In-Cluster Image Scanning with Helm
AccuKnox offers an in-cluster container image scanning solution designed to periodically inspect container images deployed within your Kubernetes (K8s) environment. This automated scanning process detects known vulnerabilities, promoting compliance and enhancing your cluster's overall security. All scan results, including detailed vulnerability insights, are automatically sent to the AccuKnox Control Plane, where they can be viewed and managed through an intuitive user interface.
Installation Guide
Follow these steps to deploy the in-cluster image scanner using Helm:
1. Create a Label
In the AccuKnox Control Plane, create a unique Label. This will be associated with the container image scan reports.
2. Generate a Token
From the AccuKnox Control Plane:
- Generate an Artifact Token
- Note down both the Token and your Tenant ID
3. Schedule and Deploy the Scanner via Helm
Use the following Helm command to install the scanner in your Kubernetes cluster:
helm install kubeshield oci://public.ecr.aws/k9v9d5v2/kubeshield-chart -n agents --create-namespace \
--set scan.tenantId="" \
--set scan.authToken="" \
--set scan.url="" \
--set scan.label="" \
--set scan.cronTab="30 9 * * *" \
--version "v0.1.2"
Replace the empty values of `scan.tenantId`, `scan.authToken`, `scan.url` and `scan.label` with the appropriate values from the previous steps.
Sample Output
Pulled: public.ecr.aws/k9v9d5v2/kubeshield-chart:v0.1.1
Digest: sha256:a4c1a8948db7a24d8990b71b53184f564960b2b39dbd6cba1cd6104c12addd75
NAME: kubeshield
LAST DEPLOYED: Mon May 5 10:08:24 2025
NAMESPACE: agents
STATUS: deployed
REVISION: 1
TEST SUITE: None
Parameters:
| Variable | Sample Value | Description |
|---|---|---|
| tenantId | 11 | AccuKnox Tenant ID |
| authToken | eyJhbGc... | AccuKnox Token |
| url | cspm.accuknox.com | AccuKnox CSPM API Endpoint |
| label | kubeshield | AccuKnox Label |
| cronTab | `30 9 * * *` | Scan schedule in cron syntax |
Note: Deploy the Scanner via Helm (One Time). If you do not want a schedule and only want to trigger a single scan, omit the `--set scan.cronTab` flag.
Post-Installation
Once the scanner is deployed and completes a scan cycle, results will be visible in the Findings or Registry Scan sections within the AccuKnox Control Plane.
- Navigate to Issues -> Findings
- Switch to Findings tab
- Select Container Image Findings and group the results by Label Name
- You should see the data for the Label used in the command above
Scan Status from Cluster
Check whether the kubeshield-controller-manager pod is running:
kubectl get po -n kubeshield
NAME READY STATUS RESTARTS AGE
kubeshield-controller-manager-5dd5cbc6d4-8xg8k 1/1 Running 0 22s
The STATUS column should show Running.
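The following helper script is an added example, not part of the AccuKnox chart or this guide. It wraps the install step and the pod check above: it rejects empty or malformed values before building the helm command, reads the artifact token from a file via `--set-file` so the token does not end up in shell history or the process list (as a plain `--set scan.authToken=...` would), and parses `kubectl get po` output to confirm the controller is ready. It assumes the `agents` namespace from the install command and that the token file is written without a trailing newline.

```shell
#!/bin/sh
# Added helper script (not part of the AccuKnox chart or docs): validates the
# values the chart expects before printing the helm command, and reads the
# artifact token from a file via --set-file so it never appears in the shell
# history or process list the way a plain --set scan.authToken=... would.
CHART="oci://public.ecr.aws/k9v9d5v2/kubeshield-chart"
CHART_VERSION="v0.1.2"

# valid_cron: accept only a 5-field cron expression (minute hour dom month dow).
valid_cron() {
  printf '%s\n' "$1" | awk 'NF != 5 { exit 1 }
    { for (i = 1; i <= NF; i++) if ($i !~ /^[0-9*,\/-]+$/) exit 1 }'
}

# build_install_cmd TENANT_ID TOKEN_FILE URL LABEL [CRON]
# Prints the helm install command on success; returns 1 on any missing or
# malformed value. Omit CRON for a one-time scan (no scan.cronTab is set).
# TOKEN_FILE must hold the token without a trailing newline (write it with
# printf '%s', not echo), otherwise the newline becomes part of the token.
build_install_cmd() {
  tenant="$1"; token_file="$2"; url="$3"; label="$4"; cron="$5"
  case "$tenant" in
    ''|*[!0-9]*) echo "tenantId must be a number" >&2; return 1 ;;
  esac
  [ -s "$token_file" ] || { echo "token file missing or empty" >&2; return 1; }
  [ -n "$url" ] && [ -n "$label" ] ||
    { echo "url and label are required" >&2; return 1; }
  cmd="helm install kubeshield $CHART -n agents --create-namespace"
  cmd="$cmd --set scan.tenantId=$tenant --set-file scan.authToken=$token_file"
  cmd="$cmd --set scan.url=$url --set scan.label=$label"
  if [ -n "$cron" ]; then
    valid_cron "$cron" || { echo "cronTab must be a 5-field cron expression" >&2; return 1; }
    cmd="$cmd --set scan.cronTab='$cron'"
  fi
  echo "$cmd --version $CHART_VERSION"
}

# controller_ready: reads `kubectl get po` output on stdin and succeeds only if
# the kubeshield-controller-manager pod is Running with all containers ready.
controller_ready() {
  awk '$1 ~ /^kubeshield-controller-manager-/ && $3 == "Running" {
         split($2, r, "/"); if (r[1] == r[2]) found = 1 }
       END { exit found ? 0 : 1 }'
}

# Usage (uncomment to run; review the printed command before executing it):
# build_install_cmd 11 ./token.txt cspm.accuknox.com kubeshield "30 9 * * *"
# kubectl get po -n agents | controller_ready && echo "controller ready"
```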