Create a GKE Audit Log Integration Manually
Overview
Lacework integrates with GCP Audit Logs in an event-based streaming pull mode for monitoring GKE admin read, data read, and data write events. This topic describes how to integrate with GCP manually from Google Cloud Shell.
Resources
Organization level integrations cover all existing projects in the organization, and automatically add any new projects added after the initial integration.
Project level integrations cover only specific projects and any new projects must be added as required.
To integrate at the organization or project level, Lacework requires the following resources be provisioned in Google Cloud:
- Google Cloud Project - A project to contain the required cloud resources with billing enabled. When integrating at the organization level, Lacework recommends creating a project specifically for Lacework resources. When integrating at the project level, all required resources for Lacework may be provisioned within the project being integrated.
- Google Pub/Sub Topic - Topic for GKE Audit Logs events
- Google Pub/Sub Subscription - Subscription for Lacework to pull the GKE Audit Log events from
- Google Logging Sink - To export Cloud Audit Logs to the Pub/Sub topic
- Service Account for Lacework - To provide Lacework read-only access to Google Cloud Platform with the following roles:
  - Organization level integrations:
    - roles/resourcemanager.organizationViewer
    - roles/pubsub.publisher
    - roles/pubsub.subscriber
    - roles/browser
  - Project level integrations:
    - roles/pubsub.publisher
    - roles/pubsub.subscriber
    - roles/browser
For organization level integrations, follow the steps in Integrate GCP GKE Audit Logs with Lacework at the Organization Level.
For project level integrations, follow the steps in Integrate GCP GKE Audit Logs with Lacework at the Project Level.
Requirements
Google Cloud Shell inherits the permissions of the user running Cloud Shell. Before beginning, determine whether the integration between Google Cloud and Lacework will be at the organization level or the project level, and then ensure the user account running Google Cloud Shell has the following permissions:
- Organization level integrations
  - roles/owner - For organization level integrations, Lacework recommends creating a dedicated Google Cloud project to contain the required resources. The user account used to run Google Cloud Shell must have 'Owner' permissions for that project.
  - roles/resourcemanager.organizationAdmin
  - roles/iam.organizationRoleAdmin
- Project level integrations
  - roles/owner - For project level integrations, Lacework recommends using the project being integrated to store all of the required resources. The user account used to run Google Cloud Shell must have 'Owner' permissions for every project being integrated into Lacework.
Google Cloud Shell
Google Cloud Shell is an embedded terminal/command-line interface that can be used within the Google Console. It comes with tools such as the Google Cloud SDK and the gcloud command-line tool pre-installed to manage and automate your projects and resources in your environment.
Deployment Scenarios
- Integrate GKE Audit Logs with Lacework at the Organization Level - This deployment scenario configures a new Lacework GKE Audit Log integration for the entire organization.
- Integrate GKE Audit Logs with Lacework at the Project Level - This deployment scenario configures a new Lacework GKE Audit Log integration at the single project level.
Integrate GKE Audit Logs with Lacework at the Organization Level
The following section covers integrating Google Cloud and Lacework for analysis of GKE Audit Logs at the organization level.
Create a GCP Project Using the GCP Console
When creating an integration at the GCP organization level, Lacework recommends having a dedicated project to provision the required resources for the integration between Google Cloud and Lacework.
Create a dedicated project for the integration. Follow the steps in Creating a project.
Configure Project Owner Permissions for User Account
Configure the roles/owner permission on the GCP project for the user running Google Cloud Shell.
Follow the steps in Grant a single role.
Create a Pub/Sub Topic
Create a Pub/Sub topic. Follow the steps in Create a topic.
Create a Pub/Sub Subscription
Create a subscription for the Pub/Sub topic you just created. Follow the steps in Add a subscription.
Create a Service Account for Lacework
note
You can reuse the existing service account if you already created one during GCP integration creation.
Create a service account. Follow the steps in Create service accounts.
Grant the service account the following roles:
| Role Name | Role ID |
|---|---|
| Pub/Sub Publisher | roles/pubsub.publisher |
| Pub/Sub Subscriber | roles/pubsub.subscriber |
| Organization Viewer | roles/resourcemanager.organizationViewer |
| Browser | roles/browser |
Set up Log Routing
Admin Activity logs are enabled by GCP by default. You can enable Data Access logs at an additional cost from GCP to access the following event groups:
- ADMIN_READ: access to Kubernetes metadata and configuration
- DATA_READ: access to Kubernetes resources
- DATA_WRITE: creation and changes to Kubernetes resources
To enable Data Access logs for the Kubernetes Engine API:
- In the Google Cloud console, go to IAM & Admin > Audit Logs.
- In the Data Access audit logs configuration table next to Filter, start typing Kubernetes and select Kubernetes Engine API.
- With Kubernetes Engine API selected, select the logs and click Save.
See the Google Cloud documentation on Configure Data Access audit logs for additional details.
Configure the Log Sink
Configure the Pub/Sub topic as the sink and add inclusion and exclusion filters. Follow the steps in Create a sink.
Add the following inclusion filter:
protoPayload.@type = "type.googleapis.com/google.cloud.audit.AuditLog" AND protoPayload.serviceName = "k8s.io"
Add the following exclusions:
| Name | Filter |
|---|---|
| livezexclusion | protoPayload.resourceName="livez" |
| readyzexclusion | protoPayload.resourceName="readyz" |
| metricsexclusion | protoPayload.resourceName="metrics" |
| clustermetricsexclusion | protoPayload.resourceName="core/v1/namespaces/kube-system/configmaps/clustermetrics" |
Launch Google Cloud Shell within Google Console
To open Google Cloud Shell, click the Cloud Shell icon in the header bar of the Google Console, and it will launch Cloud Shell in a pane at the bottom of the browser.
Create API Key
To create a set of API keys, follow these steps:
- Log in to the Lacework Console.
- Go to Settings > Configuration > API keys and click + Add New.
- Enter a name for the key and an optional description, then click Save.
- Download the generated API key file. For more information, go to API Access Keys.
Google Cloud Shell lets you drag-and-drop the generated KEY.json file to upload it automatically.
Next, run the command:
user@cloudshell:~ $ lacework configure -j CUSTOMER_EED10DA9136E9F763477FF5933464DD0C3DADF2CDDEFABC.json
▸ Account: your_account_name
▸ Access Key ID: CUSTOMER_EED10DA9136E9F763477FF5933464DD0C3DADF2CDDEFABC
▸ Secret Access Key: (*****************************26a0)
You are all set!
Validate the Configuration
Log in to the Lacework Console and go to Settings > Integrations > Cloud Accounts.
Integrate GKE Audit Logs with Lacework at the Project Level
The following section covers integrating Google Cloud and Lacework for analysis of GKE Audit Logs at the project level.
Configure Project Owner Permissions for User Account
Configure the roles/owner permission on the GCP project for the user running Google Cloud Shell.
Follow the steps in Grant a single role.
Create a Pub/Sub Topic
Create a Pub/Sub topic. Follow the steps in Create a topic.
Create a Pub/Sub Subscription
Create a subscription for the Pub/Sub topic you just created. Follow the steps in Add a subscription.
Create a Service Account for Lacework
note
You can reuse the existing service account if you already created one during GCP integration creation.
Create a service account. Follow the steps in Create service accounts.
Grant the service account the following roles:
| Role Name | Role ID |
|---|---|
| Pub/Sub Publisher | roles/pubsub.publisher |
| Pub/Sub Subscriber | roles/pubsub.subscriber |
| Browser | roles/browser |
Set up Log Routing
Admin Activity logs are enabled by GCP by default. You can enable Data Access logs at an additional cost from GCP to access the following event groups:
- ADMIN_READ: access to Kubernetes metadata and configuration
- DATA_READ: access to Kubernetes resources
- DATA_WRITE: creation and changes to Kubernetes resources
To enable Data Access logs for the Kubernetes Engine API:
- In the Google Cloud console, go to IAM & Admin > Audit Logs.
- In the Data Access audit logs configuration table next to Filter, start typing Kubernetes and select Kubernetes Engine API.
- With Kubernetes Engine API selected, select the logs and click Save.
See the Google Cloud documentation on Configure Data Access audit logs for additional details.
Configure the Log Sink
Configure the Pub/Sub topic as the sink and add inclusion and exclusion filters. Follow the steps in Create a sink.
Add the following inclusion filter:
protoPayload.@type = "type.googleapis.com/google.cloud.audit.AuditLog" AND protoPayload.serviceName = "k8s.io"
Add the following exclusions:
| Name | Filter |
|---|---|
| livezexclusion | protoPayload.resourceName="livez" |
| readyzexclusion | protoPayload.resourceName="readyz" |
| metricsexclusion | protoPayload.resourceName="metrics" |
| clustermetricsexclusion | protoPayload.resourceName="core/v1/namespaces/kube-system/configmaps/clustermetrics" |
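The resource provisioning steps of both procedures above (Pub/Sub topic and subscription, service account with the listed roles, and the log sink with the inclusion filter and the four exclusions) collected into one gcloud script that can be run from Cloud Shell. This is an added example, not Lacework's tooling or text from this page. Project, topic, subscription, sink and service account names are constructed placeholders; binding roles/resourcemanager.organizationViewer at the organization for organization level integrations is an assumption (the page lists the role without naming the binding scope); and the last step, granting the sink's writer identity roles/pubsub.publisher on the topic, is a standard Cloud Logging requirement that the page does not spell out.

```shell
#!/bin/sh
# Added example (not Lacework's own tooling): provisions the Pub/Sub topic,
# subscription, service account, role bindings and log sink described above
# with gcloud. Defaults to printing the commands (DRY_RUN=1); export DRY_RUN=0
# in Cloud Shell to apply them.
set -eu

# Constructed placeholder names; override them via the environment.
PROJECT_ID="${PROJECT_ID:-my-lacework-project}"
ORG_ID="${ORG_ID:-}"                       # empty = project level integration
TOPIC="${TOPIC:-lacework-gke-audit-topic}"
SUBSCRIPTION="${SUBSCRIPTION:-lacework-gke-audit-sub}"
SINK="${SINK:-lacework-gke-audit-sink}"
SA_NAME="${SA_NAME:-lacework-gke-audit}"
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
DRY_RUN="${DRY_RUN:-1}"

# Inclusion filter from the page: only Cloud Audit Log entries produced by
# the Kubernetes Engine API (serviceName k8s.io) reach the topic.
INCLUSION_FILTER='protoPayload.@type = "type.googleapis.com/google.cloud.audit.AuditLog" AND protoPayload.serviceName = "k8s.io"'

# Exclusions from the page's table, as name|filter pairs. They drop the
# health-check and metrics noise so only meaningful API calls are exported.
sink_exclusions() {
  printf '%s\n' \
    'livezexclusion|protoPayload.resourceName="livez"' \
    'readyzexclusion|protoPayload.resourceName="readyz"' \
    'metricsexclusion|protoPayload.resourceName="metrics"' \
    'clustermetricsexclusion|protoPayload.resourceName="core/v1/namespaces/kube-system/configmaps/clustermetrics"'
}

# Project-scoped roles the page grants the Lacework service account.
project_roles() {
  printf '%s\n' roles/pubsub.publisher roles/pubsub.subscriber roles/browser
}

# Print one argument per line in dry-run mode, otherwise execute the command.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$@"; echo
  else
    "$@"
  fi
}

# Sinks (and their describe calls) are scoped to the organization or project.
scope_flag() {
  if [ -n "$ORG_ID" ]; then echo "--organization=$ORG_ID"; else echo "--project=$PROJECT_ID"; fi
}

create_pubsub() {
  run gcloud pubsub topics create "$TOPIC" --project="$PROJECT_ID"
  run gcloud pubsub subscriptions create "$SUBSCRIPTION" --topic="$TOPIC" --project="$PROJECT_ID"
}

create_service_account() {
  run gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID" \
    --display-name="Lacework GKE audit log reader"
  for role in $(project_roles); do
    run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:${SA_EMAIL}" --role="$role"
  done
  # Organization level only. Binding organizationViewer at the organization is
  # an assumption; the page lists the role without naming the binding scope.
  if [ -n "$ORG_ID" ]; then
    run gcloud organizations add-iam-policy-binding "$ORG_ID" \
      --member="serviceAccount:${SA_EMAIL}" --role=roles/resourcemanager.organizationViewer
  fi
}

create_sink() {
  set -- gcloud logging sinks create "$SINK" \
    "pubsub.googleapis.com/projects/${PROJECT_ID}/topics/${TOPIC}" \
    --log-filter="$INCLUSION_FILTER" "$(scope_flag)"
  # --include-children makes an organization sink export from every project.
  if [ -n "$ORG_ID" ]; then set -- "$@" --include-children; fi
  while IFS='|' read -r name filter; do
    set -- "$@" "--exclusion=name=${name},filter=${filter}"
  done <<EOF
$(sink_exclusions)
EOF
  run "$@"
}

# Standard Cloud Logging requirement the page does not spell out: the sink's
# writer identity must be allowed to publish to the topic, or nothing is exported.
grant_sink_writer() {
  if [ "$DRY_RUN" = "1" ]; then
    writer="serviceAccount:WRITER_IDENTITY_PLACEHOLDER"   # constructed placeholder
  else
    writer=$(gcloud logging sinks describe "$SINK" "$(scope_flag)" --format='value(writerIdentity)')
  fi
  run gcloud pubsub topics add-iam-policy-binding "$TOPIC" --project="$PROJECT_ID" \
    --member="$writer" --role=roles/pubsub.publisher
}

main() {
  create_pubsub
  create_service_account
  create_sink
  grant_sink_writer
}

main
```

Review the printed commands first, then rerun with DRY_RUN=0 (and ORG_ID set for an organization level integration). Enabling Data Access audit logs for the Kubernetes Engine API and the Lacework console steps (API key, lacework configure) are not covered by the script and remain as described on this page.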
Launch Google Cloud Shell within Google Console
To open Google Cloud Shell, click the Cloud Shell icon in the header bar of the Google Console, and it will launch Cloud Shell in a pane at the bottom of the browser.
Create API Key
To create a set of API keys, follow these steps:
- Log in to the Lacework Console.
- Go to Settings > Configuration > API keys and click + Add New.
- Enter a name for the key and an optional description, then click Save.
- Download the generated API key file. For more information, go to API Access Keys.
Google Cloud Shell lets you drag-and-drop the generated KEY.json file to upload it automatically.
Next, run the command:
user@cloudshell:~ $ lacework configure -j CUSTOMER_EED10DA9136E9F763477FF5933464DD0C3DADF2CDDEFABC.json
▸ Account: your_account_name
▸ Access Key ID: CUSTOMER_EED10DA9136E9F763477FF5933464DD0C3DADF2CDDEFABC
▸ Secret Access Key: (*****************************26a0)
You are all set!
Validate the Configuration
Log in to the Lacework Console and go to Settings > Integrations > Cloud Accounts.