Updated on 2024-01-16 GMT+08:00

Container Cluster Protection Overview

HSS checks for non-compliant baseline items, vulnerabilities, and malicious files when a container image is started, and either reports an alarm on or blocks the startup of containers that are unauthorized or carry high risks.

You can configure container cluster protection policies to block images with vulnerabilities, malicious files, non-compliant baselines, or other threats, hardening cluster security.

Constraints

To enable container cluster protection, the following conditions must be met:

  • You have purchased a CCE cluster in version 1.20 or later.
  • The HSS container edition has been enabled for container node servers. For more information, see Purchasing HSS Quotas.
  • The server agent version meets the following requirements. For more information, see Upgrading the Agent.
    • Linux: 3.2.7 or later
    • Windows: 4.0.19 or later

Process of Using Container Cluster Protection

Figure 1 Usage process

Table 1 Process of using container cluster protection

  1. Enable container cluster protection.
     Enable protection for a CCE cluster to protect the security of its workloads and critical data. When protection is enabled, HSS automatically installs the policy management plug-in on the cluster.

  2. Configure a protection policy.
     Configure the severity of baseline, vulnerability, and malicious file risks that trigger alarms; the container cluster protection scope; the image whitelist; and the actions to be taken on alarms.

  3. Check container cluster protection events.
     On the HSS console, view the unauthorized or high-risk container image running events that were reported or blocked, and check and clear insecure container images in a timely manner.
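The decision a protection policy drives at container startup, as an added illustration of the elements listed in step 2 (severity thresholds per risk type, protection scope, image whitelist, alarm-or-block action). This is example code, not HSS's own plug-in; the policy and scan-result layouts, image names and namespaces are constructed for the example and do not reflect HSS's real formats.

```python
from dataclasses import dataclass, field

# Severity ordering assumed for the example; HSS's own scale may differ.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Policy:
    namespaces: set          # protection scope (constructed)
    whitelist: set           # image references that are never blocked
    vuln_threshold: str      # lowest vulnerability severity that triggers
    baseline_threshold: str  # lowest baseline-risk severity that triggers
    malicious_threshold: str # lowest malicious-file severity that triggers
    action: str              # "alarm" (report only) or "block"

@dataclass
class ScanResult:
    image: str
    namespace: str
    vulns: list = field(default_factory=list)      # severities found
    baseline: list = field(default_factory=list)
    malicious: list = field(default_factory=list)

def _worst(findings):
    """Highest severity among the findings, 0 if there are none."""
    return max((SEVERITY[s] for s in findings), default=0)

def evaluate(policy, scan):
    """Return (decision, reasons): decision is allow, alarm or block."""
    if scan.namespace not in policy.namespaces:
        return "allow", ["outside protection scope"]
    if scan.image in policy.whitelist:
        return "allow", ["whitelisted image"]
    checks = [("vulnerability", scan.vulns, policy.vuln_threshold),
              ("baseline", scan.baseline, policy.baseline_threshold),
              ("malicious file", scan.malicious, policy.malicious_threshold)]
    reasons = [f"{name} risk at or above {threshold}"
               for name, findings, threshold in checks
               if findings and _worst(findings) >= SEVERITY[threshold]]
    return ("allow", []) if not reasons else (policy.action, reasons)

# Constructed sample policy: protect "prod", block on high vulns,
# medium baseline issues or any malicious file; trust one pinned image.
SAMPLE_POLICY = Policy({"prod"}, {"registry.example/trusted:1.0"},
                       "high", "medium", "low", "block")

def demo():
    """Decisions for three constructed startup events."""
    return [evaluate(SAMPLE_POLICY, s)[0] for s in (
        ScanResult("registry.example/app:2.0", "prod", vulns=["critical"]),
        ScanResult("registry.example/trusted:1.0", "prod", malicious=["high"]),
        ScanResult("registry.example/app:2.0", "dev", vulns=["critical"]),
    )]
```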