Standard Container Workflow

This document details the standard container scanning workflow, which is the primary method for scanning containers that have a shell and common utilities available.

Workflow Overview

The standard container workflow uses the Kubernetes API approach with the train-k8s-container transport plugin to directly access the target container.

Detailed Workflow Steps

1. Setup Phase

flowchart TD
    A[Start Setup] --> B[Identify Target Container]
    B --> C[Create Service Account]
    C --> D[Apply RBAC Roles and Bindings]
    D --> E[Generate Short-lived Token]
    E --> F[Create Restricted Kubeconfig]
    F --> G[Setup Complete]

    style A fill:#505050,stroke:#FFFFFF,stroke-width:2px,color:#FFFFFF
    style G fill:#505050,stroke:#FFFFFF,stroke-width:2px,color:#FFFFFF

Setup Tasks

  1. Identify Target Container:
    • Namespace, pod name, and container name are identified
    • Container status is verified to ensure it's running

  2. Create Service Account:
    • Temporary service account created in target namespace
    • Account is marked for cleanup after scan completion

  3. Apply RBAC:
    • Role created with minimal permissions:
      • pods/exec permission for target container
      • pods GET permission for target pod
    • RoleBinding created to link service account to role

  4. Generate Token:
    • Short-lived token generated for service account
    • Token expiration set to the minimal required time

  5. Create Kubeconfig:
    • Restricted kubeconfig file created with token
    • File permissions set to restrict access

2. Scanning Phase

flowchart TD
    A[Start Scanning] --> B[Initialize CINC Auditor]
    B --> C[Configure train-k8s-container Transport]
    C --> D[Connect to Target Container]
    D --> E[Verify Container Access]
    E --> F[Execute Compliance Profile]
    F --> G[Collect Scan Results]
    G --> H[Scanning Complete]

    style A fill:#505050,stroke:#FFFFFF,stroke-width:2px,color:#FFFFFF
    style F fill:#217645,stroke:#FFFFFF,stroke-width:2px,color:#FFFFFF
    style H fill:#505050,stroke:#FFFFFF,stroke-width:2px,color:#FFFFFF

Scanning Tasks

  1. Initialize CINC Auditor:
    • CINC Auditor (InSpec) initialized with appropriate profile
    • Scanner configuration loaded

  2. Configure Transport:
    • train-k8s-container transport configured with:
      • Target namespace
      • Pod name
      • Container name
      • Kubeconfig file path

  3. Connect to Container:
    • Transport plugin establishes connection to container
    • Connection validated with a simple command

  4. Execute Profile:
    • Compliance profile run against target container
    • Commands executed within container context
    • Filesystem examined as needed

  5. Collect Results:
    • Scan results collected in structured JSON format
    • Results stored for processing

3. Results Processing Phase

flowchart TD
    A[Start Processing] --> B[Format Raw Results]
    B --> C[Generate JSON Report]
    C --> D[Process with SAF CLI]
    D --> E[Apply Threshold Validation]
    E --> F{Thresholds Met?}
    F -->|Yes| G[Mark as Passed]
    F -->|No| H[Mark as Failed]
    G --> I[Processing Complete]
    H --> I

    style A fill:#505050,stroke:#FFFFFF,stroke-width:2px,color:#FFFFFF
    style D fill:#217645,stroke:#FFFFFF,stroke-width:2px,color:#FFFFFF
    style E fill:#217645,stroke:#FFFFFF,stroke-width:2px,color:#FFFFFF
    style F fill:#DD6100,stroke:#FFFFFF,stroke-width:2px,color:#FFFFFF
    style G fill:#217645,stroke:#FFFFFF,stroke-width:2px,color:#FFFFFF
    style H fill:#DD6100,stroke:#FFFFFF,stroke-width:2px,color:#FFFFFF
    style I fill:#505050,stroke:#FFFFFF,stroke-width:2px,color:#FFFFFF

Processing Tasks

  1. Format Results:
    • Raw scan results formatted for readability
    • Results organized by control

  2. Generate Reports:
    • JSON report generated with full scan details
    • Additional report formats created as needed

  3. Process with SAF CLI:
    • MITRE SAF CLI processes scan results
    • Results evaluated against compliance standards

  4. Threshold Validation:
    • Results compared to configured thresholds
    • Pass/fail status determined

4. Cleanup Phase

flowchart TD
    A[Start Cleanup] --> B[Delete Kubeconfig]
    B --> C[Delete Service Account]
    C --> D[Delete Role and RoleBinding]
    D --> E[Verify Resource Removal]
    E --> F[Cleanup Complete]

    style A fill:#505050,stroke:#FFFFFF,stroke-width:2px,color:#FFFFFF
    style F fill:#505050,stroke:#FFFFFF,stroke-width:2px,color:#FFFFFF

Cleanup Tasks

  1. Delete Kubeconfig:
    • Temporary kubeconfig file securely deleted
    • File permissions verified during deletion

  2. Delete Kubernetes Resources:
    • Service account removed
    • Role and RoleBinding removed
    • Any other temporary resources removed

  3. Verify Cleanup:
    • Resource deletion confirmed
    • No leftover resources remain

Implementation Details

The standard container workflow is implemented in the scan-container.sh script with the following parameters:

./kubernetes-scripts/scan-container.sh <namespace> <pod-name> <container-name> <profile-path> [threshold_file]

Required Parameters

  • namespace: Kubernetes namespace containing the target container
  • pod-name: Name of the pod containing the target container
  • container-name: Name of the target container
  • profile-path: Path to the InSpec profile to run

Optional Parameters

  • threshold_file: Path to threshold configuration file for validation

Error Handling

The workflow includes robust error handling:

  1. Connection Failures: Detected and reported with clear error messages
  2. Permission Issues: Identified with troubleshooting guidance
  3. Container Availability: Checked before attempting scan
  4. Resource Cleanup: Attempted even after scan failures
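The four phases described above (setup, scanning, results processing, cleanup), the script parameters, and the "cleanup attempted even after scan failures" behaviour, as one added shell example. This is not the project's scan-container.sh; it is illustrative code written for this page. Assumptions: the service account and role names, the 15-minute token lifetime, the results and threshold file names, the threshold.yml layout for `saf validate threshold`, that the train-k8s-container transport accepts a `k8s-container://<namespace>/<pod>/<container>` target and reads the kubeconfig through kubectl's `KUBECONFIG` variable, and that the cluster has a kubectl version supporting `kubectl create token`.

```shell
#!/bin/sh
# Added example, not the project's scan-container.sh: the four workflow phases
# as shell functions. SA_NAME/ROLE_NAME, the 15-minute token lifetime, the
# results/threshold file names and the k8s-container:// target URI form are
# assumptions. kubectl, cinc-auditor and saf are invoked only when run as:
#   ./workflow.sh apply <namespace> <pod> <container> <profile> [threshold_file]
set -eu

# Role scoped to one pod: "get" on that pod and exec into it, nothing namespace-wide.
# resourceNames pins both rules to the named pod. "create" authorizes the SPDY POST
# upgrade; "get" authorizes the WebSocket GET upgrade newer kubectl defaults to.
role_manifest() {
  ns="$1"; pod="$2"; role="$3"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${role}
  namespace: ${ns}
rules:
- apiGroups: [""]
  resources: ["pods"]
  resourceNames: ["${pod}"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["pods/exec"]
  resourceNames: ["${pod}"]
  verbs: ["create", "get"]
EOF
}

# Restricted kubeconfig: one cluster, one namespace, one short-lived bearer token.
kubeconfig_manifest() {
  server="$1"; ca_b64="$2"; ns="$3"; token="$4"
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: scan-target
  cluster:
    server: ${server}
    certificate-authority-data: ${ca_b64}
contexts:
- name: scan
  context:
    cluster: scan-target
    namespace: ${ns}
    user: scanner
current-context: scan
users:
- name: scanner
  user:
    token: ${token}
EOF
}

# Cleanup phase: installed as an EXIT trap, so a failed scan or a failed setup
# step still removes the kubeconfig file and the RBAC objects.
cleanup() {
  rm -f "${KUBECONFIG_FILE:-}"
  kubectl delete rolebinding "$ROLE_NAME" -n "$NS" --ignore-not-found
  kubectl delete role "$ROLE_NAME" -n "$NS" --ignore-not-found
  kubectl delete serviceaccount "$SA_NAME" -n "$NS" --ignore-not-found
}

run_workflow() {
  NS="$1"; POD="$2"; CONTAINER="$3"; PROFILE="$4"; THRESHOLD="${5:-threshold.yml}"
  SA_NAME="scanner-$$"; ROLE_NAME="scanner-$$"   # assumed naming scheme
  trap cleanup EXIT

  # Setup phase: check container availability before creating any resources.
  phase=$(kubectl get pod "$POD" -n "$NS" -o jsonpath='{.status.phase}')
  [ "$phase" = "Running" ] || { echo "pod $POD is $phase, not Running" >&2; exit 1; }
  kubectl create serviceaccount "$SA_NAME" -n "$NS"
  role_manifest "$NS" "$POD" "$ROLE_NAME" | kubectl apply -f -
  kubectl create rolebinding "$ROLE_NAME" -n "$NS" \
    --role="$ROLE_NAME" --serviceaccount="${NS}:${SA_NAME}"
  token=$(kubectl create token "$SA_NAME" -n "$NS" --duration=15m)
  server=$(kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.server}')
  ca=$(kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')
  KUBECONFIG_FILE=$(mktemp)
  chmod 600 "$KUBECONFIG_FILE"
  kubeconfig_manifest "$server" "$ca" "$NS" "$token" > "$KUBECONFIG_FILE"

  # Scanning phase. cinc-auditor exits 100/101 when controls fail or are skipped,
  # so capture the status instead of letting set -e abort before processing.
  scan_rc=0
  KUBECONFIG="$KUBECONFIG_FILE" cinc-auditor exec "$PROFILE" \
    -t "k8s-container://${NS}/${POD}/${CONTAINER}" \
    --reporter json:results.json || scan_rc=$?
  echo "cinc-auditor exit status: $scan_rc" >&2

  # Results processing phase: SAF CLI decides pass/fail from the threshold file.
  saf validate threshold -i results.json -F "$THRESHOLD"
}

if [ "${1:-}" = "apply" ]; then shift; run_workflow "$@"; fi
```

The Role uses `resourceNames` so that the scanner token cannot exec into any pod other than the target; this is what "minimal permissions" in the setup list amounts to in practice. The EXIT trap is the mechanism behind "Resource Cleanup: Attempted even after scan failures": whichever step fails, the kubeconfig and the RBAC objects are removed before the script returns. A matching threshold.yml for the last step, in the layout the SAF CLI reads, looks like `compliance: {min: 90}` with optional `failed: {critical: {max: 0}}` entries; adjust the numbers to the compliance standard in use.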

Integration with CI/CD

For CI/CD integration, the workflow can be adapted to run as part of:

  • GitHub Actions workflows
  • GitLab CI pipelines
  • Other CI/CD systems

See CI/CD Integration for specific integration examples.