Integrate with Kubernetes Admission Controller

Overview

The Kubernetes Admission Controller acts as the last checkpoint before images are deployed (rather than at runtime or build). Use our ValidatingAdmissionWebhook with the Kubernetes Admission Controller to automatically scan images for vulnerabilities during continuous deployment.

Install our Proxy Scanner and Webhook together in your Kubernetes cluster to allow communication between Lacework and the Admission Controller.

Once integrated, you can view the vulnerabilities found on all images deployed.

Workflow

Supported Kubernetes Versions

• 1.20
• 1.21
• 1.22
• 1.23
• 1.24
• 1.25
• 1.26
• 1.27

All patch versions are supported for these releases.

Default Scanning Quotas

See Proxy Scanner Default Scanning Quotas.

Prerequisites

Choose your installation method first as some prerequisite steps will change depending on your chosen method.

Once you have selected your installation method, complete the following prerequisites:

1. Provide or generate the TLS/SSL certificates that are used during installation.
2. Prepare the Proxy Scanner configuration that is used during installation.
3. Consider Kubernetes workload resources that you want to exclude from vulnerability scans.

Installation Methods

Choose one of the following installation methods for the Proxy Scanner and Webhook:

• Option 1: Install the Webhook and Proxy Scanner in a Combined Helm Chart (Recommended).
  Use this method to install both the Webhook and Proxy Scanner on the same host as the Kubernetes Admission Controller.

• Option 2: Install the Proxy Scanner and Webhook in Separate Helm Charts.
  This method can be used to install the Webhook and Proxy Scanner on separate hosts (or if you already have the Proxy Scanner installed).

• Option 3: Download and Install the Helm Charts Manually.
  This method allows you to download templates for both the Proxy Scanner and Webhook configuration (values.yaml) and configure them manually prior to installation.

Helm Charts help you define, install, and upgrade Kubernetes applications.

Create TLS/SSL Certificates

Secure communication between the Admission Controller Webhook and the Kubernetes API server by providing Base64 encoded certificates for the Webhook. Choose from one of the following options:

• Option 1: Provide your own certificates.
• Option 2: Generate the certificates using a script provided in the Lacework Helm Charts repository.

You can also choose to secure communication between the Proxy Scanner and Admission Controller Webhook by providing Base64 encoded certificates for the Proxy Scanner. This is optional though.

info

The lacework namespace should be used when installing the Admission Controller Webhook and Proxy Scanner.

If integrating with EKS Fargate, make sure the lacework namespace is added to your Fargate profile:

Example

eksctl create fargateprofile \
--cluster <fargate_cluster_name> \
--name <fargate_profile_name> \
--namespace lacework

If you want to deploy in a different namespace, ensure that the domain of the Subject Alternative Names in your certificates are adjusted accordingly.

Option 1: Provide Your Own Certificates

Provide your own Base64 encoded certificates for the Admission Controller Webhook.

1. Create these files for the following properties or values during installation:

   File to use	Entries in values.yaml or Helm entry
   Webhook Root CA	<base64_webhook_ca.crt>
   Webhook server certificate	<base64_webhook.crt>
   Webhook server key	<base64_webhook.key>

   tip

   The Kubernetes documentation provides guidance for creating certificates manually.

2. Ensure to include the following DNS names for the Admission Controller Webhook:

   Example for Certificate Signing Request (CSR) config file entry

   [ alt_names ]
   DNS.1 = lacework-admission-controller.lacework.svc
   DNS.2 = lacework-admission-controller.lacework.svc.cluster.local
   DNS.3 = admission.lacework-dev.svc
   DNS.4 = admission.lacework-dev.svc.cluster.local
   DNS.5 = lacework-proxy-scanner.lacework.svc
   DNS.6 = lacework-proxy-scanner.lacework.svc.cluster.local
   DNS.7 = lacework-proxy-scanner.lacework

   The DNS.5, DNS.6, and DNS.7 entries are only required if you are using the same certificates for traffic between the Admission Controller and Proxy Scanner.

3. Encode the certificates in Base64 format before using them:

   Example

   cat <webhook_ca.crt> | base64 | tr -d '\n' > <base64_webhook_ca.crt> \
   cat <webhook.crt> | base64 | tr -d '\n' > <base64_webhook.crt> \
   cat <webhook.key> | base64 | tr -d '\n' > <base64_webhook.key>

Proxy Scanner Certificates (Optional)

Provide your own Base64 encoded certificates for the Proxy Scanner.

1. Create these files for the following properties or values during installation:

   File to use	Entries in values.yaml or Helm entry
   Proxy Scanner Root CA	<base64_scanner_ca.crt>
   Proxy Scanner server certificate	<base64_scanner.crt>
   Proxy Scanner server key	<base64_scanner.key>

2. Ensure to include the following DNS names for the Proxy Scanner:

   Example for Certificate Signing Request (CSR) config file entry

   [ alt_names ]
   DNS.1 = lacework-admission-controller.lacework.svc
   DNS.2 = lacework-admission-controller.lacework.svc.cluster.local
   DNS.3 = admission.lacework-dev.svc
   DNS.4 = admission.lacework-dev.svc.cluster.local
   DNS.5 = lacework-proxy-scanner.lacework.svc
   DNS.6 = lacework-proxy-scanner.lacework.svc.cluster.local
   DNS.7 = lacework-proxy-scanner.lacework

3. Encode the certificates in Base64 format before using them:

   Example

   cat <scanner_ca.crt> | base64 | tr -d '\n' > <base64_scanner_ca.crt> \
   cat <scanner.crt> | base64 | tr -d '\n' > <base64_scanner.crt> \
   cat <scanner.key> | base64 | tr -d '\n' > <base64_scanner.key>

Option 2: Generate Certificates Using the Script in the Lacework Helm Charts Repository

1. Get the latest copy of the Admission Controller from the Lacework Helm Charts repository

   tip

   If using Helm, you can pull the repository directly using helm pull lacework/admission-controller.

   The file will be in the format of admission-controller-<version>.tgz.

2. Extract the script:

   tar -xvf admission-controller-*.tgz \
   admission-controller/generate-certs.sh

   This extracts the script to a subdirectory named 'admission-controller' in your current working directory.

3. Run the script to generate the certificates:

   cd admission-controller

   chmod u+x generate-certs.sh

   ./generate-certs.sh

4. Use these generated files for the following properties or values during installation:

   File to use	Entries in values.yaml or Helm entry
   ca.crt_b64	<base64_webhook_ca.crt>
   admission.crt_b64	<base64_webhook.crt>
   admission.key_b64	<base64_webhook.key>

Generate the Proxy Scanner certificates (Optional)

note

Generating certificates using the script in the Lacework Helm Charts repository only provides the Webhook certificates.

You can reuse the same certificates for the Proxy Scanner if you generated them for the Webhook:

File to use	Entries in values.yaml or Helm entry
ca.crt_b64 (same as the Webhook Root CA)	<base64_scanner_ca.crt>
admission.crt_b64	<base64_scanner.crt>
admission.key_b64	<base64_scanner.key>

Configure the Proxy Scanner

Configure the Proxy Scanner to authenticate with Lacework and automatically initiate scans prior to deployment. This also allows container vulnerability policies to be evaluated during scans. Scan results are then sent to the Admission Controller prior to pod deployment.

During installation of the Proxy Scanner, the values.yaml file will need to be provided. This section explains how to prepare this file depending on your installation method.

note

If choosing the manual installation method, a template of values.yaml is downloaded as part of the installation and does not need to be prepared in advance.

Proxy Scanner Config for Combined Helm Chart

When installing the Webhook and Proxy Scanner in a Combined Helm Chart, create the values.yaml file in advance by using the following blank template of the proxy-scanner section:

proxy-scanner:
  config:
    scan_public_registries: 
    default_registry: 
    static_cache_location: /opt/lacework
    lacework:
      account_name: 
      integration_access_token: 
        existingSecret:
          key: 
          name: 
    registry_secret_name: 
    registries:
      - domain: 
        name: 
        ssl: 
        auto_poll: false
        is_public: 
        auth_type: 
        auth_header_name: 
        credentials:
          user_name: 
          password: 
        poll_frequency_minutes: 20
        disable_non_os_package_scanning: 
        go_binary_scanning:
          enable: 
          scan_directory_path: ""

See Configure the Proxy Scanner for on-demand scans for instructions on how to populate the configuration.

There are also example configurations available to view (other authentication types with examples can be found in this section).

Proxy Scanner Config for Separate Helm Charts

When installing the Proxy Scanner and Webhook in Separate Helm Charts, create the values.yaml file in advance by using the following blank template of the config section:

config:
  scan_public_registries: 
  static_cache_location: /opt/lacework
  default_registry: 
  lacework:
    account_name: 
    integration_access_token: 
      existingSecret:
        key: 
        name: 
  registry_secret_name: 
  registries:
    - domain: 
      name: 
      ssl: 
      auto_poll: false
      is_public: 
      auth_type: 
      auth_header_name: 
      credentials:
        user_name: 
        password: 
      poll_frequency_minutes: 20
      disable_non_os_package_scanning: 
      go_binary_scanning:
        enable: 
        scan_directory_path: ""

See Configure the Proxy Scanner for on-demand scans for instructions on how to populate the configuration.

There are also example configurations available to view (other authentication types with examples can be found in this section).

Exclude Workload Resources

danger

It is highly recommended that all resources except Pod are excluded from scans. All other resources may spawn multiple child resources, and these will cause excessive scanning during the deployment if not excluded.

For example, a CronJob will spawn instances of Jobs, which can also launch Pods. If only CronJob and Job are excluded, then a scan will still be triggered on Pod.

Only remove resources from the exclude list if you are okay with the additional delay that may occur during deployments.

You can exclude Kubernetes Workload Resources from vulnerability scans by adding them to an excluded resources list.

The types of resources that can be excluded from scans are:

• Pod
• Deployment
• ReplicaSet
• DaemonSet
• Job
• CronJob
• StatefulSet

Edit the values.yaml to Exclude Resources

Exclude resources by adding an admission.excluded_resources field to the values.yaml file for the Admission Controller Webhook configuration.

If not added, the default configuration will exclude all resources except Pod (which is recommended).

The example below is an exhaustive list of all possible resources that can be excluded. Only add the resources that you want to exclude from scanning.

Example entry to exclude all resources

admission:
  excluded_resources:
    - Pod
    - Deployment
    - ReplicaSet
    - DaemonSet
    - Job
    - CronJob
    - StatefulSet

Where and when to add this field depends on which installation method you have chosen:

• Combined Helm Chart: Add this field to the Proxy Scanner configuration prior to installation as it can contain both Proxy Scanner and Webhook configuration.

• Separate Helm Charts: Create a separate values_resources.yaml file and add this field as the contents. It can then be used when prompted during the Webhook installation steps.

• Manual Installation: Add this field to the values.yaml when prompted during the Webhook installation steps.

Installation Steps

Option 1: Install the Webhook and Proxy Scanner in a Combined Helm Chart

1. Before you begin, ensure you have all the TLS/SSL certificates in your working directory.

2. Add the Lacework Helm Charts repository:

   helm repo add lacework https://lacework.github.io/helm-charts/

3. Install and configure the Admission Controller Webhook and Proxy Scanner by using the values.yaml file created earlier:

   helm upgrade --install --create-namespace --namespace lacework \
   --set webhooks.caBundle=`cat <base64_webhook_ca.crt>` \
   --set certs.serverCertificate=`cat <base64_webhook.crt>` \
   --set certs.serverKey=`cat <base64_webhook.key>` \
   --values values.yaml \
   lacework-admission-controller lacework/admission-controller

   • (Optional) If you want to secure communication between the Proxy Scanner and Admission Controller Webhook, include these optional properties:

     --set scanner.skipVerify=false \
     --set scanner.caCert=`cat <base64_scanner_ca.crt>` \
     --set proxy-scanner.certs.skipCert=false \
     --set proxy-scanner.certs.serverCertificate=`cat <base64_scanner.crt>` \
     --set proxy-scanner.certs.serverKey=`cat <base64_scanner.key>` \
     Example

     helm upgrade --install --create-namespace --namespace lacework \
     --set webhooks.caBundle=`cat <base64_webhook_ca.crt>` \
     --set certs.serverCertificate=`cat <base64_webhook.crt>` \
     --set certs.serverKey=`cat <base64_webhook.key>` \
     --values values.yaml \
     --set scanner.skipVerify=false \
     --set scanner.caCert=`cat <base64_scanner_ca.crt>` \
     --set proxy-scanner.certs.skipCert=false \
     --set proxy-scanner.certs.serverCertificate=`cat <base64_scanner.crt>` \
     --set proxy-scanner.certs.serverKey=`cat <base64_scanner.key>` \
     lacework-admission-controller lacework/admission-controller

     Alternatively, provide the full Base64 encoded string for each certificate instead of the cat certificateFile command.

   • (Optional) If you want to exclude workload resources from vulnerability scans, ensure you have added the admission.excluded_resources field to the values.yaml file.

4. Display the pods for verification:

   kubectl get pods -n lacework

Option 2: Install the Proxy Scanner and Webhook in Separate Helm Charts

Install the Proxy Scanner with Helm

1. Before you begin, ensure you have all the TLS/SSL certificates in your working directory.

2. Add the Lacework Helm Charts repository:

   helm repo add lacework https://lacework.github.io/helm-charts/

3. Install and configure the Proxy Scanner by using the values.yaml file created earlier:

   helm upgrade --install --create-namespace --namespace lacework \
   --values values.yaml \
   lacework-proxy-scanner lacework/proxy-scanner

   • (Optional) If you want to secure communication between the Proxy Scanner and Admission Controller Webhook, include these optional properties:

     --set certs.skipCert=false \
     --set certs.serverCertificate=`cat <base64_scanner.crt>` \
     --set certs.serverKey=`cat <base64_scanner.key>` \
     Example

     helm upgrade --install --create-namespace --namespace lacework \
     --set certs.skipCert=false \
     --set certs.serverCertificate=`cat <base64_scanner.crt>` \
     --set certs.serverKey=`cat <base64_scanner.key>` \
     --values values.yaml \
     lacework-proxy-scanner lacework/proxy-scanner

4. Display the pods for verification:

   kubectl get pods -n lacework

Install the Admission Controller Webhook With Helm

1. Before you begin, ensure you have all the TLS/SSL certificates in your working directory.

2. Install and configure the Admission Controller Webhook:

   helm upgrade --install --create-namespace --namespace lacework \
   --set proxy-scanner.enabled=false \
   --set webhooks.caBundle=`cat <base64_webhook_ca.crt>` \
   --set certs.serverCertificate=`cat <base64_webhook.crt>` \
   --set certs.serverKey=`cat <base64_webhook.key>` \
   lacework-admission-controller lacework/admission-controller

   • (Optional) If you want to exclude workload resources from vulnerability scans, include the values_resources.yaml file that was created earlier.

     --values values_resources.yaml \
     Example

     helm upgrade --install --create-namespace --namespace lacework \
     --set proxy-scanner.enabled=false \
     --set webhooks.caBundle=`cat <base64_webhook_ca.crt>` \
     --set certs.serverCertificate=`cat <base64_webhook.crt>` \
     --set certs.serverKey=`cat <base64_webhook.key>` \
     --values values_resources.yaml \
     lacework-admission-controller lacework/admission-controller

   • (Optional) If you want to secure communication between the Proxy Scanner and Admission Controller Webhook, include this optional property:

     --set scanner.caCert=`cat <base64_scanner_ca.crt>` \
     --set scanner.skipVerify=false \
     Example

     helm upgrade --install --create-namespace --namespace lacework \
     --set proxy-scanner.enabled=false \
     --set webhooks.caBundle=`cat <base64_webhook_ca.crt>` \
     --set certs.serverCertificate=`cat <base64_webhook.crt>` \
     --set certs.serverKey=`cat <base64_webhook.key>` \
     --set scanner.caCert=`cat <base64_scanner_ca.crt>` \
     --set scanner.skipVerify=false \
     lacework-admission-controller lacework/admission-controller

3. Display the pods for verification:

   kubectl get pods -n lacework

Option 3: Download and Install the Helm Charts Manually

Install the Proxy Scanner Manually

1. Get the latest copy of the Proxy Scanner from the Lacework Helm Charts repository.

   The file will be in the format of proxy-scanner-<version>.tgz.

2. Extract the Proxy Scanner files into your current working directory:

   tar -xvf proxy-scanner-*.tgz

   This creates the 'proxy-scanner' directory containing the related files.

3. Edit the proxy-scanner/values.yaml file to configure the Proxy Scanner for on-demand scans (follow the links for instructions on how to populate the configuration). There are also example configurations available to view for each authentication type.

   • (Optional) If you want to secure communication between the Proxy Scanner and Admission Controller Webhook, provide the scanner certificate and key entries in the values.yaml file.

     certs:
       skipCert: false
       serverCertificate: "<base64_scanner.crt>"
       serverKey: "<base64_scanner.key>"

     Provide the full Base64 encoded strings for the certificates encapsulated in double quotes.

4. Install the Proxy Scanner:

   helm install -n lacework --create-namespace lacework-proxy-scanner ./proxy-scanner

5. Display the pods for verification:

   kubectl get pods -n lacework

Install the Admission Controller Webhook Manually

1. Get the latest copy of the Admission Controller from the Lacework Helm Charts repository.

   The file will be in the format of admission-controller-<version>.tgz.

2. Extract the Admission Controller Webhook files into your current working directory:

   tar -xvf admission-controller-*.tgz

   This creates the 'admission-controller' directory containing the related files.

3. Provide the certificate entries in values.yaml for the Admission Controller.

   certs:
     name: lacework-admission-certs
     serverCertificate: "<base64_webhook.crt>"
     serverKey: "<base64_webhook.key>"
   
   webhooks:
     caBundle: "<base64_webhook_ca.crt>"

   Provide the full Base64 encoded strings for the certificates encapsulated in double quotes.

   • (Optional) If you want to exclude workload resources from vulnerability scans, add the admission.excluded_resources field to the values.yaml.

   • (Optional) If you want to secure communication between the Proxy Scanner and Admission Controller Webhook, provide the scanner root CA entry in the values.yaml file:

     scanner:
       skipVerify: false
       caCert: "<base64_scanner_ca.crt>"

     Provide the full Base64 encoded string for the certificate encapsulated in double quotes.

4. Install the Admission Controller Webhook:

   helm install -n lacework --create-namespace lacework-admission-controller ./admission-controller

5. Display the pods for verification:

   kubectl get pods -n lacework

Configurable Parameters for Admission Controller Webhook

The following table lists all parameters for the Admission Controller Webhook configurable in the values.yaml file:

Parameter	Description	Default	Mandatory
logger.debug	Set to enable debug logging	false	NO
certs.name	Secret name for Helios certs	helios-admission-certs	NO
certs.serverCertificate	Certificate for TLS authentication with the Kubernetes api-server	N/A	YES
certs.serverKey	Certificate key for TLS authentication with the Kubernetes api-server	N/A	YES
webhooks.caBundle	Root certificate for TLS authentication with the Kubernetes api-server	N/A	YES
policy.block_exec	Set to enable 'exec' shell access to a Kubernetes pod.	false	NO
policy.bypass_scope	CSV of namespaces to bypass	kube-system,kube-public,lacework,lacework-dev	NO
nodeSelector	Kubernetes node selector	{}	NO
scanner.server	Lacework proxy scanner name	lacework-proxy-scanner	NO
scanner.namespace	Namespace in which it is deployed	lacework	NO
scanner.skipVerify	SSL between the webhook and the scanner	true	NO
scanner.caCert	Root cert of scanner	N/A	NO
scanner.timeout	Context deadline timeout	30	NO
scanner.defaultRegistry	Default registry to use when one is not provided in the image name	index.docker.io	NO
admission.excluded_resources	List of resources to skip admission review	N/A	NO
scanner.blockOnError	Block admission request if proxy scanner returns error	false	YES

scanner.defaultRegistry Configuration

If the scanner.defaultRegistry value is changed to be empty (the default value of index.docker.io would need to be removed), the registry must also be provided when supplying the image name that you want to scan.

Configuring Parameters After Installation

info

You can configure parameters using Helm after an installation, but the changes will not become active until you redeploy.

Configure parameters by using either of the following methods:

Method 1: Make Changes to values.yaml

Make your changes to the values.yaml and push them through Helm:

Example for Admission Controller Webhook

helm upgrade --values values.yaml lacework-admission-controller lacework/admission-controller

Example for Proxy Scanner

helm upgrade --values values.yaml lacework-proxy-scanner lacework/proxy-scanner

Method 2: Set Values Directly

Set values directly using Helm:

Example for Admission Controller Webhook

helm upgrade --set logger.debug=true lacework-admission-controller lacework/admission-controller

Example for Proxy Scanner

helm upgrade --set default_registry="NewDefaultRegistry.io" lacework-proxy-scanner lacework/proxy-scanner

Default Scan Behavior

If a Kubernetes image tag is not specified during a scan, the latest tag is used by default.

Next Steps

• Check for vulnerabilities in your scanned images using the Lacework Console.