Configuring a Container Cluster Protection Policy
You can configure container cluster protection policies to specify the level of risks (unsafe baselines, vulnerabilities, or malicious files) that trigger alarms, cluster protection scope, image whitelist, and the actions taken on an alarm.
Creating a Protection Policy
- Log in to the management console.
- In the upper left corner of the page, select a region, click the service list icon, and choose Security & Compliance > HSS.
- In the navigation pane, choose Container Cluster Protection.
- Click the Protection Policies tab and click Create Policy.
- In the Create Policy dialog box, set policy parameters. For details about related parameters, see Table 1.
Figure 1 Creating a protection policy
Table 1 Container cluster protection policy parameters

Policy Template
Description: Select a policy template. The procedure is as follows:
- Click Select Template.
- Select a policy template and click OK.
You can choose a template based on its policy description. After selecting a template, configure the policy parameters according to the template's requirements, referring to the parameter descriptions.
Example value: K8sPSPPrivilegedContainer

Policy Name
Description: Enter a policy name.
Example value: test

Policy Description
Description: Enter a policy description.
Example value: Test

Action
Description: Action taken by HSS when it detects that an image about to be started contains the specified unsafe baseline items, vulnerabilities, or malicious files.
- Alarm: Generate an event whose Action is Alarm on the Protection Events tab of the Container Cluster Protection page.
- Block: Block the unsafe image from starting and generate an event whose Action is Block on the Protection Events tab of the Container Cluster Protection page.
- Allow: Generate an event whose Action is Allow on the Protection Events tab of the Container Cluster Protection page.
Example value: Block

Protection Scope
Description: Configure the clusters to be protected. If you select the image blocking policy, you must also set the images and tags that define the protection scope.
Example value: -

(Optional) Whitelist
Description: Images to be added to the whitelist. Enter values in ImageName:ImageVersion format. An image name can contain only digits, letters, underscores (_), hyphens (-), and periods (.). Enter each image on a separate line.
NOTICE: Exercise caution when performing this operation. HSS does not check whitelisted images when they are started, so a whitelisted image is not subject to the policy even if it contains risks.
Example value: -
- Click OK.
You can view the protection policy in the policy list.
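To make the policy semantics above concrete, the following is an added example (not HSS code and not from this page): it validates whitelist lines against the ImageName:ImageVersion rule given in Table 1 and then decides which action a policy produces for an image that is about to start. The Policy class, the representation of the protection scope as a set of (image, tag) pairs, the default tag "latest", and the sample findings are all assumptions made for this illustration.

```python
import re
from dataclasses import dataclass, field

# Table 1: an image name may contain only digits, letters, "_", "-" and ".",
# and each whitelist line must be ImageName:ImageVersion.
_WHITELIST_LINE = re.compile(r"^([A-Za-z0-9_.-]+):([A-Za-z0-9_.-]+)$")


def is_valid_whitelist_line(line):
    """True if a single whitelist line matches the ImageName:ImageVersion format."""
    return _WHITELIST_LINE.match(line.strip()) is not None


def parse_whitelist(text):
    """Return the set of (name, version) pairs from one-image-per-line text.

    A malformed line raises instead of being skipped: silently dropping or
    loosening an entry would change which images bypass every check.
    """
    entries = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = _WHITELIST_LINE.match(line)
        if m is None:
            raise ValueError(f"whitelist line {lineno}: {line!r} is not ImageName:ImageVersion")
        entries.add((m.group(1), m.group(2)))
    return entries


@dataclass
class Policy:
    # Assumed model of a protection policy: one of "Alarm", "Block", "Allow".
    action: str
    # Assumption: scope is a set of (image, tag) pairs; empty means every image.
    scope: set = field(default_factory=set)
    whitelist: set = field(default_factory=set)


def split_ref(image_ref):
    """Split "repo/app:1.2" into ("repo/app", "1.2"); an untagged ref gets "latest"
    (assumption). A ":" that belongs to a registry port is not treated as a tag."""
    name, sep, tag = image_ref.rpartition(":")
    if not sep or "/" in tag:
        return image_ref, "latest"
    return name, tag


def decide(policy, image_ref, findings):
    """Return (action, reason) for an image that is about to be started.

    findings is the list of unsafe baseline items, vulnerabilities or malicious
    files detected in the image (constructed by the caller in this example).
    """
    key = split_ref(image_ref)
    # Whitelisted images are not checked at all, which is exactly the risk the
    # NOTICE in Table 1 warns about: findings are ignored here.
    if key in policy.whitelist:
        return "Allow", "whitelisted: image not checked"
    if policy.scope and key not in policy.scope:
        return "Allow", "outside protection scope"
    if not findings:
        return "Allow", "no risk detected"
    return policy.action, "risks: " + ", ".join(findings)


def demo():
    """Constructed scenario: a Block policy with a two-line whitelist."""
    policy = Policy(action="Block",
                    whitelist=parse_whitelist("nginx:1.25\n\nbusybox:1.36\n"))
    cases = [
        ("nginx:1.25", ["privileged container"]),   # whitelisted, risk ignored
        ("nginx:1.26", ["privileged container"]),   # same image, other tag: blocked
        ("nginx", []),                              # -> nginx:latest, clean
    ]
    return [decide(policy, ref, findings)[0] for ref, findings in cases]


if __name__ == "__main__":
    for ref, result in zip(["nginx:1.25", "nginx:1.26", "nginx"], demo()):
        print(f"{ref:12s} -> {result}")
```

Note that the whitelist matches the exact name and tag: whitelisting nginx:1.25 does nothing for nginx:1.26 or nginx:latest, which is the behaviour you want, since a mutable tag would otherwise let any future build of that image skip inspection.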
Editing or Deleting a Cluster Protection Policy
- Choose Container Cluster Protection and click the Protection Policies tab.
- In the Operation column of a policy, click a button as required.
- View YAML: View the protection policy content in YAML format.
- Edit: Modify a protection policy.
- Delete: Delete a protection policy.
After a policy is deleted, the container clusters associated with it will no longer be protected. Exercise caution when performing this operation.
- Click OK.