ACK security enhancement-阿里云开发者社区

开发者社区> 阿里云容器服务 ACK> 正文

ACK security enhancement

简介: Brief introduction on some security enhancement for ACK, including BYOK, AD/LDAP support, and collaboration with Vault and NeuVector


This is KMS provider plugin for Alibaba Cloud - Enable encryption at rest of Kubernetes secret backed by Alibaba Cloud Key Management Service

Here let us verify the secret encryption on ACK cluster.

Firstly create one ACK cluster on Alibaba Cloud Container Service console, refine the apiserver configuration and install the ack-kms-plugin successfully:


then create a test secret and use etcdctl to fetch and check if the secret data is encrypted as below:


also the secret data should be decode when an authorized user using kubectl to get the secret value as:




Alibaba Cloud RAM user can upload the metadata file provided by external IdP and enable SAML-based Single Sign-On. It supports SAML 2.0 standard and enables you to log on to Alibaba Cloud from the local account system of your enterprise. Here we give Microsoft AD as an example:


then enable sso status and upload the target metadata xml file:


config the AD FS to trust RAM as SAML SP


add claim rules:


then user can login from Alibaba Cloud RAM page and the browser would auto skip to the target AD login page as:


after AD auth the user success, it would redirect back to Alibaba Cloud console as:


Besides, Alibaba Cloud Container Service support to deploy KeyCloak with helm charts, which comes with a built-in LDAP/AD provider in user application side.




NeuVector, the leader in Kubernetes security delivering the first and only multi-vector container firewall, had annouced the partnership with Alibaba Cloud to strengthen Kubernetes security for enterprise customers. see

NeuVector’s platform includes these key features:

  • Support throughout the entire DevOps container deployment lifecycle, from build to ship to run.
  • Security automation, starting with a Jenkins plug-in for vulnerability scanning during the build process.
  • Container registries such as the Alibaba Cloud Container Registry can be configured so that any new images in a repository will be automatically scanned by NeuVector.
  • Kubernetes and Docker CIS benchmarks will test host and container configurations before and after production deployments.
  • Run-time security is delivered by the unique, cloud-native Layer-7 container firewall that combines deep packet inspection (DPI) of east-west traffic with container inspection and host security to detect and prevent attacks at multiple points in the kill chain.

the detail please refer to



Vault is a famous open-source product for manage secret and protect sensitive secret, and Alibaba Cloud has also integrated into its dynamic infrastructure.

Vault treats AliCloud as a Trusted Third Party and uses a special Alibaba Cloud request signed with private credentials for its auth system:

also it support dynamic generate, store and encrypt Alibaba Cloud access tokens based on RAM policies as

Besides, Alibaba Cloud Container Service support to deploy Vault in app-catalog, which help customers friendly deploy it based on official helm charts.



阿里云容器服务 ACK
+ 订阅