评估 Kubernetes 中 Docker 的安全性(+Rancher)
[英]Assessing the security of Docker in Kubernetes (+Rancher)
问题描述
I have assessed the security configuration of Docker containers within a Kubernetes cluster using docker-bench .
我已经使用 docker docker-bench评估了 Kubernetes 集群中 Docker 容器的安全配置。 I have noted that all Kubernetes containers such as我注意到所有 Kubernetes 容器,例如
kube-proxy
kubelet
kube-apiserver
k8s_kube-flannel_canal
k8s_POD_canal
k8s_trident-main_trident-csi
...
run as root .以root身份运行。 Is this necessary?这是必要的吗?
Furthermore, some Kubernetes containers, such as k8s_trident-main_trident , kube-proxy and kubelet ran in privileged mode.此外,一些 Kubernetes 容器,例如k8s_trident-main_trident 、 kube-proxy和kubelet以特权模式运行。 I guess this is necessary for Kubernetes to work properly.我想这是 Kubernetes 正常工作所必需的。
My question is: how do you properly assess the security configuration of Docker in Kubernetes?我的问题是:您如何正确评估 Kubernetes 中 Docker 的安全配置? I understand that most settings are covered by Kubernetes, such as CPU/memory usage, PID cgroup limit and health checks.据我所知,Kubernetes 涵盖了大多数设置,例如 CPU/内存使用、PID cgroup 限制和健康检查。 However, now I don't know if I can say anything about the security configuration of Docker when it's managed through Kubernetes and Rancher (RancherOS is also used).不过现在不知道能不能说一下Docker通过Kubernetes和Rancher(也用RancherOS)管理时的安全配置。 Reframing the previous question: what are steps/controls that should be taken to harden Docker in addition to hardening Kubernetes?重新定义上一个问题:除了强化 Kubernetes 之外,还应该采取哪些步骤/控制来强化 Docker?
1 个解决方案
解决方案1
0 2020-02-14 19:45:02
...run as root.
If some of them do, you can assume there should be quite a good reason for that.如果他们中的一些人这样做,你可以假设应该有很好的理由。 I believe that creators of kubernetes are quite familiar with the concept of least privilege principle .相信kubernetes的创建者对最小权限原则的概念都比较熟悉。 So I would say: yes, most probably it is necessary to be able to perform required operations on the node system.所以我会说:是的,很可能有必要能够在节点系统上执行所需的操作。 However it can be discussed as for example here .然而,它可以作为例子在这里讨论。
Does eg kubeadm really need root privileges ?例如kubeadm真的需要 root 权限吗? Well... to be able to perform all the required operations, yes.嗯...能够执行所有必需的操作,是的。 Compare with this answer.与此答案进行比较。
However ideas about running the whole kubernetes cluster as non-root user also arise.然而,关于以非 root 用户身份运行整个kubernetes集群的想法也出现了。 I found an interesting presentation discussing this concept.我发现一个有趣的演示文稿讨论了这个概念。
You touched really broad topic in your question and it is impossible to provide a single proper answer.您在问题中触及了非常广泛的主题,不可能提供一个正确的答案。 I would say it's rather material for an extensive blog article or even e book (compare with this one ).我会说它对于一篇广泛的博客文章甚至电子书来说都是相当重要的(与这本相比)。
Furthermore, some Kubernetes containers, such as
k8s_trident-main_trident,kube-proxyandkubeletran in privileged mode.k8s_trident-main_trident、kube-proxy和kubelet以特权模式运行。 I guess this is necessary for Kubernetes to work properly.
If you want your containers to be able to perform also certain operations on host system, privileged mode cannot be avoided.如果您希望您的容器也能够在主机系统上执行某些操作,则无法避免特权模式。
You may also want to familiarize with the following articles in official kubernetes documentation:您可能还想熟悉 kubernetes 官方文档中的以下文章:
https://kubernetes.io/docs/concepts/security/overview/ https://kubernetes.io/docs/concepts/security/overview/
https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/ https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/
I hope it helps.我希望它有帮助。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.