Kaspersky Container Security
1.2
English

Contents

About the Kaspersky Container Security platform

Kaspersky Container Security (hereinafter referred to as the solution) allows you to discover security problems and ensures protection throughout the container application lifecycle, from development and deployment control to runtime.

Solution functionalities:

  • Integration with image registries (Docker Hub, JFrog Artifactory, Sonatype Nexus Repository OSS, GitLab Registry, Harbor) to scan images in the registry for known vulnerabilities published by the NVD and VDB (DSTD), secrets (passwords, access keys, tokens), misconfigurations, and malware.
  • Integration into the continuous integration / continuous delivery (CI/CD) process as a pipeline stage, as well as scanning IaC for misconfigurations and container images for vulnerabilities, malware, and sensitive data (secrets).
  • Checking of cluster nodes for compliance with industry information security benchmarks.
  • Monitoring compliance with the configured security policies while building and operating the applications, including monitoring container runs in the runtime.
  • Monitoring of resources used by the controlled clusters.

You can configure and access the functionalities of Kaspersky Container Security through the Management Console. The console is implemented as a web interface which can be accessed through the Chromium (Google Chrome, Microsoft Edge, Apple Safari) or Mozilla Firefox browsers.

In this Help section

What's new

Distribution kit

Hardware and software requirements

Scaling

System packages of base images

Scanned application software packages

Working in cloud-based environments
Page top
[Topic 258853]

What's new

Kaspersky Container Security 1.2 offers the following new features and improvements:

Kaspersky Security for Containers 1.2.1 has the following updates:

  • LDAP-based authentication method was improved.
  • Operations for working in Telegram (sending messages, chat searching) were improved.
  • Application of filters for results of checking for compliance with the Kubernetes standard was corrected.
  • The Vendor Fix field in the Risk acceptance report was amended.
  • Capability to work with vulnerabilities in Java dependencies for the CI agent was added.
  • Performance of the following controls in runtime policies was improved: Block non-compliant images and Block unregistered images.
  • Logic of deleting scopes with policies assigned to them was improved.
  • Work with image signature validators was optimized.
  • Procedure for authentication of Kaspersky Container Security users was improved.
  • API token reissue functionality was corrected.
  • Display of a large number of tags when adding images for analysis was corrected.
  • Adding a new registry using API was improved (the logic of saving information about tags was fixed).
  • Image report templates were amended (links to vulnerabilities in images are displayed).
  • Work with email servers when using CRAM-MD5 authentication was ijmproved.
  • Capability to configure the frequency of accessing an image registry was added.
  • Web interface was improved.

Kaspersky Security for Containers 1.2.2 has the following updates:

  • Yandex Registry support was implemented.
  • General way to support image registries using the Docker V2 API was added.
  • Work with the JFrog Artifactory image registry to support accounts with reduced privileges was improved.
  • Mechanism for saving artifacts in CI/CD was improved.
  • Agent operation errors in older versions of Kubernetes (version 4.18) were fixed.
  • Scheduled scanning of image registries in case of errors with codes 4XX and 5XX was corrected.
  • Logic of operation during an integration with a subdomain (using names other than standard names) in the JFrog Artifactory was improved.
Page top
[Topic 275547]

Distribution kit

For information about purchasing the application, please visit https://www.kaspersky.com or contact our partners.

The distribution kit includes a Helm Chart package with the containerized resources necessary for deploying and installing Kaspersky Container Security components. The containerized components from the distribution kit are listed in the table below.

Containerized components from the Kaspersky Container Security distribution kit

Component

Image

Pod

ClickHouse DBMS

clickhouse

kcs-clickhouse

PostgreSQL DBMS

postgresql

kcs-postgres

PGBouncer connection pooler

pgbouncer

kcs-pgbouncer

Middleware

middleware

kcs-middleware

Event Broker

event-broker

kcs-eb

Image Handler, client scanner

image-handler

kcs-ih

Scanner

scanner-server

kcs-scanner

Licenses

licenses

kcs-licenses

File storage (Minio)

minio

kcs-s3

Message Broker

nats

kcs-nats

Update file server for private corporate networks (Updates)

updates

kcs-updates

Solution interface (Panel)

nginx

kcs-panel

Agents

node-agent
kube-agent

node-agent
kube-agent

The Helm package also includes a values.yaml configuration file that contains the values of settings for installing and updating the solution.

After downloading and saving the Helm package in a selected directory, the orchestrator downloads the images from the source specified in the Helm package directly to the orchestration platform nodes.

The information required to activate the application is sent to you by email.

Page top
[Topic 274382]

Hardware and software requirements

To install and operate Kaspersky Container Security, the following infrastructure requirements must be met:

  • One of the following orchestration platforms:
    • Kubernetes (version 1.21 or later)
    • OpenShift (version 4.11 or later)
    • DeckHouse (versions 1.52, 1.53. CNI: Flannel)
  • Availability of a CI system to scan container images within the development process (for example, GitLab CI).
  • Installed package manager Helm v3.10.0 or later.

To implement runtime monitoring with container runtime profiles, orchestrator nodes must meet the following requirements:

  • Linux kernel 4.18 or later.
  • Container runtimes (CRI): containerd, CRI-O.
  • Container Network Interface (CNI) plug-ins: Flannel, Calico, Cilium.

Minimum supported versions of Linux distributions and Linux kernels to implementing runtime monitoring using container runtime profiles:

  • CentOS 8.2.2004 or later + kernel 4.18.0-193 or later.
  • Ubuntu 18.04.2 or later + kernel 4.18.0 or later
  • Debian 10 or later + kernel 4.19.0 or later
  • Astra Linux SE 1.7. * + Kernel 6.1.50-1-generic.

If your infrastructure contains host servers running other Linux distributions, we recommend contacting Technical Support. Technical Support will check the compatibility of the solution with your distributions. If such compatibility is not available, the distributions may be supported by future versions of Kaspersky Container Security.

Kaspersky Container Security ensures correct operation when used in the Istio service mesh infrastructure.

When using external database management systems, Kaspersky Container Security supports PostgreSQL 11.*, 13.*, 14.*.

Kaspersky Container Security supports integration with the following image registries:

  • GitLab 14.2 or later
  • Docker Hub V2 API or later
  • JFrog Artifactory 7.55 or later
  • Sonatype Nexus Repository OSS 3.43 or later
  • Harbor 2.х.

Image requirements (OS, version, scanned packages):

  • AlmaLinux, versions 8, 9. Packages installed via dnf/yum/rpm are scanned.
  • Alpine Linux, versions 2.2 - 2.7, 3.0 - 3.20, Edge. Packages installed via apk are scanned.
  • Amazon Linux, versions 1, 2, 2023. Packages installed via dnf/yum/rpm are scanned.
  • Astra Linux SE, versions 1.6.x, 1.7.x. Packages installed via apt/dpkg are scanned.
  • CBL-Mariner, versions 1.0, 2.0. Packages installed via dnf/yum/rpm are scanned.
  • CentOS, versions 6, 7, 8. Packages installed via dnf/yum/rpm are scanned.
  • Chainguard, all versions. Packages installed via apk are scanned.
  • Debian GNU/Linux, versions 7, 8, 9, 10, 11, 12. Packages installed via apt/dpkg are scanned.
  • openSUSE Leap, versions 42, 15. Packages installed via zypper/rpm are scanned.
  • Oracle Linux, versions 5, 6, 7, 8. Packages installed via dnf/yum/rpm are scanned.
  • Photon OS, versions 1.0, 2.0, 3.0, 4.0. Packages installed via tdnf/yum/rpm are scanned.
  • Red Hat Enterprise Linux, versions 6, 7, 8. Packages installed via dnf/yum/rpm are scanned.
  • RedOS, versions 7.1, 7.2, 7.3.x, 8.0. Packages installed via dnf/yum/rpm are scanned.
  • Rocky Linux, versions 8, 9. Packages installed via dnf/yum/rpm are scanned.
  • SUSE Enterprise Linux, versions 11, 12, 15. Packages installed via zypper/rpm are scanned.
  • Ubuntu, all versions supported by Canonical. Packages installed via apt/dpkg are scanned.
  • Wolfi Linux, all versions. Packages installed via apk are scanned.
  • OS with the Conda command line tool installed. Packages installed via conda are scanned.

When configuring Kaspersky Container Security in a cluster with three worker nodes, three scanner pods (kcs-ih) and a maximum image scan size of 10 GB, the cluster working node must meet the following requirements:

  • At least 10 processor cores
  • At least 18 GB of RAM
  • 40 GB of free disk space
  • At least 1 Gbps of communication channel bandwidth between cluster components

For agents operation in the cluster, each working node must be provided with the following additional computational resources:

  • 2 processor cores
  • 3 GB of RAM
  • 15 GB of free disk space

You must allocate 1 GB of free disk space for ClickHouse Persistent Volume for each monitored node in the cluster where the solution is installed.

The above requirements apply to Kaspersky Container Security deployment only; they do not take into account other loads on the client's resources.

Kaspersky Container Security user workstation requirements:

  • Permanent Internet connection when deployed in a public corporate network.
  • Access to the Management Console page of Kaspersky Container Security (address within customer's corporate network, specified during installation).
  • Communication channels with at least 10 Mbit/s bandwidth.
  • One of the following browsers:
    • Google Chrome version 73 or later.
    • Microsoft Edge version 79 or later.
    • Mozilla Firefox version 63 or later.
    • Apple Safari version 12.1 or later.
    • Opera version 60 or later.

Page top

[Topic 274380]

Scaling

Kaspersky Container Security supports scaling for the number of scanning pods to ensure that the incoming image volume can be scanned. You can scale the number of scanning pods up or down at any time while the solution is operating.

When a scanning pod is added, the system resources increase as follows:

  • The number of node processors—by 2.
  • The amount of RAM on the nodes—by 4 GB.
  • The amount of free disk space on a node hard drive—by 15 GB.

To scan images larger than 10 GB, the kcs-ih service resources must be increased as follows per scanning pod and for each additional GB.

  • The amount of RAM on the nodes—by 300 MB.
  • The amount of free disk space on a node hard drive—by 1 GB.

If the images are not scanned for configuration file errors during standard operation mode, it is not necessary to increase the RAM of the scanning pods.

To process the results of scanning many large objects faster, you can allocate more resources to the job handler service by updating variables in the Helm package.

To add more scan job handling resources:

  1. Open the Helm package and specify the required number of handlers for the kcs-middleware parameter in the scanWorkers variable in the default section.
  2. In the requests and limits variables, specify the size of RAM as determined according to the following formula:

    memory = X * scanWorkers / 2, where

    memory is the size of RAM allocated to the image handler service.

    X is the original value of the variable that denotes the size of RAM.

    scanWorkers is the number of handlers specified in step 1.

    The result of scanWorkers/2 can't be zero.

  3. In the requests and limits variables, specify the CPU resources as calculated according to the following formula:

    cpu = X*scanWorkers, where

    cpu is the CPU resources allocated to the image handler service.

    X is the original value of the variable that denotes the CPU resources.

    scanWorkers is the number of handlers.

Example of adding more scan job handling resources

Adding more scan job handling resources

Initial value

Increased value

 

default:

# kcs-middleware:

#scanWorkers: 1

## Default values for 'resources'

# resources:

# requests:

# memory: "2Gi"

# cpu: "400m"

# limits:

# memory: "4Gi"

# cpu: "800m"

 

 

default:

kcs-middleware:

scanWorkers: 4

## Default values for 'resources'

resources:

requests:

memory: "4Gi"

cpu: "1600m"

limits:

memory: "8Gi"

cpu: "3200m"

 

Page top
[Topic 271781]

System packages of base images

The following operating system images are used as base images by Kaspersky Container Security:

  • Alpine 3.18.4.
  • Ubuntu 23.10.
  • Oracle Linux 9.2.

Package management systems ("package managers") are used to manage the installation, removal, configuration, and updating of various software components. Kaspersky Container Security uses the following package managers for its base operating systems:

  • For Alpine, apk.
  • For Ubuntu, apt.
  • For Oracle Linux, rpm.

To get information about installed system packages,

use the standard orchestrator tools for accessing a running container and (depending on the package manager used) enter the following bash command:

  • For apk:

    apk -q list | grep "installed".

  • For apt:

    apt list --installed.

  • For rpm:

    yum list installed.

Page top

[Topic 265976]

Scanned application software packages

Kaspersky Container Security supports the following scanned application software packages in the specified programming languages:

  • Ruby:
    • gemspec (image is scanned).
    • Gemfile.lock (repository in CI/CD is scanned).
  • Python:
    • egg package, wheel package, conda package (image is scanned).
    • Pipfile.lock, poetry.lock, requirements.txt (repository in CI/CD is scanned).
  • PHP:
    • installed.json (image is scanned).
    • composer.lock (repository in CI/CD is scanned).
  • Node.js:
    • package.json (image is scanned).
    • package-lock.json, yarn.lock, pnpm-lock.yaml (repository in CI/CD is scanned).
  • .NET: packages.lock.json, packages.config, .deps.json, Packages.props (image and repository in CI/CD are scanned).
  • Java:
    • * .jar, * .war, * .par and * .ear (image is scanned).
    • pom.xml, * gradle.lockfile, * .sbt.lock (repository in CI/CD is scanned).
  • Go:
    • Binary files (image is scanned).
    • go.mod (repository in CI/CD is scanned).
  • Rust:
    • Binaries checked by Cargo (image is scanned).
    • Cargo.lock (image and repository in CI/CD are scanned).
  • C/C++: conan.lock (repository in CI/CD is scanned).
  • Elixir: mix.lock (repository in CI/CD is scanned).
  • Dart: pubspec.lock (repository in CI/CD is scanned).
  • Swift: Podfile.lock, Package.resolved (repository in CI/CD is scanned).
  • Julia: Manifest.toml (image and repository in CI/CD are scanned).

Page top

[Topic 283462]

Working in cloud-based environments

Kaspersky Container Security can operate in various cloud environments. For more information on launching the solution in cloud environments, contact your Presales Manager.

Page top
[Topic 270192]