Security Center provides a container security module that is based on cloud-native technology. This module allows you to detect and prevent intrusions into your containers.

Security Center uses the container security module to protect your containers throughout their lifecycle. During container creation, the module ensures the security of container images. During container deployment, the module checks container configurations by using a baseline check. While containers are running, the module detects and prevents intrusions. Alibaba Cloud Container Service is deeply integrated with the protection features that are provided by Security Center. The following overview lists the console entry for each security feature.
Container network and asset visualization
  • Container network visualization: Radar tab
  • Centralized management of container assets: Container tab on the Assets page

Image security in security prevention
  • Scan of image system vulnerabilities: Security Prevention > Image Security
  • Scan of image application vulnerabilities: Security Prevention > Image Security
  • Scan of malicious image samples: Security Prevention > Image Security
  • Check for image sensitive information: Security Prevention > Image Security
  • Image baseline check: Security Prevention > Image Security

Supply chain security in security prevention
  • Vulnerability scan of open source supply chain software: Security Prevention > Image Security
  • Use the container signature feature: Security Prevention > Container Signature

Runtime threat detection
  • Alerts: Runtime Detection > Alerts
  • Runtime Vul Fixes: Runtime Detection > Runtime Vul Fixes
  • Baseline Check: Runtime Detection > Baseline Check
  • Attack awareness: Runtime Detection > Attack Awareness
  • AccessKey pair leak detection: Runtime Detection > AccessKey Leak

Limits

Only Security Center Ultimate supports this feature. If you do not use the Ultimate edition, you must upgrade Security Center to the Ultimate edition before you can use this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center. For more information about the features that each edition supports, see Features.

Description

The following overview describes the features that you can use to protect your containers and the Security Center editions that support each feature. The edition marks have the following meanings:
  • X: indicates that the feature is not supported by the edition.
  • √: indicates that the feature is supported by the edition.
  • Value-added: indicates a value-added feature. If you want to use a value-added feature, you must enable the feature when you purchase or upgrade Security Center.
Threat detection during container runtime
Security Center detects threats to Container Service for Kubernetes in real time, including viruses and malicious programs in containers or on hosts, intrusions into containers, and container escapes. Security Center also generates alerts for these threats and warnings for high-risk operations.
Editions: Basic, Anti-virus, and Advanced: X | Enterprise: X
Documentation: Use Runtime Security to monitor ACK clusters and configure alerts

Threat detection during container runtime (continued)
Security Center detects the following risks during container runtime and generates alerts for each detected risk:
  • Malicious image startups

    Monitors public image sources, such as Docker Hub, in real time and generates alerts if an image that contains webshells or mining programs is installed on your server.

  • Viruses and malicious programs

    Detects viruses, trojans, mining programs, malicious scripts, and webshells in containers.

  • Intrusion into containers

    Detects intrusions into containers through application-layer attacks, unauthorized operations in containers, and the spread of malicious scripts from one application to another within containers.

  • Container escapes

    Detects container escapes caused by improper container configurations, Docker vulnerabilities, or operating system vulnerabilities.

  • High-risk operations

    Detects sensitive host directories mounted into containers, Docker API leaks, Kubernetes API leaks, and containers started with suspicious privilege escalation. Detecting these conditions early reduces the risk that attackers exploit them.

Editions: Basic, Anti-virus, and Advanced: X | Enterprise: X
Documentation: View and handle alert events

Threat detection on Kubernetes containers
Security Center monitors the status of running containers in a Kubernetes cluster so that you can detect security risks and attacker intrusions at the earliest opportunity. Security Center detects the following items:
  • Suspicious command execution on a Kubernetes API server
  • Mounting of suspicious directories to a pod
  • Transfer of Kubernetes service accounts from one application to another
  • Startup of a pod based on a malicious image
Editions: Basic, Anti-virus, and Advanced: X | Enterprise: X
Documentation: Use threat detection on Kubernetes containers

Image signature
Security Center signs trusted container images and verifies the signatures so that only trusted images are deployed. This prevents unauthorized container images from being started and improves asset security. Only Kubernetes clusters that are deployed in the China (Hong Kong) region support the image signature feature.
Editions: Basic, Anti-virus, and Advanced: X | Enterprise: X
Documentation: Use the container signature feature

Security check of container images
Security Center detects the following image vulnerabilities and malicious image samples:
  • Image system vulnerabilities

    Security Center detects system vulnerabilities in images to ensure that your images are secure and reliable.

  • Image application vulnerabilities

    Security Center scans container-related middleware to detect application vulnerabilities in images and provides fixes and solutions. This helps ensure that images run in a secure environment.

  • Malicious image samples

    Security Center detects malicious image samples in your containers. This allows you to view the risks in your containers and reinforce the security of your assets.

Note: Security Center detects container image vulnerabilities and malicious image samples, but it does not automatically fix them. If vulnerabilities or malicious samples are detected in a container image, we recommend that you follow the fixes and solutions provided by Security Center. You can also use the paths of the malicious samples to manually reinforce image protection.
Editions: Basic, Anti-virus, and Advanced: X | Enterprise: Value-added | Ultimate: Value-added
Documentation: Overview of image security scans

Container configuration security
Security Center performs security checks on the baseline configurations of containers and generates alerts based on the results of these checks. The checks cover the following items:
  • Alibaba Cloud Standard - Docker security baseline check

    Checks the baseline against the Alibaba Cloud standard of best practices for Docker. The check covers dimensions such as security audit, service configurations, and file permissions, and Security Center generates alerts at the earliest opportunity.

  • Alibaba Cloud Standard - Kubernetes-Master security baseline check

    Checks the baseline against the Alibaba Cloud standard of best practices for Kubernetes Master.

  • Alibaba Cloud Standard - Kubernetes-Node security baseline check

    Checks the baseline against the Alibaba Cloud standard of best practices for Kubernetes Node.

Editions: Basic, Anti-virus, and Advanced: X | Enterprise: X
Documentation: Overview

Visualization of container security status
Security Center monitors the security status of containers in real time and displays it on the Assets page.
Documentation: View the security information of containers
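The "High-risk operations" and "Mounting of suspicious directories to a pod" checks above are described only at the feature level. The following Python script is an added example that is not part of this documentation or of Security Center: it applies the same kind of check to a Kubernetes pod manifest in JSON form (as returned by `kubectl get pod -o json`), flagging sensitive host directories mounted through hostPath volumes, shared host namespaces, and privileged containers. The sensitive-path list, the finding names and the sample manifest are constructed for this example.

```python
import json

# Host paths whose exposure to a pod is treated as high risk in this example
# (a constructed list for illustration, not Security Center's own rule set).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/var/run/docker.sock",
                        "/var/lib/kubelet", "/var/lib/docker")

def _is_sensitive(path):
    """True if the mounted host path is, contains, or lies under a sensitive path."""
    p = "/" + path.strip("/")  # normalise trailing slashes ("/etc/" -> "/etc")
    for s in SENSITIVE_HOST_PATHS:
        if p == s or p.startswith(s + "/") or s.startswith(p + "/"):
            return True
    return False

def audit_pod(pod):
    """Return (finding, detail) pairs for one Kubernetes pod manifest (dict)."""
    findings = []
    spec = pod.get("spec", {})
    # Sensitive host directories mounted into the pod through hostPath volumes
    for vol in spec.get("volumes", []):
        host_path = vol.get("hostPath", {}).get("path")
        if host_path and _is_sensitive(host_path):
            findings.append(("sensitive_host_path", f"{vol.get('name')} -> {host_path}"))
    # Shared host namespaces widen what a compromised container can observe
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append(("host_namespace", key))
    # A privileged start grants the container full device and capability access
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(("privileged_container", c.get("name")))
    return findings

def risk_summary(pod):
    """Distinct finding kinds, sorted, for a quick pass/fail decision."""
    return sorted({kind for kind, _ in audit_pod(pod)})

# Constructed sample manifest (not a real workload) that trips three of the checks.
SAMPLE_POD = json.loads("""{
  "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "build-agent"},
  "spec": {"hostPID": true,
           "volumes": [{"name": "docker-sock", "hostPath": {"path": "/var/run/docker.sock"}},
                       {"name": "cache", "emptyDir": {}}],
           "containers": [{"name": "agent", "image": "registry.example.com/agent:1.0",
                           "securityContext": {"privileged": true}}]}}""")

if __name__ == "__main__":
    for kind, detail in audit_pod(SAMPLE_POD):
        print(f"ALERT {kind}: {detail}")
```

Feeding the same function the output of `kubectl get pods -A -o json` (one item at a time) gives a cluster-wide view of the conditions the runtime alerts above are concerned with.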

References

Use container network topology

View the security information of containers

Use threat detection on Kubernetes containers

View container image scan results

Use Runtime Security to monitor ACK clusters and configure alerts