Clusters Account Setup & Management

Instructions on Connecting and Viewing Your Kubernetes Clusters with InsightCloudSec

InsightCloudSec currently supports the setup and harvesting of Kubernetes cluster details through two scanners: the local scanner and the remote scanner. The remote scanner supports harvesting of managed Kubernetes clusters: those clusters for which InsightCloudSec has access (e.g., network access and permissions). The local scanner supports managed Kubernetes clusters not accessible to InsightCloudSec and self-managed Kubernetes clusters.

This page provides information on setting up your cluster accounts as well as detail on viewing that information within InsightCloudSec once your Kubernetes clusters have been harvested.

Kubernetes Scanner Support

Detailed documentation for both the remote scanner and local scanner options is available; refer to the following individual pages:

InsightCloudSec currently supports adding a cluster from the following services/providers:

Providers                                  Local Scanner   Remote Scanner
AWS (EKS)                                  Supported       Supported
AWS (EKS) GovCloud                         Supported       Supported
AWS (EKS) China                            Supported       Not Supported
GCP (GKE)                                  Supported       Supported
Azure (AKS)                                Supported       Supported
Azure (AKS) GovCloud                       Supported       Not Supported
Azure (AKS) China                          Supported       Not Supported
Oracle Cloud Infrastructure (OCI) - OKE    Supported       Not Supported
Alibaba Cloud (ACK)                        Supported       Not Supported
Self-managed (All CSPs)                    Supported       Not Supported

Details on each Kubernetes provider can be found at the following pages:

Note: Click one of the links above to view details on Kubernetes support through each specific Cloud Service Provider (CSP). Contact us through the Customer Support Portal with any questions.

Additional Details

After validating or setting up the appropriate permissions, InsightCloudSec harvests the Kubernetes services via the cloud provider API and creates a matching cloud account for each Kubernetes cluster.

  • Cluster access is generated using the account access credentials provided by the user.
  • Cluster resources are harvested and associated with the parent cloud account that is created to model the Kubernetes service.

Setting Up Cluster Accounts

Setup For Managed Kubernetes Clusters

Before getting started, ensure that the Cloud Service Provider (CSP) accounts (e.g., AWS, Azure, GCP) where the target Kubernetes clusters reside have been successfully connected to InsightCloudSec.

Once the desired CSPs are connected and InsightCloudSec has been upgraded to the latest version, the remote scanner automatically adds every cluster that it has the network access and permissions to harvest.

  • Each scanned cluster will be added to InsightCloudSec as an individual Kubernetes Cluster.


Enable Scanning

Assessment is disabled by default. Each added cluster is harvested in a "Paused" state and must be enabled (see below) for each cluster you want scanned.

Enabling Scanning for Managed Clusters

After onboarding Managed Kubernetes clusters using the Remote Scanner, you will need to enable your clusters for scanning with the following steps:

1. Navigate to "Cloud --> Kubernetes Clusters" to view the list of successfully onboarded clusters.

[Image: Kubernetes Clusters Page]

2. Check the box next to the name for any clusters for which you want to enable scanning.

3. Click the "Play" button (arrow) from the top menu options to enable a scan cycle.

Managed Clusters - Local Scanner Migration

If a managed cluster has already been scanned via the local scanner, it will continue to operate via the local scanner. You can migrate it to the remote scanner by taking the following steps:

1. Uninstall the local scanner from the designated cluster.

  • You can use the helm uninstall <Release Name> command to remove it.

2. Delete the associated Kubernetes cloud account from InsightCloudSec.

  • Note: Deleting the cloud account will cause the loss of the harvested Kubernetes data and the respective Insights. The data will be restored by a fresh harvesting and assessment using the remote scanner.

3. The remote scanner will create a new Kubernetes cloud account and execute harvesting and assessment on the next harvesting cycle or upon a manual harvesting trigger.
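Steps 1 and 3 above, together with the public-endpoint rule from the troubleshooting section below, as an added bash helper that is not part of the InsightCloudSec documentation or product; the provider codes, the release/namespace/context arguments and the CSP CLI fields used for the endpoint check are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the InsightCloudSec docs or product. Pre-flight
# checks for migrating a managed cluster from the local scanner to the remote
# scanner. Assumed: the provider codes, the release/namespace/context arguments,
# and an authenticated CSP CLI for the cluster being checked.
set -eu

# Remote-scanner support per provider/partition, taken from this page's matrix.
remote_scanner_supported() {
  case "$1" in
    eks|gke|aks) return 0 ;;
    eks-gov|eks-cn|aks-gov|aks-cn|oke|ack|self-managed) return 1 ;;
    *) echo "unknown provider: $1" >&2; return 2 ;;
  esac
}

# Feasible only for a supported provider whose API server has a public endpoint
# ($2 is "true"/"false", e.g. the output of query_endpoint_public).
migration_feasible() {
  remote_scanner_supported "$1" || return 1
  [ "$2" = "true" ]
}

# Ask the CSP whether the API server is publicly reachable. EKS reports a
# "public access" flag, while GKE and AKS report a "private cluster" flag, so
# those two are inverted. Prints a normalised "true" or "false".
query_endpoint_public() {   # args: provider cluster-name [aks-resource-group]
  case "$1" in
    eks) v=$(aws eks describe-cluster --name "$2" --output text \
               --query 'cluster.resourcesVpcConfig.endpointPublicAccess') ;;
    gke) v=$(gcloud container clusters describe "$2" \
               --format='value(privateClusterConfig.enablePrivateEndpoint)') ;;
    aks) v=$(az aks show -n "$2" -g "$3" -o tsv \
               --query apiServerAccessProfile.enablePrivateCluster) ;;
    *)   echo false; return ;;
  esac
  v=$(printf '%s' "$v" | tr '[:upper:]' '[:lower:]')
  if [ "$1" = eks ]; then [ "$v" = true ] && echo true || echo false
  else                    [ "$v" = true ] && echo false || echo true; fi
}

# Step 1 of the migration: remove the local scanner only after confirming the
# kubectl context and that the Helm release actually exists in that namespace.
uninstall_local_scanner() {   # args: release namespace expected-context
  [ "$(kubectl config current-context)" = "$3" ] || { echo "wrong context" >&2; return 1; }
  helm status "$1" -n "$2" >/dev/null || { echo "release $1 not found" >&2; return 1; }
  helm uninstall "$1" -n "$2"
}
```

Run migration_feasible with the provider code and the result of query_endpoint_public before calling uninstall_local_scanner; steps 2 and 3 (deleting the cloud account and the re-harvest) still happen in InsightCloudSec itself.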

Refer to the Kubernetes Remote Scanner page for additional details.

Setup for Self-Managed Kubernetes Clusters

Self-managed clusters are not visible to InsightCloudSec through the remote scanner. Once each self-managed cluster is configured to provide access and has been successfully onboarded to InsightCloudSec, it is harvested and assessed automatically through the local scanner.

After successful onboarding, the local scanner allows you to identify cluster coverage through the Clouds page.

Setup General Troubleshooting

What if the Remote Scanner was not able to access my cluster(s)?

If the remote scanner cannot access one of your clusters, you have two options:

  • Update the cloud account/cluster settings to allow the remote scanner access to harvest the cluster details.
  • If you are unable to allow the remote scanner access to this cluster, it can be accessed by installing the local scanner.

What happens if I'm using the local scanner (for managed clusters) and I want to switch to the remote scanner?

You can switch clusters from the local scanner to the remote scanner. For details on migrating refer to the steps on this page for Managed Clusters - Local Scanner Migration.

Is there any way to determine if a cluster that is currently supported by the local scanner can be supported by the remote scanner?

In general, if a cluster has a public endpoint, it is likely eligible to be supported by the remote scanner. If you are unsure, we recommend that you reach out to support prior to uninstalling the local scanner.

Viewing & Managing Clusters

After connecting your CSPs and upgrading, details around the successfully harvested clusters (managed or self-managed) will be available under "Cloud --> Kubernetes Clusters".

Status

The available statuses for clusters are:

  • OK - Successfully harvested and enabled for scanning
  • Paused - Successfully harvested, not enabled for scanning
  • Unauthorized - Issues with harvesting or scanning, generally the result of access issues (permissions, token authorization, etc.)
  • Failed - Issues with harvesting or scanning, generally the result of connectivity issues

Actions

Selecting the checkbox next to an individual cluster/cloud account enables the play, pause, and delete options for each selected account (these are also available under the Actions column).

  • Multi-select is available (for the items displayed on the page), but if any single selected cluster cannot be modified, the button/behavior will be greyed out.
[Image: Clouds Listing Page - Viewing Managed Clusters]

Deleting Clusters

If you delete a cluster outside of InsightCloudSec, the deletion is detected in the next harvesting cycle (or by event, if EDH is used). The following will occur:

  • The cluster will be marked as deleted
  • The Kubernetes entities related to this cluster are marked as deleted
  • The account associated with the cluster will not be deleted from the UI and the harvesting state will be set to “suspended”

You will need to manually delete the suspended account; deleting a cluster from the UI does not actually delete the account. Note: Automatic deletion of the suspended account will be supported in future versions.

To remove the deleted cluster from InsightCloudSec, you will need to do so from the Kubernetes Cluster page.

1. Select the account with the checkbox on the left from the "Clouds --> Kubernetes Cluster" page.

2. Click the "Delete" icon (trash can).

[Image: Removing a Cloud Account (Cluster)]

What's Next?

For additional details related to InsightCloudSec's support of Kubernetes check out the following pages: