Creating an agent group

To create an agent group:

  1. In the main menu, go to the Components → Agents section.
  2. In the work pane, click the Add agent group button.
  3. On the General tab:
    1. Fill in the fields in the form.
      • Enter the group name. For the convenience of managing agents, we recommend specifying the name of the cluster on whose nodes the agents will be installed.
      • If required, enter a description of the agent group.
      • From the drop-down list, select one or more scopes that are available to the user role. If no value is specified, the solution uses the default scope.

        If you need to add a scope after creating an agent group, add the relevant cluster to the scope in the Administration → Access management → Scopes section.

      • Select the orchestrator to use.
      • Specify the name of the namespace to be used to install agents.

        The namespace must exist at the time when the agents are started.

    2. In the KCS registry section, enter the web address of the Kaspersky Container Security registry where the agent installation images are located. To access the registry, you must specify the correct user name and password.
    3. Under Linked SIEM, select the SIEM system from the drop-down list.

      To link an agent group in Kaspersky Container Security, you must create and configure at least one integration with a SIEM system.
      One agent group can be linked with only one SIEM system.

      For each SIEM system integration, the drop-down list indicates the connection status – Success, Warning, or Error.

  4. On the Node monitoring tab, use the Disable/Enable toggle switch to start monitoring and analyzing the status of the network, processes inside containers, and file threat protection for the following settings:
    • Network connections. The status of network connections is monitored with traffic capture devices (network monitors) and eBPF modules. This process considers applicable runtime policies and container runtime profiles.

      By selecting the check boxes, you can activate the following monitoring actions:

      These actions are disabled by default.

    • Container processes. Container processes are monitored using eBPF programs based on applicable runtime policy rules and container runtime profile rules.
    • File threat protection. If File Threat Protection actions are running, you can select objects for which you want to enable monitoring within the File Threat Protection component: All, Containers, or Nodes. By default, monitoring is enabled for all objects.

      To track anti-malware database updates, specify one of the following values:

      • Anti-malware database update URL: the web address of the Kaspersky Container Security update service.
      • Anti-malware database update proxy: the HTTP proxy for a cloud or local update server.

      If the kcs-updates container is used to update anti-malware databases, the URL of the database update tool must be specified as follows: <domain>/kuu/updates (for example, https://kcs.company.com/kuu/updates).

      By default, File Threat Protection databases are updated from Kaspersky cloud servers.

    • File operations. The solution tracks file operations using eBPF modules based on applicable runtime policies and container runtime profiles.

      Regardless of the mode specified in the runtime policy, only the Audit mode is supported for file operations. If the Enforce mode is specified in the applicable runtime policy, file operations are performed in Audit mode.

    • Container lifecycle. The solution monitors the changes of container state (creation, starting, stopping, deletion, pause, unpause). This allows you to track container operations on the node that bypass the orchestrator.

      Regardless of the mode specified in the runtime policy, only the Audit mode is supported for monitoring the container lifecycle. If the Enforce mode is specified in the applicable runtime policy, the container lifecycle is monitored in Audit mode.

    • Host login. The solution monitors the attempts of local and remote users to log in to the host operating system. Kaspersky Container Security monitors all authorization attempts (successful and unsuccessful), and also determines the protocol (SSH, TELNET, RDP) that was used to attempt authorization on the host.

    Monitoring steps that are not needed can be disabled to avoid unnecessary load on the nodes.

    By default, all actions for monitoring and analyzing the state of the network, processes in containers, and File Threat Protection are disabled.

  5. Click Save.
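
The following is an added pre-flight check, not code from the Kaspersky Container Security product or documentation. It models the form fields above in a hypothetical `AgentGroupForm` and validates the constraints the procedure states (namespace must exist, registry credentials required, one SIEM per group, `<domain>/kuu/updates` when kcs-updates is used); the RFC 1123 label rule for namespace names is an assumption about the Kubernetes orchestrator, and the sample values in the usage are constructed.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: the orchestrator is Kubernetes, whose namespace names are RFC 1123 DNS labels.
NS_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")


@dataclass
class AgentGroupForm:
    """Hypothetical model of the General / Node monitoring tab fields (not a product API)."""
    name: str
    namespace: str
    registry_url: str          # KCS registry holding the agent installation images
    registry_user: str
    registry_password: str
    siem_ids: tuple = ()       # Linked SIEM: at most one per group
    update_url: str = ""       # Anti-malware database update URL
    update_proxy: str = ""     # Anti-malware database update proxy
    uses_kcs_updates: bool = False  # True when the kcs-updates container serves the databases


def validate_agent_group(form: AgentGroupForm, existing_namespaces: set) -> list:
    """Return a list of problems; an empty list means the form passes every check."""
    problems = []
    if not form.name.strip():
        problems.append("group name is empty")
    if not NS_LABEL.match(form.namespace):
        problems.append(f"namespace {form.namespace!r} is not a valid DNS label")
    elif form.namespace not in existing_namespaces:
        problems.append(f"namespace {form.namespace!r} does not exist; it must exist before the agents start")
    reg = urlparse(form.registry_url)
    if reg.scheme not in ("http", "https") or not reg.netloc:
        problems.append("KCS registry address must be an http(s) URL")
    if not (form.registry_user and form.registry_password):
        problems.append("KCS registry requires a user name and password")
    if len(form.siem_ids) > 1:
        problems.append("an agent group can be linked with only one SIEM system")
    if form.update_url and form.update_proxy:
        problems.append("specify either the update URL or the update proxy, not both")
    if form.update_url:
        upd = urlparse(form.update_url)
        if upd.scheme not in ("http", "https") or not upd.netloc:
            problems.append("update URL must be an http(s) URL")
        elif form.uses_kcs_updates and not upd.path.rstrip("/").endswith("/kuu/updates"):
            problems.append("with kcs-updates the URL must be <domain>/kuu/updates")
    if form.update_proxy and urlparse(form.update_proxy).scheme not in ("http", "https"):
        problems.append("update proxy must be an HTTP proxy URL")
    return problems  # empty list when the form is consistent with the procedure above
```

Run it against the live namespace list (for example the output of `kubectl get namespaces`) before filling in the form, so a missing namespace or a mistyped update URL is caught before the agents are deployed.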

In the workspace, the Deployment data tab displays the following data necessary for installing agents in the cluster:
