Kvisor security agent
The kvisor agent scans container images for vulnerabilities, lints Kubernetes YAML manifests, and checks the cluster against CIS security recommendations. It's open source, and you can find it on GitHub.
Install kvisor using the CAST AI console UI
Please see Getting started to connect your cluster to CAST AI with the 'Deeper security insights' option enabled.
Install with Terraform
CAST AI Terraform modules for GKE, EKS, and AKS support the install_security_agent=true module input variable.
module "castai-eks-cluster" {
// ...
install_security_agent = true
}
See the EKS module example.
Install with Helm
Add the CAST AI Helm charts repository.
helm repo add castai-helm https://castai.github.io/helm-charts
helm repo update
You can list all available components and versions.
helm search repo castai-helm
Example output:
NAME CHART VERSION APP VERSION DESCRIPTION
castai-helm/castai-agent 0.18.0 v0.23.0 CAST AI agent deployment chart.
castai-helm/castai-cluster-controller 0.17.0 v0.14.0 CAST AI cluster controller deployment chart.
castai-helm/castai-evictor 0.10.0 0.5.1 Cluster utilization defragmentation tool
castai-helm/castai-spot-handler 0.3.0 v0.3.0 CAST AI spot handler daemonset chart.
castai-helm/castai-kvisor 0.16.9 v0.20.3 CAST AI security agent deployment chart.
Now, let's install it.
helm upgrade --install castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--set castai.apiKey=<your-api-token> \
--set castai.clusterID=<your-cluster-id> \
--set structuredConfig.provider=<aks|eks|gke>
Please note that:
- For structuredConfig.provider, pass your Kubernetes provider, or leave it empty if it is not AKS, EKS, or GKE.
- You can create an API key in the CAST AI console UI.
- You can find your cluster ID in the CAST AI console UI.
Upgrade the kvisor agent
Upgrade to the latest version:
helm repo update
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent --reuse-values
Configuring features
You can change any of the supported config values described in the kvisor Helm chart.
Increase concurrent image scans count
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reuse-values --set structuredConfig.imageScan.maxConcurrentScans=6
Enable private image scan
See the detailed guide in Image scanning.
Enable policy enforcement
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reuse-values --set policyEnforcement.enabled=true
Disable policy enforcement
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reuse-values --set policyEnforcement.enabled=false
Disable image scan
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reuse-values --set structuredConfig.imageScan.enabled=false
Disable kube bench jobs
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reuse-values --set structuredConfig.kubeBench.enabled=false
Disable Kubernetes YAML manifests linters
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reuse-values --set structuredConfig.linter.enabled=false
Update resources (CPU, memory)
For large clusters, you may need to increase CPU and memory.
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent --reuse-values \
--set resources.requests.cpu=100m \
--set resources.requests.memory=2Gi \
--set resources.limits.memory=2Gi
To check all applied configurations:
helm get values castai-kvisor -n castai-agent
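The install command and the per-feature --set overrides above can be collected into a single values file passed with -f. The script below is an added example, not code from the CAST AI docs or the kvisor chart: it validates the provider value (aks, eks, gke or empty, as noted above) and the scan count, and reads the API key and cluster ID from the environment so they are not typed on the helm command line, where --set would leave them in shell history and process listings. The function names, the environment variable names CASTAI_API_TOKEN and CASTAI_CLUSTER_ID, and the kvisor-values.yaml path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the CAST AI docs or the kvisor chart itself.
# Renders a Helm values file for castai-kvisor from environment variables so
# the API key never appears on the helm command line. Uses only the chart
# keys shown on this page; function and variable names are our own.

# Accept only the providers the chart recognises, or empty for any other one.
kvisor_provider() {
  case "$1" in
    aks|eks|gke|"") printf '%s' "$1" ;;
    *) echo "unsupported provider '$1': use aks, eks, gke or leave empty" >&2; return 1 ;;
  esac
}

# Print a values document for castai-kvisor to stdout.
#   $1 provider (aks|eks|gke|""), $2 max concurrent image scans (default 1),
#   $3 policy enforcement enabled (true|false, default false)
kvisor_values() {
  provider=$(kvisor_provider "$1") || return 1
  scans="${2:-1}"
  enforce="${3:-false}"
  case "$scans" in
    ''|*[!0-9]*|0) echo "maxConcurrentScans must be a positive integer" >&2; return 1 ;;
  esac
  case "$enforce" in
    true|false) ;;
    *) echo "policy enforcement must be true or false" >&2; return 1 ;;
  esac
  if [ -z "$CASTAI_API_TOKEN" ] || [ -z "$CASTAI_CLUSTER_ID" ]; then
    echo "CASTAI_API_TOKEN and CASTAI_CLUSTER_ID must be set in the environment" >&2
    return 1
  fi
  cat <<EOF
castai:
  apiKey: "${CASTAI_API_TOKEN}"
  clusterID: "${CASTAI_CLUSTER_ID}"
structuredConfig:
  provider: "${provider}"
  imageScan:
    enabled: true
    maxConcurrentScans: ${scans}
policyEnforcement:
  enabled: ${enforce}
EOF
}

# Real run (values file instead of --set, so the token stays out of history):
#   CASTAI_API_TOKEN=... CASTAI_CLUSTER_ID=... kvisor_values eks 6 true > kvisor-values.yaml
#   helm upgrade --install castai-kvisor castai-helm/castai-kvisor -n castai-agent -f kvisor-values.yaml
```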
Troubleshooting
Check kvisor logs
kubectl logs -l app.kubernetes.io/name=castai-kvisor -n castai-agent