Kaspersky Container Security

Limitations and warnings

June 17, 2024

ID 275679

Kaspersky Container Security 1.2 has a number of limitations that are not critical to the operation of the solution:

  • To ensure maximum compatibility of BPF programs used by Kaspersky Container Security with numerous Linux distributions and Linux kernel versions, the solution uses eBPF CO-RE technology. Kaspersky Container Security works directly with the kernel of the Linux host server (node), thus the following requirements and restrictions must be observed:
    • To use eBPF CO-RE, the Linux kernel must be compiled with the configuration value CONFIG_DEBUG_INFO_BTF=y. Most Linux distributions have this value enabled when building the kernel supplied with the distribution.
    • If the kernel is updated manually, you must check that the above-mentioned configuration value is still set.

    For earlier versions of Linux distributions and Linux kernels that do not have built-in support for eBPF CO-RE, backward compatibility is ensured by Kaspersky Container Security.

  • If a manually compiled Linux kernel is used on a host server (node), the following settings must be enabled during the kernel configuration to ensure runtime monitoring using container runtime profiles:

    CONFIG_BPF=y

    CONFIG_BPF_SYSCALL=y

    CONFIG_BPF_EVENTS=y

    CONFIG_NET_CLS_BPF=m

    CONFIG_NET_ACT_BPF=m

    To ensure better BPF code performance, we recommend enabling the following settings:
    CONFIG_BPF_JIT=y
    CONFIG_HAVE_BPF_JIT=y

  • If runtime monitoring using Kaspersky Container Security container runtime profiles is to be conducted simultaneously with CNI Cilium (node-agent pods are deployed on the same host servers with cilium-agent), the following actions must be performed:
    • In the cluster with the deployed node-agent, specify the value of the data.bpf-filter-priority parameter for the ConfigMap cilium-config greater than 1.

      We recommend specifying 5 for the data.bpf-filter-priority parameter.

    • Restart the cilium-agent pods to apply the specified setting.
  • To access Kubernetes, Kaspersky Container Security uses the functionality of the dynamic access controller provided in Kubernetes. The security of your cluster can be hardened by configuring authorization between the Kubernetes API and kube-agent, which ensures the operation of the solution's dynamic access controller. Authorization must be configured in accordance with the Kubernetes instructions.

    We recommend limiting access to kube-agent to data exchange with the Kubernetes API server. For this purpose, the following Kubernetes network policy must be applied:

    ---
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      labels:
        app: kcs
      name: allow-kube-api-to-kube-agent
      namespace: {{ $.Release.Namespace }}
    spec:
      podSelector:
        matchLabels:
          app: kube-agent
      ingress:
      - from:
        - podSelector:
            matchLabels:
              component: kube-apiserver
        ports:
        - protocol: TCP
          port: 8443
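The first two items above name the kernel configuration values that eBPF CO-RE and runtime monitoring depend on. The following script is an added example, not part of Kaspersky Container Security or its documentation: it checks a kernel config file (by default the running kernel's /proc/config.gz or /boot/config-<release>) for exactly the options the page lists, reports which required or recommended ones are absent, and looks for /sys/kernel/btf/vmlinux, which the kernel exposes when CONFIG_DEBUG_INFO_BTF=y. The sample config embedded in the script is constructed for illustration and is not from a real host.

```shell
#!/bin/sh
# Added example, not Kaspersky's own tooling: verify that a kernel config carries the
# eBPF-related options this page lists before deploying node-agent on a host.
#
# Usage: sh check_kcs_kernel.sh [CONFIG_FILE]
# Without an argument the script looks at /proc/config.gz, then /boot/config-$(uname -r).

# Options the page requires, each with the exact value it names.
REQUIRED_OPTS="CONFIG_DEBUG_INFO_BTF=y CONFIG_BPF=y CONFIG_BPF_SYSCALL=y CONFIG_BPF_EVENTS=y CONFIG_NET_CLS_BPF=m CONFIG_NET_ACT_BPF=m"
# Options the page recommends for BPF JIT performance.
RECOMMENDED_OPTS="CONFIG_BPF_JIT=y CONFIG_HAVE_BPF_JIT=y"

# Print the config text; /proc/config.gz is gzip-compressed, /boot/config-* is plain.
read_config() {
  case "$1" in
    *.gz) gzip -dc "$1" ;;
    *)    cat "$1" ;;
  esac
}

# missing_opts FILE "OPT=val ...": print each option that is not present as an exact line.
# "# CONFIG_FOO is not set", and "CONFIG_FOO=y" where the page asks for "=m", both count as missing.
missing_opts() {
  for opt in $2; do
    read_config "$1" | grep -qx "$opt" || echo "$opt"
  done
}

# count_missing FILE "OPT=val ...": number of options from the list absent in FILE.
count_missing() {
  missing_opts "$1" "$2" | wc -l | tr -d ' '
}

# btf_exposed: the running kernel publishes its BTF here when built with CONFIG_DEBUG_INFO_BTF=y.
btf_exposed() {
  [ -r /sys/kernel/btf/vmlinux ]
}

# find_running_config: print the path of the running kernel's config, or nothing if unreadable.
find_running_config() {
  if [ -r /proc/config.gz ]; then
    echo /proc/config.gz
  elif [ -r "/boot/config-$(uname -r)" ]; then
    echo "/boot/config-$(uname -r)"
  fi
}

# report FILE: human-readable summary; exit status 0 only when every required option is present.
report() {
  file=$1
  echo "Checking $file"
  req_missing=$(missing_opts "$file" "$REQUIRED_OPTS")
  rec_missing=$(missing_opts "$file" "$RECOMMENDED_OPTS")
  [ -z "$req_missing" ] && echo "  required options: all present" || printf '  REQUIRED option missing: %s\n' $req_missing
  [ -z "$rec_missing" ] && echo "  recommended options: all present" || printf '  recommended option missing: %s\n' $rec_missing
  [ -z "$req_missing" ]
}

# Constructed sample config (not from a real host): BTF is off and the tc BPF modules are wrong/absent.
SAMPLE_CONFIG=$(mktemp)
cat >"$SAMPLE_CONFIG" <<'EOF'
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_EVENTS=y
CONFIG_BPF_JIT=y
CONFIG_HAVE_BPF_JIT=y
# CONFIG_DEBUG_INFO_BTF is not set
CONFIG_NET_CLS_BPF=y
# CONFIG_NET_ACT_BPF is not set
EOF

report "$SAMPLE_CONFIG" || true   # the sample is expected to fail: three required options missing

# Then the config given on the command line, or the running kernel's, when one is readable.
target=${1:-$(find_running_config)}
if [ -n "$target" ]; then
  report "$target" || true
  btf_exposed && echo "  /sys/kernel/btf/vmlinux present: kernel exposes BTF for CO-RE" \
              || echo "  /sys/kernel/btf/vmlinux absent: CO-RE falls back to the solution's backward compatibility"
fi
```

The check is deliberately strict about the value: the page lists CONFIG_NET_CLS_BPF and CONFIG_NET_ACT_BPF as modules (=m), so a config that builds them in (=y) is reported as missing and left for you to judge. Run it on the host before and after a manual kernel update, which is the situation the page warns about.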
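The Cilium item above is a three-step procedure: read data.bpf-filter-priority from the cilium-config ConfigMap, set it to a value greater than 1 (5 is recommended), and restart the cilium-agent pods. The script below is an added example, not Kaspersky's or Cilium's own tooling, that performs those steps with kubectl. It assumes Cilium lives in the kube-system namespace as a DaemonSet named cilium (the Cilium Helm chart defaults); both are overridable through the CILIUM_NS and CILIUM_DS variables, which are names introduced here.

```shell
#!/bin/sh
# Added example, not Kaspersky's or Cilium's own tooling: raise Cilium's BPF filter priority
# above 1 on a cluster where node-agent and cilium-agent share nodes, then restart cilium-agent.
# Assumptions: Cilium is installed in the kube-system namespace as DaemonSet "cilium"
# (Cilium Helm chart defaults); adjust CILIUM_NS / CILIUM_DS if your installation differs.
CILIUM_NS=${CILIUM_NS:-kube-system}
CILIUM_DS=${CILIUM_DS:-cilium}
WANTED_PRIORITY=${WANTED_PRIORITY:-5}   # the value the page recommends

# priority_ok VALUE: true when VALUE is an integer greater than 1, which is what the page requires.
priority_ok() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;   # empty (key absent from the ConfigMap) or non-numeric fails
  esac
  [ "$1" -gt 1 ]
}

# patch_json VALUE: JSON merge-patch body that sets data.bpf-filter-priority on the ConfigMap.
patch_json() {
  printf '{"data":{"bpf-filter-priority":"%s"}}' "$1"
}

# current_priority: read data.bpf-filter-priority from cilium-config (prints nothing if unset).
current_priority() {
  kubectl -n "$CILIUM_NS" get configmap cilium-config \
    -o jsonpath='{.data.bpf-filter-priority}' 2>/dev/null
}

# apply_priority VALUE: patch the ConfigMap, then restart cilium-agent pods so the change takes effect.
apply_priority() {
  kubectl -n "$CILIUM_NS" patch configmap cilium-config --type merge -p "$(patch_json "$1")"
  kubectl -n "$CILIUM_NS" rollout restart daemonset/"$CILIUM_DS"
  kubectl -n "$CILIUM_NS" rollout status daemonset/"$CILIUM_DS" --timeout=5m
}

main() {
  if ! command -v kubectl >/dev/null 2>&1; then
    echo "kubectl not found; nothing to do" >&2
    return 0
  fi
  cur=$(current_priority)
  if priority_ok "$cur"; then
    echo "bpf-filter-priority is already $cur (> 1); no change needed"
  else
    echo "bpf-filter-priority is '${cur:-unset}'; setting it to $WANTED_PRIORITY"
    apply_priority "$WANTED_PRIORITY"
  fi
}

main "$@"
```

The script is idempotent: on a cluster where the priority is already above 1 it only reports the value, so it is safe to keep in a node-onboarding checklist. Because the restart is done through a DaemonSet rollout, cilium-agent pods are replaced node by node rather than all at once.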
