K8s Security Guide

When it comes to container deployment, Kubernetes can fairly be called the industry leader. According to [Statista](https://www.statista.com/statistics/1233945/kubernetes-adoption-level-organization/), about 46% of respondents said they use Kubernetes to automate the deployment, management and scaling of their applications.

Even so, security needs attention at every stage of the container lifecycle. During development and deployment we should take measures that mitigate known risks, including misconfigurations, and at runtime we should be able to respond quickly when a threat appears.

For that, an organization should have a thorough understanding of the K8s attack tree and its accompanying documentation. An attack tree is essentially a threat model presented as a tree view: it gives a detailed visualization of potential security threats and the corresponding mitigations.

We can use this threat model as a reference when checking for potential security weaknesses and when looking for the common attack vectors a hacker could exploit to damage the system. We can also use the attack tree to test the security of Kubernetes and to gain visibility into the logs produced when a security incident occurs.

The attack tree is not a cure-all, however. It covers only the security of Kubernetes itself and cannot guarantee end-to-end container security; any other applications and components added during the software deployment lifecycle fall outside its scope.

When we decide to run Kubernetes in production, we have to consider the security of the system as a whole. According to the guidance published by the [US National Security Agency](https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF) (NSA), common security threats include insider threats, deliberate attacks by malicious actors, and supply-chain risks.

This means we must establish Kubernetes security practices from the very start of a project, so that the [key areas of cloud infrastructure](https://www.magalix.com/blog/cloud-vulnerability-management-101-part-1-key-vulnerability-areas) and the cloud-native environment are better protected.

## Types of Kubernetes attacks

Attacks on Kubernetes fall roughly into three categories: external attackers, malicious containers, and compromised or malicious users.

### Category 1: external attackers

To avoid exposing services to untrusted networks, we also need to be careful about how controls such as management services are used. For example, an attacker with no cluster access and without going through any form of authentication could reach the applications running on the cluster directly over the network, and might even get access to their management interfaces.

### Category 2: malicious containers

If an attacker succeeds in compromising a container, their next step is to escalate their privileges and ultimately take over the whole cluster. If we have no effective way to stop them from obtaining full administrative rights over the cluster, there is little we can do but wait for the damage.

The mitigations for this risk are to make sure every port on the cluster network is visible to us, to require multi-factor authentication for all users, and to avoid mounting service accounts into containers; where that is unavoidable, make sure the account's permissions are restricted.

Using network policies, together with Magalix's "[Policy as Code](https://www.magalix.com/blog/what-is-policy-as-code)", we can restrict access to pods and namespaces.

### Category 3: compromised or malicious users

While we are busy dealing with a compromised account or a malicious user, the credentials the hacker stole remain valid, and they can still run commands against network access and the Kubernetes API. The strategy and best practice for mitigating this danger is to enforce "least privilege" and to apply role-based access control (RBAC) to every user.

## Main attack vectors

In 2020 the [CNCF Financial User Group](https://github.com/cncf/financial-user-group) published a threat-modeling exercise for a generic Kubernetes cluster. Its main contribution is a detailed diagram of the potential threats and their mitigations, plus a checklist that helps teams identify the common weaknesses and exploitable points inside a Kubernetes cluster.

![Image1](https://static001.geekbang.org/infoq/5e/5e7ffbc615eabf73e224948b117d06f9.png)

*Kubernetes trust boundaries, as provided by the CNCF*

Using the [STRIDE methodology](https://securityintelligence.com/articles/what-is-stride-threat-modeling-anticipate-cyberattacks/), the CNCF analyzed every element of the Kubernetes architecture and compiled a list of potential security issues within the platform. STRIDE is an acronym for six threat categories: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege.

Some of the main attack vectors are:

### Service tokens

A service token is normally mounted into every pod by default, so if a hacker breaks into any container, they can use that same credential to exploit the container further.

To mitigate this risk, we must establish strict RBAC policies and disable the automatic mounting of service tokens.

### Compromised containers

Remote-execution points inside the cluster are one of the main targets hackers concentrate on. Besides abusing service tokens, the other attack vectors include the network control plane that is exposed by default to every running container.

### Network endpoints

Protecting every Kubernetes endpoint from insider threats keeps hackers from exploiting the weak spots among these attack vectors. Note that once a hacker gets into a container, they gain access to the endpoints quickly, as long as the pod's network policy allows it.

### Denial of service (DoS)

Before the release of version 1.14 there were relatively few mitigation strategies for DoS attacks.

### RBAC problems

RBAC misconfigurations can be exploited and lead to data leakage, but development teams can use automated tools to validate and verify their policies.

## Attack trees

The CNCF Financial User Group proposed a set of [attack trees](https://github.com/cncf/financial-user-group/tree/master/projects/k8s-threat-model/AttackTrees) that can help identify the potential starting points of an attack inside a cluster, and described two workable approaches: 1. bottom-up; 2. scenario-based.

### The bottom-up approach

This approach works by finding every entry point into the Kubernetes platform. Through it we map out all the security controls and standards and gain a better understanding of their coverage.

### The scenario-based approach

This approach lets us identify the attack vectors exposed to a threat actor in a specific situation, and puts more of the focus on the more common attack vectors. Although the scenario-based approach borrows most of its detail from the bottom-up approach, it is grounded more firmly in real-world conditions.

Below is a summary of the attack trees published as open source on GitHub:

#### Bottom-up: [Execute malicious code](https://github.com/cncf/financial-user-group/blob/master/projects/k8s-threat-model/AttackTrees/pdfs/Kubernetes%20Attack%20Trees%20v1.4.malicious.pdf)

The usual goal is to execute malicious code on a cluster, but that means an application that provides access to a container must first be compromised.

Once a threat actor can access a container, however, they will load more malicious code into the environment. If the threat actor obtains permission to pull images, they may poison the repository and spread malicious code to other branches.

#### Bottom-up: [Establish persistence](https://github.com/cncf/financial-user-group/blob/master/projects/k8s-threat-model/AttackTrees/pdfs/Kubernetes%20Attack%20Trees%20v1.4-persistence.pdf)

The main goal of this attack tree is to explore the different ways a hacker can gain access to the cluster and to study how long each form of access lasts.

Here one branch concentrates on probing the secrets inside the cluster, letting the hacker discover other vulnerable areas. The other branch deals with the threat posed once a hacker has access to a container: the attacker exploits misconfigurations to try to establish access that persists across, and is resilient to, restarts of containers, nodes or pods.

#### Bottom-up: [Access sensitive data](https://github.com/cncf/financial-user-group/blob/master/projects/k8s-threat-model/AttackTrees/pdfs/Kubernetes%20Attack%20Trees%20v1.4.sensitive.data.pdf)

Most of the methods exploit misconfigured RBAC permissions to read secret data directly from the cluster; the rest obtain data in other ways, such as reading everything stored in the logs. These methods amount to much the same thing as eavesdropping on network traffic and communications.

#### Bottom-up: [Denial of service](https://github.com/cncf/financial-user-group/blob/master/projects/k8s-threat-model/AttackTrees/pdfs/Kubernetes%20Attack%20Trees%20v1.4.dos.pdf)

This attack tree analyzes the different methods an attacker uses to launch a DoS attack on the cluster. The first requires a compromised container as a precondition: the attacker attempts to launch the DoS from inside the cluster and exhaust all of its resources.

The second concerns a threat actor with network access to the cluster's control plane. The hacker tries to flood the most suitable endpoint, congesting the network and exhausting the target's resources.

#### Scenario 1: [A compromised application gives the hacker a foothold in a container](https://github.com/cncf/financial-user-group/blob/master/projects/k8s-threat-model/AttackTrees/pdfs/Kubernetes%20Attack%20Trees%20v1.4.scenario.compromised.pdf)

This scenario focuses on the attack vectors that may be exposed to a hacker after an application running inside a container has been exploited. Using these vectors, the hacker can execute code remotely inside the container through programmatic or shell access.

#### Scenario 2: [Attacks over the network](https://github.com/cncf/financial-user-group/blob/master/projects/k8s-threat-model/AttackTrees/pdfs/Kubernetes%20Attack%20Trees%20v1.4.scenario.network.pdf)

This scenario focuses on insider threats. An internal attacker with network access to the Kubernetes cluster can hold a range of user privileges without accessing the cluster directly. Proper Kubernetes configuration and firewalls, however, can quickly deal with most threats of this kind.

For more, see the [Kubernetes Security Audit Working Group](https://github.com/kubernetes/community/tree/master/wg-security-audit) and the [threat model](https://github.com/kubernetes/community/blob/master/wg-security-audit/findings/Kubernetes%20Threat%20Model.pdf) and [white paper](https://github.com/kubernetes/community/blob/master/wg-security-audit/findings/Kubernetes%20White%20Paper.pdf) they published summarizing their audit. Their attention covers every part of a Kubernetes cluster, and these documents are worth reading in full.

Other best practices and recommendations for Kubernetes security include:

- Always run pods and containers under a least-privilege policy (where possible).
- Require strong authentication and authorization protocols and limit administrator and user access (shrink the attack surface).
- Encrypt data to ensure confidentiality.
- Use firewalls to block unnecessary connections.
- Apply network separation controls to reduce the potential damage of an attack.
- Monitor container activity through log auditing.
- Review all settings regularly, use vulnerability scanners to identify potential risks, and install security patches.
- Scan pods and containers for misconfigurations or vulnerabilities.

## Protecting your K8s environment with "Policy as Code"

Managing Kubernetes and heading off the vectors hackers use takes a great deal of hands-on experience, configuration and ongoing maintenance, which even seasoned experts can find challenging. To address this, Magalix offers one of the largest extensible "Policy as Code" libraries, aimed at simplifying the complexity of managing a secure K8s environment.

These policies include:

- Containers should not run as root
- Containers should not share hostIPC
- Containers should not use hostPort
- Containers should not mount the Docker socket
- Containers should not lack a security context
- Containers should not lack a liveness probe
- Services should not use NodePort
- Wildcard verbs in RBAC are prohibited
- Cluster-admin privileges are protected through RBAC ClusterRoleBindings
- Containers should mount the root filesystem read-only

Magalix also provides a programmatic way to enforce "Policy as Code" standards [securely](https://www.magalix.com/airtight-security-as-code) and [in compliance with regulations](https://www.magalix.com/usecases/continuous-compliance-assessment), developer-centric and continuously complementing the deployment protocols of cloud-native applications. In this way every automated operation inside the cluster can be observed by monitoring changes to the repository.

Beyond that, a centralized development playbook lets "Policy as Code" run through the entire software development lifecycle, accelerating innovation without compromising security.

If development teams build their cloud-native applications following the recommendations in this article, the security of the environment is assured and users get a better experience.

**Original link**:

[Kubernetes Main Attack Vectors Tree: An Explainer Guide](https://www.cncf.io/blog/2021/11/08/kubernetes-main-attack-vectors-tree-an-explainer-guide/)
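The attack-tree sections above (the bottom-up approach that maps which controls cover which entry points, and the "access sensitive data" tree in particular) describe a tree of attacker steps with a mitigation attached to each. The following Python is an added example and is not the CNCF Financial User Group's attack trees or any tooling of theirs: it encodes a small AND/OR tree in the spirit of the sensitive-data tree, where each leaf carries the control that closes it, and then evaluates which goals remain reachable under a given set of deployed controls and which controls are still missing. The node names, the control names and the example tree are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set


@dataclass
class Node:
    """One node of an attack tree.

    A leaf is a single attacker step; an inner node is a sub-goal that is
    reached through ANY child (op="OR") or only through ALL children
    (op="AND"). A leaf with no mitigating control is always open.
    """
    name: str
    op: str = "OR"
    children: List["Node"] = field(default_factory=list)
    mitigated_by: FrozenSet[str] = frozenset()  # controls that close this leaf


def reachable(node: Node, controls: Set[str]) -> bool:
    """True if the goal at `node` is still attainable with `controls` deployed."""
    if not node.children:
        return not (node.mitigated_by & controls)
    results = [reachable(child, controls) for child in node.children]
    return all(results) if node.op == "AND" else any(results)


def open_leaves(node: Node, controls: Set[str]) -> List[Node]:
    """Leaf steps that still contribute to a reachable goal: the coverage gaps.

    Leaves under an AND node that is already closed by one mitigated child
    are not reported, because that path is blocked regardless.
    """
    if not reachable(node, controls):
        return []
    if not node.children:
        return [node]
    out: List[Node] = []
    for child in node.children:
        out.extend(open_leaves(child, controls))
    return out


def missing_controls(node: Node, controls: Set[str]) -> Set[str]:
    """Controls that would close the paths left open by `controls`."""
    return set().union(*(leaf.mitigated_by for leaf in open_leaves(node, controls)))


# Constructed example tree (not the CNCF tree): ways to read secrets from a cluster.
SECRETS_TREE = Node("Read secrets stored in the cluster", "OR", [
    Node("Read Secret objects through the API", "AND", [
        Node("Hold a credential the API server accepts", "OR", [
            Node("Auto-mounted service account token in a compromised pod",
                 mitigated_by=frozenset({"disable_token_automount"})),
            Node("Stolen user credential still valid",
                 mitigated_by=frozenset({"mfa_for_all_users"})),
        ]),
        Node("RBAC grants get/list on secrets",
             mitigated_by=frozenset({"least_privilege_rbac"})),
    ]),
    Node("Secrets written into application logs",
         mitigated_by=frozenset({"log_redaction"})),
    Node("Eavesdrop on unencrypted cluster traffic",
         mitigated_by=frozenset({"tls_for_all_traffic"})),
])


if __name__ == "__main__":
    # Two hypothetical control sets: the first closes the root goal, the
    # second leaves the API path open because only the token step is covered.
    for controls in ({"least_privilege_rbac", "log_redaction", "tls_for_all_traffic"},
                     {"disable_token_automount", "log_redaction", "tls_for_all_traffic"}):
        print("controls:", sorted(controls))
        print("  root reachable:", reachable(SECRETS_TREE, controls))
        print("  open steps:", [leaf.name for leaf in open_leaves(SECRETS_TREE, controls)])
        print("  still needed:", sorted(missing_controls(SECRETS_TREE, controls)))
```

The useful property of the AND node is visible in the second run: disabling token automount alone does not close the API path, because a stolen user credential is an alternative way to satisfy the credential sub-goal, so the report points at MFA and least-privilege RBAC as the controls that would actually close it.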
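The policy list in the last section reads naturally as a set of checks over a manifest, which is what "Policy as Code" means in practice. The following Python is an added example and is not Magalix's policy library or code from the article: it implements the listed rules (root, hostIPC, hostPort, Docker socket, missing security context, missing liveness probe, read-only root filesystem, NodePort, wildcard RBAC verbs, cluster-admin bindings) together with the service-token automount mitigation from the "Service tokens" section, over decoded manifests (plain dicts, as `yaml.safe_load` or the API would give you), so a CI job can reject a workload before it reaches the cluster. The sample manifests, the resource names and the `CLUSTER_ADMIN_ALLOWED` allow-list are constructed for the example.

```python
from typing import Dict, List

# Subjects permitted to hold cluster-admin; a constructed allow-list for the example.
CLUSTER_ADMIN_ALLOWED = {"system:masters"}


def _pod_spec(obj: Dict) -> Dict:
    """PodSpec of a Pod, or of the pod template embedded in a Deployment/Job/etc."""
    spec = obj.get("spec") or {}
    if obj.get("kind") == "Pod":
        return spec
    return (spec.get("template") or {}).get("spec") or {}


def _containers(spec: Dict) -> List[Dict]:
    return list(spec.get("containers") or []) + list(spec.get("initContainers") or [])


def check_workload(obj: Dict) -> List[str]:
    """Pod-level rules from the policy list plus the token-automount mitigation."""
    findings: List[str] = []
    spec = _pod_spec(obj)
    if not spec:
        return findings
    if spec.get("hostIPC"):
        findings.append("pod shares hostIPC")
    # automountServiceAccountToken defaults to true, so the token is mounted
    # unless the manifest says otherwise.
    if spec.get("automountServiceAccountToken", True):
        findings.append("service account token is auto-mounted")
    for vol in spec.get("volumes") or []:
        path = (vol.get("hostPath") or {}).get("path", "")
        if path.rstrip("/") == "/var/run/docker.sock":
            findings.append(f"volume {vol.get('name')} mounts the Docker socket")
    pod_sc = spec.get("securityContext") or {}
    for c in _containers(spec):
        name = c.get("name", "?")
        sc = c.get("securityContext")
        if sc is None:
            findings.append(f"container {name} has no securityContext")
            sc = {}
        # a container-level setting overrides the pod-level one
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"container {name} may run as root")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"container {name} root filesystem is writable")
        if any("hostPort" in p for p in c.get("ports") or []):
            findings.append(f"container {name} uses hostPort")
        if "livenessProbe" not in c:
            findings.append(f"container {name} has no livenessProbe")
    return findings


def check_service(obj: Dict) -> List[str]:
    name = (obj.get("metadata") or {}).get("name", "?")
    if (obj.get("spec") or {}).get("type") == "NodePort":
        return [f"Service {name} uses NodePort"]
    return []


def check_rbac(obj: Dict) -> List[str]:
    findings: List[str] = []
    kind = obj.get("kind")
    name = (obj.get("metadata") or {}).get("name", "?")
    if kind in ("Role", "ClusterRole"):
        for rule in obj.get("rules") or []:
            if "*" in (rule.get("verbs") or []):
                findings.append(f"{kind} {name} grants wildcard verbs on {rule.get('resources')}")
    elif kind == "ClusterRoleBinding" and (obj.get("roleRef") or {}).get("name") == "cluster-admin":
        for s in obj.get("subjects") or []:
            if s.get("name") not in CLUSTER_ADMIN_ALLOWED:
                findings.append(f"ClusterRoleBinding {name} grants cluster-admin to {s.get('kind')} {s.get('name')}")
    return findings


def check(obj: Dict) -> List[str]:
    """Dispatch on kind; returns the list of violations (empty means compliant)."""
    kind = obj.get("kind")
    if kind == "Service":
        return check_service(obj)
    if kind in ("Role", "ClusterRole", "ClusterRoleBinding"):
        return check_rbac(obj)
    return check_workload(obj)


# --- constructed sample manifests (not from the article) ---
INSECURE_DEPLOYMENT = {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "hostIPC": True,
        "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{"name": "app", "image": "example/app:1.0",
                        "ports": [{"containerPort": 8080, "hostPort": 8080}]}]}}}}
HARDENED_DEPLOYMENT = {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "automountServiceAccountToken": False,
        "containers": [{"name": "app", "image": "example/app:1.0",
                        "ports": [{"containerPort": 8080}],
                        "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
                        "securityContext": {"runAsNonRoot": True, "readOnlyRootFilesystem": True}}]}}}}
WILDCARD_ROLE = {"kind": "Role", "metadata": {"name": "dev"},
    "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}]}
ADMIN_BINDING = {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admin"},
    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
    "subjects": [{"kind": "User", "name": "alice"}]}
NODEPORT_SERVICE = {"kind": "Service", "metadata": {"name": "web-lb"}, "spec": {"type": "NodePort"}}

if __name__ == "__main__":
    for m in (INSECURE_DEPLOYMENT, HARDENED_DEPLOYMENT, WILDCARD_ROLE, ADMIN_BINDING, NODEPORT_SERVICE):
        print(m["kind"], m["metadata"]["name"], "->", check(m) or "OK")
```

Running it shows the insecure deployment failing eight checks while the hardened one passes, which is the shape of output a pre-deployment gate should produce; the automount check is what turns the "Service tokens" mitigation into something enforced rather than remembered.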