Container Service for Kubernetes (ACK) provides the security overview feature to identify and remediate risks across nodes, container images, container runtimes, and workload configurations, improving security governance for your cloud resources and business applications.
Usage notes
This is a whitelist feature. To use it, please submit a ticket.
Except for container runtime risks, data for node vulnerabilities, container image risks, and workload configuration risks is delayed by 24 hours. After you enable this feature or remediate a risk, the latest data is available on the Security Overview page after 24 hours.
View the security overview
Log on to the ACK console. In the left navigation pane, click Clusters.
On the Clusters page, click the name of your cluster. In the left navigation pane, click Cluster Information.
On the Cluster Information page, click the Security Overview tab.
The Security Overview page displays risks from two perspectives: risk and asset. The data in the red-boxed area shows the analysis from the risk perspective, and the data in the blue-boxed area shows the analysis from the asset perspective. For example, for node vulnerabilities, the risk perspective might show five high-risk findings in the cluster. The asset perspective shows that only one of two node pools is affected. The Security Overview page shows that the cluster severity level is High. The risk statistics include one high-risk node vulnerability, one high-risk container image risk, zero high-risk container runtime risks, and three high-risk workload configuration alerts. Asset statistics show the ratio of affected assets to total assets, including node pools, images, pods, and workloads. The Container Security Capabilities Overview section on the right provides quick access to features and documentation for cluster auditing, policy management, container runtime security, container image security, and node pool security. The table at the bottom displays details of specific vulnerabilities, including the node pool name, risk level, vulnerability bulletin, associated CVEs, and the number of affected nodes.
Category
Description
Displays the overall security status of the cluster.
Displays node vulnerability risks. This feature is enabled by default.
Identifies security risks in container images from Container Registry Enterprise Edition (ACR EE). Authorization is required to use this feature.
Displays container runtime risks and provides real-time protection. Container runtime risk analysis is based on Security Center. You must activate the Ultimate of Security Center to use this feature.
Identifies security risks in the configurations of running applications in real time. You must enable the cluster inspection feature to use this feature.
Cluster severity level
The cluster severity level indicates the security risk level of the cluster. The levels are defined as follows.
Healthy
The cluster severity level is healthy if no high-risk node vulnerabilities are found, and scans for container image risks, container runtime risks, and workload configuration risks are enabled and detect no high-risk findings.
High
The cluster severity level is high if high-risk node vulnerabilities or high-risk container runtime risks are detected.
Medium
In all other cases, the cluster severity level is medium.
Node vulnerabilities
Node vulnerability scanning is enabled by default.
On the Security Overview page, click the Node Vulnerabilities tab to view a list of vulnerabilities. The list includes the corresponding node pools and the number of affected nodes in each pool. Click Repair to navigate to the Node Pool Details page to fix the vulnerabilities. For more information about how to fix CVEs for a node pool, see Fix operating system CVEs for a node pool.
After you remediate the vulnerabilities, it takes 24 hours for the data on the Security Overview page to be updated.
Container image risks
You must grant permissions to Container Registry (ACR). Click Image Risks on the Authorize Now card and follow the on-screen instructions to grant the permissions. You can also click Revoke Permission to disable the container image risk analysis capability.
After you grant the required permissions, there is a 24-hour delay before the Security Overview page displays the number of running container images in the cluster and their associated security risks from Container Registry Enterprise Edition (ACR EE).
On the Security Overview page, click the Image Risks tab to view a list of container image risks. The list includes details such as the container image address, affected containers, and scan time. Click Fix to navigate to the image risk details page in ACR EE to view and remediate the risks.
After you remediate the risks, it takes 24 hours for the data on the Security Overview page to be updated.
Container runtime risks
Container runtime risk analysis is based on Security Center. You must purchase the Advanced Edition or higher of Security Center in advance. For more information, see Purchase Security Center. After purchasing Security Center, view container runtime risks and enable real-time protection.
On the Security Overview page, click the Container Runtime Risks tab to view a list of container runtime risks. The list includes the alert name and description. Click Handle to navigate to the Security Monitoring page to manage the risk.
Workload configuration risks
Enable the configuration inspection feature in advance. After you enable cluster inspection, there is a 24-hour delay before the system displays the workload configurations and risks in your cluster. For more information, see Perform an inspection.
On the Security Overview page, click the Workload Configuration Risks tab to view risk descriptions and hardening recommendations. Click View Details to navigate to the Inspections page to remediate the risks.
After you remediate the risks, it takes 24 hours for the data on the Security Overview page to be updated.