Using external ClickHouse DBMS
In addition to the ClickHouse DBMS that is a component of Kaspersky Container Security and is included in the distribution kit, the solution can also work with an external ClickHouse DBMS. To do this, you must do the following:
- Create a database for Kaspersky Container Security, add and configure users, and define a disk policy if different disks are used for long-term and short-term data storage.
- Specify the required variables in the values.yaml configuration file for the external ClickHouse DBMS.
Kaspersky Container Security works with ClickHouse 22.6 or later.
Creating a database for Kaspersky Container Security
To create a database for Kaspersky Container Security, in ClickHouse on your workstation, run the following command:
    CREATE DATABASE IF NOT EXISTS kcs
where kcs is the name of the database for Kaspersky Container Security.
To configure the settings of the created database for Kaspersky Container Security:
- Add users and define their authorization method. To do this, you must do the following:
  - Add the following users:
    - a user with rights to read data received by the Kaspersky Container Security core (reader):
          <roles>
            <kcs_reader_role>
              <grants>
                <query>GRANT SELECT ON kcs.*</query>
              </grants>
            </kcs_reader_role>
          </roles>
    - a user with rights to write data from external agent requests (writer):
          <roles>
            <kcs_writer_role>
              <grants>
                <query>GRANT CREATE TABLE, INSERT, ALTER, UPDATE ON kcs.*</query>
                <query>GRANT SELECT (source_ip, source_port, source_alias, dest_ip, dest_port, dest_alias, protocol, severity, action, event_time, count, type) ON kcs.node_agent_events</query>
              </grants>
            </kcs_writer_role>
          </roles>
  - Specify the user authorization method: with a password or with a certificate.
- Specify disks for short-term and long-term data storage. When working with ClickHouse, Kaspersky Container Security can store large amounts of data with various retention periods. By default, most events are stored for a maximum of 30 minutes, whereas information about incidents is stored for up to 90 days. Since event recording requires considerable resources to ensure a high recording speed and sufficient disk space, it is recommended to use different disks for short-term and long-term data storage.
Configuring the external ClickHouse DBMS settings
To configure the Kaspersky Container Security settings to use the external ClickHouse DBMS:
- In the values.yaml configuration file, specify that the solution uses the external ClickHouse DBMS:
      default:
        kcs-clickhouse:
          external: true
- Specify the variables for using the external ClickHouse DBMS:
      configmap:
        infraconfig:
          type: fromEnvs
          envs:
            ...<variables for using the external ClickHouse DBMS>
  In this section you must specify the following variables:
  - EXT_CLICKHOUSE_PROTOCOL is the protocol for connection to the external ClickHouse DBMS.
  - EXT_CLICKHOUSE_HOST is the host for connection to the external ClickHouse DBMS.
  - EXT_CLICKHOUSE_PORT is the port for connection to the external ClickHouse DBMS.
  - EXT_CLICKHOUSE_DB_NAME is the name of the database prepared for use with Kaspersky Container Security.
  - EXT_CLICKHOUSE_COLD_STORAGE_NAME is the name of the disk on which ClickHouse stores data about incidents long-term.
  - EXT_CLICKHOUSE_STORAGE_POLICY_NAME is the name of the data storage policy according to which ClickHouse transfers data about incidents to the disk for long-term storage. If you use the same disk for short-term and long-term data storage, the EXT_CLICKHOUSE_COLD_STORAGE_NAME and EXT_CLICKHOUSE_STORAGE_POLICY_NAME values are not specified.
  - EXT_CLICKHOUSE_SSL_AUTH is the variable for SSL authorization of ClickHouse users. If the true value is specified, authorization is performed without passwords using client certificates. If TLS_INTERNAL is false, EXT_CLICKHOUSE_SSL_AUTH must also be false.
  - EXT_CLICKHOUSE_ROOT_CA_PATH is the path to the CA certificate, which is specified if the https protocol is used to connect to ClickHouse (EXT_CLICKHOUSE_PROTOCOL: https). You can specify the path in one of the following ways:
    - Put the ClickHouse CA certificate in the directory specified by the path. In this case, you must uncomment the secret.cert-kcs-clickhouse-ca block.
    - Use Vault to store certificate data. In this case, you must uncomment the cert-kcs-clickhouse-ca block in the vault.certificate section.
- Specify values of secrets for using the external ClickHouse DBMS:
      configmap:
        secret:
          infracreds:
            type: fromEnvs
            envs:
              ...<secrets for using the external ClickHouse DBMS>
  In this section you must specify the following:
  - EXT_CLICKHOUSE_WRITE_USER is the name of the user with write permissions created for use with Kaspersky Container Security.
  - CLICKHOUSE_WRITE_PASSWORD is the password of the user with write permissions created for use with Kaspersky Container Security.
  - EXT_CLICKHOUSE_READ_USER is the name of the user with read permissions created for use with Kaspersky Container Security.
  - CLICKHOUSE_READ_PASSWORD is the password of the user with read permissions created for use with Kaspersky Container Security.
  CLICKHOUSE_READ_PASSWORD and CLICKHOUSE_WRITE_PASSWORD are not used if EXT_CLICKHOUSE_SSL_AUTH is set to true.
Usernames and passwords can also be specified using the Vault secret storage.
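The variables in the infraconfig block and the secrets in the infracreds block depend on each other in several ways (the CA path is only needed for https, the cold disk and the storage policy go together, certificate authorization requires TLS_INTERNAL and makes the passwords unused). The following script is an added example, not part of Kaspersky's documentation or of the product, that checks those rules against the values you intend to put into values.yaml before you install. It assumes the two envs blocks are available as plain dictionaries and that TLS_INTERNAL is passed as a boolean; the host, port, disk and policy names in the sample settings are constructed placeholders.

```python
"""Consistency check for the external ClickHouse settings (added example).

Encodes only the rules stated in the documentation above; it does not talk
to ClickHouse or read values.yaml itself (assumption: the caller supplies
the envs blocks as dicts, e.g. after loading values.yaml with a YAML parser).
"""
from typing import Dict, List

REQUIRED_ENVS = ("EXT_CLICKHOUSE_PROTOCOL", "EXT_CLICKHOUSE_HOST",
                 "EXT_CLICKHOUSE_PORT", "EXT_CLICKHOUSE_DB_NAME")
REQUIRED_USERS = ("EXT_CLICKHOUSE_WRITE_USER", "EXT_CLICKHOUSE_READ_USER")
PASSWORDS = ("CLICKHOUSE_WRITE_PASSWORD", "CLICKHOUSE_READ_PASSWORD")


def _is_true(value: str) -> bool:
    return str(value).strip().lower() == "true"


def check_external_clickhouse(envs: Dict[str, str], secrets: Dict[str, str],
                              tls_internal: bool) -> List[str]:
    """Return the list of problems found; an empty list means consistent."""
    problems: List[str] = []

    for key in REQUIRED_ENVS:
        if not envs.get(key):
            problems.append(f"{key} is required")

    # CA certificate path is only required for https connections.
    proto = envs.get("EXT_CLICKHOUSE_PROTOCOL", "").strip().lower()
    if proto == "https" and not envs.get("EXT_CLICKHOUSE_ROOT_CA_PATH"):
        problems.append("EXT_CLICKHOUSE_ROOT_CA_PATH is required when "
                        "EXT_CLICKHOUSE_PROTOCOL is https")

    # Cold disk and storage policy: both set (separate disks) or both omitted.
    cold = envs.get("EXT_CLICKHOUSE_COLD_STORAGE_NAME")
    policy = envs.get("EXT_CLICKHOUSE_STORAGE_POLICY_NAME")
    if bool(cold) != bool(policy):
        problems.append("EXT_CLICKHOUSE_COLD_STORAGE_NAME and "
                        "EXT_CLICKHOUSE_STORAGE_POLICY_NAME must be set together "
                        "or both omitted")

    # Certificate authorization is only allowed when TLS_INTERNAL is enabled.
    ssl_auth = _is_true(envs.get("EXT_CLICKHOUSE_SSL_AUTH", "false"))
    if ssl_auth and not tls_internal:
        problems.append("EXT_CLICKHOUSE_SSL_AUTH must be false when TLS_INTERNAL is false")

    for key in REQUIRED_USERS:
        if not secrets.get(key):
            problems.append(f"{key} is required")

    if ssl_auth:
        # Passwords are not used with certificate auth; an unused credential
        # that is still stored is only something that can leak, so flag it.
        for key in PASSWORDS:
            if secrets.get(key):
                problems.append(f"{key} is not used when EXT_CLICKHOUSE_SSL_AUTH "
                                "is true; remove it")
    else:
        for key in PASSWORDS:
            if not secrets.get(key):
                problems.append(f"{key} is required when EXT_CLICKHOUSE_SSL_AUTH is false")

    return problems


# Constructed sample settings (placeholder host, disk and policy names).
BASE_ENVS = {
    "EXT_CLICKHOUSE_PROTOCOL": "https",
    "EXT_CLICKHOUSE_HOST": "clickhouse.example.internal",
    "EXT_CLICKHOUSE_PORT": "8443",
    "EXT_CLICKHOUSE_DB_NAME": "kcs",
    "EXT_CLICKHOUSE_COLD_STORAGE_NAME": "cold",
    "EXT_CLICKHOUSE_STORAGE_POLICY_NAME": "kcs_policy",
    "EXT_CLICKHOUSE_SSL_AUTH": "false",
    "EXT_CLICKHOUSE_ROOT_CA_PATH": "/certs/clickhouse-ca.crt",
}
USERS = {"EXT_CLICKHOUSE_WRITE_USER": "kcs_writer",
         "EXT_CLICKHOUSE_READ_USER": "kcs_reader"}
PASSWORD_SECRETS = {**USERS, "CLICKHOUSE_WRITE_PASSWORD": "constructed-w",
                    "CLICKHOUSE_READ_PASSWORD": "constructed-r"}

PASSWORD_SETUP = dict(envs=BASE_ENVS, secrets=PASSWORD_SECRETS, tls_internal=True)
CERT_SETUP = dict(envs={**BASE_ENVS, "EXT_CLICKHOUSE_SSL_AUTH": "true"},
                  secrets=USERS, tls_internal=True)
# Broken: certificate auth without TLS_INTERNAL, https without CA path,
# cold disk without a policy, and passwords left in place.
BROKEN_SETUP = dict(
    envs={**BASE_ENVS, "EXT_CLICKHOUSE_SSL_AUTH": "true",
          "EXT_CLICKHOUSE_ROOT_CA_PATH": "",
          "EXT_CLICKHOUSE_STORAGE_POLICY_NAME": ""},
    secrets=PASSWORD_SECRETS, tls_internal=False)

if __name__ == "__main__":
    for name, setup in (("password", PASSWORD_SETUP), ("certificate", CERT_SETUP),
                        ("broken", BROKEN_SETUP)):
        print(name, check_external_clickhouse(**setup) or "OK")
```

Run the script as is to see the three sample outcomes, or call check_external_clickhouse with your own dictionaries; a non-empty list is the set of values to correct before you run the installation.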