The Aqua Connector is a Kubernetes operator that dynamically provisions and manages Aqua Security’s runtime security agents (like the Aqua kube-bench and compliance scanners) based on your defined policies. It’s designed to integrate seamlessly with your Kubernetes cluster, ensuring your workloads are continuously monitored and secured without manual intervention.
Let’s see it in action. Imagine you have a Kubernetes cluster and you want to ensure all pods running in the default namespace are scanned for compliance issues. You’d create a CompliancePolicy resource.
```yaml
apiVersion: aqua.security/v1alpha1
kind: CompliancePolicy
metadata:
  name: default-namespace-compliance
spec:
  namespaceSelector:
    matchNames:
      - default
  schedule: "0 * * * *" # Run every hour
  complianceConfig:
    open-cis-benchmark-v1.0.0: true
    open-cis-benchmark-v1.1.0: true
    open-cis-benchmark-v1.2.0: true
```
When you apply this YAML to your cluster:
```shell
kubectl apply -f compliance-policy.yaml
```
The Aqua Connector, running as a controller in your cluster, watches for CompliancePolicy resources. Upon detecting default-namespace-compliance, it understands that it needs to deploy the necessary Aqua scanning components to the default namespace. It doesn’t just deploy a single pod; it orchestrates the creation of a ComplianceScanJob custom resource. This job definition tells Aqua Security’s backend services what to scan and when.
The Aqua Connector’s primary role is to bridge the gap between your declarative Kubernetes policies and Aqua Security’s powerful backend. It acts as the eyes and ears of Aqua within your cluster, translating your intent into actionable tasks for the Aqua platform. It’s not just about deploying agents; it’s about intelligent, policy-driven deployment and management.
Here’s a breakdown of what the Connector does internally:
- Watch for Policies: It continuously monitors the Kubernetes API server for changes to Aqua-related custom resources such as `CompliancePolicy`, `RuntimePolicy`, and `VulnerabilityPolicy`.
- Policy Evaluation: When a new policy is created or an existing one is updated, the Connector evaluates it against the cluster's current state. This involves checking `namespaceSelector`, `labelSelector`, and other criteria to determine which workloads or namespaces the policy applies to.
- Resource Provisioning: Based on the evaluated policy, the Connector creates or updates other Kubernetes resources. For a `CompliancePolicy`, this means creating `ComplianceScanJob` resources. For a `RuntimePolicy`, it might involve deploying `RuntimeAgent` custom resources, which then instruct the Aqua Security agent to be installed on the relevant nodes or pods.
- State Reconciliation: The Connector ensures that the actual state of the cluster (e.g., deployed agents, running jobs) matches the desired state defined by the policies. If an agent is missing or a job fails to start, the Connector will attempt to correct it.
The most surprising thing about the Aqua Connector’s operation is that it doesn’t actually perform the scans or enforce the runtime policies itself. It’s a facilitator. It tells the Aqua Security platform what needs to be done and where, and the platform’s cloud-based services execute the heavy lifting. This separation of concerns allows the Connector to remain lightweight within your cluster while leveraging the full power of Aqua Security’s scanning and analysis engines.
Consider a RuntimePolicy that aims to prevent specific file writes in pods labeled with app=nginx. The Connector would watch for this RuntimePolicy. If it sees pods with app=nginx that don’t have the Aqua runtime agent deployed, it would orchestrate the deployment of that agent to those specific pods or nodes. The agent then establishes a connection back to the Aqua platform, which streams the policy rules to it. The agent, running in your cluster’s context, enforces these rules locally by intercepting syscalls.
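To make the evaluation and reconciliation steps concrete, here is a self-contained Go model added for this article. It is not the Aqua Connector's own code and does not touch a real API server: the `Policy`, `Pod` and `Child` types, their field names, and the pods and existing resources in `main` are all constructed for the example. It covers both cases discussed above: a `CompliancePolicy` that should yield one `ComplianceScanJob` per selected namespace, and a `RuntimePolicy` on `app=nginx` pods that should yield one `RuntimeAgent` per matching pod that does not already have one. `Reconcile` only deletes children owned by the policy being reconciled, the way a controller would scope garbage collection by owner reference.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Policy is a constructed, in-memory stand-in for the selector and schedule
// fields the article describes; it is not the Connector's real CRD type.
type Policy struct {
	Name        string
	Kind        string            // child resource it provisions: "ComplianceScanJob" or "RuntimeAgent"
	Namespaces  []string          // namespaceSelector.matchNames (empty = every namespace)
	MatchLabels map[string]string // labelSelector.matchLabels (empty = every workload)
	Schedule    string            // five-field cron expression; used by scan jobs only
}

// Pod is the minimal view of a workload that policy evaluation needs.
type Pod struct {
	Name, Namespace string
	Labels          map[string]string
}

// Child is the resource the Connector would create for an in-scope workload.
type Child struct {
	Kind, Namespace, Name, Policy, Schedule string
}

// ValidateSchedule rejects malformed cron strings before any job is provisioned.
func ValidateSchedule(s string) error {
	if n := len(strings.Fields(s)); n != 5 {
		return fmt.Errorf("schedule %q: want 5 cron fields, got %d", s, n)
	}
	return nil
}

// Matches is the policy-evaluation step: the pod's namespace must be selected
// and the pod must carry every label in MatchLabels.
func (p Policy) Matches(pod Pod) bool {
	inNS := len(p.Namespaces) == 0
	for _, ns := range p.Namespaces {
		if ns == pod.Namespace {
			inNS = true
			break
		}
	}
	if !inNS {
		return false
	}
	for k, v := range p.MatchLabels {
		if pod.Labels[k] != v {
			return false
		}
	}
	return true
}

// key gives the identity of the child: one scan job per namespace, one runtime agent per pod.
func (p Policy) key(pod Pod) (name, key string) {
	if p.Kind == "RuntimeAgent" {
		return pod.Name, p.Kind + "/" + pod.Namespace + "/" + pod.Name
	}
	return p.Name, p.Kind + "/" + pod.Namespace + "/" + p.Name
}

// Desired computes the set of child resources that should exist for a policy.
func Desired(p Policy, pods []Pod) (map[string]Child, error) {
	if p.Kind == "ComplianceScanJob" {
		if err := ValidateSchedule(p.Schedule); err != nil {
			return nil, err
		}
	}
	out := map[string]Child{}
	for _, pod := range pods {
		if !p.Matches(pod) {
			continue
		}
		name, k := p.key(pod)
		out[k] = Child{Kind: p.Kind, Namespace: pod.Namespace, Name: name, Policy: p.Name, Schedule: p.Schedule}
	}
	return out, nil
}

// Reconcile diffs desired against actual and returns the sorted actions a controller
// would take: create what is missing, update what drifted, delete orphans it owns.
func Reconcile(policyName string, desired, actual map[string]Child) []string {
	var actions []string
	for k, want := range desired {
		have, ok := actual[k]
		switch {
		case !ok:
			actions = append(actions, "create "+k)
		case have != want:
			actions = append(actions, "update "+k)
		}
	}
	for k, c := range actual {
		if _, ok := desired[k]; !ok && c.Policy == policyName {
			actions = append(actions, "delete "+k)
		}
	}
	sort.Strings(actions)
	return actions
}

func main() {
	// Constructed cluster state: two nginx pods, one already covered by an agent.
	pods := []Pod{
		{Name: "nginx-a", Namespace: "default", Labels: map[string]string{"app": "nginx"}},
		{Name: "nginx-b", Namespace: "default", Labels: map[string]string{"app": "nginx"}},
		{Name: "coredns", Namespace: "kube-system", Labels: map[string]string{"k8s-app": "kube-dns"}},
	}
	compliance := Policy{Name: "default-namespace-compliance", Kind: "ComplianceScanJob",
		Namespaces: []string{"default"}, Schedule: "0 * * * *"}
	runtimePol := Policy{Name: "nginx-no-writes", Kind: "RuntimeAgent",
		MatchLabels: map[string]string{"app": "nginx"}}
	actual := map[string]Child{
		"RuntimeAgent/default/nginx-a": {Kind: "RuntimeAgent", Namespace: "default", Name: "nginx-a", Policy: "nginx-no-writes"},
	}
	for _, p := range []Policy{compliance, runtimePol} {
		d, err := Desired(p, pods)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println(p.Name, "->", Reconcile(p.Name, d, actual))
	}
}
```

The compliance policy produces a single `create` for `default` and ignores `kube-system`; the runtime policy produces a `create` only for `nginx-b`, since `nginx-a` already has its agent. A policy with a malformed `schedule` is rejected before any child resource is computed, which is the place a real controller would surface the error in the policy's status rather than provisioning a job that can never run.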
The levers you control are primarily these custom resources:
- `CompliancePolicy`: Defines schedules and the specific compliance benchmarks to run against your cluster's resources.
- `RuntimePolicy`: Defines rules for detecting and preventing malicious activity at runtime (e.g., unauthorized file access, network connections, process execution).
- `VulnerabilityPolicy`: Defines how and when vulnerability scans should be performed on your container images.
Each policy type has selectors (namespaceSelector, labelSelector, workloadSelector) to target specific parts of your cluster, and configuration options to fine-tune the behavior of the Aqua agents or scan jobs.
A common misconception is that the Aqua Connector is the "agent" itself. It’s not. The Connector is the Kubernetes operator that manages the deployment and configuration of the actual Aqua Security agents and scan jobs. It’s the intelligence that translates your Kubernetes-native desires into instructions for the Aqua Security ecosystem.
Once you have your compliance and runtime policies fully defined and the Connector is managing them, your next step will be to explore how to integrate vulnerability scanning for your container images.