Configuring Kvisor features

This guide explains how to configure various features of the Kvisor security agent to enhance your Kubernetes security posture. Kvisor provides several specialized monitoring and scanning capabilities that can be enabled and customized according to your needs.

Configuration overview

Kvisor supports multiple configuration options that can be set via Helm during installation or upgrade. The basic format for enabling or modifying features is:

helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --reset-then-reuse-values \
  --set [configuration-option]=[value]

All supported configuration values are found in the Kvisor Helm chart values.yaml. The --reset-then-reuse-values flag (Helm 3.14 and later) starts from the chart defaults, re-applies the values of the previous release and then merges your --set overrides, so a feature you enabled earlier stays enabled when you later change an unrelated option.

Image scanning configuration

Use a custom image

You can configure Kvisor to use a custom image from your private registry. The secret named in imagePullSecrets must already exist in the castai-agent namespace, since Kubernetes resolves image pull secrets only from the pod's own namespace:

helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --reset-then-reuse-values \
  --set image.repository=my-kvisor-repository \
  --set image.tag=my-tag \
  --set 'imagePullSecrets[0].name=my-pull-secret'

Increase concurrent image scan count

To improve scanning performance for environments with many images, raise the number of images the controller scans in parallel. Each concurrent scan consumes controller CPU and memory, so increase the controller's requests and limits (see Resource configuration below) when you raise this value:

helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --reset-then-reuse-values \
  --set controller.extraArgs.image-concurrent-scans=6

Private image scanning

For detailed instructions on configuring private image scanning, refer to the dedicated Private Image Scanning documentation.

Excluding Namespaces from Scanning

You may want to exclude specific namespaces from image scanning, particularly for third-party monitoring tools or systems that manage their own security. Images in an excluded namespace produce no vulnerability findings, so treat the list as a deliberate coverage gap and keep it short. To configure namespace exclusions:

helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --reset-then-reuse-values \
  --set 'controller.extraArgs.image-scan-ignored-namespaces=namespace1\,namespace2'

For example, to exclude the Dynatrace namespace from scanning:

helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --reset-then-reuse-values \
  --set controller.extraArgs.image-scan-ignored-namespaces=dynatrace

You can specify multiple namespaces by separating them with commas, but Helm itself splits --set on commas, so each comma inside the value must be escaped as \, and the whole argument single-quoted so the shell passes the backslash through. An unescaped list such as namespace1,namespace2 is parsed by Helm as two separate keys and the command is rejected.
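The following helper is an added example and is not part of the Kvisor documentation or chart. It builds the --set argument for image-scan-ignored-namespaces from a list of namespaces, validates each name as a Kubernetes namespace name (an RFC 1123 label), drops duplicates and escapes the separators the way Helm expects. The namespace names used in the usage line (dynatrace, datadog) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Kvisor's own code): produce a Helm --set value for
# controller.extraArgs.image-scan-ignored-namespaces. Helm splits --set on
# unescaped commas, so every separator inside the value is written as "\,".

# Return 0 if $1 is a valid Kubernetes namespace name (RFC 1123 label):
# 1-63 chars, lowercase alphanumerics or '-', not starting or ending with '-'.
is_namespace_name() {
  ns="$1"
  [ ${#ns} -ge 1 ] && [ ${#ns} -le 63 ] || return 1
  case "$ns" in
    *[!a-z0-9-]*) return 1 ;;
    -*|*-) return 1 ;;
  esac
  return 0
}

# Print "controller.extraArgs.image-scan-ignored-namespaces=<a\,b\,c>".
# Rejects invalid names (exit 1), silently drops repeated names.
ignored_namespaces_set_arg() {
  out=""
  seen=" "
  for ns in "$@"; do
    is_namespace_name "$ns" || { echo "invalid namespace name: $ns" >&2; return 1; }
    case "$seen" in *" $ns "*) continue ;; esac
    seen="$seen$ns "
    if [ -z "$out" ]; then out="$ns"; else out="$out\\,$ns"; fi
  done
  [ -n "$out" ] || return 1
  printf 'controller.extraArgs.image-scan-ignored-namespaces=%s\n' "$out"
}

# Usage: the command substitution keeps the backslashes intact, so Helm sees
# one key whose value is the comma-separated list.
#   helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
#     --reset-then-reuse-values \
#     --set "$(ignored_namespaces_set_arg dynatrace datadog)"
ignored_namespaces_set_arg dynatrace datadog
```

Because the value is assembled by a function rather than typed by hand, a typo such as an uppercase letter or a stray space fails loudly before Helm is invoked instead of silently leaving a namespace in scope.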

Network traffic monitoring

Kvisor can collect Kubernetes network flows using eBPF. This feature provides visibility into pod-to-pod and pod-to-external communications, which is valuable for security analysis and network optimization.

To enable network traffic monitoring (castai.apiKey is a secret: supply it from an environment variable or a values file with restricted permissions rather than typing it literally, so it does not end up in your shell history):

helm upgrade --install castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --reset-then-reuse-values \
  --set castai.apiKey=<your-api-token> \
  --set castai.clusterID=<your-cluster-id> \
  --set agent.enabled=true \
  --set agent.extraArgs.netflow-enabled=true

Note: If you have the egressd component running, uninstall its Helm release before enabling network traffic monitoring in Kvisor. helm uninstall takes the release name, not the chart reference; find the name with helm list -n castai-agent and then run:

helm uninstall <egressd-release-name> -n castai-agent

Resource statistics monitoring

Kvisor can collect detailed resource usage statistics from containers and nodes, including CPU, Memory, I/O usage, and PSI (Pressure Stall Information) metrics. This data can help identify performance bottlenecks and resource contention.

To enable resource statistics collection:

helm upgrade --install castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --reset-then-reuse-values \
  --set castai.apiKey=<your-api-token> \
  --set castai.clusterID=<your-cluster-id> \
  --set agent.enabled=true \
  --set agent.extraArgs.stats-enabled=true

Runtime security monitoring

Runtime Security monitoring enables real-time detection of anomalous activities in your cluster. This feature requires the Kvisor agent, which agent.enabled=true deploys as a DaemonSet on all nodes.

To enable runtime security:

helm upgrade --install castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --reset-then-reuse-values \
  --set castai.apiKey=<your-api-token> \
  --set castai.clusterID=<your-cluster-id> \
  --set agent.enabled=true \
  --set agent.extraArgs.ebpf-events-enabled=true \
  --set agent.extraArgs.file-hash-enricher-enabled=true

For detailed information on runtime security, refer to the Runtime Security documentation.

Resource configuration

For large clusters or environments with intensive monitoring requirements, you may need to increase the resources allocated to Kvisor:

helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --reset-then-reuse-values \
  --set controller.resources.requests.cpu=100m \
  --set controller.resources.requests.memory=2Gi \
  --set controller.resources.limits.memory=2Gi

Adjust these values based on your specific cluster size and monitoring needs.

Combine multiple features

You can enable multiple features in a single Helm command:

helm upgrade --install castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --reset-then-reuse-values \
  --set castai.apiKey=<your-api-token> \
  --set castai.clusterID=<your-cluster-id> \
  --set agent.enabled=true \
  --set agent.extraArgs.ebpf-events-enabled=true \
  --set agent.extraArgs.file-hash-enricher-enabled=true \
  --set agent.extraArgs.netflow-enabled=true \
  --set agent.extraArgs.stats-enabled=true \
  --set controller.extraArgs.image-concurrent-scans=6

Verify your configuration

To verify that your configuration changes have been applied correctly:

helm get values castai-kvisor -n castai-agent

This command displays the values you have supplied for the Kvisor release; add --all to also see the chart defaults that are in effect. It reports what Helm was asked for, not what is running, so confirm the rendered flags as well, for example by reading the container args of the castai-kvisor-agent DaemonSet or the castai-kvisor-controller Deployment with kubectl get ... -o yaml.
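The check below is an added example, not part of the Kvisor documentation or chart. It compares the feature flags you expect against the args actually rendered into the running workload, which is where a mis-spelled extraArgs key or a value lost in a later upgrade shows up. It assumes the chart renders each extraArgs entry as --key=value and that the agent binary is the first container of the DaemonSet; the sample args are constructed.

```shell
#!/bin/sh
# Added example, not part of the Kvisor docs or chart. "helm get values" only
# echoes what you asked Helm for; this compares the flags you expect against the
# args rendered into the running workload. Assumptions: extraArgs are rendered
# as "--key=value" and the agent binary is containers[0] of the DaemonSet.

# Print every expected flag (arguments 2..n) that is absent from the
# newline-separated args text in argument 1. Returns 1 if anything is missing.
missing_flags() {
  args="$1"; shift
  rc=0
  for flag in "$@"; do
    # -x: whole line must match, -F: literal string, --: the flag starts with "--"
    if ! printf '%s\n' "$args" | grep -qxF -- "$flag"; then
      printf '%s\n' "$flag"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample of agent args for a cluster where runtime security and
# netflow collection were enabled but stats collection was not.
SAMPLE_AGENT_ARGS='--ebpf-events-enabled=true
--file-hash-enricher-enabled=true
--netflow-enabled=true'

# Against a live cluster, feed the DaemonSet's rendered args instead:
#   ARGS=$(kubectl get daemonset castai-kvisor-agent -n castai-agent \
#     -o jsonpath='{range .spec.template.spec.containers[0].args[*]}{@}{"\n"}{end}')
#   missing_flags "$ARGS" --netflow-enabled=true --stats-enabled=true

missing_flags "$SAMPLE_AGENT_ARGS" --netflow-enabled=true --stats-enabled=true \
  || echo "the flags listed above were requested but are not in the rendered args" >&2
```

Run the same function against the castai-kvisor-controller Deployment (with kubectl get deployment and the same jsonpath) to check controller-side settings such as image-concurrent-scans.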

Troubleshooting

If you encounter issues after changing Kvisor's configuration:

Check Controller Logs

kubectl logs -l app.kubernetes.io/name=castai-kvisor-controller -n castai-agent

Check Agent Logs

kubectl logs -l app.kubernetes.io/name=castai-kvisor-agent -n castai-agent

Restart the Pods

If configuration changes don't seem to be taking effect, you can restart the Kvisor pods:

kubectl rollout restart deployment castai-kvisor-controller -n castai-agent
kubectl rollout restart daemonset castai-kvisor-agent -n castai-agent

Next Steps

After configuring Kvisor features, you can: