Provision an EKS Cluster using Terraform and add the Lacework Agent on Amazon Elastic Kubernetes Service
The instructions in this repo will:
- Provide
terraform
to create an EKS cluster - Deploy K8s Metrics Server
- Deploy K8s Dashboard
- Install Lacework Agent
Before you begin, you will need the following:
- AWS Account
- AWS IAM Permissions Example Here
- AWS CLI Installed
- Kubernetes CLI
- wget installed
- Terraform 0.14.11
Clone the repo
git clone git@github.com:anthonygrees/lw_eks_k8s_demo.git
cd lw_eks_k8s_demo
Initiate the Terraform
terraform init -update
Apply the terraform to create the EKS cluster
terraform apply
This process should take approximately 10 minutes. Upon successful application, your terminal prints the outputs
Apply complete! Resources: 51 added, 0 changed, 0 destroyed.
Outputs:
cluster_endpoint = "https://80CD543ECDB40DCF1AC9xxxxxxx9710F.sk1.eu-north-1.eks.amazonaws.com"
cluster_id = "rees-eks-kXpc1xxxx"
cluster_name = "rees-eks-kXpcxxxx"
cluster_security_group_id = "sg-03614b30a2xxxxxd7"
config_map_aws_auth = [
{
"binary_data" = tomap(null) /* of string */
....
....
Now that you've provisioned your EKS cluster, you need to configure kubectl.
Run the following command to retrieve the access credentials for your cluster and automatically configure kubectl.
aws eks --region $(terraform output -raw region) update-kubeconfig --name $(terraform output -raw cluster_name)
The Kubernetes Metrics Server, used to gather metrics such as cluster CPU and memory usage over time, is not deployed by default in EKS clusters.
Download and unzip the metrics server by running the following command.
wget -O v0.3.6.tar.gz https://codeload.github.com/kubernetes-sigs/metrics-server/tar.gz/v0.3.6 && tar -xzf v0.3.6.tar.gz
Deploy the metrics server to the cluster by running the following command.
kubectl apply -f metrics-server-0.3.6/deploy/1.8+/
Verify that the metrics server has been deployed. If successful, you should see something like this.
kubectl get deployment metrics-server -n kube-system
The following command will schedule the resources necessary for the dashboard.
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta8/aio/deploy/recommended.yaml
Your output will look like this
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created
Now, create a proxy server that will allow you to navigate to the dashboard from the browser on your local machine. This will continue running until you stop the process by pressing CTRL + C
.
kubectl proxy
Your output will be:
Starting to serve on 127.0.0.1:8001
You can reach the Kubernetes dashboard here - http://127.0.0.1:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
To use the Kubernetes dashboard, you need to create a ClusterRoleBinding and provide an authorization token.
In another terminal (do not close the kubectl proxy process), create the ClusterRoleBinding resource.
kubectl apply -f https://raw.githubusercontent.com/anthonygrees/lw_eks_k8s_demo/master/kubernetes-dashboard-admin.rbac.yaml
Then, generate the authorization token.
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep service-controller-token | awk '{print $1}')
Select "Token" on the Dashboard UI then copy and paste the entire token you receive into the dashboard authentication screen to sign in. You are now signed in to the dashboard for your Kubernetes cluster.
Navigate to the "Cluster" page by clicking on "Cluster" in the left navigation bar. You should see a list of nodes in your cluster.
-
In the Lacework Console, download the two Kubernetes YAML files. Navigate to
Settings > Agents
. Either use an existing agent access token or create a new agent token by clicking+ Create New
. Click Install Options. Download Kubernetes Config and Kubernetes Orchestration. -
Using the kubectl command line interface, add the Lacework configuration file into the cluster.
kubectl create -f lacework-cfg-k8s.yaml
The lacework-cfg-k8s.yaml
needs to have the variables replaced:
apiVersion: v1
kind: ConfigMap
metadata:
name: lacework-config
data:
config.json: |
{"tokens":{"AccessToken":"add_your_token_here"}, "tags":{"KubernetesCluster":"reesy.eks.local"}, "serverurl":"https://api.lacework.net"}
US Lacework Tenant serverurl - https://api.lacework.net
ANZ Lacework Tenant serverurl - https://auprodn1.agent.lacework.net
If you wish to use the Lacework Code Aware Agent and Syscall, then use this lacework-cfg-k8s.yaml
.
apiVersion: v1
kind: ConfigMap
metadata:
name: lacework-config
data:
config.json: |
{
"tokens":{
"AccessToken":"<snip>"
},
"tags":{
"Env":"k8s"
},
"serverurl":"https://api.lacework.net",
"codeaware":{
"enable":"all"
}
}
syscall_config.yaml: |
etype.exec:
group-by:
- ts
etype.file:
send-if-matches:
anydir:
watchpath: /*
depth: 3
- Instruct the Kubernetes orchestrator to deploy an agent using a
DaemonSet
on all nodes in the cluster, including the master.
To change the CPU and memory limits, see Change Agent Resource Installation Limits on K8s Environments.
kubectl create -f lacework-k8s.yaml
- Repeat the above steps for each Kubernetes cluster. The config.json file is embedded in the lacework-cfg-k8s.yaml file. To customize FIM or add tags in a Kubernetes environment, edit the configuration section of the YAML file and push the revised lacework-cfg-k8s.yaml file to the cluster using the following command.
kubectl replace -f lacework-cfg-k8s.yaml
You can check what is running on the pod with:
kubectl get pods
The response will be as follows:
kubectl get pods
NAME READY STATUS RESTARTS AGE
lacework-agent-9gfwq 1/1 Running 0 17d
lacework-agent-v96s2 1/1 Running 0 17d
lacework-agent-vds79 1/1 Running 0 17d
If you are running more than one K8s cluster, check the config view with:
kubectl config view
Change the config with:
kubectl config use-context <cluster::name>
In the Lacework UI, you will now see your K8s cluster in the Polygraph.
Lacework integrates with AWS to analyze EKS Audit Logs for monitoring EKS cluster security and configuration compliance.
Audit logging must be enabled on the cluster(s) that you want to integrate. You can do this via the AWS CLI using the following command:
aws eks --region <region> update-cluster-config --name <cluster_name> \
--logging '{"clusterLogging":[{"types":["audit"],"enabled":true}]}'
or use the terraform output variables like this.
aws eks --region $(terraform output -raw region) update-cluster-config --name $(terraform output -raw cluster_name) \
--logging '{"clusterLogging":[{"types":["audit"],"enabled":true}]}'
The response will be as follows:
{
"update": {
"id": "ca1fa657-2a7b-48b5-8bbc-xxxxxxxxxx",
"status": "InProgress",
"type": "LoggingUpdate",
"params": [
{
"type": "ClusterLogging",
"value": "{\"clusterLogging\":[{\"types\":[\"audit\"],\"enabled\":true}]}"
}
],
"createdAt": "2022-05-06T19:53:11.939000+10:00",
"errors": []
}
}
This scenario creates a new Lacework EKS Audit Log integration with a cross-account IAM role to provide Lacework access. This example targets cluster(s) in a single AWS region.
Create a file called main.tf
with the following:
terraform {
required_providers {
lacework = {
source = "lacework/lacework"
}
}
}
provider "aws" {
region = "ap-southeast-2"
profile = "default"
shared_credentials_file = "~/.aws/credentials"
}
provider "lacework" {}
module "eks-audit-log" {
source = "lacework/eks-audit-log/aws"
version = "0.2.0"
cloudwatch_regions = ["your-region"]
cluster_names = ["your-eks-name"]
}
Open a Terminal and change directories to the directory that contains the main.tf
file and run terraform init to initialize the project and download the required modules.
Run terraform plan to validate
the configuration and review pending changes.
After you review the pending changes, run terraform apply
to execute changes.
To validate the integration using the CLI, open a Terminal and run the command:
lacework integrations list
The integration will be listed as AWS_EKS_AUDIT
.