!!! info "Directory Context"
    This document is part of the Infrastructure Directory. See the Infrastructure Directory Inventory for related resources.
The scanner-infrastructure chart manages Kubernetes namespaces for container scanning operations. Proper namespace management is important for security isolation, resource management, and multi-team deployments.
The chart can optionally create a dedicated namespace:
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: scanning-namespace
  labels:
    app.kubernetes.io/name: scanner-infrastructure
    app.kubernetes.io/instance: scanner
```
This namespace:
- Isolates scanning operations from other workloads
- Groups scanning resources together
- Enables namespace-level security controls
For existing namespaces, disable namespace creation:
```bash
helm install scanner-infrastructure ./helm-charts/scanner-infrastructure \
  --set createNamespace=false \
  --set targetNamespace=existing-namespace
```
For centralized scanning operations:
```bash
# Create a dedicated scanning namespace
helm install scanner-infrastructure ./helm-charts/scanner-infrastructure \
  --set targetNamespace=security-scanning
```
For environment-specific scanning:
```bash
# Development environment
helm install dev-scanner-infra ./helm-charts/scanner-infrastructure \
  --set targetNamespace=dev-scanning

# Production environment
helm install prod-scanner-infra ./helm-charts/scanner-infrastructure \
  --set targetNamespace=prod-scanning
```
For multi-team deployments:
```bash
# Team A scanner infrastructure
helm install team-a-scanner-infra ./helm-charts/scanner-infrastructure \
  --set targetNamespace=team-a-scanning

# Team B scanner infrastructure
helm install team-b-scanner-infra ./helm-charts/scanner-infrastructure \
  --set targetNamespace=team-b-scanning
```
Add network policies to restrict scanner communication:
```yaml
# network-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: scanner-policy
  namespace: scanning-namespace
spec:
  podSelector:
    matchLabels:
      role: scanner
  policyTypes:
    - Ingress
    - Egress
  ingress: []
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: scanning-namespace
        - podSelector:
            matchLabels:
              scan-target: "true"
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: TCP
          port: 443 # Kubernetes API
```
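A policy only isolates the scanners if it is actually as strict as intended, so here is an added check (not part of the chart) that lints a NetworkPolicy fetched with `kubectl get networkpolicy scanner-policy -n scanning-namespace -o json`. `SCANNER_POLICY` is the policy above re-typed as constructed JSON, and `WEAK_POLICY` is a constructed weakened variant showing what the check flags; note that the check also reports the scan-target rule above for not restricting ports.

```python
"""Lint a NetworkPolicy (as returned by `kubectl get networkpolicy <name> -o json`)
for the isolation properties a scanner namespace relies on."""
import copy
import json


def lint_network_policy(policy: dict) -> list[str]:
    """Return findings; an empty list means the policy is as strict as expected."""
    findings = []
    spec = policy.get("spec", {})
    types = set(spec.get("policyTypes", []))
    # A direction missing from policyTypes is left completely unrestricted.
    for direction in ("Ingress", "Egress"):
        if direction not in types:
            findings.append(f"{direction} is not in policyTypes, so it is not restricted")
    if spec.get("ingress"):
        findings.append("ingress rules present; scanner pods should accept no inbound traffic")
    for i, rule in enumerate(spec.get("egress", [])):
        peers = rule.get("to")
        if not peers:  # a rule without 'to' allows egress to every destination
            findings.append(f"egress rule {i} has no 'to' peers, which allows egress to anywhere")
            continue
        for j, peer in enumerate(peers):
            if peer.get("ipBlock", {}).get("cidr") == "0.0.0.0/0":
                findings.append(f"egress rule {i} peer {j} allows 0.0.0.0/0")
            ns = peer.get("namespaceSelector")
            if ns is not None and not ns.get("matchLabels") and not ns.get("matchExpressions"):
                findings.append(f"egress rule {i} peer {j} has an empty namespaceSelector (all namespaces)")
        if not rule.get("ports"):
            findings.append(f"egress rule {i} does not restrict ports")
    return findings


# Constructed sample: the scanner-policy from this page, in the JSON form kubectl emits.
SCANNER_POLICY = json.loads("""
{"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
 "metadata": {"name": "scanner-policy", "namespace": "scanning-namespace"},
 "spec": {"podSelector": {"matchLabels": {"role": "scanner"}},
          "policyTypes": ["Ingress", "Egress"], "ingress": [],
          "egress": [
            {"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "scanning-namespace"}}},
                    {"podSelector": {"matchLabels": {"scan-target": "true"}}}]},
            {"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}}}],
             "ports": [{"protocol": "TCP", "port": 443}]}]}}
""")

# Constructed weakened variant: egress no longer enforced and an unrestricted egress rule added.
WEAK_POLICY = copy.deepcopy(SCANNER_POLICY)
WEAK_POLICY["spec"]["policyTypes"] = ["Ingress"]
WEAK_POLICY["spec"]["egress"].append({})
```

Call `lint_network_policy(SCANNER_POLICY)` on the dictionary produced by `json.load` of the kubectl output; a non-empty list is a reason to block the rollout.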
Apply resource quotas to scanning namespaces:
```yaml
# resource-quota.yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: scanner-quota
  namespace: scanning-namespace
spec:
  hard:
    pods: "10"
    requests.cpu: "2"
    requests.memory: 4Gi
    limits.cpu: "4"
    limits.memory: 8Gi
```
For scanning pods in other namespaces:
```bash
# Install infrastructure in scanning namespace
helm install scanner-infrastructure ./helm-charts/scanner-infrastructure \
  --set targetNamespace=scanning-namespace \
  --set rbac.clusterWide=true # Creates ClusterRole instead of Role
```
| Parameter | Description | Default | Required |
|---|---|---|---|
| createNamespace | Create the namespace | true | No |
| targetNamespace | Target namespace for installation | inspec-test | Yes |
| namespace.labels | Labels for the namespace | {} | No |
| namespace.annotations | Annotations for the namespace | {} | No |
| rbac.clusterWide | Enable cluster-wide permissions | false | No |
- Use Dedicated Namespaces: Isolate scanning operations from other workloads
- Apply Namespace Labels: Label namespaces for identifying scanning resources
- Implement Network Policies: Restrict scanner communication to necessary endpoints
- Define Resource Quotas: Limit resource consumption by scanning operations
- Consider Namespace Hierarchy: Organize namespaces by environment, team, or application
- Avoid Cluster-Wide Permissions: Use namespace-specific permissions when possible