The Kubescape operator
When installed in your cluster, Kubescape runs as a set of microservices. These allow you to continually monitor the security posture of the cluster the operator is installed in.
The Kubescape operator includes:
- scanning for misconfigurations
- scanning all deployed images for vulnerabilities (CVEs)
- exposing in-cluster data as Kubernetes API objects
- exporting data to a configured provider
- allowing secure control by a configured provider
Install
The Kubescape operator is installed using Helm. Here you can find the installation instructions for the Kubescape operator.
Misconfiguration scanning
The kubescape service uses the same engine as the Kubescape CLI to scan the cluster for misconfigurations.
Vulnerability scanning
The kubevuln microservice scans container images for vulnerabilities.
In-cluster storage
The storage microservice provides an aggregated API server to expose Kubescape scan data inside the cluster.
In-cluster scan results are considered ephemeral, as they are regularly updated and can be fully regenerated. If you want a history we recommend you use Kubescape's provider interface to send the data out of the cluster when scans are complete.
To see a list of the types that are added to your cluster, use kubectl api-resources:
$ kubectl api-resources | grep kubescape
operatorcommands opcmd kubescape.io/v1alpha1 true OperatorCommand
runtimerulealertbindings rab kubescape.io/v1 false RuntimeRuleAlertBinding
applicationactivities spdx.softwarecomposition.kubescape.io/v1beta1 true ApplicationActivity
applicationprofiles spdx.softwarecomposition.kubescape.io/v1beta1 true ApplicationProfile
knownservers spdx.softwarecomposition.kubescape.io/v1beta1 false KnownServer
networkneighborhoods spdx.softwarecomposition.kubescape.io/v1beta1 true NetworkNeighborhood
networkneighborses spdx.softwarecomposition.kubescape.io/v1beta1 true NetworkNeighbors
openvulnerabilityexchangecontainers spdx.softwarecomposition.kubescape.io/v1beta1 true OpenVulnerabilityExchangeContainer
sbomsyftfiltereds spdx.softwarecomposition.kubescape.io/v1beta1 true SBOMSyftFiltered
sbomsyfts spdx.softwarecomposition.kubescape.io/v1beta1 true SBOMSyft
seccompprofiles spdx.softwarecomposition.kubescape.io/v1beta1 true SeccompProfile
vulnerabilitymanifests spdx.softwarecomposition.kubescape.io/v1beta1 true VulnerabilityManifest
vulnerabilitymanifestsummaries spdx.softwarecomposition.kubescape.io/v1beta1 true VulnerabilityManifestSummary
workloadconfigurationscans spdx.softwarecomposition.kubescape.io/v1beta1 true WorkloadConfigurationScan
workloadconfigurationscansummaries spdx.softwarecomposition.kubescape.io/v1beta1 true WorkloadConfigurationScanSummary
- Custom Resource Definitions, a common approach for adding new types to the Kubernetes API.
- Software Bill of Materials
Telemetry
Several of our in-cluster components implement telemetry data using OpenTelemetry (OTel). You can optionally install an OTel collector in your cluster to aggregate these metrics and send them to your own tracing tool.
Automation and control
- The
operatormicroservice handles the scheduling and execution of scans. - The
synchronizermicroservice sends information about the state of the cluster to a configured provider. A connected provider can leverage thesynchronizerto create OperatorCommand (CRDs), to instruct theoperatorto perform tasks such as executing scans or other supported actions of the operator.
For information on how these services interact, check out their documentation on GitHub.
Deprecated microservices
The kollector1 and gateway2 microservices have been deprecated in Helm chart versions 1.24.0 and 1.25.0, respectively, and replaced by the synchronizer microservice.
Node agent
Some functions of Kubescape require access to every node. These include controls which require host scanning, and calculating runtime vulnerability relevancy.
The optional Kubescape node agent runs as a DaemonSet, deployed to every node in your cluster.