diff --git a/README.md b/README.md
index 399cb89..7d4af4d 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,7 @@
 # helm-charts
+
 Official Lacework Helm Charts
+
+# Lacework Agent
+
+[Install Using Lacework Charts Repository](https://support.lacework.com/hc/en-us/articles/360005263034-Deploy-on-Kubernetes#install-using-lacework-charts-repository-recommended).
diff --git a/index.yaml b/index.yaml
new file mode 100644
index 0000000..ffbbcb7
--- /dev/null
+++ b/index.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+entries:
+ lacework-agent:
+ - apiVersion: v1
+ appVersion: "1.0"
+ created: "2021-10-06T20:28:07.439483296-07:00"
+ description: Lacework Agent
+ digest: 316df313975abcb5ab65846cc749c194c5169f09636f2ffbc26a71f0ae9ef29b
+ home: https://www.lacework.com
+ icon: https://www.lacework.com/wp-content/uploads/2019/07/Lacework_Logo_color_2019.svg
+ keywords:
+ - monitoring
+ - security
+ - run-time
+ - metric
+ - troubleshooting
+ maintainers:
+ - email: info@lacework.net
+ name: lacework-support
+ name: lacework-agent
+ urls:
+ - lacework-agent-4.3.0.tgz
+ version: 4.3.0
+generated: "2021-10-06T20:28:07.438487133-07:00"
diff --git a/lacework-agent-4.3.0.tgz b/lacework-agent-4.3.0.tgz
new file mode 100644
index 0000000..26c498e
Binary files /dev/null and b/lacework-agent-4.3.0.tgz differ
diff --git a/lacework-agent/Chart.yaml b/lacework-agent/Chart.yaml
new file mode 100644
index 0000000..c868a41
--- /dev/null
+++ b/lacework-agent/Chart.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+appVersion: "1.0"
+description: Lacework Agent
+home: https://www.lacework.com
+icon: https://www.lacework.com/wp-content/uploads/2019/07/Lacework_Logo_color_2019.svg
+keywords:
+- monitoring
+- security
+- run-time
+- metric
+- troubleshooting
+maintainers:
+- email: info@lacework.net
+ name: lacework-support
+name: lacework-agent
+version: 4.3.0
diff --git a/lacework-agent/dev_install.sh b/lacework-agent/dev_install.sh
new file mode 100644
index 0000000..3df92ea
--- /dev/null
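Review bot: Chart.yaml declares `appVersion: "1.0"` next to `version: 4.3.0`, and nothing visible in the chart ties that value to an agent build — values.yaml defaults the image to `tag: latest` — so `helm list` will report an agent version that has no meaning. Set appVersion to the datacollector release the chart was tested with and let the image helper in _helpers.tpl fall back to it, `{{- $tag := .Values.image.tag | default .Chart.AppVersion | toString -}}`, so a chart release pins a known agent build by default. The generated index.yaml entry in this commit carries the same `appVersion: "1.0"` and would follow once Chart.yaml is corrected and the index regenerated.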
+++ b/lacework-agent/dev_install.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -euo pipefail
+
+helm upgrade --install --create-namespace -f values.yaml \
+ --set image.pullPolicy=Never \
+ --set image.tag=${VERSION:-99.9.9} \
+ --set laceworkConfig.accessToken=${LACEWORK_AGENT_TOKEN} \
+ --set laceworkConfig.serverUrl=${LACEWORK_SERVER_URL} \
+ --set laceworkConfig.env=${USER}-minikube \
+ --set laceworkConfig.kubernetesCluster=${USER}-minikube \
+ lacework-agent .
diff --git a/lacework-agent/dev_uninstall.sh b/lacework-agent/dev_uninstall.sh
new file mode 100644
index 0000000..27fa2c8
--- /dev/null
+++ b/lacework-agent/dev_uninstall.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -euo pipefail
+
+helm uninstall lacework-agent
diff --git a/lacework-agent/templates/_helpers.tpl b/lacework-agent/templates/_helpers.tpl
new file mode 100644
index 0000000..5ea348e
--- /dev/null
+++ b/lacework-agent/templates/_helpers.tpl
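Review bot: The `--set` arguments in dev_install.sh expand `${LACEWORK_AGENT_TOKEN}`, `${LACEWORK_SERVER_URL}` and `${USER}` unquoted, so a value containing whitespace or glob characters is word-split and globbed before helm sees it; quote each expansion, e.g. `--set laceworkConfig.accessToken="${LACEWORK_AGENT_TOKEN}"`. Passing the token via `--set` also places it in the helm process's argument list, where any local user can read it with `ps`; `--set-file laceworkConfig.accessToken=<token-file>` keeps it out of argv. `set -u` already aborts the script when the token or URL variable is unset, which is the behaviour wanted here.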
@@ -0,0 +1,46 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "lacework-agent.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "lacework-agent.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "lacework-agent.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Return the proper Lacework Agent image name
+*/}}
+{{- define "lacework-agent.image" -}}
+{{- $registryName := .Values.image.registry -}}
+{{- $repositoryName := .Values.image.repository -}}
+{{- $tag := .Values.image.tag | toString -}}
+{{- if .Values.image.overrideValue }}
+ {{- printf .Values.image.overrideValue -}}
+{{- else -}}
+ {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
+{{- end -}}
+{{- end -}}
diff --git a/lacework-agent/templates/access-token.yaml b/lacework-agent/templates/access-token.yaml
new file mode 100644
index 0000000..7bf97d7
--- /dev/null
+++ b/lacework-agent/templates/access-token.yaml
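Review bot: `lacework-agent.image` hands `.Values.image.overrideValue` to `printf` as the format string, so an override containing `%` is mangled with Go's `%!s(MISSING)`-style error text instead of being emitted verbatim; output it directly with `{{- .Values.image.overrideValue -}}`. `overrideValue` does not appear in values.yaml or values.schema.json in this commit, so it should either be documented there as an optional string or removed from the helper. `lacework-agent.fullname` and `lacework-agent.chart` are defined but, as far as the templates in this diff show, never included; every resource is named from `lacework-agent.name`, which is the same for every release of the chart in a namespace.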
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "lacework-agent.name" . }}-access-token
+ labels:
+ tier: monitoring
+ app: {{ include "lacework-agent.name" . }}
+type: Opaque
+data:
+ agent-access-token: {{ required "A valid AccessToken is required! Specify your Lacework agent token in values.yaml" .Values.laceworkConfig.accessToken | b64enc }}
diff --git a/lacework-agent/templates/configmap.yaml b/lacework-agent/templates/configmap.yaml
new file mode 100644
index 0000000..db48173
--- /dev/null
+++ b/lacework-agent/templates/configmap.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: lacework-config
+ namespace: {{ .Release.Namespace }}
+data:
+ config.json: |
+ {"autoupgrade": "{{ required "A value for autoupgrade is required" .Values.laceworkConfig.autoUpgrade }}",
+ "serverurl": "{{ .Values.laceworkConfig.serverUrl}}",
+ "tags": {"Env": "{{ .Values.laceworkConfig.env }}"
+ {{- if .Values.laceworkConfig.kubernetesCluster }}, "KubernetesCluster" :"{{ .Values.laceworkConfig.kubernetesCluster}}" {{- end }}
+ }
+ }
diff --git a/lacework-agent/templates/daemonset.yaml b/lacework-agent/templates/daemonset.yaml
new file mode 100644
index 0000000..69ddbd6
--- /dev/null
+++ b/lacework-agent/templates/daemonset.yaml
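Review bot: The Secret in access-token.yaml sets no `namespace`, while the ConfigMap and DaemonSet added in the same commit both carry `namespace: {{ .Release.Namespace }}`; Helm installs all three into the release namespace regardless, but the template should say so consistently, `namespace: {{ .Release.Namespace }}` under `metadata`. The name `{{ include "lacework-agent.name" . }}-access-token` is derived from the chart name rather than `lacework-agent.fullname`, so two releases of the chart in one namespace would overwrite each other's token Secret (and the DaemonSet's `secretKeyRef` would read whichever was written last); if a single release per namespace is the intended model, a one-line comment stating that would save the next reader the question.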
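Review bot: `config.json` in configmap.yaml is built by splicing `serverUrl`, `env` and `kubernetesCluster` into a hand-written JSON literal, so a value containing `"` or `\` yields a ConfigMap the agent cannot parse, and the `{{- if ... }}` branch depends on the surrounding punctuation lining up exactly. Building the document as a dict and serialising it with `toJson` removes both problems while keeping the same keys (`autoupgrade`, `serverurl`, `tags.Env`, optional `tags.KubernetesCluster`) and the same `required` message; a nil `env` or `serverUrl` still renders as `""`, matching the current output.
```yaml
{{- $cfg := .Values.laceworkConfig }}
{{- $tags := dict "Env" ($cfg.env | default "") }}
{{- if $cfg.kubernetesCluster }}
{{- $_ := set $tags "KubernetesCluster" $cfg.kubernetesCluster }}
{{- end }}
# … unchanged: apiVersion, kind, metadata …
data:
  config.json: {{ dict "autoupgrade" (required "A value for autoupgrade is required" $cfg.autoUpgrade | toString) "serverurl" ($cfg.serverUrl | default "") "tags" $tags | toJson | quote }}
```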
@@ -0,0 +1,132 @@
+apiVersion: apps/v1
+
+kind: DaemonSet
+metadata:
+ name: {{ include "lacework-agent.name" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ tier: monitoring
+ app: {{ include "lacework-agent.name" . }}
+spec:
+ selector:
+ matchLabels:
+ name: {{ include "lacework-agent.name" . }}
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ name: {{ include "lacework-agent.name" . }}
+ spec:
+ tolerations:
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- if .Values.priorityClassName }}
+ priorityClassName: {{ .Values.priorityClassName | quote }}
+{{- end }}
+{{- if .Values.image.imagePullSecrets }}
+ imagePullSecrets:
+{{ toYaml .Values.image.imagePullSecrets | indent 8 }}
+{{- end }}
+ terminationGracePeriodSeconds: 20
+ hostPID: true
+ hostNetwork: true
+ containers:
+ - name: lacework
+ image: {{ template "lacework-agent.image" . }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ env:
+ - name: LaceworkLogStdout
+ value: "yes"
+ - name: LaceworkAccessToken
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "lacework-agent.name" .
}}-access-token
+ key: agent-access-token
+ resources:
+{{ toYaml .Values.resources | indent 12 }}
+ securityContext:
+ privileged: true
+ runAsNonRoot: false
+ runAsUser: 0
+ readOnlyRootFilesystem: false
+ allowPrivilegeEscalation: true
+ volumeMounts:
+ - name: cfgmap
+ mountPath: /var/lib/lacework/config
+ - name: dev
+ mountPath: /dev
+ - name: run-sock
+ mountPath: /var/run/docker.sock
+ - name: run-pid
+ mountPath: /var/run/docker.pid
+ - name: sys
+ mountPath: /sys
+ - name: log
+ mountPath: /var/log
+ - name: passwd
+ mountPath: /etc/passwd
+ readOnly: true
+ - name: group
+ mountPath: /etc/group
+ readOnly: true
+ - name: hostlacework
+ mountPath: /var/lib/lacework/collector
+ - name: hostroot
+ mountPath: /laceworkfim
+ readOnly: true
+ - name: podinfo
+ mountPath: /etc/podinfo
+ volumes:
+ - name: dev
+ hostPath:
+ path: /dev
+ - name: run-sock
+ hostPath:
+ path: /var/run/docker.sock
+ - name: run-pid
+ hostPath:
+ path: /var/run/docker.pid
+ - name: sys
+ hostPath:
+ path: /sys
+ - name: log
+ hostPath:
+ path: /var/log
+ - name: passwd
+ hostPath:
+ path: /etc/passwd
+ - name: group
+ hostPath:
+ path: /etc/group
+ - name: hostroot
+ hostPath:
+ path: /
+ - name: hostlacework
+ hostPath:
+ path: /var/lib/lacework/collector
+ - name: cfgmap
+ configMap:
+ name: lacework-config
+ items:
+ - key: config.json
+ path: config.json
+ - name: podinfo
+ downwardAPI:
+ items:
+ - path: "labels"
+ fieldRef:
+ fieldPath: metadata.labels
+ - path: "annotations"
+ fieldRef:
+ fieldPath: metadata.annotations
+ - path: "name"
+ fieldRef:
+ fieldPath: metadata.name
+ - path: "poduid"
+ fieldRef:
+ fieldPath: metadata.uid
+ - path: "namespace"
+ fieldRef:
+ fieldPath: metadata.namespace
+ updateStrategy:
+{{ toYaml .Values.daemonset.updateStrategy | indent 4 }}
diff --git a/lacework-agent/values.schema.json b/lacework-agent/values.schema.json
new file mode 100644
index 0000000..5752b5a
--- /dev/null
+++ b/lacework-agent/values.schema.json
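Review bot: `updateStrategy` appears twice at DaemonSet `spec` level in daemonset.yaml — the literal `type: RollingUpdate` right after `selector`, and again as the last two lines from `.Values.daemonset.updateStrategy | indent 4`; strict YAML decoders reject a duplicate mapping key and lenient ones keep one of the two silently, so the literal block is dead at best and should be dropped. `.Values.daemonset.affinity`, which values.yaml in this commit fills with the arch/os node selector, is never referenced in the template, so those affinity rules have no effect; render them under the pod spec as shown below. The pod runs `privileged: true` with `hostPID`, `hostNetwork` and hostPath mounts of `/`, `/dev`, `/sys`, `/var/log` and the docker socket and pid file — inherent to a node-level agent, but worth a short comment in values.yaml or the README so operators reviewing admission policies see it stated rather than discovering it in the rendered manifest.
```yaml
spec:
  selector:
    matchLabels:
      name: {{ include "lacework-agent.name" . }}
  # (literal updateStrategy removed; the one fed from .Values.daemonset.updateStrategy at the end stays)
  template:
    # … unchanged: metadata …
    spec:
      tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
{{- with .Values.daemonset.affinity }}
      affinity:
{{ toYaml . | indent 8 }}
{{- end }}
# … unchanged: priorityClassName, imagePullSecrets, containers, volumes, final updateStrategy …
```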
@@ -0,0 +1,84 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema",
+ "required": [
+ "laceworkConfig"
+ ],
+ "properties": {
+ "image": {
+ "type": "object",
+ "properties": {
+ "imagePullSecrets": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ }
+ }
+ },
+ "pullPolicy": {
+ "type": "string",
+ "enum": [
+ "Always",
+ "IfNotPresent",
+ "Never"
+ ]
+ },
+ "registry": {
+ "type": "string"
+ },
+ "repository": {
+ "type": "string"
+ },
+ "tag": {
+ "type": "string"
+ }
+ }
+ },
+ "laceworkConfig": {
+ "type": "object",
+ "required": [
+ "accessToken"
+ ],
+ "properties": {
+ "accessToken": {
+ "type": "string"
+ },
+ "autoUpgrade": {
+ "type": "string",
+ "enum": [
+ "disable",
+ "enable"
+ ]
+ },
+ "kubernetesCluster": {
+ "type": [
+ "string",
+ "null"
+ ]
+ },
+ "env": {
+ "type": [
+ "string",
+ "null"
+ ]
+ },
+ "serverUrl": {
+ "type": [
+ "string",
+ "null"
+ ]
+ }
+ }
+ },
+ "priorityClassName": {
+ "type": [
+ "string",
+ "null"
+ ]
+ }
+ },
+ "additionalProperties": true
+}
diff --git a/lacework-agent/values.yaml b/lacework-agent/values.yaml
new file mode 100644
index 0000000..8b40d5a
--- /dev/null
+++ b/lacework-agent/values.yaml
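Review bot: `laceworkConfig.accessToken` in values.schema.json is typed as a bare `string` with no `minLength`, so `--set laceworkConfig.accessToken=""` passes schema validation and the chart only fails later at the template-time `required` check in access-token.yaml; add `"minLength": 1` so the schema itself rejects an empty token with a clear message. `resources`, `tolerations` and `daemonset` are all read by daemonset.yaml but have no schema entry, and with `"additionalProperties": true` a misspelled key under any of them is accepted silently; describing at least `daemonset.updateStrategy` and `daemonset.affinity` as objects would catch that class of mistake. The `image.tag` entry requires a string, which is correct — a purely numeric tag passed via `--set` arrives as an integer and will be refused, so documenting that in values.yaml (quote the tag, or use `--set-string`) would pre-empt the confusion.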
@@ -0,0 +1,76 @@
+# Default values for Lacework Agent.
+
+image:
+ registry: docker.io
+ repository: lacework/datacollector
+ tag: latest
+
+ # imagePullPolicy should be Always to get the latest container
+ # http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ pullPolicy: Always
+
+ # [Optional] imagePullSecrets.
+ # https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ # imagePullSecrets:
+ # - name: CustomerRegistrKeySecretName
+
+resources:
+ # The requests/limits is guidance and should be adjusted based on the workload
+ # Please contact Lacework support for additional details
+ # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
+ # https://support.lacework.com/hc/en-us/articles/360047019354-Usage-Impact-of-Agent-Deployment
+ requests:
+ cpu: 200m
+ memory: 512Mi
+ limits:
+ cpu: 500m
+ memory: 1450Mi
+
+laceworkConfig:
+ # [Optional] Set to "disable" to disable autoupgrade of the datacollector
+ autoUpgrade: enable
+ # [Required] An access token is required before running agents.
+ # Visit https:// for eg: https://lacework.lacework.net
+ accessToken:
+ # [Optional] Give your k8s environment a friendly name
+ env:
+ # [Optional] Kubernetes cluster name
+ # https://support.lacework.com/hc/en-us/articles/360005263034-Deploy-on-Kubernetes
+ kubernetesCluster:
+ # [Optional] Region specific Lacework service URL.
If not provided
+ # the Agent defaults to the US region
+ serverUrl:
+
+##########################################################################
+# Set daemonset priorityClassName
+priorityClassName:
+
+# Allow Lacework agent to run on all nodes including master node
+tolerations:
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/master
+ # Allow Lacework agent to run on all nodes in case of a taint
+ # - effect: NoSchedule
+ # operator: Exists
+
+daemonset:
+ # Use rolling updates in the DaemonSet
+ # https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/
+ updateStrategy:
+ type: RollingUpdate
+ # DaemonSet to schedule using affinity rules
+ # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - arm64
+ - key: kubernetes.io/os
+ operator: In
+ values:
+ - linux
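Review bot: values.yaml defaults the image to `tag: latest` with `pullPolicy: Always`, so each node restart may pull a different agent build and rolling back the chart does not roll back the agent; for a component that runs privileged on every node the default should be a pinned tag (the version the chart was tested with), with `latest` left as an explicit opt-in, and the comment above `pullPolicy` should then explain why `Always` is still recommended. The comment above `accessToken` ("Visit https:// for eg: https://lacework.lacework.net") reads like an example for `serverUrl`; replace it with a line saying where the token is obtained and move the example URL under `serverUrl`, whose own comment ("Region specific Lacework service URL. If not provided the Agent defaults to the US region") currently has no example. The `tolerations` default only covers the `node-role.kubernetes.io/master` taint; clusters that taint their control plane with `node-role.kubernetes.io/control-plane` will not schedule the agent there, so either add that toleration or note the gap next to the commented-out `operator: Exists` alternative. `CustomerRegistrKeySecretName` in the imagePullSecrets example looks like a typo for `CustomerRegistryKeySecretName`.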