
Install Linux Agent on GKE Autopilot

Overview

GKE Autopilot is a mode of operation in Google Kubernetes Engine (GKE) in which Google Cloud automatically manages your Kubernetes clusters.

Lacework’s workload security provides visibility into all processes and applications within an organization’s cloud environments such as runtime workload security, container vulnerability management, and automated anomaly and threat detection.

After you install the Lacework agent, Lacework scans hosts and streams select metadata to the Lacework data warehouse to build a baseline of normal behavior, which is updated hourly. From this, Lacework can provide detailed in-context alerts for anomalous behavior by comparing each hour to the previous one. Anomaly detection uses machine learning to determine, for example, if a machine sends data to an unknown IP, or if a user logs in from an IP that has not been seen before.

You can use either of the following two methods to deploy the Lacework agent on GKE Autopilot clusters. Both methods automatically deploy a Kubernetes Pod containing the agent onto every node in the cluster.

note

The agent does not support package vulnerability scanning on GKE Autopilot.

Supported GKE Versions

The Lacework agent is supported with GKE Autopilot clusters running GKE version 1.25.8-gke.1000 or later.

Prerequisites

  1. Install the following on your machine:
     • Lacework Linux agent version 6.2 or later to deploy the agent using a DaemonSet manifest.
     • Lacework Linux agent version 6.3 or later to deploy the agent using Helm.
  2. A GKE Autopilot cluster running GKE version 1.25.8-gke.1000 or later.

Deploy Agent Using Helm

To deploy the agent using Helm on a GKE Autopilot cluster, do the following:

  1. Add the Lacework Helm Charts repository:

    helm repo add lacework https://lacework.github.io/helm-charts/
  2. Define the following environment variables:

    • LACEWORK_AGENT_TOKEN=agent_token
    • LACEWORK_SERVER_URL=server_url
    • CLUSTER_NAME=gke_cluster_name
    • KUBERNETES_ENVIRONMENT_NAME=env_name

    In the environment variables, replace:

    • agent_token with an agent access token from your Lacework account. For more information, see Create Agent Access Tokens.
      note

      GKE does not support specifying the agent access token as an existing secret using the instructions at Specify an Existing Secret. Hence, you must use the LACEWORK_AGENT_TOKEN environment variable to specify the agent access token.

    • server_url with the agent server URL. For more information, see Agent Server URL.
    • gke_cluster_name with the name of your GKE Autopilot cluster. For more information, see How Lacework Derives the Kubernetes Cluster Name.
    • env_name with a label for your Kubernetes environment. For example, K8s_production. The label you specify will be displayed as an Env tag in the Lacework Console. For more information, see Add Agent Tags.
  3. Install the Helm chart.

    helm install --namespace lacework --create-namespace \
    --set resources.requests.cpu=100m \
    --set resources.requests.memory=512Mi \
    --set priorityClassCreate=true \
    --set laceworkConfig.accessToken=${LACEWORK_AGENT_TOKEN} \
    --set laceworkConfig.serverUrl=${LACEWORK_SERVER_URL} \
    --set laceworkConfig.kubernetesCluster=${CLUSTER_NAME} \
    --set laceworkConfig.env=${KUBERNETES_ENVIRONMENT_NAME} \
    --set image.overrideValue=lacework/datacollector:latest \
    --set cloudservice.gke.autopilot=true \
    lacework-agent lacework/lacework-agent
    note

    In the Helm installation:

    • resources.requests.cpu=100m and resources.requests.memory=512Mi set the default CPU and memory requests for the agent container. Lacework recommends that you do not change the default values.
    • priorityClassCreate=true prevents the agent pod from being evicted by other pods.
    • image.overrideValue=lacework/datacollector:latest ensures that the agent image is pulled from the correct source.
    • cloudservice.gke.autopilot=true enables the agent to be installed on GKE Autopilot.
  4. Verify that the agent pods are up and running.

    kubectl get pods -n lacework -o wide
  5. Verify that the agent is successfully communicating with the Lacework server.

    kubectl logs POD_NAME -n lacework | grep 'Payload'

    Where POD_NAME is the name of the agent pod.

After you deploy the agent, it takes 10 to 15 minutes for agent data to appear in the Lacework Console under Resources > Agents. You can also view your cluster in the Lacework Console under Resources > Kubernetes.
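A shell wrapper around the Helm procedure above, added here as an example and not part of the Lacework documentation. It assumes helm and kubectl are on PATH and configured for the Autopilot cluster, and that the four environment variables from step 2 are exported; the two verification helpers read command output from stdin, so they can also be run against captured output.

```shell
#!/bin/sh
# Added example, not from the Lacework docs: preflight checks and post-install
# verification for the Helm procedure above (helm and kubectl assumed on PATH).

REQUIRED_VARS="LACEWORK_AGENT_TOKEN LACEWORK_SERVER_URL CLUSTER_NAME KUBERNETES_ENVIRONMENT_NAME"

# Succeed only when every required variable is set and non-empty, so the chart
# is never installed with a blank access token or server URL.
require_vars() {
  missing=""
  for v in $REQUIRED_VARS; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  [ -z "$missing" ] || { echo "missing required variables:$missing" >&2; return 1; }
}

# Print the helm install command from step 3 above as a single line.
helm_install_cmd() {
  require_vars || return 1
  printf '%s\n' "helm install --namespace lacework --create-namespace \
--set resources.requests.cpu=100m --set resources.requests.memory=512Mi \
--set priorityClassCreate=true \
--set laceworkConfig.accessToken=$LACEWORK_AGENT_TOKEN \
--set laceworkConfig.serverUrl=$LACEWORK_SERVER_URL \
--set laceworkConfig.kubernetesCluster=$CLUSTER_NAME \
--set laceworkConfig.env=$KUBERNETES_ENVIRONMENT_NAME \
--set image.overrideValue=lacework/datacollector:latest \
--set cloudservice.gke.autopilot=true lacework-agent lacework/lacework-agent"
}

# Read 'kubectl get pods -n lacework --no-headers' on stdin; succeed only when at
# least one pod is listed and every STATUS column (3rd field) is Running.
all_pods_running() {
  awk 'NF { n++; if ($3 != "Running") bad++ } END { exit (n == 0 || bad > 0) }'
}

# Read agent logs on stdin; succeed once the agent reports sending a Payload.
payload_seen() { grep -q 'Payload'; }

# Install, wait for the agent pods to become Ready, then check one pod's log.
deploy_and_verify() {
  require_vars || return 1
  eval "$(helm_install_cmd)" || return 1
  kubectl wait --for=condition=Ready pod --all -n lacework --timeout=300s || return 1
  kubectl get pods -n lacework --no-headers | all_pods_running || return 1
  pod=$(kubectl get pods -n lacework -o name | head -n 1)
  kubectl logs "$pod" -n lacework | payload_seen
}
```

Source the file and run deploy_and_verify; a non-zero exit means a variable was missing, the pods never became Ready, or no Payload line appeared in the agent log.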

Deploy Agent Using a DaemonSet Manifest

To deploy the agent using a DaemonSet manifest on a GKE Autopilot cluster, do the following:

  1. Download the Lacework GKE Autopilot manifest file (lacework-gke-autopilot.yaml) from https://updates.lacework.net/6.3.0.10546_2023-01-20_release-v6.3_45e38ac3c79bc24acc94eb76157c057e15437ce5/lacework-gke-autopilot.yaml.
  2. Update the lacework-gke-autopilot.yaml file as required for your environment:
    1. Replace LaceworkAccessToken with an agent access token from your Lacework account. For more information, see Create Agent Access Token.
    2. Replace LaceworkServerUrl with the agent server URL. For more information, see Agent Server URL.
    3. Replace YOUR GKE CLUSTER NAME with your GKE Autopilot cluster name.
    4. The config.json agent configuration file is embedded in the config.json section of the lacework-gke-autopilot.yaml file. Update the config.json section if required. For more information, see Configure Linux Agent Behavior in config.json File.
    5. The default CPU, memory, and ephemeral storage requests for the agent container are set as shown below in the lacework-gke-autopilot.yaml file. Lacework recommends that you do not change the default values.
      resources:
        requests:
          cpu: 100m
          memory: 512Mi
          ephemeral-storage: 200Mi
  3. Deploy the agent using the updated lacework-gke-autopilot.yaml file.
    kubectl apply -f lacework-gke-autopilot.yaml
  4. Verify that the agent pods are up and running.
    kubectl get pods -n lacework -o wide
  5. Verify that the agent is successfully communicating with the Lacework server.
    kubectl logs POD_NAME -n lacework | grep 'Payload'
    Where POD_NAME is the name of the agent pod.
  6. If you update the lacework-gke-autopilot.yaml file after the agent is deployed, push the revised file to the cluster using the following command:
    kubectl replace -f lacework-gke-autopilot.yaml -n lacework
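A shell helper for the manifest procedure above, added here as an example and not part of the Lacework documentation. It fills in the three placeholders from step 2 using the LACEWORK_AGENT_TOKEN, LACEWORK_SERVER_URL and CLUSTER_NAME environment variables (an assumed naming, reused from the Helm section), and refuses to apply a manifest that still contains a placeholder or has had the default resource requests changed.

```shell
#!/bin/sh
# Added example, not from the Lacework docs: render lacework-gke-autopilot.yaml
# from the environment and refuse to apply it while any placeholder remains.
# Assumes the three values contain no '|' or '&', which sed would misread.

# Write $1 to $2 with the three placeholders from step 2 replaced. '|' is the
# sed delimiter because the server URL contains slashes.
render_manifest() {
  src=$1; dst=$2
  [ -n "${LACEWORK_AGENT_TOKEN:-}" ] && [ -n "${LACEWORK_SERVER_URL:-}" ] && [ -n "${CLUSTER_NAME:-}" ] ||
    { echo "LACEWORK_AGENT_TOKEN, LACEWORK_SERVER_URL and CLUSTER_NAME must be set" >&2; return 1; }
  sed -e "s|LaceworkAccessToken|$LACEWORK_AGENT_TOKEN|g" \
      -e "s|LaceworkServerUrl|$LACEWORK_SERVER_URL|g" \
      -e "s|YOUR GKE CLUSTER NAME|$CLUSTER_NAME|g" "$src" > "$dst"
}

# Succeed only if no placeholder survives in the rendered manifest.
no_placeholders_left() {
  ! grep -q -e 'LaceworkAccessToken' -e 'LaceworkServerUrl' -e 'YOUR GKE CLUSTER NAME' "$1"
}

# Succeed only if the default resource requests shown in step 2 are still present.
default_requests_intact() {
  grep -q 'cpu: 100m' "$1" && grep -q 'memory: 512Mi' "$1" && grep -q 'ephemeral-storage: 200Mi' "$1"
}

# Render the manifest from $1 into $2, run both checks, then apply it.
apply_manifest() {
  render_manifest "$1" "$2" && no_placeholders_left "$2" && default_requests_intact "$2" || return 1
  kubectl apply -f "$2"
}
```

For a later update, run the same render and checks and then use kubectl replace on the rendered file, as in step 6.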