2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article is excerpted from the book "different double 11 Technologies: cloud Native practice in Alibaba economy".
Authors:
Tang Zhimin, Senior Technical Expert, Alibaba Cloud Container Service
Wang Shengping, Senior Security Expert, Alibaba Cloud platform
Guide: from Docker images to Helm, from internal deployment to global application distribution, how can developers ensure the security of application delivery? Starting from the attack scenarios of the software supply chain, this article introduces the evolution of application delivery standards in the cloud native era and the best practices on Alibaba Cloud.
Without shipping containers, there would be no globalization. Docker and Kubernetes play a similar role in the software industry, accelerating the division of labor and the efficiency of delivery, operation and maintenance. In 2013, Docker proposed the Docker Image container packaging specification, which lets developers package an application and its dependencies into a portable image. In 2015, Google donated Kubernetes to the CNCF, further popularizing the standard for large-scale container scheduling.
With its declarative container orchestration and management system, Kubernetes shields the differences in the underlying infrastructure and makes software delivery increasingly standardized. With the large-scale adoption of cloud native technology represented by K8s, more and more containerized applications are distributed to IDCs, public clouds, the edge and other locations around the world.
In 2019, monthly image downloads from Alibaba Cloud's container image service ACR exceeded 300 million. In October of the same year, the container image category of Alibaba Cloud Marketplace was launched, and more and more enterprises began publishing and selling their software as containers. In November, all core systems of Tmall Double 11 were on the cloud. Besides hosting the internal images for Double 11, the container image service ACR also exposed internal capabilities on the cloud to support more companies in the Double 11 ecosystem.
Next, let's look at how to ensure the security of the software supply chain under containers and Kubernetes, starting with the common attack scenarios of the software supply chain.
Software supply chain attacks and typical attack scenarios
The software supply chain usually consists of three stages: the software development phase, the software delivery phase and the software usage phase.
The attacks faced at each stage are as follows:
A famous example from the software development phase is the Apple Xcode IDE incident: by injecting a malicious backdoor into Xcode and offering it for download on unofficial websites, the attacker ensured that every app compiled by developers using that Xcode was infected with the backdoor. Equally famous is the PRISM (Prism Gate) incident in the United States, in which backdoor programs were implanted in a large amount of software to carry out malicious operations such as data collection.
The software supply chain in Kubernetes falls within the same scope. Take the software usage phase as an example: this year's runc vulnerability CVE-2019-5736 stems from the way runc operates. A dynamically compiled runc running outside the container references dynamic libraries inside the container when it is triggered, so runc itself can be maliciously injected to run a malicious program. An attacker only needs to place a malicious dynamic library and a malicious program in a container image and induce the victim to download and run it; once the recipient's container environment meets the requirements, the attack is complete.
The same attack surface also exists in Kubernetes's own service components. The HTTP/2 vulnerabilities CVE-2019-9512 and CVE-2019-9514 disclosed some time ago are a good example of vulnerabilities introduced in the software development phase. They exist in the Go language's standard library, and any component that relies on that Go version (