About the Kaspersky Container Security platform
The Kaspersky Container Security platform (hereinafter also referred to as "the solution") provides comprehensive protection for container environments and for applications and services implemented in containers. Kaspersky Container Security allows you to discover security problems and ensures protection throughout the container application lifecycle, from development and deployment control to runtime.
Solution functionalities:
- Integration with image registries (Docker Hub, JFrog Artifactory, Sonatype Nexus Repository OSS, GitLab Registry, Harbor) to scan images in the registry for known vulnerabilities published by the NVD and VDB (DSTD), secrets (passwords, access keys, tokens), misconfigurations, and malware.
- Integration into the continuous integration / continuous delivery (CI/CD) process as a pipeline stage, as well as scanning IaC for misconfigurations and container images for vulnerabilities, malware, and sensitive data (secrets).
- Checking of cluster nodes for compliance with industry information security benchmarks.
- Monitoring compliance with the configured security policies while building and operating the applications, including monitoring container runs in the runtime.
- Monitoring of resources used by the controlled clusters.
You can configure and access the functionalities of Kaspersky Container Security through the Management Console. The console is implemented as a web interface that can be accessed through Chromium browsers (Google Chrome, Microsoft Edge, Apple Safari) or Mozilla Firefox.
Distribution kit
For information about purchasing the application, please visit https://www.kaspersky.com or contact our partners.
The distribution kit includes a Helm Chart package with the containerized resources necessary for deploying and installing Kaspersky Container Security components, including the following:
- kcs-db-server — update server image that is used when deploying the solution in private corporate networks. An update server is a remote server hosting the data that is used to update Kaspersky Container Security.
- kcs-ih — image of the image handler that forwards jobs to the scanner and receives the scan results. The image handler can be scaled to fit your needs.
- kcs-scanner — image of the scan server that is used to handle object scan requests.
- kcs-middleware — image of the server part of the solution that implements business logic for data processing and provides a REST API for the graphical interface.
- nats and nats-box — images of the service that determines the ordered sequence of requests, thereby enabling the exchange of data that is segmented as messages.
- kcs-postgres — image of the database management system containing tools for analysis and optimization of request parsing and mechanisms for processing requests (rules).
- kcs-panel — image for deploying the graphical user interface of Kaspersky Container Security.
- kcs-updates — image that contains updates and is run to deliver updates when the solution is deployed in private corporate networks.
- kcs-licenses — image of the licensing service containing the text of the End User License Agreement. The End User License Agreement specifies the terms of use of the application.
- values.yaml — configuration file containing the values of settings for configuring the Helm Chart package and installing the solution.
After the Helm Chart package is downloaded, its resources are stored in the directory that you chose.
During the deployment process, the solution interface can be used to generate the following installation files in YAML format to install system agents:
- kube-agent;
- node-agent.
The information required to activate the application is sent to you by email.
Hardware and software requirements
To install and operate Kaspersky Container Security, the following hardware and software requirements must be met:
- One of the following orchestration platforms:
  - Kubernetes 1.22 or later
  - OpenShift 4.11 or later
  - DeckHouse, versions 1.52, 1.53.
- CI system – GitLab CI.
- Pre-installed Helm package manager.
Kaspersky Container Security supports integration with the following image registries:
- GitLab 14.2 or later.
- Docker Hub V2 API or later.
- JFrog Artifactory 7.55 or later.
- Sonatype Nexus Repository OSS 3.43 or later.
- Harbor 2.x.
Image requirements (OS, version, scanned packages):
- Alpine Linux, versions 2.2—2.7, 3.0—3.18, Edge. Packages installed via apk are scanned.
- Red Hat Universal Base Image, versions 7, 8, 9. Packages installed via yum/rpm are scanned.
- Red Hat Enterprise Linux, versions 6, 7, 8. Packages installed via yum/rpm are scanned.
- CentOS, versions 6, 7, 8. Packages installed via yum/rpm are scanned.
- AlmaLinux, versions 8, 9. Packages installed via yum/rpm are scanned.
- Rocky Linux, versions 8, 9. Packages installed via yum/rpm are scanned.
- Oracle Linux, versions 5, 6, 7, 8. Packages installed via yum/rpm are scanned.
- CBL-Mariner, versions 1.0, 2.0. Packages installed via yum/rpm are scanned.
- Amazon Linux, versions 1, 2, 2023. Packages installed via yum/rpm are scanned.
- openSUSE Leap, versions 42, 15. Packages installed via zypper/rpm are scanned.
- SUSE Enterprise Linux, versions 11, 12, 15. Packages installed via zypper/rpm are scanned.
- Photon OS, versions 1.0, 2.0, 3.0, 4.0. Packages installed via tdnf/yum/rpm are scanned.
- Debian GNU/Linux, versions 7, 8, 9, 10, 11, 12. Packages installed via apt/apt-get/dpkg are scanned.
- Ubuntu, all versions supported by Canonical. Packages installed via apt/apt-get/dpkg are scanned.
- Distroless, all versions. Packages installed via apt/apt-get/dpkg are scanned.
- RedOS, versions 7.1, 7.2, 7.3.x. Packages installed via yum/rpm are scanned.
- Astra, versions ce 2.12.x, se 1.7.x. Packages installed via apt/apt-get/dpkg are scanned.
When configuring Kaspersky Container Security with three scanner pods (kcs-ih service) and the maximum size of images to be scanned up to 10 GB, the cluster must meet the following requirements:
- At least 7 node processors
- 15 GB of RAM node capacity
- 40 GB of free disk space on a node hard drive
- At least 1 Gbps of communication channel bandwidth between cluster components
The above requirements apply to Kaspersky Container Security deployment only; they do not take into account other loads on the client's resources.
Kaspersky Container Security user workstation requirements:
- Permanent Internet connection when deployed in a public corporate network.
- Access to the Kaspersky Container Security Management Console page (address within customer's corporate network, specified during Kaspersky Container Security Server installation).
- Communication channels with at least 10 Mbit/s bandwidth.
- One of the following browsers:
  - Google Chrome version 73 or later.
  - Microsoft Edge version 79 or later.
  - Mozilla Firefox version 63 or later.
  - Apple Safari version 12.1 or later.
  - Opera version 60 or later.
Scaling
Kaspersky Container Security supports scaling for the number of scanning pods to ensure that the incoming image volume can be scanned. You can scale the number of scanning pods up or down at any time while the solution is operating.
When a scanning pod is added, the system resources increase as follows:
- The number of node processors—by 2.
- The amount of RAM on the nodes—by 4 GB.
- The amount of free disk space on a node hard drive—by 15 GB.
To scan images larger than 10 GB, the kcs-ih service resources must be increased as follows per scanning pod and for each additional GB:
- The amount of RAM on the nodes—by 300 MB.
- The amount of free disk space on a node hard drive—by 1 GB.
If the images are not scanned for configuration file errors during standard operation mode, it is not necessary to increase the RAM of the scanning pods.
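The sizing rules in this section combine into a small capacity calculator that a cluster operator can run before scaling the scanner pods. The block below is an added example and is not part of the Kaspersky Container Security documentation or product. It uses only the figures stated on this page (the three-pod, 10 GB baseline, the per-pod increments and the per-GB increments) and assumes two things that the page does not state explicitly: that the increments extrapolate linearly in both directions from the baseline, and that the extra RAM for larger images is skipped exactly when images are not checked for configuration file errors.

```python
# Added capacity-planning helper for the Scaling section (example code, not the
# product's own). Baseline and increments are the figures from this page; the
# linear extrapolation and the scans_config_files switch are assumptions.

BASELINE_PODS = 3        # the baseline sizing is given for three scanning pods
BASELINE_IMAGE_GB = 10   # ... and for images of up to 10 GB
BASELINE = {"cpu": 7, "ram_gb": 15.0, "disk_gb": 40.0}

# Resources added (or removed) per scanning pod relative to the baseline.
PER_POD = {"cpu": 2, "ram_gb": 4.0, "disk_gb": 15.0}

# Resources added per scanning pod for every GB of image size above 10 GB.
PER_POD_PER_EXTRA_GB = {"ram_gb": 0.3, "disk_gb": 1.0}


def cluster_requirements(pods, max_image_gb, scans_config_files=True):
    """Return the minimum cluster resources (cpu, ram_gb, disk_gb) for the given
    number of scanning pods and the largest image that must be scanned.

    Assumption: when scans_config_files is False the large-image RAM surcharge
    is not applied, following the page's note on configuration file checks.
    """
    if pods < 1 or max_image_gb <= 0:
        raise ValueError("pods must be >= 1 and max_image_gb must be > 0")

    # Negative extra_pods means scaling below the baseline (extrapolation).
    extra_pods = pods - BASELINE_PODS
    extra_gb = max(0, max_image_gb - BASELINE_IMAGE_GB)

    cpu = BASELINE["cpu"] + PER_POD["cpu"] * extra_pods
    ram = BASELINE["ram_gb"] + PER_POD["ram_gb"] * extra_pods
    disk = BASELINE["disk_gb"] + PER_POD["disk_gb"] * extra_pods

    # The large-image surcharge applies to every scanning pod, not only added ones.
    disk += pods * PER_POD_PER_EXTRA_GB["disk_gb"] * extra_gb
    if scans_config_files:
        ram += pods * PER_POD_PER_EXTRA_GB["ram_gb"] * extra_gb

    return {"cpu": cpu, "ram_gb": round(ram, 2), "disk_gb": round(disk, 2)}


def shortfall(available, pods, max_image_gb, scans_config_files=True):
    """Compare a node inventory against the requirement and return what is
    missing per resource; an empty dict means the cluster fits."""
    required = cluster_requirements(pods, max_image_gb, scans_config_files)
    return {
        key: round(required[key] - available.get(key, 0), 2)
        for key in required
        if available.get(key, 0) < required[key]
    }


if __name__ == "__main__":
    # Constructed inventory: a cluster with spare CPU and RAM but little disk.
    inventory = {"cpu": 8, "ram_gb": 16, "disk_gb": 32}
    print("3 pods, 10 GB images:", cluster_requirements(3, 10))
    print("4 pods, 14 GB images:", cluster_requirements(4, 14))
    print("shortfall for baseline:", shortfall(inventory, 3, 10))
```

The page gives requirements for Kaspersky Container Security alone, so the inventory passed to `shortfall` should be the capacity left over after other workloads on the nodes are accounted for.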