Kubernetes Cluster Scanning

This page describes the scanning capabilities for your Kubernetes clusters. It applies to managed Kubernetes environments, such as EKS, AKS, and GKE, as well as self-managed/on-prem clusters.

This functionality is available only for Pro and Advanced plans. Contact us via chat for more information.

Why connect your Kubernetes clusters?

While Aikido scans your infrastructure-as-code files, including Kubernetes manifests and Helm charts, connecting your cluster enables Aikido to perform more (and more powerful) checks, as well as validate your actual running environments.

Aikido assesses your Kubernetes resources against a set of rules, generating an issue for any deviation. You can see the generated issues in your feed by filtering for "Kubernetes Configurations".

Getting Started

Go to the Clouds page, click "Connect Cloud", and choose "Kubernetes". This applies to all Kubernetes environments, including AWS EKS, Azure Kubernetes Service, Google Kubernetes Engine, and other managed Kubernetes services, as well as self-managed on-premises or cloud-based deployments.

In the first step, you will provide the following:

  • Cluster name: This is used only in Aikido. You can provide any name you see fit, but it must be unique within the Aikido workspace.

  • Excluded namespaces: Optionally, you can exclude resource collection from specific Kubernetes namespaces. An option is available to quickly add commonly excluded namespaces (e.g., kube-system, kube-public, and cloud provider-specific namespaces).

  • Environment: This serves the same purpose as the environment setting for cloud accounts, allowing Aikido to adjust the severity of the findings.

Next, you will install the Aikido agent in your cluster. You will need:

  • Access to the cluster and permissions to install a Helm chart

Follow the in-app steps to install the chart, which deploys the Aikido agent as a Deployment (currently running as a single pod). The agent should start within a few seconds, after which you can finalize the onboarding.

FAQs

1. What can the Aikido agent do in my cluster?

The Aikido agent can only read your Kubernetes resources. Additionally, it has minimal permissions, limited to its own namespace, for self-management. You can inspect the provided permissions in the Helm chart.

2. What performance impact will the Aikido agent have in my cluster?

The agent's sole purpose is to collect the resources from your Kubernetes cluster. As such, the agent's resource utilization will be negligible. You can customize the resource requests and limits when installing the Helm chart.

3. Does my cluster need to be public?

No. The traffic only flows from the agent to the Aikido platform.

4. Is there any maintenance for the Aikido agent?

No. When we release new versions of the agent, it will update itself automatically. Note that the agent can only update/patch its own deployment and secret.
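The permission model described in FAQs 1 and 4 (read-only cluster-wide, write access only to the agent's own deployment and secret in its own namespace) is something you can verify against the installed RBAC objects. The following is an added example, not Aikido's own code: it audits role objects in the shape returned by `kubectl get clusterroles,roles -A -o json` (the `items` list) against that model. The agent namespace name and the sample objects are assumptions.

```python
READ_VERBS = {"get", "list", "watch"}
# Resource kinds and verbs the FAQ says the agent may write, only in its own namespace.
SELF_MANAGE = {"deployments": {"update", "patch"}, "secrets": {"update", "patch"}}


def audit_rbac(items, agent_namespace):
    """Return human-readable violations; an empty list means the RBAC matches the model."""
    violations = []
    for obj in items:
        kind = obj["kind"]
        name = obj["metadata"]["name"]
        namespace = obj["metadata"].get("namespace")
        for rule in obj.get("rules") or []:
            verbs = set(rule.get("verbs", []))
            resources = set(rule.get("resources", []))
            write_verbs = verbs - READ_VERBS  # a wildcard "*" verb also lands here
            if not write_verbs:
                continue  # read-only rules are acceptable anywhere
            if kind == "ClusterRole":
                violations.append(f"ClusterRole/{name}: cluster-wide write verbs "
                                  f"{sorted(write_verbs)} on {sorted(resources)}")
                continue
            if namespace != agent_namespace:
                violations.append(f"Role/{namespace}/{name}: write verbs outside the agent namespace")
                continue
            for res in resources:  # a wildcard "*" resource is not in SELF_MANAGE and is flagged
                extra = write_verbs - SELF_MANAGE.get(res, set())
                if extra:
                    violations.append(f"Role/{namespace}/{name}: verbs {sorted(extra)} "
                                      f"on {res} exceed self-management")
    return violations


# Constructed sample matching the FAQ's description (namespace "aikido" is an assumption).
SAMPLE_ITEMS = [
    {"kind": "ClusterRole", "metadata": {"name": "agent-reader"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "agent-self", "namespace": "aikido"},
     "rules": [{"apiGroups": ["apps", ""], "resources": ["deployments", "secrets"],
                "verbs": ["get", "update", "patch"]}]},
]

if __name__ == "__main__":
    for line in audit_rbac(SAMPLE_ITEMS, "aikido") or ["RBAC matches the documented model"]:
        print(line)
```

Feed it the real objects bound to the agent's service account (or the rendered Helm chart) rather than the constructed sample; any non-empty result is a deviation worth raising before onboarding.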

5. Does the Aikido agent read my Kubernetes secrets?

The agent only reads the metadata of the secret, discarding the actual data. Additionally, Aikido redacts any information that resembles a secret found in your ConfigMaps or environment variables.

6. What if the Aikido agent cannot communicate with the platform? Will it try indefinitely?

The agent uses an exponential backoff mechanism for resource collection. If it cannot establish a connection with the Aikido platform, it will sit idle, without consuming any additional resources.
