The container network topology feature lets you perform security-related operations on your assets, such as clusters, containers, images, and applications, in a visualized manner, and displays the network topology of your containers so that you can manage them more efficiently. You can use container network topology to obtain the up-to-date security information and network connections of your assets. This topic describes how to view the network topology of running containers.

Background information

The network topology of running containers displays the image vulnerability information that is obtained by using the feature of container image scan. If you want to view container risks, you must enable the feature of container image scan and use the feature to scan images. For more information, see Enable container image scan and Scan container images. If you use container network topology but do not enable container image scan, you can view only the server vulnerabilities and the network topology of the current cluster. However, you cannot view the container vulnerabilities in the current cluster. To ensure the security of the container runtime environment, we recommend that you enable container image scan.

Security Center automatically refreshes the network topology of running containers and security information about the current cluster on the Radar tab every minute. This ensures that you can view the up-to-date network topology and security information.

Limits

Only Security Center Ultimate supports this feature. If you do not use the Ultimate edition, you must upgrade Security Center to the Ultimate edition before you can use this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center. For more information about the features that each edition supports, see Features.

Scenarios

  • Container network topology displays the network topology of your assets to ensure that your system meets the requirements of classified protection.
  • You can view the ports that are exposed on the Internet because the exposed ports are automatically displayed in the Security Center console.
  • You can perform security-related operations on your assets in a visualized manner. The assets include clusters, containers, images, and applications.

Procedure

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Overview.
  3. On the Overview page, click the Radar tab.
  4. View the network topology of your assets.
    On the Radar tab, you can perform the following operations:
    • View the security score of your assets

      In the left-side section of the Radar tab, view the security score of your assets. The security score is calculated based on the security status of your assets. If you want to handle the risks in your assets, click Process Now to go to the Security Risk panel. A higher security score indicates fewer risks in your assets. For more information about the security score, see Security score.

    • View the total numbers of clusters, applications, containers, nodes, and images, and the numbers of vulnerable clusters, applications, containers, nodes, and images

      In the left-side section of the Radar tab, view the total numbers of clusters, applications, containers, nodes, and images, and the numbers of vulnerable clusters, applications, containers, nodes, and images. A number in red indicates the number of vulnerable assets. If you want to view the details of a specific type of asset, click the asset type to go to the Assets page.

    • View the details and security information of a cluster
      On the Radar tab, click the cluster whose details and security information you want to view. In the panel that appears, the details and security information about the cluster are displayed. In the Basic Information section of the panel, the following information is displayed: Name, ID, Cluster Type, Region, Creation Time, Version, Cluster Status, and Server. In the Security Situation section of the panel, the following information is displayed:
      • Risks in the servers of the current cluster:
        • Security Alerts: The number below Security Alerts indicates the number of alerts generated for the servers of the current cluster.
        • Vul Risk: The number below Vul Risk indicates the number of vulnerabilities detected on the servers of the current cluster.
        • Baseline Risks: The number below Baseline Risks indicates the number of baseline risks in the servers of the current cluster.
      • Risks in the containers of the current cluster:
        • Image Vul (CVE): The number below Image Vul (CVE) indicates the number of image system vulnerabilities in the current cluster.
        • Application Vul(s): The number below Application Vul(s) indicates the number of image application vulnerabilities in the current cluster.
        • Image Malicious Files: The number below Image Malicious Files indicates the number of malicious image samples in the current cluster.
      Click Details to the right of a risk name to go to the details page of the cluster or the Image Security page. On the details page of the cluster or the Image Security page, view the details of the detected risks and handle the risks. For more information, see the following topics:
    • View the network topology of a cluster
      On the Radar tab, click the cluster whose network topology you want to view. On the Basic Information tab of the panel that appears, click View next to Container Network to view the network topology of the cluster.
      Each image is a node in the network topology of the cluster. The network topology displays the communications links among all containers in the cluster. You can click an image in the network topology to view the details and security information about the image. The security information includes the alerts generated for the image, image vulnerabilities, and malicious image samples.
      Note An image in gray indicates that the feature of container image scan is disabled for the image. To obtain the security information of the image, you can go to the Image Security page to add the image to Security Center and enable the feature of container image scan for the image. Only Harbor and Quay image repositories can be added to Security Center. For more information, see Add third-party image repositories to Security Center.
    • Turn on or turn off Enable the network topology of all clusters
      By default, the network topology of all clusters is enabled. If you keep the feature of container network topology enabled, only a small amount of CPU resources is consumed. If you do not require the network topology of all clusters, click the Settings icon in the upper-right corner of the Radar tab and turn off Enable the network topology of all clusters. If you later want to view the network topology of all clusters again, turn on Enable the network topology of all clusters.
      Note We recommend that you turn on Enable the network topology of all clusters so that you can obtain the security status of each image in the network topology of all clusters.