Kvisor security agent

The kvisor agent scans images for vulnerabilities, lints Kubernetes YAML manifests, and checks the cluster against CIS security recommendations. It is open source, and you can find it on GitHub.

Install kvisor using the CAST AI console UI

Please see Getting started to connect your cluster to CAST AI with the 'Deeper Security insights' option enabled.

Install with Terraform

CAST AI Terraform modules for GKE, EKS, and AKS support the install_security_agent=true module input variable.

module "castai-eks-cluster" {
  // ...
  install_security_agent = true
}

See the EKS module example.

Install with Helm

Add the CAST AI Helm charts repository.

helm repo add castai-helm https://castai.github.io/helm-charts
helm repo update

You can list all available components and versions.

helm search repo castai-helm

Expected output looks like this:

NAME                                    CHART VERSION   APP VERSION     DESCRIPTION
castai-helm/castai-agent                0.18.0          v0.23.0         CAST AI agent deployment chart.
castai-helm/castai-cluster-controller   0.17.0          v0.14.0         CAST AI cluster controller deployment chart.
castai-helm/castai-evictor              0.10.0          0.5.1           Cluster utilization defragmentation tool
castai-helm/castai-spot-handler         0.3.0           v0.3.0          CAST AI spot handler daemonset chart.
castai-helm/castai-kvisor               0.16.9          v0.20.3         CAST AI security agent deployment chart.

Now, let's install it.

helm upgrade --install castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --set castai.apiKey=<your-api-token> \
  --set castai.clusterID=<your-cluster-id> \
  --set structuredConfig.provider=<aks|eks|gke>

Please note that:

  1. For structuredConfig.provider, pass your Kubernetes provider, or leave it empty if it is not AKS, EKS, or GKE.
  2. You can create an API key in the CAST AI console UI.
  3. You can find your cluster ID in the CAST AI console UI.
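As an added example (not CAST AI's own tooling), the POSIX shell wrapper below automates the install command above. It validates the provider value the notes describe before calling helm and passes the API key through a values file written with mode 600 rather than a --set flag, so the key stays out of shell history and process listings. It assumes the chart's values keys are the same ones the --set flags above address (castai.apiKey, castai.clusterID, structuredConfig.provider); the environment variable names are this example's own.

```shell
#!/bin/sh
# Added example, not CAST AI's own tooling: install helper for the
# castai-kvisor chart. Validates inputs, then installs from a values file
# so the API key is not passed as a command-line argument.
# Assumption: values keys match the page's --set flags
# (castai.apiKey, castai.clusterID, structuredConfig.provider).

# Returns 0 for a provider the chart knows (aks, eks, gke) or the empty
# string, which the page says to use for any other provider; 1 otherwise.
kvisor_provider_ok() {
  case "$1" in
    ""|aks|eks|gke) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints a minimal values file. Arguments: api_key cluster_id provider.
kvisor_render_values() {
  printf 'castai:\n  apiKey: "%s"\n  clusterID: "%s"\n' "$1" "$2"
  printf 'structuredConfig:\n  provider: "%s"\n' "$3"
}

# Runs the install when invoked as `./kvisor-install.sh install`, reading
# CASTAI_API_KEY, CASTAI_CLUSTER_ID and CASTAI_PROVIDER (hypothetical
# variable names chosen for this example) from the environment.
if [ "${1:-}" = "install" ]; then
  : "${CASTAI_API_KEY:?set CASTAI_API_KEY to a key created in the CAST AI console}"
  : "${CASTAI_CLUSTER_ID:?set CASTAI_CLUSTER_ID to the cluster ID from the CAST AI console}"
  provider="${CASTAI_PROVIDER:-}"
  if ! kvisor_provider_ok "$provider"; then
    echo "CASTAI_PROVIDER must be aks, eks, gke or empty (got '$provider')" >&2
    exit 1
  fi
  values_file="$(mktemp)"
  trap 'rm -f "$values_file"' EXIT
  chmod 600 "$values_file"
  kvisor_render_values "$CASTAI_API_KEY" "$CASTAI_CLUSTER_ID" "$provider" > "$values_file"
  # The repo may already be registered; a failed add is harmless here and
  # any real connectivity problem surfaces in the update that follows.
  helm repo add castai-helm https://castai.github.io/helm-charts >/dev/null 2>&1 || true
  helm repo update
  helm upgrade --install castai-kvisor castai-helm/castai-kvisor -n castai-agent -f "$values_file"
fi
```

Run it as `CASTAI_API_KEY=... CASTAI_CLUSTER_ID=... CASTAI_PROVIDER=eks ./kvisor-install.sh install`. The temporary values file is removed on exit, so the key only ever exists on disk for the duration of the helm call.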

Upgrade the kvisor agent

Upgrade to the latest version:

helm repo update
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent --reuse-values

Configuring features

You can change any of the supported config values described in the kvisor Helm chart.

Increase the concurrent image scan count

helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --reuse-values --set structuredConfig.imageScan.maxConcurrentScans=6

Enable private image scanning

See the detailed guide in Images scanning.

Enable policy enforcement

helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --reuse-values --set policyEnforcement.enabled=true

Disable policy enforcement

helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --reuse-values --set policyEnforcement.enabled=false

Disable image scan

helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --reuse-values --set structuredConfig.imageScan.enabled=false

Disable kube-bench jobs

helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --reuse-values --set structuredConfig.kubeBench.enabled=false

Disable Kubernetes YAML manifest linters

helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --reuse-values --set structuredConfig.linter.enabled=false

Update resources (CPU, memory)

For large clusters, you may need to increase CPU and memory.

helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent --reuse-values \
    --set resources.requests.cpu=100m \
    --set resources.requests.memory=2Gi \
    --set resources.limits.memory=2Gi

To check all applied configurations:

helm get values castai-kvisor -n castai-agent

Troubleshooting

Check kvisor logs

kubectl logs -l app.kubernetes.io/name=castai-kvisor -n castai-agent