Kubernetes Security (Falco)
CVE (Common Vulnerabilities & Exposures)
A Secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. Such information might otherwise be put in a Pod specification or in an image; putting it in a Secret object allows for more control over how it is used, and reduces the risk of accidental exposure.
Roles define what can be done, while bindings define who can do it
A certificate is a file that contains a public key which is bound to a record of its owner. TLS allows communication to be encrypted and decrypted using secure keys and certificates.
Each certificate generated by an intermediate CA carries a reference to the root, so trust in the root is handed down along the "trust chain".
Certificate types used inside Container Linux
A client certificate is used by a server to authenticate a client, for example etcdctl, the etcd proxy, or Docker clients. Any service that needs to communicate with the servers presents a client certificate.
A server certificate is used by a server and verified by the client to establish the server's identity, for example the Docker daemon or kube-apiserver. The server certificate should be able to sign, encrypt, decrypt and authenticate the other certificates; it is used by server services that expect connections over TLS.
A peer certificate is used by etcd cluster members as they communicate with each other in both directions. Peer certificates are used by the services (those that use the server certificate) to communicate with one another.
A network policy is a specification (a set of network traffic rules) of how groups of pods are allowed to communicate with each other and with other network endpoints. It is implemented by Kubernetes network plugins such as Calico or Weave, and works like security groups or ACLs for pods.
OpenSSL certificate distinguished name (DN): the distinguished_name section of the OpenSSL configuration file is required when using the "req -new" or "req -newkey" commands to generate a new CSR or self-signed certificate. It provides options that control the following two groups of DN (Distinguished Name) fields.
Standard DN fields:
commonName (or CN) - Common name of the subject.
countryName (or C) - ISO2 code of the country where the subject is located.
stateOrProvinceName (or ST) - State or province name where the subject is located.
localityName (or L) - Locality, like city, name where the subject is located.
organizationName (or O) - Organization name which the subject belongs to.
organizationalUnitName (or OU) - Organization unit name which the subject belongs to.
Additional DN fields:
name - Name of the subject.
surname - Last name of the subject.
givenName - First name of the subject.
initials - Initials of the subject.
emailAddress - Email address of the subject.
dnQualifier - Distinguished Name Qualifier of the subject.
PKI: Public Key Infrastructure. CSR stands for "Certificate Signing Request"; it is generated on the server where the certificate will be used. A CSR contains information about your organization, domain name, locality, and country, together with the public key that will be included in your certificate.
TLS has two primary purposes: encrypting connection traffic and providing a way to verify that the peer can be trusted (e.g. signed by a trusted Certificate Authority), to mitigate Man-in-the-Middle attacks, a class of attacks where an attacker impersonates a legitimate trusted client.
cfssl / cfssljson toolset; authority owner; issuer distinguished name
User and group specified in X.509 client certificates: in the case of X.509 client certificates, Kubernetes verifies that the provided client certificate is in fact signed by the cluster's certificate authority. Once Kubernetes has verified the certificate, it treats the "Common Name" as the username and the "Organization" as the user's group. Using this information one can then grant a group or a user specific permissions with RBAC.
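As an added example (not from these notes or from Kubernetes' own code), the Python below derives the username and groups the API server would take from a client certificate's subject, flags the `system:masters` group (bound to cluster-admin by default, so it bypasses any finer RBAC), and builds the RoleBinding that grants a Role to those groups. The subject strings are constructed samples.

```python
from typing import Dict, List, Tuple

# Kubernetes binds the system:masters group to cluster-admin out of the box, so a
# client certificate carrying it bypasses any finer-grained RBAC you add later.
PRIVILEGED_GROUPS = {"system:masters"}
RBAC_API = "rbac.authorization.k8s.io"

# Constructed sample, in the one-line form printed by `openssl x509 -noout -subject`.
SAMPLE_SUBJECT = "subject=CN = jane, O = dev, O = ops"


def parse_subject(subject: str) -> List[Tuple[str, str]]:
    """Parse an OpenSSL one-line subject ('/CN=jane/O=dev' or 'CN = jane, O = dev',
    with or without a leading 'subject=') into ordered (attribute, value) pairs.
    Values that themselves contain the separator are not handled."""
    subject = subject.strip()
    if subject.startswith("subject="):
        subject = subject[len("subject="):].strip()
    parts = subject.lstrip("/").split("/") if subject.startswith("/") else subject.split(",")
    pairs = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def kube_identity(subject: str) -> Dict[str, object]:
    """Map the subject the way the API server does: CN -> username, each O -> a group."""
    pairs = parse_subject(subject)
    cns = [v for a, v in pairs if a == "CN"]
    if len(cns) != 1:
        raise ValueError("client certificate must carry exactly one CN")
    groups = [v for a, v in pairs if a == "O"]
    return {"username": cns[0], "groups": groups,
            "privileged": any(g in PRIVILEGED_GROUPS for g in groups)}


def role_binding(name: str, namespace: str, role: str, identity: Dict[str, object]) -> dict:
    """Grant `role` to the certificate's groups (or to the user when it has none).
    Refuses identities that already hold a privileged group."""
    if identity["privileged"]:
        raise ValueError("identity already holds a privileged group; issue a narrower certificate")
    groups = identity["groups"] or []
    subjects = ([{"kind": "Group", "name": g, "apiGroup": RBAC_API} for g in groups]
                or [{"kind": "User", "name": identity["username"], "apiGroup": RBAC_API}])
    return {"apiVersion": f"{RBAC_API}/v1", "kind": "RoleBinding",
            "metadata": {"name": name, "namespace": namespace},
            "subjects": subjects,
            "roleRef": {"kind": "Role", "name": role, "apiGroup": RBAC_API}}
```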
What is a SAN certificate? A Subject Alternative Name (SAN) certificate is a digital certificate that allows multiple hostnames to be protected by a single certificate. The entries in any SSL.com SAN certificate:
Can be a Fully Qualified Domain Name (FQDN).
Can be a “common name” (a single-worded server name)
Can be a wildcard domain name (e.g. *.domain.com or *.store.domain.com) but NOT a multiple-level wildcard (like *.*.domain.com).
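The SAN entry rules above, as an added Python example (not from these notes or from SSL.com): it classifies each DNS entry as a common name, an FQDN or a single-level wildcard, rejects multi-level wildcards, and reports which of a set of hostnames a certificate's SAN list actually covers. The hostnames are constructed samples.

```python
import re
from typing import Dict, Iterable, Optional

# A DNS label: letters, digits and hyphens, no leading/trailing hyphen, 1-63 chars.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Constructed sample SAN list and the hostnames a deployment wants covered.
SAMPLE_SAN = ["kube-apiserver", "api.example.com", "*.store.example.com"]
SAMPLE_HOSTS = ["api.example.com", "eu.store.example.com", "example.com", "a.b.store.example.com"]


def classify_san_entry(entry: str) -> str:
    """Return 'common_name' (single label), 'fqdn', or 'wildcard' (exactly one leading
    '*' label). Anything else, including *.*.domain.com, raises ValueError."""
    labels = entry.lower().rstrip(".").split(".")
    if any(label == "" for label in labels):
        raise ValueError(f"empty label in {entry!r}")
    star_labels = labels.count("*")
    if star_labels == 0:
        if not all(_LABEL.match(label) for label in labels):
            raise ValueError(f"invalid DNS label in {entry!r}")
        return "common_name" if len(labels) == 1 else "fqdn"
    # Exactly one '*', it must be the leftmost label, and it may not sit on a TLD.
    if star_labels > 1 or labels[0] != "*" or len(labels) < 3:
        raise ValueError(f"only a single leading wildcard label is allowed: {entry!r}")
    if not all(_LABEL.match(label) for label in labels[1:]):
        raise ValueError(f"invalid DNS label in {entry!r}")
    return "wildcard"


def hostname_matches(entry: str, hostname: str) -> bool:
    """True if the SAN entry covers the hostname. A wildcard covers exactly one label:
    *.domain.com matches www.domain.com but neither domain.com nor a.b.domain.com."""
    kind = classify_san_entry(entry)
    e_labels = entry.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if kind != "wildcard":
        return e_labels == h_labels
    return len(h_labels) == len(e_labels) and e_labels[1:] == h_labels[1:]


def covered_hostnames(san_entries: Iterable[str], hostnames: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each hostname to the first SAN entry covering it, or None if the certificate
    would not be valid for that name."""
    entries = list(san_entries)
    return {host: next((e for e in entries if hostname_matches(e, host)), None) for host in hostnames}
```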
Facebook has also open-sourced Fizz, a TLS 1.3 implementation that supports only TLS 1.3. / TLS handshake
With the HTTP/2 protocol update in late 2015, and now TLS 1.3 in 2018, encrypted connections are now more secure and faster than ever.
There is a critical need for training and introductory material on Kubernetes security.
Hardening Kubernetes deployments
Related Blogs
- Using Kubernetes Secrets
- Kubernetes Network Policy Recipes
- Kubernetes Security---Are your Container Doors Open?
- Configuring Certificate-Based Mutual Authentication with Kubernetes Ingress-Nginx
- Serving Certificates, Authentication, and Authorization
- X.509 Certificate
- Generate self-signed certificates (Certificate types which are used inside Container Linux)
- Certificate Authority with CFSSL
- OpenSSL openssl.cnf file documentation
- OpenSSL commands to check and verify your SSL certificate, key and CSR
- Decrypting TLS 1.3 traffic with Wireshark
I wrote a book, 《深入浅出HTTPS:从原理到实战》 (HTTPS Explained: From Principles to Practice).
- https://cybervadis.com/assess-your-vendors/ (security scanning tool)
OpenSSL Blog
Kubernetes TLS bootstrapping
Kubernetes TLS bootstrapping(Kubernetes Doc)
Kubernetes Authenticating with Bootstrap Tokens(Kubernetes Doc)