Security in Container Service for Kubernetes (ACK) is a shared responsibility between Alibaba Cloud and you. Alibaba Cloud secures the underlying infrastructure and control plane — security of the cloud. You secure your workloads, configurations, and access controls — security in the cloud.
Understand this boundary before you design and deploy your systems on ACK.
What Alibaba Cloud is responsible for
Alibaba Cloud secures everything below the workload layer:
Control plane and etcd — Alibaba Cloud operates and secures all control plane components and the etcd datastore.
Infrastructure — the compute, storage, and network resources that the control plane runs on are protected by Alibaba Cloud platform security capabilities.
Security baselines — control plane component configurations and images are hardened based on security baselines, including Alibaba Cloud Linux Security Hardening.
Vulnerability notifications and patches — when OS or Kubernetes component vulnerabilities are discovered, Alibaba Cloud publishes vulnerability notices at the earliest opportunity and releases patches, new OS versions, or updated component versions.
Alibaba Cloud also provides security protection features and security best practices to help you meet enterprise-class cloud-native application security requirements.
What you are responsible for
Security O&M engineers on your team are responsible for the following:
Apply vulnerability patches — fix vulnerabilities related to operating systems, system components, and container runtimes based on the release notes, vulnerability patches, or version updates provided by Alibaba Cloud.
Configure securely — configure parameters for ACK clusters, node pools, and network resources following security practices. Improper parameter or permission settings can expose your cluster to attacks.
Enforce least privilege — grant only the permissions required to applications, accounts, or roles. Apply this principle when managing credentials, deploying security policies, and configuring security parameters.
Secure your supply chain — verify the integrity and provenance of the container images and other application artifacts you deploy to the cluster.
Protect sensitive data and runtime — protect the secrets and other sensitive data your applications use, and harden the environment in which they run.
Revoke kubeconfig access before deleting RAM users or roles — a kubeconfig file issued to a RAM user or RAM role keeps its Role-Based Access Control (RBAC) permissions after that user or role is deleted, so anyone holding the file can still use it against the cluster. Before deleting a RAM user or RAM role, revoke their kubeconfig file. For more information, see Revoke the kubeconfig file of a cluster.
Maintain edge nodes (ACK Edge clusters) — ensure the stability of edge nodes, fix OS security vulnerabilities, and perform version updates.
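The kubeconfig revocation item above is a reminder that deleting an identity does not clean up what the cluster still grants to it. The following added example (not code from the ACK documentation or from Alibaba Cloud) shows the companion check a practitioner would run before the deletion: walk the output of `kubectl get clusterrolebindings,rolebindings -A -o json`, list every binding that names the departing subject, and generate the exact `kubectl` commands that remove that subject. It runs offline over a constructed sample shaped like that kubectl output; the subject name `ram-user-alice` is a placeholder, so use the name that actually appears under `subjects` in your cluster's bindings. This RBAC cleanup complements revoking the kubeconfig as the page instructs; it does not replace it.

```python
"""Find and remove RBAC bindings for a subject before the identity behind it is deleted.

Added example, not from the ACK documentation. SAMPLE_BINDINGS is constructed
to look like `kubectl get clusterrolebindings,rolebindings -A -o json`; the
subject name "ram-user-alice" is a placeholder for whatever name ACK writes
into the binding for your RAM user or role.
"""
import json

# Constructed sample output; not captured from a real cluster.
SAMPLE_BINDINGS = {
    "kind": "List",
    "items": [
        {   # sole subject of a cluster-admin binding: delete the whole binding
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "cluster-admin-alice"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "User", "name": "ram-user-alice"}],
        },
        {   # one of several subjects: patch the subject out, keep the binding
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "viewers"},
            "roleRef": {"kind": "ClusterRole", "name": "view"},
            "subjects": [
                {"kind": "User", "name": "ram-user-bob"},
                {"kind": "User", "name": "ram-user-alice"},
                {"kind": "Group", "name": "devs"},
            ],
        },
        {   # namespaced RoleBinding shared with a ServiceAccount
            "kind": "RoleBinding",
            "metadata": {"name": "deployers", "namespace": "payments"},
            "roleRef": {"kind": "Role", "name": "deployer"},
            "subjects": [
                {"kind": "ServiceAccount", "name": "deployer", "namespace": "payments"},
                {"kind": "User", "name": "ram-user-alice"},
            ],
        },
        {   # unrelated binding: must not be touched
            "kind": "RoleBinding",
            "metadata": {"name": "ops", "namespace": "default"},
            "roleRef": {"kind": "Role", "name": "ops"},
            "subjects": [{"kind": "User", "name": "ram-user-bob"}],
        },
    ],
}


def find_bindings_for_subject(binding_list, subject_name, subject_kind="User"):
    """Return every binding whose subjects include (subject_kind, subject_name)."""
    matches = []
    for b in binding_list["items"]:
        subjects = b.get("subjects") or []
        idx = [i for i, s in enumerate(subjects)
               if s.get("kind") == subject_kind and s.get("name") == subject_name]
        if not idx:
            continue
        matches.append({
            "kind": b["kind"],
            "namespace": b["metadata"].get("namespace"),
            "name": b["metadata"]["name"],
            "role": f'{b["roleRef"]["kind"]}/{b["roleRef"]["name"]}',
            "subject_indexes": idx,
            "sole_subject": len(idx) == len(subjects),
        })
    return matches


def removal_commands(matches):
    """Build kubectl commands that drop the subject from each matched binding.

    A binding whose only subject is the departing identity is deleted outright.
    Otherwise a JSON patch removes just that subject; indexes are applied in
    descending order so earlier removals do not shift the later paths.
    """
    cmds = []
    for m in matches:
        ns = f"-n {m['namespace']} " if m["namespace"] else ""
        res = f"{m['kind'].lower()}/{m['name']}"
        if m["sole_subject"]:
            cmds.append(f"kubectl delete {ns}{res}")
        else:
            ops = [{"op": "remove", "path": f"/subjects/{i}"}
                   for i in sorted(m["subject_indexes"], reverse=True)]
            cmds.append(f"kubectl patch {ns}{res} --type=json -p='{json.dumps(ops)}'")
    return cmds


if __name__ == "__main__":
    found = find_bindings_for_subject(SAMPLE_BINDINGS, "ram-user-alice")
    for m in found:
        where = m["namespace"] or "<cluster>"
        print(f"{m['kind']} {where}/{m['name']} grants {m['role']}")
    print("\n".join(removal_commands(found)))
```

Run the generated commands only after reviewing them; bindings that grant `ClusterRole/cluster-admin` deserve a second look, and a subject that appears in a binding the script does not see (for example through a Group) still needs the kubeconfig revocation the page describes.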
Responsibility model by cluster type
The following table summarizes how responsibilities are distributed across four ACK cluster configurations.
| Layer | ACK managed cluster | ACK Serverless / ack-virtual-node | ACK managed cluster with managed node pools | ACK Edge cluster |
|---|---|---|---|---|
| Control plane and etcd | Alibaba Cloud | Alibaba Cloud | Alibaba Cloud | Alibaba Cloud |
| Infrastructure | Alibaba Cloud | Alibaba Cloud | Alibaba Cloud | Alibaba Cloud |
| Pod runtime (ECI) | — | Alibaba Cloud | — | — |
| Node OS patching | Customer | — | Alibaba Cloud (automated via Security Center) | Customer |
| kubelet version updates | Customer | — | Alibaba Cloud (automated) | Alibaba Cloud |
| Container runtime security | Customer | Customer | Customer | Customer |
| Workloads and applications | Customer | Customer | Customer | Customer |
| Cluster and network configuration | Customer | Customer | Customer | Customer |
| Access control and credentials | Customer | Customer | Customer | Customer |
| Edge node stability and OS | — | — | — | Customer |
If you use custom OS images to deploy nodes in your cluster, OS vulnerability patching must be done manually — automated patching through managed node pools does not apply.
Shared responsibility diagrams
ACK managed clusters
The following diagram shows the shared responsibility model for ACK managed clusters.
ACK Serverless clusters and ack-virtual-node
When you use ACK Serverless clusters or deploy ack-virtual-node in an ACK managed cluster, Alibaba Cloud also secures the Elastic Container Instance (ECI) that the pod runs on. A patch to that layer only applies to newly created instances, so recreate the pod after Alibaba Cloud releases a patch for the patch to take effect.
ACK managed clusters with managed node pools
When you use managed node pools, Alibaba Cloud automates OS vulnerability patching and kubelet version updates based on your node pool configuration. OS patches are sourced from Security Center.
ACK Edge clusters
For ACK Edge clusters, Alibaba Cloud manages the control plane and delivers Kubernetes updates — including vulnerability patches and version upgrades — for edge node pools. You are responsible for fixing vulnerabilities in system components and container runtimes based on Alibaba Cloud release notes and patches, and for maintaining the stability and OS security of edge nodes.