Limitations and warnings
Kaspersky Container Security 2.0 has a number of limitations that are not critical to the operation of the solution:
- When working with PostgreSQL 11.* or later, you need to use the uuid-ossp and pgcrypto extensions with the Kaspersky Container Security database.
- The duration of the Kaspersky Container Security update depends on the volume of the existing databases. If your database contains many records in the tables with image scanning results, vulnerability descriptions, and accepted risks, the update may take up to several hours.
We recommend updating Kaspersky Container Security outside of active hours.
- If you need to run many image vulnerability scans, we advise you to disable the misconfiguration scan option in the scanner policy because this operation may consume substantially more resources, especially when working with large-sized images.
- If the misconfiguration control is enabled in the scanner policy for the scanner operation, scanning time significantly increases. Images containing up to 1000 configuration files in the YAML, YML and JSON formats were successfully tested, but the correct operation of the scanner on images containing over 1000 configuration files may not be guaranteed.
- Scanning images for sensitive data is not recommended if the image size is over 10 GB.
- When an attempt is made to run the solution simultaneously with other container security applications, Kaspersky Container Security has been observed to operate incorrectly. If another application in use interferes with and/or integrates into the operation of containers, the File Threat Protection component may not function correctly. You can temporarily disable the File Threat Protection component in scanner policies.
We recommend that you do not use Kaspersky Container Security simultaneously with other container security applications.
- To use network policies supplied with Kaspersky Container Security, ensure the following:
  - In the Helm Chart used to deploy and install the solution, the networkPolicies.create parameter is set to true (the default value).
  - The network plug-in in the cluster where the solution is deployed supports Kubernetes network policies. If network policies are not supported, Kaspersky Container Security will create NetworkPolicies objects, but they will not be applied and will not filter traffic. If the NetworkPolicies objects are missing or not applied, the security level of the solution is lower.
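The second condition above is the one that is easy to get wrong: a network plug-in without NetworkPolicy support accepts the objects without any error, so their mere presence proves nothing. The following script is an added example, not part of the Kaspersky documentation or the Helm chart; it checks the effective networkPolicies.create value, counts the NetworkPolicy objects in the release namespace, and then applies a deny-all policy in a scratch namespace to confirm that the CNI really blocks traffic. The release name "kcs", the namespace "kcs", and the use of helm, jq, kubectl, and the nginx and busybox images are assumptions of this script.

```shell
#!/bin/sh
# Added example (not part of the Kaspersky documentation): verify that the
# NetworkPolicy objects exist and that the cluster's CNI actually enforces
# them. A plug-in without NetworkPolicy support accepts the objects without
# error, so the only reliable test is to apply a deny-all policy in a scratch
# namespace and confirm that traffic is blocked.
# Assumptions (placeholders, not values from the page): Helm release "kcs" in
# namespace "kcs"; kubectl, helm and jq on PATH; nginx and busybox pullable.
set -u

KCS_NS="${KCS_NS:-kcs}"
KCS_RELEASE="${KCS_RELEASE:-kcs}"

# chart_creates_policies: true when the effective Helm value
# networkPolicies.create is true for the release.
chart_creates_policies() {
  helm -n "$KCS_NS" get values "$KCS_RELEASE" --all -o json \
    | jq -e '.networkPolicies.create == true' >/dev/null
}

# netpol_count <namespace>: number of NetworkPolicy objects present.
netpol_count() {
  kubectl -n "$1" get networkpolicies -o name | grep -c .
}

# deny_all_manifest <namespace>: default-deny ingress policy used by the probe.
deny_all_manifest() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: $1
spec:
  podSelector: {}
  policyTypes:
  - Ingress
EOF
}

# probe_enforcement: 0 if the deny-all policy blocks traffic, 1 if the CNI
# ignores it, 2 if the baseline request already failed (probe inconclusive).
probe_enforcement() {
  ns="netpol-probe-$$"
  kubectl create namespace "$ns" >/dev/null
  kubectl -n "$ns" run web --image=nginx --port=80 --expose >/dev/null
  kubectl -n "$ns" wait --for=condition=Ready pod/web --timeout=120s >/dev/null
  # Baseline: the service must be reachable before any policy is applied.
  if ! kubectl -n "$ns" run c1 --rm -i --restart=Never --image=busybox -- \
        wget -q -T 5 -O /dev/null http://web >/dev/null 2>&1; then
    kubectl delete namespace "$ns" >/dev/null
    return 2
  fi
  deny_all_manifest "$ns" | kubectl apply -f - >/dev/null
  sleep 10   # give the CNI time to program the policy
  if kubectl -n "$ns" run c2 --rm -i --restart=Never --image=busybox -- \
        wget -q -T 5 -O /dev/null http://web >/dev/null 2>&1; then
    result=1   # request still succeeded: the policy is not enforced
  else
    result=0
  fi
  kubectl delete namespace "$ns" >/dev/null
  return "$result"
}

# Live checks run only with --run, so the functions above can be sourced and
# exercised without a cluster.
if [ "${1:-}" = "--run" ]; then
  chart_creates_policies || echo "networkPolicies.create is not true in release $KCS_RELEASE"
  echo "NetworkPolicy objects in $KCS_NS: $(netpol_count "$KCS_NS")"
  probe_enforcement; rc=$?
  case $rc in
    0) echo "CNI enforces NetworkPolicy" ;;
    1) echo "WARNING: CNI does not enforce NetworkPolicy; objects exist but filter nothing" ;;
    *) echo "probe inconclusive: baseline connectivity failed" ;;
  esac
fi
```

Run it as `sh check-netpol.sh --run` with a kubeconfig that can create namespaces. A result of 1 is the situation the page warns about: the objects are created, nothing is filtered, and the solution's security level is lower than expected until the plug-in is replaced or its policy enforcement is enabled.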
- Kaspersky Container Security supports correct scanning only of images for the linux/amd64 architecture. When scanning multi-platform images, the scanner automatically attempts to apply the linux/amd64 architecture option.
- To ensure maximum compatibility of BPF programs used by Kaspersky Container Security with numerous Linux distributions and Linux kernel versions, the solution uses eBPF CO-RE technology. Kaspersky Container Security works directly with the kernel of the Linux host server (node), thus the following requirements and restrictions must be observed:
  - To use eBPF CO-RE, the Linux kernel must be compiled with the configuration value CONFIG_DEBUG_INFO_BTF=y. Most Linux distributions have this configuration value enabled when building the kernel supplied with the distribution.
  - If kernel versions are updated manually, you must check the availability of the above-mentioned configuration value.
  For earlier versions of Linux distributions and Linux kernels that do not have built-in support for eBPF CO-RE, backward compatibility is ensured by Kaspersky Container Security.
  - If a manually compiled Linux kernel is used on a host server (node), the following settings must be enabled during the kernel configuration to ensure runtime monitoring using container runtime profiles:
    CONFIG_BPF=y
    CONFIG_BPF_SYSCALL=y
    CONFIG_BPF_EVENTS=y
    CONFIG_NET_CLS_BPF=m
    CONFIG_NET_ACT_BPF=m
    To ensure better BPF code performance, we recommend enabling the following settings:
    CONFIG_BPF_JIT=y
    CONFIG_HAVE_BPF_JIT=y
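A node-side check for the two kernel requirements above (the CO-RE BTF value and the runtime-monitoring options), written here as an added example rather than taken from the Kaspersky documentation. The option names and values are the ones the page lists; where the config is read from (/proc/config.gz, then /boot/config-<release>), the acceptance of a built-in (=y) option where the page lists =m, and the /sys/kernel/btf/vmlinux presence check are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the Kaspersky documentation): check on a node
# that the kernel was built with the options the page lists for eBPF CO-RE
# and runtime monitoring. Option names/values come from the page; the config
# sources and the BTF sysfs check are assumptions of this script.

# Required by the page ("=m" entries are also accepted when built in as "=y").
REQUIRED="CONFIG_DEBUG_INFO_BTF=y CONFIG_BPF=y CONFIG_BPF_SYSCALL=y CONFIG_BPF_EVENTS=y CONFIG_NET_CLS_BPF=m CONFIG_NET_ACT_BPF=m"
# Recommended by the page for BPF JIT performance.
RECOMMENDED="CONFIG_BPF_JIT=y CONFIG_HAVE_BPF_JIT=y"

# kernel_config: print the running kernel's config. /proc/config.gz exists only
# when CONFIG_IKCONFIG_PROC=y, so fall back to the distribution's /boot copy.
kernel_config() {
  if [ -r /proc/config.gz ]; then
    zcat /proc/config.gz
  elif [ -r "/boot/config-$(uname -r)" ]; then
    cat "/boot/config-$(uname -r)"
  else
    echo "kernel config not found; cannot verify options" >&2
    return 1
  fi
}

# check_options <config-file> NAME=VALUE...: print each option that is absent
# or set differently; return 0 when everything matches, 1 otherwise.
check_options() {
  cfg="$1"; shift
  rc=0
  for want in "$@"; do
    name="${want%%=*}"; val="${want#*=}"
    if grep -qx "${name}=${val}" "$cfg"; then
      continue
    fi
    # A module option that is instead built into the kernel still works.
    if [ "$val" = "m" ] && grep -qx "${name}=y" "$cfg"; then
      continue
    fi
    echo "$want"
    rc=1
  done
  return "$rc"
}

# btf_present: CO-RE needs BTF for the running kernel; with
# CONFIG_DEBUG_INFO_BTF=y the kernel exposes it at /sys/kernel/btf/vmlinux.
btf_present() {
  [ -r /sys/kernel/btf/vmlinux ]
}

# node_check: run all checks against the live node; returns 1 if any
# required option or the BTF blob is missing.
node_check() {
  cfg=$(mktemp) || return 1
  kernel_config > "$cfg" || { rm -f "$cfg"; return 1; }
  status=0
  # $REQUIRED / $RECOMMENDED are split on whitespace on purpose.
  missing=$(check_options "$cfg" $REQUIRED) || status=1
  [ -n "$missing" ] && printf 'missing required:\n%s\n' "$missing"
  rec=$(check_options "$cfg" $RECOMMENDED) || printf 'not enabled (recommended):\n%s\n' "$rec"
  btf_present || { echo "no /sys/kernel/btf/vmlinux: BTF not available to CO-RE programs"; status=1; }
  rm -f "$cfg"
  return "$status"
}

if [ "${1:-}" = "--run" ]; then
  node_check
fi
```

Run `sh check-kernel.sh --run` on each node after a manual kernel update; a non-zero exit means runtime monitoring with container runtime profiles cannot rely on the kernel as built.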
  - If runtime monitoring using Kaspersky Container Security container runtime profiles is to be conducted simultaneously with CNI Cilium (node-agent pods are deployed on the same host servers as cilium-agent), the following actions must be performed:
    - In the cluster with the deployed node-agent, set the data.bpf-filter-priority parameter of the cilium-config ConfigMap to a value greater than 1. We recommend specifying 5 for the data.bpf-filter-priority parameter.
    - Restart the cilium-agent pods to apply the specified setting.
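The two Cilium steps above, carried out with kubectl, as an added example that is not part of the Kaspersky or Cilium documentation. The ConfigMap name cilium-config and the key bpf-filter-priority are the ones the page names; that Cilium is installed in kube-system and that its agents run as the DaemonSet named cilium (the chart defaults) are assumptions of this script, as is the choice of a rollout restart to recreate the cilium-agent pods.

```shell
#!/bin/sh
# Added example (not from the Kaspersky documentation): set Cilium's
# bpf-filter-priority in the cilium-config ConfigMap as the page requires and
# restart the agents so the new priority is applied.
# Assumptions: Cilium in namespace kube-system, agents in DaemonSet "cilium".

CILIUM_NS="${CILIUM_NS:-kube-system}"

# priority_ok <value>: true only for a non-negative integer greater than 1,
# the range the page asks for.
priority_ok() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -gt 1 ]
}

# patch_json <priority>: merge-patch body that touches only the one key.
# ConfigMap values are strings, hence the quoted number.
patch_json() {
  printf '{"data":{"bpf-filter-priority":"%s"}}' "$1"
}

# current_priority: print the value currently stored (empty when unset).
current_priority() {
  kubectl -n "$CILIUM_NS" get configmap cilium-config \
    -o jsonpath='{.data.bpf-filter-priority}'
}

# set_priority <priority>: validate, patch the ConfigMap, and recreate the
# cilium-agent pods so that they pick the setting up.
set_priority() {
  priority_ok "$1" || { echo "priority must be an integer greater than 1" >&2; return 1; }
  kubectl -n "$CILIUM_NS" patch configmap cilium-config --type merge -p "$(patch_json "$1")"
  kubectl -n "$CILIUM_NS" rollout restart daemonset/cilium
  kubectl -n "$CILIUM_NS" rollout status daemonset/cilium --timeout=5m
}

if [ "${1:-}" = "--run" ]; then
  echo "current bpf-filter-priority: '$(current_priority)'"
  set_priority "${2:-5}"   # 5 is the value the page recommends
fi
```

Invoke as `sh cilium-priority.sh --run` (or `--run 7` for another value above 1). Check `current_priority` first on clusters managed by a GitOps tool or by the Cilium operator, since those may overwrite a hand-patched ConfigMap; in that case the same key belongs in the Cilium Helm values instead.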
- To access Kubernetes, Kaspersky Container Security uses the dynamic admission controller functionality provided by Kubernetes. The security of your cluster can be hardened by configuring authorization between the Kubernetes API server and kube-agent, which runs the solution's dynamic admission controller. Authorization must be configured in accordance with the Kubernetes instructions.
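The Kubernetes procedure referred to above has the API server present client credentials when it calls an admission webhook: an AdmissionConfiguration file passed via --admission-control-config-file points to a kubeconfig whose user entry is keyed by the webhook's in-cluster DNS name. The script below generates both files and is an added example, not Kaspersky's own procedure or a file shipped with the solution; the Service name kube-agent, the namespace kcs, and the certificate paths are placeholders, and the API server reads the paths from its own filesystem.

```shell
#!/bin/sh
# Added example (not from the Kaspersky documentation): generate the two
# files Kubernetes uses to authenticate the API server to an admission
# webhook. Assumed placeholders: Service "kube-agent" in namespace "kcs",
# certificate/key paths under /etc/kubernetes/pki.

# admission_config <kubeconfig-path>: AdmissionConfiguration referenced by the
# kube-apiserver flag --admission-control-config-file. Both webhook admission
# plugins are pointed at the same kubeconfig.
admission_config() {
  cat <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: ValidatingAdmissionWebhook
  configuration:
    apiVersion: apiserver.config.k8s.io/v1
    kind: WebhookAdmissionConfiguration
    kubeConfigFile: "$1"
- name: MutatingAdmissionWebhook
  configuration:
    apiVersion: apiserver.config.k8s.io/v1
    kind: WebhookAdmissionConfiguration
    kubeConfigFile: "$1"
EOF
}

# webhook_kubeconfig <service> <namespace> <cert> <key>: kubeconfig whose user
# entry is named after the webhook's DNS name <service>.<namespace>.svc; the
# API server selects the entry by matching that name against the webhook's
# clientConfig.service.
webhook_kubeconfig() {
  cat <<EOF
apiVersion: v1
kind: Config
users:
- name: '$1.$2.svc'
  user:
    client-certificate: $3
    client-key: $4
EOF
}

# write_files <dir>: materialise both files with restrictive permissions,
# since the kubeconfig names a private key.
write_files() {
  dir="$1"
  umask 077
  webhook_kubeconfig kube-agent kcs \
    /etc/kubernetes/pki/webhook-client.crt \
    /etc/kubernetes/pki/webhook-client.key > "$dir/webhook.kubeconfig"
  admission_config "$dir/webhook.kubeconfig" > "$dir/admission.yaml"
}

if [ "${1:-}" = "--run" ]; then
  write_files "${2:-/etc/kubernetes}"
fi
```

With both files in place, add `--admission-control-config-file=/etc/kubernetes/admission.yaml` to the kube-apiserver manifest and mount the directory into the static pod. The credentials are only useful if the webhook side requires and verifies the client certificate; configure kube-agent's TLS accordingly, following the solution's own documentation.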