The inspection feature scans your ACK cluster workloads for security misconfigurations and generates a report. Use inspection reports to identify and remediate failed items, keeping your workloads secure and healthy.
Prerequisites
Before you begin, ensure that you have:
A cluster running Kubernetes 1.14 or later. For upgrade instructions, see Manually update ACK clusters.
(RAM users only) RAM authorization and role-based access control (RBAC) authorization, as described below.
Grant permissions to a RAM user
If you use a Resource Access Management (RAM) user to access the Inspections page, complete both of the following authorization steps.
RAM authorization
Create a custom RAM policy that grants the following actions on your cluster resource:
{
"Statement": [
{
"Action": [
"cs:DescribePolarisConfig",
"cs:DescribePolarisJob",
"cs:DescribePolarisCronJob",
"cs:UpdatePolarisJob",
"cs:UpdatePolarisCronJob"
],
"Effect": "Allow",
"Resource": [
"acs:cs:*:*:cluster/<yourclusterID>"
]
}
],
"Version": "1"
}To view inspection reports, also grant the RAM user read permissions on the Simple Log Service project used by the logtail-ds component in your cluster:
{
"Version": "1",
"Statement": [
{
"Action": [
"log:Get*",
"log:List*"
],
"Resource": "acs:log:*:*:project/<Project name>/*",
"Effect": "Allow"
}
]
}For instructions on creating custom RAM policies, see Create a custom RAM policy and Use custom policies to grant permissions to a RAM user.
RBAC authorization
Grant the RAM user administrator-level RBAC permissions on the cluster. This allows the user to manage the Kubernetes resources shown on the Inspections page. For instructions, see Grant RBAC permissions to RAM users or RAM roles.
Run an inspection task
Log in to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find your cluster and click its name. In the left-side pane, choose Security > Inspections.
(Optional) Install or update the security-inspector component. The security-inspector component is free of charge but consumes pod resources. For more information, see security-inspector.
Run an inspection task. By default, all inspection items are enabled. To customize which inspection items are included, click Configure Periodic Inspection and adjust the item selection. For the full list of inspection items, see Inspection items.
Immediate inspection: In the upper-right corner of the Inspections page, click Inspect.
Scheduled inspection: In the upper-right corner, click Configure Periodic Inspection. In the panel that appears, select Configure Periodic Inspection and set the inspection cycle.
ImportantRun inspection tasks during off-peak hours to minimize the impact on workloads.
After the task completes, go to the Inspections tab, find the result entry, and click Details in the Actions column.
View inspection results
Inspection details
The Inspections tab shows results for each workload. Use the Passed or Failed, Namespace, and Workload Type filters to locate workloads of interest. The table displays the Number of Passed Items and Number of Failed Items for each workload.
Click Details to open the inspection details page, which shows:
Passed and failed inspection items for each pod and container
A description of each inspection item and remediation suggestions
The YAML file of the workload
To suppress a failed item, click Add to Whitelist on the inspection details page. Whitelisted items are excluded from future inspection results.
Inspection reports
The Reports page displays the results of the most recent inspection task, including:
Overview: Total inspection items, count and percentage of each resource type, and overall cluster health status
Category statistics: Breakdown across health checks, images, networks, resources, and security conditions
Detailed results: Per-workload results including resource category, resource name, namespace, inspection type, inspection item, and result
Inspection items
The following table lists all 17 inspection items.
| Item ID | Inspection item | Fails when | Risk | Remediation |
|---|---|---|---|---|
hostNetworkSet | Disable sharing of network namespaces between containers and hosts | hostNetwork: true is set in the pod specification | Containers share the host network namespace, allowing them to sniff host network traffic or attack the host network directly. | Remove the hostNetwork field from the pod specification. |
hostIPCSet | Disable sharing of IPC namespaces between containers and hosts | hostIPC: true is set in the pod specification | Containers share the host IPC namespace, allowing them to attack host processes or sniff inter-process communication data. | Remove the hostIPC field from the pod specification. |
hostPIDSet | Disable sharing of PID namespaces between containers and hosts | hostPID: true is set in the pod specification | Containers share the host PID namespace, allowing them to attack host processes or collect process data. | Remove the hostPID field from the pod specification. |
hostPortSet | Prevent processes in containers from listening on host ports | The hostPort field is present in the pod specification | The specified host port may be occupied without authorization, and containers may receive unexpected external requests. | Remove the hostPort field from the pod specification. |
runAsRootAllowed | Disable container startup as a root user | runAsNonRoot: true is absent from the pod specification | Containers may run as root, allowing malicious processes to intrude into your applications, hosts, or cluster. | Add runAsNonRoot: true to the pod specification. |
runAsPrivileged | Disable container startup in privileged mode | privileged: true is set in the pod specification | Privileged containers have nearly unrestricted access to the host, allowing malicious processes to compromise your applications, hosts, or cluster. | Remove the privileged field from the pod specification. |
privilegeEscalationAllowed | Disable privilege escalation for child processes in containers | allowPrivilegeEscalation: false is absent from the pod specification | Child processes may gain higher privileges than their parent process, enabling unauthorized operations. | Add allowPrivilegeEscalation: false to the pod specification. |
capabilitiesAdded | Disable unnecessary Linux capabilities | The capabilities field includes capabilities such as SYS_ADMIN, NET_ADMIN, or ALL | Excess Linux capabilities allow malicious processes to intrude into your applications, cluster components, or cluster. | If containers require no Linux capabilities, remove all capabilities from the pod specification. If containers require specific Linux capabilities, keep only those required and remove the rest. |
notReadOnlyRootFileSystem | Enable read-only mode for container file systems | readOnlyRootFilesystem: true is absent from the pod specification | Malicious processes may modify the root file system, altering application binaries or configuration files. | Add readOnlyRootFilesystem: true to the pod specification. If you need to write to specific directories, configure volumeMounts for those paths. |
cpuRequestsMissing | Set the minimum CPU resources for containers | resources.requests.cpu is absent from the pod specification | The pod may be scheduled to a node with insufficient CPU resources, causing slow or degraded processes. | Add resources.requests.cpu to the pod specification. |
cpuLimitsMissing | Set the maximum CPU resources for containers | resources.limits.cpu is absent from the pod specification | Abnormal container processes may consume excessive CPU resources, starving other workloads on the node or cluster. | Add resources.limits.cpu to the pod specification. |
memoryRequestsMissing | Set the minimum memory resources for containers | resources.requests.memory is absent from the pod specification | The pod may be scheduled to a node with insufficient memory, causing processes to be terminated by the OOM killer. | Add resources.requests.memory to the pod specification. |
memoryLimitsMissing | Set the maximum memory resources for containers | resources.limits.memory is absent from the pod specification | Abnormal container processes may consume excessive memory, exhausting node or cluster memory resources. | Add resources.limits.memory to the pod specification. |
readinessProbeMissing | Configure container readiness probes | readinessProbe is absent from the pod specification | Traffic may be routed to containers before they are ready, causing request failures during startup or rolling updates. | Add a readinessProbe to the pod specification. |
livenessProbeMissing | Configure container liveness probes | livenessProbe is absent from the pod specification | Application failures that require a container restart may go undetected, causing service interruptions. | Add a livenessProbe to the pod specification. |
tagNotSpecified | Specify image versions for containers | The image field has no version tag, or the tag is set to latest | Containers may pull an unintended image version, causing unexpected behavior or service interruptions. | Set the image field to a specific version tag other than latest. |
anonymousUserRBACBinding | Prohibit anonymous access to the cluster | RBAC role bindings allow access from anonymous users | Anonymous users can access sensitive cluster information, attack the cluster, and intrude into the cluster. | Remove any RBAC role bindings that grant access to anonymous users. |
Events
The inspection feature emits the following events:
| Event type | Event name | Example content | Description | Action |
|---|---|---|---|---|
| Normal | SecurityInspectorConfigAuditStart | Start to running config audit | The inspection task has started. | No action required. |
| Normal | SecurityInspectorConfigAuditFinished | Finished running once config audit | The inspection task has completed. | No action required. |
| Warning | SecurityInspectorConfigAuditHighRiskFound | 2 high risks have been found after running config audit | The inspection identified security risks in workloads. | 1. Go to the Inspections tab and use the Passed or Failed, Namespace, and Workload Type filters to locate affected workloads. 2. Click Details to review the results for each inspection item. To suppress a risk, click Add to Whitelist. To fix a risk, follow the remediation suggestions on the details page. |
What's next
To improve pod security beyond workload inspection, configure pod security policies. See Configure pod security policies.
To detect cluster-level risks such as insufficient resource quotas or high resource watermarks, use the cluster inspection feature. See Work with the cluster inspection feature.