Kvisor security agent

Check how to configure and upgrade the CAST AI Kvisor security component.

Kvisor is an open-source agent that scans container images for vulnerabilities, lints Kubernetes YAML manifests, and checks your cluster against CIS benchmark recommendations. The source code is available on GitHub.

Kvisor uses the same permission set as the CAST AI agent. For more details, refer to the Security section.

Install kvisor using the CAST AI console UI

See Getting started to connect your cluster to CAST AI with the 'Deeper Security insights' option enabled; this installs kvisor alongside the agent.

Install with Terraform

The CAST AI Terraform modules for GKE, EKS, and AKS accept the install_security_agent input variable; set it to true to deploy kvisor together with the agent.

module "castai-eks-cluster" {
  // ...
  install_security_agent = true
}

See the EKS module example.

Install with Helm

Add the CAST AI Helm charts repository and refresh the index.

helm repo add castai-helm https://castai.github.io/helm-charts
helm repo update

You can list all available components and versions.

helm search repo castai-helm

Example output (chart and app versions will differ over time):

NAME                                    CHART VERSION   APP VERSION     DESCRIPTION
castai-helm/castai-agent                0.18.0          v0.23.0         CAST AI agent deployment chart.
castai-helm/castai-cluster-controller   0.17.0          v0.14.0         CAST AI cluster controller deployment chart.
castai-helm/castai-evictor              0.10.0          0.5.1           Cluster utilization defragmentation tool
castai-helm/castai-spot-handler         0.3.0           v0.3.0          CAST AI spot handler daemonset chart.
castai-helm/castai-kvisor               0.16.9          v0.20.3         CAST AI security agent deployment chart.

Now, let's install it.

helm upgrade --install castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --set castai.apiKey=<your-api-token> \
  --set castai.clusterID=<your-cluster-id> \
  --set controller.extraArgs.kube-linter-enabled=true \
  --set controller.extraArgs.image-scan-enabled=true \
  --set controller.extraArgs.kube-bench-enabled=true \
  --set controller.extraArgs.cloud-provider=<aks|eks|gke>

Please note that:

  1. For controller.extraArgs.cloud-provider, pass your Kubernetes provider, or leave it empty if the cluster is not on AKS, EKS, or GKE.
  2. You can create an API key in the CAST AI console UI. Treat it as a secret: a value passed with --set ends up in your shell history and in the Helm release secret, so prefer reading it from an environment variable or a values file with restricted permissions.
  3. You can find your cluster ID in the CAST AI console UI.

Upgrade the kvisor agent

If kvisor is already installed and you only want to move to the latest chart version, run helm upgrade with --reset-then-reuse-values (Helm 3.14 or newer). The flag resets values to the new chart's defaults and then re-applies the values stored with the release, so your existing clusterID and apiKey are kept without being typed again.

helm repo update castai-helm
helm upgrade --install castai-kvisor castai-helm/castai-kvisor -n castai-agent --reset-then-reuse-values
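The install and upgrade steps above as one wrapper script, added here as an example and not CAST AI's own tooling. It assumes the chart values used on this page (castai.apiKey, castai.clusterID, controller.extraArgs.*), that CAST AI cluster IDs are UUIDs, and that the operator supplies inputs through the environment variables CASTAI_API_KEY, CASTAI_CLUSTER_ID and CLOUD_PROVIDER (these names are the example's own). The API key is read from the environment so it never appears on the command line, the cloud provider is checked against the allow-list from note 1, and the script waits for the controller pod before reporting success.

```shell
#!/bin/sh
# Added example: install or upgrade the castai-kvisor Helm release with input
# validation. Not CAST AI's own tooling. Assumes the chart values used on this
# page (castai.apiKey, castai.clusterID, controller.extraArgs.*) and that CAST AI
# cluster IDs are UUIDs. Inputs come from the environment (example's own names):
#   CASTAI_API_KEY, CASTAI_CLUSTER_ID, CLOUD_PROVIDER (aks|eks|gke or empty)
# Run with:  sh kvisor_helm.sh apply        (REINSTALL=1 for the v0 -> v1 path)
set -eu

RELEASE=castai-kvisor
CHART=castai-helm/castai-kvisor
NAMESPACE=castai-agent
SELECTOR=app.kubernetes.io/name=castai-kvisor-controller

# kube-bench only knows these providers; anything else must be left empty.
validate_cloud_provider() {
  case "$1" in
    ""|aks|eks|gke) return 0 ;;
    *) echo "unsupported cloud provider '$1' (use aks, eks, gke or empty)" >&2; return 1 ;;
  esac
}

# Catches copy/paste mistakes before a release with a bogus clusterID is created.
validate_cluster_id() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Print the --set flags for a fresh install, one per line: $1 api key, $2 cluster
# ID, $3 cloud provider. cloud-provider is omitted when empty, matching note 1 on
# this page. Fails closed on bad input instead of relying on set -e.
install_flags() {
  validate_cloud_provider "$3" || return 1
  validate_cluster_id "$2" || { echo "clusterID '$2' is not a UUID" >&2; return 1; }
  printf '%s\n' \
    --set "castai.apiKey=$1" \
    --set "castai.clusterID=$2" \
    --set controller.extraArgs.kube-linter-enabled=true \
    --set controller.extraArgs.image-scan-enabled=true \
    --set controller.extraArgs.kube-bench-enabled=true
  [ -n "$3" ] && printf '%s\n' --set "controller.extraArgs.cloud-provider=$3"
  return 0
}

main() {
  # ${VAR:?} aborts with a message if unset, so the key is never typed inline.
  : "${CASTAI_API_KEY:?export CASTAI_API_KEY (not on the command line)}"
  : "${CASTAI_CLUSTER_ID:?export CASTAI_CLUSTER_ID}"
  helm repo add castai-helm https://castai.github.io/helm-charts >/dev/null 2>&1 || true
  helm repo update castai-helm

  if [ "${REINSTALL:-0}" != 1 ] && helm status "$RELEASE" -n "$NAMESPACE" >/dev/null 2>&1; then
    # Existing release: pick up the new chart, keep the stored apiKey/clusterID.
    helm upgrade --install "$RELEASE" "$CHART" -n "$NAMESPACE" --reset-then-reuse-values
  else
    # Fresh install or v0 -> v1 reinstall: every value must be passed again.
    flags=$(install_flags "$CASTAI_API_KEY" "$CASTAI_CLUSTER_ID" "${CLOUD_PROVIDER:-}")
    set -- upgrade --install "$RELEASE" "$CHART" -n "$NAMESPACE"
    for arg in $flags; do set -- "$@" "$arg"; done   # values contain no whitespace
    helm "$@"
  fi

  # Do not declare success until the controller pod is actually Ready.
  kubectl wait -n "$NAMESPACE" -l "$SELECTOR" --for=condition=Ready pod --timeout=180s
}

if [ "${1:-}" = apply ]; then main; fi
```

Invoke it as `CASTAI_API_KEY=... CASTAI_CLUSTER_ID=... CLOUD_PROVIDER=eks sh kvisor_helm.sh apply`; a second run on a cluster that already has the release takes the --reset-then-reuse-values path, and REINSTALL=1 forces the full --set path used for the v0 to v1 move.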

Upgrading from v0.x.x to v1.x.x

The kvisor v1 Helm chart contains breaking changes, so the release has to be reinstalled from scratch rather than upgraded in place.

First, get the current kvisor values and note your clusterID, apiKey and kube-bench cloud provider. The output prints the API key in plaintext, so treat it as sensitive.

helm get values castai-kvisor -n castai-agent

Now reinstall it. Replace <your-api-token>, <your-cluster-id> and <aks|eks|gke> with the values you noted. Because this command does not pass --reuse-values, Helm applies only the chart defaults plus these --set flags: any other customizations from the old release (custom image, resources, scan concurrency) must be passed again.

helm repo update castai-helm

helm upgrade --install castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --set castai.apiKey=<your-api-token> \
  --set castai.clusterID=<your-cluster-id> \
  --set controller.extraArgs.kube-linter-enabled=true \
  --set controller.extraArgs.image-scan-enabled=true \
  --set controller.extraArgs.kube-bench-enabled=true \
  --set controller.extraArgs.cloud-provider=<aks|eks|gke>

Configuring features

You can change any of the supported configuration values described in the kvisor Helm chart.

Set custom image

You can re-tag the us-docker.pkg.dev/castai-hub/library/kvisor image into a private registry and configure the kvisor Helm chart to use it. Pin image.tag to a specific release rather than a floating tag, so that what runs in the cluster is the image you mirrored and reviewed.

Setting an image pull secret is optional if you use a managed cloud provider registry or the image is kept public.

helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --reset-then-reuse-values \
  --set image.repository=my-kvisor-repository \
  --set image.tag=my-tag \
  --set 'imagePullSecrets[0].name=my-pull-secret'
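The mirroring step above with a digest check, added here as an example and not CAST AI tooling. It uses crane from go-containerregistry, which copies manifests byte-for-byte so the digest of the mirror can be compared with the source; `docker pull`/`docker push` would re-create a single-platform manifest and break that comparison. The registry prefix registry.example.com/mirrors, the pull secret name my-pull-secret and the tag are placeholders you replace.

```shell
#!/bin/sh
# Added example: mirror the kvisor image into a private registry, verify the copy
# by digest, then point the chart at it. Not CAST AI tooling. Uses crane
# (go-containerregistry). MIRROR_PREFIX, the tag and the pull secret name are
# placeholders (assumptions) you replace with your own values.
set -eu

SRC_REPO=us-docker.pkg.dev/castai-hub/library/kvisor
MIRROR_PREFIX=${MIRROR_PREFIX:-registry.example.com/mirrors}   # placeholder
TAG=${TAG:-v0.20.3}   # pin a release tag (APP VERSION column above), never "latest"

# Last path component of a repository reference: .../library/kvisor -> kvisor
image_name() { printf '%s\n' "${1##*/}"; }

# Destination repository for a mirrored image: $1 source repo, $2 mirror prefix.
mirror_repo() { printf '%s/%s\n' "$2" "$(image_name "$1")"; }

# A registry digest must look like sha256:<64 hex>; anything else is a tooling error.
valid_digest() { printf '%s' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'; }

# The mirror only counts if source and destination resolve to the same manifest.
digests_match() { valid_digest "$1" && valid_digest "$2" && [ "$1" = "$2" ]; }

mirror_and_verify() {
  src="$SRC_REPO:$TAG"
  dst_repo=$(mirror_repo "$SRC_REPO" "$MIRROR_PREFIX")
  dst="$dst_repo:$TAG"
  want=$(crane digest "$src")          # record the upstream digest before copying
  crane copy "$src" "$dst"
  got=$(crane digest "$dst")
  if ! digests_match "$want" "$got"; then
    echo "digest mismatch: source $want, mirror $got" >&2
    return 1
  fi
  echo "mirrored $src -> $dst ($got)"
  helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
    --reset-then-reuse-values \
    --set image.repository="$dst_repo" \
    --set image.tag="$TAG" \
    --set 'imagePullSecrets[0].name=my-pull-secret'
}

if [ "${1:-}" = run ]; then mirror_and_verify; fi
```

Run it as `MIRROR_PREFIX=registry.example.com/mirrors TAG=v0.20.3 sh mirror_kvisor.sh run`; keep the printed digest with your change record so a later `crane digest` against the mirror can confirm nothing was overwritten under the same tag.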

Increase concurrent image scans count

helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --reset-then-reuse-values --set controller.extraArgs.image-concurrent-scans=6

Enable private image scan

See the detailed guide in Image scanning.

Update resources (CPU, memory)

For large clusters, or after raising the concurrent scan count, you may need to increase the controller's CPU and memory.

helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent --reset-then-reuse-values \
    --set controller.resources.requests.cpu=100m \
    --set controller.resources.requests.memory=2Gi \
    --set controller.resources.limits.memory=2Gi

To review the values currently applied to the release (the output includes castai.apiKey in plaintext, so treat it as sensitive):

helm get values castai-kvisor -n castai-agent

Troubleshooting

Check kvisor controller logs

kubectl logs -l app.kubernetes.io/name=castai-kvisor-controller -n castai-agent
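A first-pass triage script that builds on the log command above, added here as an example and not CAST AI tooling. It flags controller pods that are not Ready, not Running, or have restarted, lists recent Warning events in the namespace, and counts error-level log lines. The pod-table parsing follows the standard `kubectl get pods` columns; the logfmt/JSON `level` field it greps for is an assumption about kvisor's log format, so adjust the pattern to what you actually see.

```shell
#!/bin/sh
# Added example: first-pass health triage for the kvisor controller. Not CAST AI
# tooling. The pod-table parsing uses standard kubectl columns; the log pattern
# assumes a logfmt or JSON "level" field (adjust to kvisor's real format).
set -eu

NAMESPACE=castai-agent
SELECTOR=app.kubernetes.io/name=castai-kvisor-controller

# Reads `kubectl get pods --no-headers` lines (NAME READY STATUS RESTARTS AGE) on
# stdin and prints every pod that is not fully ready, not Running, or has restarted.
# RESTARTS may look like "5 (2m ago)"; "$4 + 0" keeps just the count.
unhealthy_pods() {
  awk '{
    split($2, ready, "/")
    restarts = $4 + 0
    if (ready[1] != ready[2] || $3 != "Running" || restarts > 0)
      printf "%s ready=%s status=%s restarts=%d\n", $1, $2, $3, restarts
  }'
}

# Counts error-level log lines on stdin (logfmt or JSON); prints 0 when none.
count_log_errors() {
  grep -ciE 'level=error|"level":"error"' || true
}

triage() {
  echo "== controller pods that are not healthy"
  kubectl get pods -n "$NAMESPACE" -l "$SELECTOR" --no-headers | unhealthy_pods
  echo "== recent Warning events in $NAMESPACE"
  kubectl get events -n "$NAMESPACE" --field-selector type=Warning --sort-by=.lastTimestamp | tail -n 20
  echo "== error-level lines in the last 500 controller log lines"
  kubectl logs -n "$NAMESPACE" -l "$SELECTOR" --tail=500 | count_log_errors
  # For a crash-looping pod the useful output is in the previous container:
  #   kubectl logs -n "$NAMESPACE" -l "$SELECTOR" --previous
}

if [ "${1:-}" = run ]; then triage; fi
```

Run it with `sh kvisor_triage.sh run`. A pod stuck at 0/1 with a growing restart count together with image pull errors in the log usually points at registry access (wrong image.repository or a missing pull secret) rather than at kvisor itself.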
