Kubernetes API Node

Once a Connection Manager has been set up, you can add nodes for Agentless scanning and monitoring. Cloudhouse Guardian (Guardian) supports Kubernete API nodes using a service account bearer token. The following topic describes how to add a Kubernetes API node to your instance for monitoring.

Dependencies

To add a Kubernetes API, the following dependencies must be met:

  • Linux Connection Manager – Set up in Guardian. For more information, see Linux Connection Manager.

  • Kubernetes API Service Account – Set up with a bearer token generated. For more information, see for Kubernetes API Service Account.

  • Kubernetes Command Line Tools – Set up to communicate with your cluster.

Add a Kubernetes API Node

Adding a Kubernetes API node to your Guardian instance lets you monitor and track the configuration of a Kubernetes cluster.

To add the Kubernetes API node for Agentless scanning, complete the following steps:

  1. In the Guardian web application, navigate to the Add Nodes tab (Inventory > Add Nodes). The Add Nodes page is displayed.

  2. Select the 'Kubernetes API' from the list of node types and click the Go Agentless button to proceed. The Connect Agentlessly to [Node Type] page is displayed.

  3. Here, complete the following options:

    Option

    Description
    Connection Manager group drop-down list The Connection Manager group that is responsible for scanning your Kubernetes node. Select a Connection Manager group from the drop-down list.
    Node Name field

    The name of the node. The value you enter here will be used as the display name in Guardian.
    URL of the Kubernetes API endpoint field

    The URL of the Kubernetes API endpoint. To source this information, run the following command:

    Copy 
    kubectl config view --minify --flatten | grep 'server:' | awk '{print $2}.
    Kubernetes API bearer token field

    The bearer token required to grant Guardian access to the API. For more information on how to source this, see Kubernetes API Service Account.
    Kubernetes API certificate authority data field

    The certificate authority required to establish trust with Guardian. To source this data, run the following command:

    Copy 
    kubectl config view --minify --flatten | grep 'certificate-authority-data:' | awk '{print $2}
    Limit data collection to this namespace, blank otherwise field

    Option to restrict data collection to a specific namespace. Enter the namespace name here. Leave this field blank to collect data from all namespaces.

  4. Once you've completed the above options click Scan Node to add the Kubernete API node to your Guardian instance.

Now, Guardian performs an initial scan of the node. You can wait on this page for the scan to finish, at which point you will see a View Scan button. To view the results of this initial scan, click View Scan. However, you can also navigate elsewhere while Guardian performs its initial scan of the node. You can then view the status of the scan on the Job History page (Inventory > Job History). For more information on what to do next after adding a node, see below.

Next Steps

Once you've added nodes to Guardian, there are a few next steps you can take to get the most out of Guardian and the data it collects. Refer to the topics below for more information on where to go from here.

  • Node Scan Results – View and filter the data collected by Guardian every time a node is scanned.

  • Node Groups – Group nodes together based on similar properties like node type, location, and more.

  • Scan Options – Customize what is scanned on a given node during a node scan.

  • Configuration Differencing – View differences between two nodes, a group of nodes, two scans of the same node, and more.

  • Policies – Define expected configuration states and apply them to nodes or node groups.

  • Integrations – Bring together different systems, applications, or components to work as a unified view and perform different tasks.