Skip to main content

Deploy on Kubernetes

This topic discusses the available methods to deploy Lacework on Kubernetes.

  • Deploy with a Helm Chart - Helm is a package manager for Kubernetes that uses a packaging format called charts. A chart is a collection of files that describe a related set of Kubernetes resources. You can download a copy of the Lacework Helm chart from the Lacework agent releases site.
  • Deploy with a DaemonSet - DaemonSets are an easy way to deploy a Kubernetes pod onto every node in the cluster. This is useful for monitoring tools such as Lacework. You can use the DaemonSet method to deploy Lacework onto any Kubernetes cluster, including hosted versions like EKS, AKS, and GKE.
  • Deploy with Terraform - For organizations using Hashicorp Terraform to automate their environments, Lacework maintains the terraform-kubernetes-agent module to create a Secret and DaemonSet for deploying the Lacework Datacollector Agent in a Kubernetes cluster.
important

If you have built your own Kubernetes clusters (rather than utilizing EKS, AKS, GKE or similar), you must specify the Kubernetes cluster name in a tag for the agent to find the cluster name. For details, see How Lacework Derives the Kubernetes Cluster Name.

After you install the agent, it takes 10 to 15 minutes for agent data to appear in the Lacework Console under Resources > Agents.

note

The datacollector pod uses privileged containers and requires access to host PID namespace, networking, and volumes.

Supported Kubernetes Versions

  • Kubernetes v1.9.x to v1.24

Unsupported Kubernetes Versions

  • Lacework support for Kubernetes v1.8.x and v1.7.11 has been deprecated.

If you are using a different combination of versions, contact Lacework for assistance.

Install using Helm

Supported Versions

  • EKS (Bottlerocket)
  • Helm
    • 3.1.x
    • 3.2.x
    • 3.3.x
    • 3.4.x
  • Kops 1.20
  • Kubernetes v1.10 to v1.22
  • Ubuntu 20.04

Limitations

  • 2.x based Helm charts are not supported.

Use Helm to Install the Agent (Charts Repository)

Helm Charts help you define, install, and upgrade Kubernetes applications.

  1. Add the Lacework Helm Charts repository:

    helm repo add lacework https://lacework.github.io/helm-charts/
  2. Install the Helm charts or upgrade an existing Helm chart. If the tenant you are using is located outside North America, replace the values for the LACEWORK_AGENT_TOKEN and LACEWORK_SERVER_URL.

    note

    KUBERNETES_CLUSTER_NAME and KUBERNETES_ENVIRONMENT_NAME are optional. Replace them with values from your setup. To change the KUBERNETES_CLUSTER_NAME, see How Lacework Derives the Kubernetes Cluster Name.

    If you are using a tenant located in North America, run the following command:

    helm upgrade --install --namespace lacework --create-namespace \
    --set laceworkConfig.accessToken=${LACEWORK_AGENT_TOKEN} \
    --set laceworkConfig.kubernetesCluster=${KUBERNETES_CLUSTER_NAME} \
    --set laceworkConfig.env=${KUBERNETES_ENVIRONMENT_NAME} \
    lacework-agent lacework/lacework-agent

    If you are using a tenant located outside of North America, run the following command:

    helm upgrade --install --namespace lacework --create-namespace \
    --set laceworkConfig.accessToken=${LACEWORK_AGENT_TOKEN} \
    --set laceworkConfig.serverUrl=${LACEWORK_SERVER_URL} \
    --set laceworkConfig.kubernetesCluster=${KUBERNETES_CLUSTER_NAME} \
    --set laceworkConfig.env=${KUBERNETES_ENVIRONMENT_NAME} \
    lacework-agent lacework/lacework-agent
  3. Verify the pods.

    kubectl get pods -n lacework -o wide

Install Using the Charts from the Lacework Release Page

note

Lacework recommends installing from the charts repository than from the Lacework Release Page if possible. Installing from the charts repository does not require editing of the Charts.yaml file, whereas this method does.

Get the Helm Chart for the Agent

The Helm chart is available as part of the agent release tarball from the Lacework Agent Release GitHub repository (v2.12.1 or later).

The Helm chart includes the following:

  • ./helm/
  • ./helm/lacework-agent/
  • ./helm/lacework-agent/Chart.yaml
  • ./helm/lacework-agent/templates/
  • ./helm/lacework-agent/templates/_helpers.tpl
  • ./helm/lacework-agent/templates/configmap.yaml
  • ./helm/lacework-agent/templates/daemonset.yaml
  • ./helm/lacework-agent/values.yaml

Edit Charts.yaml

For Helm charts v4.2, in the Charts.yaml, change the version: 4.2.0.218 line to be version: 4.2.0

Use Helm to Install the Agent (Release Page)

Replace the example text with your own values.

  1. Install the charts or upgrade an existing deployment.

    helm upgrade --install --namespace lacework --create-namespace \
    --set laceworkConfig.accessToken=${LACEWORK_AGENT_TOKEN} \
    --set laceworkConfig.serverUrl=${LACEWORK_SERVER_URL} \
    --set laceworkConfig.kubernetesCluster=${KUBERNETES_CLUSTER_NAME} \
    --set laceworkConfig.env=${KUBERNETES_ENVIRONMENT_NAME} \
    lacework-agent helm.tar.gz
  2. Verify the pods.

    kubectl get pods -n lacework -o wide

If you have an autogenerated or custom Helm deployment and these steps do not work, you can optionally:

  1. Change "additionalProperties": true in values.schema.json. Lacework supports this change, but it is not encouraged.
  2. Use Helm to install the agent (charts repository).

Install on Openshift

Install with the cluster-admin Role

Use the normal Helm installation instructions to install the Lacework agent on Openshift.

Install with a Service Account

You can also install the Lacework agent using Helm charts and a service account.

Before deploying the Helm chart, ensure that the service account has permissions to create privileged pods by running the following command:

oc adm policy add-scc-to-user privileged -z ${SERVICE_ACCOUNT_NAME}

To install the agent using a Helm chart:

  1. Specify a service account when installing the Helm chart by adding laceworkConfig.serviceAccountName to the Helm command:

    --set laceworkConfig.serviceAccountName="${SERVICE_ACCOUNT_NAME}"

  2. Modify the values.yaml file and add the service account:

      # [Optional] Specify the service account for agent pods
    serviceAccountName: ${SERVICE_ACCOUNT_NAME}

You can specify that the agent runs on all nodes in a cluster or in a subset of nodes in the cluster.

Enable the Lacework Agent on all Nodes

To run the Lacework agent on all nodes in your cluster, specify the following toleration during installation in one of the following ways:

  1. Enter a command, such as: --set "tolerations[0].effect=NoSchedule" --set "tolerations[0].operator=Exists"

  2. Modify the values.yaml file and add data similar to the following:

    tolerations:
    # Allow Lacework agent to run on all nodes in case of a taint
    - effect: NoSchedule
    operator: Exists
Enable the Lacework Agent on a Subset of Nodes

To set multiple tolerations for the Lacework agent, set an array of desired tolerations in one of the following ways:

  1. Enter the following command and repeat for each scheduling condition: --set "tolerations[0].effect=NoSchedule" --set "tolerations[0].operator=node-role.kubernetes.io/master". Ensure you increment the array index for each scheduling condition.

  2. Modify the values.yaml file and add data similar to the following:

    tolerations:
    # Allow Lacework agent to run on all nodes in case of a taint tolerations:
    - effect: NoSchedule
    key: node-role.kubernetes.io/master
    - effect: NoSchedule
    key: node-role.kubernetes.io/infra

Helm Configuration Options

Specify Image Pull Secrets

Image pull secrets enable fetching the Lacework agent image from private repositories and/or allow bypassing rate limits.

You can configure image pull secrets in one of the following ways:

  1. Modify your Helm install/upgrade command with the following options:

      --set image.imagePullSecrets.name=<registrySecret>
  2. Modify the values.yaml file and add data similar to:

      # [Optional] imagePullSecrets.
    # https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    imagePullSecrets:
    - name: <registrySecret>

    Where <registrySecret> is the name of the secret that contains the credentials necessary to fetch the Lacework agent image.

Specify an Existing Secret

Existing secrets allow you to store the Lacework access token outside of Helm.

You can use an existing secret in your Lacework Helm charts in one of the following ways:

  1. Enter a command such as the following on the command line:

    --set laceworkConfig.accessToken.existingSecret.key="lacework_agent_token"
    --set laceworkConfig.accessToken.existingSecret.name="lacework-agent-secret"
  2. Modify the values.yaml file and add data similar to the following:

    laceworkConfig:
    # [Required] An access token is required before running agents.
    # Visit https://<LACEWORK UI URL> for eg: https://lacework.lacework.net
    accessToken:
    existingSecret:
    key: lacework_agent_token
    name: lacework-agent-secret

Specify Custom Annotations on Helm Charts

Annotations are a way of adding non-identifying metadata to Kubernetes objects. They are used by external tools to provide extra functionalities.

You can set annotations in your Lacework Helm charts in one of the following ways:

  1. Enter a command such as --set laceworkConfig.annotations.<key> <value> on the command line.

  2. Modify the values.yaml file and add data similar to the following:

    # [Optional] Define custom annotations to use for identifying resources created by these charts
    annotations:
    key: value
    another_key: another_value

Specify Custom Labels on Helm Charts

Similar to custom annotations, custom labels are a way of adding non-identifying metadata to Kubernetes objects. They are used by external tools to provide extra functionalities.

You can set labels in your Lacework Helm charts in one of the following ways:

  1. Enter a command such as --set laceworkConfig.labels.<key> <value> on the command line.

  2. Modify the values.yaml file and add data similar to the following:

    # [Optional] Define custom labels to use for identifying resources created by these charts
    labels:
    key: value
    another_key: another_value

Specify a Proxy URL on Helm Charts

Proxy servers allow you to specify a URL to route agent traffic.

You can set the proxy server URL in your Lacework Helm charts in one of the following ways:

  1. Enter a command such as --set laceworkConfig.proxyUrl=${LACEWORK_PROXY_URL} on the command line.

  2. Modify the values.yaml file and add data similar to the following:

    # [Required] Specify a proxy server URL to use for routing agent
    proxyUrl: value

Specify the perfmode Property on Helm Charts

You can set the perfmode property in your Lacework Helm charts in one of the following ways:

  1. Enter a command such as --set laceworkConfig.perfmode=PERFMODE_TYPE on the command line.

  2. Modify the values.yaml file and add data similar to the following:

    # [Optional] Set to one of the other modes like ebpflite, scan, or lite for load balancers.
    perfmode: PERFMODE_TYPE

Where PERFMODE_TYPE can be one of the following values:

  • ebpflite - The eBPF lite mode.
  • lite - The lite mode.
  • scan - The scan mode.
  • null - Disables the perfmode property. The agent runs in normal mode.

Disable or Enable Logging to stdout

Logging to stdout is enabled by default for Lacework Helm charts. You can disable stdout logging in one of the following ways:

  1. Enter a command such as --set laceworkConfig.stdoutLogging=false on the command line.

  2. Modify the values.yaml file and add data similar to the following:

      stdoutLogging: false

Configure File Integrity Monitoring Properties

Enable or Disable FIM

Enable FIM in one of the following ways:

  1. Enter a command such as --set laceworkConfig.fim.mode=enable on the command line.

  2. Modify the values.yaml file and add data similar to the following:

      mode: enable

Disable FIM in one of the following ways:

  1. Enter a command such as --set laceworkConfig.fim.mode=disable on the command line.

  2. Modify the values.yaml file and add data similar to the following:

      mode: disable
Specify the File Path

You can override default paths for FIM using this property in one of the following ways:

  1. Enter a command such as --set laceworkConfig.fim.filePath={<path1>,<path2>, ...} on the command line.

  2. Modify the values.yaml file and add data similar to the following:

      filePath: [<path1>, <path2>, ...]
Specify the File Path to Ignore

Alternatively, you can override default paths by specifying files to ignore for FIM in one of the following ways:

  1. Enter a command such as --set laceworkConfig.fileIgnore={<path1>,<path2>, ...} on the command line.

  2. Modify the values.yaml file and add data similar to the following:

      fileIgnore: [<path1>, <path2>, ...]
Prevent the Access Timestamp from Being Used in Hash Computation

You can prevent the access timestamp from being used by utilizing this property in one of the following ways:

  1. Enter a command such as --set laceworkConfig.fim.noAtime=true on the command line.

  2. Modify the values.yaml file and add data similar to the following:

      noAtime: true

Alternatively, you can enable access timestamp to be used by utilizing this property in one of the following ways:

  1. Enter a command such as --set laceworkConfig.fim.noAtime=false on the command line.

  2. Modify the values.yaml file and add data similar to the following:

      noAtime: false
Specify the FIM Scan Start Time

You can specify a start time for the daily FIM scan using this property in one of the following ways:

  1. Enter a command such as --set laceworkConfig.fim.runAt=<HH:MM> on the command line.

  2. Modify the values.yaml file and add data similar to the following:

      runAt: <HH:MM>
Specify the FIM Scan Interval

You can specify the FIM scan interval using this property in one of the following ways:

  1. Enter a command such as --set laceworkConfig.fim.crawlInterval=<time_interval> on the command line.

  2. Modify the values.yaml file and add data similar to the following:

      crawlInterval: <time_interval>

Specify Nodes for Your Agent Deployment

Tolerations let you run the agent on nodes that have scheduling constraints such as master nodes or infrastructure nodes (for OpenShift).

By default, the Lacework agent is permitted to run on worker nodes and master nodes in your Kubernetes cluster. This is done by specifying the toleration as follows:

# Allow Lacework agent to run on all nodes including master node
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
# Allow Lacework agent to run on all nodes in case of a taint
# - effect: NoSchedule
# operator: Exists

Deploy with a DaemonSet

DaemonSet Visibility

When an agent is installed on a node as a DaemonSet/Pod or on the node itself, the agent has container visibility of the following resources:

  • Processes running on the host.
  • Processes running in a container that make a network connection (server or client).
  • All container internal servers and processes that are listening actively on certain ports.
  • File Integrity Monitoring (FIM) on the host.
  • Host vulnerability on the host.

DaemonSet Deployment Using a configmap

  1. Download the Kubernetes Config (lacework-cfg-k8s.yaml) and Kubernetes Orchestration (lacework-k8s.yaml) files using the instructions in Create Agent Access Tokens and Download Linux Agent Installers.

  2. Create the pods namespace

    kubectl create namespace lacework
    note

    Lacework recommends assigning a namespace to the DaemonSet config.

  3. Using the kubectl command line interface, add the Lacework configuration file into the cluster in the newly created namespace.

    kubectl create -f lacework-cfg-k8s.yaml -n lacework
  4. Instruct the Kubernetes orchestrator to deploy an agent on all nodes in the cluster, including the master.
    To change the CPU and memory limits, see Change Agent Resource Installation Limits on K8s Environments.

    kubectl apply -f lacework-k8s.yaml -n lacework
  5. Repeat the above steps for each Kubernetes cluster.
    The config.json file is embedded in the lacework-cfg-k8s.yaml file.
    To customize FIM or add tags in a Kubernetes environment, edit the configuration section of the YAML file and push the revised lacework-cfg-k8s.yaml file to the cluster using the following command:

    kubectl replace -f lacework-cfg-k8s.yaml -n lacework
    note

    Lacework always recommends assigning a namespace to the DaemonSet config.

DaemonSet Deployment Using a Secret

  1. Download the Kubernetes orchestration file (lacework-k8s.yaml) using the instructions in Create Agent Access Tokens and Download Linux Agent Installers.

  2. Edit the lacework-k8s.yaml file and make the following changes:

    • Change configMap to secret
    • Change name to secretName
  3. Use the following command in the kubectl command line interface to create the Lacework access token secret. In the command, replace:

    • YOUR_ACCESS_TOKEN with the access token you copied in step 1.
    • CLUSTER_NAME with your Kubernetes cluster name.
    kubectl create secret generic lacework-config --from-literal config.json='{"tokens":{"AccessToken":"YOUR_ACCESS_TOKEN"},"tags":{"Env":"k8s", "KubernetesCluster":"CLUSTER_NAME"}}'

    You should see the message secret/lacework-config created if the secret is created successfully.

  4. Instruct the Kubernetes orchestrator to deploy an agent on all nodes in the cluster, including the master. To change the CPU and memory limits, see Change Agent Resource Installation Limits on K8s Environments.

    kubectl create -f lacework-k8s.yaml

    You should see the message daemonset.apps/lacework-agent created if the DaemonSet is created successfully.

  5. Repeat the above steps for each Kubernetes cluster.
    To customize FIM or add tags in a Kubernetes environment, edit the configuration section of the YAML file and push the revised lacework-cfg-k8s.yaml file to the cluster using the following commands:

    kubectl replace -f lacework-k8s.yaml
    kubectl create namespace lacework
    kubectl apply -f lacework-k8s.yaml -n lacework
  6. You can confirm the DaemonSet status using the following command:

    kubectl get ds

    or

    kubectl get pods --all-namespaces | grep lacework-agent

Deploy DaemonSet Using Terraform

Lacework maintains the terraform-kubernetes-agent module to create a Secret and DaemonSet for deploying the Lacework Datacollector Agent in a Kubernetes cluster.

If you are new to the Lacework Terraform Provider or Lacework Terraform Modules, read the Terraform for Lacework Overview article to learn the basics on how to configure the provider and more.

This topic assumes familiarity with the Terraform Provider for Kubernetes maintained by Hashicorp on the Terraform Registry.

DaemonSets are an easy way to deploy a Kubernetes pod onto every node in the cluster. This is useful for monitoring tools such as Lacework. You can use the DaemonSet method to deploy Lacework onto any Kubernetes cluster, including hosted versions such as EKS, AKS, and GKE.

Run Terraform

The following code snippet creates a Lacework Agent Access token with Terraform and then deploys the DaemonSet to the Kubernetes cluster being managed with Terraform.

important

Before running this code, ensure that the following settings match the configurations for your deployment.

  • config_path
  • config_context
  • lacework_server_url
terraform {
required_providers {
kubernetes = {
source = "hashicorp/kubernetes"
version = "~> 2.0"
}
lacework = {
source = "lacework/lacework"
version = "~> 1.0"
}
}
}

provider "kubernetes" {
config_path = "~/.kube/config"
config_context = "my-context"
}

provider "lacework" {
# Configuration options
}

resource "lacework_agent_access_token" "k8s" {
name = "prod"
description = "k8s deployment for production env"
}

module "lacework_k8s_datacollector" {
source = "lacework/agent/kubernetes"
version = "~> 1.0"

lacework_access_token = lacework_agent_access_token.k8s.token

# For deployments in Europe, overwrite the Lacework Server URL
#lacework_server_url = "https://api.fra.lacework.net"

# Add the lacework_agent_tag argument to retrieve the cluster name in the Kubernetes Dossier
lacework_agent_tags = {KubernetesCluster: "Name of the Kubernetes cluster"}

pod_cpu_request = "200m"
pod_mem_request = "512Mi"
pod_cpu_limit = "500m"
pod_mem_limit = "1024Mi"
}
note

Due to upstream breaking changes, version 1.0+ of this module discontinued support for version 1.x of the hashicorp/kubernetes provider. If 1.x of the hashicorp/kubernetes provider is required, pin this module's version to ~> 0.1.

  1. Open an editor and create a file called main.tf.
  2. Copy/Paste the code snippet above into the main.tf file and save the file.
  3. Run terraform plan and review the changes that will be applied.
  4. Once satisfied with the changes that will be applied, run terraform apply -auto-approve to execute Terraform.

Validate the Changes

After Terraform executes, you can use kubectl to validate the DaemonSet is deployed successfully:

kubectl get pods -l name=lacework -o=wide --all-namespaces