Kubernetes Compliance Integration Using Helm
Overview
This article describes how to integrate Lacework with your Kubernetes cluster using Helm.
Installation Steps Using Helm
Follow these steps to install the Node and Cluster collectors on your Kubernetes cluster.
Add the Lacework Helm Charts repository:
helm repo add lacework https://lacework.github.io/helm-charts/
Choose one of the following options to install the necessary components on your Kubernetes cluster:
Tip: Add --debug to this command to enter debug mode: helm upgrade --debug --install --create-namespace...
- Configuration Compliance Integration Only
- Configuration Compliance and Workload Security Integration
Adjust the parameter values to match your environment, see Configuration Parameters for guidance.
Template with Workload Security disabled:
```shell
helm upgrade --install --create-namespace --namespace lacework \
  --set laceworkConfig.serverUrl=${LACEWORK_SERVER_URL} \
  --set laceworkConfig.accessToken=${LACEWORK_AGENT_TOKEN} \
  --set laceworkConfig.kubernetesCluster=${KUBERNETES_CLUSTER_NAME} \
  --set laceworkConfig.env=${KUBERNETES_ENVIRONMENT_NAME} \
  --set laceworkConfig.datacollector=disable \
  --set clusterAgent.enable=True \
  --set clusterAgent.clusterType=${KUBERNETES_CLUSTER_TYPE} \
  --set clusterAgent.clusterRegion=${KUBERNETES_CLUSTER_REGION} \
  --set clusterAgent.image.repository=lacework/k8scollector \
  --set image.repository=lacework/datacollector \
  --repo https://lacework.github.io/helm-charts/ \
  lacework-agent lacework-agent
```
Adjust the parameter values to match your environment; see Configuration Parameters for guidance.
Tip: Use this option for the following outcomes:
- You want to install the Lacework Agent to monitor both configuration compliance and workload security of your Kubernetes cluster.
- You already have the Lacework Agent installed and monitoring workload security, and you also want to monitor configuration compliance of your Kubernetes cluster.
Template with Workload Security enabled:
```shell
helm upgrade --install --create-namespace --namespace lacework \
  --set laceworkConfig.serverUrl=${LACEWORK_SERVER_URL} \
  --set laceworkConfig.accessToken=${LACEWORK_AGENT_TOKEN} \
  --set laceworkConfig.kubernetesCluster=${KUBERNETES_CLUSTER_NAME} \
  --set laceworkConfig.env=${KUBERNETES_ENVIRONMENT_NAME} \
  --set clusterAgent.enable=True \
  --set clusterAgent.clusterType=${KUBERNETES_CLUSTER_TYPE} \
  --set clusterAgent.clusterRegion=${KUBERNETES_CLUSTER_REGION} \
  --set clusterAgent.image.repository=lacework/k8scollector \
  --set image.repository=lacework/datacollector \
  --repo https://lacework.github.io/helm-charts/ \
  lacework-agent lacework-agent
```
Display the pods for verification. Choose one of the following options:
- Run the following kubectl command:
  kubectl get pods -n lacework -o wide
- Go to Workloads > Kubernetes in the Lacework Console. In the Behavior section, click Pod network and then Pod activity.
All Node Collector and Cluster Collector pods follow a naming convention of lacework-agent-* and lacework-agent-cluster-*, respectively.
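The verification step above only lists the pods; the following added function (not from the Lacework docs) reads that kubectl output and checks that both collector kinds are Running. The sample pod listings are constructed, and the function assumes the default column order of kubectl get pods -o wide.

```shell
# Added example, not from the Lacework docs: check the output of the page's
# "kubectl get pods -n lacework -o wide" command for the two collector kinds.
# The sample outputs are constructed; the function is my own.

# check_collector_pods < kubectl-output -> 0 when at least one node collector
# (lacework-agent-*) and one cluster collector (lacework-agent-cluster-*) are
# Running and no collector pod is in any other state.
check_collector_pods() {
  awk '
    NR == 1 { next }                    # skip the header row
    $1 !~ /^lacework-agent-/ { next }   # ignore pods that are not collectors
    {
      kind = ($1 ~ /^lacework-agent-cluster-/) ? "cluster" : "node"
      if ($3 == "Running") running[kind]++
      else { bad++; printf "%s collector %s is %s on node %s\n", kind, $1, $3, $7 }
    }
    END {
      printf "running node collectors: %d, running cluster collectors: %d\n", running["node"] + 0, running["cluster"] + 0
      ok = (running["node"] > 0 && running["cluster"] > 0 && bad == 0)
      exit (ok ? 0 : 1)
    }'
}

# Constructed samples: a healthy cluster, and one with a crash-looping node collector.
HEALTHY_PODS='NAME READY STATUS RESTARTS AGE IP NODE NOMINATED_NODE READINESS_GATES
lacework-agent-cluster-5d8f7c6b9d-x2k4p 1/1 Running 0 5m 10.0.1.15 ip-10-0-1-10 <none> <none>
lacework-agent-7qz9m 1/1 Running 0 5m 10.0.1.10 ip-10-0-1-10 <none> <none>
lacework-agent-kd2lp 1/1 Running 0 5m 10.0.2.20 ip-10-0-2-20 <none> <none>'
DEGRADED_PODS='NAME READY STATUS RESTARTS AGE IP NODE NOMINATED_NODE READINESS_GATES
lacework-agent-cluster-5d8f7c6b9d-x2k4p 1/1 Running 0 5m 10.0.1.15 ip-10-0-1-10 <none> <none>
lacework-agent-7qz9m 1/1 Running 0 5m 10.0.1.10 ip-10-0-1-10 <none> <none>
lacework-agent-kd2lp 0/1 CrashLoopBackOff 3 5m 10.0.2.20 ip-10-0-2-20 <none> <none>'

# On a live cluster: kubectl get pods -n lacework -o wide | check_collector_pods
printf '%s\n' "$HEALTHY_PODS" | check_collector_pods
```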
Configuration Parameters
See Helm Configuration Options for additional parameters that can also be set using Helm.
- Required Parameters
- Optional Parameters
Adjust the following values to match your environment:
Value | Description | Example(s) |
---|---|---|
${LACEWORK_SERVER_URL} | Your Lacework Agent server URL. | https://api.lacework.net https://aprodus2.agent.lacework.net https://api.fra.lacework.net https://auprodn1.agent.lacework.net |
${LACEWORK_AGENT_TOKEN} | Your Lacework Agent access token. | 0123456789abc... |
${KUBERNETES_CLUSTER_NAME} | Provide your Kubernetes cluster name as it is defined in your Cloud Provider (for example: Amazon EKS, GKE). See also How Lacework Derives the Kubernetes Cluster Name. | prd01 |
${KUBERNETES_ENVIRONMENT_NAME} | Provide a Kubernetes environment name that will be shown in the Lacework Console. This is user-defined and only essential for Workload Security integrations. | Production |
${KUBERNETES_CLUSTER_TYPE} | The Kubernetes cluster type (must be written in lower case): Amazon EKS = eks, GKE = gke | eks |
${KUBERNETES_CLUSTER_REGION} | The cloud region of the Kubernetes cluster. | us-west-1 |
The following parameters are optional and not required for the installation:
Parameter | Description | Example(s) |
---|---|---|
clusterAgent.hostNetworkAccess | The Cluster Collector needs to be able to contact the Kubernetes API server, cloud provider metadata services, and Lacework APIs. By setting this option to true, the Cluster Collector pod will have access to the host network. This is needed if your pod network policies restrict access to the host network. Default is false when omitted. | true |
clusterAgent.proxyUrl | Configure the Cluster Collector to use a network proxy by setting the proxy server URL and port. The Cluster Collector will use the laceworkConfig.proxyUrl option first (if it has been set). NOTE: This option is available from Linux Agent 6.12 and above. | https://my_proxy_server:443 |
clusterAgent.image.tag | Specify a Lacework Agent tag suitable for your cluster. The default is latest when this parameter is omitted. | 5.6.0.8352-amd64 |
image.tag | Specify a Lacework Agent tag suitable for your cluster. The default is latest when this parameter is omitted. | 5.6.0.8352-amd64 |
Add these parameters when running the installation command:
```shell
helm upgrade --install --create-namespace --namespace lacework \
  ...
  --set clusterAgent.image.tag=5.6.0.8352-amd64 \
  --set image.tag=5.6.0.8352-amd64 \
  ...
```
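The two installation templates differ only in whether laceworkConfig.datacollector is disabled, and the tables above put constraints on the values (an https server URL, a lower-case cluster type). The following added script (not from the Lacework docs or chart) checks those constraints and prints the resulting helm command without running it; it uses the page's environment variable names, and the mode names "compliance" and "workload" are assumptions of this example.

```shell
# Added example, not from the Lacework docs: sanity-check the values from the
# parameter tables and print the helm command the two templates would run
# (nothing is executed). Uses the page's environment variable names; the
# mode names "compliance" and "workload" are my own.

# validate_params URL TOKEN CLUSTER TYPE REGION -> 0 when every value looks sane
validate_params() {
  case "$1" in
    https://*) ;;
    *) echo "serverUrl must start with https://, got '$1'" >&2; return 1 ;;
  esac
  [ -n "$2" ] || { echo "accessToken is empty" >&2; return 1; }
  [ -n "$3" ] || { echo "kubernetesCluster is empty" >&2; return 1; }
  # The chart expects the cluster type in lower case: eks or gke.
  case "$4" in
    eks|gke) ;;
    *) echo "clusterType must be eks or gke in lower case, got '$4'" >&2; return 1 ;;
  esac
  [ -n "$5" ] || { echo "clusterRegion is empty" >&2; return 1; }
}

# build_helm_cmd MODE -> prints the command. "compliance" disables the node
# data collector (first template); "workload" keeps it (second template).
build_helm_cmd() {
  validate_params "$LACEWORK_SERVER_URL" "$LACEWORK_AGENT_TOKEN" \
    "$KUBERNETES_CLUSTER_NAME" "$KUBERNETES_CLUSTER_TYPE" \
    "$KUBERNETES_CLUSTER_REGION" || return 1
  case "$1" in compliance|workload) ;; *) echo "bad mode '$1'" >&2; return 1 ;; esac
  cmd="helm upgrade --install --create-namespace --namespace lacework"
  # A token passed with --set ends up in shell history and in the process
  # list; a --values file keeps it out of both.
  cmd="$cmd --set laceworkConfig.serverUrl=$LACEWORK_SERVER_URL"
  cmd="$cmd --set laceworkConfig.accessToken=$LACEWORK_AGENT_TOKEN"
  cmd="$cmd --set laceworkConfig.kubernetesCluster=$KUBERNETES_CLUSTER_NAME"
  cmd="$cmd --set laceworkConfig.env=$KUBERNETES_ENVIRONMENT_NAME"
  [ "$1" = compliance ] && cmd="$cmd --set laceworkConfig.datacollector=disable"
  cmd="$cmd --set clusterAgent.enable=True"
  cmd="$cmd --set clusterAgent.clusterType=$KUBERNETES_CLUSTER_TYPE"
  cmd="$cmd --set clusterAgent.clusterRegion=$KUBERNETES_CLUSTER_REGION"
  cmd="$cmd --set clusterAgent.image.repository=lacework/k8scollector"
  cmd="$cmd --set image.repository=lacework/datacollector"
  cmd="$cmd --repo https://lacework.github.io/helm-charts/ lacework-agent lacework-agent"
  printf '%s\n' "$cmd"
}
```

Run it as build_helm_cmd compliance or build_helm_cmd workload with the environment variables from the tables exported; pipe the output into sh once it looks right.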
Troubleshooting
See Kubernetes Troubleshooting for help with this integration.
Next Steps
Once integrated, you can utilize the Lacework platform in the following ways:
- View your integrated Kubernetes resources in the Resource Inventory.
- Monitor the configuration compliance of your Kubernetes cluster and resources within the Kubernetes Compliance Dashboard.
- Enable or disable policies that are part of the compliance frameworks for Kubernetes.
- Use the Kubernetes frameworks to check whether your resources are compliant with CIS and other regulatory benchmarks.
- View the additional context provided by this integration for Attack Path Analysis to detect potential service attack paths in your environment.
- Check our Kubernetes Compliance FAQ for additional information and guidance on this integration.