33+ Kubernetes security tools

Translator's note: if you are wondering about the security side of Kubernetes infrastructure, this excellent overview from Sysdig is a good starting point for a quick introduction to today's solutions. It covers both comprehensive systems from well-known market players and much simpler tools that each solve one specific problem. And in the comments, as always, we will be glad to hear about your experience with these tools and to see links to other projects.

Kubernetes security software products... there are a lot of them, and each has its own purpose, scope, and license.

That is why we decided to put together this list and include both open source projects and commercial platforms from different vendors. We hope it helps you choose the ones that interest you most and points you in the right direction depending on your specific Kubernetes security needs.

Categories

To make the list easier to navigate, the tools are grouped by their main function and area of application. The sections are:

  • Kubernetes image scanning and static analysis;
  • runtime security;
  • Kubernetes network security;
  • image distribution and secrets management;
  • Kubernetes security audit;
  • comprehensive commercial products.

Let's get down to business:

Kubernetes image scanning

Anchore

  • Website: anchore.com
  • License: free (Apache) and a commercial offering

The Anchore engine analyzes container images and lets you run security checks against user-defined policies.

In addition to the usual scanning of container images for known vulnerabilities from CVE databases, Anchore performs many additional checks as part of its scan policy: the Dockerfile, leaked credentials, packages of the programming languages in use (npm, maven, etc.), software licenses, and much more.

Clair

  • Website: coreos.com/clair (now maintained by Red Hat)
  • License: free (Apache)

Clair was one of the first open source projects for image scanning. It is widely known as the security scanner behind the Quay image registry (also from CoreOS, translator's note). Clair can collect CVE information from a variety of sources, including the distribution-specific vulnerability lists maintained by the Debian, Red Hat, and Ubuntu security teams.

Unlike Anchore, Clair focuses primarily on finding vulnerabilities and matching data against CVEs. However, the product gives users some ways to extend its functionality through plug-in drivers.

Dagda

Dagda analyzes container images for known vulnerabilities, trojans, viruses, malware, and other threats.

The Dagda package differs from other similar tools in two notable ways:

  • It integrates natively with ClamAV, acting not only as a tool for scanning container images but also as an antivirus.
  • It also provides runtime protection by receiving real-time events from the Docker daemon and integrating with Falco (see below) to collect security events while containers are running.

KubeXray

  • Website: github.com/jfrog/kubexray
  • License: free (Apache), but requires data from JFrog Xray (a commercial product)

KubeXray listens for events from the Kubernetes API server and uses metadata from JFrog Xray to ensure that only pods that comply with the current policy are started.

KubeXray not only audits new or updated containers in deployments (similar to an admission controller in Kubernetes), it also checks running containers against new security policies, removing resources that reference vulnerable images.

Snyk

  • Website: snyk.io
  • License: free (Apache) and commercial versions

Snyk is an unusual vulnerability scanner in that it specifically targets the development process and is promoted as an "essential solution" for developers.

Snyk connects directly to code repositories, parses the project manifest, and analyzes the imported code together with its direct and indirect dependencies. Snyk supports many popular programming languages and can also detect hidden licensing risks.

Trivy

Trivy is a simple but powerful vulnerability scanner that integrates easily into CI/CD pipelines. Its distinguishing feature is ease of installation and operation: the application consists of a single binary and does not require installing a database or additional libraries.

The downside of Trivy's simplicity is that you have to work out for yourself how to parse and forward its JSON results so that other Kubernetes security tools can use them.
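
As an added illustration of that last point (example code written for this translation, not part of the original article and not Trivy's own code), here is a small Python gate that consumes a Trivy JSON report, counts findings by severity, and fails the pipeline on anything at or above a chosen severity, while leaving room for two decisions a team has to make explicitly: whether to block on vulnerabilities that have no fixed version yet, and which identifiers have been accepted as known risk. The report shape follows Trivy's documented JSON output; the sample report embedded in the block, including its placeholder CVE identifiers, is constructed.

```python
"""Gate a pipeline stage on Trivy's JSON report.

Added example, not Trivy's own code. It assumes the report came from
`trivy image --format json -o report.json <image>` and uses the report
layout Trivy documents: a list of Results, each with a Target and a
Vulnerabilities list whose entries carry VulnerabilityID, PkgName,
InstalledVersion, FixedVersion and Severity. Standard library only, so it
can run in any CI job. SAMPLE_REPORT below is constructed, including its
placeholder CVE identifiers.
"""
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed report in Trivy's JSON shape; the CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "registry.example/app:1.2 (debian 10.3)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar",
                 "InstalledVersion": "2.1", "FixedVersion": "",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz",
                 "InstalledVersion": "0.9", "FixedVersion": "1.0",
                 "Severity": "LOW"},
            ],
        },
        # Trivy emits null (or omits the key) when a target is clean.
        {"Target": "usr/app/package-lock.json", "Vulnerabilities": None},
    ]
})


def load_findings(report_json):
    """Flatten Trivy's per-target results into one list of findings."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "target": result.get("Target", ""),
                "id": vuln.get("VulnerabilityID", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": str(vuln.get("Severity", "UNKNOWN")).upper(),
            })
    return findings


def violations(findings, threshold="HIGH", ignore_unfixed=False, allowlist=()):
    """Findings at or above the threshold that are not explicitly accepted."""
    floor = SEVERITY_RANK[threshold.upper()]
    out = []
    for f in findings:
        if SEVERITY_RANK.get(f["severity"], 0) < floor:
            continue
        if ignore_unfixed and not f["fixed"]:
            continue  # nothing to upgrade to yet: track it, do not block on it
        if f["id"] in allowlist:
            continue  # risk accepted and recorded elsewhere
        out.append(f)
    return out


def gate(report_json, threshold="HIGH", ignore_unfixed=False, allowlist=()):
    """Return (passed, counts_by_severity, blocking_findings)."""
    findings = load_findings(report_json)
    blocking = violations(findings, threshold, ignore_unfixed, allowlist)
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return not blocking, counts, blocking


def main(argv):
    # With a path argument the real report is read; otherwise the sample is used.
    report_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    passed, counts, blocking = gate(report_json, "HIGH", ignore_unfixed=True)
    print("findings by severity:", counts)
    for f in blocking:
        print(f"BLOCK {f['id']} {f['severity']} {f['pkg']} "
              f"{f['installed']} -> {f['fixed']} in {f['target']}")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Trivy can enforce a threshold on its own with its `--severity`, `--ignore-unfixed` and `--exit-code` flags; parsing the JSON yourself is what you need when the findings must also be forwarded to another system, which is exactly the gap the paragraph above describes.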

Runtime security in Kubernetes

Falco

  • Website: falco.org
  • License: free (Apache)

Falco is a set of tools for securing runtime environments. It is part of the CNCF family of projects.

Using Sysdig's instrumentation to work at the Linux kernel level and profile system calls, Falco lets you dive deep into the behavior of the system. Its runtime rules engine can detect suspicious activity in applications, containers, the underlying host, and the Kubernetes orchestrator.

Falco provides full visibility into runtime behavior and threat detection by deploying dedicated agents on the Kubernetes nodes for this purpose. As a result, there is no need to modify containers by injecting third-party code into them or attaching sidecar containers.
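
To make the rules-engine idea concrete, the following Python is an added example (written for this translation; it is not Falco's code or its rule language) that runs a handful of Falco-style conditions over a constructed stream of container-aware system-call events. Falco's real rules are written in its own condition syntax and evaluated on kernel events enriched with container and Kubernetes metadata; here the conditions are Python predicates, the field names only loosely follow Falco's, and the events are constructed rather than captured.

```python
"""A Falco-style rule pass over enriched system-call events.

Added example, not Falco's engine or its rule syntax. Falco evaluates
conditions such as `evt.type = execve and container.id != host and
proc.name in (shell_binaries)` over kernel events enriched with container
and Kubernetes metadata; this block expresses four rules of that kind as
Python predicates over event dicts. Field names are borrowed loosely from
Falco's, the rule texts are this example's own, and SAMPLE_EVENTS are
constructed rather than captured.
"""

SHELL_BINARIES = {"sh", "bash", "dash", "zsh", "ash"}
SENSITIVE_FILES = {"/etc/shadow", "/etc/sudoers", "/root/.ssh/id_rsa"}
PACKAGE_MANAGERS = {"apt", "apt-get", "dpkg", "yum", "rpm", "apk", "pip"}
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC"}

# Fields every event is normalised to; "host" means "not in a container".
DEFAULTS = {"evt_type": "", "proc_name": "", "proc_pname": "", "user": "",
            "container_id": "host", "fd_name": "", "flags": ()}


def in_container(e):
    return e["container_id"] != "host"


def opens_for_write(e):
    return e["evt_type"] in ("open", "openat") and bool(set(e["flags"]) & WRITE_FLAGS)


RULES = [
    {"rule": "Shell spawned in container", "priority": "WARNING",
     "condition": lambda e: e["evt_type"] == "execve" and in_container(e)
                            and e["proc_name"] in SHELL_BINARIES,
     "output": "shell {proc_name} started in container {container_id} "
               "by {proc_pname} (user={user})"},
    {"rule": "Sensitive file opened", "priority": "WARNING",
     "condition": lambda e: e["evt_type"] in ("open", "openat")
                            and e["fd_name"] in SENSITIVE_FILES,
     "output": "{proc_name} opened {fd_name} (container={container_id}, user={user})"},
    {"rule": "Write below /etc in container", "priority": "ERROR",
     "condition": lambda e: in_container(e) and opens_for_write(e)
                            and e["fd_name"].startswith("/etc/"),
     "output": "{proc_name} wrote {fd_name} in container {container_id}"},
    {"rule": "Package manager run in container", "priority": "ERROR",
     "condition": lambda e: e["evt_type"] == "execve" and in_container(e)
                            and e["proc_name"] in PACKAGE_MANAGERS,
     "output": "{proc_name} executed in container {container_id} (user={user})"},
]

# Constructed event stream: an interactive shell in a container followed by
# a few actions from it, plus benign host and container activity.
SAMPLE_EVENTS = [
    {"evt_type": "execve", "proc_name": "bash", "proc_pname": "runc",
     "user": "root", "container_id": "abc123"},
    {"evt_type": "openat", "proc_name": "cat", "proc_pname": "bash", "user": "root",
     "container_id": "abc123", "fd_name": "/etc/shadow", "flags": ("O_RDONLY",)},
    {"evt_type": "openat", "proc_name": "bash", "proc_pname": "runc", "user": "root",
     "container_id": "abc123", "fd_name": "/etc/passwd", "flags": ("O_WRONLY", "O_APPEND")},
    {"evt_type": "execve", "proc_name": "apt-get", "proc_pname": "bash",
     "user": "root", "container_id": "abc123"},
    {"evt_type": "execve", "proc_name": "bash", "proc_pname": "sshd", "user": "admin"},
    {"evt_type": "openat", "proc_name": "nginx", "proc_pname": "nginx", "user": "www",
     "container_id": "def456", "fd_name": "/var/log/nginx/access.log",
     "flags": ("O_WRONLY", "O_APPEND")},
]


def evaluate(events, rules=RULES):
    """Return one alert per (event, matching rule), in event order."""
    alerts = []
    for raw in events:
        e = {**DEFAULTS, **raw}
        for rule in rules:
            if rule["condition"](e):
                alerts.append({"rule": rule["rule"], "priority": rule["priority"],
                               "output": rule["output"].format(**e)})
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"{a['priority']:8} {a['rule']}: {a['output']}")
```

The host-side shell started under sshd produces no alert because every rule is scoped to containers; that scoping, driven by container metadata attached to each kernel event, is the point the paragraph makes about container awareness.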

Linux security frameworks for runtime

These frameworks, native to the Linux kernel, are not "Kubernetes security tools" in the usual sense, but they deserve a mention because they matter in the context of runtime security, which is covered by the Kubernetes Pod Security Policy (PSP).

AppArmor attaches a security profile to the processes running in a container, defining file system privileges, network access rules, library linking, and so on. It is a system based on Mandatory Access Control (MAC). In other words, it prevents prohibited actions from being performed.

Security-Enhanced Linux (SELinux) is an advanced security module in the Linux kernel, similar in some respects to AppArmor and often compared with it. SELinux surpasses AppArmor in power, flexibility, and granularity. Its drawbacks are a long learning curve and increased complexity.

Seccomp and seccomp-bpf let you filter system calls, blocking execution of those that are potentially dangerous to the base OS and not needed for the normal operation of user applications. Seccomp is similar to Falco in some ways, although it is not container-aware.

Sysdig open source

Sysdig is a full-featured tool for analyzing, diagnosing, and debugging Linux systems (it also works on Windows and macOS, but with limited functionality). It can be used for detailed information gathering, verification, and forensic analysis of the base system and any containers running on it.

Sysdig also natively supports container runtimes and Kubernetes metadata, adding extra dimensions and labels to all the collected system behavior data. There are several ways to analyze a Kubernetes cluster with Sysdig: you can take a point-in-time capture with kubectl capture, or run an interactive ncurses-based interface using the kubectl dig plugin.

Kubernetes network security

Aporeto

Aporeto offers "security decoupled from the network and infrastructure". This means that Kubernetes services get not only a local ID (i.e. a ServiceAccount in Kubernetes) but also a universal ID/fingerprint that can be used to communicate securely and mutually authenticate with any other service, for example in an OpenShift cluster.

Aporeto can generate a unique ID not only for Kubernetes/containers but also for hosts, cloud functions, and users. Depending on these identifiers and the set of network security rules configured by the administrator, communication is allowed or blocked.

Calico

Calico is usually deployed during installation of the container orchestrator, allowing you to create a virtual network that connects the containers. On top of this basic networking functionality, the Calico project works with Kubernetes Network Policies and its own set of network security profiles, supporting endpoint ACLs (Access Control Lists) and annotation-based security rules for ingress and egress traffic.

Cilium

Cilium acts as a firewall for containers and provides network security features natively adapted to Kubernetes and microservice workloads. Cilium uses a new Linux kernel technology called BPF (Berkeley Packet Filter) to filter, monitor, redirect, and adjust data.

Cilium can deploy network access policies based on container identity using Docker or Kubernetes labels and metadata. Cilium also understands and filters various Layer 7 protocols such as HTTP or gRPC, allowing you to define, for example, the set of REST calls that are permitted between two Kubernetes deployments.

Istio

  • Website: istio.io
  • License: free (Apache)

Istio is widely known for implementing the service mesh paradigm by deploying a platform-independent control plane and routing all managed service traffic through dynamically configured Envoy proxies. Istio takes advantage of this advanced view of all microservices and containers to implement various network security strategies.

Istio's network security capabilities include transparent TLS encryption to automatically upgrade communication between microservices to HTTPS, and a proprietary RBAC identification and authorization system to allow or deny communication between different workloads in the cluster.

Translator's note: for more on Istio's security-focused capabilities, see this article.

Tigera

Positioned as a "Kubernetes firewall", this solution emphasizes a zero-trust approach to network security.

Like other native Kubernetes networking solutions, Tigera relies on metadata to identify the various services and objects in the cluster and provides runtime problem detection, continuous compliance checking, and network visibility for multi-cloud or hybrid monolithic-containerized infrastructures.

Trireme

Trireme-Kubernetes is a simple, straightforward implementation of the Kubernetes Network Policy specification. Its most notable feature is that, unlike comparable Kubernetes network security products, it does not require a central control plane to coordinate the mesh. This makes the solution trivially scalable. Trireme achieves this by installing an agent on each node that hooks directly into the host's TCP/IP stack.

Image distribution and secrets management

Grafeas

Grafeas is an open source API for auditing and managing the software supply chain. At a basic level, Grafeas is a tool for collecting metadata and audit results. It can be used to track compliance with security best practices within an organization.

This centralized source of truth helps answer questions such as:

  • Who built and signed a particular container?
  • Did it pass all the security scans and security policy checks? When? What were the results?
  • Who deployed it to production? What parameters were used during deployment?

In-toto

In-toto is a framework designed to provide integrity, authentication, and auditability across the entire software supply chain. When deploying In-toto in an infrastructure, a layout is first defined that describes the various steps in the pipeline (repository, CI/CD tools, QA tools, builders, etc.) and the users (functionaries) who are authorized to carry them out.

In-toto monitors the execution of that plan by verifying that each task in the chain is performed correctly and only by authorized personnel, and that the product has not been tampered with in transit.
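
The layout-and-links idea is easier to see in code. The Python below is an added example (not in-toto's implementation or its file format) that defines a two-step layout, produces signed link metadata for each step, and verifies that every step was run by an authorized functionary, that the signatures check out, and that what the build step consumed is exactly what the clone step produced. Keys are HMAC secrets standing in for real key pairs; all steps, artifacts and names are constructed.

```python
"""Verifying a software supply chain layout, in the spirit of in-toto.

Added example, not in-toto's code or metadata format. It keeps in-toto's
vocabulary (layout, steps, functionaries, link metadata, materials and
products) but simplifies the rest: a functionary key is an HMAC secret
standing in for a public/private key pair, artifact rules are reduced to
"this step's materials must match that step's products", and every step,
key and artifact below is constructed for the example.
"""
import hashlib
import hmac
import json


def canonical(obj):
    """Deterministic JSON bytes so signer and verifier hash the same thing."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def digest(data):
    return hashlib.sha256(data).hexdigest()


def sign_link(link, signer, secret):
    """Attach a functionary's signature to link metadata (HMAC stand-in)."""
    body = {k: v for k, v in link.items() if k not in ("signer", "signature")}
    sig = hmac.new(secret, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "signer": signer, "signature": sig}


def signature_valid(link, keys):
    secret = keys.get(link.get("signer"))
    if secret is None:
        return False
    body = {k: v for k, v in link.items() if k not in ("signer", "signature")}
    expected = hmac.new(secret, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, link.get("signature", ""))


def verify(layout, links, keys):
    """Return (ok, errors): each step present, authorized, signed, consistent."""
    errors = []
    by_step = {link["step"]: link for link in links}
    for step in layout["steps"]:
        name, link = step["name"], by_step.get(step["name"])
        if link is None:
            errors.append(f"{name}: link metadata missing")
            continue
        if link["signer"] not in step["functionaries"]:
            errors.append(f"{name}: signed by unauthorized functionary {link['signer']}")
        if not signature_valid(link, keys):
            errors.append(f"{name}: signature does not verify")
        if link["command"] != step["command"]:
            errors.append(f"{name}: unexpected command {link['command']!r}")
        for path in step.get("products", []):
            if path not in link["products"]:
                errors.append(f"{name}: expected product {path} not recorded")
        upstream = by_step.get(step.get("materials_from", ""))
        if step.get("materials_from") and upstream is None:
            errors.append(f"{name}: upstream step {step['materials_from']} has no link")
        elif upstream is not None:
            for path, h in link["materials"].items():
                if upstream["products"].get(path) != h:
                    errors.append(f"{name}: material {path} differs from "
                                  f"{step['materials_from']} product")
    return not errors, errors


# Constructed functionaries, layout and artifacts.
KEYS = {"alice": b"alice-secret", "bob": b"bob-secret", "mallory": b"mallory-secret"}
LAYOUT = {"steps": [
    {"name": "clone", "functionaries": ["alice"], "command": "git clone app",
     "products": ["src/main.c"]},
    {"name": "build", "functionaries": ["bob"], "command": "make release",
     "materials_from": "clone", "products": ["bin/app"]},
]}
SRC = b"int main(void) { return 0; }\n"
BIN = b"constructed-build-output"


def honest_links():
    clone = sign_link({"step": "clone", "command": "git clone app", "materials": {},
                       "products": {"src/main.c": digest(SRC)}}, "alice", KEYS["alice"])
    build = sign_link({"step": "build", "command": "make release",
                       "materials": {"src/main.c": digest(SRC)},
                       "products": {"bin/app": digest(BIN)}}, "bob", KEYS["bob"])
    return [clone, build]


def tampered_links():
    """Same chain, but the build consumed a source file nobody cloned."""
    clone, build = honest_links()
    evil = dict(build, materials={"src/main.c": digest(SRC + b"/* backdoor */")})
    return [clone, sign_link(evil, "bob", KEYS["bob"])]


if __name__ == "__main__":
    print(verify(LAYOUT, honest_links(), KEYS))
    print(verify(LAYOUT, tampered_links(), KEYS))
```

The tampered chain is caught even though every link in it carries a valid signature from an authorized functionary: the material hash recorded by the build step does not match the product hash recorded by the clone step, which is the cross-step consistency check the paragraph above describes. Real in-toto adds what this sketch leaves out: the layout itself is signed by the project owner and has an expiry, artifact rules have richer semantics (MATCH, CREATE, DELETE, and so on), and links are signed with public-key cryptography rather than a shared secret.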

Portieris

Portieris is a Kubernetes admission controller used to enforce content trust checks. Portieris uses a Notary server (we wrote about it at the end of this article, translator's note) as the source of truth for validating trusted, signed artifacts (that is, approved container images).

When you create or modify a workload in Kubernetes, Portieris pulls the signing information and the content trust policy for the requested container images and, if necessary, makes on-the-fly changes to the API JSON object so that the signed versions of those images are run.

Vault

Vault is a secure solution for storing sensitive information: passwords, OAuth tokens, PKI certificates, access credentials, Kubernetes secrets, and more. Vault supports many advanced features, such as leasing ephemeral security tokens or orchestrating key rotation.

Using a Helm chart, Vault can be deployed as a new deployment in a Kubernetes cluster with Consul as its backend storage. It supports native Kubernetes resources such as ServiceAccount tokens and can even act as the default Kubernetes secret store.

Translator's note: incidentally, just yesterday HashiCorp, which develops Vault, announced some improvements for using Vault in Kubernetes, in particular related to the Helm chart. Read the details in the developers' blog.

Kubernetes security audit

Kube-bench

Kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the tests from the CIS Kubernetes Benchmark.

Kube-bench looks for insecure configuration settings in the cluster components (etcd, API server, controller manager, etc.), questionable file permissions, unprotected accounts or open ports, resource quotas, API call rate-limit settings that protect against DoS attacks, and so on.
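
What one such check looks like in practice, as an added example rather than kube-bench's own code: the Python below parses a kube-apiserver command line and evaluates a few CIS-style settings (anonymous authentication, the insecure port, the authorization mode, profiling, audit logging, and the etcd client certificate). kube-bench reads its tests from the CIS benchmark YAML and inspects the real node; the check ids, the two command lines and the file paths here are constructed for the example.

```python
"""CIS-style checks over a kube-apiserver command line.

Added example, not kube-bench's code or its check set. kube-bench loads
the CIS Kubernetes Benchmark tests from YAML and inspects the real
processes and files on a node; this block hard-codes a few checks of the
same shape (a flag must be present, absent, or hold a value) and runs
them over a constructed command line. The check ids are labels for this
example, not CIS control numbers, and the file paths are made up.
"""
import shlex


def parse_flags(cmdline):
    """Turn 'kube-apiserver --a=b --c' into {'a': 'b', 'c': ''}; last wins."""
    flags = {}
    for tok in shlex.split(cmdline)[1:]:
        if tok.startswith("--"):
            name, _, value = tok[2:].partition("=")
            flags[name] = value
    return flags


# Shapes: want == exact value; forbid == value absent from the comma list;
# present == flag set to something.
CHECKS = [
    {"id": "anon-auth", "flag": "anonymous-auth", "want": "false",
     "why": "unauthenticated requests must be rejected"},
    {"id": "insecure-port", "flag": "insecure-port", "want": "0",
     "why": "the plaintext, unauthenticated port must be disabled"},
    {"id": "authz-mode", "flag": "authorization-mode", "forbid": "AlwaysAllow",
     "why": "AlwaysAllow bypasses RBAC"},
    {"id": "profiling", "flag": "profiling", "want": "false",
     "why": "pprof endpoints leak internals"},
    {"id": "audit-log", "flag": "audit-log-path", "present": True,
     "why": "API audit events must be recorded"},
    {"id": "etcd-client-cert", "flag": "etcd-certfile", "present": True,
     "why": "the API server must authenticate to etcd with a client cert"},
]


def run_checks(flags, checks=CHECKS):
    """Evaluate every check; an absent flag fails (insecure defaults)."""
    results = []
    for c in checks:
        value = flags.get(c["flag"])
        if c.get("present"):
            ok = bool(value)
        elif "forbid" in c:
            ok = value is not None and c["forbid"] not in value.split(",")
        else:
            ok = value == c["want"]
        results.append({"id": c["id"], "flag": c["flag"], "value": value,
                        "status": "PASS" if ok else "FAIL", "why": c["why"]})
    return results


def failed_ids(cmdline):
    return [r["id"] for r in run_checks(parse_flags(cmdline)) if r["status"] == "FAIL"]


# Constructed command lines; paths are illustrative.
WEAK_CMDLINE = ("kube-apiserver --anonymous-auth=true --insecure-port=8080 "
                "--authorization-mode=AlwaysAllow --profiling=true")
HARDENED_CMDLINE = (
    "kube-apiserver --anonymous-auth=false --insecure-port=0 "
    "--authorization-mode=Node,RBAC --profiling=false "
    "--audit-log-path=/var/log/kubernetes/audit.log "
    "--etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt"
)

if __name__ == "__main__":
    for r in run_checks(parse_flags(WEAK_CMDLINE)):
        print(f"[{r['status']}] {r['id']}: --{r['flag']}={r['value']!r} ({r['why']})")
```

On a real node the command line comes from `/proc/<pid>/cmdline` or the static pod manifest rather than a string literal, and a full implementation also checks file permissions and ownership, which the benchmark covers and this example does not. Note the design choice that an absent flag fails: the benchmark cares about the effective setting, and several of these flags have insecure defaults when omitted.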

Kube-hunter

Kube-hunter "hunts" for potential vulnerabilities (such as remote code execution or information disclosure) in Kubernetes clusters. Kube-hunter can be run as a remote scanner, in which case it assesses the cluster from the point of view of an outside attacker, or as a pod inside the cluster.

A distinctive feature of Kube-hunter is its "active hunting" mode, which not only reports problems but also tries to exploit the vulnerabilities found in the target cluster, which can harm its operation. So use it with care!

Kubeaudit

Kubeaudit is a command-line tool originally developed by Shopify for auditing Kubernetes configurations for various security problems. For example, it helps identify containers running without restrictions, running as root, abusing privileges, or using the default ServiceAccount.

Kubeaudit has other interesting features too. For example, it can parse local YAML files, detect configuration errors that could lead to security issues, and fix them automatically.

Kubesec

Kubesec is special in that it directly scans the YAML files of Kubernetes resources for weak settings that could affect security.

For example, it can detect excessive privileges and permissions granted to a pod, a container running with root as the default user, attachment to the host's network namespace, or dangerous mounts such as the host's /proc or the Docker socket. Another interesting feature of Kubesec is its online demo service, where you can upload a YAML file and have it scanned immediately.
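
The two tools above work on the same input, so one added example covers both: the Python below (this translation's example, not kubeaudit's or kubesec's code) audits a workload manifest for the problems just listed, such as privileged containers, running as root, host namespaces, the Docker socket or /proc mounted from the host, and the default ServiceAccount, and then applies kubeaudit-style automatic fixes for the settings that have a safe default. Manifests are taken as dicts (what yaml.safe_load returns for a manifest file); the weak Deployment and the hardened Pod are constructed.

```python
"""Static checks over a Kubernetes workload manifest, in the style of
kubeaudit and kubesec, plus a kubeaudit-like autofix.

Added example, not either project's code. Manifests are handled as Python
dicts (what yaml.safe_load returns for a manifest file; PyYAML is left out
so the block is standard-library only). The checks, their severities and
the two sample manifests are this example's own, not kubesec's scoring or
kubeaudit's auditors.
"""
import copy

DANGEROUS_HOST_PATHS = {"/", "/proc", "/sys", "/etc", "/var/lib/kubelet",
                        "/var/run/docker.sock", "/run/docker.sock"}
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN", "NET_RAW"}


def pod_spec(obj):
    """PodSpec of a Pod, or of the pod template of a Deployment/DaemonSet/Job."""
    spec = obj.get("spec", {})
    return spec if obj.get("kind") == "Pod" else spec.get("template", {}).get("spec", {})


def audit(obj):
    """Return findings as dicts with severity, path and message."""
    spec, findings = pod_spec(obj), []

    def add(sev, path, msg):
        findings.append({"severity": sev, "path": path, "message": msg})

    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            add("critical", f"spec.{key}", f"{key} shares a host namespace")
    if spec.get("serviceAccountName", "default") == "default":
        add("warning", "spec.serviceAccountName", "uses the default ServiceAccount")
    if spec.get("automountServiceAccountToken", True):
        add("warning", "spec.automountServiceAccountToken", "API token mounted into pod")
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path:  # any hostPath is worth a look; the listed ones are host takeover
            sev = "critical" if "/" + path.strip("/") in DANGEROUS_HOST_PATHS else "warning"
            add(sev, f"spec.volumes[{vol.get('name')}]", f"hostPath mount of {path}")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc, where = c.get("securityContext", {}), f"container {c.get('name')}"
        if sc.get("privileged"):
            add("critical", where, "privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            add("warning", where, "allowPrivilegeEscalation is not false")
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if uid == 0 or (uid is None and not non_root):
            add("critical", where, "may run as root")
        if not sc.get("readOnlyRootFilesystem"):
            add("warning", where, "root filesystem is writable")
        added = set(sc.get("capabilities", {}).get("add", [])) & DANGEROUS_CAPS
        if added:
            add("critical", where, f"adds capabilities {sorted(added)}")
        if not c.get("resources", {}).get("limits"):
            add("warning", where, "no resource limits")
    return findings


def autofix(obj):
    """Copy of obj with the settings that have a safe default applied."""
    fixed = copy.deepcopy(obj)
    spec = pod_spec(fixed)
    spec["automountServiceAccountToken"] = False
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.setdefault("securityContext", {})
        sc.update(privileged=False, allowPrivilegeEscalation=False,
                  readOnlyRootFilesystem=True, capabilities={"drop": ["ALL"]})
        sc.setdefault("runAsNonRoot", True)  # an explicit runAsUser: 0 still gets flagged
    return fixed


# Constructed manifest with several common mistakes.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{"name": "web", "image": "registry.example/web:1.0",
                        "securityContext": {"privileged": True,
                                            "capabilities": {"add": ["NET_RAW"]}}}],
    }}},
}

# Constructed manifest that passes every check above.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "serviceAccountName": "web-sa", "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{"name": "web", "image": "registry.example/web:1.0",
                        "resources": {"limits": {"cpu": "500m", "memory": "128Mi"}},
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "readOnlyRootFilesystem": True,
                                            "capabilities": {"drop": ["ALL"]}}}],
    },
}
```

Auditing the auto-fixed copy still reports host networking, the hostPath volume, the default ServiceAccount and the missing resource limits: those are deliberate design choices that a person has to confirm or change, which is why an autofix should never be applied blindly and why the tools above distinguish what they can fix from what they can only flag.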

Open Policy Agent

The goal of OPA (Open Policy Agent) is to decouple security policies and security best practices from any particular runtime platform: Docker, Kubernetes, Mesosphere, OpenShift, or any combination of them.

For example, you can deploy OPA as the backend of a Kubernetes admission controller, delegating security decisions to it. That way the OPA agent can validate, deny, and even modify requests on the fly, ensuring that the specified security parameters are respected. Security policies in OPA are written in its own DSL, Rego.

Translator's note: we wrote more about OPA (and SPIFFE) in this material.
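
Portieris, KubeXray and OPA all sit at the same point in the API server's request path, so a single added example serves all three: the Python below (written for this translation, not any of those projects' code) implements the decision side of a validating admission webhook for one policy, that every container image must come from a trusted registry and be pinned by digest, and returns the AdmissionReview response the API server expects. The trusted registry name, the sample request and its uid are assumptions; the TLS server that Kubernetes requires around a webhook is not included.

```python
"""A validating admission decision of the kind Portieris, KubeXray and
OPA's Kubernetes integration make.

Added example, not any of those projects' code. The API server POSTs an
AdmissionReview (admission.k8s.io/v1) to the webhook and expects back an
AdmissionReview whose response repeats the request uid and says allowed
true/false, optionally with a status message. This block implements the
decision for one policy, "images must come from a trusted registry and be
pinned by digest"; the trusted registry name, the sample request and its
uid are assumptions of the example, and the TLS HTTP server that would
wrap review() is not shown.
"""
import re

TRUSTED_REGISTRIES = ("registry.example/",)  # assumed for the example
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def image_violations(image):
    problems = []
    if not image.startswith(TRUSTED_REGISTRIES):
        problems.append(f"{image}: not from a trusted registry")
    if not DIGEST_RE.search(image):
        problems.append(f"{image}: not pinned by digest")
    return problems


def pod_spec(obj):
    spec = obj.get("spec", {})
    return spec if obj.get("kind") == "Pod" else spec.get("template", {}).get("spec", {})


def review(admission_review):
    """Build the AdmissionReview response for an incoming request."""
    req = admission_review["request"]
    spec = pod_spec(req.get("object") or {})
    problems = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        problems.extend(image_violations(c.get("image",  "")))
    response = {"uid": req["uid"], "allowed": not problems}
    if problems:
        response["status"] = {"code": 403, "message": "; ".join(problems)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


def sample_request(images):
    """Constructed AdmissionReview for a Pod CREATE with the given images."""
    return {
        "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
        "request": {
            "uid": "00000000-0000-4000-8000-000000000001",  # constructed
            "kind": {"group": "", "version": "v1", "kind": "Pod"},
            "operation": "CREATE", "namespace": "prod",
            "object": {"kind": "Pod", "metadata": {"name": "web"},
                       "spec": {"containers": [
                           {"name": f"c{i}", "image": img} for i, img in enumerate(images)]}},
        },
    }


# The same policy as Rego deny rules, as it would be handed to OPA
# (shown for comparison only; not executed by this block):
#
#   package kubernetes.admission
#   import rego.v1
#   deny contains msg if {
#     some container in input.request.object.spec.containers
#     not startswith(container.image, "registry.example/")
#     msg := sprintf("%v: not from a trusted registry", [container.image])
#   }
#   deny contains msg if {
#     some container in input.request.object.spec.containers
#     not regex.match("@sha256:[0-9a-f]{64}$", container.image)
#     msg := sprintf("%v: not pinned by digest", [container.image])
#   }

PINNED = "registry.example/web@sha256:" + "0" * 64

if __name__ == "__main__":
    for images in ([PINNED], ["docker.io/library/nginx:latest"]):
        print(review(sample_request(images))["response"])
```

An OPA deployment would answer the same request from the Rego rules shown in the comment, and a Portieris-style controller would consult Notary for the image's signature instead of checking the shape of the reference; the wiring to the API server is the same in all three cases, a ValidatingWebhookConfiguration pointing at the webhook's service, which must be served over TLS.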

Comprehensive commercial Kubernetes security tools

We decided to create a separate category for the commercial platforms, since they tend to cover several areas of security at once. A general idea of their capabilities can be had from the table:

[Table comparing the commercial platforms' capabilities; the image is not reproduced here.]
* Advanced forensics capabilities with full system call capture.

Aqua Security

This commercial tool is designed for containers and cloud workloads. It offers:

  • image scanning integrated with a container registry or a CI/CD pipeline;
  • runtime protection that looks for changes in containers and other suspicious activity;
  • a container-native firewall;
  • security for serverless workloads in cloud services;
  • compliance checks and auditing combined with event logging.

Translator's note: it is worth noting that there is a free component of the product called microscanner, which lets you scan container images for vulnerabilities. A comparison of its features with the paid versions is given in this table.

Capsule8

Capsule8 integrates into the infrastructure by installing a detector in a local or cloud Kubernetes cluster. This detector collects host and network telemetry and correlates it with various types of attacks.

The Capsule8 team sees its mission as early detection and prevention of attacks that use fresh (0-day) vulnerabilities. Capsule8 can push updated security rules directly to the detectors in response to newly discovered threats and software vulnerabilities.

Cavirin

Cavirin acts as the enterprise-side counterpart to the various security standards bodies. Not only can it scan images, it can also integrate into the CI/CD pipeline, blocking non-compliant images before they reach private repositories.

The Cavirin security suite uses machine learning to assess the cybersecurity posture and offers advice on how to improve security and compliance.

Google Cloud Security Command Center

Cloud Security Command Center helps security teams collect data, identify threats, and remediate them before they harm the company.

As the name suggests, Google Cloud SCC is a unified control panel that can integrate and manage a variety of security reports, asset inventory engines, and third-party security systems from a single place.

The interoperability API provided by Google Cloud SCC makes it easy to ingest security events coming from various sources such as Sysdig Secure (container security for cloud-native applications) or Falco (open source runtime security).

Layered Insight (Qualys)

Layered Insight (now part of Qualys Inc) is built around the concept of "embedded security". After scanning the base image for vulnerabilities using statistical analysis and CVE checks, Layered Insight replaces it with an instrumented image that includes an agent in the form of a binary.

This agent contains runtime security tests for analyzing the container's network traffic, I/O flows, and application activity. In addition, it can perform further security checks defined by the infrastructure administrator or the DevOps teams.

NeuVector

NeuVector performs container security checks and runtime protection by analyzing network activity and application behavior, building an individual security profile for each container. It can also block threats on its own, isolating suspicious activity by modifying local firewall rules.

NeuVector's network integration, known as Security Mesh, is capable of deep packet inspection and Layer 7 filtering for all network connections in the service mesh.

StackRox

The StackRox security platform aims to cover the entire lifecycle of Kubernetes applications in a cluster. Like the other commercial platforms on this list, StackRox builds a runtime profile from observed container behavior and automatically raises an alarm on any deviation from it.

In addition, StackRox analyzes Kubernetes configurations against the CIS Kubernetes benchmark and other rulebooks to assess container compliance.

Sysdig Secure

Sysdig Secure protects applications across the container and Kubernetes lifecycle. It scans container images, provides runtime protection based on machine learning, performs forensics to identify vulnerabilities, blocks threats, monitors compliance with established standards, and audits activity in microservices.

Sysdig Secure integrates with CI/CD tools such as Jenkins and controls images pulled from Docker registries, preventing dangerous images from appearing in production. It also provides comprehensive runtime security, including:

  • ML-based runtime profiling and anomaly detection;
  • runtime policies based on system events, the K8s audit API, joint community projects (FIM, file integrity monitoring; cryptojacking) and the MITRE ATT&CK framework;
  • incident response and remediation.

Tenable Container Security

Before the advent of containers, Tenable was already widely known in the industry as the company behind Nessus, a popular vulnerability scanning and security auditing tool.

Tenable Container Security draws on the company's expertise in computer security to integrate the CI/CD pipeline with vulnerability databases, specialized malware detection packages, and security recommendations.

Twistlock (Palo Alto Networks)

Twistlock promotes itself as a platform focused on cloud services and containers. Twistlock supports various cloud providers (AWS, Azure, GCP), container orchestrators (Kubernetes, Mesosphere, OpenShift, Docker), serverless runtimes, mesh frameworks, and CI/CD tools.

In addition to the usual enterprise-grade security techniques such as CI/CD pipeline integration or image scanning, Twistlock uses machine learning to generate container-specific behavior patterns and network rules.

Some time ago Twistlock was acquired by Palo Alto Networks, which already owned the Evident.io and RedLock projects. It is not yet known exactly how these three platforms will be combined in Palo Alto's Prisma.

Help build the best catalog of Kubernetes security tools!

We strive to make this catalog as complete as possible, and for that we need your help! Contact us (@sysdig) if you have a cool tool in mind that deserves a place on this list, or if you find a bug or outdated information.

You can also subscribe to our monthly newsletter with news from the cloud-native ecosystem and stories about interesting projects from the world of Kubernetes security.

source: www.habr.com
