How to automate security compliance using Kubernetes?
2021-09-15 04:51:38 【TechWeb】
Containers and Kubernetes bring a new and distinctive perspective on security. They push teams to rethink their traditional security strategies, move away from monolithic or waterfall-style approaches, and shed the reactive, "afterthought" character that security work so often has.
Some call this trend the "shift left" mindset: security is placed at the starting point of the software development life cycle or the CI/CD pipeline. Equally important, this transformation depends heavily on automation, which lets us detect and fix problems early and often instead of waiting for a serious incident and remediating afterwards.
In this transformation, the combination of containerization and orchestration tools helps improve both security and compliance.
Wei Lien Dang, co-founder and chief strategy officer of StackRox, says, "One of the biggest advantages of a platform like Kubernetes is the ability to achieve a high degree of automation in security and compliance, greatly enhancing configurability. These automated processes and tools help IT teams accurately measure the security status and overall risk of a Kubernetes environment anytime, anywhere."
Shift-left thinking also applies to policy enforcement, which in turn improves compliance. Dang explains, "Policy enforcement is distributed across checkpoints, including the CI/CD pipeline, deployment and runtime, and the orchestration tool provides the scalability and reliability needed to match actual requirements."
Below are three key paths to raising the level of security and compliance automation through containerization and orchestration tools.
Ensure good configuration observability
Automation has become a key means of ensuring security and compliance. Specific use cases include automatically managing the container images stored in a private registry and their security policies, and integrating automated security testing into the build or continuous integration process.
Kubernetes ships with a rich set of security-related features, including role-based access control (RBAC), namespaces and more. But as noted above, relying blindly on the default configuration is unwise. Rani Osnat, vice president of corporate strategy at Aqua Security, says, "Kubernetes is a complex system with a large number of configurations and options. Some of them carry potential security hazards and can create significant risk even in their default state."
Only when these features are configured correctly can containers and orchestration tools deliver security and compliance automation. For this use case, commercial platforms built on open source projects, such as Red Hat OpenShift, often bring important benefits.
Dang also points out, "In this way, security best practices are applied automatically at every level of Kubernetes, including the cluster, namespace, deployment/service and pod levels."
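The pod level is the easiest place to see what "applying best practices automatically" looks like in practice. The following is an added example, not code from the article, StackRox or any other vendor named in it: a small policy check that applies a handful of pod-level hardening rules (host namespaces, privileged containers, privilege escalation, running as root, writable root filesystem, mutable image tags, missing limits, capabilities) to a Pod manifest, then produces a hardened copy and re-checks it. The manifest, rule names and the digest placeholder are all constructed for the example.

```python
"""Added example (not from the TechWeb article or any vendor it quotes):
a pod-level hardening check that a CI step or admission hook could run
against a Pod manifest before it reaches the cluster. The manifest and the
rule names are constructed for this example."""
import copy

# Constructed sample: a pod spec with several weak settings.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "billing-api", "namespace": "payments"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "app",
            "image": "example.internal/billing-api:latest",
            "securityContext": {"privileged": True},
        }],
    },
}


def check_pod(manifest):
    """Return a list of (rule, target, message) findings for one Pod manifest."""
    findings = []
    spec = manifest.get("spec", {})
    pod_name = manifest.get("metadata", {}).get("name", "<unnamed>")
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            findings.append(("host-namespace", pod_name, f"{field} is enabled"))
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        cname = c["name"]
        if sc.get("privileged"):
            findings.append(("privileged", cname, "container runs privileged"))
        # allowPrivilegeEscalation is true unless explicitly set to false
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(("privilege-escalation", cname, "allowPrivilegeEscalation not set to false"))
        # runAsNonRoot may be enforced at pod or container level
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(("run-as-root", cname, "runAsNonRoot not enforced"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(("writable-rootfs", cname, "root filesystem is writable"))
        # Only the last path segment carries the tag/digest; a registry port also uses ':'
        last = c.get("image", "").rsplit("/", 1)[-1]
        if last.endswith(":latest") or (":" not in last and "@" not in last):
            findings.append(("mutable-tag", cname, "image reference is mutable (latest or untagged)"))
        if "limits" not in c.get("resources", {}):
            findings.append(("no-limits", cname, "no resource limits"))
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(("capabilities", cname, "does not drop ALL capabilities"))
    return findings


def harden_pod(manifest):
    """Return a copy of the manifest with the weak settings corrected (one hardened form)."""
    hardened = copy.deepcopy(manifest)
    spec = hardened["spec"]
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        spec.pop(field, None)
    spec["securityContext"] = {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        c["securityContext"] = {
            "privileged": False,
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
        }
        c.setdefault("resources", {})["limits"] = {"cpu": "500m", "memory": "256Mi"}
        if c["image"].endswith(":latest"):
            # Placeholder digest: a real pipeline pins the digest of the image it built.
            c["image"] = c["image"][: -len(":latest")] + "@sha256:<digest-from-build>"
    return hardened


if __name__ == "__main__":
    for rule, target, msg in check_pod(WEAK_POD):
        print(f"FAIL {rule:<20} {target}: {msg}")
    print("findings after hardening:", check_pod(harden_pod(WEAK_POD)))
```

The same check function can be reused at every level Dang lists: run it over the pod templates embedded in Deployments and DaemonSets in CI, and again at admission, so a manifest that passed the pipeline cannot be silently edited into a weaker shape in the cluster.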
Improve detection and policy enforcement through automation
Just as many teams are already familiar with declarative, automated infrastructure operations, the same or similar practices can be applied to security. As noted above, this applies to container security and Kubernetes security alike.
Dang says, "These environments emphasize operating through declarative APIs, which makes it possible to implement security settings during infrastructure configuration and to provide security protection throughout application build and deployment."
In other words, the "as code" management model is being integrated with security.
Gary Duan, CTO of NeuVector, believes, "Enterprises that hope to automate Kubernetes compliance and security should, as far as possible, combine security policy as code with behavioral learning (or machine learning). This technical strategy supports the 'shift left' mindset, helps introduce workload security policies early in application development, and protects the environment across the whole production process."
Duan also shared several "should do" cases in security and compliance. The first is performing vulnerability scanning automatically at runtime. Duan notes, "When implementing Kubernetes compliance and security automation, we need to perform vulnerability scanning at runtime, not only scanning containers but also scanning the host and Kubernetes itself."
The second is automated network segmentation. In fact, network segmentation is a mandatory compliance requirement in some industries and must be enforced.
More and more enterprises need to organize and manage compliance reports, and automated network segmentation has begun to become mainstream in the compliance standards of many industries. For example, the PCI DSS security standard governing payment processing requires network segmentation and firewalling between traffic inside and outside the cardholder data environment. In Duan's view, firewall rules simply cannot be adjusted by hand fast enough to cope with the new and evolving threat landscape of container environments. "Because of that, many regulations naturally require automated runtime scanning and compliance checks in business environments."
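In Kubernetes the segmentation PCI DSS asks for is expressed as NetworkPolicy objects, and whether it actually holds can be checked by evaluating those policies rather than by reading them. The following is an added example, not from the article or NeuVector: a simplified evaluator for NetworkPolicy ingress semantics (only podSelector, namespaceSelector and policyTypes: Ingress are modeled) applied to a constructed cluster with an in-scope "cde" namespace and an out-of-scope "web" namespace. The namespace label pci-scope, the pod names and the policy names are all assumptions made for the example.

```python
"""Added example (not the article's or NeuVector's code): evaluate Kubernetes
NetworkPolicy ingress rules to verify that a cardholder data environment
(CDE) namespace is segmented from out-of-scope workloads. Cluster state and
policies are constructed inline; only podSelector, namespaceSelector and
policyTypes: Ingress are modeled (no ports, ipBlock or egress)."""

# Constructed cluster state: namespace labels and a few pods.
NAMESPACES = {
    "cde": {"pci-scope": "in"},
    "web": {"pci-scope": "out"},
}
PODS = {
    "cde/cardholder-db": {"ns": "cde", "labels": {"app": "cardholder-db"}},
    "cde/payment-gateway": {"ns": "cde", "labels": {"app": "payment-gateway"}},
    "web/frontend": {"ns": "web", "labels": {"app": "frontend"}},
}

# Constructed policies, shaped like the NetworkPolicy spec fields they mimic.
POLICIES = [
    {   # default-deny ingress for every pod in the CDE namespace
        "namespace": "cde", "name": "default-deny-ingress",
        "podSelector": {}, "policyTypes": ["Ingress"], "ingress": [],
    },
    {   # allow only the in-scope gateway to reach the cardholder database
        "namespace": "cde", "name": "allow-gateway-to-db",
        "podSelector": {"matchLabels": {"app": "cardholder-db"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "payment-gateway"}}}]}],
    },
]


def selector_matches(selector, labels):
    """An empty selector matches everything; every matchLabels pair must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, policy_ns, src):
    """NetworkPolicy 'from' peer semantics: podSelector alone is scoped to the
    policy's own namespace, namespaceSelector alone selects whole namespaces,
    and both together are ANDed."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False
    ns_ok = src["ns"] == policy_ns if ns_sel is None else selector_matches(ns_sel, NAMESPACES[src["ns"]])
    pod_ok = True if pod_sel is None else selector_matches(pod_sel, src["labels"])
    return ns_ok and pod_ok


def ingress_allowed(policies, src_name, dst_name):
    """True if traffic from src pod to dst pod is permitted by the ingress policies."""
    src, dst = PODS[src_name], PODS[dst_name]
    selecting = [p for p in policies
                 if p["namespace"] == dst["ns"] and "Ingress" in p["policyTypes"]
                 and selector_matches(p["podSelector"], dst["labels"])]
    if not selecting:
        return True  # no policy selects the pod: Kubernetes defaults to allow-all
    for p in selecting:
        for rule in p.get("ingress", []):
            # A rule without 'from' allows all sources; otherwise any peer may match.
            if not rule.get("from") or any(peer_matches(peer, p["namespace"], src) for peer in rule["from"]):
                return True
    return False


def namespaces_without_default_deny(policies, namespaces):
    """Namespaces lacking an empty-selector Ingress policy with no rules."""
    covered = {p["namespace"] for p in policies
               if not p["podSelector"].get("matchLabels")
               and "Ingress" in p["policyTypes"] and not p.get("ingress")}
    return sorted(set(namespaces) - covered)


def out_of_scope_reachable(policies):
    """Flows from out-of-scope pods into in-scope pods that the policies still permit."""
    def scope(pod):
        return NAMESPACES[PODS[pod]["ns"]].get("pci-scope")
    return [(s, d) for s in PODS for d in PODS
            if scope(s) == "out" and scope(d) == "in" and ingress_allowed(policies, s, d)]


if __name__ == "__main__":
    print("web/frontend -> cde/cardholder-db:", ingress_allowed(POLICIES, "web/frontend", "cde/cardholder-db"))
    print("no default deny in:", namespaces_without_default_deny(POLICIES, NAMESPACES))
    print("segmentation gaps:", out_of_scope_reachable(POLICIES))
    print("gaps with no policies at all:", out_of_scope_reachable([]))
```

Running `out_of_scope_reachable` on every change to the policy set (in CI, or from a controller watching NetworkPolicy objects) turns the segmentation requirement into a check that fails the moment someone adds an over-broad allow rule or deletes the default-deny policy.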
Kubernetes Operators are a new tool in the field of security automation. Kirsten Newcomer, security strategist at Red Hat, explains, "The cool thing is that you can use Kubernetes Operators to manage Kubernetes itself, which makes it easier to deliver and automate security deployments. For example, an operator can efficiently manage configuration drift, using Kubernetes' declarative mechanisms to reset unsupported configuration changes."
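The mechanism Newcomer describes is the reconcile loop: an operator reads a declared state, compares it with what is observed, and patches anything that has drifted back to the declared values. The following added example, which is not Red Hat's or any real operator's code, shows that loop against a fake in-memory cluster. The ClusterHardening resource kind, the component flag names it carries and the FakeCluster API are constructed for the example, not a real CRD or client library.

```python
"""Added example (not from the article or Red Hat): the reconcile pattern an
operator uses to correct configuration drift. A desired state declared in a
constructed custom resource is compared with the observed state of a fake
cluster, and every drifted field is reset to the declared value."""

# Constructed custom resource: what the operator is told the config must be.
DESIRED = {
    "kind": "ClusterHardening",  # hypothetical CRD kind
    "spec": {
        "apiserver": {"anonymous-auth": "false", "audit-log-path": "/var/log/kube-audit.log"},
        "kubelet": {"read-only-port": "0", "protect-kernel-defaults": "true"},
    },
}

# Constructed observed state of a cluster that has drifted from the declaration.
INITIAL_STATE = {
    "apiserver": {"anonymous-auth": "true"},
    "kubelet": {"read-only-port": "10255", "protect-kernel-defaults": "true", "max-pods": "110"},
}


class FakeCluster:
    """Stand-in for the Kubernetes API: component flags held as plain dicts."""

    def __init__(self, state):
        self.state = {k: dict(v) for k, v in state.items()}
        self.events = []  # audit trail of patches the operator made

    def get(self, component):
        return dict(self.state[component])

    def patch(self, component, key, value):
        self.state[component][key] = value
        self.events.append(("patched", component, key, value))


def diff(desired, observed):
    """Fields whose observed value is missing or differs from the declared value."""
    return {k: (observed.get(k), v) for k, v in desired.items() if observed.get(k) != v}


def reconcile(cluster, resource):
    """One reconcile pass: read observed state, reset every drifted declared field.
    Fields the resource does not declare (e.g. max-pods) are left alone."""
    corrected = []
    for component, wanted in resource["spec"].items():
        for key, (observed, wanted_value) in diff(wanted, cluster.get(component)).items():
            cluster.patch(component, key, wanted_value)
            corrected.append((component, key, observed, wanted_value))
    return corrected


def run_loop(cluster, resource, drift_events):
    """Simulate the controller loop: an initial pass, then for each out-of-band
    change (component, key, value) apply it and reconcile again.
    Returns the corrections made in each pass."""
    history = [reconcile(cluster, resource)]
    for component, key, value in drift_events:
        cluster.state[component][key] = value  # manual edit behind the operator's back
        history.append(reconcile(cluster, resource))
    return history


if __name__ == "__main__":
    cluster = FakeCluster(INITIAL_STATE)
    drifts = [("apiserver", "anonymous-auth", "true"), ("kubelet", "max-pods", "120")]
    for n, corrections in enumerate(run_loop(cluster, DESIRED, drifts)):
        print(f"pass {n}: {corrections}")
    print("final apiserver flags:", cluster.get("apiserver"))
```

Two properties of the loop matter for compliance: it is idempotent (a pass with nothing drifted makes no changes), and it records every correction, so the `events` list doubles as evidence that unsupported changes were reverted and when.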
Test continuously against benchmarks and build an automated test system
Even when the configuration is correct, remember one thing: by design, container workloads and the infrastructure they run on are not static. These environments are highly dynamic, so security must be treated as a continuous practice.
Dang notes, "Compliance checks can also be automated; only then can we accurately evaluate how well the current environment conforms to various benchmarks and industry standards."
From a security and compliance perspective, one of the best-known standards to check (and recheck) against in a Kubernetes environment is the CIS Kubernetes Benchmark. It is a free list of roughly 200 setup and security configuration best practices.
The list is systematic and comprehensive, but that also makes it almost impossible for enterprises to check a dynamic environment against it manually on a regular basis. The good news is that off-the-shelf tools can now do this work automatically and efficiently.
kube-bench, developed by Aqua, is a free open source tool that automatically checks your environment against the CIS Kubernetes Benchmark. In fact, the CIS guidelines have become an important operational prerequisite, and Red Hat OpenShift Container Platform 4 selects partner tools for users according to these items. With kube-bench, enterprises can continuously check their security posture and ensure the cluster does not drift from compliance requirements.
NeuVector also provides a set of free open source scripts that automatically check a Kubernetes installation against best practices.
Also from Aqua is the open source kube-hunter tool, which can launch simulated attacks against the cluster based on known vulnerabilities.
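A benchmark run is only "continuous" if its results are compared with the previous run and can stop a pipeline. The following added example, which is not part of the article and is not kube-bench's code or its output format, takes two constructed runs of CIS-style check results (placeholder control ids, not real CIS numbers), summarizes them, detects regressions from PASS to FAIL, and applies a gate with a minimum score and a list of documented, time-limited exceptions. The exception ticket reference is a placeholder.

```python
"""Added example (not from the article, not kube-bench's code or result
format): turning benchmark results into a continuous compliance gate.
Two constructed runs are summarized, regressions between them are detected,
and a pass/fail decision is made against a threshold and documented
exceptions that expire."""
from datetime import date

# Constructed results; ids are placeholders, not real CIS control numbers.
PREVIOUS_RUN = [
    {"id": "X.1.1", "desc": "API server anonymous auth disabled", "status": "PASS"},
    {"id": "X.1.2", "desc": "Audit logging enabled", "status": "PASS"},
    {"id": "X.2.1", "desc": "Kubelet read-only port disabled", "status": "FAIL"},
    {"id": "X.3.1", "desc": "etcd peer TLS configured", "status": "WARN"},
]
CURRENT_RUN = [
    {"id": "X.1.1", "desc": "API server anonymous auth disabled", "status": "FAIL"},
    {"id": "X.1.2", "desc": "Audit logging enabled", "status": "PASS"},
    {"id": "X.2.1", "desc": "Kubelet read-only port disabled", "status": "FAIL"},
    {"id": "X.3.1", "desc": "etcd peer TLS configured", "status": "PASS"},
]
# Documented exceptions with an expiry date: an accepted risk, not a silent suppression.
EXCEPTIONS = {
    "X.2.1": {"reason": "legacy monitoring agent; tracked in ticket SEC-0000 (placeholder)",
              "expires": date(2021, 12, 31)},
}


def summarize(run):
    """Counts per status plus a score over scored checks (WARN is not scored)."""
    counts = {"PASS": 0, "FAIL": 0, "WARN": 0}
    for r in run:
        counts[r["status"]] += 1
    scored = counts["PASS"] + counts["FAIL"]
    score = counts["PASS"] / scored if scored else 1.0
    return {**counts, "score": round(score, 3)}


def regressions(previous, current):
    """Control ids that passed last run and fail now."""
    prev = {r["id"]: r["status"] for r in previous}
    return [r["id"] for r in current if r["status"] == "FAIL" and prev.get(r["id"]) == "PASS"]


def gate(previous, current, min_score, today):
    """Gate decision: no unexcepted regressions and score over non-excepted checks >= min_score."""
    active = {cid for cid, e in EXCEPTIONS.items() if e["expires"] >= today}
    effective = [r for r in current if r["id"] not in active]
    fails = [r["id"] for r in effective if r["status"] == "FAIL"]
    regs = [cid for cid in regressions(previous, current) if cid not in active]
    score = summarize(effective)["score"]
    return {"ok": not regs and score >= min_score, "score": score,
            "unexcepted_failures": fails, "regressions": regs,
            "expired_exceptions": sorted(set(EXCEPTIONS) - active)}


if __name__ == "__main__":
    print("previous:", summarize(PREVIOUS_RUN))
    print("current: ", summarize(CURRENT_RUN))
    print("gate today:", gate(PREVIOUS_RUN, CURRENT_RUN, 0.9, date(2021, 9, 15)))
    print("gate after exception expiry:", gate(PREVIOUS_RUN, CURRENT_RUN, 0.9, date(2022, 1, 1)))
```

Scoring only PASS and FAIL keeps manual-review items (WARN) from inflating or deflating the number, the regression list catches a single newly broken control even when the overall score is still above the threshold, and expiring exceptions forces accepted risks to be re-justified rather than forgotten.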
Osnat points out, "Where the CIS Benchmark focuses on individual settings and their impact on the overall security posture, kube-hunter complements it by running penetration tests against your cluster through dozens of known attack vectors. It simulates attacks on your cluster to verify whether it can withstand known attacks, and it offers suggested setting changes to help everyone remediate the vulnerabilities found quickly."
Finally, there is another new member of the open source camp, also from Aqua: Starboard, a security toolkit for Kubernetes.
Osnat concludes, "Starboard strives to integrate various tools into the K8s experience, including vulnerability scanners, workload auditors, benchmarks and so on. It is implemented on top of K8s CRDs (custom resource definitions) and accessed through the Kubernetes API. Users familiar with kubectl (the native K8s CLI) can easily retrieve security information from it and program against it to further raise the level of automation."