K8s 安全指南

原創 Andrew Zola 2021-12-17 17:58
{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在容器部署方面,Kubernetes可以说是这个行业的领导者。据"},{"type":"link","attrs":{"href":"https:\/\/www.statista.com\/statistics\/1233945\/kubernetes-adoption-level-organization\/","title":null,"type":null},"content":[{"type":"text","text":"Statista"}]},{"type":"text","text":"报导,约46%的受访者表示,他们会使用Kubernetes来实现计算机应用的部署、管理和扩展的自动化。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"即使如此,在容器生命周期的阶段,我们仍需要注意一些安全问题。在开发和部署阶段,我们应采取措施缓解包括错误配置等已知漏洞的风险,而在运行阶段,我们还应有面对威胁时快速响应能力。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"为此,企业应对K8s攻击树和其相关文档有深入的了解。攻击树本质上是一个树状视图形式的威胁模型,为潜在的安全威胁和对应缓解措施提供详细的可视化展示。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"我们可以以这个威胁模型为参考,检查潜在安全漏洞,查找可能被黑客利用、对系统造成破坏的常见攻击向量。或利用攻击树测试Kubernetes的安全性,并在安全事件发生时获得输出日志的可见性。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"但攻击树不是万能的,它只负责Kubernetes的安全性,不能保证端对端容器是否安全。在软件部署生命周期中添加的任何其他应用程序和组件也不在它监管的范围内。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"当我们决定在生产环境中使用Kubernetes时,我们必须要考虑到系统的整体安全。根据"},{"type":"link","attrs":{"href":"https:\/\/media.defense.gov\/2021\/Aug\/03\/2002820425\/-1\/-1\/1\/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF","title":null,"type":null},"content":[{"type":"text","text":"美国国家安全局"}]},{"type":"text","text":"(NSA)发布的指南,常见安全威胁包含内部威胁、人为恶意攻击和供应链风险。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"这就意味着我们必须要在项目的开始就建立Kubernetes的安全实践,这样才能更好地保护"},{"type":"link","attrs":{"href":"https:\/\/www.magalix.com\/blog\/cloud-vulnerability-management-101-part-1-key-vulnerability-areas","title":"xxx","type":null},"content":[{"type":"text","text":"云基础架构的关键区域"}]},{"type":"text","text":"和云原生环境。"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"Kubernetes攻击的种类"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"说起Kubernetes的攻击手段,大致可以分为三类:外部攻击者、恶意容器,以及被渗透的或恶意用户。"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"第一类:外部攻击者"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"为避免服务暴露在不信任的网络中,我们还需要对管理服务等控制措施的使用保持警惕。举例来说,一个没有集群访问权限的攻击者,在无需任何形式的认证协议的情况下,却可以以网络的形式直接接触到集群上运行的应用程序,甚至还有机会访问其管理接口。"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"第二类:恶意容器"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果攻击者成功攻陷一个容器,那么他们接下来会设法提高自己的权限,并最终接管整个集群。而如果我们没有有效的手段组织他们获取完整集群的管理权限,那么我们将只能坐以待毙。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"这类风险的缓解措施是必须保证所有的端口都要在集群网络上可见,所有用户都要使用多重验证手段,并且避免容器中挂载服务账号,如果无可避免,确保账号权限受到限制。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"通过使用各种网络策略,再加上Magalix的“"},{"type":"link","attrs":{"href":"https:\/\/www.magalix.com\/blog\/what-is-policy-as-code","title":null,"type":null},"content":[{"type":"text","text":"策略即代码"}]},{"type":"text","text":"”,我们可以限制pod和命名空间的访问权限。"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"第三类:被渗透的或恶意用户"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"当我们忙于处理受损账户或恶意用户时,黑客盗窃的凭证仍旧有效,这时他们还可以执行命令攻击网络访问和Kubernetes的API。缓解这类危险的策略和最佳实践是执行“最小特权”的策略,以及对所有用户采用基于角色的访问控制(RABC)。"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"主要攻击向量"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在2020年,"},{"type":"link","attrs":{"href":"https:\/\/github.com\/cncf\/financial-user-group","title":null,"type":null},"content":[{"type":"text","text":"CNCF金融用户组"}]},{"type":"text","text":"发表了一个针对一般Kubernetes集群的威胁模型练习,主要为各类潜在威胁和其对应缓解措施提供一个详细的图解,并提供一个检查清单帮助团队识别Kubernetes集群内的常见漏洞和易被利用的点。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/5e\/5e7ffbc615eabf73e224948b117d06f9.png","alt":"Image1","title":"","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":"center","origin":null},"content":[{"type":"text","marks":[{"type":"italic"}],"text":"由CNCF提供的Kubernetes可信边界"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"借助"},{"type":"link","attrs":{"href":"https:\/\/securityintelligence.com\/articles\/what-is-stride-threat-modeling-anticipate-cyberattacks\/","title":null,"type":null},"content":[{"type":"text","text":"STRIDE方法论"}]},{"type":"text","text":",CNCF分析了Kubernetes架构中的每一个元素,并总结出了一个平台内潜在安全问题的列表。STRIDE是六类威胁的首字母缩写:伪装身份、篡改数据、拒绝承认、信息泄露、拒绝服务、权限提升。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"其中一些主要的攻击向量有:"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"服务Token"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"服务Token在一般情况下是默认挂载到每个pod上的,但如果黑客成功骇入任何一个容器,那么他们将可以使用同一个凭据进一步利用该容器。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"若要缓解此风险,我们必须建立严格的RBAS策略,并禁用服务Token自动挂载的协议。"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"受损容器"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"集群内的远程执行点是黑客们的主要集火点之一。除了利用服务Token之外,其他的攻击向量还包括所有运行中容器上,默认暴露的网络控制面板。"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"网络端点"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"确保所有Kubernetes端点免受内部威胁,可以避免黑客利用攻击向量中的弱点。需要注意的是,如果黑客成功攻入一个容器,那么只要pod的网络策略允许,他们将迅速获得对端点的访问权限。"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"拒绝服务攻击(DOS)"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在版本1.14发布之前,针对DOS攻击的缓解策略相对较少。"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"RBAC的问题"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"RBAC的错误配置可能会被利用并导致数据泄露,但开发团队可以借助自动化工具来验证和确认策略。"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"攻击树"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"CNCF金融用户组提出了一套可能会协助确定集群内潜在攻击发起点的"},{"type":"link","attrs":{"href":"https:\/\/github.com\/cncf\/financial-user-group\/tree\/master\/projects\/k8s-threat-model\/AttackTrees","title":null,"type":null},"content":[{"type":"text","text":"攻击树"}]},{"type":"text","text":",并提出了两种可行方法:1. 自下至上。2. 基于情景。"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"自下至上的方法"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"这种方法通过找出所有Kubernetes平台的入点来达成目标。我们借此摸清所有的安全控制和标准,更好地了解他们的覆盖范围。"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"基于情景的方法"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"这种方法可以让我们确定在特定情况下暴露于威胁者的攻击向量,并将关注点更多地放在较为普遍攻击向量上。这种基于情景的方法虽然会借用自下至上方法中的大部分细节,但却更加基于现实情况。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"以下展示的是GitHub上开源可用的攻击树总结:"}]},{"type":"heading","attrs":{"align":null,"level":4},"content":[{"type":"text","text":"自下至上:"},{"type":"link","attrs":{"href":"https:\/\/github.com\/cncf\/financial-user-group\/blob\/master\/projects\/k8s-threat-model\/AttackTrees\/pdfs\/Kubernetes%20Attack%20Trees%20v1.4.malicious.pdf","title":null,"type":null},"content":[{"type":"text","text":"执行恶意代码"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"我们一般会选择在一个集群上执行恶意代码,但这也就意味着我们得毁掉一个提供容器访问的应用程序。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"然而,威胁者只要可以访问容器,他们就会将更多的恶意代码加载到环境之中。如果威胁者拿到了获取镜像的权限,他们可能会污染仓库并将恶意代码扩散到其他分支。"}]},{"type":"heading","attrs":{"align":null,"level":4},"content":[{"type":"text","text":"自下至上:"},{"type":"link","attrs":{"href":"https:\/\/github.com\/cncf\/financial-user-group\/blob\/master\/projects\/k8s-threat-model\/AttackTrees\/pdfs\/Kubernetes%20Attack%20Trees%20v1.4-persistence.pdf","title":null,"type":null},"content":[{"type":"text","text":"确定持久化"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"该攻击树的主要目标是探寻黑客访问集群的不同方式,并研究了其不同的寿命周期。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在这种情况下,一个分支会集中探查集群内的秘密,让黑客能发现其他的漏洞区域。另一个分支则侧重于黑客获取容器访问权限后的造成的威胁。攻击者会利用错误的配置,尝试建立对容器、节点或Pod重启持久且弹性的权限。"}]},{"type":"heading","attrs":{"align":null,"level":4},"content":[{"type":"text","text":"自下至上: "},{"type":"link","attrs":{"href":"https:\/\/github.com\/cncf\/financial-user-group\/blob\/master\/projects\/k8s-threat-model\/AttackTrees\/pdfs\/Kubernetes%20Attack%20Trees%20v1.4.sensitive.data.pdf","title":null,"type":null},"content":[{"type":"text","text":"访问敏感数据"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"大多数的方法都是在利用配置错误的RBAC权限直接从集群中读取机密数据,另一部分则是通过查看查看日志中存储的所有数据等方式获取数据。可以说,这类方法几乎和窃听网络流量和通信数据差不多。"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"自下至上:"},{"type":"link","attrs":{"href":"https:\/\/github.com\/cncf\/financial-user-group\/blob\/master\/projects\/k8s-threat-model\/AttackTrees\/pdfs\/Kubernetes%20Attack%20Trees%20v1.4.dos.pdf","title":null,"type":null},"content":[{"type":"text","text":"拒绝服务攻击"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"此攻击树主要分析攻击者在集群上发起DoS攻击时采用的不同手段。第一种,需要一个受损容器为前提,攻击者会尝试从集群中发起DoS,耗尽其所有资源。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"第二种更关注拥有集群控制面板网络权限的威胁者。黑客会尝试在最合适的一个端点上发起冲击堵塞网络,并耗尽目标所有资源。"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"情景一:"},{"type":"link","attrs":{"href":"https:\/\/github.com\/cncf\/financial-user-group\/blob\/master\/projects\/k8s-threat-model\/AttackTrees\/pdfs\/Kubernetes%20Attack%20Trees%20v1.4.scenario.compromised.pdf","title":null,"type":null},"content":[{"type":"text","text":"受损应用导致黑客在容器中立足"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"该场景重点介绍在利用容器内运行应用程序后,可能会暴露给黑客的攻击向量。黑客可以利用这些向量,通过编程或shell访问,远程在容器内执行代码。"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"情景二:"},{"type":"link","attrs":{"href":"https:\/\/github.com\/cncf\/financial-user-group\/blob\/master\/projects\/k8s-threat-model\/AttackTrees\/pdfs\/Kubernetes%20Attack%20Trees%20v1.4.scenario.network.pdf","title":null,"type":null},"content":[{"type":"text","text":"通过网络的攻击"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"此情景侧重于内部威胁。拥有Kubernetes集群网络访问权限的内部攻击者,不用直接访问集群便能拥有多种用户权限。不过,合适的Kubernetes配置和防火墙可以迅速地应对这类大多数的威胁。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"更多相关可参见"},{"type":"link","attrs":{"href":"https:\/\/github.com\/kubernetes\/community\/tree\/master\/wg-security-audit","title":null,"type":null},"content":[{"type":"text","text":"Kubernetes安全审计工作组"}]},{"type":"text","text":",以及他们将安全审计工作总结后公布的"},{"type":"link","attrs":{"href":"https:\/\/github.com\/kubernetes\/community\/blob\/master\/wg-security-audit\/findings\/Kubernetes%20Threat%20Model.pdf","title":null,"type":null},"content":[{"type":"text","text":"威胁模型"}]},{"type":"text","text":"以及"},{"type":"link","attrs":{"href":"https:\/\/github.com\/kubernetes\/community\/blob\/master\/wg-security-audit\/findings\/Kubernetes%20White%20Paper.pdf","title":null,"type":null},"content":[{"type":"text","text":"白皮书"}]},{"type":"text","text":"。他们的关注点遍布Kubernetes集群的各个部分,这些文档值得我们花时间通读。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"其他关于Kubernetes安全的最佳实践和推荐包括:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"(如果可能)始终以最小权限策略运行Pod和容器。"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"要求使用强身份验证和授权协议,限制管理员和用户访问权限(缩小攻击面)。"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"加密数据以确保机密性。"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"利用防火墙限制非必要链接。"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"应用网络分离控制来减少攻击造成的潜在损害。"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"通过日志审计监控容器活动。"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"定期检查所有设置,使用漏洞扫描工具识别潜在风险并安装安全补丁。"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"扫描Pod和容器,检查是否存在配置错误或漏洞。"}]}]}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"利用 \"策略即代码 \"保护你的K8s环境"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"管理Kubernetes并预防黑客攻击载体需要大量的实践经验、配置和可维护性,即使是经验丰富的专家恐怕也会觉得颇具挑战。为此,Magalix提供的最大的“策略即代码”可扩展库之一,力求简化管理安全K8的复杂性。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"这些策略包括:- 容器不应以root权限运行- 容器不应共享hostIPC- 容器不应使用hostPort- 容器不应挂载Docker套接字- 容器不应缺失安全上下文- 容器不应缺失存活探针- 服务不应使用NodePort- 禁止RBAC的动词通配符- 用RBAC的集群角色绑定保护集群管理员权限- 容器应将根文件系统挂载为只读"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Magalix还提供以编程方式,"},{"type":"link","attrs":{"href":"https:\/\/www.magalix.com\/airtight-security-as-code","title":null,"type":null},"content":[{"type":"text","text":"安全"}]},{"type":"text","text":"且"},{"type":"link","attrs":{"href":"https:\/\/www.magalix.com\/usecases\/continuous-compliance-assessment","title":null,"type":null},"content":[{"type":"text","text":"符合规定"}]},{"type":"text","text":"地执行“策略即代码”标准,以开发者为中心,持续补充云原生应用程序的部署协议。这样,集群内的所有自动化操作都可通过监控仓库变化进行观测。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"不仅如此,我们还可以通过一个集中的开发手册,让“策略即代码”贯彻整个软件开发生命周期,在不影响安全的情况下加速创新发展。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果开发团队可以根据本文中提供的建议搭建开发云原生应用程序,那么环境的安全将得到保证,并提供更好的用户体验。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"  "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"原文链接"},{"type":"text","text":":"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https:\/\/www.cncf.io\/blog\/2021\/11\/08\/kubernetes-main-attack-vectors-tree-an-explainer-guide\/","title":null,"type":null},"content":[{"type":"text","text":"Kubernetes Main Attack Vectors Tree: An Explainer Guide"}]}]}]}
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章

ACK One x OpenKruiseGame 全球游戏服多地域一致性交付最佳实践

作者:劉秋陽、蔡靖 前言 在當今全球一體化的經濟環境下,數字娛樂產業正日益成爲文化和商業交流的有力代表。在此背景下大量遊戲廠商嘗試遊戲出海並取得了令人矚目的成績,許多遊戲以全球同服架構吸引着世界各地廣泛的玩家羣體。遊戲全球化部署不僅擴大了單

原創 2024-04-30 21:12:18

2024年DataOps趋势预测:AI不会取代数据工程师

APM digest收集了多位行業專家對DataOps在2024的發展形勢及對IT和業務的影響的預測,這些技術最高管理者,包括Confluent技術戰略負責人Andrew Sellers的深刻洞見可能與你的感覺一致嗎?快來探討一下。 數據可

原創 2024-04-30 11:49:29

云原生周刊:K8s 中的服务和网络 | 2024.4.29

開源項目推薦 k8s-image-swapper k8s-image-swapper 是 Kubernetes 的一個變更 Webhook,它將鏡像下載到自己的鏡像倉庫,並將鏡像指向該新位置。它是 docker pull-through p

原創 2024-04-30 10:48:10

华为云云原生FinOps解决方案,释放云原生最大价值

華爲云云原生FinOps通過可視化的成本洞察和成本優化,幫助用戶精細用雲以提升單位成本的資源利用率,實現降本增效目標 企業上雲現狀:上雲趨勢持續加深,但云上開支存在顯著浪費 根據Flexer 2024年最新的一項調查顯示,當前有超過7

原創 2024-04-29 22:33:46

1 名工程师轻松管理 20 个工作流,创业企业用 Serverless 让数据处理流程提效

作者:嶽洋、陳德全、劉靜娜 北京語勢科技有限公司成立於 2023 年 6 月,語勢科技定位爲“智能投資時代的主題入口”,在資管行業從以機構爲核心轉向以用戶爲核心的變革時代,通過打造主題投資引擎,賦能普惠投資一體化,打造以投資者和資管機構爲主

原創 2024-04-28 21:12:22

嘉为蓝鲸WeOps与DeepFlow强强联合,共同打造拓展性运维平台

直達原文: 嘉爲藍鯨WeOps x DeepFlow | 強強聯合,共同打造拓展性運維平臺 運維管理在企業信息化建設中扮演着至關重要的角色,嘉爲藍鯨WeOps一體化運維平臺致力於爲客戶提供更全面、智能的運維能力。在探索創新的過程中,我們深刻

原創 2024-04-26 23:23:22

华为云Stack8.3面向香港正式发布,六大亮点激发云上跃迁

本文分享自華爲雲社區《華爲雲Stack8.3面向香港正式發佈,六大亮點激發雲上躍遷》,作者:華爲雲頭條。 2024年4月23日,在華爲雲香港峯會2024上,華爲混合雲副總裁胡玉海面向香港市場發佈華爲雲Stack8.3,提供110+本地

原創 2024-04-26 10:33:21

RocketMQ 之 IoT 消息解析:物联网需要什么样的消息技术?

前言: 從初代開源消息隊列崛起,到 PC 互聯網、移動互聯網爆發式發展,再到如今 IoT、雲計算、雲原生引領了新的技術趨勢,消息中間件的發展已經走過了 30 多個年頭。 目前,消息中間件在國內許多行業的關鍵應用中扮演着至關重要的角色。隨着數

原創 2024-04-24 23:40:04

“企业创新新引擎”数据库专项赋能会,让云原生技术普惠千行百业!

本文分享自華爲雲社區《“企業創新新引擎”數據庫專項賦能會,讓雲原生技術普惠千行百業!》,作者: GaussDB 數據庫。 4月19日,由福州軟件園科技創新發展公司和華爲技術有限公司聯合主辦的HCDG城市行福州站——“企業創新新引擎”數據庫專

原創 2024-04-24 10:32:53

日志架构演进:从集中式到分布式的Kubernetes日志策略

當我們沒有使用雲原生方案部署應用時採用的日誌方案往往是 ELK 技術棧。 這套技術方案比較成熟,穩定性也很高,所以幾乎成爲了當時的標配。 可是隨着我們使用 kubernetes 步入雲原生的時代後, kubernetes 把以往的操作系統

原創 2024-04-23 11:47:10

【案例+PPT】普元信息臧一超:海量数据下“流批一体”的数据平台演进路线

“數據中臺新範式”雲端峯會,深入解析湖倉一體、批流一體、治理與運營“三位一體”的數據中臺新範式特徵,普元信息數智研究院副院長臧一超在峯會發表演講《海量數據下的高性能流批一體數據開發平臺》。 18分鐘完整回放視頻見文末,拎幾個特別精彩的內

原創 2024-04-23 11:43:51

世界读书日 | 开发者必读书单重磅来袭,华为云DTSE专家天团力荐

本文分享自華爲雲社區《世界讀書日 | 開發者必讀書單重磅來襲,華爲雲DTSE專家天團力薦》,作者: 華爲雲社區精選。 春色恰如許,讀書正當時。 讀書,就像解鎖一把神祕鑰匙,爲開發者洞開新世界的大門,賦予他們破譯複雜難題的能力、挑戰未知領域的

原創 2024-04-23 10:32:58

云原生周刊:Kubernetes v1.30 发布 | 2024.4.22

開源項目推薦 pv-migrate pv-migrate 是一個 CLI 工具/kubectl 插件,可輕鬆將一個 Kubernetes 的內容遷移 PersistentVolumeClaim 到另一個 Kubernetes。 Claudi

原創 2024-04-22 22:46:27

活动回顾丨云原生开源开发者沙龙北京站回放 & PPT 下载

“零信任架構” 是一種安全概念,它要求在任何時候不對任何請求默認信任,無論它的來源內部還是外部。服務安全性已成爲企業的核心關切,4 月 13 日,雲原生開源開發者沙龍在北京順利開展。阿里雲一線工程師圍繞《微服務面臨的安全挑戰、趨勢與解決方

原創 2024-04-22 21:12:01

从一次 RPC 请求,探索 MOSN 的工作流程

SOFA 六週年,歡迎來玩 本週六 4.20 上海螞蟻集團 S 空間 掃碼免費報名活動,來與 MOSN 社區負責人線下交流~ MOSN 社區歡迎您的加入! MOSN 官網:https://mosn.io/ MOSN Github:http

原創 2024-04-18 22:46:41