Updated on 2025-08-26 GMT+08:00

Enabling Container Protection

Scenarios

The HSS container edition protects containers throughout their lifecycles. This section describes how to enable protection for container nodes.

Prerequisites

Constraints

HSS can only protect Docker, Containerd, CRI-O, Podman, and iSulad containers.

Enabling the Container Edition

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service.
  3. In the navigation pane, choose Asset Management > Containers & Quota.
  4. In the row of a server, click Enable Protection in the Operation column. The confirmation dialog box is displayed.

    By default, only the Linux servers where the agent is installed (that is, the servers eligible for the container edition) are displayed in the list. To install the agent on a server, perform the operations in Installing the Agent on Servers and Installing an Agent in a Cluster.
    Figure 1 Enabling container protection

  5. Confirm the node information and select a billing mode.

    You can buy quota in pay-per-use or yearly/monthly mode.

    • Yearly/Monthly
      • Billing Mode: Select Yearly/Monthly.
      • Select Quota: Select a quota allocation mode.
        • Random quota: Let the system allocate the quota with the longest remaining validity to the server.
        • Select a quota ID and allocate it to a server.
    • Pay-per-use
      • Billing Mode: Select Pay-per-use.
      • Tags: Select a tag if you want to use it to identify multiple types of cloud resources.
    • A container security quota protects one cluster node.
    • If the version of the agent installed on the Linux server is 3.2.10 or later or the version of the agent installed on the Windows server is 4.0.22 or later, ransomware prevention is automatically enabled with the container edition. Ransomware prevention deploys honeypot files on servers and automatically isolates suspicious encryption processes (there is a low probability that processes are incorrectly isolated). You are also advised to enable backup so that you can restore data in the case of a ransomware attack to minimize losses. For details, see Enabling Ransomware Backup.

  6. Read the Host Security Service Disclaimer and select I have read and agree to the Container Guard Service Disclaimer.
  7. Click OK. If the Protection Status of the node changes to Protected, protection has been enabled.
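
The runtime constraint and the agent-version thresholds above can be checked against a node inventory before you enable protection. The following is an added example, not part of the HSS documentation or tooling: the inventory, its field names, and the `name://version` runtime string format are assumptions, and how you collect agent versions is not covered by this page.

```python
# Added example: pre-flight check against the constraints stated on this page.
SUPPORTED_RUNTIMES = {"docker", "containerd", "cri-o", "podman", "isulad"}
# Minimum agent versions for automatic ransomware prevention (from the page).
MIN_AGENT = {"linux": (3, 2, 10), "windows": (4, 0, 22)}


def parse_version(text):
    """'3.2.10' -> (3, 2, 10); tuples compare numerically, strings do not."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable agent version: {text!r}")
    return tuple(int(p) for p in parts)


def runtime_name(runtime):
    """'containerd://1.6.14' -> 'containerd' (assumed 'name://version' form)."""
    return runtime.split("://", 1)[0].strip().lower()


def check_node(node):
    """Return a dict with eligibility, ransomware auto-enable, and reasons."""
    reasons = []
    name = runtime_name(node["runtime"])
    if name not in SUPPORTED_RUNTIMES:
        reasons.append(f"runtime '{name}' is not in the supported list")
    agent = node.get("agent")
    if not agent:
        reasons.append("agent not installed")
    eligible = not reasons
    auto = False
    if eligible:
        minimum = MIN_AGENT[node["os"]]
        auto = parse_version(agent) >= minimum
        if not auto:
            floor = ".".join(map(str, minimum))
            reasons.append(f"agent {agent} < {floor}: ransomware prevention not automatic")
    return {"node": node["name"], "eligible": eligible,
            "ransomware_auto": auto, "reasons": reasons}


# Constructed inventory; names, versions and field names are hypothetical.
NODES = [
    {"name": "node-a", "os": "linux", "runtime": "containerd://1.6.14", "agent": "3.2.10"},
    {"name": "node-b", "os": "linux", "runtime": "docker://20.10.21", "agent": "3.2.9"},
    {"name": "node-c", "os": "linux", "runtime": "rkt://1.30.0", "agent": "3.2.12"},
    {"name": "node-d", "os": "windows", "runtime": "Docker", "agent": "4.0.22"},
    {"name": "node-e", "os": "linux", "runtime": "cri-o://1.25.1", "agent": None},
]

if __name__ == "__main__":
    for n in NODES:
        print(check_node(n))
```

Versions are compared as integer tuples because a plain string comparison would rank 3.2.9 above 3.2.10 and wrongly report ransomware prevention as automatic on node-b.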

Viewing Scan Details

After server protection is enabled, HSS will immediately perform a comprehensive scan on the server. It may take a long time. After the scan is complete, you can check its details.

  1. Choose Asset Management > Servers & Quota. Locate the server on the Servers tab page.
  2. Check the Risk Level column of the server.

    Table 1 Risk status

    | Status | Description |
    |---|---|
    | Pending risk detection | The server is neither protected nor scanned. |
    | Safe | No risks were found in the comprehensive scan on the server; or the protection has just been enabled, and no risks have been found yet. |
    | Risky | The server has security risks. |

  3. Hover the cursor over the risk status to view the risk distribution.

    You can click a value to go to the details page.

Follow-up Operations

HSS provides container protection functions for you to enable as needed. For more information, see Manual configuration.

Table 2 Manual configuration

| Type | Function | Reference |
|---|---|---|
| Security configuration | Common login location/IP address; SSH login IP address whitelist; Isolating and killing malicious programs | Common Security Configuration |
| Server Protection | Application protection; Ransomware prevention; Application process control; File integrity management; Antivirus; Dynamic port honeypot | Server Protection |
| Container protection | Container firewall; Container cluster protection | Container Protection |
| Policy management | Policy management includes asset management, baseline inspection, intrusion detection, and self-protection policies. The intrusion detection policy is disabled by default. You can enable it as needed. If the configuration of a policy does not meet your requirements, you can modify it as needed. | Policy Management |