Skip to content

Helm Chart Security

Directory Inventory

See the Security Directory Inventory for a complete listing of files and resources in this directory.

Overview

This section outlines security considerations for deploying and using the Secure Kubernetes Container Scanning Helm charts. Security is a core design principle of our solution, with all charts implementing a least-privilege model, short-lived credentials, and other security best practices.

Security Architecture

Security-First Design

Our Helm charts implement a layered security architecture:

  1. Core Security Layer (scanner-infrastructure)
  2. Least-privilege RBAC implementation
  3. Short-lived access tokens
  4. Namespace isolation

  5. Service account permissions

  6. Operational Security Layer (common-scanner)

  7. Secure script execution
  8. Result data protection

  9. Failure handling

  10. Approach-Specific Security Controls

  11. Different security models for each scanning approach
  12. Approach-specific hardening options

Security Documentation

The security documentation is organized into the following sections:

  • Best Practices: Recommended security practices for deploying and using the Helm charts
  • RBAC Hardening: Detailed guidance for securing RBAC configurations
  • Risk Assessment: Security risk assessment for each Helm chart component

Security Considerations by Scanning Approach

Kubernetes API Approach (standard-scanner)

This approach offers the strongest security posture:

  • Minimal Attack Surface: Uses only Kubernetes API exec
  • No Additional Containers: Maintains container isolation
  • Clean Security Boundary: Clear separation between scanner and target

Debug Container Approach (distroless-scanner)

This approach has specific security considerations:

  • Temporary Attack Surface Increase: Ephemeral debug container
  • Process Namespace Consideration: Debug container can access target processes
  • Limited Duration: Container exists only during scanning

Sidecar Container Approach (sidecar-scanner)

This approach has the highest security impact:

  • Persistent Attack Surface Increase: Sidecar container remains with pod
  • Process Namespace Sharing: Breaks container isolation boundary
  • Resource Consumption: Additional container in every pod

Getting Started with Security

To implement a secure scanning solution:

  1. Review the Security Best Practices for deployment recommendations
  2. Follow the RBAC Hardening guide for proper access control
  3. Understand the Risk Assessment for each component
  4. Choose the appropriate scanning approach based on your security requirements
  5. Implement the recommended security controls for your environment