
Container Service for Kubernetes: Use security monitoring capabilities

Last Updated: Sep 07, 2023

You can use the security monitoring feature to monitor Container Service for Kubernetes (ACK) clusters and generate alerts upon security events. These security events include the use of malicious container images, attacks by viruses or malware in containers and hosts, intrusions into containers, container escapes, and high-risk operations on containers. This topic describes how to use the security monitoring feature to monitor ACK clusters and handle alerts.

Prerequisites

  • An ACK cluster is created. For more information, see Create an ACK managed cluster.

  • Security Center is activated. For more information, see Purchase Security Center.

  • If you use a Resource Access Management (RAM) user, you must attach the AliyunYundunSASReadOnlyAccess policy to the RAM user.

Background information

Cloud-native applications are deployed in containers after they pass the authentication and admission control of the API server. However, in accordance with the zero trust principle for application security, runtime monitoring and alerting are still required to ensure the security of the applications after they are deployed. The security monitoring feature is integrated with Security Center to detect vulnerabilities and generate alerts. This allows cluster administrators to monitor applications and receive alerts upon security events, such as the use of malicious container images, attacks by viruses or malware in containers and hosts, intrusions into containers, container escapes, and high-risk operations on containers. Alerts are displayed on the cluster details page of the ACK console in real time. You can view and handle the alerts based on the information displayed on the page.

Procedure

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage and choose Security > Security Monitoring in the left-side navigation pane.

  3. On the Security Monitoring page, view the monitoring and alerting information.

    • The Security Monitoring page shows the security status of the cluster from the following aspects:

      • Security detection: shows security events that have triggered alerts. Click More to go to the Security Center console to view details.

      • Node status: shows healthy nodes and unhealthy nodes.

      • Defense capabilities: shows pending alerts, the time when the anti-virus database of the scanning agent was last updated, and the time when the system vulnerability scan was last performed.

    • On the Security Monitoring page, click the Alerts tab to view the triggered alerts in real time. Alerts are triggered upon security events, such as attacks by viruses or malware in containers and hosts, intrusions into containers, container escapes, and high-risk operations on containers. For more information, see Overview.

      • On the Alerts tab, find the alert that you want to manage and click Manage in the Actions column. In the dialog box that appears, you can add the alert to the whitelist or ignore the alert.

      • On the Alerts tab, find the alert that you want to view and click Details in the Actions column. On the details page, you can view information about the alert, such as the time when the event occurred, the affected assets, and the process IDs. On the details page, click the Diagnosis tab, where you can enable automatic attack tracing and view the raw data.

    • On the Security Monitoring page, click the Vulnerabilities tab and then click Upgrade to open the Security Center buy page. After you purchase Security Center, you can view the vulnerabilities of the nodes in the cluster.

      On the Vulnerabilities tab, find the vulnerability that you want to fix, and click Repair in the Actions column. On the page that appears, you can select the assets for which you want to fix the vulnerability.

      Note

      The vulnerabilities displayed on the Vulnerabilities tab include: Linux software vulnerabilities, Windows system vulnerabilities, web content management system (WCMS) vulnerabilities, application vulnerabilities, and emergency vulnerabilities. For more information, see View and handle vulnerabilities.