33+ Kubernetes Security Tools

Translator's note: The list includes both mature systems from well-known market players and much more modest tools that solve a single problem. And in the comments, as always, we would be glad to hear about your experience with these tools and to see links to other projects.

Kubernetes security software products... there are a great many of them, each with its own goals, scope, and licenses.

That is why we decided to put together this list, which includes both open source projects and commercial platforms from various vendors. We hope it helps you find the most interesting ones and points you in the right direction depending on your specific Kubernetes security needs.

Categories

To make the list easier to navigate, the tools are grouped by main function and scope. The following sections are available:

  • Kubernetes image scanning and static analysis;
  • Runtime security;
  • Kubernetes network security;
  • Image distribution and secrets management;
  • Kubernetes security audit;
  • Comprehensive commercial products.

Let's get down to business:

Scanning Kubernetes images

Anchore

  • Website: anchore.com
  • License: free (Apache) and commercial offering

Anchore analyzes container images and allows security checks to be run against user-defined policies.

In addition to the usual scanning of container images for known vulnerabilities from the CVE database, Anchore performs many additional checks as part of its scanning policy: it inspects the Dockerfile, credential leaks, packages of the programming languages in use (npm, maven, etc.), software licenses, and much more.

Clair

  • Website: coreos.com/clair (now under Red Hat's stewardship)
  • License: free (Apache)

Clair was one of the first open source image scanning projects. It is best known as the security scanner behind the Quay image registry (also from CoreOS - translator's note). Clair can collect CVE information from a variety of sources, including lists of Linux distribution-specific vulnerabilities maintained by the Debian, Red Hat, or Ubuntu security teams.

Unlike Anchore, Clair focuses primarily on finding vulnerabilities and matching data against CVEs. However, the product gives users the ability to extend its functionality with plug-in drivers.

Dagda

Dagda performs static analysis of container images for known vulnerabilities, Trojans, viruses, malware, and other threats.

Two notable features set Dagda apart from other similar tools:

  • It integrates fully with ClamAV, acting not only as a container image scanning tool but also as an antivirus.
  • It also provides runtime protection by receiving real-time events from the Docker daemon and integrating with Falco (see below) to collect security events while the container is running.

KubeXray

  • Website: github.com/jfrog/kubexray
  • License: free (Apache), but requires data from JFrog Xray (a commercial product)

KubeXray listens to events from the Kubernetes API server and uses metadata from JFrog Xray to ensure that only pods that match the current policy are launched.

KubeXray not only audits new or updated containers in deployments (similar to an admission controller in Kubernetes), but also dynamically checks running containers for compliance with new security policies, removing resources that reference vulnerable images.

Snyk

  • Website: snyk.io
  • License: free (Apache) and commercial versions

Snyk is an unusual vulnerability scanner in that it specifically targets the development process and is promoted as an "essential solution" for developers.

Snyk connects directly to code repositories, parses the project manifest, and analyzes the imported code together with its direct and indirect dependencies. Snyk supports many popular programming languages and can identify hidden license risks.

Trivy

Trivy is a simple yet powerful vulnerability scanner for containers that integrates easily into a CI/CD pipeline. Its most notable feature is its ease of installation and operation: the application consists of a single binary and requires no database or additional libraries to be installed.

The downside of Trivy's simplicity is that you have to work out how to parse and forward the results in JSON format so that other Kubernetes security tools can use them.

Runtime security in Kubernetes

Falco

  • Website: falco.org
  • License: free (Apache)

Falco is a set of tools for securing cloud runtime environments. It is part of the CNCF project family.

Using Sysdig's Linux kernel-level tooling and system call profiling, Falco lets you dive deep into system behavior. Its runtime rules engine can detect suspicious activity in applications, containers, the underlying host, and the Kubernetes orchestrator.

Falco provides full runtime transparency and threat detection by deploying dedicated agents on Kubernetes nodes for this purpose. As a result, there is no need to modify containers by injecting third-party code into them or to add sidecar containers.

Linux runtime security frameworks

These native Linux kernel frameworks are not "Kubernetes security tools" in the traditional sense, but they deserve a mention because they are an important element in the context of runtime security, which is covered by the Kubernetes Pod Security Policy (PSP).

AppArmor attaches a security profile to the processes running in a container, defining file system privileges, network access rules, library linking, and so on. It is a system based on Mandatory Access Control (MAC). In other words, it prevents prohibited actions from being carried out.

Security-Enhanced Linux (SELinux) is an advanced security module in the Linux kernel, similar in some respects to AppArmor and often compared with it. SELinux surpasses AppArmor in power, flexibility, and configurability. Its drawbacks are a long learning curve and increased complexity.

Seccomp and seccomp-bpf let you filter system calls, blocking the execution of those that are potentially dangerous to the base OS and unnecessary for normal user application operation. Seccomp resembles Falco in some respects, although it is not aware of container specifics.

Sysdig open source

Sysdig is a complete tool for analyzing, diagnosing, and debugging Linux systems (it also works on Windows and macOS, but with limited functionality). It can be used for detailed information gathering, verification, and forensic analysis of the base system and any containers running on it.

Sysdig also natively supports container runtimes and Kubernetes metadata, adding extra dimensions and labels to all the system behavior information it collects. There are several ways to analyze a Kubernetes cluster with Sysdig: you can take a point-in-time capture via kubectl capture or open an ncurses-based interactive interface using the kubectl dig plugin.

Kubernetes Network Security

Aporeto

Aporeto offers "security decoupled from the network and infrastructure." This means that Kubernetes services receive not only a local ID (i.e., a ServiceAccount in Kubernetes), but also a universal ID/fingerprint that can be used to communicate securely and mutually with any other services, for example in an OpenShift cluster.

Aporeto can generate a unique ID not only for Kubernetes/containers, but also for hosts, cloud functions, and users. Based on these identities and the set of network security rules defined by the administrator, communication is allowed or blocked.

Calico

Calico is usually deployed during installation of the container orchestrator, allowing you to create a virtual network that connects containers. In addition to this basic networking functionality, the Calico project works with Kubernetes Network Policies and its own set of network security profiles, and supports endpoint ACLs (access control lists) and annotation-based network security rules for Ingress and Egress traffic.

Cilium

Cilium acts as a firewall for containers and provides network security features tailored to Kubernetes and microservice workloads. Cilium uses a new Linux kernel technology called BPF (Berkeley Packet Filter) to filter, monitor, redirect, and correct data.

Cilium can deploy network access policies based on container identity using Docker or Kubernetes labels and metadata. Cilium also understands and filters various Layer 7 protocols such as HTTP or gRPC, allowing you, for example, to define the set of REST calls permitted between Kubernetes deployments.

Istio

  • Website: istio.io
  • License: free (Apache)

Istio is best known for implementing the service mesh paradigm by deploying a platform-independent control plane and routing all managed service traffic through dynamically configurable Envoy proxies. Istio takes advantage of this comprehensive view of all microservices and containers to implement various network security strategies.

Istio's network security capabilities include transparent TLS encryption to automatically upgrade communication between microservices to HTTPS, and a proprietary RBAC identification and authorization system to allow/deny communication between different workloads in the cluster.

Translator's note: To learn more about Istio's security-focused capabilities, read this article.

Tigera

Called the "Kubernetes Firewall," this solution emphasizes a zero-trust approach to network security.

Like other native Kubernetes networking solutions, Tigera relies on metadata to identify the various services and objects in the cluster, and provides runtime issue detection, continuous compliance checking, and network visibility for multi-cloud or hybrid monolithic-containerized infrastructures.

Trireme

Trireme-Kubernetes is a simple and straightforward implementation of the Kubernetes Network Policies specification. Its most notable feature is that, unlike similar Kubernetes network security products, it does not require a central control plane to coordinate the mesh. This makes the solution trivially scalable. In Trireme, this is achieved by installing an agent on each node that connects directly to the host's TCP/IP stack.

Image Distribution and Secrets Management

Grafeas

Grafeas is an open source API for auditing and managing the software supply chain. At a basic level, Grafeas is a tool for collecting metadata and audit findings. It can be used to track compliance with security best practices within an organization.

This centralized source of truth helps answer questions such as:

  • Who built and signed a particular container?
  • Did it pass all the security scans and checks required by the security policy? When? With what results?
  • Who deployed it to production? Exactly which parameters were used during deployment?

In-toto

In-toto is a framework designed to provide integrity, authenticity, and auditability across the entire software supply chain. When In-toto is deployed in an infrastructure, a plan is first defined that describes the various steps in the pipeline (repository, CI/CD tools, QA tools, artifact collectors, etc.) and the users (responsible persons) who are allowed to initiate them.

In-toto monitors the execution of this plan, verifying that each task in the chain is performed correctly and only by authorized personnel, and that no unauthorized manipulation of the product has taken place along the way.

Portieris

Portieris is an admission controller for Kubernetes; it is used to enforce content trust checks. Portieris uses a Notary server (we wrote about it at the end of this article - translator's note) as the source of truth for verifying trusted and signed artifacts (i.e., approved container images).

When a workload is created or modified in Kubernetes, Portieris downloads the signing information and content trust policy for the requested container images and, if necessary, modifies the JSON API object on the fly so that the signed versions of those images are used.

Vault

Vault is a secure solution for storing sensitive information: passwords, OAuth tokens, PKI certificates, access accounts, Kubernetes secrets, and so on. Vault supports many advanced features, such as leasing ephemeral security tokens or organizing key rotation.

Using the Helm chart, Vault can be deployed as a new deployment in a Kubernetes cluster with Consul as the storage backend. It supports native Kubernetes resources such as ServiceAccount tokens and can even act as the default store for Kubernetes secrets.

Translator's note: Incidentally, just yesterday HashiCorp, the company that develops Vault, announced several improvements for using Vault in Kubernetes, in particular relating to the Helm chart. Read more in the developer blog.

Kubernetes Security Audit

Kube-bench

Kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the tests from the CIS Kubernetes Benchmark checklist.

Kube-bench looks for insecure configuration settings among cluster components (etcd, API server, controller manager, etc.), questionable file access permissions, unprotected accounts or open ports, resource quotas, settings that limit the number of API calls to protect against DoS attacks, and so on.

Kube-hunter

Kube-hunter hunts for potential vulnerabilities (such as remote code execution or data disclosure) in Kubernetes clusters. Kube-hunter can be run as a remote scanner, in which case it evaluates the cluster from the point of view of a third-party attacker, or as a pod inside the cluster.

A distinctive feature of Kube-hunter is its "active hunting" mode, in which it not only reports problems but also tries to exploit the vulnerabilities found in the target cluster, which could disrupt its operation. So use it with caution!

Kubeaudit

Kubeaudit is a console tool originally developed at Shopify to audit Kubernetes configuration for various security issues. For example, it helps identify containers running without restrictions, running as root, abusing privileges, or using the default ServiceAccount.

Kubeaudit has other interesting features. For example, it can analyze local YAML files, detect configuration flaws that could lead to security problems, and fix them automatically.

Kubesec

Kubesec is a special tool in that it directly scans the YAML files that describe Kubernetes resources, looking for weak parameters that could affect security.

For example, it can detect excessive privileges and permissions granted to a pod, running a container with root as the default user, attaching to the host's network namespace, or dangerous mounts such as the host's /proc or the Docker socket. Another interesting feature of Kubesec is its demo service available online, where you can upload a YAML file and have it analyzed immediately.

Open Policy Agent

The idea of OPA (Open Policy Agent) is to decouple security policies and security best practices from a specific runtime platform: Docker, Kubernetes, Mesosphere, OpenShift, or any combination of them.

For example, you can deploy OPA as the backend of a Kubernetes admission controller, delegating security decisions to it. This way, the OPA agent can validate, reject, and even modify requests on the fly, ensuring that the defined security parameters are met. OPA's security policies are written in its own DSL, Rego.

Translator's note: We wrote more about OPA (and SPIFFE) in this material.

Comprehensive commercial tools for Kubernetes security audit

We decided to create a separate category for commercial platforms because they usually cover several security areas at once. A general idea of their capabilities can be obtained from the table:

* Advanced testing and post mortem analysis with full system call capture.

Aqua Security

This commercial tool is designed for containers and cloud workloads. It provides:

  • Image scanning integrated with the container registry or CI/CD pipeline;
  • Runtime protection with detection of changes in containers and other suspicious activity;
  • Container-native firewall;
  • Security for serverless workloads in cloud services;
  • Compliance testing and auditing combined with event logging.

Translator's note: It is also worth noting that there is a free component of the product called MicroScanner, which lets you scan container images for vulnerabilities. A comparison of its capabilities with the paid versions is given in this table.

Capsule8

Capsule8 integrates into the infrastructure by deploying a detector on a local or cloud Kubernetes cluster. This detector collects host and network telemetry, correlating it with various types of attacks.

The Capsule8 team sees its mission as early detection and prevention of attacks that use fresh (0-day) vulnerabilities. Capsule8 can push updated security rules directly to the detectors in response to newly discovered threats and software vulnerabilities.

Cavirin

Cavirin acts as a company-side contractor for the various bodies dealing with security standards. Not only can it scan images, but it can also integrate into the CI/CD pipeline, blocking non-compliant images before they enter private repositories.

Cavirin's security suite uses machine learning to assess your cybersecurity posture, offering tips to improve security and strengthen compliance with security standards.

Google Cloud Security Command Center

Cloud Security Command Center helps security teams collect data, identify threats, and eliminate them before they harm the company.

As the name suggests, Google Cloud SCC is a unified control panel that can integrate and manage a variety of security reports, asset inventory engines, and third-party security systems from a single, centralized source.

The interoperable API offered by Google Cloud SCC makes it easy to integrate security events from various sources, such as Sysdig Secure (container security for cloud-native applications) or Falco (open source runtime security).

Layered Insight (Qualys)

Layered Insight (now part of Qualys Inc) is built on the concept of "embedded security." After scanning the original image for vulnerabilities using statistical analysis and CVE checks, Layered Insight replaces it with an instrumented image that includes the agent as a binary.

This agent contains runtime security tests for analyzing container network traffic, I/O flows, and application activity. In addition, it can perform additional security checks defined by the infrastructure administrator or DevOps teams.

NeuVector

NeuVector checks container security and provides runtime protection by analyzing network activity and application behavior, creating an individual security profile for each container. It can also block threats on its own, isolating suspicious activity by changing local firewall rules.

NeuVector's network integration, known as Security Mesh, is capable of deep packet inspection and layer 7 filtering for all network connections in the service mesh.

StackRox

The StackRox container security platform aims to cover the entire lifecycle of Kubernetes applications in a cluster. Like other commercial platforms on this list, StackRox generates a runtime profile based on observed container behavior and automatically raises an alarm on any deviation.

In addition, StackRox analyzes Kubernetes configurations using the Kubernetes CIS benchmark and other rulebooks to assess container compliance.

Sysdig Secure

Sysdig Secure protects applications across the entire container and Kubernetes lifecycle. It scans container images, provides runtime protection based on machine learning data, performs forensic analysis to identify vulnerabilities, blocks threats, monitors compliance with established standards, and audits activity in microservices.

Sysdig Secure integrates with CI/CD tools such as Jenkins and controls images pulled from Docker registries, preventing dangerous images from appearing in production. It also provides comprehensive runtime security, including:

  • ML-based runtime profiling and anomaly detection;
  • Runtime policies based on system events, the K8s audit API, joint community projects (FIM - file integrity monitoring; cryptojacking), and the MITRE ATT&CK framework;
  • Incident response and remediation.

Tenable Container Security

Before the advent of containers, Tenable was widely known in the industry as the company behind Nessus, a popular vulnerability hunting and security auditing tool.

Tenable Container Security leverages the company's computer security expertise to integrate the CI/CD pipeline with vulnerability databases, specialized malware detection packages, and threat remediation recommendations.

Twistlock (Palo Alto Networks)

Twistlock promotes itself as a platform focused on cloud services and containers. Twistlock supports various cloud providers (AWS, Azure, GCP), container orchestrators (Kubernetes, Mesosphere, OpenShift, Docker), serverless runtimes, mesh frameworks, and CI/CD tools.

In addition to the usual enterprise-grade security practices such as CI/CD pipeline integration or image scanning, Twistlock uses machine learning to generate container-specific behavior patterns and network rules.

Some time ago, Twistlock was acquired by Palo Alto Networks, which also owns the Evident.io and RedLock projects. It is not yet known how these three platforms will be integrated into PRISMA from Palo Alto.

Help build the best catalog of Kubernetes security tools!

We try to make this catalog as complete as possible, and for that we need your help! Contact us (@sysdig) if you have a cool tool in mind that deserves a place on this list, or if you find an error or outdated information.

You can also subscribe to our monthly newsletter with news from the cloud-native ecosystem and stories about interesting projects from the world of Kubernetes security.

P.S. from the translator

Read also on our blog:

Source: www.habr.com