Updated on 2025-12-12 GMT+08:00

Configuring a Container Cluster Protection Policy

Scenario

You can configure container cluster protection policies based on your service requirements, including policy rules, protection scopes, whitelists, and protection actions taken by HSS after an alarm event occurs.

Creating a Protection Policy

  1. Log in to the HSS console.
  2. Click in the upper left corner and select a region or project.

  1. In the navigation pane, choose > Container Cluster Protection.
  2. Click the Protection Policies tab and click Create Policy.
  3. In the Create Policy dialog box, set the policy parameters. For details about the parameters, see Table 1.

    Figure 1 Creating a protection policy
    Table 1 Container cluster protection policy parameters

    Policy Template
      Description: Select a policy template. The procedure is as follows:
        1. Click Select Template.
        2. Select a policy template and click OK.
           You can choose a template based on its policy description.
      After selecting a template, configure the policy parameters the template requires; the parameter descriptions serve as a reference.
      For details about the templates, see Container Cluster Protection Policy Templates.
      Example value: K8sPSPPrivilegedContainer

    Policy Name
      Description: Enter a policy name. The name can contain only letters, numbers, commas (,), periods (.), spaces, underscores (_), and hyphens (-).
      Example value: test

    Policy Description
      Description: Enter a policy description. The description can contain only letters, numbers, commas (,), periods (.), spaces, underscores (_), and hyphens (-).
      Example value: Test

    Action
      Description: Select the protection action HSS takes when it detects that a cluster resource is being created or modified in a way the policy does not allow.
        • Alarm: Generate an event whose Action is Alarm on the Protection Events tab of the Container Cluster Protection page.
        • Block: Prevent the resource from being created or modified, and generate an event whose Action is Block on the Protection Events tab of the Container Cluster Protection page.
        • Allow: Generate an event whose Action is Allow on the Protection Events tab of the Container Cluster Protection page.
      Example value: Image blocking

    Protection Scope
      Description: Configure the protection scope, that is, the clusters to be protected.
      If a namespace cannot be selected, return to the Container Cluster Protection page, choose Prevention > Container Firewalls in the navigation pane on the left, and click Synchronize to synchronize the namespace information.
      Example value: -

    (Optional) Whitelist
      Description: Images to be added to the whitelist. HSS does not check whitelisted images when they are started.
      Enter values in ImageName:ImageVersion format, one image per line. An image name can contain only numbers, letters, underscores (_), hyphens (-), and periods (.).
      Example:
        • A single image
          image:1.0
        • Multiple images
          image1:1.0
          image2:1.0
      Example value: -

  4. Click OK.

    You can view the protection policy in the policy list.
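To make the interplay of Action, Protection Scope and Whitelist concrete, the following Python model (an added example, not HSS code) evaluates a constructed pod manifest against a policy. It assumes that the K8sPSPPrivilegedContainer template flags containers whose securityContext.privileged is true, that the protection scope is a set of namespaces, and that whitelist entries follow the ImageName:ImageVersion format from Table 1.

```python
# Illustrative model of a container cluster protection policy (added example,
# not HSS code). Assumptions: the K8sPSPPrivilegedContainer template flags
# containers with securityContext.privileged true; the protection scope is a
# set of namespaces; whitelist entries follow Table 1 (ImageName:ImageVersion).
import re
from dataclasses import dataclass

IMAGE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")  # allowed image-name characters

def parse_whitelist(text):
    """Parse one ImageName:ImageVersion entry per line; reject malformed lines."""
    entries = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        name, sep, version = line.partition(":")
        if not sep or not version or not IMAGE_NAME_RE.match(name):
            raise ValueError(f"invalid whitelist entry: {line!r}")
        entries.add(f"{name}:{version}")
    return entries

@dataclass
class Policy:
    action: str        # "Alarm", "Block" or "Allow", as in Table 1
    namespaces: set    # protection scope
    whitelist: set     # parsed ImageName:ImageVersion entries

def privileged_images(pod):
    """Images of containers (incl. init containers) that request privileged mode."""
    spec = pod["spec"]
    return [c["image"] for c in spec.get("containers", []) + spec.get("initContainers", [])
            if (c.get("securityContext") or {}).get("privileged") is True]

def evaluate(policy, pod):
    """Return (admitted, action) where action is the event's Action or None."""
    if pod["metadata"]["namespace"] not in policy.namespaces:
        return True, None              # outside the protection scope: not checked
    if all(img in policy.whitelist for img in privileged_images(pod)):
        return True, None              # no violation, or every offender is whitelisted
    # Block rejects the request; Alarm and Allow admit it but still record an event
    return policy.action != "Block", policy.action

# Constructed sample: a pod in a protected namespace running a privileged container
SAMPLE_POD = {"metadata": {"name": "demo", "namespace": "prod"},
              "spec": {"containers": [{"name": "app", "image": "image1:1.0",
                                       "securityContext": {"privileged": True}}]}}
```

Running `evaluate(Policy("Block", {"prod"}, parse_whitelist("image2:1.0")), SAMPLE_POD)` returns `(False, "Block")`; whitelisting `image1:1.0` or setting the scope to another namespace admits the pod without an event.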

Editing or Deleting a Cluster Protection Policy

  1. Choose Container Cluster Protection and click the Protection Policies tab.
  2. In the Operation column of a policy, click a button as required.

    • View YAML: View the protection policy content in YAML format.
    • Edit: Modify a protection policy.
    • Delete: Delete a protection policy. After a policy is deleted, the container clusters associated with it will not be protected. Exercise caution when performing this operation.

  3. Click OK.