Supports real-time monitoring of exceptional request behaviors of cluster APIs, and includes system policies and user-defined rules.
System Policy: Based on Tencent Cloud's security technology and multi-dimensional methods, it monitors exceptional request behaviors of cluster APIs through nine types of rules, including anonymous access, exceptional UA requests, anonymous permission change, credential acquisition, sensitive path mounts, command execution, exceptional scheduled task, static pod creation, and suspicious containers creation.
User-defined Rules: Supports custom exceptional request fields and specific effective ranges of K8s APIs, making it more flexible to meet actual business needs.
Event List
Log in to the TCSS console. In the left sidebar, click Advanced Prevention > Abnormal K8s API requests, and by default, you will enter the event list page. Security Status and Events Trend
For the security status, the pending exceptional request events of K8s APIs and the number of security events counted by high, medium, low, and note risks will be collected according to the security events reported by the system.
For the events trend, the security events trend over the past seven days will be collected based on the hit system rules and custom rules according to the security events reported by the system.
Event List
You can select the Last Occurred to view security events, or retrieve related events by cluster name or cluster ID. The fields in the event list include:
|
Hit Rules | Nine system rules and user-defined rules, including anonymous access, exceptional UA requests, anonymous permission change, credential acquisition, sensitive path mounts, command execution, exceptional scheduled task, static pod creation, and suspicious containers creation. |
Rule Type | System rules, and user-defined rules |
Threat Level | High, medium, low, and note |
Cluster Name/ID/Running Status | Display the cluster name, cluster ID, and cluster running status impacted by the security events. |
First Occurred | The time when this security event first occurred. |
Last Occurred | The time when this security event most recently occurred. |
Alarms | The system aggregates pending security events by cluster name, cluster ID, hit rules, and request logs. And the system displays them with an aggregation cycle of every day. |
Status | Pending, processed, ignored, and allowlisted |
Operation | Click details to view event details. |
Viewing Details
In the event list, click details to view event details. Details include event details, cluster name/ID, cluster runtime components, risk description, recommended solution, exceptional request information, and JSON logs.
Processing the Event
1. In the event list, click Process. You can select to mark the event as processed, add it to the allowlist, ignore it, or delete the records. Click Confirm.
2. In the secondary confirmation window, perform the following actions:
Mark as processed: It is recommended to process the event risk by following the solutions in the event details, and click OK. After processing, you can mark the event as processed.
Add to the allowlist: Configure relevant parameters, and click OK.
Note:
If you confirm that the K8s APIs request is a normal behavior, you can add it to the allowlist allow rules. Subsequent occurrences of this request will then be allowed to pass through without triggering alarms. Proceed with caution.
When users add to the allowlist, the system will automatically fill in the fields that trigger alarms and the cluster based on the source event. If needed, you can manually adjust the effective fields and effective cluster range of the allowlist.
Ignore: Click OK to ignore only the selected events. Alarms will still be triggered if the same events occur again.
Delete log: Click OK, the selected event record will be deleted. It will no longer be displayed in the console, and cannot be recovered. Proceed with caution.
Rule Configuration
Log in to the TCSS console. In the left sidebar, click Advanced Prevention > Abnormal K8s API Requests > Rule configuration to enter the rule configuration page. System Rules
On the rule configuration page, enable or disable system rules and custom rules. Click Rule name to view all types of system rules, as shown in the figure below. Users can also disable certain types of system rules through this page.
Custom Rules
In addition to the system rules provided by the TCSS products, users can also create custom rules.
On the rule configuration page, click Create rule, configure the relevant parameters, and click Save.
|
Basic Configuration | Includes the name of custom rules and the switch for enabling or disabling the rules. |
Rule Configuration
| Configure the fields for alarms and allowlisting in this section. When configuring alarm fields, you also need to concurrently configure the threat level for the rules. When there are multiple configuration items, click Add rule at the bottom. To configure the specific content of a rule, click Edit in the matching range column. Rule configuration supports regular expressions. |
Effective Range | Users can select the custom effective cluster range for configuration rules. Note:Only one custom rule can be bound to the same cluster. If multiple detection rules need to be configured for one cluster, it is recommended to edit and add them within the same rule. |
TKE K8s Cluster Enabling the Audit Process
When the audit feature of the cluster is not enabled, the audit logs of the K8s APIs cannot be collected for risk detection.
Note:
After the cluster audit is enabled, CLS will bill according to your actual usage. For billing standards, see the CLS billing overview. 2. On the feature setting page, click Edit of the Cluster Auditing feature.
3. Check Enable Cluster Auditing, and click Confirm.
Was this page helpful?