Alibaba Cloud Container Service (ACS) provides a layered security system covering runtime security, trusted software supply chains, and infrastructure security. These layers address security inspection, policy management, runtime monitoring and alerting, image scanning, image signing, cloud-native application delivery, default hardening, identity management, and fine-grained access control.

Runtime security
Secure sandbox management: The secure sandbox is an alternative container runtime that runs workloads inside a lightweight virtual machine with an independent kernel. This architecture provides stronger security isolation than standard containers, making it suited for untrusted application isolation, fault isolation, performance isolation, and multi-tenant workload separation. The secure sandbox has minimal performance overhead and delivers the same operational experience as Docker containers, including logging, monitoring, and autoscaling.
Trusted software supply chains
-
Image scanning
Container Registry scans all Linux-based container images for known vulnerabilities and provides vulnerability assessments and fix suggestions to reduce security risks. The integrated cloud security scan engine identifies system vulnerabilities, application vulnerabilities, and malicious samples inside images.
-
Image signing
Container Registry supports a content trust mechanism that lets image creators apply a digital signature to each image. Before deployment, ACS verifies image signatures to ensure that only trusted images run in the cluster. This prevents unexpected or malicious code from entering your environment and makes application images traceable throughout the deployment process.
-
Cloud-native application delivery chains
Container Registry provides a cloud-native application delivery chain for secure, efficient container delivery. Use it to configure image building, image scanning, global image synchronization, and image deployment, and to define fine-grained security policies — achieving full-link, observable, and traceable delivery. Code submitted once is securely distributed and efficiently deployed across multiple regions, upgrading your DevOps pipeline to DevSecOps. For more information, see Create a delivery chain.
Infrastructure security
-
Default security
ACS hardens cluster nodes and control plane components against CIS Kubernetes Benchmarks. All system components are hardened following container security best practices, ensuring that system component images contain no critical Common Vulnerabilities and Exposures (CVE) vulnerabilities.
Worker nodes of managed clusters operate under the principle of least privilege. Resource Access Management (RAM) users are granted only the minimal permissions required to access other cloud resources. For more information, see Authorization best practices.
-
Identity management
All communication between ACS cluster components requires TLS certificate verification, securing data transmission across the entire cluster. ACS automatically renews certificates for cluster system components. RAM users and roles can get a kubeconfig file to connect to the cluster API server through the console or OpenAPI. For specific operations, see Obtain cluster KubeConfig and connect to the cluster using kubectl. ACS maintains the identity information in access credentials and can revoke credentials when needed. For specific operations, see Revoke a cluster kubeconfig file.
-
Fine-grained access control
ACS implements Kubernetes resource access control using Role-Based Access Control (RBAC) — a foundational hardening measure for application security. The Authorization management page in the console provides fine-grained RBAC authorization at the namespace level, including:
RBAC permission templates: Preset templates for administrator, operations, and developer roles based on different permission requirements.
Batch authorization: Supports batch authorization across multiple clusters and multiple RAM users.
RAM roles: Supports authorization for RAM roles.
Custom ClusterRoles: Supports binding users to custom ClusterRoles within the cluster. For more information, see Configure RBAC permissions for RAM users or RAM roles.
-
Secret encryption
By default, Kubernetes Secrets are stored in etcd encoded only in Base64 — not encrypted. In ACS clusters, you can encrypt Secrets using keys managed by Alibaba Cloud Key Management Service (KMS), protecting sensitive application data on disk.