Translator's note: we bring to your attention the translation of an article by a senior application security engineer at the British company ASOS.com. With it he opens a series of posts on improving security in Kubernetes with seccomp. If readers like the introduction, we will follow the author and continue with his future posts on this topic.
This article is the first in a series of posts about how to build seccomp profiles in the spirit of SecDevOps, without magic and witchcraft. In Part 1, I cover the basics and the internals of using seccomp in Kubernetes.
The Kubernetes ecosystem offers many different ways to protect and isolate containers. This article is about Secure Computing Mode, also known as seccomp. Its essence is to filter the system calls that containers are allowed to use.
Why does it matter? A container is just a process running on a particular machine, and it uses the kernel like any other application. If containers could make arbitrary system calls, malware would quickly exploit that to break out of container isolation and affect other applications: intercept data, change system settings, and so on.
seccomp profiles define which system calls are allowed or denied. The container runtime loads them at container start so that the kernel can police their execution. Using such profiles lets you reduce the attack surface and limit the damage when some program inside the container (that is, your dependencies, or their dependencies) starts doing something it should not be doing.
Getting down to basics
A basic seccomp profile consists of three elements: defaultAction, architectures (or archMap) and syscalls:
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": [
    "SCMP_ARCH_X86_64",
    "SCMP_ARCH_X86",
    "SCMP_ARCH_X32"
  ],
  "syscalls": [
    {
      "names": [
        "arch_prctl",
        "sched_yield",
        "futex",
        "write",
        "mmap",
        "exit_group",
        "madvise",
        "rt_sigprocmask",
        "getpid",
        "gettid",
        "tgkill",
        "rt_sigaction",
        "read",
        "getpgrp"
      ],
      "action": "SCMP_ACT_ALLOW"
    }
  ]
}
defaultAction determines the default outcome for any system call not mentioned in the syscalls section. To keep things simple, let's focus on the two main values that will be used:
- SCMP_ACT_ERRNO - blocks the system call (the call does not run and returns an error, EPERM unless the profile says otherwise, to the caller),
- SCMP_ACT_ALLOW - allows it.
The architectures section lists the target architectures. This matters because the filter itself, installed at the kernel level, operates on system call numbers, not on the names written in the profile. The container runtime maps the names to numbers before applying the filter. The point is that the same system call can have completely different numbers depending on the architecture. For example, recvfrom (used to receive data from a socket) is number 45 in the x86_64 table but 517 in the x32 ABI table, and on 32-bit x86 it was historically reached only through the multiplexed socketcall.
The syscalls section lists system calls and specifies what to do with them. For example, you can build an allowlist by setting defaultAction to SCMP_ACT_ERRNO and assigning SCMP_ACT_ALLOW to the calls listed under syscalls. You then allow only the calls named in syscalls and deny everything else. For a denylist, invert defaultAction and the per-rule actions.
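As an added example (my code, not part of the original article), here is a small Go program that makes the semantics above concrete: it loads a profile in the JSON shape shown, reports whether it is an allowlist or a denylist, resolves the action the kernel would take for a given syscall name, and lints for names listed under two different actions or with an action that merely repeats defaultAction. The embedded profile is a cut-down version of the article's minimal one. First-match-wins resolution in Effective is this example's assumption for explaining the format; the real filter is compiled by libseccomp inside the runtime, which is why Lint treats conflicting entries as mistakes to fix rather than behaviour to rely on.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Profile mirrors the three top-level keys of a runtime seccomp profile.
type Profile struct {
	DefaultAction string   `json:"defaultAction"`
	Architectures []string `json:"architectures"`
	Syscalls      []Rule   `json:"syscalls"`
}

// Rule is one entry of the "syscalls" array: a set of names sharing an action.
type Rule struct {
	Names  []string `json:"names"`
	Action string   `json:"action"`
}

var knownActions = map[string]bool{
	"SCMP_ACT_ALLOW": true, "SCMP_ACT_ERRNO": true, "SCMP_ACT_LOG": true,
	"SCMP_ACT_KILL": true, "SCMP_ACT_KILL_PROCESS": true, "SCMP_ACT_TRAP": true,
	"SCMP_ACT_TRACE": true,
}

// Parse decodes a profile and rejects unknown action names up front; a typo
// such as SCMT_ACT_LOG would otherwise only surface when the runtime refuses
// to start the container.
func Parse(data []byte) (Profile, error) {
	var p Profile
	if err := json.Unmarshal(data, &p); err != nil {
		return p, err
	}
	if !knownActions[p.DefaultAction] {
		return p, fmt.Errorf("unknown defaultAction %q", p.DefaultAction)
	}
	for _, r := range p.Syscalls {
		if !knownActions[r.Action] {
			return p, fmt.Errorf("unknown action %q", r.Action)
		}
	}
	return p, nil
}

// Mode classifies the profile by what happens to calls that are not listed.
func (p Profile) Mode() string {
	switch p.DefaultAction {
	case "SCMP_ACT_ALLOW":
		return "denylist"
	case "SCMP_ACT_LOG":
		return "audit"
	default:
		return "allowlist"
	}
}

// Effective returns the action for a syscall name: the first rule naming it
// wins, otherwise defaultAction applies. First-match-wins is this example's
// assumption; the kernel filter is compiled by libseccomp in the runtime, so
// treat duplicate names as errors (see Lint) instead of relying on ordering.
func (p Profile) Effective(name string) string {
	for _, r := range p.Syscalls {
		for _, n := range r.Names {
			if n == name {
				return r.Action
			}
		}
	}
	return p.DefaultAction
}

// Lint reports names whose action merely repeats defaultAction (redundant)
// and names that appear under two different actions (conflicts).
func (p Profile) Lint() (redundant, conflicts []string) {
	seen := map[string]string{}
	for _, r := range p.Syscalls {
		for _, n := range r.Names {
			if r.Action == p.DefaultAction {
				redundant = append(redundant, n)
			}
			if prev, ok := seen[n]; !ok {
				seen[n] = r.Action
			} else if prev != r.Action {
				conflicts = append(conflicts, n)
			}
		}
	}
	return redundant, conflicts
}

// Cut-down version of the article's minimal allowlist, embedded so the
// program runs offline.
const minimalProfile = `{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [{"names": ["read", "write", "exit_group", "futex"], "action": "SCMP_ACT_ALLOW"}]
}`

func main() {
	p, err := Parse([]byte(minimalProfile))
	if err != nil {
		panic(err)
	}
	fmt.Println("mode:", p.Mode())
	for _, s := range []string{"write", "ptrace", "socket"} {
		fmt.Printf("%-8s -> %s\n", s, p.Effective(s))
	}
}
```

Running it prints the mode (allowlist) and, for write, ptrace and socket, the action each would get: SCMP_ACT_ALLOW for write and SCMP_ACT_ERRNO for the other two, because they fall through to defaultAction.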
Now a few words about the less obvious nuances. Note that the recommendations below assume you are deploying line-of-business applications in Kubernetes and want them to run with the least privilege possible.
1. AllowPrivilegeEscalation=amanga
The container's securityContext has a parameter AllowPrivilegeEscalation (allowPrivilegeEscalation in the YAML). When it is set to false, the container starts with the no_new_privs bit set (on).
The side effect of leaving it at true (the default) is that the container runtime applies the seccomp profile at the very start of the initialisation process. Consequently, all the system calls needed by the runtime's own set-up steps (for example setting user/group IDs, dropping certain capabilities) must be allowed in the profile.
For a container that does the trivial echo hi, the following permissions would be required:
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": [
    "SCMP_ARCH_X86_64",
    "SCMP_ARCH_X86",
    "SCMP_ARCH_X32"
  ],
  "syscalls": [
    {
      "names": [
        "arch_prctl",
        "brk",
        "capget",
        "capset",
        "chdir",
        "close",
        "execve",
        "exit_group",
        "fstat",
        "fstatfs",
        "futex",
        "getdents64",
        "getppid",
        "lstat",
        "mprotect",
        "nanosleep",
        "newfstatat",
        "openat",
        "prctl",
        "read",
        "rt_sigaction",
        "statfs",
        "setgid",
        "setgroups",
        "setuid",
        "stat",
        "uname",
        "write"
      ],
      "action": "SCMP_ACT_ALLOW"
    }
  ]
}
...instead of these:
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": [
    "SCMP_ARCH_X86_64",
    "SCMP_ARCH_X86",
    "SCMP_ARCH_X32"
  ],
  "syscalls": [
    {
      "names": [
        "arch_prctl",
        "brk",
        "close",
        "execve",
        "exit_group",
        "futex",
        "mprotect",
        "nanosleep",
        "stat",
        "write"
      ],
      "action": "SCMP_ACT_ALLOW"
    }
  ]
}
But again, why is this a problem? Personally, I would avoid allowing the following system calls (unless there is a genuine need for them): capset, set_tid_address, setgid, setgroups and setuid. The real issue, however, is that by allowing calls made by processes over which you have no control at all, you tie your profiles to the container runtime's implementation. In other words, one day you may find that after a runtime update (by you or, more likely, by your cloud provider) the containers suddenly stop working.
Tip #1: Run containers with AllowPrivilegeEscalation=false. This shrinks seccomp profiles and makes them less sensitive to changes in the container runtime environment.
2. Set seccomp profiles at the container level
A seccomp profile can be set at the pod level:
annotations:
  seccomp.security.alpha.kubernetes.io/pod: "localhost/profile.json"
...or at the container level:
annotations:
  container.seccomp.security.alpha.kubernetes.io/<container-name>: "localhost/profile.json"
(A localhost/ path is resolved relative to the kubelet's seccomp root, /var/lib/kubelet/seccomp by default, so the profile file has to exist on the node.)
Note that the syntax above will change once seccomp in Kubernetes graduates from alpha (it has since: these annotations were replaced by the securityContext.seccompProfile field, GA from Kubernetes 1.19).
Few people know that Kubernetes has always had a bug: a profile set at the pod level is also applied to the pod's pause (infrastructure) container. The problem is that this container always starts with AllowPrivilegeEscalation=true, which leads to the problems described in section 1, and this cannot be changed.
By applying seccomp profiles at the container level, you avoid this trap and can build a profile tailored to a specific container. This will have to be done until the developers fix the bug and a new version (maybe 1.18?) becomes available to everyone.
Tip #2: Set seccomp profiles at the container level.
In practice, this rule is often the universal answer to the question: "Why does my seccomp profile work with docker run but not after deploying to a Kubernetes cluster?"
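A complete manifest that puts Tips #1 and #2 together, added here as an illustration rather than taken from the article. The container name (echo), the image (busybox:1.31) and the profile file name (echo-hi.json) are assumptions; the profile file must already exist on the node under the kubelet's seccomp root.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: echo-hi
  annotations:
    # Container-level profile, keyed by container name (the alpha annotation
    # syntax used in this article). A "localhost/" path is resolved relative
    # to the kubelet's seccomp root, /var/lib/kubelet/seccomp by default, so
    # the node must already have /var/lib/kubelet/seccomp/echo-hi.json.
    container.seccomp.security.alpha.kubernetes.io/echo: "localhost/echo-hi.json"
spec:
  restartPolicy: Never
  containers:
  - name: echo
    image: busybox:1.31        # assumed image
    command: ["echo", "hi"]    # runs the applet directly, no shell involved
    securityContext:
      # Tip #1: sets no_new_privs, so the runtime finishes its own
      # setuid/setgid/capset work before the filter is loaded and the
      # profile can stay as small as the second listing above.
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
# From Kubernetes 1.19 the annotation above is expressed as a field instead:
#   securityContext:
#     seccompProfile:
#       type: Localhost
#       localhostProfile: echo-hi.json
```

Apply it with kubectl apply -f and check kubectl logs echo-hi: if the profile is missing a call the runtime or echo needs, the pod fails with an error from the runtime rather than printing hi, which is exactly the failure mode section 7 below describes.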
3. Use runtime/default only as a last resort
Kubernetes has two built-in profile options: runtime/default and docker/default. Both are implemented by the container runtime, not by Kubernetes, so they can differ depending on which runtime is used and its version.
In other words, after a runtime change a container may end up with access to a different set of system calls, which it may or may not use. Most runtimes use the Docker default profile implementation.
The docker/default profile has been deprecated since Kubernetes 1.11, so avoid using it.
In my opinion, the runtime/default profile is perfectly suited to the purpose it was created for: protecting users from the risks of running docker run on their own machines. When it comes to enterprise applications running in Kubernetes clusters, however, I would venture to argue that such a profile is too open, and developers should focus on creating profiles for their applications (or application types).
Tip #3: Create seccomp profiles for specific applications. If that is not feasible, create profiles per application type, for example an advanced profile that covers all Golang web API applications. Use runtime/default only as a last resort.
In future posts I will show how to build seccomp profiles in the SecDevOps spirit, automate them, and test them in pipelines. In other words, you will have no excuse not to move to application-specific profiles.
4. Unconfined is NOT an option.
Unless a default profile is set in a PodSecurityPolicy (which applies cluster-wide), every pod for which no seccomp profile is defined runs with seccomp=unconfined.
Running in this mode means losing the entire isolation layer that protects the cluster. Security experts do not recommend this approach.
Tip #4: No container in the cluster should run with seccomp=unconfined, especially in production environments.
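Added example (my code, not from the article): a small audit for Tip #4 that takes the JSON of kubectl get pods -A -o json and lists every container that will run unconfined, meaning it has no container-level annotation, no pod-level annotation (or an explicit unconfined), and no seccompProfile field at either level. The field check is for Kubernetes 1.19 and later, where securityContext.seccompProfile replaced the annotations; the pod list is constructed for the example, and the precedence order (container level before pod level, field before annotation) is this example's simplification.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

const (
	podAnnotation       = "seccomp.security.alpha.kubernetes.io/pod"
	containerAnnotation = "container.seccomp.security.alpha.kubernetes.io/"
)

// Only the fields this audit needs; everything else in the PodList is ignored.
type PodList struct {
	Items []Pod `json:"items"`
}

type Pod struct {
	Metadata struct {
		Name        string            `json:"name"`
		Namespace   string            `json:"namespace"`
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
	Spec struct {
		SecurityContext *SecCtx     `json:"securityContext"`
		Containers      []Container `json:"containers"`
	} `json:"spec"`
}

type Container struct {
	Name            string  `json:"name"`
	SecurityContext *SecCtx `json:"securityContext"`
}

// SecCtx carries only the GA seccompProfile field (Kubernetes 1.19+).
type SecCtx struct {
	SeccompProfile *struct {
		Type string `json:"type"`
	} `json:"seccompProfile"`
}

func fieldProfile(sc *SecCtx) string {
	if sc == nil || sc.SeccompProfile == nil {
		return ""
	}
	return sc.SeccompProfile.Type
}

// effectiveProfile returns the first non-empty setting in this example's
// precedence order: container field, container annotation, pod field,
// pod annotation. An empty result means nothing configured the filter.
func effectiveProfile(p Pod, c Container) string {
	for _, v := range []string{
		fieldProfile(c.SecurityContext),
		p.Metadata.Annotations[containerAnnotation+c.Name],
		fieldProfile(p.Spec.SecurityContext),
		p.Metadata.Annotations[podAnnotation],
	} {
		if v != "" {
			return v
		}
	}
	return ""
}

// Unconfined lists "namespace/pod/container" for every container that ends up
// with no seccomp filter at all, sorted for stable output.
func Unconfined(list PodList) []string {
	var out []string
	for _, p := range list.Items {
		for _, c := range p.Spec.Containers {
			eff := effectiveProfile(p, c)
			if eff == "" || strings.EqualFold(eff, "unconfined") {
				out = append(out, p.Metadata.Namespace+"/"+p.Metadata.Name+"/"+c.Name)
			}
		}
	}
	sort.Strings(out)
	return out
}

// Audit decodes a PodList document and returns the unconfined containers.
func Audit(data []byte) ([]string, error) {
	var list PodList
	if err := json.Unmarshal(data, &list); err != nil {
		return nil, err
	}
	return Unconfined(list), nil
}

// Constructed PodList; not real cluster output. "web" protects only nginx,
// and "legacy" opts out explicitly.
const samplePods = `{"items": [
  {"metadata": {"name": "api", "namespace": "prod",
     "annotations": {"seccomp.security.alpha.kubernetes.io/pod": "localhost/api.json"}},
   "spec": {"containers": [{"name": "api"}]}},
  {"metadata": {"name": "web", "namespace": "prod",
     "annotations": {"container.seccomp.security.alpha.kubernetes.io/nginx": "runtime/default"}},
   "spec": {"containers": [{"name": "nginx"}, {"name": "sidecar"}]}},
  {"metadata": {"name": "batch", "namespace": "jobs"},
   "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
            "containers": [{"name": "worker"}]}},
  {"metadata": {"name": "legacy", "namespace": "prod",
     "annotations": {"seccomp.security.alpha.kubernetes.io/pod": "unconfined"}},
   "spec": {"containers": [{"name": "app"}]}}
]}`

func main() {
	found, err := Audit([]byte(samplePods))
	if err != nil {
		panic(err)
	}
	for _, f := range found {
		fmt.Println("unconfined:", f)
	}
}
```

On a live cluster, feed it the output of kubectl get pods -A -o json instead of samplePods; the sidecar case is the one that usually slips through, because a container-level annotation for one container says nothing about its neighbours in the same pod.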
5. "Audit mode"
This point is not specific to Kubernetes, but it still falls into the category of "things you should know before you start".
As it happens, building seccomp profiles has always been a challenge and has relied heavily on trial and error. The fact is that users have simply had no way to test them in production without risking "taking down" the application.
Since Linux kernel 4.14 it has been possible to run parts of a profile in audit mode, logging every matching system call to the audit log (visible via auditd or dmesg) without blocking it. This mode is selected with the SCMP_ACT_LOG action:
SCMP_ACT_LOG: seccomp does not interfere with the thread making the system call if it matches no other rule in the filter, but the system call is logged.
Here is the general strategy for using this feature:
- Allow the system calls that are required.
- Block the calls you know the program will never need.
- Log everything else.
A simplified example looks like this:
{
  "defaultAction": "SCMP_ACT_LOG",
  "architectures": [
    "SCMP_ARCH_X86_64",
    "SCMP_ARCH_X86",
    "SCMP_ARCH_X32"
  ],
  "syscalls": [
    {
      "names": [
        "arch_prctl",
        "sched_yield",
        "futex",
        "write",
        "mmap",
        "exit_group",
        "madvise",
        "rt_sigprocmask",
        "getpid",
        "gettid",
        "tgkill",
        "rt_sigaction",
        "read",
        "getpgrp"
      ],
      "action": "SCMP_ACT_ALLOW"
    },
    {
      "names": [
        "add_key",
        "keyctl",
        "ptrace"
      ],
      "action": "SCMP_ACT_ERRNO"
    }
  ]
}
But remember that you still need to block all the calls you know will not be used and that could harm the cluster. A good basis for compiling that list is the official Docker documentation.
There is a catch, though. Although SCMP_ACT_LOG has been supported by the Linux kernel since late 2017, it reached the Kubernetes ecosystem only recently. So to use this approach you need Linux kernel 4.14 and a runC release that supports SCMP_ACT_LOG. Also check that "log" is present in /proc/sys/kernel/seccomp/actions_logged on the nodes (it is by default); if an administrator has removed it, audit-mode records are silently dropped.
Tip #5: An audit-mode profile for testing in production can be created by combining an allowlist and a denylist and logging everything else.
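An added example (my code, not the author's tooling) of what to do with the records that SCMP_ACT_LOG produces, which also shows the mechanical step behind section 6's allowlisting (observed calls in, allowlist out). It parses SECCOMP audit records of the kind the kernel writes to the audit log, decodes the code= field into the action that was actually taken, groups the syscall numbers by process name, translates them through a deliberately partial x86_64 table, and emits an allowlist that excludes an explicit denylist. The audit lines are constructed for the example, and the number-to-name table covers only the numbers they use; the ptrace record carries an ERRNO code to show how a denied call shows up in the same log.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Constructed SECCOMP audit records (dmesg shows the same fields after
// "audit: type=1326"). code=0x7ffc0000 is SECCOMP_RET_LOG: the call ran and
// was only logged; code=0x50001 is SECCOMP_RET_ERRNO with errno 1 (EPERM).
// The seventh line is a 32-bit (i386) record, the last an ordinary SYSCALL
// record without a code= field, which must be ignored.
const sampleAudit = `type=SECCOMP msg=audit(1579790010.101:1001): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=4107 comm="api" exe="/app/api" sig=0 arch=c000003e syscall=41 compat=0 ip=0x4a1f2b code=0x7ffc0000
type=SECCOMP msg=audit(1579790010.102:1002): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=4107 comm="api" exe="/app/api" sig=0 arch=c000003e syscall=42 compat=0 ip=0x4a1f40 code=0x7ffc0000
type=SECCOMP msg=audit(1579790010.103:1003): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=4107 comm="api" exe="/app/api" sig=0 arch=c000003e syscall=0 compat=0 ip=0x4a1f55 code=0x7ffc0000
type=SECCOMP msg=audit(1579790010.104:1004): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=4107 comm="api" exe="/app/api" sig=0 arch=c000003e syscall=1 compat=0 ip=0x4a1f61 code=0x7ffc0000
type=SECCOMP msg=audit(1579790010.105:1005): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=4107 comm="api" exe="/app/api" sig=0 arch=c000003e syscall=101 compat=0 ip=0x4a1f7c code=0x50001
type=SECCOMP msg=audit(1579790010.106:1006): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=4107 comm="api" exe="/app/api" sig=0 arch=c000003e syscall=231 compat=0 ip=0x4a1f90 code=0x7ffc0000
type=SECCOMP msg=audit(1579790010.107:1007): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=4107 comm="api" exe="/app/api" sig=0 arch=40000003 syscall=4 compat=1 ip=0xf7f2a0 code=0x7ffc0000
type=SYSCALL msg=audit(1579790010.109:1009): arch=c000003e syscall=59 success=yes exit=0 a0=1 pid=4110 comm="sh" exe="/bin/sh"`

// Partial x86_64 (arch=c000003e) table: only the numbers the sample uses.
var x8664 = map[int]string{
	0: "read", 1: "write", 9: "mmap", 41: "socket", 42: "connect",
	59: "execve", 101: "ptrace", 231: "exit_group", 257: "openat",
}

// Event is one seccomp audit record reduced to the fields needed here.
type Event struct {
	Comm string // process name as the kernel logs it (comm=)
	Arch string // AUDIT_ARCH value in hex (arch=)
	Nr   int    // syscall number, meaningful only together with Arch
	Code uint64 // seccomp return value the filter produced (code=)
}

var reField = regexp.MustCompile(`\b(comm|arch|syscall|code)="?([^" ]*)"?`)

// ParseAudit keeps records that carry a code= field (SECCOMP records do,
// plain SYSCALL records do not) and extracts the fields above.
func ParseAudit(log string) []Event {
	var out []Event
	for _, line := range strings.Split(log, "\n") {
		if !strings.Contains(line, " code=") {
			continue
		}
		e := Event{Nr: -1}
		for _, m := range reField.FindAllStringSubmatch(line, -1) {
			switch m[1] {
			case "comm":
				e.Comm = m[2]
			case "arch":
				e.Arch = m[2]
			case "syscall":
				e.Nr, _ = strconv.Atoi(m[2])
			case "code":
				e.Code, _ = strconv.ParseUint(strings.TrimPrefix(m[2], "0x"), 16, 64)
			}
		}
		if e.Nr >= 0 {
			out = append(out, e)
		}
	}
	return out
}

// Outcome decodes the action half (upper 16 bits) of the seccomp return value.
func Outcome(code uint64) string {
	switch code & 0xffff0000 {
	case 0x7ffc0000:
		return "log"
	case 0x00050000:
		return fmt.Sprintf("errno(%d)", code&0xffff)
	case 0x00030000:
		return "trap"
	case 0x7ff00000:
		return "trace"
	case 0x80000000:
		return "kill_process"
	case 0x00000000:
		return "kill_thread"
	}
	return "unknown"
}

// Observed returns the sorted syscall names one process attempted on x86_64.
// Records from another architecture or with a number missing from the table
// are returned separately, never dropped: a lost entry here becomes a
// blocked syscall in production.
func Observed(events []Event, comm string) (names []string, unmapped []Event) {
	set := map[string]bool{}
	for _, e := range events {
		if e.Comm != comm {
			continue
		}
		name, ok := x8664[e.Nr]
		if e.Arch != "c000003e" || !ok {
			unmapped = append(unmapped, e)
			continue
		}
		set[name] = true
	}
	for n := range set {
		names = append(names, n)
	}
	sort.Strings(names)
	return names, unmapped
}

// AllowlistJSON turns observed calls into an allowlist, dropping anything in
// deny even if the process was seen attempting it. Only x86_64 is declared
// because only that table was used to map numbers to names.
func AllowlistJSON(observed, deny []string) ([]byte, error) {
	denied := map[string]bool{}
	for _, d := range deny {
		denied[d] = true
	}
	keep := []string{}
	for _, n := range observed {
		if !denied[n] {
			keep = append(keep, n)
		}
	}
	return json.MarshalIndent(map[string]interface{}{
		"defaultAction": "SCMP_ACT_ERRNO",
		"architectures": []string{"SCMP_ARCH_X86_64"},
		"syscalls":      []map[string]interface{}{{"names": keep, "action": "SCMP_ACT_ALLOW"}},
	}, "", "  ")
}

func main() {
	names, unmapped := Observed(ParseAudit(sampleAudit), "api")
	for _, e := range unmapped {
		fmt.Printf("unmapped: arch=%s syscall=%d (%s)\n", e.Arch, e.Nr, Outcome(e.Code))
	}
	out, err := AllowlistJSON(names, []string{"add_key", "keyctl", "ptrace"})
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```

Two things the output makes visible that a grep does not: the i386 record is reported as unmapped instead of being mis-translated through the wrong table (number 4 is write on i386 but stat on x86_64), and ptrace appears in the observed set even though it was denied, so the denylist has to be applied explicitly before the result becomes a profile.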
6. Use allowlists
Allowlisting requires more effort, because you have to identify every call the application might need, but this approach significantly improves security:
It is strongly recommended to use an allowlisting approach, as it is both simpler and more robust. A denylist has to be updated whenever a potentially dangerous system call is added (or a dangerous flag or option, if one is denylisted). Moreover, it is often possible to alter the representation of a value without altering its meaning and thereby bypass the denylist's restrictions.
For Go applications I developed a dedicated tool that goes through the application and collects all the system calls it makes. For example, for the following application:
package main

import "fmt"

func main() {
	fmt.Println("test")
}
...let's run gosystract like so:
go get github.com/pjbgf/gosystract
gosystract --template='{{- range . }}{{printf "\"%s\",\n" .Name}}{{- end}}' application-path
(on Go 1.17 and later, install it with go install github.com/pjbgf/gosystract@latest instead of go get)
...and get the following output:
"sched_yield",
"futex",
"write",
"mmap",
"exit_group",
"madvise",
"rt_sigprocmask",
"getpid",
"gettid",
"tgkill",
"rt_sigaction",
"read",
"getpgrp",
"arch_prctl",
For now this is just an example; more details about the tooling will follow.
Tip #6: Allow only the calls you really need and block everything else.
7. Get the basics right (or expect the unexpected)
The kernel enforces whatever you put in the profile, even when it is not what you intended. For example, if you block calls such as exit or exit_group, the container will not be able to terminate cleanly even for a command as simple as echo hi.
In such cases strace can help; it shows where the problem is likely to be:
sudo strace -c -p 9331
Make sure profiles contain every system call the application needs at run time.
Tip #7: Pay attention to the details and make sure all the required system calls are allowed.
This concludes the first part of the series on using seccomp in Kubernetes in the SecDevOps spirit. In the following parts we will discuss why this matters and how to automate the process.
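An added example, not from the article, of the check Tip #7 asks for: parse a strace -c summary table and diff the syscalls it names against the profile, listing the ones the profile would deny. The strace table is constructed, and the embedded profile is the article's minimal echo hi profile (the AllowPrivilegeEscalation=false variant); read, mmap and prctl are in the trace but not in that profile, so they come out as the calls that would fail.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed "strace -f -c" summary as strace prints it when the traced
// command exits; not real output. The name is always the last column, which
// is what makes the optional "errors" column harmless to parse.
const sampleStrace = `% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 40.00    0.000040          10         4           write
 30.00    0.000030          15         2           read
 20.00    0.000020          20         1         1 execve
 10.00    0.000010          10         1           exit_group
  0.00    0.000000           0         3           mmap
  0.00    0.000000           0         1           prctl
------ ----------- ----------- --------- --------- ----------------
100.00    0.000100                    12         1 total`

// The article's minimal profile for "echo hi" with AllowPrivilegeEscalation=false.
const echoProfile = `{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [{
    "names": ["arch_prctl", "brk", "close", "execve", "exit_group", "futex",
              "mprotect", "nanosleep", "stat", "write"],
    "action": "SCMP_ACT_ALLOW"
  }]
}`

type Profile struct {
	DefaultAction string `json:"defaultAction"`
	Syscalls      []struct {
		Names  []string `json:"names"`
		Action string   `json:"action"`
	} `json:"syscalls"`
}

// ParseStraceSummary returns the unique syscall names from a "strace -c"
// table, sorted. Header, rule and "total" lines are skipped.
func ParseStraceSummary(table string) []string {
	set := map[string]bool{}
	for _, line := range strings.Split(table, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 || strings.HasPrefix(f[0], "%") || strings.HasPrefix(f[0], "-") {
			continue
		}
		if name := f[len(f)-1]; name != "total" {
			set[name] = true
		}
	}
	names := make([]string, 0, len(set))
	for n := range set {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// Denied returns the observed syscalls whose effective action under the
// profile is anything other than SCMP_ACT_ALLOW (first listing wins, then
// defaultAction), so it works for allowlists and denylists alike.
func Denied(p Profile, observed []string) []string {
	action := map[string]string{}
	for _, r := range p.Syscalls {
		for _, n := range r.Names {
			if _, seen := action[n]; !seen {
				action[n] = r.Action
			}
		}
	}
	var out []string
	for _, n := range observed {
		a, ok := action[n]
		if !ok {
			a = p.DefaultAction
		}
		if a != "SCMP_ACT_ALLOW" {
			out = append(out, n)
		}
	}
	return out
}

// Check decodes the profile and returns the observed-but-denied calls.
func Check(profileJSON, straceTable string) ([]string, error) {
	var p Profile
	if err := json.Unmarshal([]byte(profileJSON), &p); err != nil {
		return nil, err
	}
	return Denied(p, ParseStraceSummary(straceTable)), nil
}

func main() {
	missing, err := Check(echoProfile, sampleStrace)
	if err != nil {
		panic(err)
	}
	if len(missing) == 0 {
		fmt.Println("profile covers every observed syscall")
		return
	}
	fmt.Println("observed but not allowed:", strings.Join(missing, ", "))
}
```

Two caveats when producing the table for real: strace -c -p PID attaches to a process that is already running, so everything it did before the attach (the execve and runtime set-up calls that section 1 is about) is missing from the summary; tracing the whole lifetime with strace -f -c -- <command> outside the container, or in a development run without the profile, gives a complete picture. And strace reports names for the architecture it traced, so a 32-bit process needs its names checked against the 32-bit table, just as the architectures section of the profile does.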
P.S. from the translator
Read also on our blog:
- "Docker container security";
- "33+ Kubernetes security tools";
- "Docker and Kubernetes in security-sensitive environments";
- "9 best Kubernetes security practices".
Source: www.habr.com