Kubernetes Managed

Visualize Kubernetes resources and monitor changes through queries and alerts.

Installation
Data Model
Types

Installation

Prerequisites

Before installing the Kubernetes Managed integration, you must have a Kubernetes collector running. For instructions on setting up the Kubernetes collector, see the Kubernetes collector documentation.

Configuration in JupiterOne

Navigate to the Integrations tab in JupiterOne and select Kubernetes Managed.
Click New Instance to begin configuring your integration and provide the following:
- The Account Name used to identify the Kubernetes account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when the AccountName toggle is enabled.
- Description to assist in identifying the integration instance, if desired.
- When prompted about where should this run, select the Kubernetes collector you created in the prerequisites.
Click Create after all values are provided and your instance appears in the list of all your Kubernetes Managed instances.

RBAC

The Kubernetes collector installs with a ClusterRole that provides read-only access to Kubernetes resources. The collector has permissions to get, list, and watch the following:

Core Resources:

Pods, namespaces, service accounts, config maps, nodes, services, secrets, and events

Application Workloads:

Deployments, replica sets, stateful sets, daemon sets, jobs, and cron jobs

Networking:

Ingresses and network policies

RBAC and Security:

Cluster roles, cluster role bindings, roles, and role bindings
Self-subject access reviews and subject access reviews
Token reviews

Extensions:

All resources in the extensions API group

Integration Management:

Integration instance jobs, integration runners, and their status and finalizers (for managing integration workloads)

All permissions are read-only (get, list, watch) and do not allow modification of any cluster resources.

Next steps

Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.

Entities

The following entities are created:

Resources	Entity `_type`	Entity `_class`
Kubernetes Certificate Signing Request	`kube_certificate_signing_request`	Certificate
Kubernetes Cluster	`kube_cluster`	Cluster
Kubernetes Cluster Role	`kube_cluster_role`	AccessRole
Kubernetes Cluster Role Binding	`kube_cluster_role_binding`	AccessPolicy
Kubernetes ConfigMap	`kube_config_map`	Configuration
Kubernetes Container	`kube_container`	Container
Kubernetes CronJob	`kube_cron_job`	Task
Kubernetes DaemonSet	`kube_daemon_set`	Deployment
Kubernetes Deployment	`kube_deployment`	Deployment
Kubernetes Image	`kube_image`	Image
Kubernetes Ingress	`kube_ingress`	Gateway
Kubernetes Job	`kube_job`	Task
Kubernetes Namespace	`kube_namespace`	Group
Kubernetes Network Policy	`kube_network_policy`	Configuration
Kubernetes Node	`kube_node`	Host
Kubernetes Pod	`kube_pod`	Task
Kubernetes ReplicaSet	`kube_replica_set`	Deployment
Kubernetes Role	`kube_role`	AccessRole
Kubernetes Role Binding	`kube_role_binding`	AccessPolicy
Kubernetes Secret	`kube_secret`	Secret
Kubernetes Service	`kube_service`	Service
Kubernetes Service Account	`kube_service_account`	User
Kubernetes StatefulSet	`kube_stateful_set`	Deployment
Kubernetes User	`kube_user`	User
Kubernetes Volume	`kube_volume`	Disk

Relationships

The following relationships are created:

Source Entity `_type`	Relationship `_class`	Target Entity `_type`
`kube_cluster`	CONTAINS	`kube_node`
`kube_cluster`	CONTAINS	`kube_namespace`
`kube_cluster`	CONTAINS	`kube_cluster_role`
`kube_cluster`	CONTAINS	`kube_cluster_role_binding`
`kube_cluster`	CONTAINS	`kube_user`
`kube_cluster`	CONTAINS	`kube_certificate_signing_request`
`kube_cluster_role`	ASSIGNED	`kube_cluster_role_binding`
`kube_cluster_role_binding`	ASSIGNED	`kube_service_account`
`kube_container`	CONTAINS	`kube_pod`
`kube_container`	USES	`kube_image`
`kube_cron_job`	MANAGES	`kube_job`
`kube_daemon_set`	MANAGES	`kube_pod`
`kube_ingress`	CONNECTS	`kube_service`
`kube_job`	CONTAINS	`kube_namespace`
`kube_job`	MANAGES	`kube_pod`
`kube_namespace`	CONTAINS	`kube_role`
`kube_namespace`	CONTAINS	`kube_role_binding`
`kube_namespace`	CONTAINS	`kube_cron_job`
`kube_namespace`	CONTAINS	`kube_daemon_set`
`kube_namespace`	CONTAINS	`kube_config_map`
`kube_namespace`	CONTAINS	`kube_secret`
`kube_namespace`	CONTAINS	`kube_deployment`
`kube_namespace`	CONTAINS	`kube_replica_set`
`kube_namespace`	CONTAINS	`kube_network_policy`
`kube_namespace`	CONTAINS	`kube_ingress`
`kube_namespace`	CONTAINS	`kube_service`
`kube_pod`	CONTAINS	`kube_namespace`
`kube_pod`	USES	`kube_secret`
`kube_pod`	USES	`kube_volume`
`kube_pod`	HAS	`kube_certificate_signing_request`
`kube_replica_set`	MANAGES	`kube_pod`
`kube_role_binding`	USES	`kube_role`
`kube_role_binding`	USES	`kube_cluster_role`
`kube_role_binding`	ASSIGNED	`kube_service_account`
`kube_service`	CONNECTS	`kube_pod`
`kube_service_account`	CONTAINS	`kube_namespace`
`kube_stateful_set`	CONTAINS	`kube_namespace`
`kube_stateful_set`	MANAGES	`kube_pod`
`kube_volume`	USES	`kube_config_map`

Kube Certificate Signing Request

kube_certificate_signing_request inherits from Certificate

Property	Type	Description	Specifications
`groups`	`array` of `string`s
`signerName`	`string`
`status.lastUpdatedOn`	`number`
`status.message`	`string`
`status.reason`	`string`
`status.type`	`string`
`subject.commonName`	`string`
`subject.dnsSAN`	`array` of `string`s
`subject.organization`	`string`
`uid` *	`string`
`usages`	`array` of `string`s
`userId`	`string`
`username`	`string`

Kube Cluster

kube_cluster inherits from Cluster

Property	Type	Description	Specifications
`server` *	`string`
`skipTlsVerify` *	`boolean`

Kube Cluster Role

kube_cluster_role inherits from AccessRole

Property	Type	Description	Specifications
`apiVersion`	`string`
`deletionGracePeriodSeconds`	`number`
`deletionOn`	`number`
`kind`	`string`
`namespace`	`string`
`resourceVersion`	`string`

Kube Cluster Role Binding

kube_cluster_role_binding inherits from AccessPolicy

Property	Type	Description	Specifications
`apiVersion`	`string`
`deletionGracePeriodSeconds`	`number`
`deletionOn`	`number`
`kind`	`string`
`namespace`	`string`
`resourceVersion`	`string`

Kube Config Map

kube_config_map inherits from Configuration

Property	Type	Description	Specifications
`apiVersion`	`string`
`binaryDataKeys`	`array` of `string`s
`dataKeys`	`array` of `string`s
`deletionGracePeriodSeconds`	`number`
`deletionOn`	`number`
`immutable`	`boolean`
`kind`	`string`
`namespace`	`string`
`resourceVersion`	`string`

Kube Container

kube_container inherits from Container

Property	Type	Description	Specifications
`allowPrivilegeEscalation`	`boolean`
`appArmorProfile.localhostProfile`	`string`
`appArmorProfile.type`	`string`
`args`	`array` of `string`s
`command`	`array` of `string`s
`containerId`	`string`
`cpuLimit`	`string`
`cpuRequest`	`string`
`finishedAt`	`number`
`hasStarted`	`boolean`
`image`	`string`
`imagePullPolicy`	`string`
`isReady`	`boolean`
`isUsingEnvironmentVariableSecrets`	`boolean`
`memoryLimit`	`string`
`memoryRequest`	`string`
`namespace`	`string`
`normalizedCpuLimit`	`number`
`normalizedCpuRequest`	`number`
`normalizedMemoryLimit`	`number`
`normalizedMemoryRequest`	`number`
`privileged`	`boolean`
`procMount`	`string`
`readOnlyRoolFilesystem`	`boolean`
`restartCount`	`number`
`runAsGroup`	`number`
`runAsNonRoot`	`boolean`
`runAsUser`	`number`
`running`	`boolean`
`seccompProfile.localhostProfile`	`string`
`seccompProfile.type`	`string`
`seLinuxOptions.level`	`string`
`seLinuxOptions.role`	`string`
`seLinuxOptions.type`	`string`
`seLinuxOptions.user`	`string`
`startedAt`	`number`
`terminated`	`boolean`
`terminatedExitCode`	`number`
`terminationMessagePath`	`string`
`terminationMessagePolicy`	`string`
`type`	`string`
`waiting`	`boolean`
`waitingMessage`	`string`
`waitingReason`	`string`
`windowsOptions.gmsaCredentialSpec`	`string`
`windowsOptions.gmsaCredentialSpecName`	`string`
`windowsOptions.hostProcess`	`boolean`
`windowsOptions.runAsUserName`	`string`

Kube Cron Job

kube_cron_job inherits from Task

Property	Type	Description	Specifications
`apiVersion`	`string`
`concurrencyPolicy`	`string`
`deletionGracePeriodSeconds`	`number`
`deletionOn`	`number`
`failedJobsHistoryLimit`	`number`
`kind`	`string`
`lastScheduledOn`	`number`
`lastSuccessfulOn`	`number`
`namespace`	`string`
`resourceVersion`	`string`
`schedule`	`string`
`startingDeadlineSeconds`	`number`
`successfulJobsHistoryLimit`	`number`
`suspend`	`boolean`
`timeZone`	`string`

Kube Daemon Set

kube_daemon_set inherits from Deployment

Property	Type	Description	Specifications
`apiVersion`	`string`
`collisionCount`	`number`
`currentNumberScheduled`	`number`
`deletionGracePeriodSeconds`	`number`
`deletionOn`	`number`
`desiredNumberScheduled`	`number`
`kind`	`string`
`minReadySeconds`	`number`
`namespace`	`string`
`numberAvailable`	`number`
`numberMisscheduled`	`number`
`numberReady`	`number`
`numberUnavailable`	`number`
`observedGeneration`	`number`
`resourceVersion`	`string`
`revisionHistoryLimit`	`number`
`updatedNumberScheduled`	`number`
`updateStrategyType`	`string`

Kube Deployment

kube_deployment inherits from Deployment

Property	Type	Description	Specifications
`apiVersion`	`string`
`availableReplicas`	`number`
`collisionCount`	`number`
`deletionGracePeriodSeconds`	`number`
`deletionOn`	`number`
`kind`	`string`
`minReadySeconds`	`number`
`namespace`	`string`
`observedGeneration`	`number`
`paused`	`boolean`
`progressDeadlineSeconds`	`number`
`readyReplicas`	`number`
`replicas`	`number`
`resourceVersion`	`string`
`revisionHistoryLimit`	`number`
`statusReplicas`	`number`
`strategyType`	`string`
`unavailableReplicas`	`number`
`updatedReplicas`	`number`

Kube Image

kube_image inherits from Image

Property	Type	Description	Specifications
`digest`	`string`
`imageId`	`string`

Kube Ingress

kube_ingress inherits from Gateway

Property	Type	Description	Specifications
`category` *	`array` of `string`s
`deletionOn`	`number`
`finalizers`	`array` of `string`s
`function` *	`array` of `string`s
`generation`	`number`
`hasDefaultBackend`	`boolean`
`hosts`	`array` of `string`s
`ingressClassName`	`string`
`namespace`	`string`
`paths`	`array` of `string`s
`public` *	`boolean`
`resourceVersion`	`string`
`status.loadBalancer.ingress`	`array` of `string`s
`tlsEnabled`	`boolean`
`tlsHosts`	`array` of `string`s
`tlsSecretNames`	`array` of `string`s

Kube Job

kube_job inherits from Task

Property	Type	Description	Specifications
`activeDeadlineSeconds`	`number`
`backoffLimit`	`number`
`completions`	`number`
`createdOn`	`number`
`deletedOn`	`number`
`deletionGracePeriodSeconds`	`number`
`generation`	`number`
`manualSelector`	`boolean`
`namespace`	`string`
`parallelism`	`number`
`resourceVersion`	`string`
`status.active`	`number`
`status.completionTime`	`number`
`status.failed`	`number`
`status.startTime`	`number`
`status.succeeded`	`number`
`ttlSecondsAfterFinished`	`number`

Kube Namespace

kube_namespace inherits from Group

Property	Type	Description	Specifications
`createdOn`	`number`
`deletionGracePeriodSeconds`	`number`
`finalizers`	`array` of `string`s
`generation`	`number`
`ownerNames`	`array` of `string`s
`resourceVersion`	`string`
`status.phase`	`string`

Kube Network Policy

kube_network_policy inherits from Configuration

Property	Type	Description	Specifications
`apiVersion`	`string`
`deletionGracePeriodSeconds`	`number`
`deletionOn`	`number`
`kind`	`string`
`namespace`	`string`
`podSelectorMatchExpressions`	`string`
`policyTypes`	`array` of `string`s
`resourceVersion`	`string`

Kube Node

kube_node inherits from Host

Property	Type	Description	Specifications
`architecture`	`string`
`capacity.cpu`	`string`
`capacity.memory`	`string`
`capacity.pods`	`string`
`containerRuntimeVersion`	`string`
`kernelVersion`	`string`
`kubeletVersion`	`string`
`operatingSystem`	`string`
`osImage`	`string`
`providerID`	`string`
`unschedulable` *	`boolean`

Kube Pod

kube_pod inherits from Task

Property	Type	Description	Specifications
`activeDeadlineSeconds`	`number`
`automountServiceAccountToken`	`boolean`
`cpuLimit`	`string`
`cpuRequest`	`string`
`deletionGracePeriodSeconds`	`number`
`dnsPolicy`	`string`
`enableServiceLinks`	`boolean`
`finalizers`	`array` of `string`s
`generation`	`number`
`hasSecurityContext`	`boolean`
`hostIPC`	`boolean`
`hostname`	`string`
`hostNetwork`	`boolean`
`hostPID`	`boolean`
`imagePullSecrets`	`array` of `string`s
`memoryLimit`	`string`
`memoryRequest`	`string`
`namespace`	`string`
`nodeName`	`string`
`normalizedCpuLimit`	`number`
`normalizedCpuRequest`	`number`
`normalizedMemoryLimit`	`number`
`normalizedMemoryRequest`	`number`
`podAnnotations`	`array` of `string`s
`preemptionPolicy`	`string`
`priority`	`number`
`priorityClassName`	`string`
`resourceVersion`	`string`
`restartPolicy`	`string`
`runtimeClassName`	`string`
`schedulerName`	`string`
`securityContext.apparmorProfile.localhostProfile`	`string`
`securityContext.apparmorProfile.type`	`string`
`securityContext.fsGroup`	`number`
`securityContext.fsGroupChangePolicy`	`string`
`securityContext.runAsGroup`	`number`
`securityContext.runAsNonRoot`	`boolean`
`securityContext.runAsUser`	`number`
`securityContext.seccompProfile.localhostProfile`	`string`
`securityContext.seccompProfile.type`	`string`
`securityContext.seLinuxChangePolicy`	`string`
`securityContext.seLinuxOptions.level`	`string`
`securityContext.seLinuxOptions.role`	`string`
`securityContext.seLinuxOptions.type`	`string`
`securityContext.seLinuxOptions.user`	`string`
`securityContext.supplementalGroups`	`array` of `number`s
`securityContext.supplementalGroupsPolicy`	`string`
`securityContext.sysctls`	`array` of `string`s
`securityContext.windowsOptions.gmsaCredentialSpec`	`string`
`securityContext.windowsOptions.gmsaCredentialSpecName`	`string`
`securityContext.windowsOptions.hostProcess`	`boolean`
`securityContext.windowsOptions.runAsUserName`	`string`
`serviceAccount`	`string`
`serviceAccountName`	`string`
`setHostnameAsFQDN`	`boolean`
`shareProcessNamespace`	`boolean`
`status.hostIP`	`string`
`status.hostIPs`	`array` of `string`s
`status.message`	`string`
`status.nominatedNodeName`	`string`
`status.phase`	`string`
`status.podIP`	`string`
`status.podIPs`	`array` of `string`s
`status.qosClass`	`string`
`status.reason`	`string`
`status.startTime`	`number`
`subdomain`	`string`
`terminationGracePeriodSeconds`	`number`

Kube Replica Set

kube_replica_set inherits from Deployment

Property	Type	Description	Specifications
`annotations`	`array` of `string`s
`apiVersion`	`string`
`currentSize`	`number`
`desiredSize`	`number`
`generation`	`number`
`kind`	`string`
`labels`	`array` of `string`s
`minReadySeconds`	`number`
`namespace`	`string`
`ownerReferences`	`array` of `string`s
`resourceVersion`	`string`
`selector`	`string`
`status.availableReplicas`	`number`
`status.fullyLabeledReplicas`	`number`
`status.observedGeneration`	`number`
`status.readyReplicas`	`number`

Kube Role

kube_role inherits from AccessRole

Property	Type	Description	Specifications
`apiVersion`	`string`
`deletionGracePeriodSeconds`	`number`
`deletionOn`	`number`
`kind`	`string`
`namespace` *	`string`
`resourceVersion`	`string`

Kube Role Binding

kube_role_binding inherits from AccessPolicy

Property	Type	Description	Specifications
`admin`	`boolean`
`apiVersion`	`string`
`deletionGracePeriodSeconds`	`number`
`deletionOn`	`number`
`kind`	`string`
`namespace` *	`string`
`resourceVersion`	`string`
`roleRefApiGroup`	`string`
`roleRefKind`	`string`
`roleRefName`	`string`
`subjectCount`	`number`
`subjects`	`array` of `string`s

Kube Secret

kube_secret inherits from Secret

Property	Type	Description	Specifications
`apiVersion`	`string`
`deletionGracePeriodSeconds`	`number`
`deletionOn`	`number`
`immutable`	`boolean`
`kind`	`string`
`namespace`	`string`
`resourceVersion`	`string`
`type`	`string`

Kube Service

kube_service inherits from Service

Property	Type	Description	Specifications
`allocateLoadBalancerNodePorts`	`boolean`
`category` *	`array` of `string`s
`clusterIP`	`string`
`clusterIPs`	`array` of `string`s
`deletionGracePeriodSeconds`	`number`
`endpoints`	`array` of `string`s
`externalIPs`	`array` of `string`s
`externalName`	`string`
`externalTrafficPolicy`	`string`
`function` *	`array` of `string`s
`healthCheckNodePort`	`number`
`ipFamilies`	`array` of `string`s
`ipFamilyPolicy`	`string`
`loadBalancerIP`	`string`
`loadBalancerSourceRanges`	`array` of `string`s
`namespace`	`string`
`portName`	`array` of `string`s
`portNumber`	`array` of `number`s
`protocol`	`array` of `string`s
`publishNotReadyAddresses`	`boolean`
`resourceVersion`	`string`
`selectors`	`array` of `string`s
`sessionAffinity`	`string`
`targetPort`	`array` of `string`s
`type`	`string`

Kube Service Account

kube_service_account inherits from User

Property	Type	Description	Specifications
`deletionGracePeriodSeconds`	`integer`
`generation`	`integer`
`namespace`	`string`
`resourceVersion`	`string`
`secretIds`	`array` of `string`s
`secretNames`	`array` of `string`s

Kube Stateful Set

kube_stateful_set inherits from Deployment

Property	Type	Description	Specifications
`deletionGracePeriodSeconds`	`number`
`generation`	`number`
`namespace`	`string`
`podManagementPolicy`	`string`
`replicas`	`number`
`resourceVersion`	`string`
`revisionHistoryLimit`	`number`
`serviceName`	`string`
`status.collisionCount`	`number`
`status.currentReplicas`	`number`
`status.currentRevision`	`string`
`status.observedGeneration`	`number`
`status.readyReplicas`	`number`
`status.replicas`	`number`
`status.updatedReplicas`	`number`
`status.updateRevision`	`string`
`strategy.partition`	`number`
`strategy.type`	`string`

Kube User

kube_user inherits from User

Property	Type	Description	Specifications
`certFile`	`string`
`keyFile`	`string`

Kube Volume

kube_volume inherits from Disk

Property	Type	Description	Specifications
`awsVolumeID`	`string`
`azureDiskName`	`string`
`azureDiskURI`	`string`
`claimName`	`string`
`configMapName`	`string`
`csiDriver`	`string`
`csiFsType`	`string`
`csiReadOnly`	`boolean`
`emptyDirMedium`	`string`
`emptyDirSizeLimit`	`string`
`gcePdName`	`string`
`hostPath`	`string`
`hostPathType`	`string`
`namespace`	`string`
`nfsPath`	`string`
`nfsServer`	`string`
`readOnly`	`boolean`
`secretName`	`string`
`volumeName` *	`string`
`volumeType` *	`string`

Installation​

Prerequisites​

Configuration in JupiterOne​

RBAC​

Next steps​

Entities​

Relationships​

Kube Certificate Signing Request​

Kube Cluster​

Kube Cluster Role​

Kube Cluster Role Binding​

Kube Config Map​

Kube Container​

Kube Cron Job​

Kube Daemon Set​

Kube Deployment​

Kube Image​

Kube Ingress​

Kube Job​

Kube Namespace​

Kube Network Policy​

Kube Node​

Kube Pod​

Kube Replica Set​

Kube Role​

Kube Role Binding​

Kube Secret​

Kube Service​

Kube Service Account​

Kube Stateful Set​

Kube User​

Kube Volume​