Container Escape

Last updated: 2024-01-23 15:44:44

    Event List

    Viewing the security and monitoring status

    1. Log in to the TCSS console and click Runtime Security > Container Escape on the left sidebar.
    2. On the Container Escape page, the security status module displays whether a container escape event exists. If one exists, we recommend you process it immediately.
    3. On the Container Escape page, the monitoring status module displays the container escape event types that the system can check. Toggle on the switch of an event type to customize the monitoring status.

    Viewing the list of container escapes

    Log in to the TCSS console and click Runtime Security > Container Escape on the left sidebar.

    Filtering and refreshing container escapes

    1. On the Container Escape page, click the search box and search for container escape events by keyword, such as container name, image name, or server name.
    2. On the Container Escape page, click the refresh icon on the right of the Operation column to refresh the container escape events.

    Exporting a container escape

    On the Container Escape page, select the target container escape event and click the export icon to export it.
    Note:
    You can select multiple events and click the export icon to batch export them.

    Event status processing

    On the Container Escape page, you can mark a container escape event as processed, ignore it, or delete it.
    Mark as processed: Select the target container escape event and click Mark as processed > OK.
    Note:
    We recommend handling the event by following the "Solution" in the event details before marking it as processed.
    Ignore: Select the target container escape event and click Ignore > OK.
    Note:
    Only the selected events are ignored. Alerts will be triggered again when the same events occur again.
    Delete: Select the target container escape event and click Delete > OK.
    Note:
    The selected event record will no longer be displayed in the console and cannot be recovered once deleted. Proceed with caution.

    Viewing list details

    1. On the Container Escape page, click the expand icon on the left of Event type to view the event description.
    2. On the Container Escape page, click the Container name/ID or Image name/ID to go to the asset management list.
    3. On the Container Escape page, click View details to open the drawer on the right, which displays the event details, process information, and event description.
    4. On the Container Escape page, the event status can be Processed, Ignored, or Pending resolved. You can handle events in each status as follows:
    Processed: Click Delete and click OK in the pop-up window.
    Note:
    The event record will no longer be displayed in the console and cannot be recovered once deleted. Proceed with caution.
    Pending resolved: Click Process now to mark the event as processed, ignore it, or delete it. For detailed directions, see Event status processing.
    Ignored: Click Unignore to return the event to the Pending resolved status, or click Delete to delete it.

    Custom list management

    1. On the Container Escape page, click the custom list icon to open the Custom List Management window.
    2. In the pop-up window, select the target type and click OK.
    Fields in the list
    1. Event type: Type of the container escape event, which can be host file access escape, mount namespace escape, program privilege escalation, privileged container startup escape, sensitive path mounts, or syscall escape.
    2. First occurred: The time when an alert was first triggered by the escape event.
    Note:
    By default, the system aggregates identical escape events that have not been processed.
    3. Last occurred: The time when an alert was last triggered by the aggregated alert events. You can click the sort button on the right to sort the events in the list in chronological or reverse chronological order.
    4. Events: Total number of alerts triggered by the escape event within the aggregation period.
    5. Status: Processed, Ignored, Pending resolved, or Allowed. You can quickly filter events in the list by status.

    Escape Allowlist

    When troubleshooting a container escape alert, for example, when a business container must start in privileged mode, mount a sensitive path, or use another configuration that triggers an escape alert, you can add the alert event to the allowlist or create an allowlist policy on the Allowlist policies tab.

    Adding an alert event to the allowlist

    1. On the Container Escape page, click Process, select Add to allowlist, and click OK to allow an alert event.
    Note:
    If you are sure that this container escape event is normal, add the images associated with the container to the allowlist. This kind of escape event will no longer trigger alerts.
    2. On the Add allowed images page, the escape alert type and source image associated with the alert event are selected by default. You can add further allowed event types and images to the allowlist and click OK.
    3. To add all images to the allowlist for an event type, click Monitoring settings on the right of the Monitoring status and adjust the event types with monitoring enabled.

    Allowlist policies

    You can batch add images to the allowlist on the Allowlist policies tab to avoid further alerts.

    Adding to the allowlist

    1. On the Container Escape > Allowlist policies page, click Add allowed policies.
    2. On the Add allowed images page, select the allowed event types and images and click OK.
    3. The list of allowlist policies is managed by image ID and displays the allowed event types of each image. For example, if three images are added to the allowlist, the list is updated with their three records.

    Editing the allowlist

    Edit the allowlist for an image
    1.1 On the Container Escape > Allowlist policies page, click Edit allowed types in the Operation column of the target image.
    1.2 In the Edit allowed event types pop-up window, change the allowed event types and click Save.
    Edit the allowlist for multiple images
    To change the allowed event types to the same types for multiple images, take the following steps:
    1.1 On the Container Escape > Allowlist policies page, select one or multiple images and click Edit allowed types in the top-left corner.
    1.2 In the Edit allowed event types pop-up window, change the allowed event types and click Save.
    Note:
    After the event types are changed for the selected images, their previously set event types are cleared.

    Deleting an image from the allowlist

    1. On the Container Escape > Allowlist policies page, delete one or multiple allowed images.
    Deleting an allowed image: Select the target image and click Delete in the Operation column.
    Batch deleting allowed images: Select one or multiple images and click Delete in the top-left corner.
    2. In the pop-up window, click OK.
    Note:
    Alerts will be triggered again when this kind of escape event occurs.
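    As an added illustration (not Tencent Cloud code), the following Python model shows how the list fields described under Custom list management and the allowlist interact: identical unprocessed events are aggregated into one record with a growing Events count, Ignore suppresses only the selected record so a recurrence re-alerts, and an allowlisted (image, event type) pair is recorded with the Allowed status instead of raising an alert. The class and method names, the sample IDs, and the exact treatment of allowlisted events as Allowed records are assumptions.

```python
from dataclasses import dataclass

# Event types as listed on the page under "Fields in the list".
EVENT_TYPES = {"host file access escape", "mount namespace escape", "program privilege escalation",
               "privileged container startup escape", "sensitive path mounts", "syscall escape"}


@dataclass
class EscapeEvent:
    event_type: str
    image_id: str
    container_id: str
    first_occurred: int  # constructed: epoch seconds of the first alert
    last_occurred: int
    events: int = 1      # alerts aggregated into this record
    status: str = "Pending resolved"


class EscapeEventList:
    def __init__(self) -> None:
        self.events: list[EscapeEvent] = []
        self.allowlist: dict[str, set[str]] = {}  # image_id -> allowed event types

    def ingest(self, event_type: str, image_id: str, container_id: str, ts: int) -> EscapeEvent:
        if event_type not in EVENT_TYPES:
            raise ValueError(f"unknown escape event type: {event_type}")
        if event_type in self.allowlist.get(image_id, set()):  # allowlisted: recorded, no alert
            rec = EscapeEvent(event_type, image_id, container_id, ts, ts, status="Allowed")
        else:
            # The same unprocessed event again is aggregated instead of opening a second alert.
            for open_rec in self.pending():
                if (open_rec.event_type, open_rec.image_id, open_rec.container_id) == (event_type, image_id, container_id):
                    open_rec.events += 1
                    open_rec.last_occurred = max(open_rec.last_occurred, ts)
                    return open_rec
            rec = EscapeEvent(event_type, image_id, container_id, ts, ts)
        self.events.append(rec)
        return rec

    def pending(self) -> list[EscapeEvent]:
        return [e for e in self.events if e.status == "Pending resolved"]

    def ignore(self, rec: EscapeEvent) -> None:
        rec.status = "Ignored"  # only this record; a recurrence opens a fresh Pending alert

    def add_to_allowlist(self, rec: EscapeEvent) -> None:
        # Allowing from an alert: its event type and source image go into the allowlist.
        self.allowlist.setdefault(rec.image_id, set()).add(rec.event_type)
        rec.status = "Allowed"

    def set_allowed_types(self, image_ids: list[str], types: set[str]) -> None:
        for img in image_ids:  # editing allowed types replaces the previously set types
            self.allowlist[img] = set(types)
```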