Use cases

This section describes some deployment and usage scenarios for Container Security.

Use Case 1: Container image scanning, policy-based deployment control, and continuous compliance

This use case provides the most complete protection for your container images. It combines the capabilities of Deep Security Smart Check (which performs container image scans in your development environment) with the policy-based deployment control capabilities of Container Security.

Container image scanning can take place before the image reaches the registry (via the Smart Check API), and on an ongoing basis when the image is stored in the registry. The results of the container image scans are sent to Trend Micro Cloud One - Container Security, which then checks them against a policy that you define. The policy can also check certain image properties, in addition to the scan results.

When Kubernetes objects are ready to be deployed, the Container Security webhook is triggered, which checks the policy you've configured, determines whether the image is safe to deploy, and either allows or blocks it from running.

After Kubernetes objects are deployed, continuous compliance rules are triggered. The continuous compliance rules intermittently run in a control loop, which checks if a container is violating policy rules that are assigned to a cluster or its namespaces. The control loop can be triggered using a custom controller.

Use Case 2: Policy-based deployment control and continuous compliance

If you aren't using Smart Check in your development environment, you can use Container Security to define a policy that's based strictly on a Kubernetes object's properties. The deployment controller then allows or blocks the deployment based on the policy through its native integration with Kubernetes. After deployment, you can then intermittently check for policy-violating behaviors in your containers using continuous compliance rules.

Use Case 3: Container image scanning with policies

If you're using Smart Check in your development environment but aren't interested in policy-based deployment control, Container Security can enhance Smart Check image scanning by providing policy management to help you manage scan results.

When using Smart Check on its own, scan results are delivered as raw results that developers can review. You can also use your tool suite's scripting language to check the scan results and perform actions based on the results.

With Container Security, Smart Check scan results are sent to Trend Micro Cloud One™, where you can configure policies based on scan results. Policy management:

  • Removes the need to hard-code rules in your pipeline to deal with scan results.
  • Separates policy owners from policy consumers. Instead of requiring developers to create rules to deal with scan results in the development pipeline, policy owners can create policies in the Trend Micro Cloud One console.
  • Allows you to create different policies for different stages of a container image's lifecycle. For example, the policy for a container that's in a functional test phase might be more permissive than the policy for a container image that's being sent to the production registry.
  • Allows you to share common policies across multiple pipelines.
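The following is an added illustration, not Container Security's own code or API, of the three mechanisms the use cases above describe: a policy evaluated at admission time by a webhook (Use Case 1), a policy that also checks plain Kubernetes object properties such as a privileged security context (Use Case 2), and policy management over scan results, including a more permissive policy for an earlier lifecycle stage (Use Case 3). The policy fields, the scan-result dictionary shape, the registry name `registry.example.internal`, the scan results and the pod objects are all constructed assumptions; only the `AdmissionReview` envelope follows the real Kubernetes `admission.k8s.io/v1` format.

```python
"""Policy-based deployment control and continuous compliance, illustrated.
Added example, not Trend Micro Container Security code. Policy fields, the
scan-result dict shape, registry names and pod objects are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    allowed_registries: tuple = ("registry.example.internal",)  # assumed allow-list
    block_latest_tag: bool = True   # a mutable tag breaks scan-to-deploy traceability
    require_scan: bool = True       # an image with no scan result is blocked
    max_critical: int = 0           # vulnerability thresholds by severity
    max_high: int = 5
    block_malware: bool = True
    block_privileged: bool = True   # an object property, independent of scanning


def parse_image_ref(image):
    """Split an image reference into (registry, repository, tag, digest)."""
    name, _, digest = image.partition("@")
    first, _, rest = name.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:                               # no registry component: Docker Hub
        registry, path = "docker.io", name
    colon = path.rfind(":")
    if colon > path.rfind("/"):         # ':' after the last '/' separates the tag
        repo, tag = path[:colon], path[colon + 1:]
    else:
        repo, tag = path, (None if digest else "latest")
    return registry, repo, tag, digest or None


def evaluate(policy, image, scan, privileged=False):
    """Check one container against the policy; returns (allowed, reasons).
    scan is an assumed dict {"critical": n, "high": n, "malware": n} or None."""
    reasons = []
    registry, _, tag, _ = parse_image_ref(image)
    if registry not in policy.allowed_registries:
        reasons.append(f"registry {registry!r} is not allowed")
    if policy.block_latest_tag and tag == "latest":
        reasons.append("mutable tag 'latest'")
    if policy.block_privileged and privileged:
        reasons.append("privileged container")
    if scan is None:
        if policy.require_scan:
            reasons.append("no scan result for image")
    else:
        if scan.get("critical", 0) > policy.max_critical:
            reasons.append(f"{scan['critical']} critical vulnerabilities")
        if scan.get("high", 0) > policy.max_high:
            reasons.append(f"{scan['high']} high vulnerabilities")
        if policy.block_malware and scan.get("malware", 0):
            reasons.append("malware found")
    return not reasons, reasons


def check_pod(policy, pod_obj, scan_results):
    """Evaluate every container of a pod; returns 'container: reason' strings."""
    violations = []
    for c in pod_obj["spec"].get("containers", []):
        priv = c.get("securityContext", {}).get("privileged", False)
        _, reasons = evaluate(policy, c["image"], scan_results.get(c["image"]), priv)
        violations += [f"{c['name']}: {r}" for r in reasons]
    return violations


def admission_response(policy, review, scan_results):
    """Admission-time control: answer a Kubernetes AdmissionReview request."""
    req = review["request"]
    violations = check_pod(policy, req["object"], scan_results)
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": {"uid": req["uid"], "allowed": not violations,
                         "status": {"message": "; ".join(violations) or "policy satisfied"}}}


def compliance_sweep(policy, running_pods, scan_results):
    """Continuous compliance: one control-loop pass over already-deployed pods."""
    report = {}
    for p in running_pods:
        v = check_pod(policy, p, scan_results)
        if v:
            report[f"{p['metadata']['namespace']}/{p['metadata']['name']}"] = v
    return report


# Constructed scan results keyed by image reference (assumed format).
SCAN_RESULTS = {
    "registry.example.internal/app/web:1.4.2": {"critical": 0, "high": 2, "malware": 0},
    "registry.example.internal/app/worker:0.9.0": {"critical": 1, "high": 0, "malware": 0},
}


def pod(ns, name, image, privileged=False):
    """Build a minimal constructed Pod object with one container."""
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"containers": [{"name": name, "image": image,
                                     "securityContext": {"privileged": privileged}}]}}


if __name__ == "__main__":
    policy = Policy()
    review = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
              "request": {"uid": "c0ffee", "object": pod("prod", "web", "registry.example.internal/app/web:1.4.2")}}
    print(admission_response(policy, review, SCAN_RESULTS)["response"])
    print(compliance_sweep(policy, [pod("prod", "worker", "registry.example.internal/app/worker:0.9.0"),
                                    pod("dev", "debug", "docker.io/library/busybox:latest", privileged=True)],
                           SCAN_RESULTS))
```

The same evaluator serves both control points: the webhook path returns an `AdmissionReview` response whose `allowed` field decides whether the object is admitted, and the sweep re-runs the check over pods that are already running, so an image whose scan results worsen after deployment shows up as a violation on the next pass. A separate `Policy(...)` instance per lifecycle stage (for example `max_critical=2` for a functional-test namespace) is how the per-stage policies of Use Case 3 map onto this model.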

Now you're ready to learn how to get started with Container Security.