
Kubernetes Compliance Integration Using Helm

Overview

This article describes how to integrate Lacework with your Kubernetes cluster using Helm.

Installation Steps Using Helm

Follow these steps to install the Node and Cluster collectors on your Kubernetes cluster.

  1. Add the Lacework Helm Charts repository:

    helm repo add lacework https://lacework.github.io/helm-charts/
  2. Choose one of the following options to install the necessary components on your Kubernetes cluster:

    Tip: Add --debug to this command to enter debug mode:

    helm upgrade --debug --install --create-namespace...

    Adjust the parameter values to match your environment. See Configuration Parameters for guidance.

    Template with Workload Security disabled
    helm upgrade --install --create-namespace --namespace lacework \
    --set laceworkConfig.serverUrl=${LACEWORK_SERVER_URL} \
    --set laceworkConfig.accessToken=${LACEWORK_AGENT_TOKEN} \
    --set laceworkConfig.kubernetesCluster=${KUBERNETES_CLUSTER_NAME} \
    --set laceworkConfig.env=${KUBERNETES_ENVIRONMENT_NAME} \
    --set laceworkConfig.datacollector=disable \
    --set clusterAgent.enable=True \
    --set clusterAgent.clusterType=${KUBERNETES_CLUSTER_TYPE} \
    --set clusterAgent.clusterRegion=${KUBERNETES_CLUSTER_REGION} \
    --set clusterAgent.image.repository=lacework/k8scollector \
    --set image.repository=lacework/datacollector \
    --repo https://lacework.github.io/helm-charts/ \
    lacework-agent lacework-agent
  3. Display the pods for verification. Choose one of the following options:

    • Run the following kubectl command:

      kubectl get pods -n lacework -o wide
    • Go to Workloads > Kubernetes in the Lacework Console.

      In the Behavior section, click Pod network and then Pod activity.

    Node Collector pods are named lacework-agent-* and Cluster Collector pods are named lacework-agent-cluster-*.

Configuration Parameters

Tip: See Helm Configuration Options for additional parameters that can also be set using Helm.

Adjust the following values to match your environment:

| Value | Description | Example(s) |
|---|---|---|
| ${LACEWORK_SERVER_URL} | Your Lacework Agent server URL. | https://api.lacework.net, https://aprodus2.agent.lacework.net, https://api.fra.lacework.net, https://auprodn1.agent.lacework.net |
| ${LACEWORK_AGENT_TOKEN} | Your Lacework Agent access token. | 0123456789abc... |
| ${KUBERNETES_CLUSTER_NAME} | Provide your Kubernetes cluster name as it is defined in your Cloud Provider (for example: Amazon EKS, GKE). See also How Lacework Derives the Kubernetes Cluster Name. | prd01 |
| ${KUBERNETES_ENVIRONMENT_NAME} | Provide a Kubernetes environment name that will be shown in the Lacework Console. This is user-defined and only essential for Workload Security integrations. | Production |
| ${KUBERNETES_CLUSTER_TYPE} | The Kubernetes cluster type (must be written in lower case): Amazon EKS = eks, GKE = gke | eks |
| ${KUBERNETES_CLUSTER_REGION} | The cloud region of the Kubernetes cluster. | us-west-1 |
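
With the template in step 2, the expanded ${LACEWORK_AGENT_TOKEN} becomes part of the helm command's argument list, which other local users can read from the process table while the command runs. The following added example (not part of the Lacework documentation) checks the variables against the constraints in the table above and writes the same keys to an owner-only values file; the function names and the https:// check are assumptions of this example.

```sh
# Added example (not Lacework's code); POSIX sh, function names are hypothetical.
validate_lacework_env() {   # checks against the Configuration Parameters table
  rc=0
  for v in LACEWORK_SERVER_URL LACEWORK_AGENT_TOKEN KUBERNETES_CLUSTER_NAME \
           KUBERNETES_CLUSTER_TYPE KUBERNETES_CLUSTER_REGION; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "missing: $v" >&2; rc=1; }
  done
  case "${LACEWORK_SERVER_URL:-}" in
    https://?*) ;;   # assumption: HTTPS only, as in every example URL
    *) echo "LACEWORK_SERVER_URL must start with https://" >&2; rc=1 ;;
  esac
  case "${KUBERNETES_CLUSTER_TYPE:-}" in
    eks|gke) ;;      # lower case only, per the table
    *) echo "KUBERNETES_CLUSTER_TYPE must be eks or gke (lower case)" >&2; rc=1 ;;
  esac
  return "$rc"
}

# Emit a YAML double-quoted scalar, escaping backslashes and double quotes.
yaml_str() {
  printf '"%s"' "$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')"
}

# Same keys as the --set flags in the template, as a Helm values document.
render_values() {
  cat <<EOF
laceworkConfig:
  serverUrl: $(yaml_str "$LACEWORK_SERVER_URL")
  accessToken: $(yaml_str "$LACEWORK_AGENT_TOKEN")
  kubernetesCluster: $(yaml_str "$KUBERNETES_CLUSTER_NAME")
  env: $(yaml_str "${KUBERNETES_ENVIRONMENT_NAME:-}")
  datacollector: disable
clusterAgent:
  enable: true
  clusterType: $(yaml_str "$KUBERNETES_CLUSTER_TYPE")
  clusterRegion: $(yaml_str "$KUBERNETES_CLUSTER_REGION")
  image:
    repository: lacework/k8scollector
image:
  repository: lacework/datacollector
EOF
}

# Validate, then (re)create the file with owner-only permissions (0600).
write_values_file() {
  validate_lacework_env || return 1
  ( umask 077 && rm -f "$1" && render_values > "$1" )
}
```

Call write_values_file with a path of your choice, then run the helm upgrade command from step 2 with --values pointing at that file in place of the --set flags.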

Troubleshooting

See Kubernetes Troubleshooting for help with this integration.

Next Steps

Once integrated, you can utilize the Lacework platform in the following ways:

  • View your integrated Kubernetes resources in the Resource Inventory.
  • Monitor the configuration compliance of your Kubernetes cluster and resources within the Kubernetes Compliance Dashboard.
  • Enable or disable policies that are part of the compliance frameworks for Kubernetes.
  • View the additional context provided by this integration for Attack Path Analysis to detect potential service attack paths in your environment.
  • Check our Kubernetes Compliance FAQ for additional information and guidance on this integration.