Vulnerability scanning

On this page, we will describe how to install and operate Kubescape vulnerability scanning in your Kubernetes cluster.

Prerequisites

Vulnerability scanning

The Kubescape vulnerability scanner runs in the background.

The Kubescape vulnerability scanner scans the container images in the cluster right after the first installation and uploads the results to the Kubescape Cloud Platform, where they can be viewed.

Scanning images pulled from private registries

Before sending the scan command, Kubescape looks for all registry scan secrets (those whose names start with kubescape-registry-scan) and checks each one for a match against the image tag (a strings.Contains comparison). When a secret matches, we add its credentials to the websocket command sent to kubevuln.

See Registry Vulnerabilities for how to configure the secret in the Kubescape namespace.

Secret example:

kind: Secret
apiVersion: v1
metadata:
  name: kubescape-registry-scan-my-acr-secret
  namespace: kubescape
type: Opaque
stringData:
  registriesAuth: |
    [
      {
        "registry": "myrepo.azurecr.io",
        "username": "<username/clientID>",
        "password": "<password/secret>",
        "auth_method": "credentials"
      }
    ]
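The secret-matching step described above, as an added Go example (not Kubescape's own code): it assumes the kubescape-registry-scan-* secrets have already been read from the kubescape namespace into a map of secret name to registriesAuth content, which is a helper the page does not show.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// secretPrefix is the name prefix Kubescape looks for on registry scan secrets.
const secretPrefix = "kubescape-registry-scan"

// RegistryAuth mirrors one entry of the registriesAuth JSON array in the secret.
type RegistryAuth struct {
	Registry   string `json:"registry"`
	Username   string `json:"username"`
	Password   string `json:"password"`
	AuthMethod string `json:"auth_method"`
}

// selectCredentials returns every credential whose registry value is a substring of
// the image reference (the strings.Contains comparison the page describes).
// secrets maps secret name to its registriesAuth content; other names are skipped.
func selectCredentials(secrets map[string]string, imageTag string) ([]RegistryAuth, error) {
	var matched []RegistryAuth
	for name, raw := range secrets {
		if !strings.HasPrefix(name, secretPrefix) {
			continue
		}
		var auths []RegistryAuth
		if err := json.Unmarshal([]byte(raw), &auths); err != nil {
			return nil, fmt.Errorf("secret %s: registriesAuth is not a JSON array: %w", name, err)
		}
		for _, a := range auths {
			if a.Registry != "" && strings.Contains(imageTag, a.Registry) {
				matched = append(matched, a)
			}
		}
	}
	return matched, nil
}

func main() {
	// Constructed sample data: one matching secret and one ignored because of its name.
	secrets := map[string]string{
		"kubescape-registry-scan-my-acr-secret": `[{"registry":"myrepo.azurecr.io","username":"clientID","password":"secret","auth_method":"credentials"}]`,
		"unrelated-secret":                      `[{"registry":"myrepo.azurecr.io","username":"x","password":"y","auth_method":"credentials"}]`,
	}
	creds, err := selectCredentials(secrets, "myrepo.azurecr.io/team/app:1.2.3")
	fmt.Println(len(creds), "credential(s) matched, err:", err)
}
```

Because the comparison is a plain substring check, keep each registry value a full hostname such as myrepo.azurecr.io so that credentials are only attached to images from that registry.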

Air-gapped support

It is possible to get image vulnerability results in an air-gapped mode.

When installing the Helm chart, add the following flag: --set grypeOfflineDB.enabled=true

Recurring image vulnerability scanning

The scanner is triggered by a CronJob called kubevuln-scheduler; by default it runs once a day at midnight. To customize the scan frequency, set the kubevulnScheduler.scanSchedule value (default "0 0 * * *") to the cron expression you need.

You can also disable the default creation of the CronJob by setting kubevulnScheduler.enabled=false.

Automatic scan of new images

The Kubescape vulnerability scanner also scans new images as they are deployed to the cluster, that is, when:

  • A new Deployment/StatefulSet/DaemonSet/Pod is applied
  • The container image tag in an existing Deployment/StatefulSet/DaemonSet/Pod has changed