
castai-security-basics

Secure CAST AI API keys, RBAC configuration, and Kvisor security agent.

Stars
2,267
Source
jeremylongshore/claude-code-plugins-plus-skills
Updated
2026-05-31
Slug
jeremylongshore--claude-code-plugins-plus-skills--castai-security-basics

// install — copy + paste into any project

mkdir -p .claude/skills && curl -fsSL https://raw.githubusercontent.com/jeremylongshore/claude-code-plugins-plus-skills/HEAD/plugins/saas-packs/castai-pack/skills/castai-security-basics/SKILL.md -o .claude/skills/castai-security-basics.md

Drops the SKILL.md into .claude/skills/castai-security-basics.md. Works with Claude Code, Cursor, and any agent that loads SKILL.md files from .claude/skills/.

CAST AI Security Basics

Overview

Secure your CAST AI integration: API key management, RBAC least-privilege, Kvisor runtime security agent, and network policy configuration.

Prerequisites

  • CAST AI agent installed on cluster
  • Cluster admin access for RBAC configuration
  • Secrets manager (AWS Secrets Manager, Vault, etc.)

Instructions

Step 1: API Key Management

# Use separate keys per environment
# console.cast.ai > API > API Access Keys

# Development: Read-Only key (monitoring only)
# Staging: Full Access key with limited cluster scope
# Production: Full Access key, rotated every 90 days

# Store in secrets manager, never in code
aws secretsmanager create-secret \
  --name "castai/prod/api-key" \
  --secret-string "${CASTAI_API_KEY}"

# Rotate key procedure:
# 1. Generate new key in console
# 2. Update secrets manager
# 3. Restart CAST AI agent pods to pick up new key
# 4. Verify agent reconnects
# 5. Revoke old key in console

Step 2: RBAC Least-Privilege Review

# Audit CAST AI ClusterRoles
kubectl get clusterroles -l app.kubernetes.io/managed-by=castai -o yaml

# The CAST AI agent needs these minimum permissions:
# - get/list/watch: pods, nodes, events, namespaces, replicasets
# - get: persistentvolumes, storageclasses
# The cluster controller additionally needs:
# - create/delete: nodes (for autoscaling)
# - patch: pods/eviction (for evictor)

# Check for overly broad permissions
kubectl auth can-i --list --as=system:serviceaccount:castai-agent:castai-agent
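
To make the least-privilege review above repeatable, here is an added example (not part of this skill or of CAST AI's own tooling) that diffs a ClusterRole, in the shape returned by `kubectl get clusterrole <name> -o json`, against the minimum permission set listed in this step. The baseline dictionary is transcribed from the comments above (the `pods/eviction` verb is carried over exactly as the page states it), and the sample ClusterRole is constructed for illustration, not the real chart's role.

```python
"""Diff a CAST AI ClusterRole against the Step 2 minimum permission set."""
import json

# Baseline transcribed from Step 2 above (agent plus cluster-controller verbs).
BASELINE = {
    "pods": {"get", "list", "watch"},
    "nodes": {"get", "list", "watch", "create", "delete"},
    "events": {"get", "list", "watch"},
    "namespaces": {"get", "list", "watch"},
    "replicasets": {"get", "list", "watch"},
    "persistentvolumes": {"get"},
    "storageclasses": {"get"},
    "pods/eviction": {"patch"},
}


def excess_permissions(clusterrole: dict, baseline: dict = BASELINE) -> list:
    """Return sorted 'resource:verb' pairs the role grants beyond the baseline.

    A '*' resource or verb is reported literally, never expanded: a wildcard is
    not least privilege whatever it covers today. nonResourceURLs are always reported.
    """
    excess = set()
    for rule in clusterrole.get("rules", []):
        verbs = rule.get("verbs", [])
        for url in rule.get("nonResourceURLs", []):
            excess.update(f"{url}:{verb}" for verb in verbs)
        for resource in rule.get("resources", []):
            allowed = baseline.get(resource, set())
            for verb in verbs:
                if resource == "*" or verb == "*" or verb not in allowed:
                    excess.add(f"{resource}:{verb}")
    return sorted(excess)


# Constructed sample in the shape of `kubectl get clusterrole <name> -o json`;
# it is NOT the real chart's ClusterRole and deliberately contains over-grants.
SAMPLE_CLUSTERROLE = json.loads("""
{"kind": "ClusterRole", "metadata": {"name": "castai-agent"}, "rules": [
  {"apiGroups": [""], "resources": ["pods", "nodes", "events", "namespaces"],
   "verbs": ["get", "list", "watch"]},
  {"apiGroups": ["apps"], "resources": ["replicasets"], "verbs": ["get", "list", "watch"]},
  {"apiGroups": [""], "resources": ["nodes"], "verbs": ["create", "delete", "deletecollection"]},
  {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
  {"apiGroups": [""], "resources": ["pods/eviction"], "verbs": ["*"]}
]}
""")

if __name__ == "__main__":
    for grant in excess_permissions(SAMPLE_CLUSTERROLE):
        print("EXCESS", grant)
```

Pipe a live role through it with `kubectl get clusterrole <name> -o json | python3 -c 'import json,sys; from rbac_diff import excess_permissions; print(excess_permissions(json.load(sys.stdin)))'`, adjusting the module name to wherever you save the file.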

Step 3: Enable Kvisor Security Agent

# Kvisor scans for CVEs, misconfigurations, and runtime threats
helm upgrade --install castai-kvisor castai-helm/castai-kvisor \
  -n castai-agent \
  --set castai.apiKey="${CASTAI_API_KEY}" \
  --set castai.clusterID="${CASTAI_CLUSTER_ID}" \
  --set controller.extraArgs.image-scan-enabled=true \
  --set controller.extraArgs.kube-bench-enabled=true

# Verify Kvisor is running
kubectl get pods -n castai-agent -l app.kubernetes.io/name=castai-kvisor

Step 4: Network Policies

# Restrict CAST AI agent egress to TCP/443 plus DNS. A stock NetworkPolicy cannot
# pin the destination to api.cast.ai by name; see the cidr comment below.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: castai-agent-egress
  namespace: castai-agent
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: castai-agent
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0  # api.cast.ai resolves dynamically, so this allows any host on 443; use a CNI FQDN policy (e.g. Cilium toFQDNs) to pin it
      ports:
        - protocol: TCP
          port: 443
    - to:  # Allow DNS
        - namespaceSelector: {}
      ports:
        - protocol: UDP
          port: 53

Step 5: Security Checklist

  • API keys stored in secrets manager, not Helm values files
  • Separate keys per environment (dev/staging/prod)
  • Read-only keys for monitoring-only clusters
  • Key rotation scheduled every 90 days
  • Kvisor enabled for image scanning and CIS benchmarks
  • CAST AI namespace has network policies
  • Agent RBAC reviewed and minimized
  • Helm values files in .gitignore
  • Audit logs enabled in CAST AI console

Error Handling

| Issue | Detection | Mitigation |
| --- | --- | --- |
| API key in git history | `git log -S "CASTAI"` | Rotate key immediately |
| Agent has cluster-admin | `kubectl auth can-i --list` | Apply scoped ClusterRole |
| Kvisor high resource use | `kubectl top pods -n castai-agent` | Adjust scan intervals |
| Network policy blocks agent | Agent goes offline | Allow egress to 443 |

Resources

Next Steps

For the production deployment checklist, see castai-prod-checklist.