Skip to content

Security Risk Mitigations

This document outlines the comprehensive risk mitigation strategies implemented across all container scanning approaches in the Secure CINC Auditor Kubernetes Container Scanning solution.

Universal Mitigations (All Approaches)

These mitigation strategies apply to all scanning approaches:

Least-Privilege RBAC

  • Limit service accounts to minimum required permissions
  • Use namespace-scoped roles, not cluster roles
  • Apply label selector constraints when possible
  • Regular review and audit of permissions

Short-lived Credentials

  • Generate tokens with 15-minute (or less) expiration
  • Revoke tokens after scan completion
  • Use token request API instead of long-lived secrets
  • Implement proper token lifecycle management

Scan Isolation

  • Run scans from isolated environments
  • Limit network access during scanning
  • Use resource quotas to prevent DoS conditions
  • Separate scanning infrastructure from application infrastructure

Security Context

  • Run scanner containers as non-root users
  • Apply seccomp and AppArmor profiles when possible
  • Use read-only root filesystem for scanner containers
  • Minimize container capabilities

Approach-Specific Mitigations

Kubernetes API Approach

  • Validate container integrity before scanning
  • Limit scan duration with timeout controls
  • Run scanner with minimal network access
  • Implement input validation for command parameters

Debug Container Approach

  • Use dedicated, minimal scanner image
  • Apply strict resource limits
  • Automatically terminate debug containers after scan
  • Monitor for unauthorized debug container creation
  • Implement timeout-based forced termination

Sidecar Container Approach

  • Implement process namespace security policies
  • Use dedicated service accounts for sidecar deployment
  • Consider short-lived pods dedicated to scanning
  • Monitor for unauthorized sidecar injection
  • Apply strict network policies to sidecar containers

Enterprise Security Recommendations

Scanning Governance

  • Implement approval processes for scanning operations
  • Log all scanning activities with detailed attribution
  • Setup alerts for unauthorized scanning attempts
  • Regular review of scanning access patterns

CI/CD Pipeline Controls

  • Ensure pipeline credentials are properly secured
  • Validate scanner configuration before deployment
  • Scan the scanner images themselves for vulnerabilities
  • Implement separation of duties in pipeline configuration

Network Controls

  • Implement network policies to restrict scanner communication
  • Consider running scanning operations in dedicated namespaces
  • Implement egress filtering for scanning components
  • Restrict scanner to internal Kubernetes API endpoint

Monitoring and Auditing

  • Monitor for abnormal scanning patterns
  • Audit scanner configuration changes
  • Review scanner logs for suspicious activities
  • Set up alerts for unauthorized scanning operations

Image Security

  • Ensure scanner images are from trusted sources
  • Regularly update scanner components
  • Sign scanner images with trusted signatures
  • Implement scanning image vulnerability management

Risk-Based Approach Selection

When selecting a scanning approach based on security risk profile:

Consideration Best Approach
Maximum Security Kubernetes API Approach
Universal Coverage Sidecar Container Approach
Feature Compatibility Debug Container Approach
Minimal Permissions Kubernetes API Approach
CI/CD Integration All approaches equal

Selection Framework

The following framework helps select the appropriate approach based on security requirements:

  1. If all containers have shell access → Use Kubernetes API Approach
  2. If using Kubernetes 1.16+ with ephemeral containers → Consider Debug Container approach for distroless containers
  3. If need universal solution or restricted environments → Use Sidecar Container approach with enhanced security controls

For critical or highly sensitive environments, consider implementing additional security controls regardless of chosen approach.

Mitigation Implementation Guidelines

RBAC Implementation

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: scanner-role
  namespace: target-namespace
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
  # Optional selector
  resourceNames: ["app-pod-1", "app-pod-2"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]
  resourceNames: ["app-pod-1", "app-pod-2"]

Token Generation

1
2
3
4
5
# Time-limited token generation (15 minutes)
kubectl create token scanner-service-account \
  --duration=900s \
  --bound-object-kind=Pod \
  --bound-object-name=scanner-pod

Security Context

1
2
3
4
5
6
7
8
securityContext:
  runAsNonRoot: true
  runAsUser: 10001
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL

Network Policy

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: scanner-network-policy
  namespace: scanning-namespace
spec:
  podSelector:
    matchLabels:
      role: scanner
  policyTypes:
  - Ingress
  - Egress
  ingress: []  # No inbound traffic allowed
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - port: 443
      protocol: TCP

Conclusion

By implementing these comprehensive mitigation strategies, the security risks associated with container scanning are significantly reduced across all scanning approaches. The Kubernetes API approach inherently requires fewer mitigations due to its lower risk profile, while the Debug Container and Sidecar Container approaches require more extensive mitigations to address their higher inherent risks.

Organizations should select the scanning approach that best balances their security requirements with their operational needs, and implement the appropriate mitigations based on their risk tolerance and compliance requirements.