This integration is powered by Elastic Agent. Elastic Agent is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to our documentation for a detailed comparison between Beats and Elastic Agent.
Prefer to use Beats for this use case? See Filebeat modules for logs or Metricbeat modules for metrics.
See the integrations quick start guides to get started:
Overview
This integration periodically monitors and compares Kubernetes infrastructure against security best practices defined by CIS to help security, DevOps, and DevSecOps personnel to:
- Identify and remediate misconfigurations
- Understand the overall security posture of their Kubernetes clusters both- individually and holistically
Integration Assets
After this integration has been installed for the first time, the following assets will get created and made available in the Security solution UI:
| Asset | Description |
|---|---|
Posture Dashboard | The posture dashboard provides an overview of the security posture of all Kubernetes clusters monitored |
Findings | Findings communicate the outcome of a specific resource being evaluated with a specific rule. All latest findings are viewable on the findings page |
Benchmark Rules | Benchmark rules are used to assess Kubernetes resources for secure configuration. Benchmark rules are viewable on the Benchmark page |
Compatibility
This integration is tested with Kubernetes 1.21.x and currently supports the security posture assessment of:
This integration has not been tested on
- Amazon EKS on AWS Outposts
This Integration does not currently support the security posture assessment of:
- Google GKE
- Azure AKS
- Red Hat Openshift
- Amazon EKS with AWS Fargate nodes
Permissions
This integration requires access to node files, node processes, and the Kubernetes api-server therefore, it assumes the agent will be installed as a DaemonSet with the proper Roles and RoleBindings attached.
If deploying this integration on an Amazon EKS cluster, an IAM user with programmatic access and specific permissions is required to make AWS API calls. When creating the IAM user, please make sure to create and attach an IAM policy to it that has the following set of permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ecr:GetRegistryPolicy",
"eks:ListTagsForResource",
"elasticloadbalancing:DescribeTags",
"ecr-public:DescribeRegistries",
"ecr:DescribeRegistry",
"elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
"ecr:ListImages",
"ecr-public:GetRepositoryPolicy",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancers",
"ecr-public:DescribeRepositories",
"eks:DescribeNodegroup",
"ecr:DescribeImages",
"elasticloadbalancing:DescribeLoadBalancerPolicies",
"ecr:DescribeRepositories",
"eks:DescribeCluster",
"eks:ListClusters",
"elasticloadbalancing:DescribeInstanceHealth",
"ecr:GetRepositoryPolicy"
],
"Resource": "*"
}
]
}
If the necessary credentials aren't provided, EKS clusters won't get evaluated.
Leader election
To collect cluster level data (compared to node level information) the integration makes use of the leader election mechanism. This mechanism assures that the cluster level data is collected by only one of the agents running as a part of the DaemonSet and not by all of them.
Cluster level data example: List of the running pods. Node level data example: kubelet configuration.
Deployment
Deploy the Elastic agent
Just like every other integration, the KSPM integration requires an Elastic agent to be deployed.
See agent installation instructions.
Note, this integration can only be added to Elastic agents with versions 8.4 or higher.
Changelog
| Version | Details |
|---|---|
0.0.26 | View pull request Version bump View pull request Updates to KSPM Integration README |
0.0.25 | View pull request Remove unimplemented EKS rules from template |
0.0.24 | View pull request Updated release tag to beta |
0.0.23 | View pull request Fix rule id typo |
0.0.22 | View pull request Adjust findings data-stream mappings to fit ECS conventions View pull request Turned off dynamic mappings of findings data-stream View pull request Added default pipeline to findings data-stream |
0.0.21 | View pull request Update package display name |
0.0.20 | View pull request Remove Kibana configuration section from README |
0.0.19 | View pull request Adding EKS rule templates View pull request Added date time field to index patterns View pull request Update rule benchmark field to include an id |
0.0.18 | View pull request enhance integration to support eks |
0.0.17 | View pull request Refactored csp-rule-template metadata field to fit 8.4.0 schema |
0.0.16 | View pull request update resource id keyword mapping |
0.0.15 | View pull request update resource id mapping |
0.0.14 | View pull request Add mapping for rule id and resource id and revert Kibana version constrain |
0.0.13 | View pull request Update Kibana version constrain |
0.0.12 | View pull request Add new rule templates |
0.0.11 | View pull request Update elastic-agent deployment instructions |
0.0.10 | View pull request Update CSP rules configuration template |
0.0.9 | View pull request Update csp rule template |
0.0.8 | View pull request Send dataYaml (Rules Activation YAML) to cloudbeat |
0.0.7 | View pull request Add rule template assets |
0.0.6 | View pull request Update findings template asset |
0.0.5 | View pull request Add CSP rule template asset |
0.0.4 | View pull request Add latest findings data view |
0.0.3 | View pull request Change README |
0.0.2 | View pull request Change README |
0.0.1 | View pull request Initial draft of the package |