33+ Kubernetes security tools

Translator's note: if you are wondering about security in a Kubernetes-based infrastructure, this excellent overview from Sysdig is a good starting point for a quick look at the current solutions. It covers both comprehensive systems from well-known market players and far more modest tools that solve one specific problem. And in the comments, as usual, we would be glad to hear about your experience with these tools and to see links to other projects.

Kubernetes security software products... there are a great many of them, each with its own goals, scope and license.

That is why we decided to compile this list, including both open source projects and commercial platforms from different vendors. We hope it helps you identify the ones of most interest and points you in the right direction based on your particular Kubernetes security needs.

Categories

To make the list easier to navigate, the tools are grouped by their main function and area of application. The following sections resulted:

  • Kubernetes image scanning and static analysis;
  • Runtime security;
  • Kubernetes network security;
  • Image distribution and secrets management;
  • Kubernetes security audit;
  • Comprehensive commercial products.

Let's get down to business:

Kubernetes image scanning

Anchore

  • website: anchore.com
  • License: free (Apache) and a commercial offering

Anchore analyzes container images and allows security checks based on user-defined policies.

In addition to the usual scanning of container images for known vulnerabilities from the CVE database, Anchore performs many additional checks as part of its scanning policy: it inspects the Dockerfile, looks for leaked credentials, examines the packages of the programming languages used (npm, maven, etc.), software licenses and much more.

Clair

  • website: coreos.com/clair (now under Red Hat's wing)
  • License: free (Apache)

Clair was one of the first open source projects for image scanning. It is widely known as the security scanner behind the Quay image registry (also from CoreOS - translator's note). Clair can collect CVE information from various sources, including the lists of distribution-specific vulnerabilities maintained by the Debian, Red Hat or Ubuntu security teams.

Unlike Anchore, Clair focuses primarily on finding vulnerabilities and matching data against CVEs. However, the product does offer users some ways to extend its functionality through plugin drivers.

Dagda

Dagda performs static analysis of container images for known vulnerabilities, trojans, viruses, malware and other threats.

Two notable features distinguish Dagda from similar tools:

  • It integrates natively with ClamAV, acting not only as a container image scanner but also as an antivirus.
  • It also provides runtime protection by receiving real-time events from the Docker daemon and integrating with Falco (see below) to collect security events while the container is running.

KubeXray

  • website: github.com/jfrog/kubexray
  • License: free (Apache), but requires data from JFrog Xray (a commercial product)

KubeXray listens to events from the Kubernetes API server and, using metadata from JFrog Xray, makes sure that only pods that comply with the current policy are started.

KubeXray not only audits new or updated containers in deployments (like an admission controller in Kubernetes), but also dynamically checks running containers for compliance with new security policies, removing resources that reference vulnerable images.

Snyk

  • website: snyk.io
  • License: free (Apache) and commercial versions

Snyk is an unusual vulnerability scanner in that it specifically targets the development process and is promoted as an "essential solution" for developers.

Snyk connects directly to code repositories, parses the project manifest and analyzes the imported code along with its direct and indirect dependencies. Snyk supports many popular programming languages and can identify hidden license risks.

Trivy

Trivy is a simple but powerful vulnerability scanner for containers that integrates easily into a CI/CD pipeline. Its notable feature is ease of installation and operation: the application consists of a single binary and requires no database or additional libraries to be installed.

The downside of Trivy's simplicity is that you have to work out for yourself how to parse its results (available in JSON format) and forward them so that other Kubernetes security tools can use them.
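One way to close that gap is shown below. It is an added example written for this translation, not code from the original article or from the Trivy project. It assumes Trivy has already been run with `trivy image --format json -o report.json <image>`; the report embedded here is a constructed, abbreviated stand-in for that file in the shape of Trivy's schema version 2 output, with placeholder vulnerability IDs rather than real advisories. The gate fails the pipeline when a finding at or above a chosen severity is present, optionally ignoring findings that have no vendor fix yet and honoring an allowlist of accepted IDs:

```python
"""Parse a Trivy JSON report and turn it into a CI/CD pass/fail decision.

Added example, not part of the original article or of Trivy itself.
Assumed to run after:  trivy image --format json -o report.json <image>
"""
import json
from collections import Counter

# Constructed sample in the shape of Trivy's JSON output (schema version 2:
# a top-level object with a "Results" list). Vulnerability IDs are
# placeholders, not real advisories. Older Trivy releases emitted the
# "Results" list directly; parse_report() accepts both shapes.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example.com/app:1.2.3",
    "Results": [
        {
            "Target": "registry.example.com/app:1.2.3 (alpine 3.12.0)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "apk-tools",
                 "InstalledVersion": "2.10.5-r1", "FixedVersion": "2.10.7-r0",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libssl1.1",
                 "InstalledVersion": "1.1.1g-r0", "FixedVersion": "1.1.1l-r0",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "busybox",
                 "InstalledVersion": "1.31.1-r19", "FixedVersion": "",
                 "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "app/package-lock.json",
            "Class": "lang-pkgs",
            "Type": "npm",
            "Vulnerabilities": None,   # Trivy emits null when nothing was found
        },
    ],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_report(text):
    """Flatten a Trivy JSON report (schema v2 object or legacy list) into findings."""
    data = json.loads(text)
    results = data.get("Results") if isinstance(data, dict) else data
    findings = []
    for result in results or []:
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "target": result.get("Target", ""),
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
            })
    return findings


def evaluate(findings, fail_on="HIGH", ignore_unfixed=False, allowlist=()):
    """Apply a gate policy and return the verdict plus the blocking findings.

    fail_on:        lowest severity that fails the build.
    ignore_unfixed: skip findings with no vendor fix (a common CI choice,
                    but remember they still ship in the image).
    allowlist:      vulnerability IDs accepted by a documented risk decision.
    """
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking = [
        f for f in findings
        if SEVERITY_RANK.get(f["severity"], 0) >= threshold
        and f["id"] not in allowlist
        and not (ignore_unfixed and not f["fixed"])
    ]
    summary = dict(Counter(f["severity"] for f in findings))
    return {"passed": not blocking, "blocking": blocking, "summary": summary}


if __name__ == "__main__":
    findings = parse_report(SAMPLE_REPORT)
    verdict = evaluate(findings, fail_on="HIGH", ignore_unfixed=True)
    print("severity summary:", verdict["summary"])
    for f in verdict["blocking"]:
        print(f"BLOCK {f['severity']:8} {f['id']} {f['pkg']} "
              f"{f['installed']} -> {f['fixed'] or 'no fix available'}")
    raise SystemExit(0 if verdict["passed"] else 1)
```

The exit status is what a pipeline stage keys on; the flattened `findings` list is the shape worth handing to the next tool, since it no longer depends on which Trivy schema produced it.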

Kubernetes runtime security

Falco

  • website: falco.org
  • License: free (Apache)

Falco is a set of tools for securing cloud-native runtime environments. It is part of the CNCF project family.

Using Sysdig's Linux kernel-level instrumentation and system call profiling, Falco lets you dive deep into system behavior. Its runtime rules engine can detect suspicious activity in applications, containers, the underlying host and the Kubernetes orchestrator.

Falco provides full runtime visibility and threat detection by deploying dedicated agents on the Kubernetes nodes for this purpose. As a result, there is no need to modify containers by injecting third-party code into them or adding sidecar containers.

Linux runtime security frameworks

These native Linux kernel frameworks are not "Kubernetes security tools" in the traditional sense, but they deserve a mention because they are an important element of runtime security, and they are surfaced through the Kubernetes Pod Security Policy (PSP). (PSP has since been deprecated in Kubernetes 1.21 and removed in 1.25; its successor, Pod Security Admission, enforces similar restrictions, and seccomp and AppArmor profiles are now configured in the pod spec itself.)

AppArmor attaches a security profile to the processes running in a container, defining file system privileges, network access rules, library linking, etc. It is a Mandatory Access Control (MAC) based system. In other words, it prevents forbidden actions from being performed.

Security-Enhanced Linux (SELinux) is an advanced security module in the Linux kernel, similar in some respects to AppArmor and often compared with it. SELinux surpasses AppArmor in power, flexibility and customizability. Its downsides are a long learning curve and increased complexity.

Seccomp and seccomp-bpf allow you to filter system calls, blocking the execution of those that could be dangerous to the underlying OS and are not needed for the normal operation of user applications. In this respect seccomp is somewhat similar to Falco, although it has no notion of containers.

Sysdig open source

Sysdig is a full-featured tool for analyzing, diagnosing and debugging Linux systems (it also works on Windows and macOS, but with limited functionality). It can be used to collect detailed information about, verify, and perform forensic analysis of the base system and any containers running on it.

Sysdig also natively supports container runtimes and Kubernetes metadata, adding extra dimensions and labels to all the system behavior information it collects. There are several ways to analyze a Kubernetes cluster with Sysdig: you can take a point-in-time capture with kubectl capture, or launch an ncurses-based interactive interface with the kubectl dig plugin.

Kubernetes network security

Aporeto

Aporeto offers "security decoupled from the network and infrastructure". This means that Kubernetes services receive not only a local identity (i.e. a ServiceAccount in Kubernetes), but also a universal identity/fingerprint that can be used to communicate securely with any other service, for example in an OpenShift cluster.

Aporeto can generate a unique identity not only for Kubernetes/containers, but also for hosts, cloud functions and users. Depending on these identities and the set of network security rules defined by the administrator, communication is allowed or blocked.

Calico

Calico is usually deployed during installation of the container orchestrator, letting you build a virtual network that connects the containers. On top of this basic networking function, the Calico project works with Kubernetes Network Policies and its own set of network security profiles, supporting endpoint ACLs (access control lists) and annotation-based network security rules for Ingress and Egress traffic.

Cilium

Cilium acts as a firewall for containers and provides network security features adapted natively to Kubernetes and microservice workloads. Cilium uses a Linux kernel technology called BPF (Berkeley Packet Filter) to filter, monitor, redirect and rewrite data.

Cilium can enforce network access policies based on container identities derived from Docker or Kubernetes labels and metadata. Cilium also understands and filters various Layer 7 protocols such as HTTP or gRPC, which lets you define, for example, the set of REST calls that will be allowed between two Kubernetes deployments.

Istio

  • website: istio.io
  • License: free (Apache)

Istio is widely known for implementing the service mesh paradigm by deploying a platform-independent control plane and routing all managed service traffic through dynamically configured Envoy proxies. Istio takes advantage of this vantage point over all microservices and containers to implement various network security strategies.

Istio's network security capabilities include transparent TLS encryption to automatically upgrade communication between microservices to HTTPS, and an identity-based RBAC and authorization system to allow or deny communication between different workloads in the cluster.

Translator's note: to learn more about Istio's security-oriented capabilities, read this article.

Tigera

Billed as the "Kubernetes Firewall", this solution emphasizes a zero-trust approach to network security.

Like other native Kubernetes networking solutions, Tigera relies on metadata to identify the various services and objects in the cluster, and provides runtime problem detection, continuous compliance checking and network visibility for multi-cloud or hybrid monolithic-containerized infrastructures.

Trireme

Trireme-Kubernetes is a simple and straightforward implementation of the Kubernetes Network Policies specification. Most notably, unlike similar Kubernetes network security products, it does not require a central control plane to coordinate the mesh, which makes the solution trivially scalable. Trireme achieves this by installing an agent on every node that hooks directly into the host's TCP/IP stack.

Image distribution and secrets management

Grafeas

  • website: grafeas.io
  • License: free (Apache)

Grafeas is an open source API for auditing and governing the software supply chain. At a basic level, Grafeas is a tool for collecting metadata and audit results. It can be used to track compliance with security best practices within an organization.

This centralized source of truth helps answer questions such as:

  • Who built and signed a particular container?
  • Did it pass all the security scans and checks required by the security policy? When? What were the results?
  • Who deployed it to production? What specific parameters were used during deployment?

in-toto

in-toto is a framework designed to provide integrity, authentication and auditability of the software supply chain. When deploying in-toto in an infrastructure, a layout is first defined that describes the various steps in the pipeline (repository, CI/CD tools, QA tools, artifact builders, etc.) and the users (responsible persons) allowed to initiate them.

in-toto monitors the execution of the layout, verifying that each task in the chain is carried out properly and only by authorized personnel, and that no unauthorized tampering with the product occurred along the way.

Portieris

Portieris is a Kubernetes admission controller used to enforce content trust checks. Portieris uses a Notary server (we wrote about it at the end of this article - translator's note) as the source of truth for verifying trusted, signed artifacts (i.e. approved container images).

When a workload is created or modified in Kubernetes, Portieris fetches the signing information and content trust policy for the requested container images and, if necessary, modifies the JSON API object on the fly so that the signed versions of those images are run.

Vault

Vault is a secure solution for storing sensitive information: passwords, OAuth tokens, PKI certificates, access credentials, Kubernetes secrets, etc. Vault supports many advanced features, such as leasing ephemeral security tokens or orchestrating key rotation.

Using a Helm chart, Vault can be deployed as a new deployment in a Kubernetes cluster with Consul as the backend storage. It supports native Kubernetes primitives such as ServiceAccount tokens and can even act as the default store for Kubernetes secrets.

Translator's note: by the way, just yesterday HashiCorp, the company developing Vault, announced some improvements for using Vault in Kubernetes, in particular concerning the Helm chart. Read more on the developers' blog.

Kubernetes security audit

kube-bench

kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the tests from the CIS Kubernetes Benchmark list.

kube-bench looks for insecure configuration settings in the cluster components (etcd, API server, controller manager, etc.), questionable file access permissions, unprotected accounts or open ports, resource quotas, settings that limit the rate of API calls to protect against DoS attacks, etc.
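To make concrete what such a benchmark check looks like, here is an added example written for this translation; it is not code from the original article or from kube-bench, which reads the live process table and node files. The kube-apiserver command line below is a constructed string, and the checks paraphrase CIS Kubernetes Benchmark items for the API server (item numbers differ between benchmark versions, so they are named by description). The defaults assumed when a flag is absent are the kube-apiserver defaults of the 1.1x releases the benchmark was written against:

```python
"""CIS-style checks of the kube-apiserver command line, as kube-bench runs them.

Added example, not part of the original article or of kube-bench.
"""
import shlex

# Constructed: what `ps -ef | grep kube-apiserver` might show on a control-plane node.
SAMPLE_APISERVER_CMDLINE = (
    "kube-apiserver --advertise-address=10.0.0.10 "
    "--anonymous-auth=true "
    "--authorization-mode=Node,RBAC "
    "--enable-admission-plugins NodeRestriction,PodSecurityPolicy "
    "--insecure-port=8080 "
    "--profiling=false "
    "--secure-port=6443 "
    "--service-account-lookup=true"
)


def parse_flags(cmdline):
    """Map '--flag=value' and '--flag value' pairs to a dict; bare flags map to ''."""
    argv = shlex.split(cmdline)[1:]          # drop the binary name
    flags = {}
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--"):
            if "=" in arg:
                key, value = arg[2:].split("=", 1)
            elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                key, value = arg[2:], argv[i + 1]
                i += 1
            else:
                key, value = arg[2:], ""
            flags[key] = value
        i += 1
    return flags


def check_apiserver(flags):
    """Return (passed, description) pairs for a handful of CIS API server items.

    Fallback values are the kube-apiserver defaults assumed for this example
    (anonymous auth on, AlwaysAllow authorization, insecure port 8080,
    profiling on), which is exactly why the benchmark asks for them explicitly.
    """
    authz = set(flags.get("authorization-mode", "AlwaysAllow").split(","))
    return [
        (flags.get("anonymous-auth", "true") == "false",
         "--anonymous-auth is set to false"),
        ("AlwaysAllow" not in authz,
         "--authorization-mode is not set to AlwaysAllow"),
        ({"Node", "RBAC"} <= authz,
         "--authorization-mode includes Node and RBAC"),
        (flags.get("insecure-port", "8080") == "0",
         "--insecure-port is set to 0"),
        (flags.get("secure-port", "6443") != "0",
         "--secure-port is not set to 0"),
        (flags.get("profiling", "true") == "false",
         "--profiling is set to false"),
        (bool(flags.get("audit-log-path")),
         "--audit-log-path is set"),
        (flags.get("service-account-lookup", "true") == "true",
         "--service-account-lookup is set to true"),
    ]


def failed_checks(flags):
    """Descriptions of the checks that did not pass."""
    return [desc for passed, desc in check_apiserver(flags) if not passed]


def mode_is_at_most(actual_mode, allowed_mode):
    """File-permission check in CIS wording ('644 or more restrictive'):
    no permission bit may be set that allowed_mode does not grant.
    actual_mode may be a raw st_mode; file-type bits are masked off."""
    return (actual_mode & 0o777) & ~allowed_mode == 0


if __name__ == "__main__":
    flags = parse_flags(SAMPLE_APISERVER_CMDLINE)
    for passed, desc in check_apiserver(flags):
        print("PASS" if passed else "FAIL", desc)
    # e.g. the mode of the kube-apiserver.yaml manifest from os.stat(...).st_mode
    print("manifest mode 0644 acceptable:", mode_is_at_most(0o644, 0o644))
```

On the constructed command line three items fail: anonymous authentication is left on, the insecure (plaintext, unauthenticated) port is still open, and no audit log is configured. The same parse-then-compare pattern applies to the other components kube-bench covers.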

kube-hunter

kube-hunter hunts for potential vulnerabilities (such as remote code execution or data disclosure) in Kubernetes clusters. kube-hunter can be run as a remote scanner, in which case it assesses the cluster from the viewpoint of an outside attacker, or as a pod inside the cluster.

A distinctive feature of kube-hunter is its "active hunting" mode, in which it not only reports problems but also tries to exploit the vulnerabilities found in the target cluster, which could disrupt its operation. So use it with care!

Kubeaudit

Kubeaudit is a command-line tool originally developed at Shopify to audit Kubernetes configuration for various security issues. For example, it helps identify containers running unrestricted, running as root, abusing privileges, or using the default ServiceAccount.

Kubeaudit has other interesting features. For example, it can analyze local YAML files, identify configuration flaws that could lead to security problems, and fix them automatically.

Kubesec

  • website: kubesec.io
  • License: free (Apache)

Kubesec is a special tool in that it directly scans the YAML files describing Kubernetes resources, looking for weak parameters that could affect security.

For example, it can detect excessive privileges and permissions granted to a pod, a container running as root by default, a pod joining the host's network namespace, or dangerous mounts such as the host's /proc or the Docker socket. Another interesting feature of Kubesec is its online demo service, where you can upload a YAML file and have it analyzed immediately.
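The checks just described for Kubesec and Kubeaudit, together with the seccomp and AppArmor profiles from the Linux runtime security frameworks section, are the kind of static audit a few dozen lines can reproduce offline. The following is an added example written for this translation, not code from Kubesec, kubeaudit or any other project on this page. It audits a manifest held as a parsed-YAML dict (two constructed manifests for the same workload are embedded, one insecure and one hardened) for privileged containers, running as root, host namespaces, the host's /proc or the Docker socket mounted as a hostPath, dangerous capabilities, the default ServiceAccount token, and missing seccomp or AppArmor profiles; the seccomp field and the AppArmor annotation prefix used are the forms Kubernetes accepted at the time of writing:

```python
"""Static audit of a Kubernetes manifest for the weak settings that Kubesec,
kubeaudit and a Pod Security Policy (or Pod Security Admission) would flag.

Added example, not part of the original article or of any of those projects.
The manifests are Python dicts equivalent to parsed YAML, so no YAML library
is needed; the rule set is a representative subset, not a full policy.
"""

# Host paths whose exposure hands a container control of the node.
SENSITIVE_HOST_PATHS = ("/proc", "/sys", "/dev", "/etc", "/run", "/var/run", "/var/lib/kubelet")
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE"}
SECCOMP_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"   # pre-1.19 form
APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"


def is_sensitive_host_path(path):
    path = path.rstrip("/") or "/"
    return path == "/" or any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def pod_template(manifest):
    """Return (metadata, podSpec) for a Pod or for a workload that wraps a pod template."""
    if manifest.get("kind") == "Pod":
        return manifest.get("metadata", {}), manifest["spec"]
    template = manifest["spec"]["template"]
    return template.get("metadata", {}), template["spec"]


def audit(manifest):
    """Return (severity, message) findings; an empty list means nothing was flagged."""
    meta, spec = pod_template(manifest)
    annotations = meta.get("annotations") or {}
    pod_sc = spec.get("securityContext") or {}
    findings = []
    if spec.get("hostNetwork"):
        findings.append(("HIGH", "pod joins the host network namespace"))
    if spec.get("hostPID") or spec.get("hostIPC"):
        findings.append(("HIGH", "pod joins the host PID or IPC namespace"))
    if spec.get("serviceAccountName", "default") == "default" and spec.get("automountServiceAccountToken", True):
        findings.append(("MEDIUM", "default ServiceAccount token is mounted into the pod"))
    for vol in spec.get("volumes") or []:
        path = vol.get("hostPath", {}).get("path")
        if path and is_sensitive_host_path(path):
            findings.append(("HIGH", f"volume {vol['name']} mounts sensitive host path {path}"))
    if "seccompProfile" not in pod_sc and SECCOMP_ANNOTATION not in annotations:
        findings.append(("MEDIUM", "no seccomp profile set for the pod"))
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        name, sc = c["name"], c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(("CRITICAL", f"container {name} runs privileged"))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))          # container overrides pod
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if uid == 0 or (uid is None and not non_root):
            findings.append(("HIGH", f"container {name} may run as root"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(("MEDIUM", f"container {name} allows privilege escalation"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(("LOW", f"container {name} has a writable root filesystem"))
        caps = sc.get("capabilities") or {}
        added = DANGEROUS_CAPS & set(caps.get("add") or [])
        if added:
            findings.append(("HIGH", f"container {name} adds capabilities {sorted(added)}"))
        if "ALL" not in (caps.get("drop") or []):
            findings.append(("LOW", f"container {name} does not drop all capabilities"))
        if APPARMOR_PREFIX + name not in annotations:
            findings.append(("LOW", f"container {name} has no AppArmor profile annotation"))
    return findings


# Constructed: a node agent deployed the lazy way (privileged, root, host network, Docker socket).
INSECURE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "agent"},
    "spec": {"template": {
        "metadata": {"labels": {"app": "agent"}},
        "spec": {
            "hostNetwork": True,
            "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
            "containers": [{
                "name": "agent", "image": "registry.example.com/agent:1.0",
                "securityContext": {"privileged": True, "runAsUser": 0},
                "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}]}]}}}}

# Constructed: the same workload with the settings a PSP or Kubesec would ask for.
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "agent"},
    "spec": {"template": {
        "metadata": {"labels": {"app": "agent"},
                     "annotations": {APPARMOR_PREFIX + "agent": "runtime/default"}},
        "spec": {
            "serviceAccountName": "agent", "automountServiceAccountToken": False,
            "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                                "seccompProfile": {"type": "RuntimeDefault"}},
            "containers": [{
                "name": "agent", "image": "registry.example.com/agent:1.0",
                "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                                    "capabilities": {"drop": ["ALL"]}}}]}}}}

if __name__ == "__main__":
    for label, manifest in (("insecure", INSECURE_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        print(f"== {label}: {len(audit(manifest))} finding(s)")
        for severity, message in audit(manifest):
            print(f"  {severity:8} {message}")
```

The insecure manifest yields ten findings, the hardened one none. The Docker socket mount deserves emphasis: with it, a process in the container can ask the daemon to start a privileged container of its own, so it is equivalent to root on the node whatever the container's own securityContext says.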

Open Policy Agent

The idea of OPA (Open Policy Agent) is to decouple security policies and security best practices from any specific runtime platform: Docker, Kubernetes, Mesosphere, OpenShift, or any combination of them.

For example, you can use OPA as the backend of a Kubernetes admission controller, delegating security decisions to it. This way the OPA agent can validate, reject and even modify requests on the fly, ensuring that the specified security parameters are met. OPA security policies are written in its own DSL, Rego.

Translator's note: we wrote more about OPA (and SPIFFE) in this material.

Comprehensive commercial tools for Kubernetes security analysis

We decided to create a separate category for commercial platforms because they usually cover several areas of security at once. An overview of their capabilities can be found in the table:

[comparison table not reproduced; it was an image in the original]
* Deep testing and full analysis of system call capture.

Aqua Security

This commercial tool is designed for containers and cloud workloads. It provides:

  • Image scanning integrated with a container registry or CI/CD pipeline;
  • Runtime protection by watching for changes in containers and other suspicious activity;
  • A container firewall;
  • Serverless security on cloud services;
  • Compliance testing and auditing combined with event logging.

Translator's note: it is also worth noting that there is a free component of the product called MicroScanner, which lets you scan container images for vulnerabilities. A comparison of its capabilities with the paid versions is given in this table.

Capsule8

Capsule8 integrates into the infrastructure by installing a detector in the on-premises or cloud Kubernetes cluster. This detector collects host and network telemetry and correlates it with various types of attacks.

The Capsule8 team sees its task as the early detection and prevention of attacks that use new (0-day) vulnerabilities. Capsule8 can push updated security rules directly to the detectors in response to newly discovered threats and software vulnerabilities.

Cavirin

Cavirin acts as the enterprise-side counterpart to the various agencies involved in security standards. It can not only scan images but also integrate into the CI/CD pipeline, blocking non-compliant images before they enter private registries.

Cavirin's security suite uses machine learning to assess your cybersecurity posture, offering recommendations for improving security and compliance with security standards.

Google Cloud Security Command Center

Cloud Security Command Center helps security teams collect data, identify threats and eliminate them before they harm the company.

As the name suggests, Google Cloud SCC is a unified control panel that can integrate and manage a variety of security reports, asset inventory engines and third-party security systems from a single centralized source.

The interoperable API offered by Google Cloud SCC makes it easy to integrate security events from various sources, such as Sysdig Secure (container security for cloud-native applications) or Falco (open source runtime security).

Layered Insight (Qualys)

Layered Insight (now part of Qualys Inc) is built around the concept of "embedded security". After scanning the original image for vulnerabilities using statistical analysis and CVE checks, Layered Insight replaces it with an instrumented image that embeds its agent as a binary.

This agent contains runtime security checks to analyze the container's network traffic, I/O flows and application activity. In addition, it can perform extra security checks defined by the infrastructure administrator or DevOps teams.

NeuVector

NeuVector checks container security and provides runtime protection by analyzing network activity and application behavior, building an individual security profile for each container. It can also block threats on its own, isolating suspicious activity by changing local firewall rules.

NeuVector's network integration, known as Security Mesh, is capable of deep packet inspection and Layer 7 filtering for all network connections in the service mesh.

StackRox

The StackRox container security platform aims to cover the entire lifecycle of Kubernetes applications in a cluster. Like the other commercial platforms on this list, StackRox builds a runtime profile based on observed container behavior and automatically raises an alarm on any deviation from it.

In addition, StackRox analyzes Kubernetes configuration using the Kubernetes CIS benchmark and other rule books to assess container compliance.

Sysdig Secure

Sysdig Secure protects applications throughout the container and Kubernetes lifecycle. It scans container images, provides runtime protection based on machine learning, performs forensics to identify vulnerabilities, blocks threats, monitors compliance with established standards and audits activity in microservices.

Sysdig Secure integrates with CI/CD tools such as Jenkins and controls the images pushed to Docker registries, preventing dangerous images from reaching production. It also provides comprehensive runtime security, including:

  • ML-based runtime profiling and anomaly detection;
  • runtime policies based on system events, the K8s audit API, joint community projects (FIM - file integrity monitoring; cryptojacking) and the MITRE ATT&CK framework;
  • incident response and remediation.

Tenable Container Security

Before the advent of containers, Tenable was widely known in the industry as the company behind Nessus, a popular vulnerability scanning and security auditing tool.

Tenable Container Security leverages the company's computer security expertise to integrate the CI/CD pipeline with vulnerability databases, specialized malware detection packages and recommendations for resolving security threats.

Twistlock (Palo Alto Networks)

Twistlock promotes itself as a platform focused on cloud services and containers. Twistlock supports various cloud providers (AWS, Azure, GCP), container orchestrators (Kubernetes, Mesosphere, OpenShift, Docker), serverless runtimes, mesh frameworks and CI/CD tools.

In addition to conventional enterprise security techniques such as CI/CD pipeline integration or image scanning, Twistlock uses machine learning to generate individual behavior patterns and network rules.

Some time ago, Twistlock was acquired by Palo Alto Networks, which owns the Evident.io and RedLock projects. It is not yet known how these three platforms will be integrated into Palo Alto's PRISMA.

Help build the best catalog of Kubernetes security tools!

We try to make this catalog as complete as possible, and for that we need your help! Contact us (@sysdig) if you have a cool tool in mind that deserves to be included in this list, or if you find an error or outdated information.

You can also subscribe to our monthly newsletter with news from the cloud-native ecosystem and stories about interesting projects from the world of Kubernetes security.

P.S. from the translator

Read also on our blog:

Source: www.habr.com