Vulnerability scanning
On this page, we will describe how to install and operate Kubescape vulnerability scanning in your Kubernetes cluster.
Prerequisites
Vulnerability scanning
The Kubescape vulnerability scanner runs in the background.
It scans the container images in the cluster right after the first installation and uploads the results to the Kubescape Cloud Platform, where they can be viewed.
Recurring image vulnerability scanning
The scanner is triggered by a CronJob called kubevuln-scheduler. By default, it runs once a day at midnight. To customize the scan frequency, change the value kubevulnScheduler.scanSchedule="0 0 * * *" to the required cron schedule.
You can also disable the default creation of the CronJob by setting the value to false: kubevulnScheduler.enabled=false
Automatic scan of new images
The Kubescape vulnerability scanner can scan new images when they are deployed to the cluster, in either of these cases:
- A new Deployment/StatefulSet/DaemonSet/Pod is applied
- The container image tag in an existing Deployment/StatefulSet/DaemonSet/Pod has changed
The default setting for this feature is "disable". You can manually enable it by setting the value to "enable" when running Helm, as follows: --set triggerNewImageScan=enable
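The three settings above, written as a Helm values file instead of individual --set flags. This is an added example, not taken from the Kubescape documentation; the file name and the six-hour schedule are constructed for illustration, and the keys are the ones named on this page, with each dotted --set path nested as YAML.

```yaml
# kubescape-scan-values.yaml (hypothetical file name)

kubevulnScheduler:
  # Page default: true. Setting this to false stops the kubevuln-scheduler
  # CronJob from being created, so no recurring scan runs at all.
  enabled: true

  # Page default: "0 0 * * *" (once a day at midnight).
  # Cron fields: minute hour day-of-month month day-of-week.
  # Constructed example value: every six hours, on the hour.
  scanSchedule: "0 */6 * * *"

# Page default: disable. With the default, an image deployed after a
# scheduled run is not scanned until the next run; "enable" scans it
# when the workload is applied or its image tag changes.
triggerNewImageScan: enable
```

Pass the file with -f to the same helm command you use to install or upgrade the chart.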