Beta feature
This functionality is in beta and is subject to change. The design and code are less mature than official generally available features and are provided as-is with no warranties. Beta features are not subject to the support service level agreement of official generally available features.
What is an Elastic integration?

This integration is powered by Elastic Agent. Elastic Agent is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to our documentation for a detailed comparison between Beats and Elastic Agent.

Prefer to use Beats for this use case? See Filebeat modules for logs or Metricbeat modules for metrics.

Overview

This integration periodically monitors and compares Kubernetes infrastructure against security best practices defined by CIS to help security, DevOps, and DevSecOps personnel to:

  1. Identify and remediate misconfigurations
  2. Understand the overall security posture of their Kubernetes clusters, both individually and holistically

Integration Assets

After this integration has been installed for the first time, the following assets will get created and made available in the Security solution UI:

Asset: Posture Dashboard
Description: The posture dashboard provides an overview of the security posture of all monitored Kubernetes clusters.

Asset: Findings
Description: Findings communicate the outcome of evaluating a specific resource against a specific rule. All latest findings are viewable on the Findings page.

Asset: Benchmark Rules
Description: Benchmark rules are used to assess Kubernetes resources for secure configuration. Benchmark rules are viewable on the Benchmark page.

Compatibility

This integration is tested with Kubernetes 1.21.x and currently supports the security posture assessment of:

  1. Unmanaged/Vanilla Kubernetes clusters
  2. Amazon EKS clusters

This integration has not been tested on:

  1. Amazon EKS on AWS Outposts

This Integration does not currently support the security posture assessment of:

  1. Google GKE
  2. Azure AKS
  3. Red Hat Openshift
  4. Amazon EKS with AWS Fargate nodes

Permissions

This integration requires access to node files, node processes, and the Kubernetes API server; therefore, it assumes the agent will be installed as a DaemonSet with the proper Roles and RoleBindings attached.

If deploying this integration on an Amazon EKS cluster, an IAM user with programmatic access and specific permissions is required to make AWS API calls. When creating the IAM user, create and attach an IAM policy to it that grants the following set of permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ecr:GetRegistryPolicy",
                "eks:ListTagsForResource",
                "elasticloadbalancing:DescribeTags",
                "ecr-public:DescribeRegistries",
                "ecr:DescribeRegistry",
                "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                "ecr:ListImages",
                "ecr-public:GetRepositoryPolicy",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeLoadBalancers",
                "ecr-public:DescribeRepositories",
                "eks:DescribeNodegroup",
                "ecr:DescribeImages",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "ecr:DescribeRepositories",
                "eks:DescribeCluster",
                "eks:ListClusters",
                "elasticloadbalancing:DescribeInstanceHealth",
                "ecr:GetRepositoryPolicy"
            ],
            "Resource": "*"
        }
    ]
}

If the necessary credentials aren't provided, EKS clusters won't get evaluated.
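The policy above is read-only (every action is a Describe, Get or List call), which is the least privilege the EKS assessment needs. The following script is an added example, not part of the Elastic integration or its code: it takes an IAM policy document and checks, offline, that it grants every action listed on this page and that no Allow statement reaches beyond read-only verbs. It evaluates only the Action element (Resource and Condition are assumed unrestricted, as in the "Resource": "*" policy above), which is a stated simplification of IAM's full evaluation logic; the sample policies it is run against are constructed here.

```python
"""Offline least-privilege check for the KSPM EKS IAM policy.

Added example (not Elastic's code). Only the Action element of each
statement is evaluated; Resource/Condition are assumed to be "*".
"""
import fnmatch
import json

# The actions quoted on the page for the EKS posture assessment.
REQUIRED_ACTIONS = frozenset({
    "ecr:GetRegistryPolicy",
    "eks:ListTagsForResource",
    "elasticloadbalancing:DescribeTags",
    "ecr-public:DescribeRegistries",
    "ecr:DescribeRegistry",
    "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
    "ecr:ListImages",
    "ecr-public:GetRepositoryPolicy",
    "elasticloadbalancing:DescribeLoadBalancerAttributes",
    "elasticloadbalancing:DescribeLoadBalancers",
    "ecr-public:DescribeRepositories",
    "eks:DescribeNodegroup",
    "ecr:DescribeImages",
    "elasticloadbalancing:DescribeLoadBalancerPolicies",
    "ecr:DescribeRepositories",
    "eks:DescribeCluster",
    "eks:ListClusters",
    "elasticloadbalancing:DescribeInstanceHealth",
    "ecr:GetRepositoryPolicy",
})

# Verb prefixes considered read-only; anything else exceeds what is needed.
READ_ONLY_VERB_PREFIXES = ("describe", "get", "list")


def _as_list(value):
    """IAM allows a string or a list for Statement and Action; normalise."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, action):
    # IAM compares action names case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_granted(policy, action):
    """True if some Allow statement matches the action and no Deny does
    (an explicit Deny always wins, as in IAM)."""
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement")):
        if not any(_matches(p, action) for p in _as_list(stmt.get("Action"))):
            continue
        if stmt.get("Effect") == "Allow":
            allowed = True
        elif stmt.get("Effect") == "Deny":
            denied = True
    return allowed and not denied


def missing_actions(policy):
    """Required actions the policy does not grant (empty set == complete)."""
    return {a for a in REQUIRED_ACTIONS if not action_granted(policy, a)}


def excess_patterns(policy):
    """Allow patterns that can reach a non-read-only action, e.g. '*',
    'ecr:*' or an explicit write action. Conservative: a pattern is only
    accepted when its verb part literally starts with a read-only prefix."""
    excess = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            service, _, verb = pattern.partition(":")
            wild_service = "*" in service or "?" in service
            if wild_service or not verb.lower().startswith(READ_ONLY_VERB_PREFIXES):
                excess.append(pattern)
    return excess


def report(policy):
    """Summarise both checks for a policy document (dict from json.loads)."""
    return {"missing": sorted(missing_actions(policy)),
            "excess": excess_patterns(policy)}


# Constructed sample input: the page's policy, rebuilt from the action list.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow",
    "Action": sorted(REQUIRED_ACTIONS), "Resource": "*"}]}

# Constructed: same policy with one action dropped.
TOO_NARROW = json.loads(json.dumps(PAGE_POLICY))
TOO_NARROW["Statement"][0]["Action"].remove("eks:ListClusters")

# Constructed: wildcards that cover the required set but also grant writes.
TOO_BROAD = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["ecr:*", "eks:Describe*", "eks:List*",
               "elasticloadbalancing:Describe*", "ecr-public:*"],
    "Resource": "*"}]}

# Constructed: an Allow-everything policy with an explicit Deny on ECR.
DENIED_ECR = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ecr:*", "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in [("page", PAGE_POLICY), ("narrow", TOO_NARROW),
                      ("broad", TOO_BROAD), ("denied-ecr", DENIED_ECR)]:
        print(name, json.dumps(report(pol)))
```

Run the script on a policy exported with the AWS CLI or console to confirm two things before deploying the agent: "missing" is empty (otherwise EKS clusters will not be evaluated) and "excess" is empty (otherwise the agent's credentials carry more than the read-only access the integration needs).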

Leader election

To collect cluster-level data (as opposed to node-level data), the integration makes use of the Kubernetes leader election mechanism. This mechanism ensures that cluster-level data is collected by only one of the agents running as part of the DaemonSet, rather than by all of them.

Example of cluster-level data: the list of running pods. Example of node-level data: the kubelet configuration.

Deployment

Deploy the Elastic agent

Just like every other integration, the KSPM integration requires an Elastic agent to be deployed.

See agent installation instructions.

Note: this integration can only be added to Elastic Agents of version 8.4 or higher.

Changelog

Version    Details
0.0.26
Enhancement View pull request
Version bump

Enhancement View pull request
Updates to KSPM Integration README
0.0.25
Bug fix View pull request
Remove unimplemented EKS rules from template
0.0.24
Enhancement View pull request
Updated release tag to beta
0.0.23
Bug fix View pull request
Fix rule id typo
0.0.22
Enhancement View pull request
Adjust findings data-stream mappings to fit ECS conventions

Enhancement View pull request
Turned off dynamic mappings of findings data-stream

Enhancement View pull request
Added default pipeline to findings data-stream
0.0.21
Enhancement View pull request
Update package display name
0.0.20
Enhancement View pull request
Remove Kibana configuration section from README
0.0.19
Enhancement View pull request
Adding EKS rule templates

Enhancement View pull request
Added date time field to index patterns

Enhancement View pull request
Update rule benchmark field to include an id
0.0.18
Enhancement View pull request
enhance integration to support eks
0.0.17
Enhancement View pull request
Refactored csp-rule-template metadata field to fit 8.4.0 schema
0.0.16
Enhancement View pull request
update resource id keyword mapping
0.0.15
Enhancement View pull request
update resource id mapping
0.0.14
Enhancement View pull request
Add mapping for rule id and resource id and revert Kibana version constrain
0.0.13
Enhancement View pull request
Update Kibana version constrain
0.0.12
Enhancement View pull request
Add new rule templates
0.0.11
Enhancement View pull request
Update elastic-agent deployment instructions
0.0.10
Enhancement View pull request
Update CSP rules configuration template
0.0.9
Enhancement View pull request
Update csp rule template
0.0.8
Enhancement View pull request
Send dataYaml (Rules Activation YAML) to cloudbeat
0.0.7
Enhancement View pull request
Add rule template assets
0.0.6
Enhancement View pull request
Update findings template asset
0.0.5
Enhancement View pull request
Add CSP rule template asset
0.0.4
Enhancement View pull request
Add latest findings data view
0.0.3
Enhancement View pull request
Change README
0.0.2
Enhancement View pull request
Change README
0.0.1
Enhancement View pull request
Initial draft of the package