Configuring the ZCSPM Agent for the Amazon Elastic Kubernetes Service
ZCSPM provides an agent that can be installed on your Amazon Elastic Kubernetes Service (EKS) cluster and on VM-hosted Kubernetes clusters to support the security policies listed in the CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 and the CIS AWS EKS - Kubernetes Benchmark v1.5.1.
The agent is container-based and is deployed as a cronjob in your Kubernetes cluster. The agent collects the data that needs to be checked against the security policies listed in the CIS benchmarks. To learn more, see AWS security policies.
You must be a License Admin to configure the ZCSPM agent.
Prerequisites
Before you begin setting up the ZCSPM agent, you need to:
- Install the AWS Command Line Interface.
- Install and set up kubectl.
- Install and set up Helm 3.0 or higher.
- Add ZCSPM Helm repo.
- Add the ZCSPM Helm repo using the following command:
helm repo add zcspm https://charts.cloudneeti.com
- Verify the Helm repo addition using the following command:
helm repo list
- List the available ZCSPM Helm charts using the following command:
helm search repo zcspm --versions
Configuring the ZCSPM Agent
To configure the ZCSPM agent:
- 1. Associate your Kubernetes cluster with your AWS cloud account in ZCSPM.
- On the ZCSPM Admin Portal, go to Configurations > Cloud Accounts.
- Expand AWS, and click Configure Account next to the cloud account which needs to be associated with your Kubernetes cluster.
- Click K8s Cluster Association from the drop-down menu, then click Associate Cluster in the top-right corner.
- Enter the Kubernetes Cluster Name, select your Cluster Hosting, and click Save.
- The zcspm-agent-config JSON file will be downloaded. The JSON file has the information you need to deploy the ZCSPM agent in your Kubernetes cluster:
- ZCSPM License ID
- ZCSPM Account ID
- Cluster Name
- ZCSPM Environment
- Cluster Hosting
- Along with the JSON file, you need the following information to deploy the ZCSPM agent:
- ZCSPM API Key
To generate the ZCSPM API Key:
- Sign up at the ZCSPM API portal.
- From the top navigation bar, go to PRODUCTS > Unlimited.
- Under Customer-Api, click Subscribe. Zscaler will then activate your subscription and send you an email confirmation.
- After you receive the email confirmation, click on your Username on the top-right corner.
- Select your profile and click Show next to the Primary key.
- ZCSPM API App ID and Secret
To create a ZCSPM API application:
- In the ZCSPM Admin Portal, select the License from the drop-down menu in which you want to create a ZCSPM API application.
- Go to Configurations > API Access.
- Click Create API Application in the top-right corner.
- Enter the API Application Name, and select APIs from the drop-down menu.
- Select the Account.InsertKubernetesClusterData from the APIs Scope drop-down menu, then select the Token Expiry duration from the drop-down menu.
- Set the Secret Expiry date and click Save.
- From the pop-up menu, copy the API Application Secret and click Done.
- Copy the API Application ID.
- 2. Deploy the ZCSPM agent on your cluster.
- EKS
- Access the Kubernetes cluster using the following command:
aws eks --region <region> update-kubeconfig --name <cluster_name>
- Deploy the ZCSPM agent on the Kubernetes cluster using the following command:
helm install <release-name> zcspm/zcspm-agent `
  --set clusterName=<cluster-name-as-onboarded-on-zcspm> `
  --set licenseId=<zcspm-license-id> `
  --set accountId=<zcspm-account-id> `
  --set zcspmEnvironment=<environment-prefix (qa/trial/prod/prod1)> `
  --set zcspmApiAppId=<api-app-id> `
  --set zcspmAPIKey=<zcspm-apimgmt-key> `
  --set zcspmAPIAppSecret=<api-app-secret> `
  --set clusterHosting="EKS"
- EC2 instance hosted
- Access the Kubernetes cluster.
- Download the kubeconfig file from the EC2 instance-hosted Kubernetes cluster and save it on your local machine.
- Verify K8s cluster access using the following command:
kubectl cluster-info --kubeconfig ./kubeconfig
- Deploy the ZCSPM agent on the Kubernetes cluster using the following command:
helm install <release-name> zcspm/zcspm-agent `
  --set clusterName=<cluster-name-as-onboarded-on-zcspm> `
  --set licenseId=<zcspm-license-id> `
  --set accountId=<zcspm-account-id> `
  --set zcspmEnvironment=<environment-prefix (qa/trial/prod/prod1)> `
  --set zcspmApiAppId=<api-app-id> `
  --set zcspmAPIKey=<zcspm-apimgmt-key> `
  --set zcspmAPIAppSecret=<api-app-secret> `
  --set clusterHosting="EC2-Instance-hosted"
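Typing the API key and application secret as --set arguments leaves them in shell history. As an added example that is not part of ZCSPM or its chart, the Python helper below builds a Helm values file from the downloaded zcspm-agent-config JSON plus secrets read from environment variables, validates the enumerated parameters, and writes the file owner-only. The JSON key spelling, the environment variable names and the sample values are assumptions.

```python
import json
import os

# Allowed values for two chart parameters, as listed on this page.
ENVIRONMENTS = {"qa", "trial", "prod", "prod1"}
HOSTINGS = {"EKS", "EC2-Instance-hosted"}
# Assumed key spelling inside zcspm-agent-config JSON (the page names the fields only).
CONFIG_KEYS = ("licenseId", "accountId", "clusterName", "zcspmEnvironment", "clusterHosting")
# Secrets come from env vars (names chosen here), so they never pass through --set or shell history.
SECRET_ENV = {
    "zcspmApiAppId": "ZCSPM_API_APP_ID",
    "zcspmAPIKey": "ZCSPM_API_KEY",
    "zcspmAPIAppSecret": "ZCSPM_API_APP_SECRET",
}
# Constructed sample of the downloaded JSON with placeholder values.
SAMPLE_CONFIG = {
    "licenseId": "00000000-0000-0000-0000-0000000000aa",
    "accountId": "00000000-0000-0000-0000-0000000000bb",
    "clusterName": "demo-eks-cluster",
    "zcspmEnvironment": "prod",
    "clusterHosting": "EKS",
}

def build_values(config, env):
    """Merge config fields and secret env vars into one Helm values dict, or raise."""
    values = {key: config.get(key) for key in CONFIG_KEYS}
    values.update({key: env.get(var) for key, var in SECRET_ENV.items()})
    missing = sorted(k for k, v in values.items() if not v)
    if missing:
        raise ValueError("missing required values: " + ", ".join(missing))
    if values["zcspmEnvironment"] not in ENVIRONMENTS:
        raise ValueError("zcspmEnvironment must be one of %s" % sorted(ENVIRONMENTS))
    if values["clusterHosting"] not in HOSTINGS:
        raise ValueError("clusterHosting must be one of %s" % sorted(HOSTINGS))
    return values

def render_yaml(values):
    """Flat YAML; json.dumps quotes every scalar so IDs are never reparsed as numbers."""
    return "".join("%s: %s\n" % (k, json.dumps(str(v))) for k, v in values.items())

def write_values_file(config_path, out_path, env=os.environ):
    """Write an owner-only values file for: helm install <release> zcspm/zcspm-agent -f <out_path>"""
    with open(config_path) as f:
        text = render_yaml(build_values(json.load(f), env))
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as out:
        out.write(text)
    os.chmod(out_path, 0o600)  # the umask may have widened the mode at creation
    return text
```

Install with `helm install <release-name> zcspm/zcspm-agent -f values.yaml`. Helm still stores the supplied values in the release Secret in the cluster, so anyone who can read Secrets in that namespace can recover them with `helm get values`; restrict that RBAC accordingly.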
- 3. Verify the ZCSPM agent installation.
To verify the ZCSPM agent installation:
- Verify the namespace using the following command:
kubectl get namespace
NAME              STATUS   AGE
zcspm             Active   11m
default           Active   15d
kube-node-lease   Active   15d
kube-public       Active   15d
kube-system       Active   15d
- Verify the ZCSPM agent cronjob deployment using the following command:
kubectl get cronjob --namespace zcspm
NAME          SCHEDULE     SUSPEND   ACTIVE   LAST SCHEDULE   AGE
zcspm-agent   0 12 * * *   False     0        <none>          18h
- Trigger the cronjob using the following command:
kubectl create job <job-name> --from=cronjobs/zcspm-agent --namespace zcspm
job.batch/sanity created
- Get jobs using the following command:
kubectl get job --namespace zcspm
- List the pods created by the ZCSPM agent job using the following command:
kubectl get pods --selector job-name=<job-name> --namespace zcspm
NAME           READY   STATUS      RESTARTS   AGE
sanity-2jkfc   0/2     Completed   0          46s
- Get the ZCSPM agent pod and verify the data was successfully sent to ZCSPM using the following command:
kubectl logs <ZCSPM-agent-pod-name> -c zcspm-agent --namespace zcspm
- 4. Verify the CIS Kubernetes v1.5.1 benchmark security policy results.
If the agent was installed successfully, you can view the policy results on ZCSPM. To view:
- On the ZCSPM Admin Portal, go to Dashboard > Compliance.
- Click CIS EKS K8s v1.5.1.
Upgrading the ZCSPM Agent
Whenever ZCSPM releases a new agent version, you can upgrade your agent to the latest version using Helm. To upgrade the ZCSPM agent:
- Update the ZCSPM Helm repository using the following command:
helm repo update
- Upgrade the ZCSPM agent using the following command:
helm upgrade <release-name> zcspm/zcspm-agent --reuse-values
Updating the ZCSPM Agent parameters
You can update individual agent parameters, such as the API key, using the following command:
helm upgrade <release-name> zcspm/zcspm-agent --set <parameter-to-update>=<value> --reuse-values
Roll back the ZCSPM agent to a previous version
If you face any issue with the newly upgraded ZCSPM agent, you can always roll back to a previous version of the agent using the following command:
helm rollback <release-name>
Offboarding your Kubernetes cluster
To offboard your Kubernetes cluster:
- Disassociate your Kubernetes cluster from ZCSPM:
- Go to Configurations > Cloud Accounts.
- Expand any one of the cloud service providers.
- Click Configure Account for the cloud account which is associated with your Kubernetes cluster.
- Click K8s Clusters Association.
- Click the Delete icon to disassociate your Kubernetes cluster from ZCSPM.
- Delete the ZCSPM Agent from your Kubernetes cluster:
- Connect to your Kubernetes cluster.
- List the Helm releases associated with the ZCSPM agent using the following command:
helm list
- Delete the ZCSPM agent Helm release using the following command:
helm delete <release-name>