In Container Service for Kubernetes (ACK) managed clusters, security is a shared responsibility between Alibaba Cloud and you. ACK is responsible for ensuring the security of the infrastructure resources on which ACK clusters are deployed and the security of control plane components and etcd. You are responsible for securing your applications, workloads, and the cluster configuration you control.
Knowing this boundary before you design and deploy your systems helps you identify which security tasks require your action.
## What Alibaba Cloud is responsible for
Alibaba Cloud manages the security of the control plane and the infrastructure it runs on:
- Control plane infrastructure: Computing, storage, and network resources that underpin ACK control planes are secured and managed by Alibaba Cloud.
- Control plane hardening: Control plane component configurations and images are hardened against security baselines defined by security protection features such as Alibaba Cloud Linux Security Hardening.
- Vulnerability notifications: When OS or Kubernetes component vulnerabilities are discovered, Alibaba Cloud releases vulnerability notices at the earliest opportunity and releases patches, new OS versions, or new component versions to fix them.
- Security tooling: Alibaba Cloud provides security protection features and security best practices for enterprise-grade cloud-native application lifecycle management.
## What you are responsible for
You are responsible for the security of everything you deploy and configure on the cluster:
| Layer | Responsibility |
|---|---|
| OS and runtime | Apply OS, system component, and container runtime vulnerability patches based on notices and updates from Alibaba Cloud. |
| Cluster configuration | Configure ACK clusters, node pools, and network resources according to security principles. Avoid security parameters or permission settings that could be exploited. |
| Access control | Follow the principle of least privilege. Grant only required permissions to applications, accounts, and roles when managing credentials, deploying security policies, and configuring security parameters. |
| Supply chain | Ensure supply chain security for application artifacts. |
| Data and runtime security | Protect sensitive data and secure the application runtime environment. |
| Offboarding | When you delete RAM users or RAM roles for resigned employees or untrusted individuals, their Role-Based Access Control (RBAC) permissions in the kubeconfig file will not be automatically revoked. Revoke the kubeconfig credential before deleting the RAM user or RAM role. See Revoke a KubeConfig credential. |
## Responsibility boundaries by cluster type
The following diagrams show how the responsibility boundary shifts depending on your cluster type.
### ACK managed clusters
### ACK Serverless clusters and ack-virtual-node
When you use ACK Serverless clusters or deploy ack-virtual-node in an ACK managed cluster, Alibaba Cloud ensures the security of the control plane components, infrastructure, and the Elastic Container Instance (ECI) that each pod runs on. Your responsibility is to recreate pods so that patches can take effect.
### Managed node pools in ACK managed clusters
With managed node pools, Alibaba Cloud can automate OS vulnerability patching and kubelet version updates based on your node pool configuration. OS patches are provided by Security Center. If your nodes run custom OS images, OS vulnerabilities must be patched manually.