andrewelizondo/lw_k8s_ac
A quick workshop to understand how to use the Kubernetes admission controller (K8s AC) with the Lacework platform.
⚠️ This is not intended for production use as the generated certificates only live in the terraform state file.
- Functioning K8s Cluster
- Active Lacework Account
- Create a Lacework proxy scanner token: https://docs.lacework.com/integrate-proxy-scanner#create-a-proxy-scanner-integration-in-lacework
- In your Lacework account, enable the Critical CVE (LW_CONTAINER_POLICY_4) and "apt-get caches are not cleared in Dockerfile" (LW_CONTAINER_POLICY_10) policies and associate them with the proxy scanner you created: https://docs.lacework.com/container-vulnerability-policies#default-policies
- Run `terraform apply` to set up the certificates and the Helm chart for the admission controller and proxy scanner:

  ```shell
  $ terraform apply -var "account=<youraccount>" -var "int_token=<proxyscannertoken>"
  ```
- Validate that the proxy scanner and admission controller are running in your cluster:

  ```shell
  $ kubectl get pods -n lacework
  ...
  lacework   lacework-admission-controller-...   Running
  lacework   lacework-proxy-scanner-...          Running
  ...
  ```
- Tail the logs of the admission controller in a separate terminal:

  ```shell
  $ kubectl logs $(kubectl get pods -n lacework -l app=lacework-admission-controller -o name) -n lacework -f
  ...
  [INFO]: 2022-05-25 01:24:23 - Starting server..
  [INFO]: 2022-05-25 01:24:23 - Listener started..
  ...
  ```
- While the logs are tailing, create a deployment file that uses an older nginx image:

  ```yaml
  # deployment.yaml
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: nginx-deployment
  spec:
    selector:
      matchLabels:
        app: nginx
    replicas: 2
    template:
      metadata:
        labels:
          app: nginx
      spec:
        containers:
        - name: nginx
          image: nginx:1.11.9
          ports:
          - containerPort: 80
  ```
- Attempt to create the deployment. The admission controller should reject it, reporting that the image failed the policies you configured in your Lacework tenant:

  ```shell
  ➜ ~ kubectl apply -f deployment.yaml
  Error from server: error when creating "deployment.yaml": admission webhook "validate.lacework.net" denied the request: Violations the following policies:
  LW_CONTAINER_POLICY_10 - apt-get caches are not cleared in Dockerfile - fail on violation: true
  LW_CONTAINER_POLICY_4 - Critical CVEs - fail on violation: true
  ```
- Enjoy a tasty beverage 🍺
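As an added example (not part of this workshop repository), the following shell helpers turn the denial message shown above into a repeatable check: they detect whether the Lacework webhook denied the request, extract the violated policy IDs, and probe a manifest with a server-side dry run so nothing is created if the image happens to pass. The sample message is constructed from the denial in the step above; the dry-run probe assumes the webhook declares `sideEffects: None` (otherwise the API server rejects dry-run requests before the webhook is consulted).

```shell
#!/usr/bin/env sh
# Added example, not code from the lw_k8s_ac repository.

# Constructed sample: the denial emitted by the Lacework admission webhook
# in the workshop, exactly as kubectl prints it (one long line).
SAMPLE_DENIAL='Error from server: error when creating "deployment.yaml": admission webhook "validate.lacework.net" denied the request: Violations the following policies:LW_CONTAINER_POLICY_10 - apt-get caches are not cleared in Dockerfile - fail on violation:trueLW_CONTAINER_POLICY_4 - Critical CVEs - fail on violation:true'

# was_denied MESSAGE -> exit 0 when the Lacework webhook denied the request
was_denied() {
  printf '%s\n' "$1" | grep -q 'admission webhook "validate.lacework.net" denied the request'
}

# violated_policies MESSAGE -> one LW_CONTAINER_POLICY_<n> ID per line, deduplicated
violated_policies() {
  printf '%s\n' "$1" | grep -o 'LW_CONTAINER_POLICY_[0-9]*' | sort -u
}

# enforced_count MESSAGE -> number of violations flagged "fail on violation:true"
enforced_count() {
  printf '%s\n' "$1" | grep -o 'fail on violation: *true' | wc -l | tr -d ' '
}

# probe_manifest FILE -> server-side dry run: the webhook is still invoked
# (assuming sideEffects: None), but an admitted object is never persisted.
# Prints "admitted" or the list of violated policy IDs; exits 2 without kubectl.
probe_manifest() {
  command -v kubectl >/dev/null 2>&1 || { echo "kubectl not found" >&2; return 2; }
  out=$(kubectl apply --dry-run=server -f "$1" 2>&1) && { echo "admitted"; return 0; }
  if was_denied "$out"; then
    violated_policies "$out"
    return 1
  fi
  # Any other failure (RBAC, bad YAML, webhook rejecting dry run) is surfaced as-is.
  printf '%s\n' "$out" >&2
  return 3
}

# Stand-alone run: show what the helpers extract from the sample denial.
if was_denied "$SAMPLE_DENIAL"; then
  echo "denied by $(enforced_count "$SAMPLE_DENIAL") enforced policy violation(s):"
  violated_policies "$SAMPLE_DENIAL"
fi
```

Run `probe_manifest deployment.yaml` against the workshop cluster to confirm enforcement before relying on it; a non-zero exit with policy IDs printed means the webhook is blocking as configured.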