Kubernetes Scanners
Scanners Overview
InsightCloudSec supports Kubernetes clusters through two scanning options: a local scanner and a remote scanner. In some scenarios, a customer may choose to employ both solutions to cover both managed and unmanaged clusters.
Item/Process | Remote Scanner | Local Scanner |
---|---|---|
Installation Requirements | Network access from InsightCloudSec to the Cluster API Server Endpoint; permission to access the API server | Network access from the cluster to the InsightCloudSec endpoint for sending data |
Installation Process | None required (feature built-in to InsightCloudSec) | User needs to install a Cron Job in the cluster |
Enable/Disable Scanning | Available via InsightCloudSec UI | User can install/uninstall scanner |
Error/State Reporting | Detailed Error and State Reporting | Limited |
Data Retrieved | Workloads, Tasks (e.g., Cluster details) | Workloads, Tasks (e.g., Cluster details) |
Local Scanner
The local scanner supports managed Kubernetes clusters not accessible to InsightCloudSec and any self-managed Kubernetes clusters. When configured to provide access to each specific cluster, self-managed clusters will be harvested and assessed automatically through the local scanner after they are successfully onboarded to InsightCloudSec. After successful onboarding, the local scanner allows you to identify cluster coverage through the Clouds page.
- Check out the Clusters Account Setup & Management page for general details on onboarding your clusters.
- Check out our detailed Kubernetes Local Scanner documentation for enabling the local scanner.
Remote Scanner
InsightCloudSec’s new Kubernetes Remote Scanner expands our existing Kubernetes capabilities with an agentless approach that improves usability and simplifies harvesting Kubernetes entities from different Kubernetes clusters running across different cloud accounts. This solution currently works only with managed clusters.
Check out our detailed Kubernetes Remote Scanner documentation for enabling the remote scanner.
Scanner Support
Detailed documentation is available for both the remote scanner and local scanner options.
InsightCloudSec currently supports adding a cluster from the following services/providers:
Providers | Local Scanner | Remote Scanner |
---|---|---|
AWS (EKS) | Supported | Supported |
AWS (EKS) GovCloud | Supported | Supported |
AWS (EKS) China | Supported | Not Supported |
GCP (GKE) | Supported | Supported |
Azure (AKS) | Supported | Supported |
Azure (AKS) GovCloud | Supported | Not Supported |
Azure (AKS) China | Supported | Not Supported |
Oracle Cloud Infrastructure (OCI) - OKE | Supported | Not Supported |
Alibaba Cloud (ACK) | Supported | Not Supported |
Red Hat OpenShift | Supported | Not Supported |
Self-managed (All CSPs) | Supported | Not Supported |
Details on each Kubernetes provider and information around Kubernetes support through any of the specific CSPs can be found at the following pages. Contact us through the Customer Support Portal with any questions.
Frequently Asked Questions (FAQ)
Can I use the Remote Scanner and Local Scanner together?
Both solutions can be used at the same time but not on the same cluster.
Can I use the Remote Scanner with unmanaged clusters?
Currently, no. The Remote Scanner can only be used with managed clusters, e.g., AWS EKS, GCP GKE, etc.