Skip to content

The Kubescape operator

When installed in your cluster, Kubescape runs as a set of microservices. These allow you to continually monitor the security posture of the cluster the operator is installed in.

The Kubescape operator includes:

  • scanning for misconfigurations
  • scanning all deployed images for vulnerabilities (CVEs)
  • exposing in-cluster data as Kubernetes API objects
  • exporting data to a configured provider
  • allowing secure control by a configured provider

Install

The Kubescape operator is installed using Helm. Here you can find the installation instructions for the Kubescape operator.

Misconfiguration scanning

The kubescape service uses the same engine as the Kubescape CLI to scan the cluster for misconfigurations.

Vulnerability scanning

The kubevuln microservice scans container images for vulnerabilities.

In-cluster storage

The storage microservice provides an aggregated API server to expose Kubescape scan data inside the cluster.

In-cluster scan results are considered ephemeral, as they are regularly updated and can be fully regenerated. If you want a history we recommend you use Kubescape's provider interface to send the data out of the cluster when scans are complete.

To see a list of the types that are added to your cluster, use kubectl api-resources:

$ kubectl api-resources | grep kubescape
applicationactivities                                     spdx.softwarecomposition.kubescape.io/v1beta1   true         ApplicationActivity
applicationprofiles                                       spdx.softwarecomposition.kubescape.io/v1beta1   true         ApplicationProfile
configurationscansummaries                                spdx.softwarecomposition.kubescape.io/v1beta1   false        ConfigurationScanSummary
generatednetworkpolicies                                  spdx.softwarecomposition.kubescape.io/v1beta1   true         GeneratedNetworkPolicy
knownservers                                              spdx.softwarecomposition.kubescape.io/v1beta1   false        KnownServer
networkneighborses                                        spdx.softwarecomposition.kubescape.io/v1beta1   true         NetworkNeighbors
openvulnerabilityexchangecontainers                       spdx.softwarecomposition.kubescape.io/v1beta1   true         OpenVulnerabilityExchangeContainer
sbomsyftfiltereds                                         spdx.softwarecomposition.kubescape.io/v1beta1   true         SBOMSyftFiltered
sbomsyfts                                                 spdx.softwarecomposition.kubescape.io/v1beta1   true         SBOMSyft
vulnerabilitymanifests                                    spdx.softwarecomposition.kubescape.io/v1beta1   true         VulnerabilityManifest
vulnerabilitymanifestsummaries                            spdx.softwarecomposition.kubescape.io/v1beta1   true         VulnerabilityManifestSummary
vulnerabilitysummaries                                    spdx.softwarecomposition.kubescape.io/v1beta1   false        VulnerabilitySummary
workloadconfigurationscans                                spdx.softwarecomposition.kubescape.io/v1beta1   true         WorkloadConfigurationScan
workloadconfigurationscansummaries                        spdx.softwarecomposition.kubescape.io/v1beta1   true         WorkloadConfigurationScanSummary
  1. Custom Resource Definitions, a common approach for adding new types to the Kubernetes API.
  2. Software Bill of Materials

Telemetry

Several of our in-cluster components implement telemetry data using OpenTelemetry (OTel). You can optionally install an OTel collector in your cluster to aggregate these metrics and send them to your own tracing tool.

Automation and control

  • The operator and gateway microservices interact to start or schedule scans.
  • The kollector service sends information about the state of the cluster to a configured provider.

For information on how these services interact, check out their documentation on GitHub.

Node agent

Some functions of Kubescape require access to every node. These include controls which require host scanning, and calculating runtime vulnerability relevancy.

The optional Kubescape node agent runs as a DaemonSet, deployed to every node in your cluster.