Kaspersky Container Security

Scaling

To achieve and maintain optimal performance when Kaspersky Container Security scans the incoming volume of images, you must take into account the number of scanning pods and the number of cluster nodes that the solution supports.

In this section

Scaling the number of scanning pods

Accounting for the number of served cluster nodes when scaling


Scaling the number of scanning pods

Kaspersky Container Security lets you scale the number of scanning pods so that the incoming volume of images can be scanned. You can scale the number of scanning pods up or down at any time while the solution is operating.

Each added scanning pod increases the required system resources as follows:

  • The number of node processors—by 2.
  • The amount of RAM on the nodes—by 2 GB.
  • The amount of free disk space on a node hard drive—by 12 GB.

To scan images larger than 10 GB, the kcs-ih service resources must be increased by the following amounts per scanning pod for each additional GB:

  • The amount of RAM on the nodes—by 300 MB.
  • The amount of free disk space on a node hard drive—by 1 GB.

If the images are not scanned for configuration file errors during standard operation mode, it is not necessary to increase the RAM of the scanning pods.

To process the results of scanning many large objects faster, you can allocate more resources to the job handler service by updating variables in the Helm package.

To add more scan job handling resources:

  1. Open the Helm package and specify the required number of handlers for the kcs-middleware parameter in the scanWorkers variable in the default section.
  2. In the requests and limits variables, specify the size of RAM as determined according to the following formula:

    memory = X * scanWorkers / 2, where

    memory is the size of RAM allocated to the image handler service.

    X is the original value of the variable that denotes the size of RAM.

    scanWorkers is the number of handlers specified in step 1.

    The result of scanWorkers/2 can't be zero.

  3. In the requests and limits variables, specify the CPU resources as calculated according to the following formula:

    cpu = X*scanWorkers, where

    cpu is the CPU resources allocated to the image handler service.

    X is the original value of the variable that denotes the CPU resources.

    scanWorkers is the number of handlers specified in step 1.

Example of adding more scan job handling resources

Initial value

    default:
    # kcs-middleware:
    #   scanWorkers: 1
        ## Default values for 'resources'
    #   resources:
    #     requests:
    #       memory: "2Gi"
    #       cpu: "400m"
    #     limits:
    #       memory: "4Gi"
    #       cpu: "800m"

Increased value

    default:
      kcs-middleware:
        scanWorkers: 4
        ## Default values for 'resources'
        resources:
          requests:
            memory: "4Gi"
            cpu: "1600m"
          limits:
            memory: "8Gi"
            cpu: "3200m"
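The two formulas from steps 2 and 3 can be applied and checked mechanically before a Helm upgrade. The following is an added example, not code from Kaspersky or from the Helm package; the function names are hypothetical, the defaults are copied from the initial values shown above, and the note that scanWorkers/2 can't be zero is read here (as an assumption) as requiring scanWorkers to be at least 2.

```python
import re

# kcs-middleware defaults copied from the page's "Initial value" listing.
DEFAULTS = {"requests": {"memory": "2Gi", "cpu": "400m"},
            "limits": {"memory": "4Gi", "cpu": "800m"}}

def mem_mi(q):
    """Kubernetes memory quantity (Mi or Gi only) -> MiB."""
    m = re.fullmatch(r"(\d+)(Mi|Gi)", q)
    if not m:
        raise ValueError(f"unsupported memory quantity: {q!r}")
    return int(m.group(1)) * (1024 if m.group(2) == "Gi" else 1)

def cpu_milli(q):
    """Kubernetes CPU quantity ('400m' or whole cores such as '2') -> millicores."""
    m = re.fullmatch(r"(\d+)(m?)", q)
    if not m:
        raise ValueError(f"unsupported CPU quantity: {q!r}")
    return int(m.group(1)) * (1 if m.group(2) else 1000)

def expected_resources(scan_workers, defaults=DEFAULTS):
    """Apply memory = X * scanWorkers / 2 and cpu = X * scanWorkers."""
    if scan_workers // 2 == 0:
        # Assumption: "scanWorkers/2 can't be zero" means scanWorkers >= 2.
        raise ValueError("scanWorkers/2 must not be zero")
    out = {}
    for section, x in defaults.items():
        mi = mem_mi(x["memory"]) * scan_workers // 2
        mem = f"{mi // 1024}Gi" if mi % 1024 == 0 else f"{mi}Mi"
        out[section] = {"memory": mem,
                        "cpu": f"{cpu_milli(x['cpu']) * scan_workers}m"}
    return out

def check_override(scan_workers, resources):
    """List the fields of a 'resources' override that differ from the formulas."""
    want = expected_resources(scan_workers)
    problems = []
    for section in ("requests", "limits"):
        got = resources.get(section, {})
        if mem_mi(got.get("memory", "0Mi")) != mem_mi(want[section]["memory"]):
            problems.append(f"{section}.memory: expected {want[section]['memory']}")
        if cpu_milli(got.get("cpu", "0")) != cpu_milli(want[section]["cpu"]):
            problems.append(f"{section}.cpu: expected {want[section]['cpu']}")
    return problems

if __name__ == "__main__":
    print(expected_resources(4))
```

An empty list from check_override means the override matches both formulas for the given scanWorkers value.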

 


Accounting for the number of served cluster nodes when scaling

One instance of Kaspersky Container Security supports working with up to 600 monitored clusters. The number of served nodes of each cluster is scaled by changing the following components:

  • kcs-ab to increase or reduce the number of component replicas.
  • kcs-memcached to increase or reduce the resource allocation requirements of the component.

By default, Kaspersky Container Security is shipped with the following values set for these components:

  • kcs-ab:
    • 1 pod per replica, which allows serving 2000 nodes.
    • Requested amount of resources: 0.5 CPU core for nodes; 512 MB of RAM for nodes.
    • Maximum resource usage: 1 CPU core for nodes; 1 GB of RAM for nodes.
  • kcs-memcached:
    • Requested amount of resources: 2 CPU cores for nodes; 2 GB of RAM for nodes.
    • Maximum resource usage: 4 CPU cores for nodes; 4 GB of RAM for nodes.

Kaspersky Container Security scales by increasing the following parameters:

  • For kcs-ab, adding one pod to a replica increases the number of supported nodes by 2000.
  • For kcs-memcached, adding one pod to the kcs-ab component requires increasing the requested resources and the maximum resource usage of the kcs-memcached component by the following amounts:
    • Requested amount of resources: 0.5 CPU core for nodes; 2 GB of RAM for nodes.
    • Maximum resource usage: 0.5 CPU core for nodes; 2 GB of RAM for nodes.

For example, if an instance of Kaspersky Container Security serves 10,000 nodes in a user's clusters, the following parameters apply:

  • kcs-ab:
    • 5 pods per replica.
    • Requested amount of resources: 0.5 CPU core per node; 512 MB of RAM per node.
    • Maximum resource usage: 1 CPU core for nodes; 1 GB of RAM for nodes.
  • kcs-memcached:
    • Requested amount of resources: 4 CPU cores for nodes; 10 GB of RAM for nodes.
    • Maximum resource usage: 6 CPU cores for nodes; 12 GB of RAM for nodes.

The values given are approximate because the deployment requires taking into account the specifics of virtualization settings and the performance of host servers (nodes) in the given infrastructure.
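The scaling rules above can be turned into a sizing helper for any node count. The following is an added example, not code from Kaspersky; the function and constant names are hypothetical, the figures are the defaults and increments listed in this section, and rounding a partly filled block of 2000 nodes up to a whole kcs-ab pod is an assumption.

```python
NODES_PER_AB_POD = 2000  # nodes served by one kcs-ab pod

# kcs-memcached defaults and the increment per additional kcs-ab pod
# (CPU in cores, RAM in GB), as listed in this section.
MEMCACHED_BASE = {"requests": {"cpu": 2.0, "ram_gb": 2},
                  "limits": {"cpu": 4.0, "ram_gb": 4}}
MEMCACHED_STEP = {"cpu": 0.5, "ram_gb": 2}

def size_for_nodes(nodes):
    """Return the kcs-ab pod count and kcs-memcached resources for a node count."""
    if nodes < 1:
        raise ValueError("node count must be a positive integer")
    # Assumption: a partly filled block of 2000 nodes still needs its own pod.
    pods = (nodes + NODES_PER_AB_POD - 1) // NODES_PER_AB_POD
    extra = pods - 1  # pods added on top of the single default pod
    memcached = {
        section: {
            "cpu": base["cpu"] + MEMCACHED_STEP["cpu"] * extra,
            "ram_gb": base["ram_gb"] + MEMCACHED_STEP["ram_gb"] * extra,
        }
        for section, base in MEMCACHED_BASE.items()
    }
    return {"kcs_ab_pods": pods, "kcs_memcached": memcached}

def sizing_table(node_counts):
    """One text row per node count, for comparing candidate cluster sizes."""
    rows = []
    for n in node_counts:
        s = size_for_nodes(n)
        req, lim = s["kcs_memcached"]["requests"], s["kcs_memcached"]["limits"]
        rows.append(
            f"{n} nodes: kcs-ab pods={s['kcs_ab_pods']}; kcs-memcached "
            f"requests={req['cpu']} CPU/{req['ram_gb']} GB, "
            f"limits={lim['cpu']} CPU/{lim['ram_gb']} GB"
        )
    return rows

if __name__ == "__main__":
    print("\n".join(sizing_table([2000, 4500, 10000])))
```

For 10,000 nodes the helper reproduces the figures in the example above; as the page notes, the results remain approximate for a given infrastructure.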
