You can use the security monitoring feature to monitor Container Service for Kubernetes (ACK) clusters and generate alerts upon security events. These security events include use of malicious container images, attacks by viruses or malware in containers and hosts, intrusions into containers, container escapes, and high-risk operations. This topic describes how to use the security monitoring feature.
Prerequisites
An ACK cluster is created. For more information, see Create an ACK managed cluster.
Security Center is activated. For more information, see Purchase Security Center.
If you use a Resource Access Management (RAM) user, you must attach the AliyunYundunSASReadOnlyAccess policy to the RAM user.
Background information
Cloud-native applications are deployed in containers after they pass the authentication and admission control of the API server. However, in accordance with the zero trust principle for application security, admission-time checks alone are not sufficient: runtime monitoring and alerting are required to keep applications secure after they start running. The security monitoring feature is integrated with Security Center to detect vulnerabilities and generate alerts. This allows cluster administrators to monitor applications and receive alerts upon security events, such as use of malicious container images, attacks by viruses or malware in containers and hosts, intrusions into containers, container escapes, and high-risk operations. Alerts are displayed on the cluster details page of the ACK console in real time. You can view and handle the alerts based on the information displayed on the page.
Procedure
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the cluster that you want to manage and choose in the left-side navigation pane.
On the Security Monitoring page, view the monitoring and alerting information.
Alerts
Displays alerts that are triggered upon security events, such as attacks by viruses or malware in containers and hosts, intrusions into containers, container escapes, and high-risk operations. For more information about alerts, see Overview. You can click the Alerts section and then perform the following operations.
In the lower part of the page, click Handle in the Actions column of an alert. In the dialog box that appears, you can specify whether to add the alert to the whitelist or ignore the alert.
In the lower part of the page, click Details in the Actions column of an alert to view the detailed information, including the event time, affected assets, and process ID. On the Details page, click the Diagnosis tab. On the Diagnosis tab, you can trace the source of the event and view the raw data.
Vulnerabilities
Allows you to view and handle vulnerabilities in assets, including Linux vulnerabilities and application vulnerabilities. For more information about vulnerabilities, see Vulnerability Management. You can click the Vulnerabilities section and then perform the following operations.
In the lower part of the page, click the name of a vulnerability or click Handle in the Actions column of the vulnerability to view the detailed information and pending vulnerabilities. The vulnerability details list provides suggestions on how to fix the vulnerabilities. In the pending vulnerability list, you can fix vulnerabilities, verify fixes, and view details.
In the lower part of the page, click CVE ID on the right side of a vulnerability to access the Alibaba Cloud vulnerability library to view detailed information about the vulnerability.
Baseline Risks
Displays risks in Elastic Compute Service (ECS) instance operating systems, databases, software, and containers to help you enhance security, reduce intrusion risks, and meet security compliance requirements. For more information about baseline risks, see Baseline check. You can click the Baseline Risks section to view baseline risks. In the lower part of the page, click Details in the Actions column of a risk to view the description of the risk and the affected assets.
Alerts Generated by Container Firewall
Displays information about the container firewall. If attackers exploit vulnerabilities or malicious images to intrude into clusters, the container firewall feature can generate alerts or block attacks. For more information about the container firewall feature, see Overview. You can click the Alerts Generated by Container Firewall section to view information about alerts generated by the container firewall.
The alerts list displays detailed information about each alert, including the severity level, alert name, source, targeted network objects, ports, clusters, and defense mode.
In the alerts list, you can click Edit Rule in the Actions column of an alert to modify the alert rule.