Purchasing and Enabling Container Security
Scenario
A container cluster consists of a set of nodes. The HSS container edition uses nodes as protection units and provides functions such as container firewall, container cluster protection, and container image security scanning, helping enterprises solve container environment problems that cannot be achieved by traditional security software. For details about the server security protection functions provided by HSS container edition, see Product Functions.
The following is an example to describe how to buy and enable container protection.
- Container node: EulerOS 2.9 Huawei Cloud ECS
- Protection quotas
- Billing mode: Yearly/Monthly
- Edition: container
- Quantity: 1
Process
Procedure |
Description |
---|---|
Grant permissions to IAM users, and prepare the container nodes to be protected. |
|
Set the billing mode and edition, and purchase protection quota for the target container nodes. |
|
Install the agent on the target container node. |
|
Enable protection for the target container node. |
Preparations
- If you perform operations as an IAM user, ensure that the IAM user has been assigned the HSS FullAccess permission. For details, see Creating a User and Granting Permissions .
When purchasing HSS protection quotas, you need to assign the BSS Administrator and Tenant Guest permissions to IAM users.
- You have prepared a Huawei Cloud container node for which container security protection will be enabled.
Step 1: Purchase HSS Quota
- Log in to the management console.
- Click
in the upper left corner and select the region and project.
- Click
in the upper left corner of the page and choose Security & Compliance > HSS.
- In the upper right corner of the Dashboard page, click Buy HSS.
- Configure parameters.
Table 1 Parameters for purchasing HSS Parameter
Example
Description
Region
CN-Hong Kong
Select the region of container node. After the HSS is purchased, the region cannot be changed. Exercise caution when selecting a region.
Billing Mode
Yearly/Monthly
Select the billing mode. For more information, see Pricing Details.
- Yearly/Monthly: You can buy a prepaid yearly/monthly package if you intend to use the service for a long time. The fee is lower than that of pay-per-use.
- Pay-per-use: You pay for the used resources based on the actual service duration (in hours), without a minimum fee.
Edition Specifications
Container edition
HSS provides basic, professional, premium, WTP, and container editions. Functions vary depending on editions. For details about functions supported by each edition, see Functions.
Enterprise Project
default
This parameter is displayed only when you use an enterprise account to purchase protection quotas.
It enables unified management of cloud resources by project.
Tag
Not added
Tags are used to identify container security, facilitating cloud resource classification and management.
Automatically assign
Not selected
When a server or container node is added and the agent is installed for the first time, it will be bound to an available yearly/monthly quota.
Only unused quotas will be bound, and no new order or fee will be generated.
Required Duration
1 month
Select the required duration. The longer the subscription period, the higher the discount. You do not need to configure the pay-per-use billing mode.
Auto-Renewal
Not selected
If this option is selected, the system automatically renews the service based on the subscription period. You do not need to configure the pay-per-use billing mode.
Quantity
1
Set the value based on the actual number of container nodes.
- In the lower right corner of the page, click Next.
- After confirming that the order, select I have read and agree to the Host Security Service Disclaimer.
- Click Pay Now and complete the payment.
- Click Host Security Service to return to the HSS console.
Step 2: Install an Agent
- In the navigation pane, choose .
- In the upper right corner of the page, click Install HSS Agent.
- Select ECS and click Configure Now.
- Select an installation mode. For details about the parameters, see Table 2.
Figure 1 Installing an agent
Table 2 Parameters for installing the agent Parameter
Example
Description
Installation Mode
CLI-based installation
- GUI: You need to provide server account password or key for installing the agent. HSS does not save the password file you upload. To install the agent in this mode, ensure there is already an executor ECS, which is an ECS with an online agent in the same VPC as the target ECS.
- CLI: You need to log in to the server and run commands or scripts. This method is used when you install the agent for the first time.
Owner Account
Current account
- Current account installation: The server and the HSS quota you purchased are under the same account. You can log in to the account to obtain the installation commands or script and install the agent on the server.
- Cross-account installation: The server and the HSS quota you purchased are not under the same account. You can log in to account A to obtain the installation command or script and install the agent on the target server under account B. After the agent is successfully installed, you can view the target server on the page of account A.
Server OS
Linux
Select an OS type based on the server OS.
Scale
A single
Select the scale based on the number of servers on which the agent is to be installed.
- (Optional) Select the servers that need to be connected to the current HSS region and click Next.
- Perform this operation only in the CN East2 and CN Southwest-Guiyang1 regions. HSS will automatically create a VPC endpoint, which occupies an IP address of your VPC subnet. Only one VPC endpoint will be created for each of your VPCs to ensure the communication between your servers and HSS.
- In other regions, ensure the security groups of your servers allow outbound traffic through port 10180 of the 100.125.0.0/16 CIDR block. This port is used to communicate with HSS.
- Install the agent as prompted.
For CN East2 and CN Southwest-Guiyang1 regions, wait until the network communication succeeds (that is, the VPC endpoint is created) before performing the following operations.
- On the console page, click
in the Install HSS Agent dialog box to copy the installation command.
Figure 2 Copying the installation command - Log in to the server as the root user and paste the installation command.
If the command output shown in Figure 3 is displayed, the agent has been installed.
- On the console page, click
- Wait for 5 to 10 minutes and return to the HSS console. On the Server Install & Config page, click the Agents tab, and click Servers with Agents. Check the agent status of the target server.
If the Agent Status is Online, the agent is successfully installed.
Step 3: Enable Protection
- In the navigation pane, choose Asset Management > Containers & Quota.
- In the Operation column of a server, click Enable.
- In the dialog box that is displayed, select the mode.
Table 3 Parameters for enabling protection Parameter
Example
Description
Billing Mode
Yearly/Monthly
The value must be the same as the charging mode specified by Step 1: Purchase Protection Quota.
Edition
Container edition
The value must be the same as the edition specified by Step 1: Purchase Protection Quota.
Select Quota
709440b9-0d6c-407e-a51c-ac7169beada9
Select the quota purchased in Step 1: Purchase Protection Quota.
- Confirm the information, read the Container Security Service Disclaimer, and select I have read and agree to the Container Security Service Disclaimer.
- Click OK.
- If the Protection Status of the target server is Protected, the protection is enabled successfully.
Figure 4 Viewing the protection status
Follow-Up Procedure
Enable server protection for container nodes.
HSS container edition provides some proactive functions for servers. These functions are not enabled or not completely enabled when container security protection is enabled. You can determine whether to use these functions based on your requirements, the following table Table 4 describes the functions.
Function |
Description |
---|---|
The container image security scanning function scans for vulnerabilities and malicious files in images. You are advised to scan images periodically so that you can handle image security risks in a timely manner. |
|
Ransomware is one of the biggest cybersecurity threats today. Ransomware can intrude a server, encrypt data, and ask for ransom, causing service interruption, data leakage, or data loss. Attackers may not unlock the data even after receiving the ransom. HSS provides static and dynamic ransomware prevention. You can periodically back up server data to reduce potential losses. Ransomware prevention is automatically enabled with the container edition. HSS will deploy honeypot files on servers and automatically isolate suspicious encryption processes. You can modify the ransomware protection policy. You are also advised to enable backup so that you can restore data. |
|
To protect your applications with RASP, you simply need to add probes to them, without having to modify application files. |
|
HSS can learn the characteristics of application processes on servers and manage their running. Suspicious and trusted processes are allowed to run, and alarms are generated for malicious processes. |
|
The function uses the virus detection engine to scan virus files on the server. The scanned file types include executable files, compressed files, script files, documents, images, and audio and video files. You can perform quick scan and full-disk scan on the server as required. You can also customize scan tasks and handle detected virus files in a timely manner to enhance the virus defense capability of the service system. |
|
HSS can check for non-compliance baseline issues, vulnerabilities, and malicious files when a container image is started and report alarms on or block container startup that has not been unauthorized or may incur high risks. You can configure container cluster protection policies to block images with vulnerabilities, malicious files, non-compliant baselines, or other threats, hardening cluster security. |
|
A container firewall controls and intercepts network traffic inside and outside a container cluster to prevent malicious access and attacks. |
|
HSS comes in multiple editions, including basic, professional, premium, WTP, and container editions. Except for the basic edition, they each have a default protection policy group. A policy group is a collection of policies. These policies can be applied to container nodes to centrally manage and configure the sensitivity, rules, and scope of HSS detection and protection. You can customize policies for asset management, baseline inspection, and intrusion detection as needed. Some policies in the policy group are not enabled by default. You can enable them as needed. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot