About the Kaspersky Container Security platform
Kaspersky Container Security (hereinafter referred to as the solution) allows you to discover security problems and ensures protection throughout the container application lifecycle, from development and deployment control to runtime.
Solution functionalities:
- Integration with image registries (Docker Hub, JFrog Artifactory, Sonatype Nexus Repository OSS, GitLab Registry, Harbor) to scan images in the registry for known vulnerabilities published by the NVD and VDB (DSTD), secrets (passwords, access keys, tokens), misconfigurations, and malware.
- Integration into the continuous integration / continuous delivery (CI/CD) process as a pipeline stage, as well as scanning IaC for misconfigurations and container images for vulnerabilities, malware, and sensitive data (secrets).
- Checking of cluster nodes for compliance with industry information security benchmarks.
- Monitoring compliance with the configured security policies while building and operating the applications, including monitoring container runs in the runtime.
- Monitoring of resources used by the controlled clusters.
You can configure and access the functionalities of Kaspersky Container Security through the Management Console. The console is a web interface that can be opened in Chromium-based browsers (Google Chrome, Microsoft Edge), Apple Safari, or Mozilla Firefox.
What's new
Kaspersky Container Security 1.1 offers the following new features and improvements:
- Severity levels for detected malicious objects. The solution lets you accept the risk for non-critical objects.
- Ability to generate reports on detected vulnerabilities, security events, and compliance with applicable policies. Depending on the report type, reports are created in different parts of the solution, including the CI/CD section. Generated reports can be viewed and downloaded in several formats in a new section of the main menu: Administration → Reports.
- Reduced load on CI agents when integrating with the CI pipeline. The new version offers two CI schemes:
- Using the resources of the CI agent.
- Without using the resources of the CI agent. In this scheme, the scanner started in the CI pipeline only generates an SBOM of the image and sends it to the installed solution; the solution's scanners analyze the SBOM, and the scan result is returned to the CI system.
- Support for running scanners when a proxy sits between an image registry and the installed solution.
- Application scopes, which control user access to the orchestrator resources and image registries monitored by the solution and allow different security policies to be applied to those resources and registries.
- Ability to control image integrity using image signatures, as well as block images that have not passed signature verification. The solution can integrate with Notary and Cosign plug-ins for signature verification. To block images that have not passed signature authenticity verification, a new Image content protection section has been added to runtime policies.
- Control of applications and services running inside containers. The solution can monitor and block processes running inside containers.
- Support for container runtime profiles, which detect anomalous activity against a custom or predefined profile. A profile specifies which processes may start inside a container and which network communications are allowed; profiles are applied to containers started in the runtime environment and restrict their behavior to the specified settings.
- Monitoring and control of traffic between containers, containerization platform components, and external applications and resources. The solution can restrict network communications of containers in a runtime environment by configuring the following settings:
- Ports (TCP/UDP).
- IP addresses (IPv4, IPv6).
- Block inbound and/or outbound network connections.
Distribution kit
For information about purchasing the application, please visit https://www.kaspersky.com or contact our partners.
The distribution kit includes a Helm Chart package with the containerized resources necessary for deploying and installing Kaspersky Container Security components, including the following:
- kcs-ih: image of the image handler, which starts the jobs that run the vulnerability and malware scanners and then aggregates and publishes the scan results. The image handler can be scaled to fit your needs.
- kcs-scanner: image of the scanner server, which stores the vulnerability database and the image layer cache and serves the kcs-ih instances.
- kcs-middleware: image of the server part of the solution, which implements the data-processing business logic and provides the REST API used by the graphical interface.
- nats and nats-box: images of the NATS message broker and its utility container, which order requests and carry data between components as messages.
- kcs-postgres: image of the PostgreSQL database management system, which stores the solution's data and provides the usual query parsing, optimization, and rule-processing machinery.
- kcs-clickhouse: image of the ClickHouse database management system, which stores and processes the event messages received from the node-agent agents.
- kcs-s3: image of the S3-compatible file storage used to store files generated by Kaspersky Container Security and to distribute them to users.
- kcs-panel: image of the graphical user interface of Kaspersky Container Security.
- kcs-updates: image used to deliver updates when the solution is deployed in isolated segments of a corporate network.
- kcs-licenses: image of the license management application of Kaspersky Container Security.
- values.yaml: the configuration file in the Helm package that contains the setting values for installing and updating the solution.
After you download the Helm package and save it to a directory of your choice, the orchestrator pulls the images from the source specified in the Helm package directly onto the orchestration platform nodes.
The information required to activate the application is sent to you by email.
Hardware and software requirements
To install and operate Kaspersky Container Security, the following infrastructure requirements must be met:
- One of the following orchestration platforms:
- Kubernetes (version 1.22 or later)
- OpenShift 4.11 or later
- Availability of a CI system to scan container images within the development process (for example, GitLab CI).
- Helm package manager v3.8.0 or later installed.
To implement runtime monitoring with container runtime profiles, orchestrator nodes must meet the following requirements:
- Linux kernel 4.19 or later.
- Container runtimes: containerd, CRI-O.
- Container Network Interface (CNI) plug-ins: Flannel, Calico, Cilium.
- Kernel headers for the running kernel on the host node:
- For deb-based systems (Debian, Ubuntu), the linux-headers package matching the running kernel, for example linux-headers-$(uname -r).
- For rpm-based systems, the kernel-devel package matching the running kernel.
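The node requirements above can be verified before enabling runtime profiles. The following POSIX shell script is an added example, not part of the Kaspersky documentation or product: it checks the kernel version and container runtime of every node as the Kubernetes API reports them (.status.nodeInfo.kernelVersion and .status.nodeInfo.containerRuntimeVersion), and includes a helper to run on a node itself to confirm that the kernel build tree installed by linux-headers or kernel-devel is present. It assumes the current kubectl context points at the target cluster; the CNI plug-in is not checked.

```shell
#!/bin/sh
# Added example, not Kaspersky's code: preflight check of the node requirements
# for runtime profiles (kernel 4.19+, containerd or CRI-O, kernel headers).
# Kernel and runtime are read from the node objects the API server reports, so
# the check runs from an admin workstation; headers_present must run on the node.

# version_ge A B: succeed if dotted version A is at least B. Build suffixes such
# as "-91-generic" or "-477.el8" are stripped first; missing fields count as 0.
version_ge() {
  a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
  b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
  i=1
  while :; do
    x=$(printf '%s' "$a" | cut -d. -f"$i")
    y=$(printf '%s' "$b" | cut -d. -f"$i")
    [ -z "$x" ] && [ -z "$y" ] && return 0
    x=${x:-0}; y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
}

# check_node NAME KERNEL RUNTIME: evaluate one node from the kernelVersion and
# containerRuntimeVersion strings kubectl reports ("containerd://1.7.2", "cri-o://1.26.0").
check_node() {
  node=$1; kernel=$2; runtime=$3; rc=0
  if version_ge "$kernel" 4.19; then
    echo "$node: kernel $kernel OK"
  else
    echo "$node: kernel $kernel is older than 4.19 FAIL"; rc=1
  fi
  case "$runtime" in
    containerd://*|cri-o://*) echo "$node: runtime $runtime OK" ;;
    *) echo "$node: runtime $runtime is not containerd or CRI-O FAIL"; rc=1 ;;
  esac
  return $rc
}

# headers_present: run on the node itself. Both linux-headers (deb) and kernel-devel
# (rpm) install the build tree for the running kernel under /lib/modules/<release>/build.
headers_present() {
  [ -d "/lib/modules/$(uname -r)/build" ]
}

# Walk every node of the current kubectl context; nothing is checked if kubectl is absent.
if command -v kubectl >/dev/null 2>&1; then
  kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name} {.status.nodeInfo.kernelVersion} {.status.nodeInfo.containerRuntimeVersion}{"\n"}{end}' |
    while read -r n k r; do check_node "$n" "$k" "$r"; done
fi
```

Run it from the workstation that holds the cluster credentials; for the headers check, copy the script to a node (or run it in a privileged pod with the host root mounted) and call headers_present there.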
When an external database management system is used, Kaspersky Container Security supports the following DBMS:
- PostgreSQL 11.x, 13.x, 14.x
Kaspersky Container Security supports integration with the following image registries:
- GitLab 14.2 or later
- Docker Hub (Registry API v2)
- JFrog Artifactory 7.55 or later
- Sonatype Nexus Repository OSS 3.43 or later
- Harbor 2.x
Image requirements (OS, version, scanned packages):
- Alpine Linux, versions 2.2 to 2.7, 3.0 to 3.18, Edge. Packages installed via apk are scanned.
- Red Hat Universal Base Image, versions 7, 8, 9. Packages installed via yum/rpm are scanned.
- Red Hat Enterprise Linux, versions 6, 7, 8. Packages installed via yum/rpm are scanned.
- CentOS, versions 6, 7, 8. Packages installed via yum/rpm are scanned.
- AlmaLinux, versions 8, 9. Packages installed via yum/rpm are scanned.
- Rocky Linux, versions 8, 9. Packages installed via yum/rpm are scanned.
- Oracle Linux, versions 5, 6, 7, 8. Packages installed via yum/rpm are scanned.
- CBL-Mariner, versions 1.0, 2.0. Packages installed via yum/rpm are scanned.
- Amazon Linux, versions 1, 2, 2023. Packages installed via yum/rpm are scanned.
- openSUSE Leap, versions 42, 15. Packages installed via zypper/rpm are scanned.
- SUSE Linux Enterprise, versions 11, 12, 15. Packages installed via zypper/rpm are scanned.
- Photon OS, versions 1.0, 2.0, 3.0, 4.0. Packages installed via tdnf/yum/rpm are scanned.
- Debian GNU/Linux, versions 7, 8, 9, 10, 11, 12. Packages installed via apt/apt-get/dpkg are scanned.
- Ubuntu, all versions supported by Canonical. Packages installed via apt/apt-get/dpkg are scanned.
- Distroless, all versions. Packages installed via apt/apt-get/dpkg are scanned.
- RedOS, versions 7.1, 7.2, 7.3.x. Packages installed via yum/rpm are scanned.
- Astra Linux, versions CE 2.12.x, SE 1.7.x. Packages installed via apt/apt-get/dpkg are scanned.
When Kaspersky Container Security is configured with three scanning pods (kcs-ih) and a maximum scanned image size of 10 GB, the cluster must provide at least:
- 7 processor cores on the nodes
- 15 GB of RAM on the nodes
- 40 GB of free disk space on the nodes
- 1 Gbps of bandwidth between cluster components
The above requirements apply to Kaspersky Container Security deployment only; they do not take into account other loads on the client's resources.
Kaspersky Container Security user workstation requirements:
- Permanent Internet connection when deployed in a public corporate network.
- Access to the Management Console page of Kaspersky Container Security (address within customer's corporate network, specified during installation).
- Communication channels with at least 10 Mbit/s bandwidth.
- One of the following browsers:
- Google Chrome version 73 or later.
- Microsoft Edge version 79 or later.
- Mozilla Firefox version 63 or later.
- Apple Safari version 12.1 or later.
- Opera version 60 or later.
Scaling
Kaspersky Container Security can scale the number of scanning pods so that the incoming volume of images can be scanned. You can scale the number of scanning pods up or down at any time while the solution is running.
Each added scanning pod requires the following additional resources:
- Processor cores on the nodes: 2.
- RAM on the nodes: 4 GB.
- Free disk space on the nodes: 15 GB.
To scan images larger than 10 GB, the kcs-ih resources must be increased as follows per scanning pod and per GB above 10 GB:
- RAM on the nodes: 300 MB.
- Free disk space on the nodes: 1 GB.
If images are not scanned for configuration file errors in normal operation, the RAM of the scanning pods does not need to be increased.
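The three sizing rules above interact (the per-GB term is multiplied by the pod count, and its RAM part applies only when configuration files are scanned), so it is easy to under-provision by applying them separately. The following POSIX shell calculator is an added example, not part of the Kaspersky documentation or product; it applies the page's figures: a baseline of 7 cores, 15 GB RAM and 40 GB disk for three pods and 10 GB images, plus 2 cores, 4 GB RAM and 15 GB disk per extra pod, plus 300 MB RAM and 1 GB disk per pod per GB above 10 GB. Because the page gives no figures below the three-pod baseline, the function refuses fewer pods; that restriction is the example's own assumption.

```shell
#!/bin/sh
# Added example, not Kaspersky's code: cluster sizing from the figures in the
# Scaling and requirements sections. All RAM is reported in MB so the 300 MB
# per-GB increment does not need fractional GB.
# Assumption: no figures exist below the 3-pod baseline, so fewer pods are rejected.

# kcs_sizing PODS MAX_IMAGE_GB SCAN_CONFIGS -> "cores ram_mb disk_gb"
# SCAN_CONFIGS is 1 when images are also scanned for configuration file errors
# (the page says the extra RAM is only needed in that case), 0 otherwise.
kcs_sizing() {
  pods=$1; max_image_gb=${2:-10}; scan_configs=${3:-1}
  if [ "$pods" -lt 3 ]; then
    echo "no sizing data below 3 scanning pods" >&2
    return 1
  fi
  extra_pods=$((pods - 3))
  if [ "$max_image_gb" -gt 10 ]; then
    extra_gb=$((max_image_gb - 10))
  else
    extra_gb=0
  fi
  cores=$((7 + 2 * extra_pods))
  ram_mb=$(( (15 + 4 * extra_pods) * 1024 ))
  if [ "$scan_configs" -eq 1 ]; then
    ram_mb=$((ram_mb + 300 * pods * extra_gb))
  fi
  disk_gb=$((40 + 15 * extra_pods + pods * extra_gb))
  echo "$cores $ram_mb $disk_gb"
}

# Human-readable wrapper used when the script is run directly.
print_sizing() {
  out=$(kcs_sizing "$@") || return 1
  set -- $out
  echo "cores: $1, RAM: $2 MB, disk: $3 GB"
}

print_sizing 3 10 1   # the page's baseline: cores: 7, RAM: 15360 MB, disk: 40 GB
print_sizing 5 12 1   # five pods, 12 GB images, configuration files scanned
print_sizing 5 12 0   # same, without configuration-file scanning
```

The figures cover Kaspersky Container Security alone; add the other workloads on the nodes before comparing the result with the cluster's capacity.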
System packages of base images
The following operating system images are used as base images by Kaspersky Container Security:
- Alpine 3.18.4.
- Ubuntu 23.10.
- Oracle Linux 9.2.
Package management systems ("package managers") are used to manage the installation, removal, configuration, and updating of various software components. Kaspersky Container Security uses the following package managers for its base operating systems:
- For Alpine, apk.
- For Ubuntu, apt.
- For Oracle Linux, rpm.
To get information about installed system packages, use the standard orchestrator tools to open a shell in a running container and, depending on the package manager used, run the following command:
- For apk: apk -q list | grep "installed"
- For apt: apt list --installed
- For rpm: yum list installed
Working in cloud-based environments
Kaspersky Container Security can operate in various cloud environments. For more information on launching the solution in cloud environments, contact your Presales Manager.