This topic discusses the available methods to deploy Lacework on Kubernetes.
- Deploy with a DaemonSet - DaemonSets are an easy way to deploy a Kubernetes pod onto every node in the cluster. This is useful for monitoring tools such as Lacework. You can use the DaemonSet method to deploy Lacework onto any Kubernetes cluster, including hosted versions like EKS, AKS, and GKE.
- Deploy with a Helm Chart - Helm is a package manager for Kubernetes that uses a packaging format called charts. A chart is a collection of files that describe a related set of Kubernetes resources. You can download a copy of the Lacework Helm chart from the Lacework agent releases site.
Deploy with a DaemonSet
Supported Kubernetes Versions
- Kubernetes v1.9.x to v1.19.x
Unsupported Kubernetes Versions
- Lacework does not currently support Kubernetes v1.20 and Google Kubernetes Engine (GKE) v1.19.
- Lacework support for Kubernetes v1.8.x and v1.7.11 has been deprecated.
If you are using a different combination of versions, contact Lacework for assistance.
- In the Lacework Console, download the two Kubernetes YAML files. Navigate to Settings > Agents. Either use an existing agent access token or create a new agent token by clicking + Create New. Click Install Options. Download Kubernetes Config and Kubernetes Orchestration.
- Using the kubectl command line interface, add the Lacework configuration file into the cluster.
$ kubectl create -f lacework-cfg-k8s.yaml
- Instruct the Kubernetes orchestrator to deploy an agent on all nodes in the cluster, including the master.
To change the CPU and memory limits, see Change Agent Resource Installation Limits on K8s Environments.
$ kubectl create -f lacework-k8s.yaml
- Repeat the above steps for each Kubernetes cluster.
The config.json file is embedded in the lacework-cfg-k8s.yaml file.
To customize FIM or add tags in a Kubernetes environment, edit the configuration section of the YAML file and push the revised lacework-cfg-k8s.yaml file to the cluster using the following command.
$ kubectl replace -f lacework-cfg-k8s.yaml
Deploy with a Helm Chart
- Kubernetes v1.10 to v1.16.0
- 3.1.x (3.1.0, 3.1.1, 3.1.2, 3.1.3)
- 3.2.x (3.2.1, 3.2.2, 3.2.3, 3.2.4)
- 2.x based Helm charts are not supported
Get the Helm Chart for the Agent
The Helm chart is available from the agent release tarball at https://github.com/lacework/lacework-agent-releases/releases (v2.12.1 or later). Extract the helm.tar.gz file using a tool of your choice.
The Helm chart includes the following:
Create the Namespace
This step is optional. Lacework can run in the default namespace or its own namespace. Create a namespace only if the namespace you want to use in the installation step (example-namespace below) is not created yet.
Run the following command.
$ kubectl create -f ./namespace.yaml
You must edit the values.yaml file and add your Lacework access token to accessToken: in the laceworkConfig: section (as in the following code sample). Optionally, you can also provide a name for your Kubernetes environment and Kubernetes cluster name.
laceworkConfig:
  # [Required] An access token is required before running agents.
  # Visit https://LACEWORK_UI_URL for eg: https://lacework.lacework.net
  accessToken:
  # [Optional] Give your k8s environment a friendly name
  env:
  # [Optional] Kubernetes cluster name
  # https://support.lacework.com/hc/en-us/articles/360005263034-Deploy-on-Kubernetes
  clustername:
Use Helm to Install the Agent
Replace example text with your own values.
- Install the Lacework agent package.
$ helm install helm/lacework-agent --generate-name --namespace example-namespace
- Display the pods for verification.
$ kubectl get pods -l name=lacework -o=wide --all-namespaces
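The pod listing above shows which agents exist, but not which nodes are missing one. The following added example (not part of the Lacework documentation or agent code) compares the node list with the pods labelled name=lacework and prints every node without a Running agent. The function names and the sample node names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Lacework's code): find nodes with no Running agent pod.

# Print every node name in file $1 that has no Running pod in file $2.
# $1: one node name per line; $2: "NODE PHASE" per line.
uncovered_nodes() {
    awk -v pods="$2" '
        BEGIN {
            # Load pods first so an empty pod list means "nothing covered".
            while ((getline line < pods) > 0) {
                split(line, f, " ")
                if (f[2] == "Running") covered[f[1]] = 1
            }
        }
        NF && !($1 in covered) { print $1 }
    ' "$1"
}

# Query the live cluster; returns 0 if covered, 1 on gaps, 2 on kubectl errors.
check_cluster() {
    tmp=$(mktemp -d) || return 2
    kubectl get nodes --no-headers \
        -o custom-columns=NAME:.metadata.name > "$tmp/nodes" &&
    kubectl get pods -l name=lacework --all-namespaces --no-headers \
        -o custom-columns=NODE:.spec.nodeName,PHASE:.status.phase > "$tmp/pods" ||
        { rm -rf "$tmp"; return 2; }
    missing=$(uncovered_nodes "$tmp/nodes" "$tmp/pods")
    rm -rf "$tmp"
    [ -z "$missing" ] && return 0
    # Unquoted on purpose: one output line per uncovered node.
    printf 'no running agent on: %s\n' $missing
    return 1
}

# Constructed sample: three nodes, one agent Running, one Pending, one absent.
sample_check() {
    tmp=$(mktemp -d) || return 2
    printf '%s\n' master-0 worker-1 worker-2 > "$tmp/nodes"
    printf '%s\n' 'master-0 Running' 'worker-1 Pending' > "$tmp/pods"
    uncovered_nodes "$tmp/nodes" "$tmp/pods"
    rm -rf "$tmp"
}

sample_check
```

Run check_cluster after each install or upgrade; a non-zero return means at least one node is not reporting to Lacework.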
Kubernetes Cluster Name
For information about how Lacework collects the cluster name from tags, see How Lacework Derives the Kubernetes Cluster Name.