Kubernetes Runtime Inventory
anchore-k8s-inventory can be deployed via its helm chart, embedded within your Kubernetes cluster as an agent. It will require access to the Anchore API.
KAI (Kubernetes Automated Inventory)
Prior to the v1.0.0 release of
anchore-k8s-inventory, Kubernetes inventory was called
kai. A future release of Anchore Enterprise will remove support for
kai. However, Anchore Enterprise v4.7 will support both
kai and anchore-k8s-inventory. For documentation related to the configuration of
kai, please refer to the Anchore Enterprise v4.6 documentation.
The most common way to track inventory is to install
anchore-k8s-inventory as an agent in your cluster. To do this you will need to configure credentials
and information about your deployment in the values file. It is recommended to first configure a specific robot user
for the account where you’ll want to track your Kubernetes inventory.
To install the helm chart, follow these steps:
- Configure your username, password, Anchore URL and cluster name in the values file.
    k8sInventory:
      # Path should not be changed, cluster value is used to tell Anchore which cluster this inventory is coming from
      kubeconfig:
        cluster: <unique-name-for-your-cluster>
      anchore:
        url: <URL for your>
        # Note: recommend using the inventory-agent role
        user: <user>
        password: <password>
- Run helm install in the cluster(s) you wish to track
    $ helm repo add anchore https://charts.anchore.io
    $ helm install <release> -f <values.yaml> anchore/k8s-inventory
anchore-k8s-inventory must be able to resolve the Anchore URL and requires API credentials. Review the
anchore-k8s-inventory logs if you are not able to see the inventory results in the UI.
Note: the Anchore API Password can be provided via a Kubernetes secret, or injected into the environment of the
- For injecting the environment variable, see: injectSecretsViaEnv
- For providing your own secret for the Anchore API Password, see: useExistingSecret. K8s Inventory creates its own secret based on your values.yaml file for key
k8sInventory.anchore.password, but the
k8sInventory.useExistingSecret key allows you to create your own secret and provide it in the values file. See the K8s Inventory repo for more information about the K8s Inventory specific configuration.
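A pre-install check for the values described above, as an added example that is not part of the Anchore documentation or chart: it flags leftover placeholders, an API password stored in plaintext in the values file, and a non-dedicated user. It assumes the values are available as JSON (for example from `helm get values <release> -o json`), uses only the key paths named on this page, treats the user name `admin` as a hypothetical heuristic, and does not model injectSecretsViaEnv.

```python
import json

# Constructed sample, shaped like the values file above but expressed as JSON.
SAMPLE = json.loads("""
{"k8sInventory": {
   "kubeconfig": {"cluster": "<unique-name-for-your-cluster>"},
   "anchore": {"url": "https://anchore.example.internal:8228",
               "user": "admin", "password": "hunter2-constructed"}}}
""")


def is_placeholder(value):
    """True for empty values and for template text such as <user>."""
    text = str(value or "").strip()
    return not text or (text.startswith("<") and text.endswith(">"))


def audit_values(values):
    """Return a list of findings for the k8sInventory block of a values dict."""
    inv = values.get("k8sInventory") or {}
    anchore = inv.get("anchore") or {}
    findings = []

    if is_placeholder((inv.get("kubeconfig") or {}).get("cluster")):
        findings.append("cluster: no unique cluster name set")
    for key in ("url", "user"):
        if is_placeholder(anchore.get(key)):
            findings.append(f"anchore.{key}: missing or still a placeholder")

    password = anchore.get("password")
    if inv.get("useExistingSecret"):
        # An operator-managed secret is in use, so a password left in the
        # values file is a stray plaintext copy of the credential.
        if not is_placeholder(password):
            findings.append("anchore.password: set although useExistingSecret is enabled")
    elif is_placeholder(password):
        findings.append("anchore.password: missing, and useExistingSecret is not enabled")
    else:
        findings.append("anchore.password: plaintext in values; consider useExistingSecret")

    # Assumption: 'admin' suggests no dedicated robot user was created.
    if str(anchore.get("user", "")).lower() == "admin":
        findings.append("anchore.user: use a dedicated inventory-agent user, not admin")
    return findings


if __name__ == "__main__":
    for finding in audit_values(SAMPLE):
        print("WARN", finding)
```

Running the check in CI against the values file before `helm install` keeps the API password out of version control and out of stored release values.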
To verify that you are tracking Kubernetes Inventory you can access inventory results with the command
anchorectl inventory list and look for results where the TYPE is
The UI also displays the Kubernetes Inventory and allows operators to visually navigate the images, vulnerability results, and see the results of the policy evaluation.
For more details about watching clusters, and reviewing policy results see the Using Kubernetes Inventory section.
Last modified October 25, 2023