The Lacework API endpoint “/api/v2/Configs/ComplianceEvaluations/search” lets you export Kubernetes Compliance report data in JSON format. Below is an example that uses this endpoint, via the Lacework CLI, to pull all Kubernetes Compliance data for a set time window. The endpoint also serves cloud-provider (CSP) compliance evaluations, so set “dataset” to “K8sCompliance” in the payload to restrict the results to Kubernetes; without that filter the same call returns CSP compliance data as well.
lacework api post "/api/v2/Configs/ComplianceEvaluations/search" -d '{ "timeFilter": { "startTime": "2024-03-12T20:30:00Z", "endTime": "2024-03-13T22:30:00Z"},"dataset": "K8sCompliance" }'
The output of this command is a JSON array of objects, one per Kubernetes compliance evaluation result, each looking similar to the example below (a NonCompliant evaluation for an EKS cluster):
{
  "account": {
    "AccountId": "XXXXXXXXXXXX",
    "accountId": "XXXXXXXXXXXX"
  },
  "evalType": "LW_K8S_SA",
  "id": "lacework-global-315",
  "reason": "EKS cluster does not have all logging categories enabled",
  "recommendation": "Enable audit Logs",
  "region": "us-west-1",
  "reportTime": "2024-03-13T22:16:52.370Z",
  "resource": "arn:aws:eks:us-west-1:XXXXXXXXXXXX:cluster/test-eks-cluster",
  "section": "",
  "severity": "Medium",
  "status": "NonCompliant"
}
Finally, in some cases the resource shown in this output is a Kubernetes cluster identifier rather than a cloud resource identifier (ARN, resource name, etc.). This is particularly relevant for policies that evaluate a specific Kubernetes API or node instead of the entire cluster. You can map such a Kubernetes uid (ex: 1ac6926e-d5df-438f-84af-616a1102cfcc8) back to a cluster name, cloud account, and region with the following LQL query; replace the <uid> placeholder in the filter with the identifier from the export.
queryId: K8uid_to_cluster_id
queryText: |-
  {
    source {
      LW_CFG_K8S_CLUSTER_ALL
    }
    filter {
      RESOURCE_KEY like any("%<uid>%")
    }
    return distinct {
      CLUSTER_ID,
      RESOURCE_REGION,
      CSP_INFO:account AS ACCOUNT
    }
  }
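The export described above is only useful once it is post-processed: counting open findings, flattening the nested account field for a spreadsheet, and pulling out the bare cluster UIDs that need the LQL lookup. The following script is an added example (not code from the original page or from Lacework) that does all three against a constructed sample shaped like the response shown above. It assumes the saved output of the lacework api post command is either the bare array of evaluation objects the page describes or the API v2 envelope {"data": [...]}; both shapes are handled. The account IDs, the cluster UID, and the policy id "constructed-policy-id" in the sample are made up.

```python
"""Post-process a K8sCompliance export from ComplianceEvaluations/search.

Added worked example, not Lacework's code. Assumes the saved JSON is either a
bare array of evaluation objects or the API v2 envelope {"data": [...]}.
"""
import csv
import io
import json
import re
from collections import Counter

# Constructed sample export (account IDs, cluster UID, and the second policy
# id are made up); the object layout mirrors the example on this page.
SAMPLE_RESPONSE = json.dumps({"data": [
    {"account": {"AccountId": "111111111111", "accountId": "111111111111"},
     "evalType": "LW_K8S_SA", "id": "lacework-global-315",
     "reason": "EKS cluster does not have all logging categories enabled",
     "recommendation": "Enable audit Logs", "region": "us-west-1",
     "reportTime": "2024-03-13T22:16:52.370Z",
     "resource": "arn:aws:eks:us-west-1:111111111111:cluster/test-eks-cluster",
     "section": "", "severity": "Medium", "status": "NonCompliant"},
    {"account": {"AccountId": "111111111111", "accountId": "111111111111"},
     "evalType": "LW_K8S_SA", "id": "constructed-policy-id",
     "reason": "constructed: finding keyed by a cluster uid, not an ARN",
     "recommendation": "constructed", "region": "us-west-1",
     "reportTime": "2024-03-13T22:16:52.370Z",
     "resource": "3f2b8c1e-9d4a-4b6f-8e21-0a7c5d9e1b42",
     "section": "", "severity": "High", "status": "NonCompliant"},
    {"account": {"AccountId": "111111111111", "accountId": "111111111111"},
     "evalType": "LW_K8S_SA", "id": "lacework-global-315",
     "reason": "", "recommendation": "Enable audit Logs", "region": "us-east-1",
     "reportTime": "2024-03-13T22:16:52.370Z",
     "resource": "arn:aws:eks:us-east-1:111111111111:cluster/prod-eks-cluster",
     "section": "", "severity": "Medium", "status": "Compliant"},
]})

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# The page's LQL query, with <uid> left as the placeholder to fill in.
LQL_TEMPLATE = """{
  source {
    LW_CFG_K8S_CLUSTER_ALL
  }
  filter {
    RESOURCE_KEY like any("%<uid>%")
  }
  return distinct {
    CLUSTER_ID,
    RESOURCE_REGION,
    CSP_INFO:account AS ACCOUNT
  }
}"""

CSV_FIELDS = ["reportTime", "accountId", "region", "resource", "id",
              "severity", "status", "reason", "recommendation"]


def load_evaluations(raw: str) -> list:
    """Return the evaluation objects from a bare array or a {"data": [...]} envelope."""
    doc = json.loads(raw)
    if isinstance(doc, dict):
        doc = doc.get("data", [])
    if not isinstance(doc, list):
        raise ValueError("export is neither an array nor a {'data': [...]} envelope")
    return doc


def classify_resource(resource: str) -> str:
    """'arn' for a cloud ARN, 'k8s_uid' for a bare cluster UID, else 'other'."""
    if resource.startswith("arn:"):
        return "arn"
    return "k8s_uid" if UUID_RE.match(resource) else "other"


def noncompliant(evals: list) -> list:
    return [e for e in evals if e.get("status") == "NonCompliant"]


def severity_counts(evals: list) -> dict:
    """Open (NonCompliant) findings per severity."""
    return dict(Counter(e["severity"] for e in noncompliant(evals)))


def uids_needing_lookup(evals: list) -> list:
    """Distinct cluster UIDs among open findings: the ones the LQL query resolves."""
    return sorted({e["resource"] for e in noncompliant(evals)
                   if classify_resource(e["resource"]) == "k8s_uid"})


def build_uid_lookup_query(uid: str) -> str:
    """Fill the LQL template. The UID is validated first so only a well-formed
    identifier is ever spliced into the LIKE pattern; stray quotes or extra
    wildcards from a malformed resource string raise instead of being queried."""
    if not UUID_RE.match(uid):
        raise ValueError(f"not a Kubernetes uid: {uid!r}")
    return LQL_TEMPLATE.replace("<uid>", uid)


def to_csv(evals: list) -> str:
    """Flatten the export to CSV, hoisting the nested account id into a column."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=CSV_FIELDS, extrasaction="ignore", lineterminator="\n")
    w.writeheader()
    for e in evals:
        w.writerow({**e, "accountId": e.get("account", {}).get("accountId", "")})
    return buf.getvalue()


if __name__ == "__main__":
    evals = load_evaluations(SAMPLE_RESPONSE)
    print(severity_counts(evals))
    for uid in uids_needing_lookup(evals):
        print(build_uid_lookup_query(uid))
    print(to_csv(evals))
```

In practice you would replace SAMPLE_RESPONSE with the file written by redirecting the lacework api post output, and feed each query from uids_needing_lookup to the LQL query runner of your choice; the validation in build_uid_lookup_query is there because the resource string comes from data you did not author, so it should not be pasted into a query unchecked.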
References:
ComplianceEvaluations API Documentation
Agent: N/A
Platform: Using Lacework/Operationalizing
Cloud: AWS