Container Service for Kubernetes (ACK) provides a security overview feature. This feature helps you identify security risks and harden nodes, container images, container runtimes, and workload configurations to improve the security governance of your cloud resources and applications. This topic describes how to use the security overview feature.
Usage notes
This feature is in invitational preview. To use this feature, submit a ticket.
Container runtime risk data is shown in real time. The data for node vulnerabilities, container image risks, and workload configuration risks is delayed by 24 hours. After you grant the required permissions for the first time or fix risks, you must wait 24 hours for the latest data to be displayed on the Security Overview page.
View the security overview
Log on to the ACK console. In the navigation pane on the left, click Clusters.
On the Clusters page, find the target cluster and click its name. In the navigation pane on the left, click Cluster Information.
On the Cluster Information page, click the Security Overview tab.
Category: Description
Cluster security risk: Displays the overall security status of the cluster.
Node vulnerabilities: Displays node vulnerability risks. This feature is enabled by default.
Container image risks: Identifies security risks in container images from Container Registry Enterprise Edition (ACR EE). Authorization is required before use.
Container runtime risks: Provides real-time viewing of container runtime risks and real-time runtime protection. Container runtime risks are diagnosed by Security Center. You must purchase Security Center Premium Edition or a higher edition. For more information, see Purchase Security Center.
Workload configuration risks: Helps you understand in real time whether the configurations of running applications have security risks. You must enable the configuration inspection feature before use.
Cluster security risk
Cluster security risk indicates the security risk level of a container cluster. The levels are defined as follows.
Healthy
The cluster security risk level is Healthy if there are no high-severity node vulnerabilities, and scans for container image risks, container runtime risks, and workload configuration risks are enabled and detect no high-severity risks.
High
The cluster security risk level is High if high-severity node vulnerabilities or high-severity container runtime risks are detected.
Medium
The cluster security risk level is Medium in all other cases.
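The three rules above, written out as a small classifier so the precedence is explicit. This is an added example, not ACK code or an ACK API object: the ScanStatus and ClusterSnapshot structures are constructed here to model what the Security Overview cards show.

```python
"""Cluster security risk level as defined on the Security Overview page.

Constructed example: ScanStatus/ClusterSnapshot are assumptions made for
illustration, not data structures returned by ACK.
"""
from dataclasses import dataclass

HIGH = "high"


@dataclass
class ScanStatus:
    """One risk category (card) on the Security Overview page."""
    enabled: bool                 # scan is enabled / authorized for this category
    severities: tuple = ()        # severities of detected risks: "high", "medium", "low"

    def has_high(self) -> bool:
        # A disabled scan reports nothing, so it can never contribute a finding.
        return self.enabled and HIGH in self.severities


@dataclass
class ClusterSnapshot:
    node_vulns: ScanStatus        # enabled by default
    image_risks: ScanStatus       # needs ACR EE authorization
    runtime_risks: ScanStatus     # needs Security Center Premium Edition or higher
    workload_risks: ScanStatus    # needs the configuration inspection feature


def cluster_risk_level(snap: ClusterSnapshot) -> str:
    # Rule 1 (High): high-severity node vulnerabilities or high-severity
    # container runtime risks. Checked first because it overrides the rest.
    if snap.node_vulns.has_high() or snap.runtime_risks.has_high():
        return "High"
    # Rule 2 (Healthy): no high-severity node vulnerabilities (already true
    # here) AND the image, runtime and workload scans are all enabled AND
    # none of them detects a high-severity risk.
    optional = (snap.image_risks, snap.runtime_risks, snap.workload_risks)
    if all(c.enabled for c in optional) and not any(c.has_high() for c in optional):
        return "Healthy"
    # Rule 3 (Medium): everything else. Note that a cluster with zero findings
    # but a disabled scan lands here, not in Healthy: "no data" is not "no risk".
    return "Medium"


if __name__ == "__main__":
    ok = ScanStatus(True, ("low",))
    # Image scan never authorized: no findings, but still only Medium.
    print(cluster_risk_level(ClusterSnapshot(ok, ScanStatus(False), ok, ok)))  # Medium
```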
Node vulnerabilities
Node vulnerability scanning is enabled by default.
At the bottom of the Security Overview page, click the Node Vulnerabilities tab. You can view the list of node vulnerabilities, which includes the corresponding node pools and the number of affected nodes in each node pool. Then, click Repair to go to the Node Pool Details page to fix the vulnerabilities. For more information about how to fix CVE vulnerabilities in a node pool, see Fix CVE vulnerabilities in the operating systems of a node pool.
After you fix the vulnerabilities, it takes 24 hours for the related data on the Security Overview page to refresh.
Container image risks
You must grant permissions to ACR beforehand. On the Container Image Risks card, click Authorize and follow the prompts to complete the authorization. To disable the container image risk analysis feature, click Revoke Permission.
After the authorization is complete, it takes 24 hours for the number of running container images in the current cluster and the associated security risks from ACR EE to be displayed.
At the bottom of the Security Overview page, click the Container Image Risks tab. You can view the list of container image risks, which includes details such as the container image address, affected containers, and scan time. Then, click Repair to go to the corresponding image risk details page in ACR EE to view risk details and fix them.
After you fix the risks, it takes 24 hours for the related data on the Security Overview page to refresh.
Container runtime risks
Container runtime risks are diagnosed by Security Center. You must purchase Security Center Premium Edition or a higher edition. For more information, see Purchase Security Center. After you purchase the required edition of Security Center, you can view container runtime risks in real time and enable real-time runtime protection.
At the bottom of the Security Overview page, click the Container Runtime Risks tab. You can view the list of container runtime risks, which includes the alert name and alert description. Then, click Handle to go to the Security Monitoring page to handle the risks.
Workload configuration risks
You must enable the configuration inspection feature beforehand. After you enable this feature, it takes 24 hours for the workload configuration and risk information for the current cluster to be displayed. For more information, see Perform an inspection.
At the bottom of the Security Overview page, click the Workload Configuration Risks tab. You can view the risk descriptions and the corresponding hardening suggestions. Then, click View Details to go to the cluster's Configuration Inspection page to fix the risks.
After you fix the risks, it takes 24 hours for the related data on the Security Overview page to refresh.