Kubernetes Compliance Integrations
Overview
Lacework integrates with Kubernetes to monitor configuration compliance of your cluster resources. This includes:
- Visibility of your integrated Kubernetes resources in the Resource Inventory.
- Monitoring the configuration compliance of your Kubernetes cluster and resources within the Kubernetes Compliance Dashboard.
- Access to compliance frameworks and policies for Kubernetes.
- Context to detect potential service attack paths in your environment using Attack Path Analysis.
Supported Integration Outcomes
The following outcomes are supported by this type of integration:
- You want to monitor configuration compliance of your Kubernetes cluster.
- You want to monitor both configuration compliance and workload security of your Kubernetes cluster.
- Workload security is provided as an additional configuration option during the Kubernetes Compliance integration steps.
- You are already monitoring workload security, and you also want to monitor configuration compliance of your Kubernetes cluster.
If you only want to monitor workload security of your Kubernetes clusters, see Deploy Linux Agent on Kubernetes.
Kubernetes Compliance Integration Components
Lacework uses three components to collect data for Kubernetes Compliance integrations.
Node Collector
The Node Collector collects data on each Kubernetes node.
The Node Collector is an independent component that shares the same installation journey as the Lacework Agent. It has separate configuration to allow operation on Kubernetes nodes.
Info: If the Lacework Agent is already installed on the cluster nodes, the installation will update the Agent configuration to enable the Node Collector functionality. It may also upgrade the Lacework Agent to the latest available release. See Lacework Agent Version Requirements for minimum version requirements for your Kubernetes environment.
This component is installed on every Kubernetes node in the cluster.
Node data is collected and sent to Lacework every hour.
The Node Collector will collect data relating to workload security if you choose to enable it during the installation steps.
Lacework Agent Version Requirements
The Node Collector has a minimum agent version for Kubernetes Compliance functionality, which varies for each supported Kubernetes environment:
| Kubernetes Environment | Minimum Linux Agent Version |
|---|---|
| Amazon EKS | v6.2 |
| GKE | v6.12 |
Cluster Collector
The Cluster Collector collects Kubernetes cluster data from the Kubernetes API server.
- This component is installed on one container per cluster.
- The container runs as a non-root user.
- It retrieves node/instance metadata.
- Cluster data is collected and sent to Lacework every 24 hours.
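The two in-cluster components above have a verifiable shape: the Node Collector must be present on every node, and the Cluster Collector is a single container that runs as a non-root user. The following script, added here as an example and not part of Lacework's documentation or tooling, checks those properties against the JSON that `kubectl get nodes -o json`, `kubectl get daemonset -o json` and `kubectl get pods -o json` produce. The namespace, resource names and labels (`lacework`, `node-collector`, `cluster-collector`) are placeholders chosen for the example, and the sample objects are constructed inline so the script runs offline.

```python
"""Check the deployment shape described for the Node Collector (one pod per
node) and the Cluster Collector (one container, non-root).

Input objects follow the `kubectl get ... -o json` layout. Everything below
that names a namespace, label or image is an assumption for this example,
not an identifier taken from Lacework's own manifests."""
import json

# Assumed identifiers (placeholders, not Lacework's actual resource names).
NAMESPACE = "lacework"
CLUSTER_COLLECTOR_LABEL = ("app", "cluster-collector")


def node_names(node_list):
    """Names of all nodes in a NodeList."""
    return [n["metadata"]["name"] for n in node_list["items"]]


def daemonset_covers_nodes(daemonset, node_list):
    """True when the DaemonSet is scheduled on every node and every pod is Ready."""
    status = daemonset.get("status", {})
    desired = status.get("desiredNumberScheduled", 0)
    return desired == len(node_names(node_list)) and status.get("numberReady", 0) == desired


def pod_runs_as_non_root(pod):
    """True when every container is guaranteed non-root: runAsNonRoot is set or an
    explicit non-zero runAsUser is given. A container-level securityContext
    overrides the pod-level one, as Kubernetes does."""
    spec = pod["spec"]
    pod_ctx = spec.get("securityContext", {})
    for container in spec.get("containers", []):
        ctx = {**pod_ctx, **container.get("securityContext", {})}
        uid = ctx.get("runAsUser")
        if not (ctx.get("runAsNonRoot") is True or (uid is not None and uid != 0)):
            return False
    return True


def pods_with_label(pod_list, label):
    """Pods whose metadata.labels carry the given (key, value) pair."""
    key, value = label
    return [p for p in pod_list["items"]
            if p["metadata"].get("labels", {}).get(key) == value]


def check_collectors(node_list, daemonset, pod_list):
    """Named checks for the two in-cluster components; each value is a bool."""
    cluster_pods = pods_with_label(pod_list, CLUSTER_COLLECTOR_LABEL)
    return {
        "node_collector_on_every_node": daemonset_covers_nodes(daemonset, node_list),
        "single_cluster_collector": len(cluster_pods) == 1,
        "cluster_collector_non_root": bool(cluster_pods)
        and all(pod_runs_as_non_root(p) for p in cluster_pods),
    }


# Constructed sample objects (trimmed to the fields the checks read).
NODES = {"items": [{"metadata": {"name": n}} for n in ("node-a", "node-b", "node-c")]}

DAEMONSET_OK = {"metadata": {"name": "node-collector", "namespace": NAMESPACE},
                "status": {"desiredNumberScheduled": 3, "numberReady": 3}}
# One node never got a Ready collector pod.
DAEMONSET_DEGRADED = {"metadata": {"name": "node-collector", "namespace": NAMESPACE},
                      "status": {"desiredNumberScheduled": 3, "numberReady": 2}}

PODS_OK = {"items": [{
    "metadata": {"name": "cluster-collector-1", "labels": {"app": "cluster-collector"}},
    "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
             "containers": [{"name": "collector", "image": "example/cluster-collector:placeholder"}]},
}]}
# Two collector pods, one of which has no securityContext at all (root by default).
PODS_UNSAFE = {"items": PODS_OK["items"] + [{
    "metadata": {"name": "cluster-collector-2", "labels": {"app": "cluster-collector"}},
    "spec": {"containers": [{"name": "collector", "image": "example/cluster-collector:placeholder"}]},
}]}

if __name__ == "__main__":
    for label, ds, pods in (("healthy", DAEMONSET_OK, PODS_OK),
                            ("degraded", DAEMONSET_DEGRADED, PODS_UNSAFE)):
        print(label, json.dumps(check_collectors(NODES, ds, pods), indent=2))
```

To run it against a live cluster, replace the constructed objects with `json.load()` of the three `kubectl get ... -o json` outputs for the namespace the collectors were installed into; a `False` in `node_collector_on_every_node` is the first thing to look at when the first report is late, since node data only completes once every node is reporting.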
Cloud Collector (through Cloud Provider Integration)
The Cloud Collector collects data from cloud provider endpoints.
- This is already provided through a Configuration integration type. See the following sections to set this up (if you haven't already done so).
- The cloud collection occurs every 24 hours at the scheduled time in the Lacework Console (under Settings > Configuration: General > Resource Management Collection Schedule).
Timings for first report
Once all three of the integration components have collected data, the Kubernetes Compliance data is complete and available for assessment.
The node and cluster data are sent to Lacework within 2 hours of the collectors being installed on a cluster. Once the cloud collection has occurred, the data is visible in the Lacework platform.