The Kubernetes API server has a very limited set of information about the worker nodes in a cluster. To help Kubescape evaluate the security posture of your nodes, you can use the host scanner, a component which is deployed to each node when a scan is being performed and removed immediately after.
To enable the host scanner when using the Kubescape CLI, use the --enable-host-scan flag:
kubescape scan --enable-host-scan
Kubescape will deploy a DaemonSet containing the host scanner, which will run on all the nodes in the cluster. The DaemonSet is removed at the end of the scan.
The host scanner is currently an opt-in feature. Based on user feedback, it may become the default.
How it works
The host scanner is a microservice which exposes values from a Linux host and makes them available through a REST API. It is packaged as a container image.
It provides information about:
- the control plane, if the node is hosting one
- container network interface (CNI) configuration
- kernel and OS version
- kubelet and kube-proxy configuration
- whether or not the node is running on a cloud, and if it has access to the cloud metadata server
- open ports
More information on the host scanner, and its source code, is available on GitHub.
Kubescape deploys the host scanner as a DaemonSet in a custom namespace. The host filesystem is mapped as a volume mount into the pod. When Kubescape has collected the information from every node, it deletes the DaemonSet and the namespace that were created.
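Because the host scanner DaemonSet maps the node's root filesystem into its pod, a practitioner will usually want a way to confirm that nothing with that level of access is left running after a scan. The following audit script is an added example, not Kubescape's own code: it reads the JSON shape produced by `kubectl get daemonsets -A -o json` and lists every DaemonSet that declares hostPath volumes, optionally narrowing to those mapping `/`. The embedded input is constructed, and the namespace and DaemonSet names in it are placeholders.

```python
"""Find DaemonSets that mount the node filesystem via hostPath volumes.

Added example, not part of Kubescape. Input is the JSON produced by
`kubectl get daemonsets -A -o json`; pipe that into this script, or run it
without arguments to use the constructed sample below.
"""
import json
import sys

# Constructed sample: names and namespaces are placeholders, not real cluster data.
SAMPLE_KUBECTL_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "host-scanner", "namespace": "host-scanner-example"},
         "spec": {"template": {"spec": {"volumes": [
             {"name": "host-fs", "hostPath": {"path": "/"}}]}}}},
        {"metadata": {"name": "kube-proxy", "namespace": "kube-system"},
         "spec": {"template": {"spec": {"volumes": [
             {"name": "xtables-lock", "hostPath": {"path": "/run/xtables.lock"}},
             {"name": "lib-modules", "hostPath": {"path": "/lib/modules"}}]}}}},
        {"metadata": {"name": "log-agent", "namespace": "logging"},
         "spec": {"template": {"spec": {"volumes": [
             {"name": "cfg", "configMap": {"name": "log-agent"}}]}}}},
    ]
})


def host_path_volumes(daemonset):
    """Return the hostPath paths declared in a DaemonSet's pod template."""
    pod_spec = daemonset.get("spec", {}).get("template", {}).get("spec", {})
    return [v["hostPath"]["path"] for v in (pod_spec.get("volumes") or []) if "hostPath" in v]


def find_host_mounting_daemonsets(kubectl_json, root_only=False):
    """Return (namespace, name, [paths]) for each DaemonSet using hostPath volumes.

    With root_only=True only DaemonSets that map the whole node filesystem ('/')
    are reported; a leftover host scanner would show up here after a scan.
    """
    hits = []
    for ds in json.loads(kubectl_json)["items"]:
        paths = host_path_volumes(ds)
        if root_only:
            paths = [p for p in paths if p.rstrip("/") == ""]
        if paths:
            md = ds["metadata"]
            hits.append((md["namespace"], md["name"], paths))
    return hits


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KUBECTL_JSON
    for namespace, name, paths in find_host_mounting_daemonsets(data, root_only=True):
        print(f"{namespace}/{name} maps the node root filesystem: {paths}")
```

The hostPath check is deliberately broad: kube-proxy style mounts of single files are normal, so the root_only filter is what separates "expected node agent" from "something has the whole host filesystem".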
Customize the host scanner
Kubescape can deploy the host scanner using a custom manifest.
Why do this?
You are able to change the image tag, service account, tolerations, and more. This allows you to configure the deployment to suit any policy restrictions.
For example, you may not be able to deploy images from the registry that Kubescape uses (quay.io). Using this method, you can publish the image to your own private repository and deploy the local copy.
To deploy a custom manifest:
- Download the host scanner manifest (which contains both the Namespace object and the DaemonSet).
- Edit the YAML file to fit your needs.
- Run Kubescape with the --host-scan-yaml flag pointing at the modified file:
kubescape scan --enable-host-scan --host-scan-yaml /path/to/modified/file
Do not remove the Namespace object while editing the host scanner manifest. Kubescape ensures the DaemonSet is removed by deleting the namespace it created.
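A small helper for the procedure above, added here as an example and not part of Kubescape: it rewrites the image registry in a downloaded manifest so the scanner is pulled from a private registry, and then checks the two things that commonly go wrong when the file is hand-edited: the Namespace object has been dropped, or the DaemonSet's namespace no longer matches it (in either case Kubescape's cleanup-by-namespace-deletion would not remove the DaemonSet). The embedded manifest is constructed to match the shape the page describes; its namespace name, image path and tag are placeholders, and plain text processing is used so no YAML library is required.

```python
"""Customize and sanity-check a Kubescape host scanner manifest.

Added example, not Kubescape's own code. Usage:
    python customize_host_scanner.py downloaded.yaml quay.io registry.example.internal > custom.yaml
Run without arguments to exercise the constructed sample manifest.
"""
import re
import sys

# Constructed sample manifest: a Namespace plus a DaemonSet, as the docs describe.
# The namespace name, image repository and tag are placeholders.
SAMPLE_MANIFEST = """\
apiVersion: v1
kind: Namespace
metadata:
  name: host-scanner-example
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: host-scanner
  namespace: host-scanner-example
spec:
  selector:
    matchLabels:
      app: host-scanner
  template:
    metadata:
      labels:
        app: host-scanner
    spec:
      containers:
        - name: host-scanner
          image: quay.io/example/host-scanner:v1.2.3
          volumeMounts:
            - name: host-fs
              mountPath: /host_fs
              readOnly: true
      volumes:
        - name: host-fs
          hostPath:
            path: /
"""


def split_documents(manifest):
    """Split a multi-document YAML string on '---' separator lines."""
    return [d for d in re.split(r"^---\s*$", manifest, flags=re.M) if d.strip()]


def kind_of(doc):
    m = re.search(r"^kind:\s*(\S+)", doc, flags=re.M)
    return m.group(1) if m else None


def images_in(manifest):
    """Every 'image:' value in the manifest, in order of appearance."""
    return re.findall(r"^\s*image:\s*(\S+)", manifest, flags=re.M)


def rewrite_registry(manifest, old_registry, new_registry):
    """Point each image at new_registry, keeping the repository path and tag intact."""
    pattern = re.compile(r"^(\s*image:\s*)" + re.escape(old_registry) + "/", flags=re.M)
    return pattern.sub(lambda m: m.group(1) + new_registry + "/", manifest)


def validate(manifest, forbidden_registry=None):
    """Return a list of problems; an empty list means the manifest is usable."""
    problems = []
    kinds = {kind_of(d): d for d in split_documents(manifest)}
    if "Namespace" not in kinds:
        problems.append("Namespace object missing: Kubescape removes the DaemonSet by deleting this namespace")
    if "DaemonSet" not in kinds:
        problems.append("DaemonSet object missing")
    if "Namespace" in kinds and "DaemonSet" in kinds:
        # First 'name:' in the Namespace doc is its metadata.name; first 'namespace:'
        # in the DaemonSet doc is its metadata.namespace.
        ns_name = re.search(r"^\s+name:\s*(\S+)", kinds["Namespace"], flags=re.M)
        ds_ns = re.search(r"^\s+namespace:\s*(\S+)", kinds["DaemonSet"], flags=re.M)
        if not ns_name or not ds_ns or ns_name.group(1) != ds_ns.group(1):
            problems.append("DaemonSet namespace does not match the Namespace object, so it would survive cleanup")
    if forbidden_registry:
        for img in images_in(manifest):
            if img.startswith(forbidden_registry + "/"):
                problems.append(f"image still pulled from {forbidden_registry}: {img}")
    return problems


if __name__ == "__main__":
    if len(sys.argv) == 4:
        path, old, new = sys.argv[1:]
        with open(path) as f:
            manifest = f.read()
    else:
        manifest, old, new = SAMPLE_MANIFEST, "quay.io", "registry.example.internal"
    custom = rewrite_registry(manifest, old, new)
    for problem in validate(custom, forbidden_registry=old):
        print("PROBLEM:", problem, file=sys.stderr)
    sys.stdout.write(custom)
```

The validator is intentionally strict about the Namespace object because the page's cleanup guarantee depends on it: a DaemonSet placed in any other namespace, or in a namespace the manifest no longer creates, would keep a pod with the host filesystem mounted on every node after the scan ends.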
Using the Kubescape Operator
The template for deploying the host scanner can be edited in the Helm chart.