Security Center detects and defends against vulnerabilities, compliance issues, attacks, and intrusions in your containers in real time. After you connect your container assets to Security Center, you can manage them from a centralized location. This topic describes how to view and manage security risks in your container assets.
Version Limits
Subscription: Ultimate (If your current edition does not support this feature, upgrade).
Note: The protection edition of the server must be set to the edition you purchased. For more information, see Bind a server protection edition.
Pay-as-you-go: Host and Container Security pay-as-you-go is activated (If not activated, purchase).
Note: The server protection level must be set to Host and Container Security. For more information, see Bind a server protection level.
Prerequisites
- You have connected your container assets to Security Center. For more information, see Add image repositories and Connect a self-managed K8s cluster.
- To view alerts for container cluster anomalies, you must enable K8s threat detection. For more information, see K8s threat detection for containers.
Synchronize assets
Before viewing container asset information, synchronize your assets to ensure that newly added assets are displayed.
- Log on to the Security Center console.
- In the navigation pane on the left, choose . In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
- On the Container page, on the Clusters or Repository Images tab, click Synchronize Assets.
- (Optional) In the upper-right corner of the Container page, click Task Management. In the Task Management panel, on the Container Asset Synchronization and Image Asset Synchronization tabs, you can view the progress, status, and details of the asset synchronization.
Manage clusters
Supported cluster types
- Managed and dedicated clusters that are created in Container Service for Kubernetes (ACK).
Security Center automatically synchronizes these assets daily at midnight. If you create new clusters, go to the Cluster tab and click Synchronize Assets to synchronize them manually.
View cluster information
- Log on to the Security Center console.
- In the navigation pane on the left, choose . In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
- On the Container page, click the Clusters tab to view the number of connected clusters, at-risk clusters, and the list of connected clusters.
- Search for a cluster
  Use the search component above the cluster list to search for a cluster by its ID or type.
- View the risk details of a cluster
  Click the cluster name or View in the Actions column to open the risk details page. This page displays statistics and lists for security alerts, vulnerabilities, configuration risks (K8s configuration risks and baseline risks), and container firewall alerts.
- Enable K8s log threat detection
  After you enable K8s log threat detection for a cluster, Security Center uses cluster logs to detect security risks such as high-risk operations and attacks.
  - Managed and dedicated ACK clusters
    - In the ACK console, enable the log audit feature. For more information, see Use the cluster API Server audit feature.
      - Log on to the ACK console. In the navigation pane on the left, choose Clusters.
      - On the Clusters page, click the name of the target cluster. Then, in the navigation pane on the left, choose .
      - Follow the on-screen instructions to select an SLS project and enable log auditing.
    - In the Security Center console, enable K8s threat detection for containers.
  - Self-managed K8s clusters
    For more information, see Enable log threat detection.
  After the feature is enabled, go to the Container page in the Security Center console. On the Cluster tab, check the K8s Log Status column for the target cluster to confirm that K8s log threat detection is enabled.
Analyze cluster exposure
Exposing container ports to the internet may lead to security risks such as network attacks and data breaches. Security Center provides a port exposure analysis feature to detect publicly exposed ports.
The exposure analysis feature is supported only for managed and dedicated ACK clusters.
- Perform an exposure analysis.
  You can perform an exposure analysis on a cluster automatically or manually:
  - Automatic exposure analysis: After you connect a K8s cluster, Security Center automatically synchronizes cluster information and runs an exposure analysis on all connected clusters at midnight daily.
  - Manual exposure analysis: On the Container page, on the Clusters tab, find the cluster that you want to check and click Exposure Analysis in the Actions column.
- (Optional) In the upper-right corner of the Container page, click Task Management. In the Task Management panel, on the Container Exposure tab, view the progress and details of the cluster exposure analysis task.
- View the results of the cluster exposure analysis.
  - On the Container page, click the name of the target cluster.
  - On the cluster details page, select the type as Container and set the Exposed filter to Yes.
  - Hover the pointer over the icon in the Exposed column for a container to view the information about the exposed port. If a port is exposed to the internet but not in use, close it to reduce security risks.
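The exposure check above runs inside Security Center, but the same question can be asked of a cluster's own Service objects. The following is an added example, not code from the page or from Alibaba Cloud: it walks a constructed `kubectl get svc -A -o json` style listing, treats LoadBalancer Services as internet-facing unless they carry the ACK intranet SLB annotation (an assumption about how the cluster is configured), treats NodePort Services as reachable on every node, and then filters out the ports a team has confirmed are in use so the remainder are candidates to close.

```python
import json

# ACK annotation that requests an intranet-only SLB for a LoadBalancer Service.
# Assumption for this example: a LoadBalancer Service without it is internet-facing.
INTRANET_ANNOTATION = "service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type"

# Constructed sample in the shape of `kubectl get svc -A -o json`; not real cluster data.
SAMPLE_SERVICES = json.loads("""
{"items": [
 {"metadata": {"name": "web", "namespace": "prod"},
  "spec": {"type": "LoadBalancer",
           "ports": [{"port": 80, "targetPort": 8080}, {"port": 443, "targetPort": 8443}]}},
 {"metadata": {"name": "debug", "namespace": "prod"},
  "spec": {"type": "NodePort", "ports": [{"port": 8080, "nodePort": 30080}]}},
 {"metadata": {"name": "db", "namespace": "prod"},
  "spec": {"type": "ClusterIP", "ports": [{"port": 5432}]}},
 {"metadata": {"name": "internal-api", "namespace": "prod",
               "annotations": {"service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type": "intranet"}},
  "spec": {"type": "LoadBalancer", "ports": [{"port": 9000}]}}
]}
""")


def find_exposed_ports(service_list):
    """Return [(namespace/name, port, reason)] for Service ports reachable from outside the cluster."""
    exposed = []
    for svc in service_list["items"]:
        meta, spec = svc["metadata"], svc["spec"]
        ident = f'{meta["namespace"]}/{meta["name"]}'
        svc_type = spec.get("type", "ClusterIP")
        if svc_type == "LoadBalancer":
            # Internet-facing unless the Service explicitly asked for an intranet SLB.
            if meta.get("annotations", {}).get(INTRANET_ANNOTATION) == "intranet":
                continue
            exposed += [(ident, p["port"], "internet-facing LoadBalancer") for p in spec.get("ports", [])]
        elif svc_type == "NodePort":
            # NodePorts listen on every node; reachable wherever nodes have public addresses.
            exposed += [(ident, p["nodePort"], "NodePort on every node") for p in spec.get("ports", [])]
    return exposed


def unused_exposed(exposed, in_use):
    """Keep only exposed ports whose (namespace/name, port) pair is not in the confirmed-in-use set."""
    return [e for e in exposed if (e[0], e[1]) not in in_use]


if __name__ == "__main__":
    found = find_exposed_ports(SAMPLE_SERVICES)
    for ident, port, reason in found:
        print(f"{ident}:{port}  {reason}")
    # Ports the team confirms are needed; everything else is a candidate to close.
    for ident, port, reason in unused_exposed(found, {("prod/web", 80), ("prod/web", 443)}):
        print(f"CLOSE CANDIDATE {ident}:{port}  ({reason})")
```

Feed it the real listing with `kubectl get svc -A -o json | python3 check.py` after replacing `SAMPLE_SERVICES` with `json.load(sys.stdin)`; the in-use set is the list of ports your application owners have signed off on.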
Manage images
View image information
- Log on to the Security Center console.
- In the navigation pane on the left, choose . In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
- On the Container page, click the Repository Images tab to view information about your images.
- View overview information
  The overview section at the top of the page shows information such as the number of at-risk images and the Remaining Quota for image security scans.
  - In the Remaining Quota area, click Increase Quota to purchase more quota for image security scans. For more information, see Upgrade and downgrade.
  - In the Add Third-party Image Repository area, click Add to add private image repositories. For more information, see Add image repositories.
- View the image repository list
  The image repository list displays all repositories connected to Asset Center, including the name, region, type, and risk status of each repository.
  - Search for an image repository
    Use the search component above the list to search for an image repository by its instance ID or namespace.
  - View an image repository
    Click the repository name or click View in the Actions column to go to the repository details page. On this page, you can view all images in the repository, including the repository name, version, size, and risk status. The Created At/Updated At column shows when Security Center first and last synchronized the repository, not the repository's local creation and update times.
    On the repository details page, find the target image version and click Handle in the Actions column to view or export risk and vulnerability information.
  - View image repositories of Platform for AI (PAI)
    To view image repositories related to Platform for AI (PAI), select in the search component.
  - Synchronize ACR assets
    For Container Registry (ACR) Enterprise Edition instances, click Synchronize in the Actions column for a target image repository to enable automatic asset synchronization. After this feature is enabled, assets added to the ACR instance are automatically synchronized to the image asset list in Security Center.
Scan container images
The image scan feature detects vulnerabilities, baseline risks, malicious samples, and sensitive files to help secure your image runtime environment.
- Log on to the Security Center console.
- In the navigation pane on the left, choose . In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
- On the Container page, on the Repository Images tab, click Scan Now in the Container Image Scan section.
- In the Quick Scan dialog box, select the types of images that you want to scan, configure a scan scope based on your business requirements, and then click OK.
  For more information about how to configure the scan scope, see Perform image security scans.
- (Optional) In the upper-right corner of the Container page, click Task Management. The Image Scan, Image Risk Fixing, and Container Runtime Image Scan tabs in the Task Management panel show information about image scans and fixes.
References
- The Container Asset Overview feature provides a visual dashboard to manage security for clusters, containers, images, and applications. It also displays the network topology of your container assets, helping you manage container security more efficiently. For more information, see Container Asset Overview.
- Security Center provides container security features such as K8s threat detection and container escape prevention to protect your container runtime environment. For more information, see Container protection settings.
- Container signing ensures that only trusted images are deployed, preventing unauthorized images from starting. For more information, see Container signing.
- Security Center detects system vulnerabilities, application vulnerabilities, baseline risks, and malicious samples in your image assets. You can view categorized results and fix detected risks. For more information, see View and fix detected image risks.
- The security monitoring feature monitors and generates alerts for container attack vectors, including malicious images, malware, container intrusions, container escapes, and high-risk operations. For more information, see Use security monitoring.