Managing runtime autoprofiles
Kaspersky Container Security can monitor processes, network traffic, and file operations in containers, and then use the obtained information to automatically generate container runtime profiles. The autoprofiling process is performed within a time interval set by the user and within the selected scope. Such a scope can be a cluster, a namespace, or a pod.
The content of an automatically generated profile (autoprofile) depends on the agent group's node monitoring settings. To start autoprofiling, you need to activate the monitoring settings for network connections, processes being started, and file operations of containers for the corresponding agent group.
The autoprofile is made unique by a combination of three settings: the name of the cluster, the name of the namespace, and the image digest. Accordingly, within one namespace, an autoprofile is generated for all containers with the selected build of an image.
Creating a runtime autoprofile
We recommend that you restart the pods after autoprofiling begins so that the solution records the start of the pods in its rules. This will prevent pods from being incorrectly blocked when they restart.
Kaspersky Container Security allows creating autoprofiles at three levels:
- At the cluster level
- At the namespace level
- At the pod level
At the cluster and namespace level, you can create an autoprofile using a table with a list of clusters or namespaces, or from a graph of objects within a cluster. At the pod level, an autoprofile can only be created using the table.
To create a container runtime autoprofile using the table with a list of objects:
- Go to Resources → Clusters.
- Follow these steps depending on the level at which you are creating an autoprofile:
- If you want to create an autoprofile at the cluster level, in the cluster table, select check boxes for one or more clusters.
- If you want to create an autoprofile at the namespace level, follow these steps:
- Click the name of the cluster in the cluster table.
- On the Table tab, in the table that lists the namespaces in the cluster, use the check box to select one or more namespaces.
- If you want to create an autoprofile at the pod level, follow these steps:
- Click the name of the cluster in the cluster table.
- Click the name of the namespace in the table of namespaces in the cluster.
- In the displayed sidebar, select the Pods and containers tab, and in the table of pods within the namespace, select check boxes for one or more pods.
Make sure that the autoprofiling process is not running in the selected objects. If the process is running, the solution will not allow another autoprofiling task to start.
- Click the Build autoprofile button above the table.
In a cluster, you can run only one autoprofile creation task at a time. The solution will allow a new autoprofiling task only after the previous task has finished or has been stopped.
- This opens a window; in that window, specify the duration of autoprofiling. This duration can be 1 to 1440 minutes.
The default setting is 60 minutes.
- Click Start.
In the Autoprofiles column of the table of objects (clusters, namespaces, or pods), the solution displays the time remaining until the end of autoprofiling for that object or the number of autoprofiles created for the object.
To create a container runtime autoprofile from a graph:
- Go to Resources → Clusters.
- Follow these steps on the Graph view tab, according to the level at which you are creating an autoprofile:
- If you want to create an autoprofile at the cluster level, left-click on the cluster icon on a namespace graph.
- If you want to create an autoprofile at the namespace level, follow these steps:
- Double-click to expand the group of namespaces within the cluster on the graph.
- In the namespace graph, left-click on the icon of the namespace you are interested in.
- In the menu that opens, select Build autoprofile.
If the autoprofiling process is already running in the cluster, you will not be able to select Build autoprofile. If you have the appropriate rights, you can stop the creation of an autoprofile in the selected cluster by selecting Stop autoprofiling in the menu. Alternatively, wait for the previously started autoprofiling task to complete. The solution allows running only one autoprofiling task at a time in a cluster.
- This opens a window; in that window, specify the duration of autoprofiling. This duration can be 1 to 1440 minutes.
The default setting is 60 minutes.
- Click Start.
The created runtime autoprofiles are displayed in the Policies → Runtime policies → Autoprofiles section.
Viewing the list of runtime autoprofiles
Kaspersky Container Security displays a list of all created runtime autoprofiles in the table under Policies → Runtime → Autoprofiles. The following information is displayed for each autoprofile:
- The name of the autoprofile, which is a concatenation of the following data:
- Pod name.
- Namespace name.
- Cluster name.
- The first 12 characters of the image checksum (after the SHA256 prefix).
These components of the autoprofile name are separated by underscores (for example, kube-company_sampled-operations_docker-cluster__9a74fc18ee07).
- The status of the autoprofile with regard to its verification by the user: Verified or Not verified. By default, an autoprofile is created with the Not verified status.
If necessary, you can use the Verified/Not verified toggle switch to change the status of the autoprofile in the table. You can also assign the Verified status to one or more autoprofiles by clicking the Verify button above the table.
Only autoprofiles with the Verified status can be applied.
- Date and time of the last modification.
- The cluster and namespace that the autoprofile is based on.
- The image whose checksum the autoprofile was based on.
Kaspersky Container Security also displays a list of autoprofiles for each image whose digest was used to create the autoprofiles.
To view a list of autoprofiles created for an image:
- Go to Resources → Registries.
- In the desired registry, click the icon that expands the list of images in the registry. Images used to create autoprofiles are marked with the autoprofiling icon.
- Click the name of an image to go to the page with detailed information about the scan results for this image.
The list of all autoprofiles for the image is presented as a table in the Associated autoprofiles section. The following information is displayed for each autoprofile:
- Autoprofile name. Click the name of an autoprofile to open a window with a detailed description of the autoprofile. The information in this window is read-only.
- Date and time of the last modification.
- The cluster and namespace that the autoprofile is based on.
Viewing runtime autoprofile settings
To view autoprofile parameters:
- In Policies → Runtime policies → Autoprofiles section, click the name of the autoprofile in the list of created container runtime autoprofiles.
- In the displayed sidebar, General and Building parameters tabs contain information about the parameters of the selected autoprofile. The General tab displays the following:
- Autoprofile status.
- Name of the runtime autoprofile.
- Description of the runtime autoprofile, if it was specified manually. By default, no description is added when autoprofiling.
- Under Parameters, you can view the parameters of the following modules:
- File threat protection.
- Restrict container executable files.
- Restrict inbound network connections.
- Restrict outbound network connections.
- File operations.
If necessary, you can make changes to the autoprofile parameters.
The Building parameters tab displays the following data:
- Name of the runtime autoprofile.
- Date and time of the last modification of the autoprofile.
- Name of the user that initiated the creation of the autoprofile.
- Image checksum, namespace, and cluster the autoprofile was based on.
- Name of the image whose checksum the autoprofile was based on. You can view the scan results for this image by clicking the image name.
Editing runtime autoprofile settings
To edit autoprofile parameters:
- In Policies → Runtime policies → Autoprofiles section, click the name of the autoprofile in the list of created container runtime autoprofiles.
- If necessary, in the displayed sidebar, on the General information tab, edit the values of one, multiple, or all of the following parameters:
- Autoprofile status. Use the Verified/Not verified toggle switch to change the autoprofile status to Verified or Not verified.
- Name of the runtime autoprofile. You can specify a custom autoprofile name to replace the name automatically generated by the solution.
- Description of the runtime autoprofile. By default, no description is added when autoprofiling.
- Under Parameters, edit the network status monitoring parameters as follows:
- File threat protection. If necessary, use the Disabled/Enabled toggle switch to enable or disable File Threat Protection. By default, the settings under File Threat Protection are disabled.
- Restrict container executable files. You can specify specific file names and paths to block, as well as specify exceptions.
If processes are running inside containers in the relevant build, the solution performs the following actions:
- When events are detected in processes in Audit and Enforce mode, the solution activates the Block specified executable files setting and all unique paths are indicated in the Executables or path field.
- If there are no events in processes in Audit and Enforce mode, the solution applies the Block all executable files setting.
- If it detects events other than the above, the solution activates the Allow exclusions setting and specifies all unique path values in the Executables or path field.
- Restrict inbound network connections. If necessary, you can use the Disabled/Enabled toggle switch to disable the ability to restrict inbound connections of the container.
If inbound traffic is observed in containers in the relevant build, the solution performs the following actions:
- When events related to inbound connections are detected in Audit and Enforce mode, the solution activates the Restrict inbound network connections setting.
- If there are no events related to inbound traffic in Audit and Enforce mode, or if other events are detected, the solution activates the Allow exclusions option. The Sources, TCP ports and UDP ports fields contain all the unique recipients of inbound connections.
- Restrict outbound network connections. If necessary, you can use the Disabled/Enabled toggle switch to disable the ability to restrict outbound connections of the container.
If outbound traffic is observed in containers in the relevant build, the solution performs the following actions:
- When events related to outbound connections are detected in Audit and Enforce mode, the solution activates the Restrict outbound network connections setting.
- If there are no events related to inbound traffic in Audit and Enforce mode, or if other events are detected, the solution activates the Allow exclusions option. The Sources, TCP ports and UDP ports fields specify all unique outbound connection sources.
- File operations. You can edit the settings for monitoring file operations in the container.
If actions are observed inside the containers in the relevant build, upon detection of file management events in Audit and Enforce mode, the solution activates the File operations setting. In this case, all unique paths are indicated in the Path field, and the check boxes of all detected operation types are selected in the Operation type field.
You can also click Add rule to add rules to be applied when monitoring file operations.
If a setting is enabled in the Settings section, the solution determines the specific build of the image and scans all containers deployed from that build.
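The following Python model is an added example, not Kaspersky Container Security code: it ties together the autoprofile identity described earlier (cluster, namespace and the first 12 characters of the image digest) with the way the settings above are derived from events observed during the profiling window (unique executable paths, unique inbound sources and ports, unique file paths and operation types, and "Block all executable files" when no process events were seen). The event field names, the image reference format and the sample events are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

SHORT_DIGEST_LEN = 12  # autoprofile names carry the first 12 hex characters after "sha256:"


def short_digest(image_ref: str) -> str:
    """Return the 12-character digest prefix of a reference like
    'registry.example/app@sha256:<64 hex>' (reference format is an assumption)."""
    _, sep, digest = image_ref.rpartition("@sha256:")
    if not sep or len(digest) < SHORT_DIGEST_LEN:
        raise ValueError(f"image reference has no sha256 digest: {image_ref!r}")
    return digest[:SHORT_DIGEST_LEN]


def autoprofile_key(cluster: str, namespace: str, image_ref: str) -> tuple:
    """An autoprofile is unique per cluster, namespace and image build (digest):
    the same tag rebuilt with a new digest gets a separate autoprofile."""
    return (cluster, namespace, short_digest(image_ref))


@dataclass
class Profile:
    """Settings named on the page; empty sets mean nothing was observed."""
    block_all_executables: bool = True                 # "Block all executable files"
    executables: set = field(default_factory=set)      # "Executables or path"
    inbound_sources: set = field(default_factory=set)  # "Sources"
    inbound_tcp_ports: set = field(default_factory=set)
    inbound_udp_ports: set = field(default_factory=set)
    file_paths: set = field(default_factory=set)       # "Path"
    file_operations: set = field(default_factory=set)  # "Operation type"


def learn_profiles(events: list) -> dict:
    """Group events observed in the profiling window by autoprofile key and
    reduce each group to the unique values the autoprofile settings hold."""
    profiles = defaultdict(Profile)
    for ev in events:
        p = profiles[autoprofile_key(ev["cluster"], ev["namespace"], ev["image"])]
        if ev["kind"] == "process":     # process events -> "Block specified executable files"
            p.block_all_executables = False
            p.executables.add(ev["path"])
        elif ev["kind"] == "inbound":   # inbound connections -> unique sources and ports
            p.inbound_sources.add(ev["source"])
            ports = p.inbound_tcp_ports if ev["proto"] == "tcp" else p.inbound_udp_ports
            ports.add(ev["port"])
        elif ev["kind"] == "file":      # file operations -> unique paths and operation types
            p.file_paths.add(ev["path"])
            p.file_operations.add(ev["op"])
    return dict(profiles)


# Constructed sample events: two pods of one build and one pod of a rebuilt image.
IMG_V1 = "registry.example/shop/api@sha256:9a74fc18ee07" + "0" * 52
IMG_V2 = "registry.example/shop/api@sha256:b1c2d3e4f5a6" + "0" * 52
SAMPLE_EVENTS = [
    {"cluster": "docker-cluster", "namespace": "shop", "image": IMG_V1, "kind": "process", "path": "/usr/bin/api"},
    {"cluster": "docker-cluster", "namespace": "shop", "image": IMG_V1, "kind": "process", "path": "/usr/bin/api"},
    {"cluster": "docker-cluster", "namespace": "shop", "image": IMG_V1, "kind": "inbound", "source": "10.0.0.5", "proto": "tcp", "port": 8080},
    {"cluster": "docker-cluster", "namespace": "shop", "image": IMG_V1, "kind": "file", "path": "/var/log/api.log", "op": "write"},
    {"cluster": "docker-cluster", "namespace": "shop", "image": IMG_V2, "kind": "inbound", "source": "10.0.0.9", "proto": "udp", "port": 9125},
]
```

Running `learn_profiles(SAMPLE_EVENTS)` yields two profiles, because the rebuilt image has a different digest even though cluster and namespace are the same.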
- Save changes to the autoprofile by doing one of the following:
- To save without changing the autoprofile status to Verified, click Save.
- To save and change the status of the autoprofile to Verified, click Save and verify.
Stopping autoprofiling
If an autoprofile task is running in the selected cluster, Kaspersky Container Security displays the time remaining until the process completes:
- in the Autoprofiles column of the table with the list of clusters
- in the Autoprofiles column of the table with the list of namespaces in the cluster
- in the Autoprofiles column of the table with the list of pods in the selected namespace in the cluster.
You can stop a running autoprofiling process at three levels:
- At the cluster level
- At the namespace level
- At the pod level
At the cluster and namespace level, you can stop creating an autoprofile using a table with a list of clusters or namespaces, or from a graph of objects within a cluster. At the pod level, autoprofiling can only be stopped using the table.
Autoprofiling can be stopped for the entire profiled object (cluster, namespace, or pod) or for specific entities within the profiled object (for example, for selected namespaces or pods).
You can stop a running autoprofiling process if you have the necessary rights.
Stopping an autoprofiling task
To stop running an autoprofiling task using the table with a list of objects:
- Go to Resources → Clusters.
- Follow these steps depending on the level at which you are stopping the autoprofiling:
- If you want to stop autoprofiling at the cluster level, use the check box to select one or more clusters for which the autoprofiling task has been started.
- If you want to stop autoprofiling at the namespace level, follow these steps:
- Click the name of the cluster in the cluster table.
- On the Table tab, in the table that lists the namespaces in the cluster, use the check box to select one or more namespaces for which the autoprofiling task has been started.
- If you want to stop autoprofiling at the pod level, do the following:
- Click the name of the cluster in the cluster table.
- Click the name of the namespace in the table of namespaces in the cluster.
- In the displayed sidebar, select the Pods and containers tab, and in the table of pods within the namespace, select check boxes for one or more pods for which the autoprofiling task has been started.
- Click the Stop autoprofiling button located above the table.
If the list of selected objects includes a cluster, namespace, or subcluster where the autoprofiling process has not been started, the Stop autoprofiling button becomes inactive.
- Click the Stop button to confirm stopping the autoprofiling process.
To stop an autoprofiling task from a graph:
- Go to Resources → Clusters.
- Do the following on the Graph view tab, depending on the level at which you are stopping the autoprofiling task:
- If you want to stop an autoprofiling task at the cluster level, left-click on the cluster icon on a namespace graph.
- If you want to stop an autoprofiling task at the namespace level, do the following:
- Double-click to expand the group of namespaces within the cluster on the graph.
- In the namespace graph, left-click on the icon of the namespace you are interested in.
- In the menu that opens, select Stop autoprofiling.
- Click the Stop button to confirm stopping the autoprofiling process.
Stopping autoprofiling for individual objects
To stop autoprofiling for individual objects in an autoprofiling task:
- Start an autoprofiling task.
- Do one of the following:
- If a cluster autoprofiling task is running, do the following:
- In the table with the list of clusters, click the name of the cluster for which an autoprofile is being created.
- In the window that opens, do one of the following:
- Select one or more namespaces for which you want to stop auto-profiling.
- Click the namespace name and in the window that opens, select one or more pods for which you want to stop autoprofiling.
- If a namespace autoprofiling task is running, do the following:
- In the table with the list of namespaces in the cluster, click the name of the namespace for which an autoprofile is being created.
- In the window that opens, select one or more pods for which you want to stop autoprofiling.
- If a cluster autoprofiling task is running, do the following:
- Click the Stop autoprofiling button located above the table with the list of objects.
- Click the Stop button to confirm stopping the autoprofiling process.
Kaspersky Container Security stops the autoprofiling process for the selected objects. The solution will continue running the autoprofiling task for the rest of the objects in the cluster or namespace.
When stopping autoprofiling for individual objects, bear in mind that stopping the task at the level of a larger object will completely stop the task. For example, an autoprofiling task is completely stopped in the following cases:
- If a task for autoprofiling namespaces or pods is started and you stop autoprofiling at the level of the cluster that includes the selected namespaces or pods.
- If a task for autoprofiling pods is started and you stop autoprofiling at the level of the namespace that contains the selected pods.
Deleting a runtime autoprofile
To delete a container runtime autoprofile:
- Open the table of the generated runtime autoprofiles in one of the following sections:
- In the Policies → Runtime → Autoprofiles section.
- In the Associated autoprofiles section, on the page with detailed information about the image scan results, in the Resources → Registries section.
- Do one of the following:
- In the Policies → Runtime → Autoprofiles section, use the check box to select the autoprofile that you want to delete and click the Delete button located above the table.
- On the page with detailed information about the image scan results, in the Resources → Registries section, in the row with the name of the autoprofile that you want to delete, click the delete icon.
- In the window that opens, confirm the action.
Restrictions related to autoprofiles
When working with runtime autoprofiles, consider the following restrictions related to scopes and user roles:
- If an image is not added to the scopes assigned to the user as part of a namespace in a cluster, the user cannot access autoprofiles generated using the digest of the image.
A user assigned the default scope can view all created autoprofiles.
- If a user has the rights to manage autoprofiling, the user can start a task to build an autoprofile, change the settings and re-generate an autoprofile.
- A user who did not start an autoprofiling task can change the settings, as well as rebuild and delete an autoprofile, if all of the following conditions are met:
- The user has rights to manage autoprofiling
- One of the user's roles coincides with the role of the autoprofiling task's creator at the time the autoprofile is created
- The scopes assigned to the user include the image (as part of the namespace in the cluster) that the autoprofile is based on