Deployment Checklist

This checklist outlines the prerequisites and network requirements for deploying the ColorTokens Xshield Container Security sensor. Use it to validate your environment before installation and to ensure smooth connectivity between your clusters and the Xshield Console.

Prerequisites

Istio Service Mesh

Xshield Container Security relies on an Istio-based service mesh for traffic visibility and enforcement.

• Install Istio Service Mesh (if not already installed).
• Refer to the official Istio documentation to select the most suitable installation profile and method for your environment

Note: ColorTokens does not mandate a specific Istio installation method or profile. Any supported configuration that provides the required data plane visibility is acceptable.

Kubernetes Clusters

The following Istio deployments are supported on standard Kubernetes clusters:

1. Istio Service Mesh (sidecar)
2. Istio Ambient Mesh

Red Hat OpenShift Clusters

The following service mesh deployments are supported on Red Hat OpenShift:

1. Istio Service Mesh (sidecar)
2. Istio Ambient Mesh
3. Red Hat OpenShift Service Mesh 2 (2.5.2 and later)
4. Red Hat OpenShift Service Mesh 3

Network Whitelisting

Connection to Azure Container Registry (ACR)

Xshield Container Security images and Helm charts are published to the public ColorTokens ACR colortokenspublic. To enable seamless image and chart pulls, whitelist the following endpoints from:

• The target Kubernetes/OpenShift clusters (where the sensor is deployed), and
• Any bastion or jump host from which Helm commands will be executed.

Required endpoints:

1. https://colortokenspublic.azurecr.io
2. https://colortokenspublic.eastus.data.azurecr.io

If direct outbound access from the target cluster is not possible:

• Pre-pull the required container images and Helm charts to your private container registry.
• Ensure that both the bastion host and the target cluster can reach your private registry.

Connection to Xshield Console

The container security agent must be able to reach the Xshield Console to:

• Register with the platform
• Retrieve and refresh policies
• Upload telemetry and logs

Whitelist the following URLs from the target cluster, depending on the region in which your Xshield tenant is hosted.

US Region Cluster

• https://ng.colortokens.com
• https://telemetry.ng.colortokens.com
• https://logs.ng.colortokens.com

India Region Cluster

• https://bom.colortokens.com
• https://telemetry.bom.colortokens.com
• https://logs.bom.colortokens.com

Europe Region Cluster

• https://fra.colortokens.com
• https://telemetry-fra.colortokens.com
• https://logs-fra.colortokens.com

Australia (Sydney) Region Cluster

• https://syd.colortokens.com
• https://telemetry-syd.colortokens.com
• https://logs-syd.colortokens.com

Central US Region Cluster

• https://dsm.colortokens.com
• https://telemetry-dsm.colortokens.com
• https://logs-dsm.colortokens.com

On-Premises Xshield Deployments

For on‑premises deployments, ensure that the following URLs are reachable from the target cluster. Replace [colortokens] and [your-domain-name] with your actual deployment values.

On-Prem (Tanzu / VMware / AWS VM)

• https://[colortokens].[your-domain-name].com
• https://artifacts-[colortokens].[your-domain-name].com

On-Prem (Azure AKS)

• https://[colortokens].[your-domain-name].com
• https://telemetry-[colortokens].[your-domain-name].com
• https://logs-[colortokens].[your-domain-name].com