The Kubescape operator
When installed in your cluster, Kubescape runs as a set of microservices. These allow you to continually monitor the security posture of the cluster the operator is installed in.
The Kubescape operator includes:
- scanning for misconfigurations
- scanning all deployed images for vulnerabilities (CVEs)
- exposing in-cluster data as Kubernetes API objects
- exporting data to a configured provider
- allowing secure control by a configured provider
- The `kubescape` service uses the same engine as the Kubescape CLI to scan the cluster for misconfigurations.
- The `kubevuln` microservice scans container images for vulnerabilities.
- The `storage` microservice provides an aggregated API server that exposes Kubescape scan data inside the cluster.
In-cluster scan results are considered ephemeral: they are regularly updated and can be fully regenerated. If you want a history, we recommend you use Kubescape's provider interface to send the data out of the cluster when scans are complete.
To see a list of the types that are added to your cluster, use:

```
$ kubectl api-resources | grep kubescape
configurationscansummaries           spdx.softwarecomposition.kubescape.io/v1beta1   false   ConfigurationScanSummary
sbomspdxv2p3filtereds                spdx.softwarecomposition.kubescape.io/v1beta1   true    SBOMSPDXv2p3Filtered
sbomspdxv2p3s                        spdx.softwarecomposition.kubescape.io/v1beta1   true    SBOMSPDXv2p3
sbomsummaries                        spdx.softwarecomposition.kubescape.io/v1beta1   true    SBOMSummary
vulnerabilitymanifests               spdx.softwarecomposition.kubescape.io/v1beta1   true    VulnerabilityManifest
vulnerabilitymanifestsummaries       spdx.softwarecomposition.kubescape.io/v1beta1   true    VulnerabilityManifestSummary
vulnerabilitysummaries               spdx.softwarecomposition.kubescape.io/v1beta1   false   VulnerabilitySummary
workloadconfigurationscans           spdx.softwarecomposition.kubescape.io/v1beta1   true    WorkloadConfigurationScan
workloadconfigurationscansummaries   spdx.softwarecomposition.kubescape.io/v1beta1   true    WorkloadConfigurationScanSummary
```
- CRDs: Custom Resource Definitions, a common approach for adding new types to the Kubernetes API.
- SBOM: Software Bill of Materials.
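Because the in-cluster objects are ephemeral, a practical first step towards keeping a history is to snapshot them. The following is an added example (not Kubescape project code) that parses the `kubectl api-resources` listing shown above, separates namespaced kinds from cluster-scoped ones, and builds the `kubectl get` commands that dump each Kubescape resource type to a file. The sample listing is constructed from the output on this page; the function names and the output directory are this example's own assumptions.

```python
"""Parse `kubectl api-resources` output and plan a snapshot of Kubescape's
in-cluster scan objects.

Added example, not part of the Kubescape docs or project code. The sample
listing below is constructed from the output shown on this page; the function
names and the output directory are this example's own.
"""
import shlex
from dataclasses import dataclass

# Constructed sample: the `kubectl api-resources | grep kubescape` rows from
# this page, in the columns kubectl prints (NAME, SHORTNAMES, APIVERSION,
# NAMESPACED, KIND). SHORTNAMES is blank for all of these, so each row has
# four whitespace-separated fields.
SAMPLE_API_RESOURCES = """\
configurationscansummaries           spdx.softwarecomposition.kubescape.io/v1beta1   false   ConfigurationScanSummary
sbomspdxv2p3filtereds                spdx.softwarecomposition.kubescape.io/v1beta1   true    SBOMSPDXv2p3Filtered
sbomspdxv2p3s                        spdx.softwarecomposition.kubescape.io/v1beta1   true    SBOMSPDXv2p3
sbomsummaries                        spdx.softwarecomposition.kubescape.io/v1beta1   true    SBOMSummary
vulnerabilitymanifests               spdx.softwarecomposition.kubescape.io/v1beta1   true    VulnerabilityManifest
vulnerabilitymanifestsummaries       spdx.softwarecomposition.kubescape.io/v1beta1   true    VulnerabilityManifestSummary
vulnerabilitysummaries               spdx.softwarecomposition.kubescape.io/v1beta1   false   VulnerabilitySummary
workloadconfigurationscans           spdx.softwarecomposition.kubescape.io/v1beta1   true    WorkloadConfigurationScan
workloadconfigurationscansummaries   spdx.softwarecomposition.kubescape.io/v1beta1   true    WorkloadConfigurationScanSummary
"""


@dataclass(frozen=True)
class ApiResource:
    name: str          # plural resource name, as used with `kubectl get`
    shortnames: tuple  # empty when the SHORTNAMES column is blank
    group: str         # API group; empty string for the core group ("v1")
    version: str       # e.g. v1beta1
    namespaced: bool
    kind: str


def parse_api_resources(text: str) -> list:
    """Parse `kubectl api-resources` rows into ApiResource records.

    Handles the 4-field form (no SHORTNAMES) and the 5-field form (comma-separated
    SHORTNAMES). A header row, if present, is skipped.
    """
    resources = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "NAME":
            continue
        if len(fields) == 4:
            name, apiversion, namespaced, kind = fields
            shortnames = ()
        elif len(fields) == 5:
            name, short, apiversion, namespaced, kind = fields
            shortnames = tuple(short.split(","))
        else:
            raise ValueError(f"unexpected api-resources row: {line!r}")
        # Core-group resources print APIVERSION as just "v1"; CRDs print group/version.
        group, _, version = apiversion.rpartition("/")
        resources.append(ApiResource(name, shortnames, group, version,
                                     namespaced.lower() == "true", kind))
    return resources


def kubescape_resources(resources: list) -> list:
    """Keep only the types served by Kubescape's aggregated API server."""
    return [r for r in resources if r.group.endswith("kubescape.io")]


def cluster_scoped_names(resources: list) -> set:
    return {r.name for r in resources if not r.namespaced}


def snapshot_commands(resources: list, out_dir: str = "kubescape-snapshot") -> dict:
    """Build one `kubectl get ... -o yaml` command per resource type.

    Namespaced kinds need `-A` so every namespace is covered; cluster-scoped
    kinds (ConfigurationScanSummary and VulnerabilitySummary in the listing
    above) have no namespace, so the flag is omitted. The fully qualified
    `plural.group` form avoids ambiguity with same-named resources in other groups.
    """
    cmds = {}
    for r in resources:
        target = f"{r.name}.{r.group}" if r.group else r.name
        scope = ["-A"] if r.namespaced else []
        argv = ["kubectl", "get", target, *scope, "-o", "yaml"]
        cmds[r.name] = shlex.join(argv) + f" > {shlex.quote(out_dir)}/{r.name}.yaml"
    return cmds


if __name__ == "__main__":
    found = kubescape_resources(parse_api_resources(SAMPLE_API_RESOURCES))
    for cmd in snapshot_commands(found).values():
        print(cmd)
```

Running the module prints the nine snapshot commands; piping real `kubectl api-resources` output into `parse_api_resources` instead of the constructed sample makes the plan follow whatever types the installed Kubescape version actually registers.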
Several of our in-cluster components emit telemetry data using OpenTelemetry (OTel). You can optionally install an OTel collector in your cluster to aggregate these metrics and send them to your own tracing tool.
Automation and control
- The `gateway` microservices interact to start or schedule scans.
- The `kollector` service sends information about the state of the cluster to a configured provider.
For information on how these services interact, check out their documentation on GitHub.
The optional Kubescape node agent runs as a DaemonSet, deployed to every node in your cluster.