Updates K8s node scanning documentation #500

Status: Draft. Wants to merge 1 commit into base: main.

Diff (changes from all commits):
Expand Up @@ -48,11 +48,17 @@ import Partial from "../../../partials/\_editor-owner.mdx";

3. To continuously assess the security posture of nodes in your Kubernetes cluster, enable **Scan nodes**.

Choose how to scan cluster nodes:
:::important

- We strongly recommend that you leave **CronJob-based** selected. It's ideal for most infrastructures. A CronJob executes regularly to run the scans without permanently allocating any resources for Mondoo on cluster nodes.
Mondoo can scan both a Kubernetes (K8s) cluster using the Mondoo K8s Operator as well as the account (AWS account, GCP project, or Azure subscription) where the cluster is deployed. To avoid duplication of assets, if the account is integrated with VM scanning enabled, or if you plan to enable it, ensure that Node Scanning is disabled for the Kubernetes cluster.
misterpantz (Contributor) commented on Dec 18, 2024:

Suggested change
Mondoo can scan both a Kubernetes (K8s) cluster using the Mondoo K8s Operator as well as the account (AWS account, GCP project, or Azure subscription) where the cluster is deployed. To avoid duplication of assets, if the account is integrated with VM scanning enabled, or if you plan to enable it, ensure that Node Scanning is disabled for the Kubernetes cluster.
Mondoo can scan Kubernetes clusters in two ways:
- Directly, using the Mondoo Kubernetes Operator
- As part of the cloud account (AWS account, GCP project, or Azure subscription) where the cluster is deployed
If you enable (or plan to enable) VM scanning when you set up your AWS, GCP, or Azure integration AND you enable **Scan nodes** in your Kubernetes integration, you create duplicate assets (two of the same cluster). To prevent this, be sure to disable **Scan nodes** in the Kubernetes integration.

Contributor commented:

It's not that easy to understand, I'm afraid. Partly just because it's a hard thing to describe but also because (1) the setting name is different than in the UI and (2) the structure.
Does my suggestion help without mucking up the meaning?

Contributor Author commented:

@misterpantz I think your change is drastically better! 🙌 🥳

I have slight tweaks that you can take or leave:

Suggested change
Mondoo can scan both a Kubernetes (K8s) cluster using the Mondoo K8s Operator as well as the account (AWS account, GCP project, or Azure subscription) where the cluster is deployed. To avoid duplication of assets, if the account is integrated with VM scanning enabled, or if you plan to enable it, ensure that Node Scanning is disabled for the Kubernetes cluster.
Mondoo can scan Kubernetes clusters in two ways:
- **Directly**, using the Mondoo Kubernetes Operator.
- **Indirectly**, as part of the cloud account (AWS account, GCP project, or Azure subscription) where the cluster is deployed.
If both VM scanning is enabled for your cloud account integration and Scan nodes is enabled for your Kubernetes integration, this will create duplicate assets (the same cluster appearing twice). To avoid duplication, disable Scan nodes in your Kubernetes integration.

The only other thought I had would be to add something explaining Scan nodes:

What is “Scan nodes”?

This setting allows Mondoo to scan Kubernetes cluster nodes directly. If you’re scanning the cloud account, the nodes will already be scanned as part of VM scanning.

For steps to disable Scan nodes, see [link to instructions].

Contributor commented:

Because you're adding this note WITHIN the instructions, right below the step that tells you to enable Scan nodes if you want to assess the security posture of nodes in your Kubernetes cluster, there's no need to link to it. :)

And I don't want to reintroduce the passive voice. Active voice makes it clear that you/your team is doing the enabling.

Contributor commented:

This has some of your suggestions and some of mine:

Suggested change
Mondoo can scan both a Kubernetes (K8s) cluster using the Mondoo K8s Operator as well as the account (AWS account, GCP project, or Azure subscription) where the cluster is deployed. To avoid duplication of assets, if the account is integrated with VM scanning enabled, or if you plan to enable it, ensure that Node Scanning is disabled for the Kubernetes cluster.
Mondoo can scan Kubernetes clusters in two ways:
- Directly, using the Mondoo Kubernetes Operator
- Indirectly, as part of the cloud account (AWS account, GCP project, or Azure subscription) where the cluster is deployed
If you enable **Scan virtual machines** in your cloud account integration AND you enable **Scan nodes** in your Kubernetes integration, Mondoo creates duplicate assets (the same cluster represented twice). To prevent duplication, disable **Scan nodes** in your Kubernetes integration.

Contributor commented:

Oh crap... I just checked and, of the cloud integrations you listed, the only one that has a Scan virtual machines option is Azure!


- If your nodes tend to run near 100% resource utilization, that leaves no resources available for a CronJob to run a Mondoo scan. If you experience consistently failing Mondoo node scans, select **DaemonSet-based** scanning instead. This approach reserves resources for Mondoo on each cluster node. It relies on a DaemonSet to assure that Mondoo scans the nodes continuously, even during high-traffic times.
:::

Choose how to scan cluster nodes:

- We strongly recommend that you leave **CronJob-based** selected. It's ideal for most infrastructures. A CronJob executes regularly to run the scans without permanently allocating any resources for Mondoo on cluster nodes.

- If your nodes tend to run near 100% resource utilization, that leaves no resources available for a CronJob to run a Mondoo scan. If you experience consistently failing Mondoo node scans, select **DaemonSet-based** scanning instead. This approach reserves resources for Mondoo on each cluster node. It relies on a DaemonSet to assure that Mondoo scans the nodes continuously, even during high-traffic times.

4. To continuously assess the security posture of workloads and resources in your cluster, enable **Scan workloads**.
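Review bot: The added admonition names the setting "Node Scanning" while step 3 directly above it (and the UI) call it **Scan nodes**, and it describes "VM scanning" as a generic option for AWS, GCP and Azure although the thread itself notes that only the Azure integration exposes a **Scan virtual machines** option. Suggest using the exact UI name **Scan nodes** in the note and stating the cloud-side condition in terms that hold for every listed integration (or naming each integration's setting after checking it), for example: "If your cloud integration already scans the cluster's virtual machines and you also enable **Scan nodes** here, Mondoo creates duplicate assets (the same cluster represented twice)." Since step 3 instructs the reader to enable **Scan nodes** and the note immediately tells them to disable it, consider phrasing the note as the condition under which to leave **Scan nodes** off, so the two instructions do not read as contradictory.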
