Kubernetes Scanners

Scanners Overview

InsightCloudSec supports Kubernetes clusters through two types of scanning options: a local scanner and a remote scanner. In some scenarios, a customer may choose to employ both solutions to cover both managed and unmanaged clusters.

| Item/Process | Remote Scanner | Local Scanner |
|---|---|---|
| Installation Requirements | Network access from InsightCloudSec to the Cluster API Server Endpoint; permission to access the API server | Network access from the cluster to the InsightCloudSec endpoint for sending data |
| Installation Process | None required (feature built-in to InsightCloudSec) | User needs to install a Cron Job in the cluster |
| Enable/Disable Scanning | Available via InsightCloudSec UI | User can install/uninstall scanner |
| Error/State Reporting | Detailed Error and State Reporting | Limited |
| Data Retrieved | Workloads, Tasks (e.g., Cluster details) | Workloads, Tasks (e.g., Cluster details) |

Local Scanner

The local scanner supports managed Kubernetes clusters not accessible to InsightCloudSec and any self-managed Kubernetes clusters. When configured to provide access to each specific cluster, self-managed clusters will be harvested and assessed automatically through the local scanner after they are successfully onboarded to InsightCloudSec. After successful onboarding, the local scanner allows you to identify cluster coverage through the Clouds page.

Remote Scanner

InsightCloudSec’s new Kubernetes Remote Scanner expands our existing Kubernetes capabilities with an agent-less approach that simplifies the harvesting of Kubernetes entities across different clusters running in different cloud accounts. This solution currently only works with managed clusters.

See the Kubernetes Remote Scanner documentation for details on enabling the remote scanner.

Scanner Support

Detailed documentation for both the remote scanner and local scanner options is available.

InsightCloudSec currently supports adding a cluster from the following services/providers:

| Provider | Local Scanner | Remote Scanner |
|---|---|---|
| AWS (EKS) | Supported | Supported |
| AWS (EKS) GovCloud | Supported | Supported |
| AWS (EKS) China | Supported | Not Supported |
| GCP (GKE) | Supported | Supported |
| Azure (AKS) | Supported | Supported |
| Azure (AKS) GovCloud | Supported | Not Supported |
| Azure (AKS) China | Supported | Not Supported |
| Oracle Cloud Infrastructure (OCI) - OKE | Supported | Not Supported |
| Alibaba Cloud (ACK) | Supported | Not Supported |
| Red Hat OpenShift | Supported | Not Supported |
| Self-managed (All CSPs) | Supported | Not Supported |

Details on each Kubernetes provider and information around Kubernetes support through any of the specific CSPs can be found at the following pages. Contact us through the Customer Support Portal with any questions.

Frequently Asked Questions (FAQ) / Troubleshooting

Can I use the Remote Scanner and Local Scanner together?

Both solutions can be used at the same time but not on the same cluster.

Can I use the Remote Scanner with unmanaged clusters?

Currently, no. The Remote Scanner can only be used with managed clusters, e.g., AWS EKS, GCP GKE, etc.

Missing "create" permissions for "subjectaccessreviews"?

InsightCloudSec uses Privileged Kubernetes API Server Access Insights to check your pods' permissions. These Insights require explicit create permissions to create a dedicated query object called a subjectaccessreview. A create permission for subjectaccessreview does not allow creation of a "real" resource in your cluster that can consume CPU, storage, etc.; it is just a temporary object that allows reading of the pods' permissions.

If you do not want to grant the permissions to InsightCloudSec, you will not lose any functionality but you will continue to receive this error and the Insight checks will fail. Unless other errors are displayed, the scan has still completed successfully. Review the Kubernetes Local Scanner and Kubernetes Remote Scanner pages (depending on which scanner(s) you use) for details on granting this permission.
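As an added illustration (not taken from the InsightCloudSec documentation or its installers), the following manifests show a least-privilege RBAC rule that grants only the create verb on SubjectAccessReview, and the kind of non-persisted query object that permission enables. The ClusterRole name, the scanner's service account name and namespace, and the pod service account being queried are assumptions.

```yaml
# Added example, not part of the product documentation. Grants exactly the
# permission the Insight needs: "create" on subjectaccessreviews, nothing more.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: insightcloudsec-subjectaccessreview   # assumed name
rules:
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]   # no get/list/watch: a SubjectAccessReview is never persisted
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: insightcloudsec-subjectaccessreview   # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: insightcloudsec-subjectaccessreview
subjects:
  - kind: ServiceAccount
    name: insightcloudsec-scanner     # assumed: the scanner's service account
    namespace: insightcloudsec        # assumed namespace
---
# The kind of query object the permission allows. The API server answers in
# .status.allowed and stores nothing; the subject and action below are assumed
# values chosen to show how a pod's service account permissions can be read.
apiVersion: authorization.k8s.io/v1
kind: SubjectAccessReview
spec:
  user: system:serviceaccount:default:app-sa   # assumed pod service account
  groups: ["system:serviceaccounts", "system:serviceaccounts:default"]
  resourceAttributes:
    group: ""
    resource: "secrets"
    verb: "list"
    namespace: "default"
```

To confirm the binding took effect before re-running the scan, `kubectl auth can-i create subjectaccessreviews.authorization.k8s.io --as=system:serviceaccount:insightcloudsec:insightcloudsec-scanner` should print `yes`.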

Where can I view my Pods' labels?

Pod labels are harvested in InsightCloudSec as Tags, which are available from the Inventory.

To access your Pod labels:

  1. After successfully scanning your cluster(s), navigate to Inventory > Resources in InsightCloudSec.
  2. Click the Containers tab.
  3. Click Pods.
  4. Navigate to the desired pod then click the Open Resource Properties icon next to its entry.
  5. Click the Tags tab. Your Pod labels will be displayed.