To use the container firewall feature of Security Center, you must create a source network object and a destination network object and then create defense rules. This topic describes how to create a network object.
Limits
Only the Ultimate edition of Security Center supports this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.
Prerequisites
The malicious behavior defense feature is enabled for your assets. For more information, see Use the proactive defense feature.
Procedure
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
On the Container Firewall page, click the Network Object tab.
On the Network Object tab, click Create Network Object.
In the Create Network Object panel, configure the parameters. The following table describes the parameters.
Object Name
    Enter a name for the network object.
Namespace
    Select or enter the namespace to which the network object belongs.
    Note: You can enter the namespace of a cluster. Fuzzy match is supported. Example: a*.
Application Name
    Select or enter the name of the application to which the network object belongs.
    Note: You can enter the tag value of a pod whose tag key is app. Fuzzy match is supported. Example: a*.
Image
    Select or enter the image of the network object.
Tag
    Select or enter the tag of the pod that you want to protect. You can select one or more tags.
    Tags are the business attributes attached to a container after it starts in a Kubernetes (K8s) cluster. You can add custom tags to identify groups of containers; tags are the basic matching criteria for isolation rules.
Click OK.
The created network object is displayed on the Network Object tab.
You can find the network object and click Edit or Delete in the Actions column to modify or delete the network object.
You can also select multiple network objects and click Batch delete below the network object list to delete the selected network objects at once.
Note: You can delete a network object only if the network object is not added to a defense rule.
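As an added illustration, not Security Center's own code or API, the following Python model shows how the Namespace, Application Name, Image and Tag criteria from the table above resolve a network object to a set of pods, and how the deletion restriction in the note above applies. Glob-style semantics for the fuzzy match (a*), the pod inventory, the registry name and the tuple form of a defense rule are all assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

@dataclass
class Pod:
    name: str
    namespace: str
    image: str
    labels: Dict[str, str] = field(default_factory=dict)

@dataclass
class NetworkObject:
    """Model of a container firewall network object (assumed matching semantics)."""
    name: str
    namespace: Optional[str] = None   # fuzzy, e.g. "a*" matches any namespace starting with "a"
    app: Optional[str] = None         # fuzzy, matched against the pod label whose key is "app"
    image: Optional[str] = None       # matched against the pod image
    tags: Dict[str, str] = field(default_factory=dict)  # every tag must be present on the pod

    def matches(self, pod: Pod) -> bool:
        # Empty criteria act as wildcards; fnmatchcase gives glob-style fuzzy matching (assumed).
        if self.namespace and not fnmatchcase(pod.namespace, self.namespace):
            return False
        if self.app and not fnmatchcase(pod.labels.get("app", ""), self.app):
            return False
        if self.image and not fnmatchcase(pod.image, self.image):
            return False
        return all(pod.labels.get(k) == v for k, v in self.tags.items())

def select_pods(obj: NetworkObject, pods: List[Pod]) -> List[str]:
    """Return the sorted names of the pods the network object resolves to."""
    return sorted(p.name for p in pods if obj.matches(p))

def can_delete(obj: NetworkObject, rules: List[Tuple[str, str]]) -> bool:
    """A network object may be deleted only if no defense rule (source, destination) references it."""
    return not any(obj.name in pair for pair in rules)

# Constructed sample inventory: registry, namespaces and pod names are illustrative only.
PODS = [
    Pod("api-1", "app-prod", "registry.example.com/api:1.4", {"app": "api", "tier": "frontend"}),
    Pod("api-2", "app-staging", "registry.example.com/api:1.4", {"app": "api", "tier": "frontend"}),
    Pod("db-1", "app-prod", "registry.example.com/postgres:15", {"app": "db", "tier": "data"}),
    Pod("log-1", "kube-system", "registry.example.com/fluentd:1.16", {"app": "fluentd"}),
]

SRC = NetworkObject("frontend", namespace="app-*", app="api")          # source network object
DST = NetworkObject("database", namespace="app-prod", tags={"tier": "data"})  # destination object
RULES = [(SRC.name, DST.name)]   # one defense rule from source to destination (assumed shape)
```

Calling select_pods(SRC, PODS) and select_pods(DST, PODS) shows which pods each side of a rule would cover before the rule is created, and can_delete(DST, RULES) is False while the rule references the object.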
What to do next
After you create a source network object and a destination network object, you can create a defense rule to control traffic from the source network object to the destination network object. You can use the defense rule to allow, block, or generate alerts for unusual traffic from the source network object to the destination network object. For more information, see Create a defense rule.