View Clusters and Details

The Kubernetes Clusters section of InsightCloudSec provides visibility into all of the Kubernetes Clusters connected to InsightCloudSec. From this page, you can monitor the visibility of your clusters, review resources and badges associated with clusters, and force a scan for a cluster. The Kubernetes Clusters page is divided into two tabs:

  • Listing - This tab lists all clusters that are connected to InsightCloudSec
  • Admission Controller - This tab lists the Admission Controllers in your clusters discovered by InsightCloudSec

Listing

After connecting your clouds and clusters, navigate to Cloud > Kubernetes Clusters > Listing to view the details of the successfully harvested clusters.

The Listing tab shows the following for each cluster:

Status - The available statuses for clusters are:
  • OK - Successfully harvested and enabled for scanning
  • Paused - Successfully harvested, not enabled for scanning
  • Unauthorized - Issues with harvesting or scanning, generally the result of access issues (permissions, token authorization, and others)
  • Failed - Issues with harvesting or scanning, generally the result of connectivity issues

Actions - Select the checkbox next to an individual cluster or cloud account to enable the resume, pause, and delete options for each account selected (Resume and Force Scan are available in the Actions menu). Deleting a cluster in the interface only superficially removes the cluster from InsightCloudSec. See Deleting clusters for more information.

Related Resources (remote clusters only) - Click the cluster name to open the Related Resources graph. From this graph, you can view details about the cluster as well as all resources associated with the cluster. You can also access this graph from supported Kubernetes resources on the Resources page.

Kubernetes Secrets, Configuration Maps, and Persistent Volumes are not currently supported. Review Related Resources for more information.

Deleting clusters

If you delete a cluster outside of InsightCloudSec, InsightCloudSec detects the deletion during the next harvesting cycle (or from the corresponding event, if EDH is used). The following then occurs:

  • The cluster will be marked as deleted.
  • The Kubernetes entities related to this cluster will be marked as deleted.
  • The account associated with the cluster will not be deleted from the interface and the harvesting state will be set to Suspended.

Admission Controller

Once a cluster has been harvested, InsightCloudSec can detect which Admission Controllers are available on the cluster. Currently, InsightCloudSec only supports monitoring and managing Gatekeeper Constraints.

Gatekeeper Constraints

Gatekeeper Constraints describe and enforce policies for your Kubernetes Clusters. ConstraintTemplates provide a strict structure that Constraints must adhere to. InsightCloudSec harvests these Constraints and ConstraintTemplates as resources (found in your Inventory).

From the Gatekeeper Constraints page, you can manage a list of pre-defined Constraints and download ConstraintTemplates. You can quickly see which Constraints have been deployed by looking at the Active column. Constraints created by Rapid7 are marked as such in the Owner column. We've also marked the most critical Constraints with a Recommended badge (in the Recommended column). Rapid7 Constraints cannot be deleted. Outside of InsightCloudSec, deploy the downloaded ConstraintTemplates file to your Kubernetes Clusters.

Deprecated pod security policy

Admission Controller Constraints related to pod security policy implement the deprecated functionality of native Kubernetes pod security policy.

To interact with the page:

  • Click a Constraint Name to open the Constraint Details panel. From this panel, you can review the Parameters and Matches for the Constraint as well as duplicate or delete it.

    • If the Constraint is Custom, you can edit the alias, description, effect, Parameters, and Matches as necessary.

    Constraint Names must be unique

    Constraint Names cannot be changed in InsightCloudSec because they must be unique inside each cluster they appear in. This means these Constraints are fully managed by InsightCloudSec. If needed, you can modify the Constraint Name on the cluster itself or in the downloaded YAML file. If you change the Constraint Name, InsightCloudSec will still be able to identify the Constraint by its properties, effect, match, and the template deployed alongside it on the cluster.

  • Click the ellipsis (...) in the Action column to duplicate or delete the relevant Constraint.

Downloading and Deploying

After updating the Constraints as necessary, you can download one or more of them and deploy them to the desired Clusters. Any Constraint Alias is added to the YAML file as an annotation (r7.alias). If you already have Constraints deployed in your cluster, you must verify that the Constraint Names provided by InsightCloudSec do not conflict with your existing Constraints.

Deploying Constraints

Constraints can restrict access to resources and prevent actions. Never deploy a constraint without ensuring it is safe.

To deploy the Constraints:

  1. Log in to InsightCloudSec.

  2. Navigate to Cloud > Kubernetes Clusters > Admission Controller.

  3. Select one or more Constraints.

  4. Click Download YAML for Deployment.

  5. Extract the directory from the zipped file.

  6. Upload the directory to the desired Clusters.

  7. Access the Clusters from the command line and run the following command to install the templates:

     ```bash
     kubectl apply -f "r7/templates/*.yaml"
     ```

  8. Once you have confirmed that the templates are installed correctly (the templates must be in place before the constraints), run the following command to install the constraints:

     ```bash
     kubectl apply -f "r7/constraints/*.yaml"
     ```
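The check below is an added example (not part of InsightCloudSec or the downloaded bundle) that ties together the ConstraintTemplate/Constraint relationship described under Gatekeeper Constraints and the two cautions in this section: templates must be installed before constraints, and Constraint Names must not conflict with Constraints already in the cluster. It assumes the r7/templates and r7/constraints layout of the downloaded zip; the sample YAML files and the existing-constraint name list are constructed here and stand in for the cluster's real list (for example from kubectl get constraints).

```bash
#!/bin/sh
# Pre-flight for the r7/ bundle: every Constraint kind in r7/constraints/ needs
# its ConstraintTemplate in r7/templates/, and no Constraint name may collide
# with one already in the cluster. Sample YAML below is constructed.
make_samples() {  # write constructed sample files under "$1"
  mkdir -p "$1/r7/templates" "$1/r7/constraints"
  cat >"$1/r7/templates/k8spspprivilegedcontainer.yaml" <<'EOF'
kind: ConstraintTemplate
metadata:
  name: k8spspprivilegedcontainer
spec:
  crd:
    spec:
      names:
        kind: K8sPSPPrivilegedContainer
EOF
  cat >"$1/r7/constraints/psp-privileged-container.yaml" <<'EOF'
kind: K8sPSPPrivilegedContainer
metadata:
  name: psp-privileged-container
  annotations:
    r7.alias: "No privileged containers"
EOF
  cat >"$1/r7/constraints/psp-host-namespace.yaml" <<'EOF'
kind: K8sPSPHostNamespace
metadata:
  name: psp-host-namespace
EOF
}
# preflight TEMPLATES_DIR CONSTRAINTS_DIR EXISTING_NAMES  (names newline-separated)
preflight() {
  rc=0
  for f in "$2"/*.yaml; do
    kind=$(awk '$1=="kind:"{print $2; exit}' "$f")
    name=$(awk '/^metadata:/{m=1} m && $1=="name:"{print $2; exit}' "$f")
    # a ConstraintTemplate declares the Constraint kind indented under spec.crd.spec.names
    grep -Eq "^[[:space:]]+kind:[[:space:]]*$kind[[:space:]]*$" "$1"/*.yaml ||
      { echo "BLOCK: no ConstraintTemplate for kind $kind ($f)"; rc=1; }
    printf '%s\n' "$3" | grep -qx "$name" &&
      { echo "BLOCK: Constraint name '$name' already exists in the cluster"; rc=1; }
  done
  return $rc
}
dir=$(mktemp -d); make_samples "$dir"
# constructed stand-in for the names already present in the cluster
if preflight "$dir/r7/templates" "$dir/r7/constraints" "psp-host-namespace"; then
  echo "safe to run: kubectl apply -f \"$dir/r7/constraints/*.yaml\""
fi
```

With the constructed samples the check blocks twice (a Constraint whose template is missing, and a name that already exists); once both are resolved it reports that step 8 is safe to run.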