Cluster Check

Last updated: 2024-01-23 15:44:44
The security check feature provides the security checklist, cluster risk statistics, security check details, and check item management. It allows installing the scanner for specified clusters, performing risk checks, and viewing cluster risk details.

Installing the Scanner

1. Log in to the TCSS console and click Cluster Risk Management > Security Check on the left sidebar.
2. The Security Check page syncs clusters on a preset schedule every hour. Click Sync assets to manually sync clusters.
Note:
Currently, the security checklist applies to the sync of TKE managed and self-deployed clusters.
The first time you use cluster security, you need to click Sync assets manually once; after that, the system syncs the assets automatically.

3. On the Security Check page, install the component for a single or multiple clusters.
Single: Select the target Cluster ID and click Install scanner or Install component.

Multiple: Select the target Cluster IDs and click Install component.

4. In the pop-up window, click OK.
5. After the confirmation, the system will deploy the DaemonSet component on all nodes in the cluster. The scanner will be in the Running status after the installation.
Note:
When the scanner is installed, the cluster-security-defender DaemonSet workload will be installed in the kube-system namespace of the cluster. To execute a cluster security check, make sure that the DaemonSet workload runs normally.
The DaemonSet doesn't affect cluster operation or performance. It is subject to the following resource limits:
CPU: 100–250 MB
MEM: 100–250 MiB
To delete the scanner, log in to the TKE console, click Workload on the Cluster details page, select DaemonSet, select cluster-security-defender in the kube-system namespace, and click More > Delete in the Operation column.
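
One way to confirm from the command line that the scanner workload described in the note above runs normally (an added example, not Tencent Cloud's own tooling). It inspects the JSON that kubectl returns for the cluster-security-defender DaemonSet; the sample object, its container name, and its limit values are constructed for illustration.

```python
import json
import sys

# Constructed sample, trimmed to the fields used below. Real input comes from:
#   kubectl -n kube-system get daemonset cluster-security-defender -o json
SAMPLE = json.loads("""
{
  "metadata": {"namespace": "kube-system", "name": "cluster-security-defender"},
  "spec": {"template": {"spec": {"containers": [
    {"name": "scanner", "resources": {"limits": {"cpu": "250m", "memory": "250Mi"}}}
  ]}}},
  "status": {"desiredNumberScheduled": 3, "currentNumberScheduled": 3,
             "numberReady": 2, "numberUnavailable": 1, "numberMisscheduled": 0}
}
""")

def scanner_problems(ds):
    """Return a list of reasons the scanner DaemonSet is not running normally."""
    meta, status = ds.get("metadata", {}), ds.get("status", {})
    problems = []
    if (meta.get("namespace"), meta.get("name")) != ("kube-system", "cluster-security-defender"):
        problems.append("not the cluster-security-defender DaemonSet in kube-system")
    desired = status.get("desiredNumberScheduled", 0)
    ready = status.get("numberReady", 0)
    if desired == 0:
        problems.append("no node is scheduled to run the scanner")
    if ready < desired:
        problems.append(f"only {ready} of {desired} scanner pods are ready")
    if status.get("numberMisscheduled", 0) > 0:
        problems.append("scanner pods are running on nodes that should not have them")
    containers = ds.get("spec", {}).get("template", {}).get("spec", {}).get("containers", [])
    for c in containers:
        # A container without limits is not bound by the resource caps the note mentions.
        limits = c.get("resources", {}).get("limits", {})
        missing = [r for r in ("cpu", "memory") if r not in limits]
        if missing:
            problems.append(f"container {c.get('name')} has no {'/'.join(missing)} limit")
    return problems

if __name__ == "__main__":
    # Pipe kubectl JSON on stdin, or run with no input to use the sample.
    ds = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    found = scanner_problems(ds)
    print("\n".join(found) if found else "scanner DaemonSet is running normally")
    sys.exit(1 if found else 0)
```

An empty result means every scheduled node has a ready scanner pod; the script exits non-zero otherwise, so it can gate a scheduled job that runs before a cluster security check.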

Performing a Security Check

On the Security Check page, the system will automatically perform a check after the scanner is installed successfully. You can specify a cluster and click Check again, or specify multiple clusters and click Batch check.
Note:
The scanner is not installed by default and needs to be installed before a scan is performed.


Viewing the Security Check Result

1. On the Security Check page, the Statistics card displays the total number of clusters and the numbers of clusters involving no risks and those not checked.

2. The Cluster risks card displays the numbers of risky clusters and clusters involving critical risks, high risks, medium risks, and low risks.

3. On the Security Check page, click View details in the Operation column of the cluster list to enter the Cluster risk details page.

4. The Cluster risk details page displays all identified cluster risks, cluster details, and risk details of the current cluster.

5. On the risk details list, select the target check item and click View details to enter the Risk check item details page.

6. The Risk check item details page displays the risk details, description, solution, and affected assets in the current cluster.

Enabling Automatic Check

Enabling automatic check for a single cluster

1. On the Security Check page, select the target cluster and toggle on the automatic check switch.

2. In the pop-up window, click OK.
Note:
After the confirmation, automatic check will be enabled and performed as follows:
Nodes newly added to the cluster will be automatically checked.
The cluster will be checked at midnight every day.

Enabling automatic check for multiple clusters

On the Security Check page, select multiple clusters and click Batch check.
Note:
Automatic security check is disabled by default and can be enabled for the following check items:
Nodes newly added to the cluster will be automatically checked.
The cluster will be checked at midnight every day.

Managing Security Check Items

1. On the Security Check page, click Check item management in the top-right corner.
2. On the check item settings page, the list of check items displays all check items of a security check performed by the system. Click View details to view the check item details.

