Contents
Connecting to external data storage resources
In addition to the Kaspersky Container Security components included in the distribution kit, the solution can also work with the following external data storage resources:
- PostgreSQL database
- ClickHouse DBMS
- MinIO s3 compatible file storage
Configuration of settings for connection to external data storage resources is conducted by means of the values.yaml configuration file.
Creating a user for an external PostgreSQL database
For Kaspersky Container Security, you can use PostgreSQL databases included in the solution or your own PostgreSQL databases. To install an external PostgreSQL database that does not work with the Kaspersky Container Security schema, you must create a separate user. You can do this by installing the Helm Chart package with the schema parameters specified for the external PostgreSQL database.
To create a user with a custom schema for an external PostgreSQL database:
- Run the following command to create a separate namespace for the external PostgreSQL database:
kubectl create ns kcspg
where
kcspg
is the namespace for the external PostgreSQL database. - To deploy an external PostgreSQL database:
- Specify the parameters for deploying the external PostgreSQL database in the pg.yaml configuration file.
Parameters for deploying the external PostgreSQL database
The parameters specify the password of the database. You must then specify this password in the
infraconfig
section of the values.yaml configuration file, which is part of the Helm Chart package included in the distribution kit of the solution. - Run the following command:
kubectl apply -f pg.yaml -n kcspg
The name of this external database is formed as follows:
<
pod_name
>.<
namespace name
>.<
service
>.cluster.local
For example,
postgres.kcspg.svc.cluster.local
- Specify the parameters for deploying the external PostgreSQL database in the pg.yaml configuration file.
- To deploy a Service object in a cluster:
- Specify the Service object deployment parameters in the svc.yaml configuration file.
- Run the following command:
kubectl apply -f svc.yaml -n kcspg
- To create a user, a schema, and a user-schema relation:
- Using the postgres element expanded at step 2b, log in to the pod.
- Start the psql interactive terminal:
psql -h localhost -U postgres -d api
- Run the following commands:
CREATE ROLE kks LOGIN PASSWORD 'kks' NOINHERIT CREATEDB;
CREATE SCHEMA kks AUTHORIZATION kks;
GRANT USAGE ON SCHEMA kks TO PUBLIC;
- In the values.yaml configuration file, specify the necessary parameters to use an external PostgreSQL database.
Parameters in the values.yaml file
The values of the parameters specified in values.yaml must match the values of corresponding parameters in the pg.yaml and svc.yaml configuration files.
- Start a solution update.
Example of commands to create a user with an external PostgreSQL database
Using external ClickHouse DBMS
In addition to the ClickHouse DBMS, which is a component of Kaspersky Container Security and is included in the distribution kit, the solution can also work with the resources of the external ClickHouse DBMS. To do this, you must do the following:
- Create a database for Kaspersky Container Security, add and configure users, and define a disk policy if different disks are used for long-term and short-term data storage.
- Specify the required variables in the values.yaml configuration file for the external ClickHouse DBMS.
Kaspersky Container Security works with ClickHouse 22.6 or later.
Page topCreating a database for Kaspersky Container Security
To create a database for Kaspersky Container Security,
In ClickHouse on your workstation, run the following command:
CREATE DATABASE IF NOT EXISTS kcs
where kcs
is the name of the database for Kaspersky Container Security.
To configure the settings of the created database for Kaspersky Container Security:
- Add users and define their authorization method. To do this, you must do the following:
- Add the following users:
- a user with rights to read data received by the Kaspersky Container Security core (reader).
<roles>
<kcs_reader_role>
<grants>
<query>GRANT SELECT ON kcs.*</query>
</grants>
</kcs_reader_role>
- a user with rights to write data from external agent requests (writer).
<roles>
<kcs_writer_role>
<grants>
<query>GRANT CREATE TABLE, INSERT, ALTER, UPDATE ON kcs.*</query>
<query>GRANT SELECT (source_ip, source_port, source_alias, dest_ip, dest_port, dest_alias, protocol, severity, action, event_time, count, type) ON kcs.node_agent_events</query>
</grants>
</kcs_writer_role>
- a user with rights to read data received by the Kaspersky Container Security core (reader).
- Specify the user authorization method: with a password or with a certificate.
Example of configuring users with password authentication
Example of configuring users with certificate authentication
- Add the following users:
- Specify disks for short-term and long-term data storage. When working with ClickHouse, Kaspersky Container Security can store large amounts of data with various retention periods. By default, the major part of events is stored for a maximum of 30 minutes, whereas information about incidents is stored for up to 90 days. Since event recording requires a considerable resources to ensure high recording speed and disk space provision, it is recommended to use different disks for short-term and long-term data storage.
Configuring the external ClickHouse DBMS settings
To configure the Kaspersky Container Security settings to use the external ClickHouse DBMS:
- In the values.yaml configuration file, specify that the solution uses the external ClickHouse DBMS:
default:
kcs-clickhouse:
external: true
- Specify the variables for using the external ClickHouse DBMS:
configmap:
infraconfig:
type: fromEnvs
envs:
...<
ariables for using the external ClickHouse DBMS
>
In this section you must specify the following variables:
EXT_CLICKHOUSE_PROTOCOL
is the protocol for connection to the external ClickHouse DBMS.EXT_CLICKHOUSE_HOST
is the host for connection to the external ClickHouse DBMS.EXT_CLICKHOUSE_PORT
is the port for connection to the external ClickHouse DBMS.EXT_CLICKHOUSE_DB_NAME
is the name of the database prepared for using with Kaspersky Container Security.EXT_CLICKHOUSE_COLD_STORAGE_NAME
is the name of the disk, where ClickHouse will long term store data about incidents.EXT_CLICKHOUSE_STORAGE_POLICY_NAME
is the name of the data storage policy according to which ClickHouse will transfer the data about incidents to the disk for long-term storage.If you use the same disk for short-term and long-term data storage,
the EXT_CLICKHOUSE_COLD_STORAGE_NAME
andEXT_CLICKHOUSE_STORAGE_POLICY_NAME
values are not specified.EXT_CLICKHOUSE_SSL_AUTH
is the variable for SSL authorization of ClickHouse users. If thetrue
value is specified, authorization is performed without passwords using client certificates.If
TLS_INTERNAL
isfalse
,EXT_CLICKHOUSE_SSL_AUTH
must also befalse
.EXT_CLICKHOUSE_ROOT_CA_PATH
is the path to the CA certificate, which is specified if the https protocol is used to connect to ClickHouse (EXT_CLICKHOUSE_PROTOCOL: https
). You can specify the path in one of the following ways:- Put the ClickHouse CA certificate in the directory specified by the path. In this case, you must uncomment
the secret.cert-kcs-clickhouse-ca
block. - Use Vault to store certificate data. In this case, you must uncomment the
cert-kcs-clickhouse-ca
block in thevault.certificate
section.
- Put the ClickHouse CA certificate in the directory specified by the path. In this case, you must uncomment
- Specify values of secrets for using the external ClickHouse DBMS:
configmap:
secret:
infracreds:
type: fromEnvs
envs:
...<
secrets for using the external ClickHouse DBMS
>
In this section you must specify the following:
EXT_CLICKHOUSE_WRITE_USER
is the name of a user with permissions to write created for using with Kaspersky Container Security.CLICKHOUSE_WRITE_PASSWORD
is the password of a user with permissions to write created for using with Kaspersky Container Security.EXT_CLICKHOUSE_READ_USER
is the name of a user with read rights prepared for use with Kaspersky Container Security.CLICKHOUSE_READ_PASSWORD
is the password of a user with permissions to read created for using with Kaspersky Container Security.CLICKHOUSE_READ_PASSWORD
andCLICKHOUSE_WRITE_PASSWORD
are not used ifEXT_CLICKHOUSE_SSL_AUTH
is set totrue
.
Usernames and passwords can also be specified using the Vault secret storage.
Example of configuring the external ClickHouse DBMS settings
Configuring the MinIO external storage settings
To configure the Kaspersky Container Security settings to use the external S3-compatible MinIO file storage:
- In the values.yaml configuration file, specify that the solution uses external MinIO file storage:
default:
kcs-s3:
external: true
- Specify variable values for using MinIO:
configmap:
infraconfig:
type: fromEnvs
envs:
...
variables for using the external MinIO file storage
>
In this section you must specify the following variables:
MINIO_HOST
is the host to connect to MinIO.MINIO_PORT
is the port to connect to MinIO.MINIO_BUCKET_NAME
is the name of the section in MinIO allocated for Kaspersky Container Security data.MINIO_SSL
is the variable for ssl connection to MinIO (including using the https protocol).If
TLS_INTERNAL
isfalse
,MINIO_SSL
must also befalse
.MINIO_ROOT_CA_PATH
is the path to the CA certificate, which is specified if the https protocol is used to connect to MinIO (MINIO_SSL: true
). You can specify the path in one of the following ways:- Put the MinIO CA certificate in the directory specified by the path. In this case, you must uncomment the
secret.cert-minio-ca
block. - Use Vault to store certificate data. In this case, you must uncomment the
cert-minio-ca
block in thevault.certificate
section.
- Put the MinIO CA certificate in the directory specified by the path. In this case, you must uncomment the
- Specify values of secrets for using the external MinIO file storage:
configmap:
secret:
infracreds:
type: fromEnvs
envs:
...<
secrets for using the external MinIO file storage
>
In this section you must specify the following:
MINIO_ROOT_USER
is the name of the MinIO user specified for Kaspersky Container Security.MINIO_ROOT_PASSWORD
is the password of the MinIO user user specified for Kaspersky Container Security.
Usernames and passwords can also be specified using the Vault secret storage.
Example of configuring the MinIO external file storage settings