Kubernetes 检查YAML文件安全配置:kubesec
检查YAML文件安全配置:kubesec
kubesec:
是一个针对K8s资源清单文件进行安全配置评估的工具,根据安全配置最佳实践来验证并给出建议。
官网:https://kubesec.io
项目地址:https://github.com/controlplaneio/kubesec
[root@master ~]# mv kubesec /usr/bin/
下面每个id给你标识了安全建议 ,下面给出了配置的最佳实践
示例:
[root@master k8s]# kubesec scan eureka.yaml
[
{
"object": "Ingress/eureka.ms",
"valid": true,
"fileName": "eureka.yaml",
"message": "This resource kind is not supported by kubesec",
"score": 0,
"scoring": {}
},
{
"object": "Service/eureka.ms",
"valid": true,
"fileName": "eureka.yaml",
"message": "This resource kind is not supported by kubesec",
"score": 0,
"scoring": {}
},
{
"object": "StatefulSet/eureka.ms",
"valid": true,
"fileName": "eureka.yaml",
"message": "Passed with a score of 4 points",
"score": 4,
"scoring": {
"passed": [
{
"id": "LimitsCPU",
"selector": "containers[] .resources .limits .cpu",
"reason": "Enforcing CPU limits prevents DOS via resource exhaustion",
"points": 1
},
{
"id": "RequestsMemory", #强制使用cpu防止DOC攻击
"selector": "containers[] .resources .limits .memory",
"reason": "Enforcing memory limits prevents DOS via resource exhaustion",
"points": 1
},
{
"id": "RequestsCPU", #要求配置request,为了让k8s资源更好的均匀分配
"selector": "containers[] .resources .requests .cpu",
"reason": "Enforcing CPU requests aids a fair balancing of resources across the cluster",
"points": 1
},
{
"id": "RequestsMemory",
"selector": "containers[] .resources .requests .memory",
"reason": "Enforcing memory requests aids a fair balancing of resources across the cluster",
"points": 1
}
],
"advise": [
{
"id": "ApparmorAny",
"selector": ".metadata .annotations .\"container.apparmor.security.beta.kubernetes.io/nginx\"",
"reason": "Well defined AppArmor policies may provide greater protection from unknown threats. WARNING: NOT PRODUCTION READY",
"points": 3
},
{
"id": "ServiceAccountName", #服务账号使用最小特权模式,针对性的去授权
"selector": ".spec .serviceAccountName",
"reason": "Service accounts restrict Kubernetes API access and should be configured with least privilege",
"points": 3
},
{
"id": "SeccompAny",
"selector": ".metadata .annotations .\"container.seccomp.security.alpha.kubernetes.io/pod\"",
"reason": "Seccomp profiles set minimum privilege and secure against unknown threats",
"points": 1
},
{
"id": "VolumeClaimAccessModeReadWriteOnce",
"selector": ".spec .volumeClaimTemplates[] .spec .accessModes | index(\"ReadWriteOnce\")",
"reason": "",
"points": 1
},
{
"id": "VolumeClaimRequestsStorage",
"selector": ".spec .volumeClaimTemplates[] .spec .resources .requests .storage",
"reason": "",
"points": 1
},
{
"id": "CapDropAny",
"selector": "containers[] .securityContext .capabilities .drop",
"reason": "Reducing kernel capabilities available to a container limits its attack surface",
"points": 1
},
{
"id": "CapDropAll", #配置linux内核的使用能力,删除所有的linux内核能力,只添加使用到的那些
"selector": "containers[] .securityContext .capabilities .drop | index(\"ALL\")",
"reason": "Drop all capabilities and add only those required to reduce syscall attack surface",
"points": 1
},
{
"id": "ReadOnlyRootFilesystem", #只读根文件系统,防止恶意的二进制程序写到系统当中
"selector": "containers[] .securityContext .readOnlyRootFilesystem == true",
"reason": "An immutable root filesystem can prevent malicious binaries being added to PATH and increase attack cost",
"points": 1
},
{
"id": "RunAsNonRoot", #强制以普通用户去运行
"selector": "containers[] .securityContext .runAsNonRoot == true",
"reason": "Force the running image to run as a non-root user to ensure least privilege",
"points": 1
},
{
"id": "RunAsUser", #高uid,普通用户都是高uid去运行
"selector": "containers[] .securityContext .runAsUser -gt 10000",
"reason": "Run as a high-UID user to avoid conflicts with the host's user table",
"points": 1
}
]
}
}
]
或者使用容器环境执行检查
docker run -i kubesec/kubesec scan /dev/stdin < deployment.yaml
通过这些,可以将你需要配置的都给配置上
kubesec内置一个HTTP服务器,可以直接启用,远程调用
•
二进制
kubesec http 8080 &
[root@master k8s]# kubesec http 8080 &
[1] 28463
[root@master k8s]# {"severity":"info","timestamp":"2021-07-20T21:58:28.905+0800","caller":"server/server.go:41","message":"Starting HTTP server on port 8080"}
• Docker容器
docker run -d -p 8080:8080 kubesec/kubesec http 8080
示例:
curl -sSX POST --data-binary @deployment.yaml http://192.168.31.71:8080/scan
[root@master ingress]# curl -sSX POST --data-binary @ingress-controller.yaml http://localhost:8080/scan
[
{
"object": "Namespace/ingress-nginx.default",
"valid": true,
"fileName": "API",
"message": "This resource kind is not supported by kubesec",
"score": 0,
"scoring": {}
},
{
"object": "ConfigMap/nginx-configuration.ingress-nginx",
"valid": true,
"fileName": "API",
"message": "This resource kind is not supported by kubesec",
"score": 0,
"scoring": {}
},
{
"object": "ConfigMap/tcp-services.ingress-nginx",
"valid": true,
"fileName": "API",
"message": "This resource kind is not supported by kubesec",
"score": 0,
"scoring": {}
},
{
"object": "ConfigMap/udp-services.ingress-nginx",
"valid": true,
"fileName": "API",
"message": "This resource kind is not supported by kubesec",
"score": 0,
"scoring": {}
},
{
"object": "ServiceAccount/nginx-ingress-serviceaccount.ingress-nginx",
"valid": true,
"fileName": "API",
"message": "This resource kind is not supported by kubesec",
"score": 0,
"scoring": {}
},
{
"object": "ClusterRole/nginx-ingress-clusterrole.default",
"valid": true,
"fileName": "API",
"message": "This resource kind is not supported by kubesec",
"score": 0,
"scoring": {}
},
{
"object": "Role/nginx-ingress-role.ingress-nginx",
"valid": true,
"fileName": "API",
"message": "This resource kind is not supported by kubesec",
"score": 0,
"scoring": {}
},
{
"object": "RoleBinding/nginx-ingress-role-nisa-binding.ingress-nginx",
"valid": true,
"fileName": "API",
"message": "This resource kind is not supported by kubesec",
"score": 0,
"scoring": {}
},
{
"object": "ClusterRoleBinding/nginx-ingress-clusterrole-nisa-binding.default",
"valid": true,
"fileName": "API",
"message": "This resource kind is not supported by kubesec",
"score": 0,
"scoring": {}
},
{
"object": "DaemonSet/nginx-ingress-controller.ingress-nginx",
"valid": true,
"fileName": "API",
"message": "Failed with a score of -11 points",
"score": -11,
"scoring": {
"critical": [
{
"id": "HostNetwork",
"selector": ".spec .hostNetwork == true",
"reason": "Sharing the host's network namespace permits processes in the pod to communicate with processes bound to the host's loopback adapter",
"points": -9
},
{
"id": "AllowPrivilegeEscalation",
"selector": "containers[] .securityContext .allowPrivilegeEscalation == true",
"reason": "",
"points": -7
}
],
"passed": [
{
"id": "ServiceAccountName",
"selector": ".spec .serviceAccountName",
"reason": "Service accounts restrict Kubernetes API access and should be configured with least privilege",
"points": 3
},
{
"id": "CapDropAny",
"selector": "containers[] .securityContext .capabilities .drop",
"reason": "Reducing kernel capabilities available to a container limits its attack surface",
"points": 1
},
{
"id": "CapDropAll",
"selector": "containers[] .securityContext .capabilities .drop | index(\"ALL\")",
"reason": "Drop all capabilities and add only those required to reduce syscall attack surface",
"points": 1
}
],
"advise": [
{
"id": "ApparmorAny",
"selector": ".metadata .annotations .\"container.apparmor.security.beta.kubernetes.io/nginx\"",
"reason": "Well defined AppArmor policies may provide greater protection from unknown threats. WARNING: NOT PRODUCTION READY",
"points": 3
},
{
"id": "SeccompAny",
"selector": ".metadata .annotations .\"container.seccomp.security.alpha.kubernetes.io/pod\"",
"reason": "Seccomp profiles set minimum privilege and secure against unknown threats",
"points": 1
},
{
"id": "LimitsCPU",
"selector": "containers[] .resources .limits .cpu",
"reason": "Enforcing CPU limits prevents DOS via resource exhaustion",
"points": 1
},
{
"id": "RequestsMemory",
"selector": "containers[] .resources .limits .memory",
"reason": "Enforcing memory limits prevents DOS via resource exhaustion",
"points": 1
},
{
"id": "RequestsCPU",
"selector": "containers[] .resources .requests .cpu",
"reason": "Enforcing CPU requests aids a fair balancing of resources across the cluster",
"points": 1
},
{
"id": "RequestsMemory",
"selector": "containers[] .resources .requests .memory",
"reason": "Enforcing memory requests aids a fair balancing of resources across the cluster",
"points": 1
},
{
"id": "ReadOnlyRootFilesystem",
"selector": "containers[] .securityContext .readOnlyRootFilesystem == true",
"reason": "An immutable root filesystem can prevent malicious binaries being added to PATH and increase attack cost",
"points": 1
},
{
"id": "RunAsNonRoot",
"selector": "containers[] .securityContext .runAsNonRoot == true",
"reason": "Force the running image to run as a non-root user to ensure least privilege",
"points": 1
},
{
"id": "RunAsUser",
"selector": "containers[] .securityContext .runAsUser -gt 10000",
"reason": "Run as a high-UID user to avoid conflicts with the host's user table",
"points": 1
}
]
}
}
]
可以看到涉及到的还是deployment当中的安全问题。
目录 返回
首页