Views:

Container Security supports protection on connected Google GKE containers.

Important
Important

Procedure

  1. Go to Cloud SecurityContainer SecurityContainer Inventory.
  2. Select the Kubernetes node in the tree.
  3. Click Add Cluster.
    The Protect Cluster screen appears.
  4. Specify a unique name for the cluster to appear in the Container Inventory table in the Cluster field.
    Note
    Note
    • Cluster names must not contain spaces and only support alphanumeric characters, underscores (_), and periods (.).
    • You cannot modify the cluster name after creating the cluster.
  5. If you want to provide more details about the purpose of the cluster, use the Description field.
  6. If you want Container Security to send data to Cloud Posture and receive ASRM Risk Insights, select Map to cloud account.
    1. In the dropdown menu, select GCP.
    2. In another browser tab, sign in to the Google Cloud account that hosts the cluster and copy the following values into the Container Security - Protect Cluster screen.
      • Project ID: Go to {project_id} and copy the Project ID.
      • GCP "Cluster region": Go to Kubernetes EngineClusters{your_cluster} and copy the Cluster region.
      • GCP "Cluster name": Go to Kubernetes EngineClusters{your_cluster} and copy the Cluster name.
  7. If you have already created a policy that you want to use to protect the Kubernetes cluster, select the policy name from the Policy dropdown menu.
    You can create a Kubernetes policy and assign the policy after connecting the cluster.
  8. To ensure that Container Security does not impact any of the following Kubernetes management systems, select the systems in the Namespace Exclusions dropdown menu.
    • Calico System
    • Istio System
    • Kube System
    • OpenShift*
    • GKE System*
    Note
    Note
    Options with an asterisk (*) represent sets of related namespaces. For details, see Grouped namespaces.
  9. If your cluster requires a proxy server, turn on Use Proxy and configure the following settings:
    • Protocol: Select HTTP or SOCKS5.
    • Proxy address: Specify the IP address of the proxy server.
    • Port: Specify the port number of the proxy server.
    • Require authentication credentials: Select and specify the Account and Password of the proxy server.
  10. If you already know the type of security features you want to enable on the cluster, turn on the desired features.
    • Runtime Security: Provides visibility into any activity of your running containers that violates a customizable set of rules.
    • Runtime Vulnerability Scanning: Provides visibility of operating system and open source code vulnerabilities that are part of containers running in clusters.
    • Runtime Malware Scanning: Provides detection of malware in your running containers, enabling you to identify and respond to malware threats introduced after deployment.
  11. Click Next.
    The Helm deployment script information appears on the screen.
  12. For users deploying Container Security protection the cluster for the first time:
    1. To define the configuration properties of Container Security in your Kubernetes cluster, create a YAML file (for example: overrides.yaml) and copy the contents of the first input field to the file.
      WARNING
      WARNING
      The YAML file contains a unique API key required to connect the specified cluster to Container Security. The API key only appears one time and you should create a copy for future upgrades. Trend Micro cannot retrieve the API key again once you close the screen.
    2. To enable automated cluster registration, create an API key and enter true for clusterRegistrationKey, as shown in the example below.
      Note
      Note
      You can configure the protection of the cluster by specifying clusterName, clusterNamePrefix, policyId, groupId under the policyOperator section.
      Sample override file:
      cloudOne:
          clusterRegistrationKey: true
          endpoint: https://container.us-1.dev-cloudone.trendmicro.com
          exclusion: 
              namespaces: [kube-system]
          inventoryCollection:
              enabled: true
          complianceScan:
              enabled: false
          policyOperator:
              clusterName: xxxx (optional. A random name will be used if not specified)
              clusterNamePrefix: xxxx (optional)
              policyId: xxxx (optional)
              groupId: xxxx (required)
    3. Copy the entire helm install script in the second input field.
      Important
      Important
    4. Paste the helm install script in an editor and modify the following:
      • --values overrides.yaml \ - Use the relative path to the overrides.yaml you saved in the previous step.
      • exclusion: > namespaces- Ensure that you add the following exclusions to the list: kube-system, gmp-system, autoneg-system
  13. For users that are updating an existing deployment, copy the entire helm get values --namespace trendmicro-system trendmicro | helm upgrade \ script in the last input field and execute the Helm script on your cluster.
    Note
    Note
    In the future, you can upgrade the helm deployment without overriding changes by using the Helm argument:
    --reuse-values.