Clusters Account Setup & Management
Instructions on Connecting and Viewing Your Kubernetes Clusters with InsightCloudSec
InsightCloudSec currently supports the setup and harvesting of Kubernetes cluster details through two scanners: the local scanner and the remote scanner. The remote scanner supports harvesting of managed Kubernetes clusters: those clusters for which InsightCloudSec has access (e.g., network access and permissions). The local scanner supports managed Kubernetes clusters not accessible to InsightCloudSec and self-managed Kubernetes clusters.
This page provides information on setting up your cluster accounts as well as detail on viewing that information within InsightCloudSec once your Kubernetes clusters have been harvested.
Kubernetes Scanner Support
Detailed documentation for both the remote scanner and the local scanner is available; refer to the following individual pages:
InsightCloudSec currently supports adding a cluster from the following services/providers:
| Providers | Local Scanner | Remote Scanner |
|---|---|---|
| AWS (EKS) GovCloud | Supported | Supported |
| AWS (EKS) China | Supported | Not Supported |
| Azure (AKS) GovCloud | Supported | Not Supported |
| Azure (AKS) China | Supported | Not Supported |
| Oracle Cloud Infrastructure (OCI) - OKE | Supported | Not Supported |
| Alibaba Cloud (ACK) | Supported | Not Supported |
| Self-managed (All CSPs) | Supported | Not Supported |
Details on each Kubernetes provider can be found at the following pages:
Note: Click one of the links above to view details on Kubernetes support through any of the specific Cloud Service Providers (CSPs). Contact us through the Customer Support Portal with any questions.
After validating or setting up the appropriate permissions, InsightCloudSec harvests the Kubernetes services via the cloud provider API and creates a matching cloud account for each Kubernetes cluster.
- Cluster access is generated using the account access credentials provided by the user.
- Cluster resources are harvested and associated with the parent cloud account that is created to model the Kubernetes service.
Setting Up Cluster Accounts
Setup For Managed Kubernetes Clusters
Before getting started, ensure that the Cloud Service Provider (CSP) accounts (e.g., AWS, Azure, GCP) where the target Kubernetes clusters reside have been successfully connected to InsightCloudSec.
- If you have not connected your CSP accounts, refer to Cloud Account Setup & Management for a summary and links to detailed steps for each individual CSP.
With appropriate access to the desired CSPs, after an upgrade to the latest version of InsightCloudSec, the remote scanner will automatically add every cluster it has network access and permission to harvest.
- Each scanned cluster will be added to InsightCloudSec as an individual Kubernetes Cluster.
Assessment is disabled by default: each added cluster is harvested in a "Paused" state and must be enabled (see below) for every cluster you want scanned.
Enabling Scanning for Managed Clusters
After onboarding managed Kubernetes clusters using the remote scanner, enable your clusters for scanning with the following steps:
1. Navigate to "Cloud --> Kubernetes Clusters" to view the list of successfully onboarded clusters.
2. Check the box next to the name for any clusters for which you want to enable scanning.
3. Click the "Play" button (arrow) from the top menu options to enable a scan cycle.
Managed Clusters - Local Scanner Migration
If a managed cluster has already been scanned via the local scanner, it will continue to operate via the local scanner. You can migrate it to the remote scanner by taking the following steps:
1. Uninstall the local scanner from the designated cluster.
- You can use the "helm uninstall <Release Name>" command to remove it.
2. Delete the associated Kubernetes cloud account from InsightCloudSec.
- Note: Deleting the cloud account will cause loss of the Kubernetes data that was harvested and the respective Insights. The data will be restored by a fresh harvesting and assessment using the remote scanner.
3. The remote scanner will create a new Kubernetes cloud account and execute harvesting and assessment on the next harvesting cycle or upon a manual harvesting trigger.
Refer to the Kubernetes Remote Scanner page for additional details.
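The following helper, added here as an example and not InsightCloudSec's or Helm's own tooling, carries out step 1 of the migration above and adds the check a practitioner wants before step 2: it finds the local scanner's Helm release from "helm list -A -o json", runs "helm uninstall", and then confirms that no cluster-wide RBAC objects or service accounts tagged with that release remain (a scanner that reads the whole cluster typically holds a ClusterRoleBinding, and anything left behind keeps that access after the account is gone). Assumptions not taken from this page: LOCAL_SCANNER_CHART_PATTERN is a placeholder for the scanner chart's name, and the leftover check relies on the meta.helm.sh/release-name annotation that Helm 3 writes on the objects it manages (objects retained via a helm.sh/resource-policy: keep annotation, or created by hand with that annotation, are exactly what it reports).

```python
"""Added example for the "Managed Clusters - Local Scanner Migration" steps.
Not InsightCloudSec's or Helm's own tooling. Locates the local scanner's Helm
release, uninstalls it, and verifies nothing with that release's annotation
is left behind before the Kubernetes cloud account is deleted in the UI.

Assumptions: LOCAL_SCANNER_CHART_PATTERN is a placeholder; the leftover check
uses the `meta.helm.sh/release-name` annotation written by Helm 3.
"""
import json
import re
import subprocess

# Assumption: replace with the chart name used by your local scanner install.
LOCAL_SCANNER_CHART_PATTERN = r"^PLACEHOLDER-local-scanner-chart"


def find_releases(helm_list_json, chart_pattern=LOCAL_SCANNER_CHART_PATTERN):
    """Return [(release_name, namespace)] for releases whose chart matches."""
    return [
        (rel["name"], rel["namespace"])
        for rel in json.loads(helm_list_json)
        if re.search(chart_pattern, rel.get("chart", ""))
    ]


def leftover_resources(kubectl_json, release_name):
    """Return 'Kind/name' for objects still annotated with the given release.

    Input is the output of:
      kubectl get clusterrole,clusterrolebinding,serviceaccount -A -o json
    """
    leftovers = []
    for item in json.loads(kubectl_json).get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        if annotations.get("meta.helm.sh/release-name") == release_name:
            leftovers.append(f"{item['kind']}/{meta['name']}")
    return leftovers


def _run(cmd):
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def migrate_local_scanner(dry_run=True):
    """Step 1 of the migration: uninstall the local scanner and verify cleanup.

    Returns the leftover objects found after uninstall; an empty list means it
    is safe to continue with step 2 (deleting the cloud account in the UI).
    """
    releases = find_releases(_run(["helm", "list", "-A", "-o", "json"]))
    if not releases:
        print("no local scanner release found; nothing to uninstall")
        return []
    remaining = []
    for name, namespace in releases:
        if dry_run:
            print(f"would run: helm uninstall {name} -n {namespace}")
            continue
        subprocess.run(["helm", "uninstall", name, "-n", namespace], check=True)
        rbac = _run(["kubectl", "get",
                     "clusterrole,clusterrolebinding,serviceaccount",
                     "-A", "-o", "json"])
        for obj in leftover_resources(rbac, name):
            print(f"still present after uninstall: {obj}")
            remaining.append(obj)
    return remaining


# Constructed sample data (not captured from a real cluster) for offline checks.
SAMPLE_HELM_LIST = json.dumps([
    {"name": "ics-local-scanner", "namespace": "ics-local-scanner", "revision": "1",
     "updated": "2024-01-15 10:22:33.000000 +0000 UTC", "status": "deployed",
     "chart": "PLACEHOLDER-local-scanner-chart-1.2.3", "app_version": "1.2.3"},
    {"name": "ingress-nginx", "namespace": "ingress-nginx", "revision": "4",
     "updated": "2024-01-10 08:00:00.000000 +0000 UTC", "status": "deployed",
     "chart": "ingress-nginx-4.9.0", "app_version": "1.9.5"},
])

SAMPLE_KUBECTL_RBAC = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "ics-local-scanner-view",
                  "annotations": {"meta.helm.sh/release-name": "ics-local-scanner",
                                  "meta.helm.sh/release-namespace": "ics-local-scanner"}}},
    {"kind": "ServiceAccount",
     "metadata": {"name": "default", "namespace": "kube-system"}},
    {"kind": "ClusterRole",
     "metadata": {"name": "ingress-nginx",
                  "annotations": {"meta.helm.sh/release-name": "ingress-nginx"}}},
]})


if __name__ == "__main__":
    print(find_releases(SAMPLE_HELM_LIST))
    print(leftover_resources(SAMPLE_KUBECTL_RBAC, "ics-local-scanner"))
    # Live dry run; needs helm on PATH and prints the commands it would execute.
    migrate_local_scanner(dry_run=True)
```

Run with dry_run=True first to see which release would be removed; only after the leftover list comes back empty should the cloud account be deleted in InsightCloudSec (step 2), since deleting the account discards the harvested data while any retained RBAC objects would keep the old scanner's permissions alive in the cluster.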
Setup for Self-Managed Kubernetes Clusters
Self-managed clusters are not visible to InsightCloudSec through the remote scanner. Once each self-managed cluster is configured to provide access, it is harvested and assessed automatically through the local scanner after it has been successfully onboarded to InsightCloudSec.
After successful onboarding, the local scanner allows you to identify cluster coverage through the Clouds page.
- Refer to the detailed documentation on the Kubernetes Local Scanner to enable support for self-managed clusters.
Setup General Troubleshooting
What if the Remote Scanner was not able to access my cluster(s)?
If the remote scanner cannot access one of your clusters, you have two options:
- Update the cloud account/cluster settings to allow the remote scanner access to harvest the cluster details.
- If you are unable to allow the remote scanner access to this cluster, the cluster can instead be accessed by installing the local scanner.
What happens if I'm using the local scanner (for managed clusters) and I want to switch to the remote scanner?
You can switch clusters from the local scanner to the remote scanner. For details on migrating, refer to the steps on this page under Managed Clusters - Local Scanner Migration.
Is there any way to determine if a cluster that is currently supported by the local scanner can be supported by the remote scanner?
In general, if a cluster has a public endpoint, it is likely eligible to be supported by the remote scanner. If you are unsure, we recommend that you reach out to support prior to uninstalling the local scanner.
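For AWS EKS clusters (one of the providers listed on this page), the "public endpoint" rule of thumb can be checked before anything is uninstalled. The following script is an added example, not InsightCloudSec's own tooling: it reads the output of "aws eks describe-cluster", whose cluster.resourcesVpcConfig.endpointPublicAccess flag says whether a public endpoint exists and whose publicAccessCidrs list says who may reach it, and classifies the cluster accordingly. A public endpoint whose allow list does not include the scanner's source addresses is the case the FAQ above calls "update the cloud account/cluster settings". Assumptions not taken from this page: SCANNER_SOURCE_IPS is a placeholder; the addresses the remote scanner actually connects from, and the cluster permissions it needs on top of network reachability, are documented on the Kubernetes Remote Scanner page.

```python
"""Added example for the FAQ "can this local-scanner cluster move to the remote
scanner?". Not InsightCloudSec's own tooling. Classifies an AWS EKS cluster
from `aws eks describe-cluster` output: private-only endpoints stay on the
local scanner, public endpoints are candidates, and a restricted public
allow list needs updating before the remote scanner can reach the cluster.

Assumption: SCANNER_SOURCE_IPS is a placeholder, not the scanner's real IPs.
"""
import ipaddress
import json
import subprocess

# Placeholder (RFC 5737 TEST-NET-3); replace with the remote scanner's egress IPs.
SCANNER_SOURCE_IPS = ["203.0.113.10"]


def classify_eks_cluster(describe_json, scanner_ips=SCANNER_SOURCE_IPS):
    """Return one of:
      'local-scanner'                    private-only endpoint, keep the local scanner
      'remote-scanner-after-cidr-update' public endpoint, allow list blocks the scanner
      'remote-scanner'                   public endpoint reachable from scanner_ips
    """
    vpc = json.loads(describe_json)["cluster"]["resourcesVpcConfig"]
    if not vpc.get("endpointPublicAccess", False):
        return "local-scanner"
    allowed = [ipaddress.ip_network(c)
               for c in vpc.get("publicAccessCidrs", ["0.0.0.0/0"])]
    blocked = [ip for ip in scanner_ips
               if not any(ipaddress.ip_address(ip) in net for net in allowed)]
    if blocked:
        return "remote-scanner-after-cidr-update"
    return "remote-scanner"


def describe_cluster(name, region=None):
    """Fetch the live description with the AWS CLI (requires AWS credentials)."""
    cmd = ["aws", "eks", "describe-cluster", "--name", name, "--output", "json"]
    if region:
        cmd += ["--region", region]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def _sample(public_access, cidrs):
    # Constructed describe-cluster fragment with only the fields this check reads.
    return json.dumps({"cluster": {"name": "example", "resourcesVpcConfig": {
        "endpointPublicAccess": public_access,
        "endpointPrivateAccess": True,
        "publicAccessCidrs": cidrs}}})


SAMPLE_PRIVATE_ONLY = _sample(False, [])
SAMPLE_PUBLIC_RESTRICTED = _sample(True, ["198.51.100.0/24"])
SAMPLE_PUBLIC_OPEN = _sample(True, ["0.0.0.0/0"])


if __name__ == "__main__":
    for label, sample in [("private-only", SAMPLE_PRIVATE_ONLY),
                          ("public, restricted", SAMPLE_PUBLIC_RESTRICTED),
                          ("public, open", SAMPLE_PUBLIC_OPEN)]:
        print(f"{label}: {classify_eks_cluster(sample)}")
    # Live check: print(classify_eks_cluster(describe_cluster("my-cluster", "us-east-1")))
```

The result is only a network-level answer: a reachable endpoint still has to grant the remote scanner the permissions described on the Kubernetes Remote Scanner page, and the "Unauthorized" status listed under Viewing & Managing Clusters is what a reachable-but-unpermitted cluster looks like afterwards.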
Viewing & Managing Clusters
After connecting your CSPs and upgrading, details on the successfully harvested clusters (managed or self-managed) will be available under "Cloud --> Kubernetes Clusters".
The available statuses for clusters are:
- OK - Successfully harvested and enabled for scanning
- Paused - Successfully harvested, not enabled for scanning
- Unauthorized - Issues with harvesting or scanning, generally the result of access issues (permissions, token authorization, etc.)
- Failed - Issues with harvesting or scanning, generally the result of connectivity issues
Selecting the checkbox next to an individual cluster/cloud account enables the play, pause and delete options for each selected account (these are also available under the Actions column).
- Multi-select is available (for the items displayed on the page), but if any one of the selected clusters cannot be modified, the button/behavior will be greyed out.
If you delete a cluster outside of InsightCloudSec, the deletion is detected in the next harvesting cycle (or from the deletion event, if EDH is used). The following will occur:
- The cluster will be marked as deleted
- The Kubernetes entities related to this cluster are marked as deleted
- The account associated with the cluster will not be deleted from the UI and the harvesting state will be set to “suspended”
You will need to delete the suspended account manually; deleting a cluster from the UI does not by itself delete the account. Note: Automatic deletion of the suspended account will be supported in future versions.
To remove the deleted cluster from InsightCloudSec, do so from the Kubernetes Cluster page:
1. Select the account with the checkbox on the left from the "Clouds --> Kubernetes Cluster" page.
2. Click the "Delete" icon (trash can).
For additional details on InsightCloudSec's support of Kubernetes, check out the following pages:
- Refer to the Kubernetes Scanners - Overview for a summary of the scanner options we support and links to detailed pages for both the local and remote scanning options.
- Refer to the Kubernetes Security Guardrails Overview page for details on this feature and our support for hardening your production environment for Kubernetes clusters, nodes, and pods.
- Refer to Container Image Vulnerability Assessment for details on this feature, which is designed to continuously analyze container images in your production environment for software vulnerabilities.