Jit Kubernetes Agent

The Jit Kubernetes Agent is a comprehensive security and resource monitoring solution that automatically collects Kubernetes cluster information and performs security scanning using Kubescape. The agent runs as a scheduled job in your cluster to keep your security posture up-to-date in Jit.

Overview

The Jit Kubernetes Agent provides:

  • Automated Resource Collection: Gathers comprehensive Kubernetes resource information
  • Security Scanning: Performs automated security assessments using the Kubescape NSA framework
  • Unified Reporting: Integrates security findings and resource data in your Jit dashboard

Prerequisites

Before installing the Jit Kubernetes Agent, ensure you have:

  • A Kubernetes cluster with appropriate permissions
  • Jit service credentials (Client ID and Client Secret)
  • Helm 3.x installed on your local machine
  • Minimum 2GB memory available on cluster nodes

Quick Start

1. Add the Jit Helm Repository

helm repo add jitsecurity https://jitsecurity.github.io/helm-charts
helm repo update

2. Get Your Jit Credentials

  1. Log in to your Jit dashboard
  2. Navigate to Settings > API Tokens
  3. Generate a new API token or use an existing one
  4. Note your Client ID and Client Secret

3. Install the Agent

helm install jit-k8s-agent \
  --set jit.clientId=<YOUR_CLIENT_ID> \
  --set jit.clientSecret=<YOUR_CLIENT_SECRET> \
  --set cluster.name=<YOUR_CLUSTER_NAME> \
  -n jit-k8s-agent --create-namespace \
  jitsecurity/jit-k8s-agent

Note: Replace <YOUR_CLUSTER_NAME> with a unique identifier for your cluster. You can use kubectl config current-context to get your current context name.

The agent will automatically start collecting cluster information and performing security scans.
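
Values passed with --set are recorded in shell history and are visible in the process list while helm runs. The script below is an added example, not part of the Jit documentation: it supplies the same three chart values through a temporary owner-only values file instead. The function names and the JIT_CLIENT_ID, JIT_CLIENT_SECRET and CLUSTER_NAME environment variables are assumptions.

```shell
#!/bin/sh
# Added example (not from the Jit docs). Function names and the JIT_CLIENT_ID,
# JIT_CLIENT_SECRET and CLUSTER_NAME environment variables are assumptions.

# Write a values file for the chart keys this page sets with --set
# (jit.clientId, jit.clientSecret, cluster.name) and print its path.
write_jit_values() {
  [ "$#" -eq 3 ] || { echo "usage: write_jit_values ID SECRET CLUSTER" >&2; return 1; }
  nl='
'
  for v in "$@"; do
    case "$v" in
      # Refuse empty values and characters that need escaping in a
      # double-quoted YAML scalar, rather than writing a broken file.
      ''|*\"*|*\\*|*"$nl"*) echo "invalid value" >&2; return 1 ;;
    esac
  done
  # mktemp creates the file readable by its owner only; umask makes that explicit.
  file="$(umask 077; mktemp "${TMPDIR:-/tmp}/jit-values.XXXXXX")" || return 1
  printf 'jit:\n  clientId: "%s"\n  clientSecret: "%s"\ncluster:\n  name: "%s"\n' \
    "$1" "$2" "$3" > "$file" || return 1
  printf '%s\n' "$file"
}

# Install with -f so the secret stays off helm's command line,
# then remove the values file whatever helm returns.
install_jit_agent() {
  values="$(write_jit_values "${JIT_CLIENT_ID:-}" "${JIT_CLIENT_SECRET:-}" \
    "${CLUSTER_NAME:-}")" || return 1
  helm install jit-k8s-agent -f "$values" \
    -n jit-k8s-agent --create-namespace \
    jitsecurity/jit-k8s-agent
  rc=$?
  rm -f "$values"
  return "$rc"
}

# Run the install only when asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--install" ]; then
  install_jit_agent
fi
```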

Configuration

The Jit Kubernetes Agent works out-of-the-box with minimal configuration. You only need to provide:

Parameter         Description                Example
jit.clientId      Your Jit Client ID         jit_1234567890abcdef
jit.clientSecret  Your Jit Client Secret     secret_abcdef1234567890
cluster.name      Unique cluster identifier  production-us-east-1

Optional: Disable Security Scanning

If you need to disable security scanning (e.g., for resource-constrained environments):

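# --reuse-values keeps the credentials and cluster name set at install time;
# without it, an upgrade that passes --set resets all other values to chart defaults
helm upgrade jit-k8s-agent \
  --reuse-values \
  --set kubescape.enabled=false \
  -n jit-k8s-agent \
  jitsecurity/jit-k8s-agent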

Security Scanning

The Jit Kubernetes Agent includes Kubescape security scanning by default, which:

  • Scans your cluster
  • Identifies security misconfigurations and vulnerabilities
  • Uploads findings to your Jit dashboard for analysis
  • Runs automatically with each resource collection cycle

Monitoring and Verification

Check Agent Status

# View recent job logs
kubectl logs -n jit-k8s-agent job/jit-k8s-agent-initial-job

# Check CronJob status
kubectl get cronjobs -n jit-k8s-agent

# View job history
kubectl get jobs -n jit-k8s-agent

Success Indicators

Look for these log messages to confirm successful operation:

✅ "Starting Kubescape security scan..."
✅ "Kubescape security scan completed"
✅ "Successfully uploaded Kubescape scan results"
✅ "Reported 2 upload paths"

Troubleshooting

Common Issues

Issue                  Solution
Memory pressure        Ensure nodes have adequate resources or disable Kubescape: --set kubescape.enabled=false
Authentication errors  Verify your Jit credentials are correct and have proper permissions
Network connectivity   Ensure the cluster can reach api.jit.io and public.ecr.aws
RBAC permissions       The agent requires cluster-wide read permissions for resource collection

Rollback

If you need to roll back to a previous version:

helm rollback jit-k8s-agent -n jit-k8s-agent

Uninstall

To completely remove the agent:

helm uninstall jit-k8s-agent -n jit-k8s-agent
kubectl delete namespace jit-k8s-agent

Resource Requirements

The Jit Kubernetes Agent requires minimal resources and will work on most Kubernetes clusters. No persistent storage is required.

What's Next

After successful installation and scan:

  1. View Results: Check your Jit dashboard > Backlog page and filter by asset name = <YOUR_CLUSTER_NAME>