security-inspector - Release Notes| Alibaba Cloud Documentation Center

The security-inspector component is a key component for performing security inspections. This topic describes the features, usage notes, and release notes for security-inspector.

Introduction

You can use security-inspector to scan workload configurations based on multiple dimensions. This helps you better understand the security risks of your workloads. The following figure shows the architecture of security-inspector.

Usage notes

security-inspector provides the following inspection features:

security-inspector uses Polaris to perform security inspections. This allows you to identify security risks of workload configurations in your cluster in real time.

Note Polaris is an open source project that is used to identify security risks of workload configurations in a Kubernetes cluster. For more information, see Polaris.
security-inspector can scan workload configurations from various perspectives and provide reports that contain the following information: health checks, images, networks, resources, and security. This allows you to better understand the security risks of your applications in real time and reinforce your system based on the suggestions that are provided by the system. For more information, see Use the inspection feature to detect security risks in the workloads of an ACK cluster.

Release notes

April 2022


Version	Image address	Release date	Description	Impact
v0.8.1.0-g58d1a56-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.8.1.0-g58d1a56-aliyun	2022-04-11	The issue that automatic node draining fails due to the improper configurations of security-inspector is fixed. The issue that inspection reports are not displayed as normal when multiple clusters share the same log project is fixed.	No impact on workloads

February 2022


Version	Image address	Release date	Description	Impact
v0.8.0.0-gb0edd1d-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.8.0.0-gb0edd1d-aliyun	2022-02-15	The severity level of the `privilegeEscalationAllowed` inspection item is set to medium. Support for clusters of Kubernetes 1.16 is optimized and the issue caused by #84880 is fixed.	No impact on workloads

December 2021


Version	Image address	Release date	Description	Impact
v0.7.0.5-g8cc37b6-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.7.0.5-g8cc37b6-aliyun	2021-12-03	Kubernetes 1.22 is supported. security-inspector 0.7.0.5 and later versions support only clusters of Kubernetes 1.16 and later. The ARM64 architecture is supported.	No impact on workloads

September 2021


Version	Image address	Release date	Description	Impact
v0.6.0.4-gc12ad66-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.6.0.4-gc12ad66-aliyun	2021-09-20	Center for Internet Security (CIS) Kubernetes V1.20 Benchmark v1.0.0 is supported. For more information, see Safety patrol inspection. Case sensitivity is removed for the capabilitiesAdded inspection item. For more information, see Use the inspection feature to detect security risks in the workloads of an ACK cluster.	No impact on workloads

June 2021


Version	Image address	Release date	Description	Impact
v0.5.0.2-g5e33765-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.5.0.2-g5e33765-aliyun	2021-06-24	The issue that inspection reports are not displayed as normal when one Log Service project is shared among multiple clusters is fixed.	No impact on workloads

March 2021


Version	Image address	Release date	Description	Impact
v0.4.0.0-g541eb31-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.4.0.0-g541eb31-aliyun	2021-03-15	The CIS Kubernetes benchmark is supported. For more information, see Safety patrol inspection. The following Kubernetes events are added. You can find the events in event center of your cluster when a scan is triggered. SecurityInspectorConfigAuditStart: Configuration inspection is started. SecurityInspectorConfigAuditFinished: Configuration inspection is completed. SecurityInspectorConfigAuditHighRiskFound: High-risk configurations are found after configuration inspection is completed. SecurityInspectorBenchmarkStart: The benchmark check is started. SecurityInspectorBenchmarkFinished: The benchmark check is completed. SecurityInspectorBenchmarkFailedCheckFound: Failed inspection items are found after the benchmark check is completed.	No impact on workloads

January 2021


Version	Image address	Release date	Description	Impact
v0.3.0.2-gcb49252-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.3.0.2-gcb49252-aliyun	2021-01-05	Permissions of anonymous users can be scanned to identify risky role-based access control (RBAC) permissions that are granted to the users.	No impact on workloads

December 2020


Version	Image address	Release date	Description	Impact
v0.2.0.22-gd1fbaff-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.2.0.22-gd1fbaff-aliyun	2020-12-16	The CustomResourceDefinition (CRD) resource can be used to store the latest inspection results. Specified inspection items can be enabled or disabled based on your needs. The workload whitelist feature is supported.	No impact on workloads

July 2020


Version	Image address	Release date	Description	Impact
v0.1.0.3-g69f71f6-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.1.0.3-g69f71f6-aliyun	2020-07-06	Inspection tasks can be manually triggered to inspect the workloads in your cluster and generate inspection reports.	No impact on workloads