!!! info "Directory Context" This document is part of the Operations Directory. See the Operations Directory Inventory for related resources.
This guide provides strategies for optimizing the performance of the Secure Kubernetes Container Scanning Helm charts. Proper performance tuning is essential for running efficient scanning operations, particularly in environments with many containers or limited resources.
Several factors affect container scanning performance:
- Profile Complexity: The number of controls and their complexity
- Container Size: The size of the target container's filesystem
- Network Latency: The latency between scanner and target
- Resource Allocation: CPU and memory allocated to scanner components
- Concurrency: The number of concurrent scans
- Scanning Approach: Different approaches have different performance characteristics
Optimize your CINC Auditor profiles for better performance:
# Efficient file checking using wildcards
describe file('/etc/passwd') do
it { should exist }
end
# Instead of checking every file in a directory individually,
# use a single check with wildcard for better performance
describe command('find /etc -name "*.conf" -type f -perm -o+w | wc -l') do
its('stdout.strip') { should eq '0' }
endCreate focused, purpose-specific profiles:
# Create a lightweight profile for basic checks
cat > basic-profile/inspec.yml << EOF
name: basic-profile
version: 1.0.0
depends:
- name: container-baseline
path: ../container-baseline
skip_controls:
- filesystem_checks
- process_checks
EOF
# Use the lightweight profile for faster scans
./kubernetes-scripts/scan-container.sh scanning-namespace target-pod container-name ./basic-profileAdjust resource limits and requests for scanner containers:
# Optimize sidecar scanner resources
helm install sidecar-scanner ./helm-charts/sidecar-scanner \
--set common-scanner.scanner-infrastructure.targetNamespace=scanning-namespace \
--set scanner.resources.requests.cpu=200m \
--set scanner.resources.requests.memory=256Mi \
--set scanner.resources.limits.cpu=500m \
--set scanner.resources.limits.memory=512MiFor debug containers:
# Optimize debug container resources
helm install distroless-scanner ./helm-charts/distroless-scanner \
--set common-scanner.scanner-infrastructure.targetNamespace=scanning-namespace \
--set debugContainer.resources.requests.cpu=100m \
--set debugContainer.resources.requests.memory=128Mi \
--set debugContainer.resources.limits.cpu=200m \
--set debugContainer.resources.limits.memory=256MiSchedule scans during off-peak hours:
# Example cron job for off-peak scanning
apiVersion: batch/v1
kind: CronJob
metadata:
name: nightly-scan
namespace: scanning-namespace
spec:
schedule: "0 2 * * *" # Run at 2 AM daily
jobTemplate:
spec:
template:
spec:
containers:
- name: scanner
image: scanner-image:latest
command: ["/bin/sh", "-c"]
args:
- |
./kubernetes-scripts/scan-container.sh scanning-namespace target-pod container-name ./profiles/container-baseline
restartPolicy: OnFailureImplement parallel scanning for multiple containers:
#!/bin/bash
# parallel-scan.sh
NAMESPACE="scanning-namespace"
PODS=$(kubectl get pods -n $NAMESPACE -l app=target-app -o jsonpath='{.items[*].metadata.name}')
# Scan pods in parallel
for POD in $PODS; do
./kubernetes-scripts/scan-container.sh $NAMESPACE $POD container-name ./profiles/container-baseline --output-file=results-$POD.json &
done
# Wait for all background processes to complete
wait
# Process results
for POD in $PODS; do
echo "Results for $POD:"
saf summary --input results-$POD.json --output-md summary-$POD.md
done# Optimize standard scanner
helm install standard-scanner ./helm-charts/standard-scanner \
--set common-scanner.scanner-infrastructure.targetNamespace=scanning-namespace \
--set common-scanner.scripts.includeScanScript=true \
--set common-scanner.scripts.includeDistrolessScanScript=false \
--set common-scanner.scripts.includeSidecarScanScript=falseUse direct transport invocation for faster scanning:
# Direct transport for better performance
KUBECONFIG=./kubeconfig.yaml cinc-auditor exec ./profiles/container-baseline \
-t k8s-container://scanning-namespace/target-pod/container --sudo=false# Optimize debug container approach
helm install distroless-scanner ./helm-charts/distroless-scanner \
--set common-scanner.scanner-infrastructure.targetNamespace=scanning-namespace \
--set debugContainer.image=alpine:3.15 # Smaller imageUse minimal debug container image:
# Minimal debug container for faster startup
debugContainer:
image: busybox:musl # Smaller than alpine
command: null
args: null
timeout: 300 # Shorter timeout# Optimize sidecar scanner
helm install sidecar-scanner ./helm-charts/sidecar-scanner \
--set common-scanner.scanner-infrastructure.targetNamespace=scanning-namespace \
--set scanner.image=chef/inspec:slim # Use smaller image if availableEnable CINC Auditor caching:
# Use caching for repeated scans
INSPEC_CACHE_ENABLED=true \
INSPEC_CACHE_LOCATION=/tmp/inspec-cache \
./kubernetes-scripts/scan-container.sh scanning-namespace target-pod container-name ./profiles/container-baselineDisable unnecessary reporters:
# Use only required reporters
./kubernetes-scripts/scan-container.sh scanning-namespace target-pod container-name \
./profiles/container-baseline --reporter json:/results/scan-results.json| Approach | Small Container | Medium Container | Large Container |
|---|---|---|---|
| Kubernetes API | 5-10 seconds | 10-30 seconds | 30-120 seconds |
| Debug Container | 15-30 seconds | 30-60 seconds | 60-180 seconds |
| Sidecar Container | 5-15 seconds | 15-45 seconds | 45-150 seconds |
Note: Actual times will vary based on profile complexity, container content, and system resources.
| Profile Type | Controls | Scan Time Impact |
|---|---|---|
| Basic Security | 10-20 | Minimal |
| CIS Benchmark | 50-100 | Moderate |
| Full Compliance | 100+ | Significant |
Monitor resource usage during scans:
# Monitor scanner pod resource usage
kubectl top pod -n scanning-namespace scanner-pod --containers
# Monitor debug container usage
kubectl top pod -n scanning-namespace target-podCollect scan timing metrics:
# Add timing to scan script
time ./kubernetes-scripts/scan-container.sh scanning-namespace target-pod container-name ./profiles/container-baseline
# Output detailed timing in profiles
control 'container-1.1' do
impact 0.7
title 'Ensure container has proper permissions'
describe.one do
start_time = Time.now
describe file('/etc/passwd') do
it { should exist }
it { should be_owned_by 'root' }
end
puts "Executed control container-1.1 in #{Time.now - start_time} seconds"
end
endFor CI/CD environments, focus on speed:
# CI/CD optimized scan
./kubernetes-scripts/scan-container.sh ci-namespace target-pod container-name ./profiles/ci-profile \
--reporter json-min:/results/scan-results.jsonUse a streamlined CI profile:
# ci-profile/inspec.yml
name: ci-profile
version: 1.0.0
depends:
- name: container-baseline
path: ../container-baseline
controls:
- critical_controls # Only run critical controls for faster CIFor production environments, balance thoroughness with performance:
# Production scan with optimal balance
./kubernetes-scripts/scan-container.sh prod-namespace target-pod container-name ./profiles/prod-profile \
--reporter json:/results/scan-results.json \
--ignore-warning-controls # Skip warning-level controlsFor environments with many containers:
# Distributed scanning with multiple scanners
for NAMESPACE in namespace1 namespace2 namespace3; do
kubectl create job --from=cronjob/scanner-job scanner-$NAMESPACE -n scanning-namespace
doneOptimizing container scanning performance requires a multi-faceted approach. By fine-tuning profiles, resource allocation, and scanning strategies, you can significantly improve scanning efficiency while maintaining security effectiveness.