Install Linux Agent on GKE Autopilot
Overview
GKE Autopilot is a mode of operation in Google Kubernetes Engine (GKE) in which Google Cloud automatically manages your Kubernetes clusters.
Lacework’s workload security provides visibility into all processes and applications within an organization’s cloud environments, covering runtime workload security, container vulnerability management, and automated anomaly and threat detection.
After you install the Lacework agent, Lacework scans hosts and streams select metadata to the Lacework data warehouse to build a baseline of normal behavior, which is updated hourly. From this, Lacework can provide detailed in-context alerts for anomalous behavior by comparing each hour to the previous one. Anomaly detection uses machine learning to determine, for example, if a machine sends data to an unknown IP, or if a user logs in from an IP that has not been seen before.
You can use either of the following two methods to deploy the Lacework agent on GKE Autopilot clusters: Helm, or a DaemonSet manifest. Both methods automatically deploy a Kubernetes Pod containing the agent onto every node in a cluster.
Note: The agent does not support package vulnerability scanning on GKE Autopilot.
Supported GKE Versions
The Lacework agent is supported with GKE Autopilot clusters running GKE version 1.25.8-gke.1000 or later.
Prerequisites
- Install the following on your machine:
  - Lacework Linux agent version 6.2 or later to deploy the agent using a DaemonSet manifest.
  - Lacework Linux agent version 6.3 or later to deploy the agent using Helm.
- A GKE Autopilot cluster running GKE version 1.25.8-gke.1000 or later.
Deploy Agent Using Helm
To deploy the agent using Helm on a GKE Autopilot cluster, do the following:
- Add the Lacework Helm Charts repository:
  helm repo add lacework https://lacework.github.io/helm-charts/
- Define the following environment variables:
  LACEWORK_AGENT_TOKEN=agent_token
  LACEWORK_SERVER_URL=server_url
  CLUSTER_NAME=gke_cluster_name
  KUBERNETES_ENVIRONMENT_NAME=env_name
  In the environment variables, replace:
  - agent_token with an agent access token from your Lacework account. For more information, see Create Agent Access Tokens.
    Note: GKE does not support specifying the agent access token as an existing secret using the instructions at Specify an Existing Secret. Hence, you must use the LACEWORK_AGENT_TOKEN environment variable to specify the agent access token.
  - server_url with the agent server URL. For more information, see Agent Server URL.
  - gke_cluster_name with the name of your GKE Autopilot cluster. For more information, see How Lacework Derives the Kubernetes Cluster Name.
  - env_name with a label for your Kubernetes environment, for example K8s_production. The label you specify is displayed as an Env tag in the Lacework Console. For more information, see Add Agent Tags.
- Install the Helm chart:
  helm install --namespace lacework --create-namespace \
    --set resources.requests.cpu=100m \
    --set resources.requests.memory=512Mi \
    --set priorityClassCreate=true \
    --set laceworkConfig.accessToken=${LACEWORK_AGENT_TOKEN} \
    --set laceworkConfig.serverUrl=${LACEWORK_SERVER_URL} \
    --set laceworkConfig.kubernetesCluster=${CLUSTER_NAME} \
    --set laceworkConfig.env=${KUBERNETES_ENVIRONMENT_NAME} \
    --set image.overrideValue=lacework/datacollector:latest \
    --set cloudservice.gke.autopilot=true \
    lacework-agent lacework/lacework-agent
  Note: In the Helm installation:
  - resources.requests.cpu=100m and resources.requests.memory=512Mi set the default CPU and memory requests for the agent container. Lacework recommends that you do not change the default values.
  - priorityClassCreate=true prevents the agent pod from being evicted by other pods.
  - image.overrideValue=lacework/datacollector:latest ensures that the agent image is pulled from the correct source.
  - cloudservice.gke.autopilot=true enables the agent to be installed on GKE Autopilot.
- Verify that the agent pods are up and running:
  kubectl get pods -n lacework -o wide
- Verify that the agent is successfully communicating with the Lacework server:
  kubectl logs POD_NAME -n lacework | grep 'Payload'
  where POD_NAME is the name of the agent pod.
After you deploy the agent, it takes 10 to 15 minutes for agent data to appear in the Lacework Console under Agents. You can also view your cluster in the Lacework Console under Workloads > Kubernetes.
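The GKE version requirement from Prerequisites and the pod verification step above are easy to eyeball on one cluster but worth scripting across many. The POSIX shell functions below are an added example and are not part of Lacework's documentation or tooling: gke_version_supported parses a version string of the form MAJOR.MINOR.PATCH-gke.BUILD and compares it component by component against the 1.25.8-gke.1000 minimum, and nodes_without_running_agent reports nodes that have no agent pod in phase Running, which, since the agent runs as a DaemonSet, should be none. The node and pod lines are constructed sample data in the column layout the commented kubectl invocations produce; the kubectl flags shown are real, everything else (names, values) is assumed for the example.

```shell
#!/bin/sh
# Added example (not Lacework's code or documentation): pre-flight and post-install
# checks for the GKE Autopilot agent deployment described on this page.

# Minimum GKE version stated in the Supported GKE Versions section.
MIN_GKE_VERSION="1.25.8-gke.1000"

# gke_version_parts "1.25.8-gke.1000" -> prints "1 25 8 1000"; exits 1 if the
# string is not in the MAJOR.MINOR.PATCH-gke.BUILD form that GKE uses.
gke_version_parts() {
  case "$1" in
    *.*.*-gke.*) ;;
    *) return 1 ;;
  esac
  major=${1%%.*}; rest=${1#*.}
  minor=${rest%%.*}; rest=${rest#*.}
  patch=${rest%%-gke.*}; build=${rest#*-gke.}
  echo "$major $minor $patch $build"
}

# gke_version_supported VERSION -> exit 0 if VERSION >= MIN_GKE_VERSION,
# 1 if it is older, 2 if VERSION cannot be parsed.
gke_version_supported() {
  candidate=$(gke_version_parts "$1") || return 2
  minimum=$(gke_version_parts "$MIN_GKE_VERSION")
  set -- $candidate $minimum    # $1..$4 candidate, $5..$8 minimum
  i=1
  while [ "$i" -le 4 ]; do
    eval "c=\$$i; m=\$$((i + 4))"
    [ "$c" -gt "$m" ] && return 0
    [ "$c" -lt "$m" ] && return 1
    i=$((i + 1))
  done
  return 0    # all four components equal
}

# nodes_without_running_agent NODES PODS
#   NODES: node names, one per line.
#   PODS:  one pod per line as "POD_NAME PHASE NODE_NAME".
# Prints the nodes that have no agent pod in phase Running (space separated)
# and exits 1 if there are any. Phase Running only means the pod was scheduled
# and started; the 'Payload' log check from the page is still needed to confirm
# the agent is actually talking to the Lacework server.
nodes_without_running_agent() {
  nodes=$1; pods=$2; missing=""
  for node in $nodes; do
    if ! printf '%s\n' "$pods" | awk -v node="$node" \
        '$2 == "Running" && $3 == node { found = 1 } END { exit !found }'; then
      missing="$missing${missing:+ }$node"
    fi
  done
  echo "$missing"
  [ -z "$missing" ]
}

# Constructed sample data (not real cluster output) in the layout produced by:
#   kubectl get nodes -o custom-columns=:.metadata.name --no-headers
#   kubectl get pods -n lacework -o custom-columns=:.metadata.name,:.status.phase,:.spec.nodeName --no-headers
SAMPLE_NODES="gk3-example-pool-1-aaaa
gk3-example-pool-1-bbbb
gk3-example-pool-2-cccc"
SAMPLE_PODS="lacework-agent-11111 Running gk3-example-pool-1-aaaa
lacework-agent-22222 Pending gk3-example-pool-1-bbbb"

# Stand-alone run: report on the sample data.
gke_version_supported "1.26.0-gke.500" && echo "1.26.0-gke.500: supported"
nodes_without_running_agent "$SAMPLE_NODES" "$SAMPLE_PODS" || echo "^ nodes without a Running agent pod"
```

On a live cluster, feed the two kubectl invocations from the comments into nodes_without_running_agent in place of the sample strings; the version string to pass to gke_version_supported is the cluster's currentMasterVersion as reported by gcloud or the GKE console.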
Deploy Agent Using a DaemonSet Manifest
To deploy the agent using a DaemonSet manifest on a GKE Autopilot cluster, do the following:
- Download the Lacework GKE Autopilot manifest file (lacework-gke-autopilot.yaml) from https://updates.lacework.net/6.3.0.10546_2023-01-20_release-v6.3_45e38ac3c79bc24acc94eb76157c057e15437ce5/lacework-gke-autopilot.yaml.
- Update the lacework-gke-autopilot.yaml file as required for your environment:
  - Replace LaceworkAccessToken with an agent access token from your Lacework account. For more information, see Create Agent Access Token.
  - Replace LaceworkServerUrl with the agent server URL. For more information, see Agent Server URL.
  - Replace YOUR GKE CLUSTER NAME with your GKE Autopilot cluster name.
  - The config.json agent configuration file is embedded in the config.json section of the lacework-gke-autopilot.yaml file. Update the config.json section if required. For more information, see Configure Linux Agent Using Agent Configuration File.
  - The default CPU, memory, and ephemeral storage requests for the agent container are set as shown below in the lacework-gke-autopilot.yaml file. Lacework recommends that you do not change the default values.
    resources:
      requests:
        cpu: 100m
        memory: 512Mi
        ephemeral-storage: 200Mi
- Deploy the agent using the updated lacework-gke-autopilot.yaml file:
  kubectl apply -f lacework-gke-autopilot.yaml
- Verify that the agent pods are up and running:
  kubectl get pods -n lacework -o wide
- Verify that the agent is successfully communicating with the Lacework server:
  kubectl logs POD_NAME -n lacework | grep 'Payload'
  where POD_NAME is the name of the agent pod.
- If you update the lacework-gke-autopilot.yaml file after the agent is deployed, push the revised file to the cluster using the following command:
  kubectl replace -f lacework-gke-autopilot.yaml -n lacework
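The manifest procedure above relies on the operator replacing three placeholders by hand before running kubectl apply; applying the file with LaceworkAccessToken still in it deploys an agent that can never authenticate, and editing the resource requests goes against the documented defaults. The POSIX shell functions below are an added example, not Lacework's code: manifest_unreplaced_placeholders lists any of the page's three placeholders still present, and manifest_requests_match_defaults checks that the requests map carries cpu 100m, memory 512Mi and ephemeral-storage 200Mi. The embedded manifest is a constructed, heavily simplified stand-in (assumed structure, invented names and values) and is not the real lacework-gke-autopilot.yaml; the awk scan assumes the one-key-per-line layout shown on the page and is not a YAML parser.

```shell
#!/bin/sh
# Added example (not Lacework's code or documentation): checks to run on an edited
# lacework-gke-autopilot.yaml before 'kubectl apply'. The manifest is passed in as
# a string so the functions can be exercised offline.

# manifest_unreplaced_placeholders MANIFEST -> prints the placeholders from the
# page's update step that are still present, space separated; exits 1 if any.
manifest_unreplaced_placeholders() {
  manifest=$1; found=""
  for placeholder in "LaceworkAccessToken" "LaceworkServerUrl" "YOUR GKE CLUSTER NAME"; do
    if printf '%s\n' "$manifest" | grep -qF -- "$placeholder"; then
      found="$found${found:+ }$placeholder"
    fi
  done
  echo "$found"
  [ -z "$found" ]
}

# manifest_requests_match_defaults MANIFEST -> exit 0 if the 'requests:' map
# carries the documented defaults (cpu 100m, memory 512Mi, ephemeral-storage
# 200Mi), else 1. Simplification: a line that is a bare key (e.g. "limits:")
# ends the requests map; values are read as the second whitespace field.
manifest_requests_match_defaults() {
  printf '%s\n' "$1" | awk '
    /^[ ]*requests:[ ]*$/ { inreq = 1; next }
    inreq && /^[ ]*[A-Za-z-]+:[ ]*$/ { inreq = 0 }   # next map ends the requests block
    inreq && /^[ ]*cpu:/ { cpu = $2 }
    inreq && /^[ ]*memory:/ { mem = $2 }
    inreq && /^[ ]*ephemeral-storage:/ { eph = $2 }
    END { exit !(cpu == "100m" && mem == "512Mi" && eph == "200Mi") }'
}

# Constructed sample manifest (assumed, simplified structure; not the real file).
# The server URL and cluster name have been replaced, the access token has not.
SAMPLE_MANIFEST='apiVersion: v1
kind: ConfigMap
metadata:
  name: lacework-config
  namespace: lacework
data:
  config.json: |
    {"tokens": {"AccessToken": "LaceworkAccessToken"},
     "serverurl": "https://agent.example.invalid"}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: lacework-agent
  namespace: lacework
spec:
  template:
    spec:
      containers:
      - name: lacework
        image: lacework/datacollector:latest
        resources:
          requests:
            cpu: 100m
            memory: 512Mi
            ephemeral-storage: 200Mi
          limits:
            memory: 512Mi'

# Stand-alone run on the sample manifest.
left=$(manifest_unreplaced_placeholders "$SAMPLE_MANIFEST") || echo "do not apply, placeholders remain: $left"
manifest_requests_match_defaults "$SAMPLE_MANIFEST" && echo "resource requests match the documented defaults"
```

For a real file, pass "$(cat lacework-gke-autopilot.yaml)" to both functions and make the apply step conditional on both returning 0.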