The security of hosts ensures that containers deployed on the hosts can run as expected. We recommend that you periodically perform baseline checks to verify that your cluster complies with the standards defined by Alibaba Cloud Linux Security Hardening (OS Security Hardening), use the security capabilities provided by Alibaba Cloud Security Center, limit access to cluster nodes based on the least privilege principle, and follow the Elastic Compute Service (ECS) security best practices.
Periodically perform baseline checks to verify that your cluster complies with the standards defined by OS Security Hardening and Multi-Level Protection Scheme (MLPS) Security Hardening.
OS Security Hardening
OS Security Hardening defines standards to enhance the OS security of hosts, including Alibaba Cloud Linux, CentOS, and Ubuntu. Alibaba Cloud Linux 3 is an OS released by Alibaba Cloud and is used as the default OS by ACK clusters. For more information, see Use Alibaba Cloud Linux 3.
MLPS Security Hardening
Alibaba Cloud defines MLPS standards to enhance OS security based on "GB/T 22239-2019 Information Security Technology - Baseline for Classified Protection of Cybersecurity", and provides security hardening features to ensure the security of Alibaba Cloud Linux. These features include identity verification, access control, security audit, intrusion prevention, and malicious code prevention. For more information, see ACK security hardening based on MLPS.
Use security capabilities provided by Alibaba Cloud Security Center
The following features of Alibaba Cloud Security Center can help ensure that the default configurations of the nodes in an ACK cluster are secure:
Vulnerability patching: detects common vulnerabilities and allows you to patch the vulnerabilities with a few clicks. You can view detected vulnerabilities or manually run scan tasks on the Vulnerabilities page. This feature helps you identify vulnerabilities and potential risks in your assets.
Baseline check: checks the configurations of server OSs, databases, software, and containers, generates reports, and provides security suggestions. This feature helps you enhance the security of your OS, mitigate intrusion risks, and meet security compliance requirements.
Cloud service configuration check: checks the configurations of cloud services based on identity verification and permissions, network access control, data security, log audit, monitoring and alerting, and basic security. Security Center also provides suggestions on how to mitigate the detected risks.
Container image scan: detects and identifies high-risk system vulnerabilities, application vulnerabilities, malicious samples, configuration risks, and sensitive data in container images. Security Center also provides suggestions on how to handle these issues and simplifies patching the vulnerabilities found in container images.
Limit access to cluster nodes based on the least privilege principle
If you want to access a node remotely, log on to the ACK console and use Workbench or Virtual Network Computing (VNC) to reach the node over the internal network. In this scenario, you do not need to associate an elastic IP address (EIP) with the node. If you must access the node over the Internet, add rules to the security group of the ACK cluster that restrict which sources can reach the node, and keep the set of node ports exposed to the Internet as small as possible by reviewing the security group rules for those ports.
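One way to check the second point from the defender's side, as an added example that is not part of this page or of Alibaba Cloud's own tooling: parse a DescribeSecurityGroupAttribute-style response and report inbound Accept rules whose source falls outside an allowlist of internal CIDRs, so node ports reachable from the Internet stand out. The sample response is constructed, and its field names follow the ECS API as I understand it (an assumption to verify against the API reference).

```python
import json
import ipaddress

# Constructed sample modelled on the ECS DescribeSecurityGroupAttribute response
# (field names are an assumption; check the API reference for your region).
SAMPLE_RESPONSE = json.dumps({
    "SecurityGroupId": "sg-constructed-example",
    "Permissions": {"Permission": [
        {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
         "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0", "Priority": "1"},
        {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ALL",
         "PortRange": "-1/-1", "SourceCidrIp": "192.168.0.0/16", "Priority": "100"},
        {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
         "PortRange": "22/22", "SourceCidrIp": "198.51.100.7/32", "Priority": "1"},
        {"Direction": "ingress", "Policy": "Drop", "IpProtocol": "ALL",
         "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0", "Priority": "100"},
        {"Direction": "egress", "Policy": "Accept", "IpProtocol": "ALL",
         "PortRange": "-1/-1", "DestCidrIp": "0.0.0.0/0", "Priority": "1"},
    ]},
})


def source_prefix_len(cidr: str) -> int:
    """Prefix length of a source CIDR; 0 means the whole Internet (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen


def find_exposed_ingress(response_json: str, allowed_cidrs=()) -> list:
    """Flag inbound Accept rules whose source is not inside any allowed CIDR.

    allowed_cidrs lists the internal ranges you expect (VPC CIDRs, a bastion /32).
    Rules keyed on another security group (no SourceCidrIp) are internal and skipped.
    """
    allowed = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    findings = []
    for rule in json.loads(response_json)["Permissions"]["Permission"]:
        if rule.get("Direction") != "ingress" or rule.get("Policy") != "Accept":
            continue
        src = rule.get("SourceCidrIp")
        if not src:
            continue
        net = ipaddress.ip_network(src, strict=False)
        if any(net.subnet_of(a) for a in allowed if a.version == net.version):
            continue
        findings.append({"ports": rule["PortRange"], "proto": rule["IpProtocol"],
                         "source": src, "internet": source_prefix_len(src) == 0})
    return findings


if __name__ == "__main__":
    for f in find_exposed_ingress(SAMPLE_RESPONSE, ["192.168.0.0/16", "198.51.100.7/32"]):
        print(f)  # only the TCP 22 rule open to 0.0.0.0/0 is reported
```

Feed it the JSON returned by the real DescribeSecurityGroupAttribute call for the cluster's node security group, with your VPC CIDRs in the allowlist, and review every reported rule.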
Follow the ECS security best practices
By default, ECS instances that host the nodes of an ACK cluster run Alibaba Cloud Linux 3. For more information about how to improve the security of ECS instances, see ECS instance security.