Updated on 2024-11-15 GMT+08:00

Configuring a Container Cluster Protection Policy

You can configure container cluster protection policies to specify the level of risks (unsafe baselines, vulnerabilities, or malicious files) that trigger alarms, cluster protection scope, image whitelist, and the actions taken on an alarm.

Creating a Protection Policy

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
  1. In the navigation pane, choose Container Cluster Protection.
  2. Click the Protection Policies tab and click Create Policy.
  3. In the Create Policy dialog box, set policy parameters. For details about related parameters, see Table 1.

    Figure 1 Creating a protection policy
    Table 1 Container cluster protection policy parameters

    Policy Template
      Description: Select a policy template. The procedure is as follows:
        1. Click Select Template.
        2. Select a policy template and click OK.
           You can choose a template based on its policy description.
        After selecting a template, configure the policy parameters according to the template's requirements, referring to the parameter descriptions below.
      Example Value: K8sPSPPrivilegedContainer

    Policy Name
      Description: Enter a policy name.
      Example Value: test

    Policy Description
      Description: Enter a policy description.
      Example Value: Test

    Action
      Description: Action taken by HSS if it detects that an image about to be started contains the specified unsafe baseline items, vulnerabilities, or malicious scripts.
        • Alarm: Generate an event whose Action is Alarm on the Protection Events tab of the Container Cluster Protection page.
        • Block: Block the unsafe image and generate an event whose Action is Block on the Protection Events tab of the Container Cluster Protection page.
        • Allow: Generate an event whose Action is Allow on the Protection Events tab of the Container Cluster Protection page.
      Example Value: Block

    Protection Scope
      Description: Configure the protection scope of the clusters.
        If you select the image blocking policy, you must specify the images and tags to define the protection scope.
      Example Value: -

    (Optional) Whitelist
      Description: Images to be added to the whitelist. Enter values in ImageName:ImageVersion format. An image name can contain only numbers, letters, underscores (_), hyphens (-), and periods (.). Each image occupies a separate line.
        Example:
        • A single image
            image:1.0
        • Multiple images
            image1:1.0
            image2:1.0
        NOTICE:
        Exercise caution when performing this operation. HSS does not check whitelisted images when they are started.
      Example Value: -

  4. Click OK.

    You can view the protection policy in the policy list.
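    The whitelist field above accepts one ImageName:ImageVersion entry per line and, once an image is whitelisted, HSS skips checking it entirely. The following Python snippet is an added example, not HSS code: it validates whitelist text against the documented format and models how a whitelist entry interacts with the policy Action. The tag character set and the exact-match rule (image:1.0 does not cover image:latest) are assumptions, since the page does not state them.

```python
import re

# Constructed sample whitelist text in the ImageName:ImageVersion,
# one-entry-per-line format expected by the policy dialog. The last
# two lines are deliberately malformed (space in name, missing tag).
WHITELIST_TEXT = """image1:1.0
image2:1.0
bad image:1.0
image3
"""

# Image-name charset from the documentation: numbers, letters, "_", "-", ".".
# Assumption: the tag uses the same charset (the page does not specify one).
ENTRY_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+):(?P<tag>[A-Za-z0-9_.-]+)$")

ACTIONS = {
    "Alarm": "started, Alarm event",
    "Block": "blocked, Block event",
    "Allow": "started, Allow event",
}


def parse_whitelist(text: str) -> tuple[set[str], list[str]]:
    """Return (valid entries, rejected lines); blank lines are ignored."""
    valid, rejected = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        (valid.add if ENTRY_RE.match(line) else rejected.append)(line)
    return valid, rejected


def decide(image: str, has_findings: bool, action: str, whitelist: set[str]) -> str:
    """Model the documented behaviour for an image about to start.

    Whitelisted images are not checked at all (hence the NOTICE above).
    Otherwise an image with findings receives the policy Action and a
    clean image simply starts. Assumption: matching is exact on name:tag.
    """
    if image in whitelist:
        return "skipped (whitelisted, not checked)"
    if not has_findings:
        return "started (no findings)"
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    return ACTIONS[action]
```

Note that the whitelist bypasses the check even when the policy Action is Block, so every entry should be reviewed as an accepted exception rather than a convenience.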

Editing or Deleting a Cluster Protection Policy

  1. Choose Container Cluster Protection and click the Protection Policies tab.
  2. In the Operation column of a policy, click a button as required.

    • View YAML: View the protection policy content in YAML format.
    • Edit: Modify a protection policy.
    • Delete: Delete a protection policy.

    After a policy is deleted, the container clusters associated with it will no longer be protected. Exercise caution when performing this operation.

  3. Click OK.