Threat Stack Containerized Agent

Deploying the Threat Stack Agent

The Threat Stack Container Agent provides visibility into file, network, and process data from within pod or container orchestrated using Kubernetes, Docker, and others.

Container Distributions


  • Access to the Threat Stack Console
  • Access to host either via CLI or RDP on a supported Operating System architecture(ARM or x86 architecture)
  • Access to a supported browser (Chrome, Edge, Safari, and Firefox)


Container enabled environments have the following rulesets by default.

  • Base Rule Set
  • Docker Rule Set
  • Kubernetes Rule Set


Challenge 8Install the Threat Stack Container Agent

Install using Helm

Helm is a package manager on top of Kubernetes. It facilitates installation, upgrades, and manages dependencies for the services you install in Kubernetes.


  • Helm installed
  • Configured Values file


Use only the command provided to install the Threat Stack Container Agent. Using UDF, establish a Terminal session with the host labelled, “K8S”.

Let’s begin by downloading the values.yaml file used to configure the Helm Chart.

vim values.yaml

In the values.yaml, lets update a couple things. First, the hostname on line 51 so lab participants can track activity easily in the lab. Next, lets update the agentDeployKey on line 67 with your previously used key.

51 additionalSetupConfig: "--hostname=**$MY_HOSTNAME**"
67 agentDeployKey: "**$MY_DEPLOY_KEY**"

Once you edit the necessary values, then exit by entering the following on vim to write and force quit.


Now that we have our values.yaml file updated, lets deploy the Threat Stack Container Agent using Helm. We start by first adding the repo following a helm install to deploy Threat Stack to the K8 Cluster.

Add the Helm Repo

helm repo add threatstack

Run Helm Install

helm install threatstack-agent --values values.yaml threatstack/threatstack-agent

K8 Error

Connection Refused

If you are experiencing the following error

Error: INSTALLATION FAILED: Kubernetes cluster unreachable: Get "http://localhost:8080/version": dial tcp connect: connection refused

Execute the following command to reload the K8 config file.

kubectl config view --raw > ~/.kube/config