Skip to content

Threat Mitigations

This document outlines the comprehensive mitigations implemented to address the threats identified in the threat model for the Secure CINC Auditor Kubernetes Container Scanning solution.

Spoofing Mitigations

Spoofing involves impersonating a legitimate user, system, or component.

Identity Controls

Mitigation Implementation Target Threats
Service Account Authentication Dedicated service accounts for scanner components Impersonation attacks
Short-lived Tokens Tokens expire after 15-30 minutes Stolen credential reuse
TLS Client Verification API server certificate validation Man-in-the-middle attacks
Token Binding Tokens bound to specific pods or operations Token reuse across contexts

Configuration Example

1
2
3
4
5
6
7
8
# Service account configuration
apiVersion: v1
kind: ServiceAccount
metadata:
  name: scanner-service-account
  namespace: scanner-namespace
  annotations:
    kubernetes.io/enforce-mountable-secrets: "true"

Tampering Mitigations

Tampering involves malicious modification of data or code.

Data Integrity Controls

Mitigation Implementation Target Threats
Read-only Filesystem Immutable container filesystems Scanner code modification
Signed Scanner Images Image signature verification Supply chain attacks
Result Validation Cryptographic validation of scan results Result tampering
Non-privileged Execution No ability to modify container state Target container modification

Configuration Example

1
2
3
4
5
# Pod security context
securityContext:
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 10001

Repudiation Mitigations

Repudiation involves denying that an action was performed.

Audit Controls

Mitigation Implementation Target Threats
API Audit Logging Comprehensive Kubernetes API auditing Unauthorized access denial
Scanner Logging Detailed scanner operation logs Scan tampering denial
Unique Identifiers Unique scan and operation IDs Activity attribution
Result Signatures Cryptographic signing of scan results Result authenticity verification

Configuration Example

1
2
3
4
5
6
7
8
# API server audit policy
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: RequestResponse
  resources:
  - group: ""
    resources: ["pods/exec"]

Information Disclosure Mitigations

Information disclosure involves unauthorized access to sensitive information.

Data Protection Controls

Mitigation Implementation Target Threats
TLS Encryption Encrypted API server communication Network eavesdropping
Minimal Container Access Access only to required containers Sensitive data exposure
Result Encryption Encryption of scan results Unauthorized result access
Log Sanitization Removal of sensitive data from logs Log-based information leakage

Configuration Example

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
# Network policy for scanner pods
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: scanner-network-policy
spec:
  podSelector:
    matchLabels:
      role: scanner
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - port: 443
      protocol: TCP

Denial of Service Mitigations

Denial of service involves disrupting services or resource availability.

Availability Controls

Mitigation Implementation Target Threats
Resource Limits CPU and memory constraints Resource exhaustion attacks
Scanner Timeouts Automatic termination of long-running scans Scan operation hanging
Rate Limiting Limiting scan frequency API server flooding
Graceful Error Handling Proper handling of failures Service disruption attacks

Configuration Example

1
2
3
4
5
6
7
8
# Resource limits for scanner containers
resources:
  limits:
    cpu: "500m"
    memory: "512Mi"
  requests:
    cpu: "100m"
    memory: "128Mi"

Elevation of Privilege Mitigations

Elevation of privilege involves gaining access or capabilities beyond what is authorized.

Privilege Controls

Mitigation Implementation Target Threats
Least Privilege RBAC Minimal permissions for service accounts Permission escalation
Non-root Execution Containers run as non-root users Root access exploitation
Capability Restrictions Dropping all unnecessary capabilities Linux capability abuse
No Privilege Escalation allowPrivilegeEscalation: false Container breakout

Configuration Example

1
2
3
4
5
6
7
8
# Security context with privilege restrictions
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  seccompProfile:
    type: RuntimeDefault

Approach-Specific Mitigations

Kubernetes API Approach

Threat Category Specific Mitigations
Spoofing Standard API authentication, no additional requirements
Tampering No container modification, standard controls sufficient
Information Disclosure Limited container visibility through exec operations only
Elevation of Privilege Standard RBAC controls, no additional attack paths

Debug Container Approach

Threat Category Specific Mitigations
Spoofing Standard mitigations plus ephemeral container authentication
Tampering Read-only filesystem access to target container
Information Disclosure Short-lived access, automatic container removal
Elevation of Privilege Strict security context for ephemeral containers

Sidecar Container Approach

Threat Category Specific Mitigations
Spoofing Standard mitigations plus process namespace controls
Tampering Read-only filesystem access, no modification capabilities
Information Disclosure Process namespace security contexts, enhanced monitoring
Elevation of Privilege Enhanced isolation controls, strict security policies

Defense-in-Depth Strategy

Our mitigation strategy implements defense-in-depth with multiple security layers:

Authentication Layer

  • Service account separation
  • Time-limited tokens
  • Audience-bound tokens
  • TLS client validation

Authorization Layer

  • Namespace-scoped RBAC
  • Resource-specific permissions
  • Resource name constraints
  • Verb-limited operations

Isolation Layer

  • Pod security contexts
  • Network policies
  • Non-privileged execution
  • Container hardening

Monitoring Layer

  • API server audit logging
  • Scanner operation logging
  • Token usage monitoring
  • Abnormal access detection

CI/CD Pipeline Security

Special considerations for CI/CD pipeline integration:

  1. Variable Masking: Configure CI/CD systems to mask token values
  2. Pipeline-scoped Tokens: Generate unique tokens for each pipeline run
  3. Immutable Reference Images: Use immutable image references with digests
  4. Pipeline-specific Service Accounts: Dedicated service accounts per pipeline
  5. Scanner Verification: Verify scanner image integrity before use

Conclusion

The comprehensive threat mitigation strategy addresses the key threats identified in the threat model. By implementing multiple layers of protection and specific controls for each threat category, the solution provides a robust security posture for container scanning operations.

The Kubernetes API Approach inherently requires fewer additional mitigations, while the Debug Container and Sidecar Container approaches require more extensive controls to address their expanded attack surface and isolation implications.