Configuring Kvisor features
This guide explains how to configure various features of the Kvisor security agent to enhance your Kubernetes security posture. Kvisor provides several specialized monitoring and scanning capabilities that can be enabled and customized according to your needs.
Configuration overview
Kvisor supports multiple configuration options that can be set via Helm during installation or upgrade. The basic format for enabling or modifying features is:
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reset-then-reuse-values \
--set [configuration-option]=[value]
All supported configuration values are found in the Kvisor Helm chart values.yaml.
Scanning frequencies and intervals
Cast AI performs different types of security scans at various intervals. You can customize these frequencies to meet your specific requirements:
Image vulnerability scanning
Default behavior:
- Detection interval: Checks for new images every 30 seconds
- Concurrent scans: 1 image scanned at a time
- Trigger: Scans start automatically when new running images are detected
Configure image scan detection interval
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reset-then-reuse-values \
--set controller.extraArgs.image-scan-interval=60s
Configure concurrent image scans
To increase scanning throughput in environments with many images, raise the number of images scanned in parallel. Each additional concurrent scan adds CPU, memory and registry-pull load, so size the controller's resources accordingly:
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reset-then-reuse-values \
--set controller.extraArgs.image-concurrent-scans=6
Compliance checking
Default behavior:
- Scan frequency: Every 60 seconds
- Monitoring: Continuous configuration monitoring
Configure compliance scan interval
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reset-then-reuse-values \
--set controller.extraArgs.kube-linter-scan-interval=120s
Summary of scan frequencies
| Security Feature | Default Frequency | Configuration Parameter |
|---|---|---|
| Image vulnerability scanning | Every 30 seconds | controller.extraArgs.image-scan-interval |
| Compliance checks | Every 60 seconds | controller.extraArgs.kube-linter-scan-interval |
| Attack paths | Every 3 hours | Not configurable |
| Runtime anomalies | Real-time | None (event-driven) |
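The interval and concurrency flags above are passed straight through to the controller, so a malformed value (for example 60 instead of 60s) is only caught when the pod starts. The following is an added example, not code from Cast AI or the Kvisor chart: a small wrapper that validates the values locally and then runs the same helm upgrade command the page uses. It assumes, which the page does not state, that *-interval flags take Go-style duration strings (30s, 2m, 1h30m), that *-concurrent-scans takes a positive integer, and that *-ignored-namespaces (used later on this page) takes a comma-separated list of valid Kubernetes namespace names; the KVISOR_RELEASE, KVISOR_NAMESPACE, KVISOR_CHART and DRY_RUN variables are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Kvisor chart or docs: validate Kvisor --set
# values locally before handing them to helm, so a typo such as "60" instead
# of "60s" fails here rather than at controller start-up.
# Assumptions (not stated on the page): *-interval flags take Go-style
# durations (30s, 2m, 1h30m), *-concurrent-scans a positive integer, and
# *-ignored-namespaces a comma-separated list of RFC 1123 namespace names.

RELEASE="${KVISOR_RELEASE:-castai-kvisor}"
NAMESPACE="${KVISOR_NAMESPACE:-castai-agent}"
CHART="${KVISOR_CHART:-castai-helm/castai-kvisor}"

# is_duration VALUE: true if VALUE is a Go-style duration such as 30s or 1h30m
is_duration() {
  printf '%s' "$1" | grep -Eq '^([0-9]+(ns|us|ms|s|m|h))+$'
}

# is_posint VALUE: true if VALUE is a positive integer (no sign, no leading zero)
is_posint() {
  printf '%s' "$1" | grep -Eq '^[1-9][0-9]*$'
}

# is_namespace_list VALUE: true if VALUE is "ns1,ns2,..." of RFC 1123 labels
is_namespace_list() {
  case "$1" in ''|,*|*,|*,,*) return 1 ;; esac
  old_ifs=$IFS; IFS=,
  for ns in $1; do
    if ! printf '%s' "$ns" | grep -Eq '^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$'; then
      IFS=$old_ifs; return 1
    fi
  done
  IFS=$old_ifs
  return 0
}

# validate_setting KEY VALUE: true if VALUE is acceptable for the chart key KEY
validate_setting() {
  case "$1" in
    *-interval)           is_duration "$2" ;;
    *-concurrent-scans)   is_posint "$2" ;;
    *-ignored-namespaces) is_namespace_list "$2" ;;
    *.enabled|*-enabled)  [ "$2" = true ] || [ "$2" = false ] ;;
    *)                    return 0 ;;   # unknown key: leave it to helm and the chart
  esac
}

# kvisor_upgrade KEY=VALUE...: validate every pair, then run helm upgrade with
# one --set per pair. DRY_RUN=1 prints the command instead of running it.
kvisor_upgrade() {
  for kv in "$@"; do
    case "$kv" in *=*) ;; *) echo "not KEY=VALUE: $kv" >&2; return 1 ;; esac
    if ! validate_setting "${kv%%=*}" "${kv#*=}"; then
      echo "invalid value for ${kv%%=*}: '${kv#*=}'" >&2
      return 1
    fi
  done
  # Rewrite "$@" from "k=v ..." to "--set k=v ..." without using eval.
  n=$#; i=0
  while [ "$i" -lt "$n" ]; do
    set -- "$@" --set "$1"
    shift
    i=$((i + 1))
  done
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'helm upgrade %s %s -n %s --reset-then-reuse-values' "$RELEASE" "$CHART" "$NAMESPACE"
    printf ' %s' "$@"
    printf '\n'
  else
    helm upgrade "$RELEASE" "$CHART" -n "$NAMESPACE" --reset-then-reuse-values "$@"
  fi
}

# Usage:
#   DRY_RUN=1 kvisor_upgrade controller.extraArgs.image-scan-interval=60s \
#       controller.extraArgs.image-concurrent-scans=6
```

Unknown keys are passed through unchanged, so the wrapper never blocks a legitimate value it does not know about; it only rejects values that cannot be valid for the flag families it recognises.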
Image scanning configuration
Use a custom image
You can configure Kvisor to use a custom image from your private registry:
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reset-then-reuse-values \
--set image.repository=my-kvisor-repository \
--set image.tag=my-tag \
--set 'imagePullSecrets[0].name=my-pull-secret'
Private image scanning
For detailed instructions on configuring private image scanning, refer to the dedicated Private Image Scanning documentation.
Excluding namespaces from scanning
You may want to exclude specific namespaces from image scanning, particularly for third-party monitoring tools or systems that manage their own security. Images in an excluded namespace are not scanned at all, so their vulnerabilities will not appear in the Vulnerabilities report; exclude only namespaces whose images are covered by another process. To configure namespace exclusions:
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reset-then-reuse-values \
--set controller.extraArgs.image-scan-ignored-namespaces=namespace1,namespace2
For example, to exclude the Dynatrace namespace from scanning:
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reset-then-reuse-values \
--set controller.extraArgs.image-scan-ignored-namespaces=dynatrace
You can specify multiple namespaces by separating them with commas.
Network traffic monitoring
Kvisor can collect Kubernetes network flows using eBPF. This feature provides visibility into pod-to-pod and pod-to-external communications, which is valuable for security analysis and network optimization.
To enable network traffic monitoring:
helm upgrade --install castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reset-then-reuse-values \
--set castai.apiKey=<your-api-token> \
--set castai.clusterID=<your-cluster-id> \
--set agent.enabled=true \
--set agent.extraArgs.netflow-enabled=true
Note
If you have the egressd component running, uninstall it before enabling network traffic monitoring in Kvisor. helm uninstall takes the Helm release name, not the chart reference, so look up the name of the egressd release first and substitute it for the placeholder:
helm list -n castai-agent
helm uninstall <egressd-release-name> -n castai-agent
Resource statistics monitoring
Kvisor can collect detailed resource usage statistics from containers and nodes, including CPU, Memory, I/O usage, and PSI (Pressure Stall Information) metrics. This data can help identify performance bottlenecks and resource contention.
To enable resource statistics collection:
helm upgrade --install castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reset-then-reuse-values \
--set castai.apiKey=<your-api-token> \
--set castai.clusterID=<your-cluster-id> \
--set agent.enabled=true \
--set agent.extraArgs.stats-enabled=true
Runtime security monitoring
Runtime Security monitoring enables real-time detection of anomalous activities in your cluster. This feature requires installing the Kvisor agent as a DaemonSet on all nodes.
To enable runtime security:
helm upgrade --install castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reset-then-reuse-values \
--set castai.apiKey=<your-api-token> \
--set castai.clusterID=<your-cluster-id> \
--set agent.enabled=true \
--set agent.extraArgs.ebpf-events-enabled=true \
--set agent.extraArgs.file-hash-enricher-enabled=true
For detailed information on runtime security, refer to the Runtime Security documentation.
Resource configuration
For large clusters or environments with intensive monitoring requirements, you may need to increase the resources allocated to Kvisor:
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reset-then-reuse-values \
--set controller.resources.requests.cpu=100m \
--set controller.resources.requests.memory=2Gi \
--set controller.resources.limits.memory=2Gi
Adjust these values based on your specific cluster size and monitoring needs. The memory limit is the threshold at which the controller is OOM-killed, so set it above the peak usage you observe (for example with kubectl top pod -n castai-agent) rather than at the request. When the DaemonSet agent is enabled, it has its own resource settings in values.yaml; a larger controller does not change what runs on each node.
Combine multiple features
You can enable multiple features and configure scan intervals in a single Helm command:
helm upgrade --install castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reset-then-reuse-values \
--set castai.apiKey=<your-api-token> \
--set castai.clusterID=<your-cluster-id> \
--set agent.enabled=true \
--set agent.extraArgs.ebpf-events-enabled=true \
--set agent.extraArgs.file-hash-enricher-enabled=true \
--set agent.extraArgs.netflow-enabled=true \
--set agent.extraArgs.stats-enabled=true \
--set controller.extraArgs.image-concurrent-scans=6 \
--set controller.extraArgs.image-scan-interval=30s \
--set controller.extraArgs.kube-linter-scan-interval=60s
Verify your configuration
To verify that your configuration changes have been applied correctly:
helm get values castai-kvisor -n castai-agent
This command displays the values you have supplied for the Kvisor release. Add --all to also include the chart's defaults, which is the complete set of values the release is rendered with. Note that this shows what Helm was asked for, not what the pods are running with: if a pod has not rolled yet, the running configuration can still be the previous one.
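helm get values reports the requested values; the authoritative check is the argument list of the running controller. The following is an added example, not Cast AI's or the chart's code, that reads the controller Deployment's container arguments and compares them with the flags you expect. It assumes, which the page does not state, that the chart renders each controller.extraArgs.KEY=VALUE as a --KEY=VALUE container argument; the Deployment name castai-kvisor-controller is the one used in the Troubleshooting section of this page, and check_flags and controller_args are this example's own helper names.

```shell
#!/bin/sh
# Added example, not part of the Kvisor docs: confirm that the extraArgs you
# set actually reached the running controller by reading the container args
# from the Deployment and comparing them with what you expect.
# Assumption (not stated on the page): the chart renders each
# controller.extraArgs.KEY=VALUE as a "--KEY=VALUE" container argument.

# check_flags WANT...  (reads one "--flag=value" per line on stdin)
# WANT is flag=value. Prints one OK / MISSING / MISMATCH line per flag and
# returns 1 if any flag is not OK.
check_flags() {
  args="$(cat)"
  rc=0
  for want in "$@"; do
    flag="${want%%=*}"
    expect="${want#*=}"
    # Take the last occurrence of the flag and strip the "--flag=" prefix.
    got="$(printf '%s\n' "$args" | sed -n "s/^--$flag=//p" | tail -n 1)"
    if [ -z "$got" ]; then
      echo "MISSING  $flag (not set; the binary's built-in default applies)"; rc=1
    elif [ "$got" != "$expect" ]; then
      echo "MISMATCH $flag: running with '$got', expected '$expect'"; rc=1
    else
      echo "OK       $flag=$got"
    fi
  done
  return "$rc"
}

# controller_args: print the controller's container arguments, one per line
# (needs cluster access; KVISOR_NAMESPACE is this example's own variable).
controller_args() {
  kubectl get deployment castai-kvisor-controller -n "${KVISOR_NAMESPACE:-castai-agent}" \
    -o jsonpath='{range .spec.template.spec.containers[*].args[*]}{@}{"\n"}{end}'
}

# Usage:
#   controller_args | check_flags image-scan-interval=60s image-concurrent-scans=6
```

A MISSING result after a helm upgrade usually means the key was set under the wrong path (for example agent.extraArgs instead of controller.extraArgs), or that the Deployment has not rolled to the new template yet.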
Troubleshooting
If you encounter issues after changing Kvisor's configuration:
Check Controller Logs
kubectl logs -l app.kubernetes.io/name=castai-kvisor-controller -n castai-agent
Check Agent Logs
kubectl logs -l app.kubernetes.io/name=castai-kvisor-agent -n castai-agent
Restart the Pods
Changing extraArgs alters the pod template, so Helm rolls the affected pods on its own. If configuration changes still don't seem to be taking effect (for example after a change that does not touch the pod template), you can restart the Kvisor pods manually:
kubectl rollout restart deployment castai-kvisor-controller -n castai-agent
kubectl rollout restart daemonset castai-kvisor-agent -n castai-agent
Next Steps
After configuring Kvisor features, you can:
- View security insights in the Security dashboard
- Explore the Vulnerabilities report to identify image security issues
- Check your compliance status in the Compliance report
- Analyze Runtime anomalies if you've enabled Runtime Security