The Security Overview feature in ACK helps you identify and harden against risks related to nodes, container images, container runtimes, and workload configurations, improving the security governance of your cloud resources and business applications.
Usage notes
This feature is currently in invitational preview. To use this feature, submit a ticket.
Except for container runtime risks, data for other categories, including node vulnerabilities, image risks, and workload configuration risks, has a 24-hour delay. After you grant the initial authorization or fix a risk, you must wait 24 hours to view the latest data on the Security Overview page.
View the security overview
- Log on to the ACK console. In the left navigation pane, click Clusters.
- On the Clusters page, click the name of your cluster. In the left navigation pane, click Cluster Information.
- On the Cluster Information page, click the Security Overview tab.
The Security Overview page displays risks from two perspectives: the risk perspective and the asset perspective. For example, for node vulnerabilities, the risk perspective might show five High-severity risks in the cluster, while the asset perspective shows that the cluster has two node pools, one of which contains the High-severity risk. On the right side of the page, the Container Security Capabilities area provides quick access to Cluster Auditing, Policy Management, Container Runtime Security, Container Image Security, and Node Pool Security. Each item includes Use and Documentation links. At the bottom of the page, you can switch between risk categories to view specific vulnerability details, including the vulnerability name, associated CVE ID, the number of affected nodes, and the Repair action.
Category: Description
Cluster security risk: Displays the overall security status of the cluster.
Node vulnerabilities: Displays node vulnerability risks. This feature is enabled by default.
Image risks: Scans for security risks in container images from Container Registry Enterprise Edition. You must authorize this feature before use.
Container runtime risks: Detects and protects against container runtime risks in real time. This feature relies on Security Center for diagnostics and requires you to activate Security Center Ultimate or higher.
Workload configuration risks: Checks in real time whether your running application configurations have security flaws. This feature requires you to enable cluster inspection before use.
Cluster security risk
The cluster severity level indicates the security risk of your container cluster. The levels are defined as follows.
- Healthy: A cluster is rated as Healthy when no High-severity node vulnerabilities are present and scanning for all other risk categories (image, container runtime, and workload configuration) is enabled with no High-severity findings.
- High: When a High-severity node vulnerability or container runtime risk is detected, the cluster severity level is High.
- Medium: All other conditions result in a Medium severity level.
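The three rules above are easy to misread: a cluster with zero findings is still Medium, not Healthy, if image or inspection scanning was never enabled, and a High-severity image or workload configuration finding yields Medium rather than High. The following Python script is an added illustration of that rule set and is not part of the ACK product or its API; the data classes, the `cluster_severity` function, and the sample clusters are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Severity(str, Enum):
    HEALTHY = "Healthy"
    MEDIUM = "Medium"
    HIGH = "High"


@dataclass(frozen=True)
class CategoryStatus:
    """State of one risk category as it appears on the Security Overview page."""
    enabled: bool            # scanning / authorization for this category is on
    high_findings: int = 0   # number of High-severity findings reported


@dataclass(frozen=True)
class ClusterFindings:
    node_vulnerabilities: CategoryStatus
    image_risks: CategoryStatus
    container_runtime_risks: CategoryStatus
    workload_config_risks: CategoryStatus


def cluster_severity(f: ClusterFindings) -> tuple[Severity, str]:
    """Apply the page's three rules, most severe first.

    Returns the level plus a one-line reason so an operator sees which rule
    fired instead of only the colour of the badge.
    """
    # Rule "High": any High node vulnerability or High container runtime risk.
    if f.node_vulnerabilities.high_findings > 0:
        return Severity.HIGH, "High-severity node vulnerability present"
    if f.container_runtime_risks.high_findings > 0:
        return Severity.HIGH, "High-severity container runtime risk present"

    # Rule "Healthy": no High node vulnerabilities (already true at this point)
    # AND every other category is enabled AND none reports a High finding.
    others = {
        "image risks": f.image_risks,
        "container runtime risks": f.container_runtime_risks,
        "workload configuration risks": f.workload_config_risks,
    }
    disabled = [name for name, c in others.items() if not c.enabled]
    if disabled:
        # No scan data is not the same as no risk: the cluster cannot be Healthy.
        return Severity.MEDIUM, "scanning not enabled for: " + ", ".join(disabled)
    with_high = [name for name, c in others.items() if c.high_findings > 0]
    if with_high:
        # High image / workload-config findings are Medium, not High, per the rules.
        return Severity.MEDIUM, "High-severity findings in: " + ", ".join(with_high)
    return Severity.HEALTHY, "all categories enabled with no High-severity findings"


# Constructed sample clusters (not real data), one per rule plus the
# "category never enabled" edge case.
ON = CategoryStatus(enabled=True)
OFF = CategoryStatus(enabled=False)
SAMPLE_CLUSTERS = {
    "prod-a": ClusterFindings(ON, ON, ON, ON),
    "prod-b": ClusterFindings(CategoryStatus(True, high_findings=5), ON, ON, ON),
    "prod-c": ClusterFindings(ON, ON, CategoryStatus(True, high_findings=1), ON),
    "prod-d": ClusterFindings(ON, CategoryStatus(True, high_findings=2), ON, ON),
    "dev-e": ClusterFindings(ON, OFF, ON, OFF),
}


def report(clusters=SAMPLE_CLUSTERS) -> dict[str, str]:
    """Map each cluster name to its computed severity level."""
    return {name: cluster_severity(f)[0].value for name, f in clusters.items()}


if __name__ == "__main__":
    for name, findings in SAMPLE_CLUSTERS.items():
        level, why = cluster_severity(findings)
        print(f"{name:8s} {level.value:8s} {why}")
```

The reason string matters in practice: a Medium badge on `dev-e` is caused by image scanning and inspection not being enabled at all, which is fixed by authorization rather than by remediation, while the Medium on `prod-d` is a real High-severity image finding that needs the Fix workflow described under Image risks.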
Node vulnerabilities
Node vulnerability scanning is enabled by default.
On the Security Overview page, click the Node Vulnerabilities tab to view a list of node vulnerabilities. The list includes the corresponding node pool and the number of affected nodes in that pool. Click Repair to go to the Node Pool Details page to fix the vulnerability. For more information about fixing CVE vulnerabilities in a node pool, see Fix CVEs in the operating systems of nodes in a node pool.
After you fix a vulnerability, you must wait 24 hours for the data on the Security Overview page to be updated.
Image risks
To use this feature, you must first grant the required permissions. On the Image Risks card, click Authorize Now and follow the on-screen instructions to complete the authorization. You can also click Revoke Permission to disable the image risk analysis feature.
After authorization, there is a 24-hour delay before the number of running container images in the cluster and their associated security risks from Container Registry Enterprise Edition are displayed.
On the Security Overview page, click the Image Risks tab to view the list of image risks. The list includes details such as the image address, affected containers, and scan time. Click Fix to go to the corresponding image risk details page in Container Registry Enterprise Edition to view risk details and perform remediation.
After you fix a risk, you must wait 24 hours for the data on the Security Overview page to be updated.
Container runtime risks
Container runtime risk analysis relies on Security Center for diagnostics. You must first purchase Security Center Advanced Edition or a higher version. For more information, see Purchase Security Center. After purchasing Security Center, you can view container runtime risks and enable real-time protection.
On the Security Overview page, click the Container Runtime Risks tab to view the list of container runtime risks. The list includes the names and descriptions of alerts. Click Handle to go to the Security Monitoring page to manage the risk.
Workload configuration risks
You must first enable the cluster inspection feature. After you enable it, there is a 24-hour delay before the workload configuration status and risks for the current cluster are displayed. For detailed instructions, see Perform an inspection.
On the Security Overview page, click the Workload Configuration Risks tab to view risk descriptions and recommended hardening suggestions. Click View Details to go to the cluster's Inspections page to fix the risks.
After you fix a risk, you must wait 24 hours for the data on the Security Overview page to be updated.