Kvisor security agent

Check how to configure and upgrade the CAST AI Kvisor security component.

Kvisor is an open-source agent that enables the scanning of container images for vulnerabilities, linting Kubernetes YAML manifests, and alignment with CIS (Center for Internet Security) security recommendations. It is designed to enhance the security posture of your Kubernetes clusters and provide deeper insights into potential security risks.

It's open source, and you can find it on GitHub.

Kvisor uses the same permission set as the CAST AI agent. Please refer to the Kubernetes permissions section for more details.

Installation

Kvisor can be easily installed using various methods, including the CAST AI console UI, Terraform, or Helm.

Install using the CAST AI console UI

Please see the Getting started guide to connect your cluster to CAST AI and enable the Security feature set.

Install using Terraform

CAST AI Terraform modules for GKE, EKS, and AKS support the install_security_agent module input variable. To enable Kvisor installation, set it to true:

module "castai-eks-cluster" {
  // ...
  install_security_agent = true
}

See the EKS module example.

Install using Helm

Add the CAST AI Helm charts repository:

helm repo add castai-helm https://castai.github.io/helm-charts
helm repo update

You can list all available components and versions:

helm search repo castai-helm

An expected example output:

NAME                                    CHART VERSION   APP VERSION     DESCRIPTION
castai-helm/castai-agent                0.18.0          v0.23.0         CAST AI agent deployment chart.
castai-helm/castai-cluster-controller   0.17.0          v0.14.0         CAST AI cluster controller deployment chart.
castai-helm/castai-evictor              0.10.0          0.5.1           Cluster utilization defragmentation tool
castai-helm/castai-spot-handler         0.3.0           v0.3.0          CAST AI spot handler daemonset chart.
castai-helm/castai-kvisor               0.16.9          v0.20.3         CAST AI security agent deployment chart.

Now, let's install the Kvisor security agent.

helm upgrade --install castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --set castai.apiKey=<your-api-token> \
  --set castai.clusterID=<your-cluster-id> \
  --set controller.extraArgs.kube-linter-enabled=true \
  --set controller.extraArgs.image-scan-enabled=true \
  --set controller.extraArgs.kube-bench-enabled=true \
  --set controller.extraArgs.cloud-provider=<aks|eks|gke>

Please note that:

  1. Replace <your-api-token> with your CAST AI API token, which can be created in the CAST AI console UI.
  2. Replace <your-cluster-id> with the ID of your cluster, which can be found in the CAST AI console UI.
  3. Set controller.extraArgs.cloud-provider to your Kubernetes provider (aks, eks, or gke), or leave it empty if you run on a provider other than AKS, EKS, or GKE.
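A small wrapper around the install command above, added here as an example and not part of the CAST AI documentation or the Kvisor chart: it reads the API token from a file with Helm's --set-file so the secret does not land in shell history or in the helm process's argv, validates the cloud-provider value against what the chart accepts, and lets an assumed KVISOR_HELM variable be pointed at echo for a dry run. The token file path and the cluster ID are supplied by the caller.

```shell
#!/bin/sh
# Added example, not part of the CAST AI docs or the Kvisor chart. Wraps the
# "helm upgrade --install" from the Installation section so that:
#   - the API token is read from a file with --set-file (kept out of shell
#     history and of the helm process's argv),
#   - the cloud-provider value is checked against the values the chart expects,
#   - KVISOR_HELM (assumed name) can be set to "echo" for a dry run.
# The token file must hold only the token, without a trailing newline
# (e.g. printf '%s' "$TOKEN" > token.txt), because --set-file passes the
# file content verbatim.

KVISOR_HELM="${KVISOR_HELM:-helm}"

# Returns 0 for aks, eks, gke or an empty value (the "leave it empty" case
# from the notes above), 1 for anything else.
kvisor_validate_provider() {
  case "$1" in
    ""|aks|eks|gke) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: kvisor_install <token-file> <cluster-id> [aks|eks|gke]
# Returns 2 on bad input without invoking helm at all.
kvisor_install() {
  token_file="$1"; cluster_id="$2"; provider="${3:-}"
  if [ ! -r "$token_file" ]; then
    echo "token file '$token_file' is not readable" >&2; return 2
  fi
  if [ -z "$cluster_id" ]; then
    echo "cluster ID must not be empty" >&2; return 2
  fi
  if ! kvisor_validate_provider "$provider"; then
    echo "cloud provider must be aks, eks, gke or empty (got '$provider')" >&2; return 2
  fi
  "$KVISOR_HELM" upgrade --install castai-kvisor castai-helm/castai-kvisor -n castai-agent \
    --set-file "castai.apiKey=$token_file" \
    --set "castai.clusterID=$cluster_id" \
    --set controller.extraArgs.kube-linter-enabled=true \
    --set controller.extraArgs.image-scan-enabled=true \
    --set controller.extraArgs.kube-bench-enabled=true \
    --set "controller.extraArgs.cloud-provider=$provider"
}

# Dry run after sourcing this file:
#   KVISOR_HELM=echo kvisor_install ./token.txt <your-cluster-id> eks
```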

Upgrade the Kvisor agent

If you have an existing Kvisor agent running and only want to upgrade to the latest version, you can run helm upgrade with --reset-then-reuse-values. With this flag, Helm resets values to the chart defaults and then reapplies your existing release values, so your clusterID and apiKey are reused.

helm repo update castai-helm
helm upgrade --install castai-kvisor castai-helm/castai-kvisor -n castai-agent --reset-then-reuse-values

Upgrading from v0.x.x to v1.x.x

The Kvisor v1 Helm chart contains some breaking changes; you need to reinstall it from scratch. Follow these steps:

  1. Get the current Kvisor values and note down your clusterID, apiKey, and kube-bench provider:

helm get values castai-kvisor -n castai-agent

  2. Reinstall Kvisor, replacing <your-api-token>, <your-cluster-id> and <aks|eks|gke> with your actual values:

helm repo update castai-helm

helm upgrade --install castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --set castai.apiKey=<your-api-token> \
  --set castai.clusterID=<your-cluster-id> \
  --set controller.extraArgs.kube-linter-enabled=true \
  --set controller.extraArgs.image-scan-enabled=true \
  --set controller.extraArgs.kube-bench-enabled=true \
  --set controller.extraArgs.cloud-provider=<aks|eks|gke>

Configuring features

Kvisor provides various configuration options to customize its behavior. Change any supported config values described in the kvisor Helm chart.

Set custom image

You can re-tag the us-docker.pkg.dev/castai-hub/library/kvisor image into a private registry and configure the Kvisor Helm chart to use it. Setting an image pull secret is optional if you use managed cloud provider registries or if the image is kept public.

helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --reset-then-reuse-values \
  --set image.repository=my-kvisor-repository \
  --set image.tag=my-tag \
  --set 'imagePullSecrets[0].name=my-pull-secret'

Increase concurrent image scan count

To increase the number of concurrent image scans, use the following command:

helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --reset-then-reuse-values --set controller.extraArgs.image-concurrent-scans=6

Enable private image scan

For detailed instructions on enabling private image scanning, refer to Private image scanning.

Update resources (CPU, memory)

For large clusters, you may need to increase the CPU and memory resources allocated to Kvisor:

helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent --reset-then-reuse-values \
    --set controller.resources.requests.cpu=100m \
    --set controller.resources.requests.memory=2Gi \
    --set controller.resources.limits.memory=2Gi

Troubleshooting

Check the Kvisor controller logs:

kubectl logs -l app.kubernetes.io/name=castai-kvisor-controller -n castai-agent

Check all applied configurations:

helm get values castai-kvisor -n castai-agent