Container microsegmentation adds firewall-level network controls to your Kubernetes clusters. When an attacker exploits a vulnerability or uses a malicious image to break into a cluster, container microsegmentation generates alerts or blocks the attack.
Edition requirement
Container microsegmentation requires the Ultimate edition of Security Center. To purchase or upgrade, see Purchase Security Center and Upgrade and downgrade Security Center.
How it works
Container microsegmentation uses network objects to identify container applications and defense rules to control traffic between them.
A network object represents a container application and is defined by four attributes: its namespace, name, image, and labels. Defense rules are built on top of network objects — each rule specifies which traffic is blocked between a source network object and a destination network object, then is applied to protect a cluster.
Once a defense rule is enabled on a cluster, it continuously inspects traffic to that cluster and blocks the traffic that the rule identifies as abnormal.
If the interceptable status of a cluster is abnormal, defense cannot be enabled for that cluster and any existing defense rules will not take effect. Resolve the abnormal status before proceeding. For details, see Troubleshoot the issues causing the abnormal blocking status of a cluster.
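To make the matching model concrete, here is an added example (not Security Center code) that models a network object by its four attributes, a defense rule as a source/destination pair, and the evaluation of one flow against the enabled rules; the sample pods, the prefix matching on image and the "empty attribute means any" convention are assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Pod:
    """A running workload as the cluster sees it (constructed sample data)."""
    namespace: str
    name: str
    image: str
    labels: dict

@dataclass
class NetworkObject:
    """A container application identified by namespace, name, image and labels.
    Assumption: an empty name/image or empty labels means 'any'; every label
    listed must be present on the pod with the same value."""
    namespace: str
    name: str = ""
    image: str = ""
    labels: dict = field(default_factory=dict)

    def matches(self, pod: Pod) -> bool:
        if pod.namespace != self.namespace:
            return False
        if self.name and pod.name != self.name:
            return False
        if self.image and not pod.image.startswith(self.image):
            return False
        return all(pod.labels.get(k) == v for k, v in self.labels.items())

@dataclass
class DefenseRule:
    """Blocks traffic from any pod matching `source` to any pod matching `destination`."""
    name: str
    source: NetworkObject
    destination: NetworkObject
    enabled: bool = True

def evaluate(rules, src: Pod, dst: Pod, cluster_interceptable: bool = True):
    """Return ("block", rule_name) or ("allow", None). Rules only take effect
    while the cluster's interceptable status is normal (see the note above)."""
    if not cluster_interceptable:
        return ("allow", None)
    for rule in rules:
        if rule.enabled and rule.source.matches(src) and rule.destination.matches(dst):
            return ("block", rule.name)
    return ("allow", None)

# Constructed sample: a web frontend must not open connections to the database tier.
FRONTEND = Pod("web", "frontend-7c9", "registry.example/web/frontend:1.4", {"app": "frontend"})
MYSQL = Pod("data", "mysql-0", "registry.example/data/mysql:8", {"app": "mysql", "tier": "db"})
RULES = [DefenseRule("deny-web-to-db",
                     NetworkObject(namespace="web"),
                     NetworkObject(namespace="data", labels={"tier": "db"}))]
```

Evaluating the frontend-to-MySQL flow returns a block from `deny-web-to-db`, the reverse direction is allowed, and the same flow is allowed when the cluster is not interceptable, which is why the abnormal status must be resolved first.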
Supported operating systems
Container microsegmentation uses the AliNet plug-in to enforce defense rules on cluster nodes. The AliNet plug-in blocks malicious network behavior, including suspicious network connections, Domain Name System (DNS) hijacking, and brute-force attacks.
Defense rules only take effect on cluster nodes running a kernel version that the AliNet plug-in supports. The following table lists the supported operating systems and kernel versions.
| Operating system | Kernel series | Supported versions |
|---|---|---|
| CentOS | 3.10.0 | See full list below (63 discrete versions from 3.10.0-123.9.3.el7.x86_64 to 3.10.0-1160.88.1.el7.x86_64) |
| CentOS | 4.19.X | 4.19.12-1.el7.elrepo.x86_64, 4.19.94-300.el7.x86_64, 4.19.104-300.el7.x86_64, 4.19.113-300.el7.x86_64 |
| Alibaba Cloud Linux (64-bit) | 3.10.0 | See full list below (7 discrete versions) |
| Alibaba Cloud Linux (64-bit) | 4.19.X | See full list below (32 discrete versions from 4.19.24-7.al7.x86_64 to 4.19.91-27.1.al7.x86_64) |
Get started
To set up container microsegmentation, complete the following steps in order.
1. Create network objects. Define the source and destination container applications you want to control traffic between. Each network object is identified by its namespace, name, image, and labels. See Create a network object.
2. Create and enable a defense rule. Specify which traffic between the source and destination network objects to detect and block. See Create a defense rule.
3. Enable defense for your cluster. Apply the defense rule to a cluster and verify its interceptable status is normal before enabling. See Manage the defense status and defense rules of a cluster.
4. Monitor alerts. Review alerts generated when a defense rule is triggered to confirm protection is working as expected. See View details on the Protection Status tab.