The following instructions show how to deploy a simple application that reads EKS Kubernetes audit logs and forwards them to the Sysdig Secure agent. The steps below show an example configuration implemented with the AWS console, but the same can be done with scripts, API calls or Infrastructure-as-Code configurations.
These instructions have been tested with eks.5 on Kubernetes v1.14.
Your EKS cluster needs to be configured to forward audit logs to CloudWatch; this is disabled by default.
- Open the EKS dashboard from the AWS console
- Select your cluster > Logging > Update and enable Audit
Your VPC needs an endpoint for the service com.amazonaws.<your-region>.logs, accessible from all the EKS security groups.
- Open the VPC dashboard from the AWS console
- Select Endpoints > Create Endpoints
- Select "Find service by name", enter com.amazonaws.<your-region>.logs and click "Verify"
- Under VPC, select your cluster's VPC
- Select all security groups
The EC2 instances that make up your EKS cluster must have the necessary permission to read CloudWatch logs. Usually they all share the same IAM Role, so that is the one to configure.
- Open the EC2 dashboard from the AWS console
- Select the AWS EC2 instances that are configured as cluster nodes
- Select the associated IAM Role, which should be the same for all nodes
- Find the policy CloudWatchReadOnlyAccess and attach it
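The three prerequisites above (audit logging enabled, a CloudWatch Logs interface endpoint reachable from the node security groups, and CloudWatchReadOnlyAccess on the node role) are easy to get partly wrong, and the forwarder then fails silently. The following preflight check is an added example, not part of the original instructions or of the forwarder project: it inspects the plain response dictionaries of eks:DescribeCluster, ec2:DescribeVpcEndpoints and iam:ListAttachedRolePolicies, so the logic runs offline against the constructed samples embedded below. Only the `main()` function talks to AWS and assumes boto3 and working credentials; all cluster, VPC, security-group and role identifiers in it are placeholders you supply.

```python
"""Preflight check for the EKS audit-log forwarding prerequisites.

Added example, not part of the original instructions. The check functions take
plain API response dictionaries so they can be exercised offline on the
constructed samples at the bottom; main() assumes boto3 and AWS credentials
and is the only part that talks to AWS.
"""

CW_READ_POLICY_ARN = "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess"


def audit_logging_enabled(describe_cluster):
    """True if the eks:DescribeCluster response shows the 'audit' log type enabled."""
    entries = describe_cluster.get("cluster", {}).get("logging", {}).get("clusterLogging", [])
    return any(e.get("enabled") and "audit" in e.get("types", []) for e in entries)


def logs_endpoint_missing_groups(describe_vpc_endpoints, region, vpc_id, node_sg_ids):
    """Return the node security groups that no available CloudWatch Logs interface
    endpoint in the VPC is associated with (empty set means the endpoint is OK).
    Returns None if the VPC has no such endpoint at all."""
    wanted = f"com.amazonaws.{region}.logs"
    covered = set()
    found = False
    for ep in describe_vpc_endpoints.get("VpcEndpoints", []):
        if (ep.get("ServiceName") == wanted and ep.get("VpcId") == vpc_id
                and ep.get("VpcEndpointType") == "Interface" and ep.get("State") == "available"):
            found = True
            covered.update(g["GroupId"] for g in ep.get("Groups", []))
    if not found:
        return None
    return set(node_sg_ids) - covered


def role_has_cw_read(list_attached_role_policies):
    """True if iam:ListAttachedRolePolicies lists the CloudWatchReadOnlyAccess managed policy."""
    return any(p.get("PolicyArn") == CW_READ_POLICY_ARN
               for p in list_attached_role_policies.get("AttachedPolicies", []))


def preflight(describe_cluster, describe_vpc_endpoints, attached_policies, region, vpc_id, node_sg_ids):
    """Collect human-readable problems; an empty list means all three prerequisites hold."""
    problems = []
    if not audit_logging_enabled(describe_cluster):
        problems.append("EKS audit logging to CloudWatch is not enabled")
    missing = logs_endpoint_missing_groups(describe_vpc_endpoints, region, vpc_id, node_sg_ids)
    if missing is None:
        problems.append(f"no available com.amazonaws.{region}.logs interface endpoint in {vpc_id}")
    elif missing:
        problems.append("logs endpoint not associated with node security groups: " + ", ".join(sorted(missing)))
    if not role_has_cw_read(attached_policies):
        problems.append(f"node role lacks {CW_READ_POLICY_ARN}")
    return problems


# Constructed sample responses: shapes follow the AWS API, all IDs are placeholders.
SAMPLE_CLUSTER = {"cluster": {"name": "demo", "logging": {"clusterLogging": [
    {"types": ["api", "audit"], "enabled": True},
    {"types": ["authenticator", "controllerManager", "scheduler"], "enabled": False}]}}}
SAMPLE_ENDPOINTS = {"VpcEndpoints": [{
    "VpcEndpointId": "vpce-0example", "VpcEndpointType": "Interface", "VpcId": "vpc-0example",
    "ServiceName": "com.amazonaws.us-east-1.logs", "State": "available",
    "Groups": [{"GroupId": "sg-0node", "GroupName": "eks-nodes"}]}]}
SAMPLE_POLICIES = {"AttachedPolicies": [
    {"PolicyName": "AmazonEKSWorkerNodePolicy", "PolicyArn": "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"},
    {"PolicyName": "CloudWatchReadOnlyAccess", "PolicyArn": CW_READ_POLICY_ARN}]}


def main(cluster_name, vpc_id, role_name, node_sg_ids, region="us-east-1"):
    """Live variant: the same checks against real AWS responses (assumes boto3 + credentials)."""
    import boto3  # assumption: boto3 is installed and credentials are configured
    eks, ec2, iam = (boto3.client(s, region_name=region) for s in ("eks", "ec2", "iam"))
    cluster = eks.describe_cluster(name=cluster_name)
    endpoints = ec2.describe_vpc_endpoints(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])
    policies = iam.list_attached_role_policies(RoleName=role_name)
    return preflight(cluster, endpoints, policies, region, vpc_id, node_sg_ids)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; prints [] when everything is in place.
    print(preflight(SAMPLE_CLUSTER, SAMPLE_ENDPOINTS, SAMPLE_POLICIES,
                    "us-east-1", "vpc-0example", ["sg-0node"]))
```

Run it against the samples to see the empty result, then call `main()` with your own cluster name, VPC ID, node role name and node security-group IDs before deploying the forwarder. Note that the endpoint check requires every node security group to be associated with the endpoint, which is what the "Select all security groups" step above achieves; a node in a group that was added later will not reach the Logs service through the endpoint.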
We can now deploy the log forwarder itself along with its configmap.
$ kubectl --namespace sysdig-agent apply -f ./ekscloudwatch-config.yaml
configmap/ekscloudwatch-config created
$ kubectl --namespace sysdig-agent apply -f ./deployment.yaml
deployment.apps/eks-cloudwatch created
To check that the forwarder is configured and working correctly, inspect the logs of the pod you just deployed in the sysdig-agent namespace.
You should then see Kubernetes audit events in the Sysdig Secure dashboard.