
Kubernetes

Boost the security of your Kubernetes environment, otherwise known as K8s, with ThreatKey's Kubernetes integration. Designed to identify misconfigurations and security risks proactively, this integration ensures the robust protection of your container orchestration operations. It also offers robust remediation management capabilities, ensuring a swift and efficient resolution of any identified security threats.

Key features

Security risk identification

With ThreatKey's Kubernetes integration, you can uncover potential security risks and misconfigurations within your Kubernetes environment. Using advanced analytics, the integration identifies potential issues and helps you secure your container orchestration platform.

Remediation management

The Kubernetes integration includes a comprehensive remediation management feature. This capability allows you to oversee and track your remediation efforts, promoting quick and efficient resolutions for any security risks.

Reporting and analytics

Gain a deeper understanding of your Kubernetes environment's security posture with our detailed reporting and analytics. The insights can inform strategic decisions, aid in compliance efforts, and promote continuous security improvement.

Connect your AWS Elastic Kubernetes Service (EKS) cluster to ThreatKey

First, you'll create an AWS policy that describes the permissions we need. Once you have that policy, you'll attach it to either an AWS role or an AWS user. We recommend attaching the policy to an AWS role, but ThreatKey can work with AWS users as well. Then you can grant that AWS principal access to your EKS cluster, point ThreatKey at the EKS cluster, and we'll do the rest!

If you already have an AWS policy attached to an AWS principal, you can skip directly to "Grant the AWS role access to your EKS cluster." Once your AWS principal has access to your EKS cluster, you can continue to "Point ThreatKey at your EKS cluster."

Prepare AWS IAM and connect it to EKS

Create an AWS policy

  1. Go to the AWS IAM Dashboard.

  2. Create an AWS IAM policy.

    1. Use the sidebar to go to the Policies page and select Create policy.
  3. Switch to the JSON version of the policy editor and enter the following JSON.

    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": [
    "eks:AccessKubernetesApi",
    "eks:DescribeCluster",
    "eks:ListClusters"
    ],
    "Resource": "*"
    }
    ]
    }

    With this policy, you can onboard multiple clusters with the same role. Just run the commands in the upcoming "Grant the AWS role access to your EKS cluster" step for each additional cluster.

  4. Continue through the prompts to name your policy something descriptive, such as "TK-EKS-Policy."

  5. Create the policy.

Create an AWS principal

An AWS principal can either be an AWS role or an AWS user.

We recommend setting up an AWS role for ThreatKey so you don't have to copy and paste long-term credentials anywhere.

If you need to use an AWS user instead, we support that as well. We do store the AWS user's permanent long-term credentials securely on our end, but the fact that those credentials exist at all makes AWS users inherently riskier than AWS roles for application authentication.

warning

Please be very careful with the credentials for AWS users.

Option 1: Create an AWS role to use the policy

tip

We recommend this option. If you need to use an AWS user instead, see Option 2.

  1. Go to the AWS IAM Dashboard.
  2. Create a role.
    1. Use the sidebar to go to the Roles page and select Create role.
  3. Select AWS account as the trusted entity type.
  4. Select Another AWS account and enter 742123671053 as the Account ID.
  5. Select Require external ID from the options and enter the unique External ID that we provide in the ThreatKey app.
  6. Continue to the next prompt to add permissions to this new role.
  7. Search for the AWS policy you made earlier and attach it to this role by checking the box next to it.
  8. Continue to the next prompt to name the role something descriptive, such as "ThreatKeyK8sRole."
  9. Create the role.

If you used the policy we provided earlier, you will be able to use this same role to onboard additional EKS clusters as well. Just run the following commands to grant this role access to those clusters.

Grant the AWS role access to your EKS cluster

  1. Open a shell that has kubectl and access to the AWS Command Line Interface.

  2. Provision ThreatKey's K8s ClusterRole and ClusterRoleBinding.

    kubectl apply -f https://threatkey-assets.s3.amazonaws.com/k8s/provision.yml

  3. Replace all the placeholders in this example command and then run it to grant the new AWS role access to your EKS cluster.
    1. The --profile argument is optional and only necessary if you have multiple AWS profiles configured on your machine.

    eksctl create iamidentitymapping \
      --cluster <cluster_name> \
      --region=<region> \
      --arn arn:aws:iam::<aws_account_number>:role/<role_just_created> \
      --username ThreatkeyAccessUser \
      --no-duplicate-arns \
      --profile <profile_associated_with_role_and_eks>
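
The role setup above has two security-relevant properties worth verifying before you hand the role ARN to ThreatKey: the permissions policy grants nothing beyond the three read-only eks actions from the "Create an AWS policy" step, and the trust policy only lets ThreatKey's account assume the role when the External ID matches (the confused-deputy guard from step 5 of Option 1). The identity mapping then decides what that principal can do inside the cluster. The script below is an added example, not ThreatKey's code; it runs offline on constructed sample documents. The trust policy is what the Option 1 console steps produce; the External ID and role ARN are placeholders; the identity-mapping list assumes the field names `rolearn`, `username` and `groups` as used in the aws-auth ConfigMap.

```python
"""Offline checks for the IAM role and EKS identity mapping created on this page.
Added example, not ThreatKey's code. Sample documents below are constructed."""
import json

THREATKEY_ACCOUNT = "742123671053"                     # from the page (Option 1, step 4)
EXPECTED_ACTIONS = {"eks:AccessKubernetesApi",        # from the page's policy JSON
                    "eks:DescribeCluster",
                    "eks:ListClusters"}
MAPPED_USERNAME = "ThreatkeyAccessUser"                # from the eksctl command
EXTERNAL_ID = "EXTERNAL-ID-FROM-THREATKEY-APP"         # placeholder, real one comes from the app
ROLE_ARN = "arn:aws:iam::111122223333:role/ThreatKeyK8sRole"   # placeholder account

# Constructed: the permissions policy exactly as the page gives it.
PERMISSIONS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["eks:AccessKubernetesApi", "eks:DescribeCluster", "eks:ListClusters"],
                 "Resource": "*"}]}""")

# Constructed: the trust policy the Option 1 console steps produce.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::742123671053:root"},
                 "Action": "sts:AssumeRole",
                 "Condition": {"StringEquals": {"sts:ExternalId": "EXTERNAL-ID-FROM-THREATKEY-APP"}}}]}""")

# Constructed identity mappings (assumed aws-auth field names).
GOOD_MAPPINGS = [{"rolearn": ROLE_ARN, "username": MAPPED_USERNAME, "groups": []}]
BAD_MAPPINGS = [  # duplicate ARN, and one copy is cluster-admin
    {"rolearn": ROLE_ARN, "username": MAPPED_USERNAME, "groups": []},
    {"rolearn": ROLE_ARN, "username": MAPPED_USERNAME, "groups": ["system:masters"]},
]


def _as_list(value):
    """IAM allows a single string or a list in Action/Principal/Statement."""
    return value if isinstance(value, list) else [value]


def check_permissions_policy(policy):
    """Findings for any Allow action outside the three read-only eks actions."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        extra = set(_as_list(st.get("Action", []))) - EXPECTED_ACTIONS
        if extra:  # catches wildcards such as eks:* too, since they are not in the set
            findings.append(f"unexpected actions granted: {sorted(extra)}")
    return findings


def check_trust_policy(policy, external_id):
    """Findings if anyone other than ThreatKey's account can assume the role,
    or if the assume is not gated on the External ID."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        trusted = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in trusted:
            if p == "*" or THREATKEY_ACCOUNT not in p:
                findings.append(f"trusted principal is not ThreatKey's account: {p}")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId condition missing or does not match the External ID from the app")
    return findings


def check_identity_mappings(mappings, role_arn):
    """Findings if the role is mapped other than exactly once, under the wrong
    username, or into system:masters (cluster-admin, far beyond provision.yml)."""
    findings = []
    hits = [m for m in mappings if m.get("rolearn") == role_arn]
    if len(hits) != 1:
        findings.append(f"expected exactly one mapping for {role_arn}, found {len(hits)}")
    for m in hits:
        if m.get("username") != MAPPED_USERNAME:
            findings.append(f"mapping username is {m.get('username')!r}, expected {MAPPED_USERNAME!r}")
        if "system:masters" in m.get("groups", []):
            findings.append("mapping puts the principal in system:masters; only the ClusterRole from provision.yml is needed")
    return findings


if __name__ == "__main__":
    for name, result in [("permissions", check_permissions_policy(PERMISSIONS_POLICY)),
                         ("trust", check_trust_policy(TRUST_POLICY, EXTERNAL_ID)),
                         ("mapping", check_identity_mappings(GOOD_MAPPINGS, ROLE_ARN))]:
        print(name, "OK" if not result else result)
```

To run it against a live account, replace the constructed inputs with the output of `aws iam get-policy-version` (permissions), `aws iam get-role` (the `AssumeRolePolicyDocument` field) and the `mapRoles` entries of the aws-auth ConfigMap in kube-system; the checks themselves do not change.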

Option 2: Create an AWS user to use the policy

warning

We recommend using an AWS role instead of an AWS user. To use an AWS role, see Option 1 above.

  1. Go to the AWS IAM Dashboard.
  2. Create an AWS user.
    1. Use the sidebar to go to the Users page and select Create user.
  3. Name the user something descriptive, such as "ThreatKeyK8sUser" and continue to the next prompt.
  4. Select Attach policies directly from the permissions options.
  5. Search for the policy you made earlier and attach it to this user by checking the box next to the policy.
  6. Continue to the next prompt.
  7. Create the user.

Generate credentials for the AWS user

  1. Go to the AWS IAM Dashboard.
  2. Go to the user.
    1. Use the sidebar to go to the Users page and search for the user we created in the earlier section.
    2. Select the user to open that user's page.
  3. Go to the Security credentials pane.
  4. In the Access keys section, select Create access key.
  5. Select Other as your use case.
  6. Create the access key.
  7. Save the Access Key ID and Secret Access Key somewhere secure, such as a password manager.

warning

Please be very careful with the credentials for AWS users.

If you used the policy we provided earlier, you will be able to use these same credentials to onboard additional EKS clusters as well. Just run the following commands to grant this user access to those clusters.

Grant the AWS user access to EKS

  1. Open a shell that has kubectl and access to the AWS Command Line Interface.

  2. Provision ThreatKey's K8s ClusterRole and ClusterRoleBinding.

    kubectl apply -f https://threatkey-assets.s3.amazonaws.com/k8s/provision.yml

  3. Replace all the placeholders in this example command and then run it to grant the new AWS user access to the EKS cluster.
    1. The --profile argument is optional and only necessary if you have multiple AWS profiles configured on your machine.

    eksctl create iamidentitymapping \
      --cluster <cluster_name> \
      --region=<region> \
      --arn arn:aws:iam::<aws_account_number>:user/<user_just_created> \
      --username ThreatkeyAccessUser \
      --no-duplicate-arns \
      --profile <profile_associated_with_role_and_eks>

Point ThreatKey at your EKS cluster

  1. Go to the K8s Source in the ThreatKey Console.
    1. Use the sidebar to go to the Environment page and select the K8s Source.
  2. Select AWS as the provider.
  3. If you made an AWS role earlier, select Role for the secret type. If you made an AWS user, select AKID.
    1. Enter the AWS role ARN or the AWS user Access Key ID and Secret Access Key into the appropriate fields.
  4. Enter the ARN of your EKS cluster.
    1. It should look something like arn:aws:eks:<region>:<account_id>:<cluster_name>.
  5. Connect to Kubernetes!

You should now be able to see your new K8s connection in the Sources section of the ThreatKey Console!

Need help?

We're available to assist with any questions or issues you may run into during the installation and setup process. You can reach us at support@threatkey.com or through our live chat.
