
Continuously Scan Kubernetes with the Mondoo Kubernetes Operator

This guide covers how you can continuously assess the security configuration of your Kubernetes cluster, nodes, and deployments with Mondoo.

The Mondoo Kubernetes Operator runs in your Kubernetes environment to continuously scan your infrastructure. Because it runs inside your cluster, it can detect security issues and vulnerabilities as they appear, rather than relying on periodic external scans.

The operator can:

  • Continuously scan nodes to assess security and identify vulnerabilities

  • Continuously scan the cluster to assess security and identify vulnerabilities

  • Scan new nodes as they come online

The Mondoo Kubernetes Operator also includes an admission controller that scans each workload before the API server admits it to your cluster. This lets you catch misconfigurations and security issues before workloads start running, rather than discovering them later.

The admission controller scans these workload types whenever they're created or updated:

  • Pods
  • Deployments
  • DaemonSets
  • StatefulSets
  • Jobs
  • CronJobs

When a workload depends on another workload (such as a Deployment that creates pods), the admission controller scans only the owner workload—the definition where you can fix issues permanently. To learn more, read the Kubernetes documentation.

Add a Mondoo Kubernetes integration


  1. Access the Integrations > Add > Kubernetes page in one of two ways:

    • New space setup: After creating a new Mondoo account or creating a new space, the initial setup guide welcomes you. Select BROWSE INTEGRATIONS and then select Kubernetes.

    • INTEGRATIONS page: In the side navigation bar, under INTEGRATIONS, select Add New Integration. Under Cloud Security, select Kubernetes.

  2. Type a name for the integration to identify it in lists and distinguish it from other integrations in your space. You can't change the name after you leave this page.

  3. To continuously assess the security posture of nodes in your Kubernetes cluster, enable Scan nodes.

    Choose how to scan cluster nodes:

    • We strongly recommend that you leave CronJob-based selected. It suits most infrastructures: a CronJob runs the scans on a schedule without permanently allocating resources for Mondoo on cluster nodes.

    • If your nodes regularly run near 100% resource utilization, the scheduler may have no room to start the CronJob pod, and Mondoo node scans fail. If you see consistently failing node scans, select DaemonSet-based scanning instead. A DaemonSet reserves resources for Mondoo on each cluster node, so scans continue even during high-traffic periods.

  4. To continuously assess the security posture of workloads and resources in your cluster, enable Scan workloads.

  5. To scan container images, enable Scan workload images.

  6. To control which namespaces Mondoo scans, enable Filter namespaces and list the namespaces to which you want to allow or deny access.

    You control which namespaces to scan using either the Allow list or the Deny list boxes. To scan only the namespaces you specify, type them in the Allow list box. To scan all namespaces except the ones you specify, type the namespaces to skip in the Deny list box. If you list multiple namespaces, separate them with line breaks.

    By default, the mondoo-operator namespace is in the Deny list box because there's no need to scan Mondoo Operator workloads. However, if you prefer to include the Mondoo Operator in your scans, you can remove it from the Deny list box.

  7. To assess the security of every change applied to your Kubernetes cluster and display the results in the CI/CD view, enable Scan incoming deployments and choose how the Mondoo admission controller's webhook TLS certificates are provisioned: CertManager (cert-manager must already be installed in the cluster) or OpenShift (the OpenShift service CA issues the certificate).

  8. Select the CREATE KUBERNETES INTEGRATION button.

Mondoo scans workloads according to the policies enabled in your space.
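The integration form above is rendered by the operator as a MondooAuditConfig custom resource that it reconciles in the cluster. The manifest below is an added example written for this page, not a file from the Mondoo project or from the integration download; it mirrors the choices made in steps 3 through 7 (CronJob-based node scanning, workload and image scanning, a namespace deny list, and the admission controller with cert-manager). The resource kind, API version and field names are what the operator's v1alpha2 CRD is assumed to expose and should be checked with `kubectl explain mondooauditconfig.spec` against the version you install; the resource name, the credentials Secret name and the `admission.mode` setting are placeholders and assumptions.

```yaml
# Added example, not from the page or the Mondoo project. Field names are
# assumed from the operator's v1alpha2 CRD; verify with:
#   kubectl explain mondooauditconfig.spec
apiVersion: k8s.mondoo.com/v1alpha2
kind: MondooAuditConfig
metadata:
  name: mondoo-client          # placeholder name
  namespace: mondoo-operator   # namespace the operator runs in
spec:
  # Service account credentials from the integration page, stored as a
  # Secret in the same namespace (placeholder Secret name).
  mondooCredsSecretRef:
    name: mondoo-client

  # Step 3: node scanning. "cronjob" runs scheduled scans without reserving
  # node resources; use "daemonset" only if CronJob scans keep failing on
  # saturated nodes.
  nodes:
    enable: true
    style: cronjob

  # Step 4: scan cluster workloads and other Kubernetes resources.
  kubernetesResources:
    enable: true

  # Step 5: scan the container images referenced by workloads.
  containers:
    enable: true

  # Step 6: namespace filter. An empty include list means all namespaces;
  # exclude is the deny list. The operator's own namespace is skipped, as
  # in the UI default.
  filtering:
    namespaces:
      include: []
      exclude:
        - mondoo-operator

  # Step 7: admission controller. cert-manager must already be installed;
  # on OpenShift set mode: openshift to have the service CA issue the cert.
  # "permissive" is assumed to be the default: results are reported, and
  # failing workloads are not rejected.
  admission:
    enable: true
    mode: permissive
    certificateProvisioning:
      mode: cert-manager
```

After applying the manifest with `kubectl apply -f`, confirm that the operator created what the configuration asks for: `kubectl -n mondoo-operator get cronjobs,daemonsets,pods` should show the node scan CronJob (or DaemonSet) and the scan API workloads, and `kubectl get validatingwebhookconfigurations` should list the admission webhook once cert-manager has issued its certificate. A webhook that never becomes ready is almost always a missing or misconfigured cert-manager, so check that before looking at the operator itself.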

View a Kubernetes integration

Once you've added a Kubernetes integration, you can view it in the list of Kubernetes integrations: go to the Integrations page and select Kubernetes.


To view additional status details or change an integration's configuration, select its row in the list.


Remove a Kubernetes integration


  1. Follow the instructions above to view your list of Kubernetes integrations.

  2. Find the integration you want to remove and check the box beside it.

  3. Select the DELETE button.
