Authorization Management

Kubernetes clusters support authorizing RAM users to perform operations on clusters.

For more information, see Use RAM users.

Full-link TLS Certificate Verification

In Kubernetes clusters provided by Container Service, the following communication links will be verified with TLS certificates to ensure that the communication is not eavesdropped or tampered with.

  • The link established when the kubelet on a worker node connects to the apiserver on the master node.
  • The link established when the apiserver on the master node connects to the kubelet on a worker node.

During the initialization process, the master node uses SSH tunnels to connect to the SSH service of other nodes (port 22).

Native Secret & RBAC support

Kubernetes secrets are used to store sensitive information such as passwords, OAuth tokens, and SSH keys. Using plain text to write sensitive information to a pod YAML file or a Docker image may leak the information. Using secrets can avoid such security risks effectively.

For more information, see Secret.

Role-Based Access Control (RBAC) drives authorization management through the Kubernetes built-in RBAC API group. It allows you to use the API to define roles, the permissions each role grants, and which users or service accounts are bound to each role, so that access to resources such as pods is granted per role.

For more information, see Using RBAC Authorization.

Network isolation

In a Kubernetes cluster, pods on different nodes can communicate with each other by default. In some scenarios, network traffic between different workloads must not be allowed, and you need to introduce network policies to reduce the risk. In Kubernetes clusters, you can use the Canal network driver to enforce network policies.

Image security status scans

Kubernetes clusters can use Container Registry to manage images and perform image security scans.

The image security status scan can quickly identify security risks in the image and protect applications running on Kubernetes clusters against attacks. For more information, see Image Scanning.

Security groups and Internet access

By default, each new cluster is assigned a new security group with the minimum security risks. This security group only allows ICMP for the inbound Internet traffic.

By default, you cannot use Internet SSH to connect to your clusters. For more information, see Use SSH to connect to a cluster and Use Internet SSH to connect to the cluster node.

Cluster nodes connect to the Internet through the NAT gateway, which can further reduce the security risks.