Updated on 2024-04-15 GMT+08:00

Enabling Container Node Protection

Before enabling protection for a container node, you need to allocate quota to a specified node. If the protection is disabled or the node is deleted, the quota can be allocated to other nodes.

Check Frequency

HSS performs a full check in the early morning every day.

If you enable server protection before the daily check, the check results are available only after the check at 00:00 of the next day is complete.

Constraints

Currently, HSS can only protect Docker containers.

Prerequisites

  • The Agent Status of a server is Online. To check the status, choose Asset Management > Containers & Quota.
  • You have created nodes on CCE.
  • The Protection Status of the node is Unprotected.

Procedure

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, and choose Security > Host Security Service.
  3. In the navigation pane, choose Asset Management > Containers & Quota.
  4. In the Operation column of the node list, click Enable Protection.
  5. In the displayed dialog box, confirm the server information.
  6. Click OK. If the Protection Status of the server changes to Protected, protection has been enabled.

    A container security quota protects one cluster node.

Follow-Up Procedure

Disabling protection for a node

Choose Asset Management > Containers & Quota, click the Container Nodes tab, and click Nodes. In the Operation column, click Disable Protection.

If protection is disabled, the quota status will change from occupied to idle. You can allocate the idle quota to another node to avoid quota waste.

  • Before disabling protection, run a comprehensive check on the container, handle the detected risks, and record the operations performed to prevent O&M errors and attacks on the container.
  • After protection is disabled, clear important data on the container, stop important applications on the container, and disconnect the container from the external network to avoid losses caused by attacks.