Container Service for Kubernetes (ACK) clusters provide the inspection feature to help you detect security risks in workloads. An ACK cluster generates an inspection report after performing an inspection task. You can view and address the failed inspection items in the cluster based on the inspection report. This way, you can learn the real-time health status of the cluster.
Prerequisites
An ACK managed cluster or an ACK dedicated cluster is created, and the Kubernetes version of the cluster is 1.14 or later. For more information, see Create an ACK dedicated cluster or Create an ACK managed cluster. For more information about how to upgrade an ACK cluster, see Upgrade an ACK cluster.
If you use a Resource Access Management (RAM) user, complete both RAM authorization and role-based access control (RBAC) authorization as described below.
Complete RAM authorization
If you use a RAM user, a message appears on the Inspections page of the ACK console, which prompts you to grant the RAM user the permissions to perform operations on the Inspections page. If the RAM user does not have the required permissions, you cannot perform operations on the Inspections page. For more information, see Create a custom RAM policy.
If you also need to use the inspection report feature, you must grant the RAM user read permissions on the Simple Log Service project used by the logtail-ds component in your cluster. This allows the RAM user to read the log data in the Simple Log Service project. Otherwise, you cannot view inspection reports. For more information, see Use custom policies to grant permissions to a RAM user.
Complete RBAC authorization
After you complete RAM authorization, you must also grant the RAM user RBAC permissions to manage the Kubernetes resources displayed on the Inspections page of the ACK console. Grant the RAM user administrator permissions on the cluster; this authorizes the RAM user to manage the Kubernetes resources that the Inspections page displays. For more information, see Grant RBAC permissions to RAM users or RAM roles.
Enable the inspection feature in an ACK cluster
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the cluster that you want to manage and choose in the left-side navigation pane.
Optional: Install and update the security-inspector component.
If you use the inspection feature for the first time and the security-inspector component is not installed, follow the prompts on the page to install it. If the installed version of the security-inspector component is not up-to-date, update the component to the latest version based on the prompts on the page. After the component is installed, you can click Security Inspection on the Overview tab of the Cluster Information page to go to the Inspections page.
For more information about the introduction and release notes of the security-inspector component, see security-inspector.
In the upper-right corner of the Inspections page, click Inspect. After the inspection is completed, click Details in the Actions column to view the detailed results.
Important: We recommend that you perform the inspection during off-peak hours.
Optional: In the upper-right corner of the Inspections page, click Configure Periodic Inspection. In the panel that appears, you can enable or disable periodic inspections and configure inspection items.
Inspection details
The Inspections page provides a table that shows the inspection results of each workload. The following features are provided to display the inspection results:
Filters inspection results based on conditions such as Passed or Failed, Namespace, and Workload Type. Displays the values of Number of Passed Items and Number of Failed Items for each inspected workload.
Displays detailed information about each inspection item on the inspection details page, including the passed and failed inspection items of each pod and container, description of each inspection item, and suggestions on security reinforcement. To ignore failed inspection items, add them to the whitelist.
View the YAML files of the workloads.
Inspection reports
An inspection report provides the results of the latest inspection, including the following information:
Overview of the inspection results. This includes the total number of inspection items, the number and percentage of each inspected resource object type, and the overall health status of the cluster.
Statistics of the following inspection categories: health checks, images, networks, resources, and security conditions.
Detailed inspection results of the configurations of each workload. The results include resource categories, resource names, namespaces, inspection types, inspection items, and inspection results.
Inspection items
The following table describes the inspection items.
Inspection item | Inspection content and potential security risk | Suggestion |
hostNetworkSet | Checks whether the pod specification of a workload sets `hostNetwork: true`. A pod that shares the host network namespace can capture node traffic and reach services that are bound only to the node's loopback interface. | Delete the `hostNetwork` field from the pod specification, or set it to `false`. |
hostIPCSet | Checks whether the pod specification of a workload sets `hostIPC: true`. A pod that shares the host IPC namespace can read or tamper with the shared memory and semaphores of host processes. | Delete the `hostIPC` field from the pod specification, or set it to `false`. |
hostPIDSet | Checks whether the pod specification of a workload sets `hostPID: true`. A pod that shares the host PID namespace can enumerate and signal host processes, and with sufficient privileges inspect their memory and file descriptors. | Delete the `hostPID` field from the pod specification, or set it to `false`. |
hostPortSet | Checks whether any container port in the pod specification sets `hostPort`. Binding a container port to the node exposes the container directly on the node IP address and bypasses Service-level network controls. | Delete the `hostPort` field from the container ports and expose the container through a Service instead. |
runAsRootAllowed | Checks whether the pod specification of a workload allows containers to run as root, that is, `runAsNonRoot: true` is not set in the pod or container securityContext. Processes that run as UID 0 have full privileges inside the container and a much larger impact if a container escape occurs. | Add `runAsNonRoot: true` (together with a non-zero `runAsUser`) to the pod or container securityContext. |
runAsPrivileged | Checks whether a container securityContext in the pod specification sets `privileged: true`. A privileged container has access to all host devices and most kernel capabilities, which is effectively root on the node. | Delete the `privileged: true` setting from the container securityContext. |
privilegeEscalationAllowed | Checks whether a container securityContext in the pod specification does not set `allowPrivilegeEscalation: false`. When privilege escalation is allowed, a process can gain more privileges than its parent, for example through setuid binaries or file capabilities. | Add `allowPrivilegeEscalation: false` to the container securityContext. |
capabilitiesAdded | Checks whether a container securityContext in the pod specification adds Linux capabilities by using `capabilities.add`. Capabilities such as NET_ADMIN or SYS_ADMIN widen what a compromised container can do on the node. | Modify the pod specification to retain only the required Linux capabilities and remove other capabilities. If processes in the containers do not require Linux capabilities, remove all Linux capabilities (`capabilities.drop: ["ALL"]`). If processes in the containers require Linux capabilities, specify only the required capabilities in `capabilities.add` and drop all others. |
notReadOnlyRootFileSystem | Checks whether a container securityContext in the pod specification does not set `readOnlyRootFilesystem: true`. A writable root file system lets an attacker modify binaries or persist tooling inside the container. | Add `readOnlyRootFilesystem: true` to the container securityContext. If processes must write to a specific directory, mount a volume (for example, an emptyDir volume) at that path instead of leaving the root file system writable. |
cpuRequestsMissing | Checks whether a container in the pod specification does not set `resources.requests.cpu`. Without CPU requests the scheduler cannot reserve capacity for the pod, and the pod may be starved on an overcommitted node. | Add `resources.requests.cpu` to each container. |
cpuLimitsMissing | Checks whether a container in the pod specification does not set `resources.limits.cpu`. Unbounded CPU usage by one container can starve other workloads on the node. | Add `resources.limits.cpu` to each container. |
memoryRequestsMissing | Checks whether a container in the pod specification does not set `resources.requests.memory`. Without memory requests the scheduler may place the pod on a node that cannot satisfy its memory needs. | Add `resources.requests.memory` to each container. |
memoryLimitsMissing | Checks whether a container in the pod specification does not set `resources.limits.memory`. A leaking or malicious container without a memory limit can exhaust node memory and cause other pods to be OOM-killed. | Add `resources.limits.memory` to each container. |
readinessProbeMissing | Checks whether a container in the pod specification does not define a `readinessProbe`. Without a readiness probe, traffic may be routed to a container that is not ready to serve it. | Add a `readinessProbe` to each container. |
livenessProbeMissing | Checks whether a container in the pod specification does not define a `livenessProbe`. Without a liveness probe, a hung or deadlocked container is not restarted. | Add a `livenessProbe` to each container. |
tagNotSpecified | Checks whether the `image` field of a container omits an explicit tag. An untagged image reference resolves to `latest`, so the image that is actually deployed is not reproducible and can change without any change to the manifest. | Modify the `image` field to reference a specific tag, or pin the image by digest. |
anonymousUserRBACBinding | Checks RBAC role bindings in the cluster and locates the configurations that allow access from anonymous users. If anonymous users are allowed to access the cluster, they may gain access to sensitive information, attack the cluster, and intrude into the cluster. | Remove the subjects that grant access to anonymous users (`system:anonymous` and `system:unauthenticated`) from the RBAC role bindings. |
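The following script is an added example and is not part of the ACK documentation or of the security-inspector component. It re-implements the inspection items in the table above as checks over a pod specification (for a Deployment, pass `spec.template.spec`) and over a list of RoleBinding/ClusterRoleBinding objects, and runs them against two constructed manifests: one that fails most items and one hardened according to the suggestions. The item names follow the table; treating a `:latest` tag as "tag not specified" is this example's own choice, and the sample manifests and binding names are constructed, not real cluster data.

```python
"""Minimal re-implementation of the ACK inspection items (added example, not ACK code)."""
from typing import Dict, List

# Subjects that represent unauthenticated callers in Kubernetes RBAC.
ANONYMOUS_SUBJECTS = {"system:anonymous", "system:unauthenticated"}


def image_tag_unspecified(image: str) -> bool:
    """True if the image reference has no explicit tag. ':latest' is treated as
    unspecified as well (this example's choice); a digest-pinned image passes."""
    ref = image.rsplit("/", 1)[-1]   # last path component; a registry host may carry ':port'
    if "@" in ref:                   # pinned by digest
        return False
    if ":" not in ref:
        return True
    return ref.rsplit(":", 1)[1] == "latest"


def runs_as_root(pod_spec: Dict, container: Dict) -> bool:
    """Container securityContext overrides the pod-level one for shared keys."""
    merged = dict(pod_spec.get("securityContext") or {})
    merged.update(container.get("securityContext") or {})
    if merged.get("runAsNonRoot") is True:
        return False
    return merged.get("runAsUser", 0) == 0   # absent or 0: root is possible


def audit_pod_spec(pod_spec: Dict) -> List[str]:
    """Return failed inspection items; container-level items carry ':<container name>'."""
    failed: List[str] = []
    for field, item in (("hostNetwork", "hostNetworkSet"), ("hostIPC", "hostIPCSet"), ("hostPID", "hostPIDSet")):
        if pod_spec.get(field) is True:
            failed.append(item)
    for c in pod_spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if any("hostPort" in p for p in c.get("ports", [])):
            failed.append(f"hostPortSet:{name}")
        if runs_as_root(pod_spec, c):
            failed.append(f"runAsRootAllowed:{name}")
        if sc.get("privileged") is True:
            failed.append(f"runAsPrivileged:{name}")
        if sc.get("allowPrivilegeEscalation") is not False:   # Kubernetes default is true
            failed.append(f"privilegeEscalationAllowed:{name}")
        if (sc.get("capabilities") or {}).get("add"):
            failed.append(f"capabilitiesAdded:{name}")
        if sc.get("readOnlyRootFilesystem") is not True:
            failed.append(f"notReadOnlyRootFileSystem:{name}")
        resources = c.get("resources") or {}
        for kind, label in (("requests", "Requests"), ("limits", "Limits")):
            for r in ("cpu", "memory"):
                if r not in (resources.get(kind) or {}):
                    failed.append(f"{r}{label}Missing:{name}")
        for probe in ("readinessProbe", "livenessProbe"):
            if probe not in c:
                failed.append(f"{probe}Missing:{name}")
        if image_tag_unspecified(c.get("image", "")):
            failed.append(f"tagNotSpecified:{name}")
    return failed


def find_anonymous_bindings(bindings: List[Dict]) -> List[str]:
    """Return bindings whose subjects grant access to anonymous/unauthenticated users."""
    hits: List[str] = []
    for b in bindings:
        for s in b.get("subjects", []):
            if s.get("kind") in ("User", "Group") and s.get("name") in ANONYMOUS_SUBJECTS:
                hits.append(f'{b["kind"]}/{b["metadata"]["name"]} -> {s["kind"]} {s["name"]}')
    return hits


# Constructed sample manifests (pod specs, i.e. spec.template.spec of a Deployment).
INSECURE_POD = {
    "hostNetwork": True,
    "hostPID": True,
    "containers": [{
        "name": "app",
        "image": "registry.example.com/team/app",                  # no tag
        "ports": [{"containerPort": 8080, "hostPort": 8080}],
        "securityContext": {"privileged": True, "capabilities": {"add": ["NET_ADMIN"]}},
    }],
}
HARDENED_POD = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
    "containers": [{
        "name": "app",
        "image": "registry.example.com/team/app:1.4.2",
        "ports": [{"containerPort": 8080}],
        "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                            "capabilities": {"drop": ["ALL"]}},
        "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                      "limits": {"cpu": "500m", "memory": "256Mi"}},
        "readinessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
        "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
        "volumeMounts": [{"name": "scratch", "mountPath": "/tmp"}],   # writable dir on a read-only rootfs
    }],
    "volumes": [{"name": "scratch", "emptyDir": {}}],
}
SAMPLE_BINDINGS = [   # constructed; names are not real cluster objects
    {"kind": "ClusterRoleBinding", "metadata": {"name": "anon-readonly"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "debug-anon", "namespace": "dev"},
     "subjects": [{"kind": "User", "name": "system:anonymous"}]},
    {"kind": "RoleBinding", "metadata": {"name": "app-reader", "namespace": "prod"},
     "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "prod"}]},
]

if __name__ == "__main__":
    print("insecure:", audit_pod_spec(INSECURE_POD))
    print("hardened:", audit_pod_spec(HARDENED_POD))
    print("anonymous bindings:", find_anonymous_bindings(SAMPLE_BINDINGS))
```

To run the checks against a live cluster, feed `kubectl get deploy -o json` (using `.spec.template.spec` of each item) and `kubectl get rolebindings,clusterrolebindings -A -o json` into the two functions; the hardened sample shows how a read-only root file system is combined with an emptyDir volume for the one directory that must stay writable.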
Events
Event type | Event name | Example of event content | Event description | Operation |
Normal | SecurityInspectorConfigAuditStart | Start to running config audit | The system starts to inspect the cluster. | In this case, no action is required. |
Normal | SecurityInspectorConfigAuditFinished | Finished running once config audit | The system finishes inspecting the cluster. | In this case, no action is required. |
Warning | SecurityInspectorConfigAuditHighRiskFound | 2 high risks have been found after running config audit | The inspection found high-risk security items in workloads. | Go to the Inspections page, click Details in the Actions column, and fix the failed inspection items according to the suggestions in the inspection items table. |