Please explain what `imageScan` does exactly. It is not documented anywhere
Hi @derailed,
In the documentation for the config of k9s, there is a section called `imageScan`, but nowhere in the project's README, the project website, or anywhere else I looked do you actually explain what this section does and how. In particular, it is not mentioned whether this needs an external dependency or not, or how it affects the cluster.
Can you please document this feature of your program?
Hi, I saw it in this video here: https://www.youtube.com/watch?v=ULkl0MsaidU I tried it on a system with no internet access and it is not working. Is there a way to download the database manually?
8:37AM ERR VulDb load failed error="vulnerability database is invalid (run db update to correct): database metadata not found: /home/XXXXX/XXXXX/.cache/k9s/db/5"
@derailed Can you please provide at least a short answer?
Hi Dear Sir,
The imageScan feature is present in K9s config but is undocumented in terms of functionality, dependencies, and cluster impact.
There is no official guidance on whether it needs external tools or how it works.
Users have requested clear documentation on this feature from the maintainers.
Until the maintainers provide official documentation, it is safest to leave imageScan disabled unless you are experimenting in a non-production environment. If you need image scanning, consider using dedicated tools like Trivy or Clair alongside K9s.
This issue is stale because it has been open for 30 days with no activity.
Hi @derailed, would you please mind giving a short answer to this issue?
When I use K9s to monitor an EKS cluster in AWS and enable the `imageScan` feature, the "VS" column appears for pods, replicaSets, daemonSets, and deployments. The VS column shows a 6-digit value of 1's and 0's only, which act as flags for whether SEV-1 to SEV-5 and SEV-U vulnerabilities have been found for the pod. A value of "100001" means that 1 or more SEV-1 vulnerabilities and 1 or more SEV-U vulnerabilities have been found.
K9s isn't doing the scans. For AWS, it's picking them up from the Elastic Container Registry where "basic scanning" is performed for "free". I believe it might also work in Azure cloud Kubernetes clusters, too.
If you're running pods that rely on a private registry, then ECR cannot scan them, so they get a VS value of "000000". If I were to request a feature, I'd suggest using dashes for an "undefined" VS value, like "------", because all zeroes makes it look like the scan turned up no vulnerabilities when in fact no scan was performed.
If you mirror your private registry pods up to ECR, then ECR can scan them for vulnerabilities and, if the deployment in Kubernetes is configured to actually pull those pods from ECR, then K9s will show an actual VS score for them.
Pretty cool, really.
I hope the plan is to allow for K9s to alternatively use local cluster scanning (when installed) from Trivy or Kubescape or similar.
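As an added example (not k9s code, and not from the commenter above): a small Go helper that decodes the VS cell exactly as the comment describes it (six '0'/'1' flags in the order SEV-1 to SEV-5, then SEV-U), treats an all-zero cell as ambiguous rather than clean, and renders it with the dashes the comment proposes. The dash rendering, the `Triage` grouping and the sample workload names are assumptions for illustration only.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// vsLabels lists the severities in the column order the comment above
// describes: positions 1-5 are SEV-1..SEV-5, position 6 is SEV-U.
var vsLabels = []string{"SEV-1", "SEV-2", "SEV-3", "SEV-4", "SEV-5", "SEV-U"}

// VSReport is one decoded VS cell.
type VSReport struct {
	Found     []string // severities whose flag is '1', in column order
	Ambiguous bool     // all flags '0': either clean or never scanned (e.g. private registry)
}

// DecodeVS parses a six-character VS cell of '0'/'1' flags. The all-dash
// form is the hypothetical "undefined" rendering proposed in the comment.
func DecodeVS(cell string) (VSReport, error) {
	cell = strings.TrimSpace(cell)
	if cell == strings.Repeat("-", len(vsLabels)) {
		return VSReport{Ambiguous: true}, nil
	}
	if len(cell) != len(vsLabels) {
		return VSReport{}, fmt.Errorf("VS cell %q: want %d flags", cell, len(vsLabels))
	}
	var r VSReport
	for i := 0; i < len(cell); i++ {
		switch cell[i] {
		case '1':
			r.Found = append(r.Found, vsLabels[i])
		case '0':
			// flag clear, nothing found at this severity
		default:
			return VSReport{}, fmt.Errorf("VS cell %q: bad flag %q at position %d", cell, cell[i], i+1)
		}
	}
	r.Ambiguous = len(r.Found) == 0
	return r, nil
}

// RenderVS shows an all-zero cell as dashes so "not scanned" is not
// mistaken for "no vulnerabilities" (hypothetical rendering).
func RenderVS(cell string) (string, error) {
	r, err := DecodeVS(cell)
	if err != nil {
		return "", err
	}
	if r.Ambiguous {
		return strings.Repeat("-", len(vsLabels)), nil
	}
	return strings.TrimSpace(cell), nil
}

// Triage splits workloads into those with SEV-1 findings and those whose
// cell is ambiguous and needs a manual check (assumed grouping, not k9s behaviour).
func Triage(cells map[string]string) (critical, ambiguous []string, err error) {
	for name, cell := range cells {
		r, derr := DecodeVS(cell)
		if derr != nil {
			return nil, nil, derr
		}
		if r.Ambiguous {
			ambiguous = append(ambiguous, name)
			continue
		}
		for _, sev := range r.Found {
			if sev == "SEV-1" {
				critical = append(critical, name)
				break
			}
		}
	}
	sort.Strings(critical)
	sort.Strings(ambiguous)
	return critical, ambiguous, nil
}

func main() {
	// Constructed sample: workload name -> VS cell as it would appear in the column.
	sample := map[string]string{
		"deploy/api":       "100001",
		"deploy/worker":    "000110",
		"ds/private-agent": "000000",
		"rs/cache":         "010000",
	}
	crit, amb, err := Triage(sample)
	fmt.Println("critical:", crit, "ambiguous:", amb, "err:", err)
	for name, cell := range sample {
		shown, _ := RenderVS(cell)
		fmt.Printf("%-18s %s\n", name, shown)
	}
}
```

Running it lists `deploy/api` as critical and `ds/private-agent` as ambiguous, and prints the latter's cell as `------`; the point is that an all-zero cell should trigger a check of where the image was pulled from, not be read as a clean scan.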
This issue is stale because it has been open for 30 days with no activity.