Alibaba Cloud secures the ACK control plane and infrastructure; you secure your workloads and cluster configuration.
Understand this boundary to identify which security tasks require your action.
What Alibaba Cloud is responsible for
Alibaba Cloud secures the control plane and its underlying infrastructure:
- Control plane infrastructure: Computing, storage, and network resources that underpin ACK control planes.
- Control plane hardening: Configurations and images are hardened against baselines from security features such as Alibaba Cloud Linux Security Hardening.
- Vulnerability notifications: When OS or Kubernetes vulnerabilities are found, Alibaba Cloud publishes notices and provides patches, OS updates, or component updates.
- Security tooling: Alibaba Cloud provides security protection features and security best practices for cloud-native application lifecycle management.
What you are responsible for
You secure everything you deploy and configure on the cluster:
| Layer | Responsibility |
|---|---|
| OS and runtime | Apply OS, system component, and container runtime patches based on Alibaba Cloud notices. |
| Cluster configuration | Configure ACK clusters, node pools, and network resources following security principles. Avoid exploitable security or permission settings. |
| Access control | Follow the principle of least privilege. Grant only required permissions to applications, accounts, and roles when managing credentials, deploying security policies, and configuring security parameters. |
| Supply chain | Ensure supply chain security for application artifacts. |
| Data and runtime security | Protect sensitive data and secure the application runtime environment. |
| Offboarding | When you delete RAM users or RAM roles for resigned employees or untrusted individuals, their Role-Based Access Control (RBAC) permissions in the kubeconfig file are not automatically revoked. Revoke the kubeconfig credential before deleting the RAM user or RAM role. See Revoke a KubeConfig credential. |
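The Offboarding row points out that deleting a RAM user or role does not clean up the RBAC bindings that reference it. The following script is an added example (not from the ACK documentation or the ACK tooling) that audits exported RBAC bindings for a subject you are about to offboard, so you can confirm nothing is left behind after the kubeconfig is revoked. It assumes you know the subject name as it appears in the bindings (for an ACK RAM user this is assumed to be the RAM user's UID; check the convention in your own cluster) and that the bindings were exported with `kubectl get clusterrolebindings,rolebindings -A -o json`. The JSON sample embedded below is constructed for the example.

```python
"""Audit Kubernetes RBAC bindings for a subject that is being offboarded.

Added example, not part of the ACK documentation. Assumptions:
  - the subject name in RBAC bindings is known (assumed here to be the RAM
    user's UID; verify the naming convention in your cluster)
  - bindings were exported with:
        kubectl get clusterrolebindings,rolebindings -A -o json
The sample input below is constructed, not captured from a real cluster.
"""
import json

# Constructed sample of a trimmed `kubectl get ... -o json` result.
SAMPLE_BINDINGS_JSON = json.dumps({
    "items": [
        {
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "ops-admin"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "User", "name": "210000000000000001"}],
        },
        {
            "kind": "RoleBinding",
            "metadata": {"name": "dev-edit", "namespace": "team-a"},
            "roleRef": {"kind": "ClusterRole", "name": "edit"},
            "subjects": [
                {"kind": "User", "name": "210000000000000001"},
                {"kind": "User", "name": "210000000000000002"},
            ],
        },
        {
            "kind": "RoleBinding",
            "metadata": {"name": "app-view", "namespace": "team-b"},
            "roleRef": {"kind": "Role", "name": "view-only"},
            "subjects": [
                {"kind": "ServiceAccount", "name": "app", "namespace": "team-b"}
            ],
        },
    ]
})


def find_bindings_for_subject(bindings_json, subject_name, subject_kind="User"):
    """Return (binding kind, namespace or None, binding name, role) for every
    binding that still lists the given subject. A ClusterRoleBinding has no
    namespace, which marks it as cluster-wide in the report."""
    doc = json.loads(bindings_json)
    hits = []
    for item in doc.get("items", []):
        # `subjects` may be absent or null on a binding with no subjects.
        for subj in item.get("subjects") or []:
            if subj.get("kind") == subject_kind and subj.get("name") == subject_name:
                meta = item["metadata"]
                role = item["roleRef"]
                hits.append((item["kind"], meta.get("namespace"), meta["name"],
                             f'{role["kind"]}/{role["name"]}'))
                break  # one hit per binding is enough
    return hits


def remaining_bindings_report(bindings_json, subject_name, subject_kind="User"):
    """Human-readable summary of what must still be removed before the
    RAM user or role is deleted."""
    hits = find_bindings_for_subject(bindings_json, subject_name, subject_kind)
    if not hits:
        return f"no RBAC bindings reference {subject_kind} {subject_name}"
    lines = [f"{len(hits)} binding(s) still reference {subject_kind} {subject_name}:"]
    for kind, ns, name, role in hits:
        scope = ns if ns else "cluster-wide"
        lines.append(f"  {kind} {name} ({scope}) -> {role}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed UID standing in for the RAM user being offboarded.
    print(remaining_bindings_report(SAMPLE_BINDINGS_JSON, "210000000000000001"))
```

Run it against a real export by replacing `SAMPLE_BINDINGS_JSON` with the file produced by the `kubectl get` command above; any binding it reports should be deleted (or its subject removed) before the RAM user or RAM role itself is deleted, otherwise the binding keeps pointing at a subject that no longer exists.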
Responsibility boundaries by cluster type
The responsibility boundary shifts by cluster type.
ACK managed clusters
ACK Serverless clusters and ack-virtual-node
With ACK Serverless clusters or ack-virtual-node in managed clusters, Alibaba Cloud secures the control plane, infrastructure, and the Elastic Container Instance (ECI) running each pod. Recreate pods for patches to take effect.
Managed node pools in ACK managed clusters
With managed node pools, Alibaba Cloud automates OS vulnerability patching and kubelet updates based on your node pool configuration. Security Center provides OS patches. For nodes with custom OS images, patch OS vulnerabilities manually.