33+ Kubernetes security tools

Translator's note: If you are thinking about security in Kubernetes-based infrastructure, this excellent overview from Sysdig is a good starting point for a quick look at the current state of the solutions. It covers both complex systems from well-known market players and much simpler utilities that solve one specific problem. And in the comments, as always, we will be glad to hear about your experience using these tools and to see links to other projects.

Kubernetes security software products... there are a great many of them, each with its own goals, scope and licenses.

That is why we decided to create this list and include both open source projects and commercial platforms from different vendors. We hope it helps you identify the most interesting ones and points you in the right direction depending on your Kubernetes security needs.

Categories

To make the list easier to navigate, the tools are organized by their main function and area of application. The following sections are included:

  • Scanning Kubernetes images and static analysis;
  • Runtime security;
  • Kubernetes network security;
  • Image distribution and secrets management;
  • Kubernetes security audit;
  • Comprehensive commercial products.

Let's get down to business:

Scanning Kubernetes images

Anchore

  • Website: anchore.com
  • License: free (Apache) and commercial offering

Anchore analyzes container images and allows security checks based on user-defined policies.

In addition to the usual scanning of container images for known vulnerabilities from the CVE database, Anchore performs many additional checks as part of its scanning policy: analysis of the Dockerfile, credential leaks, packages of the programming languages used (npm, maven, etc.), software licenses and more.

Clair

  • Website: coreos.com/clair (now under the wing of Red Hat)
  • License: free (Apache)

Clair is one of the first open source projects for image scanning. It is widely known as the security scanner behind the Quay image registry (also from CoreOS - transl. note). Clair can collect CVE information from a variety of sources, including lists of Linux distribution-specific vulnerabilities maintained by the Debian, Red Hat or Ubuntu security teams.

Unlike Anchore, Clair focuses primarily on finding vulnerabilities and matching data against CVEs. However, the product gives users the ability to extend its functionality through plug-in drivers.

Dagda

Dagda performs static analysis of container images for known vulnerabilities, trojans, viruses, malware and other threats.

Two notable features distinguish Dagda from other similar tools:

  • It integrates directly with ClamAV, acting not only as a tool for scanning container images but also as an antivirus.
  • It also provides runtime protection by receiving real-time events from the Docker daemon and integrating with Falco (see below) to collect security events while the container is running.

KubeXray

  • Website: github.com/jfrog/kubexray
  • License: free (Apache), but requires data from JFrog Xray (a commercial product)

KubeXray listens for events from the Kubernetes API server and uses metadata from JFrog Xray to ensure that only pods matching the current policy are launched.

KubeXray not only audits new or updated containers at deployment time (like an admission controller in Kubernetes), but also dynamically checks running containers for compliance with new security policies, removing resources that reference vulnerable images.

Snyk

  • Website: snyk.io
  • License: free (Apache) and commercial versions

Snyk is an unusual vulnerability scanner in that it specifically targets the development process and is promoted as an "essential solution" for developers.

Snyk connects directly to code repositories, parses the project manifest and analyzes the imported code together with its direct and indirect dependencies. Snyk supports many popular programming languages and can also detect hidden license risks.

Trivy

Trivy is a simple but powerful vulnerability scanner for containers that integrates easily into a CI/CD pipeline. Its notable feature is ease of installation and operation: the application consists of a single binary and does not require installing a database or additional libraries.

The downside of Trivy's simplicity is that you have to work out yourself how to parse and forward the results in JSON format so that other Kubernetes security tools can consume them.
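As an added illustration of that last point (this is example code, not part of the original article and not Trivy's own tooling), the script below consumes a report shaped like Trivy's JSON output, summarizes it, applies a severity gate a CI stage can fail on, and flattens the findings into one-line JSON records for another tool to ingest. The report, CVE ids and versions are constructed placeholders, and the field names (`Results`, `Target`, `Vulnerabilities`, `VulnerabilityID`, `Severity`, `FixedVersion`) are assumed to match the scanner's schema.

```python
import json
from collections import Counter

# Constructed sample in the shape of a Trivy JSON report (assumed schema: a
# top-level "Results" list whose entries carry "Target" and "Vulnerabilities").
# The CVE ids and versions are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "shop/web:1.4.2 (alpine 3.10)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "openssl",
             "InstalledVersion": "1.1.1c-r0", "FixedVersion": "1.1.1d-r0",
             "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "musl",
             "InstalledVersion": "1.1.22-r2", "FixedVersion": "",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "busybox",
             "InstalledVersion": "1.30.1-r2", "FixedVersion": "1.30.1-r3",
             "Severity": "LOW"},
        ],
    }]
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def iter_vulns(report_json):
    """Yield (target, vulnerability) pairs; "Vulnerabilities" is null for a clean target."""
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", ""), vuln


def summarize(report_json):
    """Count findings per severity and list the ones that already have a vendor fix."""
    counts, fixable = Counter(), []
    for _, v in iter_vulns(report_json):
        counts[v.get("Severity", "UNKNOWN").upper()] += 1
        if v.get("FixedVersion"):
            fixable.append((v["VulnerabilityID"], v["PkgName"], v["FixedVersion"]))
    return counts, fixable


def gate(report_json, fail_on="HIGH", ignore_unfixed=False):
    """Return the vulnerability ids that should fail the pipeline stage.

    fail_on is the lowest severity that blocks; ignore_unfixed skips findings
    with no vendor fix yet (useful to keep builds green while tracking them).
    """
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking = []
    for _, v in iter_vulns(report_json):
        if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN").upper(), 0) < threshold:
            continue
        if ignore_unfixed and not v.get("FixedVersion"):
            continue
        blocking.append(v["VulnerabilityID"])
    return blocking


def to_events(report_json):
    """Flatten the report into one self-describing JSON record per finding, the
    form a SIEM or another security tool can ingest line by line."""
    return [json.dumps({"target": t, "id": v["VulnerabilityID"], "pkg": v["PkgName"],
                        "severity": v.get("Severity", "UNKNOWN"),
                        "fixed": v.get("FixedVersion", "")}, sort_keys=True)
            for t, v in iter_vulns(report_json)]


if __name__ == "__main__":
    counts, fixable = summarize(SAMPLE_REPORT)
    print("by severity:", dict(counts))
    print("fixable:", fixable)
    for line in to_events(SAMPLE_REPORT):
        print(line)
    blocking = gate(SAMPLE_REPORT, fail_on="HIGH")
    print("blocking:", blocking)
    raise SystemExit(1 if blocking else 0)   # non-zero exit fails the CI stage
```

The gate deliberately separates "no fix available" from "fix available": blocking a build on a vulnerability nobody can patch yet is a policy choice, so it is a parameter rather than a hard-coded rule.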

Runtime security in Kubernetes

Falco

  • Website: falco.org
  • License: free (Apache)

Falco is a set of tools for securing cloud runtime environments. It is part of the CNCF project family.

Using Sysdig's Linux kernel-level tooling and system call profiling, Falco lets you dive deep into the behavior of the system. Its runtime rules engine can detect suspicious activity in applications, containers, the underlying host and the Kubernetes orchestrator.

Falco provides full runtime transparency and threat detection by deploying special agents on Kubernetes nodes for this purpose. As a result, there is no need to modify containers by injecting third-party code into them or by adding sidecar containers.

Linux security frameworks for runtime

These native Linux kernel frameworks are not "Kubernetes security tools" in the traditional sense, but they deserve a mention because they are an important element in the context of runtime security, which is covered by the Kubernetes Pod Security Policy (PSP).

AppArmor attaches a security profile to the processes running in a container, defining filesystem privileges, network access rules, library linking, etc. It is a system based on Mandatory Access Control (MAC). In other words, it prevents prohibited actions from being performed.

Security-Enhanced Linux (SELinux) is an advanced security module in the Linux kernel, similar in some respects to AppArmor and often compared to it. SELinux surpasses AppArmor in power, flexibility and configurability. Its drawbacks are a long learning curve and increased complexity.

Seccomp and seccomp-bpf allow you to filter system calls, blocking the execution of those that are potentially dangerous to the underlying OS and unnecessary for the normal operation of user applications. Seccomp is similar to Falco in some ways, although it does not know the specifics of containers.
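To make the Falco and seccomp passages above concrete, here is an added example (not code from the article, from Falco or from Sysdig) of a miniature runtime rules engine: a few rules in the spirit of Falco's defaults run over constructed syscall-level events. The last rule is a seccomp-style syscall denylist, with the difference that seccomp would block the call in the kernel without knowing which container made it, whereas a Falco-style rule only observes and alerts but can use the container context. Event fields, container ids, image names and the rule conditions are all invented for the example; real Falco rules are written in its own filter syntax over fields such as `container.id` and `proc.name`.

```python
# Constructed events in the spirit of what a syscall-level sensor reports:
# process name, container id ("host" when not in a container), and per-type fields.
SAMPLE_EVENTS = [
    {"evt_type": "execve", "proc_name": "bash", "user": "root",
     "container_id": "3f2a9c", "image": "shop/web:1.4.2"},
    {"evt_type": "open", "proc_name": "nginx", "fd_name": "/var/log/nginx/access.log",
     "flags": "wa", "container_id": "3f2a9c"},
    {"evt_type": "open", "proc_name": "bash", "fd_name": "/etc/passwd",
     "flags": "w", "container_id": "3f2a9c"},
    {"evt_type": "open", "proc_name": "cat", "fd_name": "/etc/shadow",
     "flags": "r", "container_id": "host"},
    {"evt_type": "syscall", "proc_name": "python3", "syscall": "ptrace",
     "container_id": "9b1d0e"},
    {"evt_type": "execve", "proc_name": "sh", "user": "ops",
     "container_id": "host"},
]

SHELLS = {"sh", "bash", "dash", "ash", "zsh"}
SENSITIVE_FILES = {"/etc/shadow", "/etc/sudoers", "/root/.ssh/id_rsa"}
# Syscalls a typical web workload never needs. A seccomp profile would reject
# these in the kernel; the rule below merely detects them, but per container.
DENIED_SYSCALLS = {"ptrace", "mount", "reboot", "init_module", "kexec_load"}


def in_container(evt):
    return evt.get("container_id", "host") != "host"


# Each rule: (name, priority, condition). Conditions are plain Python callables here.
RULES = [
    ("Terminal shell in container", "WARNING",
     lambda e: e["evt_type"] == "execve" and e["proc_name"] in SHELLS and in_container(e)),
    ("Write below /etc in container", "ERROR",
     lambda e: e["evt_type"] == "open" and "w" in e.get("flags", "")
     and e.get("fd_name", "").startswith("/etc/") and in_container(e)),
    ("Read sensitive file", "WARNING",
     lambda e: e["evt_type"] == "open" and e.get("fd_name") in SENSITIVE_FILES
     and e["proc_name"] not in {"sshd", "login", "sudo"}),
    ("Denied syscall in container", "CRITICAL",
     lambda e: e["evt_type"] == "syscall" and e.get("syscall") in DENIED_SYSCALLS
     and in_container(e)),
]


def evaluate(events, rules=RULES):
    """Run every rule over every event; return one alert per (event, rule) match."""
    alerts = []
    for index, evt in enumerate(events):
        for name, priority, condition in rules:
            if condition(evt):
                alerts.append({"event": index, "rule": name, "priority": priority,
                               "container": evt.get("container_id", "host"),
                               "proc": evt["proc_name"]})
    return alerts


def by_priority(alerts):
    """Group the matched rule names by priority so a responder sees the worst first."""
    grouped = {}
    for alert in alerts:
        grouped.setdefault(alert["priority"], []).append(alert["rule"])
    return grouped


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"{alert['priority']:8} {alert['rule']} (event {alert['event']}, "
              f"container {alert['container']}, proc {alert['proc']})")
```

Note that the shell on the host (last event) raises nothing while the same shell inside a container does: that container awareness is exactly what the text says seccomp lacks.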

Sysdig open source

Sysdig is a comprehensive tool for analyzing, diagnosing and debugging Linux systems (it also works on Windows and macOS, but with limited functionality). It can be used for detailed information gathering, verification and forensic analysis of the underlying system and any containers running on it.

Sysdig natively supports container runtimes and Kubernetes metadata, adding extra dimensions and labels to all the system behavior information it collects. There are several ways to analyze a Kubernetes cluster with Sysdig: you can capture a point in time with kubectl capture, or launch an ncurses-based interactive interface with the kubectl dig plugin.

Kubernetes network security

Aporeto

Aporeto offers "security decoupled from the network and infrastructure." This means that Kubernetes services receive not only a local ID (i.e.

Aporeto can issue a unique ID not only for Kubernetes/containers but also for hosts, cloud functions and users. Depending on these identifiers and the set of network security rules configured by the administrator, communications are either allowed or blocked.

Calico

Calico is usually deployed during the installation of a container orchestrator, allowing you to create a virtual network that connects the containers. In addition to this basic network functionality, the Calico project works with Kubernetes Network Policies and its own set of network security profiles, and supports endpoint ACLs (access control lists) and annotation-based network security rules for Ingress and Egress traffic.

Cilium

Cilium acts as a firewall for containers and provides network security features natively tailored to Kubernetes and microservice workloads. Cilium uses a new Linux kernel technology called BPF (Berkeley Packet Filter) to filter, monitor, redirect and correct data.

Cilium can deploy network access policies based on container identity using Docker or Kubernetes labels and metadata. Cilium also understands and filters various Layer 7 protocols such as HTTP or gRPC, allowing you to define, for example, the set of REST calls that are permitted between two Kubernetes deployments.
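The following added example (not from the article and not Cilium's own code) shows what such an identity-based Layer 7 policy decides: a policy selecting the `orders` endpoint admits only listed method/path pairs from `frontend`, a single DELETE shape from `admin`, and plain L4 access on a metrics port, and drops everything else. The policy structure loosely follows a CiliumNetworkPolicy with HTTP rules but is simplified; the app labels, ports and paths are invented.

```python
import re

# Constructed policy modelled on a CiliumNetworkPolicy with L7 HTTP rules (the
# shape is simplified; labels, paths and ports are invented for the example).
ORDERS_POLICY = {
    "endpointSelector": {"app": "orders"},
    "ingress": [
        {   # the storefront may list, read and create orders
            "fromEndpoints": [{"app": "frontend"}],
            "toPorts": [{"port": 8080, "rules": {"http": [
                {"method": "GET",  "path": r"^/api/v1/orders(/[0-9]+)?$"},
                {"method": "POST", "path": r"^/api/v1/orders$"},
            ]}}],
        },
        {   # only the admin tool may delete, and only single orders
            "fromEndpoints": [{"app": "admin"}],
            "toPorts": [{"port": 8080, "rules": {"http": [
                {"method": "DELETE", "path": r"^/api/v1/orders/[0-9]+$"},
            ]}}],
        },
        {   # metrics scraping is plain L4: any method/path on 9090 from prometheus
            "fromEndpoints": [{"app": "prometheus"}],
            "toPorts": [{"port": 9090}],
        },
    ],
}


def selector_matches(selector, labels):
    """A label selector matches when every key/value it names is present."""
    return all(labels.get(key) == value for key, value in selector.items())


def decide(policy, src_labels, dst_labels, port, method, path):
    """Return ("allow", matched_rule) or ("deny", None) for one request.

    Mirrors the default-deny semantics once a policy selects an endpoint: traffic
    not matching any ingress rule is dropped, and an L7 rule set only admits the
    listed method/path pairs. ("not-selected", None) means this policy does not
    govern the destination at all.
    """
    if not selector_matches(policy["endpointSelector"], dst_labels):
        return ("not-selected", None)
    for rule in policy["ingress"]:
        if not any(selector_matches(s, src_labels) for s in rule["fromEndpoints"]):
            continue
        for to_port in rule["toPorts"]:
            if to_port["port"] != port:
                continue
            http_rules = to_port.get("rules", {}).get("http")
            if http_rules is None:          # L3/L4-only rule: the port match is enough
                return ("allow", f"l4:{port}")
            for http in http_rules:
                if http.get("method", method) == method and re.match(http["path"], path):
                    return ("allow", f"{http['method']} {http['path']}")
    return ("deny", None)


if __name__ == "__main__":
    frontend, admin, orders = {"app": "frontend"}, {"app": "admin"}, {"app": "orders"}
    for src, method, path, port in [(frontend, "GET", "/api/v1/orders/42", 8080),
                                    (frontend, "DELETE", "/api/v1/orders/42", 8080),
                                    (admin, "DELETE", "/api/v1/orders/42", 8080),
                                    (frontend, "GET", "/api/v1/orders/42/items", 8080)]:
        verdict = decide(ORDERS_POLICY, src, orders, port, method, path)
        print(f"{src['app']:9} {method:6} {path:24} :{port} -> {verdict}")
```

The anchored regexes matter: without `^` and `$`, a path such as `/api/v1/orders/42/items` would slip through a rule meant for `/api/v1/orders/42`.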

Istio

  • Website: istio.io
  • License: free (Apache)

Istio is widely known for implementing the service mesh paradigm by deploying a platform-independent control plane and routing all managed service traffic through dynamically configured Envoy proxies. Istio takes advantage of this advanced view of all microservices and containers to implement various network security strategies.

Istio's network security capabilities include transparent TLS encryption that automatically upgrades communication between microservices to HTTPS, as well as its own RBAC identity and authorization system that allows or denies communication between the different workloads in the cluster.

Translator's note: To learn more about Istio's security features, read this article.

Tigera

Called the "Kubernetes Firewall," this solution emphasizes a zero-trust approach to network security.

Like other native Kubernetes network solutions, Tigera relies on metadata to identify the various services and objects in the cluster and provides runtime problem detection, continuous compliance checking and network visibility for multi-cloud and hybrid monolithic-containerized infrastructures.

Trireme

Trireme-Kubernetes is a simple and straightforward implementation of the Kubernetes Network Policies specification. Its most notable feature is that, unlike similar Kubernetes network security products, it does not require a central control plane to coordinate the mesh. This makes the solution trivially scalable. In Trireme this is achieved by installing an agent on each node that connects directly to the host's TCP/IP stack.

Image distribution and secrets management

Grafeas

  • Website: grafeas.io
  • License: free (Apache)

Grafeas is an open source API for auditing and managing the software supply chain. At a basic level, Grafeas is a tool for collecting metadata and audit findings. It can be used to track compliance with security best practices within an organization.

This centralized source of truth helps answer questions such as:

  • Who built and signed a particular container?
  • Did it pass all the security scans and checks required by the security policy? When? What were the results?
  • Who deployed it to production? What specific parameters were used during deployment?

In-toto

In-toto is a framework designed to provide integrity, authentication and auditability of the entire software supply chain. When deploying In-toto in an infrastructure, a layout is first defined that describes the various steps of the pipeline (repository, CI/CD tools, QA tools, artifact collectors, etc.) and the users (responsible persons) authorized to initiate them.

In-toto monitors the execution of the layout, verifying that each task in the chain is carried out properly and only by authorized personnel, and that no unauthorized manipulation of the product took place as it moved through the chain.
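An added, self-contained illustration of the two checks just described (this is example code, not the in-toto project's implementation or format): a layout names each step, who may sign its link metadata, and which earlier step's products its materials must match; `verify` then rejects a chain where a link is unsigned or signed by the wrong party, and where an artifact changed hands between steps. The keys, file hashes and functionary names are constructed, and HMAC secrets stand in for the asymmetric signatures real in-toto uses, so the example runs with the standard library only.

```python
import hashlib
import hmac
import json

# Constructed functionary keys. Real in-toto signs link metadata with asymmetric
# keys; HMAC secrets stand in here so the example has no dependencies.
KEYS = {"dev-alice": b"alice-secret", "ci-builder": b"ci-secret", "qa-bob": b"qa-secret"}

# Constructed layout: each step, who may sign its link, and which earlier step's
# products its materials must equal (a simplified form of the in-toto MATCH rule).
LAYOUT = {"steps": [
    {"name": "checkout", "authorized": ["dev-alice"],  "match_materials_from": None},
    {"name": "build",    "authorized": ["ci-builder"], "match_materials_from": "checkout"},
    {"name": "test",     "authorized": ["qa-bob"],     "match_materials_from": "build"},
]}


def digest(data):
    return hashlib.sha256(data).hexdigest()


def canonical(payload):
    """Deterministic serialization, so the signature covers exactly one byte string."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_link(step, by, materials, products, key=None):
    """Produce link metadata for one step, signed by functionary `by`
    (key override only exists to construct a forged link for the demo)."""
    body = {"step": step, "by": by, "materials": materials, "products": products}
    sig = hmac.new(key or KEYS[by], canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": sig}


def verify(layout, links):
    """Return the list of violations; an empty list means the chain verifies."""
    violations = []
    by_step = {link["step"]: link for link in links}
    for step in layout["steps"]:
        link = by_step.get(step["name"])
        if link is None:
            violations.append(f"{step['name']}: no link metadata")
            continue
        # 1. the link must carry a valid signature from an authorized functionary
        body = {k: link[k] for k in ("step", "by", "materials", "products")}
        key = KEYS.get(link["by"], b"")
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if link["by"] not in step["authorized"] or not hmac.compare_digest(expected, link["sig"]):
            violations.append(f"{step['name']}: not signed by an authorized functionary")
        # 2. what this step consumed must be exactly what the previous step produced
        prev = step["match_materials_from"]
        if prev in by_step and link["materials"] != by_step[prev]["products"]:
            violations.append(f"{step['name']}: materials do not match products of {prev}")
    return violations


SRC = digest(b"print('hello')\n")           # constructed source file content
BIN = digest(b"constructed-build-output")   # constructed build artifact content


def good_chain():
    return [
        sign_link("checkout", "dev-alice", {}, {"app.py": SRC}),
        sign_link("build", "ci-builder", {"app.py": SRC}, {"app.bin": BIN}),
        sign_link("test", "qa-bob", {"app.bin": BIN}, {"app.bin": BIN}),
    ]


def swapped_artifact_chain():
    """The binary handed to QA is not the one CI produced."""
    links = good_chain()
    other = digest(b"tampered")
    links[2] = sign_link("test", "qa-bob", {"app.bin": other}, {"app.bin": other})
    return links


def unauthorized_signer_chain():
    """Someone outside CI signs the build link with their own (valid) key."""
    links = good_chain()
    links[1] = sign_link("build", "qa-bob", {"app.py": SRC}, {"app.bin": BIN})
    return links


def forged_signature_chain():
    """Correct functionary name on the link, but signed with a key that is not theirs."""
    links = good_chain()
    links[1] = sign_link("build", "ci-builder", {"app.py": SRC}, {"app.bin": BIN},
                         key=b"not-the-ci-key")
    return links


if __name__ == "__main__":
    for name, chain in [("good", good_chain()), ("swapped", swapped_artifact_chain()),
                        ("unauthorized", unauthorized_signer_chain()),
                        ("forged", forged_signature_chain())]:
        print(f"{name:13}", verify(LAYOUT, chain) or "OK")
```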

Portieris

Portieris is an admission controller for Kubernetes used to enforce content trust checks. Portieris uses a Notary server (we wrote about it at the end of this article - transl. note) as a source of truth for validating trusted and signed artifacts (i.e. approved container images).

When a workload is created or modified in Kubernetes, Portieris downloads the signature information and content trust policy for the requested container images and, if necessary, modifies the JSON API object on the fly so that the signed versions of those images are run.

Vault

Vault is a secure solution for storing sensitive information: passwords, OAuth tokens, PKI certificates, access accounts, Kubernetes secrets, etc. Vault supports many advanced features, such as leasing ephemeral security tokens or organizing key rotation.

Using a Helm chart, Vault can be deployed as a new deployment in a Kubernetes cluster with Consul as the backend storage. It supports native Kubernetes resources such as ServiceAccount tokens and can even act as the default store for Kubernetes secrets.

Translator's note: Incidentally, just yesterday HashiCorp, the company developing Vault, announced several improvements for using Vault in Kubernetes, and they concern the Helm chart in particular. Read more in the developer blog.

Kubernetes security audit

Kube-bench

Kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the tests from the CIS Kubernetes Benchmark checklist.

Kube-bench looks for insecure configuration settings across the cluster components (etcd, API server, controller manager, etc.), questionable file access permissions, unprotected accounts or open ports, resource quotas, settings that limit the number of API calls to protect against DoS attacks, and so on.

Kube-hunter

Kube-hunter searches for potential vulnerabilities (such as remote code execution or data disclosure) in Kubernetes clusters. Kube-hunter can be run as a remote scanner, in which case it evaluates the cluster from the perspective of an outside attacker, or as a pod inside the cluster.

A distinctive feature of Kube-hunter is its "active hunting" mode, in which it not only reports problems but also tries to exploit the vulnerabilities it finds in the target cluster, which could harm its operation. So use it with caution!

Kubeaudit

Kubeaudit is a console tool originally developed at Shopify to audit Kubernetes configuration for various security issues. For example, it helps identify containers running without restrictions, running as root, abusing privileges or using the default ServiceAccount.

Kubeaudit has other interesting features. For example, it can analyze local YAML files, detect configuration flaws that could lead to security problems, and automatically fix them.

Kubesec

  • Website: kubesec.io
  • License: free (Apache)

Kubesec is a special tool in that it directly scans the YAML files describing Kubernetes resources, looking for weak parameters that could affect security.

For example, it can detect excessive privileges and permissions granted to a pod, a container running with root as the default user, attachment to the host's network namespace, or dangerous mounts such as the host's /proc or the Docker socket. Another nice feature of Kubesec is the demo service available online, where you can upload a YAML file and have it analyzed immediately.
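As an added example covering both the Kubeaudit and Kubesec passages above (this is illustrative code, not either project's implementation), the checker below walks a Pod manifest, already loaded into a dict, and reports the classes of weakness both tools look for: host namespaces, sensitive hostPath mounts, privileged containers, root users, privilege escalation, writable root filesystems, dangerous capabilities, the auto-mounted default ServiceAccount token and missing resource limits. A `harden` function then applies the settings that are safe to fix mechanically, in the spirit of Kubeaudit's autofix, and leaves the ones that need a human decision visible in a re-audit. The manifest, image name and paths are constructed; the severity labels are the example's own.

```python
import copy

# Constructed pod manifest (as the dict a YAML/JSON loader would produce) with
# several of the weaknesses named above; image name and paths are invented.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web", "namespace": "shop"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "docker-sock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "web", "image": "shop/web:1.4.2",
            "securityContext": {"privileged": True, "capabilities": {"add": ["NET_ADMIN"]}},
            "volumeMounts": [{"name": "docker-sock", "mountPath": "/var/run/docker.sock"}],
        }],
    },
}

SENSITIVE_HOST_PATHS = ("/", "/proc", "/sys", "/etc", "/var/run/docker.sock",
                        "/var/run/crio", "/var/lib/kubelet", "/root")
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_OVERRIDE"}


def sensitive_host_path(path):
    """True for an exact sensitive path or anything below one ("/" only matches itself)."""
    return any(path == p or (p != "/" and path.startswith(p + "/")) for p in SENSITIVE_HOST_PATHS)


def audit_pod(manifest):
    """Return (severity, message) findings for a Pod manifest."""
    findings = []
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(("HIGH", f"pod shares the host {flag[4:]} namespace"))
    if spec.get("serviceAccountName", "default") == "default" and spec.get("automountServiceAccountToken", True):
        findings.append(("MEDIUM", "default ServiceAccount token is auto-mounted"))
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path and sensitive_host_path(path):
            findings.append(("HIGH", f"volume {vol['name']} mounts sensitive host path {path}"))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc, name = c.get("securityContext", {}), c["name"]
        if sc.get("privileged"):
            findings.append(("CRITICAL", f"{name}: privileged container"))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))          # container overrides pod
        nonroot = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        if uid == 0 or (uid is None and not nonroot):
            findings.append(("HIGH", f"{name}: may run as root"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(("MEDIUM", f"{name}: allowPrivilegeEscalation not disabled"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(("LOW", f"{name}: root filesystem is writable"))
        caps = sc.get("capabilities", {})
        added = DANGEROUS_CAPS & set(caps.get("add", []))
        if added:
            findings.append(("HIGH", f"{name}: adds capabilities {sorted(added)}"))
        if "ALL" not in caps.get("drop", []):
            findings.append(("LOW", f"{name}: does not drop all capabilities"))
        if not c.get("resources", {}).get("limits"):
            findings.append(("LOW", f"{name}: no resource limits"))
    return findings


def harden(manifest):
    """Apply the settings that are safe to fix automatically. Host namespaces,
    hostPath mounts, privileged mode and added capabilities are left untouched:
    only a human can say whether the workload needs them, so they remain visible
    when the result is audited again."""
    fixed = copy.deepcopy(manifest)
    spec = fixed.setdefault("spec", {})
    spec["automountServiceAccountToken"] = False
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.setdefault("securityContext", {})
        sc.update({"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                   "readOnlyRootFilesystem": True})
        sc.setdefault("capabilities", {})["drop"] = ["ALL"]
    return fixed


if __name__ == "__main__":
    for label, pod in [("before", SAMPLE_POD), ("after harden()", harden(SAMPLE_POD))]:
        print(f"--- {label} ---")
        for severity, message in audit_pod(pod):
            print(f"{severity:9} {message}")
```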

Open Policy Agent

The idea behind OPA (Open Policy Agent) is to decouple security policies and security best practices from a specific runtime platform: Docker, Kubernetes, Mesosphere, OpenShift or any combination of them.

For example, you can deploy OPA as a backend for the Kubernetes admission controller, delegating security decisions to it. This way the OPA agent can validate, reject and even modify requests on the fly, ensuring that the specified security parameters are enforced. OPA security policies are written in its own DSL, Rego.
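The Portieris and OPA passages both describe the same mechanism: an admission webhook that receives an AdmissionReview for a new workload and either denies it with a reason or allows it with a mutation. The added example below (illustrative code, not Portieris, OPA or Rego) implements that exchange for an image policy: only an allow-listed registry, no mutable or missing tags, and every tag replaced on the fly with its signed digest, the way the Portieris paragraph describes. The registry name, the tag-to-digest table (a stand-in for a Notary lookup) and the request objects are constructed; the response layout (`allowed`, `status.message`, `patchType`, base64-encoded JSON patch under `patch`) follows the admission.k8s.io/v1 AdmissionReview response format.

```python
import base64
import json

# Constructed trust configuration: which registries may be pulled from, and a
# tag -> signed digest table standing in for a Notary/content-trust lookup.
TRUSTED_REGISTRIES = ("registry.example.internal/",)
SIGNED_DIGESTS = {
    "registry.example.internal/shop/web:1.4.2": "sha256:" + "a" * 64,
    "registry.example.internal/shop/worker:2.0.0": "sha256:" + "b" * 64,
}


def split_image(image):
    """Return (repo, tag, digest); tag or digest is "" when absent."""
    repo, _, digest = image.partition("@")
    name = repo.rsplit("/", 1)[-1]   # last path component, so a registry port is not taken for a tag
    tag = ""
    if ":" in name:
        repo, tag = repo.rsplit(":", 1)
    return repo, tag, digest


def evaluate_image(image):
    """Return (allowed, reason, image_to_run)."""
    repo, tag, digest = split_image(image)
    if not repo.startswith(TRUSTED_REGISTRIES):
        return False, f"{image}: registry not in allowlist", None
    if digest:                                   # already pinned: accept only a signed digest
        if digest in SIGNED_DIGESTS.values():
            return True, "already pinned to a signed digest", image
        return False, f"{image}: digest has no content-trust signature", None
    if tag in ("", "latest"):
        return False, f"{image}: mutable or missing tag", None
    signed = SIGNED_DIGESTS.get(f"{repo}:{tag}")
    if not signed:
        return False, f"{image}: no content-trust signature for this tag", None
    return True, "signed", f"{repo}@{signed}"


def review(admission_review):
    """Build the AdmissionReview response: deny with a reason, or allow and pin
    every tag to its signed digest with a JSON patch."""
    request = admission_review["request"]
    containers = request["object"]["spec"]["containers"]
    patches, reasons = [], []
    for i, c in enumerate(containers):
        ok, reason, pinned = evaluate_image(c["image"])
        if not ok:
            reasons.append(reason)
        elif pinned != c["image"]:
            patches.append({"op": "replace", "path": f"/spec/containers/{i}/image", "value": pinned})
    response = {"uid": request["uid"], "allowed": not reasons}
    if reasons:
        response["status"] = {"message": "; ".join(reasons)}
    elif patches:
        response["patchType"] = "JSONPatch"
        response["patch"] = base64.b64encode(json.dumps(patches).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def make_review(uid, images):
    """Constructed AdmissionReview request for a Pod with the given images."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "kind": {"kind": "Pod"}, "operation": "CREATE",
                        "object": {"spec": {"containers": [
                            {"name": f"c{i}", "image": img} for i, img in enumerate(images)]}}}}


def decoded_patch(review_response):
    """Read the JSON patch back out of a response (for display and tests)."""
    patch = review_response["response"].get("patch")
    return json.loads(base64.b64decode(patch)) if patch else []


if __name__ == "__main__":
    for uid, images in [("u1", ["registry.example.internal/shop/web:1.4.2"]),
                        ("u2", ["nginx:latest"]),
                        ("u3", ["registry.example.internal/shop/web:latest"])]:
        result = review(make_review(uid, images))["response"]
        print(uid, "allowed" if result["allowed"] else "denied",
              result.get("status", {}).get("message", ""), decoded_patch({"response": result}))
```

Denying on `:latest` and rewriting tags to digests are two halves of one guarantee: the API server ends up storing an immutable reference, so what the audit trail says was admitted is exactly what the kubelet pulls.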

Translator's note: We wrote more about OPA (and SPIFFE) in this article.

Comprehensive commercial tools for Kubernetes security analysis

We decided to create a separate category for commercial platforms, since they usually cover several security areas at once. A general idea of their capabilities can be gained from the table:

* Advanced forensics and post-mortem analysis with full system call capture.

Aqua Security

This commercial tool is designed for containers and cloud workloads. It provides:

  • Image scanning integrated with a container registry or CI/CD pipeline;
  • Runtime protection with detection of changes in containers and other suspicious activity;
  • A native container firewall;
  • Security for serverless in cloud services;
  • Compliance testing and auditing combined with event logging.

Translator's note: It is also worth noting that there is a free component of the product called MicroScanner, which allows you to scan container images for vulnerabilities. A comparison of its capabilities with the paid versions is given in this table.

Capsule8

Capsule8 integrates into the infrastructure by installing a detector on a local or cloud Kubernetes cluster. This detector collects host and network telemetry and correlates it with various types of attacks.

The Capsule8 team sees its mission as the early detection and prevention of attacks that use fresh (0-day) vulnerabilities. Capsule8 can push updated security rules directly to the detectors in response to newly discovered threats and software vulnerabilities.

Cavirin

Cavirin acts as an enterprise-side counterpart to the various agencies involved in security standards. It can not only scan images but also integrate into a CI/CD pipeline, blocking non-compliant images before they enter private repositories.

Cavirin's security suite uses machine learning to assess your cybersecurity posture, offering tips to improve security and compliance with security standards.

Google Cloud Security Command Center

Cloud Security Command Center helps security teams gather data, identify threats and eliminate them before they harm the company.

As the name suggests, Google Cloud SCC is a unified control panel that can integrate and manage a variety of security reports, asset inventory engines and third-party security systems from a single place.

The interoperable API offered by Google Cloud SCC makes it easy to integrate security events coming from various sources, such as Sysdig Secure (container security for cloud-native applications) or Falco (open source runtime security).

Layered Insight (Qualys)

Layered Insight (now part of Qualys Inc) is built on the concept of "embedded security." After scanning the original image for vulnerabilities using statistical analysis and CVE checks, Layered Insight replaces it with an instrumented image that includes the agent as a binary.

This agent contains runtime security tests for analyzing container network traffic, I/O flows and application activity. In addition, it can perform additional security checks specified by the infrastructure administrator or the DevOps teams.

NeuVector

NeuVector checks container security and provides runtime protection by analyzing network activity and application behavior, creating an individual security profile for each container. It can also block threats on its own, isolating suspicious activity by changing local firewall rules.

NeuVector's network integration, called Security Mesh, is capable of deep packet inspection and layer 7 filtering for all network connections in the service mesh.

StackRox

The StackRox container security platform aims to cover the entire lifecycle of Kubernetes applications in a cluster. Like the other commercial platforms on this list, StackRox generates a runtime profile based on observed container behavior and automatically raises an alarm on any deviation.

In addition, StackRox analyzes Kubernetes configurations using the Kubernetes CIS and other rule books to assess container compliance.

Sysdig Secure

Sysdig Secure protects applications throughout the entire container and Kubernetes lifecycle. It scans container images, provides runtime protection based on machine learning data, performs forensic analysis to identify vulnerabilities, blocks threats, monitors compliance with established standards and audits activity in microservices.

Sysdig Secure integrates with CI/CD tools such as Jenkins and controls images pulled from Docker registries, preventing dangerous images from reaching production. It also provides comprehensive runtime security, including:

  • ML-based runtime profiling and anomaly detection;
  • runtime policies based on system events, the K8s audit API, joint community projects (FIM - file integrity monitoring; cryptojacking) and the MITRE ATT&CK framework;
  • incident response and resolution.

Tenable Container Security

Before the advent of containers, Tenable was widely known in the industry as the company behind Nessus, a popular vulnerability discovery and security audit tool.

Tenable Container Security leverages the company's computer security expertise to integrate a CI/CD pipeline with vulnerability databases, specialized malware detection packages and recommendations for resolving security threats.

Twistlock (Palo Alto Networks)

Twistlock positions itself as a platform focused on cloud services and containers. Twistlock supports various cloud providers (AWS, Azure, GCP), container orchestrators (Kubernetes, Mesosphere, OpenShift, Docker), serverless runtimes, mesh frameworks and CI/CD tools.

In addition to the usual enterprise-grade security techniques such as CI/CD pipeline integration or image scanning, Twistlock uses machine learning to generate container-specific behavior patterns and network rules.

Some time ago Twistlock was acquired by Palo Alto Networks, which owns the Evident.io and RedLock projects. It is not yet known how these three platforms will be integrated into PRISMA from Palo Alto.

Help build the best list of Kubernetes security tools!

We strive to make this list as complete as possible, and for that we need your help! Contact us (@sysdig) if you know of a great tool that deserves to be included in this list, or if you find an error or outdated information.

You can also subscribe to our monthly newsletter with news from the cloud-native ecosystem and stories about interesting projects from the world of Kubernetes security.

PS from the translator

Also read on our blog:

Source: www.habr.com
