Amazon Elastic Kubernetes Service (EKS) Compliance Integrations
Overview
This article describes how to integrate Lacework with your EKS cluster(s) using Helm, which is a package manager for Kubernetes.
Lacework integrates with your Amazon Elastic Kubernetes Service (EKS) to monitor configuration compliance of your cluster resources.
Optionally, Lacework can also monitor workload security on your EKS cluster. This is provided as an additional option during the installation steps in this article.
Note: If you only want to monitor workload security on your EKS clusters (rather than configuration compliance), see Deploy Linux Agent on Kubernetes.
Supported Versions
See Deploy on Kubernetes (Supported Versions) for the operating systems, Kubernetes, and Helm versions that are supported for Amazon EKS Compliance.
EKS Compliance Integration Components
Lacework uses three components to collect data for EKS Compliance integrations:
Node Collector - collects data on each Kubernetes node.
- The Node Collector is an independent component that shares the same installation journey as the Lacework Agent. It has a separate configuration to allow operation on EKS nodes.
- Important: If the Lacework Agent is already installed on the cluster nodes, the installation updates the Agent configuration map to enable the Node Collector functionality. It may also upgrade the Lacework Agent to the latest available release. The minimum agent version for EKS Compliance functionality is v6.2.
- This component is installed on every Kubernetes node in the cluster.
- Node data is collected and sent to Lacework every hour.
- If you enable the datacollector component, the Node Collector also collects data relating to workload security.
Cluster Collector - collects Kubernetes cluster data from the Kubernetes API server.
- This component is installed on one container per cluster.
- The container runs as a non-root user.
- Retrieves AWS instance metadata.
- Cluster data is collected and sent to Lacework every 24 hours.
Cloud Collector (through Cloud Provider Integration) - collects data from cloud provider end points.
- This is already provided through the AWS Configuration integration type. See Integrate Lacework with AWS to set this up (if you haven't already done so).
- The cloud collection occurs every 24 hours at the scheduled time in the Lacework Console (under Settings > Configuration: General > Resource Management Collection Schedule).
Timings for first report
The EKS Compliance data is complete and available for assessment once all 3 collections have occurred at least once.
The node and cluster data is sent to Lacework within 2 hours of the collectors being installed on a cluster. Once the cloud collection has occurred, data will be visible in the Lacework platform.
Prerequisites
AWS Configuration integration has been configured and is working for your account or organization.
Lacework Linux Agent - Access Token has been created.
- Use an existing agent token or create a new one for this integration.
- If you only want to monitor compliance configuration, it is recommended that you create a new access token. You can then disable or enable the Agent token for this integration without affecting other integrations that use this token.
- If you want to monitor both compliance configuration and workload security, you may want to use an existing access token. For example, if you already have an Agent token in use for workload security on Kubernetes clusters, it may be better to combine this integration with the same access token.
- Note: You only need to generate the access token; the Agent itself is installed during the Install using Helm steps.
Install using Helm
Follow these steps to install the Node and Cluster collectors on your EKS cluster.
Add the Lacework Helm Charts repository:
helm repo add lacework https://lacework.github.io/helm-charts/
Choose one of the following options to install the necessary components on your EKS cluster:
Tip: Add --debug to the helm command to enter debug mode: helm upgrade --debug --install --create-namespace ...
Configuration compliance integration only:
Template with Workload Security disabled:
helm upgrade --install --create-namespace --namespace lacework \
--set laceworkConfig.serverUrl=${LACEWORK_SERVER_URL} \
--set laceworkConfig.accessToken=${LACEWORK_AGENT_TOKEN} \
--set laceworkConfig.kubernetesCluster=${KUBERNETES_CLUSTER_NAME} \
--set laceworkConfig.datacollector=disable \
--set clusterAgent.enable=True \
--set clusterAgent.image.repository=lacework/k8scollector \
--set clusterAgent.clusterType=${KUBERNETES_CLUSTER_TYPE} \
--set clusterAgent.clusterRegion=${KUBERNETES_CLUSTER_REGION} \
--set image.repository=lacework/datacollector \
lacework-agent lacework/lacework-agent
Adjust the parameter values to match your environment; see Configuration Parameters for guidance.
Configuration compliance and Workload Security integration:
Tip: Use this option if you already have the Lacework Agent installed on your cluster nodes.
Template with Workload Security enabled:
helm upgrade --install --create-namespace --namespace lacework \
--set laceworkConfig.serverUrl=${LACEWORK_SERVER_URL} \
--set laceworkConfig.accessToken=${LACEWORK_AGENT_TOKEN} \
--set laceworkConfig.kubernetesCluster=${KUBERNETES_CLUSTER_NAME} \
--set laceworkConfig.env=${KUBERNETES_ENVIRONMENT_NAME} \
--set clusterAgent.enable=True \
--set clusterAgent.image.repository=lacework/k8scollector \
--set clusterAgent.clusterType=${KUBERNETES_CLUSTER_TYPE} \
--set clusterAgent.clusterRegion=${KUBERNETES_CLUSTER_REGION} \
--set image.repository=lacework/datacollector \
lacework-agent lacework/lacework-agent
Adjust the parameter values to match your environment; see Configuration Parameters for guidance.
Display the pods for verification:
kubectl get pods -n lacework -o wide
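As an added example (not part of the Lacework documentation or Helm chart), the following shell script checks the values you are about to substitute into the --set flags against the constraints stated under Configuration Parameters (for example, clusterType must be the literal lower-case eks), and then checks the output of kubectl get pods -n lacework -o wide against kubectl get nodes: every pod Running and ready, and a pod on every node, since the Node Collector runs on each node. The pod and node names in the embedded sample output are constructed.

```shell
# Added example, not from the Lacework documentation: pre-install parameter
# checks and a post-install pod check for the Helm deployment described above.
# Both functions take their input as arguments, so they run offline on the
# constructed samples at the bottom as well as on live kubectl output.

# validate_params SERVER_URL TOKEN CLUSTER_NAME CLUSTER_TYPE REGION
# Returns 0 only when every value satisfies the documented constraints.
validate_params() {
  rc=0
  case "$1" in https://*) ;; *) echo "serverUrl must start with https://: $1" >&2; rc=1 ;; esac
  [ -n "$2" ] || { echo "accessToken is empty" >&2; rc=1; }
  [ -n "$3" ] || { echo "kubernetesCluster is empty (must match the name in AWS)" >&2; rc=1; }
  # The docs require the literal lower-case value eks; "EKS" is rejected.
  [ "$4" = "eks" ] || { echo "clusterType must be exactly 'eks', got '$4'" >&2; rc=1; }
  [ -n "$5" ] || { echo "clusterRegion is empty" >&2; rc=1; }
  return $rc
}

# check_pods PODS_OUTPUT NODES_OUTPUT
# PODS_OUTPUT is the text of `kubectl get pods -n lacework -o wide`, NODES_OUTPUT
# the text of `kubectl get nodes`. Passes when every pod is Running with all
# containers ready and every node hosts a pod (the Node Collector runs per node).
check_pods() {
  rc=0
  # -o wide columns end with NODE, NOMINATED NODE, READINESS GATES, so NODE is
  # $(NF-2); RESTARTS may contain spaces ("1 (2m ago)"), so count from the end.
  bad=$(printf '%s\n' "$1" | awk 'NR>1 { split($2, r, "/"); if ($3 != "Running" || r[1] != r[2]) print "  " $1, $2, $3 }')
  [ -z "$bad" ] || { echo "pods not ready:"; echo "$bad"; rc=1; }
  for node in $(printf '%s\n' "$2" | awk 'NR>1 { print $1 }'); do
    printf '%s\n' "$1" | awk -v n="$node" 'NR>1 && $(NF-2) == n { f=1 } END { exit !f }' \
      || { echo "no Lacework pod scheduled on node $node"; rc=1; }
  done
  return $rc
}

# Constructed sample output (illustrative pod and node names, not real data).
SAMPLE_NODES='NAME STATUS ROLES AGE VERSION
ip-10-0-1-12.eu-west-1.compute.internal Ready <none> 3d v1.27.1-eks-sample
ip-10-0-2-34.eu-west-1.compute.internal Ready <none> 3d v1.27.1-eks-sample'
SAMPLE_PODS='NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
lacework-agent-7hq2x 1/1 Running 0 5m 10.0.1.12 ip-10-0-1-12.eu-west-1.compute.internal <none> <none>
lacework-agent-k9pzd 1/1 Running 0 5m 10.0.2.34 ip-10-0-2-34.eu-west-1.compute.internal <none> <none>
lacework-agent-cluster-6d9f8b7c5-x2lm 1/1 Running 0 5m 10.0.1.90 ip-10-0-1-12.eu-west-1.compute.internal <none> <none>'
# Second sample: one DaemonSet pod crash-looping and no pod on the second node.
SAMPLE_PODS_BAD='NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
lacework-agent-7hq2x 0/1 CrashLoopBackOff 4 (30s ago) 5m 10.0.1.12 ip-10-0-1-12.eu-west-1.compute.internal <none> <none>
lacework-agent-cluster-6d9f8b7c5-x2lm 1/1 Running 0 5m 10.0.1.90 ip-10-0-1-12.eu-west-1.compute.internal <none> <none>'
```

Against a live cluster, run check_pods "$(kubectl get pods -n lacework -o wide)" "$(kubectl get nodes)" once the Helm install has finished.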
Configuration Parameters
Required Parameters
Adjust the following values to match your environment:
Value | Description | Example(s) |
---|---|---|
${LACEWORK_SERVER_URL} | Your Lacework Agent Server URL. | https://api.lacework.net, https://api.fra.lacework.net, https://auprodn1.agent.lacework.net |
${LACEWORK_AGENT_TOKEN} | Your Lacework Agent Access Token. | 0123456789abc... |
${KUBERNETES_CLUSTER_NAME} | Provide your EKS cluster name and ensure it matches the name defined in AWS. | prd01 |
${KUBERNETES_ENVIRONMENT_NAME} | Your EKS environment name (this will be shown in the Lacework Console). Only required for Workload Security integrations. | Production |
${KUBERNETES_CLUSTER_TYPE} | The Kubernetes cluster type. NOTE: For EKS integrations, the cluster type must be written as eks in lower case. | eks |
${KUBERNETES_CLUSTER_REGION} | The AWS Region of the EKS cluster. | us-west, eu-west-1 |
Optional Parameters
The following parameters are optional and not required for the installation:
Parameter | Description | Example(s) |
---|---|---|
clusterAgent.image.tag | Specify a Lacework Agent tag suitable for your cluster. The default is latest when this parameter is omitted. | 5.6.0.8352-amd64 |
image.tag | Specify a Lacework Agent tag suitable for your cluster. The default is latest when this parameter is omitted. | 5.6.0.8352-amd64 |
Add these parameters when running the installation command:
helm upgrade --install --create-namespace --namespace lacework \
...
--set clusterAgent.image.tag=5.6.0.8352-amd64 \
--set image.tag=5.6.0.8352-amd64 \
...
See Helm Configuration Options for additional parameters that can also be set using Helm.
Next Steps
See Kubernetes Benchmarks for details on how to enable CIS EKS Benchmark policies.