How Lacework FortiCNAPP derives the K8s cluster name
When you deploy the Lacework FortiCNAPP agent in your Kubernetes (K8s) environment, the list of K8s clusters in which the agent is deployed displays in the Kubernetes Dashboard in the Lacework FortiCNAPP console.
This topic describes how Lacework FortiCNAPP derives the K8s cluster name, what you can do if the cluster name does not appear in the Lacework FortiCNAPP console, and how you can modify the cluster name that appears in the Lacework FortiCNAPP console.
How Lacework FortiCNAPP derives the cluster name
Depending on your K8s environment and distribution, Lacework FortiCNAPP uses one of several methods to derive the cluster name:
- If your K8s orchestrator supports machine tags, you can add a machine tag named KubernetesCluster to your cluster. Lacework FortiCNAPP can derive the cluster name from that machine tag. See Add KubernetesCluster Machine Tag.
- The Lacework FortiCNAPP agent can also read the cluster name from its local config.json file if it is specified using the KubernetesCluster agent tag, as in the following example. For more information, see Set KubernetesCluster Agent Tag in config.json File.

  ```json
  {
    "tokens": {"AccessToken": "YourAgentAccessToken"},
    "serverurl": "LaceworkServerURL",
    "tags": {"Env": "k8s", "KubernetesCluster": "prod.k8s.local"}
  }
  ```
- When using the Lacework Kubernetes Agent Terraform module, the Kubernetes cluster name can be set explicitly with the following variable in the lacework_k8s_datacollector module:

  ```hcl
  lacework_cluster_name = "my-k8s-cluster"
  ```

  The value should match the name defined in your cloud provider environment. For example, list your Amazon Elastic Kubernetes Service (EKS) clusters with `aws eks list-clusters` to discover the relevant name.
- If your K8s orchestrator does not have the KubernetesCluster machine tag and your config.json file does not have the KubernetesCluster agent tag, Lacework FortiCNAPP attempts to locate a key in the agent data set that resembles k8s.io/cluster-autoscaler/newprod.k8s.local:true and derives the cluster name from it. In this example, newprod.k8s.local is the cluster name.
- If none of the machine tag, the agent tag or the agent data set key is available, the cluster name does not display in the Kubernetes Dashboard in the Lacework FortiCNAPP console.
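The following is an added illustration of the precedence just described, written for this page; it is not the Lacework FortiCNAPP agent's own code. The function names, the input shapes and the sample data are assumptions, as is the order in which the sources are tried when more than one is present (the page only says the data set key is consulted when neither tag exists; here the sources are tried in the order the page lists them). The Terraform variable is treated as reaching the agent through config.json and is therefore not modelled separately (also an assumption). Treating `k8s.io/cluster-autoscaler/enabled` as a feature flag rather than a cluster name is the example's own choice.

```python
"""Illustrative model of the cluster-name precedence described above.

Added example, not Lacework FortiCNAPP code.  Function names, input
shapes and sample data are assumptions.
"""
import json
import re
from typing import Iterable, Mapping, Optional

# Tag name the page documents for both machine tags and the agent tag.
CLUSTER_TAG = "KubernetesCluster"

# Shape of the data-set key shown on the page: "k8s.io/cluster-autoscaler/<name>:true".
# The ":<value>" suffix is optional here (assumption).  "enabled" is skipped because
# "k8s.io/cluster-autoscaler/enabled" is a feature flag, not a cluster name (assumption).
AUTOSCALER_KEY = re.compile(r"^k8s\.io/cluster-autoscaler/(?P<name>[^:]+)(?::.*)?$")
NOT_A_CLUSTER = {"enabled"}


def from_machine_tags(machine_tags: Mapping[str, str]) -> Optional[str]:
    """Method 1: the KubernetesCluster machine tag on the node."""
    name = str(machine_tags.get(CLUSTER_TAG, "")).strip()
    return name or None


def from_agent_config(config_json: str) -> Optional[str]:
    """Method 2: tags.KubernetesCluster in the agent's config.json."""
    try:
        cfg = json.loads(config_json)
    except json.JSONDecodeError:
        return None  # unparsable config.json (e.g. a missing quote) yields no name
    tags = cfg.get("tags") if isinstance(cfg, dict) else None
    if not isinstance(tags, dict):
        return None
    name = str(tags.get(CLUSTER_TAG, "")).strip()
    return name or None


def from_dataset_keys(keys: Iterable[str]) -> Optional[str]:
    """Method 3: a cluster-autoscaler style key in the agent data set."""
    for key in keys:
        m = AUTOSCALER_KEY.match(key)
        if m and m.group("name") not in NOT_A_CLUSTER:
            return m.group("name")
    return None


def derive_cluster_name(machine_tags: Mapping[str, str], config_json: str,
                        dataset_keys: Iterable[str]) -> Optional[str]:
    """Try the sources in the order the page lists them.  None means the
    cluster would not appear in the Kubernetes Dashboard."""
    return (from_machine_tags(machine_tags)
            or from_agent_config(config_json)
            or from_dataset_keys(dataset_keys))


# Constructed sample inputs for a stand-alone run.
SAMPLE_CONFIG = ('{"tokens":{"AccessToken":"x"},"serverurl":"u",'
                 '"tags":{"Env":"k8s","KubernetesCluster":"prod.k8s.local"}}')
SAMPLE_KEYS = ["k8s.io/cluster-autoscaler/enabled:true",
               "k8s.io/cluster-autoscaler/newprod.k8s.local:true"]

if __name__ == "__main__":
    print(derive_cluster_name({"KubernetesCluster": "tagged-cluster"}, SAMPLE_CONFIG, SAMPLE_KEYS))
    print(derive_cluster_name({}, SAMPLE_CONFIG, SAMPLE_KEYS))
    print(derive_cluster_name({}, "{}", SAMPLE_KEYS))
    print(derive_cluster_name({}, "{}", []))
```

The last call returns None, which is the "cluster does not display" case; a malformed config.json (for example a tag name missing its opening quote) behaves the same way as a missing tag, so a cluster that silently disappears from the dashboard is worth checking against a JSON validator first.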
What should I do if a cluster does not display in the Lacework FortiCNAPP console?
A K8s cluster may not display in the K8s dashboard in the Lacework FortiCNAPP console if:
- The Lacework FortiCNAPP agent cannot read the cluster name in your K8s environment. See How Lacework FortiCNAPP derives the cluster name.
- The cluster was not active during the time window you selected in the K8s dashboard in the Lacework FortiCNAPP console.
If a cluster is active, you can do one of the following to display the cluster name in the Kubernetes dashboard:
- Add the KubernetesCluster machine tag (recommended).
- Set the KubernetesCluster agent tag in the config.json file.
- Set the lacework_cluster_name variable in the Lacework Kubernetes agent Terraform module.
Add KubernetesCluster machine tag (recommended)
If your K8s orchestrator supports machine tags, do the following:
To add the KubernetesCluster machine tag:
- Add a machine tag named KubernetesCluster on your cluster and specify the cluster name as the tag value. For example, add the tag on your EKS cluster using the instructions at Tagging Your Amazon EKS Resources. Because this is a machine tag, confirm that it is present on the worker nodes the agent runs on, not only on the cluster object.
- Ensure that the Lacework FortiCNAPP agent has access to the tags in your K8s orchestrator.
  - To provide access to tags on AWS, see Configure access to tags and metadata in AWS.
  - To provide access to labels on Google Cloud, see Configure Access to Labels in Google Cloud.
  - The agent can automatically access tags on Microsoft Azure, so no special configuration is required there.
We recommend this method because it enables the agent to obtain the cluster name from your K8s orchestrator automatically.
Set KubernetesCluster Agent Tag in config.json File
You can set the KubernetesCluster agent tag in the config.json agent configuration file in one of the following ways. We recommend this method if you have built your own Kubernetes cluster rather than using EKS, AKS, GKE or a similar managed orchestrator.
- If you use the Lacework FortiCNAPP Helm chart to deploy the agent, pass the following option to the helm install or helm upgrade command:

  ```shell
  --set laceworkConfig.kubernetesCluster=YourClusterName
  ```

  For example (helm upgrade --install creates the release if it does not exist yet and upgrades it otherwise):

  ```shell
  helm upgrade --install lacework-agent lacework/lacework-agent \
    --namespace lacework --create-namespace \
    --set laceworkConfig.accessToken=LACEWORK_AGENT_TOKEN \
    --set laceworkConfig.serverUrl=LACEWORK_SERVER_URL \
    --set laceworkConfig.kubernetesCluster=YourClusterName
  ```

  For more information about using the Lacework FortiCNAPP Helm chart, see Install using Helm.
- If you use the lacework-cfg-k8s.yaml configmap file to deploy the agent, do the following:
  - Specify the cluster name using the KubernetesCluster tag in the config.json section of the lacework-cfg-k8s.yaml file, as shown below:

    ```yaml
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: lacework-config
    data:
      config.json: |
        {
          "tokens": {"AccessToken": "YourAgentAccessToken"},
          "serverurl": "LaceworkServerURL",
          "tags": {"Env": "k8s", "KubernetesCluster": "YourClusterName"}
        }
    ```
  - Push the updated lacework-cfg-k8s.yaml file to the cluster:

    ```shell
    kubectl replace -f lacework-cfg-k8s.yaml -n lacework
    ```

  For more information about using the lacework-cfg-k8s.yaml configmap file, see Deploy with a DaemonSet.
-
Set the lacework_cluster_name Variable in the Lacework Kubernetes Agent Terraform Module
When using the Lacework Kubernetes Agent Terraform module, the Kubernetes cluster name can be set explicitly with the following variable in the lacework_k8s_datacollector module:

```hcl
lacework_cluster_name = "my-k8s-cluster"
```

The name should match the name defined in your cloud provider environment. For example, list your Amazon EKS clusters with `aws eks list-clusters` to discover the relevant cluster name.
How Can I Modify a Cluster Name in the Lacework FortiCNAPP Console?
Lacework FortiCNAPP allows you to change the cluster name reported by the Lacework FortiCNAPP agent in the Kubernetes Dashboard in the Lacework FortiCNAPP Console.
- If you use the Lacework FortiCNAPP Helm chart to deploy the agent, pass the following option to the helm install or helm upgrade command:

  ```shell
  --set laceworkConfig.kubernetesCluster=YourClusterName
  ```

  For more information about using the Lacework FortiCNAPP Helm chart, see Install using Helm.
- If you use the lacework-cfg-k8s.yaml configmap file to deploy the agent, do the following:
  - Specify the cluster name using the KubernetesCluster tag in the config.json section of the lacework-cfg-k8s.yaml file, as shown below:

    ```yaml
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: lacework-config
    data:
      config.json: |
        {
          "tokens": {"AccessToken": "YourAgentAccessToken"},
          "serverurl": "LaceworkServerURL",
          "tags": {"Env": "k8s", "KubernetesCluster": "YourClusterName"}
        }
    ```
  - Push the updated lacework-cfg-k8s.yaml file to the cluster:

    ```shell
    kubectl replace -f lacework-cfg-k8s.yaml -n lacework
    ```

  For more information about using the lacework-cfg-k8s.yaml configmap file, see DaemonSet Deployment Using a configmap.
- If you use the Lacework Kubernetes Agent Terraform module, add the following variable to your main.tf file within the lacework_k8s_datacollector module:

  ```hcl
  module "lacework_k8s_datacollector" {
    ...
    # This should match the name defined in your cloud provider environment.
    lacework_cluster_name = "my-k8s-cluster"
  }
  ```

  Then re-run `terraform apply` to push the change. Note that `terraform apply -refresh-only` only reconciles Terraform state with what already exists in the cluster and does not apply configuration changes, so it will not update the cluster name.
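The configmap procedure above (the same steps appear in the "Set KubernetesCluster Agent Tag in config.json File" section and in this one) is the place where a hand-edited config.json most often goes wrong, since a single missing quote makes the whole file unreadable for the agent and the cluster simply stops appearing. The following is an added example, written for this page and not Lacework FortiCNAPP tooling, that sets or changes the tag programmatically, validates the JSON before it is pushed, and renders the ConfigMap in the shape shown above. It uses only the standard library, so the manifest is written out directly rather than through a YAML library; the assumption is that the ConfigMap carries a single data key, config.json, and the ConfigMap name follows the page's example. The `kubectl replace -f lacework-cfg-k8s.yaml -n lacework` step from the page is still run separately.

```python
"""Set or change the KubernetesCluster agent tag in a lacework-cfg-k8s.yaml
style ConfigMap and check the result before pushing it with kubectl.

Added example, not Lacework FortiCNAPP tooling.  Assumes the ConfigMap has
a single data key, config.json, and the name used on this page.
"""
import json
from typing import Optional

CLUSTER_TAG = "KubernetesCluster"
CONFIGMAP_NAME = "lacework-config"
DATA_KEY = "config.json"


def is_valid_config(config_json: str) -> bool:
    """True if config.json parses to an object whose tags entry (if any) is an object."""
    try:
        cfg = json.loads(config_json)
    except json.JSONDecodeError:
        return False
    return isinstance(cfg, dict) and isinstance(cfg.get("tags", {}), dict)


def cluster_name_in(config_json: str) -> Optional[str]:
    """Return tags.KubernetesCluster, or None when absent or unreadable."""
    if not is_valid_config(config_json):
        return None
    name = str(json.loads(config_json).get("tags", {}).get(CLUSTER_TAG, "")).strip()
    return name or None


def set_cluster_name(config_json: str, cluster_name: str) -> str:
    """Return config.json with tags.KubernetesCluster set, keeping every other key.

    Refuses malformed input instead of producing a file the agent cannot
    parse, which would silently drop the cluster from the dashboard."""
    cluster_name = cluster_name.strip()
    if not cluster_name:
        raise ValueError("cluster name must not be empty")
    if not is_valid_config(config_json):
        raise ValueError("config.json is not a JSON object with an object-valued tags entry")
    cfg = json.loads(config_json)
    cfg.setdefault("tags", {})[CLUSTER_TAG] = cluster_name
    return json.dumps(cfg, indent=2)


def render_configmap(config_json: str) -> str:
    """Emit the ConfigMap manifest in the shape shown on this page."""
    body = "".join(f"    {line}\n" for line in config_json.splitlines())
    return (
        "apiVersion: v1\n"
        "kind: ConfigMap\n"
        "metadata:\n"
        f"  name: {CONFIGMAP_NAME}\n"
        "data:\n"
        f"  {DATA_KEY}: |\n"
        f"{body}"
    )


def extract_config_json(manifest: str) -> str:
    """Pull the config.json block back out of a manifest produced above so the
    content about to be pushed can be checked with cluster_name_in()."""
    lines = manifest.splitlines()
    try:
        start = lines.index(f"  {DATA_KEY}: |") + 1
    except ValueError:
        return ""
    block = []
    for line in lines[start:]:
        if not line.startswith("    "):
            break
        block.append(line[4:])
    return "\n".join(block)


# Constructed samples: the page's config.json without a cluster tag, and the
# same text with the opening quote before KubernetesCluster missing.
GOOD_CONFIG = ('{"tokens":{"AccessToken":"YourAgentAccessToken"},'
               '"serverurl":"LaceworkServerURL","tags":{"Env":"k8s"}}')
BROKEN_CONFIG = ('{"tokens":{"AccessToken":"YourAgentAccessToken"},'
                 '"serverurl":"LaceworkServerURL",'
                 '"tags":{"Env":"k8s",KubernetesCluster":"prod.k8s.local"}}')

if __name__ == "__main__":
    updated = set_cluster_name(GOOD_CONFIG, "prod.k8s.local")
    manifest = render_configmap(updated)
    print(manifest)
    print("cluster name in manifest:", cluster_name_in(extract_config_json(manifest)))
    print("broken sample valid?", is_valid_config(BROKEN_CONFIG))
```

Write the printed manifest to lacework-cfg-k8s.yaml and push it with the kubectl replace command from the page; the round trip through extract_config_json() is what confirms that the name the agent will read is the one you intended, before anything reaches the cluster.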