Kaspersky Container Security

Working with clusters

Kaspersky Container Security provides a tool for displaying and analyzing the connections between various resources within namespaces in clusters.

A cluster is a set of nodes that run applications placed in containers.

Clusters let you bulk-scan the images that run in them. Registries discovered in a cluster during a scan are created automatically as registry objects: Kaspersky Container Security reads and stores the credentials the cluster uses to access each registry (user name, password, or token) and creates a link to the registry object. Such registries are named in the format <cluster name>_<registry name>. When you work with cluster objects, these stored credentials are used to access the registries.
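The registry discovery described above, reconstructed as an added example (this is not Kaspersky Container Security code): it takes a constructed pod list shaped like the output of `kubectl get pods -A -o json`, derives the registry host from every container image reference, applies the documented <cluster name>_<registry name> naming, and records which imagePullSecrets each registry is reached with. The reference parser, the assumption that an image without a registry host comes from docker.io, and the use of pull-secret names as the recorded credential reference are this example's own choices.

```python
"""Registry discovery from the images running in a cluster (added example)."""
from collections import defaultdict

DEFAULT_REGISTRY = "docker.io"  # assumption: an image without a registry host is a Docker Hub image


def registry_of(image_ref: str) -> str:
    """Return the registry host of an OCI image reference.

    The first path component is a registry host only if it contains a '.' or a
    ':' (port) or is 'localhost'; otherwise the reference is Docker Hub
    shorthand such as 'nginx:1.25' or 'library/nginx'. Tags and digests are
    never part of the host component, so they need no special handling.
    """
    first, slash, _rest = image_ref.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first
    return DEFAULT_REGISTRY


def registry_object_name(cluster: str, registry: str) -> str:
    """Apply the documented naming format <cluster name>_<registry name>."""
    return f"{cluster}_{registry}"


def discover_registries(cluster: str, pod_list: dict) -> dict:
    """Map each derived registry object name to its host, images and pull-secret names.

    Init containers are included because they pull images too. Only the names
    of the imagePullSecrets a pod references are recorded, not the secret
    contents, which would require RBAC read access to Secrets.
    """
    found = defaultdict(lambda: {"registry": "", "images": set(), "pull_secrets": set()})
    for pod in pod_list.get("items", []):
        spec = pod.get("spec", {})
        secrets = {s["name"] for s in spec.get("imagePullSecrets", [])}
        for container in spec.get("containers", []) + spec.get("initContainers", []):
            host = registry_of(container["image"])
            entry = found[registry_object_name(cluster, host)]
            entry["registry"] = host
            entry["images"].add(container["image"])
            entry["pull_secrets"] |= secrets
    return {name: {"registry": e["registry"], "images": sorted(e["images"]),
                   "pull_secrets": sorted(e["pull_secrets"])} for name, e in found.items()}


SAMPLE_PODS = {  # constructed sample, shaped like `kubectl get pods -A -o json`
    "items": [
        {"metadata": {"namespace": "web", "name": "frontend-1"},
         "spec": {"containers": [{"name": "nginx", "image": "nginx:1.25"}]}},
        {"metadata": {"namespace": "monitoring", "name": "node-exporter-x"},
         "spec": {"containers": [{"name": "exporter",
                                  "image": "quay.io/prometheus/node-exporter:v1.6.0"}]}},
        {"metadata": {"namespace": "payments", "name": "api-7"},
         "spec": {"imagePullSecrets": [{"name": "payments-pull"}],
                  "initContainers": [{"name": "migrate",
                                      "image": "registry.example.com:5000/payments/migrate:3"}],
                  "containers": [{"name": "api",
                                  "image": "registry.example.com:5000/payments/api@sha256:0123"}]}},
    ]
}

if __name__ == "__main__":
    for name, info in discover_registries("prod", SAMPLE_PODS).items():
        print(name, info)
```

Whatever component reads the pull secrets themselves (as the product does to store registry credentials) needs `get` permission on Secrets in every scanned namespace; treat that RBAC grant as sensitive, because it is equivalent to read access to all registry credentials in the cluster.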

The Inventory → Assets → Clusters section displays a table of clusters where Kaspersky Container Security Agents are installed. This table indicates the number of namespaces and orchestrators included in each cluster.

Cluster resources can be scanned and visually represented only if deployed Agents are available.

In this Help section

Cluster resources

Viewing cluster resources

[Topic 252215]

Cluster resources

Kaspersky Container Security scans and displays objects included in the cluster and the links between them for all clusters with active Agents. The possible types of objects are presented in the table below.

Components of a cluster infrastructure

Component

Description

Node

Base unit of a cluster on which pods with application containers run under the management of the control plane.

In most cases, a node is a physical or virtual machine used for data processing.

A cluster normally includes multiple nodes. The following types of nodes are distinguished:

  • The master node (control plane) is responsible for cluster management and provides the API used to configure and manage resources in the cluster.
  • A worker node runs the application containers and provides the networking that lets applications communicate within the cluster and with the outside. Worker nodes carry out the actions requested through the API on the master node.

An Agent is deployed on each node. The Agent monitors the node and communicates with the Kubernetes control plane (master node).

Pod

Object consisting of one or more application containers (run by a container runtime such as Docker or rkt) that are deployed and run together with shared namespaces and resources. The shared resources include the following:

  • Shared storage (volumes)
  • Network resources (a unique cluster-internal IP address of the pod)
  • Information on how each container runs (container image version, used port numbers)

Service

Object that defines a set of pods and the policy for accessing them. A service reaches its pods through intermediate objects known as endpoints.

Services give applications a stable address for exchanging data with other objects in the cluster and, depending on the service type, with clients outside the cluster.

Endpoints

Resource which contains the IP addresses and ports of one or more pods. A service contacts this object for communication with pods.

The following types of endpoints are distinguished:

  • Internal: the IP address of a pod running in the cluster. These endpoints are created automatically for the pods selected by a service and are the most common type.
  • External: the IP address of an object residing outside the cluster (for example, an external web server or database).

Persistent volume

Allocated resource for storing cluster data.

Persistent storage prevents data loss if a pod fails and allows the data to be reused by another pod.

Persistent volume claim

Request for storage made on behalf of a pod. The claim is bound to a persistent volume that satisfies it: either an existing volume or one provisioned dynamically by the configured storage class, which is then attached to the pod.

The claim must specify the requested storage size and the access mode for the storage.

Ingress rules

Set of rules enabling external traffic to reach services within the cluster.

Ingress rules are set in the same namespace in which the services are deployed.

An active Ingress controller is required to route Ingress traffic.

Ingress controller

Component (typically a reverse proxy or load balancer) that implements Ingress rules and routes external traffic to the applications in the cluster.
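The links between the components in the table above, reconstructed as an added example (not Kaspersky Container Security code): from constructed Kubernetes objects shaped like the items of `kubectl get <kind> -o json`, it derives Node → Pod, Service → Pod (label selector), Service → Endpoints → Pod or external address, Ingress → Service, and Pod → PersistentVolumeClaim → PersistentVolume edges, and separately lists the endpoints that point outside the cluster. All object names, labels and addresses are constructed for this example.

```python
"""Cluster resource relationship graph (added example)."""
from collections import defaultdict


def key(kind, namespace, name):
    """Stable node identifier; cluster-scoped kinds (Node, PersistentVolume) have no namespace."""
    return f"{kind}/{namespace}/{name}" if namespace else f"{kind}/{name}"


def build_graph(objects):
    """Return sorted (source, relation, target) edges between the given cluster objects."""
    by_kind = defaultdict(list)
    for obj in objects:
        by_kind[obj["kind"]].append(obj)
    endpoints_present = {(o["metadata"]["namespace"], o["metadata"]["name"]) for o in by_kind["Endpoints"]}
    edges = set()

    for pod in by_kind["Pod"]:
        ns, name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        pod_key = key("Pod", ns, name)
        if pod["spec"].get("nodeName"):  # a scheduled pod belongs to one worker node
            edges.add((key("Node", None, pod["spec"]["nodeName"]), "runs", pod_key))
        for volume in pod["spec"].get("volumes", []):
            claim = volume.get("persistentVolumeClaim")
            if claim:
                edges.add((pod_key, "mounts", key("PersistentVolumeClaim", ns, claim["claimName"])))

    for pvc in by_kind["PersistentVolumeClaim"]:
        ns, name = pvc["metadata"]["namespace"], pvc["metadata"]["name"]
        if pvc["spec"].get("volumeName"):  # set once the claim is bound to a volume
            edges.add((key("PersistentVolumeClaim", ns, name), "bound-to",
                       key("PersistentVolume", None, pvc["spec"]["volumeName"])))

    for svc in by_kind["Service"]:
        ns, name = svc["metadata"]["namespace"], svc["metadata"]["name"]
        svc_key = key("Service", ns, name)
        selector = svc["spec"].get("selector") or {}
        for pod in by_kind["Pod"]:
            labels = pod["metadata"].get("labels", {})
            # a Service selects every pod in its own namespace whose labels include the selector
            if selector and pod["metadata"]["namespace"] == ns and selector.items() <= labels.items():
                edges.add((svc_key, "selects", key("Pod", ns, pod["metadata"]["name"])))
        if (ns, name) in endpoints_present:  # a Service reaches pods through its same-named Endpoints
            edges.add((svc_key, "uses", key("Endpoints", ns, name)))

    for ep in by_kind["Endpoints"]:
        ns, name = ep["metadata"]["namespace"], ep["metadata"]["name"]
        ep_key = key("Endpoints", ns, name)
        for subset in ep.get("subsets", []):
            for addr in subset.get("addresses", []):
                ref = addr.get("targetRef")
                if ref and ref.get("kind") == "Pod":  # internal endpoint, created automatically for a selected pod
                    edges.add((ep_key, "internal", key("Pod", ns, ref["name"])))
                else:  # external endpoint: an address outside the cluster, maintained by hand
                    edges.add((ep_key, "external", f"External/{addr['ip']}"))

    for ing in by_kind["Ingress"]:
        ns, name = ing["metadata"]["namespace"], ing["metadata"]["name"]
        for rule in ing["spec"].get("rules", []):
            for path in rule.get("http", {}).get("paths", []):
                backend = path["backend"]["service"]["name"]  # must be a Service in the Ingress's own namespace
                edges.add((key("Ingress", ns, name), "routes-to", key("Service", ns, backend)))
    return sorted(edges)


def external_endpoints(edges):
    """Endpoints that point outside the cluster: traffic a Service forwards to an external host."""
    return [(src, dst.split("/", 1)[1]) for src, rel, dst in edges if rel == "external"]


SAMPLE_OBJECTS = [  # constructed sample, shaped like the items of `kubectl get <kind> -n shop -o json`
    {"kind": "Pod", "metadata": {"namespace": "shop", "name": "web-a", "labels": {"app": "web"}},
     "spec": {"nodeName": "worker-1",
              "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "web-data"}}]}},
    {"kind": "Pod", "metadata": {"namespace": "shop", "name": "web-b", "labels": {"app": "web"}},
     "spec": {"nodeName": "worker-2"}},
    {"kind": "Service", "metadata": {"namespace": "shop", "name": "web"}, "spec": {"selector": {"app": "web"}}},
    {"kind": "Endpoints", "metadata": {"namespace": "shop", "name": "web"},
     "subsets": [{"addresses": [{"ip": "10.244.1.7", "targetRef": {"kind": "Pod", "name": "web-a"}},
                                {"ip": "10.244.2.3", "targetRef": {"kind": "Pod", "name": "web-b"}}]}]},
    {"kind": "Service", "metadata": {"namespace": "shop", "name": "legacy-db"}, "spec": {}},  # no selector
    {"kind": "Endpoints", "metadata": {"namespace": "shop", "name": "legacy-db"},
     "subsets": [{"addresses": [{"ip": "10.0.5.20"}]}]},  # hand-maintained external address
    {"kind": "Ingress", "metadata": {"namespace": "shop", "name": "shop"},
     "spec": {"rules": [{"http": {"paths": [{"path": "/", "backend": {"service": {"name": "web"}}}]}}]}},
    {"kind": "PersistentVolumeClaim", "metadata": {"namespace": "shop", "name": "web-data"},
     "spec": {"volumeName": "pv-0001"}},
    {"kind": "PersistentVolume", "metadata": {"name": "pv-0001"}, "spec": {}},
]

if __name__ == "__main__":
    graph = build_graph(SAMPLE_OBJECTS)
    for edge in graph:
        print(*edge)
    print("external endpoints:", external_endpoints(graph))
```

The external-endpoint check is the one to keep an eye on when reviewing a visualization: a Service without a selector whose Endpoints object is maintained by hand is the standard way to route in-cluster traffic to a host outside the cluster, and such an edge can be added by anyone with write access to Endpoints in the namespace.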


[Topic 255534]

Viewing cluster resources

Kaspersky Container Security lets you view the available clusters and quickly obtain consolidated information on specific groups of cluster objects. You can filter the displayed objects, for example by namespace name or image name.

To view the resources of a cluster and their interaction schematic:

  1. In the Inventory → Assets → Clusters section, click the cluster name link in the table.

    In the cluster viewing window that opens, resources are displayed on the following tabs:

    • Namespaces
    • Pods
    • Visualization
  2. On the Namespaces tab, in the Namespaces drop-down list, select the group of namespaces that you want to view.

    The table that opens shows all namespaces of the selected group within the cluster. The following information is indicated for each namespace:

    • Number of containers in the namespace.
    • Number of scanned images.
    • Number of processed scan tasks.
    • Number of incomplete scan tasks.
    • Risk assessment.
    • Detected security issues.

    You can click the namespace link to view the image registry for the selected namespace.

  3. On the Pods tab, in the Namespaces drop-down list, select the group of namespaces that you want to view:
    • All namespaces.
    • Agent. Kaspersky Container Security displays the cluster objects grouped by the Agent that is active in them.

    An object search can be performed by using a filter that allows you to define the following search parameters:

    • Image name
    • Pod name
    • Compliance with security policy requirements

      An image is assigned the Compliant status if the scan did not detect any security issue (such as a vulnerability) that violates the security policy requirements.

    • Date of last scan
    • Detected risks. The search returns only objects in which security issues were found, for example vulnerabilities, malware, traces of sensitive data, or misconfigurations.

    For each namespace, the table lists the pod, the container, the Agent, the image, the status of compliance with security policy requirements, the risk assessment, and the identified security issues.

    You can click the link on the image name to view it in the image registry.

  4. On the Visualization tab, click an object's icon on the cluster resource interaction schematic to open its details window.

    A visual representation of cluster resources is generated if active Agents exist for this cluster.


[Topic 250386]