Kubernetes In-Cluster Image Scanning

This page describes how Aikido can scan container images within the Kubernetes cluster where they are deployed.

This functionality is available only for Pro and Advanced plans. Contact us via chat for more information.

The Aikido Kubernetes integration supports scanning container images in your Kubernetes clusters without connecting the container registry to Aikido.

Benefits of In-Cluster Image Scanning

  • Complete coverage of all images deployed on a cluster, including public images.

  • Real-time scanning: whenever a pod is launched with a new image, Aikido scans it, and any findings end up in your Aikido feed within minutes.

  • Images never leave your environments: the Aikido agent only reports SBOMs back to the platform.

  • Less bandwidth: the Aikido agent first tries to use images cached on the Kubernetes nodes, falling back to pulling them from the registry only if it cannot find or access them. This aspect is especially relevant for organizations using container registries that charge based on traffic.

Getting Started

You can enable image scanning during the Kubernetes cluster onboarding.

Screenshot: Kubernetes cluster onboarding with image scanning enabled

Enabling it also requires setting the sbomCollector.enabled=true value when installing the Helm chart.

Once running, you will see the images in Aikido on the containers page.

Screenshot: container images reported via in-cluster Kubernetes scanning, shown on the Containers page

How Images Are Pulled

The agent (also called the SBOM collector) first attempts to read images from the local node cache. This is why, by default, it runs as a DaemonSet as the root user, which allows it to mount the containerd and Docker sockets.

If the SBOM collector cannot find an image in the node cache (or cannot mount the runtime sockets), it pulls the image from the corresponding registry. For private registries, it supports most authorization mechanisms (node IAM role, imagePullSecrets, workload identity). For details on configuring registry access where necessary, see the Helm chart README.

SBOM Collector Secrets Access

By default, the SBOM collector has access to all secrets in the cluster. This is granted solely so it can read registry credentials when imagePullSecrets are used. You can instead specify the names of the secrets that contain the registry credentials, which limits the SBOM collector's access to only those secrets.
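As an added illustration (not the Aikido Helm chart's own manifests), the two RBAC shapes this section describes, side by side: the broad default grant on every secret, and a least-privilege grant scoped to named pull secrets. The namespace, service account and secret names are placeholders.

```yaml
# Added illustration, not the Aikido chart's manifests. All names are placeholders.
# 1) Broad grant (the default described above): read every Secret in the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sbom-collector-secrets-broad
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]
---
# 2) Least-privilege grant: only the named image pull secret, in one namespace.
#    resourceNames restricts the grant to these objects; only "get" is needed
#    to read a known secret, so "list" is deliberately omitted.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sbom-collector-pull-secrets
  namespace: app-namespace                  # placeholder: namespace holding the pull secret
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["registry-pull-secret"] # placeholder: the imagePullSecrets entry name
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sbom-collector-pull-secrets
  namespace: app-namespace
subjects:
  - kind: ServiceAccount
    name: aikido-sbom-collector             # placeholder: the collector's service account
    namespace: aikido                       # placeholder: namespace where the agent runs
roleRef:
  kind: Role
  name: sbom-collector-pull-secrets
  apiGroup: rbac.authorization.k8s.io
```

To confirm the narrowed grant took effect, `kubectl auth can-i get secrets -n app-namespace --as=system:serviceaccount:aikido:aikido-sbom-collector` should answer no for the namespace as a whole, while the same check with `--as` against the named secret (`kubectl auth can-i get secret/registry-pull-secret ...`) answers yes.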

FAQs

  • What happens when I deploy a new version/tag of an image?

Aikido keeps one tag per image per cluster. As you deploy new tags, it will update the image displayed in the Aikido platform.

  • Does this form of scanning benefit from the other container-related features Aikido offers?

Yes. Images scanned using the in-cluster scanning benefit from all the features offered by Aikido, such as noise reduction, linking to repos, AutoFix, and ELS.

  • Can I ignore specific images?

The in-cluster scanning will respect the excluded namespaces you set during the cluster onboarding. If you need to exclude specific images from a scanned namespace, we recommend deactivating the container in Aikido.

Known Limitations

  • If you stop using an image in your cluster altogether, Aikido will not automatically remove it from the platform. We recommend confirming that the image is no longer present in any workload on the cluster (using the Containers tab in the corresponding cluster) and deactivating the container on the settings page.
