# Kubernetes Reachability

Kubernetes reachability describes how OX Security collects Kubernetes workload context from your clusters.

## Kubernetes visibility in OX

Regardless of the connection model, OX enriches security findings with Kubernetes workload context.

This includes:

* Identifying which container images are actively running in workloads such as deployments and jobs.
* Enriching issues with severity factors based on actual reachability and exposure.
* Supporting prioritization based on whether workloads are internet-exposed or internally restricted.
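As an added illustration (not OX Security's code) of how the running-image and exposure context above can be derived, the following Python classifies every image in a set of Kubernetes objects as internet-exposed or internal. The Service types and Ingress backend fields are standard Kubernetes; the namespace, workload names and image references are constructed.

```python
# Added example, not OX Security's implementation: a simplified version of the
# enrichment described above, run offline over constructed manifests shaped like
# the items of `kubectl get deploy,job,svc,ing -A -o json`.

def _ingress_backends(manifests):
    """(namespace, service-name) pairs that some Ingress routes traffic to."""
    backends = set()
    for ing in (x for x in manifests if x["kind"] == "Ingress"):
        for rule in ing["spec"].get("rules", []):
            for path in rule.get("http", {}).get("paths", []):
                backends.add((ing["metadata"]["namespace"], path["backend"]["service"]["name"]))
    return backends

def classify_exposure(manifests):
    """Map each running image to 'internet' or 'internal': a Deployment or Job is
    exposed when a Service in its namespace that selects its pod template is of type
    LoadBalancer/NodePort or is an Ingress backend; any exposed workload wins."""
    ingress_backends = _ingress_backends(manifests)
    services = [x for x in manifests if x["kind"] == "Service"]
    result = {}
    for wl in (x for x in manifests if x["kind"] in ("Deployment", "Job")):
        ns, tpl = wl["metadata"]["namespace"], wl["spec"]["template"]
        labels = tpl.get("metadata", {}).get("labels", {})
        exposed = False
        for svc in (s for s in services if s["metadata"]["namespace"] == ns):
            sel = svc["spec"].get("selector") or {}  # selector-less Services select nothing
            if sel and all(labels.get(k) == v for k, v in sel.items()) and (
                svc["spec"].get("type") in ("LoadBalancer", "NodePort")
                or (ns, svc["metadata"]["name"]) in ingress_backends):
                exposed = True
        for c in tpl["spec"]["containers"]:
            if exposed or c["image"] not in result:
                result[c["image"]] = "internet" if exposed else "internal"
    return result

# Constructed sample cluster: a LoadBalancer front end, an Ingress-fronted API
# behind a ClusterIP Service, and a batch Job reachable only inside the cluster.
def _wl(kind, ns, name, image):
    return {"kind": kind, "metadata": {"namespace": ns, "name": name}, "spec": {"template": {
        "metadata": {"labels": {"app": name}}, "spec": {"containers": [{"image": image}]}}}}

def _svc(ns, name, typ):
    return {"kind": "Service", "metadata": {"namespace": ns, "name": name},
            "spec": {"type": typ, "selector": {"app": name}}}

SAMPLE = [
    _wl("Deployment", "shop", "web", "registry.example/shop/web:1.4.2"),
    _wl("Deployment", "shop", "api", "registry.example/shop/api:2.0.1"),
    _wl("Job", "shop", "reindex", "registry.example/shop/reindex:0.3.0"),
    _svc("shop", "web", "LoadBalancer"), _svc("shop", "api", "ClusterIP"), _svc("shop", "reindex", "ClusterIP"),
    {"kind": "Ingress", "metadata": {"namespace": "shop", "name": "public"},
     "spec": {"rules": [{"http": {"paths": [{"path": "/", "backend": {"service": {"name": "api"}}}]}}]}},
]
```

Running `classify_exposure(SAMPLE)` marks the web and api images as internet-exposed and the reindex image as internal, which is the distinction the severity factors above are built on.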

### Cloud provider context

When a cloud provider is connected (GCP, AWS, or Azure), OX adds cloud-level context to Kubernetes data.

This is used to:

* Authenticate access to your cloud project or account as a prerequisite for Kubernetes connectivity
* Enrich Kubernetes workloads with internet exposure
* Generate a Cloud Bill of Materials (Cloud BOM) reflecting deployed assets

This applies to:

* Direct integrations with GKE, EKS, and AKS
* Inspector-based deployments that run in cloud environments

## Kubernetes connection models

OX supports the following connection models:

* Direct cloud integrations
* Inspector-based model

In general, if your cluster is externally reachable, use direct cloud integration. Otherwise, deploy the Inspector.

The following table explains how to choose between the two connection models.

| Connection model                | How OX connects                                                             | When this applies                                                                                                                   | Supported combinations                                                                                                                                                                                                        |
| ------------------------------- | --------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Direct cloud integration**    | OX connects to the Kubernetes service through the cloud provider API.       | Use this model when the cluster is externally reachable and inbound access is allowed by your network and security policies.        | <p><a href="/pages/S9qiT9YYlLve0pzWKVuE">GKE with GCP</a><br><a href="/pages/aSG4WcLe0bLE1IuqZRCY">EKS</a> with <a href="/pages/g8YDS5TJEPSK8yd3wQc5">AWS</a><br><a href="/pages/ScSRUkiSrcOpguBdiPcI">AKS with Azure</a></p> |
| **Inspector-based integration** | The Inspector runs inside your environment and sends Kubernetes data to OX. | Use this model when the cluster is private, inbound connections are restricted, or the cluster is a native Kubernetes installation. | <p>Inspector with GCP<br>Inspector with AWS<br>Inspector with Azure<br>Inspector with native Kubernetes</p>                                                                                                                   |

## Enriched visibility across OX

When you connect your GKE clusters to OX Security, the platform adds context to enhance visibility and prioritization across the system:

* The **Applications** page is enriched with cloud deployment details, including Application Flow and Tags that reflect Kubernetes deployment and internet exposure.
* Issues from **SAST**, **SCA**, and **container scanning** are enhanced with Kubernetes reachability severity factors.

* The **Attack Path** tab in Active Issues reflects full cloud reachability, helping you understand how issues can be exploited in your Kubernetes environment.

* **Artifact integrity issues** are raised for images that are running in the cluster but originate from untrusted or unknown sources.

* The **Artifact BOM** page includes cloud deployment visibility, helping track where and how artifacts are used across clusters.

* OX scans the **specific versions of container images found in the cloud**, not just the latest versions available in your registry.
* OX surfaces vulnerability findings for public container images referenced by workloads and scans these images by pulling them from the public registry.
