Kubescape Operator
Kubescape can run as a set of microservices inside a Kubernetes cluster. This allows you to continually monitor the status of a cluster, including for compliance and vulnerability management, and to export this data to an external provider.
The Kubescape Operator is installed using Helm.
Prerequisites
First, configure kubectl to refer to the Kubernetes cluster you wish to install the Kubescape Operator into.
If you have not already, you should install Helm.
Install
Warning: We only support installing this chart using Helm or ArgoCD. Using alternative installation methods, such as Kustomize, Helmfile or using custom scripts, may lead to unexpected behavior and issues. We cannot guarantee compatibility or provide support for deployments that are installed using methods other than Helm or ArgoCD.
Run the installation command:
helm repo add kubescape https://kubescape.github.io/helm-charts/ ; helm repo update ; helm upgrade --install kubescape kubescape/kubescape-operator -n kubescape --create-namespace --set clusterName=`kubectl config current-context` --set capabilities.continuousScan=enable
Verify that the installation was successful:
$ kubectl get pods -n kubescape
kubescape kubescape-548d6b4577-qshb5 1/1 Running 0 60m
kubescape kubevuln-6779c9d74b-wfgqf 1/1 Running 0 60m
kubescape operator-5d745b5b84-ts7zq 1/1 Running 0 60m
kubescape storage-59567854fd-hg8n8 1/1 Running 0 60m
View results
The scanning results will be available gradually as the scans are completed.
There are multiple options to visualize the results (GUI):
- Headlamp integration
- Lens integration
- ARMO Platform (commercial)
Compliance scanning
View Compliance summary report per namespace:
View Compliance summary report for each workload:
View Compliance detailed report for each workload:
Image Vulnerabilities scanning
View Vulnerabilities summary report per namespace:
View vulnerabilities summary report for each workload/image:
View vulnerabilities detailed report for each workload/image:
Network Policy Generation
View generated network policies:
Upgrading to a new release
To upgrade to the most recent version of the Kubescape Operator:
You can find the current version of the Helm chart installed in your cluster by running helm list -n kubescape.
To manually check if a newer version is available, visit the GitHub page for the Helm chart, or run
Uninstall
You can uninstall this helm chart by running the following command:
Then, delete the kubescape namespace:
Configuring your installation
The Helm charts for the Kubescape Operator offer both broad and detailed configuration options.
Enabling capabilities
High-level capabilities of the Kubescape Operator can be configured using the values.yaml file:
capabilities:
# ====== configuration scanning related capabilities ======
#
# Default configuration scanning setup
configurationScan: enable
# Continuous Scanning continuously evaluates the security posture of your cluster.
continuousScan: disable
nodeScan: enable
# ====== Image vulnerabilities scanning related capabilities ======
#
vulnerabilityScan: enable
relevancy: enable
# Generate VEX documents alongside the image vulnerabilities report (experimental)
vexGeneration: disable
# ====== Runtime related capabilities ======
#
runtimeObservability: enable
networkPolicyService: enable
runtimeDetection: disable
malwareDetection: disable
nodeProfileService: disable
seccompProfileService: enable
# ====== Other capabilities ======
#
# This is an experimental capability with an elevated security risk. Read the
# matching docs before enabling.
autoUpgrading: disable
prometheusExporter: disable
# seccompGenerator: disable
#extra capability - service discovery option
serviceScanConfig:
enabled : false
interval: 1h
You can configure these by using --set when installing the chart, or by specifying your own values file with the -f flag. Read the Helm documentation to learn more.
Configuring parameters
See the GitHub repository for the Kubescape operator to learn the full set of configuration parameters.
Sizing resources
By default, Kubescape supports small- to medium-sized clusters. If you have a larger cluster and you experience slowdowns, or see Kubernetes evicting components, revise the number of resources allocated for the troubled component.
The defaults of 500 MiB of memory and 500m CPU work well for clusters up to 1250 total resources when running Kubescape.
If you have more total resources or experience resource pressure, verify how many resources are in your cluster by running the following command:
The command prints an approximate count of resources in your cluster. Then based on the number you see, allocate 100 MiB of memory for every 200 resources in your cluster over the count of 1250, but no less than 128 MiB total.
The formula for memory is as follows:
For example, if your cluster has 500 resources, a sensible memory limit would be:
If your cluster has 50 resources, we recommend allocating at least 128 MiB of memory.
For the CPU, the more you allocate, the faster your clusters are scanned. This is especially true for clusters that have a large number of resources.
However, we recommend that you give Kubescape no less than 500m CPU no matter the size of your cluster so it can scan a relatively large amount of resources fast.
Verifying images
Kubescape container images are signed with Cosign.
Keyless verification
For keyless verification use GitHub as the trust anchor, see this example:
cosign verify quay.io/kubescape/kubescape:v2.9.2-prerelease --certificate-identity-regexp "github.com" --certificate-oidc-issuer-regexp "githubusercontent.com" && echo Signature OK
Validation with Public key
Put the following key to a file called cosign.pub.
Kubescape Cosign public key (version 1):
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbgIMZrMTTlEFDLEeZXz+4R/908BG
EeO70x6oMN7E4JQgzgbCB5rinqhK5t7dB61saVKQTb4P2NGtjPjXVbSTwQ==
-----END PUBLIC KEY-----
Use the following command to verify the image integrity with it: