Compromised nodes put all containers running on them at risk. This page describes four host-level security measures for ACK clusters: OS baseline compliance, Alibaba Cloud Security Center capabilities, node access control, and ECS security best practices.
Perform baseline checks
Periodically run baseline checks against two hardening standards to keep cluster nodes compliant.
Best practice: Run both OS Security Hardening and MLPS Security Hardening checks on a regular schedule to detect configuration drift before it becomes a compliance or security incident.
OS Security Hardening
OS Security Hardening defines standards to strengthen the OS security of cluster nodes running Alibaba Cloud Linux, CentOS, or Ubuntu. Alibaba Cloud Linux 3 is the default OS for ACK clusters. For more information, see Use Alibaba Cloud Linux 3.
MLPS Security Hardening
Alibaba Cloud defines Multi-Level Protection Scheme (MLPS) standards based on GB/T 22239-2019 (Information Security Technology — Baseline for Classified Protection of Cybersecurity). MLPS Security Hardening covers five security controls:
Identity verification
Access control
Security audit
Intrusion prevention
Malicious code prevention
For details on enabling MLPS Security Hardening and configuring baseline check policies, see ACK security hardening based on MLPS.
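A baseline check is, at its core, a comparison of a node's actual configuration against a set of expected values, with every mismatch reported as drift. The following added example (written for this page, not code from Alibaba Cloud or from the OS Security Hardening or MLPS standards) shows the mechanism on one SSH daemon configuration: the baseline directives and accepted values are illustrative assumptions, the sample sshd_config text is constructed, and the parser respects two details a naive check gets wrong: sshd honours only the first occurrence of a directive, and directives inside a `Match` block are conditional rather than global.

```python
"""Minimal baseline-check example: compare an sshd_config-style file against
a hardening baseline and report drift.

The BASELINE entries below are illustrative assumptions, not the contents of
Alibaba Cloud's OS Security Hardening or MLPS Security Hardening standards.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Illustrative baseline (assumption): directive -> set of accepted values.
BASELINE: Dict[str, Set[str]] = {
    "PermitRootLogin": {"no"},
    "PasswordAuthentication": {"no"},
    "PermitEmptyPasswords": {"no"},
    "X11Forwarding": {"no"},
    "MaxAuthTries": {"3", "4"},
}


@dataclass
class Finding:
    directive: str
    expected: Set[str]
    actual: Optional[str]  # None when the directive is absent (sshd default applies)


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return {directive(lowercase): value} for the global section of an sshd_config.

    - Comments and blank lines are ignored.
    - sshd uses the FIRST occurrence of a directive, so later duplicates are ignored.
    - Everything after the first 'Match' line is conditional and is not treated
      as a global setting, so parsing stops there.
    """
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        values.setdefault(key, value)
    return values


def check_baseline(text: str, baseline: Dict[str, Set[str]] = BASELINE) -> List[Finding]:
    """Report every baseline directive whose global value is missing or not accepted."""
    actual = parse_sshd_config(text)
    findings: List[Finding] = []
    for directive, accepted in baseline.items():
        value = actual.get(directive.lower())
        accepted_lower = {a.lower() for a in accepted}
        if value is None or value.lower() not in accepted_lower:
            findings.append(Finding(directive, accepted, value))
    return findings


# Constructed sample sshd_config; not taken from a real node.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no          # ignored by sshd: first occurrence wins
X11Forwarding no
MaxAuthTries 6
Match User deploy
    PasswordAuthentication yes   # inside a Match block: not a global setting
"""


if __name__ == "__main__":
    for f in check_baseline(SAMPLE_SSHD_CONFIG):
        print(f"DRIFT {f.directive}: expected one of {sorted(f.expected)}, got {f.actual!r}")
```

Running the block on the constructed sample reports three drifts: `PermitRootLogin` (first occurrence is `yes`), `PermitEmptyPasswords` (absent, so the daemon default applies and the check cannot assume the hardened value), and `MaxAuthTries` (6). The `PasswordAuthentication yes` under the `Match` block is correctly not counted against the global setting. A scheduled job that runs such a check and ships the findings to a central store is the mechanism behind "detect configuration drift before it becomes a compliance or security incident".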
Use Alibaba Cloud Security Center
Alibaba Cloud Security Center provides the following features to help secure the default configurations of ACK cluster nodes.
| Feature | What it does |
|---|---|
| Vulnerability patching | Detects common vulnerabilities and lets you patch them with a few clicks. View detected vulnerabilities or run scan tasks manually on the Vulnerabilities page. |
| Baseline check | Checks configurations of server operating systems, databases, software, and containers, then generates reports with security recommendations to help enhance the security of your OS, mitigate intrusion risks, and meet compliance requirements. |
| Cloud service configuration check | Checks cloud service configurations across six dimensions: identity verification and permissions, network access control, data security, log audit, monitoring and alerting, and basic security. Provides remediation suggestions for detected risks. |
| Container image scan | Detects high-risk system vulnerabilities, application vulnerabilities, malicious samples, configuration risks, and sensitive data in container images. Provides handling guidance and simplifies vulnerability patching. |
Limit node access
Follow the least privilege principle when accessing cluster nodes.
Best practice: Avoid associating an elastic IP address (EIP) with cluster nodes. Use the ACK console for node access over the internal network whenever possible.
Internal network access (recommended): Log in to the ACK console and use Workbench or Virtual Network Computing (VNC) to reach the node. No EIP association is required.
Internet access: Add rules to the cluster's security group to restrict which source addresses can reach the node. Modify the security group to limit the node ports exposed to the Internet to only those required for your workloads.
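The two rules above (restrict source addresses, expose only required ports) can be checked mechanically against a security group's inbound rules. The following added example (written for this page, not code from Alibaba Cloud or ACK) audits a constructed list of rules for ingress entries that accept traffic from any source address (`0.0.0.0/0` or `::/0`) on ports outside an allowlist of ports the workload genuinely needs. The rule dictionaries are constructed to resemble the permission entries returned by the ECS security group API (field names such as `Direction`, `IpProtocol`, `PortRange`, `SourceCidrIp`, `Policy` are an assumption about that shape), and the `REQUIRED_INTERNET_PORTS` allowlist is an assumption for the example.

```python
"""Audit security group ingress rules for ports exposed to the whole internet.

The rule dictionaries mimic ECS security group permission entries (assumed
field names); the sample rules and the allowlist are constructed for this
example and are not from a real cluster.
"""
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Ports the workload genuinely needs reachable from the internet (assumption).
REQUIRED_INTERNET_PORTS: Set[int] = {443}


def _port_range(spec: str) -> Tuple[int, int]:
    """'22/22' -> (22, 22); '-1/-1' means every port for that protocol."""
    lo, hi = (int(p) for p in spec.split("/"))
    if lo == -1 or hi == -1:
        return (1, 65535)
    return (lo, hi)


def _is_world_open(cidr: str) -> bool:
    """True for a source that matches every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_ingress(permissions: Iterable[Dict[str, str]],
                  required_ports: Set[int] = REQUIRED_INTERNET_PORTS) -> List[Dict[str, str]]:
    """Return the ingress Accept rules that admit any source on non-required ports.

    Drop rules, egress rules and rules scoped to a specific CIDR are not findings.
    A world-open rule is reported only if its port range includes at least one
    port that is not on the allowlist, so '443/443 from 0.0.0.0/0' is accepted
    while '22/22 from 0.0.0.0/0' or '-1/-1 from 0.0.0.0/0' is flagged.
    """
    findings: List[Dict[str, str]] = []
    for rule in permissions:
        if rule.get("Direction") != "ingress" or rule.get("Policy", "Accept") != "Accept":
            continue
        source = rule.get("SourceCidrIp") or rule.get("Ipv6SourceCidrIp")
        if not source or not _is_world_open(source):
            continue
        lo, hi = _port_range(rule["PortRange"])
        exposed = set(range(lo, hi + 1)) - required_ports
        if exposed:
            findings.append({
                "protocol": rule.get("IpProtocol", "?"),
                "port_range": rule["PortRange"],
                "source": source,
                "description": rule.get("Description", ""),
            })
    return findings


# Constructed sample rules (not from a real security group).
SAMPLE_PERMISSIONS = [
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "443/443",
     "SourceCidrIp": "0.0.0.0/0", "Policy": "Accept", "Description": "HTTPS ingress"},
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "22/22",
     "SourceCidrIp": "0.0.0.0/0", "Policy": "Accept", "Description": "SSH, unrestricted"},
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "22/22",
     "SourceCidrIp": "203.0.113.0/24", "Policy": "Accept", "Description": "SSH from office"},
    {"Direction": "ingress", "IpProtocol": "ALL", "PortRange": "-1/-1",
     "SourceCidrIp": "10.0.0.0/8", "Policy": "Accept", "Description": "VPC internal"},
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "30000/32767",
     "SourceCidrIp": "0.0.0.0/0", "Policy": "Drop", "Description": "explicit deny"},
    {"Direction": "egress", "IpProtocol": "ALL", "PortRange": "-1/-1",
     "DestCidrIp": "0.0.0.0/0", "Policy": "Accept", "Description": "all egress"},
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "30000/32767",
     "Ipv6SourceCidrIp": "::/0", "Policy": "Accept", "Description": "NodePort range, IPv6"},
]


if __name__ == "__main__":
    for f in audit_ingress(SAMPLE_PERMISSIONS):
        print(f"EXPOSED {f['protocol']} {f['port_range']} from {f['source']}: {f['description']}")
```

On the constructed sample the audit flags exactly two rules: SSH from `0.0.0.0/0` and the NodePort range from `::/0`. The HTTPS rule is world-open but limited to an allowlisted port, the office-scoped SSH rule and the VPC-internal rule have bounded sources, the `Drop` rule is a deny, and the egress rule is out of scope. In practice the `permissions` list would be fetched from the security group API rather than embedded, and any finding should be resolved by narrowing `SourceCidrIp` to the addresses that need access, or by removing the rule and using the console's internal-network access path instead.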
Follow ECS security best practices
ACK cluster nodes run on Elastic Compute Service (ECS) instances, which use Alibaba Cloud Linux 3 by default. For guidance on hardening these instances, see ECS instance security.