Frequently asked questions

Container Security

Why am I getting a '401 Unauthorized' message on API calls?

This is usually because you haven't created an API key to authenticate your requests with Container Security. For information on creating and using a Trend Micro Cloud One API key, see the API key help. Deprecated: For information on creating and using a legacy API key, see the Workload Security API key help.

Does Container Security require inbound network access to my Kubernetes cluster?

Container Security currently does not require any inbound network access and does not require any extra IP addresses to be added to inbound firewall rules. Communication from the admission controller, as well as from Deep Security Smart Check to Trend Micro Cloud One™ - Container Security, is outbound-initiated only over HTTPS port 443.

If I restrict outbound traffic, what URLs do I need to allow to communicate with the internet?

  • Trend Micro Cloud One (where <region> is your Trend Micro Cloud One region):
    • https://container.<region>.cloudone.trendmicro.com
    • https://iot.container.<region>.cloudone.trendmicro.com
  • Runtime security (allow the endpoint for your Trend Micro Cloud One region):
    • US: https://sensor-components-prod-componentsstoragebucket-1tgz7758j5977.s3.amazonaws.com
    • India: https://sensor-components-prod-componentsstoragebucket-4t1tmfipzmxq.s3.amazonaws.com
    • UK: https://sensor-components-prod-componentsstoragebucket-177dw039ojo4z.s3.amazonaws.com
    • Japan: https://sensor-components-prod-componentsstoragebucket-a1g8t8ve13ql.s3.amazonaws.com
    • Germany: https://sensor-components-prod-componentsstoragebucket-dt9l26kxtrha.s3.amazonaws.com
    • Australia: https://sensor-components-prod-componentsstoragebucket-mqamem5enf3f.s3.amazonaws.com
    • Canada: https://sensor-components-prod-componentsstoragebucket-1lllr5j8i7dmf.s3.amazonaws.com
    • Singapore: https://sensor-components-prod-componentsstoragebucket-x75mv7yqzt9.s3.amazonaws.com
  • Runtime vulnerability scanning (allow the endpoint for your Trend Micro Cloud One region):
    • US: https://asaas-scan-upload-us-east-1-prod.s3.us-east-1.amazonaws.com
    • India: https://asaas-scan-upload-ap-south-1-prod.s3.ap-south-1.amazonaws.com
    • UK: https://asaas-scan-upload-eu-west-2-prod.s3.eu-west-2.amazonaws.com
    • Japan: https://asaas-scan-upload-ap-northeast-1-prod.s3.ap-northeast-1.amazonaws.com
    • Germany: https://asaas-scan-upload-eu-central-1-prod.s3.eu-central-1.amazonaws.com
    • Australia: https://asaas-scan-upload-ap-southeast-2-prod.s3.ap-southeast-2.amazonaws.com
    • Canada: https://asaas-scan-upload-ca-central-1-prod.s3.ca-central-1.amazonaws.com
    • Singapore: https://asaas-scan-upload-ap-southeast-1-prod.s3.ap-southeast-1.amazonaws.com
  • Trend Micro Artifact Scanner (allow the endpoints for your Trend Micro Cloud One region):
    • US:
      • https://artifactscan.us-1.cloudone.trendmicro.com
      • https://cli.artifactscan.cloudone.trendmicro.com
      • https://asaas-scan-upload-us-east-1-prod.s3.us-east-1.amazonaws.com
      • https://asaas-scan-vuln-us-east-1-prod.s3.us-east-1.amazonaws.com
    • India:
      • https://artifactscan.in-1.cloudone.trendmicro.com
      • https://cli.artifactscan.cloudone.trendmicro.com
      • https://asaas-scan-upload-ap-south-1-prod.s3.ap-south-1.amazonaws.com
      • https://asaas-scan-vuln-ap-south-1-prod.s3.ap-south-1.amazonaws.com
    • UK:
      • https://artifactscan.gb-1.cloudone.trendmicro.com
      • https://cli.artifactscan.cloudone.trendmicro.com
      • https://asaas-scan-upload-eu-west-2-prod.s3.eu-west-2.amazonaws.com
      • https://asaas-scan-vuln-eu-west-2-prod.s3.eu-west-2.amazonaws.com
    • Japan:
      • https://artifactscan.jp-1.cloudone.trendmicro.com
      • https://cli.artifactscan.cloudone.trendmicro.com
      • https://asaas-scan-upload-ap-northeast-1-prod.s3.ap-northeast-1.amazonaws.com
      • https://asaas-scan-vuln-ap-northeast-1-prod.s3.ap-northeast-1.amazonaws.com
    • Germany:
      • https://artifactscan.de-1.cloudone.trendmicro.com
      • https://cli.artifactscan.cloudone.trendmicro.com
      • https://asaas-scan-upload-eu-central-1-prod.s3.eu-central-1.amazonaws.com
      • https://asaas-scan-vuln-eu-central-1-prod.s3.eu-central-1.amazonaws.com
    • Australia:
      • https://artifactscan.au-1.cloudone.trendmicro.com
      • https://cli.artifactscan.cloudone.trendmicro.com
      • https://asaas-scan-upload-ap-southeast-2-prod.s3.ap-southeast-2.amazonaws.com
      • https://asaas-scan-vuln-ap-southeast-2-prod.s3.ap-southeast-2.amazonaws.com
    • Canada:
      • https://artifactscan.ca-1.cloudone.trendmicro.com
      • https://cli.artifactscan.cloudone.trendmicro.com
      • https://asaas-scan-upload-ca-central-1-prod.s3.ca-central-1.amazonaws.com
      • https://asaas-scan-vuln-ca-central-1-prod.s3.ca-central-1.amazonaws.com
    • Singapore:
      • https://artifactscan.sg-1.cloudone.trendmicro.com
      • https://cli.artifactscan.cloudone.trendmicro.com
      • https://asaas-scan-upload-ap-southeast-1-prod.s3.ap-southeast-1.amazonaws.com
      • https://asaas-scan-vuln-ap-southeast-1-prod.s3.ap-southeast-1.amazonaws.com
  • Telemetry: https://telemetry.deepsecurity.trendmicro.com

How do I allow Smart Check containers to bypass policies?

You will need to create an exception for Smart Check images:

  1. Open the Container Security web console.
  2. Go to Policies.
  3. Select the policy you want to change.
  4. On the Deployment and Continuous tabs, scroll to the Exceptions section and enable this exception: Allow images with names that start with deepsecurity/

Are regular expressions supported when creating policies?

We support the keywords "contains" and "start with" for image registry, name, and tag in the first release. This provides a basic regular expressions interface.

Does each Kubernetes cluster need its own admission controller?

Yes. Each Kubernetes cluster should have its own admission controller. If you need to, you can scale the desired replicas. The default is 1.

Will the validation of admission control webhooks cause Container Security to change a container's configuration?

No. It only validates whether a deployment request is allowed or denied by a policy definition.

During the validating phase, when you run kubectl apply -f <...>, does the admission controller query Container Security? If so, is a local cache being used for each query?

Yes. The admission controller queries Container Security every time a review request happens in Kubernetes, for both kubectl create and kubectl apply.

To ensure the policy is always up to date, no local cache is used for queries or policies.

By default, review requests from the kube-system namespace are not forwarded to Container Security. For more information, see the admission controller yaml file.

What is the telemetry in Container Security used for? What kind of data is admission control sending?

For more information about data collection and telemetry, see Container Security Data Collection.

If a connection to Cloud One fails, will an administrator be notified about an issue in the validation process? If so, how are they notified, and can you configure the notifications?

No alerts will be raised, but a warning icon will appear on the cluster page after 24 hours of inactivity, and the admission controller will contain error logs. You can also configure the logging destination in your cluster, which allows you to integrate our logging solution with Kubernetes.

If Cloud One is not responsive, you can also configure what happens by changing the failurePolicy property. By default, failurePolicy is set to Ignore, which allows the admission request if Cloud One is not accessible. If you set failurePolicy to Fail, then the admission request fails.
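
The following is an added example, not part of the Container Security chart or documentation: a small audit that reads the JSON from `kubectl get validatingwebhookconfigurations -o json` and reports which webhooks fail open (failurePolicy Ignore) and which namespaces are never reviewed. The webhook names and the embedded sample are constructed, and it assumes namespace exclusions are expressed as a NotIn selector on the `kubernetes.io/metadata.name` label.

```python
import json

# Constructed sample shaped like `kubectl get validatingwebhookconfigurations -o json`.
# Names are hypothetical, not the ones the Container Security chart installs.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "example-admission-controller"},
   "webhooks": [
     {"name": "validate.example.internal", "failurePolicy": "Ignore",
      "namespaceSelector": {"matchExpressions": [
        {"key": "kubernetes.io/metadata.name", "operator": "NotIn",
         "values": ["kube-system"]}]}},
     {"name": "strict.example.internal", "failurePolicy": "Fail",
      "namespaceSelector": {}},
     {"name": "unset.example.internal"}
   ]}
]}
""")

NS_NAME_LABEL = "kubernetes.io/metadata.name"  # label Kubernetes sets on every namespace

def audit_webhooks(doc):
    """Return one finding per webhook: fail-open status and excluded namespaces."""
    findings = []
    for cfg in doc.get("items", []):
        for hook in cfg.get("webhooks", []):
            # admissionregistration.k8s.io/v1 defaults failurePolicy to Fail when unset.
            policy = hook.get("failurePolicy", "Fail")
            selector = hook.get("namespaceSelector") or {}
            excluded = []
            for expr in selector.get("matchExpressions", []):
                # Only NotIn on the namespace-name label lists namespace names directly.
                if expr.get("key") == NS_NAME_LABEL and expr.get("operator") == "NotIn":
                    excluded.extend(expr.get("values", []))
            findings.append({
                "config": cfg["metadata"]["name"],
                "webhook": hook["name"],
                "fail_open": policy == "Ignore",
                "excluded_namespaces": sorted(excluded),
            })
    return findings

def fail_open_webhooks(doc):
    """Names of webhooks that admit requests when their backend is unreachable."""
    return [f["webhook"] for f in audit_webhooks(doc) if f["fail_open"]]

if __name__ == "__main__":
    for finding in audit_webhooks(SAMPLE):
        print(finding)
```

A fail-open webhook combined with the 24-hour delay before the console warning means a connectivity loss can go unnoticed while unreviewed workloads are admitted, so the admission controller's error logs are worth forwarding to your alerting pipeline.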

When should you increase the replica count for the admission controller?

Consider increasing the replica count for the admission controller in large environments, where many admission requests may occur at the same time. Admission requests occur when a pod scales its replica counts, new deployments occur, etc.

How do you add pods with multiple containers to exceptions?

Pods with multiple containers should have exceptions for all containers inside of them. Container Security allows the admission request only if every requested container either does not violate a policy rule or meets exception criteria.

Why is my pod not being isolated from network access?

If you are using the "Isolate" action in your Continuous Compliance policy or Runtime rules, the Kubernetes cluster where the protected resources are running must have Kubernetes network policies enabled. To enable Kubernetes network policies, install a network plugin with NetworkPolicy support using the provided guide in the helm chart README.

Why are vulnerabilities not showing up in the vulnerability view?

See Troubleshooting Runtime Vulnerability Scanning for instructions.

Can I have multiple scan tools installed in my cluster?

It is recommended to only include one scanning tool in each cluster, as multiple such tools running concurrently can cause unpredictable behavior where both tools continuously scan each other's pods. If this situation is not avoidable, you can exclude the other scan tool's namespace from Container Security scans by adding the following to your overrides file:

cloudOne:
    exclusion:
        namespaces: [list, of, namespaces]

It is also recommended to exclude the namespace where you installed Container Security from getting scanned by the other scan tool.

When should I increase the maximum concurrency for the vulnerability scanner pods?

Large clusters could benefit from increasing the default maximum concurrency for the vulnerability scanner pods to drive faster scan results, by using more of your cluster's resources. The scanner pod concurrency limit is meant to constrain Container Security's resource usage within your cluster. For example, if the concurrency limit was set to 5, then a maximum of 5 unique images can be scanned at a time. Modifying the scanner pod concurrency limit can be done through your overrides file:

cloudOne:
    scanManager:
        maxJobCount: 15

When increasing the concurrency limit for the vulnerability scanner pods, please ensure your cluster has enough resources to handle the additional scanner pods. The default resource requirements for each scanner pod are specified in the helm chart.

Smart Check

Does Smart Check only find vulnerabilities in packages that are installed with a package manager?

Smart Check scans both the installed package list as well as a set of applications commonly installed by copying them directly to the file system. Our labs team provides an active feed with up-to-date information about the supported applications.

Does Smart Check get automatic security updates, or do I need to upgrade to get security updates?

Deep Security Smart Check updates its malware details and vulnerability definitions automatically. You will need to upgrade to get software updates, including new feature and security updates.

How do I scan images before they reach my production registry?

See Configure pre registry scanning for instructions.

How do I override a vulnerability or content scan finding?

If a scan finds a vulnerability or content scan issue but you know it's not a concern, you can override it using the Smart Check API. For details, see the Overrides section of the API.

How do I check whether images meet common PCI-DSS compliance requirements?

You can use the checklist feature in the Smart Check API to verify whether a scanned image complies with common PCI requirements. The checklist feature is currently supported for CentOS and Red Hat images only. For details, see the Scans section of the API.