33+ Kubernetes zida zachitetezo

Zindikirani. transl.: Ngati mukuganiza za chitetezo pazida za Kubernetes, chithunzithunzi chabwino kwambiri cha Sysdig ndi poyambira kwambiri kuti muwone mwachangu mayankho apano. Zimaphatikizapo machitidwe onse ovuta kuchokera kwa osewera odziwika bwino pamsika ndi zina zambiri zochepetsetsa zomwe zimathetsa vuto linalake. Ndipo mu ndemanga, monga nthawi zonse, tidzakhala okondwa kumva za zomwe mwakumana nazo pogwiritsa ntchito zidazi ndikuwona maulalo azinthu zina.

Zogulitsa zamapulogalamu achitetezo a Kubernetes... zilipo zambiri, chilichonse chili ndi zolinga zake, kuchuluka kwake, komanso zilolezo.

Ichi ndichifukwa chake tinaganiza zopanga mndandandawu ndikuphatikiza mapulojekiti otseguka komanso nsanja zamalonda kuchokera kwa ogulitsa osiyanasiyana. Tikukhulupirira kuti ikuthandizani kuzindikira omwe ali ndi chidwi kwambiri ndikulozerani njira yoyenera kutengera zosowa zanu zachitetezo cha Kubernetes.

Zigawo

Kuti mndandanda ukhale wosavuta kuyendamo, zidazo zimakonzedwa ndi ntchito yayikulu ndikugwiritsa ntchito. Magawo otsatirawa anali:

• Kubernetes kujambula zithunzi ndi kusanthula static;
• Chitetezo cha nthawi yothamanga;
• Kubernetes network chitetezo;
• Kugawa zithunzi ndi kasamalidwe ka zinsinsi;
• Kubernetes chitetezo kufufuza;
• Comprehensive malonda malonda.

Tiyeni tipite ku bizinesi:

Kusanthula zithunzi za Kubernetes

Nangula

• Website: anchore.com
• License: yaulere (Apache) ndi zotsatsa zamalonda

Anchore amasanthula zithunzi zotengera ndipo amalola macheke achitetezo potengera mfundo zofotokozedwa ndi ogwiritsa ntchito.

Kuphatikiza pa kusanthula kwanthawi zonse kwa zithunzi zokhala ndi zovuta zomwe zimadziwika kuchokera ku nkhokwe ya CVE, Anchore imachitanso macheke ambiri monga gawo la ndondomeko yake yosanthula: imayang'ana Dockerfile, kutayikira kwaumboni, mapaketi azilankhulo zomwe zimagwiritsidwa ntchito (npm, maven, etc. .), zilolezo zamapulogalamu ndi zina zambiri.

Clair

• Website: coreos.com/clair (tsopano motsogozedwa ndi Red Hat)
• License: yaulere (Apache)

Clair inali imodzi mwama projekiti oyamba a Open Source pakusanthula zithunzi. Imadziwika kwambiri ngati scanner yachitetezo kuseri kwa registry ya Quay image (komanso kuchokera ku CoreOS - pafupifupi. kumasulira)Clair amatha kusonkhanitsa zambiri za CVE kuchokera ku magwero osiyanasiyana, kuphatikizapo mndandanda wa CVE. Linux- kugawa kwa ziwopsezo zomwe zimasungidwa ndi magulu achitetezo Debian, Chipewa Chofiira kapena Ubuntu.

Mosiyana ndi Anchore, Clair imayang'ana kwambiri pakupeza zofooka ndikufanizira deta ndi ma CVE. Komabe, mankhwalawa amapatsa ogwiritsa ntchito mwayi wowonjezera ntchito pogwiritsa ntchito madalaivala a plug-in.

dagda

• Website: github.com/eliasgranderubio/dagda
• License: yaulere (Apache)

Dagda amasanthula mosasunthika zithunzi za chidebe zomwe zimadziwika kuti ndizowopsa, Trojans, ma virus, pulogalamu yaumbanda ndi ziwopsezo zina.

Zinthu ziwiri zodziwika bwino zimasiyanitsa Dagda ndi zida zina zofananira:

• Zimagwirizanitsa mwangwiro ndi ClamAV, osangokhala ngati chida chowunikira zithunzi za chidebe, komanso ngati antivayirasi.
• Imaperekanso chitetezo chanthawi yothamanga polandila zochitika zenizeni kuchokera ku daemon ya Docker ndikuphatikiza ndi Falco (Onani pansipa) kusonkhanitsa zochitika zachitetezo pamene chidebe chikuyenda.

KubeXray

• Website: github.com/jfrog/kubexray
• License: Yaulere (Apache), koma imafuna zambiri kuchokera ku JFrog Xray (zamalonda)

KubeXray amamvetsera zochitika kuchokera ku seva ya Kubernetes API ndipo amagwiritsa ntchito metadata kuchokera ku JFrog Xray kuti atsimikizire kuti ma pods okha omwe akufanana ndi ndondomeko yamakono akuyambitsidwa.

KubeXray sikuti imangoyang'ana zotengera zatsopano kapena zosinthidwa zomwe zatumizidwa (zofanana ndi wowongolera ovomerezeka ku Kubernetes), komanso imayang'ananso zotengera zomwe zikuyenda kuti zitsatire ndondomeko zatsopano zachitetezo, kuchotsa zinthu zomwe zikuwonetsa zithunzi zomwe zili pachiwopsezo.

Snyk

• Website: snyk.io
• License: yaulere (Apache) ndi mitundu yamalonda

Snyk ndi sikani yachiwopsezo yachilendo chifukwa imayang'ana kwambiri zachitukuko ndipo imalimbikitsidwa ngati "yankho lofunikira" kwa opanga.

Snyk imalumikizana mwachindunji ndi nkhokwe zosungira, kuwonetsa chiwonetsero cha polojekiti ndikusanthula ma code omwe atumizidwa kunja limodzi ndi kudalira kwachindunji ndi kosalunjika. Snyk imathandizira zilankhulo zambiri zodziwika bwino ndipo imatha kuzindikira zoopsa zobisika.

Amayesetsa

• Website: github.com/knqyf263/trivy
• License: yaulere (AGPL)

Trivy ndi sikani yachiwopsezo yophweka koma yamphamvu ya zotengera zomwe zimalumikizana mosavuta ndi mapaipi a CI/CD. Chodziwika bwino ndikuyika kwake kosavuta komanso kugwiritsa ntchito kwake: kugwiritsa ntchito kumakhala ndi binary imodzi ndipo sikufuna kuyika nkhokwe kapena malaibulale owonjezera.

Choyipa pa kuphweka kwa Trivy ndikuti muyenera kudziwa momwe mungasinthire ndi kutumiza zotsatira mumtundu wa JSON kuti zida zina zachitetezo za Kubernetes zizigwiritsa ntchito.

Chitetezo cha Runtime ku Kubernetes

Chimphamba

• Website: falco.org
• License: yaulere (Apache)

Falco ndi gulu la zida zotetezera malo othamanga pamtambo. Gawo la banja la polojekitiyi Zamgululi.

Kugwiritsa ntchito zida za Sysdig kuti zigwire ntchito pamlingo wa kernel Linux Ndi kusanthula ndi kuyang'anira mafoni a dongosolo, Falco imalola kufufuza mozama za machitidwe a dongosolo. Injini yake ya malamulo a nthawi yogwirira ntchito imatha kuzindikira zochitika zokayikitsa mu mapulogalamu, makontena, wolandila woyambira, ndi wotsogolera wa Kubernetes.

Falco imapereka kuwonekera kwathunthu mu nthawi yothamanga komanso kuzindikira ziwopsezo potumiza othandizira apadera pa Kubernetes node pazifukwa izi. Zotsatira zake, palibe chifukwa chosinthira zotengera polowetsamo ma code ena kapena kuwonjezera zotengera zam'mbali.

Mafelemu achitetezo Linux nthawi yogwirira ntchito

Izi ndi zachikhalidwe chapakati Linux Ma Framework si "zida zachitetezo za Kubernetes" m'njira yachikhalidwe, koma ndi ofunika kutchula chifukwa ndi chinthu chofunikira kwambiri pankhani ya chitetezo cha nthawi yogwiritsira ntchito, chomwe chili mu Kubernetes Pod Security Policy (PSP).

Zithunzi za AppArmor imaphatikiza mbiri yachitetezo pamachitidwe omwe akuyendetsa mu chidebe, kufotokozera mwayi wamafayilo, malamulo ofikira pamaneti, kulumikiza malaibulale, ndi zina. Iyi ndi dongosolo lozikidwa pa Mandatory Access Control (MAC). Mwa kuyankhula kwina, zimalepheretsa zochita zoletsedwa kuti zichitike.

Chitetezo Chowonjezera Linux (SELinux) ndi gawo lachitetezo chowonjezera mu kernel. Linux, yofanana m'njira zina ndi AppArmor ndipo nthawi zambiri imayerekezeredwa nayo. SELinux Imaposa AppArmor pa mphamvu, kusinthasintha, komanso njira zosinthira. Zoyipa zake zimaphatikizapo kuphunzira kwa nthawi yayitali komanso zovuta zambiri.

Seccomp ndi seccomp-bpf amakulolani kusefa mafoni amtundu, kuletsa kuphedwa kwa omwe ali owopsa kwa OS yoyambira ndipo sizofunikira kuti mugwiritse ntchito bwino ntchito za ogwiritsa ntchito. Seccomp ndi yofanana ndi Falco m'njira zina, ngakhale sadziwa zenizeni za nkhokwe.

Sysdig gwero lotseguka

• Website: www.sysdig.com/opensource
• License: yaulere (Apache)

Sysdig ndi chida chathunthu chowunikira, kuzindikira, ndi kukonza zolakwika. Linux-machitidwe (amagwiranso ntchito pa Windows и macOS, koma ndi ntchito yochepa). Ingagwiritsidwe ntchito posonkhanitsa zambiri, kutsimikizira, komanso kufufuza milandu. (zofufuza) maziko ndi zotengera zilizonse zomwe zikuyenda pamenepo.

Sysdig imathandiziranso nthawi yoyendetsera chidebe ndi metadata ya Kubernetes, ndikuwonjezera miyeso ndi zolemba pazambiri zonse zamachitidwe zomwe zimasonkhanitsa. Pali njira zingapo zowunikira gulu la Kubernetes pogwiritsa ntchito Sysdig: mutha kujambula nthawi-nthawi kudzera. kubectl kugwidwa kapena yambitsani mawonekedwe ochezera a ncurses pogwiritsa ntchito pulogalamu yowonjezera kubectl dig.

Kubernetes Network Security

Aporeto

• Website: www.aporeto.com
• License: malonda

Aporeto imapereka "chitetezo chosiyana ndi maukonde ndi zomangamanga." Izi zikutanthauza kuti mautumiki a Kubernetes samangolandira ID yakumaloko (ie ServiceAccount ku Kubernetes), komanso ID/chala chapadziko lonse chomwe chingagwiritsidwe ntchito kulumikizana motetezeka komanso mogwirizana ndi ntchito ina iliyonse, mwachitsanzo pagulu la OpenShift.

Aporeto imatha kupanga chizindikiritso chapadera osati cha Kubernetes / zotengera zokha, komanso zokhala ndi makamu, ntchito zamtambo ndi ogwiritsa ntchito. Kutengera zozindikiritsa izi komanso malamulo otetezedwa pamaneti omwe amakhazikitsidwa ndi woyang'anira, kulumikizana kudzaloledwa kapena kutsekedwa.

Kalico

• Website: www.projectcalico.org
• License: yaulere (Apache)

Calico nthawi zambiri imayikidwa pakuyika kwa orchestrator, kukulolani kuti mupange netiweki yomwe imalumikiza zotengera. Kuphatikiza pa magwiridwe antchito apaintaneti, pulojekiti ya Calico imagwira ntchito ndi Kubernetes Network Policies ndi mbiri yake yachitetezo chapaintaneti, imathandizira ma endpoint ACLs (mindandanda yowongolera zofikira) ndi malamulo okhudzana ndi chitetezo pamaneti a Ingress ndi Egress traffic.

cilium

• Website: www.cilium.io
• License: yaulere (Apache)

Cilium imagwira ntchito ngati chotchingira moto cha makontena ndipo imapereka chitetezo cha netiweki chomwe chimapangidwira ntchito za Kubernetes ndi microservices. Cilium imagwiritsa ntchito ukadaulo watsopano. Linux yotchedwa BPF (Berkeley Packet Filter) yothandiza kusefa, kuyang'anira, kutumiza deta ndi kuikonza.

Cilium imatha kuyika mfundo zofikira pamaneti kutengera ma ID a chidebe pogwiritsa ntchito zilembo za Docker kapena Kubernetes ndi metadata. Cilium imamvetsetsanso ndikusefa ma protocol osiyanasiyana a Layer 7 monga HTTP kapena gRPC, kukulolani kufotokozera mafoni a REST omwe adzaloledwa pakati pa Kubernetes kutumizidwa, mwachitsanzo.

Istio

• Website: istio.io
• License: yaulere (Apache)

Istio imadziwika kwambiri pokhazikitsa ma mesh paradigm potumiza ndege yodziyimira pawokha papulatifomu ndikuwongolera magalimoto onse omwe amayendetsedwa kudzera pa ma proxies osinthika a Envoy. Istio amapezerapo mwayi pakuwona kwapamwamba kwa ma microservices onse ndi zotengera kuti agwiritse ntchito njira zosiyanasiyana zotetezera maukonde.

Kuthekera kwachitetezo cha netiweki ya Istio kumaphatikizapo kubisa kwa TLS yowonekera kuti ingokulitsa kulumikizana pakati pa ma microservices kupita ku HTTPS, komanso chizindikiritso cha RBAC ndi chilolezo chololeza / kukana kulumikizana pakati pa ntchito zosiyanasiyana mgululi.

Zindikirani. transl.: Kuti mudziwe zambiri zachitetezo chokhazikika cha Istio, werengani nkhaniyi.

Matigari

• Website: www.tigera.io
• License: malonda

Wotchedwa "Kubernetes Firewall," yankholi likugogomezera njira yodalirika ya chitetezo cha intaneti.

Mofanana ndi mayankho ena amtundu wa Kubernetes, Tigera imadalira metadata kuti izindikire ntchito zosiyanasiyana ndi zinthu zomwe zili mgululi ndipo imapereka kuzindikira kwa nthawi yothamanga, kuyang'ana mosalekeza, komanso kuwonekera kwa netiweki kwamitundu yambiri yamtambo kapena yosakanizidwa yokhala ndi monolithic-containerized.

Trireme

• Website: www.aporeto.com/opensource
• License: yaulere (Apache)

Trireme-Kubernetes ndi njira yosavuta komanso yosavuta yogwiritsira ntchito mfundo za Kubernetes Network Policies. Chinthu chake chodziwika bwino ndichakuti—mosiyana ndi zinthu zofananira zachitetezo cha maukonde a Kubernetes—sichifuna malo olamulira pakati kuti agwirizanitse maukonde. Izi zimapangitsa kuti yankho likhale losavuta kukulitsa. Trireme imakwaniritsa izi poyika wothandizira pa node iliyonse yomwe imalumikizana mwachindunji ndi TCP/IP-gulu la wolandila.

Kufalitsa Zithunzi ndi Kuwongolera Zinsinsi

Grafeas

• Website: grafeas.io
• License: yaulere (Apache)

Grafeas ndi API yotseguka yowunikira ndi kuyang'anira mapulogalamu. Pamlingo woyambira, Grafeas ndi chida chosonkhanitsira metadata ndi zofufuza. Itha kugwiritsidwa ntchito kutsata kutsatira njira zabwino zachitetezo mkati mwa bungwe.

Gwero lapakati la chowonadi limathandizira kuyankha mafunso monga:

• Ndani adatolera ndikusaina chotengera china chake?
• Kodi yadutsa masikelo onse achitetezo ndi macheke omwe amafunidwa ndi mfundo zachitetezo? Liti? Kodi zotsatira zake zinali zotani?
• Ndani adazitumiza kukapanga? Ndi magawo ati omwe adagwiritsidwa ntchito potumiza?

Mu-toto

• Website: mu-toto.github.io
• License: yaulere (Apache)

In-toto ndi chimango chopangidwa kuti chipereke kukhulupirika, kutsimikizika ndi kuwunika kwa pulogalamu yonse yopereka mapulogalamu. Potumiza In-toto muzomangamanga, dongosolo limatanthauzidwa koyamba lomwe limafotokoza njira zosiyanasiyana zapaipi (zosungira, zida za CI / CD, zida za QA, otolera zinthu zakale, ndi zina zotero) ndi ogwiritsa ntchito (anthu omwe ali ndi udindo) omwe amaloledwa yambitsani iwo.

In-toto imayang'anira kukwaniritsidwa kwa dongosololi, kutsimikizira kuti ntchito iliyonse mu unyolo imachitidwa moyenera ndi ogwira ntchito ovomerezeka okha komanso kuti palibe kusintha kosaloledwa komwe kwachitika ndi mankhwalawa panthawi yoyenda.

Porteris

• Website: github.com/IBM/porteris
• License: yaulere (Apache)

Porteris ndi wolamulira wovomerezeka wa Kubernetes; amagwiritsidwa ntchito kulimbikitsa macheke a trust trust. Porteris amagwiritsa ntchito seva Notary (tidalemba za iye kumapeto Nkhani iyi - pafupifupi. kumasulira) monga gwero la chowonadi chotsimikizira zinthu zakale zodalirika ndi zosainidwa (ie zithunzi zovomerezeka zamabokosi).

Ntchito ikapangidwa kapena kusinthidwa ku Kubernetes, Porteris amatsitsa zidziwitso zosayina ndi mfundo zodalirika zazithunzi zomwe zafunsidwa ndipo, ngati kuli kofunikira, amasintha powuluka ku chinthu cha JSON API kuti agwiritse ntchito zithunzizo.

m'chipinda chotetezeka

• Website: www.vaultproject.io
• License: yaulere (MPL)

Vault ndi njira yotetezeka yosungira zinsinsi: mapasiwedi, ma tokeni a OAuth, satifiketi ya PKI, maakaunti olowera, zinsinsi za Kubernetes, ndi zina zambiri. Vault imathandizira zinthu zambiri zapamwamba, monga kubwereketsa ma tokeni achitetezo a ephemeral kapena kukonza makiyi.

Pogwiritsa ntchito tchati cha Helm, Vault ikhoza kutumizidwa ngati kutumizidwa kwatsopano mgulu la Kubernetes ndi Consul ngati malo osungira kumbuyo. Imathandizira zida zamtundu wa Kubernetes ngati zizindikiro za ServiceAccount ndipo zimatha kukhala ngati sitolo yosungira zinsinsi za Kubernetes.

Zindikirani. transl.: Mwa njira, dzulo dzulo kampani ya HashiCorp, yomwe imapanga Vault, inalengeza zosintha zina zogwiritsira ntchito Vault ku Kubernetes, ndipo makamaka zikugwirizana ndi tchati cha Helm. Werengani zambiri mu woyambitsa blog.

Kubernetes Security Audit

Kube-bench

• Website: github.com/aquasecurity/kube-bench
• License: yaulere (Apache)

Kube-bench ndi pulogalamu ya Go yomwe imayang'ana ngati Kubernetes atumizidwa mosatekeseka poyesa mayeso pamndandanda. CIS Kubernetes Benchmark.

Kube-bench imayang'ana masinthidwe osatetezeka pakati pamagulu amgulu (ndi zina, API, woyang'anira wowongolera, ndi zina), ufulu wokayikitsa wamafayilo, maakaunti osatetezedwa kapena madoko otseguka, magawo azinthu, zoikamo zochepetsera kuchuluka kwa mafoni a API kuti atetezedwe ku DoS. , ndi zina.

Kube-hunter

• Website: github.com/aquasecurity/kube-hunter
• License: yaulere (Apache)

Kube-hunter amasaka zovuta zomwe zingachitike (monga kuyika ma code akutali kapena kuwulula deta) m'magulu a Kubernetes. Kube-hunter ikhoza kuyendetsedwa ngati chojambulira chakutali - pomwe icho chidzawunika gululo kuchokera pakuwona kwa wowukira wachitatu - kapena ngati pod mkati mwa tsango.

Chodziwika bwino cha Kube-hunter ndi "kusaka mwachangu", komwe sikungonena za zovuta zokha, komanso kuyesa kugwiritsa ntchito mwayi womwe wapezeka mgulu lomwe lingawononge ntchito yake. Choncho gwiritsani ntchito mosamala!

Kubeaudit

• Website: github.com/Shopify/kubeaudit
• License: yaulere (MIT)

Kubeaudit ndi chida chothandizira chomwe chidapangidwa ku Shopify kuti muwunike kasinthidwe ka Kubernetes pazinthu zosiyanasiyana zachitetezo. Mwachitsanzo, imathandizira kuzindikira zotengera zomwe zikuyenda mopanda malire, zomwe zikuyenda ngati muzu, kugwiritsa ntchito mwanzeru mwayi, kapena kugwiritsa ntchito ServiceAccount yokhazikika.

Kubeaudit ili ndi zinthu zina zosangalatsa. Mwachitsanzo, imatha kusanthula mafayilo amtundu wa YAML, kuzindikira zolakwika zomwe zingabweretse mavuto achitetezo, ndikuzikonza zokha.

Kubesec

• Website: kubesec.io
• License: yaulere (Apache)

Kubesec ndi chida chapadera chifukwa imayang'ana mwachindunji mafayilo a YAML omwe amafotokoza za Kubernetes, kufunafuna magawo ofooka omwe angakhudze chitetezo.

Mwachitsanzo, imatha kuzindikira mwayi wochulukirapo ndi zilolezo zoperekedwa ku pod, kuyendetsa chidebe chokhala ndi mizu ngati chogwiritsa ntchito, kulumikiza malo amtaneti omwe ali nawo, kapena zokwera zoopsa ngati. /proc host kapena Docker socket. Chinthu chinanso chosangalatsa cha Kubesec ndi ntchito yachiwonetsero yomwe ikupezeka pa intaneti, momwe mutha kuyikamo YAML ndikuyisanthula nthawi yomweyo.

Open Policy Agent

• Website: www.openpolicagent.org
• License: yaulere (Apache)

Lingaliro la OPA (Open Policy Agent) ndikuchotsa mfundo zachitetezo ndi njira zabwino zachitetezo papulatifomu inayake: Docker, Kubernetes, Mesosphere, OpenShift, kapena kuphatikiza kulikonse.

Mwachitsanzo, mutha kutumiza OPA ngati kumbuyo kwa woyang'anira kuvomereza Kubernetes, kugawa zisankho zachitetezo kwa iwo. Mwanjira iyi, wothandizira wa OPA amatha kutsimikizira, kukana, ngakhale kusintha zopempha pa ntchentche, kuwonetsetsa kuti magawo otetezedwa akwaniritsidwa. Ndondomeko zachitetezo za OPA zimalembedwa m'chinenero chake cha DSL, Rego.

Zindikirani. transl.: Tinalemba zambiri za OPA (ndi SIFFE) mu nkhaniyi.

Zida zamalonda za Kubernetes zowunikira chitetezo

Tinaganiza zopanga gulu lapadera la nsanja zamalonda chifukwa nthawi zambiri zimaphimba madera ambiri achitetezo. Lingaliro lonse la kuthekera kwawo litha kupezeka patebulo:

* Kuwunika kwapamwamba komanso kusanthula kwa postmortem kwathunthu system call hijacking.

Chitetezo cha Aqua

• Website: alquase.com
• License: malonda

Chida ichi chamalonda chimapangidwira zotengera ndi ntchito zamtambo. Imapereka:

• Kusanthula kwazithunzi kuphatikizidwe ndi kaundula wa chidebe kapena mapaipi a CI/CD;
• Chitetezo cha nthawi yothamanga posaka zosintha m'mitsuko ndi zinthu zina zokayikitsa;
• Chowotcha chowotcha chamoto;
• Chitetezo cha seva yopanda ntchito mumtambo;
• Kuyesa kutsata ndi kuwunika kuphatikizira ndi kudula kwa zochitika.

Zindikirani. transl.: Ndizofunikanso kudziwa kuti zilipo ufulu chigawo chimodzi cha mankhwala otchedwa MicroScanner, zomwe zimakupatsani mwayi kuti musanthule zithunzi zamabokosi kuti zikhale zosatetezeka. Kuyerekeza kwa kuthekera kwake ndi mitundu yolipira kumawonetsedwa tebulo ili.

Kapsule 8

• Website: capsule8.com
• License: malonda

Capsule8 imaphatikizana ndi zomangamanga ndikuyika chowunikira pagulu lapafupi kapena lamtambo la Kubernetes. Chowunikira ichi chimasonkhanitsa telemetry yolandila ndi netiweki, ndikuyilumikiza ndi mitundu yosiyanasiyana yazowukira.

Gulu la Capsule8 likuwona ntchito yake ngati kuzindikira msanga komanso kupewa kuukira pogwiritsa ntchito zatsopano (0-tsiku) zofooka. Capsule8 imatha kutsitsa malamulo otetezedwa omwe asinthidwa mwachindunji kwa zowunikira poyankha zowopseza zomwe zapezeka kumene komanso kuwonongeka kwa mapulogalamu.

Cavirin

• Website: www.cavirin.com
• License: malonda

Cavirin amagwira ntchito ngati kontrakitala wapakampani m'mabungwe osiyanasiyana okhudzidwa ndi chitetezo. Sikuti imatha kusanthula zithunzi zokha, komanso imatha kuphatikiza mapaipi a CI/CD, kutsekereza zithunzi zosakhala zanthawi zonse zisanalowe m'malo otsekedwa.

Gulu lachitetezo la Cavirin limagwiritsa ntchito kuphunzira pamakina kuwunika momwe mumakhalira pachitetezo cha pa intaneti, ndikukupatsani malangizo opititsa patsogolo chitetezo ndikuwongolera kutsata miyezo yachitetezo.

Google Cloud Security Command Center

• Website: cloud.google.com/security-command-center
• License: malonda

Cloud Security Command Center imathandizira magulu achitetezo kusonkhanitsa zidziwitso, kuzindikira zowopseza, ndikuzichotsa zisanawononge kampaniyo.

Monga momwe dzinalo likusonyezera, Google Cloud SCC ndi gulu lolamulira logwirizana lomwe lingaphatikizepo ndikuyang'anira malipoti osiyanasiyana a chitetezo, injini zowerengera katundu, ndi machitidwe a chitetezo cha chipani chachitatu kuchokera ku gwero limodzi, lapakati.

Interoperable API yoperekedwa ndi Google Cloud SCC imapangitsa kuti zikhale zosavuta kuphatikiza zochitika zachitetezo zochokera kuzinthu zosiyanasiyana, monga Sysdig Secure (chitetezo cham'thumba la mapulogalamu amtundu wamtambo) kapena Falco (Open Source runtime security).

Layered Insight (Qualys)

• Website: layeredinsight.com
• License: malonda

Layered Insight (yomwe tsopano ndi gawo la Qualys Inc) idamangidwa pa lingaliro la "chitetezo chophatikizidwa." Pambuyo poyang'ana chithunzi choyambirira kuti chikhale pachiwopsezo pogwiritsa ntchito kusanthula mawerengero ndi macheke a CVE, Layered Insight m'malo mwake ndi chithunzi chojambulidwa chomwe chimaphatikizapo wothandizira ngati binary.

Wothandizirayu ali ndi zoyeserera zachitetezo chanthawi yake kuti athe kusanthula kuchuluka kwa magalimoto pamanetiweki, mayendedwe a I/O ndi zochitika zamapulogalamu. Kuphatikiza apo, imatha kuchita macheke owonjezera otetezedwa omwe amafotokozedwa ndi oyang'anira zomangamanga kapena magulu a DevOps.

NeuVector

• Website: neuvector.com
• License: malonda

NeuVector imayang'ana chitetezo cha chidebe ndikupereka chitetezo cha nthawi yothamanga posanthula zochitika zapaintaneti ndi machitidwe akugwiritsa ntchito, ndikupanga mbiri yachitetezo cha chidebe chilichonse. Ithanso kuletsa ziwopsezo palokha, kupatula zochitika zokayikitsa posintha malamulo am'deralo zozimitsa moto.

Kuphatikiza kwa NeuVector, komwe kumadziwika kuti Security Mesh, kumatha kusanthula mapaketi akuya ndikusefa kwa 7 pazolumikizana zonse pamaneti.

Zithunzi za StackRox

• Website: www.stackrox.com
• License: malonda

Pulatifomu yachitetezo chotengera StackRox imayesetsa kuphimba moyo wonse wa Kubernetes ntchito mgulu. Monga nsanja zina zamalonda pamndandandawu, StackRox imapanga mbiri yothamanga kutengera machitidwe omwe amawonedwa ndipo imangotulutsa alamu pakupatuka kulikonse.

Kuphatikiza apo, StackRox imasanthula masinthidwe a Kubernetes pogwiritsa ntchito Kubernetes CIS ndi mabuku ena olamulira kuti awone ngati akutsata zotengera.

Sysdig Safe

• Website: sysdig.com/products/secure
• License: malonda

Sysdig Secure imateteza mapulogalamu mu chidebe chonse komanso moyo wa Kubernetes. Iye sikani zithunzi zotengera, amapereka chitetezo chanthawi yayitali malinga ndi makina ophunzirira deta, amachita zonona. ukatswiri wozindikira zofooka, zotchinga zowopseza, zowunikira kutsatira miyezo yokhazikitsidwa ndikuwunika ntchito mu microservices.

Sysdig Secure imagwirizanitsa ndi zida za CI / CD monga Jenkins ndikuyang'anira zithunzi zojambulidwa kuchokera ku zolembera za Docker, kuteteza zithunzi zoopsa kuti zisawonekere pakupanga. Imaperekanso chitetezo chokwanira cha nthawi yothamanga, kuphatikizapo:

• ML-based runtime profiles and anomaly kuzindikira;
• ndondomeko zoyendetsera nthawi yotengera zochitika zamakina, K8s-audit API, mapulojekiti ogwirizana ammudzi (FIM - kuyang'anira kukhulupirika kwa mafayilo; cryptojacking) ndi chimango MITER AT&CK;
• kuyankha ndi kuthetsa zochitika.

Tenable Container Security

• Website: www.tenable.com/products/tenable-io/container-security
• License: malonda

Zotengera zisanachitike, Tenable adadziwika kwambiri pamsika ngati kampani yomwe ili kumbuyo kwa Nessus, chida chodziwika bwino chosaka komanso kuwunikira chitetezo.

Tenable Container Security imathandizira ukadaulo wachitetezo pamakompyuta wa kampaniyo kuti aphatikizire payipi ya CI/CD yokhala ndi nkhokwe, maphukusi apadera ozindikira pulogalamu yaumbanda, ndi malingaliro othetsera ziwopsezo zachitetezo.

Twistlock (Palo Alto Networks)

• Website: www.twistlock.com
• License: malonda

Twistlock imadzikweza ngati nsanja yomwe imayang'ana kwambiri ntchito zamtambo ndi zotengera. Twistlock imathandizira operekera mitambo osiyanasiyana (AWS, Azure, GCP), oimba ziwiya (Kubernetes, Mesospehere, OpenShift, Docker), nthawi zothamanga, ma mesh frameworks ndi zida za CI/CD.

Kuphatikiza pa njira zodzitetezera zamabizinesi monga kuphatikiza mapaipi a CI/CD kapena kusanthula zithunzi, Twistlock imagwiritsa ntchito kuphunzira pamakina kuti ipange machitidwe okhudzana ndi chidebe ndi malamulo apaintaneti.

Kale, Twistlock idagulidwa ndi Palo Alto Networks, yemwe ali ndi ma projekiti a Evident.io ndi RedLock. Sizikudziwikabe kuti nsanja zitatuzi zidzaphatikizidwa bwanji PRISMA kuchokera Palo Alto.

Thandizani kupanga mndandanda wabwino kwambiri wa zida zachitetezo za Kubernetes!

Timayesetsa kuti kabukhuli likhale lathunthu momwe tingathere, ndipo chifukwa cha izi tikufuna thandizo lanu! Lumikizanani nafe (@sysdig) ngati muli ndi chida chabwino m'maganizo chomwe chili choyenera kuphatikizidwa pamndandandawu, kapena mupeza zolakwika/zachikale.

Mukhozanso kulembetsa ku wathu kalata yamwezi uliwonse ndi nkhani zochokera kumtambo wachilengedwe komanso nkhani zamapulojekiti osangalatsa ochokera kudziko lachitetezo cha Kubernetes.

PS kuchokera kwa womasulira

Werenganinso pa blog yathu:

• «Chiyambi cha Kubernetes Network Policies for Security Professionals";
• «Docker ndi Kubernetes m'malo osatetezeka";
• «9 Njira Zabwino Zachitetezo cha Kubernetes";
• «Njira 11 Zoti (Osati) Mukhale Wozunzidwa ndi Kubernetes Hack";
• «OPA ndi SPIFFE ndi mapulojekiti awiri atsopano ku CNCF oteteza chitetezo chamtambo".

Source: www.habr.com