All Products
Search
Document Center

Container Service for Kubernetes:FAQ about container security

Last Updated:Nov 18, 2024

This topic provides answers to some frequently asked questions about container security.

Why do containers fail to communicate with each other?

The following section describes the causes of network communication failures due to different security group settings and provides solutions to the failures.

  • The inbound rule in which Authorization Object is Pod CIDR Block and Protocol Type is All is deleted.

    1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

    2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, click Cluster Information.

    3. On the Cluster Information page, click the Basic Information tab, and then click the link to the right of Control Plane Security Group to go to the security group page in the Elastic Compute Service (ECS) console.

    4. On the Inbound tab of the Security Group page, click Add Rule.

    5. Configure Protocol Type, Port Range, and Authorization Object. Then, click Save.

      Note
      • Set Protocol Type to All.

      • Set Authorization Object to the pod CIDR block of the cluster.

        You can find the pod CIDR block in the Cluster Information section of the cluster details page in the Container Service for Kubernetes (ACK) console.集群信息

        For more information about Authorization Object, see Security groups for different use cases.

      A rule in which Authorization Object is set to the pod CIDR block of the cluster and Protocol Type is set to All is added.

  • The new ECS instance and the Kubernetes cluster belong to different security groups.

    1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

    2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, click Cluster Information.

    3. On the Cluster Information page, click the Basic Informationf tab. Then, view and record the ID on the right side of Security Group.

    4. Add the desired ECS instance to the security group that is found in the previous step. For more information about how to add an ECS instance to a security group, see Manage the security groups of one or more ECS instances on the Instances page.

How do I specify a security group for an ACK cluster?

You cannot specify a security group for an ACK cluster. A default security group is automatically specified for an ACK cluster when the cluster is created. You can modify the rules of the default security group.

Can I disable cluster auditing when I create a cluster or enable cluster auditing after the cluster is created?

Yes, you can migrate a WAF 2.0 instance to which domain names are added in transparent proxy mode. For more information, see Work with the cluster auditing feature.

How do I renew the certificate of an ACK dedicated cluster and how do I renew the certificates of the components in the cluster?

How do I fix the "no providers available to validate pod request" error during pod creation?

Why am I unable to use existing Secrets in a new namespace?

Secrets are scoped to namespaces. You must create new Secrets in a new namespace.

How do I fix the mount error when I mount the default token?

The following error message is returned:

Normal Scheduled 13m default-scheduler Successfully assigned dev/alibaba-demo-67fcdbfb8-zklnp to cn-hangzhou.10.7.3.16  Warning FailedMount 13m (x2 over 13m) kubelet, cn-hangzhou.10.7.3.16 MountVolume.SetUp failed for volume 'default-token-8twx9' : mount failed: exit status 1 Mounting command: systemd-run Mounting arguments: --description=Kubernetes transient mount for /var/lib/kubelet/pods/62d39b35-9a4d-11ea-9870-c24d56a0e904/volumes/kubernetes.io~secret/default-token-8twx9 --scope -- mount -t tmpfs tmpfs /var/lib/kubelet/pods/62d39b35-9a4d-11ea-9870-c24d56a0e904/volumes/kubernetes.io~secret/default-token-8twx9 Output: Failed to start transient scope unit: Argument list too long  Warning FailedCreatePodContainer 3m40s (x49 over 13m) kubelet, cn-hangzhou.10.7.3.16 unable to ensure pod container exists: failed to create container for [kubepods burstable pod62d39b35-9a4d-11ea-9870-c24d56a0e904] : Argument list too long

The systemd version is outdated.

  • Upgrade systemd. For more information, see systemd.

  • Run the sudo systemctl daemon-reload command to reload units. For more information, see systemd.

How do I query the auditing log?

Query the auditing log about Role-Based Access Control (RBAC) operations

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage and click Cluster Information in the left-side navigation pane.

  3. On the Cluster Information page, click the Basic Information tab. Then, click the link to the right of Log Service Project.

  4. On the Log Storage > Logstores page, click the audit-<cluster_id> Logstore that you want to query and click Search & Analysis.

  5. In the upper-right corner, you cna specify the time period that you want to query. Example: 15 Minutes.

    Note

    Select a time period that covers the time when errors occurred, for example, 3 days, 7 day, or 15 days.

  6. In the Search & Analyze search bar, enter the following SQL statement and then click Search & Analyze.

    requestURI: "rbac.authorization.k8s.io" not (verb: get or verb: watch) 
  7. Click the 45 icon. In the Log Download dialog box, select Download All Logs with Cloud Shell and click OK.

Query the auditing log about ConfigMap operations

In the Search & Analyze search bar, enter the following SQL statement and then click Search & Analyze. For more information, see How do I query the auditing log?

requestURI: "configmaps" and <configmap_name> not (verb: get or verb: watch or verb: list) 
Note

Replace <configmap_name> with the name of the ConfigMap that you want to query.

Query the auditing log about Deployment scaling operations

In the Search & Analyze search bar, enter the following SQL statement and then click Search & Analyze. For more information, see How do I query the auditing log?

requestURI: deployments and (verb: update or verb: patch) and replicas and deployments and <deployment_name> not deployment-controller
Note

Replace <configmap_name> with the name of the ConfigMap that you want to query.