
Container Service for Kubernetes:security-inspector

Last Updated: Mar 08, 2024

The security-inspector component is a key component for performing security inspections. This topic describes the features, usage notes, and release notes for security-inspector.

Introduction

You can use security-inspector to scan workload configurations based on multiple dimensions. This helps you better understand the security risks of your workloads. The following figure shows the architecture of security-inspector.

[Figure: security-inspector architecture]

Usage notes

security-inspector provides the following inspection features:

  • security-inspector uses Polaris to perform security inspections. This allows you to identify security risks of workload configurations in your cluster in real time.

    Note

    Polaris is an open source project that is used to identify security risks of workload configurations in a Kubernetes cluster. For more information, see Polaris.

  • security-inspector scans workload configurations from several aspects and produces reports whose findings are grouped into the following categories: health checks, images, networks, resources, and security. This helps you understand the security risks of your applications in real time and harden your workloads based on the suggestions that security-inspector provides. For more information, see Use the inspection feature to detect security risks in the workloads of an ACK cluster.
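The following is an added example, not code from security-inspector or from the Polaris project, that shows what a Polaris-style configuration audit of a single workload manifest looks like, with findings grouped into the five report categories listed above. The check IDs follow Polaris naming; the severity values and the list of dangerous capabilities are assumptions made here, except privilegeEscalationAllowed, which the release notes say security-inspector rates as medium. The manifest is constructed for the example.

```python
# Added example (not security-inspector's or Polaris's own code): a small
# Polaris-style audit of one workload manifest, with findings grouped into the
# report categories the page lists. Check IDs follow Polaris naming; severity
# values are assumptions, except privilegeEscalationAllowed (medium per the
# release notes).
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str   # health checks | images | networks | resources | security
    check: str      # Polaris-style check ID
    severity: str   # assumed scale: high | medium | low
    container: str  # container name, or "-" for pod-level checks
    message: str


DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE"}  # assumed list


def audit_workload(manifest):
    """Return the findings for a Deployment/StatefulSet/DaemonSet-style object."""
    pod = manifest["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext", {})
    findings = []
    # networks / security: sharing host namespaces exposes the node to the pod
    for key, check in (("hostNetwork", "hostNetworkSet"), ("hostPID", "hostPIDSet"),
                       ("hostIPC", "hostIPCSet")):
        if pod.get(key):
            cat = "networks" if key == "hostNetwork" else "security"
            findings.append(Finding(cat, check, "high", "-", f"{key} is true"))
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        # images: a mutable tag ("latest" or none) defeats rollback and provenance;
        # a digest reference (contains "@") is considered pinned
        image = c.get("image", "")
        if "@" not in image and image.rsplit("/", 1)[-1].partition(":")[2] in ("", "latest"):
            findings.append(Finding("images", "tagNotSpecified", "medium", name,
                                    f"image {image!r} is not pinned to a tag or digest"))
        # health checks
        for probe in ("livenessProbe", "readinessProbe"):
            if probe not in c:
                findings.append(Finding("health checks", probe.replace("Probe", "ProbeMissing"),
                                        "low", name, f"{probe} not set"))
        # resources: missing requests/limits allow noisy-neighbour and DoS conditions
        res = c.get("resources", {})
        for section in ("requests", "limits"):
            for r in ("cpu", "memory"):
                if r not in res.get(section, {}):
                    findings.append(Finding("resources", f"{r}{section.capitalize()}Missing",
                                            "low", name, f"resources.{section}.{r} not set"))
        # security: the container-level context overrides the pod-level one
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(Finding("security", "privilegeEscalationAllowed", "medium", name,
                                    "allowPrivilegeEscalation is not false"))
        if sc.get("privileged"):
            findings.append(Finding("security", "runAsPrivileged", "high", name, "privileged: true"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not non_root and uid in (None, 0):
            findings.append(Finding("security", "runAsRootAllowed", "medium", name,
                                    "container may run as UID 0"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(Finding("security", "notReadOnlyRootFilesystem", "low", name,
                                    "root filesystem is writable"))
        added = {cap.upper() for cap in sc.get("capabilities", {}).get("add", [])}
        if added & DANGEROUS_CAPS:
            findings.append(Finding("security", "dangerousCapabilities", "high", name,
                                    f"adds {sorted(added & DANGEROUS_CAPS)}"))
    return findings


def summarize(findings):
    """Counts per severity, the shape a report or an alert threshold works from."""
    return dict(Counter(f.severity for f in findings))


def high_risk_found(findings):
    """True when at least one high-severity finding exists, the condition that a
    SecurityInspectorConfigAuditHighRiskFound-style event signals."""
    return any(f.severity == "high" for f in findings)


# Constructed sample: one hardened container beside one that violates most checks.
DEMO_MANIFEST = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "demo", "namespace": "default"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [
            {"name": "web", "image": "registry.example.com/web@sha256:0123abcd",
             "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
             "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}},
             "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                           "limits": {"cpu": "500m", "memory": "256Mi"}},
             "securityContext": {"allowPrivilegeEscalation": False, "runAsNonRoot": True,
                                 "readOnlyRootFilesystem": True,
                                 "capabilities": {"drop": ["ALL"]}}},
            {"name": "agent", "image": "registry.example.com/agent:latest",
             "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}}},
        ]}}}}

if __name__ == "__main__":
    for f in audit_workload(DEMO_MANIFEST):
        print(f"[{f.severity:<6}] {f.category:<13} {f.check:<28} {f.container}: {f.message}")
    print(summarize(audit_workload(DEMO_MANIFEST)))
```

The hardened "web" container produces no findings; "agent" trips a finding in every category, and the pod-level hostNetwork setting is reported once rather than per container. Real Polaris also reads workload-level objects such as the pod template's annotations and the controller kind; this example keeps only the per-pod and per-container checks the page's categories correspond to.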

Release notes

February 2024

Version: v0.12.0.7-g6f9d47f-aliyun
Image address: registry-cn-hangzhou.ack.aliyuncs.com/acs/security-inspector:v0.12.0.7-g6f9d47f-aliyun
Release date: 2024-02-21
Description:

  • This version is in canary release.

  • On the Add-ons page, you can specify whether the component uses the host network and modify its health check port.

Impact: No impact on workloads.

December 2023

Version: v0.11.0.3-ga2fad87-aliyun
Image address: registry-cn-hangzhou.ack.aliyuncs.com/acs/security-inspector:v0.11.0.3-ga2fad87-aliyun
Release date: 2023-12-21
Description: Modifications to the ttlSecondsAfterFinished configuration item of security-inspector-polaris-cronjob are retained during component updates.
Impact: No impact on workloads.

June 2023

Version: v0.10.1.2-g13c9de7-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.10.1.2-g13c9de7-aliyun
Release date: 2023-06-02
Description:

  • The issue that the component malfunctions after you update the Kubernetes version of the cluster to 1.26.3-aliyun.1 is fixed.

  • The periodic scanning logic of the component is optimized. After the component is updated, it runs only one inspection task at a time. This avoids provisioning multiple pending pods for inspection tasks in the cluster.

Impact: No impact on workloads.

April 2023

Version: v0.10.0.3-g15b35c4-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.10.0.3-g15b35c4-aliyun
Release date: 2023-04-13
Description: Kubernetes 1.26 is supported.
Impact: No impact on workloads.

February 2023

Version: v0.9.1.0-gcdddfa7-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.9.1.0-gcdddfa7-aliyun
Release date: 2023-02-27
Description: The base image of the component image is updated to fix CVE-2023-0286 (an OpenSSL vulnerability).
Impact: No impact on workloads.

December 2022

Version: v0.9.0.0-g1d38ec6-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.9.0.0-g1d38ec6-aliyun
Release date: 2022-12-22
Description:

  • ACK Serverless clusters that run Kubernetes 1.18 and later are supported.

  • Accidentally deleted Log Service dashboards can be recreated by restarting the pods of security-inspector.

Impact: No impact on workloads.

Version: v0.8.3.2-ge5496db-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.8.3.2-ge5496db-aliyun
Release date: 2022-12-13
Description:

  • This version is in canary release.

  • The initialization process of security-inspector is accelerated. Previously, security-inspector required a few minutes to initialize after installation and could not perform security inspections during that period.

Impact: No impact on workloads.

August 2022

Version: v0.8.3.1-gf7bf0e0-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.8.3.1-gf7bf0e0-aliyun
Release date: 2022-08-30
Description: The message content of the SecurityInspectorConfigAuditHighRiskFound and SecurityInspectorConfigAuditFinished events is improved. Links to event details are added to the message content.
Impact: No impact on workloads.

June 2022

Version: v0.8.2.16-gc84d60d-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.8.2.16-gc84d60d-aliyun
Release date: 2022-06-21
Description:

  • The issue that the event MountVolume.SetUp failed for volume "config" : object "kube-system"/"security-inspector-polaris-config" not registered may be generated in clusters that run Kubernetes 1.22 is fixed.

  • The requests that security-inspector sends to the API server are optimized to reduce the load on the API server when security-inspector scans large clusters.

Impact: No impact on workloads.

April 2022

Version: v0.8.1.0-g58d1a56-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.8.1.0-g58d1a56-aliyun
Release date: 2022-04-11
Description:

  • The issue that automatic node draining fails due to an improper configuration of security-inspector is fixed.

  • The issue that inspection reports are not displayed as expected when multiple clusters share the same Log Service project is fixed.

Impact: No impact on workloads.

February 2022

Version: v0.8.0.0-gb0edd1d-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.8.0.0-gb0edd1d-aliyun
Release date: 2022-02-15
Description:

  • The severity level of the privilegeEscalationAllowed inspection item is set to medium.

  • Support for clusters that run Kubernetes 1.16 is improved and the issue caused by #84880 is fixed.

Impact: No impact on workloads.

December 2021

Version: v0.7.0.5-g8cc37b6-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.7.0.5-g8cc37b6-aliyun
Release date: 2021-12-03
Description:

  • Kubernetes 1.22 is supported. security-inspector 0.7.0.5 and later versions support only clusters that run Kubernetes 1.16 and later.

  • The ARM64 architecture is supported.

Impact: No impact on workloads.

September 2021

Version: v0.6.0.4-gc12ad66-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.6.0.4-gc12ad66-aliyun
Release date: 2021-09-20
Impact: No impact on workloads.

June 2021

Version: v0.5.0.2-g5e33765-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.5.0.2-g5e33765-aliyun
Release date: 2021-06-24
Description: The issue that inspection reports are not displayed as expected when one Log Service project is shared among multiple clusters is fixed.
Impact: No impact on workloads.

March 2021

Version: v0.4.0.0-g541eb31-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.4.0.0-g541eb31-aliyun
Release date: 2021-03-15
Description:

  • The CIS Kubernetes benchmark is supported. For more information, see Security inspection.

  • The following Kubernetes events are added. You can find the events in the event center of your cluster when a scan is triggered.

    • SecurityInspectorConfigAuditStart: Configuration inspection is started.

    • SecurityInspectorConfigAuditFinished: Configuration inspection is complete.

    • SecurityInspectorConfigAuditHighRiskFound: High-risk configurations are found after configuration inspection is complete.

    • SecurityInspectorBenchmarkStart: The benchmark check is started.

    • SecurityInspectorBenchmarkFinished: The benchmark check is complete.

    • SecurityInspectorBenchmarkFailedCheckFound: Failed inspection items are found after the benchmark check is complete.

Impact: No impact on workloads.

January 2021

Version: v0.3.0.2-gcb49252-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.3.0.2-gcb49252-aliyun
Release date: 2021-01-05
Description: Permissions of anonymous users can be scanned to identify risky role-based access control (RBAC) permissions that are granted to these users.
Impact: No impact on workloads.
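The following is an added example, not security-inspector's own code, of what a scan for RBAC permissions granted to anonymous users involves. With anonymous authentication enabled, the API server maps every unauthenticated request to the user system:anonymous in the group system:unauthenticated, so any binding that names either subject is usable by anyone who can reach the API server. The baseline of non-resource URLs treated as acceptable (those that Kubernetes grants to unauthenticated clients through the system:public-info-viewer ClusterRole), the severity rules and the sample RBAC objects are assumptions constructed for the example.

```python
# Added example, not security-inspector's code: scan RBAC bindings for rules
# reachable without credentials. Anonymous requests are mapped by the API
# server to User "system:anonymous" / Group "system:unauthenticated".
# Assumed baseline: the nonResourceURLs Kubernetes grants unauthenticated
# clients by default via system:public-info-viewer; anything beyond is reported.
ANONYMOUS_SUBJECTS = {("User", "system:anonymous"), ("Group", "system:unauthenticated")}
BASELINE_NON_RESOURCE_URLS = {"/healthz", "/livez", "/readyz", "/version", "/version/"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection",
               "impersonate", "escalate", "bind", "*"}  # assumed "high" severity verbs


def _index_roles(roles):
    """Key roles by (kind, namespace, name); ClusterRoles use namespace ''."""
    out = {}
    for r in roles:
        ns = r["metadata"].get("namespace", "") if r["kind"] == "Role" else ""
        out[(r["kind"], ns, r["metadata"]["name"])] = r.get("rules", [])
    return out


def _risky(rule):
    """Any resource rule is risky; a nonResourceURL rule only beyond the baseline."""
    if rule.get("resources"):
        return True
    return not set(rule.get("nonResourceURLs", [])) <= BASELINE_NON_RESOURCE_URLS


def _severity(rules):
    for r in rules:
        if "*" in r.get("resources", []) or set(r.get("verbs", [])) & WRITE_VERBS:
            return "high"
    return "medium"


def scan_anonymous_rbac(roles, bindings):
    """Return one finding per binding that exposes risky rules to anonymous subjects."""
    by_key = _index_roles(roles)
    findings = []
    for b in bindings:
        anon = [s["name"] for s in b.get("subjects", [])
                if (s.get("kind"), s.get("name")) in ANONYMOUS_SUBJECTS]
        if not anon:
            continue
        ref = b["roleRef"]
        binding_ns = b["metadata"].get("namespace", "") if b["kind"] == "RoleBinding" else ""
        # A RoleBinding may reference a ClusterRole; the grant is then limited to
        # the binding's namespace, but the role itself is looked up cluster-wide.
        role_ns = "" if ref["kind"] == "ClusterRole" else binding_ns
        risky = [r for r in by_key.get((ref["kind"], role_ns, ref["name"]), []) if _risky(r)]
        if risky:
            findings.append({"binding": b["metadata"]["name"], "namespace": binding_ns,
                             "subjects": anon, "role": f'{ref["kind"]}/{ref["name"]}',
                             "severity": _severity(risky), "rules": risky})
    return findings


# Constructed sample objects, in the shape of `kubectl get ... -o json` items.
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "system:public-info-viewer"},
     "rules": [{"nonResourceURLs": ["/healthz", "/livez", "/readyz", "/version", "/version/"],
                "verbs": ["get"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "metrics-reader"},
     "rules": [{"nonResourceURLs": ["/metrics"], "verbs": ["get"]}]},
    {"kind": "Role", "metadata": {"name": "deployer", "namespace": "dev"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["create", "update"]}]},
]
SAMPLE_BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:public-info-viewer"},
     "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"},
                  {"kind": "Group", "name": "system:unauthenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "anon-pod-reader"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
     "subjects": [{"kind": "User", "name": "system:anonymous"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "anon-metrics"},
     "roleRef": {"kind": "ClusterRole", "name": "metrics-reader"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "anon-deploy", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "deployer"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "ops-team"}]},
]

if __name__ == "__main__":
    for f in scan_anonymous_rbac(SAMPLE_ROLES, SAMPLE_BINDINGS):
        scope = f["namespace"] or "cluster-wide"
        print(f'[{f["severity"]}] {f["binding"]} ({scope}) -> {f["role"]} for {f["subjects"]}')
```

The default system:public-info-viewer binding is not reported because its rules stay within the baseline, while exposing /metrics, pod listing, or namespace-scoped deployment writes to system:unauthenticated is. On a live cluster the same objects come from `kubectl get clusterroles,clusterrolebindings -o json` and `kubectl get roles,rolebindings -A -o json`.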

December 2020

Version: v0.2.0.22-gd1fbaff-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.2.0.22-gd1fbaff-aliyun
Release date: 2020-12-16
Description:

  • The latest inspection results can be stored in custom resources defined by CustomResourceDefinitions (CRDs).

  • Specified inspection items can be enabled or disabled based on your needs.

  • The workload whitelist feature is supported, which lets you exclude specified workloads from inspections.

Impact: No impact on workloads.

July 2020

Version: v0.1.0.3-g69f71f6-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.1.0.3-g69f71f6-aliyun
Release date: 2020-07-06
Description: Inspection tasks can be manually triggered to inspect the workloads in your cluster and generate inspection reports.
Impact: No impact on workloads.