Container Service for Kubernetes:Scan workload configuration risks

Last Updated:Mar 26, 2026

The inspection feature scans your ACK cluster workloads for security misconfigurations and generates a report. Use inspection reports to identify and remediate failed items, keeping your workloads secure and healthy.

Prerequisites

Before you begin, ensure that you have:

  • A cluster running Kubernetes 1.14 or later. For upgrade instructions, see Manually update ACK clusters.

  • (RAM users only) RAM authorization and role-based access control (RBAC) authorization, as described below.

Grant permissions to a RAM user

If you use a Resource Access Management (RAM) user to access the Inspections page, complete both of the following authorization steps.

RAM authorization

Create a custom RAM policy that grants the following actions on your cluster resource:

{
  "Statement": [
    {
      "Action": [
        "cs:DescribePolarisConfig",
        "cs:DescribePolarisJob",
        "cs:DescribePolarisCronJob",
        "cs:UpdatePolarisJob",
        "cs:UpdatePolarisCronJob"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:cs:*:*:cluster/<yourclusterID>"
      ]
    }
  ],
  "Version": "1"
}

To view inspection reports, also grant the RAM user read permissions on the Simple Log Service project used by the logtail-ds component in your cluster:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:Get*",
        "log:List*"
      ],
      "Resource": "acs:log:*:*:project/<Project name>/*",
      "Effect": "Allow"
    }
  ]
}

For instructions on creating custom RAM policies, see Create a custom RAM policy and Use custom policies to grant permissions to a RAM user.

RBAC authorization

Grant the RAM user administrator-level RBAC permissions on the cluster. This allows the user to manage the Kubernetes resources shown on the Inspections page. For instructions, see Grant RBAC permissions to RAM users or RAM roles.

Run an inspection task

  1. Log in to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, find your cluster and click its name. In the left-side pane, choose Security > Inspections.

  3. (Optional) Install or update the security-inspector component. The security-inspector component is free of charge but consumes pod resources. For more information, see security-inspector.

  4. Run an inspection task. By default, all inspection items are enabled. To customize which inspection items are included, click Configure Periodic Inspection and adjust the item selection. For the full list of inspection items, see Inspection items.

    • Immediate inspection: In the upper-right corner of the Inspections page, click Inspect.

    • Scheduled inspection: In the upper-right corner, click Configure Periodic Inspection. In the panel that appears, select Configure Periodic Inspection and set the inspection cycle.

    Important

    Run inspection tasks during off-peak hours to minimize the impact on workloads.

  5. After the task completes, go to the Inspections tab, find the result entry, and click Details in the Actions column.

View inspection results

Inspection details

The Inspections tab shows results for each workload. Use the Passed or Failed, Namespace, and Workload Type filters to locate workloads of interest. The table displays the Number of Passed Items and Number of Failed Items for each workload.

Click Details to open the inspection details page, which shows:

  • Passed and failed inspection items for each pod and container

  • A description of each inspection item and remediation suggestions

  • The YAML file of the workload

To suppress a failed item, click Add to Whitelist on the inspection details page. Whitelisted items are excluded from future inspection results.

Inspection reports

The Reports page displays the results of the most recent inspection task, including:

  • Overview: Total inspection items, count and percentage of each resource type, and overall cluster health status

  • Category statistics: Breakdown across health checks, images, networks, resources, and security conditions

  • Detailed results: Per-workload results including resource category, resource name, namespace, inspection type, inspection item, and result

Inspection items

The following table lists all 17 inspection items.

| Item ID | Inspection item | Fails when | Risk | Remediation |
| --- | --- | --- | --- | --- |
| hostNetworkSet | Disable sharing of network namespaces between containers and hosts | hostNetwork: true is set in the pod specification | Containers share the host network namespace, allowing them to sniff host network traffic or attack the host network directly. | Remove the hostNetwork field from the pod specification. |
| hostIPCSet | Disable sharing of IPC namespaces between containers and hosts | hostIPC: true is set in the pod specification | Containers share the host IPC namespace, allowing them to attack host processes or sniff inter-process communication data. | Remove the hostIPC field from the pod specification. |
| hostPIDSet | Disable sharing of PID namespaces between containers and hosts | hostPID: true is set in the pod specification | Containers share the host PID namespace, allowing them to attack host processes or collect process data. | Remove the hostPID field from the pod specification. |
| hostPortSet | Prevent processes in containers from listening on host ports | The hostPort field is present in the pod specification | The specified host port may be occupied without authorization, and containers may receive unexpected external requests. | Remove the hostPort field from the pod specification. |
| runAsRootAllowed | Disable container startup as a root user | runAsNonRoot: true is absent from the pod specification | Containers may run as root, allowing malicious processes to intrude into your applications, hosts, or cluster. | Add runAsNonRoot: true to the pod specification. |
| runAsPrivileged | Disable container startup in privileged mode | privileged: true is set in the pod specification | Privileged containers have nearly unrestricted access to the host, allowing malicious processes to compromise your applications, hosts, or cluster. | Remove the privileged field from the pod specification. |
| privilegeEscalationAllowed | Disable privilege escalation for child processes in containers | allowPrivilegeEscalation: false is absent from the pod specification | Child processes may gain higher privileges than their parent process, enabling unauthorized operations. | Add allowPrivilegeEscalation: false to the pod specification. |
| capabilitiesAdded | Disable unnecessary Linux capabilities | The capabilities field includes capabilities such as SYS_ADMIN, NET_ADMIN, or ALL | Excess Linux capabilities allow malicious processes to intrude into your applications, cluster components, or cluster. | If containers require no Linux capabilities, remove all capabilities from the pod specification. If containers require specific Linux capabilities, keep only those required and remove the rest. |
| notReadOnlyRootFileSystem | Enable read-only mode for container file systems | readOnlyRootFilesystem: true is absent from the pod specification | Malicious processes may modify the root file system, altering application binaries or configuration files. | Add readOnlyRootFilesystem: true to the pod specification. If you need to write to specific directories, configure volumeMounts for those paths. |
| cpuRequestsMissing | Set the minimum CPU resources for containers | resources.requests.cpu is absent from the pod specification | The pod may be scheduled to a node with insufficient CPU resources, causing slow or degraded processes. | Add resources.requests.cpu to the pod specification. |
| cpuLimitsMissing | Set the maximum CPU resources for containers | resources.limits.cpu is absent from the pod specification | Abnormal container processes may consume excessive CPU resources, starving other workloads on the node or cluster. | Add resources.limits.cpu to the pod specification. |
| memoryRequestsMissing | Set the minimum memory resources for containers | resources.requests.memory is absent from the pod specification | The pod may be scheduled to a node with insufficient memory, causing processes to be terminated by the OOM killer. | Add resources.requests.memory to the pod specification. |
| memoryLimitsMissing | Set the maximum memory resources for containers | resources.limits.memory is absent from the pod specification | Abnormal container processes may consume excessive memory, exhausting node or cluster memory resources. | Add resources.limits.memory to the pod specification. |
| readinessProbeMissing | Configure container readiness probes | readinessProbe is absent from the pod specification | Traffic may be routed to containers before they are ready, causing request failures during startup or rolling updates. | Add a readinessProbe to the pod specification. |
| livenessProbeMissing | Configure container liveness probes | livenessProbe is absent from the pod specification | Application failures that require a container restart may go undetected, causing service interruptions. | Add a livenessProbe to the pod specification. |
| tagNotSpecified | Specify image versions for containers | The image field has no version tag, or the tag is set to latest | Containers may pull an unintended image version, causing unexpected behavior or service interruptions. | Set the image field to a specific version tag other than latest. |
| anonymousUserRBACBinding | Prohibit anonymous access to the cluster | RBAC role bindings allow access from anonymous users | Anonymous users can access sensitive cluster information, attack the cluster, and intrude into the cluster. | Remove any RBAC role bindings that grant access to anonymous users. |
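As an added example (not part of the ACK documentation or of the security-inspector component), the following Python checker applies the pod-specification items from the table above to a pod spec and returns the IDs of the items that fail. The two pod specs are constructed samples; the anonymousUserRBACBinding item concerns RBAC bindings rather than pod specs and is not covered here.

```python
RISKY_CAPS = {"SYS_ADMIN", "NET_ADMIN", "ALL"}

def inspect_pod(spec: dict) -> list[str]:
    """Return the sorted IDs of the pod-spec inspection items that spec fails."""
    failed = set()
    # Namespace sharing is declared at pod level.
    for field in ("hostNetwork", "hostIPC", "hostPID"):
        if spec.get(field) is True:
            failed.add(f"{field}Set")
    pod_sc = spec.get("securityContext") or {}
    for c in spec.get("containers", []):
        sc = c.get("securityContext") or {}
        res = c.get("resources") or {}
        # The tag is whatever follows ':' in the last path segment (digests count as pinned).
        tag = c.get("image", "").rsplit("/", 1)[-1].partition(":")[2]
        checks = [
            (any("hostPort" in p for p in c.get("ports", [])), "hostPortSet"),
            # runAsNonRoot may be set on the pod or the container; the container value wins.
            (sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True, "runAsRootAllowed"),
            (sc.get("privileged") is True, "runAsPrivileged"),
            (sc.get("allowPrivilegeEscalation") is not False, "privilegeEscalationAllowed"),
            (bool(RISKY_CAPS & set((sc.get("capabilities") or {}).get("add") or [])), "capabilitiesAdded"),
            (sc.get("readOnlyRootFilesystem") is not True, "notReadOnlyRootFileSystem"),
            ("readinessProbe" not in c, "readinessProbeMissing"),
            ("livenessProbe" not in c, "livenessProbeMissing"),
            (tag in ("", "latest"), "tagNotSpecified"),
        ]
        checks += [(r not in (res.get(kind) or {}), f"{r}{kind.capitalize()}Missing")
                   for kind in ("requests", "limits") for r in ("cpu", "memory")]
        failed.update(item for cond, item in checks if cond)
    return sorted(failed)

RISKY_POD = {  # constructed sample: a typical misconfigured spec
    "hostNetwork": True,
    "containers": [{"name": "app", "image": "nginx:latest",
                    "ports": [{"containerPort": 80, "hostPort": 8080}],
                    "securityContext": {"privileged": True,
                                        "capabilities": {"add": ["NET_ADMIN"]}}}]}
HARDENED_POD = {  # constructed sample: the same workload after remediation
    "containers": [{"name": "app", "image": "nginx:1.25.3",
                    "ports": [{"containerPort": 80}],
                    "securityContext": {"runAsNonRoot": True,
                                        "allowPrivilegeEscalation": False,
                                        "readOnlyRootFilesystem": True},
                    "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                                  "limits": {"cpu": "500m", "memory": "256Mi"}},
                    "readinessProbe": {"httpGet": {"path": "/", "port": 80}},
                    "livenessProbe": {"httpGet": {"path": "/", "port": 80}}}]}
```

Running inspect_pod(RISKY_POD) reports 14 failed items, and inspect_pod(HARDENED_POD) reports none.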

Events

The inspection feature emits the following events:

| Event type | Event name | Example content | Description | Action |
| --- | --- | --- | --- | --- |
| Normal | SecurityInspectorConfigAuditStart | Start to running config audit | The inspection task has started. | No action required. |
| Normal | SecurityInspectorConfigAuditFinished | Finished running once config audit | The inspection task has completed. | No action required. |
| Warning | SecurityInspectorConfigAuditHighRiskFound | 2 high risks have been found after running config audit | The inspection identified security risks in workloads. | 1. Go to the Inspections tab and use the Passed or Failed, Namespace, and Workload Type filters to locate affected workloads. 2. Click Details to review the results for each inspection item. To suppress a risk, click Add to Whitelist. To fix a risk, follow the remediation suggestions on the details page. |
