This document outlines security best practices for deploying and using the Secure Kubernetes Container Scanning Helm charts. Following these practices will help ensure a secure deployment that minimizes potential security risks.
```bash
# Use resource name restrictions for maximum security
helm install scanner-infrastructure ./helm-charts/scanner-infrastructure \
  --set targetNamespace=scanning-namespace \
  --set rbac.useResourceNames=true \
  --set rbac.useLabelSelector=true \
  --set rbac.podSelectorLabels.app=target-app
```
This configuration limits the scanner's access to only pods with the specific label and name.
```bash
# Reduce token validity period for production environments
helm install scanner-infrastructure ./helm-charts/scanner-infrastructure \
  --set targetNamespace=scanning-namespace \
  --set token.duration=15  # 15 minutes
```
Always generate fresh tokens for each scanning operation:
```bash
# Generate a short-lived token before each scan
./kubernetes-scripts/generate-kubeconfig.sh scanning-namespace inspec-scanner ./kubeconfig.yaml

# Run scan with the fresh token
./kubernetes-scripts/scan-container.sh scanning-namespace target-pod container-name ./profiles/container-baseline

# Remove token after scan
rm ./kubeconfig.yaml
```
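A pre-scan check that enforces the token hygiene described above, added here as an example and not part of the project's scripts. It assumes the kubeconfig token is a Kubernetes bound service-account JWT (the kind `token.duration` produces) and only inspects its claims locally; the API server is what verifies the signature.

```python
import base64
import json
import time

# Values from the Helm install above; adjust if your chart settings differ.
EXPECTED_NAMESPACE = "scanning-namespace"
EXPECTED_SA = "inspec-scanner"
MAX_LIFETIME_SECONDS = 15 * 60  # --set token.duration=15

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def jwt_claims(token: str) -> dict:
    """Payload claims of a JWT. The signature is deliberately NOT verified:
    this is a local hygiene check, not authentication (the API server does that)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_unb64url(parts[1]))

def check_scanner_token(token: str, now=None) -> list:
    """Return problems found with a scanner kubeconfig token; [] means OK."""
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    k8s = claims.get("kubernetes.io", {})  # bound-token claims set by the API server
    problems = []
    if k8s.get("namespace") != EXPECTED_NAMESPACE:
        problems.append("token namespace is not %r" % EXPECTED_NAMESPACE)
    if k8s.get("serviceaccount", {}).get("name") != EXPECTED_SA:
        problems.append("token is not bound to service account %r" % EXPECTED_SA)
    exp, iat = claims.get("exp"), claims.get("iat")
    if exp is None or iat is None:
        problems.append("no exp/iat: legacy non-expiring secret token, not a TokenRequest token")
    else:
        if exp - iat > MAX_LIFETIME_SECONDS:
            problems.append("lifetime %ds exceeds %ds" % (exp - iat, MAX_LIFETIME_SECONDS))
        if now >= exp:
            problems.append("token already expired; regenerate before scanning")
    return problems

def constructed_token(claims: dict) -> str:
    """Constructed, unsigned sample token for local testing only (not a real cluster token)."""
    header = _b64url(json.dumps({"alg": "none"}).encode())
    return "%s.%s.%s" % (header, _b64url(json.dumps(claims).encode()), _b64url(b"sig"))
```

Wire `check_scanner_token` in front of `scan-container.sh` (reading the token out of `./kubeconfig.yaml`) and abort the scan when the returned list is non-empty.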
```yaml
# network-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: scanner-policy
  namespace: scanning-namespace
spec:
  podSelector:
    matchLabels:
      role: scanner
  policyTypes:
  - Ingress
  - Egress
  ingress: []          # the scanner accepts no inbound connections
  egress:
  # Both selectors in ONE list element: only pods labelled scan-target=true
  # inside scanning-namespace. Splitting them into two elements would allow
  # egress to every pod in the namespace OR any scan-target pod anywhere.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: scanning-namespace
      podSelector:
        matchLabels:
          scan-target: "true"
  # Kubernetes API. API-server pods normally use hostNetwork, and whether a
  # namespaceSelector matches them depends on the CNI; verify the scanner can
  # reach the API after applying this policy.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: TCP
      port: 443  # Kubernetes API
```
```bash
# Set resource limits for sidecar scanner
helm install sidecar-scanner ./helm-charts/sidecar-scanner \
  --set scanner.resources.requests.cpu=100m \
  --set scanner.resources.requests.memory=256Mi \
  --set scanner.resources.limits.cpu=200m \
  --set scanner.resources.limits.memory=512Mi
```
```bash
#!/bin/bash
# revoke-scanner-tokens.sh
set -euo pipefail

NAMESPACE="scanning-namespace"
SERVICE_ACCOUNT="inspec-scanner"

# Find all legacy token secrets listed on the service account.
# On Kubernetes 1.24+ this list is usually empty: time-limited tokens issued
# through the TokenRequest API are not stored in secrets and cannot be
# revoked this way; they expire on their own, or are invalidated when the
# service account they are bound to is deleted.
SECRETS=$(kubectl get serviceaccount "$SERVICE_ACCOUNT" -n "$NAMESPACE" -o json \
  | jq -r '.secrets[]?.name')

# Delete each secret to force recreation
for SECRET in $SECRETS; do
  kubectl delete secret "$SECRET" -n "$NAMESPACE"
done

echo "All tokens for $SERVICE_ACCOUNT in $NAMESPACE have been revoked."
```
Scanner Shutdown: Process to immediately stop all scanning operations