What built-in security features does CloudOS7.0's container cluster service have without the need to purchase additional container security products?
Cloud Platform Container Security Assurance Description
1. How to secure container images to prevent possible vulnerabilities, configuration flaws, or embedded malware:
· Integrate the Trivy image scanning tool to detect security risks in application images in a timely manner.
2. How to ensure the security of container image repositories, preventing insecure connections to the image repository, outdated images in the repository, and insufficient authentication and authorization restrictions that may lead to security risks:
· Based on the RBAC permission model, operations on the container image repository are managed effectively, and control over container image data is implemented through private and public repositories.
· Perform a security scan of the container images in the image repository to detect vulnerabilities in the images. At the same time, outdated images in the image repository are cleaned up automatically or manually in a timely manner. Set the access credentials of the image repository for specific users.
3. How to ensure the security of orchestration tools and prevent container security risks caused by problems such as incomplete management access restrictions, unauthorized access, and poor network traffic isolation between containers:
· Access control: Effectively control access rights of users and platform application tools by managing all organizations in the system, such as creating, editing, or deleting organizations.
· Network traffic isolation: Use Namespaces to isolate traffic from different applications, and configure Network Policy to define and isolate network traffic between containers to prevent unauthorized communication between them.
4. How to ensure the security of containers, given that vulnerabilities in runtime software, unrestricted container network access, insecure container runtime configurations, application vulnerabilities, and rogue containers may all pose security risks:
· By integrating SonarQube, application code quality is checked to avoid code defects, vulnerabilities, and code smells that introduce security risks.
· Ensure that container IP addresses and routing are controlled through the cluster network plug-in.
· Network access is restricted by configuring Network Policy ingress and egress rules for containers.
5. How to ensure the security of the host operating system, preventing vulnerabilities in the shared kernel and host operating system components from affecting container security, improper user access rights, tampering with the host operating system file system, Docker kernel attack protection measures, whether sockets are enabled or shared, etc.:
· First, through the cloud management platform, authorized users use the container node template to perform supporting operating system security settings, patch upgrades, and other operations; all operations can be audited, and front-end users have no right to perform them.
· Second, ensure runtime security through container image scanning, container environment detection, and abnormal process behavior detection.
· Third, set the container to run as a non-root user and restrict the permissions of processes inside the container.
6. How to ensure the normal operation of Docker, Kubernetes, and other technologies and tools that containerized deployments rely on in the event of failures or upgrades:
· Kubernetes itself is a three-node deployment, and a single-node failure does not affect the application.
7. The resource allocation and guarantee mechanism of the host machine:
· Resource allocation and guarantee are based on the labeling of container nodes and on the affinity and anti-affinity between containers and resources during deployment.
8. How to control data sharing and management between containers:
· Based on static volumes and dynamic volumes, multi-node reading and writing of data can be realized through file storage and object storage.
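The answer above names three Kubernetes-level controls without showing what they look like: Namespace plus Network Policy isolation of container traffic (points 3 and 4), running containers as a non-root user with restricted process permissions (point 5), and anti-affinity so that one node failure does not take an application down (points 6 and 7). The manifest below is an added example written for this page; it is not CloudOS code and does not come from the original post. The namespace "shop", the tier labels (web, api, db), the UID 10001, the ports and the image reference "registry.example.internal/shop/api:1.4.2" are all assumed placeholders.

```yaml
# Added example, not CloudOS/H3C code. Every name, label, port, UID and image
# reference below is an assumed placeholder chosen for illustration.
---
# 1. Isolate the namespace: deny all ingress and egress by default, so any
#    communication between containers must be explicitly allowed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop
spec:
  podSelector: {}          # empty selector selects every pod in the namespace
  policyTypes:
    - Ingress
    - Egress
---
# 2. Allow only the "web" tier to reach the "api" tier on 8080, and let "api"
#    pods resolve DNS in kube-system and reach the "db" tier on 5432.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: web
      ports:
        - protocol: TCP
          port: 8080
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
    - to:
        - podSelector:
            matchLabels:
              app: db
      ports:
        - protocol: TCP
          port: 5432
---
# 3. Run the API as a non-root user with a locked-down process environment and
#    spread the replicas across nodes (one replica per node).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: shop
spec:
  replicas: 3
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      securityContext:
        runAsNonRoot: true      # kubelet refuses to start the pod if the image would run as UID 0
        runAsUser: 10001        # assumed unprivileged UID baked into the image
        seccompProfile:
          type: RuntimeDefault
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app: api
              topologyKey: kubernetes.io/hostname   # never co-locate two api replicas on one node
      containers:
        - name: api
          image: registry.example.internal/shop/api:1.4.2   # placeholder image reference
          ports:
            - containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false   # blocks setuid binaries from gaining privileges
            readOnlyRootFilesystem: true      # tampering with the container filesystem fails
            capabilities:
              drop: ["ALL"]                   # no Linux capabilities for the process
```

Apply it with `kubectl apply -f` and confirm with `kubectl get networkpolicy -n shop` and `kubectl get pods -n shop -o wide` (the three replicas should land on three different nodes). Two points worth checking in practice: Network Policy objects are only enforced when the cluster network plug-in supports them, otherwise the API server accepts the policy and the traffic still flows, which is why the answer ties IP and route control to the network plug-in; and once default-deny egress is in place, every tier that needs DNS needs its own allowance like the one shown for the api pods, or name resolution inside those containers breaks.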
The customer has no additional funds to purchase container security services.