Seccomp in Kubernetes: 7 things you should know from the start
Translator's note: We present a translation of an article written by a senior security engineer at the British company ASOS.com. With it, he opens a series of publications devoted to improving security in Kubernetes using seccomp. If readers like the introduction, we will follow the author and continue with his future work on this topic.
This article is the first in a series about how to create seccomp profiles in the spirit of SecDevOps, without resorting to magic and witchcraft. In Part I, I cover the basics and the internal details of using seccomp in Kubernetes.
The Kubernetes ecosystem offers a wide range of ways to secure and isolate containers. This article is about Secure Computing Mode, also known as seccomp. Its essence is to filter the system calls that containers are allowed to execute.
The architectures section of a seccomp profile lists the target architectures. This is necessary because the filter itself, applied at the kernel level, depends on system call identifiers rather than on the names listed in the profile. The container runtime maps the names to identifiers before applying the profile. The point is that a system call can have different IDs on different architectures. For example, the recvfrom system call (used to receive data from a socket) has ID = 64 on x64 systems and ID = 517 on x86. You can find a list of all x86-x64 system calls here.
The syscalls section lists the system calls and the action to take for each of them. For example, you can create a whitelist by setting defaultAction to SCMP_ACT_ERRNO and giving the calls in the syscalls section the action SCMP_ACT_ALLOW. That way you allow only the calls listed in the syscalls section and deny all the others. For a blacklist you swap the defaultAction value and the per-call actions.
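The profile layout described above, as an added example that is not part of the original article: build_profile emits the architectures and syscalls sections in the OCI/Docker JSON shape for either a whitelist or a blacklist, and decide_action mimics the filter's decision for a single call so you can see what happens to a call that is not listed. The function names and the short list of syscalls are my own constructions; argument filters in the args field are ignored by the simulator.

```python
import json

# Names in this example (build_profile, decide_action) are mine, not the article's.
# Architectures the profile applies to; the runtime maps syscall names to
# per-architecture numbers, which is why they must be listed explicitly.
ARCHITECTURES = ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"]

# A constructed, deliberately short list of calls a small network service needs.
# A real profile would be derived from observing the application.
WEB_SERVICE_CALLS = ["read", "write", "accept4", "recvfrom", "sendto",
                     "epoll_wait", "futex", "exit_group"]


def build_profile(syscalls, mode="whitelist"):
    """Return a seccomp profile dict in the OCI/Docker JSON layout.

    whitelist: defaultAction is ERRNO, listed calls are ALLOWed.
    blacklist: defaultAction is ALLOW, listed calls return ERRNO (the actions swap).
    """
    if mode == "whitelist":
        default_action, rule_action = "SCMP_ACT_ERRNO", "SCMP_ACT_ALLOW"
    elif mode == "blacklist":
        default_action, rule_action = "SCMP_ACT_ALLOW", "SCMP_ACT_ERRNO"
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return {
        "defaultAction": default_action,
        "architectures": ARCHITECTURES,
        "syscalls": [
            {"names": sorted(syscalls), "action": rule_action, "args": []}
        ],
    }


def decide_action(profile, syscall_name):
    """Mimic the filter decision for one call: the first matching rule wins,
    otherwise defaultAction applies. Argument filters ('args') are ignored."""
    for rule in profile["syscalls"]:
        if syscall_name in rule["names"]:
            return rule["action"]
    return profile["defaultAction"]


if __name__ == "__main__":
    allow_only = build_profile(WEB_SERVICE_CALLS, "whitelist")
    print(json.dumps(allow_only, indent=2))
    # ptrace is not listed, so the whitelist profile rejects it ...
    print("whitelist ptrace ->", decide_action(allow_only, "ptrace"))  # SCMP_ACT_ERRNO
    # ... while a blacklist only rejects what it names and lets the rest through.
    deny_only = build_profile(["ptrace", "mount", "reboot"], "blacklist")
    print("blacklist ptrace ->", decide_action(deny_only, "ptrace"))   # SCMP_ACT_ERRNO
    print("blacklist write  ->", decide_action(deny_only, "write"))    # SCMP_ACT_ALLOW
```

The whitelist form is the one worth shipping: anything the application grows to need shows up as a failure you can investigate, whereas a blacklist silently allows every call you did not think of.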
Now a few words about nuances that are not obvious. Note that the recommendations below assume that you are deploying line-of-business applications to Kubernetes and want them to run with the fewest privileges possible.
1. AllowPrivilegeEscalation=false
A container's securityContext has the AllowPrivilegeEscalation parameter. If it is set to false, the container starts with the no_new_priv bit set (on). The meaning of this parameter is clear from its name: it prevents the container from launching new processes with more privileges than it already has.
A side effect of leaving this option set to true (the default) is that the container runtime applies the seccomp profile at the very beginning of startup. Consequently, every system call the runtime needs for its own internal work (such as setting user and group IDs, or dropping some capabilities) has to be enabled in the profile.
But again, why is this a problem? Personally, I would avoid allowing the following system calls (unless they are actually needed): capset, set_tid_address, setgid, setgroups and setuid. The real problem, however, is that by allowing processes you have no control over, you tie the profile to the implementation of the container runtime. In other words, one day you will discover that after an update of the container runtime (by you or, more likely, by the cloud provider) the containers simply stop working.
Point #1: Run containers with AllowPrivilegeEscalation=false. This reduces the size of seccomp profiles and makes them less sensitive to changes in the container runtime.
2. Setting seccomp profiles at the container level
A seccomp profile can be set at the pod level:
Kubernetes has two predefined profiles: runtime/default and docker/default. Both are provided by the container runtime, not by Kubernetes. As a result, they may differ depending on the runtime in use and its version.
In other words, after a runtime update a container may gain access to a different set of system calls, which it may or may not use. The Docker implementation is the one most commonly used. If you intend to use this profile, make sure it suits your needs.
In my opinion, the runtime/default profile fits the purpose it was created for well: protecting users from the risks of running docker run on their machines. When it comes to business applications running in Kubernetes clusters, however, I would venture to say that such a profile is far too open, and developers should concentrate on creating profiles for their applications (or for types of applications).
Point #3: Create seccomp profiles for specific applications. If that is not possible, create profiles for application types, for example a broad profile covering all web APIs written in Golang. Use runtime/default only as a last resort.
In future posts I will explain how to create SecDevOps-inspired seccomp profiles, automate them and test them in pipelines. In other words, you will have no excuse not to move to application-specific profiles.
4. Unconfined IS NOT an option.
The first Kubernetes security audit established that seccomp is disabled by default. This means that unless you set up a PodSecurityPolicy that enables it for the cluster, every pod without an explicit seccomp profile runs with seccomp=unconfined.
Running in this mode means losing an entire isolation layer that protects the cluster. Security experts do not recommend this approach.
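The three settings discussed so far (pod-level versus container-level profiles in section 2, AllowPrivilegeEscalation in point #1, and the unconfined default in point #4) can be checked on a manifest before it reaches the cluster. The following is an added example, not code from the article or from Kubernetes: effective_seccomp resolves which profile each container actually ends up with (container-level settings override pod-level ones, and the securityContext.seccompProfile field takes precedence over the legacy seccomp.security.alpha.kubernetes.io annotations), and audit_pod reports containers that would run unconfined, still use runtime/default, or leave allowPrivilegeEscalation unset. The function names and the sample pod are my own constructions.

```python
# Added example: effective_seccomp and audit_pod are my names, not Kubernetes API
# names. The manifest below is constructed for the demonstration.

# Legacy (pre-1.19) annotation keys and the current securityContext field are
# both handled, since clusters of either era exist.
POD_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"
CONTAINER_ANNOTATION_PREFIX = "container.seccomp.security.alpha.kubernetes.io/"

SAMPLE_POD = {  # constructed sample, not taken from a real cluster
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {
        "name": "orders-api",
        "annotations": {
            POD_ANNOTATION: "runtime/default",
            CONTAINER_ANNOTATION_PREFIX + "debug": "unconfined",
        },
    },
    "spec": {
        "securityContext": {},
        "containers": [
            {"name": "api",
             "securityContext": {
                 "allowPrivilegeEscalation": False,
                 "seccompProfile": {"type": "Localhost",
                                    "localhostProfile": "profiles/orders-api.json"}}},
            {"name": "sidecar", "securityContext": {"allowPrivilegeEscalation": False}},
            {"name": "debug", "securityContext": {}},
        ],
    },
}


def _field_profile(ctx):
    """Translate securityContext.seccompProfile into the annotation-style string
    used for comparison; None when the field is absent."""
    sp = (ctx or {}).get("seccompProfile")
    if not sp:
        return None
    kind = sp.get("type")
    if kind == "RuntimeDefault":
        return "runtime/default"
    if kind == "Unconfined":
        return "unconfined"
    if kind == "Localhost":
        return "localhost/" + sp.get("localhostProfile", "")
    return None


def effective_seccomp(pod, container):
    """Container-level settings win over pod-level ones, and the securityContext
    field wins over the legacy annotation. No setting at all means unconfined."""
    ann = pod.get("metadata", {}).get("annotations", {})
    candidates = [
        _field_profile(container.get("securityContext")),
        ann.get(CONTAINER_ANNOTATION_PREFIX + container["name"]),
        _field_profile(pod["spec"].get("securityContext")),
        ann.get(POD_ANNOTATION),
    ]
    for candidate in candidates:
        if candidate is not None:
            return candidate
    return "unconfined"


def audit_pod(pod):
    """Return (container, message) findings for point #1 and point #4."""
    findings = []
    for c in pod["spec"]["containers"]:
        ctx = c.get("securityContext") or {}
        # Unset means true, which is why the default here is True.
        if ctx.get("allowPrivilegeEscalation", True) is not False:
            findings.append((c["name"], "allowPrivilegeEscalation is not false"))
        profile = effective_seccomp(pod, c)
        if profile == "unconfined":
            findings.append((c["name"], "seccomp is unconfined"))
        elif profile == "runtime/default":
            findings.append((c["name"], "runtime/default in use; prefer an app-specific profile"))
    return findings


if __name__ == "__main__":
    for name, message in audit_pod(SAMPLE_POD):
        print(f"{name}: {message}")
```

Run against the sample pod, the api container is clean, the sidecar inherits runtime/default from the pod annotation, and the debug container is flagged twice: its container-level annotation makes it unconfined despite the pod-level setting, and it never sets allowPrivilegeEscalation.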
This point is not specific to Kubernetes, but it still belongs in the category of "things you should know before you start".
As it happens, creating seccomp profiles is always hard and relies heavily on trial and error. The fact is that users simply have no way to test them in production environments without risking "breaking" the application.
Since the release of Linux kernel 4.14, it has been possible to run parts of a profile in audit mode, writing information about every system call to syslog without blocking any of them. You enable this mode with the SCMP_ACT_LOG action:
SCMP_ACT_LOG: seccomp will not affect the thread making the system call if it does not match any rule in the filter, but information about the system call will be logged.
But remember that you still have to block every call you know will not be used and that could harm the cluster. A good basis for that list is the official Docker documentation, which explains in detail which system calls are blocked in the default profile and why.
There is one catch, however. Although SCMP_ACT_LOG has been supported by the Linux kernel since late 2017, it only recently reached the Kubernetes ecosystem. So, to use this approach you will need Linux kernel 4.14 and runC version at least v1.0.0-rc9.
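The audit-mode workflow above, as an added example that is not part of the original article: to_audit_mode takes a strict whitelist profile and returns a copy whose defaultAction is SCMP_ACT_LOG, while a short hard-deny list keeps returning SCMP_ACT_ERRNO so that the calls you already know are harmful stay blocked during the audit, as the text advises. parse_seccomp_log then collects the (process, architecture, syscall number) triples the kernel logged, which is the raw material for extending the profile. The function names, the hard-deny list, the profile and the log lines are my own constructions; the log lines imitate the kernel's type=1326 seccomp audit records, with code=0x7ffc0000 being SECCOMP_RET_LOG.

```python
import json
import re
from collections import Counter

# Added example: to_audit_mode, parse_seccomp_log, HARD_DENY, STRICT_PROFILE and
# SAMPLE_LOG are mine, not from the article.

# Calls that should stay hard-denied even while auditing. Constructed and short;
# the Docker default-profile documentation is the place to derive a real list.
HARD_DENY = ["reboot", "kexec_load", "init_module", "delete_module",
             "mount", "umount2", "ptrace"]

# A constructed whitelist profile as it might be shipped to production.
STRICT_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [{"names": ["read", "write", "accept4", "recvfrom", "sendto",
                            "epoll_wait", "futex", "exit_group"],
                  "action": "SCMP_ACT_ALLOW", "args": []}],
}


def to_audit_mode(profile, hard_deny=HARD_DENY):
    """Return a copy of a whitelist profile in which unlisted calls are logged
    (SCMP_ACT_LOG) instead of rejected, except for hard_deny calls, which keep
    returning an error. The original profile is left untouched.
    Needs Linux kernel 4.14+ and runC v1.0.0-rc9+ to take effect (see above)."""
    if profile["defaultAction"] != "SCMP_ACT_ERRNO":
        raise ValueError("expected a whitelist profile (defaultAction SCMP_ACT_ERRNO)")
    audited = {
        "defaultAction": "SCMP_ACT_LOG",
        "architectures": list(profile["architectures"]),
        "syscalls": [dict(rule) for rule in profile["syscalls"]],
    }
    allowed = {name for rule in profile["syscalls"] for name in rule["names"]}
    blocked = sorted(set(hard_deny) - allowed)  # never deny what is explicitly allowed
    if blocked:
        audited["syscalls"].append(
            {"names": blocked, "action": "SCMP_ACT_ERRNO", "args": []})
    return audited


# Constructed lines imitating kernel seccomp audit records (type=1326).
# code=0x7ffc0000 is SECCOMP_RET_LOG; on x86_64, 41 is socket and 288 is accept4.
SAMPLE_LOG = """\
audit: type=1326 audit(1572000000.101:12): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4321 comm="orders-api" exe="/app/orders-api" sig=0 arch=c000003e syscall=41 compat=0 ip=0x4a2b3c code=0x7ffc0000
audit: type=1326 audit(1572000000.102:13): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4321 comm="orders-api" exe="/app/orders-api" sig=0 arch=c000003e syscall=41 compat=0 ip=0x4a2b3c code=0x7ffc0000
audit: type=1326 audit(1572000000.250:14): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4321 comm="orders-api" exe="/app/orders-api" sig=0 arch=c000003e syscall=288 compat=0 ip=0x4a2b9f code=0x7ffc0000
"""

LOG_RE = re.compile(
    r'type=1326 .*?comm="(?P<comm>[^"]*)" .*?arch=(?P<arch>[0-9a-f]+) '
    r'syscall=(?P<nr>\d+) .*?code=0x(?P<code>[0-9a-f]+)')


def parse_seccomp_log(text):
    """Count (comm, arch, syscall number) triples that the filter logged.
    Mapping numbers to names is the next step and is architecture-specific,
    which is why the arch value is carried along with the number."""
    seen = Counter()
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m and int(m.group("code"), 16) == 0x7ffc0000:
            seen[(m.group("comm"), m.group("arch"), int(m.group("nr")))] += 1
    return seen


if __name__ == "__main__":
    print(json.dumps(to_audit_mode(STRICT_PROFILE), indent=2))
    for (comm, arch, nr), count in sorted(parse_seccomp_log(SAMPLE_LOG).items()):
        print(f"{comm} arch={arch} syscall={nr} logged {count}x")
```

Because the hard-deny rule is appended after the allow rule, a call that appears in both keeps its ALLOW action; the set difference in to_audit_mode makes that explicit rather than relying on rule order.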