kvisor
Kvisor is responsible for image vulnerability scanning, Kubernetes YAML manifest linting and CIS security recommendations.
It's open source and can be found on GitHub.
Install kvisor using Console UI
See the Getting started guide to connect your cluster to CAST AI with 'Deeper Security insights' enabled.
Install with Terraform
CAST AI Terraform modules for gke, eks and aks support the install_security_agent=true variable.
See eks module example.
Install with Helm
Add the CAST AI Helm charts repository.
helm repo add castai-helm https://castai.github.io/helm-charts
helm repo update
You can list all available components and versions.
helm search repo castai-helm
Expected example output
NAME                                   CHART VERSION  APP VERSION  DESCRIPTION
castai-helm/castai-agent               0.18.0         v0.23.0      CAST AI agent deployment chart.
castai-helm/castai-cluster-controller  0.17.0         v0.14.0      CAST AI cluster controller deployment chart.
castai-helm/castai-evictor             0.10.0         0.5.1        Cluster utilization defragmentation tool
castai-helm/castai-spot-handler        0.3.0          v0.3.0       CAST AI spot handler daemonset chart.
castai-helm/castai-kvisor              0.16.9         v0.20.3      CAST AI security agent deployment chart.
Now let's install it.
helm upgrade --install castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--set castai.apiKey=<your-api-token> \
--set castai.clusterID=<your-cluster-id> \
--set structuredConfig.provider=<aks|eks|gke>
!!! note ""
For structuredConfig.provider you should pass your Kubernetes provider, or leave it empty if it's none of aks, eks or gke.
!!! note ""
You can create an API key via the CAST AI console UI.
!!! note ""
You can find your cluster ID in the CAST AI console UI.
Upgrade kvisor
Upgrade to the latest version.
helm repo update
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent --reuse-values
Configuring features
You can change any of the supported config values described in the kvisor Helm chart.
To increase the concurrent image scan count:
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reuse-values --set structuredConfig.imageScan.maxConcurrentScans=6
To disable image scanning:
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reuse-values --set structuredConfig.imageScan.enabled=false
To disable kube bench jobs:
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reuse-values --set structuredConfig.kubeBench.enabled=false
To disable Kubernetes YAML manifest linters:
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reuse-values --set structuredConfig.linter.enabled=false
To check all applied configurations:
helm get values castai-kvisor -n castai-agent
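Because --reuse-values carries earlier overrides into every upgrade, a scanner that was disabled once stays disabled until it is set back. The shell function below is an added example, not part of the CAST AI docs or the kvisor project: it reads helm get values output and lists the features explicitly set to enabled: false. The sample values are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the kvisor project.
# Real use: helm get values castai-kvisor -n castai-agent | kvisor_disabled_features
# Assumes the plain nested-map YAML that --set overrides produce
# (two-space indentation, no lists or multi-line strings).

kvisor_disabled_features() {
  awk '
    /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
    /^USER-SUPPLIED VALUES:/ { next }     # header line printed by helm
    {
      body = $0
      sub(/^ +/, "", body)                # drop indentation
      depth = (length($0) - length(body)) / 2
      sep = index(body, ":")
      if (sep == 0) next
      key = substr(body, 1, sep - 1)
      val = substr(body, sep + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      gsub(/^"|"$/, "", val)              # tolerate quoted scalars
      path[depth] = key                   # remember the key at this nesting level
      # A leaf structuredConfig.<feature>.enabled: false is a disabled feature.
      if (depth == 2 && path[0] == "structuredConfig" &&
          key == "enabled" && val == "false")
        print path[1]
    }
  '
}

# Constructed sample of helm get values output (placeholder key and cluster ID).
constructed_sample_values() {
  cat <<'EOF'
USER-SUPPLIED VALUES:
castai:
  apiKey: CONSTRUCTED-PLACEHOLDER
  clusterID: 00000000-0000-0000-0000-000000000000
structuredConfig:
  imageScan:
    enabled: false
    maxConcurrentScans: 6
  kubeBench:
    enabled: false
  linter:
    enabled: true
  provider: gke
EOF
}

constructed_sample_values | kvisor_disabled_features
```

Features that do not appear in the values output have no override and follow the chart defaults, so this reports only explicit opt-outs.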
Troubleshooting
Check kvisor logs
kubectl logs -l app.kubernetes.io/name=castai-kvisor -n castai-agent