Container Cluster Protection Overview

HSS can check for non-compliance baseline issues, vulnerabilities, and malicious files when a container image is started and report alarms on or block container startup that has not been unauthorized or may incur high risks.

You can configure container cluster protection policies to block images with vulnerabilities, malicious files, non-compliant baselines, or other threats, hardening cluster security.

Constraints and Limitations

To enable container cluster protection, the following conditions must be met:

The HSS container edition has been enabled for container node servers. For more information, see Purchasing HSS Quotas.
The server agent version falls within the following scope. For more information, see Upgrading the Agent.
- Linux: 3.2.7 or later
- Windows: 4.0.19 or later
The cluster version is 1.20 or later.
In a CCE cluster, to operate and protect resource objects, you need to obtain either of the following operation permissions:
- IAM permissions: Tenant Administrator or CCE Administrator.
- Namespace permissions (authorized by Kubernetes RBAC): O&M permissions. For details about how to configure permissions, see Configuring namespace permissions.

Process of Using Container Cluster Protection

Figure 1 Usage process

**Table 1** Process of using container cluster protection
Operation	Description
Enable container cluster protection.	Enable protection for a cluster to protect its workloads and critical data. When protection is enabled, HSS automatically installs the policy management plug-in on the cluster.
Configure a protection policy.	Configure the severity of baseline, vulnerability, and malicious file risks that trigger alarms; container cluster protection scope; image whitelist; and actions to be taken on alarms.
Check container cluster protection events.	On the HSS console, you can view unauthorized or high-risk container image running events that are reported or blocked, and check and clear insecure container images in a timely manner.