Solution installation
Kaspersky Container Security components are supplied as images in the Kaspersky Container Security manufacturer registry and deployed as containers.
Installation of the Kaspersky Container Security platform consists of the following steps:
- Installation of the Basic business logic module and the Scanner components.
- First launch of the Management Console.
- Configuration of the agent groups and agent deployment on the controlled cluster nodes.
After installation, you should prepare the solution for operation:
- Configure integration with image registries.
- Configure integration with outputs.
- Configure security policies.
- Add container runtime profiles.
- Configure the File Threat Protection parameters.
- Configure integration with image signature validators.
- Configure integration with CI/CD.
- Configure user accounts, roles, and scopes.
- Configure integration with LDAP server.
Installing the basic business logic module and scanner
Before the solution installation, you must check the data integrity in the prepared Helm Chart package.
To check the data integrity:
- Download the archive with the prepared Helm Chart package and the hash file into the same directory.
- From this directory, execute the following command:
sha256sum -c kcs-1.2.0.tgz.sha
The data integrity is confirmed if the following message is displayed:
kcs-1.2.0.tgz: OK
Before starting the installation (including on AWS EKS or Microsoft Azure), pay attention to the storageClass and ingressClass settings in the default and ingress.kcs blocks of the values.yaml configuration file. These settings are cluster-specific and, if necessary, must be changed to match your infrastructure. Below is an example of the default settings for Azure:
default:
  storageClass: azurefile
  networkPolicies:
    ingressControllerNamespaces:
      - app-routing-system
ingress:
  kcs:
    ingressClass: webapprouting.kubernetes.azure.com
To install the basic business logic module and the scanner of Kaspersky Container Security, run the solution installation after preparing the configuration file:
cd kcs/
helm upgrade --install kcs . \
--create-namespace \
--namespace kcs \
--values values.yaml \
--set default.domain="kcs.example.domain.ru" \
--set default.networkPolicies.ingressControllerNamespaces="{ingress-nginx}" \
--set secret.infracreds.envs.POSTGRES_USER="user" \
--set secret.infracreds.envs.POSTGRES_PASSWORD="pass" \
--set secret.infracreds.envs.MINIO_ROOT_USER="user" \
--set secret.infracreds.envs.MINIO_ROOT_PASSWORD="pass" \
--set secret.infracreds.envs.CLICKHOUSE_ADMIN_PASSWORD="pass" \
--set secret.infracreds.envs.NATS_USER="user" \
--set secret.infracreds.envs.NATS_PASSWORD="pass" \
--set pullSecret.kcs-pullsecret.username="user" \
--set pullSecret.kcs-pullsecret.password="pass"
After installation, the solution components are deployed.
After installation is complete, a record of the solution installation command, including the credentials passed to it, remains in the command shell history. You can open the command history file and delete this record, or prevent the command history from being logged in the command shell before running the installation.
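The two steps above (hash check, then helm install) as a POSIX shell wrapper. This is an added example, not Kaspersky's own code: it verifies the archive with sha256sum -c and passes the credentials to helm in an owner-only values file instead of --set arguments, so they never reach the shell history described in the note above. The KCS_* environment variable names are assumptions for this example.

```shell
#!/bin/sh
# Added example, not Kaspersky's own code: verify the chart archive before
# installing, then pass the credentials to helm through a 0600 values file so
# they do not appear on the command line, in ps output or in shell history.
set -eu

# Check the archive against its .sha file (default <archive>.sha, same dir).
# sha256sum -c resolves the listed name relative to cwd, so run it from there.
verify_chart() {
  archive=$1
  shafile=${2:-$archive.sha}
  ( cd "$(dirname "$archive")" \
      && sha256sum -c "$(basename "$shafile")" >/dev/null 2>&1 )
}

# Write the --set keys of the documented install command as a values file.
# Values come from KCS_* variables (assumed names for this example) and must
# not contain double quotes or backslashes, since no YAML escaping is done.
write_secret_values() {
  out=$1
  old_umask=$(umask)
  umask 077   # file is created readable and writable by the owner only
  cat > "$out" <<EOF
secret:
  infracreds:
    envs:
      POSTGRES_USER: "${KCS_POSTGRES_USER:?}"
      POSTGRES_PASSWORD: "${KCS_POSTGRES_PASSWORD:?}"
      MINIO_ROOT_USER: "${KCS_MINIO_ROOT_USER:?}"
      MINIO_ROOT_PASSWORD: "${KCS_MINIO_ROOT_PASSWORD:?}"
      CLICKHOUSE_ADMIN_PASSWORD: "${KCS_CLICKHOUSE_ADMIN_PASSWORD:?}"
      NATS_USER: "${KCS_NATS_USER:?}"
      NATS_PASSWORD: "${KCS_NATS_PASSWORD:?}"
pullSecret:
  kcs-pullsecret:
    username: "${KCS_PULL_USER:?}"
    password: "${KCS_PULL_PASSWORD:?}"
EOF
  umask "$old_umask"
}

# Same helm invocation as the documentation, with the credential --set
# arguments replaced by the extra --values file.
install_kcs() {
  chart_dir=$1 secrets=$2 domain=$3
  helm upgrade --install kcs "$chart_dir" --create-namespace --namespace kcs \
    --values "$chart_dir/values.yaml" --values "$secrets" \
    --set default.domain="$domain" \
    --set default.networkPolicies.ingressControllerNamespaces="{ingress-nginx}"
}
```

Call install_kcs ./kcs secrets.yaml kcs.example.domain.ru once verify_chart has succeeded, and remove the values file after the release is up.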
The control panel will be available at the address specified in the envs subsection of the environment variables section. This allows you to create the ConfigMap object for the API_URL parameter: http://${DOMAIN}
First launch of the Management console
To start the Kaspersky Container Security Management Console:
- In your browser, navigate to the address specified for the Management Console during the Server installation.
The authorization page opens.
- Enter your user name and password and click the Login button.
During the installation of the solution, the user name and password are both set to admin. You can change the user name and password after launching the Management Console.
After 3 unsuccessful password entry attempts, the user is temporarily blocked. The default block duration is 1 minute.
- Following the request, change the current password for the user account: enter a new password, confirm it, and click the Change button.
Passwords have the following requirements:
- The password must contain numerals, special characters, and uppercase and lowercase letters.
- The minimum password length is 6 characters, and the maximum password length is 72 characters.
The main page of the Management Console opens.
By default, a logged-in user session in the Management Console lasts 9 hours. In the Settings → Authentication section, you can set your own session duration, from a minimum of 1 hour to a maximum of 168 hours. After this time expires, the session ends.
You can change the connection settings in the Settings → Authentication section.
Viewing and accepting the End User License Agreement
When you launch the Management Console in a browser for the first time, Kaspersky Container Security prompts you to read the End User License Agreement between you and Kaspersky. To continue working with the solution, confirm that you have fully read and accept the terms of the End User License Agreement for Kaspersky Container Security.
To confirm acceptance of the terms of the End User License Agreement, at the bottom of the End User License Agreement window, click the Accept button.
The authorization page opens for launching the Management Console.
After installing a new version of the solution, accept the End User License Agreement again.
Checking solution functionality
After installing Kaspersky Container Security and starting the administration console, you can make sure that the solution is detecting security problems and protecting containerized objects.
To check the functionality of Kaspersky Container Security:
- Activate the solution using an activation code or key file.
- Configure integration with image registries. Integration with a single registry is sufficient to check the functionality.
- If necessary, configure the settings of the scanner policy that is created by default after installation of the solution.
- Add an image for scanning and make sure that the scan task is sent for processing.
- After the scan is complete, go to the page with detailed information about the image scan results.
Scanning an image and receiving valid results confirms that Kaspersky Container Security is operating correctly. After this, you can further configure the solution settings.
Agent deployment
You should install Agents on all nodes of the cluster that you want to protect.
A separate group of agents is installed on each cluster.
To deploy agents in the cluster:
- In the main menu, go to the Components → Agents section.
- In the work pane, click the Add agent group button.
- Fill in the fields in the form.
- Enter the group name. For convenient agent management, we recommend naming the group after the cluster whose nodes the agents will be deployed on.
- If required, enter a description of the agent group.
- Select the type of agent.
- Select the type of target node operating system.
- Select the orchestrator to use.
- In the KCS registry section, enter the web address of the registry where the images used to install agents are located. To access the registry, you must specify the correct user name and password.
- Under Node monitoring, use the Disable/Enable toggle to start monitoring and analyzing the status of the network, processes inside containers, and file threat protection for the following settings:
- Network connections monitoring. The status of network connections is monitored with traffic capture devices (network monitors) and eBPF modules. This process considers applicable runtime policies and container runtime profiles.
- Container processes monitoring. Container processes are monitored using eBPF programs based on applicable runtime policy rules and container runtime profile rules.
- File threat protection. To track malware database updates, specify one of the following values:
- Malware DB update URL: the web address of the Kaspersky Container Security update service.
- Malware DB update proxy: the HTTP proxy for a cloud or local update server.
If the kcs-updates container is used to update malware databases, the URL of the database update tool must be specified as <domain>/kuu/updates (for example, https://kcs.company.com/kuu/updates). By default, File Threat Protection databases are updated from Kaspersky cloud servers.
Monitoring steps that are not needed can be disabled to avoid unnecessary load on the nodes.
- Under Deployment data, specify the name of the cluster namespace.
- Click Save.
The work pane below the completed form will display data required to continue deploying agents to the cluster.
- To copy an automatically generated deployment token, click Copy. Deployment token: the identifier that the agent uses to connect to the server.
- Use the instruction from the Configuration field to deploy agents in the cluster. For example:
kubectl apply -f <file> -n <namespace>
You can copy the instruction or download it in the .YAML format. Following the application of the instruction, the agent is deployed on all worker nodes of the cluster.
If you change the following settings:
- TLS certificates of the solution,
- URL, user name and password for downloading the kube-agent and node-agent images,
- settings in the Node status monitoring section,
the solution automatically updates the agent deployment instruction.
You must copy or download the updated instruction in a .YAML file again, and then apply it by using the kubectl apply -f <file> -n <namespace> command.
Otherwise, changes to the agent deployment settings are not applied.
Viewing and editing agent groups
The table under Components → Agents displays the created and deployed agent groups. The following information is provided for each of these groups:
- Agent group name
- Number of connected agents in the group
- Type of connected agents
- Orchestrator
- Enabled node monitoring activities
You can filter agent groups by connection status (All, Connected, Disconnected, Pending) using the buttons above the table.
By clicking the deployment icon, you can expand each agent group in the table to view the following agent details:
- The name of the agent and its connection status.
- Version of the node where the agent is deployed (primary or worker)
- The name of the pod with which the agent is associated.
- Node monitoring activities (Container processes, Network connections, and File Threat Protection).
- Date and time when the agent last connected
By clicking the agent name link, you can expand the sidebar to view agent status information.
To edit the agent group settings:
- Under Components → Agents, in the table with the list of agent groups, click the link in the agent group name.
- In the window that opens, edit the group settings.
- Click Save.
Configuring a proxy server
In version 1.2, Kaspersky Container Security can proxy requests from private corporate networks to the external environment. The settings for connection through a proxy server are configured using the following environment variables in the Helm Chart package, which is included in the solution distribution kit:
- HTTP_PROXY: proxy server for HTTP requests.
- HTTPS_PROXY: proxy server for HTTPS requests.
- NO_PROXY: a variable that specifies domains or domain masks to be excluded from proxying. If HTTP_PROXY or HTTPS_PROXY is used, the NO_PROXY variable is automatically generated in the Helm Chart package and lists all the components used by Kaspersky Container Security. You can change the NO_PROXY variable if you need to exclude additional domains and masks from proxying for the operation of Kaspersky Container Security.
- SCANNER_PROXY: a specialized variable that specifies which proxy server receives requests from the scanner of the File Threat Protection component. These requests are sent to Kaspersky servers to update databases.
- LICENSE_PROXY: a specialized variable that specifies the proxy server through which the kcs-licenses module sends requests to Kaspersky servers to check and update information about the current license.
To specify Kaspersky servers in the permission lists of proxy servers, use the *.kaspersky.com or .kaspersky.com mask (depending on the domain name masks supported by your proxy server).
The table below lists the Kaspersky Container Security components that can use environment variables, and also indicates the purpose of these environment variables.
Environment variables used by Kaspersky Container Security components
| Component | Environment variable | Purpose |
|---|---|---|
| kcs-ih | | Getting access to external image registries that are not available from the Kaspersky Container Security namespace. |
| kcs-ih | SCANNER_PROXY | Update of the databases of the File Threat Protection scanner using Kaspersky update servers. |
| kcs-middleware | | Getting access to external image registries that are not available from the Kaspersky namespace. |
| kcs-scanner | | Update of the vulnerability scanner databases using Kaspersky update servers. |
| kcs-licenses | LICENSE_PROXY | Check and update of information about the current license using Kaspersky license servers. |