Container microsegmentation lets you control traffic between groups of Pods by pairing a source network object with a destination network object, then applying a defense rule. This topic explains how to create a network object.
Limitations
Only the Ultimate edition of Security Center supports container microsegmentation. To purchase or upgrade, see Purchase Security Center and Upgrade and downgrade Security Center.
Prerequisites
Before you begin, ensure that you have:
The Ultimate edition of Security Center
The malicious behavior defense feature enabled for your assets. For more information, see Use the proactive defense feature.
Create a network object
A network object defines a group of Pods that share the same namespace, application name, image, or tags. Tags are the key-value labels attached to a Pod in Kubernetes (K8s) and are the fundamental matching criteria for isolation rules; the application name is the value of the Pod label whose key is app. Define one network object for the traffic source and another for the destination before creating a defense rule. Keep each object as narrow as the rule needs: a defense rule applies to every Pod the object matches, so an object that selects more Pods than intended widens or weakens the rule in the same proportion.
Log on to the Security Center console. In the top navigation bar, select the region of the asset you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose Protection Configuration > Container Protection > Container Microsegmentation.
On the Container Microsegmentation page, click the Network Object tab.
Click Create Network Object.
In the Create Network Object panel, configure the following parameters.
Parameter, description, and example:
Object Name: A name for the network object. Example: frontend-pods
Namespace: The namespace the network object belongs to. Fuzzy match is supported, so a pattern such as a* selects every namespace whose name starts with a. Example: a*
Application Name: The application the network object belongs to, taken from the value of the Pod tag (label) whose key is app. Fuzzy match is supported. Example: a*
Image: The container image for the network object.
Tag: One or more Pod tags to match. Tags are the business attributes attached to a container after it launches in a Kubernetes (K8s) cluster and are the fundamental matching criteria for isolation rules.
Fuzzy patterns match every namespace or application name that fits the pattern, including ones you did not have in mind when writing the rule, so prefer exact names or tags unless the broad match is intended.
Click OK.
The network object appears on the Network Object tab.
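Before clicking OK it is worth previewing which Pods the criteria actually select, because every defense rule that references the object applies to exactly that set. The script below is an added example and not Security Center code. It assumes that "fuzzy match" behaves like shell-style glob matching (so a* selects any value starting with a), that Pod tags are the Pod's Kubernetes labels with Application Name taken from the label keyed app, and that Image and Tag criteria match exactly; the sample Pods and object names are constructed for the example.

```python
"""Preview which Pods a Security Center network object would select.

Added example; this is not Security Center code. Assumptions not stated on the
page: "fuzzy match" is treated as shell-style glob matching (fnmatchcase), so
"a*" selects any value beginning with "a"; Pod tags are the Pod's Kubernetes
labels and Application Name is the value of the label with key "app"; Image
and Tag criteria match exactly. The sample Pods are constructed for the example.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional


@dataclass
class NetworkObject:
    name: str
    namespace: Optional[str] = None   # fuzzy (glob) pattern, e.g. "a*"
    app: Optional[str] = None         # fuzzy (glob) pattern, checked against label "app"
    image: Optional[str] = None       # exact match
    tags: Dict[str, str] = field(default_factory=dict)  # every tag must match exactly


@dataclass
class Pod:
    name: str
    namespace: str
    image: str
    labels: Dict[str, str]


def matches(obj: NetworkObject, pod: Pod) -> bool:
    """Return True when every criterion set on the object is satisfied by the Pod.

    Criteria left as None are ignored; a Pod without an "app" label never
    satisfies an Application Name criterion.
    """
    if obj.namespace is not None and not fnmatchcase(pod.namespace, obj.namespace):
        return False
    if obj.app is not None and not fnmatchcase(pod.labels.get("app", ""), obj.app):
        return False
    if obj.image is not None and pod.image != obj.image:
        return False
    return all(pod.labels.get(k) == v for k, v in obj.tags.items())


def covered(obj: NetworkObject, pods: List[Pod]) -> List[str]:
    """Sorted "namespace/name" of every Pod the object would select."""
    return sorted(f"{p.namespace}/{p.name}" for p in pods if matches(obj, p))


def namespaces_covered(obj: NetworkObject, pods: List[Pod]) -> List[str]:
    """Distinct namespaces the object reaches. More than one usually means a
    fuzzy pattern is broader than intended and the rule will span workloads."""
    return sorted({p.namespace for p in pods if matches(obj, p)})


# Constructed sample inventory (not real cluster data).
IMG = "registry.example.com/shop/frontend:1.4.2"
SAMPLE_PODS = [
    Pod("frontend-1", "app-prod", IMG, {"app": "frontend", "tier": "web"}),
    Pod("frontend-2", "app-prod", IMG, {"app": "frontend", "tier": "web"}),
    Pod("api-1", "app-prod", "registry.example.com/shop/api:2.0.0",
        {"app": "api", "tier": "backend"}),
    Pod("frontend-canary", "audit", IMG, {"app": "frontend-canary", "tier": "web"}),
    Pod("coredns-1", "kube-system", "registry.k8s.io/coredns/coredns:v1.11.1",
        {"k8s-app": "kube-dns"}),
]

# Exact object: namespace, app label and a tier tag, as in the page's example name.
PRECISE = NetworkObject("frontend-pods", namespace="app-prod", app="frontend",
                        tags={"tier": "web"})
# Fuzzy object built from the page's "a*" style examples (hypothetical name).
BROAD = NetworkObject("frontend-fuzzy", namespace="a*", app="frontend*")

if __name__ == "__main__":
    for obj in (PRECISE, BROAD):
        print(obj.name, "->", covered(obj, SAMPLE_PODS),
              "namespaces:", namespaces_covered(obj, SAMPLE_PODS))
```

The precise object selects only the two production frontend Pods, while the fuzzy object also pulls in the canary Pod from the audit namespace; a rule written for the first set would silently apply to that Pod if the second object were used. Against a live cluster the same check is a label query, for example kubectl get pods -A -l app=frontend, run before the object is saved.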
Manage network objects
After a network object is created, you can manage it from the Network Object tab:
To update a network object, find it in the list and click Edit in the Actions column.
To delete a single network object, click Delete in the Actions column.
To delete multiple network objects at once, select them and click Batch delete below the list.
A network object that is referenced by a defense rule cannot be deleted; remove the reference from the rule, or delete the rule, before deleting the object. Editing an object that rules already reference changes the Pod set those rules apply to, so review the referencing rules after any edit.
What's next
After creating a source network object and a destination network object, create a defense rule to control traffic between them. The rule can allow, block, or generate alerts for unusual traffic from the source to the destination. For more information, see Create a defense rule.