The security-inspector component performs security inspections on your ACK clusters by scanning workload configurations across multiple dimensions.
Overview
security-inspector scans workload configurations in your cluster in real time to detect security risks and provide hardening recommendations. The following figure shows the component architecture.
Usage notes
security-inspector supports secure configuration inspection. It integrates with Polaris, an open source tool by FairwindsOps that scans Kubernetes workload configurations for security risks. For more information about Polaris, see the Polaris GitHub repository.
Inspection results are organized into five dimensions, each targeting a specific risk area:
Health checks: Detect missing or misconfigured liveness and readiness probes that could cause undetected failures.
Images: Identify containers using unsafe image configurations, such as missing tags.
Networks: Flag workload configurations that expose unnecessary network access.
Resources: Detect missing CPU and memory limits that could lead to resource contention.
Security: Surface high-risk security settings, such as privilege escalation, plaintext AccessKey pairs in environment variables, and insecure RBAC permissions.
For instructions on running an inspection, see Use configuration inspection to check workloads in an ACK cluster.
Release notes
The tables below list all security-inspector releases. The Type column categorizes each change:
Feature: New inspection capability or scan dimension
Fix: Bug fix or CVE patch
Stability: Dependency upgrade (Go version) with no functional change
Improvement: Performance, compatibility, or configuration enhancement
December 2025
| Version | Image address | Change date | Type | Changes | Impact |
|---|
| v0.16.7 | registry-cn-hangzhou.ack.aliyuncs.com/acs/security-inspector:v0.16.7 | 2025-12-03 | Stability | Upgrade Go to 1.24.11 to improve stability. | No impact on business. |
August 2025
| Version | Image address | Change date | Type | Changes | Impact |
|---|
| v0.16.6 | registry-cn-hangzhou.ack.aliyuncs.com/acs/security-inspector:v0.16.6 | 2025-08-11 | Stability | Upgrade Go to 1.24.6 to improve stability. | No impact on business. |
July 2025
| Version | Image address | Change date | Type | Changes | Impact |
|---|
| v0.16.5.2-gffa860c-aliyun | registry-cn-hangzhou.ack.aliyuncs.com/acs/security-inspector:v0.16.5.2-gffa860c-aliyun | 2025-07-09 | Stability | Upgrade Go to 1.24.4 to improve stability. | No impact on business. |
April 2025
| Version | Image address | Change date | Type | Changes | Impact |
|---|
| v0.16.3.3-ge515753-aliyun | registry-cn-hangzhou.ack.aliyuncs.com/acs/security-inspector:v0.16.3.3-ge515753-aliyun | 2025-04-16 | Stability | Upgrade Go to 1.24.2 to improve stability. | No impact on business. |
| v0.16.2.0-gbce6b15-aliyun | registry-cn-hangzhou.ack.aliyuncs.com/acs/security-inspector:v0.16.2.0-gbce6b15-aliyun | 2025-04-09 | Fix | Fix a crash in the component pod when resources in the security-inspector namespace are deleted. The component now logs error messages to the container logs instead of crashing. | No impact on business. |
March 2025
| Version | Image address | Change date | Type | Changes | Impact |
|---|
| v0.16.1.0-gea4d02f-aliyun | registry-cn-hangzhou.ack.aliyuncs.com/acs/security-inspector:v0.16.1.0-gea4d02f-aliyun | 2025-03-18 | Stability | Upgrade Go to 1.23.7 to improve stability. | No impact on business. |
January 2025
| Version | Image address | Change date | Type | Changes | Impact |
|---|
| v0.16.0.0-g4e93dcd-aliyun | registry-cn-hangzhou.ack.aliyuncs.com/acs/security-inspector:v0.16.0.0-g4e93dcd-aliyun | 2025-01-02 | Stability | Upgrade Go to 1.23.4 to improve stability. | No impact on business. |
October 2024
| Version | Image address | Change date | Type | Changes | Impact |
|---|
| v0.15.0.0-g4218661-aliyun | registry-cn-hangzhou.ack.aliyuncs.com/acs/security-inspector:v0.15.0.0-g4218661-aliyun | 2024-10-10 | Feature | Add detection of plaintext AccessKey pairs stored in environment variables. | No impact on business. |
August 2024
| Version | Image address | Change date | Type | Changes | Impact |
|---|
| v0.14.1.0-g829a93d-aliyun | registry-cn-hangzhou.ack.aliyuncs.com/acs/security-inspector:v0.14.1.0-g829a93d-aliyun | 2024-08-01 | Improvement | Improve version compatibility. | No impact on business. |
July 2024
| Version | Image address | Change date | Type | Changes | Impact |
|---|
| v0.14.0.0-gfc02c67-aliyun | registry-cn-hangzhou.ack.aliyuncs.com/acs/security-inspector:v0.14.0.0-gfc02c67-aliyun | 2024-07-26 | Improvement | Starting with this version, inspection tasks run in the security-inspector namespace. | No impact on business. |
March 2024
| Version | Image address | Change date | Type | Changes | Impact |
|---|
| v0.13.0.0-g88dfa8f-aliyun | registry-cn-hangzhou.ack.aliyuncs.com/acs/security-inspector:v0.13.0.0-g88dfa8f-aliyun | 2024-03-26 | Feature | Expand RBAC inspection to include wildcard detection, cluster-admin role detection, and detection of modifications to default cluster roles (system:basic-user, system:discovery, and system:public-info-viewer). | No impact on business. |
February 2024
| Version | Image address | Change date | Type | Changes | Impact |
|---|
| v0.12.0.7-g6f9d47f-aliyun | registry-cn-hangzhou.ack.aliyuncs.com/acs/security-inspector:v0.12.0.7-g6f9d47f-aliyun | 2024-02-21 | Feature | Add support for configuring host network usage and the health check port on the Add-ons page. | No impact on business. |
December 2023
| Version | Image address | Change date | Type | Changes | Impact |
|---|
| v0.11.0.3-ga2fad87-aliyun | registry-cn-hangzhou.ack.aliyuncs.com/acs/security-inspector:v0.11.0.3-ga2fad87-aliyun | 2023-12-21 | Fix | Preserve user modifications to the ttlSecondsAfterFinished field of security-inspector-polaris-cronjob during component upgrades. | No impact on business. |
June 2023
| Version | Image address | Change date | Type | Changes | Impact |
|---|
| v0.10.1.2-g13c9de7-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.10.1.2-g13c9de7-aliyun | 2023-06-02 | Fix | - Fix a component malfunction that occurred after upgrading the cluster to version 1.26.3-aliyun.1.
- Optimize periodic scanning to ensure only one task runs at a time, preventing multiple pending task pods in the cluster.
| No impact on business. |
April 2023
| Version | Image address | Change date | Type | Changes | Impact |
|---|
| v0.10.0.3-g15b35c4-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.10.0.3-g15b35c4-aliyun | 2023-04-13 | Improvement | Add support for Kubernetes 1.26. | No impact on business. |
February 2023
| Version | Image address | Change date | Type | Changes | Impact |
|---|
| v0.9.1.0-gcdddfa7-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.9.1.0-gcdddfa7-aliyun | 2023-02-27 | Fix | Fix CVE-2023-0286 in the component base image. | No impact on business. |
December 2022
| Version | Image address | Change date | Type | Changes | Impact |
|---|
| v0.9.0.0-g1d38ec6-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.9.0.0-g1d38ec6-aliyun | 2022-12-22 | Feature | - Add support for ACK Serverless clusters running Kubernetes 1.18 or later.
- Automatically restore accidentally deleted Simple Log Service (SLS) dashboards by restarting component containers.
| No impact on business. |
| v0.8.3.2-ge5496db-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.8.3.2-ge5496db-aliyun | 2022-12-13 | Fix | Canary release. Speed up program initialization to resolve an issue where inspection tasks could not run immediately after component installation. | No impact on business. |
August 2022
| Version | Image address | Change date | Type | Changes | Impact |
|---|
| v0.8.3.1-gf7bf0e0-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.8.3.1-gf7bf0e0-aliyun | 2022-08-30 | Improvement | Improve SecurityInspectorConfigAuditHighRiskFound and SecurityInspectorConfigAuditFinished event messages by adding links to detailed information. | No impact on business. |
June 2022
| Version | Image address | Change date | Type | Changes | Impact |
|---|
| v0.8.2.16-gc84d60d-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.8.2.16-gc84d60d-aliyun | 2022-06-21 | Fix | - Fix the
MountVolume.SetUp failed for volume "config" : object "kube-system"/"security-inspector-polaris-config" not registered event in Kubernetes 1.22 clusters. - Optimize API server requests to reduce load on large clusters.
| No impact on business. |
April 2022
| Version | Image address | Change date | Type | Changes | Impact |
|---|
| v0.8.1.0-g58d1a56-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.8.1.0-g58d1a56-aliyun | 2022-04-11 | Fix | - Fix an issue where nodes hosting pods could not be automatically drained due to improper component configuration.
- Fix an issue where inspection reports displayed incorrectly when multiple clusters shared the same log project.
| No impact on business. |
February 2022
| Version | Image address | Change date | Type | Changes | Impact |
|---|
| v0.8.0.0-gb0edd1d-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.8.0.0-gb0edd1d-aliyun | 2022-02-15 | Fix | - Set the severity level of the
privilegeEscalationAllowed inspection item to medium. - Improve support for Kubernetes 1.16 clusters and fix the issue described in <a href="https://github.com/kubernetes/kubernetes/issues/84880">#84880</a>.
| No impact on business. |
December 2021
| Version | Image address | Change date | Type | Changes | Impact |
|---|
| v0.7.0.5-g8cc37b6-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.7.0.5-g8cc37b6-aliyun | 2021-12-03 | Feature | - Add support for Kubernetes 1.22. Starting with this version, only Kubernetes 1.16 or later is supported.
- Add support for ARM64 architecture.
| No impact on business. |
September 2021
| Version | Image address | Change date | Type | Changes | Impact |
|---|
| v0.6.0.4-gc12ad66-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.6.0.4-gc12ad66-aliyun | 2021-09-20 | Feature | - Add support for scanning against the CIS Kubernetes Benchmark v1.0.0 for Kubernetes V1.20.
- Make the
capabilitiesAdded inspection item case-insensitive. For more information, see <a href="https://www.alibabacloud.com/help/en/document_detail/173303.html#task-2552179">Use configuration inspection to check workloads in an ACK cluster</a>.
| No impact on business. |
June 2021
| Version | Image address | Change date | Type | Changes | Impact |
|---|
| v0.5.0.2-g5e33765-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.5.0.2-g5e33765-aliyun | 2021-06-24 | Fix | Fix an issue where report data displayed incorrectly when multiple clusters shared the same SLS project. | No impact on business. |
March 2021
| Version | Image address | Change date | Type | Changes | Impact |
|---|
| v0.4.0.0-g541eb31-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.4.0.0-g541eb31-aliyun | 2021-03-15 | Feature | - Add support for CIS Kubernetes baseline checks.
- Add the following Kubernetes events, visible in Event Hub when a scan is triggered:
- <code>SecurityInspectorConfigAuditStart</code>: Configuration inspection started.
- <code>SecurityInspectorConfigAuditFinished</code>: Configuration inspection completed.
- <code>SecurityInspectorConfigAuditHighRiskFound</code>: High-risk configurations found after configuration inspection.
- <code>SecurityInspectorBenchmarkStart</code>: Baseline check started.
- <code>SecurityInspectorBenchmarkFinished</code>: Baseline check completed.
- <code>SecurityInspectorBenchmarkFailedCheckFound</code>: Failed scored checks found after baseline check.
| No impact on business. |
January 2021
| Version | Image address | Change date | Type | Changes | Impact |
|---|
| v0.3.0.2-gcb49252-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.3.0.2-gcb49252-aliyun | 2021-01-05 | Feature | Add support for scanning anonymous user access permissions to identify insecure RBAC configurations. | No impact on business. |
December 2020
| Version | Image address | Change date | Type | Changes | Impact |
|---|
| v0.2.0.22-gd1fbaff-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.2.0.22-gd1fbaff-aliyun | 2020-12-16 | Feature | - Store the latest inspection results using Custom Resource Definitions (CRDs).
- Enable or disable specific inspection items as needed.
- Configure workload whitelists.
| No impact on business. |
July 2020
| Version | Image address | Change date | Type | Changes | Impact |
|---|
| v0.1.0.3-g69f71f6-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.1.0.3-g69f71f6-aliyun | 2020-07-06 | Feature | Manually trigger configuration inspection tasks to check workloads in your cluster and generate inspection reports. | No impact on business. |