Support Conditional Integration Usage #2128

Open
BenB196 opened this issue Apr 11, 2024 · 3 comments
Labels
Team:Cloud Security Cloud Security team related

Comments

@BenB196

BenB196 commented Apr 11, 2024

Is your feature request related to a problem? Please describe.

As an operator of Kubernetes on multiple platforms (AWS, self-managed, GCP, Azure, etc.), I'd like to maintain a single Elastic Agent policy, while specifying multiple Security Posture Management integrations that are conditionally run depending on specific conditions.

Describe the solution you'd like

It would be nice if Security Posture Management integrations supported Elastic Agent conditions. This would allow an operator to choose when and where these integrations run, while using the same policy.

Describe alternatives you've considered

  1. Have multiple unique Elastic Agent policies for each deployment type.
    • I have opted to not go this path as the management overhead here becomes a nightmare
  2. Elastic Agent supports sub-policies/reusable policies; Reusable integration policies elastic-agent#2227

Additional context

The lack of this feature and the overhead (or lack) of alternatives currently dissuades us from adopting these features.

@BenB196 BenB196 added the Team:Cloud Security Cloud Security team related label Apr 11, 2024
@oren-zohar
Collaborator

oren-zohar commented Apr 15, 2024

Hello @BenB196, thanks for opening this ticket 🙂 a few questions for clarification:

From what I understand, you are attempting to run KSPM. Is that correct? Would you mind sharing more information about your deployment?

> I'd like to maintain a single Elastic Agent policy, while specifying multiple Security Posture Management integrations that are conditionally run depending on specific conditions.

Can you provide more details about your intended workflow? Will the conditions you set determine whether or not KSPM runs, or is there a more complex workflow involved?

@BenB196
Author

BenB196 commented Apr 15, 2024

Hi @oren-zohar,

> From what I understand, you are attempting to run KSPM. Is that correct?

Yes, attempting to run KSPM, Kubernetes Security Posture Management.

> Would you mind sharing more information about your deployment?

Sure, today, we have a large number of Kubernetes clusters spread across both on-prem deployments and AWS EKS. Overall, we segment our clusters into "environments", and for each environment we try and keep one (1) Elastic Agent policy that does everything, to reduce the amount of policy management if something needs to change.

> Can you provide more details about your intended workflow? Will the conditions you set determine whether or not KSPM runs, or is there a more complex workflow involved?

The intended workflow is that we're able to define one or more KSPM integrations (or configurations) that are assigned to the same Elastic Agent policy, that based on conditions would determine which KSPM integration (or configuration) would be used/run.

A simple example would be that I would like to configure one KSPM integration for "self-managed" and another for "EKS". I'd then like to define a condition that would determine which would run. For clarity, could use the example condition; if eks.amazonaws.com/nodegroup exists, run the "EKS" configuration, if eks.amazonaws.com/nodegroup does not exist, run the "self-managed" configuration

@oren-zohar
Collaborator

Hi so after looking into it, it seems like to support conditions in the Cloud Posture integrations we need to do two things:

  • Add the conditions vars into the integration manifest, as seen here. Otherwise, when adding them manually you'll receive
    {
      "statusCode": 400,
      "error": "Bad Request",
      "message": "Variable kspm-cloudbeat/cis_k8s:condition not found"
    }
  1. Add conditions configuration under advanced options into our integration deployment page:
    image

I'll open a ticket so you can track the progress of this request, cc @smriti0321
