Host Scanning

The Kubernetes API server has a very limited set of information about the worker nodes in a cluster. To help Kubescape evaluate the security posture of your nodes, you can use the host scanner, a component which is deployed to each node when a scan is being performed and removed immediately after.

Usage

To enable the host scanner when using the Kubescape CLI, use the --enable-host-scan option:

kubescape scan --enable-host-scan

Kubescape will deploy a DaemonSet containing the host scanner, which will run on all the nodes in the cluster. The DaemonSet is removed at the end of the scan.

Note: The host scanner is currently an opt-in feature. Based on user feedback, it may become the default.

How it works

The host scanner is a microservice which collects values from a Linux host and makes them available through a REST API. It is packaged as a container image.

It provides information about:

  • the control plane, if the node is hosting one
  • container network interface (CNI) configuration
  • kernel and OS version
  • kubelet and kube-proxy configuration
  • whether or not the node is running on a cloud, and if it has access to the cloud metadata server
  • open ports

More information on the host scanner, and its source code, is available on GitHub.

Deployment

Kubescape deploys the host scanner as a DaemonSet in a custom namespace. The host filesystem is mapped as a volume mount into the pod. When Kubescape has collected the information from every node, it deletes the DaemonSet and the namespace that were created.

Customize the host scanner

Kubescape can deploy the host scanner using a custom manifest.

Why do this? You are able to change the image tag, service account, tolerations, and more. This allows you to configure the deployment to suit any policy restrictions.

For example, you may not be able to deploy images from the registry that Kubescape uses (quay.io). Using this method, you can publish the image to your own private repository and deploy that local copy instead.

Kubescape CLI

To deploy a custom manifest:

  1. Download the host scanner manifest (which contains both the Namespace object and the DaemonSet).
  2. Edit the YAML file so it fits your needs.
  3. Run Kubescape with --enable-host-scan and --host-scan-yaml /path/to/modified/file:
    kubescape scan --enable-host-scan --host-scan-yaml /path/to/modified/file

Warning! Do not remove the Namespace object while editing the host scanner manifest. Kubescape ensures the DaemonSet is removed by deleting the namespace it created.
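The following shell functions are an added example, not part of the Kubescape project or its documentation. They carry out steps 2 and 3 above for the private-registry case and refuse to run the scan if the edited manifest has lost its Namespace object (the warning above). Assumptions: the manifest was already downloaded in step 1, its image references start with quay.io/ as the page states, and the registry host, object names and image name in the constructed sample manifest are placeholders.

```shell
#!/bin/sh
# Added example (not Kubescape's own tooling): rewrite the host scanner manifest
# for a private registry and verify it still carries the Namespace object.

# Write a small constructed manifest with the same two object kinds the page
# describes (Namespace + DaemonSet). Names and image are placeholders only.
write_sample_manifest() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Namespace
metadata:
  name: host-scanner-example
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: host-scanner-example
  namespace: host-scanner-example
spec:
  template:
    spec:
      containers:
        - name: host-scanner
          image: quay.io/example/host-scanner:v1
EOF
}

# Step 2: point every quay.io image reference at a private registry instead.
# Usage: rewrite_images <input manifest> <output manifest> <registry host>
rewrite_images() {
  sed "s#image: quay.io/#image: $3/#" "$1" > "$2"
}

# Guard from the warning: the Namespace object must survive the edit, and the
# DaemonSet must still be there, or Kubescape cannot clean up after the scan.
check_manifest() {
  grep -q '^kind: Namespace' "$1" || { echo "manifest lost its Namespace object" >&2; return 1; }
  grep -q '^kind: DaemonSet' "$1" || { echo "manifest lost its DaemonSet" >&2; return 1; }
}

# Step 3: run the scan only with a manifest that passed the check.
run_scan() {
  check_manifest "$1" || return 1
  kubescape scan --enable-host-scan --host-scan-yaml "$1"
}
```

Call `run_scan /path/to/modified/file` after editing; it exits non-zero without touching the cluster if the Namespace object is missing.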

Using the Kubescape Operator

The template for deploying the host scanner can be edited in the Helm chart.