33+ Kubernetes security tools

Translator's note: If you are thinking about security in Kubernetes-based infrastructure, this excellent overview from Sysdig is a good starting point for a quick survey of the current solutions. It covers both complex systems from well-known market players and far more modest utilities that solve one specific problem. And in the comments, as usual, we will be glad to hear about your experience with these tools and to see links to other projects.

Kubernetes security software products... there are a great many of them, each with its own goals, scope and licensing.

That is why we decided to compile this list and include both open source projects and commercial platforms from different vendors. We hope it helps you identify the ones that interest you most and points you in the right direction based on your specific Kubernetes security needs.

Categories

To make the list easier to navigate, the tools are grouped by their main function and area of application. The following categories emerged:

  • Kubernetes image scanning and static analysis;
  • runtime security;
  • Kubernetes network security;
  • image distribution and secrets management;
  • Kubernetes security auditing;
  • comprehensive commercial products.

Let's get down to business:

Kubernetes image scanning

Anchore

  • Website: anchore.com
  • License: free (Apache) and a commercial offering


Anchore analyzes container images and allows security checks based on user-defined policies.

Beyond the usual scanning of container images for known vulnerabilities from the CVE database, Anchore performs additional checks as part of its scanning policy: it inspects the Dockerfile, credential leaks, packages of the programming languages used (npm, maven, etc.), software licenses and much more.

Clair

  • Website: coreos.com/clair (now under the wing of Red Hat)
  • License: free (Apache)


Clair was one of the first open source image scanning projects. It is widely known as the security scanner behind the Quay image registry (also from CoreOS - translator's note). Clair can collect CVE information from a wide range of sources, including the distribution-specific vulnerability lists maintained by the Debian, Red Hat and Ubuntu security teams.

Unlike Anchore, Clair focuses mainly on vulnerability detection and matching data against CVEs. The product does, however, give users some ability to extend its functionality through plug-in drivers.

Dagda


Dagda performs static analysis of container images for known vulnerabilities, trojans, viruses, malware and other threats.

Two notable features set Dagda apart from other similar tools:

  • It integrates natively with ClamAV, acting not only as a container image scanning tool but also as an antivirus.
  • It also provides runtime protection by receiving real-time events from the Docker daemon and integrating with Falco (see below) to collect security events while the container is running.

KubeXray

  • Website: github.com/jfrog/kubexray
  • License: free (Apache), but requires data from JFrog Xray (a commercial product)


KubeXray listens to events from the Kubernetes API server and uses metadata from JFrog Xray to ensure that only pods that comply with the current policy are launched.

KubeXray not only audits new or updated containers in deployments (much like an admission controller in Kubernetes), but also dynamically checks running containers against new security policies, removing resources that reference vulnerable images.

Snyk

  • Website: snyk.io
  • License: free (Apache) and commercial versions


Snyk is an unusual vulnerability scanner in that it targets the development process directly and is promoted as an "essential solution" for developers.

Snyk connects directly to code repositories, parses the project manifest and analyzes the imported code together with its direct and indirect dependencies. Snyk supports many popular programming languages and can also detect hidden license risks.

Trivy


Trivy is a simple yet powerful container vulnerability scanner that integrates easily into a CI/CD pipeline. Its distinguishing feature is how easy it is to install and run: the application consists of a single binary and requires no database installation or additional libraries.

The downside of Trivy's simplicity is that you have to work out for yourself how to parse its JSON results and forward them so that other Kubernetes security tools can consume them.
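The following is an added example of that parsing step, not code from the original article or from the Trivy project. It assumes the JSON that `trivy image --format json -o report.json IMAGE` writes (SchemaVersion 2: a top-level object whose "Results" list carries per-target "Vulnerabilities"; the older output, a bare list of results, is also accepted) and fails the job when anything at or above a severity threshold remains, optionally ignoring findings that have no fixed version. The report embedded below is constructed and uses placeholder CVE IDs.

```python
"""Gate a CI job on a Trivy JSON report.

Added example, not from the original article and not part of Trivy itself.
It assumes Trivy's JSON output schema (SchemaVersion 2 with a "Results" list,
or the older bare list of results). The sample report is constructed for this
example and uses placeholder CVE IDs.
"""
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample of a Trivy JSON report (no real scan data, placeholder CVE IDs).
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example.internal/app:1.2.3",
    "Results": [
        {"Target": "registry.example.internal/app:1.2.3 (debian 11.6)",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2099-0001", "PkgName": "libssl1.1",
              "InstalledVersion": "1.1.1n-0+deb11u3", "FixedVersion": "1.1.1n-0+deb11u4",
              "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-2099-0002", "PkgName": "libc6",
              "InstalledVersion": "2.31-13+deb11u5", "FixedVersion": "",
              "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-2099-0003", "PkgName": "tar",
              "InstalledVersion": "1.34+dfsg-1", "FixedVersion": "",
              "Severity": "LOW"}]},
        {"Target": "app/package-lock.json",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2099-0004", "PkgName": "lodash",
              "InstalledVersion": "4.17.20", "FixedVersion": "4.17.21",
              "Severity": "MEDIUM"}]},
    ],
})


def iter_vulnerabilities(report):
    """Yield (target, vulnerability) pairs from either JSON schema.

    Targets without findings carry "Vulnerabilities": null in Trivy's output,
    hence the `or []`.
    """
    results = report.get("Results") if isinstance(report, dict) else report
    for result in results or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", "<unknown>"), vuln


def findings_at_or_above(report, threshold="HIGH", ignore_unfixed=False):
    """Return findings with severity >= threshold, most severe first.

    ignore_unfixed drops findings that have no FixedVersion, the usual choice
    when a pipeline should only fail on what a rebuild could actually remedy.
    """
    min_rank = SEVERITY_RANK[threshold.upper()]
    hits = []
    for target, vuln in iter_vulnerabilities(report):
        severity = str(vuln.get("Severity", "UNKNOWN")).upper()
        if SEVERITY_RANK.get(severity, 0) < min_rank:
            continue
        if ignore_unfixed and not vuln.get("FixedVersion"):
            continue
        hits.append({
            "target": target,
            "id": vuln["VulnerabilityID"],
            "pkg": vuln.get("PkgName"),
            "installed": vuln.get("InstalledVersion"),
            "fixed": vuln.get("FixedVersion") or None,
            "severity": severity,
        })
    hits.sort(key=lambda h: (-SEVERITY_RANK[h["severity"]], h["id"]))
    return hits


def gate(report_json, threshold="HIGH", ignore_unfixed=False):
    """Return (exit_code, findings); exit_code is 1 when the gate should fail."""
    hits = findings_at_or_above(json.loads(report_json), threshold, ignore_unfixed)
    return (1 if hits else 0), hits


if __name__ == "__main__":
    # usage: python trivy_gate.py [report.json] [--ignore-unfixed]
    paths = [a for a in sys.argv[1:] if not a.startswith("--")]
    text = open(paths[0]).read() if paths else SAMPLE_REPORT
    code, hits = gate(text, "HIGH", ignore_unfixed="--ignore-unfixed" in sys.argv)
    for h in hits:
        print(f'{h["severity"]:<9}{h["id"]:<16} {h["pkg"]} {h["installed"]} '
              f'-> {h["fixed"] or "no fix available"}  [{h["target"]}]')
    sys.exit(code)
```

For the plain pass/fail case Trivy's own `--exit-code 1 --severity HIGH,CRITICAL` and `--ignore-unfixed` flags are enough; a script like this earns its keep when the findings have to be handed to another system as structured data, or when the policy is more nuanced than a severity cut-off.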

Kubernetes runtime security

Falco

  • Website: falco.org
  • License: free (Apache)


Falco is a toolset for securing cloud runtime environments. It is part of the CNCF project family.

Using Sysdig's Linux kernel-level instrumentation and system call profiling, Falco lets you dive deep into system behavior. Its runtime rules engine can detect suspicious activity in applications, containers, the underlying host and the Kubernetes orchestrator.

Falco provides full runtime visibility and threat detection by deploying dedicated agents on the Kubernetes nodes for this purpose. As a result, there is no need to modify the containers by injecting third-party code into them or adding sidecar containers.
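To make the "rules over syscall events" idea concrete, here is an added miniature rules engine in the style of Falco. It is not Falco's code and not from the original article: real Falco rules are YAML with their own condition language, and the four rules below only paraphrase upstream rules (Terminal shell in container, Write below etc, Read sensitive file untrusted, Launch Package Management Process in Container). The events are constructed to resemble enriched syscall records, each carrying the container and Kubernetes fields that make an alert actionable.

```python
"""A miniature rules engine in the style of Falco.

Added example, not Falco's code and not from the original article. The rule
conditions paraphrase upstream Falco rules but are not verbatim, and the
events are constructed, not captured from a real system.
"""
from dataclasses import dataclass

SHELL_PROCS = {"bash", "sh", "zsh", "dash", "ash", "ksh"}
PACKAGE_MGMT_PROCS = {"apt", "apt-get", "dpkg", "yum", "dnf", "apk", "pip", "rpm"}
SENSITIVE_FILES = {"/etc/shadow", "/etc/sudoers", "/root/.ssh/id_rsa",
                   "/var/run/secrets/kubernetes.io/serviceaccount/token"}
# Processes expected to touch sensitive files or /etc legitimately (the
# equivalent of Falco's exception lists).
TRUSTED_READERS = {"sshd", "sudo", "login", "passwd"}
TRUSTED_ETC_WRITERS = {"apt", "apt-get", "dpkg", "yum", "dnf", "apk", "rpm"}


@dataclass
class Event:
    evt_type: str                    # "execve" or "openat"
    proc_name: str
    user_name: str
    container_id: str                # "host" for processes outside any container
    fd_name: str = ""                # path for openat
    flags: frozenset = frozenset()   # open flags, e.g. {"O_WRONLY"}; empty for execve
    tty: int = 0                     # non-zero when a terminal is attached
    k8s_ns: str = ""
    k8s_pod: str = ""


# Building blocks, mirroring Falco's "container", "spawned_process",
# "open_write" and "open_read" macros.
def in_container(e): return e.container_id != "host"
def spawned_process(e): return e.evt_type == "execve"
def open_write(e): return e.evt_type == "openat" and bool(
    e.flags & {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC"})
def open_read(e): return e.evt_type == "openat" and "O_RDONLY" in e.flags


# (rule name, Falco priority, condition)
RULES = [
    ("Terminal shell in container", "NOTICE",
     lambda e: spawned_process(e) and in_container(e)
     and e.proc_name in SHELL_PROCS and e.tty != 0),
    ("Write below etc", "ERROR",
     lambda e: open_write(e) and e.fd_name.startswith("/etc/")
     and e.proc_name not in TRUSTED_ETC_WRITERS),
    ("Read sensitive file untrusted", "WARNING",
     lambda e: open_read(e) and e.fd_name in SENSITIVE_FILES
     and e.proc_name not in TRUSTED_READERS),
    ("Launch Package Management Process in Container", "ERROR",
     lambda e: spawned_process(e) and in_container(e)
     and e.proc_name in PACKAGE_MGMT_PROCS),
]


def evaluate(events):
    """Return one alert dict per (event, matching rule); an event may match several rules."""
    alerts = []
    for e in events:
        for name, priority, cond in RULES:
            if cond(e):
                where = (f"{e.k8s_ns}/{e.k8s_pod} container={e.container_id}"
                         if in_container(e) else "host")
                alerts.append({"rule": name, "priority": priority, "proc": e.proc_name,
                               "user": e.user_name, "file": e.fd_name, "location": where})
    return alerts


# Constructed events (not captured from a real system).
SAMPLE_EVENTS = [
    Event("execve", "bash", "root", "3f2a9c1e7b0d", tty=1, k8s_ns="prod", k8s_pod="web-7d9f4-x2k"),
    Event("openat", "sh", "root", "3f2a9c1e7b0d", "/etc/ld.so.preload",
          frozenset({"O_WRONLY", "O_CREAT"}), k8s_ns="prod", k8s_pod="web-7d9f4-x2k"),
    Event("openat", "cat", "app", "9a8b7c6d5e4f", "/etc/shadow", frozenset({"O_RDONLY"}),
          k8s_ns="prod", k8s_pod="api-5c6d7-q9z"),
    Event("execve", "apt-get", "root", "9a8b7c6d5e4f", k8s_ns="prod", k8s_pod="api-5c6d7-q9z"),
    Event("execve", "bash", "ops", "host", tty=2),   # admin shell on the node: no rule fires
    Event("openat", "nginx", "nginx", "3f2a9c1e7b0d", "/etc/nginx/nginx.conf",
          frozenset({"O_RDONLY"}), k8s_ns="prod", k8s_pod="web-7d9f4-x2k"),  # legitimate read
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f'{a["priority"]:<8} {a["rule"]}: proc={a["proc"]} user={a["user"]} '
              f'file={a["file"] or "-"} ({a["location"]})')
```

The point of the example is the shape of the data, not the rules themselves: every alert is a syscall-level fact (which process opened which file with which flags, on which tty) joined with container and Kubernetes metadata, which is exactly what the node agent provides and what makes the alert attributable to a namespace and pod without touching the workload.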

Linux runtime security frameworks


These native Linux kernel frameworks are not "Kubernetes security tools" in the traditional sense, but they deserve a mention because they are a key element of runtime security and are exposed through the Kubernetes Pod Security Policy (PSP). (PSP was deprecated in Kubernetes 1.21 and removed in 1.25; the same controls are now applied through the Pod Security Admission controller and the pod and container securityContext fields.)

AppArmor attaches a security profile to the processes running in a container, defining file system privileges, network access rules, library linking and so on. It is a Mandatory Access Control (MAC) system: it prevents prohibited actions from being carried out at all.

Security-Enhanced Linux (SELinux) is an advanced security module in the Linux kernel, similar in some respects to AppArmor and often compared with it. SELinux surpasses AppArmor in power, flexibility and customizability; the price is a long learning curve and greater complexity.

Seccomp and seccomp-bpf let you filter system calls, blocking those that are potentially dangerous to the base OS and not needed for the normal operation of user applications. Seccomp resembles Falco in some respects, although it knows nothing about container specifics.

Sysdig open source


Sysdig is a full-featured tool for analyzing, diagnosing and debugging Linux systems (it also works on Windows and macOS, but with limited functionality). It can be used for detailed information gathering, verification and forensic analysis of the underlying system and of any containers running on it.

Sysdig also natively supports container runtimes and Kubernetes metadata, adding extra dimensions and labels to all the system behavior information it collects. There are several ways to analyze a Kubernetes cluster with Sysdig: you can take a point-in-time capture with kubectl capture or launch an ncurses-based interactive interface with the kubectl dig plugin.

Kubernetes network security

Aporeto


Aporeto offers "security decoupled from the network and infrastructure". This means that Kubernetes services receive not only a local ID (the ServiceAccount in Kubernetes) but also a universal ID/fingerprint that can be used to communicate securely and mutually with any other service, for example in an OpenShift cluster.

Aporeto can generate a unique ID not only for Kubernetes/containers but also for hosts, cloud functions and users. Based on these identities and the set of network security rules defined by the administrator, communication is either allowed or blocked.

Calico


Calico is usually deployed during installation of the container orchestrator, letting you create a virtual network that connects containers. On top of this basic networking functionality, the Calico project works with Kubernetes Network Policies and its own set of network security profiles, supporting endpoint ACLs (access control lists) and annotation-based network security rules for Ingress and Egress traffic.

Cilium


Cilium acts as a firewall for containers and provides network security features tailored to Kubernetes and microservice workloads. Cilium uses a new Linux kernel technology called BPF (Berkeley Packet Filter) to filter, monitor, redirect and rewrite traffic.

Cilium can apply network access policies based on container identity using Docker or Kubernetes labels and metadata. Cilium also understands and filters various Layer 7 protocols such as HTTP and gRPC, which lets you define, for example, the set of REST calls allowed between two Kubernetes deployments.

Istio

  • Website: istio.io
  • License: free (Apache)


Istio is widely known for implementing the service mesh paradigm: it deploys a platform-independent control plane and routes all managed service traffic through dynamically configurable Envoy proxies. Istio uses this enhanced view of all microservices and containers to implement a range of network security strategies.

Istio's network security capabilities include transparent TLS encryption to automatically upgrade communication between microservices to HTTPS, and its own RBAC identification and authorization system to allow or deny communication between different workloads in the cluster.

Translator's note: To learn more about Istio's security-focused capabilities, read this article.

Tigera


Billed as the "Kubernetes Firewall", this solution emphasizes a zero-trust approach to network security.

Like other native Kubernetes networking solutions, Tigera relies on metadata to identify the various services and objects in the cluster and provides runtime problem detection, continuous compliance checking and network visibility for multi-cloud or hybrid monolithic-containerized infrastructure.

Trireme


Trireme-Kubernetes is a simple and straightforward implementation of the Kubernetes Network Policies specification. Its most notable feature is that, unlike other Kubernetes network security products, it needs no central control plane to coordinate the mesh. This makes the solution trivially scalable. Trireme achieves this by installing an agent on each node that hooks directly into the host's TCP/IP stack.

Image distribution and secrets management

Grafeas

  • Website: grafeas.io
  • License: free (Apache)


Grafeas is an open source API for auditing and managing the software supply chain. At its core, Grafeas is a tool for collecting metadata and audit findings. It can be used to track compliance with security best practices within an organization.

This centralized source of truth helps answer questions such as:

  • Who built and signed a particular container?
  • Did it pass all the security scans and checks required by the security policy? When? What were the results?
  • Who deployed it to production? Which specific parameters were used during deployment?

in-toto


in-toto is a framework designed to provide integrity, authentication and auditability across the entire software supply chain. When in-toto is deployed in an infrastructure, a layout is defined first that describes the various steps of the pipeline (repository, CI/CD tools, QA tools, artifact collectors, etc.) and the users (responsible persons) who are allowed to initiate them.

in-toto monitors the execution of the layout, verifying that each task in the chain is carried out correctly and only by authorized personnel, and that no unauthorized tampering with the product took place along the way.

Portieris


Portieris is a Kubernetes admission controller used to enforce content trust checks. Portieris uses a Notary server (we wrote about it at the end of this article - translator's note) as the source of truth for verifying trusted, signed artifacts (that is, approved container images).

When a workload is created or modified in Kubernetes, Portieris fetches the signing information and the content trust policy for the requested container images and, if necessary, patches the JSON API object on the fly so that the signed versions of those images are launched.

Vault


Vault is a secure solution for storing secret information: passwords, OAuth tokens, PKI certificates, access accounts, Kubernetes secrets and so on. Vault supports many advanced features, such as leasing ephemeral security tokens or orchestrating key rotation.

Using a Helm chart, Vault can be installed as a new deployment in a Kubernetes cluster with Consul as the backend storage. It supports native Kubernetes resources such as ServiceAccount tokens and can even act as the default store for Kubernetes secrets.

Translator's note: However, just yesterday HashiCorp, the company that develops Vault, announced several improvements to running Vault on Kubernetes, in particular related to the Helm chart. Read more on the engineering blog.

Kubernetes security audit

Kube-bench


Kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the tests from the CIS Kubernetes Benchmark.

Kube-bench looks for insecure configuration settings in cluster components (etcd, API server, controller manager, etc.), questionable file permissions, unprotected accounts or open ports, resource quotas, settings that limit the number of API calls to protect against DoS attacks, and so on.

Kube-hunter


Kube-hunter hunts for potential vulnerabilities (such as remote code execution or data disclosure) in Kubernetes clusters. Kube-hunter can be run as a remote scanner, in which case it assesses the cluster from the perspective of an outside attacker, or as a pod inside the cluster.

A distinctive feature of Kube-hunter is its "active hunting" mode, in which it does not merely report problems but also tries to exploit the vulnerabilities it finds in the target cluster, which can disrupt its operation. So use it with caution!

Kubeaudit


Kubeaudit is a command-line tool originally developed at Shopify for auditing Kubernetes configuration for a range of security issues. For example, it helps identify containers that run unrestricted, run as root, abuse privileges or use the default ServiceAccount.

Kubeaudit has other interesting features. For instance, it can analyze local YAML files, identify configuration mistakes that could lead to security problems, and fix them automatically.

Kubesec

  • Website: kubesec.io
  • License: free (Apache)


Kubesec is a special tool in that it scans the YAML files describing Kubernetes resources directly, looking for weak parameters that can affect security.

For example, it can detect excessive privileges and permissions granted to a pod, a container running as root by default, attachment to the host's network namespace, or dangerous mounts such as the host's /proc or the Docker socket. Another nice feature of Kubesec is its online demo service, where you can upload a YAML file and analyze it immediately.
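To show what checks of the kind Kubeaudit and Kubesec run actually look at, here is an added static audit of a workload manifest. It is not code from either project or from the original article; the check list, severities and messages are this example's own. It works on the parsed manifest as a Python dict: JSON is used to stay dependency-free (kubectl accepts JSON manifests as well as YAML), and a YAML file gives the same dict via yaml.safe_load if PyYAML is installed. The two manifests embedded below are constructed: a CI build agent the way it is often deployed, and the same workload hardened.

```python
"""Static audit of a Kubernetes workload manifest, in the spirit of kubesec
and kubeaudit.

Added example, not code from either project or from the original article.
The checks, severities and the two sample manifests are this example's own.
"""
import json
import sys

# hostPath mounts at or below these give a container a foothold on the node.
SENSITIVE_HOST_PATHS = ("/proc", "/sys", "/etc", "/root", "/var/run/docker.sock",
                        "/run/containerd", "/var/lib/kubelet", "/var/lib/docker")
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE",
                  "DAC_READ_SEARCH", "NET_RAW", "ALL"}


def pod_spec(manifest):
    """Locate the PodSpec inside a Pod or a workload that embeds a pod template."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest["spec"]
    if kind in ("Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"):
        return manifest["spec"]["template"]["spec"]
    if kind == "CronJob":
        return manifest["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    raise ValueError(f"unsupported kind: {kind!r}")


def sensitive_host_path(path):
    norm = path.rstrip("/") or "/"
    return norm == "/" or any(norm == p or norm.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit(manifest):
    """Return a list of {"severity", "path", "message"} findings for one manifest."""
    spec = pod_spec(manifest)
    findings = []

    def add(severity, path, message):
        findings.append({"severity": severity, "path": path, "message": message})

    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            add("HIGH", f"spec.{flag}", f"{flag}: true shares the node's namespace with the pod")
    if (spec.get("serviceAccountName", "default") == "default"
            and spec.get("automountServiceAccountToken") is not False):
        add("MEDIUM", "spec.automountServiceAccountToken",
            "default ServiceAccount token is mounted; set it to false or use a dedicated account")
    for i, vol in enumerate(spec.get("volumes") or []):
        path = (vol.get("hostPath") or {}).get("path")
        if path is not None:
            add("HIGH" if sensitive_host_path(path) else "MEDIUM",
                f"spec.volumes[{i}].hostPath.path", f"hostPath {path} exposes the node filesystem")

    pod_sc = spec.get("securityContext") or {}
    for list_key in ("initContainers", "containers"):
        for i, c in enumerate(spec.get(list_key) or []):
            at = f"spec.{list_key}[{i}]"
            sc = c.get("securityContext") or {}   # container-level settings override pod-level
            if sc.get("privileged"):
                add("HIGH", f"{at}.securityContext.privileged", "privileged container: all capabilities and devices")
            if sc.get("allowPrivilegeEscalation") is not False:
                add("MEDIUM", f"{at}.securityContext.allowPrivilegeEscalation",
                    "not set to false; setuid binaries can gain privileges")
            run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
            run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
            if run_as_user == 0:
                add("HIGH", f"{at}.securityContext.runAsUser", "runs as uid 0")
            elif run_as_user is None and run_as_non_root is not True:
                add("MEDIUM", f"{at}.securityContext.runAsNonRoot",
                    "no runAsUser/runAsNonRoot; the image's default user (often root) applies")
            if sc.get("readOnlyRootFilesystem") is not True:
                add("LOW", f"{at}.securityContext.readOnlyRootFilesystem", "writable root filesystem")
            caps = sc.get("capabilities") or {}
            added = DANGEROUS_CAPS & set(caps.get("add") or [])
            if added:
                add("HIGH", f"{at}.securityContext.capabilities.add", f"adds {sorted(added)}")
            if "ALL" not in (caps.get("drop") or []):
                add("LOW", f"{at}.securityContext.capabilities.drop", "does not drop ALL capabilities")
            if not (c.get("resources") or {}).get("limits"):
                add("LOW", f"{at}.resources.limits", "no resource limits; a compromised container can starve the node")
    return findings


def summary(findings):
    counts = {"HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


# Constructed manifests: a CI build agent as it is often deployed, then hardened.
WEAK = {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "build-agent"},
        "spec": {"template": {"spec": {
            "hostNetwork": True,
            "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}}],
            "containers": [{"name": "agent", "image": "registry.example.internal/agent:1",
                            "securityContext": {"privileged": True, "runAsUser": 0},
                            "volumeMounts": [{"name": "dock", "mountPath": "/var/run/docker.sock"}]}]}}}}
HARDENED = {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "build-agent"},
            "spec": {"template": {"spec": {
                "automountServiceAccountToken": False,
                "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
                "containers": [{"name": "agent", "image": "registry.example.internal/agent:1",
                                "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
                                "securityContext": {"allowPrivilegeEscalation": False,
                                                    "readOnlyRootFilesystem": True,
                                                    "capabilities": {"drop": ["ALL"]}}}]}}}}

if __name__ == "__main__":
    manifests = [json.load(open(p)) for p in sys.argv[1:]] or [WEAK, HARDENED]
    for m in manifests:
        found = audit(m)
        print(f'{m["kind"]}/{m["metadata"]["name"]}: {summary(found)}')
        for f in found:
            print(f'  {f["severity"]:<7}{f["path"]}: {f["message"]}')
```

The weak manifest produces nine findings, four of them HIGH (host network, the Docker socket mount, privileged mode and uid 0); any one of the four is enough to take over the node. The hardened version produces none, and note that it reaches that state without the hostPath volume at all, which is the only real fix for the Docker socket: no securityContext setting makes mounting it safe.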

Open Policy Agent


The idea behind OPA (Open Policy Agent) is to decouple security policies and security best practices from a specific runtime platform: Docker, Kubernetes, Mesosphere, OpenShift or any combination of them.

For example, you can deploy OPA as the backend of a Kubernetes admission controller and delegate security decisions to it. This way the OPA agent can validate, reject and even modify requests on the fly, ensuring that the specified security constraints are met. OPA security policies are written in its own DSL, Rego.

Translator's note: We wrote more about OPA (and SPIFFE) in this article.

Comprehensive commercial tools for Kubernetes security

We decided to put the commercial platforms in a separate category because they tend to cover many security areas at once. A general overview of their capabilities is given in the table:

(The comparison table in the original is an image and is not reproduced here.)
* Advanced forensics and postmortem analysis with full system call capture.

Aqua Security


This commercial tool is designed for containers and cloud workloads. It provides:

  • image scanning integrated with the container registry or the CI/CD pipeline;
  • runtime protection by looking for changes in containers and other suspicious activity;
  • a container firewall;
  • serverless security for cloud services;
  • compliance checks and auditing combined with event logging.

Translator's note: It is also worth noting that there is a free component of the product called MicroScanner, which lets you scan container images for vulnerabilities. A comparison of its capabilities with the paid versions is given in this table.

Capsule8

Capsule8 integrates with the infrastructure by installing a sensor on a local or cloud Kubernetes cluster. This sensor collects host and network telemetry and correlates it with different types of attacks.

The Capsule8 team sees its mission as early detection and prevention of attacks that use new (0-day) vulnerabilities. Capsule8 can push updated security rules directly to the sensors in response to newly discovered threats and software vulnerabilities.

Cavirin


Cavirin acts as the company-side counterpart to the various agencies involved in security standards. It can not only scan images but also integrate into the CI/CD pipeline, blocking non-compliant images before they reach private repositories.

The Cavirin security suite uses machine learning to assess your cybersecurity posture and offers recommendations for improving security and compliance with security standards.

Google Cloud Security Command Center


Cloud Security Command Center helps security teams gather data, identify threats and eliminate them before they damage the company.

As the name suggests, Google Cloud SCC is a unified control panel that can integrate and manage a variety of security reports, asset inventory engines and third-party security systems from a single centralized place.

The interoperable API provided by Google Cloud SCC makes it easy to ingest security events from a variety of sources, such as Sysdig Secure (container security for cloud-native applications) or Falco (open source runtime security).

Layered Insight (Qualys)


Layered Insight (now part of Qualys Inc) is built around the concept of "embedded security". After scanning the original image for vulnerabilities using statistical analysis and CVE checks, Layered Insight replaces it with an instrumented image that includes its agent as a binary.

This agent contains runtime security instrumentation for analyzing the container's network traffic, I/O flows and application activity. In addition, it can perform extra security checks specified by the infrastructure administrator or the DevOps teams.

NeuVector


NeuVector checks container security and provides runtime protection by analyzing network activity and application behavior, building an individual security profile for each container. It can also block threats on its own, isolating suspicious activity by changing local firewall rules.

NeuVector's network integration, known as Security Mesh, is capable of deep packet inspection and Layer 7 filtering for all network connections in the service mesh.

StackRox


The StackRox container security platform aims to cover the entire lifecycle of Kubernetes applications in a cluster. Like other commercial platforms in this list, StackRox generates a runtime profile based on observed container behavior and automatically raises an alert on any deviation.

In addition, StackRox analyzes Kubernetes configuration against the Kubernetes CIS benchmark and other rulebooks to assess container compliance.

Sysdig Secure


Sysdig Secure protects applications across the entire container and Kubernetes lifecycle. It scans container images, provides runtime protection based on machine learning, performs forensics to identify vulnerabilities, blocks threats, and monitors compliance with established standards and auditing activity across microservices.

Sysdig Secure integrates with CI/CD tools such as Jenkins and controls the images pulled from Docker registries, preventing dangerous images from reaching production. It also provides comprehensive runtime security, including:

  • ML-based runtime profiling and anomaly detection;
  • runtime policies based on system events, the K8s audit API, shared community projects (FIM - file integrity monitoring; cryptojacking) and the MITRE ATT&CK framework;
  • incident response and remediation.

Tenable Container Security


Before the advent of containers, Tenable was widely known in the industry as the company behind Nessus, a popular vulnerability hunting and security auditing tool.

Tenable Container Security uses the company's computer security expertise to integrate the CI/CD pipeline with vulnerability databases, specialized malware detection packages and recommendations for resolving security threats.

Twistlock (Palo Alto Networks)


Twistlock positions itself as a platform focused on cloud services and containers. Twistlock supports various cloud providers (AWS, Azure, GCP), container orchestrators (Kubernetes, Mesosphere, OpenShift, Docker), serverless runtimes, mesh frameworks and CI/CD tools.

In addition to the usual enterprise-grade security techniques such as CI/CD pipeline integration and image scanning, Twistlock uses machine learning to generate container-specific behavior patterns and network rules.

Some time ago Twistlock was acquired by Palo Alto Networks, which also owns the Evident.io and RedLock projects. It is not yet known how these three platforms will be integrated into Palo Alto's PRISMA.

Help us build the best catalog of Kubernetes security tools!

We strive to make this catalog as complete as possible, and for that we need your help! Contact us (@sysdig) if you have a great tool in mind that deserves a place on this list, or if you find an error or outdated information.

You can also subscribe to our monthly newsletter with news from the cloud-native ecosystem and stories about interesting projects from the world of Kubernetes security.

P.S. from the translator

Also read on our blog:

Source: www.habr.com
