Container Security components use the Helm package manager for Kubernetes. Helm chart versions 3 or later are supported.
Note
  • Clusters that run Helm chart versions older than 2.3.25 (or 1.0.8 for ECS) will no longer receive new rule updates.
  • Clusters that use unsupported Helm chart versions retain protection from their last downloaded rules file but might have error logs in Scout for rule download failures.
  • To ensure continued rule updates, upgrade the Helm chart to the latest version. See Upgrade Helm chart.
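The version thresholds in the note above can be checked across a fleet with a short script. This is an added example, not part of the vendor documentation; the cluster names and versions in the inventory are constructed, and collecting each cluster's installed chart version is left to your own tooling.

```shell
#!/bin/sh
# Added example: flag clusters whose chart version no longer gets rule updates.
# Thresholds are the ones stated in the note above.
MIN_K8S="2.3.25"
MIN_ECS="1.0.8"

# version_ge A B: return 0 if A >= B, 1 if A < B, 2 if either is malformed.
# Any "-pre" or "+build" suffix is ignored; fields are compared numerically,
# so 2.3.9 correctly sorts below 2.3.25 (a plain string compare would not).
version_ge() {
    va=${1%%[-+]*}; vb=${2%%[-+]*}
    case "$va" in ""|*[!0-9.]*) return 2 ;; esac
    case "$vb" in ""|*[!0-9.]*) return 2 ;; esac
    n=0
    while [ "$n" -lt 3 ]; do
        x=${va%%.*}; y=${vb%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        # Drop the field just compared; pad with 0 when none are left.
        case "$va" in *.*) va=${va#*.} ;; *) va=0 ;; esac
        case "$vb" in *.*) vb=${vb#*.} ;; *) vb=0 ;; esac
        n=$((n + 1))
    done
    return 0
}

# receives_rule_updates PLATFORM VERSION (PLATFORM: kubernetes | ecs)
receives_rule_updates() {
    case "$1" in
        kubernetes) version_ge "$2" "$MIN_K8S" ;;
        ecs)        version_ge "$2" "$MIN_ECS" ;;
        *)          return 2 ;;
    esac
}

# stale_clusters: read "name platform version" lines on stdin and print the
# name of every cluster that is below the threshold or cannot be parsed.
stale_clusters() {
    while read -r name platform version; do
        [ -n "$name" ] || continue
        receives_rule_updates "$platform" "$version" || echo "$name"
    done
}

# Constructed inventory (hypothetical cluster names and versions).
INVENTORY='prod-eks kubernetes 2.3.25
dev-aks kubernetes 2.3.9
batch-ecs ecs 1.0.8
legacy-ecs ecs 1.0.7
lab-gke kubernetes 2.4.0-rc1'

printf '%s\n' "$INVENTORY" | stale_clusters
```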

Install Helm chart

  1. Create a file named overrides.yaml to hold your cluster-specific settings.
    Note
    You can find the setting values in the Trend Vision One console or the Container Security API when you create a cluster. See the Values.yaml file for a reference when creating your overrides file.
  2. Use helm to install Container Security components with your cluster-specific settings. We recommend that you run Container Security in its own namespace.
  3. To install the Helm chart into an existing Kubernetes namespace, use the --namespace flag with the helm install command:
    helm install \
        --values overrides.yaml \
        --namespace ${namespace} \
        trendmicro \
        https://github.com/trendmicro/cloudone-container-security-helm/archive/master.tar.gz
Note
For more information about helm install, see the Helm installation documentation.
The table below describes environments that require specific settings.
| Environment | Description |
| --- | --- |
| AWS EKS Fargate | If you are using Container Security in a pure AWS EKS Fargate environment, you might need to adjust your Fargate profile to allow pods in a non-default namespace (ex: trendmicro-system). See AWS documentation for more information on Fargate profiles. |
| Red Hat OpenShift | If you are using Container Security in a Red Hat OpenShift environment, the Helm Chart creates a Security Context Constraint to allow Container Security components to have the minimum security context requirements to run. |
| Pod Security Admission | If you are using Container Security in a cluster with Pod Security Admission and you have runtime security enabled, ensure the namespace where Container Security is installed is using the privileged Pod Security Standards policy. |

Upgrade Helm chart

Use the following to upgrade an existing installation in the default Kubernetes namespace to the latest version:
Note
During an upgrade, Helm resets any values that are not set in overrides.yaml.
helm upgrade \
    --values overrides.yaml \
    --namespace ${namespace} \
    trendmicro \
    https://github.com/trendmicro/cloudone-container-security-helm/archive/master.tar.gz
To use the previously set values, use the --reuse-values option during a Helm upgrade:
helm upgrade \
    --namespace ${namespace} \
    --reuse-values \
    trendmicro \
    https://github.com/trendmicro/cloudone-container-security-helm/archive/master.tar.gz