Preparing to install the solution
Prior to installing Kaspersky Container Security, you must install all certificates required for the corporate network and configure the proxy servers.
The solution can be deployed in a private or public corporate network.
Before installing Kaspersky Container Security, make sure that you have the following components and accesses:
- Virtual or physical machine with access to the Internet and the cluster.
- Helm package manager for packaging, configuring, and deploying applications and services in clusters.
Kaspersky Container Security supports Helm 3.10.0 and later.
- Internet access to download Helm Chart packages.
- Orchestrator management tool, for example, kubectl for Kubernetes or oc for Openshift.
- Access to a cluster using the kubeconfig file.
To install the solution in a private corporate network, configure a repository for container images. This repository accesses the Kaspersky Container Security vendor repository with the credentials provided by the solution vendor.
Preparing for installation in a private network
To prepare to install the solution in a private corporate network:
- Connect the vendor's Helm repository containing the Helm Chart package:
export CHART_URL="xxxxxx"
export CHART_USERNAME="xxxxxx"
export CHART_PASSWORD="xxxxxx"
export VERSION="xxxxxx"
The CHART_URL, CHART_USERNAME, CHART_PASSWORD, and VERSION values are provided by the vendor.
- Fill in the file with the installation settings (values.yaml) included in the solution distribution kit according to the comments in the file.
We do not recommend specifying account data in the values.yaml file to be used when launching the Helm Chart package.
You can use one of the following secure methods to manage secrets:
- Using CI/CD systems. Secrets are specified using protected environment variables or built-in secret management mechanisms. During deployment, the data is dynamically inserted into the Helm Chart; it does not need to be specified openly in the values.yaml configuration file.
- Integrating with HashiCorp Vault. Helm Chart supports integration with HashiCorp Vault, where you can store secrets, and you must specify only the paths to such secrets in values.yaml.
The pull-secret values for Docker Registry cannot be fully stored in HashiCorp Vault. We recommend that you specify the pull-secret values manually in the section with the Kubernetes cluster parameters and refer to them from the Helm Chart.
The following main installation settings must be specified in the values.yaml file:
- Namespace name.
helm upgrade --install kcs . \
--create-namespace \
--namespace kcs \
--values values.yaml \
- The domain name of Kaspersky Container Security for inbound connections.
--set default.domain="kcs.example.domain.ru" \
When network policies are enabled, you must specify at least one namespace for the cluster ingress controller.
--set default.networkPolicies.ingressControllerNamespaces="{ingress-nginx}" \
By default, network policies are enabled.
- Secrets of the solution components.
--set secret.infracreds.envs.POSTGRES_USER="user" \
--set-string secret.infracreds.envs.POSTGRES_PASSWORD="pass" \
--set secret.infracreds.envs.MINIO_ROOT_USER="user" \
--set-string secret.infracreds.envs.MINIO_ROOT_PASSWORD="password" \
--set-string secret.infracreds.envs.CLICKHOUSE_ADMIN_PASSWORD="pass" \
--set secret.infracreds.envs.MCHD_USER="user" \
--set-string secret.infracreds.envs.MCHD_PASS="pass" \
To ensure security, the solution components must use credentials generated by the system administrator independently in accordance with corporate security policies. When deploying the target component within a solution, the specified user and password are automatically created. When using a third-party service, you must provide the username and password created by the administrator in the said service.
- Secrets related to access to the solution installation repository.
--set pullSecret.kcs-pullsecret.username="user" \
--set pullSecret.kcs-pullsecret.password="pass"
If you plan to deploy the system using a Kaspersky registry, you must specify the credentials provided to you when you purchased Kaspersky Container Security. If you plan to use a private registry or a proxy registry, you must specify your registry credentials.
- HashiCorp Vault secrets storage settings:
- The enabled flag enables the integration with the storage. The vault.enabled = true value indicates that the integration with HashiCorp Vault is established; the values of environment variables are obtained from the storage.
- mountPath is the path to the directory with the secrets in the storage.
- role is the role to be used for authentication in the storage.
We recommend not to change the composition of the basic installation settings.
- If you are using an external PostgreSQL DBMS, specify the following:
--set default.postgresql.external="true"
--set configmap.infraconfig.envs.postgres_host="<IP address or FQDN of the PostgreSQL DBMS>"
--set configmap.infraconfig.envs.postgres_port="<port for connection to the PostgreSQL DBMS; by default, port 5432 is used>"
--set configmap.infraconfig.envs.postgres_db_name="<name of the database created by the PostgreSQL DBMS administrator; api is used by default>"
You should also ask the PostgreSQL DBMS administrator to clarify the requirements for verification of the DBMS server certificate. Kaspersky Container Security supports the following verification modes:
--set configmap.infraconfig.envs.postgres_verify_level="disable" – the server certificate is not verified.
--set configmap.infraconfig.envs.postgres_verify_level="require" – a certificate is required, but the solution trusts any certificate without further verification.
--set configmap.infraconfig.envs.postgres_verify_level="verify-ca" – a certificate is required, and the solution checks that it is issued by a trusted CA (certificate authority).
--set configmap.infraconfig.envs.postgres_verify_level="verify-full" – a certificate is required, and the solution verifies that it is issued by a trusted CA and contains the correct IP address or FQDN.
If you need to verify the certificate of an external PostgreSQL DBMS, do the following:
- Upload the public part of the CA certificate to the folder with the Helm Chart package using the certs/pgsql-ca.crt mask.
- Specify the following verification parameter:
--set configmap.infraconfig.envs.postgres_root_ca_path="/etc/ssl/certs/pgsql-ca.crt"
- Uncomment the secret.cert-pgsql-ca section in the values.yaml configuration file to create the secret.
- Save the file with the installation settings and proceed to install the solution.
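As an added example (not code from the Kaspersky Container Security documentation or distribution kit), the following POSIX shell script assembles the helm upgrade --install arguments listed above from environment variables, so that the component passwords and pull-secret credentials never have to be written into values.yaml, and for an external PostgreSQL DBMS it refuses to proceed with verify-ca or verify-full unless certs/pgsql-ca.crt is present next to the Helm Chart. The KCS_* variable names and the kcs_* function names are assumptions of this example.

```shell
# Added example, not part of the Kaspersky Container Security distribution kit.
# Builds the "helm upgrade --install" argument list from environment variables
# (KCS_* names are assumptions) so credentials are injected at deploy time.

# Print the value of the named variable, or fail naming the missing variable.
kcs_require() {
  eval "val=\${$1:-}"
  [ -n "$val" ] || { echo "missing required variable: $1" >&2; return 1; }
  printf '%s' "$val"
}

# Emit one helm argument per line. Passwords go through --set-string so that
# a value such as 0123 or true is not reinterpreted by Helm as a number/bool.
kcs_helm_args() {
  pg_user=$(kcs_require KCS_POSTGRES_USER) || return 1
  pg_pass=$(kcs_require KCS_POSTGRES_PASSWORD) || return 1
  pull_user=$(kcs_require KCS_PULL_USERNAME) || return 1
  pull_pass=$(kcs_require KCS_PULL_PASSWORD) || return 1
  domain=$(kcs_require KCS_DOMAIN) || return 1
  printf '%s\n' "--create-namespace" "--namespace=${KCS_NAMESPACE:-kcs}" \
    "--values=values.yaml" "--set=default.domain=$domain" \
    "--set=default.networkPolicies.ingressControllerNamespaces={${KCS_INGRESS_NS:-ingress-nginx}}" \
    "--set=secret.infracreds.envs.POSTGRES_USER=$pg_user" \
    "--set-string=secret.infracreds.envs.POSTGRES_PASSWORD=$pg_pass" \
    "--set=pullSecret.kcs-pullsecret.username=$pull_user" \
    "--set=pullSecret.kcs-pullsecret.password=$pull_pass"
  [ "${KCS_PG_EXTERNAL:-false}" = "true" ] || return 0
  # External PostgreSQL: verify-ca and verify-full need the CA file certs/pgsql-ca.crt.
  pg_host=$(kcs_require KCS_PG_HOST) || return 1
  level=${KCS_PG_VERIFY_LEVEL:-verify-full}
  printf '%s\n' "--set=default.postgresql.external=true" \
    "--set=configmap.infraconfig.envs.postgres_host=$pg_host" \
    "--set=configmap.infraconfig.envs.postgres_port=${KCS_PG_PORT:-5432}" \
    "--set=configmap.infraconfig.envs.postgres_db_name=${KCS_PG_DB:-api}" \
    "--set=configmap.infraconfig.envs.postgres_verify_level=$level"
  case "$level" in
    disable|require) ;;
    verify-ca|verify-full)
      [ -f certs/pgsql-ca.crt ] || { echo "certs/pgsql-ca.crt not found" >&2; return 1; }
      printf '%s\n' "--set=configmap.infraconfig.envs.postgres_root_ca_path=/etc/ssl/certs/pgsql-ca.crt" ;;
    *) echo "unknown postgres_verify_level: $level" >&2; return 1 ;;
  esac
}

# Run the install from the Helm Chart directory; each emitted line is one argument.
kcs_install() {
  args=$(kcs_helm_args) || return 1
  oldifs=$IFS; IFS='
'; set -f; set -- $args; set +f; IFS=$oldifs
  helm upgrade --install kcs . "$@"
}
```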
Certificate requirements
Kaspersky Container Security requires SSL certificates to operate. The method to create certificates when deploying the solution is specified in the default.certSource section of the values.yaml configuration file. You can choose one of the following methods to create certificates:
- helm – the solution automatically creates the necessary certificates (used by default).
- vault – the method to use if you plan to integrate the solution with the HashiCorp Vault external storage. You need to generate all the required certificates and upload them to HashiCorp Vault.
- files – certificates are created manually, for example, using the corporate CA. Scripts for manual certificate creation are stored in the "certs/" folder of the Helm Chart package.
The generated certificates must match the expected certificate names in the secret section of the values.yaml file. If necessary, you can uncomment and redefine the expected certificate file names in the secret section.
Certificates have the following requirements:
- Key length is 4096 bits RSA.
- The CN field specifies the pod of the component to which the certificate is related (kcs-licenses, kcs-middleware, kcs-mw-grpc, kcs-panel, kcs-postgres, kcs-scanner, kcs-scanner-api, kcs-updates, kcs-memcached, kcs-ab, kcs-s3, kcs-clicklickhouse, kcs-eb).
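As an added example (not one of the scripts from the certs/ folder of the Helm Chart package), the following shell functions check a manually created certificate (the files method) against the two requirements above by parsing the output of openssl x509 -noout -text: a 4096-bit RSA key and a CN equal to the expected component pod name, which is passed in as an argument. The kcs_* function names are assumptions of this example.

```shell
# Added example, not part of the Kaspersky Container Security distribution kit.
# Checks the text form of a certificate against the requirements: RSA key of
# 4096 bits and a CN that names the component pod the certificate belongs to.

# Read "openssl x509 -noout -text" output from stdin; $1 is the expected CN.
# Every violation is reported on stderr; returns 0 only if all checks pass.
kcs_check_cert_text() {
  want_cn=$1
  text=$(cat)
  rc=0
  printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' \
    || { echo "key is not RSA" >&2; rc=1; }
  # OpenSSL 1.1 prints "RSA Public-Key: (N bit)", OpenSSL 3 "Public-Key: (N bit)".
  printf '%s\n' "$text" | grep -q 'Public-Key: (4096 bit)' \
    || { echo "key length is not 4096 bits" >&2; rc=1; }
  # CN is the last "CN = value" element of the Subject line; both the
  # "CN = x" and the older "CN=x" spellings are accepted.
  cn=$(printf '%s\n' "$text" \
       | sed -n 's/^ *Subject:.*CN *= *\([^,/]*\).*$/\1/p' | sed 's/ *$//')
  [ "$cn" = "$want_cn" ] \
    || { echo "CN is '$cn', expected '$want_cn'" >&2; rc=1; }
  return $rc
}

# Check a PEM file, e.g.: kcs_check_cert certs/kcs-panel.crt kcs-panel
kcs_check_cert() {
  openssl x509 -in "$1" -noout -text | kcs_check_cert_text "$2"
}
```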