Hardware and software requirements
To install and operate Kaspersky Container Security, the following infrastructure requirements must be met:
- One of the following orchestration platforms:
- Kubernetes 1.21 or later
- OpenShift 4.8, 4.11, or later
- DeckHouse 1.52 or 1.53 (CNI: Flannel)
- DropApp 2.1
- Availability of a CI system to scan container images within the development process (for example, GitLab CI).
- Installed package manager Helm 3.10.0 or later.
To implement runtime monitoring with container runtime profiles, orchestrator nodes must meet the following requirements:
- Linux kernel 4.18 or later.
- Container runtimes (CRI): containerd, CRI-O.
- Container Network Interface (CNI) plug-ins: Flannel, Calico, Cilium.
Architecture requirements:
Kaspersky Container Security supports the x86 architecture.
Minimum supported versions of Linux distributions and Linux kernels for implementing runtime monitoring using container runtime profiles:
- CentOS 8.2.2004 or later + kernel 4.18.0-193 or later.
- Ubuntu 18.04.2 or later + kernel 4.18.0 or later
- Debian 10 or later + kernel 4.19.0 or later
- Astra Linux SE 1.7. * + Kernel 6.1.50-1-generic.
If Astra Linux OS is used, kernel configuration must have the
CONFIG_DEBUG_INFO_BTF=yoption. - RHEL 9.4 or later + kernel 5.14 or later
- Red Hat Enterprise Linux CoreOS 416.94.202408200132-0 + kernel 5.14.0-427.33.1.el9_4.x86_64
- Sber Linux 8.9, 9.3 + kernel 5.14 (CNI: CRI-O, Calico, Cilium)
When using Cilium 1.16, you must set enableTCX to false.
If your infrastructure contains host servers running other Linux distributions, we recommend contacting Technical Support. Technical Support will check the compatibility of the solution with your distributions. If such compatibility is not available, the distributions may be supported by future versions of Kaspersky Container Security.
Kaspersky Container Security ensures correct operation when used in an Istio service mesh infrastructure.
The solution supports integration with Hashicorp Vault 1.7 or later.
When using external database management systems, Kaspersky Container Security supports the following DBMS:
- PostgreSQL 11.*, 13.*, 14.*, 15.*
- Pangolin 6.2.0
Kaspersky Container Security supports integration with the following image registries:
- GitLab 14.2 or later
- Docker Hub V2 API
- JFrog Artifactory 7.55 or later
- Sonatype Nexus Repository OSS 3.43 or later
- Harbor 2.х
- Yandex Registry (integration using the Yandex Container Registry API)
- Docker Registry (integration using the Docker V2 API)
- Red Hat Quay 3.x
Kaspersky Container Security supports both IPv4 and IPv6 networks.
Image requirements (OS, version, scanned packages):
- AlmaLinux, versions 8, 9. Packages installed via dnf/yum/rpm are scanned.
- Alpine Linux, versions 2.2 - 2.7, 3.0 - 3.20, Edge. Packages installed via apk are scanned.
- Amazon Linux, versions 1, 2, 2023. Packages installed via dnf/yum/rpm are scanned.
- Astra Linux SE, versions 1.6.x, 1.7.x. Packages installed via apt/dpkg are scanned.
- CBL-Mariner, versions 1.0, 2.0. Packages installed via dnf/yum/rpm are scanned.
- CentOS, versions 6, 7, 8. Packages installed via dnf/yum/rpm are scanned.
- Chainguard, all versions. Packages installed via apk are scanned.
- Debian GNU/Linux, versions 7, 8, 9, 10, 11, 12. Packages installed via apt/dpkg are scanned.
- openSUSE Leap, versions 42, 15. Packages installed via zypper/rpm are scanned.
- openSUSE Tumbleweed, all versions. Packages installed via zypper/rpm are scanned.
- Oracle Linux, versions 5, 6, 7, 8. Packages installed via dnf/yum/rpm are scanned.
- Photon OS, versions 1.0, 2.0, 3.0, 4.0. Packages installed via tdnf/yum/rpm are scanned.
- Red Hat Enterprise Linux, versions 6, 7, 8. Packages installed via dnf/yum/rpm are scanned.
- RedOS, versions 7.1, 7.2, 7.3.x, 8.0. Packages installed via dnf/yum/rpm are scanned.
- Rocky Linux, versions 8, 9. Packages installed via dnf/yum/rpm are scanned.
- SUSE Enterprise Linux, versions 11, 12, 15. Packages installed via zypper/rpm are being scanned.
- SUSE Linux Enterprise Micro, versions 5, 6. Packages installed via zypper/rpm are scanned.
- Ubuntu, all versions supported by Canonical. Packages installed via apt/dpkg are scanned.
- Wolfi Linux, all versions. Packages installed via apk are scanned.
- OS with the Conda command line tool installed. Packages installed via conda are scanned.
When configuring Kaspersky Container Security in a cluster with three worker nodes, three scanner pods (kcs-ih) and a maximum image scan size of 10 GB, the cluster working node must meet the following requirements:
- At least 10 processor cores
- At least 18 GB of RAM
- 40 GB of free disk space
- At least 1 Gbps of communication channel bandwidth between cluster components
To run agents in a cluster, each worker node must be provided with the following additional computing resources:
- 2 processor cores
- 3 GB of RAM
- 15 GB of free disk space
You must allocate free disk space for ClickHouse DBMS taking into account the number of monitored nodes. Each node requires 1 GB of free disk space for ClickHouse Persistent Volume.
The above requirements apply to Kaspersky Container Security deployment only; they do not take into account other loads on the client's resources.
Kaspersky Container Security user workstation requirements:
- Permanent Internet connection when deployed in a public corporate network.
- Access to the Management Console page of Kaspersky Container Security (address within customer's corporate network, specified during installation).
- Communication channels with at least 10 Mbit/s bandwidth.
- One of the following browsers:
- Google Chrome version 73 or later.
- Microsoft Edge version 79 or later.
- Mozilla Firefox version 63 or later.
- Apple Safari version 12.1 or later.
- Opera version 60 or later.