Container security - Container security| Alibaba Cloud Documentation Center

Security Center provides a container security module that is based on the cloud native technology. This module allows you to detect and prevent intrusions into your containers.

Security Center uses the container security module to protect your containers throughout their lifecycles. During container creation, this module ensures the security of container images. During container deployment, this module checks container configurations by using a baseline check. During the running of containers, this module detects and prevents intrusions. Alibaba Cloud Container Service is deeply integrated with the protection features that are provided by Security Center. The following table describes the entries for the security features.


Category	Feature	Entry in the left-side navigation pane
Container network and asset visualization	Container network visualization	Radar tab
Container network and asset visualization	Centralized management of container assets	Container tab on the Assets page
Image security in security prevention	Scan of image system vulnerabilities	Security Prevention > Image Security
	Scan of image application vulnerabilities
	Scan of malicious image samples
	Check for image sensitive information
	Image baseline check
Supply chain security in security prevention	Vulnerability scan of open source supply chain software	Security Prevention > Image Security
Supply chain security in security prevention	Use the container signature feature	Security Prevention > Container Signature
Runtime threat detection	Alerts	Runtime Detection > Alerts
	Runtime Vul Fixes	Runtime Detection > Runtime Vul Fixes
	Baseline Check	Runtime Detection > Baseline Check
	Attack awareness	Runtime Detection > Attack Awareness
	AccessKey pair leak detection	Runtime Detection > AccessKey Leak

Limits

Only Security Center Ultimate supports this feature. If you do not use the Ultimate edition, you must upgrade Security Center to the Ultimate edition before you can use this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center. For more information about the features that each edition supports, see Features.

Description

The following table describes the features that you can use to protect your containers.

X: indicates that the feature is not supported by the edition.
√: indicates that the feature is supported by the edition.
Value-added: indicates a value-added feature. If you want to use a value-added feature, you must enable the feature when you purchase or upgrade Security Center.


Feature	Description	Basic, Anti-virus, and Advanced	Enterprise	Ultimate	Documentation
Threat detection during container runtime	Security Center detects threats to Container Service for Kubernetes in real time, including viruses and malicious programs in the containers or on hosts, intrusion into the containers, and container escapes. Security Center also generates alerts for these threats and warnings for high-risk operations.	X	X	√	Use Runtime Security to monitor ACK clusters and configure alerts
Threat detection during container runtime	Security Center detects the following risks for containers during container runtime and generates alerts for detected risks: Malicious image startups Monitors open image sources in real time, such as Docker Hub, and generates alerts if an image that contains webshells or mining programs is installed on your server. Viruses and malicious programs Detects viruses, trojans, mining programs, malicious scripts, and webshells in containers. Intrusion into containers Detects intrusion into containers from application-layer attacks, unauthorized operations in containers, and application-to-application spread of malicious scripts in containers. Container escapes Detects container escapes caused by improper container configurations, Docker vulnerabilities, or operating system vulnerabilities. High-risk operations Detects sensitive host directories mounted to containers, Docker API leaks, Kubernetes API leaks, and containers started based on suspicious privilege escalation. This minimizes the risk of attackers exploiting these vulnerabilities.	X	X	√	View and handle alert events
Threat detection on Kubernetes containers	Security Center monitors the status of running containers in a Kubernetes cluster. This allows you to detect security risks and attacker intrusions at the earliest opportunity. Security Center detects the following items: Suspicious command execution on a Kubernetes API server Mounting of suspicious directories to a pod Transfer of Kubernetes service accounts from one application to another Startup of a pod based on a malicious image	X	X	√	Use threat detection on Kubernetes containers
Image signature	Security Center signs trusted container images and verifies the signatures to ensure that only trusted images are deployed. This prevents unauthorized container images from being started and improves asset security. Only Kubernetes clusters that are deployed in the China (Hong Kong) region support the image signature feature.	X	X	√	Use the container signature feature
Security check of container images	Security Center detects the following image vulnerabilities and malicious image samples: Image system vulnerabilities Security Center detects system vulnerabilities in images to ensure that your images are secure and reliable. Image application vulnerabilities Security Center scans container-related middleware to detect application vulnerabilities in images and provides fixes and solutions. This helps ensure that images run in a secure environment. Malicious image samples Security Center detects malicious image samples in your containers. This allows you to view the risks in your containers and reinforce the security of your assets. Note Security Center detects container image vulnerabilities and malicious image samples. However, Security Center does not automatically fix the detected vulnerabilities and samples. If vulnerabilities or malicious samples are detected in a container image, we recommend that you follow the fixes and solutions provided by Security Center. You can also use the paths of the malicious samples to manually reinforce image protection.	X	Value-added	Value-added	Overview of image security scans
Container configuration security	Security Center performs security checks on the baseline configurations of containers. Security Center also generates alerts based on the results of these checks. The security checks cover the following items: Alibaba Cloud Standard - Docker security baseline check Checks the baseline against the Alibaba Cloud standard of best practices for Docker. This check covers different dimensions, such as security audit, service configurations, and file permissions. Security Center generates alerts at the earliest opportunity. Alibaba Cloud Standard - Kubernetes-Master security baseline check Checks the baseline against the Alibaba Cloud standard of best practices for Kubernetes Master. Alibaba Cloud Standard - Kubernetes-Node security baseline check Checks the baseline against the Alibaba Cloud standard of best practices for Kubernetes Node.	X	X	√	Overview
Visualization of container security status	Security Center monitors the security status of containers in real time and displays the security status on the Assets page.	√	√	√	View the security information of containers

References

Use container network topology

View the security information of containers

Use threat detection on Kubernetes containers

View container image scan results

Use Runtime Security to monitor ACK clusters and configure alerts