
Install Tracee on Kubernetes

In the deploy/kubernetes directory you will find YAML files to deploy Tracee in a Kubernetes environment. These files deploy Tracee as a DaemonSet alongside a message routing application (Postee) that helps you consume the detections in your preferred way (e.g. Slack, e-mail, JIRA and more).

Note

Although not optimal, you may consume Tracee detections through daemonset/tracee logs with kubectl logs -f daemonset/tracee -n tracee-system.

Tip

The preferred way to deploy Tracee is through its Helm chart!

  1. Install Tracee using Helm

    1. Add Aqua chart repository:

      helm repo add aqua https://aquasecurity.github.io/helm-charts/
      helm repo update
      

      or clone the Helm chart:

      git clone --depth 1 --branch v0.12.0 https://github.com/aquasecurity/tracee.git
      cd tracee
      
    2. Install the chart from the Aqua chart repository:

      helm install tracee aqua/tracee \
              --namespace tracee-system --create-namespace \
              --set hostPID=true
      

      or install the Helm chart from a local directory:

      helm repo add aqua https://aquasecurity.github.io/helm-charts/
      helm dependency update ./deploy/helm/tracee
      helm install tracee ./deploy/helm/tracee \
              --namespace tracee-system --create-namespace \
              --set hostPID=true
      
  2. Install Tracee Manually

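    To install Tracee with Postee, run the commands below. The Tracee manifest is pinned to the v0.12.0 tag, while the Postee manifest is fetched from the main branch, so its contents can change between runs: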

    kubectl create namespace tracee-system
    kubectl create -n tracee-system \
        -f https://raw.githubusercontent.com/aquasecurity/postee/main/deploy/kubernetes/postee.yaml \
        -f https://raw.githubusercontent.com/aquasecurity/tracee/v0.12.0/deploy/kubernetes/tracee-postee/tracee.yaml
    
  3. After Installation

    To choose how Postee delivers detection events from Tracee, edit the postee-config ConfigMap. Follow this example.

    You can also use the Postee UI to configure integrations.

Platform Support

This approach assumes that host nodes have either BTF available or kernel headers available under the conventional location. See Tracee's prerequisites for more info. For the major Kubernetes platforms, including GKE, EKS, AKS and minikube, this should work out of the box.
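
A preflight check for the node prerequisite described above, as an added example that is not part of the Tracee documentation or code base. The helper name tracee_node_prereq is hypothetical, and the two paths it probes (/sys/kernel/btf/vmlinux for BTF, /lib/modules/<release>/build for headers) are assumptions about the conventional locations, which this page does not spell out.

```sh
#!/bin/sh
# Added example: node preflight for the BTF-or-kernel-headers prerequisite.
# Assumed paths (not taken from this page):
#   BTF     -> /sys/kernel/btf/vmlinux
#   headers -> /lib/modules/<kernel release>/build

# tracee_node_prereq [ROOT] [KERNEL_RELEASE]
#   Prints "btf", "headers" or "none".
#   Returns 0 if either prerequisite is present, 1 if neither is.
#   ROOT is a path prefix (default: empty, i.e. the live system). It is
#   useful for tests or for a node image unpacked on disk; absolute
#   symlinks below ROOT are not re-rooted.
#   KERNEL_RELEASE defaults to the running kernel (uname -r).
tracee_node_prereq() {
    root="${1:-}"
    release="${2:-$(uname -r)}"

    # BTF: the kernel publishes its own type information as a regular file.
    if [ -f "${root}/sys/kernel/btf/vmlinux" ]; then
        echo "btf"
        return 0
    fi

    # Headers: "build" is usually a symlink into the headers package.
    # -d follows symlinks, so a dangling link (headers package removed,
    # or installed for a different kernel release) is reported as missing.
    if [ -d "${root}/lib/modules/${release}/build/include" ]; then
        echo "headers"
        return 0
    fi

    echo "none"
    return 1
}

# Typical use on a node before rolling out the DaemonSet:
#   tracee_node_prereq || echo "no BTF or kernel headers on $(hostname)" >&2
```
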