Deploy Garnet across your clusters for comprehensive runtime security.

Why monitor Kubernetes?

  • Pod-level threats in containerized workloads
  • Container breakouts and privilege escalation
  • Crypto miners using cluster resources
  • Data exfiltration from pods
  • Supply chain attacks in container images

Setup (3 minutes)

1. Get API token

# Get token from: dashboard.garnet.ai/tokens
export GARNET_API_TOKEN="garnet_xxx"

2. Deploy via Helm

# Add Garnet Helm repository
helm repo add garnet https://charts.garnet.ai
helm repo update

# Deploy Jibril agent
helm install jibril garnet/jibril \
  --set apiToken="$GARNET_API_TOKEN" \
  --namespace garnet-system \
  --create-namespace

3. Verify deployment

# Check pods are running
kubectl get pods -n garnet-system
# Expected: jibril-xxx Running (one per node)

# Check logs
kubectl logs -n garnet-system -l app=jibril
# Expected: "Connected to Garnet Platform"

Result: Garnet monitors all workloads across your cluster.

Configuration

Deployment modes


Advanced configuration

# values.yaml
apiToken: "garnet_xxx"

# Resource limits
resources:
  requests:
    cpu: 100m
    memory: 128Mi
  limits:
    cpu: 500m
    memory: 512Mi

# Node selector
nodeSelector:
  security.garnet.ai/monitored: "true"

# Tolerations for specific nodes
tolerations:
  - key: "security"
    operator: "Equal"
    value: "garnet"
    effect: "NoSchedule"

# Enable blocking mode
blocking:
  enabled: true
  mode: "strict"  # strict, permissive, or off

# Custom policies
policies:
  - name: "allow-internal-traffic"
    type: "network"
    action: "allow"
    pattern: "10.0.0.0/8"

Deploy with custom values:

helm install jibril garnet/jibril \
  --values values.yaml \
  --namespace garnet-system \
  --create-namespace

What gets detected

Pod Security

  • Container breakouts
  • Privilege escalation
  • Unauthorized file access
  • Process injection

Network Threats

  • C2 communications
  • Data exfiltration
  • Lateral movement
  • DNS tunneling

Resource Abuse

  • Crypto mining
  • Resource exhaustion
  • Fork bombs
  • Compute theft

Supply Chain

  • Malicious images
  • Backdoored containers
  • Vulnerable packages
  • Runtime modifications

Verification

After deployment:

  1. Check agent status:

kubectl get pods -n garnet-system -o wide
# Should show jibril pods on each node

  2. View logs:

kubectl logs -n garnet-system -l app=jibril --tail=50
# Look for "Connected to Garnet Platform"

  3. Visit the dashboard; agents should appear within 2 minutes.
  4. Test detection (optional):

kubectl run test-pod --image=alpine --rm -it -- sh
# Inside pod (the stock alpine image ships BusyBox wget, not curl):
wget -qO- http://malicious.test.garnet.ai

[Image: Helm deployment showing Jibril agents]
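
Because the agent runs one pod per node, any node without a ready Jibril pod is unmonitored, which can happen silently when a nodeSelector or a taint keeps the pod off a node. The following added example (not part of the Garnet documentation; function names and sample data are constructed) compares the node list with the agent pods and prints the gaps.

```sh
#!/bin/sh
# Added example, not part of the Garnet docs: list nodes with no Ready agent pod.
# The Ready condition is used instead of the pod phase because a pod in
# CrashLoopBackOff still reports phase "Running".
# Live inputs (standard Kubernetes API fields):
#   NODES=$(kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}')
#   PODS=$(kubectl get pods -n garnet-system -l app=jibril -o \
#     jsonpath='{range .items[*]}{.spec.nodeName}{" "}{.status.conditions[?(@.type=="Ready")].status}{"\n"}{end}')

# unmonitored_nodes NODES PODS
#   NODES: one node name per line
#   PODS:  "NODE READY" per line (READY is True or False), one line per agent pod
# Prints every node that has no agent pod with Ready=True.
unmonitored_nodes() {
  printf '%s\n---\n%s\n' "$2" "$1" | awk '
    $0 == "---" { in_nodes = 1; next }        # separator: pods above, nodes below
    !in_nodes   { if ($2 == "True") covered[$1] = 1; next }
    NF && !($1 in covered) { print $1 }       # node without a ready agent
  '
}

# Constructed sample: the agent on node-c is not ready and node-d has no
# agent pod at all (for example, it lacks the label required by nodeSelector).
SAMPLE_NODES='node-a
node-b
node-c
node-d'
SAMPLE_PODS='node-a True
node-b True
node-c False'

sample_gaps() { unmonitored_nodes "$SAMPLE_NODES" "$SAMPLE_PODS"; }

gaps=$(sample_gaps)
if [ -n "$gaps" ]; then
  echo "Nodes without a ready agent:"
  echo "$gaps"
fi
```

Nodes that are excluded on purpose through nodeSelector will also appear in the output, so review the list against the intended monitoring scope.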

Example detections

Crypto miner in pod

{
  "detection": "Cryptocurrency mining detected",
  "pod": "production/web-server-abc123",
  "process": "xmrig --donate-level=0 -o pool.minexmr.com:4444",
  "action": "Process killed, pod restarted"
}

Container breakout attempt

{
  "detection": "Container escape attempt", 
  "pod": "default/suspicious-pod-xyz789",
  "process": "mount /dev/sda1 /mnt/host",
  "action": "Process blocked, security team alerted"
}

Upgrading

# Update Helm repository
helm repo update garnet

# Upgrade to latest version
helm upgrade jibril garnet/jibril \
  --namespace garnet-system \
  --reuse-values

# Check upgrade status
kubectl rollout status daemonset/jibril -n garnet-system

Troubleshooting

Symptoms:

kubectl get pods -n garnet-system
# Shows CrashLoopBackOff or Pending

Fix:

  1. Check node compatibility:

kubectl describe node | grep "Kernel Version"
# Needs Linux kernel ≥5.15

  2. Verify API token:

kubectl logs -n garnet-system -l app=jibril
# Look for authentication errors

  3. Check privileges:

kubectl get pods -n garnet-system -o yaml | grep privileged
# Should show "privileged: true"

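A pre-flight version of the kernel check in step 1, as an added example that is not part of the Garnet documentation: it reads node name and kernel version pairs and lists the nodes below the 5.15 minimum. The function names and the sample node data are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the Garnet docs: pre-flight check for the
# "Linux kernel >= 5.15" requirement stated above.
# Live input (status.nodeInfo.kernelVersion is a standard Node field):
#   kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.status.nodeInfo.kernelVersion}{"\n"}{end}' | incompatible_nodes

# kernel_ok VERSION
#   returns 0 if VERSION >= 5.15, 1 if older, 2 if it cannot be parsed.
#   Distro suffixes ("5.15.0-1034-aws") are ignored; only major.minor counts.
kernel_ok() {
  case "$1" in
    [0-9]*.[0-9]*) ;;
    *) return 2 ;;
  esac
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%[!0-9]*}
  case "$major" in *[!0-9]*) return 2 ;; esac
  case "$minor" in '') return 2 ;; esac
  if [ "$major" -gt 5 ]; then return 0; fi
  if [ "$major" -eq 5 ] && [ "$minor" -ge 15 ]; then return 0; fi
  return 1
}

# Reads "NODE KERNEL" lines on stdin and prints the nodes that fail the
# check. Unparseable versions are reported too, so the check fails closed.
incompatible_nodes() {
  while read -r node kernel; do
    [ -n "$node" ] || continue
    if ! kernel_ok "$kernel"; then
      echo "$node $kernel"
    fi
  done
}

# Constructed sample data, not taken from a real cluster.
SAMPLE_NODES='node-a 5.15.0-1034-aws
node-b 5.4.0-150-generic
node-c 6.1.79-99.167.amzn2023.x86_64
node-d 4.19.0-25-cloud-amd64'

sample_report() { printf '%s\n' "$SAMPLE_NODES" | incompatible_nodes; }

sample_report
```
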
Wait 2-3 minutes for initial connection. If still missing:

  1. Check pod logs:

kubectl logs -n garnet-system -l app=jibril --tail=100

  2. Verify network connectivity:

# kubectl exec has no label selector; daemonset/jibril selects one agent pod
kubectl exec -n garnet-system daemonset/jibril -- nslookup api.garnet.ai

  3. Test API token:

curl -H "Authorization: Bearer $GARNET_API_TOKEN" https://api.garnet.ai/v1/agents

Symptoms: Nodes running out of CPU/memory

Solutions:

  1. Reduce resource requests:

# --reuse-values keeps the apiToken and other values set at install time
helm upgrade jibril garnet/jibril \
  --reuse-values \
  --set resources.requests.cpu=50m \
  --set resources.requests.memory=64Mi \
  --namespace garnet-system

  2. Use lightweight mode:

helm upgrade jibril garnet/jibril \
  --reuse-values \
  --set mode=lightweight \
  --namespace garnet-system

  3. Node selector for specific nodes:

nodeSelector:
  garnet.ai/monitor: "true"

Symptoms: Too many alerts from noisy workloads

Fix: Create allowlist policies:

# In dashboard: Settings → Policies → Add Policy
# Or via kubectl:
kubectl apply -f - <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: garnet-policies
  namespace: garnet-system
data:
  policies.yaml: |
    - name: allow-monitoring-tools
      type: process
      action: allow
      pattern: "prometheus|grafana|datadog"
EOF

Uninstall

# Remove Jibril agents
helm uninstall jibril --namespace garnet-system

# Remove namespace (optional)
kubectl delete namespace garnet-system

# Remove CRDs (if using policies)
kubectl delete crd garnetpolicies.security.garnet.ai
