Insights setup: Kubernetes connector

What is the Kubernetes connector for Insights?

One of the goals of Insights is to identify risk factors for workloads that are publicly accessible via network configuration. To do that, Snyk needs to understand what images are deployed on which workloads, and how they are configured.

So Snyk needs to collect the following information:

  • The list of images and their IDs and SHAs that are deployed.

  • The services and associated configuration, for example, the networking services you are using.

The Kubernetes connector for Insights is the agent deployed in your Kubernetes clusters to collect this information.

Getting started with the Kubernetes connector for Insights

Prerequisites

Before you can deploy the Kubernetes connector for Insights in your Kubernetes clusters, be sure you have the following:

  • Snyk Organization: You need a Snyk Organization to which the collected Kubernetes information will be sent and stored. This can be a new Organization; it does not have to be the one containing the Snyk Projects you wish to use with Insights, but it must be in the same Snyk Group.

  • Snyk service account: You need to create a service account specifically to be used with the Kubernetes connector for Insights. For instructions on creating a service account, see Service accounts.

    • For the roles and permissions, Snyk recommends creating a new, dedicated role for this service account and taking a least privilege approach: grant that role only the one permission it requires, Publish Kubernetes Resources.

Step 1: Create a Snyk Organization

If you create a separate Organization for the Kubernetes connector for Insights, follow the steps in the Snyk documentation to create a Snyk Organization. The new Snyk Organization must be in the same Snyk Group as your other Snyk Organization.

If you are not creating a separate Snyk Organization, go to step 2.

Step 2: Create a new role

Follow the steps in this documentation to create a new role.

This example illustrates creating a new role called Kubernetes connector for Insights.

Create the Kubernetes connector for Insights role

Step 3: Assign permissions to this role

Navigate to the newly created role and select edit; you will also be taken to this page immediately after creating the role.

Scroll to the bottom of the page, tick the Publish Kubernetes Resources permission, and save the changes by clicking the Update Role Permissions button.

Publish Kubernetes Resources permission

Step 4: Create a service account and assign it to a role

Next, you need to create a new service account for this integration.

Snyk recommends creating this service account for the Snyk Organization used or created for the Kubernetes agent.

Navigate to that Snyk Organization -> Settings -> Service Account.

Create a new service account with your chosen name, and from the drop-down, select the role you created in the previous step.

Select the Insights k8s Agent role

After the service account is created, you will be shown the API token. Copy this down and store it somewhere safe; you’ll need this to configure the agent in the Helm chart.

Step 5: Install the Kubernetes connector for Insights in your Kubernetes clusters

Snyk recommends using the Helm Chart to deploy the agent; the Helm Chart will create the associated permissions for the agent to run on your cluster. The user installing the Helm Chart needs sufficient permissions on the Kubernetes cluster to create new roles. Follow the instructions on the kubernetes-scanner GitHub repo to use the Helm Chart to deploy the latest released version.
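Because the Helm Chart creates cluster permissions for the agent, it is worth reviewing them against the same least privilege approach used for the Snyk role. The following is an added example, not code from Snyk or the kubernetes-scanner repo: it audits a ClusterRole in the JSON shape returned by `kubectl get clusterrole <name> -o json`. The sample role, its name and its rules are constructed, and the assumption that a collection-only agent needs just get, list and watch is the example's own.

```python
import json

# Assumption: an agent that only collects configuration needs read verbs only.
READ_ONLY_VERBS = {"get", "list", "watch"}
SENSITIVE_RESOURCES = {"secrets"}

# Constructed sample in the shape of `kubectl get clusterrole <name> -o json`.
# The role name and rules are hypothetical, not taken from the Helm Chart.
SAMPLE_CLUSTERROLE = json.loads("""
{
  "kind": "ClusterRole",
  "metadata": {"name": "example-insights-connector"},
  "rules": [
    {"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch", "patch"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["list"]}
  ]
}
""")


def audit_role(role):
    """Return (rule_index, finding) pairs for rules that exceed read-only collection."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        groups = set(rule.get("apiGroups", []))
        # Anything beyond get/list/watch (including "*") can modify the cluster.
        extra = verbs - READ_ONLY_VERBS
        if extra:
            findings.append((i, "non-read verbs: " + ",".join(sorted(extra))))
        # Wildcards silently widen the grant as new resource types are added.
        if "*" in resources or "*" in groups:
            findings.append((i, "wildcard apiGroup or resource"))
        # Even read-only access to Secrets exposes credentials.
        exposed = resources & SENSITIVE_RESOURCES
        if exposed and verbs & (READ_ONLY_VERBS | {"*"}):
            findings.append((i, "read access to: " + ",".join(sorted(exposed))))
    return findings


if __name__ == "__main__":
    for index, finding in audit_role(SAMPLE_CLUSTERROLE):
        print(f"rule {index}: {finding}")
```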

FAQ

What is the difference between the Kubernetes monitor (also called Snyk Controller) and the Kubernetes connector for Insights?

The Kubernetes monitor extracts images from a Kubernetes cluster’s workloads and scans them for vulnerabilities. The Kubernetes connector for Insights extracts workload configurations from a Kubernetes cluster.

For Insights to work, do I need both or only the Kubernetes connector for Insights?

You need only the Kubernetes connector for Insights installed in your Kubernetes clusters.

If I’m a customer and already use the existing agent, do I also need to install the Kubernetes connector for Insights?

If you want to use Insights, you must install the Kubernetes connector for Insights into your Kubernetes clusters.

What workload configuration is the Kubernetes connector for Insights collecting?

Here is the list of data Snyk is collecting.
