Protect Your Cloud-Native Applications with Three Kubernetes-Native Controls

As more and more enterprises adopt container technology, they face a major challenge: how do you secure containerized applications? Compared with storage, networking and monitoring, security is often the item that sits in the backlog the longest. Add the need to train staff on Kubernetes, and attention to security lags far behind. In fact, a survey published by The New Stack found that nearly 50% of Kubernetes users say security is the top problem they have not yet solved.

In this article we look at the security threats Kubernetes faces, show best practices for protecting a cluster, and then introduce several useful tools that help developers keep their clusters secure. These tools are:

- Rancher Kubernetes Engine (RKE), for declarative deployment
- KubeLinter, for developer-centric security checks
- StackRox, for enforcing security policies at build, deploy and run time

## The tools

### Rancher Kubernetes Engine (RKE)

RKE is a CNCF-certified Kubernetes distribution that runs entirely inside Docker containers. It solves the problem of overly complex Kubernetes installation by removing most host dependencies and providing a stable path for deployment, upgrade and rollback. RKE uses a declarative YAML file to configure and create the Kubernetes environment, which makes local or remote environments reproducible.

### KubeLinter

KubeLinter is a static analysis tool that inspects Kubernetes YAML files to make sure the declared application configuration adheres to best practices. It is StackRox's first open-source tool, built for running security checks from the command line and as part of a CI pipeline. KubeLinter is a single binary that takes paths to YAML files and runs a series of checks against them. Administrators and developers can create their own policies to enforce, enabling faster, more automated deployments.

### StackRox

The StackRox Kubernetes Security Platform protects critical applications across build, deploy and run time. StackRox deploys in your infrastructure and integrates with your DevOps tools and workflows to provide frictionless security and compliance. The StackRox Policy Engine includes hundreds of built-in controls that enforce DevOps and security best practices, industry standards such as the CIS Benchmarks and NIST, configuration management for containers and Kubernetes, and runtime security. StackRox profiles your workloads so that you can make informed decisions about their security.

### Using them together

RKE, KubeLinter and StackRox let you deploy reproducible, secure clusters, visualize configuration and access-control weaknesses, and create declarative security policies. Next, let's look at how these applications work together to address security threats.

## Assessing security risk

Let's first look at the Kubernetes attack vectors. Microsoft recently published a Kubernetes attack matrix based on the MITRE ATT&CK framework:

https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/

![image](https://static001.geekbang.org/infoq/56/563830ddd779e98db033bae7b6bc7093.jpeg)

The framework is tailored to Kubernetes and based on real-world observations and cases. Fortunately, there are strategies that mitigate each of these different issues. First, we can start by hardening our Kubernetes control plane. After that, we shift our focus to securing the container workloads we run.

## Control plane hardening

The Kubernetes control plane consists of the following components:

- Kubernetes API Server
- kube-scheduler
- kube-controller-manager
- etcd (where applicable)
- cloud-controller-manager (where applicable)

etcd will usually be on the control plane nodes, but it can also live in a remote environment for high-availability use cases. The cloud-controller-manager is likewise installed in the provider's instance.

### Kubernetes API Server

The Kubernetes REST API server is the core component of the control plane. The server handles the REST API calls that carry all communication between the different components and users. That dependency makes securing the API Server the top concern. In earlier K8S versions, simply upgrading to a newer version fixed certain vulnerabilities. However, you also control the following hardening tasks:

- Enable role-based access control (RBAC)
- Ensure all API traffic is TLS-encrypted
- Enable audit logging
- Set up authentication for all K8S API clients

With a tool such as RKE, setting up a cluster in this declarative format is easy. Below is a snippet from a default RKE config.yml file. As you can see, we are able to enable audit logging, TLS (between Kubernetes components) and RBAC by default.

```yaml
kube-api:
  image: ""
  extra_args: {}
  extra_binds: []
  extra_env: []
  win_extra_args: {}
  win_extra_binds: []
  win_extra_env: []
  service_cluster_ip_range: 10.43.0.0/16
  service_node_port_range: ""
  pod_security_policy: false
  always_pull_images: false
  secrets_encryption_config: null
  audit_log: null
  admission_configuration: null
  event_rate_limit: null
…
authentication:
  strategy: x509
  sans: []
  webhook: null
…
authorization:
  mode: rbac
  options: {}
```
Setting up authentication for all K8S API clients is the challenge we face today. We need to apply a zero-trust model to the workloads running in our cluster.

### kube-scheduler

The default Kubernetes scheduler is pluggable, so you can build your own scheduler or set up multiple schedulers for different workloads. Whichever implementation you choose, it needs to be secured. The following tasks ensure that it is:

- Set a secure port for communication with the API Server
- Ensure the scheduler runs with the minimum required privileges (RBAC)
- Restrict the file permissions on the kube-scheduler pod specification and kubeconfig files

With RKE, we can secure the connection to the API server by verifying the default scheduler address (set to 127.0.0.1). We can also restrict file permissions by making sure the root user owns the scheduler YAML file:

```shell
stat -c %U:%G /etc/kubernetes/manifests/kube-scheduler.yaml
```

### kube-controller-manager

The Kubernetes system regulator, kube-controller-manager, is a daemon that regulates the system through the core control loops. Securing the controller takes a strategy similar to the scheduler's:

- Set a secure port for communication with the API Server
- Ensure the controller manager runs with the minimum required privileges (RBAC)
- Restrict the file permissions on the kube-controller-manager pod specification and kubeconfig files

As with the scheduler, we can make sure communication uses the local address (rather than an insecure loopback interface) and that the root user owns the controller YAML file:

```shell
stat -c %U:%G /etc/kubernetes/manifests/kube-controller-manager.yaml
```

### etcd

The last core component of the control plane is its key-value store, etcd. All Kubernetes objects live in etcd, which means all of your configuration and secrets are stored here. The best practice is to use a separate secrets-management solution (such as HashiCorp Vault or a cloud provider's key management service) to encrypt secrets or manage secret material. When managing the database, keep the following key factors in mind:

- Restrict read/write access to the database
- Encryption

We want to limit any update or change to manifests to the services that are allowed access. RBAC controls combined with a zero-trust model will get you started. Finally, using etcd encryption can be cumbersome. Because of that, Rancher takes a unique approach: it generates the key in the initial cluster configuration. Kubernetes has a similar strategy, although the file holding the key also needs to be secured. Your enterprise's security requirements will determine where and how you protect sensitive information.

### cloud-controller-manager

The cloud-controller-manager is unique to cloud providers, and to distributions that need the cluster to communicate with the provider's API. When a cloud provider is used, administrators have no access to their cluster's master nodes, so they cannot run the hardening steps mentioned earlier.

## Securing workloads with Kubernetes-native controls

Now that our control plane is secured, it is time to look at the applications we run in Kubernetes. As in the previous section, let's break security down into the following areas:

- Container image security
- Runtime
- Persistence
- Networking
- Role-based access control (RBAC)

In the following sections we dig into the considerations for each area.

### Container image security

Managing containers before they are used is the first hurdle in container adoption. To begin with, we need to consider:

- Choice of base image
- Update frequency
- Non-essential software
- Accessible build/CI tools

Most important is choosing a secure base image, limiting unnecessary packages and securing the image registry. Today most registries have built-in image scanning, which makes this easy. The StackRox Kubernetes Security Platform automatically scans the images used to launch containers and identifies security issues (including vulnerabilities and problematic packages) in the image layers, separately from the underlying base operating system (OS) image.

![image](https://static001.geekbang.org/infoq/22/22a8af61620aa13f1842f20cefcee890.png)

To learn more, see the following article:

https://www.stackrox.com/post/2020/04/container-image-security-beyond-vulnerability-scanning/

### Runtime

Runtime security spans different Kubernetes features, and the core goal is to ensure that our workloads are secure. Pod Security Policies can protect containers by controlling:

- Linux capabilities
- The container's SELinux context
- Use of host networking and ports
- Use of the host filesystem
- The container's user and group IDs

Remember the zero-trust approach applied to the system: capabilities should be set so that a container has the minimum it needs to function at runtime. For better visibility, StackRox risk profiling automatically identifies which containers contain tools useful to an attacker, including bash. It also alerts on the use of suspicious tools, and monitors, detects and alerts on runtime activity such as abnormal or unexpected processes executing inside a container.

![image](https://static001.geekbang.org/infoq/8f/8f69b0e1c23b44f2cd1510c6b900d90b.png)
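The Pod Security Policy controls listed above (host namespaces and ports, host filesystem, capabilities, privileged mode, container user) are the kind of thing KubeLinter checks statically before deployment. The following is an added example of such checks written for this article; it is not KubeLinter's or StackRox's code, takes the Pod spec as a dict (as you would get from parsing the YAML), and the two sample specs and the allowed-capability list are constructed assumptions.

```python
"""KubeLinter-style static checks for a Pod spec (added example, not KubeLinter's code)."""
from typing import Any, Dict, List

# Capabilities a container may add explicitly (assumed policy); anything else is flagged.
ALLOWED_ADD_CAPS = {"NET_BIND_SERVICE"}


def lint_pod_spec(spec: Dict[str, Any]) -> List[str]:
    """Return findings for one Pod spec (a dict as parsed from YAML), covering host
    namespaces and ports, host filesystem, Linux capabilities, privileged mode and
    the user the container runs as."""
    findings: List[str] = []

    # Sharing host namespaces exposes host processes, IPC and network to the pod.
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append(f"pod: {key} is enabled")

    # hostPath volumes expose the node filesystem; writable mounts are flagged below.
    host_paths = {v["name"] for v in spec.get("volumes", []) if "hostPath" in v}
    for name in sorted(host_paths):
        findings.append(f"volume {name}: hostPath volume")

    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = c["name"]
        # Simplified merge: pod-level settings apply unless the container overrides them.
        sc = {**pod_sc, **c.get("securityContext", {})}
        if sc.get("privileged"):
            findings.append(f"container {cname}: privileged")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"container {cname}: allowPrivilegeEscalation not false")
        if not sc.get("runAsNonRoot") or sc.get("runAsUser") == 0:
            findings.append(f"container {cname}: may run as root")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"container {cname}: root filesystem writable")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"container {cname}: does not drop ALL capabilities")
        for cap in caps.get("add", []):
            if cap not in ALLOWED_ADD_CAPS:
                findings.append(f"container {cname}: adds capability {cap}")
        for port in c.get("ports", []):
            if "hostPort" in port:
                findings.append(f"container {cname}: uses hostPort {port['hostPort']}")
        for m in c.get("volumeMounts", []):
            if m["name"] in host_paths and not m.get("readOnly"):
                findings.append(f"container {cname}: writable hostPath mount {m['name']}")
    return findings


# Constructed sample specs (not from the article): one risky, one hardened.
RISKY_POD = {
    "hostNetwork": True,
    "volumes": [{"name": "host-data", "hostPath": {"path": "/data"}}],
    "containers": [{
        "name": "app",
        "ports": [{"containerPort": 8080, "hostPort": 8080}],
        "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
        "volumeMounts": [{"name": "host-data", "mountPath": "/data"}],
    }],
}
HARDENED_POD = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
    "volumes": [{"name": "cache", "emptyDir": {}}],
    "containers": [{
        "name": "app",
        "ports": [{"containerPort": 8080}],
        "securityContext": {
            "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
        },
        "volumeMounts": [{"name": "cache", "mountPath": "/tmp"}],
    }],
}
```

Running `lint_pod_spec(RISKY_POD)` reports ten findings, while the hardened spec reports none, which is the gate a CI step would enforce.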
### Persistence

Running stateful workloads in Kubernetes creates a back door into your containers. By attaching storage, and potentially exposing executables or information to containers that should not have access to them, the likelihood of attack increases greatly. Kubernetes best practices ensure that stateful workloads run with the minimum privileges required. Other considerations include:

- Use namespaces as the natural boundary for storage
- No privileged containers
- Use Pod Security Policies to restrict pod volume access

StackRox helps mitigate these threats by providing dynamic, policy-driven admission control as part of the StackRox platform. This lets enterprises automatically enforce security policies, including restrictions on host mounts and their writability, before containers are deployed to the Kubernetes cluster.

### Network access

Because of the lack of visibility into containers, network access is a hard challenge in Kubernetes. By default, network policies are disabled and every pod can reach every other pod on the Kubernetes network. Without this default, newcomers would struggle to get started. As the organization matures, we should work to lock down all traffic except what we deem necessary. This can be done with network policies configured per namespace, and it is important to pay attention to the following:

- Use namespaces as the natural boundary for network policies
- Enable a default deny policy in every namespace
- Use network policies specific to the traffic each pod needs

One of the major challenges with network policies is visualization. StackRox helps prevent network mapping by monitoring the active network traffic between pods and automatically generating and configuring network policies that restrict communication to what the application components need to operate.

![image](https://static001.geekbang.org/infoq/9f/9f04653374228a6b23baee32d73601b9.jpeg)
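The approach described above, turning observed pod-to-pod traffic into a per-namespace default deny plus one allow policy per destination, is shown here as an added example written for this article; it is not StackRox's implementation. The observed flows are constructed, the workloads are assumed to be labelled `app`, and cross-namespace sources are matched through the `kubernetes.io/metadata.name` namespace label (set automatically on namespaces from Kubernetes 1.21; assumed present here).

```python
"""Generate NetworkPolicy objects from observed pod-to-pod flows (added example)."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# One observed flow: (source namespace, source app label, destination namespace,
# destination app label, destination TCP port). Constructed sample, not real traffic.
Flow = Tuple[str, str, str, str, int]
OBSERVED_FLOWS: List[Flow] = [
    ("shop", "frontend", "shop", "api", 8080),
    ("shop", "api", "shop", "db", 5432),
    ("monitoring", "prometheus", "shop", "api", 9090),
    ("shop", "frontend", "shop", "api", 8080),  # duplicate observation, deduplicated
]


def default_deny_policy(namespace: str) -> dict:
    """Default-deny ingress policy: selects every pod in the namespace, allows nothing."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "default-deny-ingress", "namespace": namespace},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
    }


def generate_policies(flows: List[Flow]) -> Dict[str, List[dict]]:
    """Return {namespace: [policies]}: a default deny for every namespace that received
    traffic, plus one allow policy per destination app listing only the observed
    sources and ports. Pods with no observed ingress stay covered by the deny."""
    # (dst_ns, dst_app) -> {(src_ns, src_app, port)}
    peers: Dict[Tuple[str, str], Set[Tuple[str, str, int]]] = defaultdict(set)
    for src_ns, src_app, dst_ns, dst_app, port in flows:
        peers[(dst_ns, dst_app)].add((src_ns, src_app, port))

    policies: Dict[str, List[dict]] = defaultdict(list)
    for ns in sorted({dst_ns for dst_ns, _ in peers}):
        policies[ns].append(default_deny_policy(ns))

    for (dst_ns, dst_app), sources in sorted(peers.items()):
        ingress = []
        for src_ns, src_app, port in sorted(sources):
            peer: dict = {"podSelector": {"matchLabels": {"app": src_app}}}
            if src_ns != dst_ns:
                # Cross-namespace source: also match the source namespace by its name label.
                peer["namespaceSelector"] = {
                    "matchLabels": {"kubernetes.io/metadata.name": src_ns}}
            ingress.append({"from": [peer], "ports": [{"protocol": "TCP", "port": port}]})
        policies[dst_ns].append({
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": f"allow-{dst_app}-ingress", "namespace": dst_ns},
            "spec": {"podSelector": {"matchLabels": {"app": dst_app}},
                     "policyTypes": ["Ingress"], "ingress": ingress},
        })
    return dict(policies)
```

The returned dicts serialize directly to YAML for review before they are applied; traffic that was never observed during the monitoring window (for example a monthly batch job) is the edge case to check by hand before turning the deny on.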
### Role-based access control (RBAC)

RBAC is at the core of cluster security. Kubernetes RBAC permissions are additive, so the only RBAC "vulnerability" is an administrator or user granting exploitable permissions. The most common problem we see is users holding cluster-admin rights when they should not. Fortunately, there are many RBAC best practices that help reduce such problems:

- Use different service accounts for different types of workloads, and apply the principle of least privilege.
- Regularly audit your cluster's RBAC configuration.
- Avoid overuse of cluster-admin.

RKE clusters use RBAC as the default authorization option at cluster setup. StackRox extends this default by helping enterprises restrict Kubernetes RBAC permissions according to the least privilege principle. We monitor the users and service accounts in the cluster's RBAC settings and identify accounts with excessive privileges on the cluster.

## Summary

Solving Kubernetes security on your own is challenging. In an enterprise, security concerns can easily get in the way of DevOps, leading teams to abandon security principles in the pursuit of delivery. It does not have to be that way. By proactively identifying threats and setting sensible policies, we shift security further left. We can evaluate where our time needs to go and avoid dragging down DevOps teams with extra workload.

Reposted from: RancherLabs (ID: RancherLabs)

Original link: [Protect Your Cloud-Native Applications with Three Kubernetes-Native Controls](https://mp.weixin.qq.com/s/9ReuccjuWkfyFmvDFNPMJg)
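The RBAC audit recommended in the RBAC section above (find subjects holding cluster-admin, roles with wildcard rules, and bindings on the default service account) can be done from the Role, ClusterRole and binding objects alone. The following is an added example written for this article, not StackRox's implementation; the RBAC objects are constructed and shaped like the items `kubectl get <kind> -o json` returns.

```python
"""Flag over-privileged RBAC subjects from Role/ClusterRole bindings (added example)."""
from typing import Dict, List, Tuple

# Constructed sample objects, shaped like items from `kubectl get <kind> -o json`.
RBAC_OBJECTS: List[dict] = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "ns-admin", "namespace": "shop"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "build"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "prometheus-read"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "prometheus", "namespace": "monitoring"}]},
    {"kind": "RoleBinding", "metadata": {"name": "default-admin", "namespace": "shop"},
     "roleRef": {"kind": "Role", "name": "ns-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "shop"}]},
]


def _has_wildcard(rules: List[dict]) -> bool:
    """True if any rule grants every verb or every resource."""
    return any("*" in r.get("verbs", []) or "*" in r.get("resources", []) for r in rules)


def audit_rbac(objects: List[dict]) -> List[str]:
    """Return sorted findings: subjects holding cluster-admin, subjects whose bound
    role contains wildcard rules, and bindings on the 'default' service account."""
    # (kind, namespace, name) -> rules; ClusterRoles use an empty namespace.
    roles: Dict[Tuple[str, str, str], List[dict]] = {
        (o["kind"], o["metadata"].get("namespace", ""), o["metadata"]["name"]): o.get("rules", [])
        for o in objects if o["kind"] in ("Role", "ClusterRole")}
    findings: List[str] = []
    for b in objects:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = b["roleRef"]
        # A RoleBinding's Role lives in the binding's own namespace.
        ns = b["metadata"].get("namespace", "") if ref["kind"] == "Role" else ""
        rules = roles.get((ref["kind"], ns, ref["name"]), [])
        where = f"{b['kind']} {b['metadata']['name']} ({ref['kind']} {ref['name']})"
        for s in b.get("subjects", []):
            who = f"{s['kind']} " + (f"{s['namespace']}/" if "namespace" in s else "") + s["name"]
            if b["kind"] == "ClusterRoleBinding" and ref["name"] == "cluster-admin":
                findings.append(f"{who}: cluster-admin via {where}")
            elif _has_wildcard(rules):
                findings.append(f"{who}: wildcard verbs or resources via {where}")
            if s["kind"] == "ServiceAccount" and s["name"] == "default":
                findings.append(f"{who}: default service account holds a binding via {where}")
    return sorted(findings)
```

The narrowly scoped `pod-reader` binding produces no finding, so the output is short enough to review on a schedule; aggregated ClusterRoles and group subjects are not expanded here and would need handling in a full audit.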