Updated on 2024-03-28 GMT+08:00

Enabling Container Protection

Before enabling protection for a container node, you need to allocate quota to a specified node. If the protection is disabled or the node is deleted, the quota can be allocated to other nodes.

Check Frequency

HSS performs a full check in the early morning every day.

If you enable server protection before the scheduled check runs, you can view check results only after the check at 00:00 of the next day is complete.

Constraints

Currently, HSS can only protect Docker and Containerd containers.

Prerequisites

  • The Agent Status of a server is Online. To check the status, choose Asset Management > Containers & Quota.
  • You have created nodes on CCE.
  • The Protection Status of the node is Unprotected.

Procedure

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
  3. In the navigation pane, choose Asset Management > Containers & Quota.
  4. In the Operation column of the node list, click Enable Protection.

    Figure 1 Enabling container protection

  5. You can buy quota in pay-per-use or yearly/monthly mode.

    • Yearly/Monthly

      In the displayed dialog box, select Yearly/Monthly, read the Container Guard Service Disclaimer, and select I have read and agreed to Container Guard Service Disclaimer.

      The quotas can be allocated in the following ways:
      • Select Random quota to let the system allocate the quota with the longest remaining validity to the server.
      • Select a quota to allocate.
    • Pay-per-use

      In the displayed dialog box, select Pay-per-use, read the Container Guard Service Disclaimer, and select I have read and agreed to Container Guard Service Disclaimer.

  6. In the displayed dialog box, read the Container Guard Service Disclaimer, and select I have read and agreed to the Container Guard Service Disclaimer.
  7. Click OK. If the Protection Status of the server changes to Protected, protection has been enabled.

    • A container security quota protects one cluster node.
    • If the version of the agent installed on the Linux server is 3.2.10 or later, or the version of the agent installed on the Windows server is 4.0.22 or later, ransomware prevention is automatically enabled with the container edition. Ransomware prevention deploys bait files on servers and automatically isolates suspicious encryption processes (there is a low probability that processes are incorrectly isolated). You are also advised to enable backup so that you can restore data in case of a ransomware attack and minimize losses. For details, see Enabling Ransomware Backup.

Related Operations

Disabling protection for a node

Choose Asset Management > Containers & Quota, click the Container Nodes tab, and click Nodes. In the Operation column, click Disable Protection.

If protection is disabled, the quota status changes from occupied to idle. You can allocate the idle quota to another node, or unsubscribe from unnecessary quota to avoid quota waste.

  • Before disabling protection, perform a comprehensive detection on the container, handle detected risks, and record operation information to prevent O&M errors and attacks on the container.
  • After protection is disabled, clear important data on the container, stop important applications on the container, and disconnect the container from the external network to avoid unnecessary loss caused by attacks.