Contents
- Security policies configuration
- Scanner policies
- Assurance policies
- Response policies
- Runtime policies
- Creating a runtime policy
- Editing runtime policy settings
- Managing container runtime profiles
- Managing runtime autoprofiles
- Deleting policies
Security policies configuration
Kaspersky Container Security components use the following security policies:
- Scanner policies determine the settings for scanning different types of resources. Scan policies use rules to detect sensitive data, as well as vulnerabilities, malware, and misconfiguration.
- Assurance policies define Kaspersky Container Security actions to provide security if vulnerabilities, malware, sensitive data and misconfigurations detected during image scanning meet the criteria specified in the policy.
- Response policies define the actions of the solution in case events specified in the policy occur. For example, Kaspersky Container Security can notify the user about an event.
- Runtime policies allow you to control and, where appropriate, restrict the deployment and operation of containers on the cluster in line with your corporate security requirements.
Kaspersky Container Security applies only enabled policies during its operation. Disabled policies cannot be used during checks.
Scanner policies
Scanner policy determines the settings for scanning different types of resources.
When installing Kaspersky Container Security, a default scanner policy is created; it can be applied to all resources and executed in all environments. It is called the global scan policy (default). This policy is assigned default scope by default.
You can enable, disable, or configure global scanner policy settings if your role has been assigned the rights to manage scanner policies and view the default scope.
The following actions cannot be performed on a global scanner policy:
- Change the assigned default scope.
- Remove the global scanner policy.
The list of configured scanner policies is displayed as a table in the Policies → Scanner policies section.
You can use the list to do the following:
- Add new policies. Click the Add policy button located above the table to open the policy settings window.
- Enable or disable policies by using the Disabled / Enabled toggle button in the Status column of the table.
- Change policy settings. You can open the editing window by clicking the policy name link.
You can also enable and disable policies in the edit window. Kaspersky Container Security does not use disabled policies when operating.
- Configure rules for detecting sensitive data. To do this, go to the Sensitive data tab.
- Delete policies.
Creating a scanner policy
Rights to manage scanner policy settings are required to add a scanner policy in Kaspersky Container Security.
To add a scanner policy:
- In the Policies → Scanner policies section, click the Add policy button.
The policy settings window opens.
- Use the Disabled / Enabled toggle switch to disable the added policy, if necessary. In this case, it will be added but not applied until it is activated.
By default, the status of a newly added scanner policy is Enabled.
- Enter a policy name and, if required, policy description.
- In the Scope field, select the scope for the scanner policy from the available options.
If you plan to implement the policy with the default scope, one of your user roles must be granted the rights to view default scopes.
- In the Vulnerabilities section, configure the following settings:
- Use the Disabled / Enabled toggle switch to configure scanning using the National Vulnerability Registry (NVD) databases.
- Use the Disabled / Enabled toggle switch to configure scanning using the Data Security Threats Database.
- In the Malware section, use the Disabled / Enabled toggle switch to configure scanning for malware in the image as part of the File Threat Protection component.
- In the Misconfigurations section, use the Disabled / Enabled toggle switch to configure a scan for configuration errors.
- Click Save.
Editing scanner policy settings
You can edit the scanner policy settings in Kaspersky Container Security if your account has been assigned at least one role that the policy's creator had at the time of the policy's creation.
To change scanner policy settings:
- In the Policies → Scanner policies section, click the policy name link.
The policy settings editing window opens.
- If required, use the Disable / Enable toggle switch to change the policy status (enabled / disabled).
- Make changes to the policy settings. The following settings are open for editing:
- The policy's name, description, and scope.
- Vulnerability control settings. Select the check boxes for the vulnerabilities database(s) to check images against.
- Malware control settings. Select the check box if you need to scan images for malware and other file threats. This control is conducted by using the File Threat Protection component.
- Misconfiguration control settings. Select the check box if you need to check images for misconfigurations. The control is conducted with the default settings configured by the Kaspersky Container Security manufacturer.
- Click Save.
Configuration of sensitive data detection rules
The list of configured rules for detecting sensitive data (hereinafter referred to as Secrets) during image scanning is displayed in the Policies → Scanner policies → Sensitive data section.
The rules are grouped into categories depending on the purpose and scope of secrets to be detected. The list of categories is determined by the Kaspersky Container Security manufacturer. Categories contain predefined rules.
You can use the list to do the following:
- View and change the settings for secrets detection rules. You can open the editing window by clicking the rule ID link.
- Add new rules to the selected category. Click the Add rule button located above the table to open the integration settings window. To add rules that do not belong to any of the preset categories, use the Other category.
- Delete rules. Check the box next to one or more rules in the list. The delete icon is then displayed.
To change the settings of sensitive data detection rules:
- In the table, in the Policies → Scanner policies → Policies section, select the scanner policy.
- In the Sensitive data section, select the necessary rules by selecting the check boxes in the rule lines.
- Use the Disable / Enable toggle switch in the Status column in the table with the list of policy rules to enable or disable this policy component.
Do not click the Save button.
Kaspersky Container Security immediately applies the changes to the sensitive data settings and displays the corresponding notification. You can also refresh the page to see the settings change.
Assurance policies
Assurance policy defines Kaspersky Container Security actions to provide security if threats detected during image scanning meet the criteria specified in the policy.
The configured assurance policies are displayed as a table in the Policies → Assurance policies section.
You can use the list to do the following:
- Add new policies. Click the Add policy button located above the table to open the policy settings window.
- Change policy settings. You can open the editing window by clicking the policy name link.
- Enable and disable policies. Policies are disabled and enabled by using the Disable/Enable toggle button in the Status column of the table containing the list of created policies.
- Delete policies.
If you add an assurance policy, modify its settings, or delete a policy, the compliance status is reviewed (Compliant / Non-compliant) for the images to which the policy is applied.
Creating an assurance policy
Rights to manage security policy settings are required to add a security policy in Kaspersky Container Security.
To add an assurance policy:
- In the Policies → Assurance policies section, click the Add policy button.
The policy settings window opens.
- Enter a policy name and, if required, policy description.
- In the Scope field, select the scope for the image security policy from the available options.
If you plan to implement the policy with the default scope, one of your user roles must be granted the rights to view default scopes.
- Specify the actions that Kaspersky Container Security should perform in accordance with the policy:
- Fail CI/CD step—if Kaspersky Container Security scanner detects threats while scanning the image in the CI/CD pipeline matching the severity level specified in the policy, the scanning ends with an error (Failed). This result is transferred to the CI system.
- Label images as non-compliant—Kaspersky Container Security labels images containing detected threats that meet the criteria specified in the policy.
- In the Vulnerability level section, configure the following settings:
- Use the Disabled / Enabled toggle switch to configure the scan based on the vulnerability severity level.
- Set the assigned severity level based on the vulnerability databases. You can select it from the Severity level drop-down list or specify a severity score from 0 to 10.
- Use the Disabled / Enabled toggle switch to configure blocking in case of specific vulnerabilities and specify these vulnerabilities in the Vulnerabilities field.
- In the Malware section, use the Disabled / Enabled toggle switch to configure scanning for malware in the image.
- In the Misconfigurations section, configure the following settings:
- Use the Disabled / Enabled toggle switch to configure the scan based on the misconfiguration severity level.
- Select the misconfiguration severity level from the Severity level drop-down list.
The severity level is assigned based on the vulnerability databases.
- In the Sensitive data section, configure the following settings:
- Use the Disabled / Enabled toggle switch to configure the scan based on the sensitive data severity level.
- Select the sensitive data severity level from the Severity level drop-down list.
The severity level is assigned based on the vulnerability databases.
- Click Save.
By default, the added policy is Enabled.
Editing assurance policy settings
You can edit the image security policy settings in Kaspersky Container Security if your account has been assigned at least one role that the policy's creator had at the time of the policy's creation.
To change assurance policy settings:
- In the Policies → Assurance policies section, click the policy name in the list of existing assurance policies.
The policy settings window opens.
- Make changes to the relevant policy settings:
- The policy's name, description, and scope.
- Actions of the solution in accordance with this policy.
- Required scans.
- Severity level of vulnerabilities detected during scans.
- Identify number of vulnerabilities for blocking purposes.
- Click Save.
Response policies
Response policy defines the actions of the solution in the case that events specified in the policy occur. For example, Kaspersky Container Security can notify the user about the detected threats.
If you want to configure response policies to notify the user, you should first set up integration with notification outputs.
The configured response policies are displayed as a table in the Policies → Response policies section.
You can use the list to do the following:
- Add new policies. Click the Add policy button located above the table to open the policy settings window.
- Change policy settings. You can open the editing window by clicking the policy name link.
- Enable and disable policies. Policies are disabled and enabled by using the Disable/Enable toggle button in the Status column of the table containing the list of created policies.
If you disable a policy, Kaspersky Container Security will not perform the actions specified in that policy.
- Search for policies. To find a policy, use the search field above the list of response policies to specify the policy name or part of it.
- Delete policies.
In this version of the solution, response policies define only the actions that Kaspersky Container Security takes to notify the user when a specific event detailed in the policy occurs. For example, if an object with a critical vulnerability is detected, the solution can send an email notification to the user.
Creating a response policy
Rights to manage response policy settings are required to add a response policy in Kaspersky Container Security.
To add a response policy:
- In the Policies → Response policies section, click the Add policy button.
The policy settings window opens.
- Enter a policy name and, if required, policy description.
- In the Scope field, select the scope for the response policy from the available options.
If you plan to implement the policy with the global scope, one of your user roles must be granted the rights to view global scopes.
- In the Trigger field, use the drop-down list to select an event that will trigger Kaspersky Container Security to notify the user if this event occurs during a scan. One of the following events can be selected as a trigger event:
- Sensitive data. A notification is sent if the solution detects signs of exposed sensitive data in an object during a scan.
- Non-compliant. Kaspersky Container Security notifies you if a scanned object contains images that do not comply with the requirements of security policies.
- Critical vulnerabilities. A notification is sent if a scanned object contains vulnerabilities with Critical status.
- Malware. A notification is sent if a scan finds malware.
- Risk acceptance expiration. Kaspersky Container Security notifies you if a scanned object contains risks that you had previously accepted but the risk acceptance period has expired.
- Configure the required notification methods:
- Select an Output: Email or Telegram.
- From the drop-down list in the Integration name field, select the name of the pre-configured integration with the selected notification output.
- To add another notification method, click the Add button and fill in the fields as described in paragraphs a and b above.
- If needed, you can remove the added notification methods by clicking the icon located to the right of the Integration name field.
- Click Save.
By default, the added policy is Enabled.
Editing response policy settings
You can edit the response policy settings in Kaspersky Container Security if your account has been assigned at least one role that the policy's creator had at the time of the policy's creation.
To change response policy settings:
- In the Policies → Response policies section, click the policy name in the list of existing response policies.
The policy settings window opens.
- If necessary, make changes to the relevant policy settings:
- Change the policy name.
- Add or edit the policy description.
- Add or edit the policy scope.
- Change the trigger event by selecting it from the drop-down list.
- Add an output by clicking the Add button.
- Delete the output by clicking the delete icon located next to the line of the selected output.
- Click Save.
Runtime policies
A runtime policy determines the actions that are taken by the solution when monitoring and controlling runtime operations of containers in accordance with the security policies. Kaspersky Container Security maintains control based on security threats detected in an image, the severity level of these threats, and the availability of .
Containers in the runtime may run from verified images or from images that are still unknown to the solution.
On the Policies tab, under Policies → Runtime policies, a table lists configured runtime policies.
You can use the list to do the following:
- Add new policies. Click the Add policy button located above the table to open the policy settings window.
- Change policy settings. You can open the editing window by clicking the policy name link.
- Enable and disable policies. Policies are disabled and enabled by using the Disable/Enable toggle button in the Status column of the table containing the list of created policies.
If you disable a policy, Kaspersky Container Security will not perform the actions specified in that policy.
- Search for policies. To find a policy, use the search field above the list of runtime policies to specify the policy name or part of it.
- Delete policies.
To work optimally, a runtime policy must be supplemented by runtime container profiles, which define the rules and restrictions for running containers in the runtime environment.
Creating a runtime policy
Rights to manage runtime policy settings are required to add a runtime policy in Kaspersky Container Security.
To add a runtime policy:
- Under Policies → Runtime policies, select the Policies tab.
- Click the Add policy button.
The policy settings window opens.
- If necessary, use the Disabled / Enabled switch to set the policy status. By default, the added policy is Enabled.
- Enter a policy name and, if required, policy description.
- In the Scope field, select the scope for the runtime policy from the available options. Since runtime policies are only used for deployed and/or running containers, scopes containing resources across clusters can be selected.
Scopes containing only registry resources are not available for selection. If necessary, you can specify individual images and pods for the runtime policy that you are creating in the Container runtime profiles section, as specified in step 11.
If you plan to implement the policy with the global scope, one of your user roles must be granted the rights to view global scopes.
- In the Mode section, select one of the following policy enforcement modes:
- Audit. In this mode, a scan takes into account the contents of containers.
- Enforce. In this mode, the solution blocks all objects that do not comply with the rules and criteria defined in the policy.
If a scope includes an object subject to a runtime policy in Audit mode and a runtime policy in Enforce mode, all actions specified in the runtime policies are applied in Enforce mode.
- On the Admission controller tab, configure the following settings:
- In the Best practice check section, use the Disabled / Enabled toggle switch to activate the scan for compliance with best security practices. From the list of settings, select the scan settings that guarantee that the correct image is run and that the CPU and RAM usage settings are correctly configured.
- In the Block non-compliant images section, use the Disabled / Enabled toggle switch to prevent containers running from images that do not comply with the requirements. This check will be performed only for scanned images that are registered in the solution and have the Compliant status.
- In the Block unregistered images section, use the Disabled / Enabled toggle switch to block image deployment if the image is unknown to Kaspersky Container Security. To deploy the image, you must register it in the solution and wait for it to appear in the registry.
- In the Dynamic Admission Controller bypass criteria block, use the Disabled / Enabled switch to define the exclusions for which the runtime policy will not be applied. To do so, select the relevant objects in the drop-down list, specify their names, and then click Add.
Existing exclusions in the policy are checked when deploying a container.
- In the Capabilities block section, use the Disabled / Enabled toggle switch to block the use of specified Unix functions. To do so, select specific system functions from the drop-down list. You can also lock the use of all Unix system functions by selecting ALL from the drop-down list.
- In the Image content protection section, use the Disabled / Enabled toggle switch to enable verification of digital signatures that confirm the integrity and origin of images in the container. To do this, perform the following actions:
- In the Image registry URL template field, enter the template for the web address of the image registry in which you want to verify signatures.
- In the drop-down list, select Check to enable verification or Don't check to disable verification.
- In the drop-down list, select one of the configured image signature validators.
- If necessary, add signature verification rules by using the Add signature verification rule button. The solution will apply multiple signature verification rules under a single runtime policy.
- In the Limit container privileges section, use the Disabled / Enabled toggle switch to block the start of containers with a specific set of rights and permissions. In the list of settings, select the rights and permissions configuration to block pod settings.
- In the Registries allowed section, use the Disabled / Enabled toggle switch to allow deployment of containers in a cluster only from specific registries. To do so, select the relevant registries from the Registries drop-down list.
- In the Volumes blocked section, use the Disabled / Enabled toggle switch to prevent the selected volumes from being mounted in containers. To do this, specify the volume mount points on the host system in the Volumes field.
The Volumes field must begin with a forward slash ("/") because this represents the operating system path.
- On the Container runtime tab, configure the following settings:
- In the Container runtime profiles section, use the Disabled / Enabled toggle switch to block processes inside containers and network connections for pods. To do this, perform the following actions:
- In the drop-down list, select an attribute to define the pods that the container runtime profiles will be applied to.
- Depending on the selected attribute, do the following:
- If you selected By pod labels, enter the pod label key and the pod label value.
You can add additional pod labels for pod selection by clicking the Add label pair button.
- If you selected Image URL template, enter the template for the web address of the image registry.
If the cluster contains images from the public Docker Hub registry, the solution treats the full path and the short path to an image as equivalent. For example, if you specify the URL of the container image in the cluster as docker.io/library/ubuntu:focal, the solution accepts it equally as ubuntu:focal.
You can add additional web addresses for pod selection by clicking the Add Image URL button.
- If you selected Image digest, enter the image digest created using the SHA256 hash algorithm. You can specify the image digest with or without the sha256 prefix (for example, sha256:ef957...eb43 or ef957...eb43).
You can add additional image digests to select pods by clicking the Add image digest button.
- In the Container runtime profile field, specify one or more runtime profiles that will be applied to pods that match the attributes you defined.
- If necessary, you can add pods for mapping using the Add pod mapping button. Pods with different attributes or applied runtime profiles will be mapped under the same runtime policy.
- In the Container autoprofiles section, use the Disabled / Enabled switch to activate scanning of containers in the specified scope using the autoprofiles associated with images in these containers.
You can view all autoprofiles included in the scope by clicking the Show autoprofiles attributed to the scope link. In the sidebar that opens, the solution shows a table with a list of autoprofiles. For each autoprofile, its name, date and time of the last modification, as well as the image associated with the autoprofile are displayed.
- Click the Add button.
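The pod-selection attributes above compare a Docker Hub short path with its full path, and a digest with or without the sha256: prefix. The following Python is an added illustration, not Kaspersky Container Security code: it canonicalises both forms and selects pods from a constructed inventory. It assumes the Docker Hub expansion follows Docker's standard reference rules (docker.io/library/<name> for official images) and treats an Image URL template as an exact reference.

```python
import re

# Added example, not product code: canonical forms for the two pod-selection
# attributes described above. Assumption: Docker Hub short paths are expanded
# the way the Docker reference format does it (docker.io/library/<name> for
# official images); digests are compared as lowercase hex without the prefix.

DOCKER_HUB = "docker.io"
_HEX64 = re.compile(r"[0-9a-f]{64}")

# Constructed pod inventory: (pod name, image reference, image digest)
PODS = [
    ("web-1", "ubuntu:focal", "sha256:" + "ab" * 32),
    ("web-2", "docker.io/library/ubuntu:focal", "AB" * 32),
    ("api-1", "ghcr.io/example/api:1.4", "sha256:" + "cd" * 32),
    ("db-1", "bitnami/postgresql:16", "ef" * 32),
]


def normalize_image_url(ref: str) -> str:
    """Expand a Docker Hub short path to its full path; leave others as they are.

    'ubuntu:focal'            -> 'docker.io/library/ubuntu:focal'
    'bitnami/postgresql:16'   -> 'docker.io/bitnami/postgresql:16'
    'ghcr.io/example/api:1.4' -> unchanged (not a Docker Hub image)
    """
    parts = ref.strip().split("/")
    first = parts[0]
    # A leading component is a registry host only if a '/' follows it and it
    # contains '.' or ':' or is exactly 'localhost' (Docker's rule).
    is_host = len(parts) > 1 and ("." in first or ":" in first or first == "localhost")
    if not is_host:
        parts.insert(0, DOCKER_HUB)
    elif first in ("index.docker.io", "registry-1.docker.io"):
        parts[0] = DOCKER_HUB
    if parts[0] == DOCKER_HUB and len(parts) == 2:
        parts.insert(1, "library")  # official-image namespace
    return "/".join(parts)


def normalize_digest(digest: str) -> str:
    """Accept 'sha256:<hex>' or bare '<hex>'; return the prefixed lowercase form."""
    value = digest.strip().lower()
    if value.startswith("sha256:"):
        value = value[len("sha256:"):]
    if not _HEX64.fullmatch(value):
        raise ValueError(f"not a SHA256 image digest: {digest!r}")
    return "sha256:" + value


def select_pods(image_urls=(), digests=(), pods=PODS):
    """Names of pods whose image matches any listed URL or digest after both
    sides have been canonicalised."""
    urls = {normalize_image_url(u) for u in image_urls}
    hashes = {normalize_digest(d) for d in digests}
    matched = []
    for name, image, digest in pods:
        if normalize_image_url(image) in urls or normalize_digest(digest) in hashes:
            matched.append(name)
    return matched


if __name__ == "__main__":
    print(select_pods(image_urls=["ubuntu:focal"]))          # web-1 and web-2
    print(select_pods(digests=["EF" * 32]))                   # db-1
```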
Editing runtime policy settings
You can edit the runtime policy settings in Kaspersky Container Security if your account has been assigned at least one role that the policy's creator had at the time of the policy's creation.
To change runtime policy settings:
- In the Policies → Runtime policies → Policies section, click the policy name in the list of existing runtime policies.
The policy settings window opens.
- Change the status and name of the policy.
- Add or edit the policy description.
- Add or remove scopes.
- Select the policy mode — Audit or Enforce.
- On the Admission controller tab, make changes to the relevant sections of the policy:
- Best practice check.
- Block non-compliant images.
- Block unregistered images.
- Dynamic Admission Controller bypass criteria.
- Capabilities block.
- Image content protection.
- Limit container privileges.
- Registries allowed.
- Blocking volumes.
- On the Container runtime tab, make changes to the relevant sections of the policy:
- Container runtime profiles.
- Container autoprofiles.
- Click Save.
Managing container runtime profiles
When implementing runtime policies, Kaspersky Container Security can apply user-defined rules for monitoring processes and the network. To do so, add runtime profiles to the appropriate runtime policies. Runtime profiles are essentially lists of restrictions for containers. Image profiles define the settings for secure image deployment and safe activities of an application deployed from an image. The actions assigned in profiles can significantly reduce the capabilities of cybercriminals who could potentially infiltrate a facility, and can improve security during the runtime operation of containers.
The following settings specify restrictions in an image profile:
- Executable files that should be blocked.
- Network restrictions for inbound and outbound connections.
Container runtime profiles in runtime policies apply to images that are running in orchestration environments using objects within the cluster. If a container is started outside the orchestration environment (for example, using the docker run or ctr run command), the solution will not detect malware in such a container.
The solution does not automatically perform a malware scan when objects are saved in a container. We recommend additionally protecting containerized files outside the orchestration environment.
The list of configured profiles is displayed as a table on the Container runtime profiles tab under Policies → Runtime policies. In this section, you can also do the following:
- Create new container runtime profiles. Open the profile settings window by clicking the Add profile button above the list.
- Edit profile settings by clicking the link in the runtime profile name.
- Delete runtime profiles.
Creating a runtime profile
To add a container runtime profile:
- Under Policies → Runtime policies → Container runtime profiles, click the Add profile button.
The profile settings input window opens.
- Enter a name for the runtime profile and, if necessary, a description.
- In the Scopes drop-down list, select one or more scopes.
Scopes in runtime profiles allow profiles to be used correctly in runtime policies.
- Under File Threat Protection, use the Disabled / Enabled toggle to activate File Threat Protection. It is used to find and analyze potential file threats, and provides security for containerized objects, such as archives and email files.
When a runtime profile is applied with the File Threat Protection component enabled, Kaspersky Container Security activates real-time file threat protection on all nodes within the scopes defined for that policy. The configuration of the deployed agents depends on the settings that you specify for File Threat Protection. You can configure the File Threat Protection settings by clicking the File Threat Protection settings button on the Container runtime profiles tab in the Policies → Runtime section.
- In the Restrict container executable files section, use the Disabled / Enabled toggle switch to restrict executable files according to rules. In the list, select the blocking option that guarantees optimal container performance:
- Block process from all executable files - application blocks all executable files from starting while the container is running.
- Block specified executable files - application blocks the executable files that you select in the Block the specified executable files field. You can block all executable files or a list of specific executable files. You must specify the full original path to the executable file (for example, /bin/php). You can also use an * mask (for example, /bin/*) to apply a rule to an entire directory and its subdirectories. You can fine-tune the list of allowed and blocked executable files by specifying exclusions for blocking rules. For example, you can specifically exclude the path /bin/cat for a rule applied to /bin/*. In this case, all executable files from the directory /bin/ will be blocked from running except the /bin/cat application.
Example path to executable files
When working with the busybox binary that is delivered with many basic container images (such as alpine), you must take into account that busybox contains a set of commands to fetch applications without an explicit specification of such applications. For example, the ls command is used to fetch the /bin/ls executable file, which in turn is a symbolic link to /bin/busybox. In this case, you must specify the path to the executable file as follows: /bin/busybox/ls (that is, you must concatenate the original path of the /bin/busybox executable file and its ls command with the / symbol).
If you select the Allow exclusions check box, the application will block all executable files except those specified in the Allow exclusions field when a container is started and running.
All rules and exceptions specified for this group of parameters are regular expressions (regexp). The solution uses the specified patterns and indicators to find all files that match a specific regular expression.
- In the Restrict ingress container connections section, use the Disabled / Enabled toggle switch to activate the capability to restrict inbound connections of a container. When this restriction is active, Kaspersky Container Security will block all sources of inbound connections except those that you specified as exclusions.
If you select the Allow exclusions check box, you can specify the parameters of one or more allowed sources of inbound network connections. To define exclusions, you must specify at least one of the following parameters:
- Sources. In the Sources field, enter an IP address or a range of IP addresses for the inbound connection source in CIDR4 or CIDR6 notation.
- In the TCP ports field and in the UDP ports field, enter a specific port or range of ports for the connection.
If you need to specify multiple ports, use a comma, e.g. 8080, 8082.
If you do not specify a value for the ports, the application will allow a connection over all ports.
- In the Restrict egress container connections section, use the Disabled / Enabled toggle switch to activate the capability to restrict outbound connections for defined destinations.
If you select the Allow exclusions check box, you can specify the parameters of one or more allowed destinations for outbound network connections. To define exclusions, you must specify at least one of the following parameters:
- Destinations. In the Destinations field, enter an IP address or a range of IP addresses for an outbound connection destination in CIDR4 or CIDR6 notation, or the web address (URL) of a destination.
- In the TCP ports field and in the UDP ports field, enter a specific port or range of ports for the connection.
If you need to specify multiple ports, use a comma, e.g. 8080, 8082.
If you do not specify a value for the ports, the application will allow a connection over all ports.
- In the File operations sections, use the Disabled / Enabled switch to enable the ability to monitor file operations in the container. To do this, specify values for the following settings:
- Path. Paths to files or folders can be specified with or without a forward slash (/) at the end of the path. You can allow access to all subdirectories by placing an asterisk (*) after the forward slash (/) at the end of the path.
When specifying paths to files, only enter full paths that begin with a forward slash.
- If necessary, in the Exclusions field, you can specify paths to files for which file operations will not be monitored.
- Operation type. You can specify the file operations that the solution monitors when the runtime policy is applied. To do this, use the check box to select one or more of the following operation types:
- Create — The solution logs all file creation operations in the specified directories.
- Open — The solution logs all file opening operations.
- Read — The solution logs file read operations.
- Write — The solution logs information about changes saved in files.
- Rename or move — The solution logs operations that change the name of files or move files to other folders.
- Delete — The solution logs information about the deletion of files or folders from the specified directories.
- Change access permissions — The solution logs information about changes in the rights to access files and directories.
- Change ownership — The solution monitors operations that change the owner of a file or folder in the specified directory.
If necessary, add rules for monitoring file operations using the Add rule button. The solution will apply multiple file operation monitoring rules within a single runtime policy.
For file operations, only Audit mode is supported. If the Enforce mode is specified in the applicable runtime policy, file operations are performed in Audit mode.
- Click the Add button.
The added runtime profile is displayed in the Policies → Runtime policies → Container runtime profiles section.
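The following script is an added illustration of how the network exclusions and file operation rules described in the steps above are evaluated against a connection or a file event; it is not Kaspersky Container Security code. It models sources and destinations in CIDR4/CIDR6 notation, the ports field as a comma-separated list such as 8080, 8082 with an empty field meaning all ports, and rule paths with an optional trailing slash or /* for subdirectories. The event shapes, the a-b port range syntax, and the reading that a folder path without an asterisk covers only the folder and its direct entries are assumptions made for the example.

```python
"""Evaluate runtime profile network exclusions and file operation rules.

Added illustration, not Kaspersky Container Security code. The rule
syntax follows the settings described in this section; event shapes,
the "a-b" port range syntax and the exact path semantics are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Any, List, Optional, Set


def parse_ports(text: str) -> Optional[Set[int]]:
    """Parse the TCP ports / UDP ports field. An empty field means all ports (None)."""
    text = text.strip()
    if not text:
        return None
    ports: Set[int] = set()
    for item in text.split(","):
        item = item.strip()
        if "-" in item:  # assumed range syntax, e.g. "8000-8100"
            lo, hi = (int(x) for x in item.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports


@dataclass
class NetworkExclusion:
    """One allowed source (ingress) or destination (egress) entry."""
    network: Any                          # ipaddress.IPv4Network or IPv6Network
    tcp_ports: Optional[Set[int]] = None  # None = connections over all TCP ports
    udp_ports: Optional[Set[int]] = None  # None = connections over all UDP ports

    @classmethod
    def from_fields(cls, cidr: str, tcp: str = "", udp: str = "") -> "NetworkExclusion":
        return cls(ipaddress.ip_network(cidr.strip(), strict=False),
                   parse_ports(tcp), parse_ports(udp))

    def matches(self, ip: str, proto: str, port: int) -> bool:
        addr = ipaddress.ip_address(ip)
        if addr not in self.network:  # an IPv4/IPv6 version mismatch is simply no match
            return False
        allowed = self.tcp_ports if proto == "tcp" else self.udp_ports
        return allowed is None or port in allowed


def connection_allowed(exclusions: List[NetworkExclusion], ip: str, proto: str, port: int) -> bool:
    """With the restriction enabled, a peer is allowed only if some exclusion matches it."""
    return any(e.matches(ip, proto, port) for e in exclusions)


def _split_rule_path(rule: str):
    """'/a/b' and '/a/b/' cover the entry and its direct children; '/a/b/*' covers the whole subtree."""
    if not rule.startswith("/"):
        raise ValueError(f"only full paths starting with '/' are accepted: {rule!r}")
    recursive = rule.endswith("/*")
    base = rule[:-2] if recursive else rule
    return (base.rstrip("/") or "/"), recursive


def path_covered(rule: str, path: str) -> bool:
    base, recursive = _split_rule_path(rule)
    path = path.rstrip("/") or "/"
    if path == base:
        return True
    prefix = "/" if base == "/" else base + "/"
    if not path.startswith(prefix):
        return False
    return recursive or "/" not in path[len(prefix):]


@dataclass
class FileOperationRule:
    """One 'Add rule' entry: monitored paths, selected operation types, excluded paths."""
    paths: List[str]
    operations: Set[str]
    exclusions: List[str] = field(default_factory=list)

    def monitors(self, path: str, operation: str) -> bool:
        if operation not in self.operations:
            return False
        if any(path_covered(ex, path) for ex in self.exclusions):
            return False
        return any(path_covered(p, path) for p in self.paths)


def file_event_monitored(rules: List[FileOperationRule], path: str, operation: str) -> bool:
    """A policy may hold several rules; the event is logged if any rule monitors it."""
    return any(r.monitors(path, operation) for r in rules)


if __name__ == "__main__":
    ingress = [NetworkExclusion.from_fields("10.0.0.0/24", tcp="8080, 8082")]
    print(connection_allowed(ingress, "10.0.0.7", "tcp", 8080))  # True
    print(connection_allowed(ingress, "10.0.0.7", "tcp", 22))    # False
    rule = FileOperationRule(["/etc/app/*"], {"Write", "Delete"}, ["/etc/app/cache/*"])
    print(file_event_monitored([rule], "/etc/app/conf/main.yaml", "Write"))  # True
    print(file_event_monitored([rule], "/etc/app/cache/tmp", "Write"))       # False
```

Note that an exclusion with a TCP port list but an empty UDP field still allows that source over every UDP port, which is the behaviour described for an empty ports field; when you intend to allow only TCP, state the UDP ports explicitly rather than leaving the field blank.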
Examples of configured runtime profiles
The table below presents a few of the images that are most frequently used by the application, and the settings for their configured restrictions in runtime profiles.
Images and their configured settings
Image name | Restrict container executable modules | Restrict network connections
---|---|---
Nginx | Allowed executable file: | Block outbound connections
Mysql | Allowed executable files: | Block outbound connections
Wordpress | Allowed executable files: |
Node | Allowed executable file: | Block outbound connections
MongoDB | Allowed executable files: |
HAProxy | Allowed executable files: |
Hipache | Allowed executable files: |
Drupal | Allowed executable files: |
Redis | Allowed executable files: | Block outbound connections
Tomcat | Allowed executable files: | Block outbound connections
Celery | Allowed executable files: |
Changing runtime profile settings
To change container runtime profile settings:
- Under Policies → Runtime policies → Container runtime profiles, click the name of the profile in the list of existing container runtime profiles.
- In the window that opens, change the values of one or more of the following settings:
- Name of the runtime profile.
- Description of the runtime profile.
- Scopes.
- File threat protection.
- Restrict container executable files.
- Restrict inbound network connections.
- Restrict outbound network connections.
- File operations.
- Click Save.
Changes made to runtime profile settings are immediately applied to the running container and affect its operation.
Deleting a runtime profile
To delete a container runtime profile:
- In the table of configured runtime profiles under Policies → Runtime policies → Image profiles, click the delete icon in the row containing the name of the profile that you want to delete.
- In the window that opens, confirm the action.
Managing runtime autoprofiles
Kaspersky Container Security can monitor processes, network traffic, and file operations in containers, and then use the obtained information to automatically generate container runtime profiles. The autoprofiling process is performed within a time interval set by the user and within the selected scope. Such a scope can be a cluster, a namespace, or a pod.
The content of an automatically generated profile (autoprofile) depends on the agent group's node monitoring settings. To start autoprofiling, you need to activate the monitoring settings for network connections, processes being started, and file operations of containers for the corresponding agent group.
The autoprofile is made unique by a combination of three settings: the name of the cluster, the name of the namespace, and the image digest. Accordingly, within one namespace, an autoprofile is generated for all containers with the selected build of an image.
Creating a runtime autoprofile
We recommend that you restart the pods after autoprofiling begins so that the solution records the start of the pods in its rules. This will prevent pods from being incorrectly blocked when they restart.
Kaspersky Container Security allows creating autoprofiles at three levels:
- At the cluster level
- At the namespace level
- At the pod level
At the cluster and namespace level, you can create an autoprofile using a table with a list of clusters or namespaces, or from a graph of objects within a cluster. At the pod level, an autoprofile can only be created using the table.
To create a container runtime autoprofile using the table with a list of objects:
- Go to Resources → Clusters.
- Follow these steps depending on the level at which you are creating an autoprofile:
- If you want to create an autoprofile at the cluster level, in the cluster table, select check boxes for one or more clusters.
- If you want to create an autoprofile at the namespace level, follow these steps:
- Click the name of the cluster in the cluster table.
- On the Table tab, in the table that lists the namespaces in the cluster, use the check box to select one or more namespaces.
- If you want to create an autoprofile at the pod level, follow these steps:
- Click the name of the cluster in the cluster table.
- Click the name of the namespace in the table of namespaces in the cluster.
- In the displayed sidebar, select the Pods and containers tab, and in the table of pods within the namespace, select check boxes for one or more pods.
Make sure that the autoprofiling process is not running in the selected objects. If the process is running, the solution will not allow another autoprofiling task to start.
- Click the Build autoprofile button above the table.
In a cluster, you can run only one autoprofile creation task at a time. The solution will allow a new autoprofiling task only after the previous task has finished or has been stopped.
- In the window that opens, specify the duration of autoprofiling. This duration can be 1 to 1440 minutes.
The default setting is 60 minutes.
- Click Start.
In the Autoprofiles column of the table of objects (clusters, namespaces, or pods), the solution displays the time remaining until the end of autoprofiling for that object or the number of autoprofiles created for the object.
To create a container runtime autoprofile from a graph:
- Go to Resources → Clusters.
- Follow these steps on the Graph view tab, according to the level at which you are creating an autoprofile:
- If you want to create an autoprofile at the cluster level, left-click on the cluster icon on a namespace graph.
- If you want to create an autoprofile at the namespace level, follow these steps:
- Double-click to expand the group of namespaces within the cluster on the graph.
- In the namespace graph, left-click on the icon of the namespace you are interested in.
- In the menu that opens, select Build autoprofile.
If the autoprofiling process is already running in the cluster, you will not be able to select Build autoprofile. If you have the appropriate rights, you can stop the creation of an autoprofile in the selected cluster by selecting Stop autoprofiling in the menu. Alternatively, wait for the previously started autoprofiling task to complete. The solution allows running only one autoprofiling task at a time in a cluster.
- In the window that opens, specify the duration of autoprofiling. This duration can be 1 to 1440 minutes.
The default setting is 60 minutes.
- Click Start.
The created runtime autoprofiles are displayed in the Policies → Runtime policies → Autoprofiles section.
Viewing the list of runtime autoprofiles
Kaspersky Container Security displays a list of all created runtime autoprofiles in the table under Policies → Runtime → Autoprofiles. The following information is displayed for each autoprofile:
- The name of the autoprofile, which is a concatenation of the following data:
- Pod name.
- Namespace name.
- Cluster name.
- The first 12 characters of the image checksum (after the SHA256 prefix).
These components of the autoprofile name are separated by underscores (for example, kube-company_sampled-operations_docker-cluster__9a74fc18ee07).
- The status of the autoprofile with regard to its verification by the user: Verified or Not verified. By default, an autoprofile is created with the Not verified status.
If necessary, you can use the Verified/Not verified toggle switch to change the status of the autoprofile in the table. You can also assign the Verified status to one or more autoprofiles by clicking the Verify button above the table.
Only autoprofiles with the Verified status can be applied.
- Date and time of the last modification.
- The cluster and namespace that the autoprofile is based on.
- The image whose checksum the autoprofile was based on.
Kaspersky Container Security also displays a list of autoprofiles for each image whose digest was used to create the autoprofiles.
To view a list of autoprofiles created for an image:
- Go to Resources → Registries.
- In the desired registry, click the expand icon and expand the list of images in the registry. Images used to create autoprofiles are marked with the autoprofiling icon.
- Click the name of an image to go to the page with detailed information about the scan results for this image.
The list of all autoprofiles for the image is presented as a table in the Associated autoprofiles section. The following information is displayed for each autoprofile:
- Autoprofile name. Click the name of an autoprofile to open a window with a detailed description of the autoprofile. The information in this window is read-only.
- Date and time of the last modification.
- The cluster and namespace that the autoprofile is based on.
Viewing runtime autoprofile parameters
To view autoprofile parameters:
- In the Policies → Runtime policies → Autoprofiles section, click the name of the autoprofile in the list of created container runtime autoprofiles.
- In the displayed sidebar, General and Building parameters tabs contain information about the parameters of the selected autoprofile. The General tab displays the following:
- Autoprofile status.
- Name of the runtime autoprofile.
- Description of the runtime autoprofile, if it was specified manually. By default, no description is added when autoprofiling.
- Under Parameters, you can view the parameters of the following modules:
- File threat protection.
- Restrict container executable files.
- Restrict inbound network connections.
- Restrict outbound network connections.
- File operations.
If necessary, you can make changes to the autoprofile parameters.
The Building parameters tab displays the following data:
- Name of the runtime autoprofile.
- Date and time of the last modification of the autoprofile.
- Name of the user that initiated the creation of the autoprofile.
- Image checksum, namespace, and cluster the autoprofile was based on.
- Name of the image whose checksum the autoprofile was based on. You can view the scan results for this image by clicking the image name.
Editing runtime autoprofile settings
To edit autoprofile parameters:
- In the Policies → Runtime policies → Autoprofiles section, click the name of the autoprofile in the list of created container runtime autoprofiles.
- If necessary, in the displayed sidebar, on the General information tab, edit the values of one, multiple, or all of the following parameters:
- Autoprofile status. Use the Verified/Not verified toggle switch to change the autoprofile status to Verified or Not verified.
- Name of the runtime autoprofile. You can specify a custom autoprofile name to replace the name automatically generated by the solution.
- Description of the runtime autoprofile. By default, no description is added when autoprofiling.
- Under Parameters, edit the monitoring parameters of the following modules:
- File threat protection. If necessary, use the Disabled/Enabled toggle switch to enable or disable File Threat Protection. By default, the settings under File Threat Protection are disabled.
- Restrict container executable files. You can specify specific file names and paths to block, as well as specify exceptions.
If processes are running inside containers in the relevant build, the solution performs the following actions:
- When events are detected in processes in Audit and Enforce mode, the solution activates the Block specified executable files setting and all unique paths are indicated in the Executables or path field.
- If there are no events in processes in Audit and Enforce mode, the solution applies the Block all executable files setting.
- If it detects events other than the above, the solution activates the Allow exclusions setting and specifies all unique path values in the Executables or path field.
- Restrict inbound network connections. If necessary, you can use the Disabled/Enabled toggle switch to disable the ability to restrict inbound connections of the container.
If inbound traffic is observed in containers in the relevant build, the solution performs the following actions:
- When events related to inbound connections are detected in Audit and Enforce mode, the solution activates the Restrict inbound network connections setting.
- If there are no events related to inbound traffic in Audit and Enforce mode, or if other events are detected, the solution activates the Allow exclusions option. The Sources, TCP ports and UDP ports fields contain all the unique recipients of inbound connections.
- Restrict outbound network connections. If necessary, you can use the Disabled/Enabled toggle switch to disable the ability to restrict outbound connections of the container.
If outbound traffic is observed in containers in the relevant build, the solution performs the following actions:
- When events related to outbound connections are detected in Audit and Enforce mode, the solution activates the Restrict outbound network connections setting.
- If there are no events related to inbound traffic in Audit and Enforce mode, or if other events are detected, the solution activates the Allow exclusions option. The Sources, TCP ports and UDP ports fields specify all unique outbound connection sources.
- File operations. You can edit the settings for monitoring file operations in the container.
If actions are observed inside the containers in the relevant build, upon detection of file management events in Audit and Enforce mode, the solution activates the File operations setting. In this case, all unique paths are indicated in the Path field, and the check boxes of all detected operation types are selected in the Operation type field.
You can also click Add rule to add rules to be applied when monitoring file operations.
If a setting is enabled in the Settings section, the solution determines the specific build of the image and scans all containers deployed from that build.
- Save changes to the autoprofile by doing one of the following:
- To save without changing the autoprofile status to Verified, click Save.
- To save and change the status of the autoprofile to Verified, click Save and verify.
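The script below is an added illustration of the aggregation described in the editing steps above: it collapses the events observed for one image build into the unique executables, peers, paths and operation types that populate the autoprofile fields, and reports what a later batch of events contains that an existing autoprofile does not (useful when deciding whether to re-generate a verified autoprofile). It is not the product's own code; the event records are a constructed sample in an assumed shape (dicts with a "kind" key), and the output keys mirror the runtime profile setting names used in this section.

```python
"""Aggregate events observed during autoprofiling into profile parameters.

Added illustration, not Kaspersky Container Security code. Event records
are a constructed sample in an assumed shape; output keys mirror the
runtime profile settings named in this section.
"""
from typing import Any, Dict, List

# Constructed sample: events observed in containers of one image build
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"kind": "exec", "path": "/usr/sbin/nginx"},
    {"kind": "exec", "path": "/usr/sbin/nginx"},  # repeated paths collapse to one entry
    {"kind": "exec", "path": "/bin/sh"},
    {"kind": "ingress", "peer": "10.42.0.15", "proto": "tcp", "port": 8080},
    {"kind": "ingress", "peer": "10.42.0.16", "proto": "tcp", "port": 8080},
    {"kind": "egress", "peer": "10.96.0.10", "proto": "udp", "port": 53},
    {"kind": "file", "path": "/var/log/nginx/access.log", "op": "Write"},
    {"kind": "file", "path": "/var/log/nginx/access.log", "op": "Open"},
    {"kind": "file", "path": "/etc/nginx/nginx.conf", "op": "Read"},
]


def _network_section(events: List[Dict[str, Any]], kind: str, peer_field: str) -> Dict[str, Any]:
    """Unique peers and per-protocol ports for one direction (peer_field is Sources or Destinations)."""
    subset = [e for e in events if e["kind"] == kind]
    return {
        "enabled": bool(subset),
        peer_field: sorted({e["peer"] for e in subset}),
        "TCP ports": sorted({e["port"] for e in subset if e["proto"] == "tcp"}),
        "UDP ports": sorted({e["port"] for e in subset if e["proto"] == "udp"}),
    }


def build_autoprofile(events: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Derive autoprofile parameters from the unique values seen in the events."""
    execs = sorted({e["path"] for e in events if e["kind"] == "exec"})
    files = [e for e in events if e["kind"] == "file"]
    if execs:
        # as described above: observed process events populate "Executables or path"
        exec_section: Dict[str, Any] = {"Block specified executable files": True,
                                        "Executables or path": execs}
    else:
        # no process events at all: the section falls back to blocking every executable
        exec_section = {"Block all executable files": True}
    return {
        "Restrict container executable files": exec_section,
        "Restrict inbound network connections": _network_section(events, "ingress", "Sources"),
        "Restrict outbound network connections": _network_section(events, "egress", "Destinations"),
        "File operations": {
            "enabled": bool(files),
            "Path": sorted({e["path"] for e in files}),
            "Operation type": sorted({e["op"] for e in files}),
        },
    }


def drift(profile: Dict[str, Any], events: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Values present in a new batch of events but absent from an existing autoprofile."""
    fresh = build_autoprofile(events)

    def new_values(section: str, key: str) -> List[str]:
        old = set(profile[section].get(key, []))
        return sorted(set(fresh[section].get(key, [])) - old)

    return {
        "Executables or path": new_values("Restrict container executable files", "Executables or path"),
        "Sources": new_values("Restrict inbound network connections", "Sources"),
        "Destinations": new_values("Restrict outbound network connections", "Destinations"),
        "Path": new_values("File operations", "Path"),
    }


if __name__ == "__main__":
    profile = build_autoprofile(SAMPLE_EVENTS)
    print(profile["Restrict container executable files"])
    later = [{"kind": "exec", "path": "/usr/bin/curl"}, {"kind": "exec", "path": "/bin/sh"}]
    print(drift(profile, later))  # only /usr/bin/curl is new
```

A non-empty drift result is the signal to review the autoprofile rather than to extend it automatically: an executable or destination that first appears after the profiling window is exactly what a verified profile is meant to surface.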
Stopping autoprofiling
If an autoprofile task is running in the selected cluster, Kaspersky Container Security displays the time remaining until the process completes:
- in the Autoprofiles column of the table with the list of clusters
- in the Autoprofiles column of the table with the list of namespaces in the cluster
- in the Autoprofiles column of the table with the list of pods in the selected namespace in the cluster.
You can stop a running autoprofiling process at three levels:
- At the cluster level
- At the namespace level
- At the pod level
At the cluster and namespace level, you can stop creating an autoprofile using a table with a list of clusters or namespaces, or from a graph of objects within a cluster. At the pod level, autoprofiling can only be stopped using the table.
Autoprofiling can be stopped for the entire profiled object (cluster, namespace, or pod) or for specific entities within the profiled object (for example, for selected namespaces or pods).
You can stop a running autoprofiling process if you have the necessary rights.
Stopping an autoprofiling task
To stop running an autoprofiling task using the table with a list of objects:
- Go to Resources → Clusters.
- Follow these steps depending on the level at which you are stopping the autoprofiling:
- If you want to stop autoprofiling at the cluster level, use the check box to select one or more clusters for which the autoprofiling task has been started.
- If you want to stop autoprofiling at the namespace level, follow these steps:
- Click the name of the cluster in the cluster table.
- On the Table tab, in the table that lists the namespaces in the cluster, use the check box to select one or more namespaces for which the autoprofiling task has been started.
- If you want to stop autoprofiling at the pod level, do the following:
- Click the name of the cluster in the cluster table.
- Click the name of the namespace in the table of namespaces in the cluster.
- In the displayed sidebar, select the Pods and containers tab, and in the table of pods within the namespace, select check boxes for one or more pods for which the autoprofiling task has been started.
- Click the Stop autoprofiling button located above the table.
If the list of selected objects includes a cluster, namespace, or subcluster where the autoprofiling process has not been started, the Stop autoprofiling button becomes inactive.
- Click the Stop button to confirm stopping the autoprofiling process.
To stop an autoprofiling task from a graph:
- Go to Resources → Clusters.
- Do the following on the Graph view tab, depending on the level at which you are stopping the autoprofiling task:
- If you want to stop an autoprofiling task at the cluster level, left-click on the cluster icon on a namespace graph.
- If you want to stop an autoprofiling task at the namespace level, do the following:
- Double-click to expand the group of namespaces within the cluster on the graph.
- In the namespace graph, left-click on the icon of the namespace you are interested in.
- In the menu that opens, select Stop autoprofiling.
- Click the Stop button to confirm stopping the autoprofiling process.
Stopping autoprofiling for individual objects
To stop autoprofiling for individual objects in an autoprofiling task:
- Start an autoprofiling task.
- Do one of the following:
- If a cluster autoprofiling task is running, do the following:
- In the table with the list of clusters, click the name of the cluster for which an autoprofile is being created.
- In the window that opens, do one of the following:
- Select one or more namespaces for which you want to stop auto-profiling.
- Click the namespace name and in the window that opens, select one or more pods for which you want to stop autoprofiling.
- If a namespace autoprofiling task is running, do the following:
- In the table with the list of namespaces in the cluster, click the name of the namespace for which an autoprofile is being created.
- In the window that opens, select one or more pods for which you want to stop autoprofiling.
- Click the Stop autoprofiling button located above the table with the list of objects.
- Click the Stop button to confirm stopping the autoprofiling process.
Kaspersky Container Security stops the autoprofiling process for the selected objects. The solution will continue running the autoprofiling task for the rest of the objects in the cluster or namespace.
When stopping autoprofiling for individual objects, bear in mind that stopping the task at the level of a larger object will completely stop the task. For example, an autoprofiling task is completely stopped in the following cases:
- If a task for autoprofiling namespaces or pods is started and you stop autoprofiling at the level of the cluster that includes the selected namespaces or pods.
- If a task for autoprofiling pods is started and you stop autoprofiling at the level of the namespace that contains the selected pods.
Deleting a runtime autoprofile
To delete a container runtime autoprofile:
- Open the table of the generated runtime autoprofiles in one of the following sections:
- In the Policies → Runtime → Autoprofiles section.
- In the Associated autoprofiles section, on the page with detailed information about the image scan results, in the Resources → Registries section.
- Do one of the following:
- In the Policies → Runtime → Autoprofiles section, use the check box to select the autoprofile that you want to delete and click the Delete button located above the table.
- On the page with detailed information about the image scan results, in the Resources → Registries section, in the row with the name of the autoprofile that you want to delete, click the delete icon.
- In the window that opens, confirm the action.
Restrictions related to autoprofiles
When working with runtime autoprofiles, consider the following restrictions related to scopes and user roles:
- If an image is not added to the scopes assigned to the user as part of a namespace in a cluster, the user cannot access autoprofiles generated using the digest of the image.
A user assigned the default scope can view all created autoprofiles.
- If a user has the rights to manage autoprofiling, the user can start a task to build an autoprofile, change the settings and re-generate an autoprofile.
- A user who did not start an autoprofiling task can change the settings, as well as rebuild and delete an autoprofile, if all of the following conditions are met:
- The user has rights to manage autoprofiling
- One of the user's roles coincides with the role of the autoprofiling task's creator at the time the autoprofile is created
- The scopes assigned to the user include the image (as part of the namespace in the cluster) that the autoprofile is based on
Deleting policies
You can delete security policies if your account has been assigned at least one role that the policy's creator had at the time of the policy's creation. You also need rights to manage the corresponding types of policies in order to delete them.
To delete a policy:
- Open the list of configured scanner policies, assurance policies, response policies or runtime policies.
- In the line containing the name of the policy that you want to delete, click the delete icon.
- In the window that opens, confirm the action.
If security policy configuration errors block Kaspersky Container Security and you cannot manage the solution using the Management Console, the security policies must be deleted manually.
To manually delete a policy and recover the solution:
- Run the following command to remove the agents (kube-agent and node-agent) as applicable:
kubectl delete deployment kube-agent
kubectl delete daemonset node-agent
- Delete all custom resources in the target cluster by running the following command:
kubectl get crd -o name | grep 'kcssecurityprofiles.securityprobe.kcs.com' | xargs kubectl delete
- Restart all Kaspersky Container Security pods and access the Management Console.
- Make the necessary changes to the security policies.
- Install the agents using the instructions in YAML format.