Kubernetes

Integrating Kubernetes with Escape's ASM enables discovery of services (including those managed by Istio) running on your Kubernetes clusters.

How it works

Escape connects to your Kubernetes cluster through the Kubernetes API server, making authenticated API calls to list and retrieve cluster resources. The integration uses a Service Account with read-only permissions to query:

  • The Kubernetes API for native resources (Services, Ingresses)
  • The Istio API (if available) for service mesh resources (VirtualServices, Gateways, DestinationRules)

Once connected, Escape periodically queries these APIs to maintain an up-to-date inventory of your cluster's exposed services and routes.

Discovered Resources

The Kubernetes integration automatically discovers and inventories the following resources from your Kubernetes cluster:

Kubernetes:

  • Ingresses: HTTP/HTTPS routing rules exposing services outside the cluster
  • Services: Service definitions including LoadBalancer and NodePort types with external access

Istio Service Mesh (optional):

  • VirtualServices: traffic routing rules that map hosts and paths to services inside the mesh
  • Gateways: configuration of the load balancers that expose mesh services at the edge of the mesh
  • DestinationRules: policies applied to traffic after routing (subsets, load balancing, TLS settings)

These discovered resources are analyzed to identify APIs, routes, and service dependencies, then automatically classified as Assets (APIs, WebApps) in Escape's ASM, enabling continuous security monitoring and testing.

Automatic Installation

If you installed a Private Location with Helm, the container self-registers your Kubernetes cluster in Escape's integrations list, provided the cluster is reachable.

Manual Installation

You can also manually configure an integration by following the steps below.

1. Create a Service Account and ClusterRoleBinding

Create a Service Account and corresponding RBAC rules that grant Escape access to the cluster resources you want to monitor, including Istio objects if needed. Here is a sample YAML (replace default with the namespace where you deploy Escape):

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: escape-repeater
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: escape-repeater
rules:
  # Allow listing and getting namespaces
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list"]
  # Allow listing and getting services
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list"]
  # Allow listing and getting ingresses
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list"]
  # Allow listing and getting Istio resources (optional)
  - apiGroups: ["networking.istio.io"]
    resources: ["virtualservices", "gateways", "destinationrules"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: escape-repeater
subjects:
  - kind: ServiceAccount
    name: escape-repeater
    namespace: default # the namespace where the ServiceAccount is created
roleRef:
  kind: ClusterRole
  name: escape-repeater
  apiGroup: rbac.authorization.k8s.io

Finally, add serviceAccountName: escape-repeater to the pod template spec of your Deployment so that the pod runs under this Service Account.
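Once the Service Account and ClusterRoleBinding exist, it is worth confirming that they grant exactly the read-only access above and nothing more. The following script is an added example, not part of Escape's documentation: it uses kubectl impersonation (--as) to ask the API server what the escape-repeater Service Account may do, and it checks a few denials alongside the expected grants, because an over-broad binding such as cluster-admin would pass the grants alone. It assumes the Service Account lives in the default namespace (override with SA_NAMESPACE).

```shell
#!/usr/bin/env sh
# Least-privilege check for the escape-repeater ServiceAccount (added example).
# Assumption: the ServiceAccount is in "default" unless SA_NAMESPACE is set.
SA_NAMESPACE="${SA_NAMESPACE:-default}"
SA_USER="system:serviceaccount:${SA_NAMESPACE}:escape-repeater"

# Expected access matrix: "<verb> <resource[.group]> <yes|no>".
# The "yes" rows mirror the ClusterRole rules; the "no" rows are the guard that
# proves the binding is read-only and scoped to the listed resources.
expected_access() {
  cat <<'EOF'
list services yes
get ingresses.networking.k8s.io yes
list namespaces yes
list virtualservices.networking.istio.io yes
list gateways.networking.istio.io yes
list destinationrules.networking.istio.io yes
create services no
delete ingresses.networking.k8s.io no
list secrets no
list pods no
get configmaps no
EOF
}

# judge VERB RESOURCE EXPECTED ACTUAL: returns 0 on a match, 1 on a mismatch.
judge() {
  if [ "$3" = "$4" ]; then
    printf 'OK    %-6s %-42s %s\n' "$1" "$2" "$4"
    return 0
  fi
  printf 'FAIL  %-6s %-42s expected %s, got %s\n' "$1" "$2" "$3" "$4"
  return 1
}

# Runs every row against the live cluster; returns the number of mismatches.
# "kubectl auth can-i" prints yes/no and exits non-zero on "no", hence "|| true".
run_checks() {
  failures=0
  while read -r verb resource want; do
    got=$(kubectl auth can-i "$verb" "$resource" --all-namespaces \
          --as="$SA_USER" 2>/dev/null || true)
    judge "$verb" "$resource" "$want" "${got:-no}" || failures=$((failures + 1))
  done <<EOF
$(expected_access)
EOF
  return "$failures"
}

if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Run it against the cluster with `sh check-escape-rbac.sh --run` (the filename is arbitrary); a non-zero exit means at least one grant or denial differs from the manifest above.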

2. Create a Private Location

Now follow the Private Location documentation to create a single-pod Deployment. In addition, point the Deployment at the Service Account created in the previous step by setting:

serviceAccountName: escape-repeater

This ensures that your Escape Repeater pod is granted the appropriate permissions to discover and monitor both native Kubernetes and Istio resources.

3. Create a Kubernetes integration on the Escape Platform

On the Escape Platform, go to the Kubernetes Integration page and create the integration by selecting your Private Location in the drop-down list.