Checking YAML file security with Kubesec
This article is based on Kubernetes 1.22.2 and the Ubuntu 18.04 Linux operating system.
| Server version | Docker version | Kubernetes (k8s) cluster version | CPU architecture |
|---|---|---|---|
| Ubuntu 18.04.5 LTS | Docker version 20.10.14 | v1.22.2 | x86_64 |
Kubernetes cluster layout: k8scludes1 is the master node; k8scludes2 and k8scludes3 are worker nodes.

| Server | OS version | CPU architecture | Processes | Role |
|---|---|---|---|---|
| k8scludes1/192.168.110.128 | Ubuntu 18.04.5 LTS | x86_64 | docker, kube-apiserver, etcd, kube-scheduler, kube-controller-manager, kubelet, kube-proxy, coredns, calico | k8s master node |
| k8scludes2/192.168.110.129 | Ubuntu 18.04.5 LTS | x86_64 | docker, kubelet, kube-proxy, calico | k8s worker node |
| k8scludes3/192.168.110.130 | Ubuntu 18.04.5 LTS | x86_64 | docker, kubelet, kube-proxy, calico | k8s worker node |
In today's cloud computing era, Kubernetes has become the de facto standard for deploying and managing containerized applications. As clusters keep growing, keeping them secure has become an important problem. YAML files are the main carrier of Kubernetes configuration, so checking the security of those files is essential to the security of the cluster. This article shows how to use the Kubesec tool to check YAML files for security issues.
The prerequisite for checking YAML files with Kubesec is a working Kubernetes cluster. For installing and deploying a Kubernetes (k8s) cluster, see the blog post "Ubuntu 安裝部署Kubernetes(k8s)集群" (Installing and deploying a Kubernetes cluster on Ubuntu): https://www.cnblogs.com/renshengdezheli/p/17632858.html .
Kubesec is an open-source Kubernetes security assessment tool developed by controlplane (controlplaneio). It helps users find and fix security problems in Kubernetes configuration files and thereby raise the security of the cluster. Kubesec analyses the configuration in a YAML file, identifies potential security risks and offers remediation advice. The official site is https://kubesec.io/ , the GitHub repository is https://github.com/controlplaneio/kubesec , and release packages can be downloaded from https://github.com/controlplaneio/kubesec/releases .
Kubesec analyses YAML files in depth against a set of security best practices and rules. It uses several techniques, including regular expressions, string matching and pattern matching, to identify insecure configuration. Kubesec also monitors the Kubernetes API to ensure that configuration files stay compatible with the API.
Use --dry-run=client to generate a YAML file for creating a pod. --dry-run simulates the run and does not actually create a pod; --dry-run=client produces less output and --dry-run=server more; -o yaml writes the result in YAML format.
The generated pod YAML is a bare-bones manifest: many security settings are left unset.
root@k8scludes1:~# kubectl run podyamlsafe --image=hub.c.163.com/library/centos:latest --image-pull-policy=IfNotPresent --dry-run=client -o yaml >podyamlsafe.yaml
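Each item in the advise list that kubesec prints for this bare manifest maps onto a field you can set. The following Python script is an added example, not code from the original post or from the Kubesec project: it takes a manifest of the same shape as the generated podyamlsafe.yaml (constructed inline), fills in every setting the scan output asks for, and prints the result as YAML so that `kubesec scan` can be re-run on it. The service-account name `podyamlsafe-sa`, the UID 10001 and the resource figures are assumptions to adjust; the seccomp setting uses the `seccompProfile` field (Kubernetes 1.19 and later) rather than the pod annotation that kubesec's selector refers to.

```python
import copy
import json

# Constructed sample: the shape of the manifest that
# `kubectl run podyamlsafe --image=... --dry-run=client -o yaml` writes.
MINIMAL_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "podyamlsafe", "labels": {"run": "podyamlsafe"}},
    "spec": {
        "containers": [{
            "name": "podyamlsafe",
            "image": "hub.c.163.com/library/centos:latest",
            "imagePullPolicy": "IfNotPresent",
            "resources": {},
        }],
        "dnsPolicy": "ClusterFirst",
        "restartPolicy": "Always",
    },
}


def harden_pod(pod, service_account="podyamlsafe-sa", uid=10001):
    """Return a copy of `pod` with every setting kubesec's advise list asks for.
    service_account and uid are assumptions: the account must exist in the
    namespace, and the image must be able to run as that UID."""
    hardened = copy.deepcopy(pod)
    meta, spec = hardened["metadata"], hardened["spec"]

    # ServiceAccountName: a dedicated, least-privilege account instead of "default".
    spec["serviceAccountName"] = service_account
    # SeccompAny: Kubernetes 1.19+ field; kubesec's selector looks at the old pod
    # annotation, so older kubesec builds may keep listing this rule.
    spec.setdefault("securityContext", {})["seccompProfile"] = {"type": "RuntimeDefault"}

    annotations = meta.setdefault("annotations", {})
    for container in spec["containers"]:
        # ApparmorAny: per-container annotation (the mechanism in Kubernetes 1.22).
        key = "container.apparmor.security.beta.kubernetes.io/" + container["name"]
        annotations[key] = "runtime/default"
        # LimitsCPU / LimitsMemory / RequestsCPU / RequestsMemory (values are assumptions).
        container["resources"] = {
            "requests": {"cpu": "100m", "memory": "64Mi"},
            "limits": {"cpu": "500m", "memory": "128Mi"},
        }
        # CapDropAny + CapDropAll, ReadOnlyRootFilesystem, RunAsNonRoot, RunAsUser > 10000.
        container["securityContext"] = {
            "capabilities": {"drop": ["ALL"]},
            "readOnlyRootFilesystem": True,
            "runAsNonRoot": True,
            "runAsUser": uid,
            "allowPrivilegeEscalation": False,
        }
    return hardened


def _scalar(value):
    """Render a YAML scalar; strings are JSON-quoted, which YAML accepts."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if value is None:
        return "null"
    if isinstance(value, (int, float)):
        return str(value)
    if isinstance(value, dict):
        return "{}"
    if isinstance(value, list):
        return "[]"
    return json.dumps(str(value))


def to_yaml(value, indent=0):
    """Small YAML emitter for dict/list/scalar manifests, so PyYAML is not needed."""
    pad = "  " * indent
    if isinstance(value, dict):
        lines = []
        for key, item in value.items():
            if isinstance(item, (dict, list)) and item:
                lines.append(f"{pad}{key}:")
                lines.append(to_yaml(item, indent + 1))
            else:
                lines.append(f"{pad}{key}: {_scalar(item)}")
        return "\n".join(lines)
    if isinstance(value, list):
        lines = []
        for item in value:
            if isinstance(item, dict) and item:
                body = to_yaml(item, indent + 1)
                # "- " replaces the first line's padding; later lines stay aligned under it
                lines.append(pad + "- " + body[len(pad) + 2:])
            else:
                lines.append(f"{pad}- {_scalar(item)}")
        return "\n".join(lines)
    return pad + _scalar(value)


if __name__ == "__main__":
    # Redirect to podyamlsafe-hardened.yaml and re-run `kubesec scan` on that file.
    print(to_yaml(harden_pod(MINIMAL_POD)))
```

Run it as `python3 harden_pod.py > podyamlsafe-hardened.yaml` and scan the new file; the advise list should shrink to whatever the installed kubesec version still evaluates through annotations, and the score rises by the points of each rule now satisfied.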
Download the kubesec package.
root@k8scludes1:~# ll -h kubesec_linux_amd64.tar.gz
-rw-r--r-- 1 root root 3.9M Jun 18 22:27 kubesec_linux_amd64.tar.gz
Extract the package.
root@k8scludes1:~# tar xf kubesec_linux_amd64.tar.gz
root@k8scludes1:~# ll -h kubesec*
-rwxr-xr-x 1 1001 docker 11M Sep 22 2021 kubesec*
-rw-r--r-- 1 root root 3.9M Jun 18 22:27 kubesec_linux_amd64.tar.gz
Move the kubesec binary to /usr/local/bin/.
root@k8scludes1:~# mv kubesec /usr/local/bin/
Scan the YAML file with kubesec; the output is a list of suggestions for improving the pod's security.
As you can see, it gives many security recommendations, such as setting an AppArmor policy, configuring a ServiceAccount, applying a Seccomp profile to restrict system calls, and so on.
root@k8scludes1:~# kubesec scan podyamlsafe.yaml
[
{
"object": "Pod/podyamlsafe.default",
"valid": true,
"fileName": "podyamlsafe.yaml",
"message": "Passed with a score of 0 points",
"score": 0,
"scoring": {
"advise": [
{
"id": "ApparmorAny",
"selector": ".metadata .annotations .\"container.apparmor.security.beta.kubernetes.io/nginx\"",
"reason": "Well defined AppArmor policies may provide greater protection from unknown threats. WARNING: NOT PRODUCTION READY",
"points": 3
},
{
"id": "ServiceAccountName",
"selector": ".spec .serviceAccountName",
"reason": "Service accounts restrict Kubernetes API access and should be configured with least privilege",
"points": 3
},
{
"id": "SeccompAny",
"selector": ".metadata .annotations .\"container.seccomp.security.alpha.kubernetes.io/pod\"",
"reason": "Seccomp profiles set minimum privilege and secure against unknown threats",
"points": 1
},
{
"id": "LimitsCPU",
"selector": "containers[] .resources .limits .cpu",
"reason": "Enforcing CPU limits prevents DOS via resource exhaustion",
"points": 1
},
{
"id": "LimitsMemory",
"selector": "containers[] .resources .limits .memory",
"reason": "Enforcing memory limits prevents DOS via resource exhaustion",
"points": 1
},
{
"id": "RequestsCPU",
"selector": "containers[] .resources .requests .cpu",
"reason": "Enforcing CPU requests aids a fair balancing of resources across the cluster",
"points": 1
},
{
"id": "RequestsMemory",
"selector": "containers[] .resources .requests .memory",
"reason": "Enforcing memory requests aids a fair balancing of resources across the cluster",
"points": 1
},
{
"id": "CapDropAny",
"selector": "containers[] .securityContext .capabilities .drop",
"reason": "Reducing kernel capabilities available to a container limits its attack surface",
"points": 1
},
{
"id": "CapDropAll",
"selector": "containers[] .securityContext .capabilities .drop | index(\"ALL\")",
"reason": "Drop all capabilities and add only those required to reduce syscall attack surface",
"points": 1
},
{
"id": "ReadOnlyRootFilesystem",
"selector": "containers[] .securityContext .readOnlyRootFilesystem == true",
"reason": "An immutable root filesystem can prevent malicious binaries being added to PATH and increase attack cost",
"points": 1
},
{
"id": "RunAsNonRoot",
"selector": "containers[] .securityContext .runAsNonRoot == true",
"reason": "Force the running image to run as a non-root user to ensure least privilege",
"points": 1
},
{
"id": "RunAsUser",
"selector": "containers[] .securityContext .runAsUser -gt 10000",
"reason": "Run as a high-UID user to avoid conflicts with the host's user table",
"points": 1
}
]
}
}
]
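Because `kubesec scan` emits JSON, its result can be turned into a CI gate rather than read by eye. The script below is an added example, not code from the post or from the Kubesec project: it reads the scan output, lists which advise rules are still unmet, and fails when an object is invalid, scores below a threshold, has any entry in `scoring.critical` (the array kubesec uses for failing rules such as privileged containers; it does not appear above because nothing failed) or still lacks rules the team marks as mandatory. The embedded sample is an abbreviated, constructed copy of the output above; the mandatory rule set and the threshold default are assumptions.

```python
import json
import sys

# Constructed sample: an abbreviated copy (3 of the 12 advise entries) of the
# `kubesec scan podyamlsafe.yaml` output shown in the post.
SAMPLE_SCAN_OUTPUT = r'''[
  {
    "object": "Pod/podyamlsafe.default",
    "valid": true,
    "fileName": "podyamlsafe.yaml",
    "message": "Passed with a score of 0 points",
    "score": 0,
    "scoring": {
      "advise": [
        {"id": "ServiceAccountName", "selector": ".spec .serviceAccountName",
         "reason": "Service accounts restrict Kubernetes API access and should be configured with least privilege",
         "points": 3},
        {"id": "CapDropAll", "selector": "containers[] .securityContext .capabilities .drop | index(\"ALL\")",
         "reason": "Drop all capabilities and add only those required to reduce syscall attack surface",
         "points": 1},
        {"id": "RunAsNonRoot", "selector": "containers[] .securityContext .runAsNonRoot == true",
         "reason": "Force the running image to run as a non-root user to ensure least privilege",
         "points": 1}
      ]
    }
  }
]'''

# Rules the team treats as mandatory (assumption; choose your own set).
DEFAULT_REQUIRED = ("RunAsNonRoot", "CapDropAll")


def evaluate_scan(output_json, min_score=0, required=DEFAULT_REQUIRED):
    """Summarise each scanned object and decide whether it passes the gate.

    An object fails when kubesec marks it invalid, its score is below min_score,
    it has any entry in scoring.critical (kubesec's list of failing rules), or one
    of the `required` rule ids is still in advise, i.e. the setting is missing."""
    results = []
    for obj in json.loads(output_json):
        scoring = obj.get("scoring", {})
        critical = [rule["id"] for rule in scoring.get("critical", [])]
        advise = [rule["id"] for rule in scoring.get("advise", [])]
        missing = [rule_id for rule_id in required if rule_id in advise]
        passed = (bool(obj.get("valid")) and obj["score"] >= min_score
                  and not critical and not missing)
        results.append({
            "object": obj["object"],
            "score": obj["score"],
            "critical": critical,
            "advise": advise,
            "missing_required": missing,
            "passed": passed,
        })
    return results


def prioritised_advice(output_json):
    """Unmet advise rules across all objects, highest points first, so the
    biggest score gains (e.g. ServiceAccountName at 3 points) are fixed first."""
    rows = []
    for obj in json.loads(output_json):
        for rule in obj.get("scoring", {}).get("advise", []):
            rows.append((rule["id"], rule["points"], rule["reason"]))
    return sorted(rows, key=lambda row: row[1], reverse=True)


def gate(output_json, **options):
    """True only if every scanned object passes; usable as a CI exit status."""
    return all(result["passed"] for result in evaluate_scan(output_json, **options))


if __name__ == "__main__":
    # Usage: kubesec scan podyamlsafe.yaml | python3 kubesec_gate.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SCAN_OUTPUT
    for result in evaluate_scan(data):
        state = "PASS" if result["passed"] else "FAIL"
        print(f"{state} {result['object']} score={result['score']} "
              f"critical={result['critical']} missing={result['missing_required']}")
    for rule_id, points, reason in prioritised_advice(data):
        print(f"  +{points} {rule_id}: {reason}")
    sys.exit(0 if gate(data) else 1)
```

With the bare manifest above the gate fails on the two mandatory rules even though the score is 0 and nothing is critical; raising `min_score` once the manifest has been hardened keeps later edits from silently dropping settings again.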
Checking YAML file security with Kubesec is a simple and effective way to identify and fix potential security problems. Following Kubesec's remediation advice can significantly improve the security of a Kubernetes cluster.