InsightCloudSec currently supports the setup and harvesting of Kubernetes cluster details through two scanners: the local scanner and the remote scanner. The remote scanner supports harvesting of managed Kubernetes clusters: those clusters for which InsightCloudSec has access (e.g., network access and permissions). The local scanner supports managed Kubernetes clusters not accessible to InsightCloudSec and self-managed Kubernetes clusters.
This page provides information on setting up your cluster accounts as well as detail on viewing that information within InsightCloudSec once your Kubernetes clusters have been harvested.
Detailed documentation for both the remote scanner and local scanner options are available, refer to the following individual pages:
InsightCloudSec currently supports adding a cluster from the following services/providers:
|Providers||Local Scanner||Remote Scanner|
|AWS (EKS) GovCloud||Supported||Supported|
|AWS (EKS) China||Supported||Not Supported|
|Azure (AKS) GovCloud||Supported||Not Supported|
|Azure (AKS) China||Supported||Not Supported|
|Oracle Cloud Infrastructure (OCI) - OKE||Supported||Not Supported|
|Alibaba Cloud (ACK)||Supported||Not Supported|
|Self-managed (All CSPs)||Supported||Not Supported|
Details on each Kubernetes provider can be found at the following pages:
Note: Click one of the links above to view details around Kubernetes support through any of the specific Cloud Service Providers(CSPs). Contact us through the Customer Support Portal with any questions.
After validating or setting up the appropriate permissions, InsightCloudSec harvests the Kubernetes services via the cloud provider API and creates a matching cloud account for each Kubernetes cluster.
- Cluster access is generated using the account access credentials provided by the user.
- Cluster resources are harvested and associated with the parent cloud account that is created to model the Kubernetes service.
Before getting started you will need to ensure that the Cloud Service Provider (CSP) Accounts (e.g., AWS, Azure, GPC) where the target Kubernetes Clusters reside have been successfully connected to InsightCloudSec.
- If you have not connected your CSP accounts refer to the Cloud Account Setup & Management for a summary and links to detailed steps for each individual CSP.
With appropriate access to the desired CSPs, after an upgrade to the latest version of InsightCloudSec, the remote scanner will automatically add all clusters for which the scanner has access and permission for harvesting.
- Each scanned cluster will be added to InsightCloudSec as an individual Kubernetes Cluster.
Assessment is disabled by default. Each added cluster is harvested in a "Paused" state and should be enabled (see below) for each Cluster you would like to have scanned.
After onboarding Managed Kubernetes clusters using the Remote Scanner, you will need to enable your clusters for scanning with the following steps:
1. Navigate to "Cloud --> Kubernetes Clusters" to view the list of successfully onboarded clusters.
2. Check the box next to the name for any clusters for which you want to enable scanning.
3. Click the "Play" button (arrow) from the top menu options to enable a scan cycle.
Self-managed clusters are not visible to InsightCloudSec through the remote scanner. Self-managed clusters, when configured to provide access to each specific cluster, will be harvested and assessed automatically through the local scanner after they are successfully onboarded to InsightCloudSec.
After successful onboarding, the local scanner allows you to identify cluster coverage through the Clouds page.
- Refer to the detailed documentation on the Kubernetes Local Scanner to enable support for self-managed clusters.
What if the Remote Scanner was not able to access my cluster(s)?
If the remote scanner cannot access one of your clusters you have two options:
- Update the cloud account/cluster settings to allow the remote scanner access to harvest the cluster details
- If you are unable to allow access to this cluster for the remote scanner this cluster can be accessed by installing the local scanner.
What happens if I'm using the local scanner (for managed clusters) and I want to switch to the remote scanner?
You can switch clusters from the local scanner to the remote scanner. For details on migrating refer to the steps on this page for Managed Clusters - Local Scanner Migration.
Is there any way to determine if a cluster that is currently supported by the local scanner can be supported by the remote scanner?
In general if a cluster has a public endpoint the cluster is likely eligible to be supported by the remote scanner. If you are unsure we recommend that you reach out to support prior to uninstalling local scanner.
After connecting your CSPs and upgrading, details around the successfully harvested clusters (managed or self-managed) will be available under "Cloud --> Kubernetes Clusters".
The available status for clusters are:
- OK - Successfully harvested and enabled for scanning
- Paused - Successfully harvested, not enabled for scanning
- Unauthorized - Issues with harvesting or scanning, generally the result of access issues (permissions, token authorization, etc)
- Failed - Issues with harvesting or scanning, generally the result of connectivity issues
Selecting the checkbox next to the individual cluster/cloud account will enable options to play, pause or delete for each account selected (these are also available under the Actions column).
- Multi-select is available (for the items displayed on the page) but if a single cluster cannot be modified, the button/behavior will be greyed-out.
For Remote Clusters only, you can click the cluster name to open the Related Resources graph. From this graph, you can view details about the cluster as well as all resources associated with the cluster. You can also access this graph from supported Kubernetes resources on the Resources page. Note: K8S Secrets, Config Maps, and Persistent Volumes are not supported currently. Review Related Resources for more information.
If a managed cluster has already been scanned via local scanner it will continue to operate via local scanner. You can migrate it to a remote scanner by taking the following steps:
1. Uninstall the local scanner from the designated cluster.
- You can use
helm uninstall <Release Name>command to remove.
- For Example: Assuming Guardrails was installed with
k8s-guardrailsas the name and
rapid7as the namespace, you can use the following
helm uninstall k8s-guardrails -n rapid7
2. Delete the associated Kubernetes cloud account from InsightCloudSec.
- Note: Deleting the cloud account will cause loss of the Kubernetes data that was harvested and the respective Insights. Data will be restored via a fresh harvesting and assessment using the remote scanner.
3. When the remote scanner runs it will detect the cluster and create a new Kubernetes cluster in InsightCloudSec. Note that new clusters are created in a "Paused" state.
- Select the new cluster and click "Resume" to start the assessment.
4. The remote scanner will execute harvesting and assessment on the next harvesting cycle or upon manual harvesting trigger.
For a managed cluster that was onboarded through the remote scanner, Refer to the details below on migrating from the remote scanner to a local scanner.
Before Setting up a Local Scanner
After finishing the steps below, InsightCloudSec will automatically update the scanner entry from "remote" to "local", so there's no need to remove the cluster first. InsightCloudSec uses the Cluster ID to perform this automatic update, so failing to perform the steps below in order will result in two entries for the same cluster in InsightCloudSec (one for each ID).
1. Validate that the cluster ID configured for the local scanner installation is identical to the cluster ID in InsightCloudSec for any clusters you want to migrate.
- For existing clusters view the cluster ID within the "Cloud --> Kubernetes Clusters" page.
2. Set up your local scanner as desired based on the steps in the Kubernetes Local Scanner - Setup & Configuration page.
3. Any clusters you've specified should be onboarded through the local scanner.
If you delete a Cluster outside of InsightCloudSec, it will detect the deletion in the next harvesting cycle or event if EDH is used. The following events will occur:
- The cluster will be marked as deleted
- The Kubernetes entities related to this cluster are marked as deleted
- The account associated with the cluster will not be deleted from the UI and the harvesting state will be set to “suspended”
You will need to manually delete the suspended account. Deleting a cluster from the UI does not actually delete the account. Note: Automatic deletion of the suspended account will be supported in future versions
To remove the deleted cluster from InsightCloudSec, you will need to do so from the Kubernetes Cluster page.
1. Select the account with the checkbox on the left from the "Clouds --> Kubernetes Cluster" page.
2. Click the "Delete" icon (trash can).
For additional details related to InsightCloudSec's support of Kubernetes check out the following pages:
- Refer to the Kubernetes Scanners - Overview for a summary of the scanner options we support and links to detailed pages for both the local and remote scanning options.
- Refer to the Kubernetes Security Guardrails Overview page for details on this feature and our support for hardening your production environment for Kubernetes clusters, nodes, and pods.
- Refer to Container Image Vulnerability for details on this feature which is designed to continuously analyze production environment container image software vulnerability.
Updated 3 months ago