Deploy Windows Agent on AKS and EKS Clusters
You can deploy the Windows agent on an Azure Kubernetes Service (AKS) or Amazon Elastic Kubernetes Service (EKS) cluster with a Helm chart. The Helm chart enables you to automatically deploy a Kubernetes pod containing the agent onto every node in your cluster.
Note: The Windows agent running on AKS and EKS clusters currently does not support host vulnerability assessment.
Prerequisites
An AKS or EKS cluster with Windows Server nodes that meet the system requirements specified in Supported Kubernetes Environments.
Lacework Windows agent version 1.5 or later for AKS.
Lacework Windows agent version 1.4 or later for EKS.
Ensure that the agent has access to tags in your AWS account. For more information, see Configure Access to Tags in AWS.
Note: The agent can automatically access tags in Microsoft Azure. Hence, no special configuration is required for Microsoft Azure.
Install the following on your machine:
- Docker
- Helm
- kubectl command-line tool
- For AKS, install:
- For EKS, install:
Supported Kubernetes Environments
Environment | Environment Name / Version |
---|---|
Kubernetes | Version 1.23, 1.24 |
K8s orchestrator | Azure Kubernetes Service (AKS), Amazon Elastic Kubernetes Service (EKS) |
Supported Windows OS for Nodes |
|
Container runtime | containerd version 1.6 or later |
Container isolation mode | Process isolation mode. Note: Hyper-V isolation mode is not supported. |
Helm | Version 3.8.x, 3.9.x, 3.10.x |
Deploy Agent with a Helm Chart
To deploy the agent with a Helm chart:
Add the Lacework Helm Charts repository:
helm repo add lacework https://lacework.github.io/helm-charts/
Do the following:
- If you are using AKS, run the az login command to use the Azure CLI with your Azure account.
- If you are using EKS, run the aws configure command to use the AWS CLI with your AWS account. Ensure that you have connected to the AWS region that contains your EKS cluster.
Use Helm to install the agent.
- If you are using a tenant located in North America, run the following command:
helm upgrade --install lw-agent lacework-agent-windows \
--set windowsAgent.agentConfig.accessToken=LACEWORK_AGENT_TOKEN \
--set windowsAgent.agentConfig.kubernetesCluster=CLUSTER_NAME
- If you are using a tenant located outside of North America, run the following command:
helm upgrade --install lw-agent lacework-agent-windows \
--set windowsAgent.agentConfig.accessToken=LACEWORK_AGENT_TOKEN \
--set windowsAgent.agentConfig.serverUrl=LACEWORK_SERVER_URL \
--set windowsAgent.agentConfig.kubernetesCluster=CLUSTER_NAME
- Replace LACEWORK_AGENT_TOKEN with your agent access token. For more information, see Obtain an Access Token for the Windows Agent.
- Replace LACEWORK_SERVER_URL with your Lacework server URL. For more information, see serverurl Property.
- Replace CLUSTER_NAME with the name of your cluster.
Verify that the pods for the Windows agent have the Running status.
kubectl get pods
Confirm that the Windows agent is installed successfully.
kubectl logs POD_NAME | grep 'MSI Installation successful'
Where POD_NAME is the name of your agent pod.
After you install the agent, it takes 10 to 15 minutes for agent data to appear in the Lacework Console under Resources > Agents. You can also view your cluster in the Lacework Console under Resources > Kubernetes.
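The two verification steps above, applied to every pod at once, as an added example that is not part of the Lacework documentation. It also flags pods that report Running while their containers are not all ready; the function names and the sample pod names and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Lacework code): triage agent pods after the Helm install.

# Constructed sample of `kubectl get pods --no-headers` output; names are made up.
SAMPLE_PODS='lw-agent-7kq2x   1/1   Running            0   12m
lw-agent-b9d4m   0/1   ImagePullBackOff   0   12m
lw-agent-zz81p   0/1   Running            3   12m
lw-agent-p0c3r   0/1   CrashLoopBackOff   7   12m'

# Constructed log excerpt; only the success string itself comes from the page.
SAMPLE_LOG='starting installer
MSI Installation successful
agent service started'

# Reads `kubectl get pods --no-headers` output on stdin and prints
# "NAME STATUS READY" for each pod that is not Running or not fully ready.
unhealthy_pods() {
    awk 'NF >= 3 {
        split($2, ready, "/")
        if ($3 != "Running" || ready[1] != ready[2]) print $1, $3, $2
    }'
}

# Succeeds only if the log text on stdin contains the installer success line.
install_confirmed() {
    grep -q 'MSI Installation successful'
}

# Live check against the current kubectl context (defined, not run here).
check_cluster() {
    rc=0
    pods=$(kubectl get pods --no-headers) || return 2
    bad=$(printf '%s\n' "$pods" | unhealthy_pods)
    [ -z "$bad" ] || { printf 'unhealthy:\n%s\n' "$bad"; rc=1; }
    for pod in $(printf '%s\n' "$pods" | awk '{ print $1 }'); do
        kubectl logs "$pod" | install_confirmed ||
            { echo "no install marker: $pod"; rc=1; }
    done
    return "$rc"
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_PODS" | unhealthy_pods
```

Call check_cluster after the install to run the same checks against the namespace that kubectl currently points at.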
Configure Agent with a Helm Chart
You can do one of the following to configure the agent with a Helm chart:
- Use command-line options for the helm install or helm upgrade command.
- Modify the parameters in the values.yaml file in your Helm chart to configure the agent and use the helm install or helm upgrade command to apply the configuration.
See the following sections for more information about the command-line options and values.yaml parameters that you can use to configure the agent.
Specify Lacework Agent Access Token
You can specify your Lacework agent access token in one of the following ways:
- Use the following option with the helm install or helm upgrade command:
--set windowsAgent.agentConfig.accessToken=AGENT_ACCESS_TOKEN
- Modify the values.yaml file and add data similar to the following:
accessToken: AGENT_ACCESS_TOKEN
For more information, see Obtain an Access Token for the Windows Agent.
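Values passed with --set are recorded in shell history and are visible in the process list while helm runs. As an added example (not Lacework's code), the following writes the same windowsAgent.agentConfig keys to a values file readable only by the current user and passes it to helm with -f; the LW_* variable names and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Lacework code): supply the agent token through a
# private values file instead of --set on the command line.

# write_agent_values FILE
# Reads LW_AGENT_TOKEN, LW_CLUSTER_NAME and the optional LW_SERVER_URL
# (hypothetical variable names) and writes the keys that the page sets
# with --set windowsAgent.agentConfig.*.
write_agent_values() {
    out=$1
    if [ -z "$out" ] || [ -z "${LW_AGENT_TOKEN:-}" ] ||
       [ -z "${LW_CLUSTER_NAME:-}" ]; then
        echo "usage: LW_AGENT_TOKEN and LW_CLUSTER_NAME set, FILE given" >&2
        return 1
    fi
    rm -f "$out"        # a pre-existing file would keep its old mode
    (
        umask 077       # the new file is created with mode 0600
        {
            printf 'windowsAgent:\n  agentConfig:\n'
            printf '    accessToken: "%s"\n' "$LW_AGENT_TOKEN"
            printf '    kubernetesCluster: "%s"\n' "$LW_CLUSTER_NAME"
            if [ -n "${LW_SERVER_URL:-}" ]; then
                printf '    serverUrl: "%s"\n' "$LW_SERVER_URL"
            fi
        } > "$out"
    )
}

# deploy_agent FILE
# Same release and chart names as the page's command, with the settings
# supplied through -f instead of --set. Defined here, not run.
deploy_agent() {
    helm upgrade --install lw-agent lacework-agent-windows -f "$1"
}

# Usage: load the variables from your secret store, then run
#   write_agent_values ./lw-values.yaml && deploy_agent ./lw-values.yaml
```

Delete the values file after the release is installed, or keep it in a location covered by your secret-handling process.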
Specify Lacework Server URL
You can specify your Lacework server URL in one of the following ways:
- Use the following option with the helm install or helm upgrade command:
--set windowsAgent.agentConfig.serverUrl=LACEWORK_SERVER_URL
- Modify the values.yaml file and add data similar to the following:
serverUrl: LACEWORK_SERVER_URL
Note: The default server URL is https://api.lacework.net and the default region is US. If you do not specify this property, the agent assumes that the default region is US and uses the default URL https://api.lacework.net. For more information, see serverurl Property.
Specify CPU Requests and Limits
CPU requests specify the minimum CPU resources available to containers. CPU limits specify the maximum CPU resources available to containers. For more information, see Resource Management for Pods and Containers.
The default CPU request is 200m. The default CPU limit is 500m.
You can specify the CPU requests and limits in one of the following ways:
- Use the following options with the helm install or helm upgrade command:
--set windowsAgent.resources.requests.cpu=300m
--set windowsAgent.resources.limits.cpu=500m
- Modify the values.yaml file in your Helm chart and add data similar to the following:
resources:
  requests:
    cpu: 300m
  limits:
    cpu: 500m
Note: The CPU requests and limits are currently not applied to the Windows agent.
Specify Memory Requests and Limits
Memory requests specify the minimum memory available to containers. Memory limits specify the maximum memory available to containers. For more information, see Resource Management for Pods and Containers.
The default memory request is 64Mi. The default memory limit is 1024Mi.
You can specify the memory requests and limits in one of the following ways:
- Use the following options with the helm install or helm upgrade command:
--set windowsAgent.resources.requests.memory=384Mi
--set windowsAgent.resources.limits.memory=512Mi
- Modify the values.yaml file and add data similar to the following:
resources:
  requests:
    memory: 384Mi
  limits:
    memory: 512Mi
Note: The memory requests and limits are currently not applied to the Windows agent.
Specify Image Pull Secrets
Image pull secrets enable fetching the Lacework agent image from private repositories and/or allow bypassing rate limits.
You can configure image pull secrets in one of the following ways:
- Use the following option with the helm install or helm upgrade command:
--set windowsAgent.image.imagePullSecrets.name=<registrySecret>
- Modify the values.yaml file and add data similar to the following:
imagePullSecrets:
  - name: <registrySecret>
Where <registrySecret> is the name of the secret that contains the credentials necessary to fetch the Lacework Windows agent image.
Specify a Proxy URL
You can specify the URL of a proxy server through which agent traffic is routed.
You can set the proxy server URL in one of the following ways:
- Use the following option with the helm install or helm upgrade command:
--set windowsAgent.agentConfig.proxyUrl=LACEWORK_PROXY_URL
- Modify the values.yaml file and add data similar to the following:
proxyUrl: value
For more information, see Use a Network Proxy for Windows Agent Traffic.
Configure File Integrity Monitoring Properties
Disable or Enable FIM
File Integrity Monitoring (FIM) is enabled by default. You can disable FIM in one of the following ways:
- Use the following option with the helm install or helm upgrade command:
--set windowsAgent.agentConfig.fim.enable=false
- Modify the values.yaml file and add data similar to the following:
fim:
  enable: false
If FIM is disabled, you can enable it in one of the following ways:
- Use the following option with the helm install or helm upgrade command:
--set windowsAgent.agentConfig.fim.enable=true
- Modify the values.yaml file and add data similar to the following:
fim:
  enable: true
For more information, see File Integrity Monitoring for Windows Overview.
Override Default File Paths for FIM
You can override default file paths for FIM in one of the following ways:
- Use the following option with the helm install or helm upgrade command:
--set windowsAgent.agentConfig.fim.filePath={C:\\users,C:\\data}
- Modify the values.yaml file and add data similar to the following:
fim:
  filePath: [C:\\users,C:\\data]
For more information, see filepath Property.
Specify the File Paths to Ignore for FIM
You can specify file paths to ignore for FIM in one of the following ways:
- Use the following option with the helm install or helm upgrade command:
--set windowsAgent.agentConfig.fim.fileIgnore={C:\\backup,C:\\test}
- Modify the values.yaml file and add data similar to the following:
fim:
  fileIgnore: [C:\\backup,C:\\test]
For more information, see fileignore Property.
Specify the FIM Scan Start Time
You can specify a start time for the daily FIM scan. For example, to start the FIM scan at 7:30 PM every day, do one of the following:
- Use the following option with the helm install or helm upgrade command:
--set windowsAgent.agentConfig.fim.runAt=19:30
- Modify the values.yaml file and add data similar to the following:
fim:
  runAt: 19:30
For more information, see runat Property.
Override the Default Maximum Number of Files to Scan
By default, Lacework runs the FIM scan on up to 500000 files.
You can increase or decrease the maximum number of files to scan. For example, to limit the FIM scan to 20000 files, do one of the following:
- Use the following option with the helm install or helm upgrade command:
--set windowsAgent.agentConfig.fim.maxscanfiles=20000
- Modify the values.yaml file and add data similar to the following:
fim:
  maxscanfiles: 20000
For more information, see maxscanfiles Property.
Prevent File Access Timestamp from Being Used in Hash Computation
You can prevent the file access timestamp from being used in one of the following ways:
- Use the following option with the helm install or helm upgrade command:
--set windowsAgent.agentConfig.fim.noAtime=true
- Modify the values.yaml file and add data similar to the following:
fim:
  noAtime: true
Alternatively, you can enable the file access timestamp to be used in one of the following ways:
- Use the following option with the helm install or helm upgrade command:
--set windowsAgent.agentConfig.fim.noAtime=false
- Modify the values.yaml file and add data similar to the following:
fim:
  noAtime: false
For more information, see noatime Property.
Disable or Enable Windows Registry Monitoring
Windows registry monitoring is enabled by default.
You can disable registry monitoring in one of the following ways:
- Use the following option with the helm install or helm upgrade command:
--set windowsAgent.agentConfig.registry=disable
- Modify the values.yaml file and add data similar to the following:
registry: disable
If registry monitoring is disabled, you can enable it in one of the following ways:
- Use the following option with the helm install or helm upgrade command:
--set windowsAgent.agentConfig.registry=enable
- Modify the values.yaml file and add data similar to the following:
registry: enable
For more information, see Monitor Windows Registry Changes.
Disable or Enable Automatic Upgrade of the Agent
By default, the Windows agent is automatically upgraded when a new version is available.
You can disable automatic upgrade in one of the following ways:
- Use the following option with the helm install or helm upgrade command:
--set windowsAgent.agentConfig.autoUpgrade=disabled
- Modify the values.yaml file and add data similar to the following:
autoUpgrade: disabled
If automatic upgrade is disabled, you can enable it in one of the following ways:
- Use the following option with the helm install or helm upgrade command:
--set windowsAgent.agentConfig.autoUpgrade=enable
- Modify the values.yaml file and add data similar to the following:
autoUpgrade: enable
Specify Custom Annotations
Annotations are a way of adding non-identifying metadata to Kubernetes objects. They are used by external tools to provide extra functionalities. For more information, see Annotations.
You can set annotations in one of the following ways:
- Use the following option with the helm install or helm upgrade command:
--set windowsAgent.agentConfig.annotations.<key1>=<value1>
--set windowsAgent.agentConfig.annotations.<key2>=<value2>
For example:
--set windowsAgent.agentConfig.annotations.owner=pete
--set windowsAgent.agentConfig.annotations.repository=https://github.com/lacework-test
- Modify the values.yaml file and add data similar to the following:
annotations:
  <key1>: <value1>
  <key2>: <value2>
For example:
annotations:
  owner: pete
  repository: https://github.com/lacework-test
Specify Custom Labels
Similar to custom annotations, custom labels are a way of adding non-identifying metadata to Kubernetes objects. They are used by external tools to provide extra functionalities. For more information, see Labels and Selectors.
You can set labels in one of the following ways:
- Use the following option with the helm install or helm upgrade command:
--set windowsAgent.agentConfig.labels.<key1>=<value1>
--set windowsAgent.agentConfig.labels.<key2>=<value2>
For example:
--set windowsAgent.agentConfig.labels.release=stable
--set windowsAgent.agentConfig.labels.environment=production
- Modify the values.yaml file and add data similar to the following:
labels:
  <key1>: <value1>
  <key2>: <value2>
For example:
labels:
  release: stable
  environment: production
Specify the Cluster Name
If your cluster does not appear in the Lacework Console under Resources > Kubernetes after the agent is installed successfully, you can specify the cluster name using the kubernetesCluster option.
You can specify the cluster name in one of the following ways:
- Use the following option with the helm install or helm upgrade command:
--set windowsAgent.agentConfig.kubernetesCluster=CLUSTER_NAME
- Modify the values.yaml file and add data similar to the following:
kubernetesCluster: CLUSTER_NAME
Specify a Name for your Kubernetes Environment
You can specify a user-friendly name for your Kubernetes environment. For example, K8s_production. The name you specify is displayed as the value for the Env tag in the Lacework Console. For more information, see Add Agent Tags.
You can specify a name for your Kubernetes Environment in one of the following ways:
- Use the following option with the helm install or helm upgrade command:
--set windowsAgent.agentConfig.env=KUBERNETES_ENVIRONMENT_NAME
- Modify the values.yaml file and add data similar to the following:
env: KUBERNETES_ENVIRONMENT_NAME
Uninstall Agent with a Helm Chart
To uninstall the agent with a Helm chart:
Open a Terminal and navigate to the helm_chart directory that contains the Helm chart.
Do the following:
- If you are using AKS, run the az login command to use the Azure CLI with your Azure account.
- If you are using EKS, run the aws configure command to use the AWS CLI with your AWS account. Ensure that you have connected to the AWS region that contains your EKS cluster.
Use Helm to uninstall the agent.
helm uninstall lw-agent
Verify that the pods for the Windows agent have been terminated.
kubectl get pods