Kaspersky Container Security
2.0
English

Contents

About the Kaspersky Container Security platform

Kaspersky Container Security (hereinafter referred to as the solution) allows you to discover security problems and provides protection throughout the lifecycle of container applications, from development and deployment control to runtime.

Solution functionality:

  • Integration with image registries (for example, Docker Hub, JFrog Artifactory, Sonatype Nexus Repository OSS, GitLab Registry, Harbor) to scan images in the registry for known vulnerabilities published by the NVD and the Data Security Threats Database (FSTEC), secrets (passwords, access keys, tokens), misconfigurations, and malware.
  • Integration into the
    CI/CD
    process as a pipeline stage, as well as scanning
    IaC
    for misconfigurations and container images for vulnerabilities, malware, and sensitive data (secrets).
  • Checking of cluster nodes for compliance with information security benchmarks.
  • Monitoring compliance with the configured security policies while building and running the applications, including container startup control in the runtime.
  • Monitoring of resources used by the controlled clusters.

You can configure and access the functionalities of Kaspersky Container Security through the Management Console. The console is implemented as a web interface which can be accessed through the Chromium (Google Chrome, Microsoft Edge), Apple Safari or Mozilla Firefox browsers.

In this Help section

What's new

Distribution kit

Hardware and software requirements

Scaling

System packages of base images

Scanned application software packages

Working in cloud-based environments
Page top
[Topic 292907]

What's new

Kaspersky Container Security 2.0 offers the following new features and improvements:

  • Centralized investigation of vulnerabilities in CI/CD artifacts, image registries, and runtime.
  • Enhanced capabilities of logging container events associated with network traffic (inbound and outbound), file operations, launched processes and File Threat Protection.
  • Uninterrupted monitoring of infrastructures containing up to several thousand nodes.
  • Integration with HashiCorp Vault external secret storage:
    • Reading of secrets created in advance for the Kaspersky Container Security components
    • Use of Vault PKI to create TLS certificates for cross-service interaction
  • Integration with security information and event management (SIEM) software:
    • Configuration of integration with several products in UI
    • Specification of parameters for sending messages for various events (Administration, Alert, CI/CD, Policies, Resources, Scanners, Admission controller, API)
    • Specification of parameters for sending messages for container events associated with network traffic (inbound and outbound), file operations and launched processes
  • Generation of reports in the .JSON and .XML formats.
  • Scanning the infrastructure for compliance with cluster security benchmarks.
  • Generation of cluster benchmarks summary report.
  • Improved integration with LDAP (Bind DN scheme).
  • Container Runtime Profile generation based on container performance analysis (autoprofiling).
  • Improvement of OpenAPI:
    • Getting data on Core Health Check
    • Management of scanner policies, assurance policies, response policies and runtime policies
    • Runtime profiles management
    • Getting system event log
    • Getting container event log
    • Risk management
    • Autoprofiling tasks management
    • Getting information about integration with image signature validators
  • Support for integration with the following external image registries:
    • Amazon Elastic Container Registry
    • Red Hat Quay
  • Scanning of OCI directory in CI/CD processes.
Page top
[Topic 290867]

Distribution kit

For information about purchasing the application, please visit https://www.kaspersky.com or contact our partners.

The distribution kit includes a Helm Chart package with the containerized resources necessary for deploying and installing Kaspersky Container Security components. The containerized components from the distribution kit are listed in the table below.

Containerized components from the Kaspersky Container Security distribution kit

Component

Image

Pod

ClickHouse DBMS

clickhouse

kcs-clickhouse

PostgreSQL DBMS

postgresql

kcs-postgres

Middleware

middleware

kcs-middleware

Event Broker

event-broker

kcs-eb

Image Handler, client scanner

image-handler

kcs-ih

Scanner

scanner-server

kcs-scanner

Licenses

licenses

kcs-licenses

File storage (Minio)

minio

kcs-s3

Multi-threaded event-based key-value cache storage (Memcached)

memcached

kcs-memcached

Update file server for private corporate networks (Updates)

updates

kcs-updates

Solution interface (Panel)

nginx

kcs-panel

Agent Broker

agent-broker

kcs-ab

Agents

node-agent
kube-agent

node-agent
kube-agent

The Helm package also includes a values.yaml configuration file that contains the values of settings for installing and updating the solution.

After downloading and saving the Helm package in a selected directory, the orchestrator downloads the images from the source specified in the Helm package directly to the orchestration platform nodes.

The information required to activate the application is sent to you by email.

Page top
[Topic 292932]

Hardware and software requirements

To install and operate Kaspersky Container Security, the following infrastructure requirements must be met:

  • One of the following orchestration platforms:
    • Kubernetes 1.21 or later
    • OpenShift 4.8, 4.11, or later
    • DeckHouse 1.52 or 1.53 (CNI: Flannel)
    • DropApp 2.1
  • Availability of a CI system to scan container images within the development process (for example, GitLab CI).
  • Installed package manager Helm 3.10.0 or later.

To implement runtime monitoring with container runtime profiles, orchestrator nodes must meet the following requirements:

  • Linux kernel 4.18 or later.

    Some mechanisms to manage process privileges at the level of the Linux kernel are used with Linux kernel version 5.8 or later. If the Linux kernel version is prior to 5.8, when installing Kaspersky Container Security, you must disable the list of these process privilege management mechanisms for the kcs-ih component and set it to privileged mode.
    Example of setting privileged mode

    default:
    kcs-ih:
    privileged: true

  • Container runtimes (CRI): containerd, CRI-O.
  • Container Network Interface (CNI) plug-ins: Flannel, Calico, Cilium.

Architecture requirements:

Kaspersky Container Security supports the x86 architecture.

Minimum supported versions of Linux distributions and Linux kernels for implementing runtime monitoring using container runtime profiles:

  • CentOS 8.2.2004 or later + kernel 4.18.0-193 or later.
  • Ubuntu 18.04.2 or later + kernel 4.18.0 or later
  • Debian 10 or later + kernel 4.19.0 or later
  • Astra Linux SE 1.7. * + Kernel 6.1.50-1-generic.

    If Astra Linux OS is used, kernel configuration must have the CONFIG_DEBUG_INFO_BTF=y option.

  • RHEL 9.4 or later + kernel 5.14 or later
  • Red Hat Enterprise Linux CoreOS 416.94.202408200132-0 + kernel 5.14.0-427.33.1.el9_4.x86_64
  • RED OS 7.3 or later + kernel 6.1 or later (CRI: CRI-O, CNI: Calico).
  • Sber Linux 8.9, 9.3 + kernel 5.14 (CRI: CRI-O, CNI: Calico, Cilium)

    When using Cilium 1.16, you must set enableTCX to false.

If your infrastructure contains host servers running other Linux distributions, we recommend contacting Technical Support. Technical Support will check the compatibility of the solution with your distributions. If such compatibility is not available, the distributions may be supported by future versions of Kaspersky Container Security.

Kaspersky Container Security ensures correct operation when used in an Istio service mesh infrastructure.

The solution supports integration with Hashicorp Vault 1.7 or later.

When using external database management systems, Kaspersky Container Security supports the following DBMS:

  • PostgreSQL 11.*, 13.*, 14.*, 15.*
  • Pangolin 6.2.0

Kaspersky Container Security supports integration with the following image registries:

  • GitLab 14.2 or later
  • Docker Hub V2 API
  • JFrog Artifactory 7.55 or later
  • Sonatype Nexus Repository OSS 3.43 or later
  • Harbor 2.х
  • Yandex Registry (integration using the Yandex Container Registry API)
  • Docker Registry (integration using the Docker V2 API)
  • Red Hat Quay 3.x

Kaspersky Container Security supports both IPv4 and IPv6 networks.

Image requirements (OS, version, scanned packages):

  • AlmaLinux, versions 8, 9. Packages installed via dnf/yum/rpm are scanned.
  • Alpine Linux, versions 2.2 - 2.7, 3.0 - 3.20, Edge. Packages installed via apk are scanned.
  • Amazon Linux, versions 1, 2, 2023. Packages installed via dnf/yum/rpm are scanned.
  • Astra Linux SE, versions 1.6.x, 1.7.x. Packages installed via apt/dpkg are scanned.
  • CBL-Mariner, versions 1.0, 2.0. Packages installed via dnf/yum/rpm are scanned.
  • CentOS, versions 6, 7, 8. Packages installed via dnf/yum/rpm are scanned.
  • Chainguard, all versions. Packages installed via apk are scanned.
  • Debian GNU/Linux, versions 7, 8, 9, 10, 11, 12. Packages installed via apt/dpkg are scanned.
  • openSUSE Leap, versions 42, 15. Packages installed via zypper/rpm are scanned.
  • openSUSE Tumbleweed, all versions. Packages installed via zypper/rpm are scanned.
  • Oracle Linux, versions 5, 6, 7, 8. Packages installed via dnf/yum/rpm are scanned.
  • Photon OS, versions 1.0, 2.0, 3.0, 4.0. Packages installed via tdnf/yum/rpm are scanned.
  • Red Hat Enterprise Linux, versions 6, 7, 8. Packages installed via dnf/yum/rpm are scanned.
  • RedOS, versions 7.1, 7.2, 7.3.x, 8.0. Packages installed via dnf/yum/rpm are scanned.
  • Rocky Linux, versions 8, 9. Packages installed via dnf/yum/rpm are scanned.
  • SUSE Enterprise Linux, versions 11, 12, 15. Packages installed via zypper/rpm are scanned.
  • SUSE Linux Enterprise Micro, versions 5, 6. Packages installed via zypper/rpm are scanned.
  • Ubuntu, all versions supported by Canonical. Packages installed via apt/dpkg are scanned.
  • Wolfi Linux, all versions. Packages installed via apk are scanned.
  • OS with the Conda command line tool installed. Packages installed via conda are scanned.

When configuring Kaspersky Container Security in a cluster with three worker nodes, three scanner pods (kcs-ih) and a maximum image scan size of 10 GB, the cluster working node must meet the following requirements:

  • At least 12 processor cores
  • At least 20 GB of RAM
  • 40 GB of free disk space
  • At least 1 Gbps of communication channel bandwidth between cluster components

To run agents in a cluster, each worker node must be provided with the following additional resources:

  1. Basic requirements:
    • 0.2 processor cores
    • 200 MB of RAM
    • 15 GB of free disk space
  2. Requirements when enabling the following agent functionalities (additional to the baseline requirements):
    • Network and process monitoring:
      • 2 installed processor cores
      • 2 GB of added RAM
    • Anti-malware protection:
      • 2 installed processor cores
      • 2 GB of added RAM

When all agent functionalities are enabled, the following requirements to additional resources must be met:

  • 2 processor cores
  • 4 GB of RAM

An agent on a worker node discontinues its operation if the worker node stops working.

You must allocate free disk space for ClickHouse DBMS taking into account the number of monitored nodes. Each node requires 1 GB of free disk space for ClickHouse Persistent Volume.

The above requirements apply to Kaspersky Container Security deployment only; they do not take into account other loads on the client's resources.

Kaspersky Container Security user workstation requirements:

  • Permanent Internet connection when deployed in a public corporate network.
  • Access to the Management Console page of Kaspersky Container Security (address within customer's corporate network, specified during installation).
  • Communication channels with at least 10 Mbit/s bandwidth.
  • One of the following browsers:
    • Google Chrome version 73 or later.
    • Microsoft Edge version 79 or later.
    • Mozilla Firefox version 63 or later.
    • Apple Safari version 12.1 or later.
    • Opera version 60 or later.

Page top
[Topic 287165]

Scaling

To achieve and maintain optimal performance when scanning the incoming volume of Kaspersky Container Security images, you must take into account the number of scanning pods and cluster nodes supported by the solution.

In this section

Scaling the number of scanning pods

Accounting for the number of served cluster nodes when scaling
Page top
[Topic 287063]

Scaling the number of scanning pods

Kaspersky Container Security supports scaling for the number of scanning pods to ensure that the incoming image volume can be scanned. You can scale the number of scanning pods up or down at any time while the solution is operating.

When a scanning pod is added, the system resources increase as follows:

  • The number of node processors—by 2.
  • The amount of RAM on the nodes—by 2 GB.
  • The amount of free disk space on a node hard drive—by 12 GB.

To scan images larger than 10 GB, the kcs-ih service resources must be increased as follows per scanning pod and for each additional GB.

  • The amount of RAM on the nodes—by 300 MB.
  • The amount of free disk space on a node hard drive—by 1 GB.

If the images are not scanned for configuration file errors during standard operation mode, it is not necessary to increase the RAM of the scanning pods.

To process the results of scanning many large objects faster, you can allocate more resources to the job handler service by updating variables in the Helm package.

To add more scan job handling resources:

  1. Open the Helm package and specify the required number of handlers for the kcs-middleware parameter in the scanWorkers variable in the default section.
  2. In the requests and limits variables, specify the size of RAM as determined according to the following formula:

    memory = X * scanWorkers / 2, where

    memory is the size of RAM allocated to the image handler service.

    X is the original value of the variable that denotes the size of RAM.

    scanWorkers is the number of handlers specified in step 1.

    The result of scanWorkers/2 can't be zero.

  3. In the requests and limits variables, specify the CPU resources as calculated according to the following formula:

    cpu = X*scanWorkers, where

    cpu is the CPU resources allocated to the image handler service.

    X is the original value of the variable that denotes the CPU resources.

    scanWorkers is the number of handlers specified in step 1.

Example of adding more scan job handling resources

Adding more scan job handling resources

Initial value

default:

# kcs-middleware:

#scanWorkers: 1

## Default values for 'resources'

# resources:

# requests:

# memory: "2Gi"

# cpu: "400m"

# limits:

# memory: "4Gi"

# cpu: "800m"

 

Increased value

default:

kcs-middleware:

scanWorkers: 4

## Default values for 'resources'

resources:

requests:

memory: "4Gi"

cpu: "1600m"

limits:

memory: "8Gi"

cpu: "3200m"

 

Page top
[Topic 287064]

Accounting for the number of served cluster nodes when scaling

One instance of Kaspersky Container Security supports working with up to 600 monitored clusters. The number of served nodes of each cluster is scaled by changing the following components:

  • kcs-ab to increase or reduce the number of component replicas.
  • kcs-memcached to increase or reduce the resource allocation requirements of the component.

By default, Kaspersky Container Security is shipped with the following values set for these components:

  • kcs-ab:
    • 1 pod per replica allowing to serve 2000 nodes.
    • Requested amount of resources: 0.5 CPU core for nodes; 512 MB of RAM for nodes.
    • Maximum resource usage: 1 CPU core for nodes; 1 GB of RAM for nodes.
  • kcs-memcached:
    • Requested amount of resources: 2 CPU core for nodes; 2 GB of RAM for nodes.
    • Maximum resource usage: 4 CPU core for nodes; 4 GB of RAM for nodes.

Kaspersky Container Security scales by increasing the following parameters:

  • For kcs-ab, adding one pod to a replica increases the number of supported nodes by 2000.
  • For kcs-memcached, adding one pod to the kcs-ab component requires increasing the requested resources and the maximum resource usage of the kcs-memcached component by the following amounts:
    • Requested amount of resources: 0.5 CPU core for nodes; 2 GB of RAM for nodes.
    • Maximum resource usage: 0.5 CPU core for nodes; 2 GB of RAM for nodes.

For example, if an instance of Kaspersky Container Security serves 10,000 nodes in a user's clusters, the following parameters apply:

  • kcs-ab:
    • 5 pods per replica.
    • Requested amount of resources: 0.5 CPU core per node; 512 MB of RAM per node.
    • Maximum resource usage: 1 CPU core for nodes; 1 GB of RAM for nodes.
  • kcs-memcached:
    • Requested amount of resources: 4 CPU core for nodes; 10 GB of RAM for nodes.
    • Maximum resource usage: 6 CPU core for nodes; 12 GB of RAM for nodes.

The values given are approximate because the deployment requires taking into account the specifics of virtualization settings and the performance of host servers (nodes) in the given infrastructure.

Page top
[Topic 295413]

System packages of base images

The following operating system images are used as base images by Kaspersky Container Security:

  • Alpine 3.18.4.
  • Ubuntu 23.10.
  • Oracle Linux 9.2.

Package management systems ("package managers") are used to manage the installation, removal, configuration, and updating of various software components. Kaspersky Container Security uses the following package managers for its base operating systems:

  • For Alpine, apk.
  • For Ubuntu, apt.
  • For Oracle Linux, rpm.

To get information about installed system packages,

use the standard orchestrator tools for accessing a running container and (depending on the package manager used) enter the following bash command:

  • For apk:

    apk -q list | grep "installed".

  • For apt:

    apt list --installed.

  • For rpm:

    yum list installed.

Page top
[Topic 265976]

Scanned application software packages

Kaspersky Container Security supports the following scanned application software packages in the specified programming languages:

  • Ruby:
    • gemspec (image is scanned).
    • Gemfile.lock (repository in CI/CD is scanned).
  • Python:
    • egg package, wheel package, conda package (image is scanned).
    • Pipfile.lock, poetry.lock, requirements.txt (repository in CI/CD is scanned).
  • PHP:
    • installed.json (image is scanned).
    • composer.lock (repository in CI/CD is scanned).
  • Node.js:
    • package.json (image is scanned).
    • package-lock.json, yarn.lock, pnpm-lock.yaml (repository in CI/CD is scanned).
  • .NET: packages.lock.json, packages.config, .deps.json, Packages.props (image and repository in CI/CD are scanned).
  • Java:
    • * .jar, * .war, * .par and * .ear (image is scanned).
    • pom.xml, * gradle.lockfile, * .sbt.lock (repository in CI/CD is scanned).
  • Go:
    • Binary files (image is scanned).
    • go.mod (repository in CI/CD is scanned).
  • Rust:
    • Binaries checked by Cargo (image is scanned).
    • Cargo.lock (image and repository in CI/CD are scanned).
  • C/C++: conan.lock (repository in CI/CD is scanned).
  • Elixir: mix.lock (repository in CI/CD is scanned).
  • Dart: pubspec.lock (repository in CI/CD is scanned).
  • Swift: Podfile.lock, Package.resolved (repository in CI/CD is scanned).
  • Julia: Manifest.toml (image and repository in CI/CD are scanned).

Page top
[Topic 283462]

Working in cloud-based environments

Kaspersky Container Security can operate in various cloud environments. For more information on launching the solution in cloud environments, contact your Presales Manager.

Page top
[Topic 295358]