Updated on 2024-03-26 GMT+08:00

Quickly Enabling Container Security Protection

Scenario

A container cluster consists of a set of nodes. The HSS container edition uses nodes as protection units and provides functions such as container firewall, container cluster protection, and container image security scanning, helping enterprises solve container environment problems that traditional security software cannot address. For details about the security protection functions, see Specifications of Different Editions.

This document uses a EulerOS 2.9 container node server as an example to describe how to quickly enable container security protection.

Prerequisites

  • The ECS is in the Running state and can access the Internet.
  • The outbound rule of your security group allows access to port 10180 on the 100.125.0.0/16 network segment. (This is the default setting.)
  • The DNS server address of the cloud server has been set to the private DNS server address. For details, see Changing the DNS Server Address of an ECS and Private DNS Server Addresses.
  • The available capacity of the disk where the agent is installed must be greater than 300 MB. Otherwise, the agent installation may fail.
  • The Security-Enhanced Linux (SELinux) firewall has been disabled. The firewall affects agent installation and should remain disabled until the agent is installed.
  • If any third-party security software has been installed on your server, the HSS agent may fail to be installed. In this case, disable or uninstall the software before installing the agent.
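
The script below is an added example, not part of the original page or of HSS: a POSIX shell pre-flight that tests the disk, SELinux and outbound-rule prerequisites above before the agent is installed. The rule format (CIDR, minimum port, maximum port), the function names and the install-directory argument are assumptions made for illustration; the page does not give the agent's install path or the private DNS addresses, so the script only lists the DNS servers in use.

```shell
#!/bin/sh
# Added example: pre-flight checks for the HSS agent prerequisites on this page.
# 300 MB, 100.125.0.0/16 and port 10180 come from the page; the rule format
# (CIDR, port range) and the install-directory argument are assumptions.

ip_to_int() {                    # dotted quad -> 32-bit integer
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# Does one outbound allow rule cover port 10180 on all of 100.125.0.0/16?
rule_covers_hss() {              # args: CIDR PORT_MIN PORT_MAX
    net=${1%/*}; len=${1#*/}
    [ "$len" -le 16 ] || return 1                  # narrower than /16: partial cover
    [ "$2" -le 10180 ] && [ "$3" -ge 10180 ] || return 1
    [ "$len" -eq 0 ] && return 0                   # 0.0.0.0/0 covers everything
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int 100.125.0.0) & mask )) ]
}

disk_ok() { [ "$1" -gt 300 ]; }  # free space must be greater than 300 MB
avail_mb() { df -Pk "$1" | awk 'NR==2 { print int($4 / 1024) }'; }

selinux_mode() {                 # no getenforce binary: SELinux is not installed
    if command -v getenforce >/dev/null 2>&1; then getenforce; else echo Disabled; fi
}
selinux_ok() { [ "$1" = "Disabled" ]; }

preflight() {                    # arg: directory on the disk the agent installs to
    dir=${1:-/}; rc=0
    [ "$(id -u)" -eq 0 ] || { echo "FAIL: installer must run as root"; rc=1; }
    mb=$(avail_mb "$dir")
    disk_ok "$mb" || { echo "FAIL: only ${mb} MB free on $dir"; rc=1; }
    mode=$(selinux_mode)
    selinux_ok "$mode" || { echo "FAIL: SELinux is $mode"; rc=1; }
    echo "DNS servers in use (compare with the private DNS addresses):"
    awk '$1 == "nameserver" { print "  " $2 }' /etc/resolv.conf
    return "$rc"
}

# Live checks run only on request: sh preflight.sh --run /
if [ "${1:-}" = "--run" ]; then preflight "${2:-/}"; fi
```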

Constraints

  • 64-bit Huawei Cloud servers and non-Huawei Cloud servers can be protected. 32-bit servers are no longer supported.
  • Mainstream OSs are supported. For details, see Supported OSs.

Step 1: Purchase HSS Quota

  1. Log in to the management console.
  2. Click in the upper left corner and select the region and project.
  3. Click in the upper left corner and choose Security & Compliance > Host Security Service. The HSS console is displayed.
  4. In the upper right corner of the Dashboard page, click Buy HSS.
  5. Set the parameters for buying HSS as prompted. For details, see Table 1.

    Table 1 Parameters for purchasing HSS

    Parameter: Description

    Billing Mode: Select Yearly/Monthly.

    Region: Select the region of the container node.

    Edition: Select Container.

    Enterprise Project: This option is only available when you are logged in using an enterprise account, or when you have enabled enterprise projects.
      • You can contact your service manager to enable this function.
      • You can select an enterprise project from the drop-down list.
      NOTE:
      • Resources and incurred expenses are managed under the enterprise project you selected.
      • The value default indicates the default enterprise project. Resources that are not allocated to any enterprise projects under your account are listed in the default enterprise project.
      • The default option is available in the Enterprise Project drop-down list only after you have purchased HSS under your Huawei ID.

    Required Duration: Select 1 month and select Auto-renew.
      If you select Auto-renew, the system will automatically renew your subscription as long as your account balance is sufficient. The renewal period is the same as the required duration.

    Node Quantity: Set the Node Quantity to 1.

    Tag:
      • If no predefined tag is available, click View predefined tags to create a predefined tag.
      • If you have predefined tags, click the Tag key and Tag value boxes in sequence to select a predefined tag.

    Quota Management: Select Assigning automatically.
      After automatic quota binding is enabled, HSS automatically binds available quotas to new servers or container nodes after the agent is installed for the first time. Only the yearly/monthly quotas that you have purchased can be automatically bound. No new order or fee is generated.
      • Servers: Available yearly/monthly quotas are automatically bound in the following sequence: Premium Edition > Enterprise Edition > Professional Edition > Basic Edition.
      • Container nodes: Available yearly/monthly quotas are automatically bound in the following sequence: Container Edition > Premium Edition > Enterprise Edition > Professional Edition > Basic Edition.

  6. In the lower right corner of the page, click Next.

    For details about pricing, see Product Pricing Details.

  7. After confirming the order, select I have read and agree to the Host Security Service Disclaimer.
  8. Click Pay Now and complete the payment.
  9. Click Back to Host Security Service Console.

Step 2: Install an Agent

  1. Log in to the HSS console. In the navigation pane on the left, choose Installation & Configuration.
  2. On the agent management tab, click the value in the Servers Without Agents area to filter the servers on which no agent is installed.
  3. In the Operation column of a server, click Install Agent.

    Figure 1 Installing an agent

  4. In the dialog box, click Copy to copy the command for installing the agent.
  5. Remotely log in to the server where the agent is to be installed.
  6. Run the copied installation command as user root to install the agent on the server.

    If the command output shown in Figure 2 is displayed, the agent is successfully installed.

    Figure 2 Installation completed

  7. Run the following command to check the runtime status of the agent:

    service hostguard status

    If the command output shown in Figure 3 is displayed, the agent is running properly.

    Figure 3 Agent running properly

Step 3: Enable Protection

  1. In the navigation pane on the left, choose Asset Management > Containers & Quota.
  2. In the Operation column of a server, click Enable Protection.
  3. In the dialog box that is displayed, select the mode. Table 2 describes the parameters for enabling protection.

    Table 2 Parameters for enabling protection

    Parameter: Description

    Billing Mode: Select Yearly/Monthly.

    Edition: Select Container.

    Select Quota: Retain the default random quota.

  4. Confirm the information, read the Container Security Service Disclaimer, and select I have read and agree to the Container Security Service Disclaimer.
  5. Click OK.
  6. If the Protection Status of the target server is Protected, the protection is enabled successfully.

    Figure 4 Viewing the protection status