Skip to main content

Deploy on Google Cloud Run

Overview

Google Cloud Run is a managed compute platform that lets you run containers directly on top of Google's scalable infrastructure. You can deploy code written in any programming language on Cloud Run if you can build a container image from it.

Lacework’s workload security provides visibility into all processes and applications within an organization’s cloud environments such as runtime workload security, container vulnerability management, and automated anomaly and threat detection.

After you install the Lacework agent, Lacework scans hosts and streams select metadata to the Lacework data warehouse to build a baseline of normal behavior, which is updated hourly. From this, Lacework can provide detailed in-context alerts for anomalous behavior by comparing each hour to the previous one. Anomaly detection uses machine learning to determine, for example, if a machine sends data to an unknown IP, or if a user logs in from an IP that has not been seen before.

note

The Lacework agent does not support File Integrity Monitoring (FIM) and package vulnerability scanning on Google Cloud Run.

Supported Cloud Run Execution Environment

You can deploy the Lacework agent to the second generation Cloud Run execution environment. For more information, see About Execution Environments.

note

The first generation Cloud Run execution environment is not supported by the agent.

Deployment Methods

You can use the following two methods to deploy the Lacework agent on Cloud Run:

After you deploy the agent, it takes 10 to 15 minutes for the agent data to appear in the Lacework Console under Agents. You can also view your cluster in the Lacework Console under Workloads > Kubernetes.

Prerequisites

  1. Install the following on your machine:
  2. Lacework Linux agent version 6.3 or later.
  3. A Google Cloud account with the required permissions for Cloud Run, Cloud Build, Google Container Registry (GCR), and Artifact Registry.

Deploy Agent Embedded in Prebuilt Application Container Image

Deploying the agent embedded in a prebuilt application container image involves the following high-level steps:

  1. Embed the Lacework agent in your application container image.
  2. Build and push the container image to Google Container Registry (GCR) or Artifact Registry.
  3. Deploy the container image to the second generation Cloud Run execution environment.

The following steps describe how you can deploy the container image from Google Container Registry, but you can use similar steps for other registry types.

Step 1: Embed Agent in Application Container Image

To embed the agent in your application container image:

  1. Create a startup script file named run.sh.

    The following example shows a run.sh script that starts the agent and an application named appserver.

    #!/bin/bash

    # Start Lacework agent in the background
    /var/lib/lacework/datacollector &

    # Start your application
    /your-app/appserver

  2. Make run.sh an executable. 

    chmod +x run.sh

  3. Add the agent to your Dockerfile.

    The following example shows a Dockerfile that embeds the Lacework agent and executes the run.sh script to start the agent and your application.

    ARG DcVersion=*

    # Lacework agent: adding a build stage
    FROM lacework/datacollector:latest-sidecar AS agent-build-image

    FROM ubuntu:latest as lw-agent-provider
    ARG DcVersion
    COPY --from=agent-build-image /var/lib/lacework-backup/${DcVersion}/datacollector /var/lib/lacework/datacollector
    RUN chmod +x /var/lib/lacework/datacollector

    FROM ubuntu:latest
    ARG DcVersion
    RUN apt-get update && apt-get install -y \
    ca-certificates \
    && rm -rf /var/lib/apt/lists/*

    # Lacework agent: copying the agent binary
    COPY --from=lw-agent-provider /var/lib/lacework/datacollector /var/lib/lacework/datacollector
    COPY run.sh /your-app/run.sh

    # Copying the application binary
    COPY ./appserver /your-app/appserver

    # Start the agent and your application
    CMD ["/your-app/run.sh"]
    note

    The above Dockerfile uses Ubuntu as the base container for the application. If you are using Alpine Linux as the base container for your application, replace the following line in the Dockerfile:

    COPY --from=agent-build-image /var/lib/lacework-backup/${DcVersion}/datacollector /var/lib/lacework/datacollector

    With the following to pull the Lacework agent binary for Alpine Linux:

    COPY --from=agent-build-image /var/lib/lacework-backup/${DcVersion}/datacollector-musl /var/lib/lacework/datacollector

  4. Ensure that the Dockerfile, the run.sh script, and your application file (named appserver in this example) are in the same directory.

Step 2: Build and Push Container Image to Google Container Registry

  1. Run the following command to build the image:
    docker build -t gcr.io/<your project name>/<application image name>:<tag> .
  2. Run the following command to push the image to Google Container Registry (GCR): 
    docker push gcr.io/<your project name>/<application image name>:<tag>

Step 3: Deploy Container Image to Cloud Run

You can deploy the container image to the second generation Cloud Run execution environment using the following methods:

Deploy to Second Generation Cloud Run Environment Using gcloud CLI

  1. Open a Terminal and navigate to the directory that contains the Dockerfile, the run.sh script, and your application file.

  2. Define the following environment variables: 

    LaceworkAccessToken=LACEWORK_ACCESS_TOKEN
    LaceworkServerUrl=LACEWORK_SERVER_URL
    LW_CLOUDRUN_ENV_GEN=gen2

    In the environment variables, replace:

    • LACEWORK_ACCESS_TOKEN with an agent access token from your Lacework account. For more information, see Agent Access Tokens.
    • LACEWORK_SERVER_URL with the agent server URL. For more information, see Agent Server URL.

  3. Deploy the container image:

    gcloud beta run deploy <your service name> --image gcr.io/<your project name>/<application image name>:<tag> --no-cpu-throttling --execution-environment $LW_CLOUDRUN_ENV_GEN --region <region name> --update-env-vars LW_CLOUDRUN_ENV_GEN=$LW_CLOUDRUN_ENV_GEN,LaceworkServerUrl=$LaceworkServerUrl,LaceworkAccessToken=$LaceworkAccessToken
    note

    The --no-cpu-throttling option disables throttling the CPU when the container is not actively serving requests. This is required for the agent to work correctly.

  4. Verify that the Cloud Run service is deployed:

    gcloud run services list --region <region name>

Deploy to Second Generation Cloud Run Environment Using Terraform

The following steps describe how you use Terraform to deploy the container image from Google Container Registry, but you can use similar steps for other registry types.

  1. Install Terraform on your machine.

  2. Use a text editor to create a variables.tf file with the following content:

    variable "service_name" {
        description = "Description of your Cloud Run service"
        type = string
    }

    variable "LaceworkAccessToken" {
        type = string
    }

    variable "LaceworkServerUrl" {
        type = string
    }

    variable "LW_CLOUDRUN_ENV_GEN" {
        type = string
        default = "gen2"
    }

    variable "region" {
        type = string
    }

  3. (Optional) Specify the value for the following variable in the variables.tf file:

    • description - The description of your Cloud Run service.

  4. In the directory where you created the variables.tf file, use a text editor to create a main.tf file with the following content:

    provider "google-beta" {
      project     = "<your project id>"
      region      = var.region
    }

    resource "google_cloud_run_service" "default" {
      provider = google-beta
      name     = var.service_name
      location = var.region

      template {
        spec {
          containers {
            image = "gcr.io/<your project name>/<application image name>:<tag>"
            env {
              name = "LaceworkServerUrl"
              value = var.LaceworkServerUrl
            }
            env {
              name = "LaceworkAccessToken"
              value = var.LaceworkAccessToken
            }
            env {
              name = "LW_CLOUDRUN_ENV_GEN"
              value = var.LW_CLOUDRUN_ENV_GEN
            }
          }
          service_account_name = google_service_account.webserverapp.email
        }
        metadata {
          annotations = {
            "run.googleapis.com/cpu-throttling": "false"
            "run.googleapis.com/execution-environment" = var.LW_CLOUDRUN_ENV_GEN
          }
        }
      }
    }

    resource "google_service_account" "webserverapp" {
      provider     = google-beta
      account_id   = "webserverapp-identity"
      display_name = "service account name to display in Google Cloud console"
    }

    data "google_iam_policy" "apppolicy" {
      binding {
        role = "roles/run.invoker"
        members = [
          "allUsers",
        ]
      }
      binding {
        role = "roles/run.viewer"
        members = [
         "serviceAccount:${google_service_account.webserverapp.email}",
        ]
      }
    }

    resource "google_cloud_run_service_iam_policy" "servicepolicy" {
      location    = google_cloud_run_service.default.location
      project     = google_cloud_run_service.default.project
      service     = google_cloud_run_service.default.name
      policy_data = data.google_iam_policy.apppolicy.policy_data
    }

    output "service_url" {
      value = google_cloud_run_service.default.status[0].url
    }
    note

    Note the following in the main.tf file:

    • The application’s service account webserverapp is assigned the roles/run.viewer role in the google_iam_policy section. This is required to enable the Lacework agent to access Cloud Run APIs to read service metadata.
    • The service annotation "run.googleapis.com/cpu-throttling": "false" disables throttling the CPU when the container is not actively serving requests. This is required for the agent to work correctly.

  5. Specify values for the following fields in the main.tf file:

    • project - The ID of the Google Cloud project in which you want to deploy the Cloud Run service.

    • image - The path to the container image in Google Container Registry in the following format:

      "gcr.io/<your project name>/<application image name>:<tag>"

      Where:

      • gcr.io indicates Google Container Registry (GCR) hostname where the image is stored. For more information, see Pushing and Pulling Images in Container Registry.
      • <your project name> is your Google Cloud project ID.
      • <application image name> is the name of your image file in the Google Container Registry.
      • <tag> is the version (tag) of the image you want to deploy.

    • resource "google_service_account" "service account name" - The service account name.

    • account_id - A unique service account ID within your Google Cloud project.

    • display_name - The service account name to display in the Google Cloud console.

  6. Open a Terminal and navigate to the directory that contains the main.tf and variables.tf files.

  7. Define the following environment variables:

    • LaceworkAccessToken=LACEWORK_ACCESS_TOKEN
    • LaceworkServerUrl=LACEWORK_SERVER_URL
    • service_name=CLOUD_RUN_SERVICE_NAME
    • region=GCP_REGION

    In the environment variables, replace:

    • LACEWORK_ACCESS_TOKEN with an agent access token from your Lacework account. For more information, see Agent Access Tokens.
    • LACEWORK_SERVER_URL with the agent server URL. For more information, see Agent Server URL.
    • CLOUD_RUN_SERVICE_NAME with the name of your Cloud Run service.
    • GCP_REGION with the region in which you want to deploy the Cloud Run service. For example, us-central1.

  8. Run the following command to initialize the project:

    terraform init

  9. Run the following command to validate the configuration and review pending changes:

    terraform plan

  10. Run the following command to deploy the service to Cloud Run. 

    terraform apply -var LaceworkAccessToken=$LaceworkAccessToken -var LaceworkServerUrl=$LaceworkServerUrl -var service_name=$service_name -var region=$region -var LW_CLOUDRUN_ENV_GEN=gen2

  11. Verify that the Cloud Run service is deployed:

    gcloud run services list --region <region name>

Deploy Application from Source with Agent

Deploying your application from source with the agent involves the following high-level steps.

  1. Package the application source files and the agent in a container image.
  2. Deploy the container image to the second generation Cloud Run execution environment.

Step 1: Package Application Source and Agent in a Container Image

  1. Create a startup script file named run.sh in the directory that contains the source files for your application.

    The following example shows a run.sh script that starts the agent and a Python application. See Deploy a Python Service to Cloud Run for details about the Python application.

    #!/bin/bash

    # Start Lacework agent in the background
    /var/lib/lacework/datacollector &

    # Start your application
    # Run the web service on container startup. Here we use the 
    # gunicorn webserver, with one worker process and 8 threads.
    # Timeout is set to 0 to disable the timeouts of the workers to 
    # allow Cloud Run to handle instance scaling.
    gunicorn --bind :$PORT --workers 1 --threads 8 --timeout 0 main:app

  2. Make run.sh an executable. 

    chmod +x run.sh

  3. Add the agent to your Dockerfile.

    The following example shows a Dockerfile that packages the agent and the application source code and executes the run.sh script to start the agent and the application.

    # Lacework agent: adding a build stage

    ARG DcVersion=*
    FROM lacework/datacollector:latest-sidecar AS agent-build-image

    FROM ubuntu:latest as lw-agent-provider
    ARG DcVersion
    COPY --from=agent-build-image /var/lib/lacework-backup/${DcVersion}/datacollector /var/lib/lacework/datacollector
    RUN chmod +x /var/lib/lacework/datacollector

    # Use the official lightweight Python image.
    # https://hub.docker.com/_/python
    FROM python:3.10-slim

    # Lacework agent: copying the agent binary
    COPY --from=lw-agent-provider /var/lib/lacework/datacollector /var/lib/lacework/datacollector
    COPY run.sh /your-app/run.sh

    # Allow statements and log messages to immediately appear in the Knative logs
    ENV PYTHONUNBUFFERED True

    # Copy source code to the container image.
    ENV APP_HOME /your-app
    WORKDIR $APP_HOME
    COPY . ./

    # Install production dependencies.
    RUN pip install --no-cache-dir -r requirements.txt

    # Start the agent and the application
    CMD ["/your-app/run.sh"]

  4. Ensure that the Dockerfile, the run.sh script, and your source files are in the same directory.

  5. Ensure that you have access to an Artifact Registry Docker repository to store containers.

Step 2: Deploy Container Image to Cloud Run

You can deploy the container image to the second generation Cloud Run execution environment.

  1. Open a Terminal and navigate to the directory that contains the Dockerfile, the run.sh script, and your application source files.
  2. Define the following environment variables: 
    LaceworkAccessToken=LACEWORK_ACCESS_TOKEN
    LaceworkServerUrl=LACEWORK_SERVER_URL
    LW_CLOUDRUN_ENV_GEN=gen2
    In the environment variables, replace:
    • LACEWORK_ACCESS_TOKEN with an agent access token from your Lacework account. For more information, see Agent Access Tokens.
    • LACEWORK_SERVER_URL with the agent server URL. For more information, see Agent Server URL.
  3. Deploy the container image:
    gcloud beta run deploy <your service name> --no-cpu-throttling --execution-environment $LW_CLOUDRUN_ENV_GEN --region <region-name> --update-env-vars LW_CLOUDRUN_ENV_GEN=$LW_CLOUDRUN_ENV_GEN,LaceworkServerUrl=$LaceworkServerUrl,LaceworkAccessToken=$LaceworkAccessToken
    note

    The --no-cpu-throttling option disables throttling the CPU when the container is not actively serving requests. This is required for the agent to work correctly.

  4. Verify that the Cloud Run service is deployed:
    gcloud run services list --region <region name>
Last updated on