Security policies configuration
Kaspersky Container Security components use the following security policies:
- Scanner policy determines the settings for scanning different types of resources. The scanner policy uses sensitive data detection rules.
- Assurance policies define Kaspersky Container Security actions to provide security if threats detected during image scanning meet the criteria specified in the policy.
- Response policies define the actions of the solution in case events specified in the policy occur. For example, Kaspersky Container Security can notify the user or delete an image with detected threats.
- Runtime policies allow you to control and, where appropriate, restrict the deployment and operation of containers on the cluster in line with your corporate security requirements.
Kaspersky Container Security applies only enabled policies during its operation. Disabled policies cannot be used during checks.
Scanner policy
Scanner policy determines the settings for scanning different types of resources.
The configured scanner policies are displayed as a table in the Policies → Scanner policy section.
You can use the list to do the following:
- Change policy settings. You can open the editing window by clicking the policy name link.
You can also enable and disable policies in the edit window. Kaspersky Container Security does not use disabled policies when operating.
- Delete policies.
The release 1.0 distribution kit includes the default scanner policy. You can change the settings of this policy, but you cannot delete it. Scanner policy customization is not available.
Editing scanner policy settings
To change scanner policy settings:
- In the Policies → Scanner policies section, click the policy name link.
The policy settings editing window opens.
- If required, use the Disable / Enable toggle switch to change the policy status (enabled / disabled).
- Make changes to the policy settings. The following settings are open for editing:
- The policy's name, description, and scope.
- Vulnerability control settings. Select the check boxes for the vulnerabilities database(s) to check images against.
- Malware control settings. Select the check box if you need to scan images for malware and other file threats. This control is conducted by using the File Threat Protection component.
- Misconfiguration control settings. Select the check box if you need to check images for misconfigurations. The control is conducted with the default settings configured by the Kaspersky Container Security manufacturer.
- Click Save.
Configuration of sensitive data detection rules
The list of configured rules for detecting sensitive data (hereinafter referred to as Secrets) during image scanning is displayed in the Policies → Scanner policies → Sensitive data section.
The rules are grouped into categories depending on the purpose and scope of secrets to be detected. The list of categories is determined by the Kaspersky Container Security manufacturer. Categories contain predefined rules.
You can use the list to do the following:
- View and change the settings for secrets detection rules. You can open the editing window by clicking the rule ID link.
- Add new rules to the selected category. Click the Add rule button located above the table to open the integration settings window. To add rules that do not belong to any of the preset categories, use the Other category.
- Delete rules. Check the box next to one or more rules in the list. The delete icon is then displayed.
To change the settings of sensitive data detection rules:
- In the table, in the Policies → Scanner policies → Policies section, select the scanner policy.
- In the Sensitive data section, select the necessary rules by selecting the check boxes in the rule lines.
- Use the Disable / Enable toggle switch in the Status column in the table with the list of policy rules to enable or disable this policy component.
Do not click the Save button.
Kaspersky Container Security immediately applies the changes to the sensitive data settings and displays the corresponding notification. You can also refresh the page to see the settings change.
Assurance policies
Assurance policy defines Kaspersky Container Security actions to provide security if threats detected during image scanning meet the criteria specified in the policy.
The configured assurance policies are displayed as a table in the Policies → Assurance policies section.
You can use the list to do the following:
- Add new policies. Click the Add policy button located above the table to open the policy settings window.
- Change policy settings. You can open the editing window by clicking the policy name link.
- Enable and disable policies. Policies are disabled and enabled by using the Disable/Enable toggle button in the Status column of the table containing the list of created policies.
- Delete policies.
If you add an assurance policy, modify its settings, or delete a policy, the compliance status is reviewed (Compliant / Non-compliant) for the images to which the policy is applied.
Creating an assurance policy
To add an assurance policy:
- In the Policies → Assurance policy section, click the Add policy button.
The policy settings window opens.
- Enter a policy name and, if required, policy description.
- In the Scope field, select the scope for the image security policy from the available options.
- Specify the actions that Kaspersky Container Security should perform in accordance with the policy:
- Fail CI/CD step—if Kaspersky Container Security scanner detects threats while scanning the image in the CI/CD pipeline matching the severity level specified in the policy, the scanning ends with an error (Failed). This result is transferred to the CI system.
- Label images as non-compliant—Kaspersky Container Security labels images containing detected threats that meet the criteria specified in the policy.
- In the Vulnerability level section, configure the following settings:
- Use the Disabled / Enabled toggle switch to configure the scan based on the vulnerability severity level.
- Set the assigned severity level based on the vulnerability databases. You can select this from the Severity level drop-down list or specify a severity score from 0 to 10.
- Use the Disabled / Enabled toggle switch to configure blocking in case of specific vulnerabilities and specify these vulnerabilities in the Vulnerabilities field.
- In the Malware section, use the Disabled / Enabled toggle switch to configure scanning for malware in the image.
- In the Misconfigurations section, configure the following settings:
- Use the Disabled / Enabled toggle switch to configure the scan based on the misconfiguration severity level.
- Select the misconfiguration severity level from the Severity level drop-down list.
The severity level is assigned based on the vulnerability databases.
- In the Sensitive data section, configure the following settings:
- Use the Disabled / Enabled toggle switch to configure the scan based on the sensitive data severity level.
- Select the sensitive data severity level from the Severity level drop-down list.
The severity level is assigned based on the vulnerability databases.
- Click Save.
By default, the added policy is Enabled.
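The procedure above describes the criteria an assurance policy combines (a severity threshold by label or 0 to 10 score, a list of specific vulnerabilities, a malware toggle, and separate thresholds for misconfigurations and sensitive data) and the two actions it can take. As an added illustration, and not Kaspersky Container Security's own code or data model, the following Python evaluates a constructed scan result against such a policy and reports the resulting compliance status and CI/CD outcome. The class names, field names, severity ladder and the CVE-XXXX-* identifiers are assumptions and placeholders chosen for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumed severity ladder; a finding matches when its label is at or above the threshold.
SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Vulnerability:
    vuln_id: str      # identifier from the vulnerability database (placeholders below)
    severity: str     # label assigned by the vulnerability database
    score: float      # 0-10 score assigned by the vulnerability database


@dataclass
class ScanResult:
    image: str
    vulnerabilities: List[Vulnerability] = field(default_factory=list)
    malware_found: bool = False
    misconfiguration_severities: List[str] = field(default_factory=list)
    secret_severities: List[str] = field(default_factory=list)


@dataclass
class AssurancePolicy:
    """Assumed representation of the settings listed in the creation procedure."""
    name: str
    fail_ci_step: bool = True                   # action: Fail CI/CD step
    label_non_compliant: bool = True            # action: Label images as non-compliant
    vuln_min_severity: Optional[str] = "high"   # Severity level drop-down; None = disabled
    vuln_min_score: Optional[float] = None      # alternative 0-10 score threshold
    blocked_vuln_ids: Set[str] = field(default_factory=set)  # Vulnerabilities field
    malware_check: bool = True                  # Malware toggle
    misconfig_min_severity: Optional[str] = "high"
    secrets_min_severity: Optional[str] = "medium"


def at_or_above(severity: str, threshold: Optional[str]) -> bool:
    """True when the check is enabled and the finding meets the configured level."""
    return threshold is not None and SEVERITY_RANK[severity] >= SEVERITY_RANK[threshold]


def evaluate(policy: AssurancePolicy, scan: ScanResult) -> Dict:
    """Apply each policy criterion to the scan result and derive status and actions."""
    findings: List[str] = []
    for v in scan.vulnerabilities:
        by_label = at_or_above(v.severity, policy.vuln_min_severity)
        by_score = policy.vuln_min_score is not None and v.score >= policy.vuln_min_score
        if by_label or by_score:
            findings.append(f"{v.vuln_id} ({v.severity}, {v.score}) meets the vulnerability threshold")
        if v.vuln_id in policy.blocked_vuln_ids:
            findings.append(f"{v.vuln_id} is listed in the policy's Vulnerabilities field")
    if policy.malware_check and scan.malware_found:
        findings.append("malware detected in the image")
    for sev in scan.misconfiguration_severities:
        if at_or_above(sev, policy.misconfig_min_severity):
            findings.append(f"{sev} misconfiguration meets the threshold")
    for sev in scan.secret_severities:
        if at_or_above(sev, policy.secrets_min_severity):
            findings.append(f"{sev} sensitive data finding meets the threshold")

    non_compliant = bool(findings)
    actions = []
    if non_compliant and policy.fail_ci_step:
        actions.append("Fail CI/CD step")
    if non_compliant and policy.label_non_compliant:
        actions.append("Label images as non-compliant")
    return {
        "image": scan.image,
        "status": "Non-compliant" if non_compliant else "Compliant",
        "ci_result": "Failed" if "Fail CI/CD step" in actions else "Passed",
        "actions": actions,
        "findings": findings,
    }


# Constructed sample data (not real scan output); CVE-XXXX-* are placeholders.
SAMPLE_POLICY = AssurancePolicy(name="release-gate", blocked_vuln_ids={"CVE-XXXX-0002"})
SAMPLE_SCAN = ScanResult(
    image="registry.example.com/app/web:1.4.2",
    vulnerabilities=[
        Vulnerability("CVE-XXXX-0001", "high", 7.8),
        Vulnerability("CVE-XXXX-0002", "medium", 5.3),
        Vulnerability("CVE-XXXX-0003", "low", 3.1),
    ],
    misconfiguration_severities=["medium"],
    secret_severities=["high"],
)
CLEAN_SCAN = ScanResult(
    image="registry.example.com/app/web:1.5.0",
    vulnerabilities=[Vulnerability("CVE-XXXX-0003", "low", 3.1)],
)

if __name__ == "__main__":
    for scan in (SAMPLE_SCAN, CLEAN_SCAN):
        result = evaluate(SAMPLE_POLICY, scan)
        print(result["image"], result["status"], result["ci_result"])
        for f in result["findings"]:
            print("  -", f)
```

Run as a script it prints the status and CI/CD result for both constructed images. Note that the specific-vulnerability list is checked independently of the severity threshold, so a medium finding that is below the threshold still fails the gate when its identifier is listed, which is the reason the procedure exposes both settings.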
Editing assurance policy settings
To change assurance policy settings:
- In the Policies → Assurance policies section, click the policy name in the list of existing assurance policies.
The policy settings editing window opens.
- Make changes to the relevant policy settings:
- The policy's name, description, and scope.
- Actions of the solution in accordance with this policy.
- Required scans.
- Severity level of vulnerabilities detected during scans.
- Identifiers of the specific vulnerabilities that trigger blocking.
- Click Save.
Response policies
Response policy defines the actions of the solution in the case that events specified in the policy occur. For example, Kaspersky Container Security can notify the user about the detected threats.
If you want to configure response policies to notify the user, you should first set up integration with notification outputs.
The configured response policies are displayed as a table in the Policies → Response policies section.
You can use the list to do the following:
- Add new policies. Click the Add policy button located above the table to open the policy settings window.
- Change policy settings. You can open the editing window by clicking the policy name link.
- Enable and disable policies. Policies are disabled and enabled by using the Disable/Enable toggle button in the Status column of the table containing the list of created policies.
If you disable a policy, Kaspersky Container Security will not perform the actions specified in that policy.
- Search for policies. To find a policy, use the search field above the list of response policies to specify the policy name or part of it.
- Delete policies.
In this version of the solution, response policies define only the actions that Kaspersky Container Security takes to notify the user when a specific event detailed in the policy occurs. For example, if an object with a critical vulnerability is detected, the solution can send an email notification to the user.
Creating a response policy
To add a response policy:
- In the Policies → Response policies section, click the Add policy button.
The policy settings window opens.
- Enter a policy name and, if required, policy description.
- In the Scope field, select the scope for the response policy from the available options.
- In the Trigger field, use the drop-down list to select an event that will trigger Kaspersky Container Security to notify the user if this event occurs during a scan. One of the following events can be selected as a trigger event:
- Sensitive data. A notification is sent if the solution detects signs of exposed sensitive data in an object during a scan.
- Non-compliant. Kaspersky Container Security notifies you if a scanned object contains images that do not comply with the requirements of security policies.
- Critical vulnerabilities. A notification is sent if a scanned object contains vulnerabilities with the Critical status.
- Malware. A notification is sent if a scan finds malware.
- Risk acceptance expiration. Kaspersky Container Security notifies you if a scanned object contains risks that you had previously accepted but the risk acceptance period has expired.
- Configure the required notification methods:
- Select an Output: Email or Telegram.
- From the drop-down list in the Integration name field, select the name of the pre-configured integration with the selected notification output.
- To add another notification method, click the Add button and fill in the Output and Integration name fields as described in the two previous steps.
- If required, you can remove the added notification methods by clicking the icon located to the right of the Integration name field.
- Click Save.
By default, the added policy is Enabled.
Editing response policy settings
To change response policy settings:
- In the Policies → Response policies section, click the policy name in the list of existing response policies.
The policy settings editing window opens.
- If necessary, make changes to the relevant policy settings:
- Change the policy name.
- Add or edit the policy description.
- Add or edit the policy scope.
- Change the trigger event by selecting it from the drop-down list.
- Add an output by clicking the Add button.
- Delete the output by clicking the delete icon located next to the line of the selected output.
- Click Save.
Runtime control policies
A runtime policy determines the actions that are taken by the solution when monitoring and controlling runtime operations of containers in accordance with the security policies. Kaspersky Container Security maintains control based on security threats detected in an image, the severity level of these threats, and the availability of .
Containers in the runtime may run from verified images or from images that are still unknown to the solution.
The configured runtime policies are displayed as a table in the Policies → Runtime policies section.
You can use the list to do the following:
- Add new policies. Click the Add policy button located above the table to open the policy settings window.
- Change policy settings. You can open the editing window by clicking the policy name link.
- Enable and disable policies. Policies are disabled and enabled by using the Disable/Enable toggle button in the Status column of the table containing the list of created policies.
Kaspersky Container Security does not use disabled policies when operating.
- Search for policies. To find a policy, use the search field above the list of runtime policies to specify the policy name or part of it.
- Delete policies.
Creating a runtime policy
To add a runtime policy:
- In the Policies → Runtime policies section, click the Add policy button.
The policy settings window opens.
- Enter a policy name and, if required, policy description.
- In the Mode section, select one of the following policy enforcement modes:
- Audit. In this mode, a scan takes into account the contents of containers.
- Enforce. In this mode, the solution blocks all objects that do not comply with the rules and criteria defined in the policy.
- In the Scope section, define the policy enforcement scope. In the Clusters field, select the applicable group of clusters from the drop-down list.
If necessary, define exclusions for which the runtime policy will not be applied. To do so, select the relevant objects from the drop-down list, specify their names, then click Add.
Existing exclusions in the policy are checked when deploying a container.
- In the Best practice check section, use the Disabled / Enabled toggle switch to activate the scan for compliance with best security practices. From the list of settings, select the scan settings that guarantee that the correct image is run and that the CPU and RAM usage settings are correctly configured.
- In the Block non-compliant images section, use the Disabled / Enabled toggle switch to prevent containers running from images that do not comply with the requirements. This check will be performed only for scanned images that are registered in the solution and have the Compliant status.
- In the Block unregistered images section, use the Disabled / Enabled toggle switch to block the deployment of an image that is unknown to the solution and has not been fully scanned by Kaspersky Container Security. To deploy the image, you must register it in the solution and wait for it to appear in the registry.
- In the Capabilities block section, use the Disabled / Enabled toggle switch to activate a usage lock of defined system functions of Unix. To do so, select specific system functions from the drop-down list. You can also lock the use of all system functions of Unix by selecting ALL from the drop-down list.
- In the Limit container privileges section, use the Disabled / Enabled toggle switch to activate blocked startup of containers with a specific set of rights and permissions. From the list of settings, select the settings of rights and permissions to lock the settings of pods.
- In the Registries allowed section, use the Disabled / Enabled toggle switch to set the permission to deploy containers in a cluster only from specific registries. To do so, select the relevant registries from the Registries drop-down list.
- In the Volumes blocked section, use the Disabled / Enabled toggle switch to prevent the selected volumes from being mounted in containers. To do so, specify the names of the relevant volumes in the Volumes field.
- Click Save.
By default, the added policy is Enabled.
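The sections of the runtime policy procedure above map onto checks that an admission control performs on a workload before it starts: image registration and compliance status, allowed registries, blocked capabilities, container privileges, best-practice settings (correct image, CPU and RAM limits), blocked volumes, scope exclusions, and the Audit versus Enforce mode. As an added example that is not Kaspersky Container Security's own code, the following Python evaluates a constructed Kubernetes-style pod specification against such a policy. The policy class, rule names, the scope and best-practice interpretation (exclusions by namespace; a pinned tag plus CPU and memory limits) and the sample pods are assumptions made for the illustration.

```python
from typing import Dict, List, Tuple

Violation = Tuple[str, str]  # (policy section, human-readable reason)


def image_registry(image: str) -> str:
    """Registry component of an image reference; docker.io when none is given."""
    first = image.split("/", 1)[0]
    looks_like_host = "." in first or ":" in first or first == "localhost"
    return first if looks_like_host and "/" in image else "docker.io"


def image_tag(image: str) -> str:
    """Tag of an image reference ('latest' when omitted, 'digest' when pinned by digest)."""
    name = image.rsplit("/", 1)[-1]
    if "@" in name:
        return "digest"
    return name.split(":", 1)[1] if ":" in name else "latest"


class RuntimePolicy:
    """Assumed representation of the runtime policy sections described above."""

    def __init__(self, name: str, mode: str = "Enforce", excluded_namespaces=(),
                 best_practice: bool = True, block_non_compliant: bool = True,
                 block_unregistered: bool = True, blocked_capabilities=("ALL",),
                 limit_privileges: bool = True, allowed_registries=(), blocked_volumes=()):
        self.name = name
        self.mode = mode                    # "Audit" records violations, "Enforce" blocks
        self.excluded_namespaces = set(excluded_namespaces)
        self.best_practice = best_practice
        self.block_non_compliant = block_non_compliant
        self.block_unregistered = block_unregistered
        self.blocked_capabilities = set(blocked_capabilities)
        self.limit_privileges = limit_privileges
        self.allowed_registries = set(allowed_registries)
        self.blocked_volumes = set(blocked_volumes)


def check_pod(policy: RuntimePolicy, pod: Dict, image_status: Dict[str, str]) -> Dict:
    """Collect violations; image_status maps image -> 'Compliant'/'Non-compliant' (absent = unregistered)."""
    if pod["metadata"].get("namespace") in policy.excluded_namespaces:
        return {"allowed": True, "excluded": True, "violations": []}
    spec = pod["spec"]
    v: List[Violation] = []
    if policy.limit_privileges and (spec.get("hostNetwork") or spec.get("hostPID") or spec.get("hostIPC")):
        v.append(("Limit container privileges", "pod shares a host namespace"))
    for c in spec.get("containers", []):
        img, cname = c["image"], c["name"]
        status = image_status.get(img)
        if policy.block_unregistered and status is None:
            v.append(("Block unregistered images", f"{cname}: {img} has not been scanned and registered"))
        elif policy.block_non_compliant and status == "Non-compliant":
            v.append(("Block non-compliant images", f"{cname}: {img} is labeled Non-compliant"))
        if policy.allowed_registries and image_registry(img) not in policy.allowed_registries:
            v.append(("Registries allowed", f"{cname}: registry {image_registry(img)} is not allowed"))
        sc = c.get("securityContext", {})
        added = set(sc.get("capabilities", {}).get("add", []))
        blocked = added if "ALL" in policy.blocked_capabilities else added & policy.blocked_capabilities
        if blocked:
            v.append(("Capabilities block", f"{cname}: adds blocked capabilities {sorted(blocked)}"))
        if policy.limit_privileges and (sc.get("privileged") or sc.get("allowPrivilegeEscalation")
                                        or sc.get("runAsUser") == 0):
            v.append(("Limit container privileges", f"{cname}: privileged, escalation allowed, or runs as root"))
        if policy.best_practice:
            if image_tag(img) == "latest":
                v.append(("Best practice check", f"{cname}: image tag is not pinned"))
            limits = c.get("resources", {}).get("limits", {})
            if "cpu" not in limits or "memory" not in limits:
                v.append(("Best practice check", f"{cname}: CPU or RAM limit is missing"))
    for vol in spec.get("volumes", []):
        if vol["name"] in policy.blocked_volumes:
            v.append(("Volumes blocked", f"volume {vol['name']} is blocked by the policy"))
    return {"allowed": policy.mode == "Audit" or not v, "excluded": False, "violations": v}


# Constructed sample inputs (not real cluster data).
POLICY = RuntimePolicy("prod-baseline", excluded_namespaces=("kube-system",),
                       blocked_capabilities=("SYS_ADMIN",), allowed_registries=("registry.example.com",),
                       blocked_volumes=("host-root",))
IMAGE_STATUS = {"registry.example.com/app/web:1.4.2": "Compliant"}
RISKY_POD = {"metadata": {"name": "debug", "namespace": "dev"},
             "spec": {"hostPID": True,
                      "containers": [{"name": "shell", "image": "docker.io/library/busybox:latest",
                                      "securityContext": {"privileged": True,
                                                          "capabilities": {"add": ["NET_ADMIN", "SYS_ADMIN"]}}}],
                      "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}]}}
GOOD_POD = {"metadata": {"name": "web", "namespace": "prod"},
            "spec": {"containers": [{"name": "web", "image": "registry.example.com/app/web:1.4.2",
                                     "securityContext": {"runAsUser": 10001, "allowPrivilegeEscalation": False},
                                     "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}

if __name__ == "__main__":
    for pod in (RISKY_POD, GOOD_POD):
        r = check_pod(POLICY, pod, IMAGE_STATUS)
        print(pod["metadata"]["name"], "allowed" if r["allowed"] else "blocked")
        for section, reason in r["violations"]:
            print(f"  [{section}] {reason}")
```

Switching the policy to mode "Audit" keeps every violation in the output but lets the pod through, which is the behaviour you want while tuning a new policy before enforcing it; the exclusion check runs first so that workloads in excluded namespaces are never evaluated, matching the procedure's note that exclusions are checked when a container is deployed.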
Editing runtime policy settings
To change runtime control policy settings:
- In the Policies → Runtime policies section, click the policy name in the list of existing runtime policies.
The policy settings editing window opens.
- Change the policy name.
- Add or edit the policy description.
- Make changes to the relevant sections of the policy:
- Mode.
- Scope.
- Bypass criteria.
- Best practice check.
- Block non-compliant images.
- Block unregistered images.
- Capabilities block.
- Limit container privileges.
- Registries allowed.
- Volumes blocked.
- Click Save.
Deleting policies
To delete a policy:
- Open the list of configured scanner policies, assurance policies, response policies or runtime policies.
- In the line containing the name of the policy that you want to delete, click the delete icon.
- In the window that opens, confirm the action.