Security in ACK managed clusters is a shared responsibility between Alibaba Cloud and you. Alibaba Cloud secures the platform—the infrastructure, control plane, and etcd. You secure your workloads—the configurations, access credentials, and runtime environments running on that platform.
Review this boundary before you design and deploy business systems on ACK.
Alibaba Cloud's responsibilities
Alibaba Cloud is responsible for the security of the platform on which your clusters run:
Protects the infrastructure resources used by control planes, including compute, storage, and network resources.
Hardens control plane component configurations and images against security baselines defined by Alibaba Cloud Linux Security Hardening.
Publishes vulnerability notices as soon as OS or Kubernetes component vulnerabilities are discovered, then releases patches, new OS versions, or new component versions to fix them.
Provides security protection features and security best practices for enterprise-class cloud-native application lifecycle management.
Your responsibilities
You are responsible for securing the workloads and configurations you control:
Patch vulnerabilities: Apply OS, system component, and container runtime patches based on the release notes, vulnerability patches, and version updates published by Alibaba Cloud.
Secure your cluster configuration: Configure security settings for ACK clusters, node pools, and network resources following security principles. Avoid security parameters or permission settings that attackers can exploit.
Apply least privilege: Grant only the permissions required by each application, account, or role—for managing credentials, implementing security policies, and configuring security parameters.
Secure your supply chain: Ensure supply chain security for application artifacts.
Protect your data and runtime: Ensure the security of sensitive data and the application runtime environment.
Revoke access for departed or untrusted users: Deleting a RAM user or RAM role does not automatically revoke the Role-Based Access Control (RBAC) permissions associated with its kubeconfig credentials. Before you delete the RAM user or RAM role of a resigned employee or an untrusted individual, revoke their kubeconfig credentials. For more information, see Revoke a KubeConfig credential.
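The following Python audit is an added example, not code from this page or from ACK: it scans the JSON that kubectl returns for bindings and reports every User subject that no longer corresponds to an active RAM principal, which is exactly the leftover access the item above warns about. The binding JSON, the set of active RAM IDs, and the assumption that RAM users and roles appear as RBAC subjects of kind User named by their RAM principal ID are all constructed for illustration.

```python
import json

# Constructed sample in the shape of `kubectl get clusterrolebindings,rolebindings -A -o json`.
# Assumption for this example: RAM users and RAM roles appear as RBAC subjects of kind
# "User" whose name is the RAM principal ID (a numeric string).
SAMPLE_JSON = """
{"items": [
  {"kind": "ClusterRoleBinding",
   "metadata": {"name": "ops-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "User", "name": "200000000000000001"}]},
  {"kind": "RoleBinding",
   "metadata": {"name": "dev-view", "namespace": "dev"},
   "roleRef": {"kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "User", "name": "200000000000000002"},
                {"kind": "ServiceAccount", "name": "ci", "namespace": "dev"}]}
]}
"""

# Constructed sample: RAM principal IDs that still exist in the account.
ACTIVE_RAM_IDS = {"200000000000000002"}


def parse_bindings(text):
    """Parse the kubectl JSON list into a Python dict."""
    return json.loads(text)


def orphaned_bindings(bindings, active_ids):
    """Return (binding name, namespace, subject, role) for every User subject that
    is not an active RAM principal. Deleting the RAM user or role does not remove
    these bindings, so a kubeconfig issued earlier keeps whatever they grant until
    the credential is revoked and the binding is cleaned up."""
    findings = []
    for b in bindings.get("items", []):
        ns = b["metadata"].get("namespace", "")  # empty for a ClusterRoleBinding
        role = f'{b["roleRef"]["kind"]}/{b["roleRef"]["name"]}'
        for s in b.get("subjects") or []:  # subjects may be omitted entirely
            if s.get("kind") == "User" and s.get("name") not in active_ids:
                findings.append((b["metadata"]["name"], ns, s["name"], role))
    return findings


if __name__ == "__main__":
    for name, ns, subject, role in orphaned_bindings(parse_bindings(SAMPLE_JSON), ACTIVE_RAM_IDS):
        print(f"orphaned binding {name} (ns={ns or '-'}): subject {subject} still holds {role}")
```

The audit only finds the leftover bindings; revoking the kubeconfig credential itself is the step described in Revoke a KubeConfig credential.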
Responsibility boundaries by deployment type
As your deployment becomes more managed, Alibaba Cloud assumes responsibility for more layers of the stack. The following diagrams show how the boundary shifts across three cluster configurations.
ACK managed clusters
ACK Serverless clusters and ack-virtual-node
When you use ACK Serverless clusters or deploy ack-virtual-node in an ACK managed cluster, Alibaba Cloud also secures the Elastic Container Instance (ECI) that each pod runs on. After Alibaba Cloud releases patches, recreate the pod so that it runs on a patched ECI.
Managed node pools in ACK managed clusters
If you use managed node pools, Alibaba Cloud can automatically patch OS vulnerabilities and update the kubelet version, depending on the node pool configuration. OS patches are provided by Security Center. If you deploy nodes from custom OS images, you must patch OS vulnerabilities yourself.