Kubernetes 检查YAML文件安全配置：kubesec

Kubernetes 检查YAML文件安全配置：kubesec

检查YAML文件安全配置：kubesec

kubesec： 是一个针对K8s资源清单文件进行安全配置评估的工具，根据安全配置最佳实践来验证并给出建议。

官网：~]# mv kubesec /usr/bin/

下面每个id给你标识了安全建议 ，下面给出了配置的最佳实践

示例：

[root@master k8s]# kubesec scan eureka.yaml [ { "object": "Ingress/eureka.ms", "valid": true, "fileName": "eureka.yaml", "message": "This resource kind is not supported by kubesec", "score": 0, "scoring": {} }, { "object": "Service/eureka.ms", "valid": true, "fileName": "eureka.yaml", "message": "This resource kind is not supported by kubesec", "score": 0, "scoring": {} }, { "object": "StatefulSet/eureka.ms", "valid": true, "fileName": "eureka.yaml", "message": "Passed with a score of 4 points", "score": 4, "scoring": { "passed": [ { "id": "LimitsCPU", "selector": "containers[] .resources .limits .cpu", "reason": "Enforcing CPU limits prevents DOS via resource exhaustion", "points": 1 }, { "id": "RequestsMemory", #强制使用cpu防止DOC攻击 "selector": "containers[] .resources .limits .memory", "reason": "Enforcing memory limits prevents DOS via resource exhaustion", "points": 1 }, { "id": "RequestsCPU", #要求配置request，为了让k8s资源更好的均匀分配 "selector": "containers[] .resources .requests .cpu", "reason": "Enforcing CPU requests aids a fair balancing of resources across the cluster", "points": 1 }, { "id": "RequestsMemory", "selector": "containers[] .resources .requests .memory", "reason": "Enforcing memory requests aids a fair balancing of resources across the cluster", "points": 1 } ], "advise": [ { "id": "ApparmorAny", "selector": ".metadata .annotations .\"container.apparmor.security.beta.kubernetes.io/nginx\"", "reason": "Well defined AppArmor policies may provide greater protection from unknown threats. WARNING: NOT PRODUCTION READY", "points": 3 }, { "id": "ServiceAccountName", #服务账号使用最小特权模式，针对性的去授权 "selector": ".spec .serviceAccountName", "reason": "Service accounts restrict Kubernetes API access and should be configured with least privilege", "points": 3 }, { "id": "SeccompAny", "selector": ".metadata .annotations .\"container.seccomp.security.alpha.kubernetes.io/pod\"", "reason": "Seccomp profiles set minimum privilege and secure against unknown threats", "points": 1 }, { "id": "VolumeClaimAccessModeReadWriteOnce", "selector": ".spec .volumeClaimTemplates[] .spec .accessModes | index(\"ReadWriteOnce\")", "reason": "", "points": 1 }, { "id": "VolumeClaimRequestsStorage", "selector": ".spec .volumeClaimTemplates[] .spec .resources .requests .storage", "reason": "", "points": 1 }, { "id": "CapDropAny", "selector": "containers[] .securityContext .capabilities .drop", "reason": "Reducing kernel capabilities available to a container limits its attack surface", "points": 1 }, { "id": "CapDropAll", #配置linux内核的使用能力，删除所有的linux内核能力，只添加使用到的那些 "selector": "containers[] .securityContext .capabilities .drop | index(\"ALL\")", "reason": "Drop all capabilities and add only those required to reduce syscall attack surface", "points": 1 }, { "id": "ReadOnlyRootFilesystem", #只读根文件系统，防止恶意的二进制程序写到系统当中 "selector": "containers[] .securityContext .readOnlyRootFilesystem == true", "reason": "An immutable root filesystem can prevent malicious binaries being added to PATH and increase attack cost", "points": 1 }, { "id": "RunAsNonRoot", #强制以普通用户去运行 "selector": "containers[] .securityContext .runAsNonRoot == true", "reason": "Force the running image to run as a non-root user to ensure least privilege", "points": 1 }, { "id": "RunAsUser", #高uid，普通用户都是高uid去运行 "selector": "containers[] .securityContext .runAsUser -gt 10000", "reason": "Run as a high-UID user to avoid conflicts with the host's user table", "points": 1 } ] } }]

或者使用容器环境执行检查

docker run -i kubesec/kubesec scan /dev/stdin < deployment.yaml

通过这些，可以将你需要配置的都给配置上

kubesec内置一个HTTP服务器，可以直接启用，远程调用

• 二进制

kubesec 8080 &

[root@master k8s]# kubesec 8080 &[1] 28463[root@master k8s]# {"severity":"info","timestamp":"2021-07-20T21:58:28.905+0800","caller":"server/server.go:41","message":"Starting HTTP server on port 8080"}

• Docker容器

docker run -d -p 8080:8080 kubesec/kubesec 8080

示例：

curl -sSX POST --data-binary @deployment.yaml ingress]# curl -sSX POST --data-binary @ingress-controller.yaml { "object": "Namespace/ingress-nginx.default", "valid": true, "fileName": "API", "message": "This resource kind is not supported by kubesec", "score": 0, "scoring": {} }, { "object": "ConfigMap/nginx-configuration.ingress-nginx", "valid": true, "fileName": "API", "message": "This resource kind is not supported by kubesec", "score": 0, "scoring": {} }, { "object": "ConfigMap/tcp-services.ingress-nginx", "valid": true, "fileName": "API", "message": "This resource kind is not supported by kubesec", "score": 0, "scoring": {} }, { "object": "ConfigMap/udp-services.ingress-nginx", "valid": true, "fileName": "API", "message": "This resource kind is not supported by kubesec", "score": 0, "scoring": {} }, { "object": "ServiceAccount/nginx-ingress-serviceaccount.ingress-nginx", "valid": true, "fileName": "API", "message": "This resource kind is not supported by kubesec", "score": 0, "scoring": {} }, { "object": "ClusterRole/nginx-ingress-clusterrole.default", "valid": true, "fileName": "API", "message": "This resource kind is not supported by kubesec", "score": 0, "scoring": {} }, { "object": "Role/nginx-ingress-role.ingress-nginx", "valid": true, "fileName": "API", "message": "This resource kind is not supported by kubesec", "score": 0, "scoring": {} }, { "object": "RoleBinding/nginx-ingress-role-nisa-binding.ingress-nginx", "valid": true, "fileName": "API", "message": "This resource kind is not supported by kubesec", "score": 0, "scoring": {} }, { "object": "ClusterRoleBinding/nginx-ingress-clusterrole-nisa-binding.default", "valid": true, "fileName": "API", "message": "This resource kind is not supported by kubesec", "score": 0, "scoring": {} }, { "object": "DaemonSet/nginx-ingress-controller.ingress-nginx", "valid": true, "fileName": "API", "message": "Failed with a score of -11 points", "score": -11, "scoring": { "critical": [ { "id": "HostNetwork", "selector": ".spec .hostNetwork == true", "reason": "Sharing the host's network namespace permits processes in the pod to communicate with processes bound to the host's loopback adapter", "points": -9 }, { "id": "AllowPrivilegeEscalation", "selector": "containers[] .securityContext .allowPrivilegeEscalation == true", "reason": "", "points": -7 } ], "passed": [ { "id": "ServiceAccountName", "selector": ".spec .serviceAccountName", "reason": "Service accounts restrict Kubernetes API access and should be configured with least privilege", "points": 3 }, { "id": "CapDropAny", "selector": "containers[] .securityContext .capabilities .drop", "reason": "Reducing kernel capabilities available to a container limits its attack surface", "points": 1 }, { "id": "CapDropAll", "selector": "containers[] .securityContext .capabilities .drop | index(\"ALL\")", "reason": "Drop all capabilities and add only those required to reduce syscall attack surface", "points": 1 } ], "advise": [ { "id": "ApparmorAny", "selector": ".metadata .annotations .\"container.apparmor.security.beta.kubernetes.io/nginx\"", "reason": "Well defined AppArmor policies may provide greater protection from unknown threats. WARNING: NOT PRODUCTION READY", "points": 3 }, { "id": "SeccompAny", "selector": ".metadata .annotations .\"container.seccomp.security.alpha.kubernetes.io/pod\"", "reason": "Seccomp profiles set minimum privilege and secure against unknown threats", "points": 1 }, { "id": "LimitsCPU", "selector": "containers[] .resources .limits .cpu", "reason": "Enforcing CPU limits prevents DOS via resource exhaustion", "points": 1 }, { "id": "RequestsMemory", "selector": "containers[] .resources .limits .memory", "reason": "Enforcing memory limits prevents DOS via resource exhaustion", "points": 1 }, { "id": "RequestsCPU", "selector": "containers[] .resources .requests .cpu", "reason": "Enforcing CPU requests aids a fair balancing of resources across the cluster", "points": 1 }, { "id": "RequestsMemory", "selector": "containers[] .resources .requests .memory", "reason": "Enforcing memory requests aids a fair balancing of resources across the cluster", "points": 1 }, { "id": "ReadOnlyRootFilesystem", "selector": "containers[] .securityContext .readOnlyRootFilesystem == true", "reason": "An immutable root filesystem can prevent malicious binaries being added to PATH and increase attack cost", "points": 1 }, { "id": "RunAsNonRoot", "selector": "containers[] .securityContext .runAsNonRoot == true", "reason": "Force the running image to run as a non-root user to ensure least privilege", "points": 1 }, { "id": "RunAsUser", "selector": "containers[] .securityContext .runAsUser -gt 10000", "reason": "Run as a high-UID user to avoid conflicts with the host's user table", "points": 1 } ] } }]

可以看到涉及到的还是deployment当中的安全问题。

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。