
Amazon EKS (Kubernetes)

Instructions for adding Amazon EKS Clusters to InsightCloudSec

Overview

InsightCloudSec is pleased to include support for Kubernetes (K8s) — the world’s leading open-source container-orchestration system for automating deployment, scaling, and management of containerized applications. This page includes instructions for adding one or more Amazon Elastic Kubernetes Service (EKS) clusters to InsightCloudSec using the steps detailed below.

Steps for Adding an Amazon EKS Cluster

Installation Notes

These instructions assume that you are connecting to your K8s environment from a system where ‘kubectl’ is installed, with access to your EKS cluster.

Note: Instructions, examples, or back end capabilities may still refer to DivvyCloud vs. InsightCloudSec. The functionality is the same - just ensure that when using paths/databases/etc., your configuration references the appropriate items.

Important Note: If your EKS cluster's API server endpoint is private, verify that VPC peering or a Transit Gateway connects the cluster's VPC to the network where InsightCloudSec is installed, so that the endpoint is reachable from InsightCloudSec. If you have questions or concerns about your configuration, reach out to us at [email protected]

1. Download the aws-auth ConfigMap template that lets your worker nodes join the cluster:
curl -O https://amazon-eks.s3-us-west-2.amazonaws.com/cloudformation/2018-08-30/aws-auth-cm.yaml

2. In the EKS console, copy the ARN of the IAM role your worker nodes run under (the node instance role). This is the role that aws-auth maps to the system:nodes group; it is not the cluster's service role.

3. Update the YAML file you just downloaded (aws-auth-cm.yaml) with the ARN from Step 2:

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: <node instance role ARN from Step 2>
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes

4. Apply the updated YAML to the cluster. If the cluster already has an aws-auth ConfigMap (for example, one written when a node group was created), kubectl apply replaces its mapRoles block with the contents of this file, so first run kubectl get configmap aws-auth -n kube-system -o yaml and merge any existing entries into aws-auth-cm.yaml before applying:
kubectl apply -f aws-auth-cm.yaml

Expected output:
Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
configmap/aws-auth configured

5. Download the create_admin.sh script. It is served over plain HTTP, so read it before running it in Step 6 and confirm it does only what the expected output below shows (creates a service account and writes a kubeconfig under /tmp/kube):
curl -sO http://get.divvycloud.com/kubernetes/create_admin.sh

For Linux (GNU base64)

The script calls base64 -D, which is the macOS (BSD) spelling of the decode flag. GNU coreutils base64 on Linux, Ubuntu included, accepts only -d (or --decode) and fails on -D, so on Linux rewrite the flag before running the script:

sed -i s/"base64 -D"/"base64 -d"/g ./create_admin.sh

The flag's meaning is identical; only the letter case differs between the two implementations (--decode is accepted by both).

6. Run the script to connect to your EKS cluster, create a service account, and generate the kubeconfig needed to add the cluster to InsightCloudSec.

Usage: sh ./create_admin.sh <username> <namespace>
The username can be anything; 'divvycloud' or 'insightcloudsec' is recommended. The namespace is where the service account is created:

sh ./create_admin.sh divvycloud kube-system

Note: on Kubernetes 1.24 and later, creating a service account no longer creates a token Secret automatically, so the script's "Getting secret of service account" step finds nothing unless a Secret of type kubernetes.io/service-account-token for that service account already exists. Check your cluster version if the script stops there.

Expected output:

$> sh ./create_admin.sh divvycloud kube-system

Creating target directory to hold files in /tmp/kube...done
Creating a service account: <username> on namespace: kube-system
serviceaccount "divvycloud" created
Getting secret of service account <username>-kube-system
Secret name: <username>-token-2p7fx
Extracting ca.crt from secret...done
Getting user token from secret...done
Setting current context to: aws
Cluster name: kubernetes
Endpoint: https://978A955EE0F90F7059AD9670DF329A8A.sk1.us-east-1.eks.amazonaws.com
Preparing k8s-<username>-kube-system-conf
Setting a cluster entry in kubeconfig...Cluster "kubernetes" set.
Setting token credentials entry in kubeconfig...User "<username>-kube-system-kubernetes" set.
Setting a context entry in kubeconfig...Context "<username>-kube-system-kubernetes" created.
Setting the current-context in the kubeconfig file...Switched to context "<username>-kube-system-kubernetes".
All done! Test with:
KUBECONFIG=/tmp/kube/k8s-<username>-kube-system-conf kubectl get pods
you should not have any permissions by default - you have just created the authentication part
You will need to create RBAC permissions
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:kube-system:divvycloud" cannot list pods in the namespace "kube-system"

The Forbidden error at the end of that output is expected: the script creates only the service account and its token (the authentication part) and grants it no RBAC permissions. Steps 7 through 9 add them.

7. Bind a role to the service account you just created. Download the role.yaml config file:
curl -sO http://get.divvycloud.com/kubernetes/role.yaml

8. Update role.yaml to substitute YOUR-USERNAME-HERE with the username you used in Step 6 (e.g., 'divvycloud'). The file is a ClusterRoleBinding that grants the service account the built-in cluster-admin ClusterRole, that is, unrestricted access to every resource in the cluster, so the kubeconfig you hand to InsightCloudSec carries full cluster control and must be protected accordingly. This page does not list the exact resources and verbs InsightCloudSec needs; if your policy requires least privilege, confirm the minimal set with Rapid7 support before narrowing the role. If the downloaded file still uses apiVersion rbac.authorization.k8s.io/v1beta1, change it to rbac.authorization.k8s.io/v1: the beta version was removed in Kubernetes 1.22 and current clusters reject it.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: YOUR-USERNAME-HERE
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: YOUR-USERNAME-HERE
  namespace: kube-system

9. Apply role.yaml to grant the service account its permissions:
kubectl apply -f role.yaml

Expected output:
$> kubectl apply -f role.yaml
clusterrolebinding.rbac.authorization.k8s.io/divvycloud created

10. The create_admin.sh script wrote a kubeconfig to /tmp/kube. Copy it into place as your kubectl config. This overwrites any existing ~/.kube/config (typically your own admin credentials), so back that file up first, or point KUBECONFIG at the new file for the verification in the next step instead.
Usage: cp /tmp/kube/k8s-<username>-kube-system-conf ~/.kube/config

cp /tmp/kube/k8s-divvycloud-kube-system-conf ~/.kube/config

11. Verify connectivity to the cluster:
kubectl get all

Expected sample output (if there are no errors):
$> kubectl get all
NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
service/kubernetes   ClusterIP   10.100.0.1   <none>        443/TCP   29m

12. Use the verified ~/.kube/config as the YAML input for InsightCloudSec in the steps below. The file embeds a long-lived bearer token for a cluster-admin service account, so handle it as a secret: paste it only into the InsightCloudSec onboarding form and do not leave copies in shell history, tickets or chat.
cat ~/.kube/config
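As an added example (not code from this page, Rapid7/DivvyCloud or create_admin.sh), the following Python re-creates the last thing the script does: assembling the three values it extracted (API endpoint, ca.crt, service-account token) into the self-contained kubeconfig you paste into InsightCloudSec, using the same entry names the script's output shows. It adds the checks worth running before handing that file to a third party: the endpoint is HTTPS, the certificate-authority-data decodes to a PEM certificate, and the token's subject claim names the service account and namespace you created (the token's signature is not verified; only the API server can do that). The endpoint, CA bundle and token in the block are constructed placeholders, not real credentials.

```python
"""Assemble and sanity-check a service-account kubeconfig.

Added example, not code from the page, Rapid7/DivvyCloud or create_admin.sh.
Inputs in the sample section are constructed placeholders.
"""
import base64
import json
import re

# Subject claim format the API server puts in every service-account token.
SA_SUBJECT = re.compile(r"system:serviceaccount:([^:]+):([^:]+)")


def _b64url_decode(segment):
    """Decode one JWT segment (base64url with the padding stripped)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def service_account_from_token(token):
    """Return (namespace, name) from the 'sub' claim of a service-account JWT.

    Only the payload is decoded; the signature is deliberately not verified.
    The API server verifies it on every request; this check just confirms
    you are about to ship the token you think you are.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    match = SA_SUBJECT.fullmatch(claims.get("sub", ""))
    if not match:
        raise ValueError("token subject is not a service account: %r" % claims.get("sub"))
    return match.group(1), match.group(2)


def token_matches(token, username, namespace):
    """True if the token belongs to the service account namespace/username."""
    return service_account_from_token(token) == (namespace, username)


def ca_bundle_is_pem(ca_b64):
    """certificate-authority-data must be the base64 of a PEM certificate."""
    try:
        pem = base64.b64decode(ca_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    return pem.lstrip().startswith(b"-----BEGIN CERTIFICATE-----")


def build_kubeconfig(endpoint, ca_b64, token, username, namespace, cluster="kubernetes"):
    """Return kubeconfig YAML using the entry names create_admin.sh uses."""
    if not endpoint.startswith("https://"):
        raise ValueError("API endpoint must be https://, got %r" % endpoint)
    if not ca_bundle_is_pem(ca_b64):
        raise ValueError("certificate-authority-data is not a PEM certificate")
    if not token_matches(token, username, namespace):
        raise ValueError("token does not belong to %s/%s" % (namespace, username))
    entry = "%s-%s-%s" % (username, namespace, cluster)  # e.g. divvycloud-kube-system-kubernetes
    return "\n".join([
        "apiVersion: v1",
        "kind: Config",
        "clusters:",
        "- name: %s" % cluster,
        "  cluster:",
        "    server: %s" % endpoint,
        "    certificate-authority-data: %s" % ca_b64,
        "users:",
        "- name: %s" % entry,
        "  user:",
        "    token: %s" % token,  # static bearer token: the whole file is a secret
        "contexts:",
        "- name: %s" % entry,
        "  context:",
        "    cluster: %s" % cluster,
        "    user: %s" % entry,
        "current-context: %s" % entry,
        "",
    ])


# ---- constructed sample inputs (placeholders, not real credentials) ----
def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sample_token(namespace="kube-system", name="divvycloud"):
    """A JWT carrying the claims a service-account token has; the signature is junk."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "sample"}).encode())
    payload = _b64url(json.dumps({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/service-account.name": name,
        "sub": "system:serviceaccount:%s:%s" % (namespace, name),
    }).encode())
    return "%s.%s.%s" % (header, payload, _b64url(b"not-a-real-signature"))


SAMPLE_ENDPOINT = "https://EXAMPLE0123456789ABCDEF0123456789.sk1.us-east-1.eks.amazonaws.com"
SAMPLE_CA_B64 = base64.b64encode(
    b"-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n").decode()

if __name__ == "__main__":
    print(build_kubeconfig(SAMPLE_ENDPOINT, SAMPLE_CA_B64, sample_token(),
                           "divvycloud", "kube-system"))
```

Run it as-is to print the generated kubeconfig. To check a real token instead, pass the output of kubectl get secret <secret name> -n kube-system -o jsonpath='{.data.token}' | base64 --decode to service_account_from_token; a subject other than system:serviceaccount:kube-system:<username> means you extracted the wrong secret.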

Steps for Setup in InsightCloudSec

Once you have your config file, add it to InsightCloudSec on the Kubernetes onboarding page.

1. From your InsightCloudSec platform locate "Cloud --> Clouds" on the main navigation menu.

2. Click on "Add Cloud" in the upper right.

(Screenshot: Clouds Listing Page - Add a Cloud)

3. Select Kubernetes and complete the fields as follows:

  • Provide your Kubernetes cluster with a nickname.
  • Paste in your Kubernetes configuration (the contents of ~/.kube/config from Step 12). The configuration must be in YAML format.

4. Click "Add Cloud".

(Screenshot: Add Kubernetes Configuration)

5. To confirm, you should see a screen that indicates you have successfully added a cloud account. InsightCloudSec will begin harvesting immediately and the data should start to surface after five minutes or so depending upon the size of your Kubernetes cluster.
