Skip to content

Advanced Features

Overview

Security Emphasis

This learning path focuses on advanced security features and optimizations that enhance the security posture of your Kube CINC Secure Scanner implementation. These features provide deeper security controls and more robust compliance capabilities.

This learning path guides you through the advanced features of Kube CINC Secure Scanner. By completing this path, you will understand how to implement advanced security controls, optimize performance, integrate with enterprise security tools, and customize the scanner for specialized environments.

Time to complete: 2-3 hours

Target audience: Security engineers, DevSecOps engineers, Compliance officers

Security level: Advanced

Prerequisites

  • A working Kube CINC Secure Scanner implementation
  • Completed the Implementation Guide learning path
  • Understanding of Kubernetes security concepts
  • Familiarity with container security principles
  • Administrative access to your Kubernetes cluster

Learning Path Steps

Step 1: Advanced RBAC Configuration

Security Consideration

Fine-grained RBAC is critical for maintaining the principle of least privilege and preventing unauthorized access to sensitive resources.

  1. Implement label-based RBAC for targeted scanning:
  2. Review Label-Based RBAC
  3. Create namespace labels for controlling scan access:
1
kubectl label namespace default scan-allowed=true
  1. Apply enhanced RBAC configuration:
1
kubectl apply -f kubernetes/templates/label-rbac.yaml
  1. Configure time-bound tokens:
  2. Review Token Management

  3. Implement token expiration controls

  4. Verify RBAC restrictions:

1
2
3
4
5
# Test access to labeled namespaces
kubectl auth can-i --as=system:serviceaccount:scanner-system:scanner list pods -n default

# Test access to unlabeled namespaces (should fail)
kubectl auth can-i --as=system:serviceaccount:scanner-system:scanner list pods -n kube-system

Estimated time: 30 minutes

Success criteria: Scanner has restricted access to only labeled namespaces with appropriate time-bound tokens.

Step 2: Enhanced Security Controls

Security Consideration

Implementing defense-in-depth requires multiple layers of security controls that work together to provide comprehensive protection.

  1. Implement network policies:
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: scanner-network-policy
  namespace: scanner-system
spec:
  podSelector:
    matchLabels:
      app: scanner
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          scan-allowed: "true"
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          scan-allowed: "true"
  - to:
    - podSelector:
        matchLabels:
          app: scanner-results
  1. Apply security context enhancements:
  2. Review Security Hardening
  3. Update Helm values for enhanced pod security:
1
2
3
4
5
6
helm upgrade standard-scanner standard-scanner/ \
  --namespace scanner-system \
  --set securityContext.readOnlyRootFilesystem=true \
  --set securityContext.runAsNonRoot=true \
  --set securityContext.runAsUser=10001 \
  --set securityContext.allowPrivilegeEscalation=false
  1. Implement resource quotas and limits:
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
kubectl apply -f - <<EOF
apiVersion: v1
kind: ResourceQuota
metadata:
  name: scanner-quota
  namespace: scanner-system
spec:
  hard:
    requests.cpu: "2"
    requests.memory: 4Gi
    limits.cpu: "4"
    limits.memory: 8Gi
EOF

Estimated time: 30 minutes

Success criteria: Enhanced security controls applied to scanner components with verified restrictions.

Step 3: Advanced Thresholds and Reporting

Security Consideration

Advanced threshold configurations allow for more granular control over security requirements, helping to balance operational needs with security requirements.

  1. Implement advanced threshold configurations:
  2. Review Advanced Thresholds
  3. Create environment-specific threshold files:
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
# strict-production.yml
compliance:
  total_pass: 95.0
  critical_controls_pass: 100.0
scoring:
  critical:
    points: 100
    maximum_allowed_fail: 0
  high:
    points: 40
    maximum_allowed_fail: 0
  medium:
    points: 15
    maximum_allowed_fail: 2
  low:
    points: 5
    maximum_allowed_fail: 5
  1. Configure custom reporting formats:
  2. Review Reporting Configuration

  3. Set up JSON, XML, and HTML report formats

  4. Implement compliance mapping:

  5. Map controls to compliance frameworks

  6. Create compliance-specific threshold files

  7. Test advanced threshold configurations:

1
./kubernetes-scripts/scan-container.sh default test-pod test-container examples/cinc-profiles/container-baseline examples/strict-production.yml

Estimated time: 30 minutes

Success criteria: Advanced threshold configurations implemented with custom reporting formats.

Step 4: Enterprise Integration

Security Consideration

When integrating with enterprise systems, ensure proper authentication, secure communication channels, and appropriate access controls.

  1. Integrate with security information and event management (SIEM):
  2. Configure report forwarding to SIEM systems

  3. Set up alerts for critical findings

  4. Implement automated remediation workflows:

  5. Create ticket integration for findings
  6. Set up notification systems

  7. Configure escalation paths

  8. Integrate with compliance dashboards:

  9. Configure report aggregation

  10. Map findings to compliance controls

  11. Set up multi-environment scanning:

  12. Configure scanning for development, staging, and production
  13. Implement different threshold levels per environment

Estimated time: 45 minutes

Success criteria: Scanner integrated with enterprise security and compliance systems.

Step 5: Custom Profile Development

Security Consideration

Custom security profiles allow you to address organization-specific security requirements and enhance your security posture beyond baseline standards.

  1. Create a custom security profile:
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
# custom-controls/controls/01_custom_checks.rb
control 'CUSTOM-001' do
  impact 1.0
  title 'Custom Security Control'
  desc 'This control verifies organization-specific security requirements'

  describe file('/etc/custom-security-config') do
    it { should exist }
    its('content') { should match /security_level=high/ }
  end
end
  1. Add custom control to your profile:
1
2
3
4
5
6
7
# custom-profile/inspec.yml
name: custom-container-profile
title: Custom Container Security Profile
version: 1.0.0
depends:
  - name: container-baseline
    path: ../container-baseline
  1. Test your custom profile:
1
./kubernetes-scripts/scan-container.sh default test-pod test-container examples/custom-profile examples/thresholds/strict.yml
  1. Implement profile versioning and distribution process:
  2. Set up profile versioning
  3. Create profile distribution mechanism
  4. Document profile customization process

Estimated time: 45 minutes

Success criteria: Custom security profile created, tested, and implemented in your scanning workflow.

Security Considerations

This section provides a comprehensive overview of security considerations for advanced features:

  • Custom Security Controls:

    • Develop controls that address specific organizational security requirements
    • Ensure controls are properly tested and validated
    • Maintain version control for security profiles
    • Document and review custom controls regularly

  • Enterprise Integration Security:

    • Secure API tokens and credentials for integration points
    • Implement TLS for all communications
    • Apply the principle of least privilege for integration accounts
    • Audit integration activities regularly

  • Advanced Defense-in-Depth:

    • Implement multi-layered security controls
    • Apply network segmentation using network policies
    • Utilize admission controllers for additional security
    • Consider implementing service mesh for enhanced security controls

  • Operational Security:

    • Implement secure operational practices
    • Regularly rotate credentials and certificates
    • Monitor scanning activities and resource usage
    • Conduct regular security reviews of scanner configuration

Compliance Relevance

This learning path helps address the following compliance requirements:

  • Organization-Specific Security Requirements - Custom profiles address unique security needs
  • Advanced Compliance Frameworks - Enhanced capabilities for mapping to complex compliance requirements
  • Zero Trust Architecture - Supports implementation of zero trust principles through granular access controls
  • Audit Evidence Collection - Robust reporting capabilities provide detailed evidence for compliance audits
  • Continuous Compliance Monitoring - Advanced threshold configurations enable continuous compliance assessment

Next Steps

After completing this learning path, consider:

  • Implementing continuous improvement processes for your scanning infrastructure
  • Contributing to the Kube CINC Secure Scanner project
  • Exploring integration with additional security tools and frameworks
  • Developing advanced custom profiles for your specific use cases