Use container firewall to control access traffic in container environments for network isolation - Security Center

Security Center provides the container firewall feature. The feature delivers firewall capabilities to protect containers. If attackers exploit vulnerabilities or malicious images to intrude into clusters, the container firewall feature generates alerts or blocks attacks on containers.

Limits

Only the Ultimate edition of Security Center supports this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.

How container firewall works

In the container firewall module, network objects are used to identify container applications. The information about a network object includes the namespace to which a container application belongs, the name of the container application, the image of the container application, and the labels of the container application. You can create a defense rule to protect a cluster based on network objects. The defense rule can detect and block unusual traffic that is destined for the cluster.

Note

If the interceptable status of a cluster is abnormal, you cannot enable defense for the cluster and the defense rule does not take effect. You must handle exceptions at the earliest opportunity. For more information, see Troubleshoot the issues causing the abnormal blocking status of a cluster.

Supported operating system versions

A cluster defense rule can be enabled based on the AliNet plug-in. The AliNet plug-in is used to block malicious network behavior such as suspicious network connections, Domain Name System (DNS) hijacking, and brute-force attacks. Before you use the container firewall feature, make sure that your cluster nodes run an operating system whose kernel version is supported by the AliNet plug-in. If your cluster nodes run an operating system whose kernel version is not supported by the AliNet plug-in, the defense rule that you create for your cluster does not take effect. The following table describes the operating systems and kernel versions of the operating systems that are supported by the container firewall feature.

Operating system	Kernel version
CentOS	3.10.0 series 3.10.0-123.9.3.el7.x86_64 3.10.0-229.el7.x86_64 3.10.0-229.14.1.el7.x86_64 3.10.0-327.el7.x86_64 3.10.0-327.10.1.el7.x86_64 3.10.0-327.13.1.el7.x86_64 3.10.0-327.18.2.el7.x86_64 3.10.0-327.22.2.el7.x86_64 3.10.0-327.36.3.el7.x86_64 3.10.0-514.el7.x86_64 3.10.0-514.2.2.el7.x86_64 3.10.0-514.6.1.el7.x86_64 3.10.0-514.6.2.el7.x86_64 3.10.0-514.10.2.el7.x86_64 3.10.0-514.16.1.el7.x86_64 3.10.0-514.21.1.el7.x86_64 3.10.0-514.21.2.el7.x86_64 3.10.0-514.26.2.el7.x86_64 3.10.0-693.el7.x86_64 3.10.0-693.2.2.el7.x86_64 3.10.0-693.5.2.el7.x86_64 3.10.0-693.11.1.el7.x86_64 3.10.0-693.11.6.el7.x86_64 3.10.0-693.17.1.el7.x86_64 3.10.0-693.21.1.el7.x86_64 3.10.0-862.el7.x86_64 3.10.0-862.2.3.el7.x86_64 3.10.0-862.3.2.el7.x86_64 3.10.0-862.3.3.el7.x86_64 3.10.0-862.6.3.el7.x86_64 3.10.0-862.9.1.el7.x86_64 3.10.0-862.11.6.el7.x86_64 3.10.0-862.14.4.el7.x86_64 3.10.0-957.el7.x86_64 3.10.0-957.1.3.el7.x86_64 3.10.0-957.5.1.el7.x86_64 3.10.0-957.10.1.el7.x86_64 3.10.0-957.12.1.el7.x86_64 3.10.0-957.12.2.el7.x86_64 3.10.0-957.21.2.el7.x86_64 3.10.0-957.21.3.el7.x86_64 3.10.0-957.27.2.el7.x86_64 3.10.0-1062.el7.x86_64 3.10.0-1062.1.1.el7.x86_64 3.10.0-1062.1.2.el7.x86_64 3.10.0-1062.4.1.el7.x86_64 3.10.0-1062.4.2.el7.x86_64 3.10.0-1062.4.3.el7.x86_64 3.10.0-1062.7.1.el7.x86_64 3.10.0-1062.9.1.el7.x86_64 3.10.0-1062.12.1.el7.x86_64 3.10.0-1062.18.1.el7.x86_64 3.10.0-1127.el7.x86_64 3.10.0-1127.8.2.el7.x86_64 3.10.0-1127.10.1.el7.x86_64 3.10.0-1127.13.1.el7.x86_64 3.10.0-1127.18.2.el7.x86_64 3.10.0-1127.19.1.el7.x86_64 3.10.0-1160.el7.x86_64 3.10.0-1160.2.2.el7.x86_64 3.10.0-1160.6.1.el7.x86_64 3.10.0-1160.11.1.el7.x86_64 3.10.0-1160.15.2.el7.x86_64 3.10.0-1160.21.1.el7.x86_64 3.10.0-1160.24.1.el7.x86_64 3.10.0-1160.25.1.el7.x86_64 3.10.0-1160.31.1.el7.x86_64 3.10.0-1160.36.2.el7.x86_64 3.10.0-1160.41.1.el7.x86_64 3.10.0-1160.42.2.el7.x86_64 3.10.0-1160.45.1.el7.x86_64 3.10.0-1160.49.1.el7.x86_64 3.10.0-1160.53.1.el7.x86_64 3.10.0-1160.59.1.el7.x86_64 3.10.0-1160.62.1.el7.x86_64 3.10.0-1160.66.1.el7.x86_64 3.10.0-1160.71.1.el7.x86_64 3.10.0-1160.76.1.el7.x86_64 3.10.0-1160.80.1.el7.x86_64 3.10.0-1160.81.1.el7.x86_64 3.10.0-1160.83.1.el7.x86_64 3.10.0-1160.88.1.el7.x86_64 4.19.X series 4.19.12-1.el7.elrepo.x86_64 4.19.94-300.el7.x86_64 4.19.104-300.el7.x86_64 4.19.113-300.el7.x86_64
Alibaba Cloud Linux (64-bit)	3.10.0 series 3.10.0-957.27.2.al7.1.x86_64 3.10.0-1062.12.1.al7.1.x86_64 3.10.0-1062.4.1.al7.1.x86_64 3.10.0-1160.al7.1.x86_64 3.10.0-1127.8.2.al7.1.x86_64 3.10.0-1127.13.1.al7.1.x86_64 3.10.0-1127.19.1.al7.1.x86_64 4.19.X series 4.19.24-7.al7.x86_64 4.19.24-7.14.al7.x86_64 4.19.43-13.2.al7.x86_64 4.19.57-15.1.al7.x86_64 4.19.81-17.al7.x86_64 4.19.81-17.2.al7.x86_64 4.19.91-18.al7.x86_64 4.19.91-19.1.al7.x86_64 4.19.91-19.2.al7.x86_64 4.19.91-21.al7.x86_64 4.19.91-21.2.al7.x86_64 4.19.91-22.al7.x86_64 4.19.91-22.2.al7.x86_64 4.19.91-23.al7.x86_64 4.19.91-23.1.al7.x86_64 4.19.91-24.al7.x86_64 4.19.91-24.1.al7.x86_64 4.19.91-25.al7.x86_64 4.19.91-25.1.al7.x86_64 4.19.91-25.3.al7.x86_64 4.19.91-25.6.al7.x86_64 4.19.91-25.7.al7.x86_64 4.19.91-25.8.al7.x86_64 4.19.91-26.al7.x86_64 4.19.91-26.1.al7.x86_64 4.19.91-26.2.al7.x86_64 4.19.91-26.3.al7.x86_64 4.19.91-26.4.al7.x86_64 4.19.91-26.5.al7.x86_64 4.19.91-26.6.al7.x86_64 4.19.91-27.al7.x86_64 4.19.91-27.1.al7.x86_64

Procedure

To configure and use container firewall, perform the following steps:

Create a source network object and a destination network object. For more information, see Create a network object.
Create and enable a defense rule. For more information, see Create a defense rule.
Enable defense for a cluster. For more information, see Manage the defense status and defense rules of a cluster.
View alerts that are generated when a defense rule is triggered. For more information, see View details on the Protection Status tab.