Host Scanning

Kubescape Host Scanner

Kubescape helps to find your cluster's security risks based on different factors and information sources. One of them being the actual machine behind your Kubernetes Node. Kubernetes API gives a very limited set of information about this machine therefore Kubescape uses a component called "Kubescape Host Scanner" to access a broader and deeper set of information.


To enable host scanner simply run Kubescape scan with --enable-host-scan option. This will deploy sensors on each Nodes for the time of the scan only and will remove them at the end. This is an "opt in'' feature for the time being and might be turned on later by default.

kubescape scan --enable-host-scan


The host scanner is a microservice reading different values from the Linux host making them available through its REST API. It is packaged as a container image


Kubescape deploys host scanner as a Kuberenetes DaemonSet. Mapping the host filesystem as a volume mount into the POD. Kubescape installs it on start-up, collects information from every POD/Node and deletes the DaemonSet when done (by removing the namespace).

Customize your host-scanner DaemonSet

It is possible to tune the host-scanner deployment by modifying the original YAML and tell Kubescape what file to use instead of the original one.
e.g. When the cluster is allowed to run images only from certain images repositories.

  1. Download the original YAML (combined from namespace object and daemonset object).
  2. Edit the YAML file so it will fit your needs (change image tag, ServiceAccount, tolerations, etc.).
  3. Run Kubescape with --enable-host-scan and --host-scan-yaml /path/to/modified/file. e.g. ->
    kubescape scan --enable-host-scan --host-scan-yaml /path/to/modified/file

Do not remove the namespace when editing the YAML. Kubescape removes the DaemonSet by deleting it's namespace