[Topic 263612]

Kaspersky Container Security 1.1 Help

Page top

[Topic 258853]

About the Kaspersky Container Security platform

Kaspersky Container Security (hereinafter referred to as the solution) allows you to discover security problems and ensures protection throughout the container application lifecycle, from development and deployment control to runtime.

Solution functionalities:

• Integration with image registries (Docker Hub, JFrog Artifactory, Sonatype Nexus Repository OSS, GitLab Registry, Harbor) to scan images in the registry for known vulnerabilities published by the NVD and VDB (DSTD), secrets (passwords, access keys, tokens), misconfigurations, and malware.
• Integration into the continuous integration / continuous delivery (CI/CD) process as a pipeline stage, as well as scanning IaC for misconfigurations and container images for vulnerabilities, malware, and sensitive data (secrets).
• Checking of cluster nodes for compliance with industry information security benchmarks.
• Monitoring compliance with the configured security policies while building and operating the applications, including monitoring container runs in the runtime.
• Monitoring of resources used by the controlled clusters.

You can configure and access the functionalities of Kaspersky Container Security through the Management Console. The console is implemented as a web interface which can be accessed through the Chromium (Google Chrome, Microsoft Edge, Apple Safari) or Mozilla Firefox browsers.

[Topic 263672]

What's new

Kaspersky Container Security 1.1 offers the following new features and improvements:

• Support for detected malicious objects with different severity levels. The solution allows you to accept risks for non-critical objects.
• Ability to generate reports on detected vulnerabilities, security events, and compliance with applicable policies. The solution can generate the following types of reports:
  • Images summary report.
  • Images detailed report.
  • Accepted risks report.

  Depending on report type, reports are created and generated in different parts of the solution, including the CI/CD section. Generated reports are available for viewing and downloading in several formats in a new section of the main menu: Administration → Reports.

• Optimization of the load on CI agents when integrating with the CI pipeline. The new version of the product offers two CI schemes:
  • Using the resources of the CI agent.
  • Without using the resources of the CI agent. In this scheme, the scanner starts in the CI pipeline and reads and sends a SBOM to the installed solution. This SBOM file is parsed by the available scanners, and the scan result is then returned to the CI system.
• Support the running of scanners when there is a proxy between an image registry and the installed solution.
• Different application scopes control user access to orchestrator resources and image registries, which are monitored by the solution. This also allows for the application of various security policies on these resources and registries.
• Ability to control image integrity using image signatures, as well as block images that have not passed signature verification. The solution can integrate with Notary and Cosign plug-ins for signature verification. To block images that have not passed signature authenticity verification, a new Image content protection section has been added to runtime policies.
• Control of applications and services running inside containers. The solution can monitor and block processes running inside containers.
• Support for Container Runtime Profiles, which can detect abnormal objects based on a custom or predefined profile pattern. The solution can create and use runtime profiles, which can be used to specify permissions for processes started inside containers and for network communications. Profiles are applied to containers started in a runtime environment and restrict their operation according to the specified settings.
• Monitoring and control of traffic between containers, containerization platform components, and external applications and resources. The solution can restrict network communications of containers in a runtime environment by configuring the following settings:
  • Ports (TCP/UDP).
  • IP addresses (IPV4, IPV6).
  • Block inbound and/or outbound network connections.

[Topic 265460]

Distribution kit

For information about purchasing the application, please visit https://www.kaspersky.com or contact our partners.

The distribution kit includes a Helm Chart package with the containerized resources necessary for deploying and installing Kaspersky Container Security components, including the following:

• kcs-ih—image of the scanning image handler application, which starts jobs that use vulnerability scanners and malware scanners, and then aggregates and publishes the scan results. The image handler can be scaled to fit your needs.
• kcs-scanner—image of the scanner server, which is used to store the vulnerabilities database and image layer cache, and acts as the server for kcs-ih images.
• kcs-middleware — image of the server part of the solution that implements business logic for data processing and provides a REST API for the graphical interface.
• nats and nats-box—images of the application that determine the ordered sequence of requests, thereby enabling the exchange of data segmented as messages.
• kcs-postgres — image of the database management system containing tools for analysis and optimization of request parsing and mechanisms for processing requests (rules).
• kcs-clickhouse—image of the Clickhouse database management system, which stores and processes informational messages from node-agent system agents.
• kcs-s3—image of the S3-compatible file storage repository used to store files generated by Kaspersky Container Security and to distribute them to users.
• kcs-panel— image for deploying the graphical user interface of Kaspersky Container Security.
• kcs-updates — image that is used to deliver updates when deploying the solution in isolated segments of a corporate network.
• kcs-licenses—image of the license management application for Kaspersky Container Security.
• values.yaml - a configuration file within the Helm package that contains the setting values for installing and updating the solution.

After downloading and saving the Helm package in a selected directory, the orchestrator downloads the images from the source specified in the Helm package directly to the orchestration platform nodes.

The information required to activate the application is sent to you by email.

[Topic 266385]

Hardware and software requirements

To install and operate Kaspersky Container Security, the following infrastructure requirements must be met:

• One of the following orchestration platforms:
  • Kubernetes (version 1.22 or later)
  • OpenShift 4.11 or later
• Availability of a CI system to scan container images within the development process (for example, GitLab CI).
• Installed package manager Helm v3.8.0 or later.

To implement runtime monitoring with container runtime profiles, orchestrator nodes must meet the following requirements:

• Linux kernel 4.19 or later.
• Container runtimes: containerd, CRI-O.
• Container Network Interface (CNI) plug-ins: Flannel, Calico, Cilium.
• Kernel headers on the host node:
  • For deb systems, the kernel-headers package must be installed.
  • For rpm systems, the kernel-devel package must be installed.

When using external database management systems, Kaspersky Container Security supports the following DBMS:

PostgreSQL, versions 11. *, 13. *, 14. *

Kaspersky Container Security supports integration with the following image registries:

• GitLab 14.2 or later
• Docker Hub V2 API or later
• JFrog Artifactory 7.55 or later
• Sonatype Nexus Repository OSS 3.43 or later
• Harbor 2.х.

Image requirements (OS, version, scanned packages):

• Alpine Linux, versions 2.2—2.7, 3.0—3.18, Edge. Packages installed via apk are scanned.
• Red Hat Universal Base Image, versions 7, 8, 9. Packages installed via yum/rpm are scanned.
• Red Hat Enterprise Linux, versions 6, 7, 8. Packages installed via yum/rpm are being scanned.
• CentOS, versions 6, 7, 8. Packages installed via yum/rpm are being scanned.
• AlmaLinux, versions 8, 9. Packages installed via yum/rpm are being scanned.
• Rocky Linux, versions 8, 9. Packages installed via yum/rpm are being scanned.
• Oracle Linux, versions 5, 6, 7, 8. Packages installed via yum/rpm are being scanned.
• CBL-Mariner, versions 1.0, 2.0. Packages installed via yum/rpm are being scanned.
• Amazon Linux, versions 1, 2, 2023. Packages installed via yum/rpm are being scanned.
• openSUSE Leap, versions 42, 15. Packages installed via zypper/rpm are scanned.
• SUSE Enterprise Linux, versions 11, 12, 15. Packages installed via zypper/rpm are being scanned.
• Photon OS, versions 1.0, 2.0, 3.0, 4.0. Packages installed via tdnf/yum/rpm are scanned.
• Debian GNU/Linux, versions 7, 8, 9, 10, 11, 12. Packages installed via apt/apt-get/dpkg are scanned.
• Ubuntu, all versions supported by Canonical. Packages installed via apt/apt-get/dpkg are being scanned.
• Distroless, all versions. Packages installed via apt/apt-get/dpkg are being scanned.
• RedOS, versions 7.1, 7.2, 7.3.x. Packages installed via yum/rpm are scanned.
• Astra, versions ce 2.12.x., se 1.7.x. Packages installed via apt/apt-get/dpkg are scanned.

When configuring Kaspersky Container Security with three scanner pods (kcs-ih) and a maximum image scan size of 10 GB, the cluster must meet the following requirements:

• At least 7 node processors
• 15 GB of RAM node capacity
• 40 GB of free disk space on a node hard drive
• At least 1 Gbps of communication channel bandwidth between cluster components

The above requirements apply to Kaspersky Container Security deployment only; they do not take into account other loads on the client's resources.

Kaspersky Container Security user workstation requirements:

• Permanent Internet connection when deployed in a public corporate network.
• Access to the Management Console page of Kaspersky Container Security (address within customer's corporate network, specified during installation).
• Communication channels with at least 10 Mbit/s bandwidth.
• One of the following browsers:
  • Google Chrome version 73 or later.
  • Microsoft Edge version 79 or later.
  • Mozilla Firefox version 63 or later.
  • Apple Safari version 12.1 or later.
  • Opera version 60 or later.

Page top

[Topic 256168]

Scaling

Kaspersky Container Security supports scaling for the number of scanning pods to ensure that the incoming image volume can be scanned. You can scale the number of scanning pods up or down at any time while the solution is operating.

When a scanning pod is added, the system resources increase as follows:

• The number of node processors—by 2.
• The amount of RAM on the nodes—by 4 GB.
• The amount of free disk space on a node hard drive—by 15 GB.

To scan images larger than 10 GB, the kcs-ih service resources must be increased as follows per scanning pod and for each additional GB.

• The amount of RAM on the nodes—by 300 MB.
• The amount of free disk space on a node hard drive—by 1 GB.

If the images are not scanned for configuration file errors during standard operation mode, it is not necessary to increase the RAM of the scanning pods.

Page top

[Topic 265976]

System packages of base images

The following operating system images are used as base images by Kaspersky Container Security:

• Alpine 3.18.4.
• Ubuntu 23.10.
• Oracle Linux 9.2.

Package management systems ("package managers") are used to manage the installation, removal, configuration, and updating of various software components. Kaspersky Container Security uses the following package managers for its base operating systems:

• For Alpine, apk.
• For Ubuntu, apt.
• For Oracle Linux, rpm.

To get information about installed system packages,

use the standard orchestrator tools for accessing a running container and (depending on the package manager used) enter the following bash command:

• For apk:

  apk -q list | grep "installed".

• For apt:

  apt list --installed.

• For rpm:

  yum list installed.

Page top

[Topic 270192]

Working in cloud-based environments

Kaspersky Container Security can operate in various cloud environments. For more information on launching the solution in cloud environments, contact your Presales Manager.

[Topic 250375]

Solution architecture

The Kaspersky Container Security platform consists of three main components:

• The Kaspersky Container Security Server has the following functions:
  • Provides an interface for interactive management of the solution (Management Console).
  • Ensures integration with external software components (SIEM, CI, image registries, LDAP, Telegram, email) and the receipt of information from them.
  • Coordinates the operation of other solution components.
  • Ensures the creation and management of security policies.
  • Displays the results of solution operations.
• Kaspersky Container Security Agent (hereinafter also referred to as the Agent). This component runs as a containerized application and ensures the appropriate level of node security in accordance with the configured security policies, including control of the following:
  • Runtime security of containers running on the nodes.
  • Network interaction between pods and applications inside containers.
  • Integration with the orchestration platform and flow of data necessary for analysis of the orchestrator configuration and its components.
  • Startup of containers from trusted images to prevent unverified images from running.

  Agents are installed to all nodes of clusters and all clusters requiring protection. Kaspersky Container Security works with two types of agents: cluster protection agents (csp-kube-agent) and node protection agents (csp-node-agent). Together they form groups of Agents. A separate group of Agents is created for each cluster. Many groups of Agents can be created for one installation of the solution.

  If the cluster contains no agents, some of the solution functionality is unavailable (for example, runtime policies, resource monitoring).

• Kaspersky Container Security Scanner. This component scans configuration files and images in the connected registries, searches for and analyzes detected malware, and conducts checks when the solution is integrated into CI/CD.

  

  Overall architecture scheme of Kaspersky Container Security

Kaspersky Container Security can be deployed in a public or private corporate network.

[Topic 254415]

Scanner

Scanner is a Kaspersky Container Security software component that scans objects in real time to assess their security and detect known vulnerabilities, malware, signs of sensitive data, and misconfigurations. The scanner lets you conduct security checks based on active security policies.

Kaspersky Container Security employs the following types of scanners:

• Vulnerability scanner based on the Common Vulnerabilities and Exposures (CVE) database
• File threat scanner within the File Threat Protection component
• Configuration file scanner
• Sensitive data (secrets) scanner

[Topic 254553]

About object scanning

Kaspersky Container Security checks objects deployed in the solution during the scanning process.

The scanning process searches for and analyzes threats and security risks associated with objects in the solution. Object scans must be performed regularly to keep track of emerging security threats.

When scanning, Kaspersky Container Security identifies the following security threats:

• Vulnerabilities
• Malware.
• Misconfigurations
• Sensitive data
• Non-compliance with security policy requirements

Scanning process

The scanner receives scan jobs through the image handler. The image handler is an application deployed in the Kaspersky Container Security infrastructure that forwards scan jobs to the scanner and receives the scan results from the scanner.

When scan jobs are forwarded, the current status of the scanner is determined as one of the following:

• Free — the scanner is not processing objects and can accept a job from the image handler application if requested.
• Busy — the scanner is currently processing a scan job. A new job from the image handler application is put in the queue.

The scan job queue includes all forwarded scan jobs and is generated in the following cases:

• An image registry scan is manually started.
• An image registry scan is automatically started.
• A bulk scan of cluster objects is started.

Jobs in the scan queue receive the following statuses:

• Pending — status assigned by default when a job is created.
• In progress — the job is being processed by the image handler.
• Parsing results — the solution processes the job scanning results to display them in the interface.
• Error— scan job failed.
• Finished — the results of the scan job are available.

Scan tasks from the queue are submitted to the image handler in the order of their receipt. A job then goes to a scanner with Free status and is scanned for security issues. The scan results are sent back to the image handler. The job is considered completed and finished if scanning results are received. If a scan job was performed three or more times but received no results, the job is given the Error status.

Actions after scanning

After scanning, the solution displays the scan results. If security threats are detected in an object, Kaspersky Container Security prompts you to perform one of the following actions:

• Delete the security threat.
• Accept the security risk

Page top

[Topic 259110]

File Threat Protection

When scanning registries and objects in CI/CD, Kaspersky Container Security uses the File Threat Protection component to search for and analyze potential file threats. The results of this malware scan are displayed together with the overall scan results.

The databases of the File Threat Protection component are updated from the Kaspersky Container Security update server.

After starting the utility, the File Threat Protection databases are downloaded and saved in the dedicated folder in the solution vendor's cloud object storage.

When the solution is deployed in a public corporate network, an update is performed directly from the update server. When installing the solution in a private corporate network, the updated File Threat Protection databases are added to the kcs-db-server container for subsequent running and updating.

[Topic 250376]

Standard deployment schemes

Kaspersky Container Security supports the following deployment scenarios:

• Deployment in a public corporate network (Internet access from the Kubernetes cluster is allowed):
  • Images from which the Kaspersky Container Security components are deployed are located in a public repository.
  • After installation, the solution components refer to the vulnerability databases on the Internet.
  • Databases are updated using the Update server on the Internet.

  A private corporate network with access to servers in the allowed servers list may be considered a public corporate network.

• Deployment in a private corporate network (Internet access from the Kubernetes cluster is prohibited):
  • An internal repository is used to host the images from which the Kaspersky Container Security components are deployed.
  • Components are installed from a dedicated image with the vulnerability databases and security standards required to operate the solution.
  • After installation, the solution components refer to vulnerability databases and security standards located in the corporate network.
  • The Update server providing threat database updates is deployed as a separate component in the corporate network.

A private corporate network also allows for deployment with a proxy server.

[Topic 254665]

Deployment in a public corporate network

When deployed in a public corporate network, Kaspersky Container Security is allowed to access the Internet from a cluster. The solution databases are updated from external databases containing updates for the vulnerabilities and malware databases.

Solution architecture when deployed in a public corporate network

[Topic 254664]

Deployment in a private corporate network

When deployed in a private corporate network, Kaspersky Container Security is prohibited from accessing the Internet from a cluster. The solution databases are updated by updating the images of the scanner that is run from the CI / CD and the image scanner.

Solution architecture when deployed in a private corporate network

[Topic 267938]

Preparing to install the solution

Prior to installing Kaspersky Container Security, you must install all certificates required for the corporate network and configure the proxy servers.

The solution can be deployed in a private or public corporate network.

Before installing Kaspersky Container Security, make sure that you have the following components and accesses:

• Virtual or physical machine with access to the Internet and the cluster.
• Helm package manager for packaging, configuring, and deploying applications and services in clusters.

  Kaspersky Container Security supports Helm v3.8.0 or later.

• Internet access to download Helm Chart packages.
• Orchestrator management tool, for example, kubectl for Kubernetes or oc for Openshift.
• Access to a cluster using the kubeconfig file.

  To install the solution in a private corporate network, configure a repository for container images. This repository accesses the Kaspersky Container Security vendor repository with the credentials provided by the solution vendor.

To prepare to install the solution in a private corporate network:

1. Connect the vendor's Helm repository containing the Helm Chart package.

   export CHART_URL="xxxxxx"
export CHART_USERNAME="xxxxxx"
export CHART_PASSWORD="xxxxxx"
export VERSION="xxxxxx"

   The CHART_URL, CHART_USERNAME, CHART_PASSWORD, and VERSION values are provided by the vendor.

   Example connection of a repository with Helm Chart

   helm registry login \

   --username $CHART_USERNAME \

   --password $CHART_PASSWORD

   $CHART_URL

   helm pull oci://$CHART_URL/charts/kcs --version $VERSION

   tar xvf kcs-$VERSION.tgz

2. Fill in the file with the installation settings (values.yaml) included in the solution distribution kit according to the comments in the file.
3. Save the file with the installation settings and proceed to install the solution.

Page top

[Topic 267055]

Solution installation

Kaspersky Container Security components are supplied as images in the Kaspersky Container Security manufacturer registry and deployed as containers.

Installation of the Kaspersky Container Security platform consists of the following steps:

1. Installing the Server and Scanner components.
2. First launch of the Management Console.
3. Configuration of the Agent groups and Agent deployment on the controlled cluster nodes.

After installation, you should prepare the solution for operation:

• Configure integration with image registries.
• Configure integration with outputs.
• Configure security policies.
• Add container runtime profiles.
• Configure integration with image signature validators.
• Configure integration with CI/CD.
• Configure user accounts, roles, and scopes.
• Configure integration with LDAP server.

[Topic 250378]

Installing the Server and Scanner

To install Kaspersky Container Security Server and Scanner:

After preparing the configuration file, run the solution installation:

cd kcs/

helm upgrade --install kcs . \

--create-namespace \

--namespace kcs \

--values values.yaml

Following the installation, the solution components are deployed.

The control panel will be available at the address specified in the envs subsection of the environment variables section. This allows you to create the ConfigMap object for the API_URL parameter:

http://${DOMAIN}

[Topic 250380]

First launch of the Management console

To start the Kaspersky Container Security Management Console:

1. In your browser, navigate to the address specified for the Management Console during the Server installation.

   The authorization page opens.

2. Enter your user name and password and click the Login button.

   During the installation of the solution, the user name and password have the same value assigned—admin. You can change the user name and password after launching the Management Console.

   After 3 unsuccessful password entry attempts, the user is temporarily blocked. The default block duration is 1 minute.

3. Following the request, change the current password for the user account: enter a new password, confirm it, and click the Change button.

   Passwords have the following requirements:

   • The password must contain numerals, special characters, and uppercase and lowercase letters.
   • The minimum password length is 6 characters, and the maximum password length is 72 characters.

The main page of the Management Console opens.

By default, the logged-in user session in the Management Console is 9 hours. In the Settings → Authentication section, you can set your own session duration from the minimum of 1 hour to the maximum of 168 hours. After this time expires, the session ends.

You can change the connection settings in the Settings → Authentication section.

[Topic 255780]

Viewing and accepting the End User License Agreement

When you launch the Management Console in a browser for the first time, Kaspersky Container Security prompts you to read the End User License Agreement between you and Kaspersky. To continue working with the solution, confirm that you have fully read and accept the terms of the End User License Agreement for Kaspersky Container Security.

To confirm acceptance of the terms of the End User License Agreement,

at the bottom of the End User License Agreement window, click the Accept button.

The authorization page opens for launching the Management Console.

After installing a new version of the solution, accept the End User License Agreement again.

[Topic 266166]

Checking solution functionality

After installing Kaspersky Container Security and starting the administration console, you can make sure that the solution is detecting security problems and protecting containerized objects.

To check the functionality of Kaspersky Container Security:

1. Activate the solution using an activation code or key file.
2. Configure integration with image registries. Integration with a single registry is sufficient to check the functionality.
3. If necessary, configure the settings of the scanner policy that is created by default after installation of the solution.
4. Add an image for scanning and make sure that the scan task is sent for processing.
5. After the scan is complete, go to the page with detailed information about the image scan results.

Scanning an image and receiving valid results confirms that Kaspersky Container Security is operating correctly. After this, you can further configure the solution settings.

Page top

[Topic 266165]

Agent deployment

You should install Agents on all nodes of the cluster that you want to protect.

To deploy Agents in the cluster:

1. In the main menu, go to the Components → Agents section.
2. In the work pane, click the Add Agent group button.
3. Fill in the fields in the form.
   1. Enter the group name and description. We recommend that you specify the name of the cluster, on the nodes of which Agents are deployed, as the group name for convenient Agent management.
   2. Select the type of Agent.
   3. Select the type of target node operating system.
   4. Select the orchestrator to use.
   5. In the KCS registry section, enter the web address of the registry where the images used to install agents are located. To access the registry, you must specify the correct user name and password.
   6. Specify the namespace in the cluster.
   7. If required, enter the deployment token, which is the identifier that the Agent uses to connect to the Server. You can enter the token or leave the field blank for the token to generate automatically.
4. Click the Add button.

   The right part of the work pane displays the data required to continue Agents deployment in the cluster.

5. Use the instruction from the Configuration field (in the .YAML format) to deploy Agents in the cluster. For example:

   kubectl apply -f <file> -n <namespace>

   Following the application of the guidelines from the instruction on the cluster, the Agent is deployed on all worker nodes of the cluster.

The table in the Agents subsection displays the created group and deployed Agents. Agents server connection status is available for viewing.

[Topic 266603]

Configuring a proxy server

In version 1.1, Kaspersky Container Security can proxy requests from private corporate networks to the external environment. The settings for connection through a proxy server are configured using the following environment variables in the Helm Chart package, which is included in the solution distribution kit:

• HTTP_PROXY – proxy server for HTTP requests.
• HTTPS_PROXY – proxy server for HTTPS requests.
• NO_PROXY – a variable that specifies domains or domain masks to be excluded from proxying.

  If HTTP_PROXY or HTTPS_PROXY is used, the NO_PROXY variable is automatically generated in the Helm Chart package, and all the components used by Kaspersky Container Security are indicated in this variable.

  You can change the NO_PROXY variable if you need to specify domains and masks for operation of Kaspersky Container Security in order to exclude them from proxying.

• SCANNER_PROXY – a specialized variable that specifies which proxy server receives requests from the scanner of the File Threat Protection component. These requests are used by Kaspersky servers to update databases.
• LICENSE_PROXY – a specialized variable that specifies the proxy server to which kcs-licenses application requests are sent for Kaspersky servers to check and update information about the current license.

To specify Kaspersky servers in the permission lists of proxy servers, you must use a *.kaspersky.com or .kaspersky.com mask (depending on the domain name masks supported by your proxy server).

The table below lists the Kaspersky Container Security applications that can use environment variables, and also indicates the purpose of these environment variables.

Environment variables used by Kaspersky Container Security applications

Page top

[Topic 250382]

Removing the solution

To uninstall the Kaspersky Container Security Server, do one of the following:

• On a workstation with the Helm package manager installed, access the Target cluster and the namespace with Kaspersky Container Security installed, and run the following command:

  helm uninstall kcs-release

  The Helm package manager does not delete PVC objects, PV objects or secrets. You should delete these manually using the following commands:

  kubectl delete pvc <PVC name>

  kubectl delete secret <secret name>

  kubectl delete pv <PV name>

• If Kaspersky Container Security is installed in a separate namespace, run the following command:

  kubectl delete ns <namespace>

To delete the Kaspersky Container Security agent:

Run the following command on the cluster node with the agent deployed:

kubectl delete -f <file> -n kcs

where <file> is the name of the YAML configuration file used to deploy the agent.

If you delete all agents on the nodes of a cluster, we recommend that you remove the group that included these agents.

To delete a group of agents:

1. In the main menu, go to the Components → Agents section of Kaspersky Container Security.
2. Select the required group from the list. The Status column displays the Disconnected status for the deleted agents.
3. Open the action menu from the last column of the row for the group and select Delete group.
4. In the window that opens, confirm the action.

[Topic 270647]

Updating the solution

You can find information about the latest versions of the application on the Kaspersky website at https://www.kaspersky.com or contact our partners.

The upgrade process is identical to the installation process. As part of the update process, the current version of the application is indicated.

The values of created PVC PostgreSql and Clickhouse objects were increased from 10GB to 20GB and from 1GB to 5GB, respectively, in Helm Chart of Kaspersky Container Security 1.1.1.
You can upgrade Kaspersky Container Security to version 1.1.1. To do this, you must first uninstall the available Helm Chart using the helm uninstall command. Then, using the values.yaml configuration file for the new version of the solution, you must run the helm install command to install the Helm Chart.
When you delete the Helm Chart, previously created PVC objects are saved, but when you install the Helm Chart with new values, the objects' physical size may not change. In this case, you should manually configure the physical size of objects taking into account the

Page top

[Topic 250383]

Solution interface

The Management Console is implemented through the web interface and consists of the following elements:

• Main menu — sections and subsections of the main menu give access to the key functionalities of the solution.
• Work pane — information and controls in the work pane depend on the section or subsection that you select in the main menu.

[Topic 263917]

Main menu

In the web interface, the main menu of Kaspersky Container Security is on the left pane and lists the main functional capabilities of the solution.

Resources

This section contains the monitoring results of all available Kaspersky Container Security resources: clusters, registries integrated with the solution, and CI/CD processes.

Components

This section contains information about the state of solution components, such as Agents and scanners. The Agents subsection also lets you create and delete Agent groups and view the information necessary to deploy Agents.

Compliance

This section contains the results of checks on cluster nodes for compliance with the Kubernetes benchmarks.

Policies

This section allows you to configure security policies when operating Kaspersky Container Security.

The Risk acceptance subsection contains a list of all detected threats and vulnerabilities, the risk of which is accepted by the user. In this subsection, you can cancel a risk acceptance or set the period during which a risk is considered accepted.

Administration

This section allows you to perform the following tasks:

• Under Access management, you can manage user access rights, define roles and access rights, and restrict access to resources and functional capabilities within specific scopes.
• Under Reports, you can view a list of generated reports on images, and download and delete reports.
• The Integrations subsection provides the capability to configure integration with: public image registries, image signature validators, outputs, and an LDAP server.
• Under Events, you can view a list of application-generated events that may be useful when tracking processes and analyzing potential security threats.

Settings

This section allows you to perform the following tasks:

• Under Authentication, you can configure the settings for starting the Management Console for Kaspersky Container Security and manage the connection settings.
• The Licensing subsection allows you to manage licensing settings and view license functionality.
• The About subsection contains information about the version of the application and the latest update of the malware and vulnerabilities database. You can also view the terms of the license agreements for Kaspersky Container Security and the File Threat Protection component, and open the Kaspersky Container Security Help for more detailed information about the solution.

Block with the name of the current user

This block displays information about the user that logged in to the Kaspersky Container Security Management Console. Using the commands of the pop-up menu, you can go to the user profile page and exit the console.

[Topic 255368]

Dashboard

On the main Kaspersky Container Security page, you can configure the dashboard to receive up-to-date analytical data on objects that are processed by the solution. This configuration is performed using filters that let you sort information by object and period.

Analytical data is displayed using widgets or specialized tools that show analytic information.

The Kaspersky Container Security dashboard opens when logging in to an account or when clicking the area containing the logo and name of the solution above the main menu.

[Topic 255372]

Applying filters

Kaspersky Container Security provides the capability to configure the dashboard using the following filters:

• Filter by period:
  • For the entire period
  • For the year
  • For the quarter
  • For the month
  • For the week
  • For the past 24 hours
  • For a customized period

  For any period you select, the time count begins from the current day. By default, information is displayed for the week.

• Filter by resource:
  • All images
  • All images outside of clusters
  • All images in clusters
  • Images of a specific cluster
  • CI/CD images

  By default, information is displayed for all images.

[Topic 255371]

Widgets on the dashboard

Kaspersky Container Security provides analytical data on the dashboard by using widgets that are organized into groups based on data type. The following widget groups and widgets are available in Kaspersky Container Security:

• Image compliance with security policy requirements. The solution displays the following information:
  • Total number of images.
  • Number of images with Compliant status.
  • Number of images with Non-compliant status.
• Image risk assessment. The widget provides the following information on the statuses of objects:
  • Total number of images.
  • Number of images with the Critical status.
  • Number of images with the High status.
  • Number of images with the Medium status.
  • Number of images with the Low status.
  • Number of images with the Negligible status.
  • Number of images with the Ok status.
• Top 10 object benchmarks that most frequently result in failure of cluster nodes to comply with the Kubernetes benchmarks:
  • 10 cluster node benchmarks that most frequently result in non-compliance.
  • Number of cluster nodes that failed the compliance check due to the specified benchmark.
• Top 10 registries based on the number of images with maximum risk status.
• Vulnerabilities
  • Top 10 detected vulnerabilities with Critical, High or Medium severity status, and the number of images containing the specified vulnerability.
  • Top 10 images containing the maximum number of identified vulnerabilities with Critical and High severity status.
• Malware
  • Top 10 most frequently detected types of malware and number of images containing this malware.
  • Top 10 images with the maximum number of detected types of malware.
• Sensitive data:
  • Top 10 detected types of sensitive data with Critical, High or Medium severity status and the number of images containing this sensitive data.
  • Top 10 images containing the maximum amount of detected sensitive data with Critical and High severity status.
• Misconfigurations
  • Top 10 detected misconfigurations with Critical, High or Medium severity status, and the number of images containing such sensitive data.
  • Top 10 images with the maximum number of detected misconfigurations with Critical and High severity status.

  Object lists that specify the severity level are sorted in descending order of severity (first items on the list are objects with the highest severity status).

Page top

[Topic 267266]

User profile

To go to the user profile page:

1. In the main menu, click on the block with the current user name.
2. Select My Profile.

On the My Profile page, Kaspersky Container Security displays key information about the active user account. This information is divided into the following sections:

• General information—shows the user's name and their displayed user name, a contact email address, and a list of the roles assigned to the user.

  In this section, you can also change the password to enter the Management Console by clicking the Change password button.

• API token—information about the token for connecting to and accessing the solution using API. The value of the valid API token is hidden by a mask and can be viewed by clicking the unmask icon () located to the right of the token. You can hide the token value with a mask by clicking the mask icon ().

  In this section, you can also copy the value of the active token by using the Copy button. If necessary, you can also generate a new API token by clicking the Reissue token button.

• Permissions - all rights and permissions assigned to the user are displayed.

Page top

[Topic 263603]

Specific ways to set up data display

Kaspersky Container Security interface provides the following ways to set up data displaying:

• Filtering: The filter fields are located above the data tables. Filter fields and ways to manage the filter depend on the specifics of the data to be displayed.

  In some sections, you must click the filter icon to open the filter fields ().

• Sorting in ascending or descending order. In some sections, you can sort the list of data by the selected column by using the sort icon () in the column header.
• Search: You can search the displayed data by using the Search field, located above the table and designated by the search icon ().
• Menu. In some tables, you can perform actions on the objects using the menu commands in the table rows. To open the menu for the selected object, click the menu icon () in the object row.
• Select. In some tables, you can select items by clicking the check box (). To unselect a check box, click the checkbox again.
• Delete. You can delete objects in the solution by using the delete icon () or the Delete link that appears when selecting objects.
• Expand or collapse lists. In some tables, you can click the expand icon () to expand an object row and view its contents. To collapse table elements, click the collapse icon ().

[Topic 250749]

Licensing the solution

This section provides information about the general terms related to the licensing of Kaspersky Container Security.

[Topic 251945]

About the End User License Agreement

The End User License Agreement is a binding agreement between you and AO Kaspersky Lab stipulating the terms on which you may use the application.

Please carefully read the terms of the End User License Agreement before you start using the application.

You can read the terms of the End User License Agreement during the Kaspersky Container Security installation.

By confirming that you agree with the text of the End User License Agreement during installation of the application, you signify your acceptance of the terms of the End User License Agreement. If you do not accept the terms of the End User License Agreement, you must cancel installation of the application and must not use the application.

Updates functionality (including providing anti-virus signature updates and codebase updates) might not be available in the software in the U.S. territory.

[Topic 251954]

About the license

A license is a time-limited right to use Kaspersky Container Security as granted under the End User License Agreement.

A license includes the right to use the application in accordance with the terms of the End User License Agreement, and to receive technical support. The available functionality and application usage period depend on the type of license that was used to activate the application.

Kaspersky Container Security supports the following types of licenses:

• NFR (not for resale) is a free license for a specific period intended to familiarize the user with the application and to conduct test deployments.
• A Commercial license is a paid license that is provided when you purchase the solution.

Solution functionality depends on the type of license held. Kaspersky Container Security supports the following licenses:

• Standard license — allows for integration with image registries and platforms, security threat detection scans, risk assessment, and monitoring of object status.
• Enterprise license — in addition to the functionality of the standard license, this license also provides access to components used for the monitoring, control, and analysis of objects, misconfiguration detection and security threat protection.

When the license expires, the application continues to work but with limited functionality. For full Kaspersky Container Security functionality, you must purchase a commercial license or renew your commercial license.

[Topic 251955]

About the license certificate

A license certificate is a document that you receive together with a key file or activation code.

The license certificate contains the following license information:

• License number or order number
• Information about the user who is granted the license
• Information about the application that can be activated under the provided license
• Restrictions on the number of licensing units (for example, devices on which the application can be used under the provided license)
• Start date of the license term
• License expiration date or license term
• License type

[Topic 251956]

About the license key

A license key is a sequence of bits that you can use to activate and then use the application in accordance with the terms of the End User License Agreement. The license key is generated by Kaspersky experts.

You can add a license key to the application by either applying a key file or entering an activation code.

Kaspersky can block a license key over violations of the End User License Agreement. If the license key has been blocked, you have to add a different license key to continue using the application.

[Topic 251958]

About the key file

A key file is a file with the KEY extension that you receive from Kaspersky. The purpose of a key file is to add a license key that activates the application.

You receive a key file at the email address that you provided when you purchased Kaspersky Container Security.

You do not need to connect to Kaspersky activation servers to activate the solution with a key file.

You can restore a key file if it has been accidentally deleted.

To restore a key file, do one of the following:

• Contact the license vendor.
• Get a key file from the Kaspersky website based on an available activation code.

[Topic 251957]

About the activation code

An activation code is a unique sequence of 20 English letters and numbers. You must enter an activation code to add a license key that activates Kaspersky Container Security. Your activation code will be sent to the email address that you provided when you purchased Kaspersky Container Security.

To activate the application with an activation code, Internet access is required to connect to Kaspersky activation servers.

If you lose your activation code after activating the application, please contact the Kaspersky partner that you purchased the license from.

[Topic 253551]

Application activation procedure

Application activation is the process of activating a license that grants the right to use Kaspersky Container Security until expiry.

You can activate the application by using the activation code or key file provided to you when you purchased the solution.

An activation code is used for activation when you install the solution in a public corporate network with Internet access. A key file is used for activation when you install Kaspersky Container Security in a public corporate network or private corporate network without Internet connectivity.

To activate the application with an activation code:

1. In the Settings → Licensing section, click the Add license key button.
2. In the window prompting you to select how you want to add the license key, select Enter activation code.
3. In the Activation code field, enter the activation code and click Add.

   The application is activated, and the license info page opens.

To activate the application with a key file:

1. In the Settings → Licensing section, click the Add license key button.
2. In the window prompting you to select how to add the license key, select Upload key file and click the Upload and add button.
3. In the window that opens, select a file with the KEY extension and click Open.

   The application is activated, and the license info page opens.

When activating the application, the new activation code or key file will replace the previously entered activation code or key file.

[Topic 253956]

Viewing license information

You can view information about the active license in the Kaspersky Container Security web interface, in the Settings → Licensing section.

The license details page displays the following parameters:

• Licensing information. Kaspersky Container Security displays the following:
  • Name of the Kaspersky partner that you purchased the license from.
  • License term.

    The term begins from the moment you purchase the license, not from the moment you activate the application.

• Customer information. This subsection provides data on the company that purchased the license:
  • Company name
  • Country where the company is located
  • Email address of the customer representative
• Time period remaining until license expiration The solution displays the exact date and time of license expiration.
• Node count—maximum number of nodes and number of active nodes allowed by the license.
• Image scans per month—maximum number of image scans and completed scans allowed by the license. A month is considered to be the last 30 days (30 days from the current day).
• Functionality provided by the license. The solution displays a list of the available functionality under the license you purchased.

[Topic 254015]

Renewing the license

When the license is approaching its expiration date, Kaspersky Container Security displays the following notifications:

• Notification that the license is expiring soon, indicating the time remaining until expiration. You receive this notification 30, 14, and 7 days before the license expires.
• Notification that the license is expiring and the solution will switch to limited functionality mode. This notification is sent on the day of license expiration.

In limited functionality mode, the functionality of Kaspersky Container Security is limited as follows:

• No new object scans are performed.
• The web interface does not display the new nodes added to the previously created clusters after the license expired.
• New clusters cannot be added for monitoring purposes.
• Vulnerabilities databases are not updated.

You can renew a license by applying a new activation code or by adding a new key file. To renew a license, contact the Kaspersky partner you purchased the license from.

[Topic 255742]

Removing the license key

To remove the license key:

1. In the Settings → Licensing section, click the Delete license key button.
2. Confirm the removal by clicking the Delete button.

Page top

[Topic 250750]

Data provisioning

This section contains information about the data that Kaspersky Container Security can save on the device and forward to Kaspersky during its operation.

If you use an activation code to activate Kaspersky Container Security, you agree to automatically provide information to Kaspersky as part of the regular license key status confirmation process. To confirm the license key status, Kaspersky Container Security periodically contacts Kaspersky activation servers and forwards the following information to Kaspersky:

• regional activation center identifier;
• title of the license to use the solution;
• checksum type and checksum of the license key;
• date and time when the license key was created;
• date and time when the solution license expires;
• solution license identifier;
• identifier of the information model applied when providing a license to use the solution;
• current license key status;
• license type used to activate the solution;
• unique device identifier;
• family name of the device operating system;
• solution installation identifier (PCID);
• identifier, localization, and full version of the solution;
• solution identifier obtained from the license;
• set of compatible software identifiers;
• solution rebrand identifier;
• list of legal agreements shown to the solution user;
• type and version of the legal agreement accepted by the user while using the solution.

In addition, by using the activation code, you agree to forward the following information to Kaspersky:

• activation code entered by the user to activate the solution;
• date and time on the user device;
• version, build number, update number, and revision of the device operating system;
• flag indicating that the user accepted the terms of the legal agreement while using the solution.

By using the activation code, you agree to automatically forward the data listed above to Kaspersky. If you do not agree to provide this information, use a key file to activate Kaspersky Container Security.

If you use Kaspersky update servers to download updates, you agree to automatically provide the following information:

• Identifier of the Kaspersky Container Security solution obtained from the license;
• full version of the solution;
• solution license identifier;
• type of valid license;
• solution installation identifier (PCID);
• Identifier of the solution update launch;
• processed web address.

Kaspersky can use all the obtained data to generate statistical information about the distribution and use of Kaspersky software.

Any received information is protected in accordance with legally established requirements and applicable Kaspersky regulations. Data is transmitted over encrypted communication channels.

More detailed information about the processing, storage, and destruction of information obtained during the use of the solution and transferred to Kaspersky is provided in the End User License Agreement and the Privacy Policy on the Kaspersky website.

[Topic 252215]

Working with clusters

Kaspersky Container Security provides a tool for displaying and analyzing the connections between various resources within namespaces in clusters.

A cluster is a set of nodes that run applications placed in containers.

By using clusters, you can perform bulk scans of images within those clusters. When doing so, the registries found in a cluster during a scan are automatically created. Kaspersky Container Security automatically reads and records the identification data used for accessing registries in a cluster (user name, password, token), and generates a link to this object. Registries are also assigned a name in the following format: <cluster name>_<registry name>. When working with cluster objects, the received identification data is used to access the registries.

The Inventory → Assets → Clusters section displays a table of clusters where Kaspersky Container Security Agents are installed. This table indicates the number of namespaces and orchestrators included in each cluster.

Cluster resources can be scanned and visually represented only if deployed Agents are available.

[Topic 255534]

Cluster resources

Kaspersky Container Security scans and displays objects included in the cluster and the links between them for all clusters with active Agents. The possible types of objects are presented in the table below.

Components of a cluster infrastructure

Page top

[Topic 250386]

Viewing cluster resources

Kaspersky Container Security allows you to view available clusters and quickly receive consolidated information on specific groups of cluster objects. You can use a filter to define the settings for displaying objects. You can search for objects by, for example, the namespace name or the image name.

To view the resources of a cluster and their interaction schematic:

1. In the Inventory → Assets → Clusters section, click the cluster name link in the table.

   In the cluster viewing window that opens, resources are displayed on the following tabs:

   • Namespaces
   • Pods
   • Visual representation
2. On the Namespaces tab, in the Namespaces drop-down list, select the group of namespaces that you want to view.

   The table that opens shows all namespaces of the selected group within the cluster. The following information is indicated for each namespace:

   • Number of containers in the namespace.
   • Number of scanned images.
   • Number of processed scan tasks.
   • Number of incomplete scan tasks.
   • Risk assessment.
   • Detected security issues.

   You can click the namespace link to view the image registry for the selected namespace.

3. On the Pods tab, in the Namespaces drop-down list, select the group of namespaces that you want to view:
   • All namespaces.
   • Agent. Kaspersky Container Security displays objects in the cluster based on the Agent that is active within them.

   An object search can be performed by using a filter that allows you to define the following search parameters:

   • Image name
   • Pod name
   • Compliance with security policy requirements

     An image is assigned the Compliant status if no security issue (such as a vulnerability) is detected in that image.

   • Date of last scan
   • Detected risks. In this case, the search is performed on objects for which security issues were found. For example, vulnerabilities, malware, traces of sensitive data or misconfigurations were found in these objects.

   For each namespace, the table that opens indicates the pod, container running agent, image, status of compliance with security policy requirements, risk assessment, and identified security issues.

   You can click the link on the image name to view it in the image registry.

4. On the Visualization tab, click the object icon on the cluster resource interaction schematic to open its details window.

   A visual representation of cluster resources is generated if active Agents exist for this cluster.

Page top

[Topic 263733]

Working with images from registers

The Resources → Assets → Registries section contains a list of images scanned by Kaspersky Container Security and the image scan results. The list includes images from registries integrated with Kaspersky Container Security. You can add images to the list automatically or manually.

The list of images is empty until you configure integration with registries and settings for pulling and scanning images for the registry in the Administration section.

The list of images is displayed as a table, the images are grouped by repositories.

You can perform the following actions in the Resources → Assets → Registries section:

• Search for images by name or checksum.

  A search is conducted only in the selected active image registry. If the sought image is absent from the selected registry but is part of a different registry, the search gives no results.

• Filter the list to display images that match the specified criteria:
  • Images only from the specified registries;
  • Images that comply with or fail to comply with benchmarks;
  • Images scanned during a specified period of time;
  • Images for which the specified risks are identified.
• Start rescanning of the specified images (the Rescan button is displayed above the table after you select one or more images).
• Generate reports on selected images (the Create report button is displayed above the table after you select one or more images).
• Add images to the list and remove images from the list.
• View detailed information about the image scanning results.

[Topic 250388]

Adding and removing images

Images from the registries integrated with Kaspersky Container Security can be added to the list of images automatically, in line with the configured settings for pulling and scanning images for each registry. You can also add images to the list of images from registries manually. New images are queued for scanning.

To manually add images to the list:

1. In the Resources → Assets → Registries section, do one of the following:
   • Select a repository from the list, open the action menu located to the right of the repository name, and select Add images.
   • Click the Add images button above the table.
2. Do one of the following:
   • If you add images from the selected repository, select the required image tags in the window that opens and click the Add images button.
   • If you add images using the Add images button above the table, in the window that opens, select a registry, a repository, one or more images and click the Add images button.

To optimize the load on image registries, a list of images in the connected registries is generated every 10 minutes. After a new image appears in the registry, its appearance in the Kaspersky Container Security interface may be delayed by the specified period.

To remove images from the list:

1. In the Resources → Assets → Registries section, do one of the following:
   • Select one or more images that you want to remove from the list and start removal using the Delete link located above the table.
   • In the list, select the repository of images you want to delete, open the action menu on the row with the repository name, and select Delete repository.
2. In the window that opens, confirm the deletion.

[Topic 250389]

Viewing image scanning results from registries

Summary information about the scanning results for all images in the repository and each specific image is displayed in the list of images in the Resources → Assets → Registries section.

Click the image name link to open a page with detailed information on image scanning results.

The tabs at the top of the window contain the following information:

• The Risk tab provides a summary of the scanning results. If threats are detected during scanning, recommended actions to protect the image are available at the bottom of the page. Click the Rescan image button to repeat scanning of the image.
• The Vulnerabilities tab shows the vulnerabilities detected in the image. Clicking the link in the name of the vulnerability can open a detailed description of the vulnerability and find out if it has an
  exploit

  Program code that takes advantage of some vulnerability in the system or in application software. Exploits are frequently used to install malware on a computer without the user's knowledge.

  .

  Kaspersky Container Security receives a description of vulnerabilities from the connected vulnerabilities database. The description is provided in the language of the vulnerabilities database. For example, a description of vulnerabilities from the NVD is displayed in English.
  The classification of vulnerabilities in the solution matches the classification used in the connected vulnerabilities database.

• The Layers tab displays layers used in the image with the specification of identified vulnerabilities. Click the layer name link to open a detailed description of the identified vulnerabilities.
• The Resources tab demonstrates resources (components) with the specification of identified vulnerabilities. Click the resource name link to open a detailed description of the identified vulnerabilities.
• The Malware tab lists malware detected in the image. Click the malware name link to open a detailed description.
• The Sensitive data tab shows sensitive data (secrets) found in the image such as passwords, access keys, or tokens.
• The Misconfigurations tab displays detected image misconfigurations that constitute a threat. Click the misconfiguration name link to open a detailed description.
• The Information tab provides the basic information about the image and image history.
• The Scan history presents the latest scan results for each version of the image. The results are updated if the same version of an image is scanned, or they are added in a separate row of the table if a different version of the image is scanned.

You can accept each identified risk.

[Topic 271977]

About risk rating

A scan conducted by Kaspersky Container Security results in rating a risk of the scanned object. While scanning, the solution may detect all or some of the following security issues in objects:

• Vulnerabilities
• Malware.
• Sensitive data.
• Misconfigurations

Each risk detected is assigned one of the following risk ratings, based on the severity of the security threats:

• Negligible.
• Low.
• Medium.
• High.
• Critical.

If no security issues are detected during scanning, such an image is considered secure and is marked as Ok.

Risk ratings of the detected vulnerabilities, malware, sensitive data, or misconfigurations correspond to the ratings specified in the security threat databases, which are used for scanning (for example, NVD, VDB). These vulnerability and threat databases use special scoring scales to assess the severity of security threats. For example, the Common Vulnerability Scoring System (CVSS) is applied in the NVD.

The object is assigned the highest severity level of all the detected with an appropriate risk rating.

For example, the following security threats were detected during an object scan:

• vulnerabilities with the low level of severity;
• sensitive data with the high and critical levels of severity;
• configuration errors with the medium severity level;
• malware with the low severity level.

Here, the risk rating is critical in accordance with the highest severity level of the detected threats.

[Topic 260972]

Detailed information about detected vulnerabilities

You can view detailed information about a vulnerability detected in an image. To do this, in the window with the image scan results, select the Vulnerabilities tab and click the link with the vulnerability entry identifier. The identifier is given in CVE-YYYY-X... format, where:

• CVE is a prefix that indicates that the vulnerability is included in the database of known vulnerabilities and security defects.
• YYYY is the year when the vulnerability was reported.
• X... is the number assigned to the vulnerability by authorized bodies.

A separate window displays the following information about the detected vulnerability:

• Vulnerability entry identifier
• Vulnerability severity level
• Description of the vulnerability and a link to additional information
• Installed resource
• Vulnerability severity score based on the
  CVSS

  Common Vulnerability Scoring System is an open standard for scoring vulnerabilities. CVSS specifies a set of metrics and formulas for scoring vulnerability severity, with values from 0 (minimum) to 10 (maximum). CVSS allows you to allocate vulnerability response efforts based on vulnerability severity.

  open standard in the
  NVD

  The National Vulnerability Database is the United States Government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol.

  ,
  VDB

  The Data Security Threats Database (DSTD or VDB) is a national vulnerability database maintained by the Russian Federal Service for Technical and Export Control (FSTEC).

  , and
  RED OS

  Russian general-purpose operating system RED OS supports scanning for vulnerabilities that can threaten the functioning of services and workstations.

  vulnerability databases, as well as the final consolidated vulnerability severity score.
• You can accept the risk of the vulnerability by clicking the Accept button.
• Information about the scan:
  • Image in which the vulnerability was detected
  • Operating system that was scanned
  • Date when the vulnerability was first detected
  • Date when the image was last scanned
  • Performed workloads

Page top

[Topic 260988]

Detailed information about detected malware

If image scanning detects malware, the solution displays this on the page with information about the image scan results. To view detailed information about a detected malicious object, in the window with image scan results, select the Malware tab.

For each object, the solution generates the MD5 or SHA256 hash and indicates the path to the location where it was detected.

You can view detailed information about detected malicious objects in the cyberthreat databases created in

A page with a threat description on the Kaspersky OpenTIP portal is publicly available. Users must enter their account credentials to access Kaspersky TIP.

Page top

[Topic 259061]

Setting up integration with external image registries

Kaspersky Container Security can scan images from the following external image registries:

• Harbor
• GitLab Registry
• JFrog Artifactory
• Sonatype Nexus Repository OSS
• Yandex Registry
• Docker Hub
• Docker Registry

You should integrate Kaspersky Container Security with external registries containing images to be scanned. Images from registries integrated with Kaspersky Container Security can be scanned automatically or manually, depending on the configured image pulling and scanning settings for each registry.

[Topic 265977]

Minimum sufficient rights for integration with registries

To integrate with external image registries, a Kaspersky Container Security account must have a certain set of rights, which differs depending on the registry type. The list of the minimum account rights required for integration is given below for each registry type.

GitLab

To integrate the solution with a GitLab user's registry, you should define the parameter values as follows:

• User role in the project or group: Reporter.
• Level of access to the project: Reporter.
• Rights assigned to the user token: read_api, read_registry.

JFrog

To integrate the solution with a JFrog user's registry, you need to define the parameter values as follows:

• User role in the project or group: Manage Reports.
• Project access: Can Update Profile.
• User rights: the right to read any repository (ANY repository).

Harbor

To integrate the solution with a Harbor user's registry, you should define the parameter values as follows:

• Member type: user. To do this, specify User in the Member Type column of the table in the Projects → Members section.
• User role in the project or group: user with limited rights. To do this, you must specify Limited Guest in the Role column of the table in the Projects → Members section.
• User rights: user without administrator rights. To do this, in the Administrator column of the table in the Users section, select No.

Nexus

To integrate the solution with a Nexus user's registry, you should define the parameter values as follows:

• User role in the project or group: user.
• Rights assigned to the user role in the project or group: nx-apikey-all, nx-repository-view-docker-*-browse, nx-repository-view-docker-*-read.

Docker Hub

The solution integrates with a Docker Hub user's registry after authorization using the user name and password.

This Docker Hub registry integration option only applies to a personal namespace.

Page top

[Topic 267912]

Working with public registries without authorization

Kaspersky Container Security 1.1 does not work with public registries without authorization. For example, you cannot use the solution to scan images when Docker Hub is accessed anonymously.

If you do not authorize in public registries, you can use such image registries in a cluster, add them to Kaspersky Container Security and manually assign them to a specific scope. If the scope includes only one or several public registries for which you are not authorized, and you try to add an image in the Resources → Assets → Registries section, the solution displays an error indicating that it is impossible to add images as the solution is not integrated with image registries.

[Topic 250403]

Viewing information about integrations with registries

You can view a list of all registries integrated with Kaspersky Container Security in the Administration → Integrations → Image registries section.

You can use the list to do the following:

• Add new registry integrations. Click the Add registry button located above the list to open the registry settings window.
• View and modify registry integration settings, including image pull and scan settings. You can open the editing window by clicking the registry name link.
• Delete integrations with registries.

[Topic 266472]

Adding integrations with external image registries

Integrated registries support only local image repositories that directly contain the images. In version 1.1, Kaspersky Container Security does not support working with remote or virtual repositories.

To add an integration with an external registry:

1. In the Administration → Integrations → Image registries section, click the Add registry button.

   The integration settings window opens.

2. On the Registry settings tab, specify the settings for connection to the registry:
   1. Enter the name of the registry.
   2. If required, enter a description of the registry.
   3. Select the registry type from the drop-down list.
   4. If you set up JFrog Artifactory registry integration, to access Docker, in the Repository Path method drop-down list, select one of the following methods:
      • Repository path.
      • Subdomain.
      • Port.
   5. If you set up a JFrog Artifactory, Harbor, or Sonatype Nexus Repository OSS registry integration, enter the full web address of the registry. We recommend that you use HTTPS connection (HTTP connection is also supported).

      If you use HTTP or HTTPS with a self-signed or invalid certificate, you should check the insecure-registry box for the Docker engine on the nodes where the server and scanner are installed.

   6. If you set up a Gitlab Registry registry integration, provide the full web addresses (URLs) of the registry and registry API.
   7. If you set up a registry integration for Docker Hub or JFrog Artifactory, choose an authentication method: with an account or API key. For Sonatype Nexus Repository OSS registries, you can only use authentication with an account.
   8. Specify the data required for authentication.
3. Go to the Image scan details tab and specify the scan timeout for scanning images from this registry (in minutes).

   If image scanning lasts longer than the specified time, the scanning stops and the image is returned to the scanning queue. The solution will requeue the image up to 3 times. This means that the time required to scan an image from the registry may be tripled.

4. Configure the image pull and scan settings for the registry. By default, the Manual option is selected in Pull and scan images: images are not automatically pulled from the registry, but the user can manually add images to the list of images for scanning. New images are automatically queued for scanning.

   If you want images to be pulled from the registry and queued for scanning automatically, select Automatic in Pull and scan images and configure the settings for image pulling and scanning. The following options are available:

   • Scan timeout—a block of settings that determine the frequency at which images are pulled from the registry for scanning. The time is specified in accordance with the time of the node on which the Kaspersky Container Security Server is deployed.
   • Rescan images—if you check this box, images that were previously pulled from the registry are rescanned each time new images are scanned.
   • Name/tag criteria—you can use name criterion and/or image tag pattern to specify which images to pull and scan. If you check the box, Kaspersky Container Security will only pull those images that match the specified patterns for scanning.

     You can use criteria in the following patterns:

     • by image name and tag – <name><:tag>
     • by image name only – <name>
     • by image tag only – <:tag>

     For example:

     • for the alpine pattern, all images with the name "alpine" are pulled, regardless of the tag;
     • for the 4 pattern, all images with tag 4 are pulled, regardless of the image name;
     • for the alpine:4 pattern, all images with the name "alpine" and tag 4 are pulled.

     When generating criteria, you can use the * character, which replaces any number of characters.

     To add a criterion, enter it in the field and click the Add button. You can add one or more criteria.

   • Additional conditions for image pulling.
     • If no additional conditions are required, select No additional conditions.
     • Images created within – select this option if you want to only pull images created within a specific period (for a specified number of days, months, or years). Specify the duration of the period and the unit of measurement in the fields on the right. By default, the period is 60 days long.
     • Latest - select this option if you want to only pull images with the latest tags (from the date of the image creation). In the field on the right, specify the number of latest tags to consider.
   • Never pull images with the name/tag pattern - using image name/tag patterns you can specify, which images are excluded from pulling and scanning.
   • Always pull images with the name/tag pattern—using image name/tag patterns you can specify, which images are always pulled and scanned, regardless of other conditions set above.
5. Click the Save button in the top of the window to save the registry integration settings.

[Topic 250405]

Deleting integration with external registry

To delete an integration with an external registry:

1. In the Administration → Integrations → Image registries section, select the integration you want to delete by selecting the check box in the row with the registry name. You can select one or more integrations.
2. In the line containing the name of the integration with the image registry that you want to delete, click the delete icon ().
3. In the window that opens, confirm the action.

Kaspersky Container Security does not scan images from a registry it is no longer integrated with.

[Topic 267228]

Integration with CI/CD

Kaspersky Container Security lets you scan images of containers and IaC residing in code repository management systems in the

At the project build stage in the repository management system, you can run the Kaspersky Container Security scanner to check the objects in the repository for compliance with the enabled security policies. The scanner is started from a registry using an agent, such as GitLab Runner in GitLab. Data on the scan job and sending scan results are forwarded through the application programming interface (API).

When running an object scan during the project build stage, you must make sure that the Fail CI/CD step is not selected in the settings of the applied assurance policy. If this setting is activated, the solution will notify you of an error during the scan.

The scan results are displayed in the list of images in the Inventory → CI/CD → Scanning in CI/CD section.

For each of the objects in the table, Kaspersky Container Security displays the following:

• Date and time of the last scan.
• Name.
• Risk rating.
• Summary scan results with an indication of the identified objects related to vulnerabilities, malware, sensitive data and misconfigurations.
• Artifact type.
• The number and pipeline of the build in which the image was scanned.

In the section Resources → CI/CD → Scanning in CI/CD section, you can also generate a report on images that are scanned within the CI/CD process.

Reports are generated only for objects with the Image artifact type. In this section, a report cannot be generated for other types of artifacts.

[Topic 260412]

Image scanning in CI/CD processes

Kaspersky Container Security allows you to scan images that are used in CI/CD. The solution is incorporated into CI/CD as a pipeline stage, where the Kaspersky Container Security Scanner is run.

To scan images from CI/CD, you should configure the integration of Kaspersky Container Security with CI/CD processes.

Kaspersky Container Security performs the following types of scans in CI/CD:

• Scanning of images in TAR archives A TAR archive is stored as a build artifact that the solution scans in the next build pipeline.
• Scanning a Git repository, which can be performed in one of the following ways:
  • for a project branch (individual development path) in the Git repository
  • for a commit (state snapshot or checkpoint in the project's timeline)

The scanning results are forwarded to the server and displayed in the Management Console in the Resources → CI/CD section. The provided table lists the images that were scanned, shows the results of the risk assessment, and indicates the detected vulnerabilities.

You can click the image name link to open a page with detailed information about image scanning results. This page is similar to the page showing the results of registry images scanning.

Kaspersky Container Security also displays the type of artifact for each object. Two main artifacts are used:

• File system is repository containing configuration files.
• Container image is a template used for runtime implementation of the container.

The table indicates the build number and build pipeline for each scan object. These parameters can be used to determine the specific stage where the image failed.

For CI/CD images, rescanning is not provided.

[Topic 263676]

Configuring image and configuration file scan settings

To scan images or repositories (in order to scan configuration files) used in the CI/CD process, add a stage to the CI/CD pipeline that runs the Kaspersky Container Security scanner. The scanning results are forwarded to the Kaspersky Container Security Server and are displayed in the Management console in the Resources → CI/CD section.

Data from listening to and intercepting network traffic must be securely transferred between the CI/CD environment and the solution.

Example of configuring integration with GitLab CI/CD

This example uses a specific scanner image with the built-in vulnerability databases located in the image registry of the Kaspersky Container Security manufacturer.

To use the image scanning feature in the GitLab CI/CD process, you should enable the use of the GitLab Container Registry.

Integration configuration includes the following steps:

1. Authorization of GitLab CI/CD in the image registry of the Kaspersky Container Security manufacturer.
   1. On the cluster operator's workstation, prepare a Base64 hash of the authorization data by running the following command:

      printf "login:password" | openssl base64 -A

      where login and password are the user name and password of an account in the image registry of the Kaspersky Container Security manufacturer.

   2. In the GitLab CI/CD environment variables, create the DOCKER_AUTH_CONFIG variable (in the GitLab repository select Settings → CI/CD, click the Expand button to expand Variables, and then click the Add variable button).
   3. Specify the variable in the following form:

      {

      "auths": {

      "repo.cloud.example.com": {

      "auth": "base64hash"

      }

      }

      }

      where base64hash is the string obtained in step 1a.

2. Authorization of requests from GitLab CI/CD when sending data to Kaspersky Container Security.
   1. Copy the API token on the My profile page.
   2. Specify the copied API token value in the API_TOKEN variable in the .gitlab-ci.yml configuration file.
3. Adding the image scanning stage to the CI/CD process.

   To add scanning to the CI/CD pipeline, you should add the following lines to the .gitlab-ci.yml file:

   1. Add information about the scanner image that contains databases of vulnerabilities and other malicious objects after the code build stage in the following form:

      scan_image:

      stage: scanner

      image:

      name: repo.cloud.example.com/repository/company/scanner:v1.1.1-with-db

      entrypoint: [""]

      pull_policy: always

      We recommend that you specify always for the pull_policy parameter to receive relevant builds with updated databases of vulnerabilities and other malicious objects for each scan.

   2. Specify the tag, build ID, pipeline ID and API token for authorization of the CI/CD scanner requests to Kaspersky Container Security as follows:

      SCAN_TARGET: ${CI_REGISTRY_IMAGE}:master

      BUILD_NUMBER: ${CI_JOB_ID}

      BUILD_PIPELINE: ${CI_PIPELINE_ID}

      API_TOKEN: <API token value>

      The example here contains the master tag, you can also specify another tag.

   3. If you configure scanning for a private repository, specify the authorization data to ensure the scanner can access an image. The authorization data can be set as variables.

      COMPANY_EXT_REGISTRY_USERNAME: ${COMPANY_EXT_REGISTRY_USERNAME}

      COMPANY_EXT_REGISTRY_PASSWORD: ${COMPANY_EXT_REGISTRY_PASSWORD}

   4. If necessary, specify a variable to check the data receiving server in CI/CD using the CA certificate of the Ingress controller:

      API_CA_CERT: ${KCS_CA_CERT}

      The CA certificate of the Ingress controller is specified in the text field as a string in the .PEM format:

      ----- BEGIN CERTIFICATE ----- \ n... <certificate details> ...\ n ----- END CERTIFICATE -----

      If the API_CA_CERT variable is not set, scanning will start but will not be completed.

      Use of the CA certificate of the Ingress controller allows the scanner running in CI/CD to verify the authenticity of the data receiving server.

      If you use a self-signed certificate, or want to skip checking the data receiving server using the CA certificate of the Ingress controller, specify the value of the variable to skip the check as follows:

      SKIP_API_SERVER_VALIDATION: 'true'

   5. Specify the web address of the API host server for Kaspersky Container Security:

      API_BASE_URL: <web address>

      variables:

      API_BASE_URL: ${API_BASE_URL}

      script:

      - /bin/sh /entrypoint.sh $SCAN_TARGET --stdout > artifact-result.json

      artifacts:

      paths:

      - artifact-result.json

After configuring integration with an external registry, you can scan images within the CI/CD process, including scanning in SBOM mode. Scan results can be viewed in Resources → CI/CD, or downloaded in the .SPDX, .JSON, and .HTML formats.

[Topic 265788]

Defining the path to container images

To start scanning, the solution needs to determine the path to the container images that need to be scanned. The path to container images can be specified in two ways:

• By specifying an image tag after the registry name, repository name, and image name. The tag is a changeable and easy-to-read description of the image.

  In this case, the path looks as follows: <registry>/<repository>/<image name>:<tag>. For example, http://docker.io/library/nginx:1.20.1.

• By specifying an image digest after the registry name, repository, and image name. A digest is an integral internal property of an image, specifically a hash of its contents (the SHA256 hash algorithm is used).

  When using a digest, the path is formed as follows: <registry>/<repository>/<image name><digest>. For example, http://docker.io/library/nginx@sha256:af9c...69ce.

A tag can match different digests, whereas digests are unique for each image.

Depending on the method used to specify the image path, Kaspersky Container Security performs one of the following actions before scanning:

• Converts the tag to a trusted digest.
• Checks whether the digest specified in the image path is trusted. A digest is considered trusted if it ensures the required degree of confidence in maintaining the desired protection relative to the object encoded using the hash algorithm.

Only trusted digests are sent to the container runtime.

Before running a container, the content of the image is compared with the received digest. To recognize a digest as trusted and the image as not corrupted, Kaspersky Container Security checks the integrity and authenticity of the image signature.

Page top

[Topic 260433]

Scanning images from CI/CD

To scan images from CI/CD, in the configuration file used to integrate the repository, specify the API_BASE_URL (web-address of the Kaspersky Container Security API server) and API_TOKEN (token to access API of the Kaspersky Container Security) environment variables for the scanner.

To scan an image from a TAR archive:

1. Build an image and save it as a TAR archive using any application for creating containerized images.
2. Start the scan by running a command in the following format:

   /scanner image.tar --file --stdout

   where:

   • <--file> is the file with the image to be scanned
   • <--stdout> is output to the security event log

   Example of a configuration file with settings for scanning a TAR archive

   stages:

   - build_tar

   - scan_tar

   - push_image

   build_tar:

   stage: build_tar

   tags:

   - k8s

   - docker

   image:

   name: gcr.io/kaniko-project/executor:v1.9.0-debug

   entrypoint: [""]

   dependencies:

   - scan_source_branch

   - scan_source_commit

   script:

   - mkdir -p /kaniko/.docker

   - echo "${DOCKER_AUTH_CONFIG}" > /kaniko/.docker/config.json

   - /kaniko/executor

   --context "${CI_PROJECT_DIR}"

   --dockerfile "${CI_PROJECT_DIR}/Dockerfile"

   --destination "${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME}"

   --compressed-caching=false

   --build-arg GITLAB_USER=gitlab-ci-token

   --build-arg GITLAB_TOKEN=${CI_JOB_TOKEN}

   --no-push

   --tarPath=image.tar

   artifacts:

   paths:

   - image.tar

   expire_in: 2 hours

   scan_tar:

   stage: scan_tar

   tags:

   - k8s

   - docker

   dependencies:

   - build_tar

   image:

   name: "company.gitlab.cloud.net:5050/companydev/example/scanner:master-with-db"

   pull_policy: always

   entrypoint: [""]

   variables:

   API_BASE_URL: ${API_BASE_URL}

   API_TOKEN: ${API_TOKEN}

   API_CA_CERT: ${KCS_CA_CERT}

   script:

   - /scanner image.tar --file --stdout

   artifacts:

   paths:

   - image.tar

   expire_in: 2 hours

   push_image:

   stage: push_image

   tags:

   - k8s

   image:

   name: gcr.io/go-containerregistry/crane:debug

   entrypoint: [""]

   dependencies:

   - scan_tar

   script:

   - mkdir -p $HOME/.docker

   - echo "${DOCKER_AUTH_CONFIG}" > $HOME/.docker/config.json

   - /ko-app/crane push image.tar "${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME}"

To scan an image from a Git repository:

1. In the configuration file of the Git repository, specify the token for accessing the repository (for example, GitLab requires you to indicate a value for GITLAB_TOKEN).
2. Start scanning by running a command in the following format:

   /scanner [TARGET] [--repo REPO_URL] [--branch BRANCH] [--commit COMMIT] --stdout

   where:

   • <TARGET> is the path to the file with the image to be scanned
   • <--repo> is the web address (URL) of the Git repository
   • <--branch> is the branch of the repository to be scanned
   • <--commit> is the hash of the commit to be scanned
   • <--stdout> is the output to the security event log.

   Example of a configuration file with environment variables for scanning an image from a Git repository

   stages:

   - scan_source_branch

   - scan_source_commit

   scan_source_branch:

   stage: scan_source_branch

   image:

   name: "company.gitlab.cloud.net:5050/companydev/example/scanner:master-with-db"

   pull_policy: always

   entrypoint: [""]

   tags:

   - k8s

   - docker

   variables:

   API_BASE_URL: ${API_BASE_URL}

   API_TOKEN: ${API_TOKEN}

   API_CA_CERT: ${KCS_CA_CERT}

   script:

   - GITLAB_TOKEN=${CI_JOB_TOKEN} /scanner --repo ${CI_REPOSITORY_URL} --branch ${CI_COMMIT_BRANCH} --stdout

   scan_source_commit:

   stage: scan_source_commit

   image:

   name: "company.gitlab.cloud.net:5050/companydev/example/scanner:master-with-db"

   pull_policy: always

   entrypoint: [""]

   tags:

   - k8s

   - docker

   variables:

   API_BASE_URL: ${API_BASE_URL}

   API_TOKEN: ${API_TOKEN}

   API_CA_CERT: ${KCS_CA_CERT}

   script:

   - GITLAB_TOKEN=${CI_JOB_TOKEN} /scanner --repo ${CI_REPOSITORY_URL} --commit ${CI_COMMIT_SHA} --stdout

[Topic 263762]

Monitoring the integrity and origin of images

When scanning images in CI/CD, Kaspersky Container Security protects against image spoofing at the registry level. The integrity and origin of images of containers deployed in an orchestrator cluster is controlled by verifying image signatures, starting at the build stage in CI.

Image integrity is monitored in two stages:

• Container images are signed after they are created. This process is implemented using external signature applications.
• Image signatures are checked before images are deployed.

  The solution saves a signature key, which is based on the SHA256 hash function and used as the code for signature validation. When deployed in an orchestrator, Kaspersky Container Security asks the signature server to confirm the authenticity of the signature.

Kaspersky Container Security checks image signatures as follows:

1. In the Administration → Integrations → Image signature validators section, you can configure the settings for integrating the solution with external image signature validation applications.
2. In the Policies → Runtime → Policies section, a runtime policy is added to protect the content of the image. This runtime policy validates the authenticity of signatures. Digital signatures are validated based on the configured image signature validators.
3. The orchestrator starts image deployment and uses a
   dynamic admission controller

   A configurable controller to access Kubernetes that helps enforce policies and supports the management and control system.

   to make a deployment request to the agent (kube-agent).

   To send the request to the Kaspersky Container Security agent, configure the dynamic admission controller in the values.yaml configuration file.

4. Based on the applicable runtime policy, the agent checks the signature validation settings configured in the Administration → Integrations → Image signature validators section.
5. If the check confirms the authenticity and validity of the signature, the solution allows image deployment. Otherwise, deployment is blocked.

[Topic 264539]

Running the scanner in SBOM mode

Kaspersky Container Security allows you to start a scanner to check images for vulnerabilities in

The advantages of using SBOM are the following:

• Less resources required to scan images for vulnerabilities.
• Reduced scanning time due to automatic verification of correct operation and proper use of solution components.
• Capability to scan all existing vulnerabilities in an image without exceptions.
• High reliability of scanning results.

In CI/CD, the scanning process consists of two stages: receiving an SBOM file and scanning an image based on the received SBOM file. The image scanning process is implemented as follows:

• The CI/CD scanner generates a list of image components and sends the generated artifact to Kaspersky Container Security.
• Using the image handler, the solution forwards the received SBOM file to the scanner for scanning.

For subsequent scanning, Kaspersky Container Security generates an SBOM file in the

To generate an SBOM file in the .SPDX format when the scanner operates with SBOM creation:

Enter the following command in the .gitlab-ci.yml configuration file:

- /bin/sh /entrypoint.sh $SCAN_TARGET --sbom-json --spdx --stdout > example.spdx

where:

<--sbom-json> indicates the creation of an SBOM file.

<--spdx> indicates that an artifact is generated in the .SPDX format.

<--stdout > example.spdx> indicates data output to a file in the .SPDX format.

To generate an SBOM file in the .JSON format when the scanner operates with SBOM creation:

Enter the following command in the .gitlab-ci.yml configuration file:

- /bin/sh /entrypoint.sh $SCAN_TARGET --sbom-json --stdout > example.json

where:

<--sbom-json> indicates the creation of an SBOM file.

<--stdout > example.json> indicates data output to a file in .JSON format.

The resulting file (for example, example.json) is specified as an artifact: artifacts: paths:

Scanning using an SBOM file is only applicable when scanning an image for vulnerabilities. If your CI/CD process requires scanning for other risks and threats (such as misconfigurations), you must separately run the corresponding scanning and add its results to the image handler in addition to the SBOM file.

[Topic 265362]

Getting scan results in JSON or HTML format

When using Kaspersky Container Security to scan images in CI/CD, you can generate and save an artifact with the scan results within your CI/CD platform. This can be done using a configuration file of the external repository system that is integrated with the solution. For example, you can use a .gitlab-ci.yml configuration file in GitLab.

You can generate an artifact containing scan results in the following scenarios:

• When the scanner conducts a complete CI/CD scan - scanning results file can be generated in the .HTML format or the .JSON format.
• When the scanner operates with SBOM creation - file containing scanning results can be generated in the .SPDX format or the .JSON format.

To generate a scan results file in .HTML format:

Enter the following command in the .gitlab-ci.yml configuration file:

- /bin/sh /entrypoint.sh $SCAN_TARGET --html --stdout > example.html

where:

<--html> indicates that an artifact is generated in .HTML format.

<--stdout > example.html> indicates data output to a file in .HTML format.

To generate a scan results file in .JSON format when performing a complete CI/CD scan:

Enter the following command in the .gitlab-ci.yml configuration file:

- /bin/sh /entrypoint.sh $SCAN_TARGET --stdout > example.json

where:

<--stdout > example.json> indicates data output to a file in .JSON format.

The resulting file (for example, example.json) is specified as an artifact: artifacts: paths:

Page top

[Topic 270274]

Running the scanner in lite SBOM mode

Kaspersky Container Security allows you to start a scanner to check images for vulnerabilities in the lite SBOM mode. In this case, the solution scans a specially created SBOM file, and the results of this scan become available at the CI/CD stage.

Data from listening to and intercepting network traffic must be securely transferred between the CI/CD environment and the solution.

You can generate an artifact for download in the .SPDX, .HTML, or .JSON format to receive the results.

Running a scanner in GitLab

To start the scanner in the lite SBOM mode, when configuring image scanning in CI/CD, edit the .gitlab-ci.yml configuration file as follows:

1. Add information about the image of the scanner that is started for image scanning in CI/CD as follows:

   scan_image:

   stage: scanner

   image:

   name:repo.cloud.example.com/repository/company/scanner:v.1.1.1-lite

   entrypoint: [""]

   pull_policy: always

2. Specify the orchestration platform tag as follows:

   k8s

   In the example provided, the k8s tag is specified for Kubernetes, you can also specify the tag for another supported orchestration platform.

3. Specify such variables as the build ID, private repository details, pipeline ID and API token for authorization of the CI/CD scanner requests to Kaspersky Container Security as follows:

   SCAN_TARGET: ${CI_REGISTRY_IMAGE}:master

   COMPANY_EXT_REGISTRY_USERNAME: ${COMPANY_EXT_REGISTRY_USERNAME}

   COMPANY_EXT_REGISTRY_PASSWORD: ${COMPANY_EXT_REGISTRY_PASSWORD}

   BUILD_NUMBER: ${CI_JOB_ID}

   BUILD_PIPELINE: ${CI_PIPELINE_ID}

   API_TOKEN: <API token value>

4. If necessary, specify a variable to check the data receiving server in CI/CD using the CA certificate of the Ingress controller:

   API_CA_CERT: ${KCS_CA_CERT}

   If the API_CA_CERT variable is not set, scanning will start but will not be completed.

5. Specify the web address of the API host server for Kaspersky Container Security:

   API_BASE_URL: <web address>

6. Specify the command to create an SBOM file when the scanner is started in one of the following supported formats:
   • To generate an artifact in the .JSON format:

     script:

     - /bin/sh /entrypoint.sh $SCAN_TARGET --stdout > artifact-result.json

     artifacts:

     paths:

     - artifact-result.json

   • To generate an artifact in the .HTML format:

     script:

     - /bin/sh /entrypoint.sh $SCAN_TARGET --html --stdout > artifact-result.html

     artifacts:

     paths:

     - artifact-result.html

   • To generate an artifact in the .SPDX format:

     script:

     - /bin/sh /entrypoint.sh $SCAN_TARGET --spdx --stdout > artifact-result.spdx

     artifacts:

     paths:

     - artifact-result.spdx

Example of the scanner configured to operate in the lite SBOM mode and the artifact generation in the .HTML format in GitLab

Running a scanner in Docker

To start the scanner in liteSBOM mode in Docker:

1. Specify the web address of the API host server for Kaspersky Container Security:

   -e API_BASE_URL=https://company.local

2. Specify the value of the variable to skip checking the data receiving server using the CA certificate of the Ingress controller:

   -e SKIP_API_SERVER_VALIDATION=true

3. Specify the API token for authorization of the CI/CD scanner requests to Kaspersky Container Security as follows:

   -e API_TOKEN=<API token value>

4. Specify the information to run the scanner that contains databases of vulnerabilities and other malicious objects:

   repo.kcs.company.com/images/scanner:v1.1.1-with-db

5. If you need to generate an artifact for downloading in the .SPDX, .HTML, or .JSON format, specify the following:

   - <artifact format> --stdout> result. <file format>

   For example:

   --html --stdout > result.html

6. Press the Enter key to start the scanner.

   If a domain name resolution error - Name does not resolve - appears when calling the scanner, you must specify the address before the API_BASE_URL variable before the internal DNS server of your organization. For example:

   --dns 10.0.xx.x

   API_BASE_URL: https://company.local/

Example of the scanner configured to operate in the lite SBOM mode and the artifact generation in the .JSON format in Docker

Scan results can be obtained in the format you specified and can also be viewed in the Resources → CI/CD section.

[Topic 250391]

Risk handling

Threats identified by Kaspersky Container Security (vulnerabilities, malware, sensitive data, and misconfigurations) are subject to the Risk acceptance procedure. If you accept the risk of a threat, it will not be considered by assurance policies when determining image security status (Compliant/Non-compliant with security policies) during the specified acceptance period. Image scanning continues to detect the threat, but does not label the image as Non-compliant.

If you accept the risk of a vulnerability detected in an image, this risk is accepted for the specific image registry. If the risk is accepted for all vulnerabilities in an image, the image is deemed compliant with security policy requirements and is given Compliant status.

If you change the settings of the assurance policy applied to images, the image security status also changes.

The risk from a threat is accepted for a period of 30 days by default. You can extend the period during which the risk is considered accepted. You can also cancel risk acceptance at any time. If you cancel risk acceptance, the associated threat will again affect the security status of the image.

You can view the list of all accepted risks in the Policies → Risk acceptance section.

[Topic 259187]

Risk acceptance

You can accept the risks detected by the solution if they have Medium, Low or Negligible severity level. It is impossible to accept risks with High or Critical severity level.

To accept the risk:

1. In the image scanning results window, open the tab with information about the required type of detected threats.
2. In the table, select a threat and click Accept or Accept risk in the action menu (depending on selected tab) to start risk acceptance.
3. In the window that opens, specify the risk acceptance parameters:
   • Select the extent of risk acceptance:
     • For the selected image with the detected risk;
     • For all images in the repository containing the image with the detected security threat;
     • For all images in which this security threat has been or will be detected.
   • If required, specify the period after which this security threat must be considered again when determining image security status.
   • Specify the reason for risk acceptance.
4. Click the Accept button.

The selected threat does not affect the security status of this specific image, images in the repository, or all images for the defined number of days (or for an unlimited term).

An accepted risk can be viewed in the Policies → Risk acceptance section.

[Topic 264522]

Viewing information about accepted risks

The list of all accepted risks is displayed in the Policies → Risk acceptances section.

You can use the list to do the following:

• Search by risk name, repository name, image, or resource where the risk is detected.
• Filter the list by risk type and manufacturer fix availability.
• Generate a Risk acceptance report by clicking the Create report button above the table.
• Sort the list by date of acceptance, risk name, scope (applied to all images or just one image), and acceptance period. Sorting is performed using the () sort icon.
• View detailed information about risk acceptance and the associated threat. Click the risk name link to open the window with the related detailed information.

Use the buttons in the detailed information window to do the following:

• Specify or extend the time period after which this security threat must be considered again when determining image security status.
• Cancel risk acceptance.

You can also view information about the accepted risk in the list of detected threats in the image scanning results. In the row with the threat with accepted risk, you can find the time of risk acceptance. You can click the link to open a window with detailed information about the risk acceptance and the associated threat.

[Topic 250394]

Cancelling risk acceptance

To cancel risk acceptance:

1. Open the window that shows detailed information about the risk acceptance and the associated threat. You can open the window by clicking the risk name link in the list of accepted risks. Or you can click the link in the row with the security risk with accepted risk, in the list of detected security risks in the image scanning results.
2. Click the Cancel risk acceptance button and confirm the action in the window that opens.

Canceling risk acceptance means that the associated threat will again affect the security status of the image(s) for which the risk was accepted.

[Topic 250395]

Compliance check

Kaspersky Container Security agents can check Kubernetes cluster nodes for compliance with the Kubernetes information security benchmarks.

Kaspersky Container Security checks for compliance with the Kubernetes benchmarks on Kubernetes versions 1.15–1.25.

The agent checks the state of the node where it is installed and sends the results to the server. Check results are displayed in the Compliance section.

You can view the results of checks on cluster nodes for compliance with the Kubernetes benchmarks in the Compliance → Kubernetes benchmarks section. Kaspersky Container Security displays a summary of the number of checks performed and their status. The solution assigns the following statuses to the checks:

• Passed—check completed successfully.
• Warning—check shows that problems may occur during the execution of operations or tasks.
• Failed—check revealed non-compliance with the benchmark.

The solution displays the node check results in the form of a table, grouping the nodes by clusters.

Click the node name link to open a page with detailed information about the results of the node check.

The solution displays summary information at the top of the window. In the table, each benchmark is correlated with node compliance status.

Click on the benchmark row to open and close a pane to the right of the table; this pane contains detailed information about the benchmark.

You can check a node against the standard benchmarks by clicking the Scan button.

Page top

[Topic 263737]

Configuring and generating reports

Kaspersky Container Security provides the capability to generate reports based on the results of scanning registries, clusters, and images. The list of generated reports is displayed under Administration → Reports.

Reports generated by the solution display the following information:

• Events related to the operating logic of Kaspersky Container Security, such as the results of scanning images or analyzing nodes.
• Statistical data, such as a list of images and their identified security issues.

Kaspersky Container Security provides the following report templates:

• Summary images report.
• Images detailed report.
• Accepted risks report.

Depending on the applied report template, reports are created and generated in different sections of the solution.

The report generation process may take several minutes.

A list of generated reports is displayed under Administration → Reports. Reports are available for download in HTML, PDF or CSV format.

In Kaspersky Container Security 1.1, reports are generated only in English.

[Topic 264258]

Image reports

In Kaspersky Container Security, you can generate reports on image scan results. Depending on the required level of detail, image reports can be summary reports or detailed reports.

Images summary report.

A summary report provides consolidated information on the selected images. This report provides the names of images and the names of the clusters containing these images. A summary report contains data on image compliance with security policy requirements, the names of policies that invoked the image scans, and the scan status. For each image, the report contains data on the number of identified risks related to vulnerabilities, malware, sensitive information, and misconfigurations.

Images detailed report

A detailed report provides more detailed information about selected images, completed scans, and identified security issues. Each report includes the date and time of the last scan, the cluster containing the selected image, a risk assessment, and an assessment of compliance with security policy requirements. Kaspersky Container Security displays the number of objects with different severity levels based on identified vulnerabilities, malware, sensitive data, and misconfigurations.

In the block with the description of the applied image security policies, the application provides a list of image security policies and indicates whether this scan stage was completed successfully or with errors. The report also specifies the action performed by Kaspersky Container Security in accordance with a specific policy. In this case, the report may show that the CI/CD stage was blocked, that images were marked as non-compliant with security requirements, or that both of these actions were performed.

The Vulnerabilities section provides a list of identified vulnerabilities, their severity levels, the resource in which they were detected, and the image version in which the vulnerabilities were fixed.

The Malware and Sensitive data sections display lists of detected malicious objects and objects containing sensitive data. For each object, the severity level and path are indicated.

The Misconfigurations block provides a list indicating the names of files in which misconfigurations were identified, the severity levels of the misconfigurations, and the types of files (for example, a Docker file). It also specifies the detected issue and provides recommendations on resolving the issue.

Kaspersky Container Security receives a description of misconfiguration-related issues from the internal database for configuration file analysis. This includes modules that scan configuration files from: Kubernetes, Dockerfile, Containerfile, Terraform, Cloudformation, Azure ARM Template, and Helm Chart. The description of misconfigurations and remediation recommendations are presented in the same language as the specified scan modules. For example, the description of misconfigurations from Kubernetes is provided in English.
This database is updated when a new version of the application is released.

Page top

[Topic 264537]

Risk acceptance report

The Risk acceptance report contains data on accepted risks, including the date and time they were accepted. You can generate a report on all accepted risks or a group of accepted risks based on a filter.

For each selected risk that you accepted, its name is specified in the following format:

• Risk type (vulnerability, malware, sensitive data, or misconfiguration).
• Risk name or ID.
• Risk severity.

Kaspersky Container Security provides the image name, name of the resource and repository where the specific risk was detected, and the image version in which the risk was fixed. The report table also displays the following information about risk acceptance:

• Risk acceptance scope.
• Time period after which the risk should be considered again when determining image security status.
• User who accepted the risk.

Page top

[Topic 264284]

Generating reports

In Kaspersky Container Security, reports are generated in different sections of the application depending on the specific report template that you are using. You can view a list of generated reports under Administration → Reports.

To generate an Images summary report:

1. Go to one of the following sections:
   • Resources → Assets → Registries to generate a report on images from registries integrated with the solution.
   • Resources → CI/CD to generate a report on images that are scanned in CI/CD.

     Under Resources → CI/CD, reports are generated only for objects with the image artifact type (container_image). In this section, a report cannot be generated for other types of artifacts.

2. Depending on the section that you selected, do one of the following:
   • In the Resources → Assets → Registries section, select a repository or one or more images for which you want to generate a report.

     You can select all repositories and images by selecting the check box in the table header.

   • In the Resources → CI/CD section, select one or more images for which you want to generate a report.

     You can specify all images in all repositories by selecting the check box in the table header.

3. Click the Create report button above the table, and select Images summary report in the drop-down list.
4. In the window that opens, confirm report generation.

You can download the generated report in the Administration → Reports section. Reports are available for download in the .HTML, .PDF or .CSV format.

To generate an Images detailed report:

1. Go to one of the following sections:
   • Resources → Assets → Registries to generate a report on images from registries integrated with the solution.
   • Resources → CI/CD to generate a report on images that are scanned in CI/CD.

     Under Resources → CI/CD, reports are generated only for objects with the image artifact type (container_image). In this section, a report cannot be generated for other types of artifacts.

   • Components → Scanners → Scanner tasks to generate a report based on an image scanned as part of a scan task.
2. Depending on the section that you selected, do one of the following:
   • Under Resources → Assets → Registries, perform the following steps:
     1. Select a repository or one or more images for which you want to generate a report.
     2. Click the Create report button above the table, and select Images detailed report in the drop-down list.
   • Under Resources → CI/CD, complete the following steps:
     1. Select a repository or one or more images for which you want to generate a report.
     2. Click the Create report button above the table, and select Images detailed report in the drop-down list.
   • Under Components → Scanners → Scanner jobs, complete the steps specified below:
     1. In the list of scanner tasks, select the scanned object for which you want to generate a report. You can select only one image from the page with a detailed description of the scan results for this image.
     2. In the window containing the object scan results, click the Create report button located to the right of the description of the object's compliance with security policy requirements.

        A scan results window with a Create report button opens only for scanner jobs that have Finished status.

3. In the opened window, confirm report generation.

You can download the generated report in the Administration → Reports section. Reports are available for download in HTML, PDF or CSV format.

To generate an accepted risks report:

1. Go to the Policies → Risk acceptance section.

   By default, a report is generated for all accepted risks, which are displayed in the table. If necessary, you can generate a report for specific objects. To specify the objects for which you want to generate a report, perform one or more of the following actions:

   • In the Search field, enter a risk name, repository name, or image name.
   • Use the Risk type drop-down list above the table to select objects by risk type.
   • Use the Vendor fix drop-down list above the table to select objects by risk type.
2. Click the Create report button above the table.

Kaspersky Container Security will start generating a report, and will prompt you to follow a link to a page containing a list of generated reports. You can download the generated report in the Administration → Reports section.

[Topic 264301]

Downloading and deleting reports

Kaspersky Container Security displays a list of generated reports in the table in the Administration → Reports section.

For each generated report, the table provides the name that the application assigned to the report, the report template, the date and time of report creation, and the report generation status. The table also lets you download a successfully generated report in the desired format, or delete a report.

To download a report:

In the row containing the report, click the button for the relevant format: PDF, HTML, or CSV.

To delete a report:

1. In the row containing the name of the report that you want to delete, click the delete icon ().
2. In the window that opens, confirm the action.

[Topic 266783]

Security policies configuration

Kaspersky Container Security components use the following security policies:

• Scanner policies determine the settings for scanning different types of resources. Scan policies use rules to detect sensitive data, as well as vulnerabilities, malware, and misconfiguration.
• Assurance policies define Kaspersky Container Security actions to provide security if vulnerabilities, malware, sensitive data and misconfigurations detected during image scanning meet the criteria specified in the policy.
• Response policies define the actions of the solution in case events specified in the policy occur. For example, Kaspersky Container Security can notify the user about an event.
• Runtime policies allow you to control and, where appropriate, restrict the deployment and operation of containers on the cluster in line with your corporate security requirements.

Kaspersky Container Security applies only enabled policies during its operation. Disabled policies cannot be used during checks.

[Topic 266135]

Scanner policies

Scanner policy determines the settings for scanning different types of resources.

When installing Kaspersky Container Security, a default scanner policy is created; it can be applied to all resources and executed in all environments. It is called the global scan policy (default). This policy is assigned global scope by default.

You can enable, disable, or configure global scanner policy settings if your role has been assigned the rights to manage scanner policies and view the global scope.

The following actions cannot be performed on a global scanner policy:

• Change the assigned global scope.
• Remove the global scanner policy.

The list of configured scanner policies is displayed as a table in the Policies → Scanner policies section.

You can use the list to do the following:

• Add new policies. Click the Add policy button located above the table to open the policy settings window.
• Enable or disable policies by using the Disabled / Enabled toggle button in the Status column of the table.
• Change policy settings. You can open the editing window by clicking the policy name link.

  You can also enable and disable policies in the edit window. Kaspersky Container Security does not use disabled policies when operating.

• Configure rules for detecting sensitive data. To do this, go to the Sensitive data tab.
• Delete policies.

[Topic 266137]

Creating a scanner policy

Rights to manage scanner policy settings are required to add a scanner policy in Kaspersky Container Security.

To add a scanner policy:

1. In the Policies → Scanner policies section, click the Add policy button.

   The policy settings window opens.

2. Use the Disabled / Enabled toggle switch to disable the added policy, if necessary. In this case, it will be added but not applied until it is activated.

   By default, the status of a newly added scanner policy is Enabled.

3. Enter a policy name and, if required, policy description.
4. In the Scope field, select the scope for the scanner policy from the available options.

   If you plan to implement the policy with the global scope, one of your user roles must be granted the rights to view global scopes.

5. In the Vulnerabilities section, configure the following settings:
   • Use the Disabled / Enabled toggle switch to configure scanning using the National Vulnerability Registry (NVD) databases.
   • Use the Disabled / Enabled toggle switch to configure scanning using the Vulnerability Database (VDB).
6. In the Malware section, use the Disabled / Enabled toggle switch to configure scanning for malware in the image as part of the File Threat Protection component.
7. In the Misconfigurations section, use the Disabled / Enabled toggle switch to configure a scan for configuration errors.
8. Click Save.

[Topic 266436]

Editing scanner policy settings

You can edit the scanner policy settings in Kaspersky Container Security if your account has been assigned at least one role that the policy's creator had at the time of the policy's creation.

To change scanner policy settings:

1. In the Policies → Scanner policies section, click the policy name link.

   The policy settings editing window opens.

2. If required, use the Disable / Enable toggle switch to change the policy status (enabled / disabled).
3. Make changes to the policy settings. The following settings are open for editing:
   • The policy's name, description, and scope.
   • Vulnerability control settings. Select the check boxes for the vulnerabilities database(s) to check images against.
   • Malware control settings. Select the check box if you need to scan images for malware and other file threats. This control is conducted by using the File Threat Protection component.
   • Misconfiguration control settings. Select the check box if you need to check images for misconfigurations. The control is conducted with the default settings configured by the Kaspersky Container Security manufacturer.
4. Click Save.

Page top

[Topic 250398]

Configuration of sensitive data detection rules

The list of configured rules for detecting sensitive data (hereinafter referred to as Secrets) during image scanning is displayed in the Policies → Scanner policies → Sensitive data section.

The rules are grouped into categories depending on the purpose and scope of secrets to be detected. The list of categories is determined by the Kaspersky Container Security manufacturer. Categories contain predefined rules.

You can use the list to do the following:

• View and change the settings for secrets detection rules. You can open the editing window by clicking the rule ID link.
• Add new rules to the selected category. Click the Add rule button located above the table to open the integration settings window. To add rules that do not belong to any of the preset categories, use the Other category.
• Delete rules. Check the box next to one or more rules in the list. The delete icon is then displayed.

To change the settings of sensitive data detection rules:

1. In the table, in the Policies → Scanner policies → Policies section, select the scanner policy.
2. In the Sensitive data section, select the necessary rules by selecting the check boxes in the rule lines.
3. Use the Disable / Enable toggle switch in the Status column in the table with the list of policy rules to enable or disable this policy component.

   Do not click the Save button.

   Kaspersky Container Security immediately applies the changes to the sensitive data settings and displays the corresponding notification. You can also refresh the page to see the settings change.

[Topic 250399]

Assurance policies

Assurance policy defines Kaspersky Container Security actions to provide security if threats detected during image scanning meet the criteria specified in the policy.

The configured assurance policies are displayed as a table in the Policies → Assurance policies section.

You can use the list to do the following:

• Add new policies. Click the Add policy button located above the table to open the policy settings window.
• Change policy settings. You can open the editing window by clicking the policy name link.
• Enable and disable policies. Policies are disabled and enabled by using the Disable/Enable toggle button in the Status column of the table containing the list of created policies.
• Delete policies.

If you add an assurance policy, modify its settings, or delete a policy, the compliance status is reviewed (Compliant / Non-compliant) for the images to which the policy is applied.

[Topic 266504]

Creating an assurance policy

Rights to manage security policy settings are required to add a security policy in Kaspersky Container Security.

To add an assurance policy:

1. In the Policies → Assurance policy section, click the Add policy button.

   The policy settings window opens.

2. Enter a policy name and, if required, policy description.
3. In the Scope field, select the scope for the image security policy from the available options.

   If you plan to implement the policy with the global scope, one of your user roles must be granted the rights to view global scopes.

4. Specify the actions that Kaspersky Container Security should perform in accordance with the policy:
   • Fail CI/CD step—if Kaspersky Container Security scanner detects threats while scanning the image in the CI/CD pipeline matching the severity level specified in the policy, the scanning ends with an error (Failed). This result is transferred to the CI system.
   • Label images as non-compliant—Kaspersky Container Security labels images containing detected threats that meet the criteria specified in the policy.
5. In the Vulnerability level section, configure the following settings:
   • Use the Disabled / Enabled toggle switch to configure the scan based on the vulnerability severity level.
   • Set the assigned severity level based on the vulnerability databases. You can select it from the Severity level drop-down list or specify a severity score from 0 to 10.
   • Use the Disabled / Enabled toggle switch to configure blocking in case of specific vulnerabilities and specify these vulnerabilities in the Vulnerabilities field.
6. In the Malware section, use the Disabled / Enabled toggle switch to configure scanning for malware in the image.
7. In the Misconfigurations section, configure the following settings:
   • Use the Disabled / Enabled toggle switch to configure the scan based on the misconfiguration severity level.
   • Select the misconfiguration severity level from the Severity level drop-down list.

     The severity level is assigned based on the vulnerability databases.

8. In the Sensitive data section, configure the following settings:
   • Use the Disabled / Enabled toggle switch to configure the scan based on the sensitive data severity level.
   • Select the sensitive data severity level from the Severity level drop-down list.

     The severity level is assigned based on the vulnerability databases.

9. Click Save.

By default, the added policy is Enabled.

[Topic 266506]

Editing assurance policy settings

You can edit the image security policy settings in Kaspersky Container Security if your account has been assigned at least one role that the policy's creator had at the time of the policy's creation.

To change assurance policy settings:

1. In the Policies → Assurance policies section, click the policy name in the list of existing assurance policies.

   The policy settings window opens.

2. Make changes to the relevant policy settings:
   • The policy's name, description, and scope.
   • Actions of the solution in accordance with this policy.
   • Required scans.
   • Severity level of vulnerabilities detected during scans.
   • Identify number of vulnerabilities for blocking purposes.
3. Click Save.

[Topic 250400]

Response policies

Response policy defines the actions of the solution in the case that events specified in the policy occur. For example, Kaspersky Container Security can notify the user about the detected threats.

If you want to configure response policies to notify the user, you should first set up integration with notification outputs.

The configured response policies are displayed as a table in the Policies → Response policies section.

You can use the list to do the following:

• Add new policies. Click the Add policy button located above the table to open the policy settings window.
• Change policy settings. You can open the editing window by clicking the policy name link.
• Enable and disable policies. Policies are disabled and enabled by using the Disable/Enable toggle button in the Status column of the table containing the list of created policies.

  If you disable a policy, Kaspersky Container Security will not perform the actions specified in that policy.

• Search for policies. To find a policy, use the search field above the list of response policies to specify the policy name or part of it.
• Delete policies.

In this version of the solution, response policies define only the actions that Kaspersky Container Security takes to notify the user when a specific event detailed in the policy occurs. For example, if an object with a critical vulnerability is detected, the solution can send an email notification to the user.

[Topic 266507]

Creating a response policy

Rights to manage response policy settings are required to add a response policy in Kaspersky Container Security.

To add a response policy:

1. In the Policies → Response policies section, click the Add policy button.

   The policy settings window opens.

2. Enter a policy name and, if required, policy description.
3. In the Scope field, select the scope for the response policy from the available options.

   If you plan to implement the policy with the global scope, one of your user roles must be granted the rights to view global scopes.

4. In the Trigger field, use the drop-down list to select an event that will trigger Kaspersky Container Security to notify the user if this event occurs during a scan. One of the following events can be selected as a trigger event:
   • Sensitive data. A notification is sent if the solution detects signs of exposed sensitive data in an object during a scan.
   • Non-compliant. Kaspersky Container Security notifies you if a scanned object contains images that do not comply with the requirements of security policies.
   • Critical vulnerabilities. A notification is sent if a scanned object contains vulnerabilities with Critical status.
   • Malware. A notification is sent if a scan finds malware.
   • Risk acceptance expiration. Kaspersky Container Security notifies you if a scanned object contains risks that you had previously accepted but the risk acceptance period has expired.
5. Configure the required notification methods:
   1. Select an Output: Email or Telegram.
   2. From the drop-down list in the Integration name field, select the name of the pre-configured integration with the selected notification output.
   3. To add another notification method, click the Add button and fill in the fields as described in paragraphs a and b above.
   4. If needed, you can remove the added notification methods by clicking the icon located to the right of the Integration name field.
6. Click Save.

By default, the added policy is Enabled.

[Topic 266508]

Editing response policy settings

You can edit the response policy settings in Kaspersky Container Security if your account has been assigned at least one role that the policy's creator had at the time of the policy's creation.

To change response policy settings:

1. In the Policies → Response policies section, click the policy name in the list of existing response policies.

   The policy settings window opens.

2. If necessary, make changes to the relevant policy settings:
   • Change the policy name.
   • Add or edit the policy description.
   • Add or edit the policy scope.
   • Change the trigger event by selecting it from the drop-down list.
   • Add an output by clicking the Add button.
   • Delete the output by clicking the delete icon () located next to the line of the selected output.
3. Click Save.

Page top

[Topic 264620]

Runtime policies

A runtime policy determines the actions that are taken by the solution when monitoring and controlling runtime operations of containers in accordance with the security policies. Kaspersky Container Security maintains control based on security threats detected in an image, the severity level of these threats, and the availability of

Containers in the runtime may run from verified images or from images that are still unknown to the solution.

On the Policies tab, under Policies → Runtime policies, a table lists configured runtime policies.

You can use the list to do the following:

• Add new policies. Click the Add policy button located above the table to open the policy settings window.
• Change policy settings. You can open the editing window by clicking the policy name link.
• Enable and disable policies. Policies are disabled and enabled by using the Disable/Enable toggle button in the Status column of the table containing the list of created policies.

  If you disable a policy, Kaspersky Container Security will not perform the actions specified in that policy.

• Search for policies. To find a policy, use the search field above the list of response policies to specify the policy name or part of it.
• Delete policies.

To work optimally, a runtime policy must be supplemented by runtime container profiles, which define the rules and restrictions for running containers in the runtime environment.

[Topic 265799]

Creating a runtime policy

Rights to manage runtime policy settings are required to add a runtime policy in Kaspersky Container Security.

To add a runtime policy:

1. In the Policies → Runtime policies section, click the Add policy button.

   The policy settings window opens.

2. Enter a policy name and, if required, policy description.
3. In the Scope field, select the scope for the runtime policy from the available options. Since runtime policies are only used for deployed and/or running containers, scopes containing resources across clusters can be selected.

   Scopes containing only registry resources are not available for selection. If necessary, you can specify individual images and pods for the runtime policy that you are creating in the Container runtime profiles section, as specified in step 10.

   If you plan to implement the policy with the global scope, one of your user roles must be granted the rights to view global scopes.

4. If necessary, select the Exclusions check box to define exclusions to which the runtime policy will not be applied. To do so, select the relevant objects in the drop-down list, specify their names, and then click Add.

   Existing exclusions in the policy are checked when deploying a container.

5. In the Mode section, select one of the following policy enforcement modes:
   • Audit. In this mode, a scan takes into account the contents of containers.
   • Enforce. In this mode, the solution blocks all objects that do not comply with the rules and criteria defined in the policy.
6. In the Best practice check section, use the Disabled / Enabled toggle switch to activate the scan for compliance with best security practices. From the list of settings, select the scan settings that guarantee that the correct image is run and that the CPU and RAM usage settings are correctly configured.
7. In the Block non-compliant images section, use the Disabled / Enabled toggle switch to prevent containers running from images that do not comply with the requirements. This check will be performed only for scanned images that are registered in the solution and have the Compliant status.
8. In the Block unregistered images section, use the Disabled / Enabled toggle switch to block image deployment if the image is unknown to Kaspersky Container Security. To deploy the image, you must register it in the solution and wait for it to appear in the registry.
9. In the Capabilities block section, use the Disabled / Enabled toggle switch to block the use of specified Unix functions. To do so, select specific system functions from the drop-down list. You can also lock the use of all Unix system functions by selecting ALL from the drop-down list.
10. In the Container runtime profiles section, use the Disabled / Enabled toggle switch to block processes inside containers and network connections for pods. To do this, perform the following actions:
    1. In the drop-down list, select an attribute to define the pods that the container runtime profiles will be applied to.
    2. Depending on the selected attribute, do the following:
       • If you selected By pod labels, enter the pod label key and the pod label value.

         You can add additional pod labels for pod selection by clicking the Add label pair button.

       • If you selected Image URL template, enter the template for the web address of the image registry.

         If the cluster contains images from the public Docker Hub registry, the solution equally considers the full path and the short path to the images. For example, if you specify the URL of the container image in the cluster as docker.io/library/ubuntu:focal, the solution accepts it equally as ubuntu: focal.

         You can add additional web addresses for pod selection by clicking the Add Image URL button.

    3. In the Runtime profile field, specify one or more runtime profiles that will be applied to pods that match the attributes you defined.
    4. If necessary, you can add pods for mapping using the Add pod mapping button. Pods with different attributes or applied runtime profiles will be mapped under the same runtime policy.
11. In the Image content protection section, use the Disabled / Enabled toggle switch to enable verification of digital signatures that confirm the integrity and origin of images in the container. To do this, perform the following actions:
    1. In the Image registry URL template field, enter the template for the web address of the image registry in which you want to verify signatures.
    2. In the drop-down list, select Check to enable verification or Don't check to disable verification.
    3. In the drop-down list, select one of the configured image signature validators.
    4. If necessary, add signature verification rules by using the Add signature verification rule button. The solution will apply multiple signature verification rules under a single runtime policy.
12. In the Limit container privileges section, use the Disabled / Enabled toggle switch to block the start of containers with a specific set of rights and permissions. In the list of settings, select the rights and permissions configuration to lock pod settings.
13. In the Registries allowed section, use the Disabled / Enabled toggle switch to allow deployment of containers in a cluster only from specific registries. To do so, select the relevant registries from the Registries drop-down list.
14. In the Volumes blocked section, use the Disabled / Enabled toggle switch to prevent the selected volumes from being mounted in containers. To do this, specify the volume mount points on the host system in the Volumes field.

    The Volumes field must begin with a forward slash ("/") because this represents the operating system path.

15. Click Save.

By default, the added policy is Enabled.

[Topic 266505]

Editing runtime policy settings

You can edit the runtime policy settings in Kaspersky Container Security if your account has been assigned at least one role that the policy's creator had at the time of the policy's creation.

To change runtime control policy settings:

1. In the Policies → Runtime policies section, click the policy name in the list of existing runtime policies.

   The policy settings window opens.

2. Change the policy name.
3. Add or edit the policy description.
4. Make changes to the relevant sections of the policy:
   • Mode.
   • Scope.
   • Bypass criteria.
   • Best practice check.
   • Block non-compliant images.
   • Block unregistered images.
   • Capabilities block.
   • Limit container privileges.
   • Registries allowed.
   • Volumes blocked.
5. Click Save.

[Topic 266509]

Deleting policies

You can delete security policies if your account has been assigned at least one role that the policy's creator had at the time of the policy's creation. You also need rights to manage the corresponding types of policies in order to delete them.

To delete a policy:

1. Open the list of configured scanner policies, assurance policies, response policies or runtime policies.
2. In the line containing the name of the policy that you want to delete, click the delete icon ().
3. In the window that opens, confirm the action.

If security policy configuration errors block Kaspersky Container Security and you cannot manage the solution using the Management Console, the security policies must be deleted manually.

To manually delete a policy and recover the solution:

1. Run the following command to remove the agents (kube-agent and node-agent) as applicable:

   kubectl delete deployment kube-agent

   kubectl delete daemonset node-agent

2. Delete all customer resources in the target cluster by running the following command:

   kubectl get crd -o name | grep 'kcssecurityprofiles.securityprobe.kcs.com' | xargs kubectl delete

3. Restart all Kaspersky Container Security pods and access the Management Console.
4. Make the necessary changes to the security policies.
5. Install the agents using the instruction in the .YAML format.

Page top

[Topic 265312]

Managing container runtime profiles

When implementing runtime policies, Kaspersky Container Security can apply user-defined rules for monitoring processes and the network. To do so, add runtime profiles to the appropriate runtime policies. Runtime profiles are essentially lists of restrictions for containers. Image profiles define the settings for secure image deployment and safe activities of an application deployed from an image. The actions assigned in profiles can significantly reduce the capabilities of cybercriminals who could potentially infiltrate a facility, and can improve security during the runtime operation of containers.

The following settings specify restrictions in an image profile:

• Executable files that should be blocked.
• Network restrictions for inbound and outbound connections.

The list of configured profiles is displayed as a table on the Container runtime profiles tab under Policies → Runtime policies. In this section, you can also do the following:

• Create new container runtime profiles. Open the profile settings window by clicking the Add profile button above the list.
• Edit profile settings by clicking the link in the runtime profile name.
• Delete runtime profiles.

[Topic 264971]

Creating a runtime profile

To add a container runtime profile:

1. Under Policies → Runtime policies → Container runtime profiles, click the Add profile button.

   The profile settings input window opens.

2. Enter a name for the runtime profile and, if necessary, a description.
3. In the Restrict container executable files section, use the Disabled / Enabled toggle switch to restrict executable files according to rules. In the list, select the blocking option that guarantees optimal container performance:
   • Block process from all executable files - application blocks all executable files from starting while the container is running.
   • Block specified executable files - application blocks the executable files that you select in the Block the specified executable files field. You can block all executable files or a list of specific executable files. You can also use an * mask (for example, /bin/*) to apply a rule to an entire directory and its subdirectories.

     You can fine-tune the list of allowed and blocked executable files by specifying exclusions for blocking rules. For example, you can specifically exclude the path /bin/cat for a rule applied to /bin/*. In this case, all executable files from the directory /bin/ will be blocked from running except the /bin/cat application.

     Example path to executable files

     Specifying the direct path to executable binary files:

     /bin/bash

     Specifying a directory using a * mask:

     /bin/*

     In this example, all executable files from subdirectories of the /bin/ directory are allowed to run.

     If you select the Allow exclusions check box, the application will block all executable files except those specified in the Allow exclusions field when a container is started and running.

4. In the Restrict ingress container connections section, use the Disabled / Enabled toggle switch to activate the capability to restrict inbound connections of a container. When this restriction is active, Kaspersky Container Security will block all sources of inbound connections except those that you specified as exclusions.

   If you select the Allow exclusions check box, you can specify the parameters of one or more allowed sources of inbound network connections. To define exclusions, you must specify at least one of the following parameters:

   • Sources. In the Sources field, enter an IP address or a range of IP addresses for the inbound connection source in CIDR4 or CIDR6 notation.
   • In the TCP ports field and in the UDP ports field, enter a specific port or range of ports for the connection.

     If you need to specify multiple ports, use a comma, e.g. 8080, 8082.

     If you do not specify a value for the ports, the application will allow a connection over all ports.

5. In the Restrict egress container connections section, use the Disabled / Enabled toggle switch to activate the capability to restrict outbound connections for defined destinations.

   If you select the Allow exclusions check box, you can specify the parameters of one or more allowed destinations for outbound network connections. To define exclusions, you must specify at least one of the following parameters:

   • Destinations. In the Destinations field, enter an IP address or a range of IP addresses for an outbound connection destination in CIDR4 or CIDR6 notation, or the web address (URL) of a destination.
   • In the TCP ports field and in the UDP ports field, enter a specific port or range of ports for the connection.

     If you need to specify multiple ports, use a comma, e.g. 8080, 8082.

     If you do not specify a value for the ports, the application will allow a connection to be made through all ports.

6. Click Save.

The added runtime profile is displayed in the Policies → Runtime policies → Container runtime profiles section.

[Topic 265052]

Examples of configured runtime profiles

The table below presents a few of the images that are most frequently used by the application, and the settings for their configured restrictions in runtime profiles.

Images and their configured settings

Page top

[Topic 264972]

Changing runtime profile settings

To change container runtime profile settings:

1. Under Policies → Runtime policies → Container runtime profiles, click the name of the profile in the list of existing container runtime profiles.
2. In the window that opens, change the values of one or more of the following settings:
   • Name of the runtime profile.
   • Description of the runtime profile.
   • Restrict container executable files.
   • Restrict inbound network connections.
   • Restrict outbound network connections.
3. Click Save.

Changes made to runtime profile settings are immediately applied to the running container and affect its operation.

[Topic 264973]

Deleting a runtime profile

To delete a container runtime profile:

1. In the table of configured runtime profiles under Policies → Runtime policies → Image profiles, click the delete icon () in the row containing the name of the profile that you want to delete.
2. In the window that opens, confirm the action.

[Topic 265760]

Configuring integration with image signature validators

Kaspersky Container Security can verify the authenticity and validity of the digital signatures of images. To use this functionality, you need to configure integration of the solution with one or more external signature applications. The specifics of signing an image digest, the location of signatures, and protecting signatures depend on the signature application you have selected. The solution supports two configurable external signature validation applications:

• Notary v1 is a web service developed by Docker that is used to ensure the security of containers at various stages of their life cycle, including the creation and subsequent storage of signatures.
• Cosign is a web service designed to create signatures for containers, verify signatures, and place signed containers in repositories. The tool was developed as part of the
  Sigstore

  This project aimed to develop and provide tools and services for the verification of software through the use of digital signatures. Sigstore also maintains a public registry to confirm the authenticity of changes to an image.

  project.

You can configure integration with an image signature validator in the Administration → Integrations → Image signature validators section.

[Topic 265766]

Viewing the list of integrations with signature validators

To open the list of the configured integrations with image signature validators,

go to the Administration → Integrations → Image signature validators section.

You can use the list to do the following:

• Add new integrations with signature verification modules. Click the Add verification module button located above the list to open the integration settings window.
• View and edit the settings for integration with an image signature verification module. You can open the editing window by clicking the link on the verification module name.
• Remove an integration with an image signature validator.

[Topic 265764]

Adding an integration with an image signature validator

To add an integration with an image signature validator:

1. In the Administration → Integrations → Image signature validators section, click the Add signature validator button.

   The integration settings window opens.

2. In the General information section, enter a policy name and, if necessary, a policy description.
3. In the Type section, select one of the following signature validators:
   • Notary v1.
   • Cosign.
4. Depending on the selected signature validator, specify the server authentication credentials:
   • For Notary v1, specify the following settings:
     • Web address – the full web address of the server where image signatures are stored.
     • Signature server authentication secret name – the name of the orchestrator secret with credentials for accessing the server where image signatures are stored.

       The secret must be in the Kaspersky Container Security namespace.

     • Certificate – a self-generated certificate for the server where signatures are stored. The certificate is provided in .PEM format.
     • Delegations – list of signature holders participating in the signing process.
     • Under Trusted roots, specify the pairs of all public keys that the solution will check during signature verification. A key pair includes the name and value of the key.

       If necessary, you can add additional keys by clicking the Add key pair button. The solution supports up to 20 key pairs.

   • For Cosign, specify the following settings:
     • Signature server authentication secret name – the name of the orchestrator secret with credentials for accessing the server where image signatures are stored.

       The secret must be in the Kaspersky Container Security namespace.

     • Certificate – a self-generated certificate for the server where signatures are stored. The certificate is provided in .PEM format.
     • Under Trusted roots, specify the pairs of all public keys that the solution will check during signature verification. A key pair includes the name and value of the key.

       For Cosign, specify the public keys for the ECDSA or RSA algorithms provided by cosign.pub.

       If necessary, you can add additional keys by clicking the Add key pair button. The solution supports up to 20 key pairs.

     • In the Signature requirements section, specify the minimum number of signatures and signature holders who must sign the image.
5. Click the Save button in the top of the window to save the settings for integration with an image signature validator.

You can use the configured integration in runtime policies to ensure protection of the image content.

[Topic 265792]

Viewing and editing information about integration with an image signature validator

To view and edit the settings for integration with an image signature validator:

1. In the Administration → Integrations → Image signature validators section, click the integration name link in the list of integrations with signature validators.
2. If necessary, in the window that opens, edit the integration settings, which depend on the selected signature validator, as follows:
   • For Notary v1, you can modify the following settings:
     • Validator name.
     • Description.
     • URL.
     • Signature server authentication secret name.
     • Certificate.
     • Delegations.
     • Key name.
     • Key value.
   • For Cosign, you can modify the following settings:
     • Signature server authentication secret name.
     • Certificate.
     • Key name.
     • Key value.
     • Threshold.
     • Required signers.
3. If necessary, add key pairs by clicking the Add key pair button.
4. Click the Save button in the upper part of the window.

[Topic 265780]

Removing an integration with an image signature validator

To remove an integration with an image signature validator:

1. Open the list of the configured integrations with image signature validators.
2. In the line containing the name of the integration that you want to delete, click the delete icon ().
3. In the window that opens, confirm the action.

[Topic 250406]

Setting up integration with notification outputs

Kaspersky Container Security can notify users about events while operating in accordance with the response policy settings. To use the notification feature, you should set up an integration of Kaspersky Container Security with one or more notification outputs.

Kaspersky Container Security can use the following outputs:

• Email
• Telegram instant messaging system

[Topic 250407]

Viewing the list of email integrations

To open a list of configured email integrations,

go to the Administration → Integrations → Notifications section and select Email integrations.

You can use the list to do the following:

• Add new email integrations. Click the Add button located above the list to open the integration settings window.
• View and change email integration settings — you can open the editing window by clicking the integration name link.
• Search for an email integration — to perform this search, enter the integration name in the Search field.
• Delete email integration.

[Topic 250408]

Adding email integrations

To add an email integration:

1. Do one of the following:
   • Under Administration → Integrations → Notification, in the Email integration section, click the Add new button.
   • In the Administration → Integrations → Notifications section, select Email integrations. In the window that opens, click the Add button located above the table.

   The integration settings window opens.

2. Specify the following information in the form:
   • Name of the integration — Displayed in the response policy settings.
   • User name and password of the account used to send messages.
   • SMTP server name.
   • E-mail encryption method.
   • Port that the SMTP server uses.
   • Email address of the message sender.
   • Email addresses of message recipients. You can enter one or more addresses in this field.
3. Click the Save button in the top of the window to save the email integration settings.

Example email integration settings

You can use the configured integration in response policies.

[Topic 254848]

Viewing information about email integration

To view and change an email integration:

1. In the Email integrations section under Administration → Integrations → Notifications, click the integration name link in the list of integrations.
2. In the editing window that opens, change the following integration settings if necessary:
   • Name.
   • User name.
   • Password of the user account that is used to send messages.
   • SMTP server name.
   • E-mail encryption method.
   • Port that the SMTP server uses.
   • Email address of the message sender.
   • Email addresses of message recipients.
3. Click Save.

[Topic 250409]

Viewing the list of Telegram integrations

Integration with Telegram allows you to configure messaging in the chat with the Telegram bot.

To open the list of the configured Telegram integrations, go to the Administration → Integrations → Notifications section, and select Telegram integrations.

You can use the list to do the following:

• Add new Telegram integrations. Click the Add button located above the list to open the integration settings window.
• View and change Telegram integration settings — you can open the editing window by clicking the integration name link.
• Delete integration with Telegram.

[Topic 250410]

Adding Telegram integrations

To add a Telegram integration:

1. Do one of the following:
   • Under Administration → Integrations → Notifications, in the Telegram integration section, click the Add new button.
   • In the Administration → Integrations → Notifications section, select Telegram integrations. In the window that opens, click the Add button located above the table.

   The integration settings window opens.

2. Specify the following information in the form:
   • Name of the integration — Displayed in the response policy settings.
   • ID of the chat to post the messages — you can get the ID in the following way:
     1. Write the first message to the message bot. The chat ID is generated the first time a message is sent.
     2. In the address bar of your browser, type:

        https://api.telegram.org/bot<token>/getUpdates

        where <token> is the token of the message bot.

     3. In the received .json response file, find the "ID" value in the "chat" object. This is the chat ID.

     After changing the message history visibility settings for new participants in a Telegram chat, the chat ID is also changed. In this case, you must change the Telegram integration settings and specify the new value for the chat ID.

   • Token of the message bot — you receive this token as a result of executing the /newbot command in the BotFather bot to create a bot. You can also get the token of a previously created bot by running the /token command.
3. Click the Save button in the top of the window to save the Telegram integration settings.

Example Telegram integration settings

You can use the configured integration in response policies.

[Topic 254829]

Viewing and editing information about integration with Telegram

To view and change a Telegram integration:

1. In the Telegram integrations section under Administration → Integrations → Notifications, click the integration name link in the list of integrations.
2. In the opened editing window, change the following integration settings if necessary:
   • Name.
   • Chat ID.
   • Bot token.
3. Click Save.

[Topic 250411]

Deleting integrations with notification outputs

To delete email integration or Telegram integration:

1. Open the list of the configured email integrations or Telegram integrations.
2. In the line containing the name of the integration that you want to delete, click the delete icon ().
3. In the window that opens, confirm the deletion.

You cannot delete an integration that is used in one or more response policies.

[Topic 254129]

Configuring LDAP server integration

Kaspersky Container Security lets you connect to servers of external

Connection to an external directory service over the LDAP protocol enables you to perform the following tasks:

• Configure user accounts to take into account data from an external directory service for working with Kaspersky Container Security.
• Correlate user roles in Kaspersky Container Security to groups of users from Active Directory. Users in these groups will be able to use their domain account credentials to log in to the solution web interface and access application functionality based on their assigned role.

  We recommended that you create these user groups in Active Directory in advance to allow them to complete authorization using their domain accounts in the Kaspersky Container Security web interface.
  An email address must be indicated for user accounts in Active Directory.

[Topic 262715]

Creating LDAP server integration

To create an integration with an LDAP server:

1. In the Administration → Integrations → LDAP section, click the Connect server button.

   The LDAP server settings window opens.

2. Specify the following mandatory settings in the form fields:
   • Web address (URL) of your company's LDAP server.

     The web address of the LDAP server is specified as follows: ldap://<host>:<port>. For example: ldap://ldap.example.com:389.

   • Base distinguished name—in the context of an LDAP name, this is the name that uniquely identifies and describes a record of the LDAP directory server.

     For example, the base distinguished name for example.com is dc=example, dc=com.

   • User authorization filter—in the context of an LDAP search, this is a filter that generates a user authorization request and indicates where to start searching for a user in the Active Directory catalog tree.

     The filter for user authorization must be specified as follows: sAMAccountName =% s, ou = Accounts.

   • Group filter for defining the group search settings in Active Directory.
   • User filter for defining the user search settings in Active Directory.
3. Under Base schema, specify the values of the following attributes and classes of objects:
   • Object class is the type of object to search for.
   • Organizational unit class is the LDAP object class that identifies the object as a container object within the domain.
   • User class is the LDAP object class that identifies the object as a user.
   • Organization unit name is the attribute of a group that identifies its name.
   • Group class is the class that identifies the LDAP object as a group.
   • Distinguished name attribute is the unique distinguishing name of the record.
4. Under User settings, specify the values of the following object attributes:
   • User first name attribute.
   • User lastname attribute.
   • Group name attribute.
   • User username attribute.

     When authorizing with a user account, the username may need to be specified together with the realm in the following format: <username @ realm>, for example, user@example.com.

   • User password.
   • Group member.
   • User email attribute.
   • User member of.
5. Click the Save button above the form for LDAP server integration data.
6. To verify that the values were filled in correctly, click the Test connection button above the form for LDAP server integration data.

   Kaspersky Container Security will display a notification informing you of the successful connection to the LDAP server or a failure to establish the connection.

Example of completed fields when configuring LDAP server integration

If the LDAP server certificate changes, reconfigure the integration.

You can use the configured integration when creating and assigning user roles.

[Topic 254155]

Viewing and editing information about LDAP server integration

To view the LDAP server connection:

Go to the Administration → Integrations → LDAP section.

Kaspersky Container Security displays the web address of the connected LDAP server above the Test connection, Change settings, and Delete integration buttons.

To change the settings for the connection to the LDAP server:

In the Administration → Integrations → LDAP section, click the Edit settings button.

Kaspersky Container Security opens the page containing the form for LDAP server integration data.

[Topic 254159]

Testing connection with LDAP server

To test connection with the LDAP server:

1. Go to the Administration → Integrations → LDAP section.
2. Do one of the following:
   • If the integration with the LDAP server is created, click the Test connection button.
   • If you are creating an integration with an LDAP server, click the Test connection button above the form for LDAP server integration data.

Kaspersky Container Security will display a notification informing you of the connection to the LDAP server or a failure to establish the connection.

Page top

[Topic 254187]

Gaining access to Active Directory group

After the integration with the LDAP server is configured, you can specify an Active Directory group for each Kaspersky Container Security role. After authorizing their account credentials, the users from this group gain access to solution functionality based on their defined roles.

[Topic 265983]

Users, roles, and scopes

This section describes how to work with users and user roles, and provides instructions on how to create, edit, and delete them. This section also describes how to use scopes to give different levels of access to different user roles.

[Topic 250413]

Managing users

Multiple users can have access to Kaspersky Container Security. A user account is created for each user, and one or more user roles are assigned to them.

The list of Kaspersky Container Security users is displayed in the table in the Administration → Access management → Users section.

You can do the following:

• Add users.
• View and edit user account settings.
• Reset password for the selected accounts.
• Delete users.
• Sort values in the list of users by clicking the icon in the corresponding column (displayed user name, user name, assigned role). Sorting can be done in alphabetic order and reverse alphabetical order.
• Search by user name by using the Search by user name field above the table.

[Topic 251976]

About user roles

A user role in Kaspersky Container Security is a set of permissions to perform certain actions in the solution web interface. Depending on their role, users have access to different sections and functional capabilities.

Kaspersky Container Security provides user roles as well as system roles, which have predefined sets of access permissions to perform common tasks for protecting container environments.

The following system roles are provided during initial installation of the solution:

• The Administrator of Kaspersky Container Security role is intended for users who are tasked with deploying and supporting the infrastructure and system software required for the solution to work (for example, operating systems, application servers, and databases). These users manage user accounts, roles and access permissions in Kaspersky Container Security.

  In the web interface, this role is indicated by the KCSADM abbreviation.

• The Information Security Administrator (IS Administrator) role is intended for users who are tasked with creating and managing user accounts, roles and access permissions of users, changing settings, connecting public image registries, Agents and outputs, and configuring security policies.

  In the web interface, this role is indicated by the ISADM abbreviation.

• The IS auditor role is intended for users who view the resources and user list of a solution, and who monitor the results of scans and compliance checks.

  In the web interface, this role is indicated by the ISAUD abbreviation.

• The IS officer role is intended for users who view and manage security policies, connect public image registries, and view the results of runtime container analyses for projects in which these users are directly involved.

  In the web interface, this role is indicated by the ISOFF abbreviation.

• The Developer role is intended for users who perform compliance checks and view the results of scanning images from registries and CI/CD, cluster resources and accepted risks.

  In the web interface, this role is indicated by the DEV abbreviation.

You can assign system roles to user accounts when creating or viewing these user accounts.

Multiple user roles can be assigned to a user.

If a specific system role is not needed, you can delete it.

However, you cannot delete the last active system role that has permissions to manage other roles.

If the available system roles do not offer the required access permissions, you can create your own unique sets of permissions as custom roles.

When creating custom roles, consider the necessary set of permissions for accessing related functionalities. For example:

• To view and configure the settings of the response policies, you need permission to view integrations with notification services. If this permission is not granted, Kaspersky Container Security will display an error when you try to configure a response policy.
• Permissions to manage response policies must be granted with permissions to manage notifications, otherwise, you will not be able to select the outputs in the policy settings.
• To create a user, you need permission to view and manage roles. If such permission is not granted, only the dashboard is displayed to the created user.
• The permission to manage users must be granted together with the permission to manage roles, otherwise you will not be able to assign a role when creating a user.

You can assign user roles to user accounts just like with system roles. In addition, you can also change the settings of user roles and delete user roles.

When assigning the scopes to roles, you must take into account that a security policy can be implemented within a specific scope only if this scope is assigned to one of your roles.

If you integrated the solution with an LDAP server, Kaspersky Container Security also receives and displays the roles and user groups from the Active Directory service.

[Topic 266510]

Working with system roles

The table below lists the main actions that are available to users with system roles in the Kaspersky Container Security web interface after installation.

User roles and their available actions

Page top

[Topic 266512]

Displaying list of roles

Kaspersky Container Security displays the list of active roles in the Administration → Access management → Roles section.

The table presents all active system roles and user roles and indicates ID, name, and number of users assigned to the specific role. If you have configured integration with LDAP, the table also shows Active Directory user groups that correspond to the user roles in Kaspersky Container Security.

[Topic 266001]

About scopes

In Kaspersky Container Security, a scope is a resource list of reasons why the solution is being used (e.g. specific cluster, multiple external registries, or specific namespaces).

Scopes are used for the following purposes:

• To differentiate access to resources, for example, in order to monitor the operation of clusters, registries, or namespaces.

  This access control is performed by assigning a scope when creating a scope or editing its settings.

• To distinguish the objects that policies and scans are applied to.

  These objects are differentiated by assigning a scope when creating security policies or editing their settings.

In Kaspersky Container Security, you can add your own scopes or assign the default global scope to users.

The global scope includes access to all solution resources. This scope is added by default during installation of Kaspersky Container Security.

You cannot change the settings of the global scope or delete it.

Only a user with the appropriate rights can access the global scope. To assign global scope to other users and roles, you need to have permission to manage the global scope.

If you assign the global scope to a policy, the policy will be applied to all resources and applied in all environments.

[Topic 266058]

Scopes and enforcement of security policies

In Kaspersky Container Security, scopes are specified for all security policies. To ensure that all necessary resources are scanned, each policy can be assigned one or more scopes. Moreover, the same scope can be specified in multiple policies.

Regardless of the number of policies implemented in a scope (for example, when scanning an image or scanning a cluster in a runtime), all security policies are applied.

When multiple security policies and multiple scopes are applied simultaneously, the following rules apply:

• For scanner policies: scanning is performed using a cumulative list of settings that is obtained by combining all scanner policies in force within the scope.
• For assurance policies: when scanning images, all policies applicable to the scanned resources are applied, in line with specified scopes.
• For response policies: when events occur, the user is notified using the notification tools specified in all response policies applicable to resources specified in the assigned scopes.
• For runtime policies: containers are monitored and, if necessary, blocked from running in the runtime in accordance with all applicable policies assigned to the scope.

[Topic 266083]

Switching between scopes

In Kaspersky Container Security, several scopes can be assigned to a role. You can view the list of available scopes or switch scopes in order to access resources available in a different scope.

When switching between scopes, bear in mind the following:

• If you select the scope with resources by registry, in the section Resources → Assets → Clusters, Kaspersky Container Security does not display a list of clusters, namespaces, and pods. A full visual representation of the links between resources is displayed, but you cannot view information about an object that is outside of the available scope.
• Select the scope with resources by cluster, in the Resources → Assets → Registries section. Kaspersky Container Security then displays a list of the images used to start the containers in clusters.
• In the Scanners section, you can view lists of all scanners and scan tasks. However, you will not be able to view information about a scanned object if it is not within a scope that is available to you.
• In the Compliance → Kubernetes benchmarks section, Kaspersky Container Security displays a list of all nodes within clusters in the scope, regardless of the level of cluster detail in the scope. However, you cannot view information about a cluster node if it is not within a scope that is available to you.
• In the Policies section, Kaspersky Container Security shows the following:
  1. All policies in which at least one of the author's roles matches your role.
  2. All policies in which at least one scope matches the scope you selected.
  3. All policies that are linked to scopes assigned to your roles. However, you cannot delete these policies or edit their settings.

To switch the scope:

1. Go to one of the following sections:
   • Resources → Assets → Clusters.
   • Resources → Assets → Registries.
   • Compliance → Kubernetes benchmarks.
   • Subsections of the Policies section: Scanner policies, Assurance policies, Response policies, or Runtime policies.
2. In the drop-down list of available scopes in the upper right part of the window, select the required scope.

   You can also activate all the scopes by selecting All in the list.

Page top

[Topic 266008]

Adding users, roles, and scopes

To add a user account:

1. In the Administration → Access management → Users section, click the Add user button above the list of users.
2. In the window that opens, specify the following settings:
   • User name is a unique value that must be assigned to a user for identification within Kaspersky Container Security.

     A user name can include only letters of the English alphabet and numerals. The minimum user name length is 4 characters, and the maximum user name length is 254 characters.

   • Display name (optional) is the value that is displayed in the solution web interface. If this parameter is not specified, the user name is displayed in the web interface.
   • Email (optional).
3. Enter the password in the Password field.

   Passwords have the following requirements:

   • The password must contain numerals, special characters, and uppercase and lowercase letters.
   • The minimum password length is 6 characters, and the maximum password length is 72 characters. The default password length is 8 characters.
4. Confirm the entered password in the Confirm password field.
5. Select the check box if the user should change the password the next time the solution starts.
6. Assign a role to the user by selecting from the list of available roles.

   While you are not required to assign a role when creating a user, a new user without an assigned role will not be able to interact with Kaspersky Container Security.

7. Click Add.

To add a user, permission to view and configure settings is required. If you do not have this permission, any user you add will only be able to view the main page of the solution.

To add a user role:

1. In the Administration → Access management → Roles section, click the Add role button above the list of roles.
2. In the window that opens, specify the following values:
   • Role ID is a unique value that must be assigned to a role for identification within Kaspersky Container Security.

     The role ID can include uppercase Latin letters and numbers. A role ID cannot contain special characters or spaces.

   • Role name is the value displayed in the solution web interface.
   • Description (optional).
   • Scope is a setting that is used to differentiate access to resources.
3. In the Active Directory mapping field, specify the Active Directory groups that the user belongs to.
4. Select the check boxes next to the permissions that will be available for the role being added.
5. Click Add.

To add a scope:

1. In the Administration → Access management → Scopes section, click the Add scope button above the table with the list of scopes.
2. In the window that opens, specify the scope name and, if necessary, a scope description.
3. In the Resources section, select the resources for the scope:
   • Click the Add resources by registry button, and in the drop-down list, select the registries for the scope. You can define a more specific scope by selecting specific repositories and images from these repositories in the drop-down list.
   • Click the Add resources by cluster button and select the orchestrators for the scope from the drop-down list. You can define a more specific scope by selecting specific clusters, namespaces, and images from the orchestrators used to deploy the containers in the clusters.

   You must specify at least one resource for which access is granted for monitoring.

4. Click Set objects to scope.
5. Save the scope by clicking the Save button.

[Topic 254462]

Resetting password for user accounts

To reset the password for a user account,

1. Go to the Administration → Access management → Users section.
2. Do one of the following:
   • In the user list, select the row of the specific user account, then click the Reset password link above the table.
   • In the user account row, open the menu () and select Reset password.

[Topic 266123]

Changing settings for users, roles, and scopes

To edit a user account:

1. In the Administration → Access management → Users section, click the user name in the list of users.
2. In the opened window, make the necessary changes.

   If you make changes to a user account with the administrator privileges, do not delete all roles, since doing so results in the loss of administrator access to the solution.

3. Click Save.

To edit a user role:

1. In the Administration → Access management → Roles section, click the role identifier in the Role ID column in the list of roles.
2. In the opened window, make the necessary changes.
3. Click Save.

   After a role is modified, all users with the assigned role must be reauthorized.

   You cannot edit a role if it is the last active system role with rights to manage user accounts, user roles, or the global scope.

To edit a scope:

1. In the Administration → Access management → Scopes section, click on the scope name in the Scope name column of the table with the list of scopes.
2. In the opened window, make the necessary changes.
3. Click Save.

Page top

[Topic 266056]

Removing users, roles, and scopes

To delete a user account:

1. In the Administration → Access management → Users section, do one of the following:
   • Select the user from the row of the specific user account, then click the Delete link above the table containing the list of users.

     You can select one or more user accounts.

   • In the row with the user account, open the menu () and select Delete user.
2. In the window that opens, confirm deletion by clicking Delete.

   The user account used for authorization in Kaspersky Container Security cannot be deleted.

To delete a user role:

1. In the Administration → Access management → Roles section, in the role row in the list of roles, click the deletion icon ().
2. In the window that opens, confirm deletion by clicking Delete.

You cannot delete the last active system role with rights to manage other user accounts, user roles, or the global scope.
You also cannot delete a role if it is assigned to any user.

To delete a scope:

1. In the Administration → Access management → Scopes section, in the role row in the list of scopes, click the delete icon ().
2. In the window that opens, confirm deletion by clicking Delete.

   You cannot delete the default global scope.
   You also cannot delete a scope if it is assigned to a different active user role.

[Topic 255363]

Security event log

In the Administration → Events section, Kaspersky Container Security displays the occurred events that can be used for informational purposes, to track ongoing processes, to analyze security threats, and to determine what caused the solution failures.

Kaspersky Container Security displays the following types of events:

• Audit events. This group of events includes user activity audit data, such as information about configured settings of the solution, user authentications, changes in groups, and modifications or deletion of information within the solution.
• Solution operating results. These events include alerts about a triggered response policy.
• Records of the internal operations of solution applications.

Kaspersky Container Security shows the following security event categories:

• Administration—all events related to solution administration are logged.
• Policies (scanner policies, assurance policies, response policies, runtime policies) — events related to compliance or non-compliance of an image with applicable policies.
• Malware — events that occur when malware is detected during a scan of images and nodes.
• Sensitive data — events related to the detection of exposed sensitive data during a scan (for example, scanned images, functions, and nodes).
• Non-compliance — the following events are recorded:
  • Detection of non-compliant images.
  • Functions that do not comply with requirements, and runtime implementation of these functions.
  • Nodes that do not comply with requirements, and runtime actions of these nodes.

A list of security events is displayed for a specific period. You can select one of the provided options or define your own time period. For any period you select, the time count begins from the current day. Events for the last week are displayed by default.

Kaspersky Container Security displays the events that occurred during scans. The events are displayed as a table for the following components:

• Administration.
• Alerts.
• CI/CD.
• Policies.
• Resources.
• Runtime.
• Scanners.

For each event, the table indicates the date and time of the event, IP address of the user, description, and status. The user name is listed for some events, such as those involving Administration, Malware, and Sensitive data categories. The security threat level is also indicated for Alerts. For events related to the Scanners component, the identifiers generated by the solution and the status of the scan jobs are also logged. For Runtime, indicate the mode (Audit or Block), cluster, and deployed pod.

The security event log of Kaspersky Container Security is maintained and stored in PostgreSQL and does not have data protection mechanisms.

Page top

[Topic 255365]

Exporting events to SIEM systems

Kaspersky Container Security allows you to send event messages to

The data about the system events is transmitted as the integration with the SIEM system is configured during the installation of the solution. Event messages are forwarded to the SIEM registration server in the CEF format over TCP or UDP using the provided port (typically port 514). When the solution is deployed, these parameters are specified in the values.yaml configuration file:

CEF_PROTOCOL=tcp

CEF_HOST=<ip address>

CEF_PORT=<port>

The transmitted message consists of the following components:

1. The
   Syslog

   A standard for sending and logging system event messages used for the UNIX and GNU/Linux platforms.

   header, which specifies the date, time, and host name.
2. Prefix and CEF version number.
3. Device vendor.
4. Solution name.
5. Solution version.
6. Solution-generated unique event type code.
7. Event description.
8. Event severity assessment.
9. Additional information, such as device IP address, event reason, event result, and event status.

Example of a message forwarded to a SIEM system

[Topic 265971]

Backing up and restoring data

PostgreSQL mechanisms can be used for PostgreSQL database backup and data recovery. You can use these for the PostgreSQL database in Kaspersky Container Security or an existing PostgreSQL database you may have.

Database backup copies are created using the pg_dump utility. The backup copy includes all main settings and PostgreSQL database objects, even if the database is used in parallel. If you have a backup copy, you can quickly restore the database.

Without a backup copy, a malfunction may lead to an irrecoverable loss of the information stored in the PostgreSQL database.

The pg_dump utility lets you export a PostgreSQL database as a script or in an archive format such as .TAR.

Example of using the pg_dump utility

To restore a PostgreSQL database from a backup copy, you can use the pg_restore utility. This allows you to restore a PostgreSQL database from an archive file created by the pg_dump utility. The pg_restore utility executes commands that restore the database to the state that existed when the database was saved.

Example of using the pg_restore utility

[Topic 250760]

Contacting Technical Support

If you cannot find a solution to your problem in the application documentation or in other sources of information about the application, you should contact Technical Support. Technical Support experts will answer your questions about installing and using the application.

Kaspersky provides technical support for this application throughout its lifecycle (please refer to the product support lifecycle page). Before contacting Technical Support, please read the technical support rules.

You can contact Technical Support experts in one of the following ways:

• Visit the Technical Support website.
• Submit a request to Kaspersky Technical Support through the Kaspersky CompanyAccount portal.

[Topic 250761]

Sources of information about the application

Kaspersky Container Security page on the Kaspersky website

On the Kaspersky Container Security page, you can view general information about the application, its functions and features.

Discussing Kaspersky applications on the Forum

If your question does not require an immediate answer, you can discuss it with Kaspersky experts and other users on our Forum.

On this Forum, you can view existing threads, leave your own comments, and create new discussion threads.

[Topic 267648]

Limitations and warnings

Kaspersky Container Security 1.1 has a number of limitations that are not critical to the operation of the solution:

• If you need to run many image vulnerability scans, we advise you to disable the misconfiguration scan option in the scanner policy because this operation may consume substantially more resources, especially when working with large-sized images.
• In cases where an attempt is made to run the solution simultaneously with other container security applications, Kaspersky Container Security has been noted to operate incorrectly. If another application in use is interfering and / or integrating with the operation of containers, the File Threat Protection component may not function correctly. You can temporarily disable the File Threat Protection component in scanner policies.

  We recommend that you do not use Kaspersky Container Security simultaneously with other container security applications.

• To use network policies supplied with Kaspersky Container Security, ensure the following:
  1. In the Helm Chart used to deploy and install the solution, the networkPolicies.create parameter is set to true (the default value).
  2. The network plug-in in the cluster, where the solution is deployed, supports Kubernetes network policies. If network policies are not supported, Kaspersky Container Security will create NetworkPolicies objects, but they will not be applied and will not filter traffic.

     If the NetworkPolicies objects are missing or not applied, the security level of the solution is lower.

• Kaspersky Container Security 1.1 supports correct scanning only of images for the linux/amd64 architecture. When scanning multi-platform images, the scanner automatically attempts to apply the linux/amd64 architecture option.

[Topic 90]

Glossary

CI/CD

Continuous Integration/Continuous Delivery is the combination of continuous software integration and continuous delivery in the development process.

CNI

Container Networking Interface is a project dedicated to standardized management of network interfaces in Linux containers and flexible extension of their network capabilities. CNI plug-ins ensure that the network interface is included in the container namespace and performs all necessary configuration on the host node.

CRI

The Container Runtime Interface (CRI) is used by the orchestrator to work with various container runtimes, without the need to recompile cluster components. The CRI defines the main protocol used for communication between cluster components and the container runtime.

CSI

Container Storage Interface is a simple unified interface that defines interaction between a storage system and a container orchestration platform.

CVE

Common Vulnerabilities and Exposures is the database for generally known information security vulnerabilities. Each vulnerability is given an identifier in the CVE-year-number format, description and several open links with descriptions.

CVSS

Common Vulnerability Scoring System is an open standard for scoring vulnerabilities. CVSS specifies a set of metrics and formulas for scoring vulnerability severity, with values from 0 (minimum) to 10 (maximum). CVSS makes it possible to allocate vulnerability response efforts based on vulnerability severity.

CycloneDX

CycloneDX is an SBOM standard that was developed for application security contexts and analysis of application components by assessing the availability and state of all software components.

Dynamic admission controller

A configurable Kubernetes admission controller that helps enforce policies and supports management and control.

Exploit

Program code that takes advantage of some vulnerability in the system or in application software. Exploits are frequently used to install malware on a computer without the user's knowledge.

FSTEC

The Russian Federal Service for Technical and Export Control.

IaC

Infrastructure as a Code is an approach to managing and describing infrastructure through configuration files instead of manually editing server configurations.

Kaspersky OpenTIP

The publicly available Kaspersky Threat Intelligence Portal information system. Contains information about cyberthreats, safe objects, and the relationships between them.

Kaspersky TIP

The Kaspersky Threat Intelligence Portal information system that is available with premium access. Provides additional tools for analyzing cyberthreats, including threat lookup and Kaspersky Cloud Sandbox, as well as analytical reports about APTs, financial crime software, industrial cybersecurity threats, and the digital activity of a specific organization.

LDAP

Lightweight Directory Access Protocol is a lightweight client-server protocol for accessing directory services.

Namespace

A virtual cluster inside a Kubernetes cluster which isolates cluster resources. Each namespace has its resources: services, pods, and deployments. The Resource names must be unique to operate in one namespace, although you can use the same names in other namespaces.

Node

A physical or virtual machine on which containers with applications are deployed and run. A Kubernetes cluster consists of several nodes. The cluster has a master node which manages the cluster and worker nodes where containers operate.

NVD

The National Vulnerability Database is the United States Government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol.

PCI SSC

PCI Security Standards Council is a global forum dedicated to the ongoing development, enhancement, storage, dissemination, and implementation of security standards for payment card data protection.

Pipeline

Continuous software integration and continuous delivery (CI/CD) is performed in sequence one by one.

Pod

An abstract Kubernetes object, a group of one or more application containers, including shared storage (volumes), network settings, and information about application launch. Pod is the Kubernetes management unit.

RED OS

Russian general-purpose operating system RED OS supports scanning for vulnerabilities that can threaten the functioning of services and workstations.

SBOM

A Software Bill of Materials (SBOM) is a list of all object components. It also describes component dependencies and ways to validate and confirm source authenticity.

SIEM

Security information and event management is a class of software solutions that obtain and analyze data about security events.

Sigstore

It is a project aimed at developing and providing tools and services for the verification of software through the use of digital signatures. Sigstore also maintains a public registry to confirm the authenticity of changes to an image.

SPDX

Software Package Data Exchange (SPDX) is an international open standard for security, license compliance, and other artifacts of the software supply chain that is used to provide information about the origin, licensing, and security of software packages and their dependencies.

Syslog

A standard for sending and logging system event messages used for the UNIX and GNU/Linux platforms.

VDB (DSTD)

The Data Security Threats Database (DSTD or VDB) is a national vulnerability database maintained by the Russian Federal Service for Technical and Export Control (FSTEC).

[Topic 255979]

Third party code information

Information about third-party code is contained in the file legal_notices.txt, which you can download in the management Console using the Kaspersky Container Security End User License Agreement link in the Settings → About section.

[Topic 250415]

Trademark notices

Registered trademarks and service marks are the property of their respective owners.

Adobe is either a registered trademark or a trademark of Adobe in the United States and/or other countries.

Amazon and AWS are trademarks of Amazon.com, Inc. or its affiliates.

Apple and Safari are trademarks of Apple Inc.

Ubuntu is a registered trademark of Canonical Ltd.

ClamAV is a registered trademark or trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

The Grafana Word Mark and Grafana Logo are either registered trademarks/service marks or trademarks/service marks of Coding Instinct AB, in the United States and other countries and are used with Coding Instinct’s permission. We are not affiliated with, endorsed or sponsored by Coding Instinct, or the Grafana community.

Docker and the Docker logo are trademarks or registered trademarks of Docker, Inc. in the United States and/or other countries. Docker, Inc. and other parties may also have trademark rights in other terms used herein.

Dropbox is a trademark of Dropbox, Inc.

Google, Google Chrome, Chromium, and Nexus are trademarks of Google LLC.

S3 is a trademark of International Business Machines Corporation registered in many jurisdictions around the world.

LinkedIn is a registered trademark or trademark of LinkedIn Corporation and its affiliates in the United States and/or other countries.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

CVE is a registered trademark of The MITRE Corporation.

OpenAPI is a trademark of the Linux Foundation.

Helm, Kubernetes is a registered trademark of The Linux Foundation in the United States and other countries.

Microsoft, Active Directory, Excel, Microsoft Edge, Windows, and Windows Server are trademarks of the Microsoft group of companies.

CVE is a registered trademark of The MITRE Corporation.

Mozilla and Firefox are trademarks of the Mozilla Foundation in the U.S. and other countries.

Oracle is a registered trademark of Oracle and/or its affiliates.

Red Hat, Red Hat Enterprise Linux, and CentOS are trademarks or registered trademarks of Red Hat, Inc. or its subsidiaries in the United States and other countries.

OpenShift is a registered trademark of Red Hat, Inc. in the United States and other countries.

Debian is a registered trademark of Software in the Public Interest, Inc.

Sonatype Nexus is a trademark of Sonatype, Inc.

SUSE is a registered trademark of SUSE LLC in the United States and other countries.

TWITCH is a trademark of Twitch Interactive, Inc. or its affiliates.

UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company Limited.

ClickHouse is a trademark of YANDEX LLC.