In addition to the usual scanning of images for known vulnerabilities from the CVE database, Anchore performs many other checks as part of its scanning policy: it inspects the Dockerfile, looks for leaked credentials, examines the packages of the programming languages in use (npm, maven, etc.), checks software licenses and much more.
Clair was one of the first Open Source projects for image scanning. It is best known as the security scanner behind the Quay image registry (also from CoreOS - translator's note). Clair can collect CVE information from a variety of sources, including the Linux-specific vulnerability lists maintained by the Debian, Red Hat or Ubuntu security teams.
Unlike Anchore, Clair concentrates on finding vulnerabilities and matching the data against CVEs. The product does, however, give users the ability to extend its functionality through plug-in drivers.
License: free (Apache), but it requires data from JFrog Xray (commercial)
KubeXray listens for events from the Kubernetes API server and uses metadata from JFrog Xray to ensure that only pods matching the current policy are launched.
Trivy is a simple but powerful vulnerability scanner for containers that integrates easily into CI/CD pipelines. Its distinguishing feature is ease of installation and use: the application consists of a single binary and does not require installing a database or additional libraries.
The downside of Trivy's simplicity is that you have to work out for yourself how to parse and forward its JSON-formatted results so that other Kubernetes security tools can consume them.
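The parsing step mentioned above, as an added example that is not Trivy's own code: it reads the `Results[].Vulnerabilities[]` layout of a `trivy image --format json` report and turns it into a pipeline gate. The report embedded below is constructed for the example; its CVE identifiers, image name and package versions are placeholders, not real findings.

```python
"""Gate a CI/CD pipeline on Trivy's JSON report.

Added example (not Trivy's own code): parses the Results[].Vulnerabilities[]
layout that `trivy image --format json` emits and decides whether the build
may continue.  The report below is constructed; the CVE ids, image name and
package versions are placeholders, not real findings.
"""
import json
from collections import Counter

# Severity ladder used in Trivy reports, lowest to highest.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample report (shape of Trivy's JSON output, contents made up).
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example.invalid/app:1.0",
    "Results": [
        {
            "Target": "example.invalid/app:1.0 (alpine 3.12.0)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
                 "InstalledVersion": "1.0", "FixedVersion": "1.1",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar",
                 "InstalledVersion": "2.3", "FixedVersion": "",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz",
                 "InstalledVersion": "0.9", "FixedVersion": "0.9.1",
                 "Severity": "LOW"},
            ],
        },
        # Trivy emits null instead of an empty list for a clean target.
        {"Target": "app/package-lock.json", "Vulnerabilities": None},
    ],
})


def findings(report_json, min_severity="HIGH", fixed_only=False):
    """Return the vulnerabilities at or above min_severity as a flat list."""
    threshold = SEVERITY_ORDER.index(min_severity)
    report = json.loads(report_json)
    out = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN")
            if SEVERITY_ORDER.index(sev) < threshold:
                continue
            if fixed_only and not vuln.get("FixedVersion"):
                continue  # nothing actionable yet: report it, don't block
            out.append({
                "target": result["Target"],
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln["InstalledVersion"],
                "fixed": vuln.get("FixedVersion") or None,
                "severity": sev,
            })
    return out


def severity_counts(report_json):
    """Count all findings per severity for a one-line pipeline summary."""
    counts = Counter(f["severity"] for f in findings(report_json, "UNKNOWN"))
    return dict(counts)


def gate(report_json, min_severity="HIGH", fixed_only=False):
    """Exit code for CI: 0 = pass, 1 = blocking findings present."""
    blocking = findings(report_json, min_severity, fixed_only)
    for f in blocking:
        fix = f"fix in {f['fixed']}" if f["fixed"] else "no fix available"
        print(f"{f['severity']:8} {f['id']:14} {f['pkg']} "
              f"{f['installed']} ({fix}) [{f['target']}]")
    return 1 if blocking else 0


if __name__ == "__main__":
    import sys
    # Pipe a real report in (trivy image --format json ... | python gate.py)
    # or run without input to exercise the constructed sample.
    raw = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    print("summary:", severity_counts(raw))
    sys.exit(gate(raw, min_severity="HIGH"))
```

The `fixed_only` switch is the choice most teams argue about: blocking on a CRITICAL finding with no upstream fix stalls every build without giving developers anything to do, so many pipelines fail only on fixable findings and report the rest.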
Falco is a set of tools for securing cloud runtime environments. It is part of the CNCF project family.
Using Sysdig's Linux kernel-level instrumentation and system call profiling, Falco lets you dive deep into system behaviour. Its runtime rules engine can detect suspicious activity in applications, containers, the host and the Kubernetes orchestrator.
Falco provides full runtime visibility and threat detection by deploying dedicated agents on the Kubernetes nodes for this purpose. As a result, there is no need to modify containers by injecting third-party code or adding sidecar containers.
Linux runtime security
Linux kernel-native frameworks are not "Kubernetes security tools" in the traditional sense, but they deserve a mention because they are a key element of runtime security, which is covered by the Kubernetes Pod Security Policy (PSP).
AppArmor attaches a security profile to the processes running in a container, defining file system privileges, network access rules, library linking and so on. It is a system based on Mandatory Access Control (MAC). In other words, it prevents prohibited actions from being performed.
Security-Enhanced Linux (SELinux) is an advanced security module in the Linux kernel, similar in some respects to AppArmor and often compared with it. SELinux surpasses AppArmor in power, flexibility and configurability. Its downsides are a long learning curve and greater complexity.
Seccomp and seccomp-bpf let you filter system calls, blocking the execution of those that are potentially dangerous to the underlying OS and not needed for the normal operation of user applications. Seccomp is similar to Falco in some respects, although it knows nothing about container specifics.
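An added example, not code from seccomp, Docker or Kubernetes, tying together the syscall profiling mentioned under Falco and the seccomp filtering described above: it derives a deny-by-default profile in the JSON layout that Docker and Kubernetes load (`defaultAction` plus a `syscalls` list) from a syscall trace, then answers "would this syscall be allowed?" the way the filter decides. The trace and the hard-deny set are constructed for the example.

```python
"""Build and evaluate a seccomp allowlist profile for a container.

Added example (not seccomp's, Docker's or Kubernetes' own code).  The profile
layout (defaultAction / architectures / syscalls[].names / action) is the
one Docker and Kubernetes load from a JSON file; OBSERVED_TRACE and HARD_DENY
are constructed for the example.
"""
import json

# Constructed trace, in the spirit of what a syscall profiler (strace, sysdig)
# records while the workload runs its normal test suite.
OBSERVED_TRACE = [
    "execve", "brk", "mmap", "openat", "read", "write", "close",
    "socket", "connect", "sendto", "recvfrom", "epoll_wait", "futex",
    "read", "write", "exit_group",
]

# Syscalls a web workload should never reach, even if a trace shows them
# (constructed for the example; a real list is workload-specific).
HARD_DENY = {"ptrace", "mount", "umount2", "reboot", "kexec_load",
             "init_module", "finit_module"}


def build_profile(trace, extra_allow=(), default_action="SCMP_ACT_ERRNO"):
    """Return a seccomp profile dict: deny by default, allow what was observed.

    Anything in HARD_DENY is dropped even when it appears in the trace, so a
    noisy test run cannot silently widen the profile.
    """
    allowed = sorted((set(trace) | set(extra_allow)) - HARD_DENY)
    return {
        "defaultAction": default_action,
        "architectures": ["SCMP_ARCH_X86_64"],
        "syscalls": [{"names": allowed, "action": "SCMP_ACT_ALLOW"}],
    }


def decide(profile, syscall):
    """Mimic the filter: the first rule naming the syscall wins, else defaultAction."""
    for rule in profile.get("syscalls", []):
        if syscall in rule.get("names", []):
            return rule["action"]
    return profile["defaultAction"]


def profile_json(profile):
    """Serialise the profile as Kubernetes/Docker expect it on disk."""
    return json.dumps(profile, indent=2)


if __name__ == "__main__":
    # Runtimes need a few calls that a short trace may miss; add them explicitly.
    prof = build_profile(OBSERVED_TRACE, extra_allow=["rt_sigreturn", "exit"])
    print(profile_json(prof))
    for call in ["read", "ptrace", "mount", "exit"]:
        print(f"{call:10} -> {decide(prof, call)}")
```

`SCMP_ACT_ERRNO` as the default makes a blocked call fail with an error instead of killing the process (`SCMP_ACT_KILL`), which is usually the better choice while a profile is still being tuned, because the application logs the failure rather than disappearing.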
Sysdig is a full-featured tool for analysing, diagnosing and debugging Linux systems (it also works on Windows and macOS, but with limited functionality). It can be used for detailed information gathering, verification and forensic analysis of the host system and any containers running on it.
Sysdig also supports container runtimes and Kubernetes metadata, adding dimensions and labels to all the system behaviour information it collects. There are several ways to analyse a Kubernetes cluster with Sysdig: you can take a point-in-time capture with kubectl capture or launch an interactive ncurses interface with the kubectl dig plugin.
Aporeto offers "security decoupled from the network and the infrastructure." This means that Kubernetes services receive not only a local ID (i.e. a ServiceAccount in Kubernetes) but also a universal ID/fingerprint that can be used to communicate securely and mutually with any other service, for example in an OpenShift cluster.
Aporeto can generate a unique identity not just for Kubernetes/containers but also for hosts, cloud functions and users. Depending on these identities and the set of network security rules defined by the administrator, communication is allowed or blocked.
Calico is usually deployed during orchestrator installation and lets you create a virtual network connecting the containers. Beyond basic networking, the Calico project works with Kubernetes Network Policies and its own set of network security profiles, supports endpoint ACLs (access control lists) and security-related network rules for Ingress and Egress traffic.
Cilium acts as a firewall for containers and provides network security features natively adapted to Kubernetes and microservice workloads. Cilium uses a new Linux kernel technology called BPF (Berkeley Packet Filter) to filter, monitor, redirect and rewrite data.
Cilium can deploy network access policies based on container identities, using Docker or Kubernetes labels and metadata. Cilium also understands and filters various Layer 7 protocols such as HTTP or gRPC, allowing you to define, for example, the set of REST calls permitted between two Kubernetes deployments.
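The label-based L7 policy just described, as an added example that is not Cilium's code: `POLICY` is a Python dict laid out like a CiliumNetworkPolicy spec (`endpointSelector` / `ingress` / `fromEndpoints` / `toPorts` / `rules.http`) and constructed for this example, and `is_allowed` is a simplified model of the allow/deny decision (label matching, port matching, anchored regex on the HTTP path), not Cilium's implementation. The label values and paths are made up.

```python
"""Evaluate an L7-aware, label-based network policy against a request.

Added example, not Cilium's code.  POLICY mirrors the structure of a
CiliumNetworkPolicy spec and is constructed for this example; is_allowed is
a simplified model of the decision, not the real datapath.
"""
import re

POLICY = {
    "endpointSelector": {"matchLabels": {"app": "orders"}},
    "ingress": [
        {
            "fromEndpoints": [{"matchLabels": {"app": "frontend"}}],
            "toPorts": [
                {
                    "ports": [{"port": "8080", "protocol": "TCP"}],
                    "rules": {
                        "http": [
                            {"method": "GET", "path": "/orders/[0-9]+"},
                            {"method": "POST", "path": "/orders"},
                        ]
                    },
                }
            ],
        }
    ],
}


def selector_matches(selector, labels):
    """matchLabels semantics: every key/value in the selector must be present."""
    want = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in want.items())


def http_rule_matches(rule, method, path):
    """Cilium treats `path` as an anchored regular expression."""
    if "method" in rule and rule["method"] != method:
        return False
    if "path" in rule and (path is None or not re.fullmatch(rule["path"], path)):
        return False
    return True


def is_allowed(policy, src_labels, dst_labels, port, proto="TCP",
               method=None, path=None):
    """True if the request is permitted.

    An endpoint the policy does not select is unaffected (allowed here, since
    this model has no other policies).  A selected endpoint is default-deny:
    only traffic matching an ingress rule gets through, and when the port
    rule carries L7 rules the HTTP request must match one of them.
    """
    if not selector_matches(policy["endpointSelector"], dst_labels):
        return True
    for ing in policy.get("ingress", []):
        if not any(selector_matches(s, src_labels)
                   for s in ing.get("fromEndpoints", [])):
            continue
        for tp in ing.get("toPorts", []):
            if not any(p["port"] == str(port) and p.get("protocol", "TCP") == proto
                       for p in tp.get("ports", [])):
                continue
            http_rules = tp.get("rules", {}).get("http")
            if not http_rules:
                return True  # L3/L4 match with no L7 restriction
            if any(http_rule_matches(r, method, path) for r in http_rules):
                return True
    return False


if __name__ == "__main__":
    fe, orders = {"app": "frontend"}, {"app": "orders"}
    for m, p in [("GET", "/orders/42"), ("DELETE", "/orders/42"),
                 ("GET", "/orders/42/items")]:
        print(f"frontend {m} {p}: {is_allowed(POLICY, fe, orders, 8080, 'TCP', m, p)}")
```

The anchored match is the point worth noticing: `/orders/[0-9]+` admits `/orders/42` but not `/orders/42/items`, so an unlisted sub-resource stays closed without a second rule.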
Istio is best known for implementing the service mesh paradigm: it deploys a platform-independent control plane and routes all managed service traffic through dynamically configurable Envoy proxies. Istio takes advantage of this privileged view of all microservices and containers to implement a range of network security strategies.
Istio's network security capabilities include transparent TLS encryption, which automatically upgrades communication between microservices to HTTPS, and its own RBAC identification and authorisation system for allowing or denying communication between the different workloads in the cluster.
Grafeas is an open API for auditing and governing the software supply chain. At its most basic, Grafeas is a tool for collecting metadata and audit findings. It can be used to track compliance with security best practices within an organisation.
This central source of truth helps answer questions such as:
Who built and signed a particular container?
Has it passed all the security scans and checks required by the security policy? When? What were the results?
Who deployed it to production? Which parameters were used for the deployment?
Portieris is a Kubernetes admission controller; it is used to enforce content trust checks. Portieris uses a Notary server (we wrote about it at the end of this article - translator's note) as the source of truth for verifying trusted and signed artifacts (i.e. approved container images).
When a workload is created or modified in Kubernetes, Portieris downloads the signing information and content trust policy for the requested container images and, if necessary, makes on-the-fly changes to the JSON API object so that the signed versions of those images are run.
Vault is a secure solution for storing secrets: passwords, OAuth tokens, PKI certificates, access accounts, Kubernetes secrets and more. Vault supports many advanced features, such as leasing ephemeral security tokens or key rotation.
Using a Helm chart, Vault can be deployed as a new deployment in a Kubernetes cluster with Consul as the backend storage. It supports native Kubernetes resources such as ServiceAccount tokens and can act as the default store for Kubernetes secrets.
Translator's note: incidentally, the day before yesterday HashiCorp, which develops Vault, announced some improvements for using Vault in Kubernetes, in particular relating to the Helm chart. Read more on the developer's blog.
As its name suggests, Google Cloud SCC is a unified control panel that can integrate and manage various security reports, asset inventory engines and third-party security systems from a single, central location.
The interoperable API offered by Google Cloud SCC makes it easy to bring in security events from different sources, such as Sysdig Secure (container security for cloud-native applications) or Falco (Open Source runtime security).
Layered Insight (now part of Qualys Inc) is built on the concept of "embedded security." After scanning the original image for vulnerabilities with static analysis and CVE checks, Layered Insight replaces it with an instrumented image that includes an agent as a binary.
This agent contains runtime security tests for analysing the container's network traffic, I/O flows and application activity. It can also perform additional security checks defined by the infrastructure administrators or DevOps teams.
Sysdig Secure protects applications throughout the entire container and Kubernetes lifecycle. It scans container images, provides runtime protection based on machine learning data, performs forensic analysis to identify vulnerabilities, blocks threats, monitors compliance with established standards and audits activity in microservices.
Sysdig Secure integrates with CI/CD tools such as Jenkins and controls the images loaded from Docker registries, preventing dangerous images from reaching production. It also provides comprehensive runtime security, including:
ML-based runtime profiles and anomaly detection;
Twistlock positions itself as a platform focused on cloud services and containers. Twistlock supports a range of cloud providers (AWS, Azure, GCP), container orchestrators (Kubernetes, Mesosphere, OpenShift, Docker), runtimes, mesh frameworks and CI/CD tools.
In addition to traditional enterprise protection techniques such as CI/CD pipeline integration or image scanning, Twistlock uses machine learning to generate container-specific behaviour patterns and network rules.
Recently, Twistlock was acquired by Palo Alto Networks, which already owns the Evident.io and RedLock projects. It is not yet known how the three platforms will be integrated into Palo Alto's PRISMA.
Help build the best list of Kubernetes security tools!