Updated on 2022-10-08 GMT+08:00

(Optional) Configuring Policies

You can customize security policies by configuring a process whitelist (the file paths that are allowed to be executed in the container) and a file protection list (the read-only file directories in the container) to prevent risks while the container is running and keep systems and applications secure.

Prerequisites

The cluster protection function has been enabled.

Adding a Security Policy

  1. Log in to the management console.
  2. In the upper part of the page, select a region, click , and choose Security & Compliance > Container Guard Service.
  3. In the navigation pane on the left, choose Security Configurations.
  4. Click the Policies tab. In the upper part of the policy list, click Add.
  5. On the displayed page, configure the policy. See Figure 1. For details, see Table 1.

    Figure 1 Add dialog box
    Table 1 Parameter description

    Parameter: Policy Name
    Description: Name of the policy.

    Parameter: Process Whitelist
    Description: User-defined. Paths of the process files that are allowed to be executed in the container. The process whitelist can effectively prevent security risks such as abnormal processes, privilege escalation attacks, and unauthorized operations.

    Parameter: File Protection
    Description: User-defined. Read-only file directories in the container. Setting the file protection list can effectively prevent security risks such as file tampering.

  6. Click OK.
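The following Python script is an added illustration, not CGS code, of how the two lists from Table 1 are interpreted: an exec event is allowed only if its path is on the process whitelist, and a write event is blocked if its target lies inside a protected (read-only) directory. The policy, paths, and events are constructed sample data; paths are normalized first so that `..` segments are judged by where they actually land.

```python
# Added illustration (not CGS code): evaluating a process whitelist and a
# file protection list against constructed container events.
import posixpath

# Constructed sample policy in the shape of Table 1 (hypothetical values).
POLICY = {
    "name": "web-frontend-policy",
    "process_whitelist": ["/usr/sbin/nginx", "/bin/sh"],
    "file_protection": ["/etc/nginx", "/usr/share/nginx/html"],
}

def _normalize(path: str) -> str:
    """Collapse '.' and '..' so '/tmp/../etc/nginx/x' is judged as '/etc/nginx/x'."""
    return posixpath.normpath(path)

def exec_allowed(policy: dict, path: str) -> bool:
    """A process may run only if its normalized path is exactly on the whitelist."""
    return _normalize(path) in {_normalize(p) for p in policy["process_whitelist"]}

def write_allowed(policy: dict, path: str) -> bool:
    """A write is blocked if the target is a protected directory or lies inside one.
    The trailing '/' check keeps '/etc/nginx-backup' from matching '/etc/nginx'."""
    target = _normalize(path)
    for root in policy["file_protection"]:
        root = _normalize(root)
        if target == root or target.startswith(root.rstrip("/") + "/"):
            return False
    return True

def evaluate(policy: dict, events: list) -> list:
    """Return one alert string per event that violates the policy.
    Each event is a (kind, path) tuple with kind 'exec' or 'write'."""
    alerts = []
    for kind, path in events:
        if kind == "exec" and not exec_allowed(policy, path):
            alerts.append(f"exec not in whitelist: {path}")
        elif kind == "write" and not write_allowed(policy, path):
            alerts.append(f"write to protected directory: {path}")
    return alerts

SAMPLE_EVENTS = [  # constructed container events
    ("exec", "/usr/sbin/nginx"),                       # allowed
    ("exec", "/tmp/unknown-binary"),                   # alert
    ("write", "/var/log/nginx/access.log"),            # allowed
    ("write", "/usr/share/nginx/html/index.html"),     # alert
    ("write", "/tmp/../etc/nginx/nginx.conf"),         # alert after normalization
    ("write", "/etc/nginx-backup/notes.txt"),          # allowed: different directory
    ("exec", "/bin/../bin/sh"),                        # allowed: normalizes to /bin/sh
]

if __name__ == "__main__":
    for alert in evaluate(POLICY, SAMPLE_EVENTS):
        print(alert)
```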

Associating an Image

After adding a policy, you can associate an image and apply the policy to the associated image.

  1. Log in to the management console.
  2. In the upper part of the page, select a region, click , and choose Security & Compliance > Container Guard Service.
  3. In the navigation pane on the left, choose Security Configurations.
  4. Click the Policies tab. Locate the row that contains the policy which you want to associate an image with, and click Associate Image in the Operation column.
  5. In the Associate Image dialog box, select images, as shown in Figure 2.

    Figure 2 Associate Image dialog box

  6. Select an image and click OK.

    After the image is associated, you can view the monitoring results of malicious files and container exceptions in the image file. For details, see Viewing Malicious File Detection Results and Viewing Container Runtime Security Details.

Other Operations

  • Viewing a policy

    In the policy list, click the name of a policy to view its information.

  • Editing a policy

    In the row containing the policy to be modified, click Edit in the Operation column to modify the policy name, process whitelist, and file protection information.

  • Deleting a policy

    In the row containing the policy to be deleted, click Delete in the Operation column.