Set up and Manage Cluster Accounts
InsightCloudSec currently supports the setup and harvesting of Kubernetes cluster details through two scanners: the local scanner and the remote scanner. The remote scanner supports harvesting of managed Kubernetes clusters to which InsightCloudSec has access (e.g., network access and permissions). The local scanner supports managed Kubernetes clusters that are not accessible to InsightCloudSec, as well as self-managed Kubernetes clusters.
This page provides information on setting up your cluster accounts as well as detail on viewing that information within InsightCloudSec once your Kubernetes clusters have been harvested.
Kubernetes Scanner Support
Detailed documentation for both the remote scanner and local scanner options is available; refer to the following individual pages:
Details on each Kubernetes provider can be found at the following pages:
InsightCloudSec currently supports adding a cluster from the following services/providers:
| Providers | Local Scanner | Remote Scanner |
| --- | --- | --- |
| AWS (EKS) GovCloud | Supported | Supported |
| AWS (EKS) China | Supported | Not Supported |
| Azure (AKS) GovCloud | Supported | Not Supported |
| Azure (AKS) China | Supported | Not Supported |
| Oracle Cloud Infrastructure (OCI) - OKE | Supported | Not Supported |
| Alibaba Cloud (ACK) | Supported | Not Supported |
| Self-managed (All CSPs) | Supported | Not Supported |
After validating or setting up the appropriate permissions, InsightCloudSec harvests the Kubernetes services via the cloud provider API and creates a matching cloud account for each Kubernetes cluster.
- Cluster access is generated using the account access credentials provided by the user.
- Cluster resources are harvested and associated with the parent cloud account that is created to model the Kubernetes service.
Setup For Managed Kubernetes Clusters
Before getting started, ensure that the Cloud Service Provider (CSP) accounts (e.g., AWS, Azure, GCP) where the target Kubernetes clusters reside have been successfully connected to InsightCloudSec. If you have not connected your CSP accounts, refer to Cloud Account Setup & Management for a summary and links to detailed steps for each individual CSP.
Once the desired CSP accounts are connected and InsightCloudSec has been upgraded to the latest version, the remote scanner automatically adds every cluster it has the access and permissions to harvest. Each scanned cluster is added to InsightCloudSec as an individual Kubernetes cluster.
Assessment is disabled by default: each added cluster is created in a Paused state, so you must enable scanning for every cluster you want assessed.
Enable Scanning for Managed Clusters
After onboarding Managed Kubernetes clusters using the Remote Scanner, you must enable your clusters for scanning.
- Go to Cloud > Kubernetes Clusters to view the list of successfully onboarded clusters.
- Check the box next to the name for any clusters for which you want to enable scanning.
- To enable a scan cycle, click the Play button from the top menu options.
Setup for Self-Managed Kubernetes Clusters
Self-managed clusters are not visible to InsightCloudSec through the remote scanner. Self-managed clusters, when configured to provide access to each specific cluster, will be harvested and assessed automatically through the local scanner after they are successfully onboarded to InsightCloudSec.
After successful onboarding, the local scanner allows you to identify cluster coverage through the Clouds page.
Refer to the detailed documentation on the Kubernetes Local Scanner to enable support for self-managed clusters.
Setup General Troubleshooting
What if the Remote Scanner was not able to access my cluster(s)?
If the remote scanner cannot access one of your clusters, you have two options:
- Update the cloud account/cluster settings to allow the remote scanner access to harvest the cluster details.
- If you cannot grant the remote scanner access to the cluster, install the local scanner on it instead.
What happens if I'm using the local scanner (for managed clusters) and I want to switch to the remote scanner?
Is there any way to determine if a cluster that is currently supported by the local scanner can be supported by the remote scanner?
Viewing and managing clusters
After connecting your CSPs and upgrading, go to Cloud > Kubernetes Clusters to view details around the successfully harvested clusters (managed or self-managed).
| Column | Description |
| --- | --- |
| Status | The available statuses for clusters are: |
| Actions | Selecting the checkbox next to an individual cluster/cloud account enables the play, pause, and delete options for each selected account (these are also available under the Actions column). Multi-select is available for the items displayed on the page, but if any single selected cluster cannot be modified, the corresponding button is greyed out. |
| Related Resources | For remote clusters only: click the cluster name to open the Related Resources graph. From this graph you can view details about the cluster as well as all resources associated with it. You can also open this graph from supported Kubernetes resources on the Resources page. Note: K8S Secrets, Config Maps, and Persistent Volumes are not currently supported. Review Related Resources for more information. |
Migrating from a Local Scanner to a Remote Scanner (Managed Clusters)
If a managed cluster has already been scanned via the local scanner, it will continue to operate via the local scanner. You can migrate it to the remote scanner by taking the following steps:
- Uninstall the local scanner from the designated cluster using the `helm uninstall <Release Name>` command. For example, assuming Guardrails was installed with `k8s-guardrails` as the release name and `rapid7` as the namespace, run:
  `helm uninstall k8s-guardrails -n rapid7`
- Delete the associated Kubernetes cloud account from InsightCloudSec. Deleting the cloud account will cause loss of the Kubernetes data that was harvested and the respective Insights. Data will be restored via a fresh harvesting and assessment using the remote scanner.
- When the remote scanner runs it will detect the cluster and create a new Kubernetes cluster in InsightCloudSec. Note that new clusters are created in a Paused state.
- Select the new cluster and click "Resume" to start the assessment.
- The remote scanner will execute harvesting and assessment on the next harvesting cycle or upon manual harvesting trigger.
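As an added example (not part of the InsightCloudSec documentation), the following POSIX shell wrapper performs the uninstall step of the migration above with the checks an operator would want: it confirms the Helm release actually exists in the namespace before removing it, and waits for the scanner pods to terminate before you go on to delete the cloud account. It assumes `helm` and `kubectl` are on PATH and the current kubectl context points at the cluster, and defaults to the `k8s-guardrails` release and `rapid7` namespace used in the page's example.

```shell
#!/bin/sh
# Added example, not from the InsightCloudSec docs: local-to-remote migration step 1.
# Assumes helm and kubectl are on PATH and the context points at the target cluster.

# Return 0 if the Helm release exists in the namespace, 1 otherwise.
release_exists() {
    rel="$1"; ns="$2"
    helm list -n "$ns" -q 2>/dev/null | grep -qx "$rel"
}

# Uninstall the local scanner release. Refuses to run if the release is not
# found, so a typo in the release name or namespace cannot silently "succeed"
# and leave the local scanner running against the account you are about to delete.
uninstall_local_scanner() {
    rel="${1:-k8s-guardrails}"      # release name from the page's example
    ns="${2:-rapid7}"               # namespace from the page's example
    if ! release_exists "$rel" "$ns"; then
        echo "release '$rel' not found in namespace '$ns'; nothing to uninstall" >&2
        return 1
    fi
    helm uninstall "$rel" -n "$ns" || return 1
    # Wait up to ~60s for the scanner pods to terminate before the cloud account
    # is deleted in InsightCloudSec, so the local scanner cannot keep reporting.
    i=0
    while [ "$i" -lt 12 ]; do
        left=$(kubectl get pods -n "$ns" --no-headers 2>/dev/null | wc -l | tr -d ' ')
        [ "$left" -eq 0 ] && return 0
        i=$((i + 1)); sleep 5
    done
    echo "pods still present in namespace '$ns' after uninstall: $left" >&2
    return 2
}
```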
Migrating from a Remote Scanner to a Local Scanner
For a managed cluster that was onboarded through the remote scanner, refer to the details below on migrating from the remote scanner to a local scanner.
- Validate that the cluster ID configured for the local scanner installation is identical to the cluster ID in InsightCloudSec for any clusters you want to migrate.
- For existing clusters, view the cluster ID on the Cloud > Kubernetes Clusters page.
- Set up your local scanner as desired based on the steps in the Kubernetes Local Scanner - Setup & Configuration page.
- Any clusters you've specified should be onboarded through the local scanner.
After finishing these steps, InsightCloudSec automatically updates the scanner entry from remote to local, so there is no need to remove the cluster first. InsightCloudSec uses the cluster ID to perform this automatic update, so failing to perform the steps above in order will result in two entries for the same cluster in InsightCloudSec (one for each ID).
If you delete a cluster outside of InsightCloudSec, the deletion is detected in the next harvesting cycle, or via the corresponding event if EDH (Event Driven Harvesting) is in use. The following then occurs:
- The cluster will be marked as deleted
- The Kubernetes entities related to this cluster are marked as deleted
- The account associated with the cluster will not be deleted from the UI and the harvesting state will be set to suspended
Deleting a cluster from the UI does not actually delete the account.
Remove a deleted cluster
- Go to Clouds > Kubernetes Cluster, and select the account you want to remove.
- Click the Delete icon.
For additional details related to InsightCloudSec's support of Kubernetes check out the following pages:
- Kubernetes Scanners - Overview for a summary of the scanner options we support and links to detailed pages for both the local and remote scanning options.
- Kubernetes Security Guardrails Overview page for details on this feature and our support for hardening your production environment for Kubernetes clusters, nodes, and pods.
- Container Image Vulnerability Assessment for details on this feature, which is designed to continuously analyze the container images in your production environment for software vulnerabilities.