diff --git a/docs/platform/infra/cloud/kubernetes/scan-kubernetes-with-operator.md b/docs/platform/infra/cloud/kubernetes/scan-kubernetes-with-operator.md index 2a82fce03..a9cda9432 100644 --- a/docs/platform/infra/cloud/kubernetes/scan-kubernetes-with-operator.md +++ b/docs/platform/infra/cloud/kubernetes/scan-kubernetes-with-operator.md 
@@ -48,11 +48,17 @@ import Partial from "../../../partials/\_editor-owner.mdx"; 3. To continuously assess the security posture of nodes in your Kubernetes cluster, enable **Scan nodes**. - Choose how to scan cluster nodes: +:::important - - We strongly recommend that you leave **CronJob-based** selected. It's ideal for most infrastructures. A CronJob executes regularly to run the scans without permanently allocating any resources for Mondoo on cluster nodes. +Mondoo can scan both a Kubernetes (K8s) cluster using the Mondoo K8s Operator as well as the account (AWS account, GCP project, or Azure subscription) where the cluster is deployed. To avoid duplication of assets, if the account is integrated with VM scanning enabled, or if you plan to enable it, ensure that Node Scanning is disabled for the Kubernetes cluster. - - If your nodes tend to run near 100% resource utilization, that leaves no resources available for a CronJob to run a Mondoo scan. If you experience consistently failing Mondoo node scans, select **DaemonSet-based** scanning instead. This approach reserves resources for Mondoo on each cluster node. It relies on a DaemonSet to assure that Mondoo scans the nodes continuously, even during high-traffic times. +::: + +Choose how to scan cluster nodes: + +- We strongly recommend that you leave **CronJob-based** selected. It's ideal for most infrastructures. A CronJob executes regularly to run the scans without permanently allocating any resources for Mondoo on cluster nodes. + +- If your nodes tend to run near 100% resource utilization, that leaves no resources available for a CronJob to run a Mondoo scan. If you experience consistently failing Mondoo node scans, select **DaemonSet-based** scanning instead. This approach reserves resources for Mondoo on each cluster node. It relies on a DaemonSet to assure that Mondoo scans the nodes continuously, even during high-traffic times. 4. 
To continuously assess the security posture of workloads and resources in your cluster, enable **Scan workloads**.
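Review bot: In step 3, the new `:::important` block tells readers to make sure "Node Scanning is disabled" immediately after the step has told them to enable **Scan nodes**, and it names the setting differently from the UI label used one line earlier. A reader following the steps in order will already have turned the toggle on before reaching the caveat. Consider folding the condition into the step itself, for example "enable **Scan nodes**, unless the cloud account hosting the cluster is (or will be) integrated with VM scanning enabled", and use **Scan nodes** consistently. Two smaller points on the same hunk: "both a Kubernetes (K8s) cluster ... as well as the account" should read "both ... and the account"; and the added admonition and the "Choose how to scan cluster nodes:" list appear here without the indentation the removed lines had under item 3, so please confirm they are still indented in the file, otherwise they end the numbered list before step 4.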