Kubernetes Compliance FAQ
How do I check whether the node collector or cluster collector is installed?
The Collection status can be viewed in the Lacework Console from the Kubernetes Compliance page (Compliance > Kubernetes) when grouped by cluster.
- If Collection status for your cluster is displaying as Full collection, all necessary components are integrated and data is being collected.
- If Collection status for your cluster is displaying as Partial collection, ensure that you have installed the Node and Cluster Collectors.
- If Collection status for your cluster is displaying as No collection, ensure that you have completed a Configuration integration (Cloud Collector) for your cloud provider.
What does Lacework need to complete a full collection of data for Kubernetes Compliance?
Lacework requires data from three types of collectors before a complete assessment of your Kubernetes cluster can be made.
- Cloud Collector (also known as RMv2 or Cloud Resource Management)
- You must have completed a Configuration integration for your cloud account (for example: AWS Configuration).
- It is always on and runs once a day at the time defined by the Resource Management Collection Schedule (Settings > Configuration > General in the Lacework Console).
- This enumerates the Kubernetes clusters in the cloud account; its data is also used to evaluate some controls.
- Data is available no later than 24 hours after the Configuration integration is completed.
- Node Collector (extension of the Lacework Agent)
- You must complete installation/configuration on each Kubernetes cluster that you want to monitor for configuration compliance.
- Runs every hour.
- Data is sent to Lacework within 2 hours of installation.
- Cluster Collector
- You must complete installation/configuration on each Kubernetes cluster that you want to monitor for configuration compliance.
- Runs as a non-root user.
- Runs every 24 hours.
- Retrieves AWS instance metadata.
- Data is sent to Lacework within 2 hours of installation.
See Kubernetes Compliance Integrations for guidance on installing Node and Cluster collectors.
How long does it take for a full collection of data?
The compliance data is complete and available for assessment once all 3 collections have occurred at least once.
The node and cluster data is sent to Lacework within 2 hours of the collectors being installed on a cluster. Once the cloud collection has occurred, data will be visible in the Lacework platform.
In the vast majority of cases, this should take 24 hours or less.
What is the minimum version of the Lacework agent that supports EKS Compliance?
The minimum agent version for EKS Compliance functionality is v6.2.
What permissions and roles are required to run the Cluster Collector on EKS clusters?
The Cluster Collector uses a ClusterRole, ClusterRoleBinding, and a service account for read-only (get/list) access to the Kubernetes API server. Because the rules below grant get and list on every resource in every API group, "read-only" still includes reading Secrets and other sensitive objects cluster-wide, so the collector's service account token should be protected like any other cluster-wide read credential.
# Excerpt from the lacework-agent Helm chart template. apiVersion is added here
# for completeness; the closing {{- end -}} belongs to a conditional that
# begins before this excerpt.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-{{ include "lacework-agent.name" . }}-role
rules:
  - apiGroups:
      - "*"
    resources:
      - "*"
    verbs:
      - get
      - list
{{- end -}}
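As an added example (not Lacework's code and not part of the chart), the following Python audits a ClusterRole for least privilege: it reports whether the role is read-only, how many rules use wildcards for both apiGroups and resources, and whether the role can read Secrets. The input shape is what `kubectl get clusterrole <name> -o json` returns. The three sample roles are constructed for this example; the first mirrors the rules quoted above, with the template name assumed to render as cluster-lacework-agent-role, and the other two are illustrative contrasts, not a statement of which resources the Cluster Collector actually needs.

```python
"""Least-privilege audit of a Kubernetes ClusterRole.

Added example, not Lacework's code. Input is the JSON form of a ClusterRole
(e.g. `kubectl get clusterrole <name> -o json`). The audit answers two
questions a reviewer asks of a collector's role: is it read-only, and what
does "read-only" actually reach?
"""
import json

READ_ONLY_VERBS = {"get", "list", "watch"}
# (apiGroup, resource) pairs whose read access amounts to credential access.
SENSITIVE_READS = [("", "secrets")]


def rule_grants(rule, group, resource, verb):
    """True if one RBAC rule grants `verb` on (group, resource), honouring wildcards."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    return (("*" in groups or group in groups)
            and ("*" in resources or resource in resources)
            and ("*" in verbs or verb in verbs))


def audit_cluster_role(role):
    """Return a summary dict for a parsed ClusterRole object."""
    summary = {
        "name": role.get("metadata", {}).get("name"),
        "read_only": True,
        "non_read_verbs": set(),
        "wildcard_rules": 0,
        "can_read_secrets": False,
    }
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        extra = verbs - READ_ONLY_VERBS  # a "*" verb lands here as well
        if extra:
            summary["read_only"] = False
            summary["non_read_verbs"] |= extra
        if "*" in rule.get("apiGroups", []) and "*" in rule.get("resources", []):
            summary["wildcard_rules"] += 1
        for group, resource in SENSITIVE_READS:
            if (rule_grants(rule, group, resource, "get")
                    or rule_grants(rule, group, resource, "list")):
                summary["can_read_secrets"] = True
    summary["non_read_verbs"] = sorted(summary["non_read_verbs"])
    return summary


def audit_json(text):
    """Parse JSON text (as returned by kubectl -o json) and audit it."""
    return audit_cluster_role(json.loads(text))


# Constructed sample 1: the rules quoted from the chart template. The name is an
# assumed rendering of cluster-{{ include "lacework-agent.name" . }}-role.
COLLECTOR_ROLE_JSON = """
{"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
 "metadata": {"name": "cluster-lacework-agent-role"},
 "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list"]}]}
"""

# Constructed sample 2: an illustrative narrowed read-only role (hypothetical
# resource list; not a claim about what the collector requires).
NARROW_ROLE_JSON = """
{"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
 "metadata": {"name": "example-narrow-reader"},
 "rules": [{"apiGroups": [""], "resources": ["pods", "nodes", "namespaces"],
            "verbs": ["get", "list"]},
           {"apiGroups": ["apps"], "resources": ["deployments", "daemonsets"],
            "verbs": ["get", "list"]}]}
"""

# Constructed sample 3: a role that is not read-only at all.
BROAD_WRITE_ROLE_JSON = """
{"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
 "metadata": {"name": "example-admin-like"},
 "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
"""

if __name__ == "__main__":
    for text in (COLLECTOR_ROLE_JSON, NARROW_ROLE_JSON, BROAD_WRITE_ROLE_JSON):
        print(audit_json(text))
```

Run it against a live cluster by piping `kubectl get clusterrole <name> -o json` into `audit_json`. For the collector's role the result is read-only with one wildcard rule and can_read_secrets set, which is the point of the caveat above: the verbs are read-only, but the scope is the whole API.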
Why can't I create a custom resource group for Kubernetes?
It is not currently possible to create custom resource groups for Kubernetes.
Until this feature becomes available, the default Kubernetes resource group (All Kubernetes Cluster Names) is used to route all alerts related to detected anomalies and policy violations in your integrated Kubernetes clusters.