The Container Security Operator is a method of deploying and managing the Trend Vision One Container Security application, similar to a Helm chart. Learn more about Helm Chart.
The operator runs on the OpenShift Container Platform to deploy and manage the Container Security application. It installs the Helm chart automatically and checks for new updates as they are released. Use the following steps to install the operator from the OpenShift OperatorHub.
Register your cluster with Container Security
Automatically register
You can configure clusters to be registered automatically when Container Security is installed. Use the following steps to automatically register multiple clusters for Container Security with a Trend Vision One API key.
- From the Trend Vision One console, navigate to .
- Create a Trend Vision One API key with a role that contains only the "Automatically register cluster" permission. Because this key is stored inside every cluster it registers, keeping the role this narrow limits what a leaked key can do. See Obtain an API key for automated cluster registration for more information.
- Store the Trend Vision One API key as a secret named trendmicro-container-security-registration-key, with the key registration.key, in the trendmicro-system namespace.
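Creating the registration-key secret from the OpenShift CLI, as an added example that is not part of Trend Micro's documentation: the script builds the Secret manifest with the exact name, key and namespace the page specifies, round-trips the value to confirm the key name and encoding the operator will look for, and only calls oc when invoked with `apply`. The TMV1_API_KEY environment variable and the function names are this example's own conventions, not anything the operator defines.

```shell
#!/bin/sh
# Added example (not from the Trend Micro documentation): build and apply the
# Secret that the Container Security operator reads for automatic registration.
# Assumption: the API key is supplied in $TMV1_API_KEY (this script's own
# convention); the Secret name, key name and namespace are the ones the page lists.
set -eu

SECRET_NAME="trendmicro-container-security-registration-key"
SECRET_KEY="registration.key"
NAMESPACE="trendmicro-system"

# Emit a Secret manifest for the given API key. Values under "data" are
# base64-encoded, so encode here (tr strips the line wrapping GNU base64 adds).
registration_secret_manifest() {
  api_key="$1"
  [ -n "$api_key" ] || { echo "refusing to store an empty API key" >&2; return 1; }
  encoded=$(printf '%s' "$api_key" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${SECRET_NAME}
  namespace: ${NAMESPACE}
type: Opaque
data:
  ${SECRET_KEY}: ${encoded}
EOF
}

# Round-trip check: pull the value back out of a manifest on stdin and decode it,
# proving the key name and encoding are what the operator expects.
decode_registration_key() {
  sed -n "s/^  ${SECRET_KEY}: //p" | base64 -d
}

if [ "${1:-}" = "apply" ]; then
  # Real run. Reading the key from the environment keeps it out of shell history
  # and off disk; the manifest is piped straight into oc.
  : "${TMV1_API_KEY:?set TMV1_API_KEY to the Vision One API key}"
  oc get namespace "$NAMESPACE" >/dev/null 2>&1 || oc create namespace "$NAMESPACE"
  registration_secret_manifest "$TMV1_API_KEY" | oc apply -f -
  # Verify the stored key name without printing the secret value.
  oc get secret "$SECRET_NAME" -n "$NAMESPACE" \
    -o go-template='{{range $k, $_ := .data}}{{$k}}{{"\n"}}{{end}}' | grep -qx "$SECRET_KEY"
fi
```

Run it as `TMV1_API_KEY=... sh register-secret.sh apply` after logging in with `oc login`. The final `oc get secret` lists only key names, so the check confirms the operator will find `registration.key` without echoing the credential to the terminal.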
Manually register
Create a cluster in the Trend Vision One console using a bootstrap token.
- From the Trend Vision One console, navigate to .
- Click + Add Cluster under the Kubernetes section.
- Give the Red Hat OpenShift cluster a unique name.
- Copy the bootstrap token.
Note
The bootstrap token is used during the installation process. It expires after one day, so generate it shortly before you create the operand.
Install the operator
- Open the OpenShift cluster web administrative console at https://console-openshift-console.apps.<cluster-name>.<base-domain>
Note
Use the following command to get the exact web console URL from the OpenShift CLI: oc whoami --show-console
- In the left-hand panel of the OpenShift admin console, select Operators, and then open the OperatorHub.
- On the OperatorHub page, search for VisionOne in the search box at the top. Click Trend Vision One™ Container Security to open the operator information dialog.
- Click Install.
Note
- By default, the operator selects the stable channel with the latest version to be installed. You can change the channel to alpha to install a preview release.
- The Container Security Operator requires the trendmicro-system namespace to be created for installation. Use the default, recommended trendmicro-system namespace.
- Choose Automatic for automatic upgrades, or Manual for upgrades that require manual update approval.
- After installing the operator, click View Operator to view the operator status.
- Navigate to VisionOneContainerSecurity from the top menu, and click Create VisionOneContainerSecurity to open the create operand form.
- In the create VisionOneContainerSecurity operand form, click VisionOne to expand the list of settings required to connect with Trend Vision One. Define the following in the VisionOne section:
  - For auto registration, set the following values:
    Note
    Make sure you have stored the Trend Vision One API key as a secret in the cluster, as described in Automatically register.
    - clusterRegistrationKey: Set the value to true.
    - clusterName: Name of the cluster in Vision One. If not specified, the name will be a random string.
    - clusterNamePrefix: Optional prefix for the cluster name.
    - policyId: ID of an existing policy in Vision One that will be assigned to the new cluster.
    - groupId: ID of an existing group in Vision One that will be assigned to the new cluster.
    Note
    See the automated cluster registration README for more information.
  - For manual registration:
    Note
    Make sure to set the bootstrapToken value in your overrides.yaml file, as described in Manually register.
    - clusterRegistrationKey: Set the value to false.
    - bootstrapToken: Enter the required token.
    Note
    The bootstrapToken expires after 1 day. This value is not required for auto registration.
  - For manual registration, set the following values to the same values as in your overrides.yaml file. For auto registration, set the values based on the new cluster's requirements. Leave a value blank if it does not apply:
    - exclusion: List of namespaces to be excluded from scans. Events are not generated for these namespaces, so keep the list to namespaces you deliberately do not want monitored.
    - endpoint: The Trend Vision One API endpoint. The default endpoint (https://api.xdr.trendmicro.com/external/v2/direct/vcs/external/vcs) works for most regions. For Middle East and Africa (MEA), update the endpoint to https://api.mea.xdr.trendmicro.com/external/v2/direct/vcs/external/vcs.
    - inventoryCollection: Enables the inventory scanning feature.
    - malwareScanning: Enables the malware scanning feature.
    - runtimeSecurity: Enables the Runtime Security feature.
    - secretScanning: Enables the secret scanning feature.
    - vulnerabilityScanning: Enables the vulnerability scanning feature.
    - policyOperator: Set the policy name created after cluster registration. Refer to the sample ClusterPolicy YAML in GitHub to create a new cluster policy using the specified policy name.
- Click Create to create the operand instance, which installs the Container Security Helm chart.
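The same operand can be created from the OpenShift CLI instead of the form. The script below is an added example, not Trend Micro's own code or sample manifest: it builds a VisionOneContainerSecurity manifest for either registration mode and refuses the mismatched combinations the steps above warn about (a bootstrap token together with auto registration, or manual registration without a token). The field names under spec.visionOne are the ones listed above; the apiVersion visionone.trendmicro.com/v1alpha1, the `enabled:` sub-key layout of the feature toggles (borrowed from the Helm chart's values layout) and the exclusion.namespaces list shape are assumptions, so confirm the real schema with `oc api-resources | grep -i visionone` and `oc explain <resource>.spec` before applying. The cluster name, endpoint and excluded namespace are placeholders.

```shell
#!/bin/sh
# Added example, not Trend Micro's sample manifest: build the
# VisionOneContainerSecurity operand for either registration mode from the CLI.
# ASSUMED (verify with `oc explain`): the apiVersion, the `enabled:` layout of the
# feature toggles and the exclusion.namespaces list. The field names under
# spec.visionOne are the ones the operand form shows.
set -eu

API_VERSION="visionone.trendmicro.com/v1alpha1"   # assumed, verify against the CRD
OPERAND_NAME="visiononecontainersecurity"         # placeholder operand name
NAMESPACE="trendmicro-system"
ENDPOINT="https://api.xdr.trendmicro.com/external/v2/direct/vcs/external/vcs"

# operand_manifest MODE CLUSTER_NAME [BOOTSTRAP_TOKEN]
#   MODE "auto"   reads the registration-key Secret (clusterRegistrationKey: true)
#   MODE "manual" embeds a bootstrap token copied from the console (valid 1 day)
operand_manifest() {
  mode="$1"
  cluster_name="$2"
  token="${3:-}"
  case "$mode" in
    auto)
      # A token is not used for auto registration; refusing it keeps a stale
      # credential out of the manifest.
      [ -z "$token" ] || { echo "auto mode: do not pass a bootstrap token" >&2; return 1; }
      reg_key=true ;;
    manual)
      [ -n "$token" ] || { echo "manual mode: a bootstrap token is required" >&2; return 1; }
      reg_key=false ;;
    *)
      echo "mode must be auto or manual" >&2; return 1 ;;
  esac

  cat <<EOF
apiVersion: ${API_VERSION}
kind: VisionOneContainerSecurity
metadata:
  name: ${OPERAND_NAME}
  namespace: ${NAMESPACE}
spec:
  visionOne:
    clusterRegistrationKey: ${reg_key}
    clusterName: ${cluster_name}
EOF
  # Only manual mode carries the token; auto mode reads the Secret instead.
  if [ "$mode" = manual ]; then
    printf '    bootstrapToken: %s\n' "$token"
  fi
  # Exclusions silence events for those namespaces, so keep the list deliberate.
  cat <<EOF
    endpoint: ${ENDPOINT}
    exclusion:
      namespaces:
        - kube-system
    inventoryCollection:
      enabled: true
    vulnerabilityScanning:
      enabled: true
    secretScanning:
      enabled: true
    malwareScanning:
      enabled: false
    runtimeSecurity:
      enabled: true
EOF
}

if [ "${1:-}" = "apply" ]; then
  # Usage: sh operand.sh apply auto my-cluster
  #        sh operand.sh apply manual my-cluster "$BOOTSTRAP_TOKEN"
  operand_manifest "$2" "$3" "${4:-}" | oc apply -f -
  # The operator then installs the chart; its pods appear in the namespace.
  oc get pods -n "$NAMESPACE"
fi
```

For manual registration the token ends up in the manifest, so pass it from an environment variable and do not commit the rendered YAML; it is only valid for a day, but a checked-in copy still leaks which cluster it belonged to.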
- From the Trend Vision One console, you can now check the protection status of your Red Hat OpenShift cluster nodes under .