Security Center allows you to manage the risks of containers on the Assets page of the Security Center console. You can connect a self-managed Kubernetes cluster to Security Center and manage your containers in the Security Center console in a centralized manner. This topic describes how to connect a self-managed Kubernetes cluster to Security Center.

Limits

Only Security Center Ultimate supports this feature. If you do not use the Ultimate edition, you must upgrade Security Center to the Ultimate edition before you can use this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center. For more information about the features that each edition supports, see Features.

Prerequisites

  • You can connect a maximum of 10 self-managed Kubernetes clusters.
  • If a self-managed Kubernetes cluster that you want to connect is deployed in a virtual private cloud (VPC), the cluster must reside in the China (Hangzhou), China (Beijing), China (Shanghai), China (Shenzhen), or China (Hong Kong) region.
    Note If a self-managed Kubernetes cluster that you want to connect is deployed on the Internet, no limits are imposed on the region of the cluster.

Connect a self-managed Kubernetes cluster to Security Center

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Assets.
  3. On the Assets page, click the Container tab.
  4. In the upper-right corner of the Container tab, click Self-built cluster access.
  5. In the Self-built cluster management panel, click Self-built cluster access.
  6. In the Access Self-built K8s cluster panel, configure the parameters.
    Parameter descriptions:
    • Cluster name: The name of the self-managed Kubernetes cluster. The name can contain letters, digits, and underscores (_).
    • Self-built K8s cluster version: The version of the self-managed Kubernetes cluster. Valid values: V1.20, V1.19, V1.18, V1.17, and V1.16.
    • Region of cluster: The region where the self-managed Kubernetes cluster resides.
    • Network type: The network type of the self-managed Kubernetes cluster. Valid values: Public network and VPC.
    • VPC where the cluster is located: The VPC where the self-managed Kubernetes cluster resides.
    • ApiServerIp: The IP address of the API server for the self-managed Kubernetes cluster.
    • K8s configuration information: The configuration file of the self-managed Kubernetes cluster. You must generate a configuration file on your server before you upload the file. For more information about how to generate a configuration file for a Kubernetes cluster, see Generate a configuration file for a Kubernetes cluster.
  7. Click OK.
    After you connect the Kubernetes cluster to Security Center, you can view the cluster information in the Self-built cluster management panel.

Generate a configuration file for a Kubernetes cluster

To generate a configuration file, make sure that your server meets the following prerequisites:
  • A Kubernetes cluster is created on your server.
  • Docker is installed.
  1. Log on to the server where the Kubernetes cluster resides as the root user.
  2. Create a user.
    1. Save the following manifest as cluster-reader.yaml and run kubectl apply -f cluster-reader.yaml to create a ClusterRole that grants only read access (get, list, and watch) to resources in the core API group:
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        name: cluster-reader
      rules:
      - apiGroups:
        - ""          # the core API group (pods, nodes, namespaces, ...)
        resources:
        - "*"         # must be quoted: a bare * is a YAML alias, not a string
        verbs:        # read-only verbs; no create, update, patch, or delete
        - get
        - list
        - watch
    2. Save the following manifest as <UserName>-read-all.yaml and run kubectl apply -f <UserName>-read-all.yaml to create a ClusterRoleBinding:
      Notice Before you run the command in this step and all the following steps, you must replace <UserName> with your username.
      apiVersion: rbac.authorization.k8s.io/v1   # rbac v1 exists on all listed versions; v1beta1 was removed in Kubernetes 1.22
      kind: ClusterRoleBinding
      metadata:
        name: <UserName>-read-all
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: cluster-reader
      subjects:
      - apiGroup: rbac.authorization.k8s.io
        kind: User
        name: <UserName>   # must match the CN of the client certificate created in the next step
  3. Create a certificate.
    1. Run the following command to create a private key for the user:
      openssl genrsa -out <UserName>.key 2048
    2. Run the following command to create a certificate signing request:
      openssl req -new -key <UserName>.key -out <UserName>.csr -subj "/O=K8s/CN=<UserName>"
    3. Run the following command to sign the certificate with the cluster CA. ca.crt and ca.key are the certificate and private key of your cluster's CA:
      openssl x509 -req -in <UserName>.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out <UserName>.crt -days 365
  4. Create a configuration file for the cluster.
    1. Run the following command to create the cluster configuration field. Replace 192.168.XX.XX with the IP address of your API server, which is the same value that you enter for ApiServerIp:
      kubectl config set-cluster k8s --server=https://192.168.XX.XX:6443 --certificate-authority=ca.crt --embed-certs=true --kubeconfig=/root/<UserName>.conf
    2. Run the following command to create the user configuration field:
      kubectl config set-credentials <UserName> --client-certificate=<UserName>.crt --client-key=<UserName>.key --embed-certs=true --kubeconfig=/root/<UserName>.conf
    3. Run the following command to create the context configuration field:
      kubectl config set-context <UserName>@<ClusterName> --cluster=k8s --user=<UserName> --kubeconfig=/root/<UserName>.conf
      Notice Before you run the command in this step and all the following steps, you must replace <ClusterName> with the name of your cluster.
    4. Run the following command to switch context:
      kubectl config use-context <UserName>@<ClusterName> --kubeconfig=/root/<UserName>.conf
    5. Run the following command to view the configuration file:
      kubectl config view --kubeconfig=/root/<UserName>.conf
  5. Run the following commands to check whether the kubeconfig file is available.
    mkdir -p /home/<UserName>/.kube
    cp <UserName>.conf /home/<UserName>/.kube/config
    kubectl get pod -n kube-system

    If the pod information is displayed in the command-line window after all the preceding commands are complete, the kubeconfig file is available, and Security Center can access this cluster. Otherwise, the kubeconfig file is unavailable.
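The following script is an added example and is not part of the Security Center documentation. It reproduces steps 3 to 5 above (key, CSR, CA-signed certificate, and a kubeconfig with embedded certificates) using only openssl, so the resulting file can be inspected before it is uploaded. It assumes openssl and base64 are on the PATH; the CA it creates is constructed for the demo only, and on a real cluster you would use the cluster's own ca.crt and ca.key.

```shell
# Added example, not part of the Security Center documentation: builds the
# read-only client identity and the kubeconfig from the steps above without
# kubectl, so the file can be checked before upload. Assumes openssl and base64
# on PATH; the CA is constructed for the demo (use your cluster's ca.crt/ca.key).

# Throwaway CA standing in for the cluster CA (demo only).
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.crt" \
    -days 365 -subj "/CN=demo-cluster-ca" >/dev/null 2>&1
}
# Key, CSR and CA-signed cert; the CN is the name bound by the ClusterRoleBinding.
make_user_cert() {
  dir=$1; user=$2
  openssl genrsa -out "$dir/$user.key" 2048 >/dev/null 2>&1
  openssl req -new -key "$dir/$user.key" -out "$dir/$user.csr" \
    -subj "/O=K8s/CN=$user" >/dev/null 2>&1
  openssl x509 -req -in "$dir/$user.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/$user.crt" -days 365 >/dev/null 2>&1
}
# Single-line base64 is what --embed-certs=true stores in the kubeconfig.
b64() { base64 "$1" | tr -d '\n'; }
# Equivalent of the set-cluster / set-credentials / set-context / use-context steps.
write_kubeconfig() {
  dir=$1; user=$2; cluster=$3; server=$4; out=$5
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: $cluster
  cluster:
    server: $server
    certificate-authority-data: $(b64 "$dir/ca.crt")
users:
- name: $user
  user: {client-certificate-data: $(b64 "$dir/$user.crt"), client-key-data: $(b64 "$dir/$user.key")}
contexts:
- name: $user@$cluster
  context: {cluster: $cluster, user: $user}
current-context: $user@$cluster
EOF
  chmod 600 "$out"   # the file carries a private key: keep it owner-only
}
# Pre-upload check: cert chains to the CA and its CN matches the bound user.
verify_identity() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1/$2.crt" -noout -subject | grep -q "CN *= *$2\$"
}
```

A typical run is make_demo_ca, make_user_cert and write_kubeconfig followed by verify_identity; the kubeconfig it writes is what Security Center receives as the K8s configuration information, and it still needs the kubectl get pod check from step 5 against the live cluster.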