Kubernetes Integration

Feature availability notice

Rapid7 no longer offers Container Security for new InsightVM customers. This feature is available to eligible InsightVM users only. If interested in this feature, see our Cloud Risk Complete offering.

InsightVM now integrates with Kubernetes to extend your container security. With this integration, you’ll be able to see the clusters an image has been deployed to, as well as how many containers are running a specific image. You’ll increase your awareness of vulnerabilities potentially present in your containers so you can monitor and prioritize accordingly.

In this article, we’ll walk you through the steps to integrate Kubernetes with InsightVM.

Before You Begin

We support the following environments:

  • Self-hosted Kubernetes
  • Amazon Web Services - Elastic Kubernetes Services
  • Microsoft Azure Kubernetes Service
  • Google Kubernetes Engine

Confirm that your network can communicate with the Insight Platform by meeting these requirements.

Verify that you have permissions to do the following:

  1. Push images to your registry.
  2. Deploy images to your Kubernetes clusters.
  3. Configure your Kubernetes host.

Network requirements

You need to confirm that outbound connections are allowed for the following hostnames according to the region you selected.

Check your hostname

Outbound connections to the following region specific addresses on port 443 must be allowed for the Kubernetes Monitor to function. Also, verify the region you select is specific to your InsightVM deployment.

United States - 1us.api.endpoint.ingress.rapid7.comus.deployment.endpoint.ingress.rapid7.com
United States - 2us2.api.endpoint.ingress.rapid7.comus2.deployment.endpoint.ingress.rapid7.com
United States - 3us3.api.endpoint.ingress.rapid7.comus3.deployment.endpoint.ingress.rapid7.com

Insight Platform Administrator Rights

Before starting the integration, confirm that you have admin privileges for the Rapid7 Insight platform, not the Security Console.

Downloaded Agents

You must have at least one downloaded agent to enable the Kubernetes Monitor. If you don’t have a downloaded agent, you’ll need to download one, but installation is not required.

View your agents:

  1. Push the Rapid7 Kubernetes monitor to your registry or cluster.
  2. Go to the Insight Platform home.
  3. In the left nav menu, click Data Collection Management (electrical plug icon).
  4. Look at the Agents tab, where you’ll see a number in the parentheses. This number indicates the number of deployed agents.

If you do not have any downloaded agents, you’ll need to download one, but do not need to deploy it:

  1. In the Agents tab, click Add New ^.
  2. Select Agent from the menu dropdown.
  3. Select your OS system.
  4. In the Advanced tab, click Download agent.

Integrate Kubernetes with InsightVM

After confirmation that you meet the above requirements, do the following:

  1. Go to insight.rapid7.com and sign in with your Insight account email address and password.
  2. Click Data Collection Management (electric plug icon) in the left menu.
  3. Click the Kubernetes Monitor tab.
  4. Click Integrate to be guided through the integration process.

Do not edit the config file

Only the cluster name and namespace should be edited if required in the Kubernates config file because deleting or changing other configurations will affect the functionality of the Monitor.

Diagram of where to click for Steps 2 through 4

Kubernetes connection status is not displayed

The connection status is not displayed on the Kubernetes Monitor tab like it is for scan engines.

View the Health and Connection Metrics of the Kubernetes Monitor

After integration, you’ll be able to view more detailed information about the Kubernetes Monitor. Details include cluster name and ID, Kubernetes and Kubernetes Monitor versions, Kubernetes Monitor status, and the last time we successfully processed a beacon, which is sent every 60 seconds.

Health and Connection Metrics in the Kubernetes Monitor

You’ll also see monitor health and connection data, that show monitors:

  • Running in different clusters
  • As offline, which means they have not sent a beacon back in 1 hour

Offline monitors will be removed after 7 days

An offline monitor will result if a beacon is not sent back to the Kubernetes monitor.

This can be caused by an incorrectly configured token, which means that the monitor never started. Another cause is if a user deleted the monitor by removing the pod, cluster, or namespace.

Access the Kubernetes Containers Tab

After you’ve completed the Kubernetes integration process, you can view your Kubernetes details in InsightVM. To do so:

  1. Log into InsightVM.
  2. Click Container Security in the left navigation menu.
  3. Select the Kubernetes Containers tab to view its relevant information.

View the Kubernetes Containers Tab

The Kubernetes Containers tab shows data for only running containers

If you are running a container, that data will display until you exit it. Once you stop or delete a container, data will no longer be displayed. This tab only shows information on the containers currently running in your environment.

These containers are discovered only through the Kubernetes Monitor, not the scan engine.

  1. On the Kubernetes Containers tab, select the appropriate checkbox(es) to update the filter accordingly.

  2. In the table, you’ll see the following:

    • Name - Unique identifier for the container.
    • Risk Score - A calculated value based on a number of factors, such as base impact, likelihood of compromise, and maturity of threat exposure over time.
    • Vulnerability Instance - Denotes the number of vulnerability instances found on an image.
    • Repository - Where the container resides.
    • Age - Denotes the container’s age in days, hours, minutes, and seconds.
    • ID - Unique image identifier. If there are dashes (-) in the Risk Score, Vulnerability Instance, and ID columns, this indicates that the container is running an image that has not been assessed before.
    • Pods - Displays the name of the pod for that container.

Image Scanning

To scan an image on a specific registry, you must connect that registry so it can be scanned. There are 2 ways to do this:

View the Images Tab

  1. On the Images tab, select the appropriate checkbox(es) to update the filter results accordingly. In this case, check the box next to Kubernetes.
  2. In the resulting table, you’ll see a list of Kubernetes records where you can view more details.

View Images Details

  1. Click an image ID to see its details.

  2. In the dropdown menu, select 1 of the following options to view more details:

    • Packages
    • Layers
    • Vulnerabilities
    • Hosts - Indicates the actual machine the Docker image is running on.
    • Containers - Lists instantiated containers based on that image. Applies only to images in Kubernetes clusters.
    • Namespaces - Lists the namespaces for instantiated containers based on that image. Applies only to images in Kubernetes clusters.
    • Pods - Displays the name of the pod for that container.