Kubernetes Security Best PracticesContainers give developers the ability to isolate applications from one another, but that’s not enough. Resource isolation is much different that securi…
Kubernetesã®Secretã¯æœ¬å½“ã«å®‰å…¨ã‹ - Qiita
ã“ã®è¨˜äº‹ã¯Kubernetes Advent Calendar 12日目ã®è¨˜äº‹ã«ãªã‚Šã¾ã™ã€‚ Overview Kubernetesã®Podã«ãƒ‘スワードやトークンを指定ã™ã‚‹éš›ã«ã¯Secretを使ã„ã¾ã™ã€‚(ã£ã¦ã‚†ã†ã‹ä½¿ã£ã¦ãã ã•ã„) コンテナ内ã«ç§˜å¯†æƒ…å ±ã‚’å…¥ã‚ŒãŸã¾ã¾DockerHubç‰ã«ã‚¢ãƒƒãƒ—ãƒãƒ¼ãƒ‰ã—ã¦ã—ã¾ã„大変ãªäº‹æ…‹ã«ãƒ»ãƒ»ãƒ»ã£ã¦ã“ã¨ã«ã¯æ³¨æ„ã—ã¾ã—ょã†ã€‚ ã•ã¦ã€ã“ã®è¨˜äº‹ã®æœ¬é¡Œã§ã™ãŒ"Kubernetesã®Secretã¯æœ¬å½“ã«å®‰å…¨ã‹"ã§ã™ã€‚ 確ã‹ã«Kubernetes上ã«æ©Ÿèƒ½ã¨ã—ã¦å˜åœ¨ã—ã¾ã™ãŒã€æœ¬å½“ã«å®‰å…¨æ€§ã¯ç¢ºä¿ã•ã‚Œã¦ã„ã‚‹ã®ã§ã—ょã†ã‹ï¼Ÿ ã¾ãŸã€ã‚‚ã—ノードãŒæ”»æ’ƒã•ã‚ŒãŸå ´åˆã€ã©ã®ç¨‹åº¦ã¾ã§Secretã®ãƒ‡ãƒ¼ã‚¿ã‚’守れるã®ã§ã—ょã†ã‹ï¼Ÿ ã“ã®è¨˜äº‹ã§ã¯å…¬å¼ãƒ‰ã‚ュメントをå‚考ã«ç¾åœ¨ã®Secretã«ã¤ã„ã¦ç´¹ä»‹ã§ãã‚Œã°ã¨æ€ã„ã¾ã™ã€‚ ※著者ã¯ã¾ã ã¾ã 未熟者ゆãˆé–“é•ã„ç‰ã‚‚ã‚ã‚‹ã‹ã¨æ€ã„ã¾ã™ãŒã€æ¸©ã‹ã„ç›®&ãŠæ‰‹æŸ”らã‹ãªã‚³ãƒ¡ãƒ³
Kubernetes: Pod Security Policy ã«ã‚ˆã‚‹ã‚»ã‚ュリティã®è¨å®š - Qiita
ã“ã®è¨˜äº‹ã¯ Pod Security Policy (PodSecurityPolicy)ã«ã‚ˆã‚‹ã‚»ã‚ュリティã®è¨å®šã«ã¤ã„㦠Kubernetes v1.9 ã§ç¢ºèªã—ãŸå†…容ã«ãªã‚Šã¾ã™ã€‚v1.9 未満ã§ã¯ RBAC 周りã§å¤§ããªé•ã„ãŒã‚ã‚‹ã®ã§ã”注æ„ãã ã•ã„。 PodSecurityPolicy ã¨ã¯ PodSecurityPolicy ã¨ã¯ã‚¯ãƒ©ã‚¹ã‚¿å…¨ä½“ã®ã‚»ã‚ュリティ上ã®ãƒãƒªã‚·ãƒ¼ã‚’定義ã™ã‚‹æ©Ÿèƒ½ã§ã™ã€‚ホストã«å½±éŸ¿ã‚’与ãˆã‚‹å¯èƒ½æ€§ãŒã‚ã‚‹ 特権 (privileged) ã‚„ HostIPC ãªã©ã®æ©Ÿèƒ½ã‚’制é™ã— Pod ã«è„†å¼±æ€§ãŒã‚ã£ãŸå ´åˆã«ã‚¯ãƒ©ã‚¹ã‚¿ã‚’守るã“ã¨ãŒã§ãã¾ã™ã€‚ãƒãƒªã‚·ãƒ¼ã®åˆ¶é™ã¯ Admission Control ã¨ã—ã¦å®Ÿè£…ã•ã‚Œã¦ãŠã‚Šã€ãƒãƒªã‚·ãƒ¼ã‚’満ãŸã—ã¦ã„ãªã„ Pod ã®å®Ÿè¡Œã‚’æ‹’å¦ã™ã‚‹ã“ã¨ãŒã§ãるよã†ã«ãªã‚Šã¾ã™ã€‚Design Proposal を見るã¨ãƒžãƒ«ãƒãƒ†ãƒŠãƒ³ãƒˆã§ã®åˆ©ç”¨ã‚’想定ã—ãŸæ©Ÿèƒ½ã®ã‚ˆã†ã§
Pod Security Policies
Removed featurePodSecurityPolicy was deprecated in Kubernetes v1.21, and removed from Kubernetes in v1.25. Instead of using PodSecurityPolicy, you can enforce similar restrictions on Pods using either or both: Pod Security Admissiona 3rd party admission plugin, that you deploy and configure yourselfFor a migration guide, see Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Cont
Kubernetesã®ã‚»ã‚ュリティã®ãƒ™ã‚¹ãƒˆãƒ—ラクティス by Ian Lewis
Japan Container Days v18.04 ã§è¡¨é¡Œã®ã‚»ãƒƒã‚·ãƒ§ãƒ³ã‚’èžã„ãŸã®ã§ã€ã¾ã¨ã‚ã¾ã—ãŸã€‚ スライド資料Kubernetesã®ã‚»ã‚ュリティã®ãƒ™ã‚¹ãƒˆãƒ—ラクティス(SpeakerDeck) APIサーãƒã¸ã®æ”»æ’ƒã‚’防ãRBACã§Podã«ä»˜ä¸Žã•ã‚Œã‚‹æ¨©é™ã‚’絞るPodã«ã¯ã‚·ãƒ¼ã‚¯ãƒ¬ãƒƒãƒˆãŒè‡ªå‹•ã§ãƒžã‚¦ãƒ³ãƒˆã•ã‚Œã‚‹ãŸã‚ã€ä¸æ£ã‚¢ã‚¯ã‚»ã‚¹ã«ã‚ˆã‚Šèªã¿è¾¼ã¾ã‚Œã¦ã—ã¾ã†ã¨å±ãªã„ Firewallã§APIサーãƒã¸ã®ã‚¢ã‚¯ã‚»ã‚¹ã«ã¤ã„ã¦IP制é™ã‚’付与ã™ã‚‹ã„ã–ã€ã‚·ãƒ¼ã‚¯ãƒ¬ãƒƒãƒˆãŒæ¼ã‚ŒãŸå ´åˆã§ã‚‚ã€APIサーãƒã«ã‚¢ã‚¯ã‚»ã‚¹ã•ã‚Œã¦ã—ã¾ã‚ãªã„よã†ã«ã€ãƒ•ã‚¡ã‚¤ã‚¢ã‚¦ã‚©ãƒ¼ãƒ«ã§IP制é™ã‚’ã‹ã‘ã¦ãŠãã¨è‰¯ã„ NetworkPolicyã§DBã¸ã®æŽ¥ç¶šãŒè¨±å¯ã•ã‚Œã‚‹Podを制é™ã™ã‚‹å¤§ä½“ã®å ´åˆã€é‡è¦ãªãƒ‡ãƒ¼ã‚¿ã¯DBã«æœ‰ã‚‹ãŸã‚ã€DBã¸ã®ã‚¢ã‚¯ã‚»ã‚¹ã‚’絞るã“ã¨ã§å®‰å…¨æ€§ã‚’上ã’ã‚‹ example: kind: NetworkPolicy apiVersion: netwo
1
リリースã€éšœå®³æƒ…å ±ãªã©ã®ã‚µãƒ¼ãƒ“スã®ãŠçŸ¥ã‚‰ã›
最新ã®äººæ°—エントリーã®é…ä¿¡
j次ã®ãƒ–ックマーク
kå‰ã®ãƒ–ックマーク
lã‚ã¨ã§èªã‚€
eコメント一覧を開ã
oページを開ã
{{#tags}}- {{label}}
{{/tags}}