Kvisor and security

Does running the CAST AI Kvisor for security reporting interfere with running other security tools against the cluster?

No, Kvisor runs in a read-only mode and will not interfere with any other security tools.

What is the purpose of retaining data for 10 years?

10 years is a blanket statement for auditors (SOC2/ISO27001) to keep internal documents, communication, etc. CAST AI does not commit to how long it will keep customer data. Snapshots are discarded after three months, but reports, audit logs, machine learning artifacts, etc., are kept indefinitely.

What image scanner does CAST AI use internally for image vulnerabilities?

CAST AI has its own image scanner built into the Kvisor component. It checks against the CIS Kubernetes security benchmark, as well as NSA, OWASP, and PCI recommendations.

Does castai-kvisor image scanning support the exclusion of specific resources like Dynatrace?

Yes, it is possible to exclude specific resources from castai-kvisor image scanning. Exclusion works at the namespace level: images are skipped by the namespace of the resource that runs them, so a resource that should be excluded on its own must live in its own namespace. The chart exposes this through the value controller.extraArgs.image-scan-ignored-namespaces=dynatrace; setting it excludes the Dynatrace namespace from image scanning. If you onboarded through Helm, you can apply it with the following command:

helm upgrade -n castai-agent --reuse-values --set controller.extraArgs.image-scan-ignored-namespaces=dynatrace castai-kvisor castai-helm/castai-kvisor
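Because the exclusion is namespace-wide, it is worth checking what it actually removes from scan coverage before applying it. The following Python is an added example (not CAST AI's or Kvisor's own code) that reads pod JSON in the shape produced by `kubectl get pods -A -o json`, assumes the ignore list matches a pod's namespace exactly, and reports which images will no longer receive a vulnerability report, which ignored images still get one because they also run in a scanned namespace, and which pods sit in the ignored namespace. The pod list and image names below are constructed sample data.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `kubectl get pods -A -o json`, trimmed to
# the fields this check needs. Image references are placeholders, not real tags.
SAMPLE_PODS_JSON = json.dumps({
    "items": [
        {"metadata": {"namespace": "dynatrace", "name": "oneagent-abc"},
         "spec": {"containers": [{"image": "example.com/dynatrace/oneagent:1.0"}]}},
        # A pod that does not belong to the vendor but landed in its namespace:
        # a namespace-level exclusion silently skips it too.
        {"metadata": {"namespace": "dynatrace", "name": "debug-shell"},
         "spec": {"containers": [{"image": "example.com/tools/debug:latest"}]}},
        {"metadata": {"namespace": "payments", "name": "api-xyz"},
         "spec": {"containers": [{"image": "example.com/payments/api:2.3"}],
                  "initContainers": [{"image": "example.com/tools/debug:latest"}]}},
        {"metadata": {"namespace": "kube-system", "name": "coredns-1"},
         "spec": {"containers": [{"image": "example.com/coredns:1.11"}]}},
    ]
})


def images_by_namespace(pods_json):
    """Return {namespace: {image: {pod names}}} from kubectl pod-list JSON.

    Init containers are included because they are pulled and run on the node
    just like regular containers.
    """
    out = defaultdict(lambda: defaultdict(set))
    for pod in json.loads(pods_json)["items"]:
        ns = pod["metadata"]["namespace"]
        name = pod["metadata"]["name"]
        spec = pod["spec"]
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            out[ns][c["image"]].add(name)
    return out


def exclusion_report(pods_json, ignored_namespaces):
    """Model the effect of image-scan-ignored-namespaces on scan coverage.

    Assumption (hypothetical, not taken from Kvisor docs): an image is skipped
    when the pod running it is in an ignored namespace, and scanned otherwise.
    """
    by_ns = images_by_namespace(pods_json)
    ignored = set(ignored_namespaces)
    scanned, skipped = set(), set()
    for ns, images in by_ns.items():
        (skipped if ns in ignored else scanned).update(images)
    return {
        # Images that will still produce vulnerability reports
        "scanned": sorted(scanned),
        # Images that lose coverage entirely: they only run in ignored namespaces
        "unscanned": sorted(skipped - scanned),
        # Images in an ignored namespace that are still scanned via another one
        "still_covered": sorted(skipped & scanned),
        # Everything living in the ignored namespaces; review for stowaways
        "pods_in_ignored_ns": {
            ns: sorted(p for pods in by_ns[ns].values() for p in pods)
            for ns in ignored if ns in by_ns
        },
    }


if __name__ == "__main__":
    print(json.dumps(exclusion_report(SAMPLE_PODS_JSON, ["dynatrace"]), indent=2))
```

Run it against real cluster output by replacing the constructed sample with the contents of `kubectl get pods -A -o json`; the `pods_in_ignored_ns` entry is the one to read before applying the Helm value, since anything listed there besides the intended vendor workloads will stop being scanned.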