[Topic 263612]

Kaspersky Container Security 2.0 Help

Page top

[Topic 292907]

About the Kaspersky Container Security platform

Kaspersky Container Security (hereinafter referred to as the solution) allows you to discover security problems and provides protection throughout the lifecycle of container applications, from development and deployment control to runtime.

Solution functionality:

• Integration with image registries (for example, Docker Hub, JFrog Artifactory, Sonatype Nexus Repository OSS, GitLab Registry, Harbor) to scan images in the registry for known vulnerabilities published by the NVD and the Data Security Threats Database (FSTEC), secrets (passwords, access keys, tokens), misconfigurations, and malware.
• Integration into the
  CI/CD

  Continuous Integration/Continuous Delivery is the combination of continuous software integration and continuous delivery in the development process.

  Continuous Integration/Continuous Delivery is the combination of continuous software integration and continuous delivery in the development process.

  process as a pipeline stage, as well as scanning
  IaC

  Infrastructure as a Code is an approach to managing and describing infrastructure through configuration files instead of manually editing server configurations.

  Infrastructure as a Code is an approach to managing and describing infrastructure through configuration files instead of manually editing server configurations.

  for misconfigurations and container images for vulnerabilities, malware, and sensitive data (secrets).
• Checking of cluster nodes for compliance with information security benchmarks.
• Monitoring compliance with the configured security policies while building and running the applications, including container startup control in the runtime.
• Monitoring of resources used by the controlled clusters.

You can configure and access the functionalities of Kaspersky Container Security through the Management Console. The console is implemented as a web interface which can be accessed through the Chromium (Google Chrome, Microsoft Edge, Apple Safari) or Mozilla Firefox browsers.

[Topic 290867]

What's new

Kaspersky Container Security 2.0 offers the following new features and improvements:

• Centralized investigation of vulnerabilities in CI/CD artifacts, image registries, and runtime.
• Enhanced capabilities of logging container events associated with network traffic (inbound and outbound), file operations, launched processes and File Threat Protection.
• Uninterrupted monitoring of infrastructures containing up to several thousand nodes.
• Integration with HashiCorp Vault external secret storage:
  • Reading of secrets created in advance for the Kaspersky Container Security components
  • Use of Vault PKI to create TLS certificates for cross-service interaction
• Integration with security information and event management (SIEM) software:
  • Configuration of integration with several products in UI
  • Specification of parameters for sending messages for various events (Administration, Alert, CI/CD, Policies, Resources, Scanners, Admission controller, API)
  • Specification of parameters for sending messages for container events associated with network traffic (inbound and outbound), file operations and launched processes
• Generation of reports in the .JSON and .XML formats.
• Scanning the infrastructure for compliance with cluster security benchmarks.
• Generation of cluster benchmarks summary report.
• Improved integration with LDAP (Bind DN scheme).
• Container Runtime Profile generation based on container performance analysis (autoprofiling).
• Improvement of OpenAPI:
  • Getting data on Core Health Check
  • Management of scanner policies, assurance policies, response policies and runtime policies
  • Runtime profiles management
  • Getting system event log
  • Getting container event log
  • Risk management
  • Autoprofiling tasks management
  • Getting information about integration with image signature validators
• Support for integration with the following external image registries:
  • Amazon Elastic Container Registry
  • Red Hat Quay
• Scanning of OCI directory in CI/CD processes.

[Topic 292932]

Distribution kit

For information about purchasing the application, please visit https://www.kaspersky.com or contact our partners.

The distribution kit includes a Helm Chart package with the containerized resources necessary for deploying and installing Kaspersky Container Security components. The containerized components from the distribution kit are listed in the table below.

Containerized components from the Kaspersky Container Security distribution kit

The Helm package also includes a values.yaml configuration file that contains the values of settings for installing and updating the solution.

After downloading and saving the Helm package in a selected directory, the orchestrator downloads the images from the source specified in the Helm package directly to the orchestration platform nodes.

The information required to activate the application is sent to you by email.

[Topic 287165]

Hardware and software requirements

To install and operate Kaspersky Container Security, the following infrastructure requirements must be met:

• One of the following orchestration platforms:
  • Kubernetes 1.21 or later
  • OpenShift 4.8, 4.11, or later
  • DeckHouse 1.52 or 1.53 (CNI: Flannel)
  • DropApp 2.1
• Availability of a CI system to scan container images within the development process (for example, GitLab CI).
• Installed package manager Helm 3.10.0 or later.

To implement runtime monitoring with container runtime profiles, orchestrator nodes must meet the following requirements:

• Linux kernel 4.18 or later.

  Some mechanisms to manage process privileges at the level of the Linux kernel are used with Linux kernel version 5.8 or later. If the Linux kernel version is prior to 5.8, when installing Kaspersky Container Security, you must disable the list of these process privilege management mechanisms for the kcs-ih component and set it to privileged mode.
  Example of setting privileged mode

  default:
kcs-ih:
privileged: true

• Container runtimes (CRI): containerd, CRI-O.
• Container Network Interface (CNI) plug-ins: Flannel, Calico, Cilium.

Architecture requirements:

Kaspersky Container Security supports the x86 architecture.

Minimum supported versions of Linux distributions and Linux kernels for implementing runtime monitoring using container runtime profiles:

• CentOS 8.2.2004 or later + kernel 4.18.0-193 or later.
• Ubuntu 18.04.2 or later + kernel 4.18.0 or later
• Debian 10 or later + kernel 4.19.0 or later
• Astra Linux SE 1.7. * + Kernel 6.1.50-1-generic.

  If Astra Linux OS is used, kernel configuration must have the CONFIG_DEBUG_INFO_BTF=y option.

• RHEL 9.4 or later + kernel 5.14 or later
• Red Hat Enterprise Linux CoreOS 416.94.202408200132-0 + kernel 5.14.0-427.33.1.el9_4.x86_64
• Sber Linux 8.9, 9.3 + kernel 5.14 (CNI: CRI-O, Calico, Cilium)

When using Cilium 1.16, you must set enableTCX to false.

If your infrastructure contains host servers running other Linux distributions, we recommend contacting Technical Support. Technical Support will check the compatibility of the solution with your distributions. If such compatibility is not available, the distributions may be supported by future versions of Kaspersky Container Security.

Kaspersky Container Security ensures correct operation when used in an Istio service mesh infrastructure.

The solution supports integration with Hashicorp Vault 1.7 or later.

When using external database management systems, Kaspersky Container Security supports the following DBMS:

• PostgreSQL 11.*, 13.*, 14.*, 15.*
• Pangolin 6.2.0

Kaspersky Container Security supports integration with the following image registries:

• GitLab 14.2 or later
• Docker Hub V2 API
• JFrog Artifactory 7.55 or later
• Sonatype Nexus Repository OSS 3.43 or later
• Harbor 2.х
• Yandex Registry (integration using the Yandex Container Registry API)
• Docker Registry (integration using the Docker V2 API)
• Red Hat Quay 3.x

Kaspersky Container Security supports both IPv4 and IPv6 networks.

Image requirements (OS, version, scanned packages):

• AlmaLinux, versions 8, 9. Packages installed via dnf/yum/rpm are scanned.
• Alpine Linux, versions 2.2 - 2.7, 3.0 - 3.20, Edge. Packages installed via apk are scanned.
• Amazon Linux, versions 1, 2, 2023. Packages installed via dnf/yum/rpm are scanned.
• Astra Linux SE, versions 1.6.x, 1.7.x. Packages installed via apt/dpkg are scanned.
• CBL-Mariner, versions 1.0, 2.0. Packages installed via dnf/yum/rpm are scanned.
• CentOS, versions 6, 7, 8. Packages installed via dnf/yum/rpm are scanned.
• Chainguard, all versions. Packages installed via apk are scanned.
• Debian GNU/Linux, versions 7, 8, 9, 10, 11, 12. Packages installed via apt/dpkg are scanned.
• openSUSE Leap, versions 42, 15. Packages installed via zypper/rpm are scanned.
• openSUSE Tumbleweed, all versions. Packages installed via zypper/rpm are scanned.
• Oracle Linux, versions 5, 6, 7, 8. Packages installed via dnf/yum/rpm are scanned.
• Photon OS, versions 1.0, 2.0, 3.0, 4.0. Packages installed via tdnf/yum/rpm are scanned.
• Red Hat Enterprise Linux, versions 6, 7, 8. Packages installed via dnf/yum/rpm are scanned.
• RedOS, versions 7.1, 7.2, 7.3.x, 8.0. Packages installed via dnf/yum/rpm are scanned.
• Rocky Linux, versions 8, 9. Packages installed via dnf/yum/rpm are scanned.
• SUSE Enterprise Linux, versions 11, 12, 15. Packages installed via zypper/rpm are being scanned.
• SUSE Linux Enterprise Micro, versions 5, 6. Packages installed via zypper/rpm are scanned.
• Ubuntu, all versions supported by Canonical. Packages installed via apt/dpkg are scanned.
• Wolfi Linux, all versions. Packages installed via apk are scanned.
• OS with the Conda command line tool installed. Packages installed via conda are scanned.

When configuring Kaspersky Container Security in a cluster with three worker nodes, three scanner pods (kcs-ih) and a maximum image scan size of 10 GB, the cluster working node must meet the following requirements:

• At least 10 processor cores
• At least 18 GB of RAM
• 40 GB of free disk space
• At least 1 Gbps of communication channel bandwidth between cluster components

To run agents in a cluster, each worker node must be provided with the following additional computing resources:

• 2 processor cores
• 3 GB of RAM
• 15 GB of free disk space

You must allocate free disk space for ClickHouse DBMS taking into account the number of monitored nodes. Each node requires 1 GB of free disk space for ClickHouse Persistent Volume.

The above requirements apply to Kaspersky Container Security deployment only; they do not take into account other loads on the client's resources.

Kaspersky Container Security user workstation requirements:

• Permanent Internet connection when deployed in a public corporate network.
• Access to the Management Console page of Kaspersky Container Security (address within customer's corporate network, specified during installation).
• Communication channels with at least 10 Mbit/s bandwidth.
• One of the following browsers:
  • Google Chrome version 73 or later.
  • Microsoft Edge version 79 or later.
  • Mozilla Firefox version 63 or later.
  • Apple Safari version 12.1 or later.
  • Opera version 60 or later.

Page top

[Topic 287063]

Scaling

To achieve and maintain optimal performance when scanning the incoming volume of Kaspersky Container Security images, you must take into account the number of scanning pods and cluster nodes supported by the solution.

[Topic 287064]

Scaling the number of scanning pods

Kaspersky Container Security supports scaling for the number of scanning pods to ensure that the incoming image volume can be scanned. You can scale the number of scanning pods up or down at any time while the solution is operating.

When a scanning pod is added, the system resources increase as follows:

• The number of node processors—by 2.
• The amount of RAM on the nodes—by 4 GB.
• The amount of free disk space on a node hard drive—by 15 GB.

To scan images larger than 10 GB, the kcs-ih service resources must be increased as follows per scanning pod and for each additional GB.

• The amount of RAM on the nodes—by 300 MB.
• The amount of free disk space on a node hard drive—by 1 GB.

If the images are not scanned for configuration file errors during standard operation mode, it is not necessary to increase the RAM of the scanning pods.

To process the results of scanning many large objects faster, you can allocate more resources to the job handler service by updating variables in the Helm package.

To add more scan job handling resources:

1. Open the Helm package and specify the required number of handlers for the kcs-middleware parameter in the scanWorkers variable in the default section.
2. In the requests and limits variables, specify the size of RAM as determined according to the following formula:

   memory = X * scanWorkers / 2, where

   memory is the size of RAM allocated to the image handler service.

   X is the original value of the variable that denotes the size of RAM.

   scanWorkers is the number of handlers specified in step 1.

   The result of scanWorkers/2 can't be zero.

3. In the requests and limits variables, specify the CPU resources as calculated according to the following formula:

   cpu = X*scanWorkers, where

   cpu is the CPU resources allocated to the image handler service.

   X is the original value of the variable that denotes the CPU resources.

   scanWorkers is the number of handlers specified in step 1.

Example of adding more scan job handling resources

[Topic 265976]

System packages of base images

The following operating system images are used as base images by Kaspersky Container Security:

• Alpine 3.18.4.
• Ubuntu 23.10.
• Oracle Linux 9.2.

Package management systems ("package managers") are used to manage the installation, removal, configuration, and updating of various software components. Kaspersky Container Security uses the following package managers for its base operating systems:

• For Alpine, apk.
• For Ubuntu, apt.
• For Oracle Linux, rpm.

To get information about installed system packages,

use the standard orchestrator tools for accessing a running container and (depending on the package manager used) enter the following bash command:

• For apk:

  apk -q list | grep "installed".

• For apt:

  apt list --installed.

• For rpm:

  yum list installed.

Page top

[Topic 283462]

Scanned application software packages

Kaspersky Container Security supports the following scanned application software packages in the specified programming languages:

• Ruby:
  • gemspec (image is scanned).
  • Gemfile.lock (repository in CI/CD is scanned).
• Python:
  • egg package, wheel package, conda package (image is scanned).
  • Pipfile.lock, poetry.lock, requirements.txt (repository in CI/CD is scanned).
• PHP:
  • installed.json (image is scanned).
  • composer.lock (repository in CI/CD is scanned).
• Node.js:
  • package.json (image is scanned).
  • package-lock.json, yarn.lock, pnpm-lock.yaml (repository in CI/CD is scanned).
• .NET: packages.lock.json, packages.config, .deps.json, Packages.props (image and repository in CI/CD are scanned).
• Java:
  • * .jar, * .war, * .par and * .ear (image is scanned).
  • pom.xml, * gradle.lockfile, * .sbt.lock (repository in CI/CD is scanned).
• Go:
  • Binary files (image is scanned).
  • go.mod (repository in CI/CD is scanned).
• Rust:
  • Binaries checked by Cargo (image is scanned).
  • Cargo.lock (image and repository in CI/CD are scanned).
• C/C++: conan.lock (repository in CI/CD is scanned).
• Elixir: mix.lock (repository in CI/CD is scanned).
• Dart: pubspec.lock (repository in CI/CD is scanned).
• Swift: Podfile.lock, Package.resolved (repository in CI/CD is scanned).
• Julia: Manifest.toml (image and repository in CI/CD are scanned).

Page top

[Topic 292949]

Solution architecture

Kaspersky Container Security components are deployed based on the images included in the distribution kit. The table below shows which images correspond to which solution components.

Kaspersky Container Security components

The solution includes the following main components:

• Kaspersky Container Security Middleware
• Kaspersky Container Security Agents
• Kaspersky Container Security Scanner

  

  Overall architecture scheme of Kaspersky Container Security

Kaspersky Container Security can be deployed in a public or private corporate network.

[Topic 274610]

Middleware

The Kaspersky Container Security middleware has the following functions:

• Provides an interface for interactive management of the solution (Management Console).
• Ensures integration with external software components (SIEM, CI, image registries, LDAP, Telegram, email) and the receipt of information from them.
• Coordinates the operation of other solution components.
• Ensures the creation and management of security policies.
• Displays the results of solution operations.

Page top

[Topic 254415]

Scanner

Scanner is a Kaspersky Container Security software component that scans objects in real time to assess their security and detect known vulnerabilities, malware, signs of sensitive data, and misconfigurations. The scanner lets you conduct security checks based on active security policies.

Kaspersky Container Security employs the following types of scanners:

• Vulnerability scanner based on the Common Vulnerabilities and Exposures (CVE) database
• File threat scanner within the File Threat Protection component
• Configuration file scanner
• Sensitive data (secrets) scanner

[Topic 271778]

About object scanning

Kaspersky Container Security checks objects deployed in the solution during the scanning process. The scanning process searches for and analyzes threats and security risks associated with objects in the solution. Object scans must be performed regularly to keep track of emerging security threats.

When scanning, Kaspersky Container Security identifies the following security threats:

• Vulnerabilities
• Malware.
• Misconfigurations
• Sensitive data
• Non-compliance with security policy requirements

Page top

[Topic 274621]

Scanning process

The scanner receives scan jobs through the image handler. The image handler is a module deployed in the Kaspersky Container Security infrastructure that forwards scan jobs to the scanner and receives the scan results from the scanner.

When scan jobs are forwarded, the current status of the scanner is determined as one of the following:

• Free — the scanner is not processing objects and can accept a job from the image handler application if requested.
• Busy — the scanner is currently processing a scan job. A new job from the image handler application is put in the queue.

The scan job queue includes all forwarded scan jobs and is generated in the following cases:

• An image registry scan is manually started.
• An image registry scan is automatically started.
• A bulk scan of cluster objects is started.

Jobs in the scan queue receive the following statuses:

• Pending — status assigned by default when a job is created.
• In progress — the job is being processed by the image handler.
• Parsing results — the solution processes the job scanning results to display them in the interface.
• Error— scan job failed.
• Finished — the results of the scan job are available.

Scan jobs from the queue are submitted to the image handler in the order of their receipt. A scan job then goes to a scanner with Free status and is scanned for security issues. The scan results are sent back to the image handler. The scan job is considered completed and finished if scanning results are received. If a scan job was performed three or more times but received no results, the scan job is given the Error status.

When scanning many large objects, the solution may be slower to display scan results in the user interface. You may have to wait up to several minutes for the results to appear. During this time, the scan jobs are displayed in the Scanners section with the Parsing results status.

If you want to speed up the processing of scan results, you can allocate more resources to the scan job handler by updating the variables in Helm Chart (for more details, see Scaling).

When an error occurs, the solution displays an error message that consists of a code and a text message (for example, HNDL-004: scan time out).

Error messages are displayed in English. Examples of messages and their meanings are listed in the table below.

Examples of possible error messages when running scan jobs

After scanning, the solution displays the scan results. If security threats are detected in an object, Kaspersky Container Security prompts you to perform one of the following actions:

• Delete the security threat.
• Accept the risk.

Page top

[Topic 273082]

Standard deployment schemes

Kaspersky Container Security supports the following deployment scenarios:

• Deployment in a public corporate network (Internet access from the Kubernetes cluster is allowed):
  • Images from which the Kaspersky Container Security components are deployed are located in a public repository.
  • After installation, the solution components refer to the vulnerability databases on the Internet.
  • Databases are updated using the Kaspersky update server, available on the Internet.

  A private corporate network with access to servers in the allowed servers list may be considered a public corporate network.

• Deployment in a private corporate network (Internet access from the Kubernetes cluster is prohibited):
  • An internal repository is used to host the images from which the Kaspersky Container Security components are deployed.
  • Additionally, the component kcs-updates is installed, which is a special image containing the vulnerability databases and security benchmarks that the solution requires.
  • After installation, the solution components refer to the vulnerability databases and security standards located in the special image kcs-updates inside the corporate network.
  • The Update server providing threat database updates is deployed as a separate component in the corporate network.

A private corporate network also allows for deployment with a proxy server.

We do not recommend deploying the solution with a clustered infrastructure configuration in which network interaction between host servers (nodes) is conducted in the public Internet. If this configuration is used, network interaction in the cluster may be exposed to critical network security risks.

[Topic 291328]

Deployment in a public corporate network

When deployed in a public corporate network, Kaspersky Container Security is allowed to access the Internet from a cluster. The solution databases are updated from external databases containing updates for the vulnerabilities and malware databases.

Solution architecture when deployed in a public corporate network

[Topic 291329]

Deployment in a private corporate network

When deployed in a private corporate network, Kaspersky Container Security is prohibited from accessing the Internet from a cluster. The solution databases are updated by updating the images of the scanner that is run from the CI / CD and the image scanner.

Solution architecture when deployed in a private corporate network

[Topic 292927]

Preparing to install the solution

Prior to installing Kaspersky Container Security, you must install all certificates required for the corporate network and configure the proxy servers.

The solution can be deployed in a private or public corporate network.

Before installing Kaspersky Container Security, make sure that you have the following components and accesses:

• Virtual or physical machine with access to the Internet and the cluster.
• Helm package manager for packaging, configuring, and deploying applications and services in clusters.

  Kaspersky Container Security supports Helm 3.10.0 and later.

• Internet access to download Helm Chart packages.
• Orchestrator management tool, for example, kubectl for Kubernetes or oc for Openshift.
• Access to a cluster using the kubeconfig file.

  To install the solution in a private corporate network, configure a repository for container images. This repository accesses the Kaspersky Container Security vendor repository with the credentials provided by the solution vendor.

[Topic 276636]

Solution installation

Kaspersky Container Security components are supplied as images in the Kaspersky Container Security manufacturer registry and deployed as containers.

Installation of the Kaspersky Container Security platform consists of the following steps:

1. Installation of the Basic business logic module and the Scanner components.
2. First launch of the Management Console.
3. Configuration of the agent groups and agent deployment on the controlled cluster nodes.

After installation, you should prepare the solution for operation:

• Configure integration with image registries.
• Configure integration with outputs.
• Configure security policies.
• Add container runtime profiles.
• Configure the File Threat Protection parameters.
• Configure integration with image signature validators.
• Configure integration with CI/CD.
• Configure user accounts, roles, and scopes.
• Configure integration with LDAP server.

[Topic 292077]

Installing the basic business logic module and scanner

Before the solution installation, you must check the data integrity in the prepared Helm Chart package.

To check the data integrity:

1. Download the archive with the prepared Helm Chart package and hash file and go to this directory.
2. Run the command:

   sha256sum -c kcs-2.0.0.tgz.sha

   The data integrity is confirmed if the following message is displayed:

   kcs-2.0.0.tgz: OK

Before starting the installation (including on AWS EKS or Microsoft Azure), pay attention to the storageClass and ingressClass settings in the default and ingress.kcs blocks of the configuration file. These settings are cluster relevant and, if necessary, are to be changed according to your infrastructure. For example, the following variant is used for Azure:

default:
  storageClass: azurefile
  networkPolicies:
    ingressControllerNamespaces:
      - app-routing-system

ingress:
  kcs:
    ingressClass: webapprouting.kubernetes.azure.com

To install the basic business logic module and the scanner of Kaspersky Container Security,

After preparing the configuration file, run the solution installation:

cd kcs/

helm upgrade --install kcs . \

--create-namespace \

--namespace kcs \

--values values.yaml \

--set default.domain="example.com" \

--set default.networkPolicies.ingressControllerNamespaces="{ingress-nginx}" \

--set secret.infracreds.envs.POSTGRES_USER="user" \

--set-string secret.infracreds.envs.POSTGRES_PASSWORD="pass" \

--set secret.infracreds.envs.MINIO_ROOT_USER="user" \

--set-string secret.infracreds.envs.MINIO_ROOT_PASSWORD="password" \

--set-string secret.infracreds.envs.CLICKHOUSE_ADMIN_PASSWORD="pass" \

--set secret.infracreds.envs.MCHD_USER="user" \

--set-string secret.infracreds.envs.MCHD_PASS="pass" \

--set pullSecret.kcs-pullsecret.username="user" \

--set-string pullSecret.kcs-pullsecret.password="pass"

After installation, the solution components are deployed.

Also, when installing the Kaspersky Container Security Middleware module and scanner, you can configure the secure transfer of passwords, tokens, and secrets. This is achieved using a HashiCorp Vault storage, which you can configure in the values.yaml file and deploy when the Helm Chart package is started.

After installation is complete, a record about the execution of the solution installation command remains in the command shell. You can open the command history file and delete this record, or prevent the command history from being logged in the command shell before installation.

The control panel will be available at the address specified in the envs subsection of the environment variables section. This allows you to create the ConfigMap object for the API_URL parameter:

http://${DOMAIN}

[Topic 250380]

First launch of the Management console

To start the Kaspersky Container Security Management Console:

1. In your browser, navigate to the address specified for the Management Console during the Server installation.

   The authorization page opens.

2. Enter your user name and password and click the Login button.

   During the installation of the solution, the user name and password have the same value assigned—admin. You can change the user name and password after launching the Management Console.

   After 3 unsuccessful password entry attempts, the user is temporarily blocked. The default block duration is 1 minute.

3. Following the request, change the current password for the user account: enter a new password, confirm it, and click the Change button.

   Passwords have the following requirements:

   • The password must contain numerals, special characters, and uppercase and lowercase letters.
   • The minimum password length is 6 characters, and the maximum password length is 72 characters.

The main page of the Management Console opens.

By default, the logged-in user session in the Management Console is 9 hours. In the Settings → Authentication section, you can set your own session duration from the minimum of 1 hour to the maximum of 168 hours. After this time expires, the session ends.

You can change the connection settings in the Settings → Authentication section.

[Topic 255780]

Viewing and accepting the End User License Agreement

When you launch the Management Console in a browser for the first time, Kaspersky Container Security prompts you to read the End User License Agreement between you and Kaspersky. To continue working with the solution, confirm that you have fully read and accept the terms of the End User License Agreement for Kaspersky Container Security.

To confirm acceptance of the terms of the End User License Agreement,

at the bottom of the End User License Agreement window, click the Accept button.

The authorization page opens for launching the Management Console.

After installing a new version of the solution, accept the End User License Agreement again.

[Topic 266166]

Checking solution functionality

After installing Kaspersky Container Security and starting the administration console, you can make sure that the solution is detecting security problems and protecting containerized objects.

To check the functionality of Kaspersky Container Security:

1. Activate the solution using an activation code or key file.
2. Configure integration with image registries. Integration with a single registry is sufficient to check the functionality.
3. If necessary, configure the settings of the scanner policy that is created by default after installation of the solution.
4. Add an image for scanning and make sure that the scan task is sent for processing.
5. After the scan is complete, go to the page with detailed information about the image scan results.

Scanning an image and receiving valid results confirms that Kaspersky Container Security is operating correctly. After this, you can further configure the solution settings.

Page top

[Topic 283087]

Viewing and editing agent groups

The table under Components → Agents displays the created and deployed agent groups. The following information is provided for each of these groups:

• Agent group name
• Number of connected agents in the group
• Orchestrator
• Enabled node monitoring activities
• Linked SIEM

You can filter agent groups by connection status (All, Connected, Disconnected, Pending) using the buttons above the table.

By clicking on the deployment icon (), you can expand each agent group in the table to view the following agent details:

• The name of the agent and its connection status.
• Version of the node where the agent is deployed (primary or worker)
• The name of the pod with which the agent is associated.
• Node monitoring actions (Container processes, Network connections, File Threat Protection, and File operations).
• SIEM status
• Date and time when the agent last connected

By clicking the agent name link, you can expand the sidebar to view agent status information.

To edit the agent group settings:

1. Under Components → Agents, in the table with the list of agent groups, click the link in the agent group name.
2. In the window that opens, edit the group settings.
3. Click Save.

Page top

[Topic 293087]

Configuring a proxy server

In version 2.0, Kaspersky Container Security can proxy requests from private corporate networks to the external environment. The settings for connection through a proxy server are configured using the following environment variables in the Helm Chart package, which is included in the solution distribution kit:

• HTTP_PROXY – proxy server for HTTP requests.
• HTTPS_PROXY – proxy server for HTTPS requests.
• NO_PROXY – a variable that specifies domains or domain masks to be excluded from proxying.

  If HTTP_PROXY or HTTPS_PROXY is used, the NO_PROXY variable is automatically generated in the Helm Chart package, and all the components used by Kaspersky Container Security are indicated in this variable.

  You can change the NO_PROXY variable if you need to specify domains and masks for operation of Kaspersky Container Security in order to exclude them from proxying.

• SCANNER_PROXY – a specialized variable that specifies which proxy server receives requests from the scanner of the File Threat Protection component. These requests are used by Kaspersky servers to update databases.
• LICENSE_PROXY – a specialized variable that specifies the proxy server through which kcs-licenses module sends requests to Kaspersky servers to check and update information about the current license.

Depending on the domain name masks supported by your proxy server, you must use the following masks to specify Kaspersky servers in lists of permitted proxy servers: *.kaspersky.com or .kaspersky.com , *.kaspersky-labs.com or .kaspersky-labs.com. To access these proxy servers, port 80 must be opened.

You can specify the port in the proxy server parameters using IP address or FQDN.

Special characters must be escaped.

The table below lists the Kaspersky Container Security components that can use environment variables, and also indicates the purpose of these environment variables.

Environment variables used by Kaspersky Container Security components

You can configure the operation of agents using a proxy server, and the proxy server will pass requests to the Kaspersky Container Security installation address.

To configure the operation of agents using a proxy server:

1. Under Components → Agents, in the table with the list of agent groups, click the link in the agent group name.
2. In the window that opens, go to the Node monitoring tab and do the following:
   • Ensure that the File Threat Protection component is enabled by using the Disable/Enable toggle switch.
   • In the File Threat Protection section, specify the proxy server in Anti-malware database update proxy.
   • Click Save.
3. Click the Deployment data tab.
4. Copy or download the updated agent deployment instruction in a .YAML file again, and then apply it by using the kubectl apply -f <file> -n <namespace> command.
5. Configure the HTTP_PROXY, HTTPS_PROXY, or NO_PROXY environment variables in the Deployment and DaemonSet objects of the agents.

Page top

[Topic 276671]

Removing the solution

To uninstall the basic business logic module of Kaspersky Container Security, do one of the following:

• On a workstation with the Helm package manager installed, access to the target cluster and the namespace with Kaspersky Container Security installed, run the following command:

  helm uninstall kcs-release

  The Helm package manager does not delete PVC objects, PV objects or secrets. You should delete these manually using the following commands:

  kubectl delete pvc <PVC name>

  kubectl delete secret <secret name>

  kubectl delete pv <PV name>

• If Kaspersky Container Security is installed in a separate namespace, run the following command:

  kubectl delete ns <namespace>

To delete a Kaspersky Container Security agent:

Run the following command on the cluster node with the agent deployed:

kubectl delete -f <file> -n kcs

where <file> is the name of the YAML configuration file used to deploy the agent.

If you delete all agents on the nodes of a cluster, we recommend that you remove the group that included these agents.

To delete a group of agents:

1. In the main menu of Kaspersky Container Security, go to the Components → Agents section.
2. In the line containing the name of the agents group that you want to delete, click the delete icon ().
3. In the window that opens, confirm the action.

[Topic 292946]

Updating the solution

You can upgrade Kaspersky Container Security 1.2.x to version 2.0.

Updating the solution does not result in data loss.

Before you start updating the solution, you need to do the following:

• Delete the StatefulSet object for ClickHouse:

  kubectl delete statefulset/kcs-clickHouse -n kcs

• Delete the PVC object for ClickHouse:

  kubectl delete pvc/pvc-clickhouse-kcs-clickhouse-0 -n kcs

• If your version of the solution uses the kcs-nats component, and it is managed by the StatefulSet controller, you must remove the PVCs of this controller from the cluster:

  kubectl delete pvc/pvc-nats-js-kcs-nats-0 -n kcs

In all the commands listed above, you must replace -n kcs with the name of your namespace.

The rest of the update process is identical to the solution installation process.

The duration of the update depends on the volume of available databases and can take up to several hours. We recommend updating Kaspersky Container Security outside of active hours.

You can find information about the latest versions of the application on the Kaspersky website at https://www.kaspersky.com or contact our partners.

[Topic 250383]

Solution interface

The Management Console is implemented through the web interface and consists of the following elements:

• Main menu — sections and subsections of the main menu give access to the key functionalities of the solution.
• Work pane — information and controls in the work pane depend on the section or subsection that you select in the main menu.

[Topic 255368]

Dashboard

On the main Kaspersky Container Security page, you can configure the dashboard to receive up-to-date analytical data on objects that are processed by the solution. This configuration is performed using filters that let you sort information by object and period.

Analytical data is displayed using widgets or specialized tools that show analytic information.

The Kaspersky Container Security dashboard opens when logging in to an account or when clicking the area containing the logo and name of the solution above the main menu.

[Topic 255372]

Applying filters

Kaspersky Container Security provides the capability to configure the dashboard using the following filters:

• Filter by period:
  • For the entire period
  • For the year
  • For the quarter
  • For the month
  • For the week
  • For the past 24 hours
  • For a customized period

  For any period you select, the time count begins from the current day. By default, information is displayed for the week.

• Filter by resource:
  • All images
  • All images outside of clusters
  • All images in clusters
  • Images of a specific cluster
  • CI/CD images

  By default, information is displayed for all images.

[Topic 267266]

User profile

To go to the user profile page:

1. In the main menu, click on the block with the current user name.
2. Select My Profile.

On the My Profile page, Kaspersky Container Security displays key information about the active user account. This information is divided into the following sections:

• General information—shows the user's name and their displayed user name, a contact email address, and a list of the roles assigned to the user.

  In this section, you can also change the password to enter the Management Console by clicking the Change password button.

• API token—information about the token for connecting to and accessing the solution using API. The value of the valid API token is hidden by a mask and can be viewed by clicking the unmask icon () located to the right of the token. You can hide the token value with a mask by clicking the mask icon ().

  In this section, you can also copy the value of the active token by using the Copy button. If necessary, you can also generate a new API token by clicking the Reissue token button.

• Permissions - all rights and permissions assigned to the user are displayed.

Page top

[Topic 263603]

Specific ways to set up data display

Kaspersky Container Security interface provides the following ways to set up data displaying:

• Filtering: The filter fields are located above the data tables. Filter fields and ways to manage the filter depend on the specifics of the data to be displayed.

  In some sections, you must click the filter icon to open the filter fields ().

• Sorting in ascending or descending order. In some sections, you can sort the list of data by the selected column by using the sort icon () in the column header.
• Search: You can search the displayed data by using the Search field, located above the table and designated by the search icon ().
• Menu. In some tables, you can perform actions on the objects using the menu commands in the table rows. To open the menu for the selected object, click the menu icon () in the object row.
• Select. In some tables, you can select items by clicking the check box (). To unselect a check box, click the checkbox again.
• Delete. You can delete objects in the solution by using the delete icon () or the Delete link that appears when selecting objects.
• Expand or collapse lists. In some tables, you can click the expand icon () to expand an object row and view its contents. To collapse table elements, click the collapse icon ().

[Topic 250749]

Licensing the solution

This section provides information about the general terms related to the licensing of Kaspersky Container Security.

[Topic 251945]

About the End User License Agreement

The End User License Agreement is a binding agreement between you and AO Kaspersky Lab stipulating the terms on which you may use the application.

Please carefully read the terms of the End User License Agreement before you start using the application.

You can read the terms of the End User License Agreement during the Kaspersky Container Security installation.

By confirming that you agree with the text of the End User License Agreement during installation of the application, you signify your acceptance of the terms of the End User License Agreement. If you do not accept the terms of the End User License Agreement, you must cancel installation of the application and must not use the application.

Updates functionality (including providing anti-virus signature updates and codebase updates) might not be available in the software in the U.S. territory.

[Topic 251954]

About the license

A license is a time-limited right to use Kaspersky Container Security as granted under the End User License Agreement.

A license includes the right to use the application in accordance with the terms of the End User License Agreement, and to receive technical support. The available functionality and application usage period depend on the type of license that was used to activate the application.

Kaspersky Container Security supports the following types of licenses:

• NFR (not for resale) is a free license for a specific period intended to familiarize the user with the application and to conduct test deployments.
• A Commercial license is a paid license that is provided when you purchase the solution.

Solution functionality depends on the type of license held. Kaspersky Container Security supports the following licenses:

• Standard license — allows for integration with image registries and platforms, security threat detection scans, risk assessment, and monitoring of object status.
• Enterprise license — in addition to the functionality of the standard license, this license also provides access to components used for the monitoring, control, and analysis of objects, misconfiguration detection and security threat protection.

When the license expires, the application continues to work but with limited functionality. For full Kaspersky Container Security functionality, you must purchase a commercial license or renew your commercial license.

[Topic 251955]

About the license certificate

A license certificate is a document that you receive together with a key file or activation code.

The license certificate contains the following license information:

• License number or order number
• Information about the user who is granted the license
• Information about the application that can be activated under the provided license
• Restrictions on the number of licensing units (for example, devices on which the application can be used under the provided license)
• Start date of the license term
• License expiration date or license term
• License type

[Topic 251956]

About the license key

A license key is a sequence of bits that you can use to activate and then use the application in accordance with the terms of the End User License Agreement. The license key is generated by Kaspersky experts.

You can add a license key to the application by either applying a key file or entering an activation code.

Kaspersky can block a license key over violations of the End User License Agreement. If the license key has been blocked, you have to add a different license key to continue using the application.

[Topic 251958]

About the key file

A key file is a file with the KEY extension that you receive from Kaspersky. The purpose of a key file is to add a license key that activates the application.

You receive a key file at the email address that you provided when you purchased Kaspersky Container Security.

You do not need to connect to Kaspersky activation servers to activate the solution with a key file.

You can restore a key file if it has been accidentally deleted.

To restore a key file, do one of the following:

• Contact the license vendor.
• Get a key file from the Kaspersky website based on an available activation code.

[Topic 251957]

About the activation code

An activation code is a unique sequence of 20 English letters and numbers. You must enter an activation code to add a license key that activates Kaspersky Container Security. Your activation code will be sent to the email address that you provided when you purchased Kaspersky Container Security.

To activate the application with an activation code, Internet access is required to connect to Kaspersky activation servers.

If you lose your activation code after activating the application, please contact the Kaspersky partner that you purchased the license from.

[Topic 253551]

Application activation procedure

Application activation is the process of activating a license that grants the right to use Kaspersky Container Security until expiry.

You can activate the application by using the activation code or key file provided to you when you purchased the solution.

An activation code is used for activation when you install the solution in a public corporate network with Internet access. A key file is used for activation when you install Kaspersky Container Security in a public corporate network or private corporate network without Internet connectivity.

To activate the application with an activation code:

1. In the Settings → Licensing section, click the Add license key button.
2. In the window prompting you to select how you want to add the license key, select Enter activation code.
3. In the Activation code field, enter the activation code and click Add.

The application is activated, and the license info page opens.

To activate the application with a key file:

1. In the Settings → Licensing section, click the Add license key button.
2. In the window prompting you to select how to add the license key, select Upload key file and click the Upload and add button.
3. In the window that opens, select a file with the KEY extension and click Open.

The application is activated, and the license info page opens.

When activating the application, the new activation code or key file will replace the previously entered activation code or key file.

[Topic 253956]

Viewing license information

You can view information about the active license in the Kaspersky Container Security web interface, in the Settings → Licensing section.

The license details page displays the following parameters:

• Licensing information. Kaspersky Container Security displays the following:
  • Name of the Kaspersky partner that you purchased the license from.
  • License term.

    The term begins from the moment you purchase the license, not from the moment you activate the application.

• Customer information. This subsection provides data on the company that purchased the license:
  • Company name
  • Country where the company is located
  • Email address of the customer representative
• Time period remaining until license expiration The solution displays the exact date and time of license expiration.
• Node count is the maximum number of nodes and number of active nodes allowed by the license.
• Image scans per month is the maximum number of image scans and completed scans allowed by the license. A month is considered to be the last 30 days (30 days from the current day).
• Functionality provided by the license. The solution displays a list of the available functionality under the license you purchased.

[Topic 254015]

Renewing the license

When the license is approaching its expiration date, Kaspersky Container Security displays the following notifications:

• Notification that the license is expiring soon, indicating the time remaining until expiration. You receive this notification 30, 14, and 7 days before the license expires.
• Notification that the license is expiring and the solution will switch to limited functionality mode. This notification is sent on the day of license expiration.

In limited functionality mode, the functionality of Kaspersky Container Security is limited as follows:

• No new object scans are performed.
• The web interface does not display the new nodes added to the previously created clusters after the license expired.
• New clusters cannot be added for monitoring purposes.
• Vulnerabilities databases are not updated.

You can renew a license by applying a new activation code or by adding a new key file. To renew a license, contact the Kaspersky partner you purchased the license from.

[Topic 255742]

Removing the license key

To remove the license key:

1. In the Settings → Licensing section, click the Delete license key button.
2. Confirm the removal by clicking the Delete button.

Page top

[Topic 250750]

Data provisioning

This section contains information about the data that Kaspersky Container Security can save on the device and forward to Kaspersky during its operation.

If you use an activation code to activate Kaspersky Container Security, you agree to automatically provide information to Kaspersky as part of the regular license key status confirmation process. To confirm the license key status, Kaspersky Container Security periodically contacts Kaspersky activation servers and forwards the following information to Kaspersky:

• regional activation center identifier;
• title of the license to use the solution;
• checksum type and checksum of the license key;
• date and time when the license key was created;
• date and time when the solution license expires;
• solution license identifier;
• identifier of the information model applied when providing a license to use the solution;
• current license key status;
• license type used to activate the solution;
• unique device identifier;
• family name of the device operating system;
• solution installation identifier (PCID);
• identifier, localization, and full version of the solution;
• solution identifier obtained from the license;
• set of compatible software identifiers;
• solution rebrand identifier;
• list of legal agreements shown to the solution user;
• type and version of the legal agreement accepted by the user while using the solution.

In addition, by using the activation code, you agree to forward the following information to Kaspersky:

• activation code entered by the user to activate the solution;
• date and time on the user device;
• version, build number, update number, and revision of the device operating system;
• flag indicating that the user accepted the terms of the legal agreement while using the solution.

By using the activation code, you agree to automatically forward the data listed above to Kaspersky. If you do not agree to provide this information, use a key file to activate Kaspersky Container Security.

If you use Kaspersky update servers to download updates, you agree to automatically provide the following information:

• Identifier of the Kaspersky Container Security solution obtained from the license;
• full version of the solution;
• solution license identifier;
• type of valid license;
• solution installation identifier (PCID);
• Identifier of the solution update launch;
• processed web address.

Kaspersky can use all the obtained data to generate statistical information about the distribution and use of Kaspersky software.

Any received information is protected in accordance with legally established requirements and applicable Kaspersky regulations. Data is transmitted over encrypted communication channels.

More detailed information about the processing, storage, and destruction of information obtained during the use of the solution and transferred to Kaspersky is provided in the End User License Agreement and the Privacy Policy on the Kaspersky website.

[Topic 294418]

Working with clusters

Kaspersky Container Security provides a tool for displaying and analyzing the connections between various objects within namespaces in clusters.

A cluster is a set of

By using clusters, you can perform bulk scans of images within those clusters. When doing so, the registries found in a cluster during a scan are automatically created. Kaspersky Container Security automatically reads and records the identification data used for accessing registries in a cluster (user name, password, token), and generates a link to this object. Registries are also assigned a name in the following format: <cluster name>_<registry name>. When working with cluster objects, the received identification data is used to access the registries.

Kaspersky Container Security displays a list of available clusters as a table under Resources → Clusters.

[Topic 294424]

View the list of clusters

The Resources → Clusters section displays a table of clusters available in Kaspersky Container Security. The following data is provided for each cluster:

• Cluster name. Clicking the cluster name in the Cluster name column takes you to the page where you can view the namespaces in that cluster
• Number of namespaces included in the cluster
• Name of the orchestrator where the cluster is deployed
• Maximum risk rating. The maximum risk rating assigned to the cluster is based on the risk ratings for the images in that cluster

You can use sorting to rearrange the data in the table as follows:

• By cluster name: you can arrange clusters alphabetically in the Cluster name column in ascending (A to Z) or descending (Z to A) order.
• By number of namespaces - You can sort clusters in descending or ascending order of the number of namespaces in the Namespaces column.
• By orchestrator name: by sorting on the Orchestrator column, you can group clusters by the orchestrator where they are deployed.
• By maximum risk rating: you can arrange clusters in descending or ascending order of the maximum risk rating, displayed in the Max risk rating column.

You can view the namespaces in the cluster and the links between these by clicking View in the View on graph column. Kaspersky Container Security opens the namespace graph for the selected cluster.

Cluster resources can be scanned and visually represented only if deployed agents are available.

Page top

[Topic 294420]

Namespaces in the cluster

To view the namespaces included in the cluster:

1. Go to the Table tab under Resources → Clusters.
2. In the Cluster name column of the table with the list of clusters, click the cluster name.

   Kaspersky Container Security opens a page displaying a table with a list of namespaces in the selected cluster.

The following information is indicated for each namespace in the cluster:

• Namespace name. Clicking the link in the name of the namespace in the Namespace column takes you to the page where you can view the pods in that namespace.
• The number of containers in all pods in the selected namespace.
• Number of scanned images. The Scanned images column displays this information in X/Y format, for example: 1/8. The first value (X) represents the number of images scanned, and the second value (Y) represents the total number of images in the namespace.
• Number of images with the Queued status. The Scans in queue column displays the number of images in the jobs that are queued and waiting to be scanned.
• Number of images with the Error status. The Failed scans column displays the number of images whose scanning completed with an error.
• The maximum risk rating assigned to images in the namespace.

You can use sorting to rearrange the data in the table as follows:

• By namespace name: you can arrange objects alphabetically in the Namespace column in ascending (A to Z) or descending (from Z to A) order.
• In the ascending or descending order of the number of containers in the pods in the selected namespace.
• In the ascending or descending order of the number of images with the Queued status.
• In the ascending or descending order of the number of images with the Error status.
• By maximum risk rating: you can arrange namespaces in descending or ascending order of the maximum risk rating, displayed in the Max risk rating column.

You can view the objects in the namespace by clicking View in the View on graph column. Kaspersky Container Security opens the application graph of the selected namespace.

To view the namespaces in a cluster and the relationships between them,

go to the Graph view tab under Resources → Clusters.

[Topic 294423]

Pods in the cluster

To view a list of pods in a namespace:

1. Under Resources → Clusters, open the table with a list of namespaces in the cluster.
2. In the Namespace column, click namespace name.

   Kaspersky Container Security opens a page that displays a table with a list of pods in the selected cluster.

The following is displayed for each pod in the selected namespace:

• Pod name.
• List of container names associated with the pod
• Name of the image the container was deployed from. By clicking the link in the image name, you can go to the page with the results of this image scanning under Resources → Registries.
• Status of compliance with security policy requirements
• Risk rating. Kaspersky Container Security displays the risk rating for the image specified in the Image column
• Number of security issues (vulnerabilities, malware, sensitive data, and misconfigurations) detected For vulnerabilities, the solution separately lists the number of security issues broken down by severity.
• Date and time of the last object scan

You can use sorting to rearrange the data in the table as follows:

• By pod name, container name, or image name: you can arrange objects in the Pod, Container and Image columns in ascending or descending alphabetical order.
• For compliance or non-compliance with security policies. Kaspersky Container Security can group objects in line with the Compliant and Non-compliant statuses.
• By risk rating: you can arrange objects according to the severity level.
• By date and time: Kaspersky Container Security can display objects starting with the earliest or latest by scan date and time.

Page top

[Topic 271446]

Visualization of cluster resources

Kaspersky Container Security visualizes objects within one or more clusters, as well as the links between objects in a cluster and resources out of cluster or scope. Depending on the level of the cluster resources visualization, it displays the following:

• Namespace graph: represents the cluster and the namespaces in it.
• Application graph of the selected cluster: shows the cluster, its namespaces, and the applications of the expanded namespaces. The application graph can shown in maximum detail by expanding objects to the lowest level.

When working with cluster resource graphs, one must take into account the following specifics of object display:

• The number on the upper right of the object icon shows the number of lower-level objects within the specified object (child objects).
• Objects on the graph may be highlighted in color. The object is identified if it meets the parameters established regarding risk assessment and compliance with security policies.
• Objects on the graph are grouped according to the following rules:
  1. Highlighted objects are grouped together if their number is more than five.
  2. Unhighlighted objects are grouped together if their number is more than two.
• Objects on the graph can be hidden if needed.

A visual representation of cluster resources is generated if active agents exist for this cluster.

[Topic 273534]

Cluster resources on a graph

Kaspersky Container Security scans and displays the resources of the cluster and the links between them. This scan is performed for all clusters with active agents.

Cluster resources are entities or objects that are stored in the orchestrator and used to represent the status of the cluster. With their help, you can get information about running containerized applications, where they are started (nodes), and the resources available to them. Cluster objects also define strategies for managing running applications (for example, restarting or updating).

In the interface of Kaspersky Container Security, the highest-level object (parent object) is the cluster. It includes namespaces in which applications are started. Applications, in turn, include pods and other objects.

A cluster is a set of physical or virtual machines (nodes) that run containerized applications. The following types of nodes are distinguished in Kubernetes:

• A master node implements API objects and is used to manage the cluster and its resources.
• A worker node is used to run the workload. A cluster includes one or more worker nodes.

Kaspersky Container Security displays the cluster as a graph using the cluster icon ().

Depending on the level of detail you want for the cluster resource display, Kaspersky Container Security displays the graph as a graph of namespaces or a graph of applications. The table below shows all objects that may be included in the cluster and are displayed on the graph.

Objects within the cluster

Page top

[Topic 272591]

Namespace graph

To view the namespace graph for the selected cluster,

in the table with the list of clusters, click View.

Kaspersky Container Security displays the cluster with its namespaces.

Kaspersky Container Security can display information about the cluster and namespaces on the namespace graph in the sidebar or in a table. The sidebar provides a brief summary of the object. The table shows a more detailed security scan status for objects in the cluster. The data is partially duplicated between the sidebar and the table.

[Topic 272699]

Viewing details about graph objects in the sidebar

To view cluster information in the sidebar:

1. Click the cluster () or namespace () icon on the namespace graph.
2. In the menu that opens, select Details.

   The details sidebar displays the following object-specific data:

   1. For a cluster:
      • Cluster name.
      • Number of namespaces in the cluster.
      • Cluster orchestration platform.
      • Maximum risk rating assigned to the objects in the cluster.
      • The security policy compliance status is Compliant or Not Compliant.
   2. For a namespace:
      • Namespace name.
      • Number of containers and applications in the namespace.
      • Number of scanned images in the namespace
      • Number of processed and failed scan tasks.
      • Maximum risk rating assigned to the objects in the cluster
      • The security policy compliance status is Compliant or Not Compliant.
      • Number of security issues across all risk types. For vulnerabilities, the number of security issues is specified, broken down by risk severity.

Page top

[Topic 272700]

Viewing details about graph objects in the table

To view information about the objects on a graph in a table:

1. Click one of the following icons in the namespace graph:
   • Cluster ()
   • Namespace group ()
   • Namespace ()
2. In the menu that opens, select Open in table.

   Kaspersky Container Security opens a table with information about the selected object or group of objects at the bottom of the work pane under the graph. Depending on the object, Kaspersky Container Security displays the following container details in the table that opens:

   1. For a cluster or a namespace group:
      • List of namespaces in the cluster.
      • Number of containers in each namespace.
      • Number of scanned images, scan jobs in queue, and failed scan jobs for each namespace.
      • Maximum risk rating assigned to the objects in the cluster
      • The security policy compliance status is Compliant or Not Compliant.
   2. For the selected namespace:
      • List of applications in this namespace and their types.
      • Number of pods and containers in each application.
      • Maximum risk rating assigned to the objects in the namespace.
      • The security policy compliance status is Compliant or Not Compliant.

You can also use the table to configure the way objects are displayed on the graph to hide or show namespaces.

[Topic 294421]

Application graph

To view the application graph for the selected cluster:

1. Go to Resources → Clusters.
2. Do one of the following:
   • On the Table view tab, open the table with the list of namespaces and click View.
   • On the Graph view tab, open the namespace graph and do one of the following:
     • Double-click to expand the namespace to applications.
     • Click the namespace icon () to open a menu and select Expand on graph.

   Kaspersky Container Security displays all applications in the selected namespace.

Each application can be expanded down to the pod level. You can view detailed information about the following objects on the application graph of the selected cluster:

• About applications.
• About objects within the selected application.
• About pods on the graph.

Page top

[Topic 273663]

Viewing information about application

To open information about an application in the application graph,

Click the application icon () to open a menu and select Details.

Kaspersky Container Security opens a side panel with detailed information about the application.

The solution displays the following information about the application:

• The object type and application type (for example, Application: Deployment).
• Application name.
• Maximum risk rating. The solution assigns a risk rating to the application according to the highest severity level of all the objects within that application.
• The security policy compliance status is Compliant or Not Compliant.
• The Containers tab contains the following information about the containers in the selected pod:
  • Name of the container.
  • Name of the image the container was deployed from.
  • The security policy compliance status is Compliant or Not Compliant.
  • Maximum risk rating assigned to containers in the pod.
  • Number of security issues across all risk types. For vulnerabilities, the number of security issues is specified, broken down by risk severity.
  • Date and time of the last scan of the image from which the container was deployed.
• The Policies tab displays information about assurance policies and runtime policies that are applied to the application.

  The following information is provided in the Assurance policies section:

  • Policy application status (Passed/Failed).
  • Policy name.
  • Indication of existing security threats. In terms of the applied policy, the scan results can be displayed as follows:
    • Scan was performed, security threats were identified ().
    • Scan was performed, no security threats were detected ().
    • No scan was performed for this type of security threat ().

  The Runtime policies section contains the following information:

  • Policy name.
  • Policy application mode (Audit/Enforce).

  By clicking the link on the name of a policy in the Policies tab, you can view its detailed description. The sidebar displays the following information:

  • Policy type and name.
  • Description of the policy (if any).
  • Author of the policy.
  • Mode (for runtime policy).
  • List of predefined scopes.
  • Actions that are performed when the policy is applied (for an assurance policy).
  • Set benchmarks and their parameters.

  You can edit the settings of an assurance policy by clicking the Edit policy button.

  To view the detailed description of policies, you must have rights to view them. Policy management rights are required to make changes to policy settings.

Page top

[Topic 273666]

Viewing information about objects in the application

To open information about objects on the applications graph:

1. On the applications graph, select the application about whose objects you want to obtain information and do one of the following:
   • Double-click the application to expand it to its constituent objects.
   • Click the application icon () to open a menu and select Expand on graph.
2. Select the object of interest and double-click to expand its information in the side panel.

   Kaspersky Container Security opens a side panel with detailed information about the selected object.

Depending on the type of the object, additional information about the selected entity is displayed. The table below describes the set of information that the solution displays for various objects in the application.

Information about objects in the application

You can generate and download a file with the description of the object current state in the .YAML format for all objects by using the Download .yaml button.

[Topic 273755]

Viewing information about pod

To open the pod information,

on the graph, select the pod about which you want to receive information, and double-click to expand its information in the side panel.

Kaspersky Container Security displays pods on all types of graphs: namespace graphs and application graphs.

The solution opens a side panel with detailed information about the pod.

Kaspersky Container Security displays the following information about the pod:

• Object type.
• Maximum risk score among pod images.
• The security policy compliance status is Compliant or Not Compliant.
• Pod name.
• The General tab contains the following information about the object:
  • Date and time of creation.
  • Labels.
  • Pod running status.
  • Pod lifetime—the period between the date and time of viewing the pod information and the date and time of its creation.
  • List of ports used by pod containers in the following format: <"port name" port protocol>. For example, "dns" UDP 53.
  • Available system functions of the pod.
  • The name of the PV used by the pod.
  • The name of the PVC used.
  • The name of the application, namespace and cluster within which the pod is located.

  Also in this tab, you can click Download *.yaml to generate and download a file with a description of the pod.

• The Containers tab contains the following information on containers within the pod:
  • Name of the container.
  • Name of the image the container was deployed from.
  • Compliance status of the deployed image: Compliant or Non-compliant.
  • Maximum risk rating of the deployed image.
  • Number of security issues across all risk types. For vulnerabilities, the number of security issues is specified, broken down by risk severity.
  • Date and time of the last scan of the image from which the container was deployed.
  • List of ports used by pod containers in the following format: <"port name" port protocol>.
  • Additional properties of the container—it is an
    init container

    A special container that is started when the pod is initialized before the main containers are started. Init containers prepare the environment for operation (for example, they access secrets or redirect network traffic) and may contain utilities that are not necessary or desirable in the main container.

    .
• The Policies tab displays information about assurance policies and runtime policies applied to the pod. Information about policies applied to the pod is presented in two sections (Assurance policies and Runtime policies), similarly to the information displayed about the applicable policies when viewing information about the application on the graph.

  To view the detailed description of policies, you must have rights to view them. Policy management rights are required to make changes to policy settings.

Page top

[Topic 274980]

Viewing details about application graph objects in the table

To view information about the objects on the application graph as a table:

1. Do one of the following:
   • Click the namespace icon () that indicates the number of applications within the namespace on the graph.
   • Click the icon of the application group within the namespace ().
2. In the menu that opens, select Open in table.

   The solution opens a table with information about applications in the lower part of the workspace below the graph. Kaspersky Container Security displays the following information:

   • The list of applications in this namespace and their types (types of parent objects).
   • Number of pods and containers in each application.
   • Maximum risk rating assigned to the objects in the namespace.
   • The security policy compliance status is Compliant or Not Compliant.

Page top

[Topic 273477]

Highlighting objects on the graph

To highlight objects on the graph:

1. Click the Highlight objects button above the graph.

   Kaspersky Container Security opens a sidebar where you can configure the settings for highlighting objects.

2. Select the check boxes to specify values for the following settings:
   1. Risk rating. You can select one or several risk severity levels (Critical, High, or Medium). If the check boxes are not selected, objects on the graph are not highlighted.

      The check boxes for the Critical and High values are selected by default.

   2. Compliance If the Non-compliant check box is selected, Kaspersky Container Security highlights objects that do not comply with applicable security policies. If this check box is not selected, objects on the graph will not be highlighted, regardless of their compliance or non-compliance with standards.

      Non-compliant is specified by default.

3. Click Apply.

   Kaspersky Container Security updates the graph and displays the objects according to your settings.

   For each user, the solution saves the highlighting settings that the user has specified and applies them when displaying cluster objects that this user opens later.

Page top

[Topic 272713]

Configuring visibility of objects on the graph

By default, Kaspersky Container Security displays all namespaces in the cluster on the graph. If necessary, you can hide namespaces if these namespaces and objects in them are not relevant to you for a specific analytical task.

You can configure graph object visibility:

• On the graph
• In the table with information about the child object

To hide a namespace with the help of the graph:

1. Click the object icon on the graph.
2. In the menu that opens, select Hide.

   Kaspersky Container Security updates the graph and hides the object.

   You can restore object visibility with the help of the table with detailed information about the parent object or group of objects.

To configure namespace visibility with the help of the table:

1. In the table with namespaces as part of the column, select one or more objects for which you want to change the visibility settings.
2. Use the buttons above the table to do one of the following:
   • To display the object on the graph, click Show on graph.
   • To hide the object on the graph, click Hide on graph.

   Kaspersky Container Security updates the graph and displays the objects according to your settings. The Data display column indicates whether the object is shown or hidden on the graph.

Page top

[Topic 294425]

Network connections on the graph

Kaspersky Container Security displays network interactions between objects on the graph, and also provides information about network connections between cluster resources.

To view network connections in the cluster:

1. In the Resources → Clusters section, go to the Graph view tab.
2. Click the Network connections button above the graph area.

   The solution opens the sidebar with the types of network connections available for display.

3. By selecting check boxes, select one or more network connections display options. You can select the following display options:
   • Show Audit-mode connections . This displays network connections that were detected in accordance with the applied runtime policies in Audit mode.
   • Show Enforce-mode connections. This displays network connection attempts that were blocked in accordance with the applied runtime policies in Enforce mode.
   • Show all the rest connections. This displays network connections that were not covered by the applied runtime policies in Audit and Enforce modes.
4. Click Apply.

   The graph is reloaded and the selected network connections are displayed.

Page top

[Topic 275395]

Principles of displaying network processes

The following principles apply to the display of network connections on the graph in Kaspersky Container Security:

• The solution displays processes as edges between two objects (groups of objects within a cluster), or between an object (group of objects) and resources outside the cluster. An arrow on the graph points from the sender object to the recipient object. If the same types of network activity (for example, audited activity) occurs between a pair of objects that are linked by a network connection and the traffic between the object goes both ways, the solution represents this activity with a bidirectional arrow.
• If the recipient object is outside the relevant cluster, infrastructure or the scope assigned to the user, the solution indicates it as Resources out of cluster or scope.
• The graph displays network connections to a group of namespaces or applications if inbound or outbound traffic is detected involving at least one object inside such a group. When you expand a group to its constituent objects, the connection is displayed to the specific resource.
• If multiple network processes go from one object to another, the solution takes the priority of network activity when displaying them. Blocked activity has the maximum priority, and other activity has the minimum priority.

The solution displays different types of network activity as follows:

• Blocked activity on the graph is represented by a dotted red line ().
• Audited activity on the graph is represented by a solid red line with an arrow ().
• Other activity on the graph is represented by a solid black line with an arrow ().
• Two-way network activity is represented on the graph as a line corresponding to one of the activity types, with arrows on both ends ().
• If you hover over a network connection line on the graph, it is highlighted and changes color ().

[Topic 275396]

Viewing information about network processes

Kaspersky Container Security can provide brief and detailed information about network activity.

To view brief information about network activity:

Hover over the network connection of interest.

A tooltip is displayed with the number of non-unique connections for each type of network activity (blocked, audited, and other).

To view detailed information about network activity:

Click the connection of interest.

This opens the sidebar with information about network activity for the selected connection.

The sidebar displays information about network activity for the 15 minutes before the sidebar was called up. Network activity information is presented in tables on the Audited activities, Blocked activities, and Other activities tabs. The number of connections is indicated next to tab captions.

The tables have the same structure and contain the following information:

• The Source column contains the name of the pod that is the sender of the network traffic and the IP address of the pod in the <pod IP address:outbound traffic port> format. You can click the link in the pod name to open a detailed description of the pod.
• The Protocol column indicates the pod interaction protocol.
• The Destination column contains the name of the pod that is the recipient of the network traffic and the IP address of the pod in the <pod IP address:inbound traffic port> format. You can click the link in the pod name to open a detailed description of the pod.
• The Number of connections column displays the total number of non-unique connections between the sender and the recipient of the traffic.
• The Last connection column displays the date and time of the last non-unique connection between the sender and the recipient of the traffic.

If the sender object or the recipient object is outside the relevant cluster, the Source or Destination columns display the domain name and IP address of such an object respectively (if the solution can obtain this information).

Page top

[Topic 275421]

Displaying the graph subject to applicable scope

When displaying cluster resources on the graph, the scope assigned to the user role is taken into account. In this case, the following must be considered:

• If the global scope is assigned to the user role, the graph displays all cluster resources.
• If a scope with access to a specific image within the namespace is assigned to the user role, the graph displays the entire namespace (all entities in the namespace are displayed).
• If a scope that does not have access to specific namespaces is assigned to the user role, such namespaces are not displayed on the graph.

  If there are no namespaces to display for the selected cluster in view of the assigned scope, the solution informs you that is no data to display.

[Topic 294300]

Working with images from registers

The Resources → Registries section contains a list of image repositories scanned by Kaspersky Container Security and the image scan results. The list includes images from registries integrated with Kaspersky Container Security. You can add images to the list automatically or manually.

The list of images is empty until you configure integration with registries and settings for pulling and scanning images for the registry in the Administration section.

The list of images is displayed as a table, the images are grouped by repositories.

You can perform the following actions in the Resources → Registries section:

• Search for images by name or checksum.

  A search is conducted only in the selected active image registry. If the sought image is absent from the selected registry but is part of a different registry, the search gives no results.

• Filter the list to display images that match the specified criteria:
  • Images only from the specified registries;
  • Images that comply with or fail to comply with benchmarks;
  • Images scanned during a specified period of time;
  • Images for which the specified risks are identified.
• Start rescanning of the specified images (the Rescan button is displayed above the table after you select one or more images).
• Generate reports on selected images (the Create report button is displayed above the table after you select one or more images).
• Add images to the list and remove images from the list.
• View detailed information about the image scanning results.

[Topic 294302]

Adding and removing images

Images from the registries integrated with Kaspersky Container Security can be added to the list of images automatically, in line with the configured settings for pulling and scanning images for each registry. You can also add images to the list of images from registries manually. New images are queued for scanning.

To manually add images to the list:

1. In the Resources → Registries section, click the Add images button above the table.

   You cannot add images to an image registry that is created at the request of the external Harbor registry.

2. In the displayed window, select a registry from the Registry drop-down list.
3. In the Search field, enter the name or part of the name of the repository or image and click the Search button.
4. Under Repositories, select a repository.
5. Under Image tags, select images using check boxes.

   You can select images from several repositories.

6. Click the Add images button.

To optimize the load on image registries, a list of images in the connected registries is generated every 10 minutes. After a new image appears in the registry, its appearance in the Kaspersky Container Security interface may be delayed by the specified period.

To remove images from the list:

1. In the Resources → Registries section, do one of the following:
   • Select one or more images that you want to remove from the list and start removal using the Delete link located above the table.
   • In the list, select the repository of images you want to delete, open the action menu on the row with the repository name, and select Delete repository.
2. In the window that opens, confirm the deletion.

[Topic 294283]

Viewing image scanning results from registries

Summary information about the scan results of all images in the repository and each specific image is displayed in the list of images within repositories in the Resources → Registries section.

Click the image name link to open a page with detailed information on image scanning results.

The tabs at the top of the window contain the following information:

• The Risk tab provides a summary of the scanning results. If threats are detected during scanning, recommended actions to protect the image are available at the bottom of the page. Click the Rescan image button to repeat scanning of the image.
• The Vulnerabilities tab shows the vulnerabilities detected in the image. Clicking the link in the name of the vulnerability can open a detailed description of the vulnerability and find out if it has an
  exploit

  Program code that takes advantage of some vulnerability in the system or in application software. Exploits are frequently used to install malware on a computer without the user's knowledge.

  .

  Kaspersky Container Security receives a description of vulnerabilities from the connected vulnerabilities database. The description is provided in the language of the vulnerabilities database. For example, a description of vulnerabilities from the NVD is displayed in English.
  The classification of vulnerabilities in the solution matches the classification used in the connected vulnerabilities database.

• The Layers tab displays layers used in the image with the specification of identified vulnerabilities. Click the layer name link to open a detailed description of the identified vulnerabilities.
• The Resources tab demonstrates resources (components) with the specification of identified vulnerabilities. Click the resource name link to open a detailed description of the identified vulnerabilities.
• Malware Scan lists malware that the scan detected in the image. Click the malware name link to open a detailed description.
• The Sensitive data tab shows sensitive data (secrets) found in the image such as passwords, access keys, or tokens.
• The Misconfigurations tab displays detected image misconfigurations that constitute a threat. Click the misconfiguration name link to open a detailed description.
• The Information tab provides the basic information about the image and image history.
• The Hash scan history displays the latest scan results for each version of the image. The results are updated if the same version of an image is scanned, or they are added in a separate row of the table if a different version of the image is scanned.

The following information is displayed for each image:

• Status of compliance with security policy requirements
• Risk rating with an indication of the risk severity level.
• Date and time of the last scan.
• The number of objects containing vulnerabilities, malware, sensitive data, and misconfigurations in the image. For vulnerabilities, the number of objects is indicated separately for each identified risk severity level.
• The results of image scanning using the appropriate security policies within the current scopes.

If an image is included in the registry of images created during integration with the solution by Harbor request, the solution indicates this and marks the image with the Harbor icon ().

By clicking the Create report button, you can generate a detailed report on images. You can also initiate a rescanning of the image by clicking the Rescan button.

Rescanning is not available for images received by Kaspersky Container Security from the image registry created during integration with the solution by Harbor request.

You can accept each identified risk.

[Topic 291077]

Detailed information about detected vulnerabilities

The list of vulnerabilities detected during image scans is presented as a table on the Vulnerabilities tab in the image scan results window. For each vulnerability, the following information is provided:

• Vulnerability entry identifier The identifier is given in the CVE-YYYY-X... format, where:
  • CVE is a prefix that indicates that the vulnerability is included in the database of known vulnerabilities and security defects.
  • YYYY is the year when the vulnerability was reported.
  • X... is the number assigned to the vulnerability by authorized bodies.
• The vulnerability's severity level based on its risk rating.

  If a vulnerability contains an exploit, an exploit icon () is displayed next to the severity level.

• Installed containerized resource in which the vulnerability was detected.
• Whether a fix for the vulnerability is available from the vendor. The solution shows the version number that has the fix, or indicates that no fix is available.

You can accept the risk of the vulnerability by clicking the Accept button in the Risk acceptance column.

To accept risks, risk management rights are required.

To view detailed information about a detected vulnerability:

1. Click the link with the vulnerability record ID in one of the following sections:
   • On the Vulnerabilities tab in the image scan results window.
   • In the Vulnerabilities block on the dashboard.
   • In the table with the complete list of vulnerabilities in the Investigation → Vulnerabilities section.
2. This opens the sidebar with the following information about the detected vulnerability:
   • Vulnerability entry identifier
   • Description of the vulnerability from the vulnerability database. The description is provided in the language of the vulnerabilities database. For example, descriptions of vulnerabilities from the NVD are displayed in English.
   • The General information tab displays the following:
     • The vulnerability's severity level based on its risk rating.
     • Installed resource in which the vulnerability was detected.
     • Vulnerability severity score based on the
       CVSS

       Common Vulnerability Scoring System is an open standard for scoring vulnerabilities. CVSS specifies a set of metrics and formulas for scoring vulnerability severity, with values from 0 (minimum) to 10 (maximum). CVSS makes it possible to allocate vulnerability response efforts based on vulnerability severity.

       open standard in the
       NVD

       The National Vulnerability Database is the United States Government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol.

       ,
       VDB

       The Data Security Threats Database (also known as BDU) is a national vulnerability database maintained by the Russian Federal Service for Technical and Export Control (FSTEC).

       , and
       RED OS

       Russian general-purpose operating system RED OS supports scanning for vulnerabilities that can threaten the functioning of services and workstations.

       vulnerability databases, as well as the final consolidated vulnerability severity score.
   • The Artifacts tab displays detailed information on artifacts for images from registries and the runtime or CI/CD objects and indicates how many artifacts there are.

     The block for an image from a registry or runtime shows the following information:

     • Image object type and the name of the image. If autoprofiles were created based on the checksum of this image, an autoprofile icon () appears next to the image name.

       By clicking on the image name, you can go to a page containing detailed information about the image scan results.

       To view detailed information, you need the rights to view the image scan results.

     • Operating system of the image.
     • Compliance status of the image: Compliant or Not-compliant.
     • Risk rating.
     • Date and time of the last time the image was scanned
     • Date and time when the vulnerability was first detected in the image.

     The block for an object from the CI/CD pipeline shows the following information:

     • Object type, which corresponds to the artifact type, and the object name.

       By clicking the name of an artifact, you can go to a page containing detailed information about the results of scanning objects at the project building stage.

       To view detailed information, you need the rights to view the results of scanning objects in CI/CD processes.

     • Operating system in which the object was scanned.
     • Compliance status of the image: Compliant or Not-compliant.
     • Risk rating.
     • Date and time of the last object scan
     • Date and time when the vulnerability was first detected in the object.
     • Timestamp for scanning the object in a CI/CD process.
   • The Workloads tab displays a list of the pods containing images with the vulnerability and how many of them there are. For each object, the following information is provided:
     • Name of the cluster containing the pod in whose image or images the vulnerability was detected.
     • Name of the namespace containing the pod in whose image the vulnerability was detected.

       If you click the namespace name, the solution will open the namespace's side panel from the graph.

     • Name of the pod in whose image the vulnerability was detected.

       If you click the namespace name, the solution will open the pod's side panel from the graph.

   • The Risk acceptance tab displays the following information:
     • Risk acceptance date.
     • Risk acceptance period.
     • Subset.
     • Person who initiated risk acceptance.
     • Reason for risk acceptance.

     The Risk acceptance tab is available if you have rights to view accepted risks.

     For each accepted risk, you can do the following:

     • Click the icon to set the duration of the risk acceptance.
     • Click the icon to cancel the risk acceptance.

     This tab also lets you use the Add risk acceptance button to add a risk acceptance for the vulnerability.

     The "Manage risks" rights are required to edit the risk acceptance settings.

Page top

[Topic 294285]

Detailed information about detected malware

If image scanning detects malware, the solution displays this on the page with information about the image scan results. To view detailed information about a detected malicious object, in the window with image scan results, select the Malware scan tab.

For each object, the solution generates the MD5 or SHA256 hash and indicates the path to the location where it was detected.

You can view detailed information about detected malicious objects in the cyberthreat databases created in

A page with a threat description on the Kaspersky OpenTIP portal is publicly available. Users must enter their account credentials to access Kaspersky TIP.

Page top

[Topic 293438]

Misconfiguration control of images

Kaspersky Container Security allows detecting misconfigurations in configuration files using the configuration file scanner. This scanner can scan images, file systems, and repositories that contain IaC files (for example, Terraform, CloudFormation, Azure ARM templates, Helm Chart and Dockerfile packages).

Kaspersky Container Security scans the following configuration files:

• Configuration files of Kubernetes objects.
  • Pod
  • ReplicaSet
  • ReplicationController
  • Deployment
  • DeploymentConfig
  • StatefulSet
  • DaemonSet
  • CronJob
  • Job
  • Services
  • ConfigMaps
  • Roles and СlusterRoles rights and commands
  • ClusterRoleBindings and RoleBindings
  • Network policy (ingress and egress connections)
• Configuration files of cluster components.
• Configuration files of images.
• Configuration files of Amazon cloud environment services.
  • Amazon IAM policies
  • API Gateway
  • Amazon Athena
  • Amazon CloudFront
  • Amazon CloudTrail
  • Amazon CloudWatch
  • Amazon CodeBuild
  • Amazon Config
  • Amazon DocumentDB databases
  • Amazon DynamoDB Accelerator
  • Amazon Elastic Compute Cloud
  • AWS Elastic Container Registry
  • Amazon Elastic Container Service
  • Amazon Elastic File System
  • Amazon Elastic Kubernetes Service
  • Amazon ElastiCache
  • Amazon Elasticsearch
  • Amazon Elastic Load Balancing
  • Amazon Elastic MapReduce
  • Amazon Identity and Access Management.
  • Amazon Kinesis
  • Amazon Key Management Service
  • Amazon Lambda
  • Amazon MQ Broker
  • Amazon Managed Streaming for Apache Kafka
  • Amazon Neptune
  • Amazon Relational Database Service
  • Amazon Redshift
  • Amazon Simple Storage Service
  • Amazon Serverless Application Model
  • Amazon Simple Notification Service
  • Amazon Simple Queue Service
  • Amazon Secrets Manager
  • Amazon Workspaces

• Configuration files of Azure cloud environment services.
  • Azure App Service
  • Azure Compute
  • Azure Container Service
  • Azure SQL Database
  • Azure Data Factory
  • Azure Data Lake
  • Azure Key Vault
  • Azure Monitor
  • Services responsible for the network interaction of Azure
  • Azure Security Center
  • Azure Storage
  • Azure Synapse Analytics
  • Azure IAM policies
• Configuration files of the DigitalOcean cloud environment.
• Configuration files of the ApacheCloudStack cloud environment.
• Configuration files of Terraform GitHub Provider.
• Configuration files of Google cloud environment services.
  • Google BigQuery
  • Google Compute Engine
  • Google Cloud DNS
  • Google Cloud IAM policies
  • Google Cloud Key Management Service
  • Google Cloud SQL
  • Google Cloud Storage
• Configuration files of Nifcloud Provider.
  • Computing
  • DNS
  • NAS
  • Network
  • Rdb
  • SSL certificates
• Configuration files of OpenStack.
  • Computing
  • Networking
• Configuration files of Oracle Compute Cloud.

The following table lists the types of configuration files and configuration files formats that Kaspersky Container Security supports.

Types and formats of configuration files

Page top

[Topic 271977]

About risk rating

A scan conducted by Kaspersky Container Security results in rating a risk of the scanned object. While scanning, the solution may detect all or some of the following security issues in objects:

• Vulnerabilities
• Malware
• Sensitive data
• Misconfigurations

Each risk detected is assigned one of the following risk ratings, based on the severity of the security threats:

• Negligible.
• Low.
• Medium.
• High.
• Critical.

If no security issues are detected during scanning, such an image is considered secure and is marked as Ok.

Risk ratings of the detected vulnerabilities, malware, sensitive data, or misconfigurations correspond to the ratings specified in the security threat databases, which are used for scanning (for example, NVD and Data Security Threats Database). These vulnerability and threat databases use special scoring scales to assess the severity of security threats. For example, the Common Vulnerability Scoring System (CVSS) is applied in the NVD.

The object is assigned the highest severity level of all the detected with an appropriate risk rating.

For example, the following security threats were detected during an object scan:

• vulnerabilities with the low level of severity;
• sensitive data with the high and critical levels of severity;
• configuration errors with the medium severity level;
• malware with the low severity level.

Here, the risk rating is critical in accordance with the highest severity level of the detected threats.

[Topic 250391]

Risk handling

Threats identified by Kaspersky Container Security (vulnerabilities, malware, sensitive data, and misconfigurations) are subject to the Risk acceptance procedure. If you accept the risk of a threat, it will not be considered by assurance policies when determining image security status (Compliant/Non-compliant with security policies) during the specified acceptance period. Image scanning continues to detect the threat, but does not label the image as Non-compliant.

If you accept the risk of a vulnerability detected in an image, this risk is accepted for the specific image registry. If the risk is accepted for all vulnerabilities in an image, the image is deemed compliant with security policy requirements and is given Compliant status.

If you change the settings of the assurance policy applied to images, the image security status also changes.

The risk from a threat is accepted for a period of 30 days by default. You can extend the period during which the risk is considered accepted. You can also cancel risk acceptance at any time. If you cancel risk acceptance, the associated threat will again affect the security status of the image.

You can view the list of all accepted risks in the Policies → Risk acceptance section.

[Topic 292001]

Risk acceptance

You can accept the risks found by the solution taking into account the following:

• In case of vulnerabilities, configuration errors, and sensitive data, you can accept risks with all severity levels.
• In case of malware, you can accept risks only with the Medium, Low, and Negligible severity levels.

  You cannot accept risks with the High and Critical severity levels.

You can accept risk in the following sections:

• In the Image scan results window, risks associated with all threat types (vulnerabilities, malware, misconfigurations, and sensitive data) detected by scanning a specific image can be accepted.
• In the Investigation → Vulnerabilities section, risks are accepted for all vulnerabilities detected by the solution. Risks are accepted in relation to all artifacts detected during the scanning process, including CI/CD objects.

To accept risks, risk management rights are required.

To accept a risk based on image scan results:

1. In the image scan results window, open the tab with information about the required threat type.
2. In the table, select a threat and click the Accept button in the Risk acceptance column.
3. In the window that opens, specify the risk acceptance parameters:
   • Select the extent of risk acceptance:
     • For the selected image with the detected risk;
     • For all images in the repository containing the image with the detected security threat;
     • For all images in which this security threat has been or will be detected.
   • Specify the period after which this security threat must be considered again when determining the image security status.
   • Specify the reason for risk acceptance.
4. Click the Accept button.

The selected threat does not affect the security status of this specific image, images in the repository, or all images for the defined number of days (or for an unlimited term).

An accepted risk can be viewed in the Policies → Risk acceptance section.

To accept the risk of a detected vulnerability:

1. Click the vulnerability record ID in one of the following sections:
   • On the Vulnerabilities tab in the image scan results window.
   • In the Investigation → Vulnerabilities section.
2. In the sidebar that opens, go to the Risk acceptance tab.

   The Risk acceptance tab is available if you have rights to view accepted risks.

3. Click the Add risk acceptance button.
4. In the window that opens, specify the risk acceptance parameters:
   • Select the extent of risk acceptance:
     • for the selected artifact (image or CI/CD object)
     • for the repository containing the object with the detected vulnerability
     • for artifacts in which this vulnerability is currently detected
     • for all artifacts, including artifacts that the solution may find during subsequent scans.

     The risk is assumed regardless of the scope.

   • Specify a period from 1 to 999 days after which the risk acceptance for this vulnerability will be revoked. By default, the period is 30 days.
   • Specify the reason for risk acceptance.
5. Click the Add button.

The accepted risk for the vulnerability is displayed on the Risk acceptance tab. It can also be viewed in the Policies → Accepted risks section.

[Topic 292012]

Viewing information about accepted risks

The list of all accepted risks is displayed in the Policies → Risk acceptances section.

You can use the list to do the following:

• Search by risk name, repository name, image, or resource where the risk is detected.
• Filter the list by risk type and manufacturer fix availability.
• Generate a Risk acceptance report by clicking the Create report button above the table.
• Sort the list by date of acceptance, risk name, scope (applied to all images or just one image), and acceptance period. Sorting is performed using the () sort icon.
• View detailed information about risk acceptance and the associated threat. Click the risk name link to open the window with the related detailed information.

Use the buttons in the detailed information window to do the following:

• Specify or extend the time period after which this security threat must be considered again when determining image security status.
• Cancel risk acceptance.

You can also view information about the accepted risk in the list of detected threats in the image scanning results. In the row with the threat with accepted risk, you can find the time of risk acceptance. You can click the link to open a window with detailed information about the risk acceptance and the associated threat.

Information about risk acceptance for a specific vulnerability is also indicated in the table with the list of all vulnerabilities detected by the solution in the Investigation → Vulnerabilities section. The Risk acceptance column displays the number of artifacts (images, CI/CD objects) for which the risk was accepted.

To view the accepted risks of a vulnerability, you need the "View accepted risks" rights.
Information about accepted risks is shown regardless of scopes.

More detailed information on each accepted risk for a specific vulnerability is provided in the detailed description of the vulnerability on the Risk acceptance tab.

[Topic 292016]

Cancelling risk acceptance

To cancel risk acceptance:

1. In one of the following sections, open the table with the list of objects in which the risk was detected:
   • On the tab corresponding to the risk in the image scan results window.
   • In the Investigation → Vulnerabilities section.
2. Select a risk and click the Edit button in the Risk acceptance column.

   The Edit button is shown only for previously accepted risks.

3. Click the Revoke button and confirm your action in the window that opens.

You can also revoke risk acceptance for vulnerabilities from the window with detailed information about the vulnerability by clicking the icon on the Risk acceptance tab.

Canceling risk acceptance means that the associated threat will again affect the security status of the image(s) for which the risk was accepted.

[Topic 279524]

Scanning Java packages in images

Kaspersky Container Security can scan Java packages contained in registry images. For this purpose, the solution uses Java vulnerability databases.

Scanning for Java packages is available in Kaspersky Container Security v1.2.1 and later. If you have an earlier version installed, you must update the solution to v1.2.1. to use this functionality.

You can configure scanning of Java packages by setting the value of the ENABLE_JAVA_VULN environment variable in the values.yaml file. If ENABLE_JAVA_VULN = true, Kaspersky Container Security performs scanning using the Java vulnerability databases. If ENABLE_JAVA_VULN = false, Java packages are not scanned.

By default, ENABLE_JAVA_VULN is set to false.

Starting from v1.2.1, the kcs-updates component provided in the distribution kit contains Java vulnerability databases. Using this component, you should make sure that the environment variables in the values.yaml file are defined as follows:

ENABLE_JAVA_VULN = true
KCS_UPDATES_TAG=vХ.Х.Х (the value of the version variable is specified in accordance with the version of the solution)
KCS_UPDATES=true

If Java packages scanning is activated (ENABLE_JAVA_VULN = true), the kcs-scanner solution component downloads Java vulnerability databases and notifies the kcs-middleware and kcs-ih components accordingly. Then the kcs-ih component receives the database files from kcs-scanner, assembles and validates the database, and uses it during scanning.

Vulnerabilities found using the Java vulnerability database are displayed in the image scanning results.

Kaspersky Container Security can also scan Java packages in images in external registries and during the CI/CD process when an external scanner is used. In this case, you must use the scanner with the vХ.Х.Х-with-db-java tag, which contains a pre-installed Java vulnerability database. The specified scanner is configured and used similarly to the vХ.Х.Х-with-db scanner.

Page top

[Topic 290879]

Investigating security events

To investigate events that occur in containers and the vulnerabilities detected in images, Kaspersky Container Security lets you do the following:

• Analyze container forensics. The solution lets you identify events in containers based on running processes, file operations, network traffic, and detected malware.
• Analyze vulnerabilities. The solution generates a list of vulnerabilities that were detected during static analysis of registry images, image scans in the runtime and CI/CD objects.

[Topic 291028]

Analyzing container forensics

In the Investigation → Container forensic section, Kaspersky Container Security lets you organize events that occurred in containers for further analysis. Information about events is presented in the form of a table.

This section is available if you have rights to view events.

In the table, the solution shows the following information about events:

• Date and time of the event.
• Event type — Process, File operations, Network traffic, or File Threat Protection.
• Additional information about the events, displayed in the following way:
  • for a process launch, the command executed in the container is shown
  • for file operations, the type of operation is indicated (for example, write or delete)
  • for network traffic, the source and destination of traffic is displayed, namely the name of the pod or domain of the source, ports and IP addresses
  • for events generated by the File Threat Protection component, the name of the detected malware is displayed.
• Runtime policy mode — Audit or Enforce.
• Full path and name of the container executable file to be started. For file operations, the path to the file is displayed as the name and location of the file or directory in the file system of the container on which any action was taken.

Using filters, you can customize the display of information in the table as follows:

• By event type:
  • By running processes
  • Bn file operations
  • By network traffic
  • By the malware detected by the File Threat Protection component
• By the time of the event (you must specify the date and time of the event). The solution shows events for the current day by default.
• By event data or path (you need to enter the data or path in the search field).

By clicking an event row in the table, you can expand the sidebar with detailed information about the selected event.

[Topic 293485]

Searching container forensics

Under Investigation → Container forensic, you can search for events that occurred in containers.

To find security events that occurred in the container:

In the Search by event data and path field, enter the event data for your search.

Depending on the event type, you must specify the following:

• Container ID or container name (for all event types).
• Path to the files (for Process, File operations, or File Threat Protection events).
• IP address or domain name (for events of the Network traffic type).

The solution displays search results in the security event table in the Investigation → Container forensic section.

[Topic 292170]

Detailed information about a running process

To open detailed information about a running process:

1. Click anywhere in the row of a Process event in the table of security events in the Investigation → Container forensic section.
2. In the sidebar that opens, go to the Information tab.

Kaspersky Container Security displays the following information:

• The General information section contains general information:
  • Date and time the process was started.
  • Command used to start the process, including arguments.
  • Path to the file or directory.
  • Runtime policy mode.
• The Location details section contains the following information about the container where the process was started:
  • Container ID and name.
  • Image name and checksum. You can open the page with image scan results by clicking the name of the relevant image.

    To view the results of an image scan, you need the rights to view image scan results. You also need access to the scope for the clusters.

  • Pod name. You can display pod details by clicking the name of the pod.

    Viewing and managing cluster resources requires the corresponding rights. You also need access to the corresponding scope.

  • Namespace name.
  • Cluster name.
  • Host name and IP address.
• The Process section contains the following data about the running process:
  • Parent process ID (PPID)
  • Process ID (PID) and a new PID.
  • Effective User ID (EUID).
  • Effective Group ID (EGID).
  • Group ID (GID).
• The table under Runtime policies impacting the container displays a list of all runtime policies that could be applied to the container with the running process. For each policy, the solution shows the name of the policy and its mode.

  You can open the sidebar with a detailed description of the applied by clicking the name of the policy. Policy information is displayed in a similar way to how information about applied policies is presented when viewing application information on the graph. Limitations apply when viewing policy information.

Page top

[Topic 292232]

Detailed information about file operations

To open detailed information about file operations,

1. Click anywhere in the row of a File operations event in the table of security events in the Investigation → Container forensic section.
2. In the sidebar that opens, go to the Information tab.

Kaspersky Container Security displays the following information:

• The General information section contains general information:
  • Date and time the file operation was performed.
  • Type of file operation (for example, Create or Delete).

    Examples of file operations in Kaspersky Container Security

    Kaspersky Container Security detects the following types of file operations:

    • Open
    • Create
    • Read
    • Write
    • Rename or move
    • Delete
    • Change ownership
    • Change access permissions
  • Path to the file or directory.
  • New path to the file or directory (displayed only for the Rename or move file operation type).
  • New permissions (displayed only for the Change access permissions operation type).
  • Runtime policy mode.
  • Error code.
• The Location details block provides the following information about the container where the file operations were found:
  • Container ID and name.
  • Image name and checksum. You can open the page with image scan results by clicking the name of the relevant image.

    To view the results of an image scan, you need the rights to view image scan results. You also need access to the scope for the clusters.

  • Pod name. You can display pod details by clicking the name of the pod.

    Viewing and managing cluster resources requires the corresponding rights. You also need access to the corresponding scope.

  • Namespace name.
  • Cluster name.
  • Host name and IP address.
• The Process section contains the following data about the process where file operations were found:
  • Parent process ID (PPID)
  • Process ID (PID) and a new PID.
  • User ID (UID).
  • Group ID (GID).
  • Effective User ID (EUID).
  • Effective Group ID (EGID).
  • UID of the new owner (displayed only for the Change ownership file operation type).
  • GID of the new owner (displayed only for the Change ownership file operation type).
• The table under Runtime policies impacting the container displays a list of all runtime policies that could be applied to the container in which the file operations were detected. For each policy, the solution shows the name of the policy and its mode.

  You can open the sidebar with a detailed description of the applied by clicking the name of the policy. Policy information is displayed in a similar way to how information about applied policies is presented when viewing application information on the graph. Limitations apply when viewing policy information.

Page top

[Topic 292235]

Details information about network traffic

To open detailed information about file operations,

1. Click anywhere in the row of a Network traffic event in the table of security events in the Investigation → Container forensic section.
2. In the sidebar that opens, go to the Information tab.

Kaspersky Container Security displays the following information:

• The General information section contains general information:
  • Date and time the file operation was performed.
  • Runtime policy mode.
  • Traffic type: ingress or egress connection.
• The Source section contains the following information about the connection:
  • Pod name or domain of the source of the connection. You can display pod details by clicking the name of the pod.

    Viewing and managing cluster resources requires the corresponding rights. You also need access to the corresponding scope.

  • IP address of the source of network traffic.
  • Port used for the connection.
• The Destination section contains the following information about the connection:
  • Pod name or domain of the recipient of network traffic. You can display pod details by clicking the name of the pod.
  • IP address of the recipient of network traffic.
  • Port used for the connection.
• The Location details section provides the following information about the container where the network traffic was detected:
  • Container ID and name.
  • Image name and checksum. You can open the page with image scan results by clicking the name of the relevant image.

    To view the results of an image scan, you need the rights to view image scan results. You also need access to the scope for the clusters.

  • Pod name. You can display pod details by clicking the name of the pod.
  • Namespace name.
  • Cluster name.
  • Host name and IP address.
• The table under Runtime policies impacting the container displays a list of all runtime policies that could be applied to the container in which the network connections were detected. For each policy, the solution shows the name of the policy and its mode.

  You can open the sidebar with a detailed description of the applied by clicking the name of the policy. Policy information is displayed in a similar way to how information about applied policies is presented when viewing application information on the graph. Limitations apply when viewing policy information.

Page top

[Topic 292237]

Detailed information about detected malicious objects

To open detailed information about detected malicious objects:

1. Click anywhere in the row of a File Threat Protection event in the table of security events in the Investigation → Container forensic section.
2. In the sidebar that opens, go to the Information tab.

Kaspersky Container Security displays the following information:

• The General information section contains general information:
  • Date and time the malware was detected.
  • Malware name.
  • Type of malware detected (for example, virus software).
  • Severity level of the malware.
  • File checksums in MD5 and SHA286 formats.
  • Event type (for example, detected threat).
  • Path to the file or directory.
  • Owner ID.
  • Object ID.
  • Runtime policy mode.
  • File interceptor mode (the file interceptor runs regardless of the runtime policy mode).
• The Location details section contains the following information about the container where malware was detected:
  • Container ID and name.
  • Image name and checksum. You can open the page with image scan results by clicking the name of the relevant image.

    To view the results of an image scan, you need the rights to view image scan results. You also need access to the scope for the clusters.

  • Pod name. You can display pod details by clicking the name of the pod.

    Viewing and managing cluster resources requires the corresponding rights. You also need access to the corresponding scope.

  • Namespace name.
  • Cluster name.
  • Host name and IP address.
• The Process section contains the following information about the process where malware was detected:
  • Process ID (PID) and a new PID.
  • Effective User ID (EUID).
• The table under Runtime policies impacting the container displays a list of all runtime policies that could be applied to the container in which the malware was detected. For each policy, the solution shows the name of the policy and its mode.

  You can open the sidebar with a detailed description of the applied by clicking the name of the policy. Policy information is displayed in a similar way to how information about applied policies is presented when viewing application information on the graph. Limitations apply when viewing policy information.

Page top

[Topic 292240]

Restrictions on runtime policies

For each event type, Kaspersky Container Security displays a list of all runtime policies that can be applied to the container where the security event was found. Access to the list of policies is provided subject to the following restrictions:

• If a user has the rights to manage runtime policies and has the same role as the author of the policy, the user has access to all information about the policies, and also has the ability to edit runtime policy settings.
• If a user is granted rights to view runtime policies, the user has access to all information about the policies.
• If a user is not granted rights to view runtime policies, the user cannot open the detailed description of a runtime policy. A user only has access to information about the list of applied runtime policies on the Information tab in the sidebar with a detailed description of the security event.

Page top

[Topic 292233]

Investigating container forensics while accounting for adjacent events

When investigating an event, you should pay attention to and analyze the events that occurred before and after the event in question.

To view the events that occurred before and after the event in question:

1. Click anywhere in the row of an event in the table of security events in the Investigation → Container forensic section.
2. Go to the Adjacent events tab.

By default, the solution displays a table with the following information:

• Event being examined.
• 3 events that occurred before the event being examined.
• 46 events that occurred after the event being examined.

For each event, you can also view events in a 90-day range. For example, if you are viewing an event from the current day, you can open events from the past 90 days. If an event of interest occurred 45 days ago, you can open events that occurred 45 days before the event being examined.

For each event in the table, the solution shows the following information:

• Date and time of the event.
• Event type.
• Additional information about the event
• Full path.

You can open the sidebar with detailed information about the selected event by clicking the row of the event in the table.

You can also download information about all events with a detailed description of each of them in text format.

[Topic 290891]

Analyzing detected vulnerabilities

Kaspersky Container Security detects vulnerabilities through static analysis of registry images, image scans in the runtime and CI/CD objects. For analysis purposes, the full list of detected vulnerabilities is presented as a table in the Investigation → Vulnerabilities section.

The table lists the following for each detected vulnerability:

• The Vulnerability column contains the ID of the vulnerability entry. By clicking on the identifier, you can open a page with detailed information about the vulnerability detected in the image.
• The Severity column displays the severity level of the detected vulnerability and whether it has an exploit.
• The Resource column contains the name of the resource where the vulnerability was detected.
• The Vendor fix column shows whether a fix for the vulnerability is available from the vendor. The solution shows the version number that has the fix, or indicates that no fix is available.
• The Artifacts column shows the number of artifacts (images in registries and the runtime environment, as well as CI/CD objects) that are scanned by Kaspersky Container Security.

  The solution displays the number of unique images based on imagename:tag for the selected scope. When determining the number of artifacts, the following rules apply:

  • If an image based on imagename:tag is part of the resources of a scope based on resources and clusters, then the image is counted once.
  • If a user has access to resources of a scope based on clusters, but does not have access to resources based on registries in this scope, only the number of images in the runtime is counted.
  • If you specify All in the scopes filter, the total number of artifacts for all scopes is displayed.
  • CI/CD artifacts are only countable when working with a global scope.
• The Workloads column shows the number of pods containing images with the vulnerability.

Using filters, you can select vulnerabilities to display in the table in the Investigation → Vulnerabilities section.

[Topic 291052]

Selecting vulnerabilities to display

To use the filter buttons located above the table to select vulnerabilities to display in the table:

1. Click the filter buttons with the values you want to display. Vulnerabilities can be selected based on the following criteria:
   • Vulnerabilities by detection location:
     • Image in registries.
     • Image deployed in a runtime.
     • CI/CD object.
   • Vulnerabilities by severity level:
     • Negligible.
     • Low.
     • Medium.
     • High.
     • Critical.

   By default, all detection locations and vulnerability severity levels are selected.

2. If necessary, use the Disabled / Enabled switch to enable or disable the display of only vulnerabilities with available exploits. By default, the switch is set to Disabled.
3. If necessary, enter a vulnerability ID or resource name in the search field.

To use a filter to select vulnerabilities to display in the table:

1. Click the filter icon () above the table with the list of users.
2. In the opened sidebar, use the Disabled / Enabled toggle switch to enable or disable the display of only vulnerabilities with available exploits. By default, the switch is set to Disabled.
3. To determine the severity level, select one of the following options: Severity level or Score, and then do the following:
   • If you select Severity level, select the buttons with the values that you want to display. You can select the following display values:
     • Negligible.
     • Low.
     • Medium.
     • High.
     • Critical.

     By default, all vulnerability severity levels are selected.

   • If you select Score, use the slider to define the vulnerability score. Values from 0 to 10 are available. The solution will display vulnerabilities that match the specified vulnerability score.
4. For the Vendor fix setting, specify whether a fix is available from the vendor: All, Available or Not available. The default value is All.
5. For the Risk acceptance setting, specify whether the selected vulnerability has been accepted in the specified resource: All, Accepted, or Not accepted. The default value is All.
6. For the Location details setting, specify the location where the vulnerability was detected:
   • Image in registries.
   • Image deployed in a runtime.
   • CI/CD object.

   By default, all detection locations are selected.

Page top

[Topic 291067]

Restrictions related to scopes

The list of detected vulnerabilities can be accessed by the scopes assigned to the user as follows.

• If a user is assigned a global scope, the has access to all information about the detected vulnerabilities, including CI/CD objects.
• If the scope assigned to a user entails access to resources based on registries, the user is shown vulnerabilities for which the value of the Workloads column is 0.
• If the scope assigned to a user entails access to resources based on clusters, the user is shown vulnerabilities for which the value of the Workloads column is greater than 0.
• If the scope assigned to a user entails access to resources based on registries and clusters, the user is shown vulnerabilities for which the value of the Workloads column is greater than or equal to 0.

Page top

[Topic 282364]

Integration with third-party resources

To identify security issues and ensure protection of containerized applications, Kaspersky Container Security can integrate with the following third-party resources:

• External image registries. The solution allows scanning container and IaC images hosted on repository management and storage platforms, including as part of the CI/CD process, for vulnerabilities, malware, misconfigurations, and the presence of sensitive data.
• Image signature validators. Kaspersky Container Security can validate digital signatures of images using an external signature application.
• Output. When implementing response policies, the solution can notify users about security events by sending messages via email or Telegram.
• External LDAP directory services. When defining user roles and scopes, the solution allows configuring user accounts based on data from an external directory service and map user roles to user groups from Active Directory.
• SIEM systems. Kaspersky Container Security allows connection to security information and event management systems to notify about events for analysis and further respond to potential threats.
• HashiCorp Vault external storage. The solution allows to securely store and use passwords, tokens and secrets by means of HashiCorp Vault.

[Topic 292431]

Setting up integration with external image registries

Kaspersky Container Security can scan images from the following external image registries:

• Harbor
• GitLab Registry
• JFrog Artifactory
• Sonatype Nexus Repository OSS
• Yandex Registry
• Docker Hub
• Docker Registry

  Integration with Docker Registry requires support of the Docker Registry V2 API on the external registry server side.

• Red Hat Quay
• Amazon Elastic Container Registry

You need to configure the integration of the solution with external registries so that the solution can scan images from external registries. Images from registries integrated with Kaspersky Container Security can be scanned automatically or manually, depending on the configured image pulling and scanning settings for each registry.

[Topic 294428]

Working with public registries without authorization

Kaspersky Container Security 2.0 does not work with public registries without authorization. For example, you cannot use the solution to scan images when Docker Hub is accessed anonymously.

If you do not authorize in public registries, you can use such image registries in a cluster, add them to Kaspersky Container Security and manually assign them to a specific scope. If the scope includes only one or several public registries in which you are not authorized, and you try to add an image in the Resources → Registries section, the solution displays an error indicating that it is impossible to add images because the solution has no registry integration.

[Topic 292488]

Adding integrations with external image registries

Integrated registries support only local image repositories that directly contain the images. In version 2.0, Kaspersky Container Security does not support working with remote or virtual repositories.

To add an integration with an external registry:

1. In the Administration → Integrations → Image registries section, click the Add registry button.

   The integration settings window opens.

2. On the Registry details tab, specify the settings for connection to the registry:
   1. Enter the name of the registry.
   2. If required, enter a description of the registry.
   3. Select the registry type from the drop-down list. Kaspersky Container Security supports the following types of registries:
      • Harbor (integration using the Harbor V2 API).
      • GitLab Registry (integration using the GitLab Container Registry API).
      • JFrog Artifactory (integration using the JFrog API).
      • Sonatype Nexus Repository OSS (integration using the Nexus API).
      • Yandex Registry (integration using the Yandex Container Registry API).
      • Docker Hub (integration using the Docker Hub API).
      • Docker Registry (integration using the Docker Registry V2 API).
      • Red Hat Quay (integration using the Red Hat Quay API).
      • Amazon Elastic Container Registry (integration using the Amazon Elastic Container Registry API).

      The Docker Registry can be accessed using the Docker Registry V2 API if you configure integration with the Sonatype Nexus Repository OSS, Harbor, JFrog Artifactory (using a port or a subdomain), or Yandex Registry. Integrations with GitLab Registry, Docker Hub, and JFrog Artifactory (via Repository Path) are not supported.

   4. If you set up a JFrog Artifactory registry integration, select one of the following methods in the Repository Path method drop-down list to access Docker:
      • Repository path.
      • Subdomain.
      • Port.
   5. If you configure integration with the Sonatype Nexus Repository OSS registry, select the pull mode: Tagged images or All images. If All images mode is selected, the solution pulls all registry images regardless whether they have or lack tags. Untagged images are displayed with the build hash.
   6. If you configure an integration with a registry such as JFrog Artifactory, Harbor, GitLab Registry, Sonatype Nexus Repository OSS, Docker Registry, or Red Hat Quay, enter the full URL of the registry that directly points to the container registry. We recommend that you use HTTPS connection (HTTP connection is also supported).

      If you use HTTP or HTTPS with a self-signed or invalid certificate, you should check the insecure-registry box for the Docker engine on the nodes where the server and scanner are installed.

   7. If you configure an integration with a registry such as JFrog Artifactory, Harbor, GitLab Registry, and Sonatype Nexus Repository OSS, or Red Hat Quay, enter the full URL that points to the registry API.
   8. Select an authentication method and specify the necessary data for it as follows:
      • If you configure an integration with such registry as GitLab Registry, select authentication using an account or an access token.
      • If you configure an integration with such a registry as Yandex Registry, select authentication using an API key (Yandex OAuth token) or using a user name and token. Specify oauth for the user name when using the Yandex OAuth token, or iam when using the Yandex IAM token.
      • For such registries as Sonatype Nexus Repository OSS and Docker Hub, authentication is performed only with an account.
      • For such a registry as Harbor, authentication is only permitted with an account of a user or a robot.
      • For such a registry as Docker Registry, authentication is only conducted using a user name and password, which are provided by the Docker V2 API.
      • For Red Hat Quay registries, organization name and access token is the only authentication method. Specify these parameters in the Organization name and OAuth token fields.
      • For Amazon Elastic Container Registries, you can authenticate by specifying the region, Access key ID, and Secret access key .

        In the Region field, you must specify one of the Amazon Web Services regions (for example, us-west-2 or us-east-2).

        For Access key ID and Access key settings, you must specify values that you can get using the AWS management console.

3. Go to the Repository caching tab and use the Disabled/Enabled toggle switch to enable repository caching if necessary. If caching is disabled, repositories and images in the Registry section are displayed only if the Search field is used. If caching is enabled, the solution displays the list of available repositories and images. By default, repository caching is disabled.

   Enabling repository caching may impact the performance of Kaspersky Container Security.

4. Go to the Image scan details tab and specify the following image scan settings:
   • Scan timeout in minutes for images from this registry. The default scan timeout is 60 minutes.

     If image scanning lasts longer than the specified time, the scanning stops and the image is returned to the scanning queue. The solution will requeue the image up to 3 times. This means that the time required to scan an image from the registry may be tripled.

     Image pull and scan settings for the registry. By default, the Manual option is selected in Pull and scan images: images are not automatically pulled from the registry, but the user can manually add images to the list of images for scanning. New images are automatically queued for scanning.

     If you want images to be pulled from the registry and queued for scanning automatically, select Automatic in Pull and scan images and configure the settings for image pulling and scanning. The following options are available:

     • Scan interval (days) is the interval in days of image pulling from the registry for scanning. The default setting is 1 day.
     • Scan time (GMT) is the time when the images in the registry were scanned.
     • If necessary, select the check box to re-scan previously pulled images whenever new images are scanned.
     • If necessary, under Advanced settings, select the Name / tag criteria check box to use image name or tag patterns to specify which images you want to be pulled and scanned. If you select the check box, Kaspersky Container Security will only pull those images that match the specified patterns for scanning.

       You can use the following patterns:

       • by image name and tag – <name><:tag>
       • by image name only – <name>
       • by image tag only – <:tag>

       For example:

       • for the alpine pattern, all images with the name "alpine" are pulled, regardless of the tag;
       • for the 4 pattern, all images with tag 4 are pulled, regardless of the image name;
       • for the alpine:4 pattern, all images with the name "alpine" and tag 4 are pulled.

       When generating patterns, you can use the * character, which replaces any number of characters.

       You can add one or more patterns.

     • Select one of the additional conditions for pulling images:
       • If no additional conditions are required, select No additional conditions.
       • If you want to pull only images created within a specific time frame, select this option and in the fields to the right, specify the duration of the period and the unit of measure. By default, the period is 60 days long.
       • If you want to download only images with the latest tags, counting from the date when the image was created, select this option and in the field to the right, specify how many of the latest tags from each repository you want to be taken into account.
     • If necessary, under Exceptions, select or clear check boxes to specify exceptions for image pulling:
       • Never pull images with the name/tag pattern - using image name/tag patterns you can specify, which images are excluded from pulling and scanning.
       • Always pull images with the name/tag pattern—using image name/tag patterns you can specify, which images are always pulled and scanned, regardless of other conditions set above.
5. Click Test connection to see if a connection with the registry can be established.
6. Click the Save button in the top of the window to save the registry integration settings.

Example of Red Hat Quay registry integration settings

[Topic 292566]

Viewing information about integrations with registries

You can view a table with the list of all registries integrated with Kaspersky Container Security in the Administration → Integrations → Image registries section.

The table displays the following information about integrated registries:

• Name of the image registry integration
• Description, if one was specified when creating the integration with the image registry
• The type of the connected registry.
• Registry URL
• Status of the last connection with the image registry: Success or Error. If Error is displayed, the solution also displays a brief description of the connection error.

In the table, you can:

• Add new registry integrations. Click Add registry above the table to open the integration settings window.
• View and modify registry integration settings, including image pull and scan settings. You can open the editing window by clicking the registry name link.

  In this window, you can also click Test connection to see if a connection with the registry can be established.

• Delete integrations with registries.

[Topic 274590]

Deleting integration with external registry

To delete an integration with an external registry:

1. In the Administration → Integrations → Image registries section, select the integration you want to delete by selecting the check box in the row with the registry name. You can select one or more integrations.
2. Click Delete above the table.

   The Delete button becomes enabled after you select one or more integrations.

3. In the window that opens, confirm the deletion.

Kaspersky Container Security does not scan images from a registry it is no longer integrated with.

[Topic 272923]

Harbor integration

Integration of Kaspersky Container Security with the external Harbor registry can be performed in two ways:

• In the same way as integration with other external registries
• Upon the request of the external Harbor registry

Harbor views the solution as an additional external scanner to scan objects for vulnerabilities. Integration with Kaspersky Container Security is configured using the Harbor scanner plugin. The solution names this automatically created image registry as Harbor External Integration and marks the repository in which it is located with the Harbor icon ().

This integration remains the only automatically created integration with Harbor, and the name assigned to the image registry cannot be changed.

To start the Harbor scan process, you need to know the endpoint of the Kaspersky Container Security API.

To create an integration by Harbor request it is required to have rights to view and configure scanning in CI/CD. If these rights are absent, Harbor will not be able to connect the solution as a scanner and scan objects as part of the CI/CD process.

[Topic 273008]

Creating an integration upon Harbor request

To create registry integration by Harbor request, you must have a Harbor account with administrator rights, as well as rights to view and configure scanning in CI/CD in Kaspersky Container Security. If these rights are not available, Harbor will not be able to connect the solution as a scanner.

To create a Harbor integration upon Harbor request:

1. From the main menu in the left pane of the Harbor web interface, select Administration → Interrogation Services.
2. Click the New Scanner button.
3. Enter the following information:
   • The unique name of the solution integration to be displayed in the Harbor interface.
   • If necessary, a description of the external scanner that is being added.
   • The address of the Kaspersky Container Security API endpoint displayed by Harbor.
4. In the Authorization drop-down list, select APIKey as the authorization method when connecting the registry to the solution.
5. In the APIKey field, enter the value of the API token.

   If the API token changes, you must specify its new value before starting the Harbor scan. If a new API token is not added to the external scanner settings in Harbor, the scan fails.

6. Select the Skip certificate verification check box to skip certificate verification.
7. If necessary, click Test Connection to verify that Harbor can connect to the solution.
8. Click Add to create the integration.

In the list of available scanners under Administration → Interrogation Services → Scanners, Harbor shows the name assigned to the solution in the Harbor.

The new scanner is used for scanning objects if it is specified as the default scanner in Harbor or assigned to the project. Both options require additional configuration in Harbor.

After scanning is started, an integration with the solution upon Harbor request is created in the external registry. Kaspersky Container Security displays the created Harbor External Integration registry in the list of image registries in the Administration → Integrations → Image registries section. The repository containing images from the external registry is marked with the Harbor icon (). Harbor External Integration is updated after starting and running another scan in the external registry.

You cannot add an image to an automatically created registry of images from Harbor by using the Add images button in the management console.

Harbor External Integration scans can be manually initiated or automatically started from the external registry. You cannot start scanning or rescanning images from the Harbor automatically created image registry in Kaspersky Container Security.

The Harbor External Integration registry (as well as the registry created as part of the standard integration with Harbor) is scanned in line with the applicable scanner policy.

At the end of the scan, the solution generates a report on vulnerabilities found during scanning of selected objects and sends it to Harbor. If sending a report takes more than five seconds (for example, because of the quality of the network connection), an error in receiving scan results is displayed in the external registry interface.

[Topic 273028]

Viewing and editing the Harbor External Integration settings

The Harbor External Integration image registry is displayed in the list of registries integrated with Kaspersky Container Security in the Administration → Integrations → Image registries section.

To change the Harbor External Integration settings:

1. Select the Harbor External Integration registry in the list of image registries in the Administration → Integrations → Image registries section.
2. Specify the values of the following configurable settings:
   • Description on the Registry details tab.
   • Scan timeout on the Image scan details tab.

   You cannot change other Harbor External Integration registry details.

3. Click Save.

[Topic 273010]

Rescanning

After receiving the scan results, objects from the Harbor External Integration registry cannot be sent for rescanning from Kaspersky Container Security. Rescanning can only be initiated from Harbor.

If you create an integration with Harbor from Kaspersky Container Security and the created image registry is similar to Harbor External Integration, the following rules are applied to rescanning:

• Scanning objects in the registry created in the solution does not trigger a rescan in Harbor External Integration.
• Scanning objects in Harbor External Integration does not trigger a rescan in the registry created in the solution.

[Topic 267228]

Integration with CI/CD

Kaspersky Container Security lets you scan images of containers and IaC residing in code repository management systems in the CI/CD process to detect vulnerabilities, malware, misconfigurations, and exposed sensitive data.

At the project build stage in the repository management system, you can run the Kaspersky Container Security scanner to check the objects in the repository for compliance with the enabled security policies. The scanner is started from a registry using an agent, such as GitLab Runner in GitLab. Data on the scan job and sending scan results are forwarded through the application programming interface (API).

When running an object scan during the project build stage, you must make sure that the Fail CI/CD step is not selected in the settings of the applied assurance policy. If this setting is activated, the solution will notify you of an error during the scan.

The scan results are displayed in the list of images in the Inventory → CI/CD → Scanning in CI/CD section.

For each of the objects in the table, Kaspersky Container Security displays the following:

• Date and time of the last scan.
• Name.
• Risk rating.
• Summary scan results with an indication of the identified objects related to vulnerabilities, malware, sensitive data and misconfigurations.
• Artifact type.
• The number and pipeline of the build in which the image was scanned.

In the Resources → CI/CD → Scanning in CI/CD section, you can also generate a report for images that are scanned within the CI/CD process.

Reports are generated only for objects with the Image artifact type. In this section, a report cannot be generated for other types of artifacts.

[Topic 273843]

Image scanning in CI/CD processes

Kaspersky Container Security allows you to scan images that are used in CI/CD. To scan images from CI/CD, you should configure the integration of Kaspersky Container Security with CI/CD processes.

Data from listening to and intercepting network traffic must be securely transferred between the CI/CD environment and the solution.

To scan images or repositories (in order to scan configuration files) used in the CI/CD process, add a stage to the CI/CD pipeline that runs the Kaspersky Container Security scanner.

To scan images from CI/CD, in the configuration file used to integrate the repository, specify the API_BASE_URL (web-address of the Kaspersky Container Security API server) and API_TOKEN (token to access API of the Kaspersky Container Security) environment variables for the scanner. You must also specify API_CA_CERT (certificate for verifying host server of the API solution) or SKIP_API_SERVER_VALIDATION = true to skip this scan.

The scanning results are forwarded to the server and displayed in the Management Console in the Resources → CI/CD section. The provided table lists the images that were scanned, shows the results of the risk assessment, and indicates the detected vulnerabilities.

You can click the image name link to open a page with detailed information about image scanning results. This page is similar to the page showing the results of registry images scanning.

Kaspersky Container Security also displays the type of artifact for each object. Two main artifacts are used:

• File system is repository containing configuration files.
• Container image is template used for runtime implementation of the container.

For each scan object, you can specify the build number (BUILD_NUMBER) and the build

For CI/CD images, rescanning is not provided.

Kaspersky Container Security performs the following types of scans in CI/CD:

• Scanning images from the image registry. The solution runs a scan after a successful build and saves the image into the image registry.
• Scanning of images in TAR archives. A TAR archive is stored as a build artifact that the solution scans in the next build pipeline.
• Scanning a Git repository, which can be performed in one of the following ways:
  • for a project branch (individual development path) in the Git repository
  • for a commit (state snapshot or checkpoint in the project's timeline)

To scan an image from an image registry:

Start the scan by running a command in the following format:

/scanner [TARGET] --stdout

where:

• <TARGET>—full address of the image in the registry;
• <--stdout> is the output to the security event log.

To access the registry, enter in the environment variables the login COMPANY_EXT_REGISTRY_USERNAME password (token) COMPANY_EXT_REGISTRY_PASSWORD.

Examples of scanning images in GitLab CI/CD and Jenkins CI/CD.

To scan an image from a TAR archive:

1. Build an image and save it as a TAR archive using any application for creating containerized images.
2. Start the scan by running a command in the following format:

   /scanner [TARGET] --file --stdout

   where:

   • <TARGET>—path to the file with the image to be scanned
   • <--file>—flag indicating scanning of the TARGET file
   • <--stdout> is the output to the security event log.

   Example of a configuration file with settings for scanning a TAR archive

   stages:

   - build_tar

   - scan_tar

   - push_image

   build_tar:

   stage: build_tar

   tags:

   - k8s

   - docker

   image:

   name: gcr.io/kaniko-project/executor:v1.9.0-debug

   entrypoint: [""]

   dependencies:

   - scan_source_branch

   - scan_source_commit

   script:

   - mkdir -p /kaniko/.docker

   - echo "${DOCKER_AUTH_CONFIG}" > /kaniko/.docker/config.json

   - /kaniko/executor

   --context "${CI_PROJECT_DIR}"

   --dockerfile "${CI_PROJECT_DIR}/Dockerfile"

   --destination "${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME}"

   --compressed-caching=false

   --build-arg GITLAB_USER=gitlab-ci-token

   --build-arg GITLAB_TOKEN=${CI_JOB_TOKEN}

   --no-push

   --tarPath=image.tar

   artifacts:

   paths:

   - image.tar

   expire_in: 2 hours

   scan_tar:

   stage: scan_tar

   tags:

   - k8s

   - docker

   dependencies:

   - build_tar

   image:

   name: "company.gitlab.cloud.net:5050/companydev/example/scanner:master-with-db"

   pull_policy: always

   entrypoint: [""]

   variables:

   API_BASE_URL: ${API_BASE_URL}

   API_TOKEN: ${API_TOKEN}

   API_CA_CERT: ${KCS_CA_CERT}

   script:

   - /scanner image.tar --file --stdout

   artifacts:

   paths:

   - image.tar

   expire_in: 2 hours

   push_image:

   stage: push_image

   tags:

   - k8s

   image:

   name: gcr.io/go-containerregistry/crane:debug

   entrypoint: [""]

   dependencies:

   - scan_tar

   script:

   - mkdir -p $HOME/.docker

   - echo "${DOCKER_AUTH_CONFIG}" > $HOME/.docker/config.json

   - /ko-app/crane push image.tar "${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME}"

To scan the Git repository:

1. In the configuration file of the Git repository, in the environment variables specify the token to access the repository (GITHUB_TOKEN or GITLAB_TOKEN).
2. Start the scan by running a command in the following format:

   /scanner [TARGET] --repo [--branch BRANCH] [--commit COMMIT] --stdout

   where:

   • <TARGET>—web address (URL) of the Git repository
   • <--repo> —flag indicating scanning of the TARGET file
   • <--branch BRANCH>—branch of the repository to be scanned
   • <--commit COMMIT>—hash of the commit to be scanned
   • <--stdout> is the output to the security event log.

   Example of a configuration file with environment variables for scanning an image from a Git repository

   stages:

   - scan_source_branch

   - scan_source_commit

   scan_source_branch:

   stage: scan_source_branch

   image:

   name: "company.gitlab.cloud.net:5050/companydev/example/scanner:master-with-db"

   pull_policy: always

   entrypoint: [""]

   tags:

   - k8s

   - docker

   variables:

   API_BASE_URL: ${API_BASE_URL}

   API_TOKEN: ${API_TOKEN}

   API_CA_CERT: ${KCS_CA_CERT}

   script:

   - GITLAB_TOKEN=${CI_JOB_TOKEN} /scanner --repo ${CI_REPOSITORY_URL} --branch ${CI_COMMIT_BRANCH} --stdout

   scan_source_commit:

   stage: scan_source_commit

   image:

   name: "company.gitlab.cloud.net:5050/companydev/example/scanner:master-with-db"

   pull_policy: always

   entrypoint: [""]

   tags:

   - k8s

   - docker

   variables:

   API_BASE_URL: ${API_BASE_URL}

   API_TOKEN: ${API_TOKEN}

   API_CA_CERT: ${KCS_CA_CERT}

   script:

   - GITLAB_TOKEN=${CI_JOB_TOKEN} /scanner --repo ${CI_REPOSITORY_URL} --commit ${CI_COMMIT_SHA} --stdout

Scan results can be viewed in Resources → CI/CD, or downloaded in the .SPDX, .JSON, and .HTML formats.

[Topic 271088]

Configuring integration with GitLab CI/CD

This example uses a specific scanner image with the built-in vulnerability databases located in the image registry of the Kaspersky Container Security manufacturer.

To use the image scanning feature in the GitLab CI/CD process, you should enable the use of the GitLab Container Registry.

Integration configuration includes the following steps:

1. Authorization of GitLab CI/CD in the image registry of the Kaspersky Container Security manufacturer.
   1. On the cluster operator's workstation, prepare a Base64 hash of the authorization data by running the following command:

      printf "login:password" | openssl base64 -A

      where login and password are the user name and password of an account in the image registry of the Kaspersky Container Security manufacturer.

   2. In the GitLab CI/CD environment variables, create the DOCKER_AUTH_CONFIG variable (in the GitLab repository select Settings → CI/CD, click the Expand button to expand Variables, and then click the Add variable button).
   3. Specify the variable in the following form:

      {

      "auths": {

      "repo.cloud.example.com": {

      "auth": "base64hash"

      }

      }

      }

      where base64hash is the string obtained in step 1a.

2. Authorization of requests from GitLab CI/CD when sending data to Kaspersky Container Security.
   1. Copy the API token on the My profile page.
   2. Specify the copied API token value in the API_TOKEN variable in the .gitlab-ci.yml configuration file.
3. Adding the image scanning stage to the CI/CD process.

   To add scanning to the CI/CD pipeline, you should add the following lines to the .gitlab-ci.yml file:

   1. Add information about the scanner image that contains databases of vulnerabilities and other malicious objects after the code build stage in the following form:

      scan_image:

      stage: scanner

      image:

      name: repo.cloud.example.com/repository/company/scanner:v2.0-with-db

      entrypoint: [""]

      pull_policy: always

      We recommend that you specify always for the pull_policy parameter to receive relevant builds with updated databases of vulnerabilities and other malicious objects for each scan.

   2. Specify the tag, build ID, pipeline ID and API token for authorization of the CI/CD scanner requests to Kaspersky Container Security as follows:

      SCAN_TARGET: ${CI_REGISTRY_IMAGE}:master

      BUILD_NUMBER: ${CI_JOB_ID}

      BUILD_PIPELINE: ${CI_PIPELINE_ID}

      API_TOKEN: <API token value>

      The example here contains the master tag, you can also specify another tag.

   3. If you configure scanning for a private repository, specify the authorization data to ensure the scanner can access an image. The authorization data can be set as variables.

      COMPANY_EXT_REGISTRY_USERNAME: ${COMPANY_EXT_REGISTRY_USERNAME}

      COMPANY_EXT_REGISTRY_PASSWORD: ${COMPANY_EXT_REGISTRY_PASSWORD}

   4. If necessary, specify a variable to check the data receiving server in CI/CD using the CA certificate of the Ingress controller:

      API_CA_CERT: ${KCS_CA_CERT}

      The CA certificate of the Ingress controller is specified in the text field as a string in the .PEM format:

      ----- BEGIN CERTIFICATE ----- \ n... <certificate details> ...\ n ----- END CERTIFICATE -----

      If the API_CA_CERT variable is not set, scanning will start but will not be completed.

      Use of the CA certificate of the Ingress controller allows the scanner running in CI/CD to verify the authenticity of the data receiving server.

      If you use a self-signed certificate, or want to skip checking the data receiving server using the CA certificate of the Ingress controller, specify the value of the variable to skip the check as follows:

      SKIP_API_SERVER_VALIDATION: 'true'

   5. Specify the web address of the API host server for Kaspersky Container Security:

      API_BASE_URL: <web address>

      variables:

      API_BASE_URL: ${API_BASE_URL}

      script:

      - /bin/sh /entrypoint.sh $SCAN_TARGET --stdout > artifact-result.json

      artifacts:

      paths:

      - artifact-result.json

After configuring integration with an external registry, you can scan images within the CI/CD process, including scanning in SBOM mode. Scan results can be viewed in Resources → CI/CD, or downloaded in the .SPDX, .JSON, and .HTML formats.

[Topic 271087]

Configuring integration with Jenkins CI/CD

Configuring integration with Jenkins CI / CD consists of the following steps:

1. Authorization of Jenkins CI/CD in the image registry of the Kaspersky Container Security manufacturer. To do so, on the cluster operator's workstation, prepare a Base64 hash of the authorization data by running the following command:

   printf "login:password" | openssl base64 -A

   where login and password are the user name and password of an account in the image registry of the Kaspersky Container Security manufacturer.

2. Authorization of Kaspersky Container Security API. To perform authorization, complete the following steps:
   1. Copy the API token on the My profile page.
   2. Specify the copied API token value in the API_TOKEN variable in the Jenkinsfile configuration file.
3. Authentication of the data receipt server in CI/CD using the CA certificate of the Ingress controller. To perform authentication, in the Jenkinsfile configuration file, specify one of the following variables:
   1. -e API_CA_CERT=${KCS_CA_CERT} means the authentication is performed, and the scanner started in CI/CD can make sure the receiving server is authentic.
   2. -e SKIP_API_SERVER_VALIDATION=true means authentication of the receiving server using the CA certificate of the Ingress controller is not performed.
4. Creating Jenkins environment variables.

   To create environment variables, add the following lines to Jenkinsfile:

   1. Add information about the container registry where the scanner is located as follows:

      LOGIN: the name of the account in the scanner registry

      PASS: the password for the scanner registry

   2. If you configure scanning for a private repository, specify the following authorization data to ensure the scanner access to an image:

      COMPANY_EXT_REGISTRY_USERNAME: the name of the account in the registry of the scanned image

      COMPANY_EXT_REGISTRY_PASSWORD: the password for the registry of the image being scanned

5. Adding information to start the scanner. Information for starting the scanner that contains databases of vulnerabilities and other malicious objects is added to the Jenkinsfile configuration file in the form of a declarative or scripted pipeline.

   Example of information for starting the scanner in the form of a declarative pipeline

   pipeline {

   agent any

   stages {

   stage('run scanner') {

   steps {

   sh 'docker login -u ${LOGIN} -p ${PASS} company.example.com'

   sh 'docker run -e API_BASE_URL=https://kcs.cust02.int.example.com/ -e SKIP_API_SERVER_VALIDATION=true -e API_TOKEN=${API_TOKEN} -e COMPANY_EXT_REGISTRY_USERNAME=${COMPANY_EXT_REGISTRY_USERNAME} -e COMPANY_EXT_REGISTRY_PASSWORD=${COMPANY_EXT_REGISTRY_PASSWORD} company.example.com:5050/company/kcs/scanner:v2.0.0-with-db jfrog.company.com/demo-kcs/bad:bad-project-test --html --stdout > result.html'

   }

   }

   }

   }

   Example of data for starting a scanner in the form of a scripted pipeline

   node {

   stage ('run scanner') {

   sh 'docker login -u ${LOGIN} -p ${PASS} company.example.com'

   sh 'docker run -e API_BASE_URL=https://kcs.cust02.int.company.com/ -e API_CA_CERT=${KCS_CA_CERT} -e API_TOKEN=${API_TOKEN} -e COMPANY_EXT_REGISTRY_USERNAME=${COMPANY_EXT_REGISTRY_USERNAME} -e COMPANY_EXT_REGISTRY_PASSWORD=${COMPANY_EXT_REGISTRY_PASSWORD} company.example.com:5050/company/kcs/scanner:v2.0.0-with-db jfrog.company.com/demo-kcs/bad:bad-project-test --html --stdout > result.html'

   }

   }

6. Generating an artifact for downloading.

   You can generate an artifact for downloading in the .HTML, or .JSON format to receive the scan results. You can specify an artifact format in --stout as follows:

   pipeline {

   agent any

   stages {

   stage('run scanner') {

   steps {

   sh 'docker login -u ${LOGIN} -p ${PASS} company.example.com'

   sh 'docker run -e API_BASE_URL=https://kcs.int.company.com -e SKIP_API_SERVER_VALIDATION=true -e API_TOKEN=${API_TOKEN} -e COMPANY_EXT_REGISTRY_USERNAME=${COMPANY_EXT_REGISTRY_USERNAME} -e COMPANY_EXT_REGISTRY_PASSWORD=${COMPANY_EXT_REGISTRY_PASSWORD} company.example.com:5050/company/kcs/scanner:v2.0.1-lite jfrog.company.com/demo-kcs/bad:bad-project-test --html --stdout > result.html'

   }

   }

   stage('archive') {

   steps {

   archiveArtifacts artifacts: 'result.html'

   }

   }

   }

   }

   To generate a .JSON artifact, rewrite the --html --stdout> result.html' line in the example above as follows:

   --json --stdout > result.json',

   and in the archiveArtifacts artifacts line, specify the file name in the defined format: 'result.json'.

   Scan results can be obtained in the format you specified and can also be viewed in the Resources → CI/CD section.

[Topic 275732]

Configuring integration with TeamCity CI/CD

To configure integration with TeamCity CI/CD:

1. Copy the API token on the My profile page to authorize the Kaspersky Container Security API in TeamCity.
2. In the settings menu in the TeamCity web interface, select Build Configuration Home → Parameters.
3. Click Add new parameters to add the values of the following environment variables:
   • API_TOKEN— specify the copied value of the Kaspersky Container Security API token.
   • API_BASE_URL — specify the URL of Kaspersky Container Security.
   • RUST_BACKTRACE — If necessary, specify full to use backtracing.
   • SKIP_API_SERVER_VALIDATION — specify true if you are using a self-signed certificate or if you need to skip authentication of the receiving server using the CA certificate of the Ingress controller.
4. Go to the Build Configuration Home → Build Step: Command Line section and click Add build step to add a build step.
5. In the window that opens, specify the following settings of the build step:
   • In the Runner type drop-down list, select Command Line.
   • In the Run drop-down list, select Custom script.
   • In the Custom script field, specify the path to the container for scanning (for example, /bin/sh /entrypoint.sh nginx:latest).
6. Under Docker Settings, specify the following settings:
   • In the Run step within Docker container field, specify the address of the scanner in the Docker registry. For example, company.gitlab.cloud.net:5050/companydev/example/scanner:v2.0.0-with-db.
   • In the Additional docker run arguments field, increase the privilege value to --privileged.
7. Click Save to save the settings.
8. Click Run in the upper-right corner of the page to start the build.
9. If necessary, download the scan results artifact, which is available on the Artifacts tab on the build scan results page in the TeamCity web interface.

Page top

[Topic 265788]

Defining the path to container images

To start scanning, the solution needs to determine the path to the container images that need to be scanned. The path to container images can be specified in two ways:

• By specifying an image tag after the registry name, repository name, and image name. The tag is a changeable and easy-to-read description of the image.

  In this case, the path looks as follows: <registry>/<repository>/<image name>:<tag>. For example, http://docker.io/library/nginx:1.20.1.

• By specifying an image digest after the registry name, repository, and image name. A digest is an integral internal property of an image, specifically a hash of its contents (the SHA256 hash algorithm is used).

  When using a digest, the path is formed as follows: <registry>/<repository>/<image name><digest>. For example, http://docker.io/library/nginx@sha256:af9c...69ce.

A tag can match different digests, whereas digests are unique for each image.

Depending on the method used to specify the image path, Kaspersky Container Security performs one of the following actions before scanning:

• Converts the tag to a trusted digest.
• Checks whether the digest specified in the image path is trusted. A digest is considered trusted if it ensures the required degree of confidence in maintaining the desired protection relative to the object encoded using the hash algorithm.

Only trusted digests are sent to the container runtime.

Before running a container, the content of the image is compared with the received digest. To recognize a digest as trusted and the image as not corrupted, Kaspersky Container Security checks the integrity and authenticity of the image signature.

Page top

[Topic 263762]

Monitoring the integrity and origin of images

When scanning images in CI/CD, Kaspersky Container Security protects against image spoofing at the registry level. The integrity and origin of images of containers deployed in an orchestrator cluster is controlled by verifying image signatures, starting at the build stage in CI.

Image integrity is monitored in two stages:

• Container images are signed after they are created. This process is implemented using external signature applications.
• Image signatures are checked before images are deployed.

  The solution saves a signature key, which is based on the SHA256 hash function and used as the code for signature validation. When deployed in an orchestrator, Kaspersky Container Security asks the signature server to confirm the authenticity of the signature.

Kaspersky Container Security checks image signatures as follows:

1. In the Administration → Integrations → Image signature validators section, you can configure the settings for integrating the solution with external image signature validation applications.
2. In the Policies → Runtime → Policies section, a runtime policy is added to protect the content of the image. This runtime policy validates the authenticity of signatures. Digital signatures are validated based on the configured image signature validators.
3. The orchestrator starts image deployment and uses a
   dynamic admission controller

   A configurable controller to access Kubernetes that helps enforce policies and supports the management and control system.

   to make a deployment request to the agent (kube-agent).

   To send the request to the Kaspersky Container Security agent, configure the dynamic admission controller in the values.yaml configuration file.

4. Based on the applicable runtime policy, the agent checks the signature validation settings configured in the Administration → Integrations → Image signature validators section.
5. If the check confirms the authenticity and validity of the signature, the solution allows image deployment. Otherwise, deployment is blocked.

[Topic 264539]

Running the scanner in SBOM mode

Kaspersky Container Security allows you to start a scanner to check images for vulnerabilities in

The advantages of using SBOM are the following:

• Less resources required to scan images for vulnerabilities.
• Reduced scanning time due to automatic verification of correct operation and proper use of solution components.
• Capability to scan all existing vulnerabilities in an image without exceptions.
• High reliability of scanning results.

In CI/CD, the scanning process consists of two stages: receiving an SBOM file and scanning an image based on the received SBOM file. The image scanning process is implemented as follows:

• The CI/CD scanner generates a list of image components and sends the generated artifact to Kaspersky Container Security.
• Using the image handler, the solution forwards the received SBOM file to the scanner for scanning.

For subsequent scanning, Kaspersky Container Security generates an SBOM file in the

To generate an SBOM file in the .SPDX format when the scanner operates with SBOM creation:

Enter the following command in the .gitlab-ci.yml configuration file:

- /bin/sh /entrypoint.sh $SCAN_TARGET --sbom-json --spdx --stdout > example.spdx

where:

<--sbom-json> indicates the creation of an SBOM file.

<--spdx> indicates that an artifact is generated in the .SPDX format.

<--stdout > example.spdx> indicates data output to a file in the .SPDX format.

To generate an SBOM file in the .JSON format when the scanner operates with SBOM creation:

Enter the following command in the .gitlab-ci.yml configuration file:

- /bin/sh /entrypoint.sh $SCAN_TARGET --sbom-json --stdout > example.json

where:

<--sbom-json> indicates the creation of an SBOM file.

<--stdout > example.json> indicates data output to a file in .JSON format.

The resulting file (for example, example.json) is specified as an artifact: artifacts: paths:

Scanning using an SBOM file is only applicable when scanning an image for vulnerabilities. If your CI/CD process requires scanning for other risks and threats (such as misconfigurations), you must separately run the corresponding scanning and add its results to the image handler in addition to the SBOM file.

[Topic 265362]

Getting scan results in JSON or HTML format

When using Kaspersky Container Security to scan images in CI/CD, you can generate and save an artifact with the scan results within your CI/CD platform. This can be done using a configuration file of the external repository system that is integrated with the solution. For example, you can use a .gitlab-ci.yml configuration file in GitLab.

You can generate an artifact containing scan results in the following scenarios:

• When the scanner conducts a complete CI/CD scan - scanning results file can be generated in the .HTML format or the .JSON format.
• When the scanner operates with SBOM creation - file containing scanning results can be generated in the .SPDX format or the .JSON format.

To generate a scan results file in .HTML format:

Enter the following command in the .gitlab-ci.yml configuration file:

- /bin/sh /entrypoint.sh $SCAN_TARGET --html --stdout > example.html

where:

<--html> indicates that an artifact is generated in .HTML format.

<--stdout > example.html> indicates data output to a file in .HTML format.

To generate a scan results file in .JSON format when performing a complete CI/CD scan:

Enter the following command in the .gitlab-ci.yml configuration file:

- /bin/sh /entrypoint.sh $SCAN_TARGET --stdout > example.json

where:

<--stdout > example.json> indicates data output to a file in .JSON format.

The resulting file (for example, example.json) is specified as an artifact: artifacts: paths:

Page top

[Topic 276521]

Running the scanner in lite SBOM mode

Kaspersky Container Security allows you to start a scanner to check images for vulnerabilities in the lite SBOM mode. In this case, the solution scans a specially created SBOM file, and the results of this scan become available at the CI/CD stage.

Data from listening to and intercepting network traffic must be securely transferred between the CI/CD environment and the solution.

You can generate an artifact for download in the .SPDX, .HTML, or .JSON format to receive the results.

Running a scanner in GitLab

To start the scanner in lite SBOM mode in GitLab, when configuring image scanning in CI/CD process, edit the .gitlab-ci.yml configuration file as follows:

1. Add information about the image of the scanner that is started for image scanning in CI/CD as follows:

   scan_image:

   stage: scanner

   image:

   name:repo.cloud.example.com/repository/company/scanner:v.2.0-lite

   entrypoint: [""]

   pull_policy: always

2. Specify the orchestration platform tag as follows:

   k8s

   In the example provided, the k8s tag is specified for Kubernetes, you can also specify the tag for another supported orchestration platform.

3. Specify such variables as the build ID, private repository details, pipeline ID and API token for authorization of the CI/CD scanner requests to Kaspersky Container Security as follows:

   SCAN_TARGET: ${CI_REGISTRY_IMAGE}:master

   COMPANY_EXT_REGISTRY_USERNAME: ${COMPANY_EXT_REGISTRY_USERNAME}

   COMPANY_EXT_REGISTRY_PASSWORD: ${COMPANY_EXT_REGISTRY_PASSWORD}

   BUILD_NUMBER: ${CI_JOB_ID}

   BUILD_PIPELINE: ${CI_PIPELINE_ID}

   API_TOKEN: <API token value>

4. If necessary, specify a variable to check the data receiving server in CI/CD using the CA certificate of the Ingress controller:

   API_CA_CERT: ${KCS_CA_CERT}

   If the API_CA_CERT variable is not set, scanning will start but will not be completed.

5. Specify the web address of the API host server for Kaspersky Container Security:

   API_BASE_URL: <web address>

6. Specify the command to create an SBOM file when the scanner is started in one of the following supported formats:
   • To generate an artifact in the .JSON format:

     script:

     - /bin/sh /entrypoint.sh $SCAN_TARGET --stdout > artifact-result.json

     artifacts:

     paths:

     - artifact-result.json

   • To generate an artifact in the .HTML format:

     script:

     - /bin/sh /entrypoint.sh $SCAN_TARGET --html --stdout > artifact-result.html

     artifacts:

     paths:

     - artifact-result.html

   • To generate an artifact in the .SPDX format:

     script:

     - /bin/sh /entrypoint.sh $SCAN_TARGET --spdx --stdout > artifact-result.spdx

     artifacts:

     paths:

     - artifact-result.spdx

Example of the scanner configured to operate in the lite SBOM mode and the artifact generation in the .HTML format in GitLab

Running a scanner in Docker

To start the scanner in lite SBOM mode in Docker:

1. Specify the web address of the API host server for Kaspersky Container Security:

   -e API_BASE_URL=https://company.local

2. Specify the value of the variable to skip checking the data receiving server using the CA certificate of the Ingress controller:

   -e SKIP_API_SERVER_VALIDATION=true

3. Specify the API token for authorization of the CI/CD scanner requests to Kaspersky Container Security as follows:

   -e API_TOKEN=<API token value>

4. Specify data to start the scanner:

   repo.kcs.company.com/images/scanner:v2.0-lite

5. If you need to generate an artifact for downloading in the .SPDX, .HTML, or .JSON format, specify the following:

   - <artifact format> --stdout> result. <file format>

   For example:

   --html --stdout > result.html

6. Press the Enter key to start the scanner.

   If a domain name resolution error - Name does not resolve - appears when calling the scanner, you must specify the address before the API_BASE_URL variable before the internal DNS server of your organization. For example:

   --dns 10.0.xx.x

   API_BASE_URL: https://company.local/

Example of the scanner configured to operate in the lite SBOM mode and the artifact generation in the .JSON format in Docker

Scan results can be obtained in the format you specified and can also be viewed in the Resources → CI/CD section.

[Topic 281598]

Specifying secrets when starting a scan

When starting a scan job in the CI/CD process, the registry containing the scanner image (the lite or with-db scanner for the corresponding version of Kaspersky Container Security) can be accessible only after authorization. For authorization, you can pass the required secrets in the scan job.

To be authorized for access to the registry when starting a scan job:

1. Create a secret:

   kubectl create secret docker-registry ci-creds --docker-server=client.repo.example.com --docker-username=username --docker-password=password

2. In the scan job, specify the value of the imagePullSecrets variable:

   imagePullSecrets:

   - name: ci-creds

3. Start the scan job.

   Example of a scan job with secrets for authorization

   kind: Job

   metadata:

   name: my-job

   spec:

   template:

   spec:

   containers:

   - name: my-container

   image: client.repo.example.com/scanner:master

   command: ["/bin/sh"]

   args: ["entrypoint.sh", "apline:latest"]

   env:

   - name: COMPANY_EXT_REGISTRY_USERNAME

   value: another_username

   - name: COMPANY_EXT_REGISTRY_PASSWORD

   value: another_password

   - name: API_BASE_URL

   value: https://some.kcs.env.example

   - name: API_TOKEN

   value: kcs_blablabla

   - name: SKIP_API_SERVER_VALIDATION

   value: 'true'

   imagePullPolicy: Always

   restartPolicy: Never

   imagePullSecrets:

   - name: ci-creds

   backoffLimit: 0

In this example, the scan job contains the following secrets:

• The secret for downloading the scanner image (specified in the imagePullSecrets variable).
• The password for downloading the image to be scanned if access to the relevant registry is restricted (specified in the COMPANY_EXT_REGISTRY_PASSWORD variable).

You can omit these passwords if the registry that the solution gains access to when running a scan job is accessible without authorization.

[Topic 265760]

Configuring integration with image signature validators

Kaspersky Container Security can verify the authenticity and validity of the digital signatures of images. To use this functionality, you need to configure integration of the solution with one or more external signature applications. The specifics of signing an image digest, the location of signatures, and protecting signatures depend on the signature application you have selected. The solution supports two configurable external signature validation applications:

• Notary v1 is a web service developed by Docker that is used to ensure the security of containers at various stages of their life cycle, including the creation and subsequent storage of signatures.
• Cosign is a web service designed to create signatures for containers, verify signatures, and place signed containers in repositories. The tool was developed as part of the
  Sigstore

  This project aimed to develop and provide tools and services for the verification of software through the use of digital signatures. Sigstore also maintains a public registry to confirm the authenticity of changes to an image.

  project.

You can configure integration with an image signature validator in the Administration → Integrations → Image signature validators section.

[Topic 274593]

Viewing the list of integrations with signature validators

In the Administration → Integrations → Image signature validators section, a table of all configured integrations with image signature validators is displayed.

The table displays the following information about the integrated image signature validators:

• Name of the validator
• Description, if one was specified when creating the integration
• Type of the image signature validator—Notary v1 or Cosign.
• Web address to which the image signature validator connects

In the table, you can:

• Add new integrations with signature verification modules. Click Add signature validator above the list to open the integration settings window.
• View and edit the settings for integration with an image signature verification module. You can open the editing window by clicking the link on the verification module name.
• Remove an integration with an image signature validator.

[Topic 265764]

Adding an integration with an image signature validator

To add an integration with an image signature validator:

1. In the Administration → Integrations → Image signature validators section, click the Add signature validator button.

   The integration settings window opens.

2. In the General information section, enter a policy name and, if necessary, a policy description.
3. In the Type section, select one of the following signature validators:
   • Notary v1.
   • Cosign.
4. Depending on the selected signature validator, specify the server authentication credentials:
   • For Notary v1, specify the following settings:
     • Web address – the full web address of the server where image signatures are stored.
     • Signature server authentication secret name – the name of the orchestrator secret with credentials for accessing the server where image signatures are stored.

       The secret must be in the Kaspersky Container Security namespace.

     • Certificate – a self-generated certificate for the server where signatures are stored. The certificate is provided in .PEM format.
     • Delegations – list of signature holders participating in the signing process.
     • Under Trusted roots, specify the pairs of all public keys that the solution will check during signature verification. A key pair includes the name and value of the key.

       If necessary, you can add additional keys by clicking the Add key pair button. The solution supports up to 20 key pairs.

   • For Cosign, specify the following settings:
     • Signature server authentication secret name – the name of the orchestrator secret with credentials for accessing the server where image signatures are stored.

       The secret must be in the Kaspersky Container Security namespace.

     • Certificate – a self-generated certificate for the server where signatures are stored. The certificate is provided in .PEM format.
     • Under Trusted roots, specify the pairs of all public keys that the solution will check during signature verification. A key pair includes the name and value of the key.

       For Cosign, specify the public keys for the ECDSA or RSA algorithms provided by cosign.pub.

       If necessary, you can add additional keys by clicking the Add key pair button. The solution supports up to 20 key pairs.

     • In the Signature requirements section, specify the minimum number of signatures and signature holders who must sign the image.
5. Click the Save button in the top of the window to save the settings for integration with an image signature validator.

You can use the configured integration in runtime policies to ensure protection of the image content.

[Topic 265792]

Viewing and editing information about integration with an image signature validator

To view and edit the settings for integration with an image signature validator:

1. In the Administration → Integrations → Image signature validators section, click the integration name link in the list of integrations with signature validators.
2. If necessary, in the window that opens, edit the integration settings, which depend on the selected signature validator, as follows:
   • For Notary v1, you can modify the following settings:
     • Validator name.
     • Description.
     • URL.
     • Signature server authentication secret name.
     • Certificate.
     • Delegations.
     • Key name.
     • Key value.
   • For Cosign, you can modify the following settings:
     • Signature server authentication secret name.
     • Certificate.
     • Key name.
     • Key value.
     • Threshold.
     • Required signers.
3. If necessary, add key pairs by clicking the Add key pair button.
4. Click the Save button in the upper part of the window.

[Topic 274595]

Removing an integration with an image signature validator

To remove an integration with an image signature validator:

1. Open the list of the configured integrations with image signature validators.
2. Select the integration that you want to delete by selecting the check box in the row with the integration name.
3. Click Delete above the table.

   The Delete button becomes enabled after you select one or more integrations.

4. In the window that opens, confirm the deletion.

[Topic 250406]

Setting up integration with notification outputs

Kaspersky Container Security can notify users about events while operating in accordance with the response policy settings. To use the notification feature, you should set up an integration of Kaspersky Container Security with one or more notification outputs.

Kaspersky Container Security can use the following outputs:

• Email
• Telegram instant messaging system

[Topic 274627]

Viewing the list of integrations with outputs

To view the list of configured integrations with outputs:

1. Go to the Administration → Integrations → Notifications section.
2. Depending on the type of notification you want, go to the Email tab or the Telegram tab.

The table with a list of all configured integrations displays the following information about existing integrations:

• Integration name.
• Updated by.
• Date and time of the last update.
• Status of the last connection to the output—Success or Error. If Error is displayed, the solution also displays a brief description of the connection error.

In the table, you can:

• Add new integrations with email or Telegram. Click Add integration above the table to open the integration settings window.
• View and edit the settings of integration with outputs. You can open the editing window by clicking the integration name link.

  In this window, you can also click Test connection to see if integration with an output is completed.

• Delete integration with outputs.

[Topic 275119]

Adding email integrations

To add an email integration:

1. Under Administration → Integrations → Notifications, in the Email section, click Add integration.

   The integration settings window opens.

2. Specify the following information in the form:
   • Name of the integration — Displayed in the response policy settings.
   • User name and password of the account used to send messages.
   • SMTP server name.
   • E-mail encryption method.
   • Port that the SMTP server uses.
   • Email address of the message sender.
   • Email addresses of message recipients. You can enter one or more addresses in this field.
3. Click Test connection to see if a connection with email can be established.
4. Click Add to save the email integration settings.

Example email integration settings

You can use the configured integration in response policies.

[Topic 275120]

Viewing information about email integration

To view and change an email integration:

1. In the Email section, under Administration → Integrations → Notifications, click the integration name link in the list of integrations.
2. In the editing window that opens, change the following integration settings if necessary:
   • Name.
   • User name.
   • Password of the user account that is used to send messages.
   • SMTP server name.
   • E-mail encryption method.
   • Port that the SMTP server uses.
   • Email address of the message sender.
   • Email addresses of message recipients.
3. Click Test connection to see if a connection with email can be established.
4. Click Save.

[Topic 275121]

Adding Telegram integrations

To add a Telegram integration:

1. Under Administration → Integrations → Notifications, under Telegram, click Add integration.

   The integration settings window opens.

2. Specify the following information in the form:
   • Name of the integration — Displayed in the response policy settings.
   • ID of the chat to post the messages — you can get the ID in the following way:
     1. Write the first message to the message bot. The chat ID is generated the first time a message is sent.
     2. In the address bar of your browser, type:

        https://api.telegram.org/bot<token>/getUpdates

        where <token> is the token of the message bot.

     3. In the received .json response file, find the "ID" value in the "chat" object. This is the chat ID.

     After changing the message history visibility settings for new participants in a Telegram chat, the chat ID is also changed. In this case, you must change the Telegram integration settings and specify the new value for the chat ID.

   • Token of the message bot — you receive this token as a result of executing the /newbot command in the BotFather bot to create a bot. You can also get the token of a previously created bot by running the /token command.
3. Click Test connection to see if a connection with Telegram can be established.
4. Click Add to save the Telegram integration settings.

Example Telegram integration settings

You can use the configured integration in response policies.

[Topic 275122]

Viewing and editing information about integration with Telegram

To view and change a Telegram integration:

1. Under Telegram in the Administration → Integrations → Notifications section, click the integration name link in the list of integrations.
2. In the editing window that opens, change the following integration settings if necessary:
   • Name.
   • Chat ID.
   • Bot token.
3. Click Test connection to see if a connection with Telegram can be established.
4. Click Save.

[Topic 274659]

Deleting integrations with notification outputs

To delete email integration or Telegram integration:

1. Open the list of configured email or Telegram integrations in the Administration → Integrations → Notifications section.
2. Select the integration that you want to delete by selecting the check box in the row with the integration name.
3. Click Delete above the table.

   The Delete button becomes enabled after you select one or more integrations.

4. In the window that opens, confirm the deletion.

You cannot delete an integration that is used in one or more response policies.

[Topic 254129]

Configuring LDAP server integration

Kaspersky Container Security lets you connect to servers of external

Connection to an external directory service over the LDAP protocol enables you to perform the following tasks:

• Configure user accounts to take into account data from an external directory service for working with Kaspersky Container Security.
• Correlate user roles in Kaspersky Container Security to groups of users from Active Directory. Users in these groups will be able to use their domain account credentials to log in to the solution web interface and access application functionality based on their assigned role.

  We recommended that you create these user groups in Active Directory in advance to allow them to complete authorization using their domain accounts in the Kaspersky Container Security web interface.
  An email address must be indicated for user accounts in Active Directory.

[Topic 274660]

Viewing, configuring, or deleting an LDAP server integration

To view the LDAP server connection:

Go to the Administration → Integrations → LDAP section.

Kaspersky Container Security displays the following information about the connected LDAP server:

• The web address of the connected LDAP server.
• The status of the last server connection—Success, Not available, or Error. If Error is displayed, the solution also displays a brief description of the connection error.

To edit LDAP server integration settings:

In the Administration → Integrations → LDAP section, click the Edit settings button.

Kaspersky Container Security opens the page containing the form for LDAP server integration data.

To delete an integration with an LDAP server:

1. In the Administration → Integrations → LDAP section, click Delete integration.
2. In the window that opens, confirm the deletion.

[Topic 286667]

Testing connection with LDAP server

To test connection with the LDAP server:

1. Go to the Administration → Integrations → LDAP section.
2. Do one of the following:
   • If the integration with the LDAP server is created, click the Test connection button.
   • If you are creating an integration with an LDAP server or editing its settings, click Test connection below the form for LDAP server integration data.

Kaspersky Container Security will display a notification informing you of the connection to the LDAP server or a failure to establish the connection.

Page top

[Topic 254187]

Gaining access to Active Directory group

After the integration with the LDAP server is configured, you can specify an Active Directory group for each Kaspersky Container Security role. After authorizing their account credentials, the users from this group gain access to solution functionality based on their defined roles.

[Topic 293678]

Configuring integration with SIEM systems

Kaspersky Container Security allows connecting to

Messages are sent to a SIEM system in the

CEF:0|Kaspersky|Kaspersky Container Security|2.0|PM-002|Process management|7|dpid=1846367 spid=1845879 flexString2=0ce05246346b6687cb754cf716c57f20f226e159397e8e5985e55b448cb92e3f flexString2Label=Container ID cs6=alpine cs6Label=Container name outcome=Success

The transmitted message consists of the following components:

• The
  Syslog

  A standard for sending and logging system event messages used for the UNIX and GNU/Linux platforms.

  header, which specifies the date, time, and host name.
• Prefix and CEF version number.
• Device vendor.
• Solution name.
• Solution version.
• Solution-generated unique event type code.
• Event description.
• Event severity assessment.
• Additional information, such as device IP address, event reason, event result, and event status.

For detailed information about the components, refer to the CEF message value matching table.

[Topic 293652]

Matching of CEF message fields

CEF messages are sent in the English language.

The table below lists the man components of the header and body of CEF messages sent by Kaspersky Container Security.

Components and values of CEF message components

Additional information about an event which is transferred by Kaspersky Container Security

Page top

[Topic 282786]

Creating an integration with a SIEM system

To add a SIEM integration:

1. In the Administration → Integrations → SIEM section, click Add SIEM.

   A sidebar is displayed, in which you can enter the parameters of SIEM system.

2. On the General tab, specify the following required parameters:
   • Name of the SIEM system.
   • Protocol for connecting to the SIEM system. TCP is selected by default.
   • Address of the SIEM system server in one of the following formats:
     • IPv4
     • IPv6
     • FQDN
   • Port for connecting to the SIEM system. You can specify ports 1 through 65535. The default setting is 514.
   • Event categories for which you want messages to be exported to the SIEM system. To configure this, select the check boxes next to one or more event categories from the following list:
     • Administration.
     • Alert.
     • CI/CD.
     • Policies.
     • Resources.
     • Scanners.
     • Admission controller.
     • Forensic data.
     • API.

       An advanced license is required to view events in the Resources, Scanners, Admission controller, and Forensic data categories.

     By default, all statuses are selected.

     Messages about selected event categories are sent to the specified SIEM system, regardless of whether it is linked to agent groups.

3. On the Agent group logs tab, select the check boxes next to one or more event types as part of node monitoring in the runtime.

   The log of event messages sent to the runtime environment can be very large, which can impact available disk space and network load.

4. If you want to verify the correctness of the specified SIEM integration parameters, click Test connection.

   The solution tests the connection to the SIEM system if the TCP connection protocol is selected. If the UDP connection protocol is selected, the Test connection button is disabled.

5. Click Save.

Page top

[Topic 283037]

Linking agent groups with a SIEM system

You can link agent groups to SIEM systems while creating agent groups or editing their parameters in the Components → Agents section.

To link an agent group in Kaspersky Container Security, you must have sufficient rights to manage agent groups; you must also create and configure at least one SIEM integration.

Page top

[Topic 283085]

Viewing and editing SIEM integration settings

To view a SIEM integration:

1. Open the list of SIEM integrations in the Administration → Integrations → SIEM section.
2. Click the integration name in the list of integrations.

To edit SIEM integration settings:

1. In the Administration → Integrations → SIEM section, click the integration name in the list of integrations.
2. If necessary, in the displayed sidebar, edit the integration parameters as follows:
   1. On the General tab, edit the following required parameters:
      • Name of the SIEM system
      • Protocol for connecting to the SIEM system
      • SIEM system server address
      • SIEM system connection port
      • Categories of events to be exported
   2. If necessary, on the Agent group logs tab, you can edit the list of network node monitoring event types selected for the runtime.
3. If TCP is used for the connection, click Test connection to see if the connection to the SIEM system is can be established.
4. Click Save.

[Topic 283084]

Deleting an integration with a SIEM system

To delete a SIEM integration:

1. Open the list of configured SIEM integrations in the Administration → Integrations → SIEM section.
2. Select the integration that you want to delete by selecting the check box in the row with the integration name.
3. Click Delete above the table.

   The Delete button becomes enabled after you select one or more integrations.

4. In the window that opens, confirm the deletion.

Page top

[Topic 294179]

Integrating with HashiCorp Vault

Kaspersky Container Security provides the ability to securely transfer passwords, tokens, and secrets using HashiCorp Vault, an external storage service. The solution generates pod annotations, which the Vault injector uses to mount the necessary secrets from storage at startup.

Kaspersky Container Security supports integration with Hashicorp Vault 1.7 or later.

Version 2.0 of Kaspersky Container Security supports working with HashiCorp Vault only in sidecar mode using sidecar containers; in this case, only the Kubernetes authentication method is supported.

If the service accounts for pods are not defined, and default service accounts are used, we recommend against assigning roles dedicated to the storage to such service accounts, in line with a critical security requirement.

Values of HashiCorp Vault settings are specified in the values.yaml configuration file and deployed when the Helm Chart package is launched.

HashiCorp Vault settings are configured in the values.yaml configuration file as follows:

• If the enabled setting in the vault block is set to false, integration with the vault is not used.
• If the enabled setting in the vault block is set to true, integration with the vault is enabled, and the values of the variables in the vault settings block take precedence.

The vault settings block contains the following sections:

• secret – to specify secrets and credentials.
• certificate – to specify certificates and certificate keys.

The secret section lists the paths to files that contain the secrets for the following parameters:

• Secrets of proxy servers for requests to the external information environment.
• Credentials for the PostgreSQL database.
• Credentials for an s3-compatible file storage for storing files that are generated by the solution.
• Credentials for the ClickHouse database management system.

Secrets are specified in key:value format

where:

• <key> is the name of the environment variable
• <value> is the full path to the secret in the secret storage, followed by the @ sign and the name of the key of the secret created in the storage.

For example: POSTGRES_USER: kv/secret/kcs/psql@POSTGRES_USER

To get a certificate, in the vault.certificate section, you must specify the following in the fields:

• To get a CA certificate, the ca setting is set to true. In this case, the path to access the certificate is formed based on the standard cert/ca path based on the name in the public key infrastructure (Public Key Infrastructure, PKI). If the CA certificate is not a root certificate, use the caList parameter to list all certificates, including the root certificate. For example:

  cert-ca:

  ca: true

  tls.crt: pki_kcs/cert/ca

  caList:

  - pki/cert/ca

• To generate certificates and keys, you need to specify the path from the PKI name with the standard issue path and the name of the created role. The common name (cn) and all possible alternative names (altname) are automatically added to the certificate. If necessary, the cn, altname and ipsans values can be specified manually as shown below for an external database:

  cert-pguser:

  cn: pguser

  altname: pguser,pguser.psql,pguser.psql.svc,pguser.psql.svc.cluster.local,localhost

  ipsans: 0.0.0.0,127.0.0.1

• To set the certificate lifetime, you need to specify the value of the ttl parameter. The default value is 8760 hours.

  The parameter value cannot be greater than the value set in the PKI HashiCorp Vault.