Specialized Environments
This guide covers deployment configurations for specialized environments, including air-gapped and high-security Kubernetes deployments.
Overview
Some environments have specific requirements that necessitate specialized deployment approaches. This guide covers deployment in air-gapped environments (without internet access) and high-security environments with strict security controls.
Air-Gapped Environments
Air-gapped environments have no internet connectivity, requiring all resources to be pre-downloaded and available locally.
Image Bundling
Create a bundle of all required container images for air-gapped deployment:
```bash
#!/bin/bash
# create-image-bundle.sh
set -eu

REGISTRY="docker.io"   # registry the images below are pulled from
IMAGES=(
  "cinc/auditor:latest"
  "bitnami/kubectl:latest"
  "busybox:latest"
)

mkdir -p ./airgap-bundle/images

for image in "${IMAGES[@]}"; do
  echo "Pulling $image ..."
  docker pull "$image"
  # Derive a filesystem-safe file name: cinc/auditor:latest -> cinc_auditor_latest
  filename=$(echo "$image" | tr '/:' '_')
  echo "Saving $image to ./airgap-bundle/images/$filename.tar"
  docker save "$image" > "./airgap-bundle/images/$filename.tar"
done

# Bundle profiles and configurations
cp -r ./profiles ./airgap-bundle/
cp -r ./helm-charts ./airgap-bundle/
cp -r ./kubernetes ./airgap-bundle/
cp -r ./scripts ./airgap-bundle/

tar -czf scanner-airgap-bundle.tar.gz ./airgap-bundle
```
Local Registry Setup
Set up and configure a local container registry:
```yaml
# local-registry-values.yaml
registry:
  internal:
    enabled: true
    persistence:
      enabled: true
      size: 50Gi
imageOverrides:
  repository: registry.local:5000/cinc/auditor
  tag: latest
```
Air-Gapped Deployment Configuration
Configure the scanner to use local resources:
```yaml
# airgapped-values.yaml
global:
  imageRegistry: registry.local:5000
  airgapped: true
scanner:
  image:
    repository: registry.local:5000/cinc/auditor
    tag: latest
  profiles:
    source: configmap
    configMap:
      name: airgapped-profiles
```
Air-Gapped Updates
Manage updates in air-gapped environments:
```yaml
# airgapped-updates-values.yaml
updates:
  source: local
  bundle:
    path: /path/to/updates
  verification:
    enabled: true
    checksum: true
    signature: true
```
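As an added example that is not one of the project's own scripts, the loader below is the disconnected-side counterpart to create-image-bundle.sh: it first checks the bundle against a SHA256SUMS file (assumed to have been generated on the connected side with `sha256sum images/*.tar > SHA256SUMS` before transfer, matching the checksum verification enabled above), then loads each tarball and mirrors it into the local registry that airgapped-values.yaml points at. `LOCAL_REGISTRY`, the SHA256SUMS file and the function names are assumptions.

```shell
#!/bin/bash
# load-image-bundle.sh (added example, not the project's script)
set -eu

# Registry referenced by airgapped-values.yaml; override via environment.
LOCAL_REGISTRY="${LOCAL_REGISTRY:-registry.local:5000}"

# Verify every images/*.tar against the bundle's SHA256SUMS file (assumed to
# have been produced with `sha256sum images/*.tar > SHA256SUMS` before the
# bundle was transferred). Non-zero on a missing list, missing file or mismatch.
verify_bundle_checksums() {
  bundle_dir="$1"
  [ -f "$bundle_dir/SHA256SUMS" ] || { echo "missing SHA256SUMS in $bundle_dir" >&2; return 1; }
  (cd "$bundle_dir" && sha256sum --check --strict --quiet SHA256SUMS)
}

# Map an image reference to its name in the local registry, keeping the
# repository path and tag: cinc/auditor:latest -> registry.local:5000/cinc/auditor:latest
local_image_ref() {
  printf '%s/%s\n' "$2" "$1"
}

# Verify, then load every tarball and push it into the local registry. The
# image name is read from docker's own "Loaded image: <name>" output, so the
# bundle needs no separate manifest.
load_bundle() {
  bundle_dir="$1"
  verify_bundle_checksums "$bundle_dir"
  for tarball in "$bundle_dir"/images/*.tar; do
    loaded=$(docker load -i "$tarball" | sed -n 's/^Loaded image: //p')
    for image in $loaded; do
      target=$(local_image_ref "$image" "$LOCAL_REGISTRY")
      echo "Mirroring $image -> $target"
      docker tag "$image" "$target"
      docker push "$target"
    done
  done
}

# Usage: ./load-image-bundle.sh ./airgap-bundle
if [ $# -ge 1 ]; then
  load_bundle "$1"
fi
```

Run it after `tar -xzf scanner-airgap-bundle.tar.gz` on the air-gapped host; a checksum mismatch aborts before any image is loaded.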
High-Security Environments
High-security environments require additional security controls beyond standard deployments.
Enhanced Security Controls
Implement enhanced security controls (note that PodSecurityPolicy was removed in Kubernetes 1.25, so the `psp` setting only has an effect on older clusters):
```yaml
# high-security-values.yaml
security:
  enhanced:
    enabled: true
    seccompProfile:
      type: RuntimeDefault
    seLinux:
      enabled: true
    apparmor:
      enabled: true
    psp:
      enabled: true
    admission:
      enabled: true
      validateImages: true
      validateSecrets: true
```
Mutual TLS Configuration
Implement mutual TLS for secure communications:
```yaml
# mtls-values.yaml
tls:
  enabled: true
  mutual: true
  certificateAuthority:
    create: true
  certificates:
    server:
      create: true
    client:
      create: true
  verifyDepth: 2
```
Audit Logging
Enable comprehensive audit logging:
```yaml
# audit-values.yaml
audit:
  enabled: true
  level: RequestResponse
  maxAge: 30
  maxBackups: 10
  maxSize: 100
  path: /var/log/scanner-audit.log
  policy:
    create: true
    rules:
      - level: RequestResponse
        resources:
          - group: ""
            resources: ["pods"]
```
Defense in Depth Measures
Implement multiple layers of security:
```yaml
# defense-in-depth-values.yaml
defensiveControls:
  network:
    denyByDefault: true
    allowedRoutes:
      - source: scanner
        destination: kubernetes-api
      - source: scanner
        destination: containers
  application:
    securityFilters:
      - type: input-validation
        enabled: true
      - type: output-encoding
        enabled: true
  runtime:
    secureDefaults: true
    failClosed: true
```
FedRAMP/FISMA Compliance
Configure for FedRAMP or FISMA compliance:
```yaml
# compliance-values.yaml
compliance:
  fedramp:
    enabled: true
    level: high  # moderate or high
    controls:
      - id: AC-2
        implementation: automatic
      - id: AC-3
        implementation: automatic
      - id: AU-2
        implementation: automatic
```
Disconnected Edge Environments
Configure for disconnected edge deployments:
```yaml
# edge-values.yaml
edge:
  enabled: true
  autonomousOperation: true
  resilience:
    offlineMode: true
    dataRetention:
      local:
        enabled: true
        size: 10Gi
  synchronization:
    mode: manual
    schedule: "0 0 * * *"  # When connected
```
Sensitive Data Environments
Configure for environments with sensitive data:
```yaml
# sensitive-data-values.yaml
dataProtection:
  encryption:
    enabled: true
    provider: vault
    vault:
      address: https://vault.example.com
      path: secret/scanner
  masking:
    enabled: true
    patterns:
      - type: regex
        pattern: "([0-9]{3}-[0-9]{2}-[0-9]{4})"
        replacement: "XXX-XX-XXXX"
```
Regulated Environments
Configure for regulated industries:
```yaml
# regulated-values.yaml
regulated:
  enabled: true
  industry: healthcare  # healthcare, finance, government
  compliance:
    hipaa:
      enabled: true
    pci:
      enabled: false
    gdpr:
      enabled: false
  documentation:
    generateReports: true
    auditEvidence: true
```
Cross-Regional Deployments
Configure for multi-region deployments:
```yaml
# multi-region-values.yaml
regions:
  enabled: true
  primary: us-east
  secondaries:
    - name: eu-central
      replication:
        enabled: true
        mode: async
    - name: ap-southeast
      replication:
        enabled: true
        mode: async
  failover:
    enabled: true
    automatic: false
```