Shielding your Kubernetes runtime with image scanning and the Sysdig Admission Controller

Feb 18, 2021

Implementing image scanning on a Kubernetes admission controller is an interesting strategy to apply policies that need Kubernetes context, and create a last line of defense for your cluster.

You are probably following the image scanning best practices already, detecting vulnerabilities and misconfigurations before they can be exploited.

However, not everything you deploy goes through your CI/CD pipeline or known registries. There are also third-party images and, sometimes, manual deploys.

By implementing image scanning on admission controllers, you can rest assured that anything deployed conforms to your security policies.

The Sysdig Admission Controller adds enforcement to detection and reporting. After a quick installation and a simple configuration on our UI, the images in your cluster will be secure by default.

What sets this admission controller apart are key details like:

Images don't need to be re-scanned. The Sysdig backend can speed up the admission controller for faster deployments, as it centralizes all of your scan results. If an image has been scanned recently, you can skip scanning on the admission controller.

You can reuse your existing scanning policies. This ensures consistency between scans done in different steps of the image life cycle. Also, you can build admission policies with a friendly UI.

It's failproof. If your webhook loses connection with the Sysdig backend, it can still apply the scanning policies.

And it also ships with all the trademark Sysdig perks: It is easy to install, you can map compliance controls to scanning policies, you can create vulnerability reports, and it is a single pane of glass for all of your cloud infrastructure security.

To learn more about Kubernetes admission controllers, visit:

And to learn more about image scanning on admission controller, visit:

To learn more about the Sysdig Admission Controller, visit: