What is the container firewall feature? - Security Center

Security Center provides the container firewall feature. The feature delivers firewall capabilities to protect containers. If attackers exploit vulnerabilities or malicious images to intrude into clusters, the container firewall feature generates alerts or blocks attacks on containers.

Limits

Only the Ultimate edition of Security Center supports this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.

How container firewall works

In the container firewall module, network objects are used to identify container applications. The information about a network object includes the namespace to which a container application belongs, the name of the container application, the image of the container application, and the labels of the container application. You can create a defense rule to protect a cluster based on network objects. The defense rule can detect and block unusual traffic that is destined for the cluster. For more information about how to configure and use the container firewall feature, see Create a network object, Create a defense rule, Manage the defense status and defense rules of a cluster, and View details on the Protection status tab.

Supported operating system versions

A cluster defense rule can be enabled based on the AliNet plug-in. The AliNet plug-in is used to block malicious network behavior such as suspicious network connections, Domain Name System (DNS) hijacking, and brute-force attacks. Before you use the container firewall feature, make sure that your cluster nodes run an operating system whose kernel version is supported by the AliNet plug-in. If your cluster nodes run an operating system whose kernel version is not supported by the AliNet plug-in, the defense rule that you create for your cluster does not take effect. The following table describes the versions and kernel versions of the operating systems that are supported by the container firewall feature.

Operating system	Kernel version
CentOS	3.10.0 series 3.10.0-123.9.3.el7.x86_64 3.10.0-229.el7.x86_64 3.10.0-229.14.1.el7.x86_64 3.10.0-327.el7.x86_64 3.10.0-327.10.1.el7.x86_64 3.10.0-327.13.1.el7.x86_64 3.10.0-327.18.2.el7.x86_64 3.10.0-327.22.2.el7.x86_64 3.10.0-327.36.3.el7.x86_64 3.10.0-514.el7.x86_64 3.10.0-514.2.2.el7.x86_64 3.10.0-514.6.1.el7.x86_64 3.10.0-514.6.2.el7.x86_64 3.10.0-514.10.2.el7.x86_64 3.10.0-514.16.1.el7.x86_64 3.10.0-514.21.1.el7.x86_64 3.10.0-514.21.2.el7.x86_64 3.10.0-514.26.2.el7.x86_64 3.10.0-693.el7.x86_64 3.10.0-693.2.2.el7.x86_64 3.10.0-693.5.2.el7.x86_64 3.10.0-693.11.1.el7.x86_64 3.10.0-693.11.6.el7.x86_64 3.10.0-693.17.1.el7.x86_64 3.10.0-693.21.1.el7.x86_64 3.10.0-862.el7.x86_64 3.10.0-862.2.3.el7.x86_64 3.10.0-862.3.2.el7.x86_64 3.10.0-862.3.3.el7.x86_64 3.10.0-862.6.3.el7.x86_64 3.10.0-862.9.1.el7.x86_64 3.10.0-862.11.6.el7.x86_64 3.10.0-862.14.4.el7.x86_64 3.10.0-957.el7.x86_64 3.10.0-957.1.3.el7.x86_64 3.10.0-957.5.1.el7.x86_64 3.10.0-957.10.1.el7.x86_64 3.10.0-957.12.1.el7.x86_64 3.10.0-957.12.2.el7.x86_64 3.10.0-957.21.2.el7.x86_64 3.10.0-957.21.3.el7.x86_64 3.10.0-957.27.2.el7.x86_64 3.10.0-1062.el7.x86_64 3.10.0-1062.1.1.el7.x86_64 3.10.0-1062.1.2.el7.x86_64 3.10.0-1062.4.1.el7.x86_64 3.10.0-1062.4.2.el7.x86_64 3.10.0-1062.4.3.el7.x86_64 3.10.0-1062.7.1.el7.x86_64 3.10.0-1062.9.1.el7.x86_64 3.10.0-1062.12.1.el7.x86_64 3.10.0-1062.18.1.el7.x86_64 3.10.0-1127.el7.x86_64 3.10.0-1127.8.2.el7.x86_64 3.10.0-1127.10.1.el7.x86_64 3.10.0-1127.13.1.el7.x86_64 3.10.0-1127.18.2.el7.x86_64 3.10.0-1127.19.1.el7.x86_64 3.10.0-1160.el7.x86_64 3.10.0-1160.2.2.el7.x86_64 3.10.0-1160.6.1.el7.x86_64 3.10.0-1160.11.1.el7.x86_64 3.10.0-1160.15.2.el7.x86_64 3.10.0-1160.21.1.el7.x86_64 3.10.0-1160.24.1.el7.x86_64 3.10.0-1160.25.1.el7.x86_64 3.10.0-1160.31.1.el7.x86_64 3.10.0-1160.36.2.el7.x86_64 3.10.0-1160.41.1.el7.x86_64 3.10.0-1160.42.2.el7.x86_64 3.10.0-1160.45.1.el7.x86_64 3.10.0-1160.49.1.el7.x86_64 3.10.0-1160.53.1.el7.x86_64 3.10.0-1160.59.1.el7.x86_64 3.10.0-1160.62.1.el7.x86_64 3.10.0-1160.66.1.el7.x86_64 3.10.0-1160.71.1.el7.x86_64 3.10.0-1160.76.1.el7.x86_64 3.10.0-1160.80.1.el7.x86_64 3.10.0-1160.81.1.el7.x86_64 3.10.0-1160.83.1.el7.x86_64 3.10.0-1160.88.1.el7.x86_64 4.19.X series 4.19.12-1.el7.elrepo.x86_64 4.19.94-300.el7.x86_64 4.19.104-300.el7.x86_64 4.19.113-300.el7.x86_64
Alibaba Cloud Linux (64-bit)	3.10.0 series 3.10.0-957.27.2.al7.1.x86_64 3.10.0-1062.12.1.al7.1.x86_64 3.10.0-1062.4.1.al7.1.x86_64 3.10.0-1160.al7.1.x86_64 3.10.0-1127.8.2.al7.1.x86_64 3.10.0-1127.13.1.al7.1.x86_64 3.10.0-1127.19.1.al7.1.x86_64 4.19.X series 4.19.24-7.al7.x86_64 4.19.24-7.14.al7.x86_64 4.19.43-13.2.al7.x86_64 4.19.57-15.1.al7.x86_64 4.19.81-17.al7.x86_64 4.19.81-17.2.al7.x86_64 4.19.91-18.al7.x86_64 4.19.91-19.1.al7.x86_64 4.19.91-19.2.al7.x86_64 4.19.91-21.al7.x86_64 4.19.91-21.2.al7.x86_64 4.19.91-22.al7.x86_64 4.19.91-22.2.al7.x86_64 4.19.91-23.al7.x86_64 4.19.91-23.1.al7.x86_64 4.19.91-24.al7.x86_64 4.19.91-24.1.al7.x86_64 4.19.91-25.al7.x86_64 4.19.91-25.1.al7.x86_64 4.19.91-25.3.al7.x86_64 4.19.91-25.6.al7.x86_64 4.19.91-25.7.al7.x86_64 4.19.91-25.8.al7.x86_64 4.19.91-26.al7.x86_64 4.19.91-26.1.al7.x86_64 4.19.91-26.2.al7.x86_64 4.19.91-26.3.al7.x86_64 4.19.91-26.4.al7.x86_64 4.19.91-26.5.al7.x86_64 4.19.91-26.6.al7.x86_64 4.19.91-27.al7.x86_64 4.19.91-27.1.al7.x86_64