Requirements and Prerequisites

Operating system support information is available in the Agent OS support matrix.

Requirements

  • The install script requires Kubernetes or OpenShift administrator credentials to start privileged agent pods on the cluster nodes.

  • Secure Workload entities are created in the tetration namespace.

  • The node or pod security policies must permit privileged mode pods.

  • The busybox:1.33 image must either be preinstalled or downloadable from Docker Hub.

  • For the containerd runtime, if config_path is not set, modify your config.toml (default location: /etc/containerd/config.toml) as follows:

    ```
    [plugins."io.containerd.grpc.v1.cri".registry]
      config_path = "/etc/containerd/certs.d"
    ```

    Restart the containerd daemon afterwards.

  • To run on Kubernetes or OpenShift control plane nodes, use the --toleration flag to pass a toleration for the Secure Workload pods. The toleration usually needed is for the NoSchedule taint that normally keeps pods off control plane nodes (node-role.kubernetes.io/control-plane:NoSchedule, or node-role.kubernetes.io/master:NoSchedule on older clusters).

  • For Windows worker nodes:

    • Supported Windows worker node container runtime: ContainerD.

    • containerd config: set the registry config_path as follows and remove any configuration under registry.mirrors. The default configuration file location is C:\Program Files\containerd\config.toml.

      ```
      [plugins."io.containerd.grpc.v1.cri".registry]
        config_path = "/etc/containerd/certs.d"
      ```

      Restart the containerd daemon after the configuration changes.

    • The image mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image:v1.0.0 must either be preinstalled on the Windows worker node or downloadable from it.

    • When an existing Kubernetes agent is upgraded to a newer version, the Windows DaemonSet agent is installed automatically. The older installer script, however, does not uninstall the Windows DaemonSet agent; download the latest installer script to uninstall it.

    • Supported on:

      • Microsoft Windows Server 2022

      • Windows Server 2019

      • Kubernetes 1.27 and later
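
The two containerd requirements above (config_path must be set in the CRI registry table, and on Windows nodes any registry.mirrors tables must be removed) can be verified before running the installer. The following preflight script is an added example, not part of the Secure Workload installer: its function names are its own, it reads a config.toml with awk, and it checks only these two settings, not the rest of the file. The sample configuration it runs against is constructed for the example.

```shell
#!/bin/sh
# Added preflight check (not part of the Secure Workload installer): verify the
# containerd CRI registry settings required above in a config.toml.
# Usage: check_containerd_registry_config /etc/containerd/config.toml
# The same parsing applies to the contents of a Windows node's
# C:\Program Files\containerd\config.toml once copied to a POSIX host.

CRI_REGISTRY_TABLE='[plugins."io.containerd.grpc.v1.cri".registry]'

# Print the config_path value found inside the CRI registry table (empty if unset).
cri_registry_config_path() {
  awk -v table="$CRI_REGISTRY_TABLE" '
    # Every table header switches whether we are inside the registry table.
    /^[ \t]*\[/ {
      line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line); in_table = (line == table)
    }
    in_table && /^[ \t]*config_path[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, "")   # drop "config_path ="
      sub(/^"/, ""); sub(/".*$/, "")   # keep only the quoted string value
      print; exit
    }' "$1"
}

# Succeed if any legacy registry.mirrors table is present (config_path replaces them).
has_legacy_mirrors() {
  grep -Eq '^[ \t]*\[plugins\."io\.containerd\.grpc\.v1\.cri"\.registry\.mirrors' "$1"
}

# Overall check: 0 = OK, 1 = configuration needs changes, 2 = file unreadable.
check_containerd_registry_config() {
  file=$1
  [ -r "$file" ] || { echo "ERROR: cannot read $file" >&2; return 2; }
  path=$(cri_registry_config_path "$file")
  if [ -z "$path" ]; then
    echo "FAIL: config_path is not set in $CRI_REGISTRY_TABLE"
    return 1
  fi
  if has_legacy_mirrors "$file"; then
    echo "FAIL: legacy registry.mirrors tables present; remove them when config_path is used"
    return 1
  fi
  echo "OK: config_path = \"$path\" and no registry.mirrors tables"
}

# Constructed sample config matching the required snippet (not a real node's file).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
version = 2
[plugins."io.containerd.grpc.v1.cri".registry]
  config_path = "/etc/containerd/certs.d"
EOF
check_containerd_registry_config "$SAMPLE"
rm -f "$SAMPLE"
```

Run it against the node's real config.toml before the install; a FAIL on either check means containerd must be edited and restarted (for example with systemctl restart containerd on systemd hosts) before the agent images can be pulled through the CRI registry configuration.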

Requirements for Policy Enforcement

IPVS-based kube-proxy mode is not supported for OpenShift.

Configure these agents with the Preserve Rules option enabled. For more information, see Creating an Agent Config Profile.

For enforcement to function properly, any installed CNI plug-in must:

  • Provide flat address space (IP network) between all nodes and pods. Network plug-ins that masquerade the source pod IP for intracluster communication are not supported.

  • Not interfere with Linux iptables rules or marks that are used by the Secure Workload Enforcement Agent (mark bits 21 and 20 are used to allow and deny traffic for NodePort services).

The following CNI plug-ins have been tested against the above requirements:

  • Calico (3.13) with the following Felix configurations: (ChainInsertMode: Append, IptablesRefreshInterval: 0) or (ChainInsertMode: Insert, IptablesFilterAllowAction: Return, IptablesMangleAllowAction: Return, IptablesRefreshInterval: 0). All other options use their default values.

For more information on setting these options, see the Felix configuration reference.
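
Whether a CNI plug-in or any other component on a node already writes into the mark bits reserved by the Enforcement Agent can be checked from the node's live rule set. The following script is an added example, not Secure Workload or Calico code: it assumes "bits 21 and 20" are zero-indexed (0x200000 and 0x100000, combined mask 0x300000), its function names are its own, and the iptables-save sample it runs against is constructed for the example rather than captured from a real node.

```shell
#!/bin/sh
# Added example (not Secure Workload code): find iptables rules whose packet-mark
# value or mask overlaps the bits the Enforcement Agent uses for NodePort traffic.
# Assumption: "bits 21 and 20" are zero-indexed, i.e. 0x200000 and 0x100000.
# Usage on a node:  iptables-save | find_mark_conflicts

SW_MARK_MASK=$((0x300000))

# mark_overlaps VALUE[/MASK]: succeed if the rule touches a reserved bit.
# iptables-save prints marks as VALUE or VALUE/MASK; the mask is the set of bits
# a rule sets or tests, so both parts are checked against the reserved mask.
mark_overlaps() {
  case $1 in
    */*) mark=${1%%/*}; mask=${1#*/} ;;
    *)   mark=$1;       mask=$1 ;;      # no explicit mask: the value is the mask
  esac
  [ $(( ($mark | $mask) & SW_MARK_MASK )) -ne 0 ]
}

# find_mark_conflicts: reads iptables-save output on stdin and prints every rule
# whose MARK target or mark match overlaps the reserved bits.
find_mark_conflicts() {
  awk '{
    # Emit "<mark argument> <full rule>" for each mark option on the line.
    for (i = 1; i < NF; i++)
      if ($i ~ /^--(set-xmark|set-mark|or-mark|xor-mark|and-mark|mark)$/)
        print $(i + 1), $0
  }' | while read -r mark rule; do
    if mark_overlaps "$mark"; then
      printf '%s\n' "$rule"
    fi
  done
}

# Constructed sample of iptables-save output (not captured from a real node):
# a benign kube-proxy-style mark (0x4000), a rule setting bit 20, a match on
# bit 21, and a harmless match on bit 0.
SAMPLE_RULES='*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -j MARK --set-xmark 0x4000/0x4000
-A PREROUTING -m comment --comment "constructed: clobbers bit 20" -j MARK --set-xmark 0x100000/0x100000
-A INPUT -m mark ! --mark 0x200000/0x200000 -j RETURN
-A INPUT -m mark --mark 0x1/0x1 -j ACCEPT
COMMIT'

# Prints the two conflicting rules from the sample.
printf '%s\n' "$SAMPLE_RULES" | find_mark_conflicts
```

Run iptables-save | find_mark_conflicts on a worker node before enabling enforcement; any output names a rule (from the CNI plug-in, kube-proxy, or another agent) that sets or tests the reserved bits and therefore violates the second CNI requirement above. The check only covers the mark options listed in the awk pattern, so rules using other mark-manipulating targets would need to be added to that pattern.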