Security Center provides the feature of proactive defense for containers. The feature allows you to detect risks on an image when you use the image to create resources in a cluster. The feature also allows you to create a container defense policy for a cluster. If an image hits the container defense policy, Security Center performs the action of the policy on the image that is started in the cluster. The action can be Block, Alert, or Allow. This ensures that the image does not affect your business. This topic describes how to use the feature of proactive defense for containers.

How proactive defense for containers works

After you create a container defense policy for a cluster, a request is sent to Security Center to detect image risks when you use an image to create resources such as pods in the cluster. Security Center detects risks on the image based on the container defense policy. The risks include vulnerabilities, baseline risks, and malicious samples. If the image hits the container defense policy, Security Center performs the action of the policy on the image, and an alert is generated for the risk detection result. The action can be Alert, Block, or Allow.

Limits

Only the Ultimate edition of Security Center supports this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.

Supported ACK clusters

The feature of proactive defense for containers supports the following Container Service for Kubernetes (ACK) clusters.

ACK cluster                        Supported
Managed Kubernetes cluster         Yes
Dedicated Kubernetes cluster       Yes
Serverless Kubernetes cluster      No
Managed edge Kubernetes cluster    No
Registered cluster                 No

Create container defense policies

Before you create a container defense policy, make sure that the policy-template-controller component for security policy management is installed in the ACK console. For more information, see Install policy-template-controller.

Note You can create up to 40 container defense policies for each cluster.
  1. Log on to the Security Center console. In the left-side navigation pane, choose Protection Configuration > Container Protection > Proactive Defense for Containers.
  2. Create a container defense policy.
    • If you use the feature of proactive defense for containers for the first time, click Create Policy on the Proactive Defense for Containers page.
    • If you have used the feature of proactive defense for containers before, select the name of the cluster on the left side of the Policy tab.
  3. Click Create Policy to go to the Create Policy panel. In the Create Policy panel, configure the parameters and click OK.

    If you created a container defense policy for the cluster, find the policy and click Copy in the Actions column to create another policy in a convenient manner. After you click Copy, the Copy Policy panel appears. In the Copy Policy panel, modify the parameters of the policy based on your business requirements and click OK.

    Parameter Description
    Policy Template Select a template to create the policy. You can select Blank template to create a policy based on your business requirements. You can also select an existing template with preconfigured risk detection settings.
    Unscanned Image Specify whether to allow the images that are not scanned by container image scan to start.
    Note If you turn on the switch, the images that you specify in the policy are scanned. If you turn on the switch, we recommend that you set Action to Alert. If you have high demands for security performance, you can change the action to Block. Before you change the action, we recommend that you observe the alerts that are generated based on the current policy and check whether your business is affected. If your business is not affected, you can change the action of the policy.
    Malicious Internet Image Specify whether to block the startup of malicious images that are spread over the Internet. Malicious images include malicious images that are downloaded from public image repositories and the images that are pulled from Docker Hub repositories and contain malicious programs such as webshells and trojans.
    Alert Policy Configure the alert policy for the following types of risks:
    • Baseline
    • Vulnerability
    • Malicious Sample
    You can configure alert policies for baseline risks, vulnerabilities, and malicious samples based on your business requirements.
    Notice
    • If an alert policy that is configured for a type of risk is matched, Security Center immediately handles the risks based on the action of the container defense policy. The remaining alert policies are no longer matched. Alert policies are matched against the following types of risks in sequence: malicious Internet images, unscanned images, malicious samples, baseline risks, and vulnerabilities.
    • The optional conditions of an alert policy are evaluated by using a logical OR. If you set Risk Level to High and specify CVE ID when you configure an alert policy for vulnerabilities, the alert policy is hit if the images that are started in the cluster contain high-risk vulnerabilities or if the images contain vulnerabilities with the specified CVE IDs.
    Policy Name Enter a name for the policy.
    Description Enter a description for the policy.
    Namespace Select the namespace in which images are started. You can select multiple namespaces.
    Image Select an image. You can select multiple images.
    Tag Select the tag of an image. You can select multiple tags.
    Action Specify the action of the container defense policy. Valid values:
    • Alert: If an image hits the policy, an alert is generated.
    • Block: If an image that hits the policy is being started, it is blocked.
    • Allow: If an image hits the policy, it is allowed.
    Add to Whitelist Enter the name of the image that you want to add to the whitelist. You can add up to 20 images to the whitelist.
    Fuzzy match is supported by using keywords. For example, if you want to add the image whose address is yundun-example-registry.cn-hangzhou.aliyuncs.com/yundun-example/yun-repo:test to the whitelist, you can enter one of the following keywords:
    • yun-repo
    • test
    • yun-repo:test
    • repo:test
    Notice After you add an image to the whitelist, Security Center does not detect risks on the image when the image is started. Proceed with caution.
    After the container defense policy is created, Security Center detects risks on the image that is specified in the policy based on the policy configurations when the image is started. The detection result is displayed as an alert in the alert list.

    You can modify or delete the created policies. You can click Edit or Delete in the Actions column of a created policy to modify or delete the policy.
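    The following Python model is an added example, not Security Center code or its API: it simulates how one container defense policy is evaluated against a constructed image scan result, using the matching sequence stated in the Alert Policy notice (first hit wins), the logical OR between the optional vulnerability conditions, and the keyword-substring whitelist match. All class and field names are assumptions made for the example.

```python
from dataclasses import dataclass

# Risk types in the order the policy description says they are matched; the first hit wins.
MATCH_ORDER = ("malicious_internet_image", "unscanned_image",
               "malicious_sample", "baseline", "vulnerability")

@dataclass
class ImageScan:               # constructed scan result for one image, not a real API object
    ref: str
    scanned: bool = True
    malicious_internet: bool = False
    malicious_samples: int = 0
    baseline_risks: int = 0
    vuln_levels: frozenset = frozenset()
    cve_ids: frozenset = frozenset()

@dataclass
class DefensePolicy:           # hypothetical model of one container defense policy
    action: str                # "Block", "Alert" or "Allow"
    check_unscanned: bool = False
    check_malicious_internet: bool = False
    check_malicious_sample: bool = False
    check_baseline: bool = False
    vuln_levels: frozenset = frozenset()   # e.g. {"high"}
    vuln_cves: frozenset = frozenset()     # e.g. {"CVE-0000-0000"} (placeholder id)
    whitelist: tuple = ()                  # keywords, substring-matched against the image address

def is_whitelisted(policy: DefensePolicy, ref: str) -> bool:
    # Fuzzy match: a keyword hits if it is a substring of the full image address.
    return any(kw in ref for kw in policy.whitelist)

def matched_risk(policy: DefensePolicy, scan: ImageScan):
    hits = {
        "malicious_internet_image": policy.check_malicious_internet and scan.malicious_internet,
        "unscanned_image": policy.check_unscanned and not scan.scanned,
        "malicious_sample": policy.check_malicious_sample and scan.malicious_samples > 0,
        "baseline": policy.check_baseline and scan.baseline_risks > 0,
        # The optional conditions of the vulnerability alert policy are ORed together.
        "vulnerability": bool(scan.vuln_levels & policy.vuln_levels)
                         or bool(scan.cve_ids & policy.vuln_cves),
    }
    return next((risk for risk in MATCH_ORDER if hits[risk]), None)

def evaluate(policy: DefensePolicy, scan: ImageScan):
    """Return (action, matched risk type). Whitelisted images are not checked at all."""
    if is_whitelisted(policy, scan.ref):
        return "Allow", None
    risk = matched_risk(policy, scan)
    return (policy.action if risk else "Allow"), risk
```

    Note that a whitelisted image returns "Allow" even when it carries malicious samples, which is the behaviour the Add to Whitelist notice warns about.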

View alerts

If an image that hits a container defense policy for a cluster is started in the cluster, an alert is generated. You can view the alert on the Alert tab of the Proactive Defense for Containers page.

  1. Log on to the Security Center console. In the left-side navigation pane, choose Protection Configuration > Container Protection > Proactive Defense for Containers.
  2. On the Alert tab, view alerts.
    The Alert tab displays the following sections: Defense Trend, Top 10 At-risk Clusters, and Alerts.
    • In the Defense Trend section, you can view the most recent defense trend of clusters for which you have created container defense policies in a trend chart.
    • In the Top 10 At-risk Clusters section, you can view the top 10 clusters whose container defense policies are most frequently hit.
    • In the Alerts section, you can view the details about alerts. The details include policy and image details.
      • In the alert list, click the name of an image in the Image column to go to the image details page. You can view and handle the risks that are detected on the image on the details page.
        Note The image details page is provided for an image only after the image is added to Security Center. For more information about how to add images to Security Center, see Add image repositories to Security Center.
      • In the alert list, find an image and click the icon in the Actions column. In the message that appears, you can view the details of the alert policy in the container defense policy that is used to detect image risks.
        Notice The message contains only the information about a risk that is detected on the image. If you want to start the image, you must handle other risks that are detected on the image. This ensures that no container defense policies are hit when the image is started the next time. For more information, see Handle alerts.
      • In the alert list, find a policy and click Change Policy in the Actions column to change the action of the policy.

Handle alerts

To ensure the runtime security of containers, we recommend that you view and handle the alerts in Security Center at the earliest opportunity.

  1. Log on to the Security Center console. In the left-side navigation pane, choose Protection Configuration > Container Protection > Proactive Defense for Containers.
  2. On the Proactive Defense for Containers page, click the Alert tab. On the Alert tab, find the image for which an alert is generated and click the image name in the Image column to go to the image details page.
    The image details page is provided for an image only after the image is added to Security Center. For more information about how to add images to Security Center, see Add image repositories to Security Center.
  3. On the image details page, handle the risks that are detected on the image.
    You can handle all risks on the following tabs: Image System Vul, Image Application Vul, Image Baseline Check, and Image Malicious Sample. The risks are detected based on the container defense policy of the cluster to which the image belongs. After the risks are handled, Security Center allows the startup of the image, and the existing containers that run in the cluster do not have security risks.