【Elasticsearch】ElasticSearch 7.8 多字段权重排序

MCS-51单片机指令系统总结(自学笔记)

  返回  

Kubernetes 检查YAML文件安全配置:kubesec

2021/7/20 22:16:38 浏览:
检查YAML文件安全配置:kubesec
kubesec: 是一个针对K8s资源清单文件进行安全配置评估的工具,根据安全配置最佳实践来验证并给出建议。
官网:https://kubesec.io
项目地址:https://github.com/controlplaneio/kubesec
[root@master ~]# mv kubesec /usr/bin/

下面每个id给你标识了安全建议 ,下面给出了配置的最佳实践

示例:

[root@master k8s]# kubesec scan eureka.yaml 
[
  {
    "object": "Ingress/eureka.ms",
    "valid": true,
    "fileName": "eureka.yaml",
    "message": "This resource kind is not supported by kubesec",
    "score": 0,
    "scoring": {}
  },
  {
    "object": "Service/eureka.ms",
    "valid": true,
    "fileName": "eureka.yaml",
    "message": "This resource kind is not supported by kubesec",
    "score": 0,
    "scoring": {}
  },
  {
    "object": "StatefulSet/eureka.ms",
    "valid": true,
    "fileName": "eureka.yaml",
    "message": "Passed with a score of 4 points",
    "score": 4,
    "scoring": {
      "passed": [
        {
          "id": "LimitsCPU",
          "selector": "containers[] .resources .limits .cpu",
          "reason": "Enforcing CPU limits prevents DOS via resource exhaustion",
          "points": 1
        },
        {
          "id": "RequestsMemory",  #强制使用cpu防止DOC攻击
          "selector": "containers[] .resources .limits .memory",
          "reason": "Enforcing memory limits prevents DOS via resource exhaustion",
          "points": 1
        },
        {
          "id": "RequestsCPU",  #要求配置request,为了让k8s资源更好的均匀分配
          "selector": "containers[] .resources .requests .cpu",
          "reason": "Enforcing CPU requests aids a fair balancing of resources across the cluster",
          "points": 1
        },
        {
          "id": "RequestsMemory",
          "selector": "containers[] .resources .requests .memory",
          "reason": "Enforcing memory requests aids a fair balancing of resources across the cluster",
          "points": 1
        }
      ],
      "advise": [
        {
          "id": "ApparmorAny",
          "selector": ".metadata .annotations .\"container.apparmor.security.beta.kubernetes.io/nginx\"",
          "reason": "Well defined AppArmor policies may provide greater protection from unknown threats. WARNING: NOT PRODUCTION READY",
          "points": 3
        },
        {
          "id": "ServiceAccountName",   #服务账号使用最小特权模式,针对性的去授权
          "selector": ".spec .serviceAccountName",
          "reason": "Service accounts restrict Kubernetes API access and should be configured with least privilege",
          "points": 3
        },
        {
          "id": "SeccompAny",
          "selector": ".metadata .annotations .\"container.seccomp.security.alpha.kubernetes.io/pod\"",
          "reason": "Seccomp profiles set minimum privilege and secure against unknown threats",
          "points": 1
        },
        {
          "id": "VolumeClaimAccessModeReadWriteOnce",
          "selector": ".spec .volumeClaimTemplates[] .spec .accessModes | index(\"ReadWriteOnce\")",
          "reason": "",
          "points": 1
        },
        {
          "id": "VolumeClaimRequestsStorage",
          "selector": ".spec .volumeClaimTemplates[] .spec .resources .requests .storage",
          "reason": "",
          "points": 1
        },
        {
          "id": "CapDropAny",
          "selector": "containers[] .securityContext .capabilities .drop",
          "reason": "Reducing kernel capabilities available to a container limits its attack surface",
          "points": 1
        },
        {
          "id": "CapDropAll",  #配置linux内核的使用能力,删除所有的linux内核能力,只添加使用到的那些
          "selector": "containers[] .securityContext .capabilities .drop | index(\"ALL\")",
          "reason": "Drop all capabilities and add only those required to reduce syscall attack surface",
          "points": 1
        },
        {
          "id": "ReadOnlyRootFilesystem", #只读根文件系统,防止恶意的二进制程序写到系统当中
          "selector": "containers[] .securityContext .readOnlyRootFilesystem == true",
          "reason": "An immutable root filesystem can prevent malicious binaries being added to PATH and increase attack cost",
          "points": 1
        },
        {
          "id": "RunAsNonRoot",  #强制以普通用户去运行
          "selector": "containers[] .securityContext .runAsNonRoot == true",
          "reason": "Force the running image to run as a non-root user to ensure least privilege",
          "points": 1
        },
        {
          "id": "RunAsUser",  #高uid,普通用户都是高uid去运行
          "selector": "containers[] .securityContext .runAsUser -gt 10000",
          "reason": "Run as a high-UID user to avoid conflicts with the host's user table",
          "points": 1
        }
      ]
    }
  }
]

 或者使用容器环境执行检查

docker run -i kubesec/kubesec scan /dev/stdin < deployment.yaml

通过这些,可以将你需要配置的都给配置上

kubesec内置一个HTTP服务器,可以直接启用,远程调用


二进制
kubesec http 8080 &
[root@master k8s]# kubesec http 8080 &
[1] 28463
[root@master k8s]# {"severity":"info","timestamp":"2021-07-20T21:58:28.905+0800","caller":"server/server.go:41","message":"Starting HTTP server on port 8080"}

Docker容器

docker run -d -p 8080:8080 kubesec/kubesec http 8080

示例:
curl -sSX POST --data-binary @deployment.yaml http://192.168.31.71:8080/scan
[root@master ingress]# curl -sSX POST --data-binary @ingress-controller.yaml http://localhost:8080/scan
[
  {
    "object": "Namespace/ingress-nginx.default",
    "valid": true,
    "fileName": "API",
    "message": "This resource kind is not supported by kubesec",
    "score": 0,
    "scoring": {}
  },
  {
    "object": "ConfigMap/nginx-configuration.ingress-nginx",
    "valid": true,
    "fileName": "API",
    "message": "This resource kind is not supported by kubesec",
    "score": 0,
    "scoring": {}
  },
  {
    "object": "ConfigMap/tcp-services.ingress-nginx",
    "valid": true,
    "fileName": "API",
    "message": "This resource kind is not supported by kubesec",
    "score": 0,
    "scoring": {}
  },
  {
    "object": "ConfigMap/udp-services.ingress-nginx",
    "valid": true,
    "fileName": "API",
    "message": "This resource kind is not supported by kubesec",
    "score": 0,
    "scoring": {}
  },
  {
    "object": "ServiceAccount/nginx-ingress-serviceaccount.ingress-nginx",
    "valid": true,
    "fileName": "API",
    "message": "This resource kind is not supported by kubesec",
    "score": 0,
    "scoring": {}
  },
  {
    "object": "ClusterRole/nginx-ingress-clusterrole.default",
    "valid": true,
    "fileName": "API",
    "message": "This resource kind is not supported by kubesec",
    "score": 0,
    "scoring": {}
  },
  {
    "object": "Role/nginx-ingress-role.ingress-nginx",
    "valid": true,
    "fileName": "API",
    "message": "This resource kind is not supported by kubesec",
    "score": 0,
    "scoring": {}
  },
  {
    "object": "RoleBinding/nginx-ingress-role-nisa-binding.ingress-nginx",
    "valid": true,
    "fileName": "API",
    "message": "This resource kind is not supported by kubesec",
    "score": 0,
    "scoring": {}
  },
  {
    "object": "ClusterRoleBinding/nginx-ingress-clusterrole-nisa-binding.default",
    "valid": true,
    "fileName": "API",
    "message": "This resource kind is not supported by kubesec",
    "score": 0,
    "scoring": {}
  },
  {
    "object": "DaemonSet/nginx-ingress-controller.ingress-nginx",
    "valid": true,
    "fileName": "API",
    "message": "Failed with a score of -11 points",
    "score": -11,
    "scoring": {
      "critical": [
        {
          "id": "HostNetwork",
          "selector": ".spec .hostNetwork == true",
          "reason": "Sharing the host's network namespace permits processes in the pod to communicate with processes bound to the host's loopback adapter",
          "points": -9
        },
        {
          "id": "AllowPrivilegeEscalation",
          "selector": "containers[] .securityContext .allowPrivilegeEscalation == true",
          "reason": "",
          "points": -7
        }
      ],
      "passed": [
        {
          "id": "ServiceAccountName",
          "selector": ".spec .serviceAccountName",
          "reason": "Service accounts restrict Kubernetes API access and should be configured with least privilege",
          "points": 3
        },
        {
          "id": "CapDropAny",
          "selector": "containers[] .securityContext .capabilities .drop",
          "reason": "Reducing kernel capabilities available to a container limits its attack surface",
          "points": 1
        },
        {
          "id": "CapDropAll",
          "selector": "containers[] .securityContext .capabilities .drop | index(\"ALL\")",
          "reason": "Drop all capabilities and add only those required to reduce syscall attack surface",
          "points": 1
        }
      ],
      "advise": [
        {
          "id": "ApparmorAny",
          "selector": ".metadata .annotations .\"container.apparmor.security.beta.kubernetes.io/nginx\"",
          "reason": "Well defined AppArmor policies may provide greater protection from unknown threats. WARNING: NOT PRODUCTION READY",
          "points": 3
        },
        {
          "id": "SeccompAny",
          "selector": ".metadata .annotations .\"container.seccomp.security.alpha.kubernetes.io/pod\"",
          "reason": "Seccomp profiles set minimum privilege and secure against unknown threats",
          "points": 1
        },
        {
          "id": "LimitsCPU",
          "selector": "containers[] .resources .limits .cpu",
          "reason": "Enforcing CPU limits prevents DOS via resource exhaustion",
          "points": 1
        },
        {
          "id": "RequestsMemory",
          "selector": "containers[] .resources .limits .memory",
          "reason": "Enforcing memory limits prevents DOS via resource exhaustion",
          "points": 1
        },
        {
          "id": "RequestsCPU",
          "selector": "containers[] .resources .requests .cpu",
          "reason": "Enforcing CPU requests aids a fair balancing of resources across the cluster",
          "points": 1
        },
        {
          "id": "RequestsMemory",
          "selector": "containers[] .resources .requests .memory",
          "reason": "Enforcing memory requests aids a fair balancing of resources across the cluster",
          "points": 1
        },
        {
          "id": "ReadOnlyRootFilesystem",
          "selector": "containers[] .securityContext .readOnlyRootFilesystem == true",
          "reason": "An immutable root filesystem can prevent malicious binaries being added to PATH and increase attack cost",
          "points": 1
        },
        {
          "id": "RunAsNonRoot",
          "selector": "containers[] .securityContext .runAsNonRoot == true",
          "reason": "Force the running image to run as a non-root user to ensure least privilege",
          "points": 1
        },
        {
          "id": "RunAsUser",
          "selector": "containers[] .securityContext .runAsUser -gt 10000",
          "reason": "Run as a high-UID user to avoid conflicts with the host's user table",
          "points": 1
        }
      ]
    }
  }
]

 可以看到涉及到的还是deployment当中的安全问题。

联系我们

如果您对我们的服务有兴趣,请及时和我们联系!

服务热线:18288888888
座机:18288888888
传真:
邮箱:888888@qq.com
地址:郑州市文化路红专路93号