There are many open source security tools for Kubernetes, with different purposes and scopes.
A brief introduction to Kubernetes security tools, selected by the following aspects:
Software update security
TUF:
TUF was launched almost a decade ago as a way to build system resilience against key compromises and other attacks that can spread malware or compromise a repository. Its goals are:
to provide a framework (a set of libraries, file formats, and utilities) that can be used to secure new and existing software update systems;
to provide the means to minimize the impact of key compromises;
to be flexible enough to meet the needs of a wide variety of software update systems;
to be easy to integrate with existing software update systems.
Image scanning
Anchore:
The Anchore engine analyzes container images and enforces security checks using user-defined policies.
Beyond the regular scan of container images for known vulnerabilities in the CVE database, many additional conditions can be configured as part of an Anchore scan policy: Dockerfile checks, credential leak checks, language-specific package checks (npm, maven, etc.), and software license checks.
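As an added example (not Anchore's own code or documentation), the following Python assembles an Anchore Engine policy bundle that turns the checks listed above into enforceable rules: a CVE severity gate, two Dockerfile checks, a credential leak check and a license check. The gate, trigger and parameter names are assumed from the Anchore Engine policy gate vocabulary; confirm them against the gate list of the version you run before loading the bundle.

```python
# Added example, not Anchore's own code: gate/trigger/param names are assumed
# from the Anchore Engine policy gate vocabulary; verify against your version.

def rule(rule_id, gate, trigger, action, **params):
    """Build one policy rule; keyword params become Anchore's name/value list."""
    return {
        "id": rule_id,
        "gate": gate,
        "trigger": trigger,
        "action": action,  # STOP fails the evaluation, WARN only reports
        "params": [{"name": k, "value": v} for k, v in params.items()],
    }

def build_bundle(bundle_id="k8s-baseline"):
    """Policy bundle that maps every image to one policy with four kinds of check."""
    rules = [
        # CVE scan: stop on High/Critical vulnerabilities that have a fix
        rule("cve-high-fixable", "vulnerabilities", "package", "STOP",
             package_type="all", severity_comparison=">=",
             severity="high", fix_available="true"),
        # Dockerfile check: the effective user must not be root
        rule("no-root-user", "dockerfile", "effective_user", "STOP",
             users="root", type="blacklist"),
        # Dockerfile check: warn when the image has no HEALTHCHECK
        rule("healthcheck", "dockerfile", "instruction", "WARN",
             instruction="HEALTHCHECK", check="not_exists"),
        # Credential leak check: built-in regex for AWS access keys
        rule("aws-key-leak", "secret_scans", "content_regex_checks", "STOP",
             content_regex_name="AWS_ACCESS_KEY"),
        # Software license check: flag copyleft licenses in shipped packages
        rule("copyleft-licenses", "licenses", "blacklist_exact_match", "WARN",
             licenses="GPLv3,AGPLv3"),
    ]
    policy_id = f"{bundle_id}-policy"
    return {
        "id": bundle_id,
        "version": "1_0",
        "name": bundle_id,
        "policies": [{"id": policy_id, "version": "1_0",
                      "name": policy_id, "rules": rules}],
        "whitelists": [],
        "mappings": [{
            "name": "all-images", "registry": "*", "repository": "*",
            "image": {"type": "tag", "value": "*"},
            "policy_id": policy_id, "whitelist_ids": [],
        }],
    }
```

Serialise the result with `json.dumps(build_bundle(), indent=2)` to a file and load it with `anchore-cli policy add <file>`; the mapping applies the policy to every image tag.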
Virus scanning and removal
Dagda:
Dagda performs static analysis of known vulnerabilities, trojans, viruses, malware, and other malicious threats in container images.
Two significant features set Dagda apart from similar Kubernetes security tools:
It is integrated with ClamAV, so it works not only as a container image scanner but also as antivirus software.
Dagda provides runtime protection: it collects real-time events from the Docker daemon and can also integrate with CNCF's Falco to collect runtime container security events.
Network security
Nmap:
Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. The Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
Benefits to the ecosystem
Cloud native security has become the focus of enterprise security.
Cloud native security assessment recommendations from Gartner:
“Add Layer 7 network segmentation for operational containers that require defense in depth.”
“Secure containers holistically through integrating controls at key steps in the CI/CD pipeline.”
Shortcomings of traditional security tools:
Cannot detect container vulnerabilities
Cannot see east-west container traffic
Cannot identify container runtime attacks
Blurred security boundaries