ACK provides the inspection feature to scan your cluster workloads for security risks in their configuration. After an inspection task runs, the system generates an inspection report. You can use the report to view and address risk items and monitor the health status of your workloads in real time.
Prerequisites
The cluster runs Kubernetes v1.14 or later. To upgrade your cluster, see Manually update an ACK cluster.
If you are a RAM user, complete the RAM authorization and RBAC authorization as described in the following sections.
RAM authorization
Complete the RAM authorization on the Inspections page to ensure that the current RAM user has the permissions to use the Inspections page for the current cluster. Otherwise, you will have insufficient permissions and be unable to use the features on the Inspections page. For more information, see Grant permissions to access clusters and cloud resources by using RAM.
If you want to use the inspection report feature, you must grant the RAM user read permissions on the specified Simple Log Service (SLS) project. The project is used by the log collection component of your cluster. Otherwise, insufficient permissions will prevent you from viewing inspection reports. For more information, see Examples of custom RAM authorization.
RBAC authorization
Complete the RBAC authorization for the resources on the Inspections page to grant administrator permissions for the specified cluster to the RAM user. This ensures that the RAM user has the permissions to operate on the Kubernetes resources on the Inspections page. For more information, see Use RBAC to authorize operations on resources within a cluster.
Run an inspection
Log on to the ACK console. In the left navigation pane, click Clusters.
On the Clusters page, click the name of your cluster. In the left navigation pane, click .
Optional: Follow the on-screen instructions to install or update the inspection component.
The security-inspector component is free of charge but consumes pod resources. For more information about the component and its release notes, see security-inspector.
Run an inspection.
ImportantWe recommend running inspections during off-peak hours.
By default, the inspection scans all supported items. In the upper-right corner of the Inspections page, you can click Configure Periodic Inspection to specify the items to scan. For more information, see Inspection items.
To run an immediate inspection, in the upper-right corner of the Inspections page, click Inspect.
To run periodic inspections, in the upper-right corner of the Inspections page, click Configure Periodic Inspection. Then, select Configure Periodic Inspection and configure the inspection period.
After the inspection is complete, on the Inspections tab, find the desired inspection result and click Details in the Actions column.
Inspection details
The Inspections page lists detailed inspection results for different workloads. The page provides the following features:
Filter results by criteria such as Passed or Failed, Namespace, and Workload Type, and view the number of Number of Passed Items and Risk Item for each workload.
View details for each inspection item, including the check status (Passed or Failed) at the pod and container levels, a detailed description, and remediation suggestions. If a failed item does not require remediation, you can add it to the whitelist.
View the YAML file of a workload.
Inspection reports
The Reports page displays the results of the most recent inspection. The page includes the following information:
An overview of the scan results, including the total number of inspection items, the number and percentage of each inspected resource type, and the overall health score.
Statistics for major scan categories, including health checks, images, networking, resources, and security.
Detailed scan results for each workload configuration, including the resource type, resource name, namespace, check type, inspection item, and result.
Inspection items
The configuration inspection feature scans for and displays results for the following items.
Check ID | Check item | Description and security risk | Remediation |
hostNetworkSet | Prevent containers from sharing the host network namespace | Checks whether | Modify the pod spec to remove the Example: |
hostIPCSet | Prevent containers from sharing the host IPC namespace | Checks whether | Modify the pod spec to remove the Example: |
hostPIDSet | Prevent containers from sharing the host PID namespace | Checks whether | Modify the pod spec to remove the Example: |
hostPortSet | Prevent container processes from listening on node ports | Checks whether | Modify the pod spec to remove the Example: |
runAsRootAllowed | Prevent containers from running as the root user | Checks whether | Modify the pod spec to add Example: |
runAsPrivileged | Prevent containers from running in privileged mode | Checks whether | Modify the pod spec to remove the Example: |
privilegeEscalationAllowed | Prevent privilege escalation in containers | Checks whether | Modify the pod spec to add the Example: |
capabilitiesAdded | Drop unnecessary Linux capabilities | Checks the | Modify the pod spec to add only the required Linux capabilities and drop all others. If no extra Linux capabilities are required, drop all of them. Example: If specific capabilities are required, add only the necessary ones and drop all others. Example: |
notReadOnlyRootFilesystem | Use a read-only root filesystem for containers | Checks whether | Modify the pod spec to add Example: If you need to modify files in a specific directory, use a Example: |
cpuRequestsMissing | Set CPU requests for containers | Checks whether | Modify the pod spec to add a Example: |
cpuLimitsMissing | Set CPU limits for containers | Checks whether | Modify the pod spec to add a Example: |
memoryRequestsMissing | Set memory requests for containers | Checks whether | Modify the pod spec to add a Example: |
memoryLimitsMissing | Set memory limits for containers | Checks whether | Modify the pod spec to add a Example: |
readinessProbeMissing | Configure readiness probes for containers | Checks whether a | Modify the pod spec to add a Example: |
livenessProbeMissing | Configure liveness probes for containers | Checks whether a | Modify the pod spec to add a Example: |
tagNotSpecified | Use a specific image tag for containers | Checks whether the | Modify the Example: |
anonymousUserRBACBinding | Prohibit anonymous user access to the cluster | Checks the Role-Based Access Control (RBAC) bindings in the cluster to find any configurations that grant access to anonymous users. If anonymous access is allowed, malicious users can steal sensitive information or attack the cluster. | Modify the RBAC bindings to remove any permissions that allow anonymous users to access cluster resources. Example: |
Events
Event type | Event name | Content example | Description | Actions |
Normal | SecurityInspectorConfigAuditStart | Starting config audit | The inspection task starts. | No action is required. |
Normal | SecurityInspectorConfigAuditFinished | Config audit finished | The inspection task is complete. | No action is required. |
Warning | SecurityInspectorConfigAuditHighRiskFound | Found 2 high-risk items after config audit | After the inspection, unmitigated high-risk items were found in some workloads. |
|