Add a cluster
To set up Container Security in your environment:
- Set up required components.
- Create a Kubernetes cluster, if you haven't got one already.
- Install the policy-based deployment controller.
Set up required components
- Set up kubectl and Helm 3 (version 3.0.1 or later) on your local computer so you can remotely manage your Kubernetes cluster. For tips on installing and upgrading Helm, see the Container Security Helm readme.
- Trend Micro Cloud One Container Security leverages Kubernetes network policies to perform isolation mitigation. Network policies are implemented by the network plugin. To use the Continuous Compliance feature in Container Security, you'll need a network plugin with NetworkPolicy support. For details, see the Container Security Helm readme.
Create a Kubernetes cluster
If you already have a Kubernetes cluster available, you can skip this section.
Container Security supports Kubernetes 1.14 or newer. Amazon Elastic Container Service (ECS) is not supported. The runtime security feature has additional requirements, which you can find in the Application Security help.
You can deploy the Kubernetes cluster using any method you prefer. If you're not familiar with how to create a Kubernetes cluster with your cloud provider, these resources may be helpful:
- Amazon Elastic Kubernetes Service (EKS):
- Google Kubernetes Engine (GKE):
- Azure Kubernetes Service (AKS):
When deploying to an EKS cluster with Bottlerocket nodes, you will need to adjust the Helm chart overrides.
Install the policy-based deployment controller and enable runtime security
To use the policy-based deployment control feature, you must deploy a very small pod to each cluster that you want to protect.
You only need to install 1 policy-based deployment controller per Kubernetes cluster.
- Open the Trend Micro Cloud One console and select Container Security.
- Go to the Clusters page.
- Do one of the following:
  - If this is your first cluster, click + Add a cluster.
  - If this is not your first cluster, select + Add.
- Provide the following information:
  - Name: a unique name for your cluster that will help you to identify it
  - Description: an optional description of the cluster
  - Policy: select a policy. If you haven't created a policy yet, you can do it later and then update this setting. (See Create a policy)
  - Namespace Exclusions: select namespaces in which to ignore resources. The Kube System namespace is selected by default. Container Security will ignore resources in the selected namespaces. These resources will not be monitored, evaluated or mitigated by any policies. See OpenShift best practices for example uses.
  - To enable runtime security, select the Enabled checkbox. For more information about this feature, see Configure runtime security.
  - To enable runtime vulnerability scanning, select the Enabled checkbox. For more information about this feature, which is currently in preview, see Configure runtime vulnerability scanning.
- Select Next.
- The first snippet on the page contains the API key for your cluster. This key is unique to your cluster and should not be reused for other clusters. Copy the snippet and add it to your overrides file (usually overrides.yaml). After you close this window, the API key will not be displayed again.
- The second snippet on the page contains a helm install command. Use it to install the deployment controller in your cluster. For more information on installing the deployment controller, see the Container Security Helm readme.
If you are running Container Security in a pure AWS EKS Fargate environment, you may need to adjust your Fargate profile to allow pods in a non-default namespace (for example, trendmicro-system) to be scheduled. See the AWS documentation for more information on Fargate profiles.
Next, you'll need to create a policy if you haven't done so already.
Troubleshooting
A successful installation should contain one "Ready" admission controller pod.
If you encounter problems, use kubectl get pods and kubectl logs deployment/trendmicro-admission-controller to debug any issues you encounter during the installation.
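A small POSIX shell check for the success criterion above, added here as an example and not part of the Trend Micro documentation. It assumes the trendmicro-system namespace and the trendmicro-admission-controller deployment name used on this page, and runs against a constructed kubectl sample unless invoked with --live.

```shell
#!/bin/sh
# Added example, not part of the Trend Micro documentation: check that the
# Container Security admission controller reached the "one Ready pod" state
# the troubleshooting section describes. Assumes the trendmicro-system
# namespace and the trendmicro-admission-controller deployment name from
# the page; the SAMPLE output below is constructed for offline use.
NAMESPACE="${NAMESPACE:-trendmicro-system}"
DEPLOYMENT="trendmicro-admission-controller"

# count_ready_pods: reads `kubectl get pods --no-headers` lines on stdin and
# prints how many pods of the deployment are Running with all containers
# ready (READY column such as 1/1).
count_ready_pods() {
    awk -v name="$DEPLOYMENT" '
        $1 ~ ("^" name "-") && $3 == "Running" {
            split($2, rc, "/")
            if (rc[1] + 0 > 0 && rc[1] + 0 == rc[2] + 0) ready++
        }
        END { print ready + 0 }'
}

# check_install: exit status 0 when exactly one Ready controller pod exists
# (the success criterion from the page), 1 otherwise.
check_install() {
    ready=$(count_ready_pods)
    if [ "$ready" -eq 1 ]; then
        echo "OK: one Ready admission controller pod in $NAMESPACE"
        return 0
    fi
    echo "FAIL: expected 1 Ready admission controller pod, found $ready" >&2
    return 1
}

# Constructed sample of `kubectl get pods -n trendmicro-system --no-headers`.
SAMPLE='trendmicro-admission-controller-6d9f7c9b5d-x2k4p   1/1   Running   0   3m
example-unrelated-pod-7c8d9                         1/1   Running   0   3m'

if [ "${1:-}" = "--live" ]; then
    # Against a real cluster: on failure, pull the controller logs the page
    # points to so the cause is visible in one step.
    kubectl get pods -n "$NAMESPACE" --no-headers | check_install \
        || kubectl logs "deployment/$DEPLOYMENT" -n "$NAMESPACE" --tail=50
else
    printf '%s\n' "$SAMPLE" | check_install
fi
```

Run it with --live on a cluster where kubectl already points at the right context; without the flag it only exercises the constructed sample.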