Kvisor is responsible for image vulnerability scanning, Kubernetes YAML manifest linting and CIS security recommendations.
It's open source and can be found on GitHub.

Install kvisor using Console UI

See the Getting started guide to connect your cluster to CAST AI with 'Deeper Security insights' enabled.

Install with Terraform

The CAST AI Terraform modules for gke, eks and aks support the install_security_agent=true variable.

See eks module example.

Install with Helm

Add the CAST AI Helm charts repository.

helm repo add castai-helm https://castai.github.io/helm-charts
helm repo update

You can list all available components and versions.

helm search repo castai-helm

Expected example output

NAME                                    CHART VERSION   APP VERSION     DESCRIPTION
castai-helm/castai-agent                0.18.0          v0.23.0         CAST AI agent deployment chart.
castai-helm/castai-cluster-controller   0.17.0          v0.14.0         CAST AI cluster controller deployment chart.
castai-helm/castai-evictor              0.10.0          0.5.1           Cluster utilization defragmentation tool
castai-helm/castai-spot-handler         0.3.0           v0.3.0          CAST AI spot handler daemonset chart.
castai-helm/castai-kvisor               0.16.9          v0.20.3         CAST AI security agent deployment chart.

Now let's install it.

helm upgrade --install castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --set castai.apiKey=<your-api-token> \
  --set castai.clusterID=<your-cluster-id> \
  --set structuredConfig.provider=<aks|eks|gke>

!!! note ""
For structuredConfig.provider, pass your Kubernetes provider, or leave it empty if it is none of aks, eks or gke.

!!! note ""
You can create an API key via the CAST AI console UI.

!!! note ""
You can find your cluster ID in the CAST AI console UI.
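
The install command above passes the API key with --set, which places it in helm's argument list and, when typed literally, in shell history. The following added example (not part of the kvisor project or the original page) writes the same three values to an owner-only values file instead. The helper names write_kvisor_values and yaml_quote, the CASTAI_API_KEY and CLUSTER_ID variables, and the file name are assumptions.

```shell
#!/bin/sh
# Added example: supply castai.apiKey through a 0600 values file rather than --set.
# write_kvisor_values and yaml_quote are hypothetical helper names.

# YAML single-quoted scalars escape ' by doubling it.
# The value travels over stdin, so it never appears in another process's argv.
yaml_quote() { printf '%s' "$1" | sed "s/'/''/g"; }

# Usage: write_kvisor_values <file> <api-key> <cluster-id> [aks|eks|gke]
write_kvisor_values() {
  file=$1 api_key=$2 cluster_id=$3 provider=${4:-}

  if [ -z "$file" ] || [ -z "$api_key" ] || [ -z "$cluster_id" ]; then
    echo "file, API key and cluster ID are required" >&2
    return 2
  fi

  # The page allows aks, eks or gke, or empty for any other provider.
  case $provider in
    aks|eks|gke|"") ;;
    *) echo "unsupported provider: $provider" >&2; return 2 ;;
  esac

  (
    umask 077        # new file is created owner-only (0600)
    rm -f "$file"    # a pre-existing file would keep its old, possibly looser, mode
    {
      printf "castai:\n"
      printf "  apiKey: '%s'\n" "$(yaml_quote "$api_key")"
      printf "  clusterID: '%s'\n" "$(yaml_quote "$cluster_id")"
      printf "structuredConfig:\n"
      printf "  provider: '%s'\n" "$provider"
    } > "$file"
  )
}

# Intended use (CASTAI_API_KEY and CLUSTER_ID are assumed environment variables):
#   write_kvisor_values ./kvisor-values.yaml "$CASTAI_API_KEY" "$CLUSTER_ID" eks
#   helm upgrade --install castai-kvisor castai-helm/castai-kvisor -n castai-agent \
#     -f ./kvisor-values.yaml
#   rm -f ./kvisor-values.yaml
```

Later upgrades that use --reuse-values, as shown on this page, do not need the file again.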

Upgrade kvisor

Upgrade to the latest version.

helm repo update
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent --reuse-values

Configuring features

You can change any of the supported config values described in the kvisor Helm chart.

To increase the number of concurrent image scans:

helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --reuse-values --set structuredConfig.imageScan.maxConcurrentScans=6

To disable image scanning:

helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --reuse-values --set structuredConfig.imageScan.enabled=false

To disable kube bench jobs:

helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --reuse-values --set structuredConfig.kubeBench.enabled=false

To disable the Kubernetes YAML manifest linters:

helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --reuse-values --set structuredConfig.linter.enabled=false

To check all applied configurations:

helm get values castai-kvisor -n castai-agent

Troubleshooting

Check kvisor logs

kubectl logs -l app.kubernetes.io/name=castai-kvisor -n castai-agent