Security Center provides a container security module that is based on cloud-native technology. This module allows you to detect and prevent intrusions into your containers.

Security Center uses the container security module to protect your containers throughout their lifecycle. During image creation, the module checks the security of container images. During deployment, the module checks container configurations by using a baseline check. During runtime, the module detects and prevents intrusions. Alibaba Cloud Container Service is deeply integrated with the protection features that Security Center provides.
Note: Only the Security Center Enterprise edition provides the container security module.

Features

The following table describes the features that you can use to protect your containers.
  • X: The feature is not supported by this edition of Security Center.
  • √: The feature is supported by this edition of Security Center.
Each feature is listed with its description, the editions that support it (Basic, Basic Anti-Virus, Advanced, Enterprise), and the documentation topic that describes it. In the source table only the three X marks survived extraction; the Enterprise edition column is marked √ here because the note above states that only the Enterprise edition provides the container security module.

Feature: Threat detection during container runtime
  Description: Security Center detects threats to Container Service for Kubernetes in real time, including viruses and malicious programs in the containers or on hosts, intrusion into the containers, and container escapes. It also generates alerts for these threats and warnings for high-risk operations.
  Basic edition: X | Basic Anti-Virus edition: X | Advanced edition: X | Enterprise edition: √
  Documentation: Use Runtime Security to monitor ACK clusters and configure alerts

  Security Center detects the following items:
  • Malicious image startups
    Monitors open image sources, such as Docker Hub, in real time and generates alerts if an image that contains webshells or mining programs is installed on your server.
  • Viruses and malicious programs
    Detects viruses, trojans, mining programs, malicious scripts, and webshells in containers.
  • Intrusion into containers
    Detects intrusion into containers from application-layer attacks, unauthorized operations in containers, and application-to-application spread of malicious scripts in containers.
  • Container escapes
    Detects container escapes caused by improper container configurations, Docker vulnerabilities, or operating system vulnerabilities.
  • High-risk operations
    Detects sensitive host directories mounted to containers, Docker API leaks, Kubernetes API leaks, and containers started by suspicious privilege escalation. This minimizes the risk of attackers exploiting these weaknesses.
  Basic edition: X | Basic Anti-Virus edition: X | Advanced edition: X | Enterprise edition: √
  Documentation: View and handle alert events

Feature: Threat detection on Kubernetes containers
  Description: Security Center monitors the status of running containers in a Kubernetes cluster. This allows you to detect security risks and attacker intrusion in a timely manner. Security Center detects the following items:
  • Suspicious command execution on a Kubernetes API server
  • Mounting of suspicious directories to a pod
  • Transfer of Kubernetes service accounts from one application to another
  • Startup of a pod based on a malicious image
  Basic edition: X | Basic Anti-Virus edition: X | Advanced edition: X | Enterprise edition: √
  Documentation: Threat detection for Kubernetes containers

Feature: Image signature
  Description: Security Center signs trusted container images and verifies the signatures to ensure that only trusted images are deployed. This prevents unauthorized container images from being started and improves asset security. Only Kubernetes clusters that are deployed in the China (Hong Kong) region support the image signature feature.
  Basic edition: X | Basic Anti-Virus edition: X | Advanced edition: X | Enterprise edition: √
  Documentation: Container signature

Feature: Security check of container images
  Description: The image vulnerability detection feature is in public preview. Security Center detects vulnerabilities in container images to ensure that your images are secure and reliable.
  Note: Security Center supports only the detection of container image vulnerabilities; it does not automatically fix the detected vulnerabilities. If vulnerabilities are detected in a container image, we recommend that you follow the fixes and solutions provided by Security Center to manually reinforce image protection.
  Basic edition: X | Basic Anti-Virus edition: X | Advanced edition: X | Enterprise edition: √
  Documentation: Image security scan

Feature: Detection of application vulnerabilities in images
  Description: Security Center scans container-related middleware to detect application vulnerabilities in images. This ensures that images run in a secure environment.
  Basic edition: X | Basic Anti-Virus edition: X | Advanced edition: X | Enterprise edition: √
  Documentation: (none)

Feature: Detection of malicious image samples
  Description: Security Center provides image security scans to detect malicious image samples in your containers. This allows you to view the risks in your containers and reinforce the security of your assets.
  Basic edition: X | Basic Anti-Virus edition: X | Advanced edition: X | Enterprise edition: √
  Documentation: (none)

Feature: Container configuration security
  Description: Security Center performs security checks on the baseline configurations of containers and generates alerts based on the results of these checks. The security checks cover the following items:
  • Alibaba Cloud Standard - Docker Security Baseline Check
    Checks the baseline against the Alibaba Cloud standard of best practices for Docker. This check covers dimensions such as security audit, service configurations, and file permissions. Security Center generates alerts in a timely manner.
  • Alibaba Cloud Standard - Kubernetes-Master security baseline check
    Checks the baseline against the Alibaba Cloud standard of best practices for Kubernetes Master.
  • Alibaba Cloud Standard - Kubernetes-Node security baseline check
    Checks the baseline against the Alibaba Cloud standard of best practices for Kubernetes Node.
  Basic edition: X | Basic Anti-Virus edition: X | Advanced edition: X | Enterprise edition: √
  Documentation: Overview

Feature: Visualization of container security status
  Description: Security Center monitors the security status of containers in real time and displays it on the Assets page.
  Basic edition: X | Basic Anti-Virus edition: X | Advanced edition: X | Enterprise edition: √
  Documentation: View the security status of containers
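Several of the checks above (sensitive host directories mounted to containers, Docker API leaks, containers started with suspicious privilege escalation, and mounting of suspicious directories to a pod) are, at their core, inspections of a pod's configuration. The following Python script is an added illustration of that kind of inspection and is not Security Center's own code: it reads the JSON form of a pod or pod list (the format `kubectl get pods -o json` prints) and reports host-namespace sharing, privileged containers, dangerous added capabilities, and hostPath mounts of sensitive host paths. The list of sensitive paths, the capability list, the rule names, and the sample manifests are assumptions constructed for the example.

```python
"""Added example (not Security Center's own code): flag high-risk pod
configurations of the kinds the page lists, such as sensitive host
directories mounted into a container, an exposed Docker API socket,
and privileged containers. Input is the JSON form of a Pod or PodList.
The sensitive-path list, capability list and rule names are assumptions."""
import json

# Assumed: host paths whose mount into a container is treated as high risk.
# Mounting the Docker socket hands the host's Docker API to the container.
SENSITIVE_HOST_PATHS = (
    "/", "/etc", "/root", "/proc", "/sys",
    "/var/run/docker.sock", "/run/docker.sock", "/var/lib/kubelet",
)
# Assumed: added capabilities that give a container near-root control of the host.
DANGEROUS_CAPABILITIES = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE"}


def path_is_sensitive(path):
    """True if path is one of the sensitive host paths or lies beneath one."""
    norm = "/" + path.strip("/")        # "/etc/" -> "/etc", "/" -> "/"
    for p in SENSITIVE_HOST_PATHS:
        if p == "/":
            if norm == "/":             # only the root itself, not every path
                return True
        elif norm == p or norm.startswith(p + "/"):
            return True
    return False


def check_pod(pod):
    """Return a list of (rule, subject, detail) findings for one pod manifest."""
    findings = []
    spec = pod.get("spec", {})
    pod_name = pod.get("metadata", {}).get("name", "<unnamed>")

    # Sharing a host namespace lets the container see or reach host processes.
    for key in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(key):
            findings.append(("host-namespace", pod_name, key))

    # Map volume name -> host path for every hostPath volume in the pod.
    host_paths = {
        v["name"]: v["hostPath"]["path"]
        for v in spec.get("volumes", [])
        if "hostPath" in v and "path" in v["hostPath"]
    }

    for c in spec.get("initContainers", []) + spec.get("containers", []):
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(("privileged-container", cname, "privileged: true"))
        for cap in sc.get("capabilities", {}).get("add", []):
            if cap.upper() in DANGEROUS_CAPABILITIES:
                findings.append(("dangerous-capability", cname, cap))
        for m in c.get("volumeMounts", []):
            hp = host_paths.get(m.get("name"))
            if hp is not None and path_is_sensitive(hp):
                detail = "%s -> %s" % (hp, m.get("mountPath"))
                findings.append(("sensitive-hostpath-mount", cname, detail))
    return findings


def check_pod_list(pod_list_json):
    """Scan the JSON text of a Pod or PodList and return all findings."""
    doc = json.loads(pod_list_json)
    items = doc["items"] if doc.get("kind") == "PodList" else [doc]
    return [f for pod in items for f in check_pod(pod)]


# Constructed sample input: one risky pod and one benign pod (not real assets).
SAMPLE_POD_LIST = json.dumps({
    "kind": "PodList",
    "items": [
        {
            "metadata": {"name": "risky-agent"},
            "spec": {
                "hostPID": True,
                "volumes": [
                    {"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}},
                    {"name": "scratch", "emptyDir": {}},
                ],
                "containers": [{
                    "name": "agent",
                    "image": "example.invalid/agent:1",
                    "securityContext": {"privileged": True,
                                        "capabilities": {"add": ["SYS_ADMIN"]}},
                    "volumeMounts": [
                        {"name": "dock", "mountPath": "/var/run/docker.sock"},
                        {"name": "scratch", "mountPath": "/tmp"},
                    ],
                }],
            },
        },
        {
            "metadata": {"name": "web"},
            "spec": {
                "volumes": [{"name": "cache", "emptyDir": {}}],
                "containers": [{"name": "nginx", "image": "example.invalid/web:1",
                                "volumeMounts": [{"name": "cache", "mountPath": "/cache"}]}],
            },
        },
    ],
})

if __name__ == "__main__":
    for rule, subject, detail in check_pod_list(SAMPLE_POD_LIST):
        print("%-26s %-12s %s" % (rule, subject, detail))
```

Run against live clusters, the same functions can consume `kubectl get pods -A -o json`; the path and capability lists are the part a defender would tune to their own baseline, since what counts as a sensitive mount depends on the workload.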

References

View the security status of containers

Threat detection for Kubernetes containers

Image security scan

Use Runtime Security to monitor ACK clusters and configure alerts