Skip to content

andrewelizondo/lw_k8s_ac

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
modules/lwac_certs
modules/lwac_certs
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
main.tf
main.tf
 
 
values.tftpl
values.tftpl
 
 
variables.tf
variables.tf
 
 

Repository files navigation

Lacework Kubernetes Admission Controller

Purpose

Provide a quick workshop to understand how to use the K8s AC with the Lacework platform.

⚠️ This is not intended for production use as the generated certificates only live in the terraform state file.

Prerequisites

  1. Functioning K8s Cluster
  2. Active Lacework Account

Steps

  1. Create a Lacework Proxy scanner token

https://docs.lacework.com/integrate-proxy-scanner#create-a-proxy-scanner-integration-in-lacework

  1. In your lacework account, enable the Critical CVE (LW_CONTAINER_POLICY_4) and apt-get caches are not cleared in Dockerfile (LW_CONTAINER_POLICY_10) policies and associate them to the proxy scanner you created.

https://docs.lacework.com/container-vulnerability-policies#default-policies

https://docs.lacework.com/container-vulnerability-policies#associate-policies-with-a-registry-integration

  1. Run Terraform apply to setup the certs & helm chart for the admission controller + proxy scanner
$ terraform apply -var "account=<youraccount>" -var "int_token=<proxyscannertoken>"
  1. Validate that the proxy scanner & admission controller is running in your cluster
$ kubectl get pods -n lacework
...
lacework      lacework-admission-controller...   Running
lacework      lacework-proxy-scanner...          Running
...
  1. Tail the logs of the admission controller in a separate terminal
$ kubectl logs $(kubectl get pods -n lacework -l app=lacework-admission-controller -o name) -n lacework -f
...
[INFO]:   2022-05-25 01:24:23 - Starting server..
[INFO]:   2022-05-25 01:24:23 - Listener started..
...
  1. While logs are tailing, create a deployment file with an older image of nginx
# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.11.9
        ports:
        - containerPort: 80
  1. Attempt to create the deployment, you should be stopped by the admission controller noting that the image failed the policies you configured in your Lacework tenant.
~ kubectl apply -f deployment.yaml
Error from server: error when creating "deployment.yaml": admission webhook "validate.lacework.net" denied the request: Violations the following policies:
LW_CONTAINER_POLICY_10 - apt-get caches are not cleared in Dockerfile - fail on violation: true
LW_CONTAINER_POLICY_4 - Critical CVEs - fail on violation: true
  1. Enjoy a tasty beverage 🍺

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

1 star

Watchers

2 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages