Kubernetes
Visualize Kubernetes resources and monitor changes through queries and alerts.
- Installation guide
- Kubernetes data model
Installation
To use this integration, you must have a running Kubernetes cluster. This integration with JupiterOne will be deployed as a pod and interact with a Kubernetes API server.
Configuration in JupiterOne
To install the Kubernetes integration in JupiterOne
- Navigate to the Integrations tab in JupiterOne and select Kubernetes.
- Click New Instance to begin configuring your integration and provide the following:
The Account Name used to identify the Kubernetes account in JupiterOne. Ingested entities will have this value stored in
tag.AccountNamewhen theAccountNametoggle is enabled.Description to assist in identifying the integration instance, if desired.
- Click Create after all values are provided and your instance appears in the list of all your Kubernetes instances.
- Click the name of the new instance in the list of instances, and go to the API Keys tab.
- Follow the prompts to create the integration API Key.
- Click Reveal and copy the API Key.
For the configuration in Kubernetes, you need:
- The Integration API Key you just created
- The Integration Instance Id (which is listed as ID in the Configuration Settings)
- Your Account ID (listed under Account Management after clicking the gear Icon).
Configuration in Kubernetes using Helm
The easiest way to install and update the graph-kubernetes project is through the published helm chart. You can find information on how to install the JupiterOne repository here with specific information about maintain the graph-kubernetes chart here.
Quickstart
helm repo add jupiterone https://jupiterone.github.io/helm-charts
helm repo update
helm install [RELEASE_NAME] jupiterone/graph-kubernetes --set secrets.jupiteroneAccountId="some-account-id" --set secrets.jupiteroneApiKey="some-api-key" --set secrets.jupiteroneIntegrationInstanceId="some-integration-instance-id"
Configuration in Kubernetes using standard YAML
In addition to Helm, you can utilize YAML as outlined below.
Authentication
RBAC This integration expects a service account with either a specific namespace read-only access, or cluster-wide read-only access.
Creating a service account with namespace read-only access:
- Create a new service account using
kubectl create sa jupiterone-integration. - Assign namespace read-only access using
kubectl create rolebinding jupiterone-integration-view --clusterrole=view --serviceaccount=default:jupiterone-integration --namespace=default.
Creating service account with cluster-wide read-only access:
- Create a new service account using
kubectl create sa jupiterone-integration-cluster. - Assign cluster-wide read-only access using
kubectl apply -f clusterRole.ymlandkubectl apply -f clusterRoleBinding.yml.
If you are using a different service account name or different namespace name, ensure you use the correct name in both the commands/YAML listed above.
Secrets
The integration requires you to store your jupiterone account ID, jupiterone API key, and integration ID as secrets that will be read by the pod.
Update the createSecret.yml with base64-encoded values using kubectl apply -f createSecret.yml.
Deploying
To deploy the built image as a pod:
- a. To create cronjob deployment for a service account with namespace read-only access, use:
kubectl apply -f cronjobNamespace.yml - b. To create deployment for a service account with entire cluster read-only access use:
kubectl apply -f cronjobCluster.yml
Debugging
To check if the cronjob has been created, use:
kubectl get cronjobTo check if the cronjob has spawned any jobs, use:
kubectl get jobTo see the logs, use:
kubectl logs --selector job-name=job-name
Uninstall
To delete the deployment, use:
kubectl delete cronjob <name>To delete the service account, use:
kubectl delete serviceaccount <serviceaccount> -n <namespace>To delete the cluster role binding, use:
`kubectl delete clusterrolebinding <clusterrolebinding>To delete the cluster role binding, use:
kubectl delete clusterole <clusterrole>
Upgrading
To upgrade a particular resource such as cronjob and secrets, reapply the yaml using:
kubectl apply -f resourceFile.yaml
Telemetry and Diagnostics
The Helm charts and vanilla Kubernetes YAML are instrumented with the OpenTelemetry Collector and FluentBit with FluentBit forwarding docker logs into the OpenTelemetry Collector. If you want to forward the same telemetry to your own internal systems (CloudWatch, Prometheus, etc) configure the collector to point to them and update the manifests.
Data Model
Entities
The following entities are created:
| Resources | Entity _type | Entity _class |
|---|---|---|
| Kubernetes Cluster | kube_cluster | Cluster |
| Kubernetes Cluster Role | kube_cluster_role | AccessRole |
| Kubernetes Cluster Role Binding | kube_cluster_role_binding | AccessPolicy |
| Kubernetes ConfigMap | kube_config_map | Configuration |
| Kubernetes Container | kube_container | Container |
| Kubernetes Container Spec | kube_container_spec | Configuration |
| Kubernetes CronJob | kube_cron_job | Task |
| Kubernetes DaemonSet | kube_daemon_set | Deployment |
| Kubernetes Deployment | kube_deployment | Deployment |
| Kubernetes Image | kube_image | Image |
| Kubernetes Job | kube_job | Task |
| Kubernetes Namespace | kube_namespace | Group |
| Kubernetes Network Policy | kube_network_policy | Configuration |
| Kubernetes Node | kube_node | Host |
| Kubernetes Pod | kube_pod | Task |
| Kubernetes ReplicaSet | kube_replica_set | Deployment |
| Kubernetes Role | kube_role | AccessRole |
| Kubernetes Role Binding | kube_role_binding | AccessPolicy |
| Kubernetes Secret | kube_secret | Vault |
| Kubernetes Service | kube_service | Service |
| Kubernetes Service Account | kube_service_account | User |
| Kubernetes StatefulSet | kube_stateful_set | Deployment |
| Kubernetes User | kube_user | User |
| Kubernetes Volume | kube_volume | Disk |
Relationships
The following relationships are created:
Source Entity _type | Relationship _class | Target Entity _type |
|---|---|---|
kube_cluster | CONTAINS | kube_cluster_role |
kube_cluster | CONTAINS | kube_cluster_role_binding |
kube_cluster | CONTAINS | kube_namespace |
kube_container_spec | USES | kube_volume |
kube_cron_job | USES | kube_container_spec |
kube_cron_job | MANAGES | kube_job |
kube_daemon_set | USES | kube_container_spec |
kube_deployment | USES | kube_container_spec |
kube_deployment | MANAGES | kube_replica_set |
kube_job | USES | kube_container_spec |
kube_job | MANAGES | kube_pod |
kube_namespace | CONTAINS | kube_config_map |
kube_namespace | CONTAINS | kube_cron_job |
kube_namespace | CONTAINS | kube_daemon_set |
kube_namespace | CONTAINS | kube_deployment |
kube_namespace | CONTAINS | kube_job |
kube_namespace | CONTAINS | kube_network_policy |
kube_namespace | CONTAINS | kube_replica_set |
kube_namespace | CONTAINS | kube_role |
kube_namespace | CONTAINS | kube_role_binding |
kube_namespace | CONTAINS | kube_secret |
kube_namespace | CONTAINS | kube_service |
kube_namespace | CONTAINS | kube_service_account |
kube_namespace | CONTAINS | kube_stateful_set |
kube_node | HAS | kube_image |
kube_node | HAS | kube_pod |
kube_pod | CONTAINS | kube_container |
kube_replica_set | USES | kube_container_spec |
kube_replica_set | USES | kube_image |
kube_replica_set | MANAGES | kube_pod |
kube_stateful_set | MANAGES | kube_pod |
Mapped Relationships
The following mapped relationships are created:
Source Entity _type | Relationship _class | Target Entity _type | Direction |
|---|---|---|---|
kube_cluster | IS | *azure_kubernetes_cluster* | FORWARD |
kube_cluster | IS | *google_container_cluster* | FORWARD |