Vulnerability scanning
On this page, we will describe how to install and operate Kubescape vulnerability scanning in your Kubernetes cluster.
Prerequisites
Vulnerability scanning
The Kubescape vulnerability scanner runs in the background.
Right after the first installation it scans the container images in the cluster and uploads the results to the Kubescape Cloud Platform, where they can be viewed.
Scanning images pulled from private registries
Before sending the scan command, Kubescape looks for all registry scan secrets (those whose name starts with kubescape-registry-scan) and checks each one for a match with the image tag (a strings.Contains comparison). If a match is found, the credentials are added to the websocket command sent to kubevuln.
See Registry Vulnerabilities for how to configure the secret in the Kubescape namespace.
Secret example:
kind: Secret
apiVersion: v1
metadata:
  name: kubescape-registry-scan-my-acr-secret
  namespace: kubescape
type: Opaque
stringData:
  registriesAuth: |
    [
      {
        "registry": "myrepo.azurecr.io",
        "username": "<username/clientID>",
        "password": "<password/secret>",
        "auth_method": "credentials"
      }
    ]
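The secret lookup described above (prefix filter on the secret name, parsing of registriesAuth, strings.Contains match on the image tag), written out as an added Go example; this is not Kubescape's own code, and the Secret type and the empty-registry guard are assumptions made here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// RegistryAuth is one entry of the registriesAuth JSON array (field names
// taken from the secret example above).
type RegistryAuth struct {
	Registry   string `json:"registry"`
	Username   string `json:"username"`
	Password   string `json:"password"`
	AuthMethod string `json:"auth_method"`
}

// Secret is a constructed stand-in for a Kubernetes Secret: its name plus the
// registriesAuth value from stringData. Not Kubescape's own type.
type Secret struct {
	Name           string
	RegistriesAuth string
}

const secretPrefix = "kubescape-registry-scan"

// MatchRegistryCredentials reproduces the lookup described above: only secrets
// whose name starts with the prefix are considered, each registriesAuth array
// is parsed, and an entry matches when the image tag contains its registry
// field (a strings.Contains comparison). All matching entries are returned.
func MatchRegistryCredentials(secrets []Secret, imageTag string) ([]RegistryAuth, error) {
	var matches []RegistryAuth
	for _, s := range secrets {
		if !strings.HasPrefix(s.Name, secretPrefix) {
			continue // not a registry-scan secret
		}
		var entries []RegistryAuth
		if err := json.Unmarshal([]byte(s.RegistriesAuth), &entries); err != nil {
			return nil, fmt.Errorf("secret %s: invalid registriesAuth: %w", s.Name, err)
		}
		for _, e := range entries {
			// Empty-registry guard is an added check: Contains(x, "") is always true.
			if e.Registry != "" && strings.Contains(imageTag, e.Registry) {
				matches = append(matches, e)
			}
		}
	}
	return matches, nil
}
```

Note that a secret whose name lacks the kubescape-registry-scan prefix is ignored even if its registry would match, and a malformed registriesAuth value is reported rather than silently skipped.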
Air-gapped support
It is possible to get image vulnerability results in an air-gapped mode.
When installing the helm chart, add the following flag: --set grypeOfflineDB.enabled=true
Recurring image vulnerability scanning
The scanner is triggered by a CronJob called kubevuln-scheduler; by default it runs once every midnight. To customize the scan frequency, update the kubevulnScheduler.scanSchedule="0 0 * * *" value to the required cron expression.
You can also disable the default creation of the CronJob by setting kubevulnScheduler.enabled=false.
Automatic scan of new images
Kubescape vulnerability scanner will scan new images which are deployed to the cluster:
- A new Deployment/StatefulSet/DaemonSet/Pod is applied
- The container image tag in an existing Deployment/StatefulSet/DaemonSet/Pod has changed