Translator's note: If you have questions about the security of Kubernetes-based infrastructure, this excellent overview from Sysdig is a great starting point for a quick look at the current solutions. It covers both complex systems from well-known market players and far more modest utilities that solve one specific problem. As always, we will be glad to hear in the comments about your experience with these tools and to get links to other projects.
There are a great many Kubernetes security software products, each with its own purpose, scope, and license.
That is why we decided to put together this list, covering both open source projects and commercial platforms from various vendors. We hope it helps you identify the ones of most interest and points you in the right direction based on your specific Kubernetes security needs.
Categories
To make the list easier to navigate, the tools are grouped by their main function and area of application. The result is the following sections:
- Kubernetes image scanning and static analysis;
- runtime security;
- Kubernetes network security;
- image distribution and secrets management;
- Kubernetes security auditing;
- comprehensive commercial products.
Let's get down to business:
Kubernetes image scanning
Anchore
- Website: anchore.com
- License: free (Apache) and a commercial offering
Anchore analyzes container images and allows security checks based on user-defined policies.
In addition to the usual scanning of container images for known vulnerabilities from the CVE database, Anchore performs many additional checks as part of its scanning policy: it inspects the Dockerfile, leaked credentials, packages of the programming languages used (npm, maven, etc.), software licenses, and more.
Clair
- Website: coreos.com/clair (now maintained under Red Hat)
- License: free (Apache)
Clair was one of the first open source projects for image scanning. It is widely known as the security scanner behind the Quay image registry (also from CoreOS; translator's note). Clair can collect CVE information from various sources, including the lists of distribution-specific Linux vulnerabilities maintained by the Debian, Red Hat, or Ubuntu security teams.
Unlike Anchore, Clair focuses primarily on discovering vulnerabilities and matching data against CVEs. The product does, however, let users extend its functionality with plugin drivers.
Dagda
- Website: github.com/eliasgranderubio/dagda
- License: free (Apache)
Dagda performs static analysis of container images for known vulnerabilities, trojans, viruses, malware, and other threats.
Two notable features distinguish Dagda from other similar tools:
- It integrates natively with ClamAV, acting not only as a container image scanner but also as an antivirus.
- It also provides runtime protection: it receives real-time events from the Docker daemon and integrates with Falco (see below) to collect security events while containers are running.
KubeXray
- Website: github.com/jfrog/kubexray
- License: free (Apache), but requires data from JFrog Xray (a commercial product)
KubeXray listens for events from the Kubernetes API server and uses metadata from JFrog Xray to ensure that only pods matching the current policy are launched.
KubeXray not only audits new or updated containers in deployments (similar to a Kubernetes admission controller), but also dynamically checks running containers for compliance with new security policies, removing resources that reference vulnerable images.
Snyk
- Website: snyk.io
- License: free (Apache) and commercial versions
Snyk is an unusual vulnerability scanner in that it specifically targets the development process and is promoted as an "essential solution" for developers.
Snyk connects directly to code repositories, parses the project manifest, and analyzes the imported code together with its direct and indirect dependencies. Snyk supports many popular programming languages and can identify hidden license risks.
Trivy
- Website: github.com/knqyf263/trivy
- License: free (AGPL)
Trivy is a simple yet powerful vulnerability scanner for containers that integrates easily into a CI/CD pipeline. Its notable feature is ease of installation and operation: the application consists of a single binary and requires no database or additional libraries to be installed.
The downside of Trivy's simplicity is that you have to work out how to parse and forward its results in JSON format so that other Kubernetes security tools can use them.
Kubernetes runtime security
Falco
- Website: falco.org
- License: free (Apache)
Falco is a set of tools for protecting cloud runtime environments. It is part of the Sysdig project family.
Using Sysdig's Linux kernel-level tooling and system call profiling, Falco lets you dive deep into the behavior of the system. Its runtime rules engine can detect suspicious activity in applications, containers, the underlying host, and the Kubernetes orchestrator.
Falco provides full transparency into runtime and threat detection by deploying special agents on the Kubernetes nodes for this purpose. As a result, there is no need to modify containers by injecting third-party code into them or adding sidecar containers.
Linux security frameworks for runtime
These native Linux kernel frameworks are not "Kubernetes security tools" in the traditional sense, but they are worth mentioning because they are an important element in the context of runtime security, which is part of the Kubernetes Pod Security Policy (PSP).
Security-Enhanced Linux (
Sysdig open source
- Website: www.sysdig.com/opensource
- License: free (Apache)
Sysdig is a full-featured tool for analyzing, diagnosing, and debugging Linux systems (it also works on Windows and macOS, but with limited functionality). It can be used for detailed information gathering, verification, and forensic analysis of the underlying system and of any containers running on it.
Sysdig also natively supports container runtimes and Kubernetes metadata, adding extra dimensions and labels to all the system behavior information it collects. There are several ways to analyze a Kubernetes cluster with Sysdig: you can run a point-in-time capture as follows:
Kubernetes network security
Aporeto
- Website: www.aporeto.com
- License: commercial
Aporeto offers "security decoupled from the network and infrastructure". This means that Kubernetes services not only receive a local ID (i.e. a Kubernetes ServiceAccount), but also a universal ID/fingerprint that can be used to communicate securely and mutually with any other service, for example an OpenShift cluster.
Aporeto can generate a unique ID not only for Kubernetes/containers but also for hosts, cloud functions, and users. Depending on these identifiers and the set of network security rules configured by the administrator, communications are allowed or blocked.
Calico
- Website: www.projectcalico.org
- License: free (Apache)
Calico is typically deployed during installation of the container orchestrator and allows you to create a virtual network that interconnects containers. In addition to this basic networking functionality, the Calico project works with Kubernetes network policies and its own set of network security profiles, supports endpoint ACLs (access control lists), and supports annotation-based network security rules for ingress and egress traffic.
Cilium
- Website: www.cilium.io
- License: free (Apache)
Cilium acts as a firewall for containers and provides network security features tailored natively to Kubernetes and microservice workloads. Cilium uses a new Linux kernel technology called BPF (Berkeley Packet Filter) to filter, monitor, redirect, and modify data.
Cilium can roll out network access policies based on container identity using Docker or Kubernetes labels and metadata. Cilium also understands and filters various layer 7 protocols such as HTTP or gRPC, so you can define, for example, the set of REST calls permitted between two Kubernetes deployments.
Istio
- Website: istio.io
- License: free (Apache)
Istio is widely known for implementing the service mesh paradigm: it deploys a platform-independent control plane and routes all managed service traffic through dynamically configurable Envoy proxies. Istio takes advantage of this advanced view of all microservices and containers to implement various network security strategies.
Istio's network security features include transparent TLS encryption that automatically upgrades communication between microservices to HTTPS, and its own RBAC identification and authorization system that allows or denies communication between different workloads in the cluster.
Translator's note: Read more about Istio's security-focused features here.
Tigera
- Website: www.tigera.io
- License: commercial
Called the "Kubernetes firewall", this solution emphasizes a zero-trust approach to network security.
Like other native Kubernetes networking solutions, Tigera relies on metadata to identify the various services and objects in the cluster, and provides runtime problem detection, continuous compliance checking, and network visibility for multi-cloud or hybrid monolithic-containerized infrastructure.
Trireme
- Website: www.aporeto.com/opensource
- License: free (Apache)
Trireme-Kubernetes is a simple and straightforward implementation of the Kubernetes network policy specification. Its most notable feature is that, unlike similar Kubernetes network security products, it does not need a central control plane to coordinate the mesh. This makes the solution trivially scalable. In Trireme this is achieved by installing an agent on each node that hooks directly into the host's TCP/IP stack.
Image distribution and secrets management
Grafeas
- Website: grafeas.io
- License: free (Apache)
Grafeas is an open source API for auditing and managing the software supply chain. At a basic level, Grafeas is a tool for collecting metadata and audit results. It can be used to track compliance with security best practices within an organization.
This centralized source of truth helps answer questions such as:
- Who built and signed a particular container?
- Has it passed all the security scans and checks required by the security policy? When? What were the results?
- Who deployed it to production? Which specific parameters were used during deployment?
In-toto
- Website: in-toto.github.io
- License: free (Apache)
In-toto is a framework designed to provide integrity, authentication, and auditing for the entire software supply chain. When deploying In-toto in an infrastructure, you first define a plan describing the various steps in the pipeline (repository, CI/CD tools, QA tools, artifact collectors, etc.) and the users (responsible parties) who are allowed to perform them.
In-toto monitors the execution of the plan, verifying that each task in the chain is carried out properly and only by the authorized personnel, and that the product is not tampered with in transit.
Portieris
- Website: github.com/IBM/portieris
- License: free (Apache)
Portieris is a Kubernetes admission controller. It is used to enforce content trust checks. Portieris uses a server.
Whenever a workload is created or modified in Kubernetes, Portieris downloads the signature information and content trust policy for the requested container image, makes on-the-fly changes to the JSON API object if needed, and runs the signed version of that image.
Vault
- Website: www.vaultproject.io
- License: free (MPL)
Vault is a secure solution for storing sensitive information such as passwords, OAuth tokens, PKI certificates, access accounts, Kubernetes secrets, and so on. Vault supports many advanced features, such as leasing ephemeral security tokens and orchestrating key rotation.
Using a Helm chart, Vault can be deployed as a new deployment in a Kubernetes cluster, with Consul as the backend storage. It supports native Kubernetes resources such as ServiceAccount tokens and can even act as the default store for Kubernetes secrets.
Translator's note: Incidentally, just yesterday HashiCorp, the company developing Vault, announced several improvements for using Vault with Kubernetes, relating in particular to the Helm chart.
Kubernetes security auditing
Kube-bench
- Website: github.com/aquasecurity/kube-bench
- License: free (Apache)
Kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the tests from the list.
Kube-bench looks for insecure configuration settings among cluster components (etcd, API, controller manager, etc.), questionable file access permissions, unprotected accounts or open ports, resource quotas, settings that limit the number of API calls to protect against DoS attacks, and so on.
Kube-hunter
- Website: github.com/aquasecurity/kube-hunter
- License: free (Apache)
Kube-hunter looks for potential vulnerabilities (such as remote code execution or data disclosure) in Kubernetes clusters. Kube-hunter can be run as a remote scanner (in which case it evaluates the cluster from the point of view of a third-party attacker) or as a pod inside the cluster.
A distinctive feature of Kube-hunter is its "active hunting" mode, in which it not only reports problems but also tries to exploit the vulnerabilities discovered in the target cluster, which could adversely affect the cluster's operation. So use it with care!
Kubeaudit
- Website: github.com/Shopify/kubeaudit
- License: free (MIT)
Kubeaudit is a console tool originally developed at Shopify that audits Kubernetes configurations for various security issues. For example, it helps identify containers that run without restrictions, run as root, abuse privileges, or use the default ServiceAccount.
Kubeaudit has other interesting features too. For example, it can analyze local YAML files, identify configuration flaws that could lead to security problems, and fix them automatically.
Kubesec
- Website: kubesec.io
- License: free (Apache)
Kubesec is a special tool in that it scans the YAML files describing Kubernetes resources directly, looking for weak parameters that could affect security.
For example, it can detect excessive privileges and permissions granted to a pod, running a container as root as the default user, attaching to the host's network namespace, or dangerous mounts such as the host's /proc or the Docker socket. Another interesting feature of Kubesec is its online demo service, where you can upload a YAML file and have it analyzed immediately.
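The checks described for Kubeaudit and Kubesec above can be written as a small static analyzer. The following Python is an added example, not code from either project or from the original article: it walks a parsed pod spec and flags a privileged container, a container that may run as root, the host network namespace, an auto-mounted default ServiceAccount token, and hostPath mounts of /proc or the Docker socket. The two manifests are constructed samples, embedded as the dicts that yaml.safe_load would return.

```python
# Added example (not kubesec's or kubeaudit's own code): a minimal static
# checker over a parsed Kubernetes manifest, in the spirit of those tools.
from typing import List

DANGEROUS_HOST_PATHS = ("/", "/proc", "/var/run/docker.sock")  # host fs / Docker daemon

def pod_spec(manifest: dict) -> dict:
    """Pod spec of a Pod, or of the template inside a Deployment/DaemonSet."""
    spec = manifest.get("spec", {})
    return spec.get("template", {}).get("spec", spec)

def check_manifest(manifest: dict) -> List[str]:
    """Return one human-readable finding per weak parameter in the manifest."""
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    spec = pod_spec(manifest)
    pod_sc = spec.get("securityContext", {})
    findings: List[str] = []
    if spec.get("hostNetwork"):
        findings.append(f"{name}: pod joins the host network namespace")
    if (spec.get("serviceAccountName", "default") == "default"
            and spec.get("automountServiceAccountToken", True)):
        findings.append(f"{name}: default ServiceAccount token is mounted")
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path and (path in DANGEROUS_HOST_PATHS or path.startswith("/proc/")):
            findings.append(f"{name}: hostPath volume exposes {path}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname, sc = c.get("name", "<unnamed>"), c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: container runs privileged")
        # container-level settings override pod-level ones; unset means root
        run_as = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        if run_as == 0 or (run_as is None and not non_root):
            findings.append(f"{name}/{cname}: container may run as root")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}/{cname}: privilege escalation not disabled")
    return findings

# Constructed sample: a Deployment with several weak parameters.
WEAK = {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
        "spec": {"template": {"spec": {
            "hostNetwork": True,
            "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}}],
            "containers": [{"name": "app", "image": "example/app:1.0",
                            "securityContext": {"privileged": True}}]}}}}
# Constructed sample: the same workload with its settings tightened.
HARDENED = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web-hardened"},
            "spec": {"serviceAccountName": "web-sa", "automountServiceAccountToken": False,
                     "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
                     "containers": [{"name": "app", "image": "example/app:1.0",
                                     "securityContext": {"allowPrivilegeEscalation": False,
                                                         "capabilities": {"drop": ["ALL"]}}}]}}
```

Running check_manifest(WEAK) yields six findings, while the hardened pod yields none.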
Open Policy Agent
- Website: www.openpolicyagent.org
- License: free (Apache)
The idea behind OPA (Open Policy Agent) is to decouple security policies and security best practices from a specific runtime platform (Docker, Kubernetes, Mesosphere, OpenShift, or any combination of these).
For example, you can deploy OPA as the backend of a Kubernetes admission controller and delegate security decisions to it. This way the OPA agent can validate, reject, or even modify requests on the fly, ensuring that the specified security parameters are met. OPA security policies are written in its own DSL, Rego.
Translator's note: For more details on OPA (and SPIFFE), see
Comprehensive commercial tools for Kubernetes security analysis
We decided to create a separate category for commercial platforms, since they usually cover several security areas at once. A general idea of their capabilities can be obtained from the table:
* Advanced inspection and full post-mortem analysis
Aqua Security
- Website: www.aquasec.com
- License: commercial
This commercial tool is designed for containers and cloud workloads. It provides:
- image scanning integrated with the container registry or the CI/CD pipeline;
- runtime protection that looks for changes in containers and other suspicious activity;
- a container-native firewall;
- security for serverless in cloud services;
- compliance testing and auditing combined with event logging.
Translator's note: Also note the free component of the product, called
Capsule8
- Website: capsule8.com
- License: commercial
Capsule8 integrates into the infrastructure by installing a detector on a local or cloud Kubernetes cluster. This detector collects host and network telemetry and correlates it with various types of attacks.
The Capsule8 team sees the early detection and prevention of attacks that use new (0-day) vulnerabilities as its mission. Capsule8 can download updated security rules directly to the detectors in response to newly discovered threats and software vulnerabilities.
Cavirin
- Website: www.cavirin.com
- License: commercial
Cavirin acts on the enterprise side as a contractor for the various organizations that deal with security standards. It can not only scan images but also integrate into the CI/CD pipeline, blocking non-compliant images before they enter private repositories.
Cavirin's security suite uses machine learning to assess your cybersecurity posture and offers tips for improving security and compliance with security standards.
Google Cloud Security Command Center
- Website: cloud.google.com/security-command-center
- License: commercial
Cloud Security Command Center helps security teams collect data, identify threats, and eliminate them before they harm the company.
As the name suggests, Google Cloud SCC is a unified control panel that can integrate and manage a variety of security reports, asset inventory engines, and third-party security systems from a single centralized source.
The interoperable API offered by Google Cloud SCC makes it easy to integrate security events from various sources, such as Sysdig Secure (container security for cloud-native applications) or Falco (open source runtime security).
Layered Insight (Qualys)
- Website: layeredinsight.com
- License: commercial
Layered Insight (now part of Qualys Inc) is built around the concept of "embedded security". After scanning the original image for vulnerabilities using statistical analysis and CVE checks, Layered Insight replaces it with an instrumented image that includes an agent in the form of a binary.
This agent contains runtime security tests for analyzing container network traffic, I/O flows, and application activity. In addition, it can run extra security checks specified by the infrastructure administrator or the DevOps team.
NeuVector
- Website: neuvector.com
- License: commercial
NeuVector checks container security and provides runtime protection by analyzing network activity and application behavior and building an individual security profile for each container. It can also block threats on its own, modifying local firewall rules to isolate suspicious activity.
NeuVector's network integration, known as a security mesh, allows deep packet analysis and layer 7 filtering for all network connections in the service mesh.
StackRox
- Website: www.stackrox.com
- License: commercial
The StackRox container security platform strives to cover the entire lifecycle of Kubernetes applications in the cluster. Like other commercial platforms on this list, StackRox generates a runtime profile based on observed container behavior and automatically raises an alarm on any deviation.
In addition, StackRox analyzes Kubernetes configurations using the Kubernetes CIS benchmark and other rule books to assess container compliance.
Sysdig Secure
- Website: sysdig.com/products/secure
- License: commercial
Sysdig Secure protects applications throughout the entire container and Kubernetes lifecycle.
Sysdig Secure integrates with CI/CD tools such as Jenkins and controls images loaded from Docker registries, preventing dangerous images from reaching production. It also provides comprehensive runtime security, including:
- ML-based runtime profiling and anomaly detection;
- runtime policies based on system events, the K8s audit API, joint community projects (FIM - file integrity monitoring; cryptojacking) and the MITRE ATT&CK framework;
- incident response and resolution.
Tenable Container Security
- Website: www.tenable.com/products/tenable-io/container-security
- License: commercial
Before containers came along, Tenable was widely known in the industry as the company behind Nessus, a popular vulnerability hunting and security auditing tool.
Tenable Container Security draws on the company's computer security expertise to integrate the CI/CD pipeline with vulnerability databases, specialized malware detection packages, and recommendations for resolving security threats.
Twistlock (Palo Alto Networks)
- Website: www.twistlock.com
- License: commercial
Twistlock promotes itself as a platform focused on cloud services and containers. Twistlock supports various cloud providers (AWS, Azure, GCP), container orchestrators (Kubernetes, Mesosphere, OpenShift, Docker), serverless runtimes, mesh frameworks, and CI/CD tools.
In addition to traditional enterprise-grade security techniques such as CI/CD pipeline integration and image scanning, Twistlock uses machine learning to generate container-specific behavior patterns and network rules.
Some time ago Twistlock was acquired by Palo Alto Networks, which owns the Evident.io and RedLock projects. It is not yet known exactly how these three platforms will be integrated.
Help us build the best catalog of Kubernetes security tools!
We strive to make this catalog as complete as possible, and for that we need your help! Contact us!
P.S. from the translator
Also read on our blog:
- "An overview of Kubernetes network policies for security professionals";
- "Docker and Kubernetes in security-demanding environments";
- "9 Kubernetes security best practices";
- "11 ways not to fall victim to Kubernetes hacking";
- "OPA and SPIFFE are two new CNCF projects for cloud application security".
Source: habr.com