If there are Kubernetes nodes among the instances that are mirrored to the STA, the STA can automatically enrich source and destination IPs in its events with information about the pod or node that generated this traffic.
To get this to work, follow these simple steps:
Self-hosted Kubernetes (non-EKS)
1. During the STA’s installation, set an S3 bucket to store the configuration (using the ConfigS3Bucket CloudFormation/Terraform parameter).
2. Create a kube config file whose credentials allow at least kubectl get nodes and kubectl get pods, and upload it to the root of that S3 bucket under the name kube.config.
AWS EKS
1. During the STA’s installation, set an empty S3 bucket to store the configuration (using the ConfigS3Bucket CloudFormation/Terraform parameter).
2. Open the AWS EC2 console, click the STA instance, navigate to the Security tab and click the STA’s IAM role.
3. Copy the role’s ARN to the clipboard or to a text file.
4. Click the policy named “cgx_sta”, click “Add additional permissions”, click “Choose a service” and select “STS”.
5. In the “Actions” section, click the tiny triangle next to “Write” and select “AssumeRole”.
6. In the “Resources” section, click the tiny triangle next to “Resources” and click “Add ARN”. In the top text box under “Specify ARN for role”, replace all the text with the ARN you copied in step 3 and click “Add”. Click “Review policy” and then “Save changes”.
7. Connect to your AWS environment via the CLI and run the following command:
8. Use this command on your EKS management instance to generate the kube config file:
9. Under mapRoles: add the following content (for rolearn, paste the ARN you copied in step 3; for username, copy and paste the last part of that ARN after the slash):
10. Upload the ~/.kube/config file to the S3 bucket chosen to hold the configuration under the name kube.config.
The following steps are optional: the system carries them out automatically, but running them now applies the new settings immediately.
Log in to the STA via SSH and run the following commands:
sta-force-sync-configs
(If it returns with a message saying it has collided with one of the STA’s core services, wait three minutes and try again.)
sta-restart-enrichment-k8s-context
You should now see that events from the STA are enriched with one of the fields source_ip_k8sinfo or destination_ip_k8sinfo, or both:
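As an added illustration (not STA code and not part of the original page), this models the enrichment described above: an IP-to-owner index is built from constructed JSON in the shape of kubectl get nodes / kubectl get pods output, then used to attach source_ip_k8sinfo and destination_ip_k8sinfo to a sample event. Node and pod names, addresses and the exact contents of the k8sinfo fields are assumptions; a hostNetwork pod shares its node's IP, and the index keeps the node as the owner of that address.

```python
import json

# Constructed sample data in the shape of `kubectl get nodes -o json` and
# `kubectl get pods -A -o json` (hypothetical names and addresses, not real output).
NODES_JSON = json.dumps({"items": [
    {"metadata": {"name": "ip-10-0-1-10.ec2.internal"},
     "status": {"addresses": [{"type": "InternalIP", "address": "10.0.1.10"},
                              {"type": "Hostname", "address": "ip-10-0-1-10"}]}}]})
PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "web-7c9f", "namespace": "shop"},
     "spec": {"nodeName": "ip-10-0-1-10.ec2.internal"},
     "status": {"podIPs": [{"ip": "10.244.3.7"}]}},
    {"metadata": {"name": "node-exporter-x1", "namespace": "monitoring"},
     "spec": {"nodeName": "ip-10-0-1-10.ec2.internal", "hostNetwork": True},
     "status": {"podIPs": [{"ip": "10.0.1.10"}]}}]})


def build_ip_index(nodes_json, pods_json):
    """Map every node and pod IP to a description of what owns it."""
    index = {}
    for node in json.loads(nodes_json)["items"]:
        for addr in node["status"]["addresses"]:
            if addr["type"] in ("InternalIP", "ExternalIP"):
                index[addr["address"]] = {"kind": "node", "name": node["metadata"]["name"]}
    for pod in json.loads(pods_json)["items"]:
        # hostNetwork pods reuse the node's IP, so the node stays the owner of that address
        if pod["spec"].get("hostNetwork"):
            continue
        for pod_ip in pod["status"].get("podIPs", []):  # pending pods have no podIPs yet
            index[pod_ip["ip"]] = {"kind": "pod", "name": pod["metadata"]["name"],
                                   "namespace": pod["metadata"]["namespace"],
                                   "node": pod["spec"].get("nodeName")}
    return index


def enrich_event(event, index):
    """Add source_ip_k8sinfo / destination_ip_k8sinfo for IPs that belong to the cluster."""
    enriched = dict(event)
    for field in ("source_ip", "destination_ip"):
        info = index.get(event.get(field))
        if info is not None:
            enriched[field + "_k8sinfo"] = info
    return enriched


if __name__ == "__main__":
    idx = build_ip_index(NODES_JSON, PODS_JSON)
    sample = {"source_ip": "10.244.3.7", "destination_ip": "203.0.113.9"}
    print(json.dumps(enrich_event(sample, idx), indent=2))
```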