Network Security Recommendations

This document provides network security recommendations for deploying and operating the Secure CINC Auditor Kubernetes Container Scanning solution.

Overview

Network security is a critical aspect of container scanning, ensuring that communications remain secure and that scan results and credentials are protected during transit.

Network Security Controls

Transport Layer Security

• TLS Encryption: All communications between components should use TLS 1.2 or higher
• Certificate Validation: Properly validate certificates for all components
• Certificate Rotation: Implement regular certificate rotation procedures

Network Policies

• Restrict Pod Communication: Implement Kubernetes Network Policies to limit pod-to-pod communication
• Egress Filtering: Control outbound connections from scanning components
• Ingress Protection: Limit inbound connections to only required endpoints

Scanning Approach Considerations

Kubernetes API Approach

• Configure proper TLS for all API communications
• Implement Network Policies to restrict scanner pods
• Use internal Kubernetes DNS for service discovery

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: scanner-network-policy
spec:
  podSelector:
    matchLabels:
      app: scanner
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: scanner-namespace
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: scan-target-namespace

Debug Container Approach

• Ensure debug containers have limited network access
• Apply Network Policies to restrict debug container communications
• Limit egress to required services only

Sidecar Container Approach

• Configure proper TLS for sidecar communications
• Implement pod-level network restrictions
• Isolate scanner network traffic from application traffic

Air-Gapped Environments

For air-gapped or high-security environments:

1. Pre-package all required container images
2. Implement proper image transfer procedures
3. Configure scanning without external dependencies
4. Use internal artifact repositories for profiles and dependencies

Implementation Recommendations

1. Default Deny Network Policies: Start with default deny policies and add specific allowances
2. Separate Control Plane Traffic: Isolate scanner control communications from data traffic
3. Encrypt All Communications: Ensure all network traffic is encrypted, even within the cluster
4. Monitor Network Traffic: Implement network monitoring to detect unusual patterns

Related Documentation

• Enterprise Recommendations - Enterprise deployment security
• CI/CD Security - CI/CD integration security
• Kubernetes Setup - Kubernetes configuration guidelines