Deploy Windows Agent on AKS and EKS Clusters

You can deploy the Windows agent on an Azure Kubernetes Service (AKS) or Amazon Elastic Kubernetes Service (EKS) cluster with a Helm chart. The Helm chart enables you to automatically deploy a Kubernetes pod containing the agent onto every node in your cluster.

note

The Windows agent running on AKS and EKS clusters currently does not support host vulnerability assessment.

Prerequisites

• An AKS or EKS cluster with Windows Server nodes that meet the system requirements specified in Supported Kubernetes Environments.

• Lacework Windows agent version 1.5 or later for AKS.

• Lacework Windows agent version 1.4 or later for EKS.

• Ensure that the agent has access to tags in your AWS account. For more information, see Configure Access to Tags in AWS.

  Note: The agent can automatically access tags in Microsoft Azure. Hence, no special configuration is required for Microsoft Azure.

• Install the following on your machine:

  • Docker
  • Helm
  • kubectl command-line tool
  • For AKS, install:
    • Azure CLI
  • For EKS, install:
    • AWS CLI
    • eksctl command-line tool

Supported Kubernetes Environments

Environment	Environment Name / Version
Kubernetes	Version 1.23, 1.24
K8s orchestrator	Azure Kubernetes Service (AKS) Amazon Elastic Kubernetes Service (EKS)
Supported Windows OS for Nodes	Windows Server 2022 Windows Server 2019 Important: The Windows Server nodes must have Windows installed on the C:\ drive. Ensure that container and host OS versions are the same. For more information, see Windows Container Version Compatibility.
Container runtime	containerd version 1.6 or later
Container isolation mode	Process isolation mode Note: Hyper-V isolation mode is not supported.
Helm	Version 3.8x, 3.9.x, 3.10.x

Deploy Agent with a Helm Chart

To deploy the agent with a Helm chart:

1. Add the Lacework Helm Charts repository:

   helm repo add lacework https://lacework.github.io/helm-charts/

2. Do the following:

   • If you are using AKS, run the az login command to use the Azure CLI with your Azure account.

   • If you are using EKS, run the aws configure command to use the AWS CLI with your AWS account.

     Ensure that you have connected to the AWS region that contains your EKS cluster.

3. Use Helm to install the agent.

   If you are using a tenant located in North America, run the following command:

   helm upgrade --install lw-agent lacework-agent-windows \
             --set windowsAgent.agentConfig.accessToken=LACEWORK_AGENT_TOKEN \
             --set windowsAgent.agentConfig.kubernetesCluster=CLUSTER_NAME \            

   If you are using a tenant located outside of North America, run the following command:

   helm upgrade --install lw-agent lacework-agent-windows \
             --set windowsAgent.agentConfig.accessToken=LACEWORK_AGENT_TOKEN \
             --set windowsAgent.agentConfig.serverUrl=LACEWORK_SERVER_URL \
             --set windowsAgent.agentConfig.kubernetesCluster=CLUSTER_NAME \            
   • Replace LACEWORK_AGENT_TOKEN with your agent access token. For more information, see Obtain an Access Token for the Windows Agent.
   • Replace LACEWORK_SERVER_URL with your Lacework server URL. For more information, see serverurl Property.
   • Replace CLUSTER_NAME with the name of your cluster.

4. Verify that the pods for the Windows agent have the Running status.

   kubectl get pods

5. Confirm if the Windows agent is installed successfully.

   kubectl logs POD_NAME | grep 'MSI Installation successful'

   Where POD_NAME is the name of your agent POD.

After you install the agent, it takes 10 to 15 minutes for agent data to appear in the Lacework Console under Resources > Agents. You can also view your cluster in the Lacework Console under Resources > Kubernetes.

Configure Agent with a Helm Chart

You can do one of the following to configure the agent with a Helm chart:

1. Use command-line options for the helm install or helm upgrade command.
2. Modify the parameters in the values.yaml file in your Helm chart to configure the agent and use the helm install or helm upgrade command to apply the configuration.

See the following sections for more information about the command-line options and values.yaml parameters that you can use to configure the agent.

Specify Lacework Agent Access Token

You can specify your Lacework agent access token in one of the following ways:

1. Use the following option with the helm install or helm upgrade command:

   --set windowsAgent.agentConfig.accessToken=AGENT_ACCESS_TOKEN
2. Modify the values.yaml file and add data similar to the following:

   accessToken: AGENT_ACCESS_TOKEN
   For more information, see Obtain an Access Token for the Windows Agent.

Specify Lacework Server URL

You can specify your Lacework server URL in one of the following ways:

1. Use the following option with the helm install or helm upgrade command:

   --set windowsAgent.agentConfig.serverUrl=LACEWORK_SERVER_URL
2. Modify the values.yaml file and add data similar to the following:

   serverUrl: LACEWORK_SERVER_URL

note

The default server URL is https://api.lacework.net and the default region is US. If you do not specify this property, the agent assumes that the default region is US and uses the default URL https://api.lacework.net. For more information, see serverurl Property.

Specify CPU Requests and Limits​

CPU requests specify the minimum CPU resources available to containers. CPU limits specify the maximum CPU resources available to containers. For more information, see Resource Management for Pods and Containers.

The default CPU request is 200m. The default CPU limit is 500m.

You can specify the CPU requests and limits in one of the following ways:

1. Use the following options with helm install or helm upgrade command:

   --set windowsAgent.resources.requests.cpu=300m
   --set windowsAgent.resources.limits.cpu=500m
2. Modify the values.yaml file in your Helm chart and add data similar to the following:

   resources:
      requests:
         cpu: 300m
      limits:
         cpu: 500m

note

The CPU requests and limits are currently not applied to the Windows agent.

Specify Memory Requests and Limits​

Memory requests specify the minimum memory available to containers. Memory limits specify the maximum memory available to containers. For more information, see Resource Management for Pods and Containers.

The default memory request is 64Mi. The default memory limit is 1024Mi.

You can specify the memory requests and limits in one of the following ways:

1. Use the following options with the helm install or helm upgrade command:

   --set windowsAgent.resources.requests.memory=384Mi
   --set windowsAgent.resources.limits.memory=512Mi
2. Modify the values.yaml file and add data similar to the following:

   resources:
      requests:
         memory: 384Mi
      limits:
         memory: 512Mi

note

The memory requests and limits are currently not applied to the Windows agent.

Specify Image Pull Secrets​

Image pull secrets enable fetching the Lacework agent image from private repositories and/or allow bypassing rate limits.

You can configure image pull secrets in one of the following ways:

1. Use the following option with the helm install or helm upgrade command:

   --set windowsAgent.image.imagePullSecrets.name=<registrySecret>
2. Modify the values.yaml file and add data similar to the following:

   imagePullSecrets:
      - name: <registrySecret>

Where <registrySecret> is the name of the secret that contains the credentials necessary to fetch the Lacework Windows agent image.

Specify a Proxy URL

Proxy servers allow you to specify a URL to route agent traffic.

You can set the proxy server URL in one of the following ways:

1. Use the following option with the helm install or helm upgrade command:

   --set windowsAgent.agentConfig.proxyUrl=LACEWORK_PROXY_URL
2. Modify the values.yaml file and add data similar to the following:

   proxyUrl: value

For more information, see Use a Network Proxy for Windows Agent Traffic.

Configure File Integrity Monitoring Properties​

Disable or Enable FIM​

File Integrity Monitoring (FIM) is enabled by default. You can disable FIM in one of the following ways:

1. Use the following option with the helm install or helm upgrade command:

   --set windowsAgent.agentConfig.fim.enable=false
2. Modify the values.yaml file and add data similar to the following:

   fim:
      enable: false

If FIM is disabled, you can enable it in one of the following ways:

1. Use the following option with the helm install or helm upgrade command:

   --set windowsAgent.agentConfig.fim.enable=true
2. Modify the values.yaml file and add data similar to the following:

   fim:
      enable: true

For more information, see File Integrity Monitoring for Windows Overview.

Override Default File Path​s for FIM

You can override default file paths for FIM in one of the following ways:

1. Use the following option with the helm install or helm upgrade command:

   --set windowsAgent.agentConfig.fim.filePath={C:\\users,C:\\data}
2. Modify the values.yaml file and add data similar to the following:

   fim:
      filePath: [C:\\users,C:\\data]

For more information, see filepath Property.

Specify the File Paths to Ignore​ for FIM

You can specify file paths to ignore for FIM in one of the following ways:

1. Use the following option with the helm install or helm upgrade command:

   --set windowsAgent.agentConfig.fim.fileIgnore={C:\\backup,C:\\test}
2. Modify the values.yaml file and add data similar to the following:

   fim:
      fileIgnore: [C:\\backup,C:\\test]

For more information, see fileignore Property.

Specify the FIM Scan Start Time​

You can specify a start time for the daily FIM scan. For example, to start the FIM scan at 7:30 PM every day, do one of the following:

1. Use the following option with the helm install or helm upgrade command:

   --set windowsAgent.agentConfig.fim.runAt=19:30
2. Modify the values.yaml file and add data similar to the following:

   fim:
      runAt: 19:30

For more information, see runat Property.

Override the Default Maximum Number of Files to Scan

By default, Lacework runs the FIM scan on up to 500000 files.

You can increase or decrease the maximum number of files to scan. For example, to limit the FIM scan to 20000 files, do one of the following:

1. Use the following option with the helm install or helm upgrade command:

   --set windowsAgent.agentConfig.fim.maxscanfiles=20000
2. Modify the values.yaml file and add data similar to the following:

   fim:
      maxscanfiles: 20000

For more information, see maxscanfiles Property.

Prevent File Access Timestamp from Being Used in Hash Computation​

You can prevent the file access timestamp from being used in one of the following ways:

1. Use the following option with the helm install or helm upgrade command:

   --set windowsAgent.agentConfig.fim.noAtime=true
2. Modify the values.yaml file and add data similar to the following:

   fim:
      noAtime: true

Alternatively, you can enable file access timestamp to be used in one of the following ways:

1. Use the following option with the helm install or helm upgrade command:

   --set windowsAgent.agentConfig.fim.noAtime=false
2. Modify the values.yaml file and add data similar to the following:

   fim:
      noAtime: false

For more information, see noatime Property.

Disable or Enable Windows Registry Monitoring

Windows registry monitoring is enabled by default.

You can disable registry monitoring in one of the following ways:

1. Use the following option with the helm install or helm upgrade command:

   --set windowsAgent.agentConfig.registry=disable
2. Modify the values.yaml file and add data similar to the following:

   registry: disable

If registry monitoring is disabled, you can enable it in one of the following ways:

1. Use the following option with the helm install or helm upgrade command:

   --set windowsAgent.agentConfig.registry=enable
2. Modify the values.yaml file and add data similar to the following:

   registry: enable

For more information, see Monitor Windows Registry Changes.

Disable or Enable Automatic Upgrade of the Agent

By default, the Windows agent is automatically upgraded when a new version is available.

You can disable automatic upgrade in one of the following ways:

1. Use the following option with the helm install or helm upgrade command:

   --set windowsAgent.agentConfig.autoUpgrade=disabled
2. Modify the values.yaml file and add data similar to the following:

   autoUpgrade: disabled

If automatic upgrade is disabled, you can enable it in one of the following ways:

1. Use the following option with the helm install or helm upgrade command:

   --set windowsAgent.agentConfig.autoUpgrade=enable
2. Modify the values.yaml file and add data similar to the following:

   autoUpgrade: enable

Specify Custom Annotations

Annotations are a way of adding non-identifying metadata to Kubernetes objects. They are used by external tools to provide extra functionalities. For more information, see Annotations.

You can set annotations in one of the following ways:

1. Use the following option with the helm install or helm upgrade command:

   --set windowsAgent.agentConfig.annotations.<key1>=<value1>
   --set windowsAgent.agentConfig.annotations.<key2>=<value2>

   For example:

   --set windowsAgent.agentConfig.annotations.owner=pete
   --set windowsAgent.agentConfig.annotations.repository=https://github.com/lacework-test

2. Modify the values.yaml file and add data similar to the following:

   annotations:
      <key1>: <value1>
      <key2>: <value2>

   For example:

   annotations:
      owner: pete
      repository: https://github.com/lacework-test

Specify Custom Labels​

Similar to custom annotations, custom labels are a way of adding non-identifying metadata to Kubernetes objects. They are used by external tools to provide extra functionalities. For more information, see Labels and Selectors.

You can set labels in one of the following ways:

1. Use the following option with the helm install or helm upgrade command:

   --set windowsAgent.agentConfig.labels.<key1>=<value1>
   --set windowsAgent.agentConfig.labels.<key2>=<value2>

   For example:

   --set windowsAgent.agentConfig.labels.release=stable
   --set windowsAgent.agentConfig.labels.environment=production

2. Modify the values.yaml file and add data similar to the following:

   labels:  
      <key1>: <value1>
      <key2>: <value2>

   For example:

   labels:
      release: stable
      environment: production

Specify the Cluster Name

If your cluster does not appear in the Lacework Console under Resources > Kubernetes after the agent is installed successfully, you can specify the cluster name using the kubernetesCluster option.

You can specify the cluster name in one of the following ways:

1. Use the following option with the helm install or helm upgrade command:

   --set windowsAgent.agentConfig.kubernetesCluster=CLUSTER_NAME
2. Modify the values.yaml file and add data similar to the following:

   kubernetesCluster: CLUSTER_NAME

Specify a Name for your Kubernetes Environment

You can specify a user-friendly name for your Kubernetes environment. For example, K8s_production. The name you specify is displayed as the value for the Env tag in the Lacework Console. For more information, see Add Agent Tags.

You can specify a name for your Kubernetes Environment in one of the following ways:

1. Use the following option with the helm install or helm upgrade command:

   --set windowsAgent.agentConfig.env=KUBERNETES_ENVIRONMENT_NAME
2. Modify the values.yaml file and add data similar to the following:

   env: KUBERNETES_ENVIRONMENT_NAME

Uninstall Agent with a Helm Chart

To uninstall the agent with a Helm chart:

1. Open a Terminal and navigate to the helm_chart directory that contains the Helm chart.

2. Do the following:

   • If you are using AKS, run the az login command to use the Azure CLI with your Azure account.

   • If you are using EKS, run the aws configure command to use the AWS CLI with your AWS account.

     Ensure that you have connected to the AWS region that contains your EKS cluster.

3. Use Helm to uninstall the agent.

   helm uninstall lw-agent 

4. Verify that the pods for the Windows agent have been terminated.

   kubectl get pods