Kaspersky Container Security

Security policies configuration

Kaspersky Container Security components use the following security policies:

  • Scanner policies determine the settings for scanning different types of resources. Scan policies use rules to detect sensitive data, as well as vulnerabilities, malware, and misconfiguration.
  • Assurance policies define Kaspersky Container Security actions to provide security if vulnerabilities, malware, sensitive data and misconfigurations detected during image scanning meet the criteria specified in the policy.
  • Response policies define the actions of the solution in case events specified in the policy occur. For example, Kaspersky Container Security can notify the user about an event.
  • Runtime policies allow you to control and, where appropriate, restrict the deployment and operation of containers on the cluster in line with your corporate security requirements.

Kaspersky Container Security applies only enabled policies during its operation. Disabled policies cannot be used during checks.

In this Help section

Scanner policies

Assurance policies

Response policies

Runtime policies

Deleting policies


Scanner policies

Scanner policy determines the settings for scanning different types of resources.

When installing Kaspersky Container Security, a default scanner policy is created; it can be applied to all resources and executed in all environments. It is called the global scan policy (default). This policy is assigned global scope by default.

You can enable, disable, or configure global scanner policy settings if your role has been assigned the rights to manage scanner policies and view the global scope.

The following actions cannot be performed on a global scanner policy:

  • Change the assigned global scope.
  • Remove the global scanner policy.

The list of configured scanner policies is displayed as a table in the Policies → Scanner policies section.

You can use the list to do the following:

  • Add new policies. Click the Add policy button located above the table to open the policy settings window.
  • Enable or disable policies by using the Disabled / Enabled toggle button in the Status column of the table.
  • Change policy settings. You can open the editing window by clicking the policy name link.

    You can also enable and disable policies in the edit window. Kaspersky Container Security does not use disabled policies when operating.

  • Configure rules for detecting sensitive data. To do this, go to the Sensitive data tab.
  • Delete policies.

In this section

Creating a scanner policy

Editing scanner policy settings

Configuration of sensitive data detection rules


Creating a scanner policy

Rights to manage scanner policy settings are required to add a scanner policy in Kaspersky Container Security.

To add a scanner policy:

  1. In the Policies → Scanner policies section, click the Add policy button.

    The policy settings window opens.

  2. Use the Disabled / Enabled toggle switch to disable the added policy, if necessary. In this case, it will be added but not applied until it is activated.

    By default, the status of a newly added scanner policy is Enabled.

  3. Enter a policy name and, if required, policy description.
  4. In the Scope field, select the scope for the scanner policy from the available options.

    If you plan to implement the policy with the global scope, one of your user roles must be granted the rights to view global scopes.

  5. In the Vulnerabilities section, configure the following settings:
    • Use the Disabled / Enabled toggle switch to enable or disable scanning against the National Vulnerability Database (NVD).
    • Use the Disabled / Enabled toggle switch to configure scanning using the Vulnerability Database (VDB).
  6. In the Malware section, use the Disabled / Enabled toggle switch to configure scanning for malware in the image as part of the File Threat Protection component.
  7. In the Misconfigurations section, use the Disabled / Enabled toggle switch to configure a scan for configuration errors.
  8. Click Save.

Editing scanner policy settings

You can edit the scanner policy settings in Kaspersky Container Security if your account has been assigned at least one role that the policy's creator had at the time of the policy's creation.

To change scanner policy settings:

  1. In the Policies → Scanner policies section, click the policy name link.

    The policy settings editing window opens.

  2. If required, use the Disable / Enable toggle switch to change the policy status (enabled / disabled).
  3. Make changes to the policy settings. The following settings are open for editing:
    • The policy's name, description, and scope.
    • Vulnerability control settings. Select the check boxes for the vulnerabilities database(s) to check images against.
    • Malware control settings. Select the check box if you need to scan images for malware and other file threats. This control is conducted by using the File Threat Protection component.
    • Misconfiguration control settings. Select the check box if you need to check images for misconfigurations. The control is conducted with the default settings configured by the Kaspersky Container Security manufacturer.
  4. Click Save.


Configuration of sensitive data detection rules

The list of configured rules for detecting sensitive data (hereinafter referred to as Secrets) during image scanning is displayed in the Policies → Scanner policies → Sensitive data section.

The rules are grouped into categories depending on the purpose and scope of secrets to be detected. The list of categories is determined by the Kaspersky Container Security manufacturer. Categories contain predefined rules.

You can use the list to do the following:

  • View and change the settings for secrets detection rules. You can open the editing window by clicking the rule ID link.
  • Add new rules to the selected category. Click the Add rule button located above the table to open the rule settings window. To add rules that do not belong to any of the preset categories, use the Other category.
  • Delete rules. Check the box next to one or more rules in the list. The delete icon is then displayed.

To change the settings of sensitive data detection rules:

  1. In the Policies → Scanner policies section, select the scanner policy in the table.
  2. In the Sensitive data section, select the necessary rules by selecting the check boxes in the rule lines.
  3. Use the Disable / Enable toggle switch in the Status column in the table with the list of policy rules to enable or disable this policy component.

    There is no Save button to click for this setting.

    Kaspersky Container Security applies the change to the sensitive data rules immediately and displays a notification confirming it. You can refresh the page to verify the new rule status.
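The following is an added example, not Kaspersky Container Security code, that models the rule behaviour described above: detection rules grouped by category, each with its own enabled/disabled status, applied to the contents of image files so that only enabled rules produce findings. The rule IDs, categories, patterns, severities and the constructed file contents are assumptions made for the example.

```python
"""Illustrative model of sensitive data (secrets) detection rules grouped by
category, each of which can be enabled or disabled; only enabled rules are
applied when image file contents are scanned.

Added example, not Kaspersky Container Security code: the rule IDs,
categories, patterns, severities and file contents are assumptions.
"""
import re
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class SecretRule:
    rule_id: str
    category: str
    pattern: re.Pattern
    severity: str
    enabled: bool = True


RULES = [
    SecretRule("private-key", "Keys",
               re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), "Critical"),
    SecretRule("aws-access-key-id", "Cloud",
               re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "High"),
    # rules that fit no predefined category go into the Other category
    SecretRule("generic-password", "Other",
               re.compile(r"(?i)password\s*[=:]\s*['\"]?[^\s'\"]{8,}"), "Medium"),
]


def set_rule_status(rules, rule_id, enabled):
    """Return a copy of the rule list with one rule toggled, mirroring the Status switch."""
    return [replace(r, enabled=enabled) if r.rule_id == rule_id else r for r in rules]


def scan_files(files, rules):
    """Apply every enabled rule to each line of each file.

    A finding records where the secret was found, never the matched value
    itself, so the scan report does not become a second copy of the secret.
    """
    findings = []
    for path, content in files.items():
        for rule in rules:
            if not rule.enabled:
                continue
            for lineno, line in enumerate(content.splitlines(), 1):
                if rule.pattern.search(line):
                    findings.append({"rule": rule.rule_id, "category": rule.category,
                                     "severity": rule.severity, "path": path, "line": lineno})
    return findings


# Constructed image file contents for the example (the AWS key is the documented example value).
SAMPLE_FILES = {
    "/root/.ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEexample\n-----END RSA PRIVATE KEY-----\n",
    "/root/.aws/credentials": "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
    "/app/config.env": "DB_HOST=db\nDB_PASSWORD=hunter2hunter2\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES, RULES):
        print(f"{f['severity']:8} {f['category']:6} {f['rule']:18} {f['path']}:{f['line']}")
    without_password_rule = set_rule_status(RULES, "generic-password", False)
    print("findings with generic-password disabled:",
          len(scan_files(SAMPLE_FILES, without_password_rule)))
```

Disabling a rule takes it out of the scan without removing it, which is the same distinction the Status toggle makes in the rule table.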


Assurance policies

Assurance policy defines Kaspersky Container Security actions to provide security if threats detected during image scanning meet the criteria specified in the policy.

The configured assurance policies are displayed as a table in the Policies → Assurance policies section.

You can use the list to do the following:

  • Add new policies. Click the Add policy button located above the table to open the policy settings window.
  • Change policy settings. You can open the editing window by clicking the policy name link.
  • Enable and disable policies. Policies are disabled and enabled by using the Disable/Enable toggle button in the Status column of the table containing the list of created policies.
  • Delete policies.

If you add an assurance policy, modify its settings, or delete a policy, the compliance status is reviewed (Compliant / Non-compliant) for the images to which the policy is applied.

In this section

Creating an assurance policy

Editing assurance policy settings


Creating an assurance policy

Rights to manage assurance policy settings are required to add an assurance policy in Kaspersky Container Security.

To add an assurance policy:

  1. In the Policies → Assurance policies section, click the Add policy button.

    The policy settings window opens.

  2. Enter a policy name and, if required, policy description.
  3. In the Scope field, select the scope for the assurance policy from the available options.

    If you plan to implement the policy with the global scope, one of your user roles must be granted the rights to view global scopes.

  4. Specify the actions that Kaspersky Container Security should perform in accordance with the policy:
    • Fail CI/CD step—if Kaspersky Container Security scanner detects threats while scanning the image in the CI/CD pipeline matching the severity level specified in the policy, the scanning ends with an error (Failed). This result is transferred to the CI system.
    • Label images as non-compliant—Kaspersky Container Security labels images containing detected threats that meet the criteria specified in the policy.
  5. In the Vulnerability level section, configure the following settings:
    • Use the Disabled / Enabled toggle switch to configure the scan based on the vulnerability severity level.
    • Set the assigned severity level based on the vulnerability databases. You can select it from the Severity level drop-down list or specify a severity score from 0 to 10.
    • Use the Disabled / Enabled toggle switch to configure blocking in case of specific vulnerabilities and specify these vulnerabilities in the Vulnerabilities field.
  6. In the Malware section, use the Disabled / Enabled toggle switch to configure scanning for malware in the image.
  7. In the Misconfigurations section, configure the following settings:
    • Use the Disabled / Enabled toggle switch to configure the scan based on the misconfiguration severity level.
    • Select the misconfiguration severity level from the Severity level drop-down list.

      The severity level is assigned based on the vulnerability databases.

  8. In the Sensitive data section, configure the following settings:
    • Use the Disabled / Enabled toggle switch to configure the scan based on the sensitive data severity level.
    • Select the sensitive data severity level from the Severity level drop-down list.

      The severity level is assigned based on the vulnerability databases.

  9. Click Save.

By default, the added policy is Enabled.
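As an added example that is not part of Kaspersky Container Security, the following code models how the settings configured in the steps above combine into a verdict: a vulnerability severity level or CVSS score threshold, a list of specific vulnerabilities, malware, and misconfiguration and sensitive data severity levels, together with the two actions (Fail CI/CD step and Label images as non-compliant). The field names, the CVSS-to-severity mapping and the sample scan are assumptions made for the example.

```python
"""Illustrative evaluation of an assurance policy against image scan findings.

Added example, not Kaspersky Container Security code. The field names, the
CVSS-to-severity mapping and the sample scan result are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def cvss_to_severity(score: float) -> str:
    """CVSS v3.x qualitative rating scale (assumed to match the solution's mapping)."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class AssurancePolicy:
    name: str
    fail_ci_step: bool = True                  # action: Fail CI/CD step
    label_non_compliant: bool = True           # action: Label images as non-compliant
    vuln_severity: Optional[str] = None        # e.g. "High": High or Critical findings trigger
    vuln_score: Optional[float] = None         # alternative threshold on the CVSS score, 0..10
    blocked_vulns: frozenset = frozenset()     # specific vulnerability IDs that always trigger
    block_malware: bool = False
    misconfig_severity: Optional[str] = None
    secret_severity: Optional[str] = None


@dataclass
class ScanResult:
    vulnerabilities: list      # (vulnerability id, CVSS score)
    malware: list              # detection names
    misconfigurations: list    # (check id, severity)
    secrets: list              # (rule id, severity)


def meets(severity: str, threshold: Optional[str]) -> bool:
    """True when the check is enabled (threshold set) and severity is at or above it."""
    return threshold is not None and SEVERITY_RANK[severity] >= SEVERITY_RANK[threshold]


def evaluate(policy: AssurancePolicy, scan: ScanResult) -> dict:
    """Return the compliance status, the CI exit code and the reasons behind them."""
    reasons = []
    for vid, score in scan.vulnerabilities:
        if vid in policy.blocked_vulns:
            reasons.append(f"{vid} is in the blocked vulnerabilities list")
        elif policy.vuln_score is not None and score >= policy.vuln_score:
            reasons.append(f"{vid} CVSS {score} >= {policy.vuln_score}")
        elif meets(cvss_to_severity(score), policy.vuln_severity):
            reasons.append(f"{vid} is {cvss_to_severity(score)}")
    if policy.block_malware and scan.malware:
        reasons.append("malware: " + ", ".join(scan.malware))
    reasons += [f"misconfiguration {c} ({s})" for c, s in scan.misconfigurations
                if meets(s, policy.misconfig_severity)]
    reasons += [f"sensitive data {r} ({s})" for r, s in scan.secrets
                if meets(s, policy.secret_severity)]
    violated = bool(reasons)
    return {
        "status": "Non-compliant" if violated else "Compliant",
        "ci_exit_code": 1 if violated and policy.fail_ci_step else 0,
        "label_applied": violated and policy.label_non_compliant,
        "reasons": reasons,
    }


# Constructed sample scan; the vulnerability and check IDs are placeholders, not real ones.
SAMPLE_SCAN = ScanResult(
    vulnerabilities=[("VULN-A", 9.8), ("VULN-B", 5.3)],
    malware=[],
    misconfigurations=[("CHECK-1", "High")],
    secrets=[("aws-access-key-id", "Critical")],
)
PROD_GATE = AssurancePolicy(
    name="prod-gate",
    vuln_severity="High",
    blocked_vulns=frozenset({"VULN-B"}),
    misconfig_severity="Critical",
    secret_severity="High",
)

if __name__ == "__main__":
    verdict = evaluate(PROD_GATE, SAMPLE_SCAN)
    print(verdict["status"], "exit code", verdict["ci_exit_code"])
    for reason in verdict["reasons"]:
        print(" -", reason)
```

With the sample policy, VULN-B is reported even though its score is only Medium, because an entry in the specific vulnerabilities list overrides the severity threshold; the High misconfiguration is not reported because the misconfiguration threshold is Critical.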


Editing assurance policy settings

You can edit the assurance policy settings in Kaspersky Container Security if your account has been assigned at least one role that the policy's creator had at the time of the policy's creation.

To change assurance policy settings:

  1. In the Policies → Assurance policies section, click the policy name in the list of existing assurance policies.

    The policy settings window opens.

  2. Make changes to the relevant policy settings:
    • The policy's name, description, and scope.
    • Actions of the solution in accordance with this policy.
    • Required scans.
    • Severity level of vulnerabilities detected during scans.
    • The list of specific vulnerabilities whose presence blocks an image.
  3. Click Save.

Response policies

Response policy defines the actions of the solution in the case that events specified in the policy occur. For example, Kaspersky Container Security can notify the user about the detected threats.

If you want to configure response policies to notify the user, you should first set up integration with notification outputs.

The configured response policies are displayed as a table in the Policies → Response policies section.

You can use the list to do the following:

  • Add new policies. Click the Add policy button located above the table to open the policy settings window.
  • Change policy settings. You can open the editing window by clicking the policy name link.
  • Enable and disable policies. Policies are disabled and enabled by using the Disable/Enable toggle button in the Status column of the table containing the list of created policies.

    If you disable a policy, Kaspersky Container Security will not perform the actions specified in that policy.

  • Search for policies. To find a policy, use the search field above the list of response policies to specify the policy name or part of it.
  • Delete policies.

In this version of the solution, response policies define only the actions that Kaspersky Container Security takes to notify the user when a specific event detailed in the policy occurs. For example, if an object with a critical vulnerability is detected, the solution can send an email notification to the user.

In this section

Creating a response policy

Editing response policy settings


Creating a response policy

Rights to manage response policy settings are required to add a response policy in Kaspersky Container Security.

To add a response policy:

  1. In the Policies → Response policies section, click the Add policy button.

    The policy settings window opens.

  2. Enter a policy name and, if required, policy description.
  3. In the Scope field, select the scope for the response policy from the available options.

    If you plan to implement the policy with the global scope, one of your user roles must be granted the rights to view global scopes.

  4. In the Trigger field, use the drop-down list to select an event that will trigger Kaspersky Container Security to notify the user if this event occurs during a scan. One of the following events can be selected as a trigger event:
    • Sensitive data. A notification is sent if the solution detects signs of exposed sensitive data in an object during a scan.
    • Non-compliant. Kaspersky Container Security notifies you if a scanned object contains images that do not comply with the requirements of security policies.
    • Critical vulnerabilities. A notification is sent if a scanned object contains vulnerabilities with Critical status.
    • Malware. A notification is sent if a scan finds malware.
    • Risk acceptance expiration. Kaspersky Container Security notifies you if a scanned object contains risks that you had previously accepted but the risk acceptance period has expired.
  5. Configure the required notification methods:
    1. Select an Output: Email or Telegram.
    2. From the drop-down list in the Integration name field, select the name of the pre-configured integration with the selected notification output.
    3. To add another notification method, click the Add button and fill in the fields as described in the two previous steps.
    4. If needed, you can remove the added notification methods by clicking the icon located to the right of the Integration name field.
  6. Click Save.

By default, the added policy is Enabled.


Editing response policy settings

You can edit the response policy settings in Kaspersky Container Security if your account has been assigned at least one role that the policy's creator had at the time of the policy's creation.

To change response policy settings:

  1. In the Policies → Response policies section, click the policy name in the list of existing response policies.

    The policy settings window opens.

  2. If necessary, make changes to the relevant policy settings:
    • Change the policy name.
    • Add or edit the policy description.
    • Add or edit the policy scope.
    • Change the trigger event by selecting it from the drop-down list.
    • Add an output by clicking the Add button.
    • Delete an output by clicking the delete icon located next to the line of the selected output.
  3. Click Save.


Runtime policies

A runtime policy determines the actions that are taken by the solution when monitoring and controlling runtime operations of containers in accordance with the security policies. Kaspersky Container Security maintains control based on security threats detected in an image, the severity level of these threats, and the availability of

.

Containers in the runtime may run from verified images or from images that are still unknown to the solution.

The configured runtime policies are displayed as a table in the Policies → Runtime policies section.

You can use the list to do the following:

  • Add new policies. Click the Add policy button located above the table to open the policy settings window.
  • Change policy settings. You can open the editing window by clicking the policy name link.
  • Enable and disable policies. Policies are disabled and enabled by using the Disable/Enable toggle button in the Status column of the table containing the list of created policies.

    If you disable a policy, Kaspersky Container Security will not perform the actions specified in that policy.

  • Search for policies. To find a policy, use the search field above the list of runtime policies to specify the policy name or part of it.
  • Delete policies.

To work optimally, a runtime policy must be supplemented by runtime container profiles, which define the rules and restrictions for running containers in the runtime environment.

In this section

Creating a runtime policy

Editing runtime policy settings


Creating a runtime policy

Rights to manage runtime policy settings are required to add a runtime policy in Kaspersky Container Security.

To add a runtime policy:

  1. In the Policies → Runtime policies section, click the Add policy button.

    The policy settings window opens.

  2. Enter a policy name and, if required, policy description.
  3. In the Scope field, select the scope for the runtime policy from the available options. Because runtime policies apply only to deployed or running containers, only scopes that contain cluster resources can be selected.

    Scopes containing only registry resources are not available for selection. If necessary, you can specify individual images and pods for the runtime policy that you are creating in the Container runtime profiles section, as specified in step 10.

    If you plan to implement the policy with the global scope, one of your user roles must be granted the rights to view global scopes.

  4. If necessary, select the Exclusions check box to define exclusions to which the runtime policy will not be applied. To do so, select the relevant objects in the drop-down list, specify their names, and then click Add.

    Existing exclusions in the policy are checked when deploying a container.

  5. In the Mode section, select one of the following policy enforcement modes:
    • Audit. In this mode, the solution records violations of the policy rules by the checked objects but does not block them.
    • Enforce. In this mode, the solution blocks all objects that do not comply with the rules and criteria defined in the policy.
  6. In the Best practice check section, use the Disabled / Enabled toggle switch to activate the scan for compliance with best security practices. From the list of settings, select the scan settings that guarantee that the correct image is run and that the CPU and RAM usage settings are correctly configured.
  7. In the Block non-compliant images section, use the Disabled / Enabled toggle switch to prevent containers from running from images that do not comply with the assurance policy requirements. This check applies only to images that have been scanned and registered in the solution and therefore have a compliance status; images that are unknown to the solution are handled by the Block unregistered images setting.
  8. In the Block unregistered images section, use the Disabled / Enabled toggle switch to block image deployment if the image is unknown to Kaspersky Container Security. To deploy the image, you must register it in the solution and wait for it to appear in the registry.
  9. In the Capabilities block section, use the Disabled / Enabled toggle switch to block the use of specified Linux capabilities by containers. To do so, select the capabilities from the drop-down list. You can also block all capabilities by selecting ALL from the drop-down list.
  10. In the Container runtime profiles section, use the Disabled / Enabled toggle switch to block processes inside containers and network connections for pods. To do this, perform the following actions:
    1. In the drop-down list, select an attribute to define the pods that the container runtime profiles will be applied to.
    2. Depending on the selected attribute, do the following:
      • If you selected By pod labels, enter the pod label key and the pod label value.

        You can add additional pod labels for pod selection by clicking the Add label pair button.

      • If you selected Image URL template, enter the template for the web address of the image registry.

        If the cluster contains images from the public Docker Hub registry, the solution treats the full path and the short path to an image as equivalent. For example, an image specified in the cluster as docker.io/library/ubuntu:focal also matches a template written as ubuntu:focal.

        You can add additional web addresses for pod selection by clicking the Add Image URL button.

    3. In the Runtime profile field, specify one or more runtime profiles that will be applied to pods that match the attributes you defined.
    4. If necessary, you can add pods for mapping using the Add pod mapping button. Pods with different attributes or applied runtime profiles will be mapped under the same runtime policy.
  11. In the Image content protection section, use the Disabled / Enabled toggle switch to enable verification of digital signatures that confirm the integrity and origin of images in the container. To do this, perform the following actions:
    1. In the Image registry URL template field, enter the template for the web address of the image registry in which you want to verify signatures.
    2. In the drop-down list, select Check to enable verification or Don't check to disable verification.
    3. In the drop-down list, select one of the configured image signature validators.
    4. If necessary, add signature verification rules by using the Add signature verification rule button. The solution will apply multiple signature verification rules under a single runtime policy.
  12. In the Limit container privileges section, use the Disabled / Enabled toggle switch to block the start of containers with a specific set of rights and permissions. In the list of settings, select the rights and permissions configuration to lock pod settings.
  13. In the Registries allowed section, use the Disabled / Enabled toggle switch to allow deployment of containers in a cluster only from specific registries. To do so, select the relevant registries from the Registries drop-down list.
  14. In the Volumes blocked section, use the Disabled / Enabled toggle switch to prevent the selected volumes from being mounted in containers. To do this, specify the volume mount points on the host system in the Volumes field.

    The Volumes field must begin with a forward slash ("/") because this represents the operating system path.

  15. Click Save.

By default, the added policy is Enabled.
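The following is an added example, not Kaspersky Container Security code, showing the kind of admission checks the runtime policy sections above describe: Registries allowed, Volumes blocked, Capabilities block and Limit container privileges, evaluated in Audit or Enforce mode against a pod specification, plus the short/long Docker Hub image path equivalence that Image URL templates rely on. The policy dictionary layout, the particular privilege checks, the wildcard template syntax and the sample pod manifest are assumptions made for the example.

```python
"""Illustrative admission checks modelled on the runtime policy settings above.

Added example, not Kaspersky Container Security code: the policy layout,
the privilege checks, the '*' template syntax and the sample pod are assumptions.
"""
from fnmatch import fnmatch


def normalize_image_ref(ref: str) -> str:
    """Canonical long form: registry/repository:tag or registry/repository@digest.

    'ubuntu:focal' and 'docker.io/library/ubuntu:focal' both normalize to the
    latter, which is the equivalence the Image URL template step relies on.
    """
    name, at, digest = ref.partition("@")
    slash, colon = name.rfind("/"), name.rfind(":")
    if colon > slash:            # a ':' after the last '/' is a tag, not a registry port
        name, tag = name[:colon], name[colon + 1:]
    else:
        tag = "latest"
    parts = name.split("/")
    # the first component is a registry only if it looks like a host (dot, port or localhost)
    if len(parts) == 1 or (not any(c in parts[0] for c in ".:") and parts[0] != "localhost"):
        parts.insert(0, "docker.io")
    if parts[0] == "docker.io" and len(parts) == 2:   # official images live under library/
        parts.insert(1, "library")
    return "/".join(parts) + (at + digest if at else ":" + tag)


def image_matches_template(image: str, template: str) -> bool:
    """Match an image against an Image URL template ('*' wildcard assumed)."""
    image = normalize_image_ref(image)
    return fnmatch(image, template) if "*" in template else image == normalize_image_ref(template)


def evaluate_pod(policy: dict, pod: dict) -> dict:
    """Return the violations found and the admission decision for the policy mode."""
    violations = []
    spec = pod["spec"]
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path and any(path == b or path.startswith(b.rstrip("/") + "/")
                        for b in policy["volumes_blocked"]):
            violations.append(f"volume {vol['name']}: blocked host path {path}")
    if policy["limit_privileges"] and (spec.get("hostNetwork") or spec.get("hostPID")):
        violations.append("pod shares the host network or PID namespace")
    for c in spec["containers"]:
        image = normalize_image_ref(c["image"])
        if policy["registries_allowed"] and image.split("/")[0] not in policy["registries_allowed"]:
            violations.append(f"{c['name']}: {image} is not from an allowed registry")
        sc = c.get("securityContext", {})
        added = set(sc.get("capabilities", {}).get("add", []))
        blocked = policy["capabilities_blocked"]
        hit = added if "ALL" in blocked else added & blocked
        if hit:
            violations.append(f"{c['name']}: adds blocked capabilities {sorted(hit)}")
        if policy["limit_privileges"]:
            if sc.get("privileged"):
                violations.append(f"{c['name']}: privileged container")
            if sc.get("runAsUser") == 0 or sc.get("runAsNonRoot") is False:
                violations.append(f"{c['name']}: runs as root")
    # Audit only records violations; Enforce turns them into a denial
    decision = "deny" if violations and policy["mode"] == "Enforce" else "allow"
    return {"decision": decision, "violations": violations}


# Constructed policy and pod manifest for the example (not real cluster objects).
POLICY = {
    "mode": "Enforce",
    "registries_allowed": {"registry.example.com"},
    "volumes_blocked": {"/var/run", "/etc"},            # host paths, so they start with "/"
    "capabilities_blocked": {"SYS_ADMIN", "NET_ADMIN"},
    "limit_privileges": True,
}
SAMPLE_POD = {
    "metadata": {"name": "debug-shell", "labels": {"app": "debug"}},
    "spec": {
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "shell",
            "image": "ubuntu:focal",                    # short Docker Hub path
            "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
        }],
    },
}

if __name__ == "__main__":
    result = evaluate_pod(POLICY, SAMPLE_POD)
    print(result["decision"])
    for v in result["violations"]:
        print(" -", v)
```

Switching the same policy to Audit mode leaves the violation list unchanged and only changes the decision, which is why Audit is the safer first step when rolling a new runtime policy out to a cluster.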


Editing runtime policy settings

You can edit the runtime policy settings in Kaspersky Container Security if your account has been assigned at least one role that the policy's creator had at the time of the policy's creation.

To change runtime control policy settings:

  1. In the Policies → Runtime policies section, click the policy name in the list of existing runtime policies.

    The policy settings window opens.

  2. Change the policy name.
  3. Add or edit the policy description.
  4. Make changes to the relevant sections of the policy:
    • Mode.
    • Scope.
    • Exclusions (the objects to which the policy is not applied).
    • Best practice check.
    • Block non-compliant images.
    • Block unregistered images.
    • Capabilities block.
    • Limit container privileges.
    • Registries allowed.
    • Volumes blocked.
  5. Click Save.

Deleting policies

You can delete security policies if your account has been assigned at least one role that the policy's creator had at the time of the policy's creation. You also need rights to manage the corresponding types of policies in order to delete them.

To delete a policy:

  1. Open the list of configured scanner policies, assurance policies, response policies or runtime policies.
  2. In the line containing the name of the policy that you want to delete, click the delete icon.
  3. In the window that opens, confirm the action.

If security policy configuration errors block Kaspersky Container Security and you cannot manage the solution using the Management Console, the security policies must be deleted manually.

To manually delete a policy and recover the solution:

  1. Run the following command to remove the agents (kube-agent and node-agent) as applicable:

    kubectl delete deployment kube-agent

    kubectl delete daemonset node-agent

  2. Delete the solution's custom resources in the target cluster by running the following command:

    kubectl get crd -o name | grep 'kcssecurityprofiles.securityprobe.kcs.com' | xargs kubectl delete

  3. Restart all Kaspersky Container Security pods and access the Management Console.
  4. Make the necessary changes to the security policies.
  5. Reinstall the agents using the YAML manifest.
