
Amazon Elastic Kubernetes Service (EKS) Compliance Integrations

beta feature

This topic describes functionality that is currently in beta.

Overview

This article describes how to integrate Lacework with your EKS cluster(s) using Helm, which is a package manager for Kubernetes.

Lacework integrates with your Amazon Elastic Kubernetes Service (EKS) to monitor configuration compliance of your cluster resources.

Optionally, Lacework can also monitor workload security on your EKS cluster. This is provided as an additional option during the installation steps in this article.

note

If you only want to monitor workload security on your EKS clusters (rather than configuration compliance), see Deploy on Kubernetes.

EKS Compliance Integration Components

Lacework uses three components to collect data for EKS Compliance integrations:

  • Node Collector - collects data on each Kubernetes node.

    • The Node Collector is an independent component that is installed along the same path as the Lacework Agent, with its own configuration so that it can run on EKS nodes.

      important

      If the Lacework Agent is already installed on the cluster nodes, the installation will update the Agent configuration map to enable the Node Collector functionality.

      It may also upgrade the Lacework Agent to the latest available release.

    • This component is installed on every Kubernetes node in the cluster.

    • Node data is collected and sent to Lacework every hour.

    • If you also enable the datacollector component (the Workload Security option in the installation steps below), the Node Collector collects workload security data as well.

  • Cluster Collector - collects Kubernetes cluster data from the Kubernetes API server.

    • This component is installed on one container per cluster.
    • Cluster data is collected and sent to Lacework every 24 hours.
  • Cloud Collector (through Cloud Provider Integration) - collects data from cloud provider endpoints.

    • This is already provided through the AWS Configuration integration type. See Integrate Lacework with AWS to set this up (if you haven't already done so).
    • The cloud collection occurs every 24 hours at the scheduled time in the Lacework Console (under Settings > Configuration: General > Resource Management Collection Schedule).
Timings for first report

The EKS Compliance data is complete and available for assessment once all three collections have occurred at least once.

The node and cluster data are sent to Lacework within 2 hours of the collectors being installed on a cluster. Once the cloud collection has also occurred, the data is visible in the Lacework platform.

Prerequisites

Install using Helm

Follow these steps to install the Node and Cluster collectors on your EKS cluster.

  1. Add the Lacework Helm Charts repository:

    helm repo add lacework https://lacework.github.io/helm-charts/
  2. Choose one of the following options to install the necessary components on your EKS cluster:

    tip

    Add --debug to either command below to run Helm in debug mode:

    helm upgrade --debug --install --create-namespace...
    • Configuration compliance integration only:

      Template with Workload Security disabled
      helm upgrade --install --create-namespace --namespace lacework \
      --set laceworkConfig.serverUrl=${LACEWORK_SERVER_URL} \
      --set laceworkConfig.accessToken=${LACEWORK_AGENT_TOKEN} \
      --set laceworkConfig.kubernetesCluster=${KUBERNETES_CLUSTER_NAME} \
      --set laceworkConfig.datacollector=disable \
      --set clusterAgent.enable=True \
      --set clusterAgent.image.repository=lacework/k8scollector \
      --set clusterAgent.clusterType=${KUBERNETES_CLUSTER_TYPE} \
      --set clusterAgent.clusterRegion=${KUBERNETES_CLUSTER_REGION} \
      --set image.repository=lacework/datacollector \
      lacework-agent lacework/lacework-agent

      Adjust the parameter values to match your environment; see Configuration Parameters for guidance.

    • Configuration compliance and Workload Security integration:

      Template with Workload Security enabled
      helm upgrade --install --create-namespace --namespace lacework \
      --set laceworkConfig.serverUrl=${LACEWORK_SERVER_URL} \
      --set laceworkConfig.accessToken=${LACEWORK_AGENT_TOKEN} \
      --set laceworkConfig.kubernetesCluster=${KUBERNETES_CLUSTER_NAME} \
      --set laceworkConfig.env=${KUBERNETES_ENVIRONMENT_NAME} \
      --set clusterAgent.enable=True \
      --set clusterAgent.image.repository=lacework/k8scollector \
      --set clusterAgent.clusterType=${KUBERNETES_CLUSTER_TYPE} \
      --set clusterAgent.clusterRegion=${KUBERNETES_CLUSTER_REGION} \
      --set image.repository=lacework/datacollector \
      lacework-agent lacework/lacework-agent

      Adjust the parameter values to match your environment; see Configuration Parameters for guidance.

  3. Display the pods for verification:

    kubectl get pods -n lacework -o wide
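
The installation steps above as one script. This is an added example, not Lacework's own code or part of the Helm chart: it takes the same environment variables as the two templates, rejects an uppercase cluster type or a malformed region before Helm is called, runs the page's command with --wait/--timeout added (an assumption, so that the pod check afterwards sees settled pods), and then checks the step 3 pod listing against what the page describes (one Node Collector pod per node plus one Cluster Collector pod). The variables HELM_BIN, LACEWORK_INSTALL and LACEWORK_WORKLOAD, the function names, and the pod names in the usage below are this example's own inventions.

```shell
#!/bin/sh
# Added example (not Lacework's own code): wraps the Helm install steps with
# input checks, a dry-run switch and a post-install pod check.
set -eu

# The chart expects the lowercase literal "eks" for an EKS cluster.
validate_cluster_type() {
  [ "$1" = "eks" ]
}

# Accept only names shaped like AWS region codes (us-west-2, eu-west-1);
# a bare "us-west" is not a region and is rejected.
validate_region() {
  case "$1" in
    [a-z][a-z]-[a-z]*-[0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Run the install from the page, or print it when HELM_BIN=echo (dry run; note
# that the dry run prints the agent token). Mode "compliance" disables the
# workload-security datacollector; "workload" enables it and needs an
# environment name. --wait/--timeout are additions so the pod check below
# sees settled pods.
run_helm_install() {
  mode=$1; server_url=$2; token=$3; cluster=$4; cluster_type=$5; region=$6; env_name=${7:-}
  validate_cluster_type "$cluster_type" || { echo "cluster type must be 'eks', got '$cluster_type'" >&2; return 1; }
  validate_region "$region" || { echo "'$region' is not an AWS region code (e.g. eu-west-1)" >&2; return 1; }
  set -- upgrade --install --create-namespace --namespace lacework --wait --timeout 5m \
    --set "laceworkConfig.serverUrl=$server_url" \
    --set "laceworkConfig.accessToken=$token" \
    --set "laceworkConfig.kubernetesCluster=$cluster" \
    --set clusterAgent.enable=True \
    --set clusterAgent.image.repository=lacework/k8scollector \
    --set "clusterAgent.clusterType=$cluster_type" \
    --set "clusterAgent.clusterRegion=$region" \
    --set image.repository=lacework/datacollector
  case "$mode" in
    compliance) set -- "$@" --set laceworkConfig.datacollector=disable ;;
    workload)
      [ -n "$env_name" ] || { echo "workload security needs KUBERNETES_ENVIRONMENT_NAME" >&2; return 1; }
      set -- "$@" --set "laceworkConfig.env=$env_name" ;;
    *) echo "unknown mode '$mode'" >&2; return 1 ;;
  esac
  "${HELM_BIN:-helm}" "$@" lacework-agent lacework/lacework-agent
}

# Check `kubectl get pods -n lacework --no-headers` output: succeed only when
# every pod is Running and there are at least node_count + 1 of them, which is
# what the page describes (a Node Collector on every node plus one Cluster
# Collector). Assumption: nothing else runs in the lacework namespace.
verify_pod_listing() {
  listing=$1; node_count=$2; total=0; running=0
  while read -r name ready status rest; do
    [ -n "$name" ] || continue
    total=$((total + 1))
    if [ "$status" = "Running" ]; then running=$((running + 1)); fi
  done <<EOF
$listing
EOF
  [ "$total" -eq "$running" ] && [ "$total" -ge $((node_count + 1)) ]
}

# Install using the environment variables from the Configuration Parameters
# table (LACEWORK_WORKLOAD=1 selects the Workload Security template), then
# check the pods as in step 3. Assumes step 1 (helm repo add) is already done.
main() {
  mode=compliance
  if [ "${LACEWORK_WORKLOAD:-0}" = "1" ]; then mode=workload; fi
  run_helm_install "$mode" "$LACEWORK_SERVER_URL" "$LACEWORK_AGENT_TOKEN" \
    "$KUBERNETES_CLUSTER_NAME" "$KUBERNETES_CLUSTER_TYPE" \
    "$KUBERNETES_CLUSTER_REGION" "${KUBERNETES_ENVIRONMENT_NAME:-}"
  nodes=$(kubectl get nodes --no-headers | wc -l | tr -d ' ')
  listing=$(kubectl get pods -n lacework --no-headers)
  if verify_pod_listing "$listing" "$nodes"; then
    echo "lacework: all pods Running on $nodes nodes"
  else
    echo "lacework: pods not settled; inspect with: kubectl get pods -n lacework -o wide" >&2
    return 1
  fi
}

# Run only when explicitly asked, so the file can be sourced for a dry run or
# for testing without touching a cluster.
if [ "${LACEWORK_INSTALL:-0}" = "1" ]; then
  main
fi
```

Usage: export the variables from the Configuration Parameters table and run `LACEWORK_INSTALL=1 sh install-lacework-eks.sh`; prefix `HELM_BIN=echo` to print the Helm command instead of running it. Anything passed with --set, including the agent token, is visible in shell history and in process listings while Helm runs; Helm's `--set-file laceworkConfig.accessToken=/path/to/token` (or a values file passed with -f) keeps the token off the command line, although it is still stored in the Helm release secret in the lacework namespace like every other value.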

Configuration Parameters

Required Parameters

Adjust the following values to match your environment:

${LACEWORK_SERVER_URL}
  Description: Your Lacework instance URL.
  Example(s): https://myCompany.lacework.net, https://myCompany.fra.lacework.net

${LACEWORK_AGENT_TOKEN}
  Description: Your Lacework Agent Access Token.
  Example(s): 0123456789abc...

${KUBERNETES_CLUSTER_NAME}
  Description: Your EKS cluster name (shown in the Lacework Console). If not specified, a Lacework-generated UUID is assigned to the cluster.
  Example(s): prd01

${KUBERNETES_ENVIRONMENT_NAME}
  Description: Your EKS environment name (shown in the Lacework Console). Only required for Workload Security integrations.
  Example(s): Production

${KUBERNETES_CLUSTER_TYPE}
  Description: The Kubernetes cluster type. NOTE: For EKS integrations, the cluster type must be written as eks in lower case.
  Example(s): eks

${KUBERNETES_CLUSTER_REGION}
  Description: The AWS Region of the EKS cluster, written as the full AWS region code.
  Example(s): us-west-2, eu-west-1

Optional Parameters

The following parameters are optional and not required for the installation:

clusterAgent.image.tag
  Description: Image tag for the Cluster Collector (lacework/k8scollector). The default is latest when this parameter is omitted.
  Example(s): 5.6.0.8352-amd64

image.tag
  Description: Image tag for the Lacework Agent / Node Collector (lacework/datacollector). The default is latest when this parameter is omitted.
  Example(s): 5.6.0.8352-amd64

Pin both tags in production: with latest, a pod restart can pull a different build, and the collector versions running on the cluster are then not reproducible from the Helm values.

Add these parameters when running the installation command:

Example
helm upgrade --install --create-namespace --namespace lacework \
...
--set clusterAgent.image.tag=5.6.0.8352-amd64 \
--set image.tag=5.6.0.8352-amd64 \
...

See Helm Configuration Options for additional parameters that can also be set using Helm.

Next Steps

See Kubernetes Benchmarks for details on how to enable CIS EKS Benchmark policies.