Security Center provides integrated capabilities to protect your containers, and prevents and detects threats to containers in real time. The threats include vulnerabilities, configuration compliance risks, attacks, and intrusions. After you add your container assets to Security Center, you can manage them from a single place. This topic describes how to view the security information about container assets.
Limits
Only the Ultimate edition of Security Center supports this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.
Prerequisites
Your container assets are added to Security Center. For more information, see Add image repositories to Security Center and Connect a self-managed Kubernetes cluster to Security Center.
If you want to view the alerts on container clusters, you must enable the threat detection feature for Kubernetes containers. For more information, see Enable features on the Container Protection Settings tab.
Synchronize the information about the most recent container assets
Before you view the information about container assets, you must synchronize the information about the most recent container assets. This ensures that the information about newly added container assets is displayed in the asset list.
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
On the Container page, click the Cluster or Image tab, and click Synchronize Assets.
Optional. In the upper-right corner of the Container page, click Task Management. On the Container Asset Synchronization and Synchronize Image Asset tabs of the Task Management panel, view the progress, status, and details of a synchronization task.
Manage a cluster
View cluster information
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
On the Cluster tab of the Container page, view the number of connected clusters, the number of at-risk clusters, and a list of connected clusters.
Search for a cluster
You can specify a search condition in the search box above the list to search for a cluster. The search conditions include the cluster ID and cluster type.
View the risk details of a cluster
Click the name of the cluster or click View in the Actions column to go to the risk details page of the cluster. You can view the statistics of alerts, vulnerabilities, baseline risks, and alerts generated by the container firewall feature. You can also view the list of corresponding risks.
Perform exposure analysis on a cluster
If a container port is reachable from the Internet, the workload behind it can be attacked directly and data may be leaked. Security Center provides the port exposure analysis feature for container clusters. You can use the feature to check whether a public port of a container cluster is exposed and close the exposure before it is exploited.
The port exposure analysis feature is available for Container Service for Kubernetes (ACK) managed clusters and ACK dedicated clusters.
Perform exposure analysis.
You can use one of the following methods to perform exposure analysis on a cluster:
Automatic exposure analysis: After a Kubernetes cluster is connected, Security Center automatically synchronizes full data in the cluster in the early morning every day and performs exposure analysis on all connected clusters.
Manual exposure analysis: You can go to the Cluster tab of the Container page, find the required cluster, and then click Exposure Analysis in the Actions column.
Optional. In the upper-right corner of the Container page, click Task Management. On the Container Exposure tab of the Task Management panel, view the progress and details of the exposure analysis task.
View the execution result of the exposure analysis task.
On the Container page, click the name of the current cluster.
On the page that appears, select Container from the drop-down list and set Exposed to Yes.
Move the pointer over the icon in the Exposed column to view the exposed port of the container cluster.
If you no longer require the port that is exposed to the Internet, we recommend that you disable the port at the earliest opportunity to reduce security risks.
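The console procedure above shows the result of exposure analysis but not how to reproduce the check yourself. The following script is an added example, not Security Center's own analysis logic (which this page does not describe): it applies the same idea to the output of `kubectl get svc -A -o json` and flags Services that publish a port outside the cluster network. The Service list is a constructed sample embedded in the script, not data from a real cluster, and the address 203.0.113.10 is from the RFC 5737 documentation range and is treated as public here.

```python
import ipaddress
import json
import sys

# Constructed sample shaped like `kubectl get svc -A -o json`, trimmed to the fields
# this check uses. Not real cluster data.
SAMPLE_SERVICES = json.dumps({
    "items": [
        {"metadata": {"namespace": "default", "name": "web"},
         "spec": {"type": "LoadBalancer",
                  "ports": [{"port": 80, "targetPort": 8080, "protocol": "TCP"}]},
         "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}}},
        {"metadata": {"namespace": "default", "name": "api"},
         "spec": {"type": "NodePort",
                  "ports": [{"port": 443, "nodePort": 30443, "protocol": "TCP"}]},
         "status": {"loadBalancer": {}}},
        {"metadata": {"namespace": "kube-system", "name": "metrics"},
         "spec": {"type": "ClusterIP",
                  "ports": [{"port": 9090, "protocol": "TCP"}]},
         "status": {"loadBalancer": {}}},
        # An internal load balancer: LoadBalancer type, but its address is private.
        {"metadata": {"namespace": "internal", "name": "db-lb"},
         "spec": {"type": "LoadBalancer",
                  "ports": [{"port": 3306, "protocol": "TCP"}]},
         "status": {"loadBalancer": {"ingress": [{"ip": "10.0.0.15"}]}}},
    ]
})

# Address ranges that are never reachable from the Internet. Documentation ranges
# such as 203.0.113.0/24 are deliberately not listed so the sample above is flagged.
_NON_PUBLIC_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def is_public(ip_str):
    """True if ip_str parses as an address outside every non-public range."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return not any(ip in net for net in _NON_PUBLIC_NETS)


def find_exposed_services(svc_json):
    """Return (namespace, name, type, port/protocol, reason) for each Service port
    that is reachable from outside the cluster network.

    - LoadBalancer: exposed only if the provisioned address is public (or a hostname).
    - NodePort: exposed on every node that has a public IP; flagged so it can be reviewed.
    - ClusterIP: never exposed, skipped.
    """
    exposed = []
    for item in json.loads(svc_json).get("items", []):
        ns = item["metadata"]["namespace"]
        name = item["metadata"]["name"]
        spec = item.get("spec", {})
        svc_type = spec.get("type", "ClusterIP")
        ingress = item.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        public_addrs = [e["ip"] for e in ingress if is_public(e.get("ip", ""))]
        public_addrs += [e["hostname"] for e in ingress if "hostname" in e]
        for p in spec.get("ports", []):
            proto = p.get("protocol", "TCP")
            if svc_type == "LoadBalancer" and public_addrs:
                exposed.append((ns, name, svc_type, f"{p['port']}/{proto}",
                                "load balancer has public address " + ", ".join(public_addrs)))
            elif svc_type == "NodePort" and "nodePort" in p:
                exposed.append((ns, name, svc_type, f"{p['nodePort']}/{proto}",
                                "NodePort is reachable on every node that has a public IP"))
    return exposed


if __name__ == "__main__":
    # Pipe real output in with `kubectl get svc -A -o json | python3 exposure_check.py -`;
    # without "-" the constructed sample is used.
    data = sys.stdin.read() if "-" in sys.argv[1:] else SAMPLE_SERVICES
    for row in find_exposed_services(data):
        print(*row, sep="\t")
```

On the sample, only the `web` LoadBalancer (80/TCP on a public address) and the `api` NodePort (30443/TCP) are reported; the ClusterIP Service and the internal load balancer with a private address are not. The script looks at Services only; Ingress resources, pods with `hostPort`, and nodes that expose ports through their own public IPs are additional exposure paths a complete review should cover.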
Manage an image
View image information
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
On the Image tab of the Container page, view the image information.
View overview information about images
In the section that displays overview information about images, you can view the information such as the number of at-risk images and the remaining quota on container image scan.
You can click Increase Quota in the Remaining Quota section to increase the quota on container image scan. For more information, see Upgrade and downgrade Security Center.
You can click Add in the Add Third-party Image Repository section to add third-party image repositories. For more information, see Add image repositories to Security Center.
View the list of image repositories
The list of image repositories displays the information about all image repositories that are added to Security Center. The information includes names, regions, types, and security status of image repositories. You can perform the following operations:
Search for an image repository
You can specify a search condition in the search box above the list to search for an image repository. The search conditions include Instance ID and Namespace.
View information about an image repository
Click the name of the image repository or click View in the Actions column of the image repository. On the details page of the image repository, you can view the names, versions, sizes, and risk statuses of all images in the image repository. You can also find an image version and click Handle in the Actions column to view information about the detected vulnerabilities or export the information as a list.
Synchronize Container Registry assets
Click Synchronize in the Actions column to enable automatic synchronization of assets in a Container Registry Enterprise Edition instance. After you enable automatic synchronization, the assets that are added to the Container Registry Enterprise Edition instance are automatically synchronized to the image list of Security Center.
Scan a container image
Security Center provides the container image scan feature to help you detect vulnerabilities, baseline risks, malicious samples, and sensitive files in your images before the images are run, which helps you secure the image runtime environment.
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
On the Image tab of the Container page, click Immediate Scan in the Container Image Scan section.
In the Quick Scan dialog box, select an image type and configure the scan scope based on your business requirements. Then, click OK.
For more information about how to configure the scan scope, see Scan images.
Optional. In the upper-right corner of the Container page, click Task Management. In the Task Management panel, click the Image Scan, Image Risk Fixing, and Container Runtime Image Scan tabs to view the information about image scans and risk fixing tasks.
References
The feature of container asset overview allows you to perform security-related operations on your assets, such as clusters, containers, images, and applications, in a visualized manner. The feature also displays the network topology of your containers, which allows you to manage your containers in a more efficient manner. For more information, see Use the container asset overview feature.
The Container Protection Settings tab in the Security Center console displays container-related features such as threat detection on Kubernetes containers and container escape prevention. You can enable the features to ensure the runtime security of your containers. For more information, see Enable features on the Container Protection Settings tab.
The container signature feature supports signing container images and verifying container image signatures. This feature ensures that only trusted container images are deployed and prevents unauthorized images from being started. This reinforces your asset security. For more information, see Use the container signature feature.
Security Center can detect system vulnerabilities, application vulnerabilities, baseline risks, and malicious image samples in your images, and displays the detected risks by category. You can view risk details and fix the risks. For more information, see View and handle detected image risks.
The security monitoring feature can monitor clusters and generate alerts for security risks. The security risks include startups of malicious container images, attacks by viruses or malware, intrusions into containers, container escapes, and high-risk operations. For more information, see Use security monitoring.