Deploy and manage Kubernetes cluster sensors
Copy link

Container Runtime Security uses an eBPF -based (extended Berkeley Packet Filter) runtime sensor to detect the following activity for Kubernetes clusters you want to monitor:

  • Container runtime events
  • Syscall activity
  • Process execution chains
  • File access patterns
  • Network activity
  • Short-lived and ephemeral containers that may not appear in periodic CSPM snapshots

The runtime sensor includes anti-tampering protections to prevent:

  • Unauthorized modification of configuration
  • Disabling of detection components
  • Interference with operational state

These safeguards ensure runtime security controls remain active and reliable. The runtime detection engine includes three primary components:

Anomaly detection

Anomaly detection identifies deviations from normal application behavior.

During a learning phase, the system:

  1. Observes container activity.
  2. Records file access, network connections, system calls, and related behavior.
  3. Stores this information in ApplicationProfile or NetworkNeighborhood custom resources (CRDs).

After the learning phase completes, real-time events are compared against the stored baseline. Deviations trigger alerts.

Behavioral analysis

Behavioral analysis uses predefined rules to detect known attack patterns, such as:

  • Reverse shell activity
  • Execution of unexpected binaries
  • Suspicious system calls
  • Privilege escalation behavior
  • Execution of binaries not present in the container image

Rules can be bound to workloads using Kubernetes selectors.

By default, rules apply to all workloads unless scoped otherwise.

Malware scanning

Nodes can be scanned for malware using an integrated antivirus engine.

Scanning supports:

  • Files
  • Directories
  • Volumes

To reduce resource usage, a curated malware signature database optimized for Kubernetes environments is used.

Before you begin
Copy link

To deploy the sensor, you need the following on each Kubernetes cluster you want to monitor:

ℹ️

Large Kubernetes cluster or having resource issues?

If your Kubernetes clusters do not meet the resource requirements or you’re having trouble deploying the sensor, contact Rapid7 support.

Deploy a sensor
Copy link

After your Kubernetes cluster has been prepared for the sensor, you’re ready to deploy it using Helm.

⚠️

Use the Command Platform to access Container Runtime Security

Access Container Runtime Security from the Command Platform to authenticate and take action on findings. If you open Cloud Security outside the Command Platform, you can view detections, but some features are unavailable.

To deploy a sensor:

  1. Log in to the Command Platform .
  2. Go to Controls & Compliance > Runtime.
  3. Click Manage Rules and Policies. The Container Runtime Security feature opens to the Threat Detection page.
  4. Go to Settings > Accounts.
  5. Click Kubernetes.
  6. Click Copy.

    1. Optionally, adjust the max learning period for anomaly detection using the following line (default is 24 hours):

      --set nodeAgent.config.maxLearningPeriod=Xh
  7. Open a cloud shell or terminal with access to your Kubernetes cluster.
  8. Paste and run the helm command.
  9. When the command is finished, return to the Container Runtime Security feature.
  10. Click Verify installation. Rapid7 will verify it can connect to the cluster and automatically scan it.

The sensor first learns how your cluster typically behaves, then cluster activity will automatically begin to appear in the Command Platform.

ℹ️

Want to adjust workload-specific learning period instead?

You can also define a workload-specific learning period using a label:

metadata:
  labels:
    kubescape.io/max-sniffing-time: "5m"

Manage sensors
Copy link

After you have added a sensor, you can review or upgrade a sensor, delete a sensor, or trigger a scan.

To view sensors:

  1. Log in to the Command Platform .
  2. Go to Controls & Compliance > Runtime.
  3. Click Manage Rules and Policies. The Container Runtime Security feature opens to the Threat Detection page.
  4. Go to Settings > Accounts.

Click a table row to open sensor details.

To delete a sensor:

  1. Log in to the Command Platform .
  2. Go to Controls & Compliance > Runtime.
  3. Click Manage Rules and Policies. The Container Runtime Security feature opens to the Threat Detection page.
  4. Go to Settings > Accounts.
  5. Click Menu (…).
  6. Click Delete.
  7. Click Delete again.

To upgrade a sensor:

  1. Log in to the Command Platform .
  2. Go to Controls & Compliance > Runtime.
  3. Click Manage Rules and Policies. The Container Runtime Security feature opens to the Threat Detection page.
  4. Go to Settings > Accounts.
  5. Click Upgrade Available.
  6. Copy the code and paste it into a cloud shell or terminal for the related cluster.

To trigger a scan:

  1. Log in to the Command Platform .
  2. Go to Controls & Compliance > Runtime.
  3. Click Manage Rules and Policies. The Container Runtime Security feature opens to the Threat Detection page.
  4. Go to Settings > Accounts.
  5. Click Menu (…).
  6. Click Scan.