
Security Center:FAQ about container protection

Last Updated:Jan 03, 2025

This topic provides answers to some frequently asked questions about container protection.

My Security Center runs the Enterprise edition. Can I use the container microsegmentation feature?

No, you cannot use the container microsegmentation feature. Only the Ultimate edition of Security Center supports this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.

Do I need to pay for the container microsegmentation feature?

No, you do not need to pay for the container microsegmentation feature. After you purchase the Ultimate edition of Security Center, you can use the container microsegmentation feature free of charge.

After I upgrade Security Center to the Ultimate edition, does Security Center protect only containers?

No, the Ultimate edition of Security Center can protect both containers and Elastic Compute Service (ECS) instances.

What detection mechanisms are provided by Security Center to ensure container security in runtime?

Security Center fully leverages cloud-native capabilities to provide the following detection mechanisms for container images to reduce risks such as intrusion into containers and tampering.


Image security

  • The container image scan feature provided for images that are added to Security Center

    The container image scan feature provides comprehensive security check and management capabilities for images that are added to Security Center. Supported images include those stored in Container Registry Enterprise Edition and in Harbor and Quay image repositories. You can use the feature to detect image risks such as high-risk system vulnerabilities, application vulnerabilities, malicious samples, configuration risks, sensitive files, and risks in image build commands. The feature also provides solutions to fix the detected image risks. For more information, see Create a Container Registry Enterprise Edition instance, Add image repositories to Security Center, and Overview of container image scan.

  • The CI/CD-based container image scan feature provided for images that are not added to Security Center

    The CI/CD-based container image scan feature scans images by using the CI/CD plug-in. To use the feature, you only need to install the CI/CD plug-in on Jenkins or GitHub, which allows Security Center to detect image risks during the project build stage on Jenkins and GitHub. The image risks include high-risk system vulnerabilities, application vulnerabilities, viruses, webshells, execution of malicious scripts, configuration risks, and sensitive data. The feature also provides solutions to fix the detected image risks.

    To view image risks that are detected by the CI/CD-based container image scan feature, go to the Image tab of the Container page, set the Image Type search condition to CI/CD, and then enter the ID or tag of the required image in the search box. You can also handle detected risks based on the risk details and fixing suggestions.

    For more information, see Overview of CI/CD-based container image scan.

  • Rules of the at-risk image blocking type

    You can create a rule of the At-risk Image Blocking type for a cluster. After you create a rule, when you use images specified in the rule to create resources in the cluster, a request is sent to Security Center to check the images for the following risks: malicious Internet images, unscanned images, malicious samples, baseline risks, vulnerabilities, sensitive files, and risks of image build commands. If an image hits the rule, Security Center handles the image based on the action that is specified in the rule. The action can be Alert, Block, or Allow. This ensures that only images that meet your security requirements can be started in your cluster.

    For more information, see Use the feature of proactive defense for containers.
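The following is an added, simplified model of how an At-risk Image Blocking rule is evaluated at resource-creation time; it is illustrative code written for this page, not Security Center's implementation. It assumes that "unscanned images" means images with no scan record, that "malicious Internet images" can be approximated by a trusted-registry check (an assumption made here for illustration), and that rules are matched in list order with the first hit deciding the action.

```python
"""Illustrative evaluation of an At-risk Image Blocking rule (not Security Center code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Risk categories named on the page for the At-risk Image Blocking rule type.
RISK_CATEGORIES = {
    "malicious_internet_image", "unscanned_image", "malicious_sample",
    "baseline_risk", "vulnerability", "sensitive_file", "build_command_risk",
}


@dataclass
class ImageScanRecord:
    image: str
    findings: set = field(default_factory=set)  # subset of RISK_CATEGORIES


@dataclass
class BlockingRule:
    image_patterns: list   # glob patterns of images the rule applies to
    risk_categories: set   # categories that count as a hit for this rule
    action: str            # "Alert", "Block", or "Allow"


def detect_risks(image, scan_records, trusted_registries):
    """Derive the risk categories of an image: scan findings, plus the two
    categories that depend on provenance rather than on scan content."""
    risks = set()
    # Assumption: the registry is the first path component; no "/" means Docker Hub.
    registry = image.split("/")[0] if "/" in image else "docker.io"
    if registry not in trusted_registries:
        risks.add("malicious_internet_image")  # assumption: untrusted source treated as Internet image
    record = scan_records.get(image)
    if record is None:
        risks.add("unscanned_image")  # no scan record at all
    else:
        risks |= record.findings & RISK_CATEGORIES
    return risks


def evaluate(image, rules, scan_records, trusted_registries):
    """Return (action, hit_risks). The first rule whose image pattern matches and
    whose risk categories intersect the image's risks decides; an image that hits
    no rule is not acted on (returned here as "Allow")."""
    risks = detect_risks(image, scan_records, trusted_registries)
    for rule in rules:
        if not any(fnmatch(image, p) for p in rule.image_patterns):
            continue
        hit = risks & rule.risk_categories
        if hit:
            return rule.action, hit
    return "Allow", set()


# Constructed sample data: a private registry with two scanned images, and two rules.
TRUSTED_REGISTRIES = {"registry.example.internal"}
SCAN_RECORDS = {
    "registry.example.internal/app/web:1.0": ImageScanRecord(
        "registry.example.internal/app/web:1.0", {"vulnerability"}),
    "registry.example.internal/app/api:2.0": ImageScanRecord(
        "registry.example.internal/app/api:2.0", set()),
}
RULES = [
    BlockingRule(["registry.example.internal/*"], {"vulnerability", "malicious_sample"}, "Block"),
    BlockingRule(["*"], {"unscanned_image", "malicious_internet_image"}, "Alert"),
]

if __name__ == "__main__":
    for img in ("registry.example.internal/app/web:1.0",
                "docker.io/library/busybox:latest",
                "registry.example.internal/app/api:2.0"):
        print(img, evaluate(img, RULES, SCAN_RECORDS, TRUSTED_REGISTRIES))
```

Running the sample blocks the web image because its scan found a vulnerability, raises an alert for the unscanned Docker Hub image, and leaves the clean api image untouched; in a real cluster the same decision would be taken at admission time, before the container starts.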

Container security

  • The container runtime image scan feature

    The container runtime image scan feature can be used to detect security risks during container runtime. The security risks include system vulnerabilities, application vulnerabilities, baseline risks, malicious samples, and sensitive files. The feature also provides solutions to fix detected image system vulnerabilities.

    For more information, see Scan images.

  • Rules supported by the proactive defense for containers feature

    The proactive defense for containers feature proactively detects risks when your containers start or run from the following dimensions: container security, runtime security, and running environment security. You can configure rules to stop untrusted processes and block container escapes. This helps improve the overall runtime security of your containers.

    • Non-image Program Defense

      If a program that is not included in the container image is started while the container runs, the startup is considered abnormal behavior. It may be caused by malicious software, such as trojans, that attackers have implanted in the container.

      After you create a rule of the Non-image Program Defense type, Security Center detects and blocks the startup of programs that are not included in the images of specified clusters in the rule. This helps defend against malicious software intrusion and known and unknown attacks.

    • Container Escape Prevention

      A container shares the kernel of the operating system that runs on its host. As a result, attackers can exploit vulnerabilities in the container to escalate privileges and take control of the host operating system or of other containers on the same host. Security Center provides the container escape prevention feature, which blocks container escapes to ensure the runtime security of containers. To use the feature, you must configure rules of the Container Escape Prevention type.

    For more information, see Use the feature of proactive defense for containers.
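The Non-image Program Defense item above describes a detection idea that is easy to reason about in code: a program is trusted only if it is part of the image the container was started from. The following added example (written for this page, not Security Center's implementation) models that check. It assumes an image manifest of executable paths and their SHA-256 digests, as an image scan could record, and process-start events carrying the executable's path and bytes; all sample data is constructed.

```python
"""Illustrative non-image program detection (not Security Center code)."""
import hashlib
from dataclasses import dataclass


@dataclass
class ExecEvent:
    container_id: str
    image: str
    exe_path: str
    exe_bytes: bytes  # contents of the started binary, as read from the container fs (constructed)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(image_files: dict) -> dict:
    """image_files maps path -> file bytes; returns path -> sha256, i.e. what a
    scan of the image layers would record for each executable."""
    return {path: sha256(content) for path, content in image_files.items()}


def classify(event: ExecEvent, manifests: dict) -> str:
    """Classify a process start against the manifest of the container's image."""
    manifest = manifests.get(event.image)
    if manifest is None:
        return "unknown_image"            # image never scanned: cannot vouch for anything
    expected = manifest.get(event.exe_path)
    if expected is None:
        return "non_image_program"        # binary was not shipped in the image at all
    if expected != sha256(event.exe_bytes):
        return "modified_image_program"   # path exists in the image but the content changed
    return "image_program"


def evaluate_events(events, manifests, mode="block"):
    """Return (container_id, exe_path, verdict, action) for each event.
    mode is the rule action applied to anything that is not an image program."""
    results = []
    for event in events:
        verdict = classify(event, manifests)
        action = "allow" if verdict == "image_program" else mode
        results.append((event.container_id, event.exe_path, verdict, action))
    return results


# Constructed sample: one scanned image with two executables.
WEB_IMAGE = "registry.example.internal/app/web:1.0"
MANIFESTS = {
    WEB_IMAGE: build_manifest({
        "/usr/sbin/nginx": b"ELF nginx stub",
        "/bin/sh": b"ELF sh stub",
    }),
}

# Constructed process-start events: a normal start, a binary dropped into /tmp,
# and a start of /bin/sh whose content no longer matches the image.
EVENTS = [
    ExecEvent("c1", WEB_IMAGE, "/usr/sbin/nginx", b"ELF nginx stub"),
    ExecEvent("c1", WEB_IMAGE, "/tmp/.x", b"ELF unknown payload"),
    ExecEvent("c2", WEB_IMAGE, "/bin/sh", b"ELF sh stub (replaced)"),
]

if __name__ == "__main__":
    for row in evaluate_events(EVENTS, MANIFESTS):
        print(row)
```

The digest comparison is what makes the check useful beyond a path allowlist: a binary written over an existing path in the container's writable layer keeps its name but not its hash, and is reported as modified rather than silently trusted.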

  • The container file protection feature

    The container file protection feature can monitor directories and files in containers in real time, and generate alerts or block tampering operations when the directories or files are tampered with. This ensures the security of the container environment.

    For more information, see Use the container file protection feature.

  • Blocking of abnormal access to containers

    In the container microsegmentation module, network objects are used to identify container applications. The information about a network object includes the namespace to which a container application belongs, the name of the container application, the image of the container application, and the labels of the container application. You can create a defense rule to control traffic from a source network object to a destination network object. If attackers exploit vulnerabilities or malicious images to intrude into clusters, the container microsegmentation feature generates alerts or blocks attacks on containers.

    For more information, see Container microsegmentation feature.

  • Deployment of trusted containers

    Security Center signs trusted container images and verifies the signatures to ensure that only trusted images are deployed. This prevents unauthorized container images from being started and improves the security of assets.

    For more information, see Use the container signature feature.

  • Baseline checks on containers

    Security Center performs security checks on the baseline configurations of containers against the Alibaba Cloud standard of best practices for Kubernetes Node and Master. Security Center also generates alerts for the detected risks.

    For more information, see Baseline check.

Security of servers on which containers run

Security Center provides the host protection module. For more information, see Functions and features.

How do I use the container microsegmentation feature to control business traffic in a container environment?

The Ultimate edition of Security Center provides the container microsegmentation feature. In the container microsegmentation module, network objects are used to identify container applications. The information about a network object includes the namespace to which a container application belongs, the name of the container application, the image of the container application, and the labels of the container application. You can create a defense rule to protect a cluster based on network objects. The defense rule can detect, block, and generate alerts for unusual traffic that is destined for the cluster. You can use the container microsegmentation feature to control access traffic in container environments for network isolation.

Important
  • A cluster defense rule can be enabled by using the AliNet plug-in. The AliNet plug-in is used to block suspicious network connections, Domain Name System (DNS) hijacking, and brute-force attacks. Before you use the container microsegmentation feature, make sure that your cluster nodes run an operating system whose kernel version is supported by the AliNet plug-in. If your cluster nodes run an operating system whose kernel version is not supported by the AliNet plug-in, the defense rule that you create for your cluster does not take effect. For more information about the supported operating systems and kernel versions, see Supported operating system versions.

  • To use the container microsegmentation feature, turn on Malicious Network Behavior Prevention. For more information, see Use proactive defense.

  1. Perform the following operations to configure and enable a defense rule for the cluster that is connected to Security Center.

    1. Create a network object.

    2. Create a defense rule.

    3. Enable the defense rule for the cluster.

      The defense status of the cluster can be managed, and the defense rule that is created for the cluster can take effect only when the interceptable status of the cluster is normal. If the interceptable status is abnormal, you must troubleshoot the issue. For more information, see Troubleshoot the issues that cause the abnormal interceptable status of a cluster.

  2. After you connect a cluster to Security Center and access traffic is generated for the cluster, the defense rules created for the cluster take effect in sequence based on the priorities that you specify. When a defense rule is hit, Security Center blocks or generates alerts for unusual traffic. If a defense rule is hit and the action specified in the rule is Passed, or no defense rule is hit, Security Center allows the traffic.

    If the action specified in the rule is Alert or Block, Security Center generates alerts. For more information, see View details on the Protection Status tab.
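The rule semantics described in this answer (network objects identified by namespace, application name, image and labels; defense rules from a source object to a destination object; priority-ordered evaluation; Alert and Block both raising alerts; Passed or no hit allowing the traffic) can be modelled directly. The following added example is illustrative code written for this page, not Security Center's rule engine. It assumes that a lower priority value is evaluated first, that an unset attribute in a network object matches any workload, and that labels match when the object's labels are a subset of the workload's; the workloads and rules are constructed.

```python
"""Illustrative container microsegmentation rule evaluation (not Security Center code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Workload:
    """A running container application, as seen by the rule engine."""
    namespace: str
    app: str
    image: str
    labels: dict = field(default_factory=dict)


@dataclass
class NetworkObject:
    """Identifies container applications; None means "any" for that attribute."""
    namespace: Optional[str] = None
    app: Optional[str] = None
    image: Optional[str] = None
    labels: dict = field(default_factory=dict)

    def matches(self, w: Workload) -> bool:
        if self.namespace is not None and self.namespace != w.namespace:
            return False
        if self.app is not None and self.app != w.app:
            return False
        if self.image is not None and self.image != w.image:
            return False
        # Assumption: every label on the object must be present with the same value.
        return all(w.labels.get(k) == v for k, v in self.labels.items())


@dataclass
class DefenseRule:
    name: str
    priority: int            # assumption: lower value is evaluated first
    source: NetworkObject
    destination: NetworkObject
    action: str              # "Block", "Alert", or "Passed"


def evaluate_flow(src: Workload, dst: Workload, rules) -> dict:
    """Evaluate rules in priority order; the first rule hit decides.
    Block and Alert both generate an alert; Passed or no hit allows the traffic."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.source.matches(src) and rule.destination.matches(dst):
            return {
                "rule": rule.name,
                "action": rule.action,
                "blocked": rule.action == "Block",
                "alert": rule.action in ("Block", "Alert"),
            }
    return {"rule": None, "action": "default-allow", "blocked": False, "alert": False}


# Constructed workloads: a web frontend, a payment service, and a debug pod.
FRONTEND = Workload("web", "frontend", "registry.example.internal/app/web:1.0", {"tier": "web"})
PAYMENT = Workload("payment", "payment-api", "registry.example.internal/app/pay:3.2", {"tier": "backend"})
DEBUG_POD = Workload("default", "debug", "docker.io/library/busybox:latest", {"tier": "debug"})

# Constructed rules: allow the frontend into payment, block everything else that targets it.
RULES = [
    DefenseRule("allow-frontend-to-payment", 10,
                NetworkObject(namespace="web", app="frontend"),
                NetworkObject(namespace="payment"), "Passed"),
    DefenseRule("deny-all-to-payment", 20,
                NetworkObject(),
                NetworkObject(namespace="payment"), "Block"),
    DefenseRule("watch-debug-egress", 30,
                NetworkObject(labels={"tier": "debug"}),
                NetworkObject(), "Alert"),
]

if __name__ == "__main__":
    print(evaluate_flow(FRONTEND, PAYMENT, RULES))
    print(evaluate_flow(DEBUG_POD, PAYMENT, RULES))
    print(evaluate_flow(DEBUG_POD, FRONTEND, RULES))
    print(evaluate_flow(PAYMENT, FRONTEND, RULES))
```

Because the engine stops at the first hit, the order of priorities carries the policy: the Passed rule for the frontend must sit above the catch-all Block rule, otherwise legitimate frontend traffic into the payment namespace would be blocked and alerted on.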