Updated on 2023-12-07 GMT+08:00

CCE Security Guide

Node Security Hardening

Cloud Container Engine (CCE) cluster nodes are created from the public images published by Image Management Service (IMS) in the public cloud. CCE performs security hardening on the CCE software installed on nodes. The OS configurations are the same as those of public images by default. You need to perform security hardening based on your own security requirements.

Container Security Suggestions

CCE provides you with an exclusive cluster. You are not advised to share a cluster with multiple tenants. If a cluster must be shared by multiple tenants, perform security hardening by following the suggestions in the following table.

Table 1 Container security configuration suggestions

Category

Suggestion

Least privilege

  1. Use the sudo whitelist to restrict the Docker commands that can be run in containers by common users.
  2. It is recommended that privileged containers be disabled for Kubernetes pods. To be specific, do not use the following settings:
    apiVersion: v1
    kind: Pod
    metadata:
      name: hello-world
    spec:
      containers:
        - name: hello-world-container
          # The container definition
          # ...
          securityContext:
            privileged: true

By default, the token of ServiceAccount default is not used.

  • The automatic mounting function is disabled for ServiceAccount default by default. If automountServiceAccountToken is set to false, the created workload will not be mounted to a token by default.
    CAUTION:

    Set this field for each namespace as required. After the setting is complete, perform a rolling restart for the pods in the corresponding namespace.

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: default
    automountServiceAccountToken: false
  • Mount the token of ServiceAccount default to specific workloads.
    ...
    spec:
      template:
        spec:
          serviceAccountName: default
          automountServiceAccountToken: true
          ...

Network isolation

Network isolation between containers in a cluster

Use network policies to implement access control.

Network isolation between containers and hosts outside the cluster

Use security groups in a VPC to implement access control.

Network isolation between containers and the cluster control plane

CCE clusters are private and workloads would access the cluster API server. Therefore, CCE does not restrict the network communication between containers and the Kubernetes control plane. You can harden the network security by limiting the pod QoS.

Mounting of sensitive host directories

  • If not necessary, do not mount the /var/run/docker.sock file on the host to a container when starting the container.
  • Do not mount the hostPath directory, such as /, /boot, /dev, /etc, /lib, /proc, /sys, and /usr, on the host to the container. If necessary, mount the hostPath directory in read-only mode.