Skip to main content

Continuously Scan Kubernetes with the Mondoo Kubernetes Operator

The Mondoo Kubernetes Operator is Mondoo software that runs in your Kubernetes environment. Working within your cluster, the Mondoo Operator can:

  • Continuously scan nodes to assess security and identify vulnerabilities

  • Continuously scan the cluster to assess security and identify vulnerabilities

  • Scan new nodes as they come online

The operator includes a Kubernetes admission controller that performs a security scan on each deployment introduced into the cluster and reports the results. Learn more.

Add a Mondoo Kubernetes integration

To set up a Mondoo Kubernetes operator integration, access the Integrations > Add > GCP page in one of two ways:

  • New space setup: After creating a new Mondoo account or creating a new space, the initial setup guide welcomes you. Select BROWSE INTEGRATIONS and then select Kubernetes.

    Welcome to Mondoo Page

  • INTEGRATIONS page: In the side navigation bar, under INTEGRATIONS, select Add New Integration. Under Cloud Security, select Kubernetes.

Configure a Mondoo Kubernetes integration


  1. Type a name for the integration. This name identifies the integration in lists and distinguishes it from other integrations in your space. You can't change the name after you leave this page.

  2. To continuously assess the security posture of nodes in your Kubernetes cluster, enable Scan nodes.

  3. To continuously assess the security posture of workloads and resources in your cluster, enable Scan workloads.

  4. To assess the security of every change applied to your Kubernetes cluster and display the results in the CI/CD view, enable Scan incoming deployments.

  5. If you enable Scan incoming deployments, choose the tool to use for managing the Mondoo admission controller's certificates: cert-manager or OpenShift.

Scanning incoming deployments

Whenever a supported workload type is created or updated, the Kubernetes admission controller scans it. Currently, the admission controller can scan these workload types:

  • Pods
  • Deployments
  • DaemonSets
  • StatefulSets
  • Jobs
  • CronJobs

If a workload is dependent on another workload, the admission controller only scans the owner workload. For example, if a Deployment creates a pod, the admission controller skips the pod and scans the Deployment. The owner workload is the definition where you can fix issues permanently. For more details, see the Kubernetes documentation.

Mondoo scans workloads according to the activated policies. Learn more

Scan results appear in the CI/CD view when running the admission webhook in permissive mode. In enforcing mode, the scan result also determines whether the workload is applied to the cluster. For general information about admission controllers, see the Kubernetes documentation.

View Kubernetes integrations

Once you've added a Kubernetes Operator Integration you can view these integrations by going to the Integrations page and selecting Kubernetes


To view additional status details or change an integration's configuration, select its row in the list.


Remove Kubernetes integrations

  1. Follow the instructions above to view your Kubernetes integrations.

  2. On the Kubernetes Integrations page, select the pencil icon.

  3. Find the integration you want to remove and check the box beside it.

  4. On the Edit Selection menu, select Remove and then select the Done button.