STEP 4: Configuring Cloudneeti agent in Amazon Elastic Kubernetes Service (Amazon EKS) (Optional)

This step is optional.

Cloudneeti includes CIS recommendations for EKS by deploying a Cloudneeti agent to the Amazon Kubernetes cluster. A Docker container agent is deployed to collect the data needed for these additional security policies. Cloudneeti then provides out-of-the-box mappings for all 13+ compliance frameworks included in the product.

Deploying the Cloudneeti agent on Amazon Elastic Kubernetes Service (Amazon EKS) enables compliance monitoring of the Kubernetes cluster for the security policies listed in the Appendix (Kubernetes policy list).

Prerequisites

  1. Download and review the YAML files used to configure the Cloudneeti Agent in the AWS Kubernetes cluster:

    • cloudneeti-namespace.yaml
    • cloudneeti-agent-config.yaml
    • cloudneeti-agent-secret.yaml
    • cloudneeti-agent-worker.yaml

  2. Workstation: Install the AWS Command Line Interface. Follow the link to install the AWS CLI, a unified tool to manage your AWS services.

  3. Workstation: Install and set up kubectl to execute PowerShell commands within the Cloudneeti Agent configuration script. Follow the link to install and set up kubectl; on a Windows workstation with Chocolatey:

    choco install kubernetes-cli

4.1: Associate Kubernetes cluster with Cloud account in Cloudneeti

Log in to the Cloudneeti portal with the License Admin role.

  1. Navigate to Configurations and Cloud Accounts

  2. Expand AWS (1) section

  3. Click Configure Accounts (2) for the Cloud account where Kubernetes Cluster is to be associated.

  4. Click Manage K8s Clusters (3)

  5. Add Kubernetes Cluster Name

  6. Save

  7. This downloads a JSON file named cloudneeti-agent-config, which is used in step 4.2.1 to update the agent configuration files.

Sample JSON file

    {"LicenseId":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","AccountId":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","ClusterName":"EKS Demo","Environment":"prod"}

4.2: Deploy Cloudneeti agent

Use the steps below to deploy the Cloudneeti agent on EKS.

4.2.1 Update agent configuration scripts

  • In cloudneeti-namespace.yaml, set the namespace name in the metadata section.

            metadata:
                name: <Namespace>
    
  • In cloudneeti-agent-config.yaml, fill the data section with the values from the cloudneeti-agent-config JSON downloaded in step 4.1 (ClusterName, LicenseId, AccountId, Environment).

    • cloudneetiApiAppId: follow the steps to configure API access for the API account InsertKubernetesClusterData and use the resulting API app ID.

          data:
              clusterName: "<uniqueclustername>"
              licenseId: "<cloudneetilicenseid>"
              accountId: "<cloudneetiaccountid>"
              cloudneetiEnvironment: "<prod/trial>"
              cloudneetiApiAppId: "<cloudneetiapiappid>"

  • In cloudneeti-agent-secret.yaml, set the values below.

    • namespace: the namespace name given in cloudneeti-namespace.yaml.

    • cloudneetiAPIKey: the Cloudneeti API key in base64 format. Follow the steps in the Appendix (Generate Cloudneeti API key, then Set API key in base64).

    • cloudneetiAPIAppSecret: the API app secret in base64 format. Follow the steps to configure API access for the API account InsertKubernetesClusterData, generate the API access secret, then base64-encode it the same way as the API key.

        metadata:
            name: cloudneeti-agent
            namespace: <Namespace>
        data:
            cloudneetiAPIKey: <cloudneetiapikey>
            cloudneetiAPIAppSecret: <cloudneetiapiappsecret>

  • In cloudneeti-agent-worker.yaml, update the schedule value in the spec section; set the cron job schedule as required.

            spec:
                schedule: "0 12 * * *"
    

Note: The default value runs the agent every day at 12 PM. It is recommended to run the Cloudneeti agent once a day.
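
The edits above, collected into one script, as an added example that is not part of the Cloudneeti documentation or of the agent's own manifests. It renders cloudneeti-namespace.yaml, cloudneeti-agent-config.yaml and cloudneeti-agent-secret.yaml from the cloudneeti-agent-config JSON downloaded in step 4.1 and from the two API credentials, and it encodes the secrets with printf rather than echo so that no trailing newline is baked into the key. The ConfigMap name cloudneeti-agent-config, the kind ConfigMap, and the sample JSON values are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the Cloudneeti documentation. Renders the namespace,
# config and secret manifests edited in 4.2.1 from the cloudneeti-agent-config
# JSON downloaded in 4.1 and from the two API credentials.
# Assumptions: the ConfigMap is named cloudneeti-agent-config (the page does
# not show its metadata), and the JSON is the flat object shown in 4.1.
set -eu

# Constructed sample of the downloaded cloudneeti-agent-config JSON (placeholder IDs).
SAMPLE_JSON='{"LicenseId":"11111111-1111-1111-1111-111111111111","AccountId":"22222222-2222-2222-2222-222222222222","ClusterName":"EKS Demo","Environment":"prod"}'

# json_field JSON KEY -> value of a string key in a flat JSON object
json_field() {
    printf '%s' "$1" | sed -n "s/.*\"$2\":[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# b64_oneline VALUE -> base64 of exactly VALUE: printf '%s' adds no trailing
# newline (echo would, and that newline would become part of the secret), and
# tr removes the line wrapping base64 inserts for long inputs.
b64_oneline() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# render_namespace NAME -> cloudneeti-namespace.yaml
render_namespace() {
    cat <<EOF
apiVersion: v1
kind: Namespace
metadata:
    name: $1
EOF
}

# render_config NAMESPACE JSON APP_ID -> cloudneeti-agent-config.yaml
render_config() {
    cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
    name: cloudneeti-agent-config
    namespace: $1
data:
    clusterName: "$(json_field "$2" ClusterName)"
    licenseId: "$(json_field "$2" LicenseId)"
    accountId: "$(json_field "$2" AccountId)"
    cloudneetiEnvironment: "$(json_field "$2" Environment)"
    cloudneetiApiAppId: "$3"
EOF
}

# render_secret NAMESPACE API_KEY APP_SECRET -> cloudneeti-agent-secret.yaml
render_secret() {
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
    name: cloudneeti-agent
    namespace: $1
type: Opaque
data:
    cloudneetiAPIKey: $(b64_oneline "$2")
    cloudneetiAPIAppSecret: $(b64_oneline "$3")
EOF
}

# Usage: ./render.sh render  -> writes the three files for namespace "cloudneeti"
# with placeholder credentials; replace them with the values from the API portal.
if [ "${1:-}" = "render" ]; then
    render_namespace cloudneeti > cloudneeti-namespace.yaml
    render_config cloudneeti "$SAMPLE_JSON" "<cloudneetiapiappid>" > cloudneeti-agent-config.yaml
    render_secret cloudneeti "<cloudneetiapikey>" "<cloudneetiapiappsecret>" > cloudneeti-agent-secret.yaml
fi
```

The difference between printf and echo is easy to miss: `echo abc | base64` yields YWJjCg== (the encoded text includes the newline), while the function above yields YWJj, and a key with a stray newline will fail authentication against the Cloudneeti API without an obvious error in the manifest.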

4.2.2 Access the Kubernetes cluster with the root account from your local machine

    aws eks --region <region> update-kubeconfig --name <EKS cluster name>

4.2.3 Deploy Cloudneeti agent on Kubernetes cluster node

  1. Create or copy the files below on the Kubernetes master

    • cloudneeti-namespace.yaml
    • cloudneeti-agent-config.yaml
    • cloudneeti-agent-secret.yaml
    • cloudneeti-agent-worker.yaml

  2. Create a Cloudneeti namespace

    kubectl apply -f cloudneeti-namespace.yaml
    
  3. Create Cloudneeti agent secret

    kubectl apply -f cloudneeti-agent-secret.yaml --namespace <namespace name>
    
  4. Create Cloudneeti agent config

    kubectl apply -f cloudneeti-agent-config.yaml --namespace <namespace name>
    
  5. Deploy Cloudneeti agent

    kubectl apply -f cloudneeti-agent-worker.yaml --namespace <namespace name>
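
Steps 4.2.1 and 4.2.3 together, as an added example that is not part of the Cloudneeti documentation: a preflight check that the four edited manifests are consistent (the secret's namespace matches cloudneeti-namespace.yaml, both secret values are clean one-line base64 with no trailing newline in the plaintext, the config values are no longer placeholders, and the schedule is a five-field cron expression), followed by the apply sequence in the order given above. It assumes the field names shown on this page and that kubectl is configured as in step 4.2.2; the manifest contents used for checking are constructed in the usage at the end.

```sh
#!/bin/sh
# Added example, not part of the Cloudneeti documentation: preflight checks for
# the manifests edited in 4.2.1, then the apply order from 4.2.3.
# Assumes the field names shown on the page (name, namespace, cloudneetiAPIKey,
# cloudneetiAPIAppSecret, clusterName, licenseId, accountId, cloudneetiApiAppId,
# schedule) and a working kubectl context for deploy().
set -eu

# yaml_value FILE KEY -> first "KEY: value" found in FILE, surrounding quotes stripped
yaml_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# b64_ok VALUE -> 0 when VALUE decodes and re-encodes to itself, i.e. it is
# valid one-line base64 and the plaintext carries no stray trailing newline
# (which `echo <key> | base64` would have added).
b64_ok() {
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    [ "$(printf '%s' "$decoded" | base64 | tr -d '\n')" = "$1" ]
}

# no_placeholder VALUE -> 0 unless VALUE is empty or still an <angle-bracket> placeholder
no_placeholder() {
    case $1 in ''|*'<'*) return 1 ;; esac
    return 0
}

# preflight DIR -> 0 when all four manifests in DIR are consistent, 1 otherwise
preflight() {
    dir=$1; rc=0
    ns=$(yaml_value "$dir/cloudneeti-namespace.yaml" name)
    no_placeholder "$ns" || { echo "namespace name not set" >&2; rc=1; }
    sns=$(yaml_value "$dir/cloudneeti-agent-secret.yaml" namespace)
    [ "$sns" = "$ns" ] || { echo "secret namespace '$sns' != '$ns'" >&2; rc=1; }
    for k in cloudneetiAPIKey cloudneetiAPIAppSecret; do
        b64_ok "$(yaml_value "$dir/cloudneeti-agent-secret.yaml" "$k")" \
            || { echo "$k is not clean base64" >&2; rc=1; }
    done
    for k in clusterName licenseId accountId cloudneetiApiAppId; do
        no_placeholder "$(yaml_value "$dir/cloudneeti-agent-config.yaml" "$k")" \
            || { echo "$k is still a placeholder" >&2; rc=1; }
    done
    sched=$(yaml_value "$dir/cloudneeti-agent-worker.yaml" schedule)
    [ "$(printf '%s\n' "$sched" | awk '{print NF}')" -eq 5 ] \
        || { echo "schedule '$sched' is not a 5-field cron expression" >&2; rc=1; }
    return $rc
}

# deploy DIR -> run the checks, then apply the manifests in the order of 4.2.3
deploy() {
    dir=$1
    preflight "$dir" || return 1
    ns=$(yaml_value "$dir/cloudneeti-namespace.yaml" name)
    kubectl apply -f "$dir/cloudneeti-namespace.yaml"
    kubectl apply -f "$dir/cloudneeti-agent-secret.yaml" --namespace "$ns"
    kubectl apply -f "$dir/cloudneeti-agent-config.yaml" --namespace "$ns"
    kubectl apply -f "$dir/cloudneeti-agent-worker.yaml" --namespace "$ns"
}

# Usage: ./deploy.sh /path/to/manifests  (checks, then applies)
if [ "${1:-}" != "" ]; then
    deploy "$1"
fi
```

Running the checks before `kubectl apply` matters because a Secret with a mismatched namespace or a base64 value that decodes to "key\n" applies without error; the failure only shows up later as the CronJob's pods failing to authenticate.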
    

4.3: Verify Cloudneeti agent installation

Verify the Cloudneeti agent installation using the Kubernetes dashboard (follow the link to set up the dashboard).

  1. Verify namespace created

  2. Navigate to Cron Jobs

  3. Select the latest job

  4. Check if Cloudneeti agent has sent the data successfully.

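
The same check can be done from the workstation with kubectl instead of the dashboard; the following is an added example and not part of the Cloudneeti documentation. It assumes the agent's Jobs are created by the CronJob in the namespace from cloudneeti-namespace.yaml and that a run which sent its data successfully finishes with .status.succeeded set to 1; the Job names and timestamps in the constructed sample lines are made up.

```sh
#!/bin/sh
# Added example, not from the Cloudneeti documentation: kubectl-based
# verification of the agent CronJob for section 4.3. Assumes the Jobs live in
# the namespace from cloudneeti-namespace.yaml and that a successful run ends
# with .status.succeeded = 1.
set -eu

# agent_jobs NAMESPACE -> one line per Job, oldest first: "name succeeded startTime"
agent_jobs() {
    kubectl get jobs --namespace "$1" --sort-by=.status.startTime --no-headers \
        -o custom-columns=NAME:.metadata.name,SUCCEEDED:.status.succeeded,START:.status.startTime
}

# latest_job_ok < job lines -> 0 if the most recent Job completed successfully.
# kubectl prints "<none>" for a Job that has no .status.succeeded (still
# running or failed), which this treats as not OK.
latest_job_ok() {
    last=$(tail -n 1)
    [ -n "$last" ] || { echo "no agent Jobs found" >&2; return 1; }
    set -f                      # no globbing while splitting the line into fields
    set -- $last
    set +f
    echo "latest job: $1 succeeded=$2 started=$3"
    [ "$2" = "1" ]
}

# verify_agent NAMESPACE -> queries the cluster and checks the latest run
verify_agent() {
    agent_jobs "$1" | latest_job_ok
}

# agent_job_logs NAMESPACE JOB -> logs of the Job's pod, to confirm the data was sent
agent_job_logs() {
    kubectl logs --namespace "$1" "job/$2"
}

# Usage: ./verify.sh cloudneeti
if [ "${1:-}" != "" ]; then
    verify_agent "$1"
fi
```

A successful exit from `verify_agent` means the latest scheduled run completed; the log lines of that Job (via `agent_job_logs`) show whether the agent reported its data to Cloudneeti, which is what step 4 above checks in the dashboard.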
4.4: Verify policy results

Log in to the Cloudneeti portal with the License Admin role.

  1. Navigate to CIS Kubernetes v1.5.0 benchmark

  2. On successful agent configuration, policy results appear in the Cloudneeti portal.

Appendix

Kubernetes policy list

The following CIS Kubernetes policies are enabled by the Cloudneeti Kubernetes agent configuration.

Category: Kubernetes - Worker Nodes - Worker Node Configuration Files

  • Ensure that the kubelet service file has permissions of 644 or more restrictive
  • Ensure that the kubelet service file ownership is set to root:root
  • Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive
  • Ensure that the proxy kubeconfig file ownership is set to root:root
  • Ensure that the kubelet.conf file permissions are set to 644 or more restrictive
  • Ensure that the kubelet.conf file ownership is set to root:root
  • Ensure that the client certificate authorities file ownership is set to root:root
  • Ensure that the kubelet configuration file has permissions set to 644 or more restrictive
  • Ensure that the kubelet configuration file ownership is set to root:root

Category: Kubernetes - Worker Nodes - Kubelet

  • Ensure that the --anonymous-auth argument is set to false
  • Ensure that the --authorization-mode argument is not set to AlwaysAllow
  • Ensure that the --client-ca-file argument is set as appropriate
  • Ensure that the --read-only-port argument is set to 0
  • Ensure that the --streaming-connection-idle-timeout argument is not set to 0
  • Ensure that the --protect-kernel-defaults argument is set to true
  • Ensure that the --make-iptables-util-chains argument is set to true
  • Ensure that the --hostname-override argument is not set
  • Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate
  • Ensure that the --rotate-certificates argument is not set to false
  • Ensure that the RotateKubeletServerCertificate argument is set to true
  • Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers

Generate Cloudneeti API key

Sign up on the Cloudneeti API portal.

  1. Go to the API portal and sign up.

  2. Fill in the required fields of the sign-up form.

  3. You will receive a confirmation mail for the sign-up; click on the confirmation link.

  4. The confirmation link will ask you to change your password (you can reuse the password you used when signing up).

  5. You are signed up successfully.

Retrieve and activate API key

Retrieve and activate your API key using the Cloudneeti API portal.

  1. Click on PRODUCTS
  2. Select Unlimited Cloudneeti API
  3. Click on Subscribe

This will notify Cloudneeti to activate your API subscription access. Please wait for the activation to be done. When Cloudneeti activates your subscription, you will get an email notification.

Once you receive the confirmation, proceed with the following steps.

  1. Click on your username
  2. Select Profile
  3. Click on Show
  4. Copy the Primary key to your notepad.

Set API key in base64

The commands below encode the API key in base64 for the data section of cloudneeti-agent-secret.yaml. Use printf rather than echo so that no trailing newline is encoded into the secret.

Bash
    # printf '%s' writes the key without the trailing newline that echo would add
    printf '%s' '<apikey>' | base64
Powershell
    $PlainTextKey = '<apikey>'
    # UTF-8 bytes, so the result matches the Bash command above
    $Bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainTextKey)
    $EncodedKey = [Convert]::ToBase64String($Bytes)
    $EncodedKey