Purchasing and Enabling Container Security Protection
Scenario
A container cluster consists of a set of nodes. The HSS container edition uses the node as its protection unit and provides container firewall, container cluster protection, and container image security scanning, covering container-environment risks that traditional host security software cannot address. For details about the server security protection functions provided by the HSS container edition, see Product Functions.
The following example describes how to buy and enable container protection.
- Container node: EulerOS 2.9 Huawei Cloud ECS
- Protection quota:
  - Billing mode: Yearly/Monthly
  - Edition: Container
  - Quantity: 1
Process
Procedure | Description |
---|---|
Preparations | Register a Huawei account, enable Huawei Cloud services, complete real-name authentication, top up your account, grant permissions to IAM users, and prepare the container node to be protected. |
Step 1: Purchase HSS Quota | Set the billing mode and edition, and purchase protection quota for the target container nodes. |
Step 2: Install an Agent | Install the agent on the target container node. |
Step 3: Enable Protection | Enable protection for the target container node. |
Preparations
- Before purchasing container protection, create a Huawei account and subscribe to Huawei Cloud. For details, see Registering a Huawei ID and Enabling Huawei Cloud Services and Real-Name Authentication.
If you have enabled Huawei Cloud services and completed real-name authentication, skip this step.
- Ensure that your account has sufficient funds to prevent failures in purchasing HSS protection quotas. For details, see Topping Up an Account.
- If you perform operations as an IAM user, ensure that the IAM user has been granted the HSS FullAccess permission. For details, see Creating a User and Granting Permissions. Purchasing HSS protection quotas additionally requires the BSS Administrator permission, so grant it to the IAM user that will place the order.
- You have prepared a container node for which container security protection will be enabled.
Step 1: Purchase HSS Quota
- Log in to the management console.
- In the upper left corner, select the region and project.
- Open the service list in the upper left corner of the page and choose Security & Compliance > HSS.
- In the upper right corner of the Dashboard page, click Buy HSS.
- Configure parameters.
Table 1 Parameters for purchasing HSS

Parameter | Example | Description |
---|---|---|
Billing Mode | Yearly/Monthly | Select the billing mode. For more information, see Pricing Details. Yearly/Monthly: a prepaid package, cheaper than pay-per-use if you intend to use the service for a long time. Pay-per-use: you pay for resources by actual usage duration (in hours), with no minimum fee. |
Region | EU-Dublin | Select the region of the container node. The region cannot be changed after HSS is purchased, so choose it carefully. |
Edition Specifications | Container edition | HSS provides the basic, professional, premium, WTP, and container editions. Functions vary by edition; for details, see Functions. |
Enterprise Project | default | Displayed only when you purchase protection quotas with an enterprise account. Enables unified management of cloud resources by project. |
Tag | Not added | Tags identify container security resources and facilitate cloud resource classification and management. |
Automatically assign | Not selected | When a server or container node is added and the agent is installed for the first time, it is bound to an available yearly/monthly quota. Only unused quotas are bound; no new order or fee is generated. |
Required Duration | 1 month | Select the subscription duration. The longer the period, the higher the discount. Not required for pay-per-use billing. |
Auto-Renewal | Not selected | If selected, the system automatically renews the service at the end of each subscription period. Not required for pay-per-use billing. |
Quantity | 1 | Set the value to the actual number of container nodes to protect. |
- In the lower right corner of the page, click Next.
- After confirming the order, select I have read and agree to the Host Security Service Disclaimer.
- Click Pay Now and complete the payment.
- Click Host Security Service to return to the HSS console.
Step 2: Install an Agent
- In the navigation pane, choose .
- Choose .
- In the Operation column of the target server, click Install Agent. The Install Agent dialog box is displayed.
Figure 1 Installing an agent
- Select the server authentication mode and set the verification information.
Table 2 Parameters for installing the agent

Parameter | Example | Description |
---|---|---|
Server Authentication Mode | Account and Password | Account and password: HSS logs in to the server with its IP address, account, and password to run the installation. Key: authenticate the installation with a cloud key stored in DEW or a user-created key (Linux only). |
Allow direct connection with root permissions | Selected | Allows the root account to log in to the server directly. After you enter the root password and login port, HSS logs in as root over that port and installs the agent. |
Server Root Password | - | Set according to the actual server information. |
Server Login Port | 22 | Enter the actual login port of the server (22 is the default SSH port on Linux). |
Figure 2 Enter the server verification information.
- Click OK to start installation.
- Open the Servers With Agents page and view the agent status of the target server.
If the Agent Status is Online, the agent has been installed successfully.
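The Account and Password mode with root access described above only works if the node's SSH daemon actually permits a root password login on the port you enter, which hardened images often disable. The following shell script is an added example, not part of the HSS documentation or the HSS agent: it resolves the effective Port, PermitRootLogin, and PasswordAuthentication values from sshd_config text (applying OpenSSH's first-occurrence-wins rule and ignoring conditional Match blocks) and reports whether a console-driven root install can log in. The two configuration samples are constructed for the example; the sshd_config path and the OpenSSH defaults in the comments are assumptions about the node, not statements from the page.

```shell
#!/bin/sh
# Added example (not HSS code): check whether an "Account and Password" agent
# install as root can log in to this node. Assumes OpenSSH sshd_config syntax
# and upstream defaults, and ignores Match blocks (their settings are conditional).

# sshd_directive CONFIG_TEXT NAME DEFAULT
# Prints the effective lowercase value of NAME. OpenSSH uses the first
# occurrence of a directive, so parsing stops at the first hit and at any
# Match line, after which settings apply only to matching users/hosts.
sshd_directive() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || NF == 0   { next }                 # skip comments and blank lines
        tolower($1) == "match"        { exit }                 # conditional section: stop here
        tolower($1) == key && !found  { val = $2; found = 1 }  # first occurrence wins
        END { print (found ? tolower(val) : def) }'
}

# root_password_login_check CONFIG_TEXT
# Returns 0 (prints OK) when the console installer can log in as root with a
# password; returns 1 (prints BLOCKED) otherwise.
root_password_login_check() {
    port=$(sshd_directive "$1" Port 22)                            # assumed OpenSSH default: 22
    prl=$(sshd_directive "$1" PermitRootLogin prohibit-password)   # assumed default since OpenSSH 7.0
    pwa=$(sshd_directive "$1" PasswordAuthentication yes)          # assumed OpenSSH default: yes
    if [ "$prl" = "yes" ] && [ "$pwa" != "no" ]; then
        echo "OK: root password login allowed; enter $port as Server Login Port"
        return 0
    fi
    echo "BLOCKED: PermitRootLogin=$prl PasswordAuthentication=$pwa port=$port; use Key mode or adjust sshd_config"
    return 1
}

# Constructed sample 1: hardened default (root keys only) plus a Match block
# that must NOT be taken as the global setting.
HARDENED_CFG='Port 22
PermitRootLogin prohibit-password
PasswordAuthentication yes
Match User backup
    PermitRootLogin yes'

# Constructed sample 2: root password login on a non-default port; the later
# "PermitRootLogin no" is ignored because the first occurrence wins.
OPEN_CFG='# custom port
Port 2222
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no'

# Demo runs (|| true keeps a BLOCKED verdict from aborting a `set -e` shell).
root_password_login_check "$HARDENED_CFG" || true
root_password_login_check "$OPEN_CFG" || true

# On a live node, as root:  root_password_login_check "$(sshd -T)"
# or, if sshd -T is unavailable: root_password_login_check "$(cat /etc/ssh/sshd_config)"
```

Run it on the node before clicking OK in the Install Agent dialog. If it reports BLOCKED, either switch Server Authentication Mode to Key, or temporarily permit root password login and revert the change once the agent status shows Online; leaving root password login enabled on a container node weakens exactly the host you are trying to protect.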
Step 3: Enable Protection
- In the navigation pane, choose Asset Management > Containers & Quota.
- In the Operation column of a server, click Enable.
- In the dialog box that is displayed, select the billing mode, edition, and quota.
Table 3 Parameters for enabling protection

Parameter | Example | Description |
---|---|---|
Billing Mode | Yearly/Monthly | Must match the billing mode selected in Step 1: Purchase HSS Quota. |
Edition | Container edition | Must match the edition selected in Step 1: Purchase HSS Quota. |
Select Quota | 709440b9-0d6c-407e-a51c-ac7169beada9 | Select the quota purchased in Step 1: Purchase HSS Quota. |
- Confirm the information, read the Container Security Service Disclaimer, and select I have read and agree to the Container Security Service Disclaimer.
- Click OK.
- If the Protection Status of the target server is Protected, protection has been enabled successfully.
Figure 3 Viewing the protection status
Follow-Up Procedure
Enable server protection for container nodes.
The HSS container edition also provides proactive protection functions for the node itself. They are not enabled, or not fully enabled, when container security protection is enabled; enable them according to your requirements. Table 4 describes these functions.

Table 4 Server protection functions for container nodes

Function | Description |
---|---|
Container image security scanning | Scans images for vulnerabilities and malicious files. Scan images periodically so that image security risks are handled in a timely manner. |
Ransomware prevention | Ransomware intrudes a server, encrypts data, and demands a ransom, causing service interruption, data leakage, or data loss; attackers may not unlock the data even after payment. HSS provides static and dynamic ransomware prevention: it is enabled automatically with the container edition, deploys bait files on servers, and automatically isolates suspicious encryption processes. You can modify the ransomware protection policy. You are also advised to enable backup so that data can be restored and potential losses reduced. |
Application protection (RASP) | To protect an application with RASP, add probes to it; application files do not need to be modified. |
Application process control | HSS learns the characteristics of application processes on servers and manages their running. Suspicious and trusted processes are allowed to run, and alarms are generated for malicious processes. |
Antivirus | Uses the virus detection engine to scan files on the server: executable files, compressed files, scripts, documents, images, and audio and video files. You can run a quick scan or a full-disk scan, customize scan tasks, and handle detected virus files promptly to strengthen the defenses of the service system. |
Container firewall | Controls and intercepts network traffic inside and outside a container cluster to prevent malicious access and attacks. |