Security Center provides a container firewall feature that delivers firewall capabilities for containers. If attackers exploit vulnerabilities or use malicious images to intrude into a cluster, the container firewall generates alerts or blocks the attacks.
Limits
Only Security Center Ultimate supports this feature. If you do not use the Ultimate
edition, you must upgrade Security Center to the Ultimate edition before you can use
this feature. For more information about how to purchase and upgrade Security Center,
see Purchase Security Center and Upgrade and downgrade Security Center. For more information about the features that each edition supports, see Features.
How container firewall works
In the container firewall module, network objects identify container applications. A network object records the namespace to which a container application belongs, the name of the application, the image used to run it, and its labels. You create defense rules based on network objects to protect a cluster; a defense rule detects and blocks unusual traffic that is destined for the cluster. For more information about how to configure and use the container firewall feature, see Create a network object, Create a defense rule, Manage the defense status and defense rules of a cluster, and View details on the Protection status tab.
Supported operating system versions
A cluster defense rule relies on the AliNet plug-in to defend against malicious network behavior. The AliNet plug-in blocks suspicious network connections, Domain Name System (DNS) hijacking, and brute-force attacks. Before you use the container firewall feature, make sure that your cluster nodes run an operating system whose kernel version is supported by the AliNet plug-in. If the kernel version of a cluster node is not supported by the AliNet plug-in, the defense rule that you create for your cluster does not take effect on that node. The following table lists the operating system versions and kernel versions that the AliNet plug-in supports.
Operating system: 64-bit Ubuntu
Operating system versions:
- Ubuntu 14.04
- Ubuntu 16.04
- Ubuntu 18.04
- Ubuntu 20.04
Kernel versions:
- 3.13.0-32-generic
- 3.13.0-86-generic
- 4.4.0-104-generic
- 4.4.0-117-generic
- 4.4.0-124-generic
- 4.4.0-142-generic
- 4.4.0-146-generic
- 4.4.0-151-generic
- 4.4.0-170-generic
- 4.4.0-174-generic
- 4.4.0-179-generic
- 4.4.0-184-generic
- 4.4.0-185-generic
- 4.4.0-62-generic
- 4.4.0-63-generic
- 4.4.0-93-generic
- 4.4.0-96-generic
- 4.15.0-23-generic
- 4.15.0-42-generic
- 4.15.0-45-generic
- 4.15.0-52-generic
- 4.15.0-54-generic
- 4.15.0-72-generic
- 4.15.0-96-generic
- 4.15.0-109-generic
- 4.15.0-106-generic
- 4.15.0-111-generic
- 4.15.0-118-generic
- 4.15.0-1047-gcp
- 4.15.0-128-generic
- 5.4.0-31-generic
- 5.4.0-42-generic
- 5.4.0-47-generic
- 5.4.0-58-generic
- 5.4.0-73-generic

Operating system: 64-bit CentOS
Operating system versions:
- CentOS 6.5
- CentOS 6.6
- CentOS 6.7
- CentOS 6.8
- CentOS 6.9
- CentOS 6.10
- CentOS 7.0-1406
- CentOS 7.1-1503
- CentOS 7.2-1511
- CentOS 7.3-1611
- CentOS 7.4-1708
- CentOS 7.5-1804
- CentOS 7.6-1810
- CentOS 7.7-1908
- CentOS 7.8-2003
- CentOS 7.9-2009
- CentOS 8.0-1905
- CentOS 8.1-1911
- CentOS 8.2-2004
Kernel versions:
- 2.6.32-**, which indicates all the CentOS kernels whose version numbers start with 2.6.32
- 3.10.0-**, which indicates all the CentOS kernels whose version numbers start with 3.10.0
- 4.18.0-**, which indicates all the CentOS kernels whose versions are 4.18.0-240.15.1 or earlier
- 5.4.42-200.el7.x86_64

Operating system: 64-bit Alibaba Cloud Linux
Operating system version: Alibaba Cloud Linux 2.1903
Kernel versions:
- 3.10.0-1160.al7.1.x86_64
- 4.4.95-1.al7.x86_64
- 4.4.95-3.al7.x86_64
- 4.19.24-7.al7.x86_64
- 4.19.24-7.14.al7.x86_64
- 4.19.81-17.al7.x86_64
- 4.19.81-17.2.al7.x86_64
- 4.19.91-19.1.al7.x86_64
- 4.19.91-21.al7.x86_64
- 4.19.91-21.2.al7.x86_64
- 4.19.91-22.al7.x86_64
- 4.19.91-22.2.al7.x86_64
- 4.19.91-23.al7.x86_64
- 4.19.91-24.1.al7.x86_64
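Because a defense rule silently fails to take effect on a node whose kernel is not in the table, a pre-check across all nodes is worth scripting before you enable the rule. The following script is an added example, not Alibaba Cloud's or Security Center's own code. It takes the output of `uname -r` from each node together with the node's distribution, and reports the nodes whose kernel is absent from the table. The kernel strings are transcribed from the table above; the interpretation of the CentOS rows is an assumption made here: `2.6.32-**` and `3.10.0-**` are treated as prefix matches, and `4.18.0-**` as any 4.18.0 kernel whose release number is at most 240.15.1, as the table text says. The node inventory is constructed sample data.

```python
"""Pre-check: is each cluster node's kernel in the AliNet supported list?

Added example, not Security Center's own code. Collect `uname -r` from every
node (for example with your cluster's node-exec tooling), then feed the
(distro, kernel) pairs to unsupported_nodes().
"""

# Exact-match kernels transcribed from the table above.
UBUNTU_KERNELS = {
    "3.13.0-32-generic", "3.13.0-86-generic",
    "4.4.0-104-generic", "4.4.0-117-generic", "4.4.0-124-generic",
    "4.4.0-142-generic", "4.4.0-146-generic", "4.4.0-151-generic",
    "4.4.0-170-generic", "4.4.0-174-generic", "4.4.0-179-generic",
    "4.4.0-184-generic", "4.4.0-185-generic", "4.4.0-62-generic",
    "4.4.0-63-generic", "4.4.0-93-generic", "4.4.0-96-generic",
    "4.15.0-23-generic", "4.15.0-42-generic", "4.15.0-45-generic",
    "4.15.0-52-generic", "4.15.0-54-generic", "4.15.0-72-generic",
    "4.15.0-96-generic", "4.15.0-109-generic", "4.15.0-106-generic",
    "4.15.0-111-generic", "4.15.0-118-generic", "4.15.0-1047-gcp",
    "4.15.0-128-generic",
    "5.4.0-31-generic", "5.4.0-42-generic", "5.4.0-47-generic",
    "5.4.0-58-generic", "5.4.0-73-generic",
}
ALINUX_KERNELS = {
    "3.10.0-1160.al7.1.x86_64", "4.4.95-1.al7.x86_64", "4.4.95-3.al7.x86_64",
    "4.19.24-7.al7.x86_64", "4.19.24-7.14.al7.x86_64",
    "4.19.81-17.al7.x86_64", "4.19.81-17.2.al7.x86_64",
    "4.19.91-19.1.al7.x86_64", "4.19.91-21.al7.x86_64", "4.19.91-21.2.al7.x86_64",
    "4.19.91-22.al7.x86_64", "4.19.91-22.2.al7.x86_64", "4.19.91-23.al7.x86_64",
    "4.19.91-24.1.al7.x86_64",
}
CENTOS_EXACT = {"5.4.42-200.el7.x86_64"}
# Assumption: "**" rows are prefix matches; the 4.18.0 row is capped at the
# release number the table names (inclusive).
CENTOS_PREFIXES = ("2.6.32-", "3.10.0-")
CENTOS_BOUNDED = ("4.18.0-", "240.15.1")


def _release_numbers(release):
    """'240.15.1.el8_3.x86_64' -> (240, 15, 1): the leading dotted integers only,
    so that tuple comparison orders releases numerically."""
    nums = []
    for part in release.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def is_kernel_supported(kernel, distro):
    """Return True if `uname -r` output `kernel` appears in the table for
    `distro`, which is one of 'ubuntu', 'centos' or 'alinux'."""
    kernel = kernel.strip()
    if distro == "ubuntu":
        return kernel in UBUNTU_KERNELS
    if distro == "alinux":
        return kernel in ALINUX_KERNELS
    if distro == "centos":
        if kernel in CENTOS_EXACT or kernel.startswith(CENTOS_PREFIXES):
            return True
        prefix, cap = CENTOS_BOUNDED
        if kernel.startswith(prefix):
            return _release_numbers(kernel[len(prefix):]) <= _release_numbers(cap)
        return False
    raise ValueError(f"unknown distro: {distro}")


# Constructed sample inventory (not real nodes): name -> (distro, `uname -r`).
SAMPLE_NODES = {
    "node-a": ("centos", "3.10.0-1160.42.2.el7.x86_64"),
    "node-b": ("centos", "4.18.0-305.3.1.el8.x86_64"),
    "node-c": ("ubuntu", "5.4.0-73-generic"),
}


def unsupported_nodes(nodes):
    """Names of nodes whose kernel is not in the table; the cluster defense
    rule will not take effect on these nodes."""
    return sorted(name for name, (distro, kernel) in nodes.items()
                  if not is_kernel_supported(kernel, distro))


if __name__ == "__main__":
    for name in unsupported_nodes(SAMPLE_NODES):
        print(f"{name}: kernel not supported by AliNet; defense rule will not take effect")
```

In the sample inventory, node-b runs a 4.18.0 release newer than 240.15.1 and is reported as unsupported, while node-a matches the `3.10.0-**` row and node-c is an exact Ubuntu match. Re-run the check after kernel upgrades, since a routine update can move a node off the list.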