Amazon Elastic Kubernetes Service (EKS) Compliance Integrations

Overview

This article describes how to integrate Lacework with your EKS cluster(s) using Helm, which is a package manager for Kubernetes.

Lacework integrates with your Amazon Elastic Kubernetes Service (EKS) to monitor configuration compliance of your cluster resources.

Optionally, Lacework can also monitor workload security on your EKS cluster. This is provided as an additional option during the installation steps in this article.

note

If you are only wanting to monitor workload security on your EKS clusters (rather than configuration compliance), see Deploy Linux Agent on Kubernetes.

Supported Versions

See Deploy on Kubernetes (Supported Versions) for the operating systems, Kubernetes, and Helm versions that are supported for Amazon EKS Compliance.

EKS Fargate

EKS Fargate is not supported for this type of integration.

EKS Compliance Integration Components

Lacework uses three components to collect data for EKS Compliance integrations:

Node Collector - collects data on each Kubernetes node.
- The Node Collector is an independent component that shares the same installation journey as the Lacework Agent. It has separate configuration to allow operation on EKS nodes.
  info
  If the Lacework Agent is already installed on the cluster nodes, the installation will update the Agent configuration map to enable the Node Collector functionality.
  It may also upgrade the Lacework Agent to the latest available release. The minimum agent version for EKS Compliance functionality is v6.2.
- This component is installed on every Kubernetes node in the cluster.
- Node data is collected and sent to Lacework every hour.
- If you choose to enable the datacollector component, the Node Collector will collect data relating to workload security.
Cluster Collector - collects Kubernetes cluster data from the Kubernetes API server.
- This component is installed on one container per cluster.
- The container runs as a non-root user.
- Retrieves AWS instance metadata.
- Cluster data is collected and sent to Lacework every 24 hours.
Cloud Collector (through Cloud Provider Integration) - collects data from cloud provider end points.
- This is already provided through the AWS Configuration integration type. See Integrate Lacework with AWS to set this up (if you haven't already done so).
- The cloud collection occurs every 24 hours at the scheduled time in the Lacework Console (under Settings > Configuration: General > Resource Management Collection Schedule).

Timings for first report

The EKS Compliance data is complete and available for assessment once all 3 collections have occurred at least once.

The node and cluster data is sent to Lacework within 2 hours of the collectors being installed on a cluster. Once the cloud collection has occurred, data will be visible in the Lacework platform.

Prerequisites

AWS Configuration integration has been configured and is working for your account or organization.
Lacework Linux Agent - Access Token has been created.
- Use an existing agent token or create a new one for this integration.
  - If you only want to monitor compliance configuration, it is recommended that you create a new access token. You can then disable or enable the Agent token for this integration without affecting other integrations that use this token.
  - If you want to monitor both compliance configuration and workload security, you may want to use an existing access token. For example, if you have an Agent token in use for workload security on Kubernetes clusters, it may be better to combine this integration with the same access token.
note
You only need to generate the access token as the Agent is installed during the Install using Helm steps.

Install using Helm

Follow these steps to install the Node and Cluster collectors on your EKS cluster.

Add the Lacework Helm Charts repository:

helm repo add lacework https://lacework.github.io/helm-charts/

Choose one of the following options to install the necessary components on your EKS cluster:

tip

Add --debug to this command to enter debug mode:

helm upgrade --debug --install --create-namespace...

Configuration compliance integration only:

Template with Workload Security disabled
helm upgrade --install --create-namespace --namespace lacework \
--set laceworkConfig.serverUrl=${LACEWORK_SERVER_URL} \
--set laceworkConfig.accessToken=${LACEWORK_AGENT_TOKEN} \
--set laceworkConfig.kubernetesCluster=${KUBERNETES_CLUSTER_NAME} \
--set laceworkConfig.datacollector=disable \
--set clusterAgent.enable=True \
--set clusterAgent.image.repository=lacework/k8scollector \
--set clusterAgent.clusterType=${KUBERNETES_CLUSTER_TYPE} \
--set clusterAgent.clusterRegion=${KUBERNETES_CLUSTER_REGION} \
--set image.repository=lacework/datacollector \
lacework-agent lacework/lacework-agent

Adjust the parameter values to match your environment, see Configuration Parameters for guidance.

Configuration compliance and Workload Security integration:

tip

Use this option if you already have the Lacework Agent installed on your cluster nodes.

Template with Workload Security enabled
helm upgrade --install --create-namespace --namespace lacework \
--set laceworkConfig.serverUrl=${LACEWORK_SERVER_URL} \
--set laceworkConfig.accessToken=${LACEWORK_AGENT_TOKEN} \
--set laceworkConfig.kubernetesCluster=${KUBERNETES_CLUSTER_NAME} \
--set laceworkConfig.env=${KUBERNETES_ENVIRONMENT_NAME} \
--set clusterAgent.enable=True \
--set clusterAgent.image.repository=lacework/k8scollector \
--set clusterAgent.clusterType=${KUBERNETES_CLUSTER_TYPE} \
--set clusterAgent.clusterRegion=${KUBERNETES_CLUSTER_REGION} \
--set image.repository=lacework/datacollector \
lacework-agent lacework/lacework-agent

Adjust the parameter values to match your environment, see Configuration Parameters for guidance.

Display the pods for verification:
```
kubectl get pods -n lacework -o wide
```

Configuration Parameters

Required Parameters

Adjust the following values to match your environment:

Value	Description	Example(s)
`${LACEWORK_SERVER_URL}`	Your Lacework Agent Server URL.	`https://api.lacework.net` `https://api.fra.lacework.net` `https://auprodn1.agent.lacework.net`
`${LACEWORK_AGENT_TOKEN}`	Your Lacework Agent Access Token.	`0123456789abc...`
`${KUBERNETES_CLUSTER_NAME}`	Provide your EKS cluster name and ensure it matches the name defined in AWS.	`prd01`
`${KUBERNETES_ENVIRONMENT_NAME}`	Your EKS environment name (this will be shown in the Lacework Console). Only required for Workload Security integrations.	`Production`
`${KUBERNETES_CLUSTER_TYPE}`	The Kubernetes cluster type. NOTE: For EKS integrations, the cluster type must be written as `eks` in lower case.	`eks`
`${KUBERNETES_CLUSTER_REGION}`	The AWS Region of the EKS cluster.	`us-west` `eu-west-1`

Optional Parameters

The following parameters are optional and not required for the installation:

Parameter	Description	Example(s)
`clusterAgent.image.tag`	Specify a Lacework Agent tag suitable for your cluster. The default is `latest` when this parameter is omitted.	`5.6.0.8352-amd64`
`image.tag`	Specify a Lacework Agent tag suitable for your cluster. The default is `latest` when this parameter is omitted.	`5.6.0.8352-amd64`

Add these parameters when running the installation command:

Example
helm upgrade --install --create-namespace --namespace lacework \
...
--set clusterAgent.image.tag=5.6.0.8352-amd64 \
--set image.tag=5.6.0.8352-amd64 \
...

See Helm Configuration Options for additional parameters that can also be set using Helm.

Next Steps

See Kubernetes Benchmarks for details on how to check whether your resources are compliant with CIS and other regulatory benchmarks.

Overview​

Supported Versions​

EKS Compliance Integration Components​

Prerequisites​

Install using Helm​

Configuration Parameters​

Required Parameters​

Optional Parameters​

Next Steps​

Video Summary​