Kubernetes Scanners
Scanners Overview
The InsightCloudSec Kubernetes Cluster support is provided by two types of scanning options: a local scanner and a remote scanner. In some scenarios, a customer may choose to employ both solutions for coverage of both managed and unmanaged clusters.
Item/Process | Remote Scanner | Local Scanner |
---|---|---|
Installation Requirements | Network access from InsightCloudSec to the Cluster API Server Endpoint; permission to access the API server | Network access from the cluster to the InsightCloudSec endpoint for sending data |
Installation Process | None required (feature built-in to InsightCloudSec) | User needs to install a Cron Job in the cluster |
Enable/Disable Scanning | Available via InsightCloudSec UI | User can install/uninstall scanner |
Error/State Reporting | Detailed Error and State Reporting | Limited |
Data Retrieved | Workloads, Tasks (e.g., Cluster details) | Workloads, Tasks (e.g., Cluster details) |
Local Scanner
The local scanner supports managed Kubernetes clusters not accessible to InsightCloudSec and any self-managed Kubernetes clusters. When configured to provide access to each specific cluster, self-managed clusters will be harvested and assessed automatically through the local scanner after they are successfully onboarded to InsightCloudSec. After successful onboarding, the local scanner allows you to identify cluster coverage through the Clouds page.
- Check out the Clusters Account Setup & Management for general details around onboarding your clusters.
- Check out our detailed Kubernetes Local Scanner documentation details for enabling the local scanner.
Remote Scanner
InsightCloudSec’s new Kubernetes Remote Scanner expands our existing Kubernetes capabilities with an agent-less approach: it harvests Kubernetes entities from clusters running across different cloud accounts without installing anything in the cluster, which simplifies setup and operation. This solution currently only works with managed clusters.
Check out our detailed Kubernetes Remote Scanner documentation details for enabling the remote scanner.
Scanner Support
Detailed documentation for both the remote scanner and local scanner options is available.
InsightCloudSec currently supports adding a cluster from the following services/providers:
Providers | Local Scanner | Remote Scanner |
---|---|---|
AWS (EKS) | Supported | Supported |
AWS (EKS) GovCloud | Supported | Supported |
AWS (EKS) China | Supported | Not Supported |
GCP (GKE) | Supported | Supported |
Azure (AKS) | Supported | Supported |
Azure (AKS) GovCloud | Supported | Not Supported |
Azure (AKS) China | Supported | Not Supported |
Oracle Cloud Infrastructure (OCI) - OKE | Supported | Not Supported |
Alibaba Cloud (ACK) | Supported | Not Supported |
Red Hat OpenShift | Supported | Not Supported |
Self-managed (All CSPs) | Supported | Not Supported |
Details on each Kubernetes provider and information around Kubernetes support through any of the specific CSPs can be found at the following pages. Contact us through the Customer Support Portal with any questions.
Frequently Asked Questions (FAQ) / Troubleshooting
Can I use the Remote Scanner and Local Scanner together?
Both solutions can be used at the same time but not on the same cluster.
Can I use the Remote Scanner with unmanaged clusters?
Currently, no. The Remote Scanner can only be used with managed clusters, e.g., AWS EKS, GCP GKE, etc.
Missing "create" permissions for "subjectaccessreviews"?
InsightCloudSec uses Privileged Kubernetes API Server Access Insights to check your pods' permissions. These Insights require explicit create permissions in order to create a dedicated query object called a subjectaccessreview. A create permission for subjectaccessreview does not allow creation of a "real" resource in your cluster that can consume CPU, storage, etc.; it is just a temporary object that allows reading of the pods' permissions.
If you do not want to grant the permissions to InsightCloudSec, you will not lose any functionality but you will continue to receive this error and the Insight checks will fail. Unless other errors are displayed, the scan has still completed successfully. Review the Kubernetes Local Scanner and Kubernetes Remote Scanner pages (depending on which scanner(s) you use) for details on granting this permission.
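The following is an added example, not a manifest shipped by InsightCloudSec, showing what a least-privilege grant for this check looks like and what kind of query object the Insight creates with it. The service account name, namespace and the pod service account being reviewed are placeholders; the scanner documentation pages named above give the exact identity your scanner uses.

```yaml
# Added example (not InsightCloudSec's own manifests): a ClusterRole that grants
# only the "create" verb on subjectaccessreviews, bound to the scanner's service
# account. Names and namespaces below are placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: scanner-subjectaccessreview   # placeholder name
rules:
  # subjectaccessreviews belong to the authorization.k8s.io API group and are
  # never persisted: the API server answers the query and discards the object,
  # so "create" here cannot be used to create workloads, volumes or any other
  # resource that consumes cluster capacity.
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: scanner-subjectaccessreview   # placeholder name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: scanner-subjectaccessreview
subjects:
  - kind: ServiceAccount
    name: k8s-scanner      # placeholder: the scanner's service account
    namespace: scanner     # placeholder: the namespace it runs in
---
# The kind of query object the Insight then submits: "may the service account
# used by this pod delete pods cluster-wide?" The API server fills in
# status.allowed in its response; nothing is written to etcd.
apiVersion: authorization.k8s.io/v1
kind: SubjectAccessReview
spec:
  user: system:serviceaccount:default:app-sa   # placeholder: a pod's service account
  groups: ["system:serviceaccounts", "system:serviceaccounts:default"]
  resourceAttributes:
    verb: delete
    resource: pods      # no namespace set, so the question is asked cluster-wide
```

To confirm the binding took effect before re-running the scan, `kubectl auth can-i create subjectaccessreviews.authorization.k8s.io --as=system:serviceaccount:scanner:k8s-scanner` (with your real namespace and service account) should answer `yes`.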
Where can I view my Pods' labels?
Pod labels are harvested in InsightCloudSec as Tags, which are available from the Inventory.
To access your Pod labels:
- After successfully scanning your cluster(s), navigate to Inventory > Resources in InsightCloudSec.
- Click the Containers tab.
- Click Pods.
- Navigate to the desired pod then click the Open Resource Properties icon next to its entry.
- Click the Tags tab. Your Pod labels will be displayed.