FAQ

更新时间:
复制 MD 格式

This topic answers frequently asked questions about container protection in Security Center.

Can I use container microsegmentation with the Enterprise Edition?

No. Container microsegmentation is only available in the Ultimate Edition.

To get access, upgrade to the Ultimate Edition using either purchase method:

Do I need to pay separately for container microsegmentation?

No. Container microsegmentation is included at no extra charge with the Ultimate Edition.

Does upgrading to the Ultimate Edition mean Security Center only protects containers?

No. The Ultimate Edition protects both containers and Elastic Compute Service (ECS) instances.

What detection mechanisms does Security Center provide for container runtime security?

Security Center uses cloud-native capabilities to monitor containers across two layers: image security and container security.

image

Image security

Container image scanning — for images added to Security Center

Security Center scans images from Container Registry Enterprise Edition, Harbor, and Quay repositories. It detects high-risk system vulnerabilities, application vulnerabilities, malicious samples, configuration risks, sensitive files, and risks in image build commands, and provides fixes for the detected issues. For more information, see Create a Container Registry Enterprise Edition instance, Add image repositories to Security Center, and Overview of container image scan.

CI/CD-based container image scanning — for images not yet added to Security Center

This mechanism scans images during the build stage, before they are deployed to production. Install the CI/CD plug-in on Jenkins or GitHub to detect risks including high-risk system vulnerabilities, application vulnerabilities, viruses, webshells, execution of malicious scripts, configuration risks, and sensitive data — and get fix recommendations — without leaving your pipeline.

To review detected risks, go to the Image tab on the Container page and search by image ID or tag. For more information, see Overview of CI/CD-based container image scan.

At-risk Image Blocking rules

Create an At-risk Image Blocking rule for a cluster to gate what images can run. When an image is used to create resources, Security Center checks it for malicious Internet images, unscanned images, malicious samples, baseline risks, vulnerabilities, sensitive files, and image build command risks. Based on the rule's action (Alert, Block, or Allow), only images that meet your security requirements are allowed to start. For more information, see Use the feature of proactive defense for containers.

Container security

Container runtime image scanning

Detects security risks in running containers, including system vulnerabilities, application vulnerabilities, baseline risks, malicious samples, and sensitive files. Security Center also provides fixes for detected system vulnerabilities. For more information, see Scan images.

Proactive defense for containers

Monitors container activity across three dimensions — container security, runtime security, and running environment security — to stop threats before they spread.

  • Non-image Program Defense: Any program that starts inside a container but is not part of the container image is treated as abnormal behavior (for example, a trojan inserted by an attacker). Security Center detects and blocks such programs in specified clusters, guarding against both known and unknown attacks.

  • Container Escape Prevention: Containers share the host OS kernel, which means an attacker who exploits a container vulnerability can escalate privileges and gain control of the host or other containers on it. Configure container escape prevention rules to block this attack path.

For more information, see Use the feature of proactive defense for containers.

Container file protection

Monitors directories and files in containers in real time. When tampering is detected, Security Center generates an alert or blocks the operation to keep the container environment secure. For more information, see Use the container file protection feature.

Container microsegmentation

Controls network traffic between container applications using network objects. Each network object is identified by its namespace, application name, image, and labels. Defense rules specify how traffic flows from a source network object to a destination network object — Security Center alerts on or blocks abnormal access attempts, including attacks via exploited vulnerabilities or malicious images. For more information, see Container microsegmentation.

Trusted container deployment

Security Center signs trusted container images and verifies those signatures at startup. Only images with valid signatures are allowed to run, preventing unauthorized images from being deployed. For more information, see Use the container image signing.

Baseline checks

Performs security checks on container baseline configurations against Alibaba Cloud best practices for Kubernetes Node and Master, and generates alerts for any detected risks. For more information, see Baseline check.

How does Security Center protect the servers that run containers?

Security Center includes a host protection module that covers the servers on which your containers run. For more information, see Features.

How do I use container microsegmentation to control business traffic?

Container microsegmentation uses network objects to identify container applications by namespace, application name, image, and labels. Defense rules define how traffic is allowed or blocked between network objects, giving you network isolation at the container level.

Prerequisites

Before configuring container microsegmentation, confirm the following:

  • Your cluster nodes run an OS with a kernel version supported by the AliNet plug-in. If the kernel version is not supported, defense rules will not take effect. For supported OS and kernel versions, see Supported operating system versions.

  • Malicious Network Behavior Prevention is turned on. For details, see Use proactive defense.

Note

The AliNet plug-in also blocks suspicious network connections, Domain Name System (DNS) hijacking, and brute-force attacks.

Configure and enable container microsegmentation

  1. Create a network object.

  2. Create a defense rule.

  3. Enable the defense rule for the cluster.

After the cluster is connected to Security Center and access traffic is generated, defense rules take effect in priority order. When traffic matches a rule, Security Center applies the rule's action:

Important

Defense rules only take effect when the cluster's interceptable status is normal. If the status is abnormal, troubleshoot the issue before proceeding. For more information, see Troubleshoot the issues that cause the abnormal interceptable status of a cluster.