Container Security
Why am I getting a '401 Unauthorized' message on API calls?
This is usually because you have not created an API key to authenticate your requests
with Container Security.
For information on creating and using a Trend Cloud One API key, see the API key help.
For information on creating and using a legacy API key (deprecated), see the Workload
Security API key help.
Does Container Security require inbound network access to my Kubernetes cluster?
Container Security currently does not require any inbound network access and does
not require any extra IP addresses to be added to inbound firewall rules. Communication
from the admission controller is outbound-initiated only over HTTPS port 443.
If I restrict outbound traffic, what URLs do I need to allow to communicate with the internet?
Trend Cloud One (where <region> is your Trend Cloud One region):
- https://container.<region>.cloudone.trendmicro.com
- https://iot.container.<region>.cloudone.trendmicro.com
Runtime security (allow the endpoint for your Trend Cloud One region):
- Australia: https://sensor-components-prod-componentsstoragebucket-mqamem5enf3f.s3.amazonaws.com
- Canada: https://sensor-components-prod-componentsstoragebucket-1lllr5j8i7dmf.s3.amazonaws.com
- Germany: https://sensor-components-prod-componentsstoragebucket-dt9l26kxtrha.s3.amazonaws.com
- India: https://sensor-components-prod-componentsstoragebucket-4t1tmfipzmxq.s3.amazonaws.com
- Japan: https://sensor-components-prod-componentsstoragebucket-a1g8t8ve13ql.s3.amazonaws.com
- Singapore: https://sensor-components-prod-componentsstoragebucket-x75mv7yqzt9.s3.amazonaws.com
- UK: https://sensor-components-prod-componentsstoragebucket-177dw039ojo4z.s3.amazonaws.com
- US: https://sensor-components-prod-componentsstoragebucket-1tgz7758j5977.s3.amazonaws.com
Runtime vulnerability scanning (allow the endpoint for your Trend Cloud One region):
- Australia (au-1): upload.artifactscan.au-1.cloudone.trendmicro.com
- Canada (ca-1): upload.artifactscan.ca-1.cloudone.trendmicro.com
- Germany (de-1): upload.artifactscan.de-1.cloudone.trendmicro.com
- India (in-1): upload.artifactscan.in-1.cloudone.trendmicro.com
- Japan (jp-1): upload.artifactscan.jp-1.cloudone.trendmicro.com
- Singapore (sg-1): upload.artifactscan.sg-1.cloudone.trendmicro.com
- UK (gb-1): upload.artifactscan.gb-1.cloudone.trendmicro.com
- US (us-1): upload.artifactscan.us-1.cloudone.trendmicro.com
Trend Micro Artifact Scanner (allow the endpoints for your Trend Cloud One region):
- Australia:
  - https://artifactscan.au-1.cloudone.trendmicro.com
  - https://cli.artifactscan.cloudone.trendmicro.com
  - upload.artifactscan.au-1.cloudone.trendmicro.com
  - report.artifactscan.au-1.cloudone.trendmicro.com
- Canada:
  - https://artifactscan.ca-1.cloudone.trendmicro.com
  - https://cli.artifactscan.cloudone.trendmicro.com
  - upload.artifactscan.ca-1.cloudone.trendmicro.com
  - report.artifactscan.ca-1.cloudone.trendmicro.com
- Germany:
  - https://artifactscan.de-1.cloudone.trendmicro.com
  - https://cli.artifactscan.cloudone.trendmicro.com
  - upload.artifactscan.de-1.cloudone.trendmicro.com
  - report.artifactscan.de-1.cloudone.trendmicro.com
- India:
  - https://artifactscan.in-1.cloudone.trendmicro.com
  - https://cli.artifactscan.cloudone.trendmicro.com
  - upload.artifactscan.in-1.cloudone.trendmicro.com
  - report.artifactscan.in-1.cloudone.trendmicro.com
- Japan:
  - https://artifactscan.jp-1.cloudone.trendmicro.com
  - https://cli.artifactscan.cloudone.trendmicro.com
  - upload.artifactscan.jp-1.cloudone.trendmicro.com
  - report.artifactscan.jp-1.cloudone.trendmicro.com
- Singapore:
  - https://artifactscan.sg-1.cloudone.trendmicro.com
  - https://cli.artifactscan.cloudone.trendmicro.com
  - upload.artifactscan.sg-1.cloudone.trendmicro.com
  - report.artifactscan.sg-1.cloudone.trendmicro.com
- UK:
  - https://artifactscan.gb-1.cloudone.trendmicro.com
  - https://cli.artifactscan.cloudone.trendmicro.com
  - upload.artifactscan.gb-1.cloudone.trendmicro.com
  - report.artifactscan.gb-1.cloudone.trendmicro.com
- US:
  - https://artifactscan.us-1.cloudone.trendmicro.com
  - https://cli.artifactscan.cloudone.trendmicro.com
  - upload.artifactscan.us-1.cloudone.trendmicro.com
  - report.artifactscan.us-1.cloudone.trendmicro.com
Telemetry:
- https://telemetry.deepsecurity.trendmicro.com
Default Container Registry:
- https://public.ecr.aws
Are regular expressions supported when creating policies?
We support the keywords "contains" and "start with" for image registry, name, and
tag in the first release. This provides a basic, regular-expression-like matching interface
rather than full regular expression syntax.
Does each Kubernetes cluster need its own admission controller?
Yes. Each Kubernetes cluster should have its own admission controller. If needed,
you can scale the number of replicas; the default is 1.
Will the validation of admission control webhooks cause Container Security to change a container's configuration?
No. It only validates whether a deployment request is allowed or denied according to the
policy definition; it does not modify the container's configuration.
During the validating phase, when kubectl apply -f <...> is executed, does the admission
controller query Container Security? If so, is a local cache used for each query?
Yes. The admission controller queries Container Security every time a review request
happens in Kubernetes, both for a kubectl create and for a kubectl apply. No local cache
is used for queries or policies, so that the policy applied is always up to date.
By default, review requests from the kube-system namespace are not forwarded to Container
Security. For more information, see the admission controller yaml file.
What is the telemetry in Container Security used for? What kind of data is admission control sending?
For more information about data collection and telemetry, see Trend Cloud One - Container Security Data Collection.
If a connection to Trend Cloud One fails, will an administrator be notified about an issue in the validation process? If so, how are they notified, and can the notifications be configured?
No alerts will be raised, but a warning icon will appear on the cluster page after 24 hours
of inactivity, and the admission controller logs will contain errors. You can also configure
the logging destination in your cluster, which allows you to integrate our logging with
your Kubernetes logging solution.
If Trend Cloud One is not responsive, you can also configure what happens by changing
the failurePolicy property. By default, failurePolicy is set to Ignore, which allows
the admission request if Trend Cloud One is not accessible. If you set failurePolicy
to Fail, then the admission request fails.
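As an added check (not part of the product), the following script reads a ValidatingWebhookConfiguration as returned by `kubectl get validatingwebhookconfiguration <name> -o json` and reports, per webhook, whether it fails open (failurePolicy set to Ignore) and which namespaces it skips. It assumes the kube-system exclusion is expressed as a namespaceSelector; the webhook name, service and sample document are constructed placeholders.

```python
"""Audit fail-open behaviour and namespace exclusions of admission webhooks."""
import json

# Constructed sample document; names are placeholders, not the real chart's values.
SAMPLE = json.dumps({
    "apiVersion": "admissionregistration.k8s.io/v1",
    "kind": "ValidatingWebhookConfiguration",
    "metadata": {"name": "example-admission-controller"},
    "webhooks": [{
        "name": "example.admission.placeholder.local",
        "failurePolicy": "Ignore",
        "timeoutSeconds": 30,
        "namespaceSelector": {"matchExpressions": [
            {"key": "kubernetes.io/metadata.name", "operator": "NotIn",
             "values": ["kube-system"]}]},
        "clientConfig": {"service": {"name": "placeholder-svc",
                                     "namespace": "placeholder-ns", "port": 8443}},
    }],
})


def excluded_namespaces(webhook: dict) -> set:
    """Namespaces skipped via a NotIn selector on the well-known name label."""
    out = set()
    sel = webhook.get("namespaceSelector") or {}
    for expr in sel.get("matchExpressions", []):
        if expr.get("key") == "kubernetes.io/metadata.name" and expr.get("operator") == "NotIn":
            out.update(expr.get("values", []))
    return out


def audit(doc: str) -> list:
    """One finding per webhook: fail-open or fail-closed, timeout, skipped namespaces."""
    findings = []
    for wh in json.loads(doc).get("webhooks", []):
        policy = wh.get("failurePolicy", "Fail")  # v1 API default when unset
        findings.append({
            "webhook": wh["name"],
            "fails_open": policy == "Ignore",
            "timeout_seconds": wh.get("timeoutSeconds", 10),  # v1 API default
            "skipped_namespaces": sorted(excluded_namespaces(wh)),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        mode = "fail-open (admitted when the backend is unreachable)" if f["fails_open"] else "fail-closed"
        print(f["webhook"], mode, "skips:", ", ".join(f["skipped_namespaces"]) or "none")
```

Run it against the live object with `kubectl get validatingwebhookconfiguration <name> -o json | python3 audit.py` after swapping SAMPLE for sys.stdin.read().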
When should the replica count for the admission controller be increased?
Consider increasing the replica count for the admission controller in large environments,
where many admission requests may occur at the same time. Admission requests occur
when a pod scales its replica counts, new deployments occur, and so on.
How to add pods with multiple containers to exceptions?
Pods with multiple containers need exceptions for every container in them. Container
Security allows the admission request only if each requested container either violates
no policy rule or meets the exception criteria.
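To make the all-containers rule above concrete, here is an added model of that decision (illustrative code, not the product's own) using the "contains" and "start with" keywords on registry, name and tag described earlier. The image-reference parser, the Rule class and the sample pod are constructed for this example.

```python
from dataclasses import dataclass

DEFAULT_REGISTRY = "docker.io"


def parse_image(ref: str) -> dict:
    """Split an image reference into registry, name and tag. A digest suffix is
    dropped; a missing registry defaults to docker.io and a missing tag to 'latest'."""
    ref = ref.split("@", 1)[0]
    first, _, rest = ref.partition("/")
    # The first path segment is a registry only if it looks like a host.
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = DEFAULT_REGISTRY, ref
    if ":" in path.rsplit("/", 1)[-1]:
        name, tag = path.rsplit(":", 1)
    else:
        name, tag = path, "latest"
    return {"registry": registry, "name": name, "tag": tag}


@dataclass
class Rule:
    attr: str   # "registry", "name" or "tag"
    op: str     # "contains" or "startswith" (the page's "contains" / "start with")
    value: str

    def matches(self, image: dict) -> bool:
        target = image[self.attr]
        return target.startswith(self.value) if self.op == "startswith" else self.value in target


def admit_pod(images: list, rules: list, exceptions: list) -> tuple:
    """Return (allowed, per-container report). A container passes if it violates no
    rule or is covered by an exception; one failing container denies the whole pod."""
    report, allowed = {}, True
    for ref in images:
        img = parse_image(ref)
        hits = [f"{r.attr} {r.op} {r.value!r}" for r in rules if r.matches(img)]
        excepted = any(e.matches(img) for e in exceptions)
        ok = not hits or excepted
        report[ref] = {"violations": hits, "excepted": excepted, "ok": ok}
        allowed = allowed and ok
    return allowed, report


if __name__ == "__main__":
    pod = ["docker.io/library/nginx:1.25", "ghcr.io/acme/sidecar:latest"]  # constructed
    rules = [Rule("tag", "contains", "latest")]
    print(admit_pod(pod, rules, []))                                    # denied
    print(admit_pod(pod, rules, [Rule("name", "startswith", "acme/")]))  # allowed
```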
Why is my pod not being isolated from network access?
If you are using the Isolate action in your Continuous Compliance policy or Runtime
rules, the Kubernetes cluster where the protected resources are running must have
Kubernetes network policies enabled. To enable Kubernetes network policies, install
a network plugin with NetworkPolicy support using the provided guide in the helm chart README.
Why are vulnerabilities not showing in the vulnerability view?
See Troubleshooting Runtime Vulnerability Scanning for instructions.
Can I have multiple scan tools installed in my cluster?
It is recommended to only include one scanning tool in each cluster, as multiple such
tools running concurrently can cause unpredictable behavior where both tools continuously
scan each other's pods. If this situation is not avoidable, you can exclude the other
scan tool's namespace from Container Security scans by adding the following to your
overrides file:
cloudOne:
  exclusion:
    namespaces: [list, of, namespaces]
It is also recommended to exclude the namespace where you installed Container Security
from getting scanned by the other scan tool.
When should I increase the maximum concurrency for the vulnerability scanner pods?
Large clusters could benefit from increasing the default maximum concurrency for the vulnerability scanner pods to drive faster scan results by using more of your cluster's resources. The scanner
pod concurrency limit is meant to constrain Container Security's resource usage within
your cluster. For example, if the concurrency limit was set to 5, then a maximum of
5 unique images can be scanned at a time. Modifying the scanner pod concurrency limit
can be done through your overrides file:
cloudOne:
  scanManager:
    maxJobCount: 15
When increasing the concurrency limit for the vulnerability scanner pods, please ensure
your cluster has enough resources to handle the additional scanner pods. The default
resource requirements for each scanner pod are specified in the helm chart.
Are there any limitations to private Google Kubernetes Engine (GKE) clusters?
For admission webhooks to work, a private Google Kubernetes Engine (GKE) cluster requires an additional
Virtual Private Cloud network firewall rule. For information on how to add a
firewall rule that allows traffic from your master’s source IP range to the Trend
Micro admission controller pod, see Adding firewall rules for specific use cases.
The Trend Micro admission controller pod listens on port 8443. The following example
shows a gcloud command for adding such a firewall rule (RULE_NAME, NETWORK,
CONTROL_PLANE_RANGE and TARGET are placeholders to set for your cluster):
gcloud compute firewall-rules create ${RULE_NAME} \
  --network ${NETWORK} \
  --action ALLOW \
  --direction INGRESS \
  --source-ranges ${CONTROL_PLANE_RANGE} \
  --rules tcp:8443 \
  --description="Allow apiserver access to admission webhook pod on port 8443" \
  --target-tags ${TARGET}