Skip to content

Kubernetes Scripts

This directory contains links to the scanning and Kubernetes setup scripts used in the Kube CINC Secure Scanner project.

Available Scripts

Script Details

scan-container.sh

1
Usage: ./scan-container.sh <namespace> <pod-name> <container-name> <profile-path> [threshold_file]

This script scans standard containers using the Kubernetes API approach (train-k8s-container transport). It requires a namespace, pod name, container name, and a path to an InSpec profile.

scan-distroless-container.sh

1
Usage: ./scan-distroless-container.sh <namespace> <pod-name> <container-name> <profile-path> [threshold_file]

This script scans distroless containers by creating an ephemeral debug container and using a chroot approach to access the container filesystem.

scan-with-sidecar.sh

1
Usage: ./scan-with-sidecar.sh <namespace> <pod-name> <profile-path> [threshold_file]

This script scans containers using a sidecar container approach with shared process namespace.

setup-minikube.sh

1
Usage: ./setup-minikube.sh [--with-distroless]

This script sets up a Minikube environment for testing. The --with-distroless flag adds support for distroless container scanning.

generate-kubeconfig.sh

1
Usage: ./generate-kubeconfig.sh <service-account> <namespace> <context>

This script generates a kubeconfig file with appropriate permissions for a given service account, namespace, and context.

Usage Examples

Scanning a Standard Container

1
./scan-container.sh default test-pod test-container examples/cinc-profiles/container-baseline

Scanning a Distroless Container

1
./scan-distroless-container.sh default test-pod test-container examples/cinc-profiles/container-baseline

Scanning with Sidecar Approach

1
./scan-with-sidecar.sh default test-pod examples/cinc-profiles/container-baseline

Setting Up Minikube

1
./setup-minikube.sh --with-distroless

Generating a Kubeconfig File

1
./generate-kubeconfig.sh scanner-sa default my-scanner-context