Snyk Controller for Amazon EKS

Quick Start Reference Deployment


November 2020
Jay Yeras, Snyk
Jay McConnell, AWS Quick Start team

Visit our GitHub repository for source files and to post feedback, report bugs, or submit feature ideas for this Quick Start.

This Quick Start was created by Snyk in collaboration with Amazon Web Services (AWS). Quick Starts are automated reference deployments that use AWS CloudFormation templates to deploy key technologies on AWS, following AWS best practices.

Overview

Snyk controller for Amazon Elastic Kubernetes Service (Amazon EKS) lets you import and test your running EKS workloads to identify vulnerabilities in associated images and configurations that might make workloads less secure. As new images deploy and workload configurations change, Snyk continually monitors workloads to identify security issues.

This Quick Start is for developers, DevOps, security teams, and roles within an organization for building, deploying, and maintaining Amazon EKS applications.

Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.

Software licenses

This Quick Start requires a Snyk license. For more information, see Snyk’s AWS Marketplace page.

Architecture

Deploying this Quick Start with default parameters into an existing Amazon EKS cluster builds the following environment. For a diagram of the new virtual private cloud (VPC) and Amazon EKS cluster, see Amazon EKS on the AWS Cloud.

Figure 1. Quick Start architecture for Snyk Controller for Amazon EKS

As shown in Figure 1, the Quick Start sets up the following:

  • A Kubernetes namespace for Snyk.

  • A Kubernetes secret that contains a Snyk integration ID and Docker configuration file.

  • A Snyk monitor pod.

Planning the deployment

Specialized knowledge

This deployment guide requires a moderate level of familiarity with AWS services. If you’re new to AWS, see the Getting Started Resource Center and AWS Training and Certification. These sites provide materials for learning how to design, deploy, and operate your infrastructure and applications on the AWS Cloud.

This Quick Start assumes familiarity with Amazon EKS, AWS CloudFormation, and Kubernetes.

AWS account

If you don’t already have an AWS account, create one at https://aws.amazon.com by following the on-screen instructions. Part of the sign-up process involves receiving a phone call and entering a PIN using your phone’s keypad.

Your AWS account is automatically signed up for all AWS services. You are charged only for the services you use.

Amazon EKS cluster

If you deploy this Quick Start into an existing Amazon EKS cluster that was not created by the Amazon EKS on the AWS Cloud Quick Start, you must configure that cluster to allow this Quick Start to manage it. For more information, see the Deployment steps section.

IAM permissions

Before launching the Quick Start, you must log in to the AWS Management Console with AWS Identity and Access Management (IAM) permissions for the resources and actions that each template deploys.

The AdministratorAccess managed policy within IAM provides sufficient permissions, although your organization may choose to use a custom policy with more restrictions.

Deployment options

This Quick Start provides three deployment options:

  • Deploy Snyk controller into a new VPC (end-to-end deployment). This option builds a new AWS environment consisting of the VPC, subnets, NAT gateways, security groups, bastion hosts, EKS cluster, a node group, and other infrastructure components. It then deploys Snyk controller into this new EKS cluster.

  • Deploy Snyk controller into a new EKS cluster of an existing VPC. This option builds a new Amazon EKS cluster, node group, and other infrastructure components into an existing VPC. It then deploys Snyk controller into this new EKS cluster.

  • Deploy Snyk controller into an existing EKS cluster. This option provisions Snyk controller in your existing AWS infrastructure. Note that when deploying into an EKS cluster that was not created by the Amazon EKS on the AWS Cloud Quick Start, you must prepare the cluster as described in the Deployment steps section.

Deployment steps

Prepare an existing EKS cluster

This step is only required if you launch this Quick Start into an existing Amazon EKS cluster that was not created using the Amazon EKS on the AWS Cloud deployment. If you want to create a new EKS cluster with your deployment, skip to step 3.
  1. Sign in to your AWS account at https://aws.amazon.com with an IAM user role that has the necessary permissions. For details, see Planning the deployment, earlier in this guide.

  2. Launch the cluster preparation template.

  3. Check the AWS Region that’s displayed in the upper-right corner of the navigation bar, and change it if necessary. This Region is where you build the infrastructure. The template is launched in the us-east-2 Region by default. For more information, see Supported AWS Regions earlier in this guide.

  4. On the Create stack page, keep the default setting for the template URL, and then choose Next.

  5. On the Specify stack details page, change the stack name if needed. Enter the name of the Amazon EKS cluster you want to deploy to in addition to the subnet IDs and security group ID associated with the cluster. These can be obtained from the EKS cluster console.

  6. On the Options page, specify the key-value pairs for resources in your stack, and set advanced options. When you’re done, choose Next.

  7. On the Review page, review and confirm your template settings. Under Capabilities, select the two check boxes to acknowledge that the template creates IAM resources and might require the ability to automatically expand macros.

  8. Choose Create stack to deploy the stack.

  9. Monitor the stack’s status until it is CREATE_COMPLETE.

  10. From the Outputs section of the stack, note the KubernetesRoleArn and HelmRoleArn roles.

  11. Add the roles to the aws-auth config map in your cluster, specifying system:masters for the groups. This allows the Quick Start to manage your cluster via AWS CloudFormation. For more information, see Managing users or IAM roles for your cluster.
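The aws-auth edit in step 11 is easy to get wrong because the ConfigMap stores mapRoles as one YAML string: replacing it wholesale drops the node group's own role mapping and the worker nodes fall out of the cluster. The following script is an added example and not part of the Quick Start; it shows the mapRoles entries the two stack outputs need, merges them into the existing list without duplicating anything, and emits the JSON merge-patch body for kubectl. Every ARN and username in it is a constructed placeholder; use the KubernetesRoleArn and HelmRoleArn values from your stack's Outputs tab. Because system:masters is cluster-admin, keep the trust policies of those two roles tight.

```python
"""Merge the Quick Start's KubernetesRoleArn and HelmRoleArn into the aws-auth
ConfigMap's mapRoles list with the system:masters group (step 11 above).

Added example, not part of the Quick Start. All ARNs and usernames below are
constructed placeholders; take the real ARNs from the stack's Outputs tab.
"""
import json

# Constructed placeholders standing in for the two stack outputs.
KUBERNETES_ROLE_ARN = "arn:aws:iam::111122223333:role/EXAMPLE-KubernetesRole"
HELM_ROLE_ARN = "arn:aws:iam::111122223333:role/EXAMPLE-HelmRole"

# Constructed stand-in for what aws-auth already holds: the node group's
# instance role, which must survive the edit or the nodes leave the cluster.
EXISTING_MAP_ROLES = [
    {
        "rolearn": "arn:aws:iam::111122223333:role/EXAMPLE-NodeInstanceRole",
        "username": "system:node:{{EC2PrivateDNSName}}",
        "groups": ["system:bootstrappers", "system:nodes"],
    }
]


def quickstart_role_mappings(kubernetes_role_arn, helm_role_arn):
    """The two entries step 11 asks for; the usernames are arbitrary labels."""
    return [
        {"rolearn": kubernetes_role_arn, "username": "quickstart-kubernetes",
         "groups": ["system:masters"]},
        {"rolearn": helm_role_arn, "username": "quickstart-helm",
         "groups": ["system:masters"]},
    ]


def merge_map_roles(existing, additions):
    """Append only roles not already mapped, so re-running is safe (idempotent)."""
    known = {m["rolearn"] for m in existing}
    merged = list(existing)
    for mapping in additions:
        if mapping["rolearn"] not in known:
            merged.append(mapping)
            known.add(mapping["rolearn"])
    return merged


def render_map_roles(mappings):
    """Serialize mapRoles as the YAML block string the ConfigMap stores.
    Written by hand so the script needs no PyYAML dependency."""
    lines = []
    for m in mappings:
        lines.append(f"- rolearn: {m['rolearn']}")
        lines.append(f"  username: {m['username']}")
        lines.append("  groups:")
        lines.extend(f"    - {group}" for group in m["groups"])
    return "\n".join(lines) + "\n"


def aws_auth_merge_patch(mappings):
    """JSON merge-patch body for:
         kubectl patch configmap aws-auth -n kube-system --type merge -p '<body>'
    A merge patch replaces the whole mapRoles string, which is why the existing
    entries are merged in first instead of sending only the two new roles."""
    return json.dumps({"data": {"mapRoles": render_map_roles(mappings)}})


if __name__ == "__main__":
    merged = merge_map_roles(
        EXISTING_MAP_ROLES, quickstart_role_mappings(KUBERNETES_ROLE_ARN, HELM_ROLE_ARN)
    )
    print(aws_auth_merge_patch(merged))
```

To use it against a real cluster, first read the current list with kubectl get configmap aws-auth -n kube-system -o yaml, reproduce its mapRoles entries in EXISTING_MAP_ROLES, then pass the printed body to kubectl patch as shown in the docstring. Check the result with kubectl get configmap aws-auth -n kube-system -o yaml before moving on to the next section.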

Unless you are customizing the Quick Start templates for your own deployment projects, keep the default settings for the parameters labeled Quick Start S3 bucket name, Quick Start S3 bucket Region, and Quick Start S3 key prefix. Changing these parameter settings automatically updates code references to point to a new Quick Start location. For more information, see the AWS Quick Start Contributor’s Guide.

Retrieve a Snyk Kubernetes integration ID

  1. Log in to your Snyk account, and navigate to Integrations.

  2. Search for Kubernetes, and then choose it.

  3. Choose Connect, and copy the Snyk Integration ID. The Integration ID is a UUID with a format that’s similar to the following: abcd1234-abcd-1234-abcd-1234abcd1234. Save the UUID for the next step.

Launch the Quick Start

You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using this Quick Start. For full details, see the pricing pages for each AWS service used by this Quick Start. Prices are subject to change.
  1. Sign in to your AWS account, and choose one of the following options to launch the AWS CloudFormation template. For help with choosing an option, see the Deployment options section, earlier in this guide.

    Deploy into a new VPC and new Amazon EKS cluster (View template)

    Deploy into a new Amazon EKS cluster in an existing VPC (View template)

    Deploy into an existing Amazon EKS cluster (View template)

    New clusters take about 1.5 hours to deploy. Existing clusters take about 5 minutes to deploy.

    If you deploy Snyk controller into an existing VPC, ensure that any private subnets have NAT gateways in their route tables to allow the Quick Start to download packages and software. Also, ensure that the domain name in the DHCP options is configured. For more information, see DHCP options sets.
  2. Check the AWS Region that’s displayed in the upper-right corner of the navigation bar, and change it if necessary. This Region is where you build the infrastructure. The template is launched in the us-east-2 Region by default. For more information, see Supported AWS Regions earlier in this guide.

  3. On the Create stack page, keep the default setting for the template URL, and then choose Next.

  4. On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings, and customize them as necessary. For details on each parameter, see the Parameter reference section of this guide. When you finish reviewing and customizing the parameters, choose Next.

  5. On the Options page, specify the key-value pairs for resources in your stack, and set advanced options. When you’re done, choose Next.

  6. On the Review page, review and confirm the template settings. Under Capabilities, select the two check boxes to acknowledge that the template creates IAM resources and might require the ability to automatically expand macros.

  7. Choose Create stack to deploy the stack.

  8. Monitor the status of the stack. When the status is CREATE_COMPLETE, the Snyk controller deployment is ready.

  9. To view the created resources, see the values displayed in the Outputs tab for the stack.

Test the deployment

  1. Configure the kubectl command line utility to connect to your EKS cluster. For more information, see Cluster authentication.

  2. Run kubectl get namespaces, and verify that the snyk-monitor namespace has an Active status.

  3. Run kubectl get pods --namespace snyk-monitor, and verify that a pod with the snyk-monitor prefix has a Running status.

  4. From the Snyk console, verify that your cluster appears and you can add workloads. For more information, see Adding Kubernetes workloads for security scanning.
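The namespace and pod checks in steps 2 and 3 can be scripted from kubectl's JSON output, which is handy when the deployment is part of a pipeline. The script below is an added example, not part of the Quick Start. It parses the documents that kubectl get namespaces -o json and kubectl get pods --namespace snyk-monitor -o json return; the two sample documents embedded in it are constructed so that the logic can be exercised without a cluster. It goes one step beyond the guide by also requiring the pod's containers to be ready, since a pod stuck in a restart loop still reports the Running phase.

```python
"""Check the Snyk controller deployment the way steps 2 and 3 above do, from
the JSON that kubectl returns.

Added example, not part of the Quick Start. The two sample documents are
constructed to look like `kubectl get namespaces -o json` and
`kubectl get pods --namespace snyk-monitor -o json` output.
"""
import json
import subprocess

NAMESPACE = "snyk-monitor"


def namespace_active(ns_list, name=NAMESPACE):
    """True when a namespace called `name` exists and its phase is Active."""
    for item in ns_list.get("items", []):
        if item["metadata"]["name"] == name:
            return item.get("status", {}).get("phase") == "Active"
    return False


def monitor_pods(pod_list, prefix=NAMESPACE):
    """Map pod name -> (phase, all containers ready) for pods named with `prefix`."""
    result = {}
    for pod in pod_list.get("items", []):
        name = pod["metadata"]["name"]
        if not name.startswith(prefix):
            continue
        status = pod.get("status", {})
        statuses = status.get("containerStatuses", [])
        ready = bool(statuses) and all(c.get("ready") for c in statuses)
        result[name] = (status.get("phase", "Unknown"), ready)
    return result


def deployment_healthy(ns_list, pod_list):
    """Namespace Active and at least one snyk-monitor pod Running with its
    containers ready (Running alone still holds during a crash loop)."""
    pods = monitor_pods(pod_list)
    return namespace_active(ns_list) and any(
        phase == "Running" and ready for phase, ready in pods.values()
    )


def kubectl_json(*args):
    """Run kubectl (already pointed at the cluster, step 1) and parse its JSON."""
    proc = subprocess.run(["kubectl", *args, "-o", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


# Constructed samples: namespace Active; one pod healthy, one still starting.
SAMPLE_NAMESPACES = {"items": [
    {"metadata": {"name": "kube-system"}, "status": {"phase": "Active"}},
    {"metadata": {"name": NAMESPACE}, "status": {"phase": "Active"}},
]}
SAMPLE_PODS = {"items": [
    {"metadata": {"name": "snyk-monitor-7c9d8f6b5-x2k4q"},
     "status": {"phase": "Running",
                "containerStatuses": [{"name": "snyk-monitor", "ready": True}]}},
    {"metadata": {"name": "snyk-monitor-7c9d8f6b5-p9r3m"},
     "status": {"phase": "Pending", "containerStatuses": []}},
]}


if __name__ == "__main__":
    ns = kubectl_json("get", "namespaces")
    pods = kubectl_json("get", "pods", "--namespace", NAMESPACE)
    for name, (phase, ready) in monitor_pods(pods).items():
        print(f"{name}: {phase} ready={ready}")
    print("healthy" if deployment_healthy(ns, pods) else "NOT healthy")
```

If the script reports NOT healthy, kubectl describe pod on the named pod usually shows why: an image pull problem or a rejected integration ID surfaces in the pod's events before it does anywhere else.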

Best practices for using Snyk controller on EKS

The Snyk controller monitors workloads and provides details about potential vulnerabilities in container images in addition to the security configuration for your deployments. We recommend that your Kubernetes manifests adhere to the workload configuration properties. For more information, see Viewing project details and test results.

Security

Snyk provides alerts for common misconfigurations, such as running containers as the root user, not setting CPU or memory limits, and using a writable file system, which gives an attacker who compromises a container a place to write to disk. If your containers are stateless, you don’t need a writable file system.

At a low level, Linux capabilities control what processes inside your containers are allowed to do, from writing to the disk to communicating over the network. For this reason, ensure that the capabilities each container needs are explicitly defined in its security context.
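The misconfigurations listed in this section map onto a handful of Pod spec fields, and checking them before a manifest is applied catches most of what the controller would later flag. The script below is an added example; it is not Snyk's code and not how the Snyk controller implements its checks. It audits a Pod manifest for the four issues named above (root user, missing CPU and memory limits, writable root file system, undefined capabilities) and shows a constructed unhardened manifest next to its hardened form, including the emptyDir mount a stateless app typically still needs for scratch files once the root file system is read-only.

```python
"""Audit Pod specs for the misconfigurations the Security section describes:
containers running as root, missing CPU or memory limits, a writable root
file system, and Linux capabilities left undefined.

Added example, not Snyk's code and not how the Snyk controller is implemented.
The two manifests are constructed; the checks mirror the text above, not
Snyk's full rule set.
"""

REQUIRED_LIMITS = ("cpu", "memory")


def effective_security_context(pod_spec, container):
    """Container settings override pod-level ones field by field; only the
    fields both levels share (runAsUser, runAsNonRoot, ...) are affected."""
    merged = dict(pod_spec.get("securityContext", {}))
    merged.update(container.get("securityContext", {}))
    return merged


def audit_container(pod_spec, container):
    """Return a list of findings for one container (empty list = clean)."""
    findings = []
    sc = effective_security_context(pod_spec, container)

    # 1. Root user: nothing forces a non-root UID. runAsUser 0 or unset means
    #    the image's default user, which is usually root.
    if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
        findings.append("runs as root: set securityContext.runAsNonRoot: true")

    # 2. Resource limits keep one workload from starving the node.
    limits = container.get("resources", {}).get("limits", {})
    for resource in REQUIRED_LIMITS:
        if resource not in limits:
            findings.append(f"no {resource} limit: set resources.limits.{resource}")

    # 3. A writable root file system gives an intruder somewhere to write.
    if not sc.get("readOnlyRootFilesystem"):
        findings.append("writable root file system: set readOnlyRootFilesystem: true")

    # 4. Capabilities must be defined explicitly: drop ALL, add back only what is needed.
    capabilities = sc.get("capabilities") or {}
    dropped = {c.upper() for c in capabilities.get("drop", [])}
    if "ALL" not in dropped:
        findings.append("capabilities not restricted: set capabilities.drop: [ALL]")

    return findings


def audit_pod(manifest):
    """Map container name -> findings for every container in a Pod manifest."""
    spec = manifest["spec"]
    return {c["name"]: audit_container(spec, c) for c in spec.get("containers", [])}


# Constructed: a typical unhardened Pod.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "app", "image": "example/web:1.0"}]},
}

# Constructed: the same Pod with each finding addressed.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "app", "image": "example/web:1.0",
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            "securityContext": {
                "readOnlyRootFilesystem": True,
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
            # Stateless apps usually still need scratch space; an emptyDir
            # provides it while the root file system stays read-only.
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        for container, findings in audit_pod(manifest).items():
            print(f"{label}/{container}: {findings or 'no findings'}")
```

The manifests are plain dictionaries so the script has no PyYAML dependency; to audit real files, load them with yaml.safe_load and pass each document to audit_pod. A container that legitimately needs a capability (NET_BIND_SERVICE, for example) should list it under capabilities.add next to drop: [ALL] rather than leaving the block undefined.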

FAQ

Q. I encountered a CREATE_FAILED error when I launched the Quick Start.

A. If AWS CloudFormation fails to create the stack, we recommend that you relaunch the template with Rollback on failure set to Disabled. (This setting is under Advanced in the AWS CloudFormation console, Options page.) With this setting, the stack’s state is retained and the workload remains running so you can troubleshoot the issue.

When you set Rollback on failure to Disabled, you continue to incur AWS charges for the stack. Be sure to delete the stack when you finish troubleshooting.

Troubleshooting

For general EKS troubleshooting steps, see Amazon EKS on the AWS Cloud.

For Snyk-specific troubleshooting, see the Kubernetes integration overview.

For troubleshooting AWS CloudFormation stacks, see Troubleshooting AWS CloudFormation.

Customer responsibility

After you successfully deploy this Quick Start, confirm that your resources and services are updated and configured — including any required patches — to meet your security and other needs. For more information, see the AWS Shared Responsibility Model.

Parameter reference

Deploy into a new VPC and new Amazon EKS cluster

The full list of parameters for this entrypoint is documented in Amazon EKS on the AWS Cloud.

Deploy into a new Amazon EKS cluster in an existing VPC

The full list of parameters for this entrypoint is documented in Amazon EKS on the AWS Cloud.

Deploy into an existing EKS cluster

Table 1. Snyk monitor for EKS configuration

Parameter label (name): EKS cluster name (KubeClusterName)
Default value: Requires input
Description: Name of the EKS cluster to deploy Snyk into.

Parameter label (name): Snyk integration ID (SnykIntegrationId)
Default value: Requires input
Description: Snyk Kubernetes integration ID. This must be obtained from the Snyk console. For more information, see https://support.snyk.io/hc/en-us/articles/360003916158-Install-the-Snyk-controller-with-Helm.

Parameter label (name): Namespace (Namespace)
Default value: snyk-monitor
Description: (Optional) Kubernetes namespace to deploy the Snyk controller into.

Send us feedback

To post feedback, submit feature ideas, or report bugs, use the Issues section of the GitHub repository for this Quick Start. If you want to submit code, review the Quick Start Contributor’s Guide.

Quick Start reference deployments

GitHub repository

See the GitHub repository to download the templates and scripts for this Quick Start, post comments, and share customizations with others.


Notices

This document is provided for informational purposes only. It represents AWS’s current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS’s products or services, each of which is provided “as is” without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at http://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either expressed or implied. See the License for specific language governing permissions and limitations.