!!! info "Directory Context" This document is part of the Usage Directory. See the Usage Directory Inventory for related resources.
This guide explains how to customize the Secure Kubernetes Container Scanning Helm charts for your environment. The charts are designed to be highly customizable while preserving their security defaults, so every customization below keeps the scanner scoped to the namespace and pods it is meant to scan.

To add your own compliance profiles, package them in a ConfigMap and point the sidecar scanner at it instead of the bundled default profile:

```bash
# Create a ConfigMap from the profile directory; each file becomes a key
kubectl create configmap custom-profiles -n scanning-namespace \
  --from-file=./my-custom-profile

# Disable the default profile and reference the custom one in the sidecar scanner
helm install sidecar-scanner ./helm-charts/sidecar-scanner \
  --set common-scanner.scanner-infrastructure.targetNamespace=scanning-namespace \
  --set profiles.default.enabled=false \
  --set profiles.custom[0].name=my-profile \
  --set profiles.custom[0].configMap=custom-profiles \
  --set profiles.custom[0].path=/my-custom-profile
```

Run `inspec check ./my-custom-profile` before creating the ConfigMap so that a malformed profile is caught locally rather than at scan time. A ConfigMap is limited to 1 MiB, so larger profiles belong in a custom image instead.
Alternatively, build a custom scanner image with the profiles embedded:

```dockerfile
# Dockerfile for a custom scanner image; keep the base image pinned to an exact version
FROM chef/inspec:5.18.14

# Add custom profiles
COPY ./my-profiles /profiles

# Add custom scripts
COPY ./scripts /scripts
RUN chmod +x /scripts/*.sh
```

Then use this custom image:

```bash
helm install sidecar-scanner ./helm-charts/sidecar-scanner \
  --set common-scanner.scanner-infrastructure.targetNamespace=scanning-namespace \
  --set scanner.image=my-registry/custom-scanner:latest
```

Prefer an immutable tag or a digest reference (`@sha256:<digest>`) over `latest` so that the image a scan actually ran with can be traced back to a specific build.
Create a threshold file per environment. `compliance.min` is the minimum percentage of controls that must pass, and `failed.<severity>.max` caps how many controls of that severity may fail:

```yaml
# development-threshold.yml
compliance:
  min: 70
failed:
  critical:
    max: 0
  high:
    max: 5
  medium:
    max: 10
```

```yaml
# production-threshold.yml
compliance:
  min: 95
failed:
  critical:
    max: 0
  high:
    max: 0
  medium:
    max: 2
```

Use them in your installations:

```bash
# Development environment
helm install standard-scanner ./helm-charts/standard-scanner \
  --set common-scanner.scanner-infrastructure.targetNamespace=dev-namespace \
  --set common-scanner.safCli.thresholdFilePath=/path/to/development-threshold.yml

# Production environment
helm install standard-scanner ./helm-charts/standard-scanner \
  --set common-scanner.scanner-infrastructure.targetNamespace=prod-namespace \
  --set common-scanner.safCli.thresholdFilePath=/path/to/production-threshold.yml
```

Neither file tolerates a failed critical control; the environments differ only in the compliance floor and in how many high- and medium-severity failures are accepted.
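To make the meaning of the two threshold files concrete, the following script evaluates a scan result against them. It is an added example, not code from the scanning charts or from the MITRE SAF CLI: the impact-to-severity buckets, the handling of skipped and not-applicable controls, and the compliance formula are assumptions modelled on InSpec conventions, and the sample report is constructed. `saf validate threshold` remains the authoritative implementation.

```python
"""Evaluate InSpec results against a SAF-style threshold file (added example).

Assumptions (not taken from SAF CLI): severity buckets follow the InSpec
impact ranges; a control with impact 0 is not applicable and ignored;
compliance = passed / (passed + failed + skipped) as a percentage.
"""


def impact_bucket(impact: float) -> str:
    """Map an InSpec impact (0.0-1.0) to the severity names used in threshold files."""
    if impact >= 0.9:
        return "critical"
    if impact >= 0.7:
        return "high"
    if impact >= 0.4:
        return "medium"
    if impact >= 0.1:
        return "low"
    return "none"


def control_status(control: dict) -> str:
    """Roll a control's per-test results up to one status."""
    if control.get("impact", 0) == 0:
        return "not_applicable"
    statuses = [r.get("status") for r in control.get("results", [])]
    if any(s == "failed" for s in statuses):
        return "failed"          # one failed test fails the whole control
    if not statuses or all(s == "skipped" for s in statuses):
        return "skipped"         # nothing was actually tested
    return "passed"


def summarize(report: dict) -> dict:
    """Count control outcomes and compute the compliance percentage."""
    counts = {"passed": 0, "failed": 0, "skipped": 0, "not_applicable": 0}
    failed_by_severity = {"critical": 0, "high": 0, "medium": 0, "low": 0, "none": 0}
    for profile in report.get("profiles", []):
        for control in profile.get("controls", []):
            status = control_status(control)
            counts[status] += 1
            if status == "failed":
                failed_by_severity[impact_bucket(control.get("impact", 0))] += 1
    scored = counts["passed"] + counts["failed"] + counts["skipped"]
    compliance = round(100 * counts["passed"] / scored, 1) if scored else 0.0
    return {"counts": counts, "failed_by_severity": failed_by_severity, "compliance": compliance}


def validate_threshold(report: dict, threshold: dict) -> list:
    """Return the threshold violations; an empty list means the scan passes."""
    summary = summarize(report)
    violations = []
    floor = threshold.get("compliance", {}).get("min")
    if floor is not None and summary["compliance"] < floor:
        violations.append(f"compliance {summary['compliance']}% is below the minimum of {floor}%")
    for severity, limit in threshold.get("failed", {}).items():
        ceiling = limit.get("max")
        actual = summary["failed_by_severity"].get(severity, 0)
        if ceiling is not None and actual > ceiling:
            violations.append(f"{actual} failed {severity} control(s) exceed the maximum of {ceiling}")
    return violations


def load_yaml(path: str) -> dict:
    """Read a real threshold file; needs PyYAML, hence the local import."""
    import yaml
    with open(path) as fh:
        return yaml.safe_load(fh)


# The two threshold files from this guide, as dicts.
DEV_THRESHOLD = {"compliance": {"min": 70},
                 "failed": {"critical": {"max": 0}, "high": {"max": 5}, "medium": {"max": 10}}}
PROD_THRESHOLD = {"compliance": {"min": 95},
                  "failed": {"critical": {"max": 0}, "high": {"max": 0}, "medium": {"max": 2}}}


def _control(cid, impact, *statuses):
    return {"id": cid, "impact": impact, "results": [{"status": s} for s in statuses]}


# Constructed report in the shape of InSpec's JSON reporter: 8 passed, 2 failed
# (one high, one medium), 1 skipped, 1 not applicable -> 8/11 = 72.7% compliant.
SAMPLE_REPORT = {"profiles": [{"name": "example-profile", "controls": [
    _control("C-1", 1.0, "passed"), _control("C-2", 1.0, "passed", "passed"),
    _control("C-3", 0.7, "passed"), _control("C-4", 0.7, "passed"),
    _control("C-5", 0.5, "passed"), _control("C-6", 0.5, "passed"),
    _control("C-7", 0.3, "passed"), _control("C-8", 0.3, "passed"),
    _control("C-9", 0.7, "passed", "failed"),   # high: one failed test fails it
    _control("C-10", 0.5, "failed"),            # medium
    _control("C-11", 0.7, "skipped"),           # counted against compliance
    _control("C-12", 0.0, "skipped"),           # impact 0: not applicable, ignored
]}]}


if __name__ == "__main__":
    for name, threshold in (("development", DEV_THRESHOLD), ("production", PROD_THRESHOLD)):
        violations = validate_threshold(SAMPLE_REPORT, threshold)
        print(f"{name}: {'PASS' if not violations else 'FAIL'}")
        for v in violations:
            print(f"  - {v}")
```

The same report passes the development threshold (72.7% compliance, one high and one medium failure) and fails production twice: the compliance floor of 95% and the zero-tolerance for high-severity failures. Note that the skipped control lowers the score, which is why profiles should not silently skip controls on unsupported targets.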
For the sidecar scanner, set resource requests and limits so that a scan cannot starve the application container it runs beside:

```bash
helm install sidecar-scanner ./helm-charts/sidecar-scanner \
  --set common-scanner.scanner-infrastructure.targetNamespace=scanning-namespace \
  --set scanner.resources.requests.cpu=100m \
  --set scanner.resources.requests.memory=256Mi \
  --set scanner.resources.limits.cpu=500m \
  --set scanner.resources.limits.memory=512Mi
```

For test pods:

```bash
helm install standard-scanner ./helm-charts/standard-scanner \
  --set common-scanner.scanner-infrastructure.targetNamespace=scanning-namespace \
  --set testPod.deploy=true \
  --set testPod.resources.requests.cpu=50m \
  --set testPod.resources.requests.memory=64Mi \
  --set testPod.resources.limits.cpu=100m \
  --set testPod.resources.limits.memory=128Mi
```

Check these values against any ResourceQuota or LimitRange in the target namespace; a pod whose limits exceed the quota is rejected at admission and the scan never starts.
For complex configurations, use a custom values file rather than long `--set` chains:

```yaml
# values-production.yaml
common-scanner:
  scanner-infrastructure:
    targetNamespace: production
    rbac:
      useResourceNames: true
      useLabelSelector: true
      podSelectorLabels:
        app: myapp
        env: production
      rules:
        ephemeralContainers:
          enabled: true
    serviceAccount:
      annotations:
        eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/scanner-role
  safCli:
    thresholdConfig:
      compliance:
        min: 95
      failed:
        critical:
          max: 0
        high:
          max: 0
testPod:
  deploy: false
```

`useResourceNames` and `useLabelSelector` together keep the scanner's Role scoped to the pods that match `podSelectorLabels` instead of every pod in the namespace. `rules.ephemeralContainers` is an RBAC rule, so enabling it widens the scanner's permissions; leave it off unless you rely on the debug container approach. The `eks.amazonaws.com/role-arn` annotation binds the scanner's ServiceAccount to an IAM role via IRSA, so keep that role as narrow as the scanner's cloud access needs.

Then use it for installation:

```bash
helm install standard-scanner ./helm-charts/standard-scanner -f values-production.yaml
```
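Because a values file is easy to copy from one environment to another, it helps to lint it for the least-privilege settings before `helm install`. The script below is an added example, not part of the scanning charts: it reads the keys used in `values-production.yaml` above, but what each key controls (`useResourceNames` limits the Role to named pods, `useLabelSelector`/`podSelectorLabels` limit the scanning targets, `rules.ephemeralContainers.enabled` allows debug container injection, `testPod.deploy` creates a throwaway target pod) is an assumption drawn from the key names rather than from the chart templates, and the production compliance floor of 95 mirrors `production-threshold.yml` as a policy choice. Both sets of values are constructed.

```python
"""Lint a scanner values file for least-privilege settings (added example).

The meaning attributed to each key is an assumption based on its name, not a
reading of the chart templates; adjust the checks if the chart differs.
"""

INFRA = "common-scanner.scanner-infrastructure"


def get_path(values: dict, dotted: str, default=None):
    """Walk a nested dict by a dotted key path, e.g. 'testPod.deploy'."""
    node = values
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def lint_values(values: dict, production: bool = False, min_compliance: int = 95) -> list:
    """Return a list of findings; an empty list means the values pass every check."""
    findings = []

    if not get_path(values, f"{INFRA}.targetNamespace"):
        findings.append("targetNamespace is unset: the scanner has no namespace scope")

    if get_path(values, f"{INFRA}.rbac.useResourceNames") is not True:
        findings.append("rbac.useResourceNames is not true: the Role is not limited to named pods")

    selector_on = get_path(values, f"{INFRA}.rbac.useLabelSelector") is True
    labels = get_path(values, f"{INFRA}.rbac.podSelectorLabels") or {}
    if not selector_on:
        findings.append("rbac.useLabelSelector is not true: every pod in the namespace is a target")
    elif not labels:
        findings.append("rbac.useLabelSelector is true but podSelectorLabels is empty: the selector matches all pods")

    ephemeral = get_path(values, f"{INFRA}.rbac.rules.ephemeralContainers.enabled") is True
    if ephemeral and not (selector_on and labels):
        findings.append("ephemeralContainers is enabled without a pod label selector: "
                        "debug containers could be injected into any pod")

    if production:
        if get_path(values, "testPod.deploy") is True:
            findings.append("testPod.deploy is true: test pods should not be deployed in production")
        floor = get_path(values, "common-scanner.safCli.thresholdConfig.compliance.min")
        if floor is None or floor < min_compliance:
            findings.append(f"thresholdConfig.compliance.min is {floor}, "
                            f"below the production floor of {min_compliance}")

    return findings


# Constructed: a permissive configuration that might be copied into production by mistake...
WEAK_VALUES = {
    "common-scanner": {
        "scanner-infrastructure": {
            "targetNamespace": "production",
            "rbac": {
                "useResourceNames": False,
                "useLabelSelector": False,
                "rules": {"ephemeralContainers": {"enabled": True}},
            },
        },
        "safCli": {"thresholdConfig": {"compliance": {"min": 70}}},
    },
    "testPod": {"deploy": True},
}

# ...and the hardened one, mirroring values-production.yaml.
HARDENED_VALUES = {
    "common-scanner": {
        "scanner-infrastructure": {
            "targetNamespace": "production",
            "rbac": {
                "useResourceNames": True,
                "useLabelSelector": True,
                "podSelectorLabels": {"app": "myapp", "env": "production"},
                "rules": {"ephemeralContainers": {"enabled": True}},
            },
        },
        "safCli": {"thresholdConfig": {"compliance": {"min": 95}}},
    },
    "testPod": {"deploy": False},
}


if __name__ == "__main__":
    # For a real file: values = yaml.safe_load(open("values-production.yaml")) (needs PyYAML)
    for name, values in (("weak", WEAK_VALUES), ("hardened", HARDENED_VALUES)):
        findings = lint_values(values, production=True)
        print(f"{name}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for finding in findings:
            print(f"  - {finding}")
```

Run it as a pre-commit hook or a CI step on every values file; the hardened values produce no findings, while the weak ones produce five in production mode (open RBAC, open selector, ephemeral containers without a selector, a deployed test pod, and a 70% compliance floor).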
You can use Kustomize with Helm to manage multiple environments:

```yaml
# kustomization.yaml for Development
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
helmCharts:
  - name: standard-scanner
    repo: file://../helm-charts
    releaseName: dev-scanner
    namespace: development
    valuesFile: values-development.yaml
```

```yaml
# kustomization.yaml for Production
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
helmCharts:
  - name: standard-scanner
    repo: file://../helm-charts
    releaseName: prod-scanner
    namespace: production
    valuesFile: values-production.yaml
```

Kustomize's Helm integration is off by default; render with `kustomize build --enable-helm <dir>`, and expect a `helm` binary on the path of whatever runs the build.
For specialized environments such as air-gapped clusters, build a self-contained scanner image in a connected build environment and push it to the internal registry:

```dockerfile
# Dockerfile for an air-gapped environment scanner; everything the scan needs is baked in
FROM registry.example.com/chef/inspec:5.18.14

# Add all required profiles
COPY ./profiles /profiles

# Add custom scripts
COPY ./scripts /scripts
RUN chmod +x /scripts/*.sh

# Add SAF CLI (published on npm as @mitre/saf, so the image needs Node.js; pin the version)
RUN npm install -g @mitre/saf@1.2.3

# Add the InSpec Kubernetes plugin
RUN inspec plugin install inspec-kubernetes
```

Pin every component, record the resulting image digest, and scan the image itself before it is admitted into the air-gapped registry, since nothing inside the cluster will be able to fetch updates later.
To upgrade existing chart installations, review the rendered changes before applying them:

```bash
# Check for changes first (requires the helm-diff plugin:
# helm plugin install https://github.com/databus23/helm-diff)
helm diff upgrade standard-scanner ./helm-charts/standard-scanner \
  --set common-scanner.scanner-infrastructure.targetNamespace=scanning-namespace

# Perform upgrade
helm upgrade standard-scanner ./helm-charts/standard-scanner \
  --set common-scanner.scanner-infrastructure.targetNamespace=scanning-namespace
```

Pass the same `--set` flags and `-f` values files on every upgrade; `helm upgrade` does not carry forward values from the previous release unless `--reuse-values` is given, so an omitted value silently falls back to the chart default.
Migrating from the debug container approach to the Kubernetes API approach (once distroless support is added to the standard scanner):

```bash
# First, uninstall the debug container scanner
helm uninstall distroless-scanner

# Then, install the standard scanner with distroless support
helm install standard-scanner ./helm-charts/standard-scanner \
  --set common-scanner.scanner-infrastructure.targetNamespace=scanning-namespace \
  --set common-scanner.scripts.includeDistrolessScanScript=true \
  --set distrolessSupport=true
```
For GitOps workflows using tools like ArgoCD or Flux, the scanner values live in the repository next to the application values:

```yaml
# Example application manifest with scanner sidecar
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: application-with-scanner
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/your-org/your-app
    targetRevision: HEAD
    path: helm
    helm:
      valueFiles:
        - values.yaml
        - scanner-values.yaml
  destination:
    server: https://kubernetes.default.svc
    namespace: application-namespace
```

`targetRevision: HEAD` tracks the branch tip and is fine for development; for production pin it to a tag or commit so that a change to `scanner-values.yaml` (thresholds, RBAC scope) only reaches the cluster through a reviewed release.