Implementation Guide

Overview

Security Emphasis

This learning path ensures that your implementation balances functional requirements with security considerations. By following this path, you'll deploy a secure scanner setup that follows defense-in-depth principles.

This learning path guides you through a complete implementation of Kube CINC Secure Scanner. It provides detailed steps for setting up the scanner in different environments with a focus on security, maintainability, and integration.

Time to complete: 2-3 hours

Target audience: DevOps engineers, Platform engineers, Security engineers

Security risk: 🟡 Medium - Involves cluster-level installations and service account configuration

Security approach: Implements principle of least privilege, namespace isolation, and secure deployment patterns with proper security context configuration

Security Architecture

Understanding Permission Layers

A secure implementation requires managing permissions across distinct boundaries:

1. Cluster Administrative Permissions * Control: Installation of core components, namespace creation, and RBAC setup * Risk area: Overly broad administrative access could compromise cluster security * Mitigation: Use dedicated service accounts with time-limited tokens for installation

2. Scanner Runtime Permissions * Control: Scanner's ability to access and scan target containers * Risk area: Excessive permissions could allow unintended container access * Mitigation: Implement granular RBAC with namespace isolation and specific verb limitations

3. Integration Permissions * Control: How external systems interact with the scanner infrastructure * Risk area: Integration points could expose scanner capabilities inappropriately * Mitigation: Create dedicated integration service accounts with minimal required access

Prerequisites

• Kubernetes cluster with administrative access
• kubectl installed and configured
• Helm v3 installed (for Helm-based deployment)
• Completed the Core Concepts learning path or have equivalent knowledge
• Understanding of RBAC and Kubernetes security concepts

Learning Path Steps

Step 1: Environment Preparation

Security Consideration

Plan your deployment with security boundaries in mind. Create dedicated namespaces with proper RBAC restrictions to maintain isolation.

1. Determine your deployment requirements:
2. Review the Decision Matrix to choose the best scanning approach
3. Identify required permissions and resource constraints

4. Document security requirements and boundaries

5. Create a dedicated namespace:

kubectl create namespace scanner-system

1. Apply necessary RBAC configurations:

# For standard approach
kubectl apply -f kubernetes/templates/rbac.yaml -n scanner-system

# For label-based RBAC (more restrictive)
kubectl apply -f kubernetes/templates/label-rbac.yaml -n scanner-system

1. Verify RBAC permissions:

# Test service account permissions
kubectl auth can-i --as=system:serviceaccount:scanner-system:scanner list pods -n default

Estimated time: 30 minutes

Success criteria: You have a dedicated namespace with proper RBAC permissions configured.

---

Step 2: Scanner Infrastructure Deployment

Security Consideration

Use appropriate security context settings and resource limits to protect your cluster from potential resource exhaustion or privilege escalation.

1. Deploy the scanner infrastructure:

Option A: Using Helm Charts (Recommended)

# Install scanner infrastructure
cd helm-charts
helm install scanner-infra scanner-infrastructure/ \
  --namespace scanner-system \
  --values scanner-infrastructure/examples/values-production.yaml

Option B: Using Kubernetes Manifests

# Apply core manifests
kubectl apply -f kubernetes/templates/service-account.yaml -n scanner-system
kubectl apply -f kubernetes/templates/rbac.yaml -n scanner-system

1. Verify infrastructure deployment:

kubectl get serviceaccounts -n scanner-system
kubectl get roles,rolebindings -n scanner-system

1. Configure scanner security settings:
2. Review and apply security-hardened values from Security Best Practices
3. Apply network policies if needed

Estimated time: 30 minutes

Success criteria: Scanner infrastructure components are running and properly configured with security controls.

---

Step 3: Scanner Deployment Based on Approach

Security Consideration

Each scanning approach has different security implications. Ensure you understand the security tradeoffs and implement appropriate mitigations.

Choose your scanner deployment based on your selected approach:

Option A: Standard Scanner (Kubernetes API)

helm install standard-scanner standard-scanner/ \
  --namespace scanner-system \
  --values standard-scanner/examples/values-ci.yaml

Option B: Distroless Scanner (Debug Container)

helm install distroless-scanner distroless-scanner/ \
  --namespace scanner-system \
  --values distroless-scanner/examples/values-distroless-golang.yaml

Option C: Sidecar Scanner

helm install sidecar-scanner sidecar-scanner/ \
  --namespace scanner-system

Review your deployment:

helm list -n scanner-system
kubectl get all -n scanner-system

Configure any specific scanner options:

• Review Configuration Reference
• Adjust resource limits and security context settings
• Configure threshold values based on your security requirements

Estimated time: 30 minutes

Success criteria: Scanner is deployed according to your chosen approach with appropriate security configurations.

---

Step 4: Testing Your Implementation

Security Consideration

Validate that your scanner implementation maintains the security boundaries you've established and doesn't introduce new security risks.

1. Create a test pod:

kubectl apply -f test-pod.yaml -n default

1. Run your first scan based on your chosen approach:

Standard Scanner

./kubernetes-scripts/scan-container.sh default test-pod test-container examples/cinc-profiles/container-baseline examples/thresholds/strict.yml

Distroless Scanner

./kubernetes-scripts/scan-distroless-container.sh default test-pod test-container examples/cinc-profiles/container-baseline examples/thresholds/strict.yml

Sidecar Scanner

./kubernetes-scripts/scan-with-sidecar.sh default test-pod examples/cinc-profiles/container-baseline examples/thresholds/strict.yml

1. Review scan results:

# Check the results file
cat results/container-scan-results.json

1. Test with multiple containers and scan configurations to ensure everything works as expected.

Estimated time: 30 minutes

Success criteria: Successfully performed container scans and received valid results.

---

Step 5: Integration Setup

Security Consideration

When integrating with CI/CD systems, ensure credentials are properly secured and limit privileges to only what's necessary for scanning operations.

1. Configure integration with your CI/CD platform:

GitHub Actions - Review GitHub Actions Integration - Implement workflow using GitHub Workflow Examples

GitLab CI - Review GitLab CI Integration - Implement pipeline using GitLab Pipeline Examples

1. Configure threshold values:
2. Review Thresholds Integration

3. Create custom threshold files for different environments

4. Configure reporting:

5. Set up results handling in your CI/CD platform
6. Implement notification mechanisms for scan failures

Estimated time: 30 minutes

Success criteria: Scanner is integrated with your CI/CD platform and produces actionable reports.

---

Security Considerations

This section provides a comprehensive overview of security considerations for implementation:

• Defense in Depth:

  • Apply multiple security controls at different layers
  • Implement least privilege RBAC configurations
  • Use network policies to restrict communication between components
  • Consider pod security policies or Pod Security Standards

• Credential Management:

  • Use short-lived service account tokens
  • Implement proper secret management for sensitive configurations
  • Rotate credentials regularly
  • Review Security Credentials Management

• Isolation Strategies:

  • Run scanner components in dedicated namespaces
  • Implement resource quotas to prevent resource exhaustion
  • Use node selectors or taints/tolerations for specialized workloads

• Monitoring and Alerting:

  • Implement monitoring for scanner components
  • Set up alerts for scanner failures or security issues
  • Log and audit scanner activities

Compliance Relevance

This learning path helps address the following compliance requirements:

• Container Security Standards - Implements controls for container security assessment
• Continuous Monitoring - Establishes continuous security assessment for container environments
• Change Management - Integrates security scanning into change management processes
• Vulnerability Management - Creates a workflow for identifying and addressing container security issues

Next Steps

After completing this learning path, consider:

• Advanced Features - Explore advanced security capabilities
• Security-First Implementation - Enhance security controls
• Implement advanced configurations from Advanced Topics

Related Resources

• Deployment Scenarios
• Security Components
• Operations Guide

Related Tasks

• Script Deployment - Deploy using scripts directly
• Helm Deployment - Deploy using Helm charts
• Kubernetes Setup - Set up Kubernetes environment
• RBAC Setup - Configure RBAC permissions
• Token Management - Manage access tokens
• Thresholds Configuration - Configure security thresholds
• GitHub Integration - Integrate with GitHub Actions
• GitLab Integration - Integrate with GitLab CI