Before deploying Container Security, ensure that your Kubernetes clusters meet the minimum system requirements and specific Helm and network policy requirements.
System requirements
| Features Enabled | Min. vCPU Request | Max vCPU Limit | Min. Memory Request | Max Memory Limit |
| --- | --- | --- | --- | --- |
| Default features | 0.6 vCPU | 3.4 vCPU | 572 MB | 4 GB |
| Runtime security enabled | 0.6 vCPU + 0.2 vCPU per node | 3.4 vCPU + 2 vCPU per node | 572 MB + 768 MB per node | 4 GB + 2 GB per node |
| Runtime scanning enabled | 0.7 vCPU | 4.4 vCPU | 592 MB | 5 GB |
| Both features enabled | 0.7 vCPU + 0.2 vCPU per node | 4.4 vCPU + 2 vCPU per node | 592 MB + 768 MB per node | 5 GB + 2 GB per node |

Helm and network policy requirements
| Requirement | Description |
| --- | --- |
| Helm 3 (or later) | Container Security components use the helm package manager for Kubernetes. |
| Network policy support | Container Security continuous compliance enforces policies by leveraging Kubernetes network policies to perform isolation mitigation. Network policies are implemented by a network plugin. |

Note: Before connecting an Amazon EKS Fargate pod, ensure that the container meets the additional system requirements for EKS Fargate deployments.

If you are running Container Security in a Red Hat OpenShift environment, network isolation mitigation is only supported for pods whose security context is acceptable by the oversight controller's SecurityContextConstraint. If you want to let Container Security isolate pods that are not allowed by default, you can use the overrides.yaml file to override the default settings.

Important: The network policy with matchLabels trendmicro-cloud-one: isolate must exist in each application namespace in order to perform proper isolation mitigation.
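
One way to check the requirement above before relying on isolation mitigation. This is an added example, not Trend Micro code: it assumes the input is the JSON produced by `kubectl get networkpolicy --all-namespaces -o json` and that you supply the list of application namespaces yourself; the function names and the sample data are hypothetical.

```python
import json

# matchLabels pair named on this page
ISOLATE_LABEL = ("trendmicro-cloud-one", "isolate")


def has_isolate_selector(policy: dict) -> bool:
    """True if the policy's podSelector.matchLabels contains the isolate label."""
    selector = (policy.get("spec") or {}).get("podSelector") or {}
    labels = selector.get("matchLabels") or {}
    key, value = ISOLATE_LABEL
    return labels.get(key) == value


def namespaces_missing_isolate_policy(policy_list: dict, app_namespaces: list) -> list:
    """Return the application namespaces with no NetworkPolicy selecting the isolate label."""
    covered = {
        (item.get("metadata") or {}).get("namespace")
        for item in policy_list.get("items", [])
        if has_isolate_selector(item)
    }
    return sorted(ns for ns in app_namespaces if ns not in covered)


# Constructed sample in the shape of `kubectl get networkpolicy --all-namespaces -o json`.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"metadata": {"name": "isolate", "namespace": "shop"},
   "spec": {"podSelector": {"matchLabels": {"trendmicro-cloud-one": "isolate"}},
            "policyTypes": ["Ingress", "Egress"]}},
  {"metadata": {"name": "allow-web", "namespace": "billing"},
   "spec": {"podSelector": {"matchLabels": {"app": "web"}},
            "policyTypes": ["Ingress"]}},
  {"metadata": {"name": "default-deny", "namespace": "payments"},
   "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}
]}
""")

if __name__ == "__main__":
    app_namespaces = ["shop", "billing", "payments", "reports"]  # constructed list
    for ns in namespaces_missing_isolate_policy(SAMPLE, app_namespaces):
        print(f"{ns}: no NetworkPolicy with matchLabels trendmicro-cloud-one: isolate")
```

A namespace that has other network policies, or none at all, is reported the same way: only a policy whose pod selector carries the isolate label counts.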