Set up and Manage Clusters
InsightCloudSec currently supports the setup and harvesting of Kubernetes cluster details through two scanners: the local scanner and the remote scanner. The remote scanner supports harvesting of managed Kubernetes clusters to which InsightCloudSec has access (i.e., both network access and the required permissions). The local scanner supports managed Kubernetes clusters that are not accessible to InsightCloudSec, as well as self-managed Kubernetes clusters.
This page provides information on setting up your cluster accounts as well as detail on viewing that information within InsightCloudSec once your Kubernetes clusters have been harvested.
Kubernetes Scanner Support
Detailed documentation for both the remote scanner and the local scanner is available; refer to the following individual pages:
Details on each Kubernetes provider can be found at the following pages:
InsightCloudSec currently supports adding a cluster from the following services/providers:
Providers | Local Scanner | Remote Scanner |
---|---|---|
AWS (EKS) | Supported | Supported |
AWS (EKS) GovCloud | Supported | Supported |
AWS (EKS) China | Supported | Not Supported |
GCP (GKE) | Supported | Supported |
Azure (AKS) | Supported | Supported |
Azure (AKS) GovCloud | Supported | Not Supported |
Azure (AKS) China | Supported | Not Supported |
Oracle Cloud Infrastructure (OCI) - OKE | Supported | Not Supported |
Alibaba Cloud (ACK) | Supported | Not Supported |
Self-managed (All CSPs) | Supported | Not Supported |
Additional Details
After validating or setting up the appropriate permissions, InsightCloudSec harvests the Kubernetes services via the cloud provider API and creates a matching cloud account for each Kubernetes cluster.
- Cluster access is generated using the account access credentials provided by the user.
- Cluster resources are harvested and associated with the parent cloud account that is created to model the Kubernetes service.
Setup For Managed Kubernetes Clusters
Before getting started, you will need to ensure that the Cloud Service Provider (CSP) accounts (e.g., AWS, Azure, GCP) in which the target Kubernetes clusters reside have been successfully connected to InsightCloudSec. If you have not connected your CSP accounts, refer to Cloud Account Setup & Management for a summary and links to detailed steps for each individual CSP.
With appropriate access to the desired CSPs, after an upgrade to the latest version of InsightCloudSec, the remote scanner will automatically add all clusters for which the scanner has access and permission for harvesting. Each scanned cluster will be added to InsightCloudSec as an individual Kubernetes Cluster.
Enabling Scanning
Assessment is disabled by default: each added cluster is harvested in a Paused state, and scanning must be enabled individually for every cluster you want assessed.
Enable Scanning for Managed Clusters
After onboarding Managed Kubernetes clusters using the Remote Scanner, you must enable your clusters for scanning.
- Go to Cloud > Kubernetes Clusters to view the list of successfully onboarded clusters.
- Check the box next to the name for any clusters for which you want to enable scanning.
- To enable a scan cycle, click the Play button from the top menu options.
Setup for Self-Managed Kubernetes Clusters
Self-managed clusters are not visible to InsightCloudSec through the remote scanner. Once a self-managed cluster has been configured to grant the local scanner access and has been successfully onboarded to InsightCloudSec, it is harvested and assessed automatically through the local scanner.
After successful onboarding, the local scanner allows you to identify cluster coverage through the Clouds page.
Refer to the detailed documentation on the Kubernetes Local Scanner to enable support for self-managed clusters.
Setup General Troubleshooting
What if the Remote Scanner was not able to access my cluster(s)?
If the remote scanner cannot access one of your clusters you have two options:
- Update the cloud account/cluster settings to allow the remote scanner access to harvest the cluster details.
- If you are unable to allow the remote scanner access to this cluster, it can instead be accessed by installing the local scanner.
What happens if I'm using the local scanner (for managed clusters) and I want to switch to the remote scanner?
Is there any way to determine if a cluster that is currently supported by the local scanner can be supported by the remote scanner?
How do I migrate from a Local Scanner to a Remote Scanner?
If a managed cluster has already been scanned via the local scanner, it will continue to operate via the local scanner. You can migrate it to the remote scanner by taking the following steps:
- Uninstall the local scanner from the designated cluster using the `helm uninstall <Release Name>` command. For example, assuming Guardrails was installed with `k8s-guardrails` as the release name and `rapid7` as the namespace, run `helm uninstall k8s-guardrails -n rapid7`.
- Delete the associated Kubernetes cloud account from InsightCloudSec. Deleting the cloud account causes the loss of the Kubernetes data that was harvested and of the respective Insights; that data is restored by a fresh harvesting and assessment using the remote scanner.
- When the remote scanner runs it will detect the cluster and create a new Kubernetes cluster in InsightCloudSec. Note that new clusters are created in a Paused state.
- Select the new cluster and click "Resume" to start the assessment.
- The remote scanner will execute harvesting and assessment on the next harvesting cycle or upon manual harvesting trigger.
Refer to the Kubernetes Remote Scanner page for additional details.
How do I migrate from a Remote Scanner to a Local Scanner?
For a managed cluster that was onboarded through the remote scanner, refer to the details below on migrating from the remote scanner to a local scanner.
- Validate that the cluster ID configured for the local scanner installation is identical to the cluster ID in InsightCloudSec for any clusters you want to migrate.
- For existing clusters, view the cluster ID on the Cloud > Kubernetes Clusters page.
- Set up your local scanner as desired based on the steps in the Kubernetes Local Scanner - Setup & Configuration page.
- Any clusters you've specified should be onboarded through the local scanner.
After finishing these steps, InsightCloudSec will automatically update the scanner entry from remote to local, so there is no need to remove the cluster first. InsightCloudSec uses the cluster ID to perform this automatic update, so failing to perform the steps above in order (in particular, installing the local scanner with a cluster ID that does not match the one shown in InsightCloudSec) will result in two entries for the same cluster in InsightCloudSec, one for each ID.
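The cluster ID check above is the step that decides whether a migrated cluster is updated in place or ends up duplicated. The following is an added pre-flight script, not InsightCloudSec's own code or API: it compares the cluster IDs you intend to configure for local scanner installations against a constructed stand-in for the Cloud > Kubernetes Clusters listing, and reports which entries will switch from remote to local, which IDs have no exact match and would therefore create a second entry, and which remote clusters remain uncovered. The JSON field names (`name`, `cluster_id`, `scanner`), the sample IDs and the assumption that InsightCloudSec matches on the exact ID string are all constructed for the example; the local scanner's configuration key for the cluster ID is not described on this page, so the IDs are simply listed inline.

```python
"""Pre-flight check for migrating managed clusters from the remote to the local scanner.

Added example (not InsightCloudSec code). It classifies the cluster IDs planned
for local scanner installs against the IDs InsightCloudSec already shows, so a
mismatch is caught before it produces a duplicate cluster entry.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-in for the Cloud > Kubernetes Clusters listing. The field
# names (name, cluster_id, scanner) are assumptions; the page states only that
# every cluster has a cluster ID and is scanned remotely or locally.
ICS_CLUSTERS_JSON = """
[
  {"name": "prod-eks", "cluster_id": "arn:aws:eks:us-east-1:111122223333:cluster/prod", "scanner": "remote"},
  {"name": "staging-gke", "cluster_id": "gke-staging-0123456789abcdef", "scanner": "remote"},
  {"name": "shared-aks", "cluster_id": "aks-shared-00000000-0000-0000-0000-000000000000", "scanner": "local"}
]
"""

# Constructed stand-in for the cluster IDs typed into each local scanner
# installation. The second one was deliberately pasted with the wrong case.
LOCAL_SCANNER_IDS = [
    "arn:aws:eks:us-east-1:111122223333:cluster/prod",
    "GKE-STAGING-0123456789ABCDEF",
    "aks-shared-00000000-0000-0000-0000-000000000000",
]


@dataclass
class MigrationPlan:
    will_update: List[str] = field(default_factory=list)        # remote -> local, same entry
    already_local: List[str] = field(default_factory=list)      # nothing changes
    will_duplicate: Dict[str, Optional[str]] = field(default_factory=dict)  # bad ID -> closest ICS ID
    remaining_remote: List[str] = field(default_factory=list)   # remote clusters left uncovered


def _normalise(cluster_id: str) -> str:
    """Loose form used only to hint which ICS entry a mismatched ID was meant to be."""
    return cluster_id.strip().lower()


def plan_migration(ics_clusters_json: str, local_ids: List[str]) -> MigrationPlan:
    """Classify each locally configured cluster ID against the InsightCloudSec inventory.

    Assumes InsightCloudSec matches on the exact cluster ID string, so anything
    that is not a byte-for-byte match is reported as a future duplicate entry.
    """
    clusters = json.loads(ics_clusters_json)
    by_id = {c["cluster_id"]: c for c in clusters}
    by_loose_id = {_normalise(c["cluster_id"]): c["cluster_id"] for c in clusters}
    plan = MigrationPlan()

    for cid in local_ids:
        entry = by_id.get(cid)
        if entry is None:
            # No exact match: record the near-miss (if any) so the operator can fix the ID.
            plan.will_duplicate[cid] = by_loose_id.get(_normalise(cid))
        elif entry["scanner"] == "local":
            plan.already_local.append(cid)
        else:
            plan.will_update.append(cid)

    covered = set(local_ids)
    plan.remaining_remote = [
        c["cluster_id"] for c in clusters
        if c["scanner"] == "remote" and c["cluster_id"] not in covered
    ]
    return plan


def is_safe(plan: MigrationPlan) -> bool:
    """True only when no configured ID would create a second entry for the same cluster."""
    return not plan.will_duplicate


def report(plan: MigrationPlan) -> str:
    """Human-readable summary of the plan, one line per cluster ID."""
    lines = []
    for cid in plan.will_update:
        lines.append(f"OK        {cid}: entry will switch from remote to local")
    for cid in plan.already_local:
        lines.append(f"NOOP      {cid}: already scanned locally")
    for cid, hint in plan.will_duplicate.items():
        suffix = f" (did you mean {hint}?)" if hint else ""
        lines.append(f"DUPLICATE {cid}: no exact match in InsightCloudSec{suffix}")
    for cid in plan.remaining_remote:
        lines.append(f"REMOTE    {cid}: stays on the remote scanner")
    return "\n".join(lines)


if __name__ == "__main__":
    plan = plan_migration(ICS_CLUSTERS_JSON, LOCAL_SCANNER_IDS)
    print(report(plan))
    raise SystemExit(0 if is_safe(plan) else 1)
```

Run it before installing any local scanner: a non-zero exit means at least one configured ID has no exact counterpart in InsightCloudSec and would be onboarded as a new, duplicate cluster rather than converting the existing remote entry. Replace the constructed listing with an export of your own Cloud > Kubernetes Clusters page and the ID list with the values you plan to configure.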