Enable and use Kubernetes Security Guardrails
Kubernetes Security Guardrails helps you harden your production environment by auditing Kubernetes clusters, nodes, and pod configurations. It evaluates your clusters against security best practices and internal guidelines, and provides actionable recommendations to reduce risk and improve compliance.
With Kubernetes Security Guardrails, you can:
- Scan multiple Kubernetes clusters for vulnerabilities and misconfigurations
- View a summary of your cluster’s security and compliance posture
- Review detailed findings with recommended remediation steps
- Baseline cluster profiles and monitor degradations over time
Enable Kubernetes Security Guardrails
To use Kubernetes Security Guardrails, you must first:
- Connect a cloud account with access to your Kubernetes clusters in Cloud Security (InsightCloudSec)
- Deploy a remote or local scanner for each cluster
- Schedule a scan for each cluster
Task 1: Onboard your cloud account
Before clusters can be discovered or scanned:
- Connect the cloud service provider (CSP) account (for example, AWS, Azure, or GCP) that hosts your Kubernetes clusters.
- Confirm that Cloud Security (InsightCloudSec) has the required permissions to access cluster metadata.
For detailed instructions, review Onboard a Cloud Account.
Additional permissions required for Remote Scanner
The Remote Scanner requires additional cloud permissions and configuration. Review Configuring Permissions for details.
Once your cloud account is connected, managed clusters that are reachable through CSP APIs are discovered by the remote scanner. Cluster resources are harvested and associated with the parent cloud account. Self-managed or restricted-access clusters require the local scanner. See Task 2 for details on deploying the correct scanner.
Task 2: Deploy a Kubernetes scanner
Cloud Security (InsightCloudSec) offers two scanners:
- Remote scanner: For managed clusters (for example, EKS, AKS, GKE) when Rapid7 has API and network access to the clusters
  - To get started, go to Deploy the Kubernetes remote scanner.
- Local scanner: For self-managed clusters, and for managed clusters that are not accessible to Rapid7 or where network or security policies restrict remote harvesting
  - To get started, go to Deploy the Kubernetes local scanner.
Use the following chart to determine which scanner supports your cluster type:
| Providers | Local Scanner | Remote Scanner |
|---|---|---|
| AWS (EKS) | Supported | Supported |
| AWS (EKS) GovCloud | Supported | Supported |
| AWS (EKS) China | Supported | Not Supported |
| GCP (GKE) | Supported | Supported |
| Azure (AKS) | Supported | Supported |
| Azure (AKS) GovCloud | Supported | Not Supported |
| Azure (AKS) China | Supported | Not Supported |
| Oracle Cloud Infrastructure (OCI) - OKE | Supported | Not Supported |
| Alibaba Cloud (ACK) | Supported | Not Supported |
| Red Hat OpenShift | Supported | Not Supported |
| Self-managed (All CSPs) | Supported | Not Supported |
Task 3: Enable scanning for your clusters
Cluster scans are disabled by default. After clusters are discovered:
- Go to Cloud > Kubernetes Clusters.
- Select the clusters you want to scan.
- Click Resume.
This enables the scan cycle. The scanner will harvest cluster configuration data and begin assessment on the next scheduled cycle or when manually triggered.
Use Kubernetes Security Guardrails
After scanning is enabled and data is harvested, you can review findings in Insights and Misconfigurations.
Explore Kubernetes Security Insights
Kubernetes Guardrails findings appear as Insights in Cloud Security (InsightCloudSec). Insights help you:
- Identify cluster misconfigurations
- Review compliance failures
- Prioritize remediation based on risk
For more information, visit Insights. Many Kubernetes Security Insights are included in the Kubernetes-related CIS Compliance Packs. You can also create custom Insight Packs to tailor compliance visibility to your organization’s requirements. Review Custom Packs for details.
Explore Kubernetes Misconfigurations
You can review Kubernetes-related configuration findings and remediation guidance on the Misconfigurations page. For more information, review Misconfigurations.
Troubleshooting and FAQs
Why can’t my remote scanner access my cluster?
The most common cause is missing cloud permissions: the remote scanner needs additional permissions beyond those required for basic account onboarding. Review Configuring Permissions for details.
It’s also possible that your cluster is not supported by the remote scanner. Review Task 2: Deploy a Kubernetes scanner for details. In this case, you can use the local scanner instead.
How can I migrate between scanners?
You can migrate clusters between scanners, but you cannot run both scanners on the same cluster simultaneously.
To migrate a local scanner to a remote scanner (managed clusters):
- Uninstall the local scanner.
- Delete the cluster from Cloud Security (InsightCloudSec). This removes harvested Kubernetes data and Insight findings, but data will be restored after another harvesting cycle and a remote scan.
- Deploy the remote scanner.
- Allow the remote scanner to rediscover the cluster.
- Resume scanning.
To migrate a remote scanner to a local scanner:
- Find the cluster ID on the Cloud > Kubernetes Clusters page.
- Deploy the local scanner. Ensure the local scanner configuration uses the same Cluster ID as the ID listed in Cloud Security (InsightCloudSec).
Rapid7 will automatically update the scanner type.
Why do I need to provide subjectaccessreviews permissions?
Certain Kubernetes Insights require create permissions for subjectaccessreviews, which are dedicated query objects used to check your Kubernetes pods’ permissions. If this permission is not granted, scans still complete, but the related Insight checks fail and no subjectaccessreviews are created in your cluster.
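As an added illustration (not the Rapid7 scanner's own manifests), the least-privilege RBAC grant the passage describes, followed by the kind of SubjectAccessReview query it enables; the role and binding names, the scanner service account, its namespace, and the subject being checked are all assumptions:

```yaml
# Added example, not part of the Rapid7 scanner manifests.
# Grant only the verb the Insight checks need: "create" on
# subjectaccessreviews in the authorization.k8s.io API group.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: scanner-subjectaccessreview   # name is an assumption
rules:
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: scanner-subjectaccessreview
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: scanner-subjectaccessreview
subjects:
  - kind: ServiceAccount
    name: k8s-scanner      # placeholder: the scanner's actual service account
    namespace: rapid7      # placeholder namespace
---
# The query the permission enables: "can the service account that a given
# pod runs as create pods in kube-system?" The API server answers in
# .status.allowed; SubjectAccessReview objects are evaluated, not stored.
apiVersion: authorization.k8s.io/v1
kind: SubjectAccessReview
spec:
  user: system:serviceaccount:default:app-sa   # constructed subject
  groups:
    - system:serviceaccounts
    - system:serviceaccounts:default
  resourceAttributes:
    namespace: kube-system
    verb: create
    resource: pods
```

Apply the ClusterRole and ClusterRoleBinding with `kubectl apply -f`; the SubjectAccessReview can be submitted with `kubectl create -f sar.yaml -o yaml` to read the `status.allowed` answer.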
Where can I view my pods’ labels?
Pod labels are ingested as resource tags.
To view resource tags:
- Go to Inventory > Resources.
- Click Containers > Pods.
- Find a Pod and click it to open resource properties.
- Click the Tags tab.