Commit

Updates K8s node scanning documentation
Signed-off-by: scottford-io <[email protected]>
scottford-io committed Dec 11, 2024
1 parent 0bff661 commit 36e6080
Showing 1 changed file with 9 additions and 3 deletions.
Expand Up @@ -48,11 +48,17 @@ import Partial from "../../../partials/\_editor-owner.mdx";

3. To continuously assess the security posture of nodes in your Kubernetes cluster, enable **Scan nodes**.

Choose how to scan cluster nodes:
:::important

- We strongly recommend that you leave **CronJob-based** selected. It's ideal for most infrastructures. A CronJob executes regularly to run the scans without permanently allocating any resources for Mondoo on cluster nodes.
Mondoo can scan both a Kubernetes (K8s) cluster using the Mondoo K8s Operator and the account (AWS account, GCP project, or Azure subscription) where the cluster is deployed. To avoid duplication of assets, if the account is integrated with VM scanning enabled, or if you plan to enable it, ensure that Node Scanning is disabled for the Kubernetes cluster.

- If your nodes tend to run near 100% resource utilization, that leaves no resources available for a CronJob to run a Mondoo scan. If you experience consistently failing Mondoo node scans, select **DaemonSet-based** scanning instead. This approach reserves resources for Mondoo on each cluster node. It relies on a DaemonSet to assure that Mondoo scans the nodes continuously, even during high-traffic times.
:::

Choose how to scan cluster nodes:

- We strongly recommend that you leave **CronJob-based** selected. It's ideal for most infrastructures. A CronJob executes regularly to run the scans without permanently allocating any resources for Mondoo on cluster nodes.

- If your nodes tend to run near 100% resource utilization, that leaves no resources available for a CronJob to run a Mondoo scan. If you experience consistently failing Mondoo node scans, select **DaemonSet-based** scanning instead. This approach reserves resources for Mondoo on each cluster node. It relies on a DaemonSet to assure that Mondoo scans the nodes continuously, even during high-traffic times.

4. To continuously assess the security posture of workloads and resources in your cluster, enable **Scan workloads**.
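
Review bot: In the new `:::important` block, the condition "if the account is integrated with VM scanning enabled, or if you plan to enable it" lets a reader disable node scanning before VM scanning is actually running, which leaves the nodes unscanned by either path in the meantime. Suggest rewording so that node scanning is turned off only once VM scanning on the account integration is active. The block also comes after the step 3 sentence that tells the reader to enable **Scan nodes**, so the caveat would be better placed ahead of that instruction or folded into it. It should also use the same bolded UI label ("**Scan nodes**") instead of "Node Scanning" so the reader can match it to the toggle.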
