The ACK security overview feature helps you identify and mitigate risks in nodes, container images, container runtimes, and workload configurations. This helps improve the efficiency of security governance for your cloud resources and business applications. This topic describes how to use the security overview feature of ACK.
Usage notes
This feature is available by invitation only. To request access, submit a ticket.
Except for container runtime risk data, other risk data, including node vulnerabilities, image risks, and workload configuration risks, is subject to a 24-hour delay. After you grant the required permissions or fix a risk, you must wait 24 hours for the updated data to appear on the Security Overview page.
View the security overview
1. Log on to the ACK console. In the left navigation pane, click Clusters.
2. On the Clusters page, click the name of your cluster. In the left navigation pane, click Cluster Information.
3. On the Cluster Information page, click the Security Overview tab.
The Security Overview page presents risk data from two perspectives: risk and asset. For example, for node vulnerabilities, the risk perspective may show five high-risk vulnerabilities in the cluster, while the asset perspective indicates that these vulnerabilities affect only one of the two node pools in the cluster.
The Security Overview page is organized into the following categories:
- Cluster severity level: Displays the overall security status of the cluster.
- Node vulnerability: Displays node vulnerability risks. This feature is enabled by default.
- Image risk: Identifies security risks in container images from Container Registry Enterprise Edition. Authorization is required to use this feature.
- Container runtime risk: Provides real-time visibility into container runtime risks and enables runtime protection. Container runtime risk detection is based on Security Center and requires you to activate the Ultimate Edition of Security Center.
- Workload configuration risk: Helps you identify security risks in the configurations of running applications in real time. This feature requires cluster inspection to be enabled.
Cluster severity level
The cluster severity level indicates the overall security risk level of a container cluster. The levels are defined as follows:
- Healthy: A cluster's severity level is Healthy if no high-risk node vulnerabilities are found, scans for image risks, container runtime risks, and workload configuration risks are enabled, and no high-risk issues are found by these scans.
- High: A cluster's severity level is High if high-risk node vulnerabilities or container runtime risks are detected.
- Medium: Otherwise, the cluster's severity level is Medium.
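The following added example (not code from the ACK documentation or product) models the two perspectives described above for node vulnerabilities and applies the severity-level rules to sample findings. The data classes, field names and sample vulnerabilities are constructed for illustration; it assumes that "high-risk" applies to both node vulnerabilities and container runtime risks in the High rule.

```python
# Added example: risk vs. asset perspective for node vulnerabilities and
# derivation of the cluster severity level. Not part of the ACK docs; all
# names, fields and sample data below are constructed for illustration.
from dataclasses import dataclass


@dataclass
class NodeVuln:
    cve: str           # placeholder identifier, not a real CVE
    severity: str      # "high", "medium" or "low"
    node_pool: str     # node pool the vulnerable nodes belong to
    affected_nodes: int


@dataclass
class ScanState:
    """State of one optional scan (image, runtime or workload config)."""
    enabled: bool
    high_risk_findings: int = 0


def node_vuln_views(vulns, node_pools):
    """Risk perspective counts high-risk vulnerabilities; asset perspective
    counts how many of the cluster's node pools those vulnerabilities touch."""
    high = [v for v in vulns if v.severity == "high"]
    risk_view = {"high_risk_vulns": len(high)}
    asset_view = {"affected_node_pools": len({v.node_pool for v in high}),
                  "total_node_pools": len(node_pools)}
    return risk_view, asset_view


def cluster_severity(high_risk_node_vulns, image, runtime, workload):
    """The High rule is checked first, so it wins over Healthy. Assumption:
    "high-risk" applies to runtime risks too. Everything that is neither High
    nor Healthy is Medium, which includes a disabled scan and high-risk image
    or workload-configuration findings on their own."""
    if high_risk_node_vulns > 0 or runtime.high_risk_findings > 0:
        return "High"
    scans = (image, runtime, workload)
    if all(s.enabled and s.high_risk_findings == 0 for s in scans):
        return "Healthy"
    return "Medium"


# Constructed sample: five high-risk CVEs in pool-a, a low-risk one in pool-b.
SAMPLE_VULNS = [NodeVuln(f"CVE-PLACEHOLDER-{i}", "high", "pool-a", 3) for i in range(5)]
SAMPLE_VULNS.append(NodeVuln("CVE-PLACEHOLDER-9", "low", "pool-b", 1))
SAMPLE_POOLS = ["pool-a", "pool-b"]


def sample_overview():
    risk, asset = node_vuln_views(SAMPLE_VULNS, SAMPLE_POOLS)
    level = cluster_severity(risk["high_risk_vulns"], ScanState(True),
                             ScanState(True), ScanState(True))
    return risk, asset, level
```

Running sample_overview() reproduces the scenario in the text: five high-risk vulnerabilities from the risk perspective, one of two node pools affected from the asset perspective, and a High cluster severity level.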
Node vulnerability
Node vulnerability scanning is enabled by default.
At the bottom of the Security Overview page, click the Node Vulnerabilities tab to view a list of node vulnerabilities. The list includes the corresponding node pool and the number of affected nodes in that pool. Click Repair to go to the Node Pool Details page to fix the vulnerabilities. For more information about fixing CVEs in a node pool, see Fix CVEs for the OS of a node pool.
After you fix the vulnerabilities, you must wait 24 hours for the data on the Security Overview page to be updated.
Image risk
You must first authorize Container Registry (ACR). On the Image Risks card, click Authorize Now and follow the prompts to complete the authorization. You can also click Revoke Permission to disable the image risk analysis feature.
After you grant the authorization, you must wait 24 hours for the data to be displayed. The data includes the number of container images running in the current cluster and the associated image risks from Container Registry Enterprise Edition.
At the bottom of the Security Overview page, click the Image Risks tab to view a list of image risks. The list includes details such as the image address, affected containers, and scan time. Click Fix to go to the corresponding image risk details page in Container Registry Enterprise Edition to view risk details and perform remediation.
After you fix the risks, you must wait 24 hours for the data on the Security Overview page to be updated.
Container runtime risk
Container runtime risk detection is based on Security Center. You must first purchase the Ultimate Edition of Security Center. For more information, see Purchase Security Center. After you purchase Security Center, you can view container runtime risks and enable real-time protection.
At the bottom of the Security Overview page, click the Container Runtime Risks tab to view a list of container runtime risks. The list includes details such as the alert name and description. Click Handle to go to the Security Monitoring page to manage the risk.
Workload configuration risk
You must first enable the cluster inspection feature. After you enable the feature, you must wait 24 hours for the workload configuration and risk data of the current cluster to be displayed. For more information, see Perform a cluster inspection.
At the bottom of the Security Overview page, click the Workload Configuration Risks tab to view the risk descriptions and hardening recommendations. Click View Details to go to the Inspections page of the cluster to fix the risks.
After you fix the risks, you must wait 24 hours for the data on the Security Overview page to be updated.