security-inspector is the component that performs security inspections in a cluster. This topic describes the features and usage notes of security-inspector and lists its latest changes.

Introduction

You can use security-inspector to scan workload configurations from various perspectives. This helps you better understand the security risks of your workloads. The following figure shows the architecture of security-inspector.

[Figure: security-inspector architecture]

Usage notes

security-inspector provides the following inspection features:

  • security-inspector uses Polaris to perform security inspections. This allows you to detect security risks in the workload configurations of a Kubernetes cluster in real time.
    Note: Polaris is an open source project that identifies security risks in the workload configurations of a Kubernetes cluster. For more information, see Polaris.
  • security-inspector can scan workload configurations from various perspectives and provide scan reports that cover the following categories: health checks, images, networks, resources, and security. This allows you to understand the security risks of your applications in real time, and the reports include suggestions for hardening your system. For more information, see Use the inspection feature to detect security risks in the workloads of an ACK cluster.

Release notes

September 2021

Version: v0.6.0.4-gc12ad66-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.6.0.4-gc12ad66-aliyun
Release date: 2021-09-20
Description:
Impact: No impact on workloads

June 2021

Version: v0.5.0.2-g5e33765-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.5.0.2-g5e33765-aliyun
Release date: 2021-06-24
Description: Fixed the issue where inspection reports were not displayed correctly when one Log Service project is shared among multiple clusters.
Impact: No impact on workloads

March 2021

Version: v0.4.0.0-g541eb31-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.4.0.0-g541eb31-aliyun
Release date: 2021-03-15
Description:
  • The Center for Internet Security (CIS) Kubernetes Benchmark is supported. For more information, see Use security-inspector to audit the CIS Kubernetes Benchmark.
  • The following Kubernetes events are supported. You can find these events in Event Center when a scan is triggered.
    • SecurityInspectorConfigAuditStart: Configuration auditing has started.
    • SecurityInspectorConfigAuditFinished: Configuration auditing has completed.
    • SecurityInspectorConfigAuditHighRiskFound: Risky configurations were found after configuration auditing completed.
    • SecurityInspectorBenchmarkStart: The benchmark check has started.
    • SecurityInspectorBenchmarkFinished: The benchmark check has completed.
    • SecurityInspectorBenchmarkFailedCheckFound: Failed inspection items were found after the benchmark check completed.
Impact: No impact on workloads

January 2021

Version: v0.3.0.2-gcb49252-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.3.0.2-gcb49252-aliyun
Release date: 2021-01-05
Description: The permissions of anonymous users can be scanned to detect risky role-based access control (RBAC) permissions granted to them.
Impact: No impact on workloads

December 2020

Version: v0.2.0.22-gd1fbaff-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.2.0.22-gd1fbaff-aliyun
Release date: 2020-12-16
Description:
  • CustomResourceDefinitions (CRDs) are supported for storing the latest inspection results.
  • Specified inspection items can be enabled or disabled based on your needs.
  • The workload whitelist feature is supported.
Impact: No impact on workloads

July 2020

Version: v0.1.0.3-g69f71f6-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.1.0.3-g69f71f6-aliyun
Release date: 2020-07-06
Description: Inspection tasks can be triggered manually to inspect the workloads of clusters and generate inspection reports.
Impact: No impact on workloads
v0.1.0.3-g69f71f6-aliyun registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.1.0.3-g69f71f6-aliyun 2020-07-06 Inspection tasks can be manually triggered to inspect the workloads of clusters and generate inspection reports. No impact on workloads