Kvisor security agent
Check how to configure and upgrade the CAST AI Kvisor security component.
Kvisor is an open-source agent that scans container images for vulnerabilities, lints Kubernetes YAML manifests, and checks clusters against CIS security recommendations. You can find the source on GitHub.
Kvisor uses the same permission set as the CAST AI agent. For more details, refer to the Security section.
Install kvisor using the CAST AI console UI
See Getting started to connect your cluster to CAST AI with the 'Deeper Security insights' option enabled.
Install with Terraform
CAST AI Terraform modules for GKE, EKS, and AKS support the install_security_agent=true module input variable.
module "castai-eks-cluster" {
  // ...
  install_security_agent = true
}
See the EKS module example.
Install with Helm
Add the CAST AI Helm charts repository.
helm repo add castai-helm https://castai.github.io/helm-charts
helm repo update
You can list all available components and versions.
helm search repo castai-helm
An expected example output:
NAME CHART VERSION APP VERSION DESCRIPTION
castai-helm/castai-agent 0.18.0 v0.23.0 CAST AI agent deployment chart.
castai-helm/castai-cluster-controller 0.17.0 v0.14.0 CAST AI cluster controller deployment chart.
castai-helm/castai-evictor 0.10.0 0.5.1 Cluster utilization defragmentation tool
castai-helm/castai-spot-handler 0.3.0 v0.3.0 CAST AI spot handler daemonset chart.
castai-helm/castai-kvisor 0.16.9 v0.20.3 CAST AI security agent deployment chart.
Now, let's install it.
helm upgrade --install castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--set castai.apiKey=<your-api-token> \
--set castai.clusterID=<your-cluster-id> \
--set controller.extraArgs.kube-linter-enabled=true \
--set controller.extraArgs.image-scan-enabled=true \
--set controller.extraArgs.kube-bench-enabled=true \
--set controller.extraArgs.kube-bench-cloud-provider=<aks|eks|gke>
Please note that:
- For controller.extraArgs.kube-bench-cloud-provider, pass your Kubernetes provider, or leave it empty if it is not AKS, EKS, or GKE.
- You can create an API key in the CAST AI console UI.
- You can find your cluster ID in the CAST AI console UI.
Upgrade the kvisor agent
If you already have kvisor running and only want to upgrade to the latest version, run helm upgrade with --reuse-values. With this flag, Helm reuses your existing clusterID and apiKey.
helm repo update castai-helm
helm upgrade --install castai-kvisor castai-helm/castai-kvisor -n castai-agent --reuse-values
Configuring features
You can change any of the supported config values described in the kvisor Helm chart.
Set custom image
You can re-tag the us-docker.pkg.dev/castai-hub/library/kvisor image into a private registry and configure the kvisor Helm chart to use it.
Setting an image pull secret is optional if you use a managed cloud provider's registry or the image is public.
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reuse-values \
--set image.repository=my-kvisor-repository \
--set image.tag=my-tag \
--set 'imagePullSecrets[0].name=my-pull-secret'
Increase the concurrent image scan count
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reuse-values --set controller.extraArgs.image-concurrent-scans=6
Enable private image scan
See the detailed guide in Images scanning.
Update resources (CPU, memory)
For large clusters, you may need to increase CPU and memory.
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent --reuse-values \
--set controller.resources.requests.cpu=100m \
--set controller.resources.requests.memory=2Gi \
--set controller.resources.limits.memory=2Gi
To check all applied configurations:
helm get values castai-kvisor -n castai-agent
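Beyond eyeballing that output, you can audit it. The script below is an added example, not part of the CAST AI docs or the kvisor project: it parses the user-supplied values of the castai-kvisor release and confirms the three scanners from the install command are enabled and kube-bench-cloud-provider is one of the supported values (or empty). The SAMPLE_VALUES blob is a constructed stand-in for the live helm get values output.

```shell
#!/bin/sh
# Added example (not CAST AI's or kvisor's own code): audit castai-kvisor Helm values.
# Live use:  helm get values castai-kvisor -n castai-agent -o yaml | audit_kvisor_values
# Offline, it runs against SAMPLE_VALUES, a constructed copy of such output.

# Print the value of one controller.extraArgs key from values YAML on stdin.
extra_arg() {
  awk -v key="$1" '
    /^[^ ]/ { top = $1; in_args = 0 }                  # new top-level key, e.g. "controller:"
    top == "controller:" && /^  extraArgs:/ { in_args = 1; next }
    in_args && /^  [^ ]/ { in_args = 0 }               # left the extraArgs block
    in_args {
      sub(/^ +/, "")
      k = $0; sub(/:.*/, "", k)                        # key before the colon
      v = $0; sub(/^[^:]*: */, "", v)                  # value after the colon
      if (k == key) print v
    }'
}

# Return 0 if every expected flag is set correctly, 1 otherwise (findings go to stderr).
audit_kvisor_values() {
  values=$(cat)
  rc=0
  for flag in kube-linter-enabled image-scan-enabled kube-bench-enabled; do
    val=$(printf '%s\n' "$values" | extra_arg "$flag")
    if [ "$val" != "true" ]; then
      echo "FINDING: controller.extraArgs.$flag is '${val:-unset}', expected true" >&2
      rc=1
    fi
  done
  provider=$(printf '%s\n' "$values" | extra_arg kube-bench-cloud-provider)
  case "$provider" in
    ""|aks|eks|gke) ;;
    *) echo "FINDING: kube-bench-cloud-provider '$provider' is not aks, eks, gke or empty" >&2
       rc=1 ;;
  esac
  return $rc
}

# Constructed sample of what the install command on this page leaves in the release values.
SAMPLE_VALUES='castai:
  apiKey: <your-api-token>
  clusterID: <your-cluster-id>
controller:
  extraArgs:
    image-scan-enabled: true
    kube-bench-cloud-provider: eks
    kube-bench-enabled: true
    kube-linter-enabled: true'

printf '%s\n' "$SAMPLE_VALUES" | audit_kvisor_values && echo "kvisor values look good"
```

A release that was installed without one of the --set flags, or with a typo in the provider name, fails the audit with a FINDING line naming the offending key.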
Troubleshooting
Check kvisor controller logs
kubectl logs -l app.kubernetes.io/name=castai-kvisor-controller -n castai-agent