k8s部署NeuVector指南

开源云原生安全产品现状开源项目列表项目厂商链接Star类型开源时间clairQuayhttps://github.com/quay/clair8.4k镜像扫描2015-11-13trivyAquahttps://github.com/aquasecurity/trivy10.1k镜像扫描2019-04-11kube-h...

青 nih

714人浏览 · 2024-03-24 23:43:24

青 nih · 2024-03-24 23:43:24 发布

开源云原生安全产品现状

开源项目列表

项目	厂商	链接	Star	类型	开源时间
clair	Quay	https://github.com/quay/clair	8.4k	镜像扫描	2015-11-13
trivy	Aqua	https://github.com/aquasecurity/trivy	10.1k	镜像扫描	2019-04-11
kube-hunter	Aqua	https://github.com/aquasecurity/kube-hunter	3.4k	漏洞扫描	2018-07-18
kube-bench	Aqua	https://github.com/aquasecurity/kube-bench	4.5k	CIS 安全基线	2017-06-19
starboard	Aqua	https://github.com/aquasecurity/starboard	968	Dashboard	2020-03-17
tracee	Aqua	https://github.com/aquasecurity/tracee	1.5k	基于 eBPF 的系统事件追踪	2019-09-18
anchore-engine	anchore	https://github.com/anchore/anchore-engine	1.4k	漏洞扫描	2017-09-06
kyverno	kyverno.io	https://github.com/kyverno/kyverno	1.8k	Kubernetes 策略与审计	2019-02-04
GateKeeper	OPA (sysdig)	https://github.com/open-policy-agent/gatekeeper	1.3k	Kubernetes 策略与审计	2018-10-26
falco	falcosecurity(sysdig)	https://github.com/falcosecurity/falco	4.4k	基于内核模块的系统事件追踪、警告	2016-01-19
terrascan	accurics.com	https://github.com/accurics/terrascan	2.7k	通用的 IaS 配置扫描	2017-09-11
Kubei	portshift	https://github.com/cisco-open-source/Kubei	489	镜像扫描(带面板)	2020-03-22
Polaris	Fairwinds	https://github.com/FairwindsOps/Polaris	2.4k	配置扫描与策略	2018-11-15
kubesec	controlplaneio	https://github.com/controlplaneio/kubesec	667	Kubernetes 配置扫描	2017-10-10
KubeEye	KubeSphere	https://github.com/kubesphere/KubeEye	424	基于策略的 Kubernetes 集群配置扫描	2020-11-07
kube-linter	Stackrox(RedHat)	https://github.com/stackrox/kube-linter	1.8k	Kubernetes 配置扫描	2020-08-13

从上表中可以看出,目前开源安全软件集中在四大类别:

镜像漏洞扫描
合规、基线扫描
Kubernetes 安全策略、配置管理
威胁检测

NeuVector 介绍

NeuVector 成为了业界首个端到端的开源容器安全平台,唯一为容器化工作负载提供企业级零信任安全的解决方案。

NeuVector 致力于保障企业级容器平台安全,可以提供实时深入的容器网络可视化、东西向容器网络监控、主动隔离和保护、容器主机安全以及容器内部安全,容器管理平台无缝集成并且实现应用级容器安全的自动化,适用于各种云环境、跨云或者本地部署等容器生产环境。

Kubernetes 部署 NeuVector

创建命名空间

部署 CRD

NeuVector 安全规则创建自定义资源 (CRD)。对于 Kubernetes 1.19+:

kubectl apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.0.0/crd-k8s-1.19.yaml
kubectl apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.0.0/waf-crd-k8s-1.19.yaml
kubectl apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.0.0/dlp-crd-k8s-1.19.yaml
kubectl apply -f https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.0.0/admission-crd-k8s-1.19.yaml

配置 RBAC

添加读取权限以访问 Kubernetes API。Kubernetes 1.8+ 正式支持 RBAC。Kubernetes 1.9+ 支持准入控制。

kubectl create clusterrole neuvector-binding-app --verb=get,list,watch,update --resource=nodes,pods,services,namespaces
kubectl create clusterrole neuvector-binding-rbac --verb=get,list,watch --resource=rolebindings.rbac.authorization.k8s.io,roles.rbac.authorization.k8s.io,clusterrolebindings.rbac.authorization.k8s.io,clusterroles.rbac.authorization.k8s.io
kubectl create clusterrolebinding neuvector-binding-app --clusterrole=neuvector-binding-app --serviceaccount=neuvector:default
kubectl create clusterrolebinding neuvector-binding-rbac --clusterrole=neuvector-binding-rbac --serviceaccount=neuvector:default
kubectl create clusterrole neuvector-binding-admission --verb=get,list,watch,create,update,delete --resource=validatingwebhookconfigurations,mutatingwebhookconfigurations
kubectl create clusterrolebinding neuvector-binding-admission --clusterrole=neuvector-binding-admission --serviceaccount=neuvector:default
kubectl create clusterrole neuvector-binding-customresourcedefinition --verb=watch,create,get,update --resource=customresourcedefinitions
kubectl create clusterrolebinding  neuvector-binding-customresourcedefinition --clusterrole=neuvector-binding-customresourcedefinition --serviceaccount=neuvector:default
kubectl create clusterrole neuvector-binding-nvsecurityrules --verb=list,delete --resource=nvsecurityrules,nvclustersecurityrules
kubectl create clusterrolebinding neuvector-binding-nvsecurityrules --clusterrole=neuvector-binding-nvsecurityrules --serviceaccount=neuvector:default
kubectl create clusterrolebinding neuvector-binding-view --clusterrole=view --serviceaccount=neuvector:default
kubectl create rolebinding neuvector-admin --clusterrole=admin --serviceaccount=neuvector:default -n neuvector
kubectl create clusterrole neuvector-binding-nvwafsecurityrules --verb=list,delete --resource=nvwafsecurityrules
kubectl create clusterrolebinding neuvector-binding-nvwafsecurityrules --clusterrole=neuvector-binding-nvwafsecurityrules --serviceaccount=neuvector:default
kubectl create clusterrole neuvector-binding-nvadmissioncontrolsecurityrules --verb=list,delete --resource=nvadmissioncontrolsecurityrules
kubectl create clusterrolebinding neuvector-binding-nvadmissioncontrolsecurityrules --clusterrole=neuvector-binding-nvadmissioncontrolsecurityrules --serviceaccount=neuvector:default
kubectl create clusterrole neuvector-binding-nvdlpsecurityrules --verb=list,delete --resource=nvdlpsecurityrules
kubectl create clusterrolebinding neuvector-binding-nvdlpsecurityrules --clusterrole=neuvector-binding-nvdlpsecurityrules --serviceaccount=neuvector:default

检测 RBAC 对象

运行以下命令检查 neuvector/default 服务账号是否添加成功:

kubectl get clusterrolebinding  | grep neuvector
kubectl get rolebinding -n neuvector | grep neuvector

底层 Runtime 为 Docker

对于带有 docker 运行时的 5.0.0 预览版,为 Manager 启用 HTTP:

image: neuvector/manager.preview:5.0.0-preview.3
env:
  - name: CTRL_SERVER_IP
    value: neuvector-svc-controller.neuvector
  - name: MANAGER_SSL # 添加关 SSL
    value: 'off'
restartPolicy: Always

定时任务 (Kubernetes 版本更新)

问题: error: unable to recognize " https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.0.0/neuvector-docker-k8s.yaml": no matches for kind "CronJob" in version "batch/v1"

运行部署

wget https://raw.githubusercontent.com/neuvector/manifests/main/kubernetes/5.0.0/neuvector-docker-k8s.yaml
vi neuvector-docker-k8s.yaml
kubectl apply -f neuvector-docker-k8s.yaml