Configuring Kvisor features
This guide explains how to configure various features of the Kvisor security agent to enhance your Kubernetes security posture. Kvisor provides several specialized monitoring and scanning capabilities that can be enabled and customized according to your needs.
Configuration overview
Kvisor supports multiple configuration options that can be set via Helm during installation or upgrade. The basic format for enabling or modifying a feature is shown below. The --reset-then-reuse-values flag (Helm 3.14 or newer) resets to the chart's current defaults and then re-applies the values you supplied on the previous release, so you only need to pass the settings you are changing:
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reset-then-reuse-values \
--set [configuration-option]=[value]
All supported configuration values are found in the Kvisor Helm chart values.yaml.
Image scanning configuration
Use a custom image
You can configure Kvisor to use a custom image from your private registry:
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reset-then-reuse-values \
--set image.repository=my-kvisor-repository \
--set image.tag=my-tag \
--set 'imagePullSecrets[0].name=my-pull-secret'
Increase concurrent image scan count
To improve scanning performance for environments with many images:
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reset-then-reuse-values \
--set controller.extraArgs.image-concurrent-scans=6
Private image scanning
For detailed instructions on configuring private image scanning, refer to the dedicated Private Image Scanning documentation.
Excluding Namespaces from Scanning
You may want to exclude specific namespaces from image scanning, for example namespaces that run third-party monitoring tools or systems that manage their own security. Images in an excluded namespace are not scanned at all, so only exclude namespaces whose images are covered by another scanner.

Helm's --set flag splits values on commas, so a comma inside the namespace list must be escaped with a backslash; without the escape Helm rejects the command with an error that the second name is a key with no value. To configure namespace exclusions:
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reset-then-reuse-values \
--set controller.extraArgs.image-scan-ignored-namespaces=namespace1\,namespace2
For example, to exclude the Dynatrace namespace from scanning:
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reset-then-reuse-values \
--set controller.extraArgs.image-scan-ignored-namespaces=dynatrace
You can specify multiple namespaces by separating them with escaped commas (namespace1\,namespace2). The new value replaces the previous list rather than adding to it, so pass the complete set of namespaces every time you change it.
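The following is an added helper script, not part of the Kvisor documentation or chart, that builds the --set argument for the namespace exclusion list so that Helm receives the comma-separated value intact. It joins the names with an escaped comma and rejects names that are not syntactically valid Kubernetes namespace names; such names can never match a real namespace, so the exclusion would otherwise silently do nothing. The flag and release names are the ones used on this page; the function names are the script's own.

```shell
#!/bin/sh
# Added example, not part of the Kvisor docs or chart: build the --set argument
# for image-scan-ignored-namespaces so that Helm receives the comma-separated
# list intact. Helm's --set splits on unescaped commas, so the names must be
# joined with "\,". Names that are not syntactically valid namespace names
# (uppercase, underscores, leading or trailing dashes) are rejected up front,
# because they can never match a real namespace and the exclusion would
# silently do nothing. Flag and release names are those used on this page.

# Return 0 if $1 is a syntactically valid namespace name (RFC 1123 label).
valid_namespace() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$'
}

# Print "controller.extraArgs.image-scan-ignored-namespaces=a\,b\,c".
# Return 1 on an invalid or missing name so the upgrade aborts instead of
# running with an exclusion list that does not do what was intended.
ignored_namespaces_set() {
  [ "$#" -gt 0 ] || { echo "no namespaces given" >&2; return 1; }
  out=""
  for ns in "$@"; do
    if ! valid_namespace "$ns"; then
      echo "invalid namespace name: $ns" >&2
      return 1
    fi
    # "\\," inside double quotes yields a literal backslash-comma for Helm.
    if [ -n "$out" ]; then out="$out\\,$ns"; else out="$ns"; fi
  done
  printf 'controller.extraArgs.image-scan-ignored-namespaces=%s\n' "$out"
}

# Usage against a real cluster (kept as a comment so the script runs offline):
# helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
#   --reset-then-reuse-values \
#   --set "$(ignored_namespaces_set dynatrace datadog)"
```

The syntax check cannot catch a well-formed typo such as a missing letter, so run kubectl get namespace for each name before the upgrade; a valid but non-existent name is accepted by Kvisor and simply excludes nothing.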
Network traffic monitoring
Kvisor can collect Kubernetes network flows using eBPF. This feature provides visibility into pod-to-pod and pod-to-external communications, which is valuable for security analysis and network optimization.
To enable network traffic monitoring:
helm upgrade --install castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reset-then-reuse-values \
--set castai.apiKey=<your-api-token> \
--set castai.clusterID=<your-cluster-id> \
--set agent.enabled=true \
--set agent.extraArgs.netflow-enabled=true
Note
If you have the egressd component running, uninstall it before enabling network traffic monitoring in Kvisor. helm uninstall takes the Helm release name, not the chart reference castai-helm/egressd; find the release with helm list -n castai-agent and then run:
helm uninstall <egressd-release-name> -n castai-agent
Resource statistics monitoring
Kvisor can collect detailed resource usage statistics from containers and nodes, including CPU, Memory, I/O usage, and PSI (Pressure Stall Information) metrics. This data can help identify performance bottlenecks and resource contention.
To enable resource statistics collection:
helm upgrade --install castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reset-then-reuse-values \
--set castai.apiKey=<your-api-token> \
--set castai.clusterID=<your-cluster-id> \
--set agent.enabled=true \
--set agent.extraArgs.stats-enabled=true
Runtime security monitoring
Runtime Security monitoring enables real-time detection of anomalous activities in your cluster. This feature requires installing the Kvisor agent as a DaemonSet on all nodes.
To enable runtime security:
helm upgrade --install castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reset-then-reuse-values \
--set castai.apiKey=<your-api-token> \
--set castai.clusterID=<your-cluster-id> \
--set agent.enabled=true \
--set agent.extraArgs.ebpf-events-enabled=true \
--set agent.extraArgs.file-hash-enricher-enabled=true
For detailed information on runtime security, refer to the Runtime Security documentation.
Resource configuration
For large clusters or environments with intensive monitoring requirements, you may need to increase the resources allocated to Kvisor:
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reset-then-reuse-values \
--set controller.resources.requests.cpu=100m \
--set controller.resources.requests.memory=2Gi \
--set controller.resources.limits.memory=2Gi
Adjust these values based on your specific cluster size and monitoring needs.
Combine multiple features
You can enable multiple features in a single Helm command:
helm upgrade --install castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reset-then-reuse-values \
--set castai.apiKey=<your-api-token> \
--set castai.clusterID=<your-cluster-id> \
--set agent.enabled=true \
--set agent.extraArgs.ebpf-events-enabled=true \
--set agent.extraArgs.file-hash-enricher-enabled=true \
--set agent.extraArgs.netflow-enabled=true \
--set agent.extraArgs.stats-enabled=true \
--set controller.extraArgs.image-concurrent-scans=6
Verify your configuration
To verify that your configuration changes have been applied correctly:
helm get values castai-kvisor -n castai-agent
This command prints the user-supplied values for the release (add --all to include the chart defaults). The output contains castai.apiKey in clear text, so treat it as sensitive and do not paste it into tickets or CI logs. A value being present in the release does not by itself prove the pods picked it up; confirm the rollout finished with kubectl rollout status deployment castai-kvisor-controller -n castai-agent and kubectl rollout status daemonset castai-kvisor-agent -n castai-agent.
Troubleshooting
If you encounter issues after changing Kvisor's configuration:
Check Controller Logs
kubectl logs -l app.kubernetes.io/name=castai-kvisor-controller -n castai-agent
Check Agent Logs
kubectl logs -l app.kubernetes.io/name=castai-kvisor-agent -n castai-agent
Restart the Pods
If configuration changes don't seem to be taking effect, you can restart the Kvisor pods:
kubectl rollout restart deployment castai-kvisor-controller -n castai-agent
kubectl rollout restart daemonset castai-kvisor-agent -n castai-agent
Next Steps
After configuring Kvisor features, you can:
- View security insights in the Security dashboard
- Explore the Vulnerabilities report to identify image security issues
- Check your compliance status in the Compliance report
- Analyze Runtime anomalies if you've enabled Runtime Security