Create a GKE Audit Log Integration Manually

Overview

Lacework integrates with GCP Audit Logs in an event-based streaming pull mode for monitoring GKE admin read, data read, and data write events. This topic describes how to integrate with GCP manually from Google Cloud Shell.

Resources

Organization level integrations cover all existing projects in the organization, and automatically add any new projects added after the initial integration.

Project level integrations cover only specific projects and any new projects must be added as required.

To integrate at the organization or project level, Lacework requires the following resources be provisioned in Google Cloud:

  • Google Cloud Project - A project to contain the required cloud resources with billing enabled. When integrating at the organization level, Lacework recommends creating a project specifically for Lacework resources. When integrating at the project level, all required resources for Lacework may be provisioned within the project being integrated.
  • Google Pub/Sub Topic - Topic for GKE Audit Logs events
  • Google Pub/Sub Subscription - Subscription for Lacework to pull the GKE Audit Log events from
  • Google Logging Sink - To export Cloud Audit Logs to the Pub/Sub topic
  • Service Account for Lacework - To provide Lacework read-only access to Google Cloud Platform with the following roles:
    • Organization level integrations
      • roles/resourcemanager.organizationViewer
      • roles/pubsub.publisher
      • roles/pubsub.subscriber
      • roles/browser
    • Project level integrations
      • roles/pubsub.publisher
      • roles/pubsub.subscriber
      • roles/browser

For organization level integrations, follow the steps in Integrate GCP GKE Audit Logs with Lacework at the Organization Level.

For project level integrations, follow the steps in Integrate GCP GKE Audit Logs with Lacework at the Project Level.

Requirements

Google Cloud Shell inherits the permissions of the user running Cloud Shell. Before beginning, determine whether the integration between Google Cloud and Lacework will be at the organization level or the project level, and then ensure the user account running Google Cloud Shell has the following permissions:

  • Organization level integrations

    • roles/owner - For organization level integrations, Lacework recommends creating a dedicated Google Cloud project to contain the required resources. The user account used to run Google Cloud Shell must have 'Owner' permissions for that project.
    • roles/resourcemanager.organizationAdmin
    • roles/iam.organizationRoleAdmin
  • Project level integrations

    • roles/owner - For project level integrations, Lacework recommends using the project being integrated to store all of the required resources. The user account used to run Google Cloud Shell must have 'Owner' permissions for every project being integrated into Lacework.

Google Cloud Shell

Google Cloud Shell is a terminal embedded in the Google Cloud console. It comes with tools such as the Google Cloud SDK and the gcloud command-line tool pre-installed, so you can manage and automate the projects and resources in your environment without installing anything locally.

Deployment Scenarios

Integrate GKE Audit Logs with Lacework at the Organization Level

The following section covers integrating Google Cloud and Lacework for analysis of GKE Audit Logs at the organization level.

Create a GCP Project Using the GCP Console

When creating an integration at the GCP organization level, Lacework recommends having a dedicated project to provision the required resources for the integration between Google Cloud and Lacework.

Create a dedicated project for the integration. Follow the steps in Creating a project.

Configure Project Owner Permissions for User Account

Grant the roles/owner role on the GCP project to the user who will run Google Cloud Shell.

Follow the steps in Grant a single role.

Create a Pub/Sub Topic

Create a Pub/Sub topic. Follow the steps in Create a topic.

Create a Pub/Sub Subscription

Create a subscription for the Pub/Sub topic you just created. Follow the steps in Add a subscription.

Create a Service Account for Lacework

Note: You can reuse the existing service account if you already created one during GCP integration creation.

Create a service account. Follow the steps in Create service accounts.

Grant the service account the following roles:

Role Name            | Role ID
---------------------|-------------------------------------------
Pub/Sub Publisher    | roles/pubsub.publisher
Pub/Sub Subscriber   | roles/pubsub.subscriber
Organization Viewer  | roles/resourcemanager.organizationViewer
Browser              | roles/browser

Set up Log Routing

Admin Activity logs are enabled by GCP by default. You can enable Data Access logs at an additional cost from GCP to access the following event groups:

  • ADMIN_READ: access to Kubernetes metadata and configuration
  • DATA_READ: access to Kubernetes resources
  • DATA_WRITE: creation and changes to Kubernetes resources

  1. In the Google Cloud console, go to IAM & Admin > Audit Logs.
  2. In the Data Access audit logs configuration table next to Filter, start typing Kubernetes and select Kubernetes Engine API.
  3. With Kubernetes Engine API selected, select the logs and click Save.

See the following Google Cloud documentation about Configure Data Access audit logs for additional details.

Configure the Log Sink

Configure the Pub/Sub topic as the sink and add inclusion and exclusion filters. Follow the steps in Create a sink.

Add the following inclusion filter:

protoPayload.@type = "type.googleapis.com/google.cloud.audit.AuditLog" AND protoPayload.serviceName = "k8s.io"

Add the following exclusions:

Name                     | Filter
-------------------------|------------------------------------------------------------------------------------
livezexclusion           | protoPayload.resourceName="livez"
readyzexclusion          | protoPayload.resourceName="readyz"
metricsexclusion         | protoPayload.resourceName="metrics"
clustermetricsexclusion  | protoPayload.resourceName="core/v1/namespaces/kube-system/configmaps/clustermetrics"

Launch Google Cloud Shell within Google Console

To open Google Cloud Shell, click the Cloud Shell icon in the header bar of the Google Console. Cloud Shell launches in a pane at the bottom of the browser.

Create API Key

To create a set of API keys, follow these steps:

  1. Log in to the Lacework Console.
  2. Go to Settings > Configuration > API keys and click + Add New.
  3. Enter a name for the key and an optional description, then click Save.
  4. Download the generated API key file. For more information, go to API Access Keys.

Google Cloud Shell lets you drag and drop the generated KEY.json into the terminal pane to upload it automatically.

Next, run the command:

user@cloudshell:~ $ lacework configure -j CUSTOMER_EED10DA9136E9F763477FF5933464DD0C3DADF2CDDEFABC.json
▸ Account: your_account_name
▸ Access Key ID: CUSTOMER_EED10DA9136E9F763477FF5933464DD0C3DADF2CDDEFABC
▸ Secret Access Key: (*****************************26a0)

You are all set!

Validate the Configuration

Log in to the Lacework Console and go to Settings > Integrations > Cloud Accounts.

Integrate GKE Audit Logs with Lacework at the Project Level

The following section covers integrating Google Cloud and Lacework for analysis of GKE Audit Logs at the project level.

Configure Project Owner Permissions for User Account

Grant the roles/owner role on the GCP project to the user who will run Google Cloud Shell.

Follow the steps in Grant a single role.

Create a Pub/Sub Topic

Create a Pub/Sub topic. Follow the steps in Create a topic.

Create a Pub/Sub Subscription

Create a subscription for the Pub/Sub topic you just created. Follow the steps in Add a subscription.

Create a Service Account for Lacework

Note: You can reuse the existing service account if you already created one during GCP integration creation.

Create a service account. Follow the steps in Create service accounts.

Grant the service account the following roles:

Role Name            | Role ID
---------------------|-------------------------
Pub/Sub Publisher    | roles/pubsub.publisher
Pub/Sub Subscriber   | roles/pubsub.subscriber
Browser              | roles/browser

Set up Log Routing

Admin Activity logs are enabled by GCP by default. You can enable Data Access logs at an additional cost from GCP to access the following event groups:

  • ADMIN_READ: access to Kubernetes metadata and configuration
  • DATA_READ: access to Kubernetes resources
  • DATA_WRITE: creation and changes to Kubernetes resources

  1. In the Google Cloud console, go to IAM & Admin > Audit Logs.
  2. In the Data Access audit logs configuration table next to Filter, start typing Kubernetes and select Kubernetes Engine API.
  3. With Kubernetes Engine API selected, select the logs and click Save.

See the following Google Cloud documentation about Configure Data Access audit logs for additional details.

Configure the Log Sink

Configure the Pub/Sub topic as the sink and add inclusion and exclusion filters. Follow the steps in Create a sink.

Add the following inclusion filter:

protoPayload.@type = "type.googleapis.com/google.cloud.audit.AuditLog" AND protoPayload.serviceName = "k8s.io"

Add the following exclusions:

Name                     | Filter
-------------------------|------------------------------------------------------------------------------------
livezexclusion           | protoPayload.resourceName="livez"
readyzexclusion          | protoPayload.resourceName="readyz"
metricsexclusion         | protoPayload.resourceName="metrics"
clustermetricsexclusion  | protoPayload.resourceName="core/v1/namespaces/kube-system/configmaps/clustermetrics"
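The console steps above (topic, subscription, service account and roles, Data Access audit logs, and the log sink with its inclusion and exclusion filters) can also be run from Google Cloud Shell as one script. The script below is an added example covering both the organization-level and the project-level procedures on this page; it is not Lacework's or Google's own tooling. Every resource name in it is a placeholder, and two details are assumptions not stated on the page: the Kubernetes Engine API's audit service name is container.googleapis.com, and the sink's writer identity must be granted roles/pubsub.publisher on the topic before any log entry reaches the subscription (a standard GCP sink requirement).

```shell
#!/bin/sh
# Added example (not Lacework's or Google's script): provisions the resources this page
# lists for a GKE audit log integration at organization or project level, from Cloud Shell.
# Names are placeholders; container.googleapis.com as the Kubernetes Engine API audit
# service and the writer-identity grant below are assumptions not stated on the page.
set -eu

PROJECT_ID="${PROJECT_ID:-my-lacework-project}"      # placeholder: project holding the resources
ORG_ID="${ORG_ID:-}"                                 # placeholder: needed for organization level only
TOPIC="${TOPIC:-lacework-gke-audit-topic}"
SUBSCRIPTION="${SUBSCRIPTION:-lacework-gke-audit-sub}"
SINK="${SINK:-lacework-gke-audit-sink}"
SA_NAME="${SA_NAME:-lacework-gke-audit}"
SA_EMAIL="$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com"

# Inclusion filter from the page: Cloud Audit Log entries written by the k8s.io service.
inclusion_filter() {
  printf '%s' 'protoPayload.@type = "type.googleapis.com/google.cloud.audit.AuditLog" AND protoPayload.serviceName = "k8s.io"'
}

# The page's four exclusions as name=filter lines (probe and metrics reads are noise).
exclusions() {
  cat <<'EOF'
livezexclusion=protoPayload.resourceName="livez"
readyzexclusion=protoPayload.resourceName="readyz"
metricsexclusion=protoPayload.resourceName="metrics"
clustermetricsexclusion=protoPayload.resourceName="core/v1/namespaces/kube-system/configmaps/clustermetrics"
EOF
}

# One name=filter line -> the value gcloud's --exclusion flag expects.
exclusion_flag() { printf 'name=%s,filter=%s' "${1%%=*}" "${1#*=}"; }

# Roles the page grants the Lacework service account; $1 is "org" or "project".
lacework_roles() {
  printf '%s\n' roles/pubsub.publisher roles/pubsub.subscriber roles/browser
  if [ "$1" = org ]; then printf '%s\n' roles/resourcemanager.organizationViewer; fi
}

sink_destination() { printf 'pubsub.googleapis.com/projects/%s/topics/%s' "$1" "$2"; }  # $1 project, $2 topic

# Resource scope flag for gcloud logging commands; $1 is "org" or "project".
scope_flag() { if [ "$1" = org ]; then printf -- '--organization=%s' "$ORG_ID"; else printf -- '--project=%s' "$PROJECT_ID"; fi; }

# Data Access audit logs for the "Set up Log Routing" step (ADMIN_READ, DATA_READ, DATA_WRITE).
# gcloud has no flag for this: merge the block into `gcloud projects get-iam-policy PROJECT`
# output and apply it with `gcloud projects set-iam-policy PROJECT policy.yaml`.
audit_config_yaml() {
  cat <<'EOF'
auditConfigs:
- service: container.googleapis.com
  auditLogConfigs:
  - logType: ADMIN_READ
  - logType: DATA_READ
  - logType: DATA_WRITE
EOF
}

provision() {  # $1 = org | project
  level="$1"
  gcloud config set project "$PROJECT_ID"
  gcloud pubsub topics create "$TOPIC"
  gcloud pubsub subscriptions create "$SUBSCRIPTION" --topic "$TOPIC"
  gcloud iam service-accounts create "$SA_NAME" --display-name "Lacework GKE audit logs"
  for role in $(lacework_roles "$level"); do
    if [ "$level" = org ]; then
      gcloud organizations add-iam-policy-binding "$ORG_ID" --member "serviceAccount:$SA_EMAIL" --role "$role"
    else
      gcloud projects add-iam-policy-binding "$PROJECT_ID" --member "serviceAccount:$SA_EMAIL" --role "$role"
    fi
  done
  # Sink with the inclusion filter and one --exclusion per page entry; the organization
  # level uses an aggregated sink so every project's GKE audit logs reach the one topic.
  set -- "$SINK" "$(sink_destination "$PROJECT_ID" "$TOPIC")" --log-filter "$(inclusion_filter)"
  for entry in $(exclusions); do set -- "$@" --exclusion "$(exclusion_flag "$entry")"; done
  if [ "$level" = org ]; then set -- "$@" --organization "$ORG_ID" --include-children; else set -- "$@" --project "$PROJECT_ID"; fi
  gcloud logging sinks create "$@"
  # The sink publishes as its own service account; without this grant the sink exists
  # but nothing is delivered to the subscription Lacework pulls from.
  writer=$(gcloud logging sinks describe "$SINK" "$(scope_flag "$level")" --format 'value(writerIdentity)')
  gcloud pubsub topics add-iam-policy-binding "$TOPIC" --member "$writer" --role roles/pubsub.publisher
  echo "Enable Data Access logs by merging this into the project IAM policy:"
  audit_config_yaml
}

# Peek at the subscription without acknowledging, so Lacework still receives the messages.
verify() {  # $1 = org | project
  gcloud logging sinks describe "$SINK" "$(scope_flag "$1")"
  gcloud pubsub subscriptions pull "$SUBSCRIPTION" --limit 5 --format 'value(message.data)'
}

case "${1:-}" in
  apply)  provision "${2:-project}" ;;
  verify) verify "${2:-project}" ;;
  *) : ;;  # no arguments: only define the functions, so the file can be sourced
esac
```

Run it as `sh provision.sh apply org` (with ORG_ID exported) or `sh provision.sh apply project`, then `sh provision.sh verify project` after generating some GKE activity; a pulled message whose protoPayload.serviceName is k8s.io confirms the sink, topic and subscription are wired before you validate the cloud account in the Lacework Console. Check the created sink with `gcloud logging sinks describe` to confirm each exclusion filter survived gcloud's flag parsing exactly as listed in the table above.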

Launch Google Cloud Shell within Google Console

To open Google Cloud Shell, click the Cloud Shell icon in the header bar of the Google Console. Cloud Shell launches in a pane at the bottom of the browser.

Create API Key

To create a set of API keys, follow these steps:

  1. Log in to the Lacework Console.
  2. Go to Settings > Configuration > API keys and click + Add New.
  3. Enter a name for the key and an optional description, then click Save.
  4. Download the generated API key file. For more information, go to API Access Keys.

Google Cloud Shell lets you drag and drop the generated KEY.json into the terminal pane to upload it automatically.

Next, run the command:

user@cloudshell:~ $ lacework configure -j CUSTOMER_EED10DA9136E9F763477FF5933464DD0C3DADF2CDDEFABC.json
▸ Account: your_account_name
▸ Access Key ID: CUSTOMER_EED10DA9136E9F763477FF5933464DD0C3DADF2CDDEFABC
▸ Secret Access Key: (*****************************26a0)

You are all set!

Validate the Configuration

Log in to the Lacework Console and go to Settings > Integrations > Cloud Accounts.