Limitations
Cluster scanning
Cloud vendor integrations
Kubescape reads cluster information from the cloud vendors' APIs, using each vendor's SDK to retrieve it. Each vendor requires its own set of authorizations (see the SDK documentation of the given vendor), and the corresponding credentials must be available in the environment where Kubescape runs:
- AWS IAM roles for EKS access; see the Amazon Web Services integration page
- GCP IAM roles for GKE access; see the Google Cloud Services integration page
- Azure AKS is not yet supported
- DigitalOcean API is not yet supported
Vulnerability scanning
Private registries support
- Private registries are supported via:
  - ImagePullSecrets (in the podSpec or the serviceAccount)
  - AWS IAM roles for ECR access; see the Amazon Web Services integration page
  - GCP IAM roles for GCR access; see the Google Cloud Services integration page
- Azure ACR authentication is not yet supported
Scanning Troubleshooting
Issue / logs | Issue description | Solution
---|---|---
"Unable to update vulnerability database: unable to download db" or "Failed to get image descriptor from registry" | The image may have been deleted from the container registry, so the vulnerability scanner cannot fetch the image manifest data and therefore its vulnerabilities | *First suggestion:* add the image back to the container registry so it can be scanned. *Second suggestion:* update the image in the pod to the latest image that exists in the container registry
"Failed to load vulnerability db: vulnerability database is corrupt" | The scanner process reached the memory limit set on the Kubernetes deployment "armo-vuln-scan" | *First suggestion:* increase the memory limit of the deployment (see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). *Second suggestion:* reduce the value of the CA_MAX_VULN_SCAN_ROUTINS environment variable (the default is 4)
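As an added example (not from the Kubescape documentation), a strategic-merge patch for the armo-vuln-scan deployment that applies both fixes from the last row at once: a higher memory limit and fewer concurrent scan routines. The container name is an assumption and the memory value is a constructed starting point; check both against your cluster before applying.

```yaml
# Added example: strategic-merge patch for the armo-vuln-scan deployment.
# Assumption: the container is named "armo-vuln-scan"; confirm with
#   kubectl get deployment armo-vuln-scan -n <namespace> -o yaml
spec:
  template:
    spec:
      containers:
        - name: armo-vuln-scan           # assumed container name; must match the deployment
          resources:
            limits:
              memory: 4Gi                # constructed value; raise from the current limit until the scanner stops being OOM-killed
          env:
            - name: CA_MAX_VULN_SCAN_ROUTINS
              value: "2"                 # fewer concurrent scans than the default of 4 lowers peak memory
```

Apply it with kubectl patch deployment armo-vuln-scan -n <namespace> --patch-file vuln-scan-patch.yaml; either change alone is usually enough, and lowering the routine count trades scan throughput for a smaller peak footprint.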