security-inspector

The security-inspector component is a key component for performing security inspections. This topic describes the features, usage notes, and release notes for security-inspector.

Overview

You can use security-inspector to scan workload configurations from various dimensions. This helps you better understand the security risks of your workloads. The following figure shows the architecture of security-inspector.

Usage notes

security-inspector provides the following inspection features:

security-inspector uses Polaris to perform security inspections. This allows you to detect security risks of workload configurations in your cluster in real time.
Note
Polaris is an open source project that is used to identify security risks of workload configurations in a Kubernetes cluster. For more information, see Polaris.
security-inspector can scan workload configurations from various dimensions and provide reports that contain the following information: health checks, images, networks, resources, and security. This allows you to better understand the security risks of your applications in real time and reinforce your system based on the suggestions that are provided by security-inspector. For more information, see Use the inspection feature to detect security risks in the workloads of an ACK cluster.

Release notes

March 2025

Version	Image address	Release date	Description	Impact

Version	Image address	Release date	Description	Impact
v0.16.1.0-gea4d02f-aliyun	registry-cn-hangzhou.ack.aliyuncs.com/acs/security-inspector:v0.16.1.0-gea4d02f-aliyun	2025-03-18	Note This version is in canary release. The Go version used by the component is upgraded to 1.23.7, which improves the stability of the component.	No impact on workloads

January 2025

Version	Image address	Release date	Description	Impact

Version	Image address	Release date	Description	Impact
v0.16.0.0-g4e93dcd-aliyun	registry-cn-hangzhou.ack.aliyuncs.com/acs/security-inspector:v0.16.0.0-g4e93dcd-aliyun	2025-01-02	The Go version used by the component is upgraded to 1.23.4, which improves the stability of the component.	No impact on workloads

October 2024

Version	Image address	Release date	Description	Impact

Version	Image address	Release date	Description	Impact
v0.15.0.0-g4218661-aliyun	registry-cn-hangzhou.ack.aliyuncs.com/acs/security-inspector:v0.15.0.0-g4218661-aliyun	2024-10-10	You can verify whether plaintext AccessKey pairs are stored in the environment variables.	No impact on workloads

August 2024

Version	Image address	Release date	Description	Impact

Version	Image address	Release date	Description	Impact
v0.14.1.0-g829a93d-aliyun	registry-cn-hangzhou.ack.aliyuncs.com/acs/security-inspector:v0.14.1.0-g829a93d-aliyun	2024-08-01	Version compatibility is optimized.	No impact on workloads

July 2024

Version	Image address	Release date	Description	Impact

Version	Image address	Release date	Description	Impact
v0.14.0.0-gfc02c67-aliyun	registry-cn-hangzhou.ack.aliyuncs.com/acs/security-inspector:v0.14.0.0-gfc02c67-aliyun	2024-07-26	Inspection tasks are run in the security-inspector namespace since this version.	No impact on workloads

March 2024

Version	Image address	Release date	Description	Impact

Version	Image address	Release date	Description	Impact
v0.13.0.0-g88dfa8f-aliyun	registry-cn-hangzhou.ack.aliyuncs.com/acs/security-inspector:v0.13.0.0-g88dfa8f-aliyun	2024-03-26	Role-based access control (RBAC)-related inspection items are supported, including wildcard check, check on the cluster-admin role, and check on modifications to predefined roles, such as system:basic-user, system:discovery, and system:public-info-viewer.	No impact on workloads

February 2024

Version	Image address	Release date	Description	Impact

Version	Image address	Release date	Description	Impact
v0.12.0.7-g6f9d47f-aliyun	registry-cn-hangzhou.ack.aliyuncs.com/acs/security-inspector:v0.12.0.7-g6f9d47f-aliyun	2024-02-21	You can specify whether the component uses the host network on the Add-ons page and modify the health check port.	No impact on workloads

December 2023

Version	Image address	Release date	Description	Impact

Version	Image address	Release date	Description	Impact
v0.11.0.3-ga2fad87-aliyun	registry-cn-hangzhou.ack.aliyuncs.com/acs/security-inspector:v0.11.0.3-ga2fad87-aliyun	2023-12-21	Modifications to the ttlSecondsAfterFinished configuration item for security-inspector-polaris-cronjob can be retained during component updates.	No impact on workloads

June 2023

Version	Image address	Release date	Description	Impact

Version	Image address	Release date	Description	Impact
v0.10.1.2-g13c9de7-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.10.1.2-g13c9de7-aliyun	2023-06-02	The issue that the component malfunctions after you update the Kubernetes version of a cluster to 1.26.3-aliyun.1 is fixed. The periodic scanning logic of the component is optimized. After the component is updated, it can run only one inspection task at a time. This prevents provisioning multiple pending pods for inspection tasks in the cluster.	No impact on workloads

April 2023

Version	Image address	Release date	Description	Impact

Version	Image address	Release date	Description	Impact
v0.10.0.3-g15b35c4-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.10.0.3-g15b35c4-aliyun	2023-04-13	Kubernetes 1.26 is supported.	No impact on workloads

February 2023

Version	Image address	Release date	Description	Impact

Version	Image address	Release date	Description	Impact
v0.9.1.0-gcdddfa7-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.9.1.0-gcdddfa7-aliyun	2023-02-27	CVE-2023-0286 is fixed in the base image used by the image of the component.	No impact on workloads

December 2022

Version	Image address	Release date	Description	Impact

Version

Image address

Release date

Description

Impact

v0.9.0.0-g1d38ec6-aliyun

registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.9.0.0-g1d38ec6-aliyun

2022-12-22

ACK Serverless clusters that run Kubernetes 1.18 and later are supported.
Accidentally deleted Simple Log Service dashboards can be recreated by restarting the pods of security-inspector.

No impact on workloads

v0.8.3.2-ge5496db-aliyun

registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.8.3.2-ge5496db-aliyun

2022-12-13

This version is in canary release.

The initialization process of security-inspector is accelerated. Previously, it requires a few minutes to initialize security-inspector after you install security-inspector. security-inspector cannot perform security inspections during the initialization period.

No impact on workloads

August 2022

Version	Image address	Release date	Description	Impact

Version	Image address	Release date	Description	Impact
v0.8.3.1-gf7bf0e0-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.8.3.1-gf7bf0e0-aliyun	2022-08-30	The message content of the `SecurityInspectorConfigAuditHighRiskFound` and `SecurityInspectorConfigAuditFinished` events is optimized. Links to event details are added to the message content.	No impact on workloads

June 2022

Version	Image address	Release date	Description	Impact

Version	Image address	Release date	Description	Impact
v0.8.2.16-gc84d60d-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.8.2.16-gc84d60d-aliyun	2022-06-21	The issue that the `MountVolume.SetUp failed for volume "config" : object "kube-system"/"security-inspector-polaris-config" not registered` event may be generated in clusters that run Kubernetes 1.22 is fixed. The requests that security-inspector sends to the API server are optimized to reduce the loads of the API server when security-inspector scans large clusters.	No impact on workloads

April 2022

Version	Image address	Release date	Description	Impact

Version	Image address	Release date	Description	Impact
v0.8.1.0-g58d1a56-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.8.1.0-g58d1a56-aliyun	2022-04-11	The issue that automatic node draining fails due to the improper configurations of security-inspector is fixed. The issue that inspection reports are not displayed as expected when multiple clusters share the same Simple Log Service project is fixed.	No impact on workloads

February 2022

Version	Image address	Release date	Description	Impact

Version	Image address	Release date	Description	Impact
v0.8.0.0-gb0edd1d-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.8.0.0-gb0edd1d-aliyun	2022-02-15	The severity level of the `privilegeEscalationAllowed` inspection item is set to medium. Support for clusters that run Kubernetes 1.16 is optimized and the issue caused by #84880 is fixed.	No impact on workloads

December 2021

Version	Image address	Release date	Description	Impact

Version	Image address	Release date	Description	Impact
v0.7.0.5-g8cc37b6-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.7.0.5-g8cc37b6-aliyun	2021-12-03	Kubernetes 1.22 is supported. security-inspector 0.7.0.5 and later versions support only clusters that run Kubernetes 1.16 and later. The ARM64 architecture is supported.	No impact on workloads

September 2021

Version	Image address	Release date	Description	Impact

Version	Image address	Release date	Description	Impact
v0.6.0.4-gc12ad66-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.6.0.4-gc12ad66-aliyun	2021-09-20	Center for Internet Security (CIS) Kubernetes V1.20 Benchmark v1.0.0 is supported. Case sensitivity is removed for the capabilitiesAdded inspection item. For more information, see Use the inspection feature to detect security risks in the workloads of an ACK cluster.	No impact on workloads

June 2021

Version	Image address	Release date	Description	Impact

Version	Image address	Release date	Description	Impact
v0.5.0.2-g5e33765-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.5.0.2-g5e33765-aliyun	2021-06-24	The issue that inspection reports are not displayed as expected when one Simple Log Service project is shared among multiple clusters is fixed.	No impact on workloads

March 2021

Version	Image address	Release date	Description	Impact

Version	Image address	Release date	Description	Impact
v0.4.0.0-g541eb31-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.4.0.0-g541eb31-aliyun	2021-03-15	The CIS Kubernetes benchmark is supported. The following Kubernetes events are added. You can find the events in the event center of your cluster when a scan is triggered. SecurityInspectorConfigAuditStart: Configuration inspection is started. SecurityInspectorConfigAuditFinished: Configuration inspection is complete. SecurityInspectorConfigAuditHighRiskFound: High-risk configurations are found after configuration inspection is complete. SecurityInspectorBenchmarkStart: The benchmark check is started. SecurityInspectorBenchmarkFinished: The benchmark check is complete. SecurityInspectorBenchmarkFailedCheckFound: Failed inspection items are found after the benchmark check is complete.	No impact on workloads

January 2021

Version	Image address	Release date	Description	Impact

Version	Image address	Release date	Description	Impact
v0.3.0.2-gcb49252-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.3.0.2-gcb49252-aliyun	2021-01-05	Permissions of anonymous users can be scanned to identify risky RBAC permissions that are granted to the users.	No impact on workloads

December 2020

Version	Image address	Release date	Description	Impact

Version	Image address	Release date	Description	Impact
v0.2.0.22-gd1fbaff-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.2.0.22-gd1fbaff-aliyun	2020-12-16	Custom Resource Definitions (CRDs) can be used to store the latest inspection results. Specified inspection items can be enabled or disabled based on your needs. The workload whitelist feature is supported.	No impact on workloads

July 2020

Version	Image address	Release date	Description	Impact

Version	Image address	Release date	Description	Impact
v0.1.0.3-g69f71f6-aliyun	registry.cn-hangzhou.aliyuncs.com/acs/security-inspector:v0.1.0.3-g69f71f6-aliyun	2020-07-06	Inspection tasks can be manually triggered to inspect the workloads in your cluster and generate inspection reports.	No impact on workloads

Overview

Usage notes

Release notes

March 2025

January 2025

October 2024

August 2024

July 2024

March 2024

February 2024

December 2023

June 2023

April 2023

February 2023

December 2022

August 2022

June 2022

April 2022

February 2022

December 2021

September 2021

June 2021

March 2021

January 2021

December 2020

July 2020

Sales Support

Technical Support

Connect & Report Abuse

About Alibaba Cloud

Our Global Network

Quick Start

Global Offices

Olympic Games Paris 2024 New

Stade Roland Garros – Glitz from the Past New

Place de la Concorde – “Breaking” the Barriers New

Vaires-sur-Marne Nautical Stadium – Sports with Sustainability New

International Broadcast Center – Images, Sounds, and Data that Captivate Billions New

Customer Success Stories New

Trust Center

Security & Compliance Center

Cloud Compliance Resources

Security Compliance FAQs

Product & Feature Update New

Cloud Forward

Press Room

Alibaba Cloud e-Magazine New

Alibaba Cloud in Analyst Research

Notice

Go Global Service New

Go Global Alliance with Alibaba Cloud

Asia Accelerator Hot

Information Compliance

China Gateway - MLPS 2.0 Compliance New

China Gateway - Networking

China Gateway - Global Application Acceleration New

China Gateway - Security

China Gateway - Data Security New

ICP Support Hot

China Gateway - Omnichannel Data Mid-End New

China Gateway - Organizational Data Mid-End New

China Gateway - Business Mid-End New

China Gateway - AI Service for Conversational Chatbots New

China Gateway - Online Education

China Gateway - Domain Registration

Work at Alibaba Cloud

Experienced Professionals

Students and Graduates

Free Trial

Pricing

Promo Center

Price Reduction

Pay Less and Deploy More

FinOps

Elastic Compute Service (ECS)

Simple Application Server (SAS)

Elastic GPU Service

Elastic Desktop Service (EDS)

Object Storage Service (OSS)

Cloud Enterprise Network (CEN)

Web Application Firewall (WAF)

Domain Names

Container Compute Service (ACS)

Secure Access Service Edge (SASE)

Intelligent Media Services(IMS)

Edge Security Acceleration (ESA)(Original DCDN)

Intelligent Media Management

DingTalk Enterprise

YiDA

Alibaba Cloud Model Studio

Apsara Prime - For Easy Cloud Product Selection

Alibaba Cloud ECS - Cater All Your Cloud Hosting Needs

1TB CDN—Get Free 1 TB Outbound Traffic Plan Now

Security—Under Attack? Get Free Security Support

Short Message Service - Free Testing is Available

Elastic Compute Service (ECS) Hot

CloudBox

Compute Nest

Dedicated Host Hot

ECS Bare Metal Instance

Elastic GPU Service Featured

Simple Application Server (SAS) Hot

Auto Scaling

Cloud Phone Beta

Elastic Desktop Service (EDS) Featured

Batch Compute

Elastic High Performance Computing (E-HPC)

Super Computing Cluster (SCC)

Function Compute (FC)