Scanning Approach Comparison¶
This document provides a comprehensive comparison of the three container scanning approaches implemented in this project. This analysis will help you select the most appropriate approach based on your specific environment, requirements, and constraints.
Approach Overview¶
| Approach | Description | Best For |
|---|---|---|
| Kubernetes API Approach | Uses train-k8s-container transport plugin directly | Production environments, compliance-focused organizations, CI/CD pipelines at scale |
| Debug Container Approach | Attaches ephemeral debug containers to pods with distroless containers | Interim solution for distroless containers when ephemeral containers are supported |
| Sidecar Container Approach | Deploys scanner containers alongside target containers with shared process namespace | Interim solution for distroless containers with minimal Kubernetes version requirements |
Feature Comparison Matrix¶
| Feature | Kubernetes API Approach | Debug Container Approach | Sidecar Container Approach |
|---|---|---|---|
| Kubernetes Compatibility | Any version | 1.16+ (requires ephemeral containers) | Any version |
| Works with existing pods | ✅ Yes | ✅ Yes | ❌ No (requires pod modification) |
| Standard container support | ✅ Best approach | ✅ Supported | ✅ Supported |
| Distroless container support | 🔄 In progress | ✅ Best interim approach | ✅ Supported |
| No pod modification required | ✅ Yes | ❌ No | ❌ No |
| Minimal privileges | ✅ Yes | ❌ No | ✅ Yes |
| Implementation complexity | 🟢 Low | 🟠 Medium | 🟠 Medium |
| User experience | 🟢 Seamless | 🟠 Complex | 🟠 Medium |
| Security footprint | 🟢 Minimal | 🟠 Moderate | 🟠 Moderate |
| Runtime dependencies | kubectl, inspec | kubectl, ephemeral containers | kubectl, pod access |
| CI/CD integration ease | 🟢 Simple | 🟠 Complex | 🟠 Medium |
| Development status | 🔄 In progress (for distroless) | ✅ Complete | ✅ Complete |
| GitHub Actions support | ✅ Yes | ✅ Yes | ✅ Yes |
| GitLab CI support | ✅ Yes | ✅ Yes | ✅ Yes |
| GitLab Services support | ✅ Yes | ✅ Yes | ✅ Yes |
Technical Requirements¶
Kubernetes API Approach¶
- Standard Kubernetes cluster (any version)
- RBAC permissions to execute commands in target containers
- For distroless containers: Enhanced plugin capabilities (in development)
Debug Container Approach¶
- Kubernetes 1.16+ with ephemeral containers feature enabled
- Permissions to create debug containers
- Privileges to access target container filesystem
Sidecar Container Approach¶
- Standard Kubernetes cluster (any version)
- Ability to modify pod definitions to enable shared process namespace
- Permissions to create pods with sidecar containers
Recommended Usage Scenarios¶
Enterprise Production Environments¶
Recommended Approach: Kubernetes API Approach
- Lowest security risk profile
- Simplest implementation with minimal overhead
- Most transparent to end users
- Minimal permissions required in production clusters
- Best for multi-team environments
Distroless Containers (Interim)¶
Recommended Approach: Debug Container or Sidecar Container Approach
- If on Kubernetes 1.16+: Debug Container Approach
- If needing universal compatibility: Sidecar Container Approach
- Long-term: Plan for migration to Kubernetes API Approach as distroless support matures
Local Development and Testing¶
Recommended Approach: Any approach depending on container types
- For standard containers: Kubernetes API Approach is simplest
- For mixed container types: Sidecar Container Approach is most flexible
CI/CD Pipeline Integration¶
Recommended Approach: Any approach, depending on container types
- All approaches work well with CI/CD pipelines
- For standard containers, Kubernetes API Approach is preferred
- For distroless containers, choose based on environment capabilities
Migration Paths¶
To Kubernetes API Approach (Recommended)¶
- For standard containers: Immediate adoption
- For distroless containers: Plan adoption as enhanced distroless support is completed
- Maintain same commands and workflows for consistent user experience
Between Approaches¶
- Debug Container to Sidecar: Modify pod definitions to enable shared process
- Sidecar to Debug Container: Ensure cluster supports ephemeral containers
- Either to Kubernetes API: Wait for distroless support completion
Enterprise Adoption Strategy¶
For enterprise environments implementing container scanning at scale:
- Phase 1: Standard Containers
- Implement Kubernetes API Approach for all standard containers
-
Document and train teams on standardized workflow
-
Phase 2: Distroless Containers (Interim)
- Implement appropriate fallback based on environment
-
Document temporary approach and plan for migration
-
Phase 3: Complete Migration
- Migrate all scanning to Kubernetes API Approach once distroless support is complete
- Standardize on universal approach for all container types