Environment

GCP Logging Stackdriver, GKE, Aqua CSP 4.6+


Deployment Task

How to integrate Google Cloud Logging Stackdriver with Aqua CSP 4.6+


Stage 1: Retrieving Credentials

In this step, a service account with the rights to write logs will be created and the credentials will be generated and downloaded into a file.


1. Create a Service Account using your GCP account under your selected project.

Home -> IAM & Admin -> Service Accounts -> Create Service Account


2. Grant the account the required permissions; Log Writer permissions are sufficient.




3. Click on the 3 dots next to the name of the newly created service account and then click Manage Keys.

4. Click on Add Key and generate the JSON credentials file. Save it locally with the name application_default_credentials.json

Stage 2: Deploy Credentials

In this step, the downloaded credentials will be installed in the Kubernetes namespace as a Secret and mounted in the Aqua web pod by changing its deployment manifest, following the instructions below.


5. Create a Kubernetes secret called google-stackdriver-credentials


kubectl create secret generic google-stackdriver-credentials --from-file /path/to/file/application_default_credentials.json


6. Edit the Aqua web deployment, adding the following environment variable and mounting the secret


Under env:

- env:
  - name: GOOGLE_APPLICATION_CREDENTIALS
    value: /opt/stackdriver/application_default_credentials.json

Under volumeMounts:

volumeMounts:
- mountPath: /opt/stackdriver
  name: google-stackdriver-credentials

Under volumes:

volumes:
- name: google-stackdriver-credentials
  secret:
    secretName: google-stackdriver-credentials


The changes above can be applied either by modifying the running Aqua deployment in Kubernetes (kubectl edit deployment aqua-console) or by changing the versioned manifest accordingly and applying it again (kubectl apply -f aqua-console.yaml).


Important: this step will cause a new Aqua Console pod to be created and, during the switch, the console might become unavailable for a short time.
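
The three fragments in step 6 only work if they agree with each other: the path in GOOGLE_APPLICATION_CREDENTIALS must be the key file inside the mount, and the mount must name a volume backed by the secret from step 5. The Python check below is an added example, not part of the original article or of Aqua's tooling; it reads the output of kubectl get deployment aqua-console -o json and assumes the secret was created as in step 5, with no items: remapping. The container name in the sample data is constructed.

```python
import json
import sys

SECRET = "google-stackdriver-credentials"          # secret name from step 5
ENV = "GOOGLE_APPLICATION_CREDENTIALS"             # variable from step 6
KEY_FILE = "application_default_credentials.json"  # file name from step 4

def check_wiring(deployment):
    """Return a list of problems; an empty list means env, mount and volume agree."""
    pod = deployment["spec"]["template"]["spec"]
    # Names of the volumes backed by the expected secret.
    vols = {v["name"] for v in pod.get("volumes", [])
            if v.get("secret", {}).get("secretName") == SECRET}
    problems = [] if vols else [f"no volume references secret {SECRET}"]
    env_seen = False
    for c in pod.get("containers", []):
        env = {e["name"]: e.get("value") or "" for e in c.get("env", [])}
        if ENV not in env:
            continue
        env_seen = True
        # Without an items: remapping (assumed), the secret key is the file
        # name, so the key file appears at <mountPath>/<KEY_FILE>.
        files = {m["mountPath"].rstrip("/") + "/" + KEY_FILE
                 for m in c.get("volumeMounts", []) if m["name"] in vols}
        if env[ENV] not in files:
            problems.append(f"{c['name']}: {ENV}={env[ENV]} does not point "
                            f"into a mount of secret {SECRET}")
    if not env_seen:
        problems.append(f"no container sets {ENV}")
    return problems

def sample(mount_path, with_env=True):
    """Constructed deployment (not real cluster output) using the page's names."""
    env = [{"name": ENV, "value": "/opt/stackdriver/" + KEY_FILE}] if with_env else []
    return {"spec": {"template": {"spec": {
        "containers": [{"name": "aqua-console", "env": env,
                        "volumeMounts": [{"name": SECRET, "mountPath": mount_path}]}],
        "volumes": [{"name": SECRET, "secret": {"secretName": SECRET}}]}}}}

if __name__ == "__main__":
    # Usage: kubectl get deployment aqua-console -o json | python3 check_wiring.py
    found = check_wiring(json.load(sys.stdin))
    print("\n".join(found) or "credentials wiring is consistent")
    sys.exit(1 if found else 0)
```
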
 

Stage 3: Enable Integration

We'll now enable the Stackdriver integration from the Aqua Console.


7. Navigate to:

System > Integration > Log Management > Google Stackdriver


Enter the Project ID, the Key ID of the Service Account you previously created (it can be found in the file downloaded in step 4) and a Log Name. The connection should be successful.




After you start scanning images and performing other activities with Aqua CSP, the logs are available in the Logs Viewer of GCP Stackdriver Logging.


8. Switch to the “Convert to advanced filter” option.


 

9. In the “Filter by label or text search” field, type logName= and a list of logs to choose from appears. Choose aqua-security and click on “Submit Filter”.




 

 
