
How to protect K8s Environment with KubeXray and its Application

2025-03-31 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/02 Report--

In this issue, the editor shows how to use KubeXray to protect a K8s environment and the applications running in it. The article is rich in content and analyzes the topic from a professional point of view; I hope you gain something from reading it.

Introduction

Most security measures are designed to keep vulnerabilities from escaping into production; earlier we also shared several articles on third-party security scanning (see the history articles). Identifying an application's risks early means you can prevent or limit its deployment to your systems (a shift-left security policy). With that knowledge and those tools, any vulnerability in a container that could cause damage can be safely held back behind your security policy fence.

But what can we do once such vulnerabilities have already escaped? How do you ensure that the containers and applications already running in Kubernetes pods still comply with your current risk assessment and policies?

Background (runtime security control)

Because most applications rely heavily on package managers and open source repositories, they are exposed to malicious or unsafe code from those sources. Imagine the software application we deliver as a pie: our own code accounts for only a small slice of it, as shown in the following figure:

Recently, the JavaScript community was furious to learn that the popular event-stream package on npm had been updated with a malicious package aimed at a Bitcoin wallet platform. In the three months before it was discovered and reported, the package was downloaded nearly 8 million times.

Although such incidents involving community package managers are not frequent, they are not unheard of either. A year earlier, npm had discovered and removed 39 malicious packages. Such packages may well have reached production before our security policy detected them.

Solution

Before introducing how to control security at runtime, let's review how common vulnerability scanning tools work, taking JFrog Xray as an example:

JFrog Xray is a universal binary analysis tool and policy engine. It scans container images, WAR packages, npm modules and other binary artifacts stored in Artifactory repositories in real time, performing a deep recursive scan that inspects every component of the application layer by layer and compares them against multiple vulnerability data sources (known vulnerability databases) to determine whether there are known vulnerabilities or license policy violations. It then attaches the relevant metadata to the scanned artifacts (Docker images, npm modules).

Analysis of Xray vulnerability scanning platform

DevOps administrators can configure policies to restrict or prevent Kubernetes from deploying these Docker images based on the level of risk the Xray scanning platform discovers. Note, however, that Xray alone can only block vulnerabilities before runtime.

To solve this problem, JFrog provides KubeXray, an open source software project that extends the security of the universal binary analysis tool Xray to Kubernetes pods at runtime.

Using the metadata that Xray generates when scanning container images, KubeXray can enforce security policy over what has already been deployed (container images and so on).

KubeXray monitors all active Kubernetes Pod resources to help you:

1. Capture newly reported risks or vulnerabilities in applications currently running in any Kubernetes pod

2. Enforce your current policies on running applications, even if the policies have changed since deployment

3. Enforce policies for running applications that Xray has not scanned and whose risk is unknown

In this way, KubeXray helps you keep control of vulnerabilities that have escaped.

What is KubeXray?

Whereas Xray detects risk and applies policy to a container image before Kubernetes deploys it to a pod, KubeXray detects risk and applies policy to Kubernetes pods that are already running or about to run.

KubeXray monitors security events from the Kubernetes API server and from Xray, and enforces the current security policy on all pods running in Kubernetes. KubeXray listens for these event streams:

1. Deployment of a new service (pod)

2. Upgrade of an existing service

3. A new license policy, such as a license type that is not allowed at runtime

4. A new security issue

When a problem is detected, KubeXray responds according to the current policy you have set. You can choose one of the following actions:

Scale down to 0. The desired state of the service is set to 0, making it inactive while it can still be queried

Delete the Kubernetes resources corresponding to the vulnerable container image

Ignore it and let the pod continue to run

KubeXray also understands the differences between Kubernetes resource types (StatefulSets and Deployments) and allows a different policy action to be applied to each.

Although KubeXray mainly extends Xray's deep-scan security to running Kubernetes pods, it also provides policy controls for pods that have not been scanned by Xray, such as container images deployed from repositories other than Artifactory. For pods that Xray has not scanned, and whose risk is therefore unknown, you can specify a separate policy action to take.

How KubeXray works

KubeXray watches every pod running in the Kubernetes cluster and uses Xray metadata (when available) to determine which security policy controls to apply.

1. For each pod on Kubernetes (running or scheduled to run), KubeXray checks the Xray metadata for vulnerabilities or license policy issues. If any risk is found, KubeXray takes the appropriate control action.

2. If any container image in a Kubernetes pod (running or scheduled) is not recognized by Xray, because it was not scanned or because it was not downloaded from Artifactory, KubeXray applies the policy currently set for unknown risk.

Whenever a policy is added or updated, or a new vulnerability is reported in Xray, KubeXray detects the change and re-checks the existing pods for problems. If any risk is found, KubeXray immediately exercises security control in accordance with the current security policy.

The figure below shows the flow of each policy action (ignore / delete / scale down) for a vulnerable pod.

As mentioned above, KubeXray applies policy actions based on the risks discovered and the policies configured by the DevOps administrator.

Policy actions are set in a values.yaml file. You can configure a policy action (scale down, delete, or ignore) for each of the following conditions:

Not scanned: deployments not scanned by Xray. You can also specify a whitelist of namespaces; deployments in those namespaces will not have security policy actions applied.

Security: deployments with security issues due to vulnerabilities.

License: deployments whose licenses do not comply with the policy.

For each of the above conditions, separate policy action settings are provided for Deployments and StatefulSets.
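To make the decision logic described above concrete (the three policy actions, the per-condition and per-resource-kind settings, the namespace whitelist, and the re-check when a new Xray report arrives), here is an added illustrative model written for this article. It is not KubeXray's own code: the policy key names, the metadata fields and the cluster data are constructed assumptions that only mirror the shape of the configuration described in the text.

```python
from dataclasses import dataclass
IGNORE, SCALEDOWN, DELETE = "ignore", "scaledown", "delete"

@dataclass
class XrayMetadata:  # constructed stand-in for the metadata Xray attaches to a scanned image
    security_issues: int = 0
    license_violations: int = 0

@dataclass
class Pod:
    name: str
    namespace: str
    kind: str   # workload kind: "Deployment" or "StatefulSet"
    image: str

# Constructed policy shaped as the article describes: one action per condition (unscanned /
# security / license) and per workload kind, plus a namespace whitelist. Key names are assumptions.
POLICY = {
    "unscanned": {"Deployment": SCALEDOWN, "StatefulSet": IGNORE,
                  "whitelistNamespaces": ["kube-system"]},
    "security": {"Deployment": DELETE, "StatefulSet": SCALEDOWN},
    "license": {"Deployment": SCALEDOWN, "StatefulSet": IGNORE},
}

def decide_action(policy, pod, meta):
    """Pick the action for one pod; meta is None when Xray knows nothing about the image."""
    if meta is None:
        if pod.namespace in policy["unscanned"]["whitelistNamespaces"]:
            return IGNORE
        return policy["unscanned"][pod.kind]
    if meta.security_issues > 0:
        return policy["security"][pod.kind]
    if meta.license_violations > 0:
        return policy["license"][pod.kind]
    return IGNORE

def apply_action(workloads, pod, action):
    """Scale down sets the desired replica count to 0; delete removes the workload."""
    if action == DELETE:
        workloads.pop(pod.name, None)
    elif action == SCALEDOWN and pod.name in workloads:
        workloads[pod.name]["replicas"] = 0

def reconcile(policy, pods, xray_db, workloads):
    """Re-evaluate every pod, as KubeXray does when a policy or an Xray report changes."""
    actions = {}
    for pod in pods:
        actions[pod.name] = decide_action(policy, pod, xray_db.get(pod.image))
        apply_action(workloads, pod, actions[pod.name])
    return actions
```

Running `reconcile` a second time after adding a finding to `xray_db` shows how a newly reported vulnerability changes the action taken against an already running workload.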

KubeXray installation and use

KubeXray is an open source software project; it can be found and installed from its GitHub repository (https://github.com/jfrog/kubexray).

To use KubeXray, you must have:

An authorized, running Artifactory service

An authorized, running Xray service

A running Kubernetes cluster

The kubectl client

The Helm client, with the Helm server (Tiller) configured

Quickly install KubeXray:

A Helm chart in the JFrog Helm repository lets you quickly install or upgrade JFrog KubeXray on a running Kubernetes cluster. To customize the KubeXray configuration, refer to the README in the GitHub repository.

After installing KubeXray, set the policy actions described earlier in values.yaml, then let JFrog KubeXray monitor your Kubernetes pods to control security vulnerabilities or license issues while the cluster is running.

Common third-party vulnerability management tools generally exercise security control only before runtime and fail to provide the corresponding control at runtime. KubeXray helps us quickly manage the security of runtime resources. As an open source project, we look forward to KubeXray continuing to gain more robust operation and features, and we welcome developers to propose improvements and submit code to the community.

The above is how the editor shares using KubeXray to protect the K8s environment and its applications; if you happen to have similar doubts, you might as well refer to the above analysis. If you want to know more, you are welcome to follow the industry information channel.
