Container Service for Kubernetes (ACK) provides the security overview feature to help you reinforce cluster security and identify the security risks in nodes, container images, container runtimes, and workload configurations. This feature can improve security governance efficiency for cloud resources and applications. This topic describes how to use the security overview feature of ACK.
Usage notes
- The security overview feature is in invitational preview and is supported only by ACK managed clusters. To use this feature, Submit a ticket.
- Information about node vulnerabilities, container image risks, and workload configuration risks is updated with a delay of up to 24 hours. After you enable the security overview feature for the first time, or after you mitigate a risk, wait 24 hours before you check the Security Overview page for the latest vulnerability and risk information; until then the page may still show the previous results.
View information on the Security Overview page
- Log on to the ACK console. In the left-side navigation pane, click Clusters.
- On the Clusters page, click the name of the cluster that you want to manage and click Cluster Information in the left-side navigation pane.
- On the Cluster Information page, click the Security Overview tab.
The Security Overview page displays risks in two dimensions: by risk type (outlined in red in the following figure) and by the vulnerable or risky cloud assets that are affected (outlined in blue). For example, the following figure shows a cluster in which five high-severity risks are detected; it also shows that the cluster has two node pools, one of which has a high-severity vulnerability.
The page shows the following parameters:
- Cluster severity level: The severity level of the cluster.
- Node vulnerabilities: The node vulnerabilities in the cluster. By default, this parameter is enabled.
- Image risks: The risks in images that are stored in Container Registry Enterprise Edition. To enable this parameter, you must first complete authorization.
- Container runtime risks: Real-time container runtime risks. ACK provides real-time protection for container runtimes. Container runtimes are diagnosed by using Security Center. To enable this parameter, you must first purchase Security Center Advanced or a higher edition. For more information, see Purchase Security Center.
- Workload configuration risks: Real-time risks in the configurations of workloads that run in your cluster. To enable this parameter, you must first enable the cluster inspection feature.
Cluster severity level
This parameter indicates the severity level of the cluster. The severity levels are defined as follows:
- Healthy
Risk scanning is enabled for the cluster and no high-severity risks are detected in the scanning results of container images, container runtimes, and workload configurations.
- High
High-severity node vulnerabilities or high-severity container runtime risks are detected in the cluster.
- Medium
All other cases. Because only node vulnerabilities and container runtime risks raise the cluster to High, a cluster with high-severity image risks or workload configuration risks, or with some scan types not yet enabled, is shown as Medium. Check the Image Risks and Workload Configuration Risks tabs even when the cluster level is Medium.
Node vulnerabilities
By default, node vulnerability inspection is enabled.
In the lower part of the Security Overview page, click the Node Vulnerabilities tab to view information about the node vulnerabilities in the cluster, including the node pools in which the vulnerabilities are detected and the number of vulnerable nodes in each node pool. To fix the vulnerabilities in a node pool, click Repair to go to the details page of the node pool and fix the vulnerabilities. For more information about how to fix node pool vulnerabilities, see CVE Patching.
Image risks
In the lower part of the Security Overview page, click the Image Risks tab to view the information about risky images, including the image addresses, affected containers, and scan time. To repair risky images, click Repair to go to the Image Risks page and handle the risks based on the details on the page.
Container runtime risks
Container runtimes are diagnosed by using Security Center. To enable this parameter, you must first purchase Security Center Advanced or a higher edition. For more information, see Purchase Security Center. After the purchase, the real-time container runtime risks in your cluster are displayed on the Security Overview page and the container runtimes are protected by Security Center.
In the lower part of the Security Overview page, click the Container Runtime Risks tab to view the information about container runtime alerts, including the alert names and descriptions. To resolve container runtime risks, click Handle to go to the Security Monitoring page and handle the risks based on the details on the page.
Workload configuration risks
To enable this parameter, you must first enable the cluster inspection feature. After the cluster inspection feature is enabled, wait 24 hours before the Security Overview page shows information about the workload configurations in the cluster and which of them are risky. For more information, see Inspect workloads in an ACK cluster.
In the lower part of the Security Overview page, click the Workload Configuration Risks tab to view the information about workload configuration risks and suggestions on how to handle the risks. You can click View Details to go to the Inspections page to view the risk details and handle the risks.
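The page does not list what the inspection checks in a workload configuration. The following script is an added example, not ACK code and not the ACK cluster inspection rule set: it shows the kind of workload configuration risk the tab reports by checking constructed Pod templates for settings that are widely treated as risky (host namespaces, privileged containers, root users, mutable image tags, missing resource limits) and ranking the findings by severity. The registry address and the workload names are placeholders.

```python
"""Added example (not ACK code): flag risky settings in Kubernetes workload specs.

The checks below are the author's assumptions about what a workload
configuration inspection commonly looks for. They are not the ACK cluster
inspection rule set. The manifests are constructed inline so the script
runs offline; registry.example.com is a placeholder registry.
"""
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str, str, str]  # (workload, container, severity, check)

# Constructed sample workloads: one risky Deployment and one hardened one.
SAMPLE_WORKLOADS: List[Dict[str, Any]] = [
    {
        "kind": "Deployment",
        "metadata": {"name": "web-risky", "namespace": "default"},
        "spec": {"template": {"spec": {
            "hostPID": True,
            "containers": [{
                "name": "web",
                "image": "registry.example.com/web:latest",
                "securityContext": {"privileged": True},
            }],
        }}},
    },
    {
        "kind": "Deployment",
        "metadata": {"name": "web-hardened", "namespace": "default"},
        "spec": {"template": {"spec": {
            "containers": [{
                "name": "web",
                "image": "registry.example.com/web@sha256:" + "0" * 64,
                "securityContext": {
                    "privileged": False,
                    "allowPrivilegeEscalation": False,
                    "runAsNonRoot": True,
                    "readOnlyRootFilesystem": True,
                    "capabilities": {"drop": ["ALL"]},
                },
                "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            }],
        }}},
    },
]


def pod_spec(workload: Dict[str, Any]) -> Dict[str, Any]:
    """Return the Pod spec of a Pod or of a workload that carries a Pod template."""
    if workload.get("kind") == "Pod":
        return workload.get("spec", {})
    return workload.get("spec", {}).get("template", {}).get("spec", {})


def inspect_workload(workload: Dict[str, Any]) -> List[Finding]:
    """Check one workload and return its findings, most severe first."""
    meta = workload.get("metadata", {})
    name = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
    spec = pod_spec(workload)
    findings: List[Finding] = []

    # Pod level: sharing host namespaces exposes the node to the container.
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append((name, "", "high", f"{key} enabled"))

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = c.get("name", "?")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append((name, cname, "high", "privileged container"))
        # allowPrivilegeEscalation defaults to true when it is not set.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append((name, cname, "medium", "allowPrivilegeEscalation not false"))
        if not sc.get("runAsNonRoot"):
            findings.append((name, cname, "medium", "runAsNonRoot not set"))
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append((name, cname, "low", "capabilities not dropped"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append((name, cname, "low", "root filesystem writable"))
        # A digest pins the image; a tag (especially :latest) can change under you.
        ref = c.get("image", "").rsplit("/", 1)[-1]
        if "@sha256:" not in ref:
            if ":" not in ref or ref.endswith(":latest"):
                findings.append((name, cname, "medium", "image uses :latest or no tag"))
            else:
                findings.append((name, cname, "low", "image pinned by tag, not digest"))
        if not c.get("resources", {}).get("limits"):
            findings.append((name, cname, "low", "no resource limits"))

    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[2]])


def summarize(workloads: List[Dict[str, Any]]) -> Dict[str, int]:
    """Count findings per severity across all workloads."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for w in workloads:
        for _, _, sev, _ in inspect_workload(w):
            counts[sev] += 1
    return counts


if __name__ == "__main__":
    for w in SAMPLE_WORKLOADS:
        for wl, cname, sev, check in inspect_workload(w):
            print(f"{sev:6} {wl} {cname or '-'}: {check}")
    print(summarize(SAMPLE_WORKLOADS))
```

To run the same checks against a live cluster, feed the script the output of kubectl get deployments,statefulsets,daemonsets,pods -A -o json (each item is a workload as above). The hardened Deployment produces no findings; the risky one produces two high-severity findings (hostPID and a privileged container) and six lower ones, which is the sort of list the Workload Configuration Risks tab summarizes.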