Plugin Customization
Directory Inventory
See the Plugins Directory Inventory for a complete listing of files and resources in this directory.
This section provides documentation for customizing InSpec plugins for specialized container scanning needs.
Plugin Customization Overview
InSpec uses plugins for transport-specific operations. The train-k8s-container plugin enables scanning Kubernetes containers via the Kubernetes API. This section covers how to modify and extend this plugin for advanced scanning scenarios.
STRATEGIC PRIORITY: Enhancing the train-k8s-container plugin to support distroless containers through the Kubernetes API Approach represents our highest strategic priority for enterprise container scanning. This is the recommended approach for production environments and is essential for comprehensive security compliance.
Customization Guides
- Distroless Container Support - Modifications for scanning distroless containers
- Implementation Guide - Detailed implementation steps
- Testing Guide - Testing modifications and customizations
Common Use Cases
Use Case | Guide | Description |
---|---|---|
Distroless Containers | Distroless Support | Enable scanning for containers without shells |
Implementation | Implementation | Step-by-step implementation guide |
Testing | Testing | Test your modifications thoroughly |
Getting Started
Before customizing plugins, you should understand the current architecture. The train-k8s-container plugin works by:
- Creating a connection to a Kubernetes cluster via kubeconfig
- Using kubectl exec to execute commands in the target container
- Running CINC Auditor controls that rely on command execution
Key files in the plugin that would need modification:
- lib/train/k8s/container/connection.rb - Main connection class
- lib/train/k8s/container/kubectl_exec_client.rb - Handles command execution
- lib/train/transport/k8s_container.rb - Transport entry point
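The kubectl exec step described above is where a distroless target fails, because there is no shell in the image to run the command. The following sketch is an added example, not code from the train-k8s-container plugin: the helper names are hypothetical, and it assumes commands are wrapped in /bin/sh -c and that the runtime reports a missing shell with wording like the constructed sample.

```ruby
require "open3"

# Hypothetical helpers, not part of train-k8s-container.
# Kubernetes name rules: namespaces and containers are DNS-1123 labels,
# pod names are DNS-1123 subdomains.
DNS_LABEL     = /\A[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?\z/
DNS_SUBDOMAIN = /\A[a-z0-9]([-a-z0-9.]{0,251}[a-z0-9])?\z/

# Assumed wording of runtime errors when the image has no shell;
# the exact text varies by container runtime and version.
NO_SHELL_PATTERNS = [
  %r{stat /bin/sh: no such file or directory},
  /executable file not found in \$PATH/,
].freeze

# Build the argv for kubectl exec. Validating names first stops a value
# such as "--kubeconfig=..." from being parsed by kubectl as a flag.
def kubectl_exec_argv(pod:, container:, namespace:, command:)
  raise ArgumentError, "invalid namespace" unless namespace.match?(DNS_LABEL)
  raise ArgumentError, "invalid pod name" unless pod.match?(DNS_SUBDOMAIN)
  raise ArgumentError, "invalid container name" unless container.match?(DNS_LABEL)
  ["kubectl", "exec", "-n", namespace, pod, "-c", container,
   "--", "/bin/sh", "-c", command]
end

# Map a finished exec to :ok, :no_shell (distroless target) or :other_failure.
def classify_exec(exit_status, stderr)
  return :ok if exit_status == 0
  return :no_shell if NO_SHELL_PATTERNS.any? { |re| stderr.match?(re) }
  :other_failure
end

# Run with an argv array so no shell on the scanning host parses the input.
def run_in_container(**target)
  stdout, stderr, status = Open3.capture3(*kubectl_exec_argv(**target))
  { result: classify_exec(status.exitstatus, stderr), stdout: stdout }
end

# Constructed sample of the stderr a shell-less image can produce.
SAMPLE_DISTROLESS_STDERR =
  'OCI runtime exec failed: exec failed: unable to start container ' \
  'process: exec: "/bin/sh": stat /bin/sh: no such file or directory'
```

A :no_shell result is the signal that a target needs the distroless handling covered in the Distroless Container Support guide rather than a retry.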
Strategic Importance
Plugin customization, particularly for distroless container support, is a top strategic priority because:
- Consistent User Experience: Users will use identical commands for all container types
- Maximum Security Compliance: The Kubernetes API Approach maintains all security boundaries
- Enterprise Scalability: One solution for all container types simplifies deployment
- Simplified CI/CD Integration: CI/CD pipelines can use a single approach for all workloads
- Unified Documentation: Streamlined documentation and training