Host Agent Capabilities
- Updated on Apr 19, 2023
- Host Agent Mode and Directory of Workloads
- Applying Labels & EnvVars to your Workloads
- Clock Synchronization
- Network Visibility Module
Host Agent Mode and Directory of Workloads
In Banyan, the exact same security controls applied to user entities can also be applied to workload entities.
Workloads are automatically discovered on your hosts as soon as you install the Banyan Netagent in Host Agent mode. Roles and Policies can then be applied to transparently encrypt service-to-service traffic and for application segmentation.
Applying Labels & EnvVars to your Workloads
Banyan annotates workloads (containers or processes) with metadata that can later be used for visualization, policy definition and alerts.
These annotations are labels on containers. Processes do not support labels; we use environment variables to annotate processes. In our documentation, when we mention labels, we refer to container labels as well as process env vars.
To annotate a workload with the label myspeciallabel, you would do:
# Container
docker run --label myspeciallabel={LABEL_VALUE} {YOUR_CONTAINER}
# Process
env myspeciallabel={LABEL_VALUE} {YOUR_NORMAL_PROCESS_LAUNCH_SCRIPT}
Banyan Labels
Banyan agents automatically recognize labels that are in the form com.banyanops.labelname, and use them to annotate your workloads (containers or processes).
com.banyanops.app
The com.banyanops.app label is used to indicate that a given container or process is part of an application. The com.banyanops.app label is used in the Network Map visualization in the Dashboard, so you can focus in on a given application running in a cluster.
com.banyanops.servicename
The com.banyanops.servicename label is used to indicate that a given container or process is part of a Service. This is used both in the Network Map visualization and to set up service-level security policies.
Clock Synchronization
Banyan requires clocks on all Hosts to be reasonably accurate: Netagent procures short-lived X.509 certificates for workloads, and a skewed clock makes those certificates appear not-yet-valid or expired to the peer. To avoid clock synchronization problems, set the time on every host using NTP. A one-shot ntpdate run corrects the clock immediately; for ongoing synchronization also run an NTP daemon such as chrony or systemd-timesyncd.
# e.g., on Ubuntu run:
ntpdate -s ntp.ubuntu.com
Network Visibility Module
Netagent’s network visibility capabilities have the following limitations:
- only tracks TCP connections, it does not track UDP connections
- understands only the following Layer 6/7 protocols - HTTP, TLS, and MySQL
Service Definition Limitations for Host Agents
When Banyan Netagent is run in Host Agent mode, you cannot apply multiple Services definitions onto the same Workload (container or process).
This is because Banyan Netagent in Host Agent mode will associate every Service definition with a Workload running on that Host, and procure a unique short-lived X.509 Server Certificate for that specific Service-Workload pair. If you define more than one Service that maps to the same Workload, Netagent will try to procure multiple Server Certificates and fall into an inconsistent state.
To work around this issue, combine your multiple Service definitions into a single Service definition. A Service's spec.attributes.frontend_addresses and spec.attributes.host_tag_selector fields are arrays that can hold multiple values. Once you have a single Service definition mapped to a Workload, Netagent will function as normal.