Configure GuardDuty security agent (add-on) parameters for Amazon EKS
You can configure specific parameters of your GuardDuty security agent for Amazon EKS. This support is available for GuardDuty security agent version 1.5.0 and above. For information about the latest add-on versions, see GuardDuty security agent for Amazon EKS clusters.
- Why should I update the security agent configuration schema?
  The configuration schema for the GuardDuty security agent is the same across all containers within your Amazon EKS clusters. When the default values do not align with the associated workloads and instance size, consider configuring the CPU settings, memory settings, PriorityClass, and dnsPolicy settings. Regardless of how you manage the GuardDuty agent for your Amazon EKS clusters, you can configure or update the existing configuration of these parameters.
Automated agent configuration behavior with configured parameters
When GuardDuty manages the security agent (EKS add-on) on your behalf, it updates the add-on as needed and sets the configurable parameters to their default values. You can still update the parameters to a desired value. If this leads to a conflict, the default resolveConflicts option is None, under which Amazon EKS leaves the conflicting value unchanged and the update might fail; choose Overwrite or Preserve explicitly when you update the add-on if you need a different outcome.
Configurable parameters and values
For information about the steps to configure the add-on parameters, see:
The following tables provide the ranges and values that you can use to deploy the Amazon EKS add-on manually or update the existing add-on settings.
- CPU settings

| Parameter | Default value | Configurable range |
|---|---|---|
| Requests | 200m | Between 200m and 10000m, both inclusive |
| Limits | 1000m | Between 200m and 10000m, both inclusive |

- Memory settings

| Parameter | Default value | Configurable range |
|---|---|---|
| Requests | 256Mi | Between 256Mi and 20000Mi, both inclusive |
| Limits | 1024Mi | Between 256Mi and 20000Mi, both inclusive |
- PriorityClass settings
  When GuardDuty creates an Amazon EKS add-on for you, the assigned PriorityClass is aws-guardduty-agent.priorityclass. Its preemptionPolicy is Never, so the agent pod never preempts (evicts) lower-priority pods in order to be scheduled. You can configure this add-on parameter by choosing one of the following PriorityClass options:

| Configurable PriorityClass | preemptionPolicy value | preemptionPolicy description | Pod priority value |
|---|---|---|---|
| aws-guardduty-agent.priorityclass | Never | No action; the agent pod does not preempt other pods. | 1000000 |
| aws-guardduty-agent.priorityclass-high | PreemptLowerPriority | Assigning this value lets the agent pod preempt any pod running with a priority value lower than the agent pod value. | 100000000 |
| system-cluster-critical (1) | PreemptLowerPriority | Same as above, at a higher priority value. | 2000000000 |
| system-node-critical (1) | PreemptLowerPriority | Same as above, at the highest priority value. | 2000001000 |

(1) Kubernetes provides these two PriorityClass options, system-cluster-critical and system-node-critical, as built-in classes. Their values exceed the maximum a user-defined PriorityClass can have, so assigning them to the agent lets it preempt nearly any other pod on a node; use them only when the agent must be scheduled ahead of your own workloads. For more information, see PriorityClass in the Kubernetes documentation.
- dnsPolicy settings
  Choose one of the following DNS policy options that Kubernetes supports. When no configuration is specified, ClusterFirst is used as the default value.
  - ClusterFirst
  - ClusterFirstWithHostNet
  - Default
  Note that Kubernetes treats ClusterFirst like Default for pods that run with hostNetwork; if the agent pod uses the host network and must resolve in-cluster service names, choose ClusterFirstWithHostNet. For information about these policies, see Pod's DNS Policy in the Kubernetes documentation.
Verifying configuration schema updates
After you have configured the parameters, perform the following steps to verify that the configuration schema has been updated:
1. Open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters.
2. In the navigation pane, choose Clusters.
3. On the Clusters page, select the Cluster name for which you want to verify the updates.
4. Choose the Resources tab.
5. From the Resource types pane, under Workloads, choose DaemonSets.
6. Select aws-guardduty-agent.
7. On the aws-guardduty-agent page, choose Raw view to view the unformatted JSON response. Verify that the configurable parameters display the values that you provided.
After you verify, switch to the GuardDuty console. Select the corresponding AWS Region and view the coverage status for your Amazon EKS clusters. For more information, see Runtime coverage and troubleshooting for Amazon EKS clusters.
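The following script is an added example, not code from the AWS page or from GuardDuty itself. It covers both the parameter tables above (it range-checks CPU, memory, PriorityClass and dnsPolicy values against the documented limits and builds the configuration-values JSON) and the verification procedure (it reads the stored values back with the AWS CLI and kubectl instead of the console Raw view). The configuration-values key names (priorityClassName, dnsPolicy, resources.requests, resources.limits), the amazon-guardduty namespace, and the add-on version string are assumptions; the show_schema function prints the add-on's published schema so you can confirm the keys before applying anything.

```shell
#!/bin/sh
# Added example (not from the AWS page or the GuardDuty project): build and range-check
# a configuration-values document for the aws-guardduty-agent EKS add-on, apply it with
# the AWS CLI, and read the applied values back from the DaemonSet.
# ASSUMPTIONS: the schema keys priorityClassName, dnsPolicy and resources.{requests,limits},
# and the amazon-guardduty namespace, are assumed; confirm the keys with show_schema first.

# Convert a CPU quantity ("200m" or a whole number of cores such as "2") to millicores.
cpu_millis() {
  case "$1" in
    *m) echo "${1%m}" ;;
    *)  echo $(( $1 * 1000 )) ;;
  esac
}

# Convert a memory quantity in Mi or Gi to Mi; any other unit is rejected.
mem_mi() {
  case "$1" in
    *Mi) echo "${1%Mi}" ;;
    *Gi) echo $(( ${1%Gi} * 1024 )) ;;
    *)   return 1 ;;
  esac
}

# True when $1 lies in the inclusive range [$2, $3].
in_range() {
  [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Check the six inputs against the documented ranges and enumerations.
# Arguments: cpu_request cpu_limit mem_request mem_limit priorityClass dnsPolicy
# Returns 0 when valid; otherwise prints the first problem and returns 1.
validate_config() {
  cpu_req=$(cpu_millis "$1"); cpu_lim=$(cpu_millis "$2")
  mem_req=$(mem_mi "$3") || { echo "memory request $3 must be in Mi or Gi"; return 1; }
  mem_lim=$(mem_mi "$4") || { echo "memory limit $4 must be in Mi or Gi"; return 1; }
  in_range "$cpu_req" 200 10000 || { echo "cpu request $1 outside 200m-10000m"; return 1; }
  in_range "$cpu_lim" 200 10000 || { echo "cpu limit $2 outside 200m-10000m"; return 1; }
  in_range "$mem_req" 256 20000 || { echo "memory request $3 outside 256Mi-20000Mi"; return 1; }
  in_range "$mem_lim" 256 20000 || { echo "memory limit $4 outside 256Mi-20000Mi"; return 1; }
  # Kubernetes rejects a request larger than its limit, so fail early on that too.
  [ "$cpu_req" -le "$cpu_lim" ] || { echo "cpu request exceeds cpu limit"; return 1; }
  [ "$mem_req" -le "$mem_lim" ] || { echo "memory request exceeds memory limit"; return 1; }
  case "$5" in
    aws-guardduty-agent.priorityclass|aws-guardduty-agent.priorityclass-high|system-cluster-critical|system-node-critical) ;;
    *) echo "unknown PriorityClass $5"; return 1 ;;
  esac
  case "$6" in
    ClusterFirst|ClusterFirstWithHostNet|Default) ;;
    *) echo "unknown dnsPolicy $6"; return 1 ;;
  esac
}

# Emit the configuration-values JSON on one line, ready for --configuration-values.
build_config() {
  printf '{"priorityClassName":"%s","dnsPolicy":"%s","resources":{"requests":{"cpu":"%s","memory":"%s"},"limits":{"cpu":"%s","memory":"%s"}}}' \
    "$5" "$6" "$1" "$3" "$2" "$4"
}

# Print the add-on's published JSON schema so the key names above can be confirmed.
show_schema() {  # addon_version, e.g. v1.5.0-eksbuild.1 (assumed)
  aws eks describe-addon-configuration --addon-name aws-guardduty-agent \
    --addon-version "$1" --query configurationSchema --output text
}

# Apply the values. resolveConflicts defaults to NONE, under which EKS leaves a
# conflicting field untouched and the update can fail; PRESERVE keeps your values.
apply_config() {  # cluster_name addon_version config_json
  aws eks update-addon --cluster-name "$1" --addon-name aws-guardduty-agent \
    --addon-version "$2" --resolve-conflicts PRESERVE --configuration-values "$3"
}

# Read back what EKS stored and what the DaemonSet actually runs with
# (CLI equivalent of the console Raw view steps above).
verify_config() {  # cluster_name
  aws eks describe-addon --cluster-name "$1" --addon-name aws-guardduty-agent \
    --query addon.configurationValues --output text
  kubectl -n amazon-guardduty get daemonset aws-guardduty-agent \
    -o jsonpath='{.spec.template.spec.priorityClassName} {.spec.template.spec.dnsPolicy} {.spec.template.spec.containers[0].resources}{"\n"}'
}

# Usage: ./guardduty-addon.sh <cluster> <addon-version>  (does nothing without arguments)
if [ "$#" -eq 2 ]; then
  cfg=$(build_config 500m 2000m 512Mi 2048Mi aws-guardduty-agent.priorityclass-high ClusterFirstWithHostNet)
  validate_config 500m 2000m 512Mi 2048Mi aws-guardduty-agent.priorityclass-high ClusterFirstWithHostNet \
    && apply_config "$1" "$2" "$cfg" && verify_config "$1"
fi
```

Run show_schema first and compare its output with the keys build_config emits; if the schema differs, adjust the printf template before calling apply_config. The local range check is deliberate: an out-of-range value is otherwise only rejected by EKS after the update call, and a request larger than its limit is rejected by the Kubernetes API server when the DaemonSet is rolled out.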