1. Home
    2. Security Operations
    3. Cortex XDR
    4. Cortex® XDR™ Agent Administrator's Guide
    5. Cortex® XDR™ Agent 7.7 for Linux
    6. Install the Cortex® XDR™ Agent for Kubernetes Hosts

    Install the Cortex® XDR™ Agent for Kubernetes Hosts

    Learn how to install the Cortex® XDR™ agent for a Kubernetes host.
    You can deploy the Cortex XDR agent for Linux on Kubernetes Clusters as a DaemonSet on any Kubernetes cluster. To deploy the agent, you create a Cortex XDR agent YAML installation package in Cortex XDR which allows you to configure attributes such as namespace default value and nodeselector. Once the Kubernetes agent is running on the endpoint, the agent offers the same protection capabilities and operates as any standard Cortex XDR agent for Linux. Cortex XDR issues a license for every node on which the agent is running, and will revoke the license once the agent is removed or the node is deleted. The Cortex XDR management console displays the Kubernetes Cluster and includes in the causality card a visual indication on processes that are running within containers, including information about the container itself such as its name, ID, image, etc.
    Palo Alto Networks supports only Cortex XDR agent deployments carried out with the original YAML installation package generated directly from the Cortex XDR management console and carried out as a DaemonSet. If you attempt to edit the YAML settings after you created the package, the installation could fail or cause the agent to display unexpected behavior.
    The following are prerequisites to use this deployment method:
    Requirement/Limitation
    Description
    Requirements
    • A Cortex XDR agent 7.6 or later.
    • To enable User Space operation mode you must deploy YAML installer for Cortex XDR agent 7.7.
    • A Cortex XDR Cloud per Host license.
    • A supported Kubernetes deployment according to cloud provides and OS (both docker and containerd):
      • GCP—GCOS, Ubuntu.
      • Azure—Ubuntu 18 (Default >= 1.18).
      • AWS—Amazon Linux 2 (Default) , Ubuntu 18/20, RHEL 7/8.
    Limitations
    • You cannot upgrade, uninstall, or change the management server of a Cortex XDR agent running on Kubernetes Clusters directly from the Cortex XDR management console. These actions must be performed from your Kubernetes cluster.
    • If the Kubernetes clusters are based on Container-Optimized OS (GCOS) on Google Cloud Platform, the Cortex XDR agent operates in asynchronous mode without its kernel module support due to GCOS restrictions on loading 3rd party kernel modules.
    • If you are installing Cortex XDR alongside Prisma Cloud Compute, you must disable Runtime protection in Prisma Cloud Compute for as long as the two agents are working together. You can do so by either deleting any Runtime policy that exists in Prisma Cloud Compute, or moving Prisma Cloud Compute policies to
      Runtime Disabled
      .
      From the Prisma Cloud Compute console, go to
      Defend
      Runtime
       and delete or move all policies to
      Disable
       accordingly (Container policy, Host policy, Server policy, App-Embedded policy).
    To install the agent on your cluster:
    1. Download the Cortex XDR agent YAML installation file from Cortex XDR.
      If you are running a Cortex XDR agent earlier the version 7.7, you need to recreate and deploy the latest YAML file over the current file.
    2. Copy the YAML file to the Kubernetes cluster you want to deploy it on.
    3. Log on to your Kubetnetes cluster.
    4. Deploy the Yaml file. Run a standard YAML installation command line.
      For example,
      kubectl apply -f cortex-xdr.yaml
      .
    5. Verify the agents are running.
      Run
      kubectl get pods -A -owide
      , and verify the Cortex XDR agent pod is running on your target node(s).
      Run
      cat /proc/$(pidof pmd)/maps | grep bpfec
      , and verify the agent is running in user space mode by checking the operational status.
    6. Use the Cortex XDR Agent for Kubernetes.
      1. Upgrade the agent.
        The agent upgrade method depends on the settings you applied when you generated the YAML installation file in Cortex XDR and on the Agent Settings profile associated with the host:
        • When you enable
          Always deploy with latest agent version
          , and
          Agent Auto Upgrade
           is enabled, then the Cortex XDR agent will upgrade automatically whenever a new version is available.
        • Otherwise, when one or both of these settings are disabled, you must create a new YAML installation file from the Cortex XDR management console and re-install the agent.
      2. Uninstall the agent.
        To uninstall the agent, remove the DaemonSet using the standard command line, for example:
        kubectl delete -n cortex-xdr daemonset/cortex-agent
        .

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo