Security Center provides the container firewall feature. The feature delivers firewall capabilities to protect containers. If attackers exploit vulnerabilities or malicious images to intrude into clusters, the container firewall feature generates alerts or blocks attacks.

Limits

Only Security Center Ultimate supports this feature. If you do not use the Ultimate edition, you must upgrade Security Center to the Ultimate edition before you can use this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center. For more information about the features that each edition supports, see Features.

How container firewall works

In the container firewall module, network objects are used to identify container applications. The information about a network object includes the namespace to which a container application belongs, the name of the container application, the image of the container that is used to run the container application, and labels. You can create a defense rule to protect a cluster based on network objects. The defense rule can detect and block unusual traffic that is destined for the cluster. For more information about how to configure and use the container firewall feature, see Create a network object, Create a defense rule, Manage the defense status and defense rules of a cluster, and View details on the Protection status tab.
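The following is an added illustration of how a network object selects container applications by the fields the page lists (namespace, application name, image, labels) and how a defense rule built on two such objects yields an alert or a block. It is example code written for this page, not Security Center's implementation; the rule semantics (every matching rule is considered and the most severe action wins), the sample workloads, images and rule names are all assumptions.

```python
"""Toy model of container-firewall network objects and defense rules.

Added illustration only; this is not Security Center's code. A network
object carries the fields the page lists (namespace, application name,
image, labels). Rule semantics are an assumption: every matching rule is
considered and the most severe action (block > alert) wins.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Workload:
    """A running container as the firewall observes it (constructed data)."""
    namespace: str
    app: str
    image: str
    labels: Dict[str, str] = field(default_factory=dict)


@dataclass
class NetworkObject:
    """Selects container applications. A field left as None matches any
    value; every label listed must be present on the workload with the
    same value."""
    name: str
    namespace: Optional[str] = None
    app: Optional[str] = None
    image: Optional[str] = None
    labels: Dict[str, str] = field(default_factory=dict)

    def matches(self, w: Workload) -> bool:
        for want, have in ((self.namespace, w.namespace),
                           (self.app, w.app),
                           (self.image, w.image)):
            if want is not None and want != have:
                return False
        return all(w.labels.get(k) == v for k, v in self.labels.items())


@dataclass
class DefenseRule:
    """Traffic from `source` to `destination` triggers `action`."""
    name: str
    source: NetworkObject
    destination: NetworkObject
    action: str  # "alert" or "block"


SEVERITY = {"allow": 0, "alert": 1, "block": 2}


def evaluate(rules: List[DefenseRule], src: Workload, dst: Workload) -> str:
    """Return the verdict for a connection src -> dst: the most severe
    action among all rules whose source and destination objects match,
    or 'allow' when no rule matches."""
    verdict = "allow"
    for rule in rules:
        if rule.source.matches(src) and rule.destination.matches(dst):
            if SEVERITY[rule.action] > SEVERITY[verdict]:
                verdict = rule.action
    return verdict


# --- constructed sample objects and rules (not from the page) -------------
PAYMENTS_DB = NetworkObject("payments-db", namespace="payments",
                            labels={"tier": "db"})
DEFAULT_NS = NetworkObject("default-namespace", namespace="default")
SHELL_IMAGES = NetworkObject("shell-images", image="busybox:latest")

RULES = [
    # Anything in the default namespace talking to the DB is unusual: alert.
    DefenseRule("alert-default-to-db", DEFAULT_NS, PAYMENTS_DB, "alert"),
    # A generic shell image reaching the DB looks like a foothold: block.
    DefenseRule("block-shell-to-db", SHELL_IMAGES, PAYMENTS_DB, "block"),
]

DB = Workload("payments", "payments-db", "registry.example/postgres:14",
              {"tier": "db"})
API = Workload("payments", "payments-api", "registry.example/payments-api:1.2",
               {"tier": "api"})
SCANNER = Workload("default", "scanner", "registry.example/scanner:3")
SHELL = Workload("default", "curl", "busybox:latest")


def demo() -> Dict[str, str]:
    """Verdicts for three connections to the DB workload."""
    return {
        "api->db": evaluate(RULES, API, DB),
        "scanner->db": evaluate(RULES, SCANNER, DB),
        "shell->db": evaluate(RULES, SHELL, DB),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow}: {verdict}")
```

The most-severe-wins choice means a broad alert rule and a narrow block rule can overlap without the order in which they were created deciding the outcome; the payments API, which matches no rule, is left alone.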

Supported operating system versions

Cluster defense rules rely on the AliNet plug-in, which defends against malicious network behavior by blocking suspicious network connections, Domain Name System (DNS) hijacking, and brute-force attacks. Before you use the container firewall feature, make sure that your cluster nodes run an operating system whose kernel version is supported by the AliNet plug-in. If your cluster nodes run an operating system whose kernel version is not supported by the AliNet plug-in, the defense rule that you create for your cluster does not take effect. The following table lists the operating system versions and kernel versions that the AliNet plug-in supports.
Operating system: 64-bit Ubuntu
Operating system versions:
  • Ubuntu 14.04
  • Ubuntu 16.04
  • Ubuntu 18.04
  • Ubuntu 20.04
Kernel versions:
  • 3.13.0-32-generic
  • 3.13.0-86-generic
  • 4.4.0-104-generic
  • 4.4.0-117-generic
  • 4.4.0-124-generic
  • 4.4.0-142-generic
  • 4.4.0-146-generic
  • 4.4.0-151-generic
  • 4.4.0-170-generic
  • 4.4.0-174-generic
  • 4.4.0-179-generic
  • 4.4.0-184-generic
  • 4.4.0-185-generic
  • 4.4.0-62-generic
  • 4.4.0-63-generic
  • 4.4.0-93-generic
  • 4.4.0-96-generic
  • 4.15.0-23-generic
  • 4.15.0-42-generic
  • 4.15.0-45-generic
  • 4.15.0-52-generic
  • 4.15.0-54-generic
  • 4.15.0-72-generic
  • 4.15.0-96-generic
  • 4.15.0-109-generic
  • 4.15.0-106-generic
  • 4.15.0-111-generic
  • 4.15.0-118-generic
  • 4.15.0-1047-gcp
  • 4.15.0-128-generic
  • 5.4.0-31-generic
  • 5.4.0-42-generic
  • 5.4.0-47-generic
  • 5.4.0-58-generic
  • 5.4.0-73-generic

Operating system: 64-bit CentOS
Operating system versions:
  • CentOS 6.5
  • CentOS 6.6
  • CentOS 6.7
  • CentOS 6.8
  • CentOS 6.9
  • CentOS 6.10
  • CentOS 7.0-1406
  • CentOS 7.1-1503
  • CentOS 7.2-1511
  • CentOS 7.3-1611
  • CentOS 7.4-1708
  • CentOS 7.5-1804
  • CentOS 7.6-1810
  • CentOS 7.7-1908
  • CentOS 7.8-2003
  • CentOS 7.9-2009
  • CentOS 8.0-1905
  • CentOS 8.1-1911
  • CentOS 8.2-2004
Kernel versions:
  • 2.6.32-**, which indicates all the CentOS kernels whose version numbers start with 2.6.32
  • 3.10.0-**, which indicates all the CentOS kernels whose version numbers start with 3.10.0
  • 4.18.0-**, which indicates all the CentOS kernels whose versions are 4.18.0-240.15.1 or earlier
  • 5.4.42-200.el7.x86_64

Operating system: 64-bit Alibaba Cloud Linux
Operating system version: Alibaba Cloud Linux 2.1903
Kernel versions:
  • 3.10.0-1160.al7.1.x86_64
  • 4.4.95-1.al7.x86_64
  • 4.4.95-3.al7.x86_64
  • 4.19.24-7.al7.x86_64
  • 4.19.24-7.14.al7.x86_64
  • 4.19.81-17.al7.x86_64
  • 4.19.81-17.2.al7.x86_64
  • 4.19.91-19.1.al7.x86_64
  • 4.19.91-21.al7.x86_64
  • 4.19.91-21.2.al7.x86_64
  • 4.19.91-22.al7.x86_64
  • 4.19.91-22.2.al7.x86_64
  • 4.19.91-23.al7.x86_64
  • 4.19.91-24.1.al7.x86_64
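Because defense rules silently fail to take effect on nodes whose kernel is not in the table, it is worth checking every node's kernel release before enabling the feature. The helper below is an added example written for this page, not part of Security Center or the AliNet plug-in. It transcribes the kernel versions from the table above and reads the wildcard rows as the page describes them (2.6.32-** and 3.10.0-** cover any build, 4.18.0-** covers builds up to 4.18.0-240.15.1); the distribution guess from the release-string suffix, the node names and the kernel strings in SAMPLE_NODES are constructed assumptions.

```python
"""Check node kernel releases against the AliNet support table on this page.

Added helper, not part of Security Center or the AliNet plug-in. The
version data is transcribed from the table above; the wildcard rows are
read as the page describes them (2.6.32-** and 3.10.0-** mean any build,
4.18.0-** means builds up to 4.18.0-240.15.1). The node names and kernel
strings in SAMPLE_NODES are constructed.
"""
import re
from typing import Dict, List, Tuple

# Exactly listed kernel releases, grouped as in the table.
UBUNTU_KERNELS = set("""
3.13.0-32-generic 3.13.0-86-generic
4.4.0-62-generic 4.4.0-63-generic 4.4.0-93-generic 4.4.0-96-generic
4.4.0-104-generic 4.4.0-117-generic 4.4.0-124-generic 4.4.0-142-generic
4.4.0-146-generic 4.4.0-151-generic 4.4.0-170-generic 4.4.0-174-generic
4.4.0-179-generic 4.4.0-184-generic 4.4.0-185-generic
4.15.0-23-generic 4.15.0-42-generic 4.15.0-45-generic 4.15.0-52-generic
4.15.0-54-generic 4.15.0-72-generic 4.15.0-96-generic 4.15.0-106-generic
4.15.0-109-generic 4.15.0-111-generic 4.15.0-118-generic 4.15.0-128-generic
4.15.0-1047-gcp
5.4.0-31-generic 5.4.0-42-generic 5.4.0-47-generic 5.4.0-58-generic
5.4.0-73-generic
""".split())

CENTOS_KERNELS = {"5.4.42-200.el7.x86_64"}
CENTOS_PREFIXES = ("2.6.32-", "3.10.0-")   # any build of these is supported
CENTOS_418_MAX_BUILD = (240, 15, 1)        # 4.18.0-** up to this build

ALIBABA_KERNELS = set("""
3.10.0-1160.al7.1.x86_64 4.4.95-1.al7.x86_64 4.4.95-3.al7.x86_64
4.19.24-7.al7.x86_64 4.19.24-7.14.al7.x86_64
4.19.81-17.al7.x86_64 4.19.81-17.2.al7.x86_64
4.19.91-19.1.al7.x86_64 4.19.91-21.al7.x86_64 4.19.91-21.2.al7.x86_64
4.19.91-22.al7.x86_64 4.19.91-22.2.al7.x86_64 4.19.91-23.al7.x86_64
4.19.91-24.1.al7.x86_64
""".split())

EXACT_KERNELS = UBUNTU_KERNELS | CENTOS_KERNELS | ALIBABA_KERNELS


def kernel_family(release: str) -> str:
    """Guess the distribution family from the release-string suffix
    (heuristic assumption: .elN = CentOS/RHEL, .al7 = Alibaba Cloud Linux,
    -generic/-gcp = Ubuntu)."""
    if re.search(r"\.el[678]", release):
        return "centos"
    if ".al7" in release:
        return "alibaba"
    if release.endswith(("-generic", "-gcp")):
        return "ubuntu"
    return "unknown"


def build_number(release: str, base: str) -> Tuple[int, ...]:
    """Leading numeric components after `base`, e.g. '4.18.0-240.15.1.el8'
    -> (240, 15, 1); parsing stops at the first non-numeric piece."""
    parts: List[int] = []
    for piece in release[len(base):].split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_supported(release: str) -> Tuple[bool, str]:
    """Return (supported, reason) for one `uname -r` style string."""
    release = release.strip()
    if release in EXACT_KERNELS:
        return True, "listed in the support table"
    if kernel_family(release) == "centos":
        if release.startswith(CENTOS_PREFIXES):
            return True, "CentOS wildcard family"
        if release.startswith("4.18.0-"):
            if build_number(release, "4.18.0-") <= CENTOS_418_MAX_BUILD:
                return True, "4.18.0 build within the supported range"
            return False, "4.18.0 build newer than 240.15.1"
    return False, "not in the support table"


def unsupported_nodes(nodes: Dict[str, str]) -> List[str]:
    """Names of nodes whose kernel is not covered, so defense rules would
    not take effect there. `nodes` maps node name -> kernel release."""
    return sorted(n for n, r in nodes.items() if not is_supported(r)[0])


# Constructed sample inventory. Real values can be collected with:
#   kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name} {.status.nodeInfo.kernelVersion}{"\n"}{end}'
SAMPLE_NODES = {
    "worker-1": "4.15.0-118-generic",
    "worker-2": "3.10.0-1160.53.1.el7.x86_64",
    "worker-3": "4.18.0-305.3.1.el8.x86_64",
    "worker-4": "4.19.91-24.1.al7.x86_64",
    "worker-5": "5.4.0-99-generic",
}

if __name__ == "__main__":
    for name, release in SAMPLE_NODES.items():
        ok, why = is_supported(release)
        print(f"{name:10} {release:32} {'OK' if ok else 'UNSUPPORTED'} ({why})")
```

The 4.18.0 comparison is done on numeric build components rather than on the string, so 4.18.0-193 is correctly accepted as earlier than 4.18.0-240.15.1 even though it sorts after it lexically; a kernel from a distribution the table does not mention at all is reported as unsupported rather than matched by prefix.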