Table of contents

Configure runtime security

Runtime security provides visibility into container activity that violates a customizable set of rules. Currently, runtime security includes a set of pre-defined rules that provide visibility into MITRE ATT&CK framework tactics for containers, as well as container drift detection. Container Security can automatically mitigate problems detected by the runtime security feature. If a pod violates any rule during runtime, the issue is mitigated by terminating or isolating the pod based on the ruleset assigned to its Container Security policy.

Runtime security is compatible with Kubernetes and supports Amazon EKS, Microsoft Azure AKS, Google GKE, and OpenShift. It is currently supported with default and the most recent Linux kernels.

Create a runtime ruleset

After you have access to the runtime security preview, create one or more runtime rulesets. Choose from several managed rules provided by Trend Micro to define a set of rules that you want to enforce.

  1. Open the Trend Cloud One console and select Container Security.
  2. Go to Runtime Rulesets icon Runtime Rulesets.
  3. Do one of the following:

    • If this is your first ruleset, click + New runtime rulesets.

      A screen displayed if there are no existing runtime rulesets

    • If this is not your first ruleset, select + New.

      A screen displayed if at least one runtime ruleset exists

  4. Provide the following information:

    • Name: a unique name for the ruleset that will help you to identify it. You cannot change this name after the ruleset is created.
    • Description: an optional description of the ruleset.

    Page to enter data to create a runtime ruleset

  5. By default, the ruleset is applied to all pods in a cluster. If you want to limit the ruleset to certain applications, add one or more labels that match against the Kubernetes labels applied to your applications. Container Security enforces the rules for applications that match the labels you specify:

    1. Click Add Label.
    2. Enter the label key and value to be matched.

      For example, adding a label of app:php applies the ruleset only to Kubernetes pods labeled with app:php.

  6. Click Add Rule and use the dialog to select the rules that you want to enforce with this ruleset, then click Apply. To select all rules, use the table heading.

    For information about the attack technique that a rule is designed to prevent, search for the MITRE ID (for example T1021.004) at MITRE ATTACK.

  7. For each rule, use Mitigation to select the action that Container Security takes when a running pod violates the rule. These actions include logging an event and allowing the pod to keep running, isolating the pod's network traffic, and terminating the pod.

  8. Click Create to finalize your new ruleset.

Add a ruleset to a policy

Create a policy and use the Runtime tab to add one or more rulesets to it. You can also add rulesets to an existing policy. For instructions, see Create a policy.

You also need to assign the policy to the cluster that you want to protect. This applies the ruleset to the cluster.

Enable runtime security for a cluster

If you have not registered a cluster to Container Security, follow the instructions in Add a cluster.

If you registered a cluster to Container Security, but did not enable runtime security, proceed as follows:

  1. Add runtimeSecurity.enabled=true to your overrides file (typically, overrides.yaml):

        apiKey: <API_KEY>
        endpoint: <ENDPOINT>
            enabled: true
  2. Use the following command to upgrade Container Security:

    helm upgrade \
        trendmicro \
        --namespace trendmicro-system --create-namespace \
        --values overrides.yaml \

View runtime events

When a runtime rule is triggered, it generates an event visible through the Events page. For more information, see Monitor events.

Disable runtime security

To disable runtime security in a cluster, but keep the other aspects of Container Security, do the following:

  1. Set runtimeSecurity.enabled=false in your overrides file (typically overrides.yaml).

        apiKey: <API_KEY>
        endpoint: <ENDPOINT>
            enabled: false
  2. Use the following command to upgrade the Container Security cluster:

    helm upgrade \
        trendmicro \
        --namespace trendmicro-system \
        --values overrides.yaml \

Taints and tolerations

Taints are a Kubernetes concept that allow nodes to repel a set of pods. For more information, see Kubernetes: Taints and Tolerations. If you are using taints, you can use tolerations to ensure that runtime security is applied to tainted nodes. This is done by adding tolerations to your overrides file in the following format:

  - key: "key1"
    operator: "Equal"
    value: "value1"
    effect: "NoSchedule"

To add tolerations for all taints (applying runtime security to all nodes, regardless of taints), add the following to your overrides file:

  - key: ""
    operator: Exists

Supported Linux kernels major and minor versions

Container Security Helm version 2.3.14 added support for the modern Berkeley Packet Filter (BPF), also known as eBPF CO-RE (Compile Once, Run Everywhere). This allows Container Security to support any Linux kernel version 5.8 or later, as long as BTF types are exposed.

The following is a non-exclusive list of the kernel version flavors supported by Container Security.

Platform Major and minor version Flavor
Amazon Linux 2 4.14.x
Amazon Linux 2 5.4.x
Amazon Linux 2 5.10.x
Amazon Linux 2 5.15.x
Red Hat Enterprise Linux CoreOS (RHCOS) 4.18.x
Ubuntu 4.15.x generic
Ubuntu 5.4.x generic
Ubuntu 5.4.x azure
Ubuntu 5.4.x aws
Ubuntu 5.4.x gke
Ubuntu 5.11.x generic
Ubuntu 5.11.x azure
Ubuntu 5.11.x aws
Google Container-Optimized OS (COS) 5.4.x
Google Container-Optimized OS (COS) 5.10.x
Debian 11 5.10.x generic
Bottlerocket 5.10.x