Updated on 2022-04-01 GMT+08:00

CGS

Container Guard Service (CGS) scans vulnerabilities and configurations in images, helping enterprises detect the container environment, which cannot be achieved by the traditional security software. CGS also delivers functions such as process whitelist configuration, read-only file protection, and container escape detection to minimize the security risks for a running container.

Concepts

  • Image

    An image is a special file system. It provides not only programs, libraries, resources, configuration files but also some configuration parameters required for a running container. An image does not contain any dynamic data, and its content is unchangeable after creation.

  • Container

    A container is the instance of an image and can be created, started, stopped, deleted, and suspended.

Figure 1 describes the relationships between images, containers, and applications.
  • Multiple containers can be started for an image.
  • An application may include one or a set of containers.
Figure 1 Relationships between images, containers, and applications

Deployment Architecture

Figure 2 shows the CGS deployment architecture and Table 1 describes its key components.
Figure 2 CGS deployment architecture
Table 1 Key CGS components

Component

Description

CGS Container

Runs on each container node (host) to scan all container images on the node for image vulnerabilities, implement security policies, and collect exceptions.

Management Master

Manages and maintains CGS Containers.

Security Intelligence

Provides a security information knowledge base containing vulnerability and malicious program libraries, as well as big data AI training models.

Management console

Provides a console for users to use CGS.