Deploy the VRM runtime agent
The Veracode Risk Manager (VRM) runtime agent operates as a pod within Kubernetes environments to collect minimal metadata about other containers in runtime. Specifically, the agent tells VRM which image IDs are running in which clusters, and can provide overall counts back to VRM to help contextualize vulnerabilities.
With the runtime agent deployed, VRM allows the user to prioritize and filter both issues and assets with a new factor that tracks whether the issue or asset is in runtime.
The runtime agent operates with minimal resource consumption, utilizing an estimated 0.1% of a single CPU core, 15 MiB of memory, and experiencing a peak bandwidth usage of up to 2 kB/s during request spikes.
Prerequisites
To deploy the VRM runtime agent, you must have:
- An existing Veracode organization.
NOTE: If you are a VRM-only customer, please reach out to your customer success representative to configure this for you at no cost.
- A running Veracode connector for your VRM tenant.
- Cluster-admin access to Kubernetes runtime environments via Helm deployment.
- If you want to customize the permissions of the Veracode API service account used by the agent, a Veracode API service account.
NOTE: By default, VRM will propose the default token for your organization, but this may have excessive permissions for the agent.
Configure and deploy the agent
- In VRM, from the left navigation menu, select the Settings icon.
- Click on your Veracode connector.
- On the Connection Details tab, select the Enable Kubernetes Runtime Agent checkbox.
- Enter a descriptive name for your Kubernetes cluster.
- Select one of the following to generate the appropriate helm command to deploy the agent:
  - I’ll create a new Veracode org user myself if you want to use a Veracode API service account with customized permissions.
  - Include credentials with default permissions if you want to accept the default permissions using an automatically generated API service account.
- Copy the provided helm command.
- If you selected I’ll create a new Veracode org user myself, replace <VERACODE_API_ID> and <VERACODE_API_KEY> in the command with the ID and secret key for your API service account.
- Run the helm command in the Kubernetes environment where you want to deploy the agent.
The deployed agent has the following set of Kubernetes permissions:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ .Values.serviceAccount.name | default "vrm-runtime-agent" }}-role
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
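One way to confirm that the ClusterRole actually installed in a cluster still matches the permissions listed above (an added example, not Veracode's code). It assumes the role is exported as JSON with kubectl get clusterrole <name> -o json, that the name is the template default vrm-runtime-agent-role, and both sample roles below are constructed.

```python
import json

# Documented agent permissions (from the ClusterRole above): read-only
# access to pods in the core ("") API group.
DOCUMENTED = {
    "apiGroups": {""},
    "resources": {"pods"},
    "verbs": {"get", "list", "watch"},
}


def audit_cluster_role(role):
    """Return a list of findings where the role exceeds the documented rule."""
    findings = []
    if role.get("aggregationRule"):
        findings.append("aggregationRule set: other ClusterRoles can add rules")
    for i, rule in enumerate(role.get("rules") or []):
        if rule.get("nonResourceURLs"):
            findings.append(f"rule {i}: nonResourceURLs {sorted(rule['nonResourceURLs'])}")
        for field, allowed in DOCUMENTED.items():
            # Wildcards ("*") and subresources ("pods/exec") land here too.
            extra = set(rule.get(field) or []) - allowed
            if extra:
                findings.append(f"rule {i}: unexpected {field} {sorted(extra)}")
    return findings


# Constructed sample input: the role exactly as documented.
EXPECTED_ROLE = json.loads("""
{"kind": "ClusterRole", "metadata": {"name": "vrm-runtime-agent-role"},
 "rules": [{"apiGroups": [""], "resources": ["pods"],
            "verbs": ["get", "list", "watch"]}]}
""")

# Constructed sample input: a role that has drifted from the documented one.
DRIFTED_ROLE = json.loads("""
{"kind": "ClusterRole", "metadata": {"name": "vrm-runtime-agent-role"},
 "rules": [{"apiGroups": [""], "resources": ["pods", "secrets"],
            "verbs": ["get", "list", "watch"]},
           {"apiGroups": ["*"], "resources": ["pods/exec"],
            "verbs": ["create"]}]}
""")

if __name__ == "__main__":
    # Audits the constructed drifted sample; feed real `kubectl ... -o json`
    # output through json.load() to audit a live role.
    print("\n".join(audit_cluster_role(DRIFTED_ROLE)))
```

An empty result means the role grants nothing beyond get, list and watch on pods; any finding is worth reviewing before and after chart upgrades.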