The container network topology feature lets you perform security-related operations on your assets, such as clusters, containers, images, and applications, in a visualized manner, and displays the network topology of your containers so that you can manage them more efficiently. You can use the feature to obtain up-to-date security information about your assets and the network connections among them. This topic describes how to view the network topology of running containers.

Background information

The network topology of running containers displays the image vulnerability information that is obtained by using the container image scan feature. If you want to view container risks, you must enable the container image scan feature and use the feature to scan images. For more information, see Enable the container image scan feature and Scan container images. If you use the container network topology feature but do not enable the container image scan feature, you can view only the server vulnerabilities and the network topology of the current cluster. However, you cannot view the container vulnerabilities in the current cluster. To ensure the security of the container runtime environment, we recommend that you enable the container image scan feature.

Security Center automatically refreshes the network topology of running containers and security information about the current cluster on the Radar tab every minute. This ensures that you can view the up-to-date network topology and security information.

Limits

Only Security Center Ultimate supports this feature. If you do not use the Ultimate edition, you must upgrade Security Center to the Ultimate edition before you can use this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center. For more information about the features that each edition supports, see Features.

Scenarios

  • The container network topology feature displays the network topology of your assets to ensure that your system meets the requirements of classified protection.
  • Ports that are exposed to the Internet are automatically displayed in the Security Center console, so you can identify the exposed ports directly in the topology.
  • You can perform security-related operations on your assets in a visualized manner. The assets include clusters, containers, images, and applications.

Procedure

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Overview.
  3. On the Overview page, click the Radar tab.
  4. View the network topology of your assets.
    On the Radar tab, you can perform the following operations:
    • View the security score of your assets

      In the left-side section of the Radar tab, view the security score of your assets. The security score is calculated based on the security status of your assets. A high score indicates few risks in your assets. For more information about the security score, see Security score.

    • View the total numbers of clusters, applications, containers, nodes, and images, and the numbers of vulnerable clusters, applications, containers, nodes, and images

      In the left-side section of the Radar tab, view the total numbers of clusters, applications, containers, nodes, and images, and the numbers of vulnerable clusters, applications, containers, nodes, and images. The number in red indicates the number of vulnerable assets. Click an asset type to go to the Assets page, where you can view the details of the assets.

    • View the details and security information of a cluster
      On the Radar tab, click the cluster whose details and security information you want to view. In the panel that appears, the details and security information about the cluster are displayed. In the Basic Information section of the panel, the following information is displayed: Name, ID, Cluster Type, Region, Creation Time, Version, Cluster Status, and Server. In the Security Situation section of the panel, the following information is displayed:
      • Risks in the servers of the current cluster:
        • Security Alerts: The number below Security Alerts indicates the number of alerts generated for the servers of the current cluster.
        • Vul Risk: The number below Vul Risk indicates the number of vulnerabilities detected on the servers of the current cluster.
        • Baseline Risks: The number below Baseline Risks indicates the number of baseline risks in the servers of the current cluster.
      • Risks in the containers of the current cluster:
        • Image Vul (CVE): The number below Image Vul (CVE) indicates the number of image system vulnerabilities in the current cluster.
        • Application Vul(s): The number below Application Vul(s) indicates the number of image application vulnerabilities in the current cluster.
        • Image Malicious Files: The number below Image Malicious Files indicates the number of malicious image samples in the current cluster.
      Click Details on the right side of a risk name to go to the details page of the cluster or the Image Security page. On the details page of the cluster or the Image Security page, view the details of the detected risks and handle the risks. For more information, see the following topics:
    • View the network topology of a cluster
      On the Radar tab, click the cluster whose network topology you want to view. In the Basic Information section of the panel that appears, click View for Container Network to view the network topology of the cluster.
      Each image is a node in the network topology of the cluster. The network topology displays the communications links among all containers in the cluster. You can click an image in the network topology to view the details and security information about the image. The security information includes the alerts generated for the image, image vulnerabilities, and malicious image samples.
      Note An image in gray indicates that the container image scan feature is disabled for the image. To obtain the security information about the image, you can go to the Image Security page to add the image to Security Center and enable the container image scan feature for the image. Only Harbor and Quay image repositories can be added to Security Center. For more information, see Add third-party image repositories to Security Center.
    • Turn on or turn off Enable the network topology of all clusters
      The network topology of all clusters is enabled by default. Keeping the container network topology feature enabled consumes a small amount of CPU resources. If you do not require the network topology of all clusters, click the Settings icon in the upper-right corner of the Radar tab and turn off Enable the network topology of all clusters. If you later want to view the network topology of all clusters again, turn Enable the network topology of all clusters back on.
      Note We recommend that you turn on Enable the network topology of all clusters so that you can obtain the security status of each image in the network topology of all clusters.