Overview
Kvisor is an open-source security agent designed to enhance the security posture of your Kubernetes clusters. It provides comprehensive security monitoring and assessment capabilities to help identify potential security risks and vulnerabilities in your containerized environment.
What is Kvisor?
Kvisor is a core component of Cast AI's security offering that operates as both a Kubernetes controller (Deployment) and an agent (DaemonSet). It continuously scans and monitors your Kubernetes environment to identify security issues, vulnerabilities, and misconfigurations.
The agent was designed to be lightweight, efficient, and minimally invasive while providing maximum security visibility across your clusters. As an open-source solution, you can review its implementation on GitHub.
Key capabilities
Container image vulnerability scanning
Kvisor scans container images running in your cluster to identify known vulnerabilities and provide actionable insights. It evaluates both public and private container registries, offering severity assessments based on CVSS scores and suggesting appropriate remediation steps when available.
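The severity assessment described above rests on mapping CVSS base scores to qualitative bands and then ordering findings so the ones worth acting on first surface first. The following Python is an added illustration, not Kvisor's own code or output format: the `Finding` record, the `triage` and `summarize` helpers and the sample findings are all constructed here (the CVE identifiers are placeholders), while the score bands are the published CVSS v3.x qualitative rating scale.

```python
"""Triage constructed image-scan findings by CVSS v3.x severity band.

Added illustration, not Kvisor's own code: the Finding record, the helper
names and the sample data below are assumptions; only the None/Low/Medium/
High/Critical bands are the real CVSS v3.x qualitative rating scale.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    image: str
    package: str
    vuln_id: str
    cvss: float
    fixed_version: Optional[str]  # None when no fixed version is known


# CVSS v3.x qualitative severity scale: (inclusive upper bound, label).
_BANDS = ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"),
          (8.9, "High"), (10.0, "Critical"))
_ORDER = [label for _, label in _BANDS]


def cvss_severity(score: float) -> str:
    """Map a CVSS base score to its qualitative band; reject out-of-range input."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    for upper, label in _BANDS:
        if score <= upper:
            return label
    return "Critical"


def triage(findings: List[Finding], min_severity: str = "Medium") -> List[Finding]:
    """Keep findings at or above min_severity; fixable ones first, then by score.

    A fixable High usually deserves attention before an unfixable Critical,
    because the remediation step (bump the package) is actionable today.
    """
    threshold = _ORDER.index(min_severity)
    kept = [f for f in findings if _ORDER.index(cvss_severity(f.cvss)) >= threshold]
    return sorted(kept, key=lambda f: (f.fixed_version is None, -f.cvss))


def summarize(findings: List[Finding]) -> Dict[str, Counter]:
    """Per-image count of findings in each severity band."""
    out: Dict[str, Counter] = {}
    for f in findings:
        out.setdefault(f.image, Counter())[cvss_severity(f.cvss)] += 1
    return out


# Constructed sample findings; vuln_id values are placeholders, not real CVEs.
SAMPLE = [
    Finding("registry.example/api:1.2", "openssl", "CVE-EXAMPLE-0001", 9.8, "3.0.14"),
    Finding("registry.example/api:1.2", "zlib", "CVE-EXAMPLE-0002", 7.5, None),
    Finding("registry.example/api:1.2", "curl", "CVE-EXAMPLE-0003", 3.7, "8.8.0"),
    Finding("registry.example/web:2.0", "libxml2", "CVE-EXAMPLE-0004", 5.3, "2.12.7"),
    Finding("registry.example/web:2.0", "busybox", "CVE-EXAMPLE-0005", 0.0, None),
]

if __name__ == "__main__":
    for image, counts in summarize(SAMPLE).items():
        print(image, dict(counts))
    for f in triage(SAMPLE):
        fix = f.fixed_version or "no fix available"
        print(f"{cvss_severity(f.cvss):8} {f.vuln_id} {f.package} -> {fix}")
```

The ordering in `triage` is a design choice: it puts remediable findings ahead of unremediable ones of equal or higher score so that a report leads with steps the operator can actually take, which matches the "suggesting appropriate remediation steps when available" behaviour described above.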
About Cast AI's image scanner
The vulnerability scanning capability in Kvisor is powered by Cast AI's proprietary image scanner, built specifically for Kubernetes environments. This scanner checks container images against multiple security standards and vulnerability databases:
- Center for Internet Security (CIS) Kubernetes Benchmark
- National Security Agency (NSA) Kubernetes Hardening Guidelines
- Open Web Application Security Project (OWASP) recommendations
- Payment Card Industry Data Security Standard (PCI DSS) requirements
This ensures your container images are assessed against the most relevant security standards and best practices.
Kubernetes security assessment
Kvisor evaluates your Kubernetes environment against industry best practices and CIS Benchmarks. This comprehensive assessment helps you identify misconfigurations, validate RBAC settings, and ensure your control plane and node configurations align with security standards.
Runtime security monitoring
When enabled, Kvisor provides real-time security monitoring using eBPF technology. This capability detects anomalous activities such as unusual network connections, potentially malicious processes, and suspicious file system operations, helping you identify threats as they emerge.
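The three anomaly classes named above (unusual network connections, potentially malicious processes, suspicious file system operations) are each a rule evaluated over a stream of kernel events. The Python below is an added illustration of that shape of detection logic and is not Kvisor's rule set or event schema: the `Event` fields, the rule names, the `Baseline` format and the sample events are all assumptions constructed for the example.

```python
"""Toy runtime-security rules over constructed process, network and file events.

Added illustration, not Kvisor's own code: the event schema, the baseline
format and the rule names are assumptions. Real eBPF agents emit far richer
events, but the detection pattern (enrich, compare to expectation, alert) is
the same.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Alert = Tuple[str, str, str]  # (rule, container, detail)


@dataclass(frozen=True)
class Event:
    kind: str            # "exec", "connect" or "open"
    container: str       # container the event came from
    comm: str            # name of the process that performed the action
    parent_comm: str = ""  # parent process name for exec events
    path: str = ""       # exec target or opened file
    flags: str = ""      # contains "w" when a file is opened for writing
    dst: str = ""        # "ip:port" for connect events


@dataclass
class Baseline:
    """Per-container expectations declared ahead of time (assumed format)."""
    allowed_dst: Dict[str, Set[str]] = field(default_factory=dict)


SHELLS = {"sh", "bash", "dash", "zsh"}
SENSITIVE_WRITE_PREFIXES = ("/etc/shadow", "/etc/passwd", "/root/.ssh", "/proc/sys")


def detect(events: List[Event], baseline: Baseline) -> List[Alert]:
    """Apply one rule per event class and return the alerts in event order."""
    alerts: List[Alert] = []
    for e in events:
        if e.kind == "exec":
            # A service process spawning an interactive shell is rarely expected.
            target = e.path.rsplit("/", 1)[-1]
            if target in SHELLS and e.parent_comm not in SHELLS:
                alerts.append(("shell_spawned_by_service", e.container,
                               f"{e.parent_comm} -> {e.path}"))
        elif e.kind == "connect":
            # Any destination outside the container's declared set is unusual.
            if e.dst not in baseline.allowed_dst.get(e.container, set()):
                alerts.append(("unexpected_outbound_connection", e.container, e.dst))
        elif e.kind == "open":
            # Writes to credential or kernel tunable paths are suspicious.
            if "w" in e.flags and e.path.startswith(SENSITIVE_WRITE_PREFIXES):
                alerts.append(("sensitive_file_write", e.container, e.path))
    return alerts


# Constructed sample stream: a web container behaving normally, then not.
BASELINE = Baseline(allowed_dst={"web-1": {"10.0.0.5:5432"}})
SAMPLE_EVENTS = [
    Event("exec", "web-1", "nginx", parent_comm="", path="/usr/sbin/nginx"),
    Event("connect", "web-1", "nginx", dst="10.0.0.5:5432"),
    Event("open", "web-1", "nginx", path="/var/log/nginx/access.log", flags="w"),
    Event("exec", "web-1", "sh", parent_comm="nginx", path="/bin/sh"),
    Event("exec", "web-1", "ls", parent_comm="sh", path="/bin/ls"),
    Event("open", "web-1", "sh", path="/etc/passwd", flags="r"),
    Event("connect", "web-1", "sh", dst="203.0.113.7:8443"),
    Event("open", "web-1", "sh", path="/etc/shadow", flags="w"),
]

if __name__ == "__main__":
    for rule, container, detail in detect(SAMPLE_EVENTS, BASELINE):
        print(f"{rule:32} {container} {detail}")
```

Note that the `ls` exec and the read of `/etc/passwd` produce nothing: a shell running ordinary commands is not itself the signal, the transition from a service process into a shell is, and reads of world-readable files are normal. Keeping the rules that narrow is what keeps a detection-only agent from drowning operators in noise.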
Telemetry collection
Kvisor can be configured to collect additional telemetry that enhances your security visibility. This includes network traffic flows, resource usage statistics, and process relationship information, providing valuable context for security investigations and performance analysis.
Architecture
Kvisor operates with a two-component architecture:
- Kvisor Controller (Deployment): Manages the scanning operations, communicates with the Cast AI control plane, and schedules assessments.
- Kvisor Agent (DaemonSet): When Runtime Security is enabled, this component is deployed on each node to collect real-time security telemetry.
This design ensures comprehensive coverage and efficient resource usage, minimizing the impact on your cluster while maximizing security visibility.
Permissions and security considerations
Kvisor uses the same permission set as the standard Cast AI agent. For detailed information about the required permissions, please refer to the Kubernetes permissions section.
Kvisor is designed to be secure by default and follows the principle of least privilege, requesting only the permissions necessary to perform its security functions.
Compatibility with other tools
Kvisor is designed to operate alongside your existing security toolchain. It runs in read-only mode for most operations and follows careful resource management practices to ensure it doesn't interfere with other security tools or monitoring solutions you may have deployed in your cluster.
Unlike some security tools that might enforce policies or block operations, Kvisor focuses on detection and reporting, making it complementary to your existing security stack rather than competitive.
Next steps
For detailed installation and configuration instructions, see the Installing and Upgrading Kvisor guide.
To learn how to scan private container registries, refer to the Private Image Scanning documentation.