Kubernetes CKS【18】---Supply Chain Security - Static Analysis(OPA)
Kubernetes --- 18 Security static Analysis Chain OPA
2023-09-11 14:15:45 时间
1. 介绍
static analysis CI/CD
manual check
2. Kubesec
Kubesec官网/
github:https://github.com/shyiko/kubesec
退出2格
3. OPA Conftest
4. OPA Conftest for K8s YAML
root@node1:~/cks/static-analysis/conftest/kubernetes# ls
deploy.yaml policy run.sh
root@node1:~/cks/static-analysis/conftest/kubernetes# cat deploy.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
creationTimestamp: null
labels:
app: test
name: test
spec:
replicas: 1
selector:
matchLabels:
app: test
strategy: {}
template:
metadata:
creationTimestamp: null
labels:
app: test
spec:
containers:
- image: httpd
name: httpd
resources: {}
status: {}
root@node1:~/cks/static-analysis/conftest/kubernetes# cat policy/deployment.rego
# from https://www.conftest.dev
package main
deny[msg] {
input.kind = "Deployment"
not input.spec.template.spec.securityContext.runAsNonRoot = true
msg = "Containers must not run as root"
}
deny[msg] {
input.kind = "Deployment"
not input.spec.selector.matchLabels.app
msg = "Containers must provide app label for pod selectors"
}
root@node1:~/cks/static-analysis/conftest/kubernetes# cat run.sh
docker run --rm -v $(pwd):/project openpolicyagent/conftest test deploy.yaml
#报错了
root@node1:~/cks/static-analysis/conftest/kubernetes# bash run.sh
Unable to find image 'openpolicyagent/conftest:latest' locally
latest: Pulling from openpolicyagent/conftest
540db60ca938: Already exists
c348a0913279: Pull complete
634fd801ca52: Pull complete
77bd1e540306: Pull complete
b7a9709315e9: Pull complete
Digest: sha256:209991f4471b8a3cfa3726eca9272d299ca28f9298ca19014d7ec2e6aefe07c8
Status: Downloaded newer image for openpolicyagent/conftest:latest
FAIL - deploy.yaml - main - Containers must not run as root
2 tests, 1 passed, 0 warnings, 1 failure, 0 exceptions
# 修改deploy.yaml文件
root@node1:~/cks/static-analysis/conftest/kubernetes# vim deploy.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
creationTimestamp: null
labels:
app: test
name: test
spec:
replicas: 1
selector:
matchLabels:
app: test
strategy: {}
template:
metadata:
creationTimestamp: null
labels:
app: test
spec:
securityContext: #添加此行
runAsNonRoot: true #添加此行
containers:
- image: httpd
name: httpd
resources: {}
status: {}
root@node1:~/cks/static-analysis/conftest/kubernetes# bash run.sh
2 tests, 2 passed, 0 warnings, 0 failures, 0 exceptions
#修改spec.selector.mathLabels.label
root@node1:~/cks/static-analysis/conftest/kubernetes# cat deploy.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
creationTimestamp: null
labels:
app: test
name: test
spec:
replicas: 1
selector:
matchLabels:
test: test #修改此行
strategy: {}
template:
metadata:
creationTimestamp: null
labels:
app: test
spec:
securityContext:
runAsNonRoot: true
containers:
- image: httpd
name: httpd
resources: {}
status: {}
root@node1:~/cks/static-analysis/conftest/kubernetes# bash run.sh
FAIL - deploy.yaml - main - Containers must provide app label for pod selectors
2 tests, 1 passed, 0 warnings, 1 failure, 0 exceptions
5. OPA Conftest for Dockerfile
root@node1:~/cks/static-analysis/conftest/docker# ls
Dockerfile policy/ run.sh
root@node1:~/cks/static-analysis/conftest/docker# ls policy/
base.rego commands.rego
root@node1:~/cks/static-analysis/conftest/docker# cat Dockerfile
FROM ubuntu
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y golang-go
COPY app.go .
RUN go build app.go
CMD ["./app"]
root@node1:~/cks/static-analysis/conftest/docker# cat policy/base.rego
# from https://www.conftest.dev
package main
denylist = [
"ubuntu"
]
deny[msg] {
input[i].Cmd == "from"
val := input[i].Value
contains(val[i], denylist[_])
msg = sprintf("unallowed image found %s", [val])
}
root@node1:~/cks/static-analysis/conftest/docker# cat policy/commands.rego
# from https://www.conftest.dev
package commands
denylist = [
"apk",
"apt",
"pip",
"curl",
"wget",
]
deny[msg] {
input[i].Cmd == "run"
val := input[i].Value
contains(val[_], denylist[_])
msg = sprintf("unallowed commands found %s", [val])
}
root@node1:~/cks/static-analysis/conftest/docker# cat run.sh
docker run --rm -v $(pwd):/project openpolicyagent/conftest test Dockerfile --all-namespaces
#test都未通过
root@node1:~/cks/static-analysis/conftest/docker# bash run.sh
FAIL - Dockerfile - commands - unallowed commands found ["apt-get update && apt-get install -y golang-go"]
FAIL - Dockerfile - main - unallowed image found ["ubuntu"]
2 tests, 0 passed, 0 warnings, 2 failures, 0 exceptions
#修改镜像
root@node1:~/cks/static-analysis/conftest/docker# cat Dockerfile
FROM apline #修改此行
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y golang-go
COPY app.go .
RUN go build app.go
CMD ["./app"]
#通过一个
root@node1:~/cks/static-analysis/conftest/docker# bash run.sh
FAIL - Dockerfile - commands - unallowed commands found ["apt-get update && apt-get install -y golang-go"]
2 tests, 1 passed, 0 warnings, 1 failure, 0 exceptions
#修改policy/commonds.rego删除apt
root@node1:~/cks/static-analysis/conftest/docker# cat policy/commands.rego
# from https://www.conftest.dev
package commands
denylist = [
"apk",
"pip",
"curl",
"wget",
]
deny[msg] {
input[i].Cmd == "run"
val := input[i].Value
contains(val[_], denylist[_])
msg = sprintf("unallowed commands found %s", [val])
}
#全部通过
root@node1:~/cks/static-analysis/conftest/docker# bash run.sh
2 tests, 2 passed, 0 warnings, 0 failures, 0 exceptions
相关文章
- 【云原生 | Kubernetes 系列】---CephFS和OSS
- 【云原生 | Kubernetes 系列】--- Zookeeper集群安装手册
- Kubernetes 里的 secret 最基本的用法
- kubernetes的架构
- 【云原生 | Kubernetes 系列】---Ceph Crush
- 【云原生 | Kubernetes 系列】---CephFS和OSS
- 【云原生 | Kubernetes 系列】---Ceph集群安装部署
- 【云原生 | Kubernetes 系列】---Prometheus 监控Java服务
- 【云原生 | Kubernetes 系列】---Prometheus的服务发现机制
- 【云原生 | Kubernetes 系列】---PromQL语句
- kubernetes API 访问控制之:认证
- 【云原生之kubernetes实战】使用docker作为运行时部署Kubernetes集群
- 【云原生之kubernetes实战】Kompose工具的安装使用
- Kubernetes集群Pod资源node主机定向调度策略(十五)
- 【云原生 • Kubernetes】kubernetes 核心技术 - Label 和 Selector
- 【ML on Kubernetes】第 11 章:Kubernetes 上的机器学习
- 【ML on Kubernetes】第 6 章:机器学习工程
- Kubernetes 深入理解kubernetes(一)
- Kubernetes Static Pod (静态Pod)
- Kubernetes 存储架构体系
- 【云原生 | Kubernetes 系列】--Envoy高级路由配置
- 【云原生 | Kubernetes 系列】---Prometheus 数据高可用
- 【云原生 | Kubernetes 系列】---Prometheus监控Nginx
- 【云原生 | Kubernetes 系列】---Prometheus热加载
- s24.基于 Kubernetes v1.25 (二进制) 和 Docker部署高可用集群
- a24.ansible 生产实战案例 -- 基于kubeadm安装kubernetes v1.20 -- 集群部署(一)