAME","snykGroupId":"$SNYK_GROUP_ID","snykAPIBaseURL": "$SNYK_API_BASE_URL"}' \
--resolve-conflicts OVERWRITE

After you have added the Snyk service account token as described below, ensure installation has been completed successfully by running the following command:

aws eks describe-addon --addon-name snyk_runtime-sensor --cluster-name $CLUSTER_NAME --region $AWS_REGION

Ensure the response you get is similar to this one and that the status is ACTIVE - it could take a few minutes until it reaches this status.

{
    "addon": {
        "addonName": "snyk_runtime-sensor",
        "clusterName": "<<YOUR_CLUSTER>>",
        "status": "ACTIVE",
        "addonVersion": "v1.17.2-eksbuild.1",
        "health": {
            "issues": []
        },
        "addonArn": "arn:aws:eks:us-east-1:XXXX:addon/<<YOUR_CLUSTER>>/snyk-runtimesensor/ffffffff-ffff-ffff-ffff-ffffffffffff",
        "createdAt": "2024-05-26T16:43:15.551000+03:00",
        "modifiedAt": "2024-05-26T16:43:28.714000+03:00",
        "tags": {},
        "configurationValues": "{\"secretName\":\"snyk-secret\",\"clusterName\":\"YOUR_CLUSTER\",\"snykGroupId\":\"YOUR_GROUP_ID\",\"snykAPIBaseURL\": \"api.snyk.io:443\"}"
    }
}

Add your Snyk Service Account Token to the EKS cluster

Set your kubectl context to control your cluster using aws eks:

aws eks update-kubeconfig --name $CLUSTER_NAME --region $AWS_REGION

Create a secret name snyk-secret under the snyk-runtime-sensor namespace that contains the snykToken. The snykToken will be your service account token:

kubectl create secret generic snyk-secret \
--from-literal=snykToken=$SNYK_TOKEN \
-n snyk-runtime-sensor

Data from your AWS EKS Cluster will be reported to Snyk using the Snyk Runtime Sensor.

Disable the Snyk Runtime Sensor add-on

You can disable the Snyk Runtime Sensor add-on by running the following command:

aws eks delete-addon --addon-name snyk_runtime-sensor --cluster-name $CLUSTER_NAME --region $AWS_REGION

Troubleshooting for Snyk Runtime Sensor

If the Snyk Runtime Sensor is not properly reporting the is_loaded risk factor, it may be caused by a non-default value of the Linux kernel perf_event_paranoid configuration. In such cases, install the helm chart with either --set securityContext.privileged=true or add SYS_ADMIN as a required Linux capability --set "securityContext.capabilities={SYS_ADMIN}".

The Loaded package risk factor is not supported by Snyk for operating system packages (such as Debian packages), only for packages which are hosted under package managers such as npm, Maven, or PyPI.

Release versions can be found on GitHub.

PreviousThird-party integrations for Snyk AppRisk NextJira and Slack Integrations

Last updated 2 days ago