If there are Kubernetes nodes among the instances that are mirrored to the STA, the STA can automatically enrich source and destination IPs in its events with information about the pod or node that generated this traffic.
To get this to work, follow these simple steps:
ConfigS3Bucket CloudFormation/Terraform parameter)
kubectl get nodes and kubectl get pods) and upload it to that S3 bucket at the root of the bucket under the name kube.config
ConfigS3Bucket CloudFormation/Terraform parameter)
aws --profile <aws_profile> eks update-kubeconfig --name <cluster_name> --region <aws_region>
kubectl edit configmap aws-auth -n kube-system
mapRoles:
add the following content (for rolearn paste the ARN you copied at step 3 and for username copy and paste the last part after the slash):
    - rolearn: arn:aws:iam::123456789012:role/test-sta-spot-k8s-eks-CoralogixSTASpotsManagerRole-4ECRD39DWTKT
      username: test-sta-spot-k8s-eks-CoralogixSTASpotsManagerRole-4ECRD39DWTKT
      groups:
        - system:masters
~/.kube/config file to the S3 bucket chosen to hold the configuration under the name kube.config
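The mapping above places the STA role in system:masters, which is full cluster-admin, while the only permissions this page names are those behind kubectl get nodes and kubectl get pods. A narrower mapping, as an added example that is not part of the original instructions: the object and group names (sta-k8s-reader, sta-k8s-readers) are hypothetical, and it assumes read access to nodes and pods is all the enrichment needs.

```yaml
# Added example: read-only RBAC for the STA role.
# Names marked "hypothetical" do not come from the page.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sta-k8s-reader              # hypothetical name
rules:
  - apiGroups: [""]                 # core API group, where nodes and pods live
    resources: ["nodes", "pods"]
    verbs: ["get", "list"]          # what kubectl get nodes / get pods need
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: sta-k8s-reader-binding      # hypothetical name
subjects:
  - kind: Group
    name: sta-k8s-readers           # hypothetical group, referenced from aws-auth
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: sta-k8s-reader
  apiGroup: rbac.authorization.k8s.io
---
# Fragment for the mapRoles section of the aws-auth ConfigMap
# (edit it in with kubectl edit, do not kubectl apply this part).
# Same rolearn/username as on the page, with the group swapped.
- rolearn: arn:aws:iam::123456789012:role/test-sta-spot-k8s-eks-CoralogixSTASpotsManagerRole-4ECRD39DWTKT
  username: test-sta-spot-k8s-eks-CoralogixSTASpotsManagerRole-4ECRD39DWTKT
  groups:
    - sta-k8s-readers
```

After applying the first two documents, kubectl auth can-i list pods --as=<username> --as-group=sta-k8s-readers should answer yes, and the same check with delete in place of list should answer no.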
During the STA’s installation, you provided several arguments representing Azure’s storage variables.
In case AKS and STA are using the same virtual network and subnet:
~/.kube/config file to the Storage container chosen to hold the configuration under the name kube.config
– that's it!
sta-force-sync-configs (if it returns with a message saying it has collided with one of the STA’s core services, wait for three minutes and try again)
sta-restart-enrichment-k8s-context
source_ip_k8sinfo or destination_ip_k8sinfo or both: