Updated on 2024-01-16 GMT+08:00

Enabling Container Security Protection

You can enable the container security edition for your containers.

To enable protection for a container node, you need to allocate a quota to the node. If the protection is disabled or the node is deleted, the quota can be allocated to another node.

Check Frequency

HSS performs a full check in the early morning every day.

After you enable server protection, you can view the scan results after the automatic scan at 04:10 the next morning.

Prerequisites

  • The Agent Status of a server is Online. To check the status, choose Host Security Service > Asset Management > Containers & Quota.
  • You have created a node on CCE.
  • The Protection Status of the node is Unprotected.

Procedure

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
  3. In the navigation pane, choose Asset Management > Containers & Quota.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

  4. Enable protection for one or multiple servers.

    • Enabling protection for a server
      1. In the Operation column of a server, click Enable Protection.
      2. In the dialog box that is displayed, confirm the information and select a billing mode.
        • To enable protection in the yearly/monthly billing mode, ensure you have purchased sufficient quotas. For details, see Purchasing a Container Edition Quota. You can also enable protection in pay-per-use mode without using quotas.
        • A container security quota protects one cluster node.
        Figure 1 Confirming container edition information
      3. Confirm the information, read the Container Guard Service Disclaimer, select I have read and agreed to the Container Guard Service Disclaimer, and click OK. Protection is enabled when the Protection Status in the container list changes to Protected.
    • Enabling protection in batches
      1. In the node list, select servers, and click Enable Protection above the list.
        Figure 2 Selecting servers
      2. In the dialog box that is displayed, confirm the information and select a billing mode.
        • To enable protection in the yearly/monthly billing mode, ensure you have purchased sufficient quotas. For details, see Purchasing a Container Edition Quota. You can also enable protection in pay-per-use mode without using quotas.
        • A container security quota protects one cluster node.
        Figure 3 Confirming container edition information about multiple servers
      3. Confirm the information, read the Container Guard Service Disclaimer, select I have read and agreed to the Container Guard Service Disclaimer, and click OK. Protection is enabled when the Protection Status in the container list changes to Protected.

        If the agent installed on the Linux server is version 3.2.8 or later, or the agent installed on the Windows server is version 4.0.16 or later, ransomware prevention is automatically enabled with the container edition. To strengthen ransomware prevention, you can configure specific protected directories. You are also advised to enable backup so that you can restore data after a ransomware attack and minimize losses. For details, see Modifying a Protection Policy and Enabling Ransomware Backup.

Follow-up Procedure

The container edition supports ransomware protection. For details about how to enable ransomware protection for your servers in the container edition, see Enabling Ransomware Protection.