
Built on top [KubeEye](https://github.com/kubesphere/kubekey), an open-source automatic inspection tool, KubeSphere Inspector is a cluster inspection SaaS service designed for multi-cloud Kubernetes environments. It helps users scan cluster vulnerabilities to detect possible risks and enhance cluster security, which ensures that Kubernetes clusters run securely, stably, and efficiently.

KubeSphere Inspector is applicable to the following use cases:

- **Ensure Kubernetes security**

   Eliminates Kubernetes vulnerabilities and blind spots and leverages DevSecOps to ensure Kubernetes and container security.

- **Meet compliance and security audit requirements**

   Detects whether security configurations and permission management comply with regulations to prevent potential problems from affecting security audit.

- **Diagnose cluster abnormalities**

   Detects cluster abnormalities in time and makes optimization suggestions to ensure that clusters always run stably and efficiently.

- **Reduce costs**

   Collects resource consumption statistics and makes resource optimization suggestions to prevent resource overuse and reduce the cost of using Kubernetes.




Describes features and use cases of KubeSphere Inspector.

Overview


This topic introduces the billing items, subscriptions, and renewal methods of KubeSphere Inspector.

## Billing items

KubeSphere Inspector is billed based on the number of protected clusters, that is, inspection times.

## Billing mode

KubeSphere Inspector is charged on a monthly, quarterly, and yearly basis.

## Subscriptions

For registered new users, KubeSphere Inspector offers a one-month free trial of the Standard subscription. After the trial period ends, you can use the free version. In case that you have demanding cluster inspection requirements, we offer the Standard, Professional, and Exclusive subscriptions. The following table lists differences between these versions.

   <table border="1">
    <tbody>
      <tr>
      	<th width="10%">Version</th>
       	<th width="15%">Applicable To</th>
       	<th width="15%">Protected Clusters (Times/Month)</th>
       	<th width="15%">Simultaneously Inspected Clusters</th>
        <th width="20%">Retained Duration of Reports (Day)</th>
        <th width="10%">Service Hours</th>
        <th width="15%">Pricing</th>
      </tr>
      <tr>
        <td>Free</td>
        <td>Individuals</td>
        <td>2</td>
        <td>1</td>
        <td>3</td>
        <td>Community support</td>
        <td>Free</td>
      </tr>
      <tr>
        <td>Standard</td>
        <td>Small and medium-sized teams</td>
        <td>50</td>
        <td>3</td>
        <td>30</td>
        <td>8 x 5 (GMT+8, working hours)</td>
        <td>USD 30/month; 85/quarter; 300/year</td>
      </tr>
      <tr>
        <td>Professional</td>
        <td>Routine inspection by small and medium-sized enterprises</td>
        <td>300</td>
        <td>10</td>
        <td>90</td>
        <td>8 x 5 (GMT+8, working hours)</td>
        <td>USD 80/month; 220/quarter; 800/year</td>
      </tr>
      <tr>
         <td>Exclusive</td>
         <td>Small and medium-sized enterprises with demanding inspection requirements</td>
        <td>Customizable</td>
        <td>Customizable</td>
        <td>180 days by default, and customization supported</td>
        <td>24 x 7</td>
        <td>Contact the sales personnel</td>
      </tr>
    </tbody>
  </table>

  <Notice type='note'>

  The Free version does not support the ability to export inspection reports or configure email notifications for inspection reports. If you need to use these features, please upgrade to a higher version.

  </Notice>

## Change of subscription

After you subscribe to the service, you can change your subscription according to your needs. The billing formula is described as follows:

Amount paid = Amount payable of new subscription － (Amount payable of current subscription/Days of current subscription) x (Days of current subscription － Used days of current subscription)

<Notice type='note'>

When you upgrade the subscription, the subscription duration of the new subscription must be equal to or greater than the current subscription duration. For example, if your current subscription has a duration of one quarter, then the new subscription duration can only be one quarter or one year.

</Notice>

## Renewal

The Service currently supports renewal of the same subscription or upgrading to a higher-level subscription. Renewal to a lower-level subscription is not supported.

If you renew the current subscription before it expires, the current subscription ends immediately, and a new subscription duration will begin.

## Out of credit

The Service will send you a notice starting from 7 days before your subscription expires. You can click **Subscribe Now** to renew your subscription. On the last day of each month, if you have not used up the inspection times, it will be automatically reset to zero.

If you fail to renew in a timely manner, after your subscription expires, KubeSphere Inspector will continue providing the Free service, but you only have two inspection times.


Introduces the billing items, subscriptions, and renewal methods of KubeSphere Inspector.

Billing

Describes KubeSphere Inspector on the KubeSphere Cloud platform.

KubeSphere Inspector


This topic walks you through the process of enabling KubeSphere Inspector, inspecting clusters, and viewing the inspection reports.

## Prerequisites

You have [imported an existing cluster](../../ks-backup/quickstart/import-k8s-cluster/) or [created a lite cluster](../../ks-lite/quickstart/create-lite-cluster/), and the cluster in the **Ready** state.

## Enabling the cluster inspection component

1. Log in to the KubeSphere Cloud platform with your account.

2. In the upper-right corner, hover your cursor over the username area and click **Console** from the drop-down list.

3. In the navigation pane on the left, click **Cluster Inspection**.

4. On the **Inspection List** page, locate **Clusters to Inspect**, and click **On** in the target cluster area.

   <Notice type='note'>

   You can also enable KubeSphere Inspector cluster on the **Overview** and **Resource Management** pages.

   </Notice>

5. On the **Install Cluster Inspection Component** dialog box, click **Confirm**. The system automatically installs the cluster inspection component.

   <Notice type='warning'>

   If the version of your inspection component is low, the system will prompt you to upgrade the inspection component. You can not cancel or roll back the upgrade. After the upgrade is completed, the previous inspection reports will not be saved. If you need to keep a record of the inspection results, please make a backup before upgrading.

   </Notice>

## Inspect clusters

Both manual and scheduled inspection are supported.

If you want to manually inspect clusters, you can click **Inspect Clusters** in the **Inspected Clusters** area after cluster inspection component has been installed. If you want to set up scheduled inspections, follow these steps:

1. In the **Inspected Clusters** area of the **Inspection List** page, click the target cluster to go to the details page.

2. In the **Cluster Info** area on the right of the page, click **Scheduled**.

3. In the **Enable Scheduled Inspection** dialog box, set the time zone, inspection frequency, and inspection time, and then click **OK**.

   In the **Cluster Info** area, you can view the **Scheduled Policy** and **Next Inspection Time**.

4. If you want to disable the scheduled inspection, click the button next to **Scheduled**.

## View the inspection result

1. After the inspection is completed, in the **Inspected Clusters** area of the **Inspection List** page, click the target cluster to go to the details page.

2. In the **Overview** area, select the inspection time period to view the health check items and health score. The severity of clusters is highlighted and classified into **Normal**, **Warning**, **Risky**, and **Ignore**.

3. Click **Health Trend** to view the health trend of the cluster.

4. In the lower part, you can view the following information.

   <table border="1">
     <tbody>
     	<tr>
       	<th width="30%">Parameter</th>
        <th width="70%">Description</th>
       </tr>
       <tr>
       	<td><b>Inspection Name</b></td>
         <td>System-generated name of the inspection task.</td>
       </tr>
       <tr>
       	<td><b>Start Time</b></td>
         <td>Time when the inspection starts.</td>
       </tr>
       <tr>
       	<td><b>End Time</b></td>
         <td>Time when the inspection ends.</td>
       </tr>
       <tr>
       	<td><b>Health Score</b></td>
         <td>Health score of clusters.</td>
       </tr>
       <tr>
       	<td><b>Check Item</b></td>
         <td>
         	You can click the inspection name to expand its details page, where you can search for alerts of the target resources, or you can filter the alerts. Inspection items include the following:
           <ul>
             <li>Resource Name: name of the inspected resource.</li>
             <li>Resource Name: resource type, such as deployment and node.</li>
             <li>Cluster Resources: whether it belongs to cluster resources.</li>
             <li>Namespace: namespace where the alert is reported.</li>
             <li>Alerts: after you click the alert, alert description, solution, reference, and sample will be displayed on the right of the page.</li>
           </ul>
         </td>
       </tr>
       <tr>
       	<td><b>Status</b></td>
         <td>Status of the inspection task.</td>
       </tr>
     </tbody>
   </table>

## View inspection reports

After inspection reports are generated, you can either export the reports to the local or set an email for receiving the reports.
### Export inspection reports

1. In the **Overview** area of the details page, click **Export Report**.

2. In the **Export Cluster Inspection Report** dialog box, set the time range for the inspection report, and click  **Export**.

3. Open the exported report, and you can view the following information.

   <table border="1">
     <tbody>
     	<tr>
       	<th width="30%">Parameter</th>
        <th width="70%">Description</th>
       </tr>
       <tr>
       	<td><b>Namespace</b></td>
         <td>Namespace where the alert is reported.</td>
       </tr>
       <tr>
       	<td><b>Resource Type</b></td>
         <td>Type of inspection resources.</td>
       </tr>
       <tr>
       	<td><b>Inspection Info</b></td>
         <td>Name of the inspection item.</td>
       </tr>
       <tr>
       	<td><b>Severity</b></td>
         <td>Severity of an alert.</td>
       </tr>
       <tr>
       	<td><b>Best Practice</b></td>
         <td>Solutions for reference.</td>
       </tr>
     </tbody>
   </table>

   <Notice type='note'>

   For more information about alerts and solutions of inspected clusters, refer to [View inspection items and solutions](../user-guide/view-items-and-solutions/).

   Please note that the solutions mentioned in the **Best Practices** tab page are for reference only. Please handle them based on your actual situation.

   </Notice>

### Set an email for receiving reports

1. In the **Cluster info** area on the right, click the button next to **Email Report** to set an email.

2. In the confirmation dialog box, click **Yes** to go to the **Account Settings** page.

3. In the **Work email** area, set an email for receiving the reports. You can view the email address in the **Cluster info** area after the email has been set successfully.

Describes how to use KubeSphere Inspector on KubeSphere Cloud.

QuickStart


This topic describes how to view inspection items and solutions on KubeSphere Cloud.

## Alert severity: risky

### NoCPULimits

**Alert description**: CPU limits are not set, so some malicious applications may occupy most available CPU resources, resulting in excessive resource consumption.

**Solution**: Set CPU limits for each container. For mission-critical or user-facing applications, for example, KubeEye, you are advised to set higher CPU limits.

**Reference**: <https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/>.

**Example**

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
  - name: demo
    image: demo
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "64Mi"
        cpu: "250m"
```

### NoCPURequests

**Alert description**: CPU requests are not set.

**Solution**: Set CPU requests for each container. For mission-critical or user-facing applications, for example, KubeEye, you are advised to set the same value for the CPU limits and CPU requests to ensure that application resources are exclusive.

**Reference**: <https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/>.

**Example**

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
  - name: demo
    image: demo
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "64Mi"
        cpu: "250m"
```

### HostNetworkAllowed

**Alert description**: The host network is enabled, so that a container is allowed to share its host's network namespace, access local network listeners, and leverage it to probe the host's local network.

**Solution**: Set **hostNetwork** to **false**.

**Reference**: <https://kubernetes.io/docs/concepts/security/pod-security-policy/>.

**Example**

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  hostNetwork: false
```

### HostPIDAllowed

**Alert description**: When this value is enabled, containers in the same pod can share the same PID namespace. This will result in elevated privileges when **ptrace** is set to **true**.

**Solution**: Set **hostPID** to **false**.

**Reference**: <https://kubernetes.io/docs/concepts/security/pod-security-policy/>.

**Example**

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  hostPID: false
```

### NotRunAsNonRoot

**Alert description**: If **runAsNonRoot** and **runAsUser** are not set in a pod，**runAsNonRoot** will be set to **true**. In this case, you are advised to set **allowPrivilegeEscalation** to **false**.

**Solution**: Set **readOnlyRootFilesystem** to **true**.

**Reference**: <https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment/>.

**Example**

```yaml

apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
  - name: demo
    image: demo
  securityContext:
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    runAsNonRoot: true
```

### NoMemoryLimits

**Alert description**: Memory limits are not set, so some malicious applications may occupy most available memory resources.

**Solution**: Set memory limits for each container. For mission-critical or user-facing applications, for example, KubeEye, you are advised to set higher memory limits.

**Reference**: <https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/>.

**Example**

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
  - name: demo
    image: demo
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "64Mi"
        cpu: "250m"
```

### NoMemoryRequests

**Alert description**: Memory requests are not set.

**Solution**: Set memory requests for each container. For mission-critical or user-facing applications, for example, KubeEye, you are advised to set the same value for the memory limits and memory requests to ensure that application resources are exclusive.

**Reference**: <https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/>.

**Example**

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
  - name: demo
    image: demo
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "64Mi"
        cpu: "250m"
```

### PrivilegedAllowed

**Alert description**: In Linux, you can enable the privileged mode using the `privileged` parameter for containers in the same pod. This parameter is useful for containers that require OS privileges.

**Solution**: Set **allowPrivilegeEscalation** to **false**.

**Reference**: <https://kubernetes.io/docs/concepts/workloads/pods/>.

**Example**

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
  - name: demo
    image: demo
  securityContext:
    allowPrivilegeEscalation: false
```

## Alert severity: warning

### ImagePullPolicyNotAlways

**Alert description**: Whenever the kubelet launches a container, it queries the container's image registry and resolves the name to an image digest. If the kubelet has a container image and its corresponding digest is already cached locally, the kubelet uses the cached image. Otherwise, the kubelet pulls the image with the resolved digest and uses that image to launch the container.

**Solution**: Set **imagePullPolicy** to **Always**.

**Reference**: <https://kubernetes.io/docs/concepts/containers/images/>.

**Example**

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
  - name: demo
    image: demo
    imagePullPolicy: Always
```


### NotReadOnlyRootFilesystem

**Alert description**: Containers are required to run with the root file system mounted as read-only, meaning that writable layers are not allowed.

**Solution**: Set **readOnlyRootFilesystem** to **true**.

**Reference**: <https://kubernetes.io/docs/concepts/security/pod-security-policy/>.

**Example**

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  readOnlyRootFilesystem: true
  containers:
  - name: demo
    image: demo
```

### InsecureCapabilities

**Alert description**: Enabling insecure capabilities results in elevated privileges of pods, for example, the KILL capability grants the container the ability to kill host processes.

**Solution**: Do not enable insecure capabilities, such as CHOWN, FSETID, SETFCAP, SETPCAP, and KILL.

**Reference**: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/>.

**Example**

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
  - name: demo
    image: demo
    imagePullPolicy: Always
```

### NoReadinessProbe

**Alert description**: Note that if **readinessProbe** is not set correctly, the number of processes in a container may keep increasing, which will potentially lead to resource exhaustion.

**Solution**: Set **readinessProbe** properly.

**Reference**: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/>.

**Example**

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
  - name: demo
    image: demo
    readinessProbe:
      httpGet:
        path: /healthy
        port: 8080
      initialDelaySeconds: 5
      periodSeconds: 5
```

### NoLivenessProbe

**Alert description**: **livenessProbe** is used to detect and handle the application damage status.

**Solution**: Set **livenessProbe** properly.

**Reference**: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/>.

**Example**

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
  - name: demo
    image: demo
    livenessProbe:
      httpGet:
        path: /healthz
        port: 8080
      initialDelaySeconds: 5
      periodSeconds: 5
```

### CanImpersonateUser

**Alert description**: A user can act as another user through impersonation headers. These let requests manually override the user info a request authenticates as. For example, an admin could use this feature to debug an authorization policy by temporarily impersonating another user and seeing if a request was denied.

**Solution**: Impersonating a user or group allows you to perform any action as if you were that user or group; for that reason, impersonation is not namespace scoped. If you want to allow impersonation using Kubernetes RBAC, this requires using a ClusterRole and a ClusterRoleBinding, not a Role and RoleBinding.

**Reference**: <https://kubernetes.io/docs/reference/access-authn-authz/authentication/>.



### CanModifyWorkloads

**Alert description**: Users are allowed to create, modify, and delete workloads.

**Solution**: Check RBAC settings.

**Reference**: <https://kubernetes.io/docs/reference/access-authn-authz/rbac/>.

**Example**

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
  - name: demo
    image: demo
  securityContext:
    allowPrivilegeEscalation: false
```




Describe how to view inspection items and solutions.

View inspection items and solutions


This topic describes how to suspend KubeSphere Inspector on the KubeSphere Cloud platform.

## Prerequisites

You have [installed the KubeSphere Inspector component](../enable-cluster-inspector/), and the cluster in the **Ready** state.

## Procedure

1. Log in to the KubeSphere Cloud Platform with your account.

2. In the upper-right corner, hover your cursor over the username area and click **Console** from the drop-down list.

3. In the navigation pane on the left, click **Cluster Inspection**.

4. On the **Inspection List** page, locate **Inspected Clusters**, click <img src='/images/docs/ks-inspector/drop-down.svg' width='15px'/>, and click **Suspend** from the drop-down list.

5. In the **Suspend Cluster Inspection Component** dialog box, click **Suspend anyway > Suspend**. You can view the suspended cluster in the **Suspended Clusters** area.

   <Notice type='note'>

   After suspending the cluster inspection component, you will not be able to inspect clusters. However, your inspection history will be retained.

   </Notice>

6. To resume cluster inspection, in the **Suspended Clusters** area, click <img src='/images/docs/ks-inspector/drop-down.svg' width='15px'/> in the upper right corner of the target cluster, and click **Resume** from the drop-down list.


Describes how to suspend KubeSphere Inspector on KubeSphere Cloud.

Suspend and resume KubeSphere Inspector


This topic describes how to uninstall KubeSphere Inspector on the KubeSphere Cloud platform.

## Prerequisites

You have [installed the KubeSphere Inspector component](../enable-cluster-inspector/), and the cluster in the **Ready** state.

## Procedure

1. Log in to the KubeSphere Cloud platform with your account.

2. In the upper-right corner, hover your cursor over the username area and click **Console** from the drop-down list.

3. In the navigation pane on the left, click **Cluster Inspection**.

4. On the **Inspection List** page, locate **Inspected Clusters**, click <img src='/images/docs/ks-inspector/drop-down.svg' width='15px'/>, and click **Uninstall** from the drop-down list.

5. In the **Uninstall Cluster Inspection Component** dialog box, click **Uninstall**.

   <Notice type='note'>

   Exercise caution when you uninstall the component, because you will not be able to use the health check and security enforcement features.
   If the uninstallation fails, click **Uninstall** again, and select **Forcibly uninstall the component**. In the **Clusters to Inspect** area, you can view the uninstalled cluster.
   </Notice>

6. Run the following command to check whether the inspection component has been uninstalled. If **not found** is displayed, the uninstallation is successful.

   ```bash
    kubectl get deploy kubeeye-controller-manager -n kubesphere-cloud-system
    ```

7. If the inspection component still runs in the cluster, run the following command to manually uninstall it:

   ```bash
    kubectl delete -f https://kubesphere.cloud/clusterinsight/v1/auditmanifest
    ```


Describes how to uninstall KubeSphere Inspector on KubeSphere Cloud.

Uninstall KubeSphere Inspector

Introduce how to use KubeSphere Inspector.

User Guide

Built on top of open-source cluster inspection tool KubeEye, KubeSphere Inspector is a cluster inspection SaaS service designed for multi-cloud Kubernetes environments.