Kubernetes: checking the security configuration of YAML manifests with kubesec
kubesec is a tool that assesses the security configuration of Kubernetes resource manifests: it validates each manifest against security configuration best practices and returns recommendations.
Official site:

Installation: move the binary onto your PATH:

```
~]# mv kubesec /usr/bin/
```
Each `id` in the output below identifies one security recommendation, and the recommended best practice for that setting is given alongside it.

Example:
```
[root@master k8s]# kubesec scan eureka.yaml
[
  {
    "object": "Ingress/eureka.ms",
    "valid": true,
    "fileName": "eureka.yaml",
    "message": "This resource kind is not supported by kubesec",
    "score": 0,
    "scoring": {}
  },
  {
    "object": "Service/eureka.ms",
    "valid": true,
    "fileName": "eureka.yaml",
    "message": "This resource kind is not supported by kubesec",
    "score": 0,
    "scoring": {}
  },
  {
    "object": "StatefulSet/eureka.ms",
    "valid": true,
    "fileName": "eureka.yaml",
    "message": "Passed with a score of 4 points",
    "score": 4,
    "scoring": {
      "passed": [
        { "id": "LimitsCPU",
          "selector": "containers[] .resources .limits .cpu",
          "reason": "Enforcing CPU limits prevents DOS via resource exhaustion",
          "points": 1 },
        { "id": "RequestsMemory",          # enforcing CPU (and memory) limits prevents DoS attacks
          "selector": "containers[] .resources .limits .memory",
          "reason": "Enforcing memory limits prevents DOS via resource exhaustion",
          "points": 1 },
        { "id": "RequestsCPU",             # requests are required so that k8s can spread resources evenly
          "selector": "containers[] .resources .requests .cpu",
          "reason": "Enforcing CPU requests aids a fair balancing of resources across the cluster",
          "points": 1 },
        { "id": "RequestsMemory",
          "selector": "containers[] .resources .requests .memory",
          "reason": "Enforcing memory requests aids a fair balancing of resources across the cluster",
          "points": 1 }
      ],
      "advise": [
        { "id": "ApparmorAny",
          "selector": ".metadata .annotations .\"container.apparmor.security.beta.kubernetes.io/nginx\"",
          "reason": "Well defined AppArmor policies may provide greater protection from unknown threats. WARNING: NOT PRODUCTION READY",
          "points": 3 },
        { "id": "ServiceAccountName",      # service account in least-privilege mode, granted only what it needs
          "selector": ".spec .serviceAccountName",
          "reason": "Service accounts restrict Kubernetes API access and should be configured with least privilege",
          "points": 3 },
        { "id": "SeccompAny",
          "selector": ".metadata .annotations .\"container.seccomp.security.alpha.kubernetes.io/pod\"",
          "reason": "Seccomp profiles set minimum privilege and secure against unknown threats",
          "points": 1 },
        { "id": "VolumeClaimAccessModeReadWriteOnce",
          "selector": ".spec .volumeClaimTemplates[] .spec .accessModes | index(\"ReadWriteOnce\")",
          "reason": "",
          "points": 1 },
        { "id": "VolumeClaimRequestsStorage",
          "selector": ".spec .volumeClaimTemplates[] .spec .resources .requests .storage",
          "reason": "",
          "points": 1 },
        { "id": "CapDropAny",
          "selector": "containers[] .securityContext .capabilities .drop",
          "reason": "Reducing kernel capabilities available to a container limits its attack surface",
          "points": 1 },
        { "id": "CapDropAll",              # Linux kernel capabilities: drop them all and add back only those actually used
          "selector": "containers[] .securityContext .capabilities .drop | index(\"ALL\")",
          "reason": "Drop all capabilities and add only those required to reduce syscall attack surface",
          "points": 1 },
        { "id": "ReadOnlyRootFilesystem",  # read-only root filesystem, stops malicious binaries being written into the system
          "selector": "containers[] .securityContext .readOnlyRootFilesystem == true",
          "reason": "An immutable root filesystem can prevent malicious binaries being added to PATH and increase attack cost",
          "points": 1 },
        { "id": "RunAsNonRoot",            # force the container to run as an ordinary user
          "selector": "containers[] .securityContext .runAsNonRoot == true",
          "reason": "Force the running image to run as a non-root user to ensure least privilege",
          "points": 1 },
        { "id": "RunAsUser",               # high UID; ordinary users run with a high UID
          "selector": "containers[] .securityContext .runAsUser -gt 10000",
          "reason": "Run as a high-UID user to avoid conflicts with the host's user table",
          "points": 1 }
      ]
    }
  }
]
```
Alternatively, run the check from a container:

```
docker run -i kubesec/kubesec scan /dev/stdin < deployment.yaml
```
Working from these findings, you can add every setting the scan recommends to your manifests.
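To make the scoring model in the output above concrete, here is an added example (not code from the original post or from the kubesec project) that re-implements the rules listed there over a pod spec. The rule ids, point values and the score formula (sum of the "passed" points plus sum of the "critical" points, which reproduces the 4 and -11 seen on this page) follow the scan output; the limits.memory rule is named `LimitsMemory` here for clarity, whereas kubesec's own output labels it `RequestsMemory`. The two pod specs are constructed samples: one mirrors the findings of the ingress DaemonSet scanned later on this page, the other applies every advised setting.

```python
"""Re-implementation of the kubesec rules listed in the scan output above.

Added example, not code from the original post or from the kubesec project.
Rule ids, points and the score formula are taken from the output shown on
this page; the pod specs below are constructed samples so the script runs
offline without kubesec or a cluster.
"""
from typing import Callable

Rule = tuple[str, int, Callable[[dict, dict], bool]]  # (id, points, predicate)


def _sec(c: dict) -> dict:
    return c.get("securityContext") or {}


def _caps_dropped(c: dict) -> list:
    return (_sec(c).get("capabilities") or {}).get("drop") or []


def _res(c: dict, kind: str) -> dict:
    return (c.get("resources") or {}).get(kind) or {}


# Critical rules fire when ANY container (or the pod spec itself) matches.
CRITICAL: list[Rule] = [
    ("HostNetwork", -9, lambda s, _c: s.get("hostNetwork") is True),
    ("AllowPrivilegeEscalation", -7,
     lambda _s, c: _sec(c).get("allowPrivilegeEscalation") is True),
]

# Advisory rules count as passed only when EVERY container satisfies them.
ADVISE: list[Rule] = [
    ("ServiceAccountName", 3, lambda s, _c: bool(s.get("serviceAccountName"))),
    ("LimitsCPU", 1, lambda _s, c: "cpu" in _res(c, "limits")),
    ("LimitsMemory", 1, lambda _s, c: "memory" in _res(c, "limits")),
    ("RequestsCPU", 1, lambda _s, c: "cpu" in _res(c, "requests")),
    ("RequestsMemory", 1, lambda _s, c: "memory" in _res(c, "requests")),
    ("CapDropAny", 1, lambda _s, c: bool(_caps_dropped(c))),
    ("CapDropAll", 1, lambda _s, c: "ALL" in _caps_dropped(c)),
    ("ReadOnlyRootFilesystem", 1,
     lambda _s, c: _sec(c).get("readOnlyRootFilesystem") is True),
    ("RunAsNonRoot", 1, lambda _s, c: _sec(c).get("runAsNonRoot") is True),
    ("RunAsUser", 1, lambda _s, c: (_sec(c).get("runAsUser") or 0) > 10000),
]


def evaluate(pod_spec: dict) -> dict:
    """Score a pod spec in the same structure as the kubesec output above."""
    containers = pod_spec.get("containers") or [{}]
    critical = [{"id": i, "points": p} for i, p, pred in CRITICAL
                if any(pred(pod_spec, c) for c in containers)]
    passed, advise = [], []
    for i, p, pred in ADVISE:
        bucket = passed if all(pred(pod_spec, c) for c in containers) else advise
        bucket.append({"id": i, "points": p})
    # Score = passed points + critical points (the advise list earns nothing yet).
    score = sum(r["points"] for r in passed) + sum(r["points"] for r in critical)
    return {"score": score,
            "scoring": {"critical": critical, "passed": passed, "advise": advise}}


# Constructed sample: hostNetwork plus privilege escalation, like the ingress DaemonSet.
WEAK_SPEC = {
    "hostNetwork": True,
    "serviceAccountName": "nginx-ingress-serviceaccount",
    "containers": [{
        "name": "nginx-ingress-controller",
        "securityContext": {"allowPrivilegeEscalation": True,
                            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}},
    }],
}

# Constructed sample: the same workload with every advised setting applied.
HARDENED_SPEC = {
    "serviceAccountName": "nginx-ingress-serviceaccount",
    "containers": [{
        "name": "nginx-ingress-controller",
        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"},
                      "requests": {"cpu": "100m", "memory": "128Mi"}},
        "securityContext": {"allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
                            "readOnlyRootFilesystem": True,
                            "runAsNonRoot": True,
                            "runAsUser": 10001},
    }],
}

if __name__ == "__main__":
    for name, spec in (("weak", WEAK_SPEC), ("hardened", HARDENED_SPEC)):
        r = evaluate(spec)
        print(f"{name}: score={r['score']}"
              f" critical={[c['id'] for c in r['scoring']['critical']]}"
              f" advise={[a['id'] for a in r['scoring']['advise']]}")
```

Running it prints -11 for the weak spec (three passed rules worth 5 points against -16 of critical findings, exactly as the DaemonSet below scores) and 12 for the hardened one with an empty advise list; the point of the exercise is that the two critical findings outweigh everything else, so `hostNetwork` and `allowPrivilegeEscalation` are the first things to remove.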
kubesec also has a built-in HTTP server that can be started directly and called remotely.

• Binary

```
[root@master k8s]# kubesec 8080 &
[1] 28463
[root@master k8s]# {"severity":"info","timestamp":"2021-07-20T21:58:28.905+0800","caller":"server/server.go:41","message":"Starting HTTP server on port 8080"}
```

• Docker container

```
docker run -d -p 8080:8080 kubesec/kubesec 8080
```
Example:

```
curl -sSX POST --data-binary @deployment.yaml
```

```
ingress]# curl -sSX POST --data-binary @ingress-controller.yaml
  { "object": "Namespace/ingress-nginx.default", "valid": true, "fileName": "API",
    "message": "This resource kind is not supported by kubesec", "score": 0, "scoring": {} },
  { "object": "ConfigMap/nginx-configuration.ingress-nginx", "valid": true, "fileName": "API",
    "message": "This resource kind is not supported by kubesec", "score": 0, "scoring": {} },
  { "object": "ConfigMap/tcp-services.ingress-nginx", "valid": true, "fileName": "API",
    "message": "This resource kind is not supported by kubesec", "score": 0, "scoring": {} },
  { "object": "ConfigMap/udp-services.ingress-nginx", "valid": true, "fileName": "API",
    "message": "This resource kind is not supported by kubesec", "score": 0, "scoring": {} },
  { "object": "ServiceAccount/nginx-ingress-serviceaccount.ingress-nginx", "valid": true, "fileName": "API",
    "message": "This resource kind is not supported by kubesec", "score": 0, "scoring": {} },
  { "object": "ClusterRole/nginx-ingress-clusterrole.default", "valid": true, "fileName": "API",
    "message": "This resource kind is not supported by kubesec", "score": 0, "scoring": {} },
  { "object": "Role/nginx-ingress-role.ingress-nginx", "valid": true, "fileName": "API",
    "message": "This resource kind is not supported by kubesec", "score": 0, "scoring": {} },
  { "object": "RoleBinding/nginx-ingress-role-nisa-binding.ingress-nginx", "valid": true, "fileName": "API",
    "message": "This resource kind is not supported by kubesec", "score": 0, "scoring": {} },
  { "object": "ClusterRoleBinding/nginx-ingress-clusterrole-nisa-binding.default", "valid": true, "fileName": "API",
    "message": "This resource kind is not supported by kubesec", "score": 0, "scoring": {} },
  {
    "object": "DaemonSet/nginx-ingress-controller.ingress-nginx",
    "valid": true,
    "fileName": "API",
    "message": "Failed with a score of -11 points",
    "score": -11,
    "scoring": {
      "critical": [
        { "id": "HostNetwork",
          "selector": ".spec .hostNetwork == true",
          "reason": "Sharing the host's network namespace permits processes in the pod to communicate with processes bound to the host's loopback adapter",
          "points": -9 },
        { "id": "AllowPrivilegeEscalation",
          "selector": "containers[] .securityContext .allowPrivilegeEscalation == true",
          "reason": "",
          "points": -7 }
      ],
      "passed": [
        { "id": "ServiceAccountName",
          "selector": ".spec .serviceAccountName",
          "reason": "Service accounts restrict Kubernetes API access and should be configured with least privilege",
          "points": 3 },
        { "id": "CapDropAny",
          "selector": "containers[] .securityContext .capabilities .drop",
          "reason": "Reducing kernel capabilities available to a container limits its attack surface",
          "points": 1 },
        { "id": "CapDropAll",
          "selector": "containers[] .securityContext .capabilities .drop | index(\"ALL\")",
          "reason": "Drop all capabilities and add only those required to reduce syscall attack surface",
          "points": 1 }
      ],
      "advise": [
        { "id": "ApparmorAny",
          "selector": ".metadata .annotations .\"container.apparmor.security.beta.kubernetes.io/nginx\"",
          "reason": "Well defined AppArmor policies may provide greater protection from unknown threats. WARNING: NOT PRODUCTION READY",
          "points": 3 },
        { "id": "SeccompAny",
          "selector": ".metadata .annotations .\"container.seccomp.security.alpha.kubernetes.io/pod\"",
          "reason": "Seccomp profiles set minimum privilege and secure against unknown threats",
          "points": 1 },
        { "id": "LimitsCPU",
          "selector": "containers[] .resources .limits .cpu",
          "reason": "Enforcing CPU limits prevents DOS via resource exhaustion",
          "points": 1 },
        { "id": "RequestsMemory",
          "selector": "containers[] .resources .limits .memory",
          "reason": "Enforcing memory limits prevents DOS via resource exhaustion",
          "points": 1 },
        { "id": "RequestsCPU",
          "selector": "containers[] .resources .requests .cpu",
          "reason": "Enforcing CPU requests aids a fair balancing of resources across the cluster",
          "points": 1 },
        { "id": "RequestsMemory",
          "selector": "containers[] .resources .requests .memory",
          "reason": "Enforcing memory requests aids a fair balancing of resources across the cluster",
          "points": 1 },
        { "id": "ReadOnlyRootFilesystem",
          "selector": "containers[] .securityContext .readOnlyRootFilesystem == true",
          "reason": "An immutable root filesystem can prevent malicious binaries being added to PATH and increase attack cost",
          "points": 1 },
        { "id": "RunAsNonRoot",
          "selector": "containers[] .securityContext .runAsNonRoot == true",
          "reason": "Force the running image to run as a non-root user to ensure least privilege",
          "points": 1 },
        { "id": "RunAsUser",
          "selector": "containers[] .securityContext .runAsUser -gt 10000",
          "reason": "Run as a high-UID user to avoid conflicts with the host's user table",
          "points": 1 }
      ]
    }
  }
]
```
As the output shows, the findings that matter are still the security issues inside the deployment (the DaemonSet's pod spec): the Namespace, ConfigMap and RBAC objects are reported as unsupported and score 0, while the workload fails with -11 because of `hostNetwork` and `allowPrivilegeEscalation`.
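Whether the report comes from `kubesec scan` or from the HTTP server, the next practical step is to gate a pipeline on it. The following added example (not code from the original post or from the kubesec project) consumes the report shape shown above, a JSON list of objects with `object`, `valid`, `message`, `score` and `scoring`, skips the unsupported kinds, and fails when a workload has any critical finding or scores below a threshold. `SAMPLE_REPORT` is a constructed, abbreviated version of the two scans on this page; the file name `kubesec_gate.py` in the usage comment is an assumption.

```python
"""CI gate over kubesec's JSON report.

Added example, not from the original post or the kubesec project. It reads
the report shape shown above, so it can sit behind
`kubesec scan file.yaml | python3 kubesec_gate.py` or behind the HTTP
server's response. SAMPLE_REPORT is a constructed, abbreviated sample.
"""
import json
import sys

UNSUPPORTED = "This resource kind is not supported by kubesec"


def gate(report: list, min_score: int = 0, fail_on_critical: bool = True) -> list:
    """Return one failure string per object that should block the pipeline."""
    failures = []
    for obj in report:
        if obj.get("message") == UNSUPPORTED:
            continue  # Service/ConfigMap/RBAC objects carry no pod spec to score
        name = obj.get("object", "<unknown>")
        if not obj.get("valid", False):
            failures.append(f"{name}: manifest rejected by kubesec")
            continue
        critical = obj.get("scoring", {}).get("critical", [])
        if fail_on_critical and critical:
            ids = ", ".join(c["id"] for c in critical)
            failures.append(f"{name}: critical findings: {ids}")
        elif obj.get("score", 0) < min_score:
            failures.append(f"{name}: score {obj['score']} below {min_score}")
    return failures


def advise_summary(report: list) -> dict:
    """Map each scored object to the rule ids it could still gain points on."""
    return {o["object"]: [a["id"] for a in o.get("scoring", {}).get("advise", [])]
            for o in report if o.get("message") != UNSUPPORTED}


# Constructed, abbreviated sample in the shape of the scan output above.
SAMPLE_REPORT = [
    {"object": "ConfigMap/nginx-configuration.ingress-nginx", "valid": True,
     "fileName": "API", "message": UNSUPPORTED, "score": 0, "scoring": {}},
    {"object": "DaemonSet/nginx-ingress-controller.ingress-nginx", "valid": True,
     "fileName": "API", "message": "Failed with a score of -11 points", "score": -11,
     "scoring": {
         "critical": [{"id": "HostNetwork", "points": -9},
                      {"id": "AllowPrivilegeEscalation", "points": -7}],
         "passed": [{"id": "ServiceAccountName", "points": 3},
                    {"id": "CapDropAll", "points": 1}],
         "advise": [{"id": "ReadOnlyRootFilesystem", "points": 1},
                    {"id": "RunAsNonRoot", "points": 1}]}},
    {"object": "StatefulSet/eureka.ms", "valid": True, "fileName": "eureka.yaml",
     "message": "Passed with a score of 4 points", "score": 4,
     "scoring": {"passed": [{"id": "LimitsCPU", "points": 1}],
                 "advise": [{"id": "RunAsNonRoot", "points": 1}]}},
]

if __name__ == "__main__":
    # Usage: kubesec scan deployment.yaml | python3 kubesec_gate.py [min_score]
    # With no piped input the constructed sample is used instead.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_REPORT
    threshold = int(sys.argv[1]) if len(sys.argv) > 1 else 0
    problems = gate(data, min_score=threshold)
    for line in problems:
        print("FAIL", line)
    for name, ids in advise_summary(data).items():
        print("ADVISE", name, ids)
    sys.exit(1 if problems else 0)
```

With the default threshold only the DaemonSet blocks the pipeline, because of its two critical findings; raising the threshold to 5 also blocks the StatefulSet that scored 4, which is how a team ratchets its minimum score up over time. The advise summary is what to hand back to the manifest author to recover the missing points.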