ZCSPM provides an agent that can be installed on your Amazon Elastic Kubernetes Service (EKS) cluster and VM hosted Kubernetes clusters to support the security policies listed in the CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 and CIS AWS EKS - Kubernetes Benchmark v1.5.1 benchmarks.

The agent is container-based and is deployed as a cronjob in your Kubernetes cluster. The agent will collect all necessary data which needs to be checked against the security policies listed in the CIS benchmark. To learn more, see AWS security policies.

You must be a License Admin to configure the ZCSPM agent.

Prerequisite

Before you begin setting up the ZCSPM agent, you need to:

1. Install the AWS Command Line Interface.
2. Install and set up kubectl.
3. Install and set up Helm 3.0 or higher.
4. Add ZCSPM Helm repo.
   1. Add the ZCSPM Helm repo using the following command:

   helm repo add zcspm https://charts.cloudneeti.com

   2. Verify the Helm repo addition using the following command:

   helm repo list

   3. List the available ZCSPM Helm charts using the following command:

   helm search repo zcspm --versions

   Close

Configuring the ZCSPM Agent

To configure the ZCSPM agent:

• 1. Associate your Kubernetes cluster with your AWS cloud account in ZCSPM.
  1. On the ZCSPM Admin Portal, go to Configurations > Cloud Accounts.
  2. Expand AWS, and click Configure Account next to the cloud account which needs to be associated with your Kubernetes cluster.
  3. Click K8s Cluster Association from the drop-down menu, then click Associate Cluster in the top-right corner.
  4. Enter the Kubernetes Cluster Name, select your Cluster Hosting, and click Save.

  See image.

  

  Close

  5. The zcspm-agent-config JSON file will be downloaded. The JSON file has the information you need to deploy the ZCSPM agent in your Kubernetes cluster:
     • ZCSPM License ID
     • ZCSPM Account ID
     • Cluster Name
     • ZCSPM Environment
     • Cluster Hosting
  6. Along with the JSON file, you need the following information to deploy the ZCSPM agent:
     • ZCSPM API Key

       To generate the ZCSPM API Key:

       1. Sign up at the ZCSPM API portal.
       2. From the top navigation bar, go to PRODUCTS > Unlimited.
       3. Under Customer-Api, click Subscribe. Zscaler will then activate your subscription and send you an email confirmation.
       4. After you receive the email confirmation, click on your Username on the top-right corner.
       5. Select your profile and click Show next to the Primary key.

       Close
     • ZCSPM API App ID and Secret

       To create a ZCSPM API application:

       1. In the ZCSPM Admin Portal, select the License from the drop-down menu in which you want to create a ZCSPM API application.
       2. Go to Configurations > API Access.
       3. Click Create API Application in the top-right corner.
       4. Enter the API Application Name, and select APIs from the drop-down menu.
       5. Select the Account.InsertKubernetesClusterData from the APIs Scope drop-down menu, then select the Token Expiry duration from the drop-down menu.
       6. Set the Secret Expiry date and click Save.
       7. From the pop-up menu, copy the API Application Secret and click Done.
       8. Copy the API Application ID.

       Close

  Close
• 2. Deploy the ZCSPM agent on your cluster.
  • EKS
    1. Access the Kubernetes cluster using the following command:

     aws eks --region <region> update-kubeconfig --name <cluster_name>

    2. Deploy the ZCSPM agent on the Kubernetes cluster using the following command:

     helm install <release-name> zcspm/zcspm-agent `
     --set clusterName=<cluster-name-as-onboarded-on-zcspm> `
     --set licenseId=<zcspm-license-id> `
     --set accountId=<zcspm-account-id> `
     --set zcspmEnvironment=<environment-prefix (qa/trial/prod/prod1)> `
     --set zcspmApiAppId=<api-app-id> `
     --set zcspmAPIKey=<zcspm-apimgmt-key> `
     --set zcspmAPIAppSecret=<api-app-secret> `
     --set clusterHosting="EKS"

    Close
  • EC2 instance hosted
    1. Access the Kubernetes cluster.
    2. Download the kubeconfig file from the EC2-hosted instance kubernetes cluster and save it on your local machine.
    3. Verify K8s cluster access using the following command:

    kubectl cluster-info --kubeconfig ./kubeconfig
    

    4. Deploy the ZCSPM agent on the Kubernetes cluster using the following command:

     helm install <release-name> zcspm/zcspm-agent `
     --set clusterName=<cluster-name-as-onboarded-on-zcspm> `
     --set licenseId=<zcspm-license-id> `
     --set accountId=<zcspm-account-id> `
     --set zcspmEnvironment=<environment-prefix (qa/trial/prod/prod1)> `
     --set zcspmApiAppId=<api-app-id> `
     --set zcspmAPIKey=<zcspm-apimgmt-key> `
     --set zcspmAPIAppSecret=<api-app-secret> `
     --set clusterHosting="EC2-Instance-hosted"

    Close

  Close
• 3. Verify the ZCSPM agent installation.

  To verify the ZCSPM agent installation:

  1. Verify the namespace using the following command:

  kubectl get namespace
  

  NAME                STATUS         AGE
  zcspm               Active         11m
  default             Active         15d
  kube-node-lease     Active         15d
  kube-public         Active         15d
  kube-system         Active         15d
  

  2. Verify the ZCSPM agent cronjob deployment using the following command:

  kubectl get cronjob --namespace zcspm
  

  NAME                   SCHEDULE         SUSPEND        ACTIVE         LAST SCHEDULE           AGE
  zcspm-agent            0 12 * * *       False          0              <none>                  18h
  

  3. Trigger the cronjob using the following command:

  kubectl create job <job-name> --from=cronjobs/zcspm-agent --namespace zcspm
  

  job.batch/sanity created
  

  4. Get jobs using the following command:

  kubectl get job --namespace zcspm
  

  5. Verify the job logs of the ZCSPM agent using the following command:

  kubectl get pods --selector job-name=<job-name> --namespace zcspm
  

  NAME           READY     STATUS       RESTARTS       AGE
  sanity-2jkfc   0/2       Completed    0              46s
  

  6. Get the ZCSPM agent pod and verify the data was successfully sent to ZCSPM using the following command:

  kubectl logs <ZCSPM-agent-pod-name> -c zcspm-agent --namespace zcspm

  Close
• 4. Verify CIS Kubernetes v1.5.1 benchmark's security policy results.

  If the agent was installed successfully, you can view the policy results on ZCSPM. To view:

  1. On the ZCSPM Admin Portal, go to Dashboard > Compliance.
  2. Click CIS EKS K8s v1.5.1.

  Close

Upgrading the ZCSPM Agent

Whenever ZCSPM releases a new agent version, you can upgrade your agent to the latest version using Helm. To upgrade the ZCSPM agent:

1. Update the ZCSPM Helm repository using the following command:

helm repo update

2. Upgrade the ZCSPM agent using the following command:

helm upgrade <release-name> zcspm/zcspm-agent --reuse-values

Updating the ZCSPM Agent parameters

You can update individual agent parameters such as API key using the following command:

helm upgrade <release-name> zcspm/zcspm-agent --set <parameter-to-update>=<value> --reuse-values

Roll back the ZCSPM agent to a previous version

If you face any issue with the newly upgraded ZCSPM agent, you can always roll back to a previous version of the agent using the following command:

helm rollback <release-name>

Offboarding your Kubernetes cluster

To offboard your Kubernetes cluster:

1. Disassociate your Kubernetes cluster from ZCSPM:
   1. Go to Configurations > Cloud Accounts.
   2. Expand any one of the cloud service providers.
   3. Click Configure Account for the cloud account which is associated with your Kubernetes cluster.
   4. Click K8s Clusters Association.
   5. Click the Delete icon to disassociate your Kubernetes cluster from ZCSPM.
2. Delete the ZCSPM Agent from your Kubernetes cluster:
   1. Connect to your Kubernetes cluster.
   2. List down the Helm releases associated with the ZCSPM agent using the following command:

   helm list

   3. Delete the cluster using the following command:

   helm delete <release-name>