Connect a Kubernetes cluster
Ctadel needs read-only access to your cluster's API server. Coverage starts as soon as the connection is established: Kubernetes posture, image vulnerability correlation and network policy auditing.
Cloud-managed cluster (EKS / AKS / GKE / Kapsule)
If you connected the parent cloud account, the cluster is already discovered as a resource. To enable Kubernetes-level scanning, provide a read-only credential for the API server.
- Settings, Kubernetes, Connect cluster.
- Pick the cluster from the list (auto-discovered from your cloud connection).
- Pick the auth method offered by the wizard.
- Test, save.
Self-hosted cluster
For clusters you run yourself (kubeadm, k3s, on-prem):
- Settings, Kubernetes, Connect cluster, Self-hosted.
- Follow the wizard. It walks you through creating a read-only service account in the cluster and pasting the API server URL, CA certificate and token into Ctadel. Grant the account only get, list and watch; do not bind it to cluster-admin or to any role that can read Secrets, since the token you paste would then be a cluster-wide credential.
- Test, save.
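The self-hosted steps above, as an added shell example that is not Ctadel's own tooling: it emits a least-privilege ClusterRole manifest, checks it offline and then against the live cluster, and prints the three values the wizard asks for. The namespace `ctadel`, the account name `ctadel-reader` and the resource list are assumptions; extend the list if Ctadel later reports a permission it lacks.

```shell
#!/usr/bin/env sh
# Added example, not Ctadel's tooling: create the read-only service account the
# self-hosted wizard asks for, prove it cannot write, then print the API server
# URL, CA certificate and token. Namespace "ctadel" and account "ctadel-reader"
# are assumptions; override them via the environment.
set -eu

SA_NAME="${SA_NAME:-ctadel-reader}"
SA_NAMESPACE="${SA_NAMESPACE:-ctadel}"

# Manifest on stdout. Every rule grants only get/list/watch, and "secrets" is
# deliberately absent: a scanner token that can read Secrets is a cluster-wide
# credential dump waiting to happen.
readonly_manifest() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${SA_NAME}
  namespace: ${SA_NAMESPACE}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${SA_NAME}
rules:
  - apiGroups: [""]
    resources: [namespaces, nodes, pods, services, serviceaccounts]
    verbs: [get, list, watch]
  - apiGroups: [apps, batch]
    resources: [deployments, daemonsets, statefulsets, replicasets, jobs, cronjobs]
    verbs: [get, list, watch]
  - apiGroups: [networking.k8s.io]
    resources: [networkpolicies, ingresses]
    verbs: [get, list, watch]
  - apiGroups: [rbac.authorization.k8s.io]
    resources: [roles, rolebindings, clusterroles, clusterrolebindings]
    verbs: [get, list, watch]
  - apiGroups: [admissionregistration.k8s.io]
    resources: [validatingwebhookconfigurations, mutatingwebhookconfigurations]
    verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${SA_NAME}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${SA_NAME}
subjects:
  - kind: ServiceAccount
    name: ${SA_NAME}
    namespace: ${SA_NAMESPACE}
---
# Long-lived token; since Kubernetes 1.24 none is created automatically.
apiVersion: v1
kind: Secret
metadata:
  name: ${SA_NAME}-token
  namespace: ${SA_NAMESPACE}
  annotations:
    kubernetes.io/service-account.name: ${SA_NAME}
type: kubernetes.io/service-account-token
EOF
}

# Offline guard (YAML on stdin): exit 0 only if no rule grants a verb beyond
# get/list/watch. Run it again after every edit to the manifest.
verify_readonly() {
  extra=$(grep -E '^[ -]*verbs:' | sed 's/[][,]//g' \
    | awk '{ for (i = 2; i <= NF; i++) if ($i != "get" && $i != "list" && $i != "watch") print $i }')
  [ -z "$extra" ]
}

# Live guard: ask the API server what the account may really do (inherited
# bindings included) before handing the token over. Needs impersonation rights,
# which cluster-admin has. Word-splitting of $probe is intended.
check_no_write() {
  who="system:serviceaccount:${SA_NAMESPACE}:${SA_NAME}"
  for probe in "create pods" "delete pods" "patch deployments" "get secrets"; do
    if kubectl auth can-i $probe --all-namespaces --as="$who" >/dev/null 2>&1; then
      echo "refusing: $who can $probe" >&2; return 1
    fi
  done
}

# The three wizard values: URL from the current kubeconfig context, CA and token
# from the Secret created above.
cluster_credentials() {
  kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}{"\n"}'
  kubectl get secret "${SA_NAME}-token" -n "$SA_NAMESPACE" -o jsonpath='{.data.ca\.crt}' | base64 -d
  kubectl get secret "${SA_NAME}-token" -n "$SA_NAMESPACE" -o jsonpath='{.data.token}' | base64 -d; echo
}

case "${1:-}" in
  apply)       readonly_manifest | verify_readonly
               kubectl get namespace "$SA_NAMESPACE" >/dev/null 2>&1 || kubectl create namespace "$SA_NAMESPACE"
               readonly_manifest | kubectl apply -f - ;;
  credentials) check_no_write && cluster_credentials ;;
  *)           ;;   # no argument: only define the functions
esac
```

Run `sh connect-readonly.sh apply` with cluster-admin credentials, then `sh connect-readonly.sh credentials` and paste the three printed values into the wizard. The `credentials` step refuses to print anything if the account can write pods or deployments, or read Secrets, so a binding added by mistake is caught before the token leaves the cluster.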
Network reachability
Ctadel reaches your cluster's API server from our European infrastructure. The API server must be reachable from a small set of static egress IPs (shown in the wizard).
If your API server is private:
- Allow Ctadel's egress IPs on the API server: master authorized networks on GKE, public access CIDRs on EKS, API server authorized IP ranges on AKS, or the equivalent for your provider.
- Or use private connectivity (peering) where your provider supports it.
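Added example, not from the Ctadel docs: the allowlist update for the three managed providers, as a shell script. The CIDRs are placeholders from a documentation range, not Ctadel's real egress addresses; take those from the wizard. The three CLI flags each replace the whole allowlist rather than append to it, so the script merges the existing entries first; dropping them is the classic way to lock your own admins out of the API server. The merge runs offline; the cloud calls assume authenticated `gcloud`, `aws` and `az` CLIs.

```shell
#!/usr/bin/env sh
# Added example (not Ctadel's own tooling): add Ctadel's static egress IPs to
# the API server allowlist of a GKE, EKS or AKS cluster. All three update
# commands REPLACE the list, so existing entries are merged in first.
set -eu

# Placeholder only (TEST-NET-3); replace with the addresses shown in the wizard.
CTADEL_EGRESS_CIDRS="${CTADEL_EGRESS_CIDRS:-203.0.113.10/32,203.0.113.11/32}"

# merge_cidrs EXISTING NEW -> comma-separated union, original order kept,
# duplicates and empty items dropped. Pure text processing, runs offline.
merge_cidrs() {
  printf '%s,%s\n' "$1" "$2" | tr ',' '\n' | awk 'NF && !seen[$0]++' | paste -sd, -
}

# gke_allowlist CLUSTER LOCATION. gcloud's value() joins repeated fields with ';'.
gke_allowlist() {
  existing=$(gcloud container clusters describe "$1" --location "$2" \
    --format='value(masterAuthorizedNetworksConfig.cidrBlocks[].cidrBlock)' | tr ';' ',')
  gcloud container clusters update "$1" --location "$2" \
    --enable-master-authorized-networks \
    --master-authorized-networks "$(merge_cidrs "$existing" "$CTADEL_EGRESS_CIDRS")"
}

# eks_allowlist CLUSTER. Keep the private endpoint on so in-VPC nodes are not
# forced out through the public endpoint and back.
eks_allowlist() {
  existing=$(aws eks describe-cluster --name "$1" \
    --query 'cluster.resourcesVpcConfig.publicAccessCidrs' --output text | tr '\t' ',')
  aws eks update-cluster-config --name "$1" --resources-vpc-config \
    "endpointPublicAccess=true,endpointPrivateAccess=true,publicAccessCidrs=$(merge_cidrs "$existing" "$CTADEL_EGRESS_CIDRS")"
}

# aks_allowlist CLUSTER RESOURCE_GROUP.
aks_allowlist() {
  existing=$(az aks show -n "$1" -g "$2" \
    --query 'apiServerAccessProfile.authorizedIpRanges' -o tsv | paste -sd, -)
  az aks update -n "$1" -g "$2" \
    --api-server-authorized-ip-ranges "$(merge_cidrs "$existing" "$CTADEL_EGRESS_CIDRS")"
}
```

Source the file and call the function for your provider, for example `. ./allowlist.sh && gke_allowlist prod-eu europe-west1`. Run `merge_cidrs` on its own first if you want to eyeball the final list before it is applied.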
What gets scanned
| Cadence | What is scanned |
|---|---|
| Regularly | Workloads, RBAC, network policies, service accounts |
| Less often | Cluster-level configuration (audit policy, admission webhooks) |
| On change | Image references; each new reference triggers a vulnerability scan |
What's next
- Kubernetes Security concept
- KSPM module
- Kubernetes module, the topology view