
Continuously Scan Kubernetes with the Mondoo Kubernetes Operator

Deploy the Mondoo Kubernetes Operator to continuously scan clusters, nodes, and workloads for security misconfigurations.

The Mondoo Kubernetes Operator runs inside your cluster and continuously scans it. Because it lives in the cluster, it detects issues as they appear instead of waiting for an external scan window.

The operator can:

  • Continuously scan nodes for misconfigurations and vulnerabilities
  • Continuously scan workloads in the cluster
  • Scan new nodes as they come online

It also includes an admission controller that scans each workload before it's admitted to the cluster, so you catch issues at deploy time.

The admission controller scans these workload types on create or update:

  • Pods
  • Deployments
  • DaemonSets
  • StatefulSets
  • Jobs
  • CronJobs

When one workload owns another (a Deployment that creates pods, for example), the admission controller scans only the owner. The owner is the definition where you can actually fix the issue. See the Kubernetes documentation for background.

How the integration model works

A Mondoo Kubernetes integration consists of two parts:

  • A service account credential (stored as a Kubernetes Secret) that authenticates to Mondoo Platform
  • A MondooAuditConfig custom resource that tells the operator what to scan

Because these are separate, a single operator installation can serve multiple integrations. Each integration gets its own Secret and MondooAuditConfig, but they all share the same operator. This is useful when you want different scan configurations or want to report results to different spaces from the same cluster.

Add a Mondoo Kubernetes integration

Only team members with Editor or Owner access can perform this task.

You can create Kubernetes integrations at either the space level or the organization level:

  • Space-level integration: In the Mondoo App, navigate to the space where you want to add the integration. In the side navigation bar, select Integrations. In the top right, select + INSTALL. On the integrations page, find Kubernetes by browsing or searching by name, then select it.

  • Organization-level integration: Navigate to your organization's Integrations page and follow the same steps. Organization-level integrations use an org-scoped service account, which can route scan results to any space in the organization.


Configure scanning options

  1. Type a name for the integration to identify it in lists and distinguish it from other integrations.

  2. To continuously assess the security posture of nodes in your Kubernetes cluster, enable Scan nodes.

  3. To continuously assess the security posture of workloads and resources in your cluster, enable Scan workloads.

  4. To scan container images running in the cluster, enable Scan container images.

  5. To control which namespaces Mondoo scans, enable Filter namespaces and list the namespaces to which you want to allow or deny access.

     You control which namespaces to scan using either the Allow list or the Deny list box. To scan only the namespaces you specify, type them in the Allow list box. To scan all namespaces except the ones you specify, type the namespaces to skip in the Deny list box. If you list multiple namespaces, separate them with line breaks.

  6. If you plan to run multiple integrations on the same cluster, enable Use unique audit config name.

  7. Select Create Integration.

Install the Mondoo Operator

After you create the integration, the console shows installation commands. Choose either Helm (recommended) or Kubectl.

Install with Helm

helm repo add mondoo https://mondoohq.github.io/mondoo-operator
helm repo update
helm install mondoo-operator mondoo/mondoo-operator --namespace mondoo-operator --create-namespace

Install with kubectl

kubectl apply -f https://github.com/mondoohq/mondoo-operator/releases/latest/download/mondoo-operator-manifests.yaml

If you already have the operator installed in this cluster, skip the installation step and proceed to applying the token and audit configuration.

Apply the token and audit configuration

The console generates two commands for you: one to create a Kubernetes Secret containing the integration token, and one to apply the MondooAuditConfig. Copy and run both commands against your cluster.


Mondoo scans workloads according to the activated policies.

Run multiple integrations on a single cluster

Because the operator and its integrations are decoupled, you can connect a single operator to multiple Mondoo integrations. Each integration gets its own service account Secret and MondooAuditConfig. This lets you:

  • Report different parts of the cluster to different Mondoo spaces
  • Apply different scan configurations (schedule, namespace filters) side by side
  • Use a single org-level service account to route assets to multiple spaces

To run multiple integrations on the same cluster, enable Use unique audit config name when creating each integration. This gives each MondooAuditConfig a name based on the integration ID, preventing naming conflicts.
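The manifests below are an added example written for this page; they are not the Mondoo documentation's or the mondoo-operator project's own output, and you should always prefer the commands the console generates for your integration. They tie together the two-part model described under "How the integration model works" (one Secret holding the integration token, one MondooAuditConfig telling the operator what to scan), the console options from "Configure scanning options", and the multi-integration pattern above: two integrations share a single operator installation in the mondoo-operator namespace, each with its own Secret and its own uniquely named MondooAuditConfig. Field names follow the operator's MondooAuditConfig CRD (k8s.mondoo.com/v1alpha2) as the editor knows it; the Secret key name, the creds Secret the operator creates from the token, and every name containing a placeholder are assumptions.

```yaml
# Added example, not from the Mondoo docs or the operator project.
# Two integrations, one operator. Resource names with <...> are placeholders
# for values the console generates; the Secret key "token" is an assumption.
---
# Integration A: org-level token, scans nodes and every workload except
# cluster-system namespaces (console "Deny list").
apiVersion: v1
kind: Secret
metadata:
  name: mondoo-token-<INTEGRATION-A-ID>      # placeholder
  namespace: mondoo-operator
type: Opaque
stringData:
  token: "<INTEGRATION-A-TOKEN>"             # placeholder; key name assumed
---
apiVersion: k8s.mondoo.com/v1alpha2
kind: MondooAuditConfig
metadata:
  # "Use unique audit config name" derives the name from the integration ID,
  # so two configs in the same namespace never collide.
  name: mondoo-client-<INTEGRATION-A-ID>     # placeholder
  namespace: mondoo-operator
spec:
  mondooTokenSecretRef:
    name: mondoo-token-<INTEGRATION-A-ID>    # the Secret created above
  mondooCredsSecretRef:
    name: mondoo-creds-<INTEGRATION-A-ID>    # assumption: the operator writes the exchanged
                                             # service-account credential here
  consoleIntegration:
    enable: true                             # report operator status back to this integration
  nodes:
    enable: true                             # console option "Scan nodes"
  kubernetesResources:
    enable: true                             # console option "Scan workloads"
  containers:
    enable: true                             # console option "Scan container images"
  admission:
    enable: true                             # scan Pods, Deployments, DaemonSets, ... on create/update
  filtering:
    namespaces:
      exclude:                               # console "Deny list": scan all namespaces except these
        - kube-system
        - kube-public
        - kube-node-lease
---
# Integration B: a space-level integration that reports only one team's
# namespaces to its own space (console "Allow list"). Same operator, own
# Secret, own MondooAuditConfig; node scanning is left to integration A.
apiVersion: v1
kind: Secret
metadata:
  name: mondoo-token-<INTEGRATION-B-ID>      # placeholder
  namespace: mondoo-operator
type: Opaque
stringData:
  token: "<INTEGRATION-B-TOKEN>"             # placeholder; key name assumed
---
apiVersion: k8s.mondoo.com/v1alpha2
kind: MondooAuditConfig
metadata:
  name: mondoo-client-<INTEGRATION-B-ID>     # placeholder, unique per integration
  namespace: mondoo-operator
spec:
  mondooTokenSecretRef:
    name: mondoo-token-<INTEGRATION-B-ID>
  mondooCredsSecretRef:
    name: mondoo-creds-<INTEGRATION-B-ID>    # assumption, as above
  consoleIntegration:
    enable: true
  nodes:
    enable: false                            # nodes are cluster-wide; scan them once, in integration A
  kubernetesResources:
    enable: true
  containers:
    enable: true
  filtering:
    namespaces:
      include:                               # console "Allow list": scan only these namespaces
        - payments
        - payments-staging
```

Two design points are worth checking against your own cluster: a namespace filter uses either an include list or an exclude list, matching the console's either/or Allow list and Deny list; and because node scanning covers every node regardless of namespace, enabling it in more than one integration on the same cluster just scans each node twice and reports it to two places.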

View a Kubernetes integration

Once you've added a Kubernetes integration, you can view all Kubernetes integrations by going to the Integrations page and selecting Kubernetes.


To view additional status details or change an integration's configuration, select its row in the list.


Remove a Kubernetes integration

Only team members with Editor or Owner access can perform this task.

  1. Follow the instructions above to view your list of Kubernetes integrations.

  2. Find the integration you want to remove and check the box beside it.

  3. Select the DELETE button.
