Cluster vulnerability scanning

On this page, we describe how to install and operate Kubescape vulnerability scanning in your Kubernetes cluster.

Prerequisites

Vulnerability scanning

The Kubescape vulnerability scanner runs in the background.

The Kubescape vulnerability scanner scans the container images in the cluster right after it is first installed and uploads the results to the Kubescape Cloud Platform, where they can be viewed.

Recurring image vulnerabilities scanning

The scanner is triggered by a CronJob called kubevuln-scheduler; by default it runs once a day, at midnight. To customize the scan frequency, set the Helm value kubevulnScheduler.scanSchedule (default "0 0 * * *") to the cron schedule you need.

You can also disable creation of the CronJob altogether by setting kubevulnScheduler.enabled=false.
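Because a mistyped schedule silently changes how often images are rescanned, it is worth checking a custom kubevulnScheduler.scanSchedule value before passing it to Helm. The following Python helper is an added example, not part of the Kubescape documentation or code; it assumes the standard five-field cron syntax used by Kubernetes CronJobs and computes the next scan times for a given schedule.

```python
"""Validate a kubevulnScheduler.scanSchedule cron value and list the next scan times.
Added example, not Kubescape code; assumes standard 5-field cron syntax."""
from datetime import datetime, timedelta

FIELDS = (("minute", 0, 59), ("hour", 0, 23), ("day", 1, 31), ("month", 1, 12), ("weekday", 0, 6))

def _expand(token, lo, hi):
    """Expand one field (supports *, */n, a-b, a-b/n and comma lists) into a set of ints."""
    values = set()
    for part in token.split(","):
        step = 1
        if "/" in part:
            part, step_s = part.split("/", 1)
            step = int(step_s)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = int(part)
            end = hi if step > 1 else start  # "5/10" means 5, 15, 25, ...
        if not lo <= start <= end <= hi:
            raise ValueError(f"{part!r} outside allowed range {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values

def parse_schedule(schedule):
    """Parse a 5-field cron schedule; raises ValueError on malformed input."""
    tokens = schedule.split()
    if len(tokens) != 5:
        raise ValueError("cron schedule must have exactly 5 fields")
    spec = {name: _expand(tok, lo, hi) for tok, (name, lo, hi) in zip(tokens, FIELDS)}
    # Standard cron rule: when both day fields are restricted, either one matching suffices.
    spec["day_or"] = tokens[2] != "*" and tokens[4] != "*"
    return spec

def next_runs(schedule, start, count=3):
    """Return the next `count` trigger times strictly after `start` (datetime or ISO string)."""
    spec = parse_schedule(schedule)
    start = datetime.fromisoformat(start) if isinstance(start, str) else start
    t = start.replace(second=0, microsecond=0) + timedelta(minutes=1)
    runs = []
    while len(runs) < count:
        dom, dow = t.day in spec["day"], (t.isoweekday() % 7) in spec["weekday"]  # cron: 0 = Sunday
        day_ok = (dom or dow) if spec["day_or"] else (dom and dow)
        if t.minute in spec["minute"] and t.hour in spec["hour"] and t.month in spec["month"] and day_ok:
            runs.append(t)
        t += timedelta(minutes=1)
    return runs
```

For example, next_runs("0 */6 * * *", "2024-01-01T00:00") shows that a six-hourly schedule would trigger scans at 06:00, 12:00 and 18:00 on the same day, while the default "0 0 * * *" yields one run per day at midnight.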

Automatic scan of new images

The Kubescape vulnerability scanner can also scan new images as they are deployed to the cluster, that is, when:

  • A new Deployment/StatefulSet/DaemonSet/Pod is applied
  • The container image tag in an existing Deployment/StatefulSet/DaemonSet/Pod has changed

This feature is disabled by default (the value is "disable"). To enable it, set the value to "enable" when running Helm: --set triggerNewImageScan=enable