Runtime Security monitors clusters of Alibaba Cloud Container Service for Kubernetes (ACK) and triggers alerts upon security events. Alerts are triggered upon the following security events: attacks by viruses or malware in containers and hosts, intrusions into containers, container escapes, and high-risk operations on containers. This topic describes how to use Runtime Security to monitor ACK clusters and configure alerts.

Prerequisites

  • A cluster of ACK managed edition is created. For more information, see Create a managed ACK cluster.
  • Server Guard is activated. For more information, see Purchase Security Center.
  • If you use a Resource Access Management (RAM) user, the RAM user must be granted the AliyunYundunSASReadOnlyAccess permission.

Background information

Cloud-native applications are deployed in containers after they pass the authentication, authorization verification, and admission control of the API server. However, these checks apply only at deployment time and do not protect the applications from security risks while they run. To resolve this issue, you can use Runtime Security, which monitors running applications and triggers alerts upon security events. Runtime Security is integrated with Security Center to detect vulnerabilities and raise alerts. This allows cluster administrators to monitor applications and receive alerts upon the following security events: attacks by viruses or malware in containers and hosts, intrusions into containers, container escapes, and high-risk operations on containers. You can view and manage alerts on the details page of an ACK cluster.

Procedure

  1. Log on to the ACK console.
  2. In the left-side navigation pane, choose Clusters > Clusters.
  3. On the Clusters page, find the target cluster and click Manage in the Actions column.
  4. In the left-side navigation pane, choose Security > Runtime Security. On the Runtime Security page, you can view the monitoring information and alerts.
    • The security condition of the cluster is displayed on the Runtime Security page. The security condition includes security detection, node status, and defense capabilities.
      • Security detection: shows security events that have triggered alerts. Click More to navigate to the Security Center console for details.
      • Node status: shows healthy nodes and unhealthy nodes.
      • Defense capabilities: shows pending alerts, the time when the anti-virus database was last updated, and the time when system vulnerabilities were last scanned.
    • On the Runtime Security page, click the Alerts tab to view the triggered alerts in real time. Typically, alerts are triggered upon the following security events: attacks by viruses or malware in containers and hosts, intrusions into containers, container escapes, and high-risk operations on containers. For more information, see Overview.
      • On the Alerts tab, find the target alert, and click Manage in the Actions column. In the dialog box that appears, you can add this alert to the whitelist or ignore this alert.
      • On the Alerts tab, find the target alert, and click Details in the Actions column. On the details page, you can view information about the alert, such as the time when the event occurred, the affected assets, and the corresponding process IDs. On the details page, click the Diagnosis tab to enable automatic attack tracing and view the original data.
    • On the Runtime Security page, click the Vulnerabilities tab to view vulnerabilities identified by Common Vulnerabilities and Exposures (CVE) on the cluster nodes.
      On the Vulnerabilities tab, find the target vulnerability, and click Fix in the Actions column. On the fix page that appears, you can fix the vulnerability and repair the affected assets.
      Note: The CVE-identified vulnerabilities shown on the Vulnerabilities tab include Linux software vulnerabilities, Windows system vulnerabilities, web content management system (WCMS) vulnerabilities, application vulnerabilities, and emergency vulnerabilities. For more information, see the related topics: