
Scan images in a Kubernetes cluster

Scan all images in a Kubernetes cluster for vulnerabilities to achieve a continuous clean bill of health and defense in depth.

Common use cases for scanning in a Kubernetes cluster are:

  • Images may pass scanning during the build phase but contain newly disclosed vulnerabilities days or weeks later
  • Third-party images pulled from public registries are often not scanned in build pipelines and can contain Critical or High vulnerabilities
  • Application teams may build one-off images outside of their pipeline to ship an emergency patch for a critical bug

About Image Assurance scanner

The Image Assurance scanner that runs in a Kubernetes cluster is ready to use out of the box, without configuration. It runs as a daemonset in the managed cluster where the images are located and is installed on every node in the cluster.

Vulnerability detection consists of these steps:

  • Image Assurance scanner - generates a Software Bill of Materials (SBOM), a list of the image's package dependencies, using Syft
  • Vulnerability lookup - Calico Cloud uploads the SBOM and matches its packages against known CVEs in the vulnerability databases using Grype


Calico Cloud checks running images for new vulnerabilities every 24 hours and reports scan results to the Image dashboard in Manager UI.

Before you begin

Unsupported

  • OpenShift
  • GCP-Kubeadm
  • AWS-Kubeadm
  • GKE

Cluster requirements

  • Containerd is the container runtime
  • AKS clusters: if you are using Kubernetes v1.19 or higher, containerd should be your default runtime
  • Containerd must be using the overlayfs or native file system snapshotter

How to

Get latest version of Image Assurance

  1. On the Managed Clusters page, select the cluster from the list, and click Reinstall.
  2. Copy the updated installation script command and run it against your cluster.

Enable scanner

Complete the following steps for each managed cluster you want enabled with the cluster scanner:

  1. Modify the imageassurance installation resource.

     kubectl edit imageassurance default

  2. Set the clusterScanner field to Enabled and save the file.

     The cluster scanner is deployed as a container inside the tigera-image-assurance-crawdad daemonset.

  3. Verify that a new container named cluster-scanner is created inside the daemonset.

That’s it. The cluster scanner will start scanning images on running pods in the cluster. For help viewing image events in Manager UI, see View scanned and running images.

Customize scanner settings

To change default settings, modify the imageassurance installation resource.

  • Container runtime socket path

    Set the criSocketPath field to the path of the container runtime socket. Default: /run/containerd/containerd.sock

  • Containerd file system root path

    Set the containerdVolumeMountPath field to the containerd root directory on the node. Default: /var/lib/containerd/
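The enable and customize steps above can be scripted and verified instead of edited by hand. The following is an added example, not part of the Calico Cloud documentation or product; it assumes that clusterScanner, criSocketPath and containerdVolumeMountPath live under .spec of the ImageAssurance resource and that the tigera-image-assurance-crawdad daemonset runs in a namespace named tigera-image-assurance.

```shell
#!/usr/bin/env sh
# Added example (not from the Calico Cloud docs). Assumed values are marked.

NS="tigera-image-assurance"          # assumed namespace of the daemonset
DS="tigera-image-assurance-crawdad"  # daemonset named in the docs

# Build a JSON merge patch for the ImageAssurance resource.
# $1 = Enabled|Disabled, $2 = CRI socket path, $3 = containerd root path.
# Field placement under .spec is an assumption.
build_patch() {
  case "$1" in
    Enabled|Disabled) ;;
    *) echo "clusterScanner must be Enabled or Disabled, got '$1'" >&2; return 1 ;;
  esac
  printf '{"spec":{"clusterScanner":"%s","criSocketPath":"%s","containerdVolumeMountPath":"%s"}}' \
    "$1" "$2" "$3"
}

# Return 0 when a space-separated list of container names (the shape that
# kubectl's jsonpath below prints) includes cluster-scanner.
has_cluster_scanner() {
  for name in $1; do
    [ "$name" = "cluster-scanner" ] && return 0
  done
  return 1
}

# Apply the patch with the documented default paths, wait for the daemonset
# rollout, then confirm the cluster-scanner container was added.
enable_cluster_scanner() {
  kubectl patch imageassurance default --type merge \
    -p "$(build_patch Enabled /run/containerd/containerd.sock /var/lib/containerd/)" || return 1
  kubectl -n "$NS" rollout status "daemonset/$DS" --timeout=120s || return 1
  names=$(kubectl -n "$NS" get daemonset "$DS" \
    -o jsonpath='{.spec.template.spec.containers[*].name}') || return 1
  if has_cluster_scanner "$names"; then
    echo "cluster-scanner container present in $DS"
  else
    echo "cluster-scanner container missing from $DS; re-check the ImageAssurance resource" >&2
    return 1
  fi
}

# Only contact a cluster when explicitly asked, so the file can be sourced safely.
if [ "${RUN_AGAINST_CLUSTER:-no}" = "yes" ]; then
  enable_cluster_scanner
fi
```

Run with `RUN_AGAINST_CLUSTER=yes sh enable-scanner.sh` against a kubeconfig pointed at the managed cluster; swap the two path arguments when your nodes use a non-default socket or containerd root.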

Disable scanner

  1. Modify the imageassurance installation resource.

     kubectl edit imageassurance default

  2. Set the clusterScanner field to Disabled and save the file. This deletes the cluster scanner container from the daemonset in your cluster.

Next step

Set up alerts on vulnerabilities