What is Kubernetes security?

Kubernetes, also known as K8s, is an open-source container-orchestration platform for managing containerized workloads and services. Kubernetes handles container deployment and also manages the software-defined network layer that lets containers communicate with each other. The platform is portable and facilitates declarative configuration and automation.

The official Kubernetes website states: "The name Kubernetes originates from Greek, meaning helmsman or pilot. Google open-sourced the Kubernetes project in 2014. Kubernetes combines over 15 years of Google's experience running production workloads at scale with best-of-breed ideas and practices from the community."

Kubernetes plays a key role in managing the scale and complexity of containerized applications by grouping and managing the various containers that run an application. Containers are constantly being spun up and replaced, so Kubernetes will immediately swap in a container to ensure there is no downtime.

But what exactly is a container? According to Gartner, containers simplify application packaging and enable rapid application deployment. This enables platform consistency across development, testing, and staging. It also helps to accelerate builds and software releases, leading to more repeatable processes.

Why is Kubernetes security important?

Kubernetes matters because it abstracts container management and orchestration and automates tasks that humans could not manage at scale. In many ways, it is the foundational component of what DevOps teams are trying to achieve when they build continuous integration / continuous deployment (CI/CD) pipelines.

Security risks come into play when the human element is removed: analysts now trust a system to manage the environment based on a set of declarative policies and commands. To make sure this is done safely, guardrails should be implemented in Kubernetes-based applications and operations should be monitored continuously. This ensures that compliance drift or anomalous/suspicious behavior is caught and attended to.

Because of its benefits, Kubernetes has quickly become the de facto orchestration tool for many enterprise DevOps teams. As a result, cloud service providers such as AWS, Azure and GCP have released managed versions of Kubernetes (EKS, AKS, and GKE respectively), which almost entirely remove the need to manage and monitor Kubernetes nodes and clusters.

The practice of integrating security into your DevOps process is known as DevSecOps. Building security checks and guardrails into the development process is highly beneficial: it lets development teams iterate quickly without sacrificing security and compliance, and it lets teams catch issues before they reach production.

Kubernetes security challenges

Kubernetes operations can be complicated processes to secure. Done successfully, they can safely accelerate your development process in a way that does not add risk. Let's look at some of the more prominent issues that can arise when shifting security into Kubernetes operations.

Runtime monitoring

This process monitors an application at runtime (when the application is in production) to block potentially malicious activity. The challenge comes in surfacing relevant insights such as alerts and threat findings. Those findings often lack much of the context needed to investigate quickly and take appropriate action with confidence. Automating the process for continuous monitoring can increase a DevSecOps team's efficiency, but it also forces the relinquishment of some control, which can lead to security issues.

Security control configuration

Small misconfigurations can lead to big vulnerabilities. Changing a Kubernetes resource in one instance can cause those changes to be overwritten without being tracked. That can lead to unforeseen vulnerabilities even if security checks are working as they should. Version control makes it possible to quickly roll back to a previous configuration state if a vulnerability or security issue is detected.

Secure workload deployment

Securing Kubernetes containers is the biggest challenge. Of course, there are many solutions on the market that can mitigate vulnerabilities or attacks that may arise in the process. Deploying multiple containers at once can be especially difficult to secure. This would be a case for scaling up the deployment, which can also add complexity. Leveraging a single policy framework enforced across all Kubernetes workloads can ensure that risks are flagged and protect cloud deployments from malicious attacks.

Image and registry abuse

Leveraging a container image from a registry can speed along the process, but those images might contain malicious code. Indeed, when using Kubernetes containers that come from publicly available registries, tools such as vulnerability scanning must be built into the process.

Storing container images privately and leveraging vulnerability scanning can ensure that the development pipeline sees as few publicly available resources and container images as possible. Speed can also be a disadvantage, especially if teams skip the step of correlating image vulnerabilities with the container images that are actually deployed. This comparison is critical in understanding the risk posed to your network.

So, what are the most critical pieces of securing Kubernetes operations?

  • Configuration: Implement a security solution that continuously scans for and enforces correct configuration of nodes, clusters and pods.
  • Operations: Audit logs help ensure that any traffic during operation is non-malicious. Real-time forensics and analysis automation enable early detection and can significantly reduce noise.
  • Runtime: Monitoring during runtime is as critical as any security check that comes prior to deployment. This helps to keep the process secure from start to finish.

Kubernetes security best practices

What we have discussed so far should convey a very important message: Kubernetes is highly beneficial, but should be leveraged carefully and methodically. With that said, integrating best practices into Kubernetes workflows is key to learning the process and leveling up.

Use role-based access control (RBAC)

RBAC lets you configure user access and manage it efficiently as the scale and complexity of your data and user base grow. Assign products, roles, and resources so that users only have access to the information necessary for their roles. This encourages the principle of least privilege, which helps prevent users from accessing sensitive data or information unrelated to their roles.

Limit API access

APIs control the types of requests applications make to each other, how those requests are made, and the format of those requests. Because a single application can often incorporate the use of many APIs, they can introduce vulnerabilities into the development and deployment process. Therefore, it's a good idea to limit access to APIs to only the personnel that absolutely need it.

Limit SSH access

Secure Shell (SSH) helps to secure a development protocol with cryptographic security. It is essentially a shell that blankets information systems with hardened security checks. If SSH is not secured and defended properly, it can leave cloud applications and Kubernetes workloads open to vulnerability and attack, especially for public companies and systems exposed to the internet.

Keep Kubernetes up to date

This may go without saying, but the best way to ensure workloads and deployments are protected and properly containerized is to keep Kubernetes up to date. In fact, Kubernetes has a rolling update process, so users can update deployments with zero downtime by incrementally updating instances with new versions.

Perform proactive scanning and monitoring

Continuous and proactive scanning and monitoring can prevent unexpected vulnerabilities and malicious threats. In a recent Market Guide for Cloud Workload Protection Platforms, Gartner stated that workloads are becoming more granular, with shorter lifespans. Sometimes multiple iterations are deployed per week or even per day.

A proactive approach is the best way to secure these fast-changing and ephemeral workloads. Pre-deployment vulnerability management and continuous code scanning help protect cloud-based workloads from the very beginning through deployment and runtime.

Maintain proper configuration and security posture

It's imperative to maintain proper configuration of Kubernetes clusters. As with any other runtime workload, improper configuration could leave a K8s environment vulnerable to breaches. The practice of ensuring correct configuration and security is known as Kubernetes Security Posture Management (KSPM).

KSPM establishes a system for building and maintaining the strength of Kubernetes cluster defenses and ensuring they comply with internal and external security standards.
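As an added illustration (not code from the original page or any KSPM product) of both the least-privilege RBAC rule above and the configuration checks a KSPM scanner performs, the following script audits Role and Pod objects for wildcard grants, secret reads, host namespace sharing, privileged containers, root execution and unpinned images. The objects are constructed inline dicts standing in for parsed manifests; the registry name and digest are placeholders.

```python
# KSPM-style audit of Kubernetes objects (constructed example): least-privilege
# RBAC rules and hardened pod specs. Inline dicts stand in for parsed manifests.

def audit_role(role: dict) -> list[str]:
    """Flag RBAC rules that break least privilege: wildcard verbs/resources, secret reads."""
    name, findings = role["metadata"]["name"], []
    for rule in role.get("rules", []):
        verbs, resources = rule.get("verbs", []), rule.get("resources", [])
        if "*" in verbs:
            findings.append(f"{name}: wildcard verb on resources {resources}")
        if "*" in resources:
            findings.append(f"{name}: wildcard resource with verbs {verbs}")
        if "secrets" in resources and any(v in verbs for v in ("get", "list", "*")):
            findings.append(f"{name}: grants read access to secrets")
    return findings

def audit_pod(pod: dict) -> list[str]:
    """Flag pod settings a configuration scanner would reject: host namespaces,
    privileged containers, root execution, images not pinned to a digest or fixed tag."""
    name, spec, findings = pod["metadata"]["name"], pod["spec"], []
    if spec.get("hostPID") or spec.get("hostNetwork"):
        findings.append(f"{name}: shares host PID or network namespace")
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}/{c['name']}: privileged container")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{name}/{c['name']}: runAsNonRoot not set")
        image = c["image"]
        tag = image.rsplit("/", 1)[-1]  # drop registry/repo path, keep name[:tag]
        if "@sha256:" not in image and (":" not in tag or tag.endswith(":latest")):
            findings.append(f"{name}/{c['name']}: image {image} uses a floating tag")
    return findings

# Constructed samples: an over-broad and a least-privilege Role, a weak and a hardened Pod.
ROLE_TOO_BROAD = {"metadata": {"name": "ci-deployer"},
                  "rules": [{"apiGroups": [""], "resources": ["*"], "verbs": ["*"]}]}
ROLE_LEAST_PRIV = {"metadata": {"name": "ci-deployer-lp"}, "rules": [
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "patch"]}]}
POD_WEAK = {"metadata": {"name": "web"}, "spec": {"hostPID": True, "containers": [
    {"name": "app", "image": "nginx:latest", "securityContext": {"privileged": True}}]}}
POD_HARDENED = {"metadata": {"name": "web-hardened"}, "spec": {"containers": [
    {"name": "app", "image": "registry.example.internal/web@sha256:" + "0" * 64,  # placeholder digest
     "securityContext": {"privileged": False, "runAsNonRoot": True}}]}}

if __name__ == "__main__":
    for obj, fn in ((ROLE_TOO_BROAD, audit_role), (ROLE_LEAST_PRIV, audit_role),
                    (POD_WEAK, audit_pod), (POD_HARDENED, audit_pod)):
        print(obj["metadata"]["name"], fn(obj) or "OK")
```

In a real pipeline the same checks would run over manifests pulled from version control or the API server, so that a drift from the hardened form is flagged before it reaches the cluster.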
