Kubernetes Security Risks and Protection Methods

Kubernetes is a tool that organizations can use to automate a wide range of application deployments in their containers. However, being able to deploy applications this effectively and efficiently comes with the downside of potential risks.

These risks usually take the form of attacks by hackers looking to steal data, mine cryptocurrency, disrupt services, and more. Such attacks will keep being attempted, which has led organizations to look for viable solutions.

Kubernetes Explained


Kubernetes is an orchestration tool for containers that automates the processes of deploying, updating, and monitoring them. It is widely supported on cloud platforms and can be used with Rancher, Docker EE, IBM Cloud, Google Cloud, and many more.

One of the key components of Kubernetes is the master node. This is the server responsible for managing the Kubernetes cluster and its worker nodes and for deploying nodes and pods. Worker nodes (also called minions or slaves) are servers that run the application containers as well as other Kubernetes elements, such as proxies.

Each pod has its own IP address and usually holds just one container, although a pod can also hold several. Kubernetes also has Services, which work much like proxies.

A Service accepts requests destined for pods and load-balances them across the replicated pods behind it.

The last main component of Kubernetes is the set of system components used to manage the cluster, such as the Kubelet and etcd. All of these are elements that can be vulnerable to attack.

Kubernetes Risks

When Kubernetes containers associated with pods come under attack, the attack can come from insiders or from outside. Misconfigurations are what leave a container open to compromise in the first place.

Attackers who gain access to a container use it as a foothold to look for further weaknesses in the network, file system, or process controls, and this is where Kubernetes security risks grow.

Pods that have been connected without proper authorization are more prone to attack: a compromised container can try to connect to running pods in order to launch an attack on them.

Layer 7 (application-layer) network filtering is the only way to detect these attacks when they take place over trusted IP addresses. Attackers also commonly steal data by exfiltrating it from pods.

They may also tunnel traffic over the network to keep the stolen data hidden, or run a reverse shell inside a pod that connects back to a command-and-control server.

Kubernetes Infrastructure Attacks

When hackers attempt to gain access to containers or resources, they cause disruption to applications or disable them altogether. In addition, hackers try to reach Kubernetes resources through the Kubelets or the API server.

If an API server token is compromised or stolen, that identity can be used to gain access to the database. Hackers can use API server data to impersonate an authorized user, which lets them disable applications or deploy malicious content into your containers.

When hackers target the orchestration tool itself, they can not only disable the applications you currently have running but also take control of the resources you use to run your containers.

Kubernetes Security Challenges

One of the great benefits of Kubernetes is that you can deploy containers across many clouds and hosts. However, this also means that every container you ship must be monitored in order to identify and prevent attacks.

The many containers you run each bring their own attack surface, with their own set of weak spots for attackers to exploit.

If you are still running old security models and tools, your security is likely already compromised: those tools simply cannot keep up with modern threats from hackers. So this is not an area organizations will want to skimp on.

Protecting Kubernetes

Kubernetes is open to attack if the proper security measures are not taken. An unprotected Kubernetes cluster lets hackers find areas of your container deployment system to attack that they previously would not have had access to.

To keep your Kubernetes cluster protected, configuring RBAC and reviewing the relevant areas for access controls should be a priority.

To keep the API server protected, make sure you have configured RBAC for it. You can also set up firewalls to stop unauthorized users from reaching it.
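As an added example (not from the original article), the manifests below show the kind of RBAC review the two paragraphs above call for: the weak "before" binding hands `cluster-admin` to a namespace's default service account, so any pod using that account (and any attacker holding its token) controls the whole cluster; the corrected version gives the workload its own service account and a namespaced Role with only the verbs it needs. The namespace `shop`, the account name `inventory-reader` and the resource choices are assumed values.

```yaml
# WEAK (do not ship): cluster-wide admin rights for the default service account.
# A stolen token from any pod in "shop" becomes a cluster-admin credential.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: default-sa-cluster-admin
subjects:
- kind: ServiceAccount
  name: default
  namespace: shop
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---
# CORRECTED: dedicated account, least-privilege Role, binding scoped to one namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: inventory-reader
  namespace: shop
automountServiceAccountToken: false   # pods must opt in to receive a token at all
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: configmap-reader
  namespace: shop
rules:
- apiGroups: [""]
  resources: ["configmaps"]           # no secrets, no pods/exec
  verbs: ["get", "list", "watch"]     # read-only: no create/update/delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: inventory-reader-configmaps
  namespace: shop
subjects:
- kind: ServiceAccount
  name: inventory-reader
  namespace: shop
roleRef:
  kind: Role                          # a Role, not a ClusterRole
  name: configmap-reader
  apiGroup: rbac.authorization.k8s.io
```

After applying, `kubectl auth can-i get secrets -n shop --as=system:serviceaccount:shop:inventory-reader` should answer `no`, while the same command for `configmaps` answers `yes`.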

Kubelet permissions can be kept limited by configuring RBAC for the Kubelets. Make sure certificate rotation is properly managed to keep the Kubelet secure.

Setting up an authentication process for external ports reduces your exposure. Review all external ports and get rid of any you do not need. For the external ports you do need, put an authentication process in place before people can gain access. For services that are not authenticated, keep access restricted with a whitelist of allowed sources.
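As an added example (not from the original article), this KubeletConfiguration fragment applies the Kubelet and external-port advice above: anonymous access off, authentication and authorization delegated to the API server so that RBAC decides what a caller may do, the unauthenticated read-only port closed, and client and serving certificate rotation turned on. The comments name the weaker value each setting replaces; the CA file path is an assumed value.

```yaml
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false            # weak: true lets unauthenticated callers use the kubelet API
  webhook:
    enabled: true             # bearer tokens are validated by the API server (TokenReview)
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt   # assumed path to the cluster CA
authorization:
  mode: Webhook               # weak: AlwaysAllow; Webhook asks the API server (RBAC) per request
readOnlyPort: 0               # weak: 10255 exposes pods/metrics with no authentication; 0 disables it
rotateCertificates: true      # kubelet renews its client certificate before it expires
serverTLSBootstrap: true      # serving certificate is issued by the cluster CA, not self-signed
```

Serving-certificate CSRs created by `serverTLSBootstrap` are not approved automatically, so an approver (or a manual `kubectl certificate approve`) must be part of the rotation process.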

Reducing overall console access is an excellent way to reduce Kubernetes security risks. Do not grant proxy or console access until users have logged in with strong passwords and a more secure authentication process.

In addition to the measures above, you may also want to use monitoring tools. These can help you identify where attacks or unauthorized access are taking place.

Conclusion

Kubernetes lets organizations deploy applications at incredible speed, and it gives you the benefit of being able to deploy those applications across a wide range of cloud-based services.

It can also leave your applications more exposed to attack. So if you are going to use an orchestration tool such as Kubernetes for your containers, make sure you have taken the appropriate security measures, and keep doing so, to prevent and minimize the risk of attack.

Translated from: https://www.thecrazyprogrammer.com/2020/09/kubernetes-security-risks-and-protection-methods.html
