Kaspersky Container Security

Connecting to external data storage resources

In addition to the Kaspersky Container Security components included in the distribution kit, the solution can also work with the following external data storage resources:

  • PostgreSQL database
  • ClickHouse DBMS
  • MinIO S3-compatible file storage

Connections to external data storage resources are configured in the values.yaml configuration file.

In this section

Creating a user for an external PostgreSQL database

Using external ClickHouse DBMS

Configuring the MinIO external storage settings


Creating a user for an external PostgreSQL database

For Kaspersky Container Security, you can use the PostgreSQL databases included in the solution or your own PostgreSQL databases. To use an external PostgreSQL database, which does not yet contain the Kaspersky Container Security schema, you must create a separate user. You do this by installing the Helm Chart package with the schema parameters for the external PostgreSQL database specified.

To create a user with a custom schema for an external PostgreSQL database:

  1. Run the following command to create a separate namespace for the external PostgreSQL database:

    kubectl create ns kcspg

    where kcspg is the namespace for the external PostgreSQL database.

  2. To deploy an external PostgreSQL database:
    1. Specify the parameters for deploying the external PostgreSQL database in the pg.yaml configuration file.

      Parameters for deploying the external PostgreSQL database

      apiVersion: apps/v1
      kind: Deployment
      metadata:
        annotations:
          deployment.kubernetes.io/revision: "1"
        labels:
          app: postgres
          component: postgres
        name: postgres
        namespace: kcspg
      spec:
        replicas: 1
        selector:
          matchLabels:
            app: postgres
            component: postgres
        strategy:
          type: Recreate
        template:
          metadata:
            creationTimestamp: null
            labels:
              app: postgres
              component: postgres
          spec:
            containers:
            - name: postgres
              image: postgres:13-alpine
              ports:
              - containerPort: 5432
              env:
              - name: POSTGRES_DB
                value: api
              - name: POSTGRES_USER
                value: postgres
              - name: POSTGRES_PASSWORD
                value: postgres
              volumeMounts:
              - mountPath: "/var/lib/postgresql/data"
                name: "pgdata"
            imagePullSecrets:
            - name: ci-creds
            volumes:
            - hostPath:
                path: "/home/docker/pgdata"
              name: pgdata

      The parameters specify the password of the database. You must then specify this password in the infraconfig section of the values.yaml configuration file, which is part of the Helm Chart package included in the distribution kit of the solution.

    2. Run the following command:

      kubectl apply -f pg.yaml -n kcspg

    The name of this external database is formed as follows:

    <pod_name>.<namespace name>.<service>.cluster.local

    For example, postgres.kcspg.svc.cluster.local

  3. To deploy a Service object in a cluster:
    1. Specify the Service object deployment parameters in the svc.yaml configuration file.

      Parameters for deploying the Service object in a cluster

      apiVersion: v1
      kind: Service
      metadata:
        name: postgres
      spec:
        type: ClusterIP
        selector:
          component: postgres
        ports:
        - port: 5432
          targetPort: 5432

    2. Run the following command:

      kubectl apply -f svc.yaml -n kcspg

  4. To create a user, a schema, and a user-schema relation:
    1. Log in to the postgres pod deployed at step 2b.
    2. Start the psql interactive terminal:

      psql -h localhost -U postgres -d api

    3. Run the following commands:

      CREATE ROLE kks LOGIN PASSWORD 'kks' NOINHERIT CREATEDB;
      CREATE SCHEMA kks AUTHORIZATION kks;
      GRANT USAGE ON SCHEMA kks TO PUBLIC;

  5. In the values.yaml configuration file, specify the parameters required to use an external PostgreSQL database.

    Parameters in the values.yaml file

    default:
      postgresql:
        external: true
    configmap:
      infraconfig:
        type: fromEnvs
        envs:
          POSTGRES_HOST: postgres.kcspg.svc.cluster.local
          POSTGRES_PORT: 5432
          POSTGRES_DB_NAME: api
    secret:
      infracreds:
        type: fromEnvs
        envs:
          POSTGRES_USER: kks
          POSTGRES_PASSWORD: kks

    The values of the parameters specified in values.yaml must match the values of the corresponding parameters in the pg.yaml and svc.yaml configuration files.

  6. Start a solution update.

    Example of commands to create a user with an external PostgreSQL database

    export KUBECONFIG=/root/.kube/config
    export CHART_URL=repo.kcs.kaspersky.com
    export CHART_USERNAME=<CHART_USERNAME>
    export CHART_PASSWORD=<CHART_PASSWORD>
    export VERSION=2.0.0
    export KCS_HOSTNAME=kcs.apps.aws.ext.company.com
    export IMAGE_URL=company.gitlab.examplecloud.com:5050
    export IMAGE_USERNAME=<repo_user>
    export IMAGE_PASSWORD=<repo_pass>
    cd /tmp
    helm registry login --username $IMAGE_USERNAME --password $IMAGE_PASSWORD company.gitlab.examplecloud.com:5050/company/kcs/chart
    helm pull oci://company.gitlab.examplecloud.com:5050/company/kcs/chart/kcs --version $VERSION
    tar -xf kcs*.tgz -C /tmp
    cp -rf /tmp/values.yaml /tmp/kcs
    cd /tmp/kcs
    helm upgrade --install kcs-release --create-namespace --namespace kcs --values values.yaml --version $VERSION --timeout 30m --wait --debug .
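Before starting the update it is worth confirming that pg.yaml, svc.yaml and values.yaml actually agree. The script below is an added example, not part of the Kaspersky Container Security distribution kit: it assumes the three files were loaded with PyYAML's yaml.safe_load and embeds the dicts that loader returns for the manifests above as constructed input; service_dns_name and check_postgres_settings are the example's own names.

```python
# Added example, not code from the Kaspersky Container Security chart: cross-checks
# the PostgreSQL settings in values.yaml against pg.yaml and svc.yaml. In practice
# the dicts come from yaml.safe_load; here they are embedded (constructed input).

def service_dns_name(service: dict, namespace: str) -> str:
    """In-cluster DNS name of a Service: <service>.<namespace>.svc.cluster.local."""
    return f"{service['metadata']['name']}.{namespace}.svc.cluster.local"

def check_postgres_settings(values: dict, deployment: dict, service: dict) -> list:
    """Return the mismatches found; an empty list means the three files agree."""
    problems = []
    envs = values["configmap"]["infraconfig"]["envs"]
    creds = values["secret"]["infracreds"]["envs"]
    ns = deployment["metadata"]["namespace"]
    # Host: the Service name resolved in the Deployment's namespace.
    expected = service_dns_name(service, ns)
    if envs["POSTGRES_HOST"] != expected:
        problems.append(f"POSTGRES_HOST {envs['POSTGRES_HOST']!r} != {expected!r}")
    # Port: the Service port, which in turn must target a port the container exposes.
    svc_port = service["spec"]["ports"][0]
    if int(envs["POSTGRES_PORT"]) != int(svc_port["port"]):
        problems.append("POSTGRES_PORT does not match the Service port")
    containers = deployment["spec"]["template"]["spec"]["containers"]
    exposed = {p["containerPort"] for c in containers for p in c.get("ports", [])}
    if int(svc_port["targetPort"]) not in exposed:
        problems.append("Service targetPort is not exposed by any container")
    # Selector: the Service must actually select the Deployment's pods.
    labels = deployment["spec"]["template"]["metadata"]["labels"]
    if any(labels.get(k) != v for k, v in service["spec"]["selector"].items()):
        problems.append("Service selector does not match the pod template labels")
    # Database: the one POSTGRES_DB creates inside the container.
    pg = next(c for c in containers if c["name"] == "postgres")
    pg_env = {e["name"]: e["value"] for e in pg.get("env", [])}
    if envs["POSTGRES_DB_NAME"] != pg_env["POSTGRES_DB"]:
        problems.append("POSTGRES_DB_NAME does not match POSTGRES_DB in pg.yaml")
    # Credentials: the dedicated role from CREATE ROLE, never the container superuser.
    if creds["POSTGRES_USER"] == pg_env["POSTGRES_USER"]:
        problems.append("values.yaml uses the pg.yaml superuser instead of a dedicated role")
    return problems

# Constructed: the parts of pg.yaml, svc.yaml and values.yaml shown above.
PG_YAML = {"metadata": {"namespace": "kcspg"}, "spec": {"template": {
    "metadata": {"labels": {"app": "postgres", "component": "postgres"}},
    "spec": {"containers": [{"name": "postgres", "ports": [{"containerPort": 5432}],
                             "env": [{"name": "POSTGRES_DB", "value": "api"},
                                     {"name": "POSTGRES_USER", "value": "postgres"},
                                     {"name": "POSTGRES_PASSWORD", "value": "postgres"}]}]}}}}
SVC_YAML = {"metadata": {"name": "postgres"}, "spec": {"type": "ClusterIP",
            "selector": {"component": "postgres"}, "ports": [{"port": 5432, "targetPort": 5432}]}}
VALUES_YAML = {"default": {"postgresql": {"external": True}},
               "configmap": {"infraconfig": {"type": "fromEnvs", "envs": {
                   "POSTGRES_HOST": "postgres.kcspg.svc.cluster.local",
                   "POSTGRES_PORT": 5432, "POSTGRES_DB_NAME": "api"}}},
               "secret": {"infracreds": {"type": "fromEnvs", "envs": {
                   "POSTGRES_USER": "kks", "POSTGRES_PASSWORD": "kks"}}}}
```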


Using external ClickHouse DBMS

In addition to the ClickHouse DBMS that is a component of Kaspersky Container Security and is included in the distribution kit, the solution can also work with an external ClickHouse DBMS. To do this, you must create a database for Kaspersky Container Security and configure the external ClickHouse DBMS settings, as described in the following sections.

Kaspersky Container Security works with ClickHouse 22.6 or later.


Creating a database for Kaspersky Container Security

To create a database for Kaspersky Container Security, run the following command in ClickHouse on your workstation:

CREATE DATABASE IF NOT EXISTS kcs

where kcs is the name of the database for Kaspersky Container Security.

To configure the settings of the created database for Kaspersky Container Security:

  1. Add users and define their authorization method. To do this, you must do the following:
    1. Add the following users:
      • a user with rights to read data received by the Kaspersky Container Security core (reader):

        <roles>
            <kcs_reader_role>
                <grants>
                    <query>GRANT SELECT ON kcs.*</query>
                </grants>
            </kcs_reader_role>
        </roles>

      • a user with rights to write data from external agent requests (writer):

        <roles>
            <kcs_writer_role>
                <grants>
                    <query>GRANT CREATE TABLE, INSERT, ALTER, UPDATE ON kcs.*</query>
                    <query>GRANT SELECT (source_ip, source_port, source_alias, dest_ip, dest_port, dest_alias, protocol, severity, action, event_time, count, type) ON kcs.node_agent_events</query>
                </grants>
            </kcs_writer_role>
        </roles>

    2. Specify the user authorization method: with a password or with a certificate.

      Example of configuring users with password authentication

      <clickhouse>
          ...
          <kcsuser-write>
              <password>*********</password>
              <networks>
                  <!-- ::/0 accepts logins from any address; narrow it to the cluster's ranges where possible -->
                  <ip>::/0</ip>
              </networks>
              ...
              <grants>
                  <query>GRANT kcs_writer_role</query>
              </grants>
          </kcsuser-write>
          <kcsuser-read>
              <password>*********</password>
              <networks>
                  <ip>::/0</ip>
              </networks>
              ...
              <grants>
                  <query>GRANT kcs_reader_role</query>
              </grants>
          </kcsuser-read>
          ...
          <roles>
              <kcs_reader_role>
                  <grants>
                      <query>GRANT SELECT ON kcs.*</query>
                  </grants>
              </kcs_reader_role>
              <kcs_writer_role>
                  <grants>
                      <query>GRANT CREATE TABLE, INSERT, ALTER, UPDATE ON kcs.*</query>
                      <query>GRANT SELECT (source_ip, source_port, source_alias, dest_ip, dest_port, dest_alias, protocol, severity, action, event_time, count, type) ON kcs.node_agent_events</query>
                  </grants>
              </kcs_writer_role>
              ...
          </roles>
          ...
      </clickhouse>

      Example of configuring users with certificate authentication

      <clickhouse>
          ...
          <kcsuser-write>
              <ssl_certificates>
                  <common_name>kcsuser-write</common_name>
              </ssl_certificates>
              <networks>
                  <ip>::/0</ip>
              </networks>
              ...
              <grants>
                  <query>GRANT kcs_writer_role</query>
              </grants>
          </kcsuser-write>
          <kcsuser-read>
              <ssl_certificates>
                  <common_name>kcsuser-read</common_name>
              </ssl_certificates>
              <networks>
                  <ip>::/0</ip>
              </networks>
              ...
              <grants>
                  <query>GRANT kcs_reader_role</query>
              </grants>
          </kcsuser-read>
          ...
          <roles>
              <kcs_reader_role>
                  <grants>
                      <query>GRANT SELECT ON kcs.*</query>
                  </grants>
              </kcs_reader_role>
              <kcs_writer_role>
                  <grants>
                      <query>GRANT CREATE TABLE, INSERT, ALTER, UPDATE ON kcs.*</query>
                      <query>GRANT SELECT (source_ip, source_port, source_alias, dest_ip, dest_port, dest_alias, protocol, severity, action, event_time, count, type) ON kcs.node_agent_events</query>
                  </grants>
              </kcs_writer_role>
              ...
          </roles>
          ...
      </clickhouse>

  2. Specify disks for short-term and long-term data storage. When working with ClickHouse, Kaspersky Container Security can store large amounts of data with different retention periods. By default, most events are stored for a maximum of 30 minutes, whereas information about incidents is stored for up to 90 days. Since event recording requires considerable resources to sustain a high write rate and adequate disk space, it is recommended to use different disks for short-term and long-term data storage.

    Example of configuring data storage settings

    <clickhouse>
        ...
        <storage_configuration>
            <disks>
                <kcs_disk_hot>
                    <path>/etc/clickhouse/hot/</path>
                </kcs_disk_hot>
                <kcs_disk_cold>
                    <path>/etc/clickhouse/cold/</path>
                </kcs_disk_cold>
            </disks>
            <policies>
                <kcs_default>
                    <volumes>
                        <default>
                            <disk>kcs_disk_hot</disk>
                        </default>
                        <cold>
                            <disk>kcs_disk_cold</disk>
                        </cold>
                    </volumes>
                </kcs_default>
            </policies>
        </storage_configuration>
        ...
    </clickhouse>


Configuring the external ClickHouse DBMS settings

To configure the Kaspersky Container Security settings to use the external ClickHouse DBMS:

  1. In the values.yaml configuration file, specify that the solution uses the external ClickHouse DBMS:

    default:
      kcs-clickhouse:
        external: true

  2. Specify the variables for using the external ClickHouse DBMS:

    configmap:
      infraconfig:
        type: fromEnvs
        envs:
          ...<variables for using the external ClickHouse DBMS>

    In this section you must specify the following variables:

    • EXT_CLICKHOUSE_PROTOCOL is the protocol used to connect to the external ClickHouse DBMS.
    • EXT_CLICKHOUSE_HOST is the host used to connect to the external ClickHouse DBMS.
    • EXT_CLICKHOUSE_PORT is the port used to connect to the external ClickHouse DBMS.
    • EXT_CLICKHOUSE_DB_NAME is the name of the database prepared for use with Kaspersky Container Security.
    • EXT_CLICKHOUSE_COLD_STORAGE_NAME is the name of the disk on which ClickHouse stores incident data for the long term.
    • EXT_CLICKHOUSE_STORAGE_POLICY_NAME is the name of the storage policy according to which ClickHouse moves incident data to the long-term storage disk.

      If you use the same disk for short-term and long-term data storage, do not specify EXT_CLICKHOUSE_COLD_STORAGE_NAME and EXT_CLICKHOUSE_STORAGE_POLICY_NAME.

    • EXT_CLICKHOUSE_SSL_AUTH enables SSL authentication of ClickHouse users. If set to true, users are authenticated with client certificates instead of passwords.

      If TLS_INTERNAL is false, EXT_CLICKHOUSE_SSL_AUTH must also be false.

    • EXT_CLICKHOUSE_ROOT_CA_PATH is the path to the CA certificate; specify it if the https protocol is used to connect to ClickHouse (EXT_CLICKHOUSE_PROTOCOL: https). You can provide the certificate in one of the following ways:
      • Put the ClickHouse CA certificate in the directory specified by the path. In this case, you must uncomment the secret.cert-kcs-clickhouse-ca block.
      • Use Vault to store the certificate data. In this case, you must uncomment the cert-kcs-clickhouse-ca block in the vault.certificate section.
  3. Specify the values of the secrets for using the external ClickHouse DBMS:

    secret:
      infracreds:
        type: fromEnvs
        envs:
          ...<secrets for using the external ClickHouse DBMS>

    In this section you must specify the following:

    • EXT_CLICKHOUSE_WRITE_USER is the name of the user with write permissions created for use with Kaspersky Container Security.
    • CLICKHOUSE_WRITE_PASSWORD is the password of the user with write permissions created for use with Kaspersky Container Security.
    • EXT_CLICKHOUSE_READ_USER is the name of the user with read permissions created for use with Kaspersky Container Security.
    • CLICKHOUSE_READ_PASSWORD is the password of the user with read permissions created for use with Kaspersky Container Security.

      CLICKHOUSE_READ_PASSWORD and CLICKHOUSE_WRITE_PASSWORD are not used if EXT_CLICKHOUSE_SSL_AUTH is set to true.

    Usernames and passwords can also be specified using the Vault secret storage.

    Example of configuring the external ClickHouse DBMS settings

    kcs-clickhouse:
      external: true
      persistent: true
    ...
    configmap:
      infraconfig:
        type: fromEnvs
        envs:
          ...
          EXT_CLICKHOUSE_PROTOCOL: https
          EXT_CLICKHOUSE_HOST: clickhouse.ns.svc.cluster.local
          EXT_CLICKHOUSE_PORT: 8443
          EXT_CLICKHOUSE_DB_NAME: kcs
          EXT_CLICKHOUSE_COLD_STORAGE_NAME: cold
          EXT_CLICKHOUSE_STORAGE_POLICY_NAME: kcs_default
          EXT_CLICKHOUSE_SSL_AUTH: false
          EXT_CLICKHOUSE_ROOT_CA_PATH: /etc/ssl/certs/kcs-clickhouse-ca.crt
          ...
    secret:
      ...
      infracreds:
        type: fromEnvs
        envs:
          ...
          EXT_CLICKHOUSE_WRITE_USER: kcsuser-write
          EXT_CLICKHOUSE_READ_USER: kcsuser-read
          CLICKHOUSE_WRITE_PASSWORD: **************
          CLICKHOUSE_READ_PASSWORD: ***********
          ...

    When using Vault:

    vault:
      ...
      secret:
        type: managedByVault
        ...
        EXT_CLICKHOUSE_WRITE_USER: kv/secret/kcs/clickhouse@EXT_CLICKHOUSE_WRITE_USER
        EXT_CLICKHOUSE_READ_USER: kv/secret/kcs/clickhouse@EXT_CLICKHOUSE_READ_USER
        CLICKHOUSE_WRITE_PASSWORD: kv/secret/kcs/clickhouse@CLICKHOUSE_WRITE_PASSWORD
        CLICKHOUSE_READ_PASSWORD: kv/secret/kcs/clickhouse@CLICKHOUSE_READ_PASSWORD
        ...


Configuring the MinIO external storage settings

To configure the Kaspersky Container Security settings to use the external S3-compatible MinIO file storage:

  1. In the values.yaml configuration file, specify that the solution uses external MinIO file storage:

    default:
      kcs-s3:
        external: true

  2. Specify the variable values for using MinIO:

    configmap:
      infraconfig:
        type: fromEnvs
        envs:
          ...<variables for using the external MinIO file storage>

    In this section you must specify the following variables:

    • MINIO_HOST is the host used to connect to MinIO.
    • MINIO_PORT is the port used to connect to MinIO.
    • MINIO_BUCKET_NAME is the name of the MinIO bucket allocated for Kaspersky Container Security data.
    • MINIO_SSL enables an SSL connection to MinIO (including use of the https protocol).

      If TLS_INTERNAL is false, MINIO_SSL must also be false.

    • MINIO_ROOT_CA_PATH is the path to the CA certificate; specify it if the https protocol is used to connect to MinIO (MINIO_SSL: true). You can provide the certificate in one of the following ways:
      • Put the MinIO CA certificate in the directory specified by the path. In this case, you must uncomment the secret.cert-minio-ca block.
      • Use Vault to store the certificate data. In this case, you must uncomment the cert-minio-ca block in the vault.certificate section.
  3. Specify the values of the secrets for using the external MinIO file storage:

    secret:
      infracreds:
        type: fromEnvs
        envs:
          ...<secrets for using the external MinIO file storage>

    In this section you must specify the following:

    • MINIO_ROOT_USER is the name of the MinIO user specified for Kaspersky Container Security.
    • MINIO_ROOT_PASSWORD is the password of the MinIO user specified for Kaspersky Container Security.

    Usernames and passwords can also be specified using the Vault secret storage.

    Example of configuring the MinIO external file storage settings

    kcs-s3:
      enabled: true
      external: true
    ...
    configmap:
      infraconfig:
        type: fromEnvs
        envs:
          ...
          MINIO_HOST: kcs-s3
          MINIO_PORT: 9000
          MINIO_BUCKET_NAME: reports
          MINIO_SSL: true
          MINIO_ROOT_CA_PATH: /etc/ssl/certs/minio-ca.crt
          ...
    secret:
      ...
      infracreds:
        type: fromEnvs
        envs:
          ...
          MINIO_ROOT_USER: kcs_user
          MINIO_ROOT_PASSWORD: ********
          ...

    When using Vault:

    vault:
      ...
      secret:
        type: managedByVault
        ...
        MINIO_ROOT_USER: kv/test/minio@MINIO_ROOT_USER
        MINIO_ROOT_PASSWORD: kv/test/minio@MINIO_ROOT_PASSWORD
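The rules stated for the external ClickHouse variables and for the MinIO variables above (TLS_INTERNAL, certificate authentication, the cold disk and storage policy pair, CA paths, passwords) can be checked before the Helm upgrade. The script below is an added example, not part of the Kaspersky Container Security distribution kit: it assumes TLS_INTERNAL is set in the same infraconfig envs map as the other variables, the function names are its own, and the embedded inputs are the envs maps from the two examples above with placeholder passwords.

```python
# Added example, not code from the Kaspersky Container Security chart: a pre-flight
# check of the external ClickHouse and MinIO settings in values.yaml, encoding the
# rules stated in the sections above. Assumes TLS_INTERNAL sits in the same envs map.

def is_true(value) -> bool:
    """Accept YAML booleans and their quoted string forms ("true", "True")."""
    return value is True or str(value).strip().lower() == "true"

def missing(section: dict, keys) -> list:
    """List the keys that are absent or empty in a values.yaml envs map."""
    return [f"{k} is required" for k in keys if not section.get(k)]

def check_clickhouse(envs: dict, creds: dict) -> list:
    """Return the violations found in the external ClickHouse settings."""
    errors = missing(envs, ("EXT_CLICKHOUSE_PROTOCOL", "EXT_CLICKHOUSE_HOST",
                            "EXT_CLICKHOUSE_PORT", "EXT_CLICKHOUSE_DB_NAME"))
    errors += missing(creds, ("EXT_CLICKHOUSE_WRITE_USER", "EXT_CLICKHOUSE_READ_USER"))
    # Cold disk and storage policy are set together or omitted together (single disk).
    cold = envs.get("EXT_CLICKHOUSE_COLD_STORAGE_NAME")
    policy = envs.get("EXT_CLICKHOUSE_STORAGE_POLICY_NAME")
    if bool(cold) != bool(policy):
        errors.append("EXT_CLICKHOUSE_COLD_STORAGE_NAME and EXT_CLICKHOUSE_STORAGE_POLICY_NAME go together")
    ssl_auth = is_true(envs.get("EXT_CLICKHOUSE_SSL_AUTH", False))
    if ssl_auth and not is_true(envs.get("TLS_INTERNAL", False)):
        errors.append("EXT_CLICKHOUSE_SSL_AUTH: true requires TLS_INTERNAL: true")
    if str(envs.get("EXT_CLICKHOUSE_PROTOCOL", "")).lower() == "https":
        errors += missing(envs, ("EXT_CLICKHOUSE_ROOT_CA_PATH",))
    # Passwords are only consulted when certificate authentication is off.
    if not ssl_auth:
        errors += missing(creds, ("CLICKHOUSE_WRITE_PASSWORD", "CLICKHOUSE_READ_PASSWORD"))
    return errors

def check_minio(envs: dict, creds: dict) -> list:
    """Return the violations found in the external MinIO settings."""
    errors = missing(envs, ("MINIO_HOST", "MINIO_PORT", "MINIO_BUCKET_NAME"))
    errors += missing(creds, ("MINIO_ROOT_USER", "MINIO_ROOT_PASSWORD"))
    if is_true(envs.get("MINIO_SSL", False)):
        if not is_true(envs.get("TLS_INTERNAL", False)):
            errors.append("MINIO_SSL: true requires TLS_INTERNAL: true")
        errors += missing(envs, ("MINIO_ROOT_CA_PATH",))
    return errors

# Constructed inputs: the envs maps from the examples above as yaml.safe_load
# returns them, with TLS_INTERNAL added; the passwords are placeholders.
CH_ENVS = {"TLS_INTERNAL": True, "EXT_CLICKHOUSE_PROTOCOL": "https",
           "EXT_CLICKHOUSE_HOST": "clickhouse.ns.svc.cluster.local", "EXT_CLICKHOUSE_PORT": 8443,
           "EXT_CLICKHOUSE_DB_NAME": "kcs", "EXT_CLICKHOUSE_COLD_STORAGE_NAME": "cold",
           "EXT_CLICKHOUSE_STORAGE_POLICY_NAME": "kcs_default", "EXT_CLICKHOUSE_SSL_AUTH": False,
           "EXT_CLICKHOUSE_ROOT_CA_PATH": "/etc/ssl/certs/kcs-clickhouse-ca.crt"}
CH_CREDS = {"EXT_CLICKHOUSE_WRITE_USER": "kcsuser-write", "EXT_CLICKHOUSE_READ_USER": "kcsuser-read",
            "CLICKHOUSE_WRITE_PASSWORD": "<write-password>", "CLICKHOUSE_READ_PASSWORD": "<read-password>"}
MINIO_ENVS = {"TLS_INTERNAL": True, "MINIO_HOST": "kcs-s3", "MINIO_PORT": 9000, "MINIO_BUCKET_NAME": "reports",
              "MINIO_SSL": True, "MINIO_ROOT_CA_PATH": "/etc/ssl/certs/minio-ca.crt"}
MINIO_CREDS = {"MINIO_ROOT_USER": "kcs_user", "MINIO_ROOT_PASSWORD": "<minio-password>"}
```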
