This topic describes how to ensure the security of hosts in a Container Service for Kubernetes (ACK) cluster.

Periodically check whether the configurations of your ACK cluster comply with CIS benchmarks and the baseline for classified protection of cybersecurity.

Center for Internet Security (CIS) is a third-party security organization that is committed to leading a global community of enterprises, public service sectors, and academia to provide security best practices.

The CIS Kubernetes Benchmark is written for open source Kubernetes distributions and is intended to be as applicable as possible to all distributions. Each CIS Kubernetes Benchmark version is tied to a specific Kubernetes release. For more information, see CIS Kubernetes Benchmark.

The generic version of the CIS Kubernetes Benchmark consists of items that are related to the control plane and data plane. Most cloud service providers manage and maintain the control plane of Kubernetes clusters. Therefore, the generic version of the CIS Kubernetes Benchmark is not suitable for these cloud service providers. To resolve this issue, Alibaba Cloud released the CIS ACK Benchmark in the CIS community. The CIS ACK Benchmark can be used to audit the security compliance of ACK clusters.

ACK clusters provided by Alibaba Cloud are optimized based on the CIS ACK Benchmark to support a stronger security posture. For more information, see Use security-inspector to audit the CIS Kubernetes Benchmark.

Most OS images released by cloud service providers for nodes in Kubernetes clusters are tied to specific CIS Benchmarks. These OS images include Alibaba Cloud Linux 2, CentOS, and Ubuntu. Alibaba Cloud Linux 2 is an OS image released by Alibaba Cloud and is used as the default OS image by ACK clusters. Alibaba Cloud Linux 2 was certified by CIS on August 16, 2019. Then, CIS released CIS Aliyun Linux 2 Benchmark version 1.0.0. For more information, see CIS Aliyun Linux 2 Benchmark version 1.0.0.

You can enhance the OS security of all nodes in an ACK cluster. For more information, see CIS reinforcement.
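The CIS reinforcement referenced above is applied by the ACK tooling; the following is an added example (not code from this documentation or from the CIS benchmark tooling) of the kind of periodic check a node-level baseline audit performs. It compares the mode and owner of a few sensitive files against a most-permissive-acceptable mode. The three entries are typical file-permission items from CIS Linux distribution benchmarks; the exact paths, modes and owners are assumptions chosen for illustration, not text from the CIS Aliyun Linux 2 Benchmark.

```python
import os
import pwd
import stat

# Assumed expectations for illustration: (path, most permissive acceptable mode, expected owner).
# The real CIS benchmark for your OS image is the authority on which files and modes apply.
EXPECTATIONS = [
    ("/etc/passwd", 0o644, "root"),
    ("/etc/shadow", 0o640, "root"),
    ("/etc/ssh/sshd_config", 0o600, "root"),
]


def mode_is_restrictive(actual_mode, max_mode):
    """True when actual_mode grants no permission bit (including setuid/setgid/sticky)
    that max_mode withholds, i.e. the file is "max_mode or more restrictive"."""
    perm = actual_mode & 0o7777
    return (perm & ~max_mode) == 0


def evaluate(path, actual_mode, actual_owner, max_mode, expected_owner):
    """Pure comparison of an observed (mode, owner) against the expectation.
    Returns a list of human-readable findings; an empty list means compliant."""
    findings = []
    if not mode_is_restrictive(actual_mode, max_mode):
        findings.append(
            f"{path}: mode {oct(actual_mode & 0o7777)} is more permissive than {oct(max_mode)}"
        )
    if actual_owner != expected_owner:
        findings.append(f"{path}: owner {actual_owner!r}, expected {expected_owner!r}")
    return findings


def check_file(path, max_mode, expected_owner):
    """Read the file's mode and owner from the filesystem and evaluate it.
    A missing file is reported as a finding so that the audit does not silently pass."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: file is missing"]
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)  # uid with no passwd entry; still compared by name
    return evaluate(path, stat.S_IMODE(st.st_mode), owner, max_mode, expected_owner)


def audit(expectations=EXPECTATIONS):
    """Run every expectation and collect all findings."""
    findings = []
    for path, max_mode, owner in expectations:
        findings.extend(check_file(path, max_mode, owner))
    return findings


if __name__ == "__main__":
    results = audit()
    for finding in results:
        print("FAIL", finding)
    print("compliant" if not results else f"{len(results)} finding(s)")
```

Run it as root on a node to see the findings for that host; the pure `evaluate` function keeps the comparison logic separate from filesystem access, so it can be exercised with constructed values in a test or reused against data gathered from many nodes.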

Alibaba Cloud issued baselines for classified protection of OS security based on Information security technology - Baseline for classified protection of cybersecurity (GB/T 22239-2019), issued by the State Market Regulatory Administration and the Standardization Administration of the PRC. These baselines help ensure the security of Alibaba Cloud Linux.

You can use the following security reinforcement configurations to ensure that your ACK clusters comply with the required baselines:
  • Identity authentication
  • Access control
  • Security audit
  • Intrusion prevention
  • Protection against malicious code execution

Use Alibaba Cloud Security Center to protect your ACK clusters

The following features of Alibaba Cloud Security Center can help ensure that the default configurations of the nodes in an ACK cluster are secure:
  • Vulnerability patching: detects common vulnerabilities and allows you to patch the vulnerabilities with a few clicks. You can view detected vulnerabilities or manually run scan tasks on the Vulnerabilities page. This feature helps you identify vulnerabilities and potential risks in your assets.
  • Baseline check: checks the configurations of server operating systems, databases, software, and containers, generates reports, and provides security suggestions. The baseline check feature reinforces the security of your assets and reduces the risk of intrusions, helping your assets comply with the baselines for classified protection.
  • Cloud service configuration check: checks the configurations of cloud services based on identity authentication and permissions, network access control, data security, log audit, monitoring and alerting, and basic security. Security Center also provides suggestions on how to mitigate the detected risks.
  • Container image scan: detects and identifies high-risk system vulnerabilities, application vulnerabilities, malicious samples, configuration risks, and sensitive data in container images. Security Center also provides suggestions on how to handle these issues. Security Center simplifies how you can patch vulnerabilities for container images.

Limit access to nodes in an ACK cluster

If you want to access a remote node, you can log on to the Container Service for Kubernetes (ACK) console and use Workbench or Virtual Network Computing (VNC) to access the node over the internal network. In this scenario, you do not need to associate an elastic IP address (EIP) with the node. If you want to access the node over the Internet, you must add access control list (ACL) rules to the security group of the ACK cluster to limit which sources can reach the node.

To further limit access to the node, modify the security group so that only the ports of the node that must be exposed to the Internet are reachable.
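As an added example (not code from this documentation or from the ACK or ECS tooling), the following script reviews a set of security group rules and reports every management port that an ingress rule exposes to the whole Internet. The sample rules are constructed; their field names (Direction, IpProtocol, PortRange, SourceCidrIp, Policy, Priority) follow the Permission entries returned by the ECS DescribeSecurityGroupAttribute API to the best of my knowledge, and the set of management ports is an assumption chosen for illustration.

```python
import ipaddress

# Constructed sample rules (values are made up; the shape follows the ECS API's Permission entries).
SAMPLE_RULES = [
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "22/22",
     "SourceCidrIp": "0.0.0.0/0", "Policy": "Accept", "Priority": 1},
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "22/22",
     "SourceCidrIp": "203.0.113.0/24", "Policy": "Accept", "Priority": 1},
    {"Direction": "ingress", "IpProtocol": "ALL", "PortRange": "-1/-1",
     "SourceCidrIp": "10.0.0.0/8", "Policy": "Accept", "Priority": 100},
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "1/65535",
     "SourceCidrIp": "0.0.0.0/0", "Policy": "Accept", "Priority": 1},
    {"Direction": "egress", "IpProtocol": "ALL", "PortRange": "-1/-1",
     "DestCidrIp": "0.0.0.0/0", "Policy": "Accept", "Priority": 1},
]

# Assumed list of ports that should never be reachable from arbitrary Internet sources.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 10250: "kubelet"}


def parse_port_range(port_range):
    """Turn the API's "lo/hi" string into a (lo, hi) tuple; "-1/-1" means all ports."""
    lo, hi = (int(part) for part in port_range.split("/"))
    if lo == -1:
        return 1, 65535
    return lo, hi


def is_unrestricted(cidr):
    """True for 0.0.0.0/0 or ::/0. An empty or non-CIDR source (for example a rule
    whose source is another security group) is treated as restricted."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def find_exposed_ports(rules, ports=MANAGEMENT_PORTS):
    """Return one finding per (rule, management port) where an ingress Accept rule
    admits traffic from any Internet source to that port."""
    findings = []
    for rule in rules:
        if rule.get("Direction") != "ingress" or rule.get("Policy") != "Accept":
            continue
        source = rule.get("SourceCidrIp") or rule.get("Ipv6SourceCidrIp") or ""
        if not is_unrestricted(source):
            continue
        lo, hi = parse_port_range(rule.get("PortRange", "-1/-1"))
        if rule.get("IpProtocol", "").upper() == "ALL":
            lo, hi = 1, 65535  # protocol ALL ignores the port range
        for port, service in ports.items():
            if lo <= port <= hi:
                findings.append({
                    "port": port,
                    "service": service,
                    "source": source,
                    "port_range": rule.get("PortRange"),
                    "priority": rule.get("Priority"),
                })
    return findings


if __name__ == "__main__":
    for f in find_exposed_ports(SAMPLE_RULES):
        print(f"EXPOSED {f['service']} (port {f['port']}) from {f['source']} "
              f"via range {f['port_range']} priority {f['priority']}")
```

In the sample, the second rule (SSH from a single /24) is not reported, while the first rule and the wide 1/65535 rule are; the remediation the page describes is to replace such rules with ones scoped to the ports and source ranges that actually need Internet reachability, or to avoid an EIP entirely and use Workbench or VNC over the internal network.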

Comply with the best practices to ensure ECS instance security

By default, Elastic Compute Service (ECS) instances that host the nodes of an ACK cluster run Alibaba Cloud Linux 2. For more information about how to reinforce the security of ECS instances, see Best practices for security.