Updated on 2025-12-12 GMT+08:00

Container WTP Overview

What Is Container WTP?

Companies are deploying an increasing number of services on containers and need strong protection for containerized website applications to block tampering with the web page files in containers. However, common web tamper protection solutions are designed for traditional server environments and are not fully adapted to containerized workloads, which poses high risks in container environments. For example, after companies deploy containerized web applications, the web page files in containers may be modified without authorization, affecting service stability and security. They urgently need an effective solution to prevent web page tampering in containers.

To address this issue, HSS provides container WTP. You can set containers to read-only mode, monitor specified directories of the container file system, back up files, and restore tampered files using their backups. In this way, you can enhance the security of web pages in containers.

Container WTP Principles

Container WTP protects the static web pages of containerized website applications. Container WTP protects the images associated with website applications. If you enable the HSS container edition for a container node, all the containers associated with the image on the node will be protected. An image in a cluster or on an independent node requires a container WTP quota. Table 1 shows the protection principles.

Table 1 Container WTP principles

Type: Cluster

Protection Scope: After protection is enabled for the image associated with a website application, HSS applies a WTP policy to all the nodes protected by the container edition to protect all the containers associated with the image.

Protection Principle:

  1. Setting containers to read-only

    After protection is enabled, the specified containers that are deployed as Deployments and upgraded on a rolling basis will be automatically set to read-only.

  2. Real-time monitoring and blocking of tampering

    Changes to protected directories and files are monitored in real time. In blocking mode, the service blocks unauthorized modifications as soon as it detects them.

  3. Proactive backup and restoration

    In blocking mode, if file tampering fails to be blocked, the tampered file will be immediately restored using its backup.

Type: Independent node

Protection Scope: After protection is enabled for the image associated with a website application, HSS applies a WTP policy to the node to protect all the containers associated with the image.

Protection Principle:

  1. Real-time monitoring and blocking of tampering

    Changes to protected directories and files are monitored in real time. In blocking mode, the service blocks unauthorized modifications as soon as it detects them.

  2. Proactive backup and restoration

    In blocking mode, if file tampering fails to be blocked, the tampered file will be immediately restored using its backup.

Container WTP Application Scenarios

Containerized websites can be protected, including but not limited to:

  • Financial websites that provide information and services of banks, securities companies, and other financial institutions.
  • E-commerce platforms that release product information, prices, and promotional activities.
  • Social networking websites, where people send posts.

Notes and Constraints

  • To use container WTP, the following conditions must be met:
  • After container WTP is enabled, the files and folders in the protected directory cannot be modified. You can configure privileged processes to modify them. The privileged process feature is available only on nodes with kernel 5.10 or later.

Process of Using Container WTP

Figure 1 Usage process

Table 2 Process of using container WTP

Operation: Purchasing Container WTP

Description: Container web tamper protection is available only if you have purchased the value-added container WTP service.

Operation: Enabling Container WTP

Description: When enabling container WTP, you need to select images to be protected and configure protection policies (including protected directories, excluded subdirectories, and excluded file paths).

Operation: Configuring Containers on Independent Nodes to Read-Only

Description: When providing container WTP to the containers deployed on independent nodes (single-node containers), HSS does not set them to read-only. To enhance security, you can manually set them.

Operation: Viewing Container WTP Events

Description: Tampering events that occur during web tamper protection are recorded and displayed in the event list.
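
The backup-and-restoration principle from Table 1, combined with the policy fields named under Enabling Container WTP (protected directory, excluded subdirectories, excluded file paths), as an added Python illustration. This is not HSS code: the function names, the constructed sample site and the hash-comparison approach are assumptions of this example, and it shows only detection and restoration, not real-time blocking.

```python
# Added illustration, not HSS code; every name here is hypothetical.
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def protected_files(root, excluded_dirs=(), excluded_files=()):
    """Relative paths of the files under root that the policy covers."""
    rels = (p.relative_to(root) for p in sorted(Path(root).rglob("*")) if p.is_file())
    return [r for r in rels if r.as_posix() not in excluded_files
            and not any(Path(d) in r.parents for d in excluded_dirs)]

def take_backup(root, backup, **policy):
    """Copy each protected file to backup; return {relative path: digest}."""
    baseline = {}
    for rel in protected_files(root, **policy):
        dst = Path(backup) / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(Path(root) / rel, dst)
        baseline[rel.as_posix()] = sha256(dst)
    return baseline

def check_and_restore(root, backup, baseline, **policy):
    """Report added files; restore modified or deleted ones from backup."""
    current = {r.as_posix() for r in protected_files(root, **policy)}
    events = [("added", r) for r in sorted(current - set(baseline))]
    for rel, digest in baseline.items():
        target = Path(root) / rel
        if rel not in current or sha256(target) != digest:
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(Path(backup) / rel, target)
            events.append(("modified" if rel in current else "deleted", rel))
    return events

def demo():
    """Constructed sample site: deface one page, then run one check pass."""
    tmp = Path(tempfile.mkdtemp())
    root, backup = tmp / "www", tmp / "backup"
    (root / "uploads").mkdir(parents=True)
    (root / "index.html").write_text("<h1>Welcome</h1>")
    policy = {"excluded_dirs": ["uploads"], "excluded_files": ["visits.log"]}
    baseline = take_backup(root, backup, **policy)
    (root / "index.html").write_text("<h1>defaced</h1>")    # tampering
    (root / "uploads" / "a.txt").write_text("user upload")  # excluded, ignored
    events = check_and_restore(root, backup, baseline, **policy)
    return events, (root / "index.html").read_text()
```

Writes under the excluded subdirectory produce no event, which is why exclusions should be limited to paths the application must write to.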