vpruthi/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
doc-exports/docs/cce/umn/cce_bestpractice_0319.html
Dong, Qiu Jian 6157284549 CCE UMN update -20240401 version 
Reviewed-by: Eotvos, Oliver <oliver.eotvos@t-systems.com>
Co-authored-by: Dong, Qiu Jian <qiujiandong1@huawei.com>
Co-committed-by: Dong, Qiu Jian <qiujiandong1@huawei.com>
2024-04-15 14:42:22 +00:00

86 lines
15 KiB
HTML
Raw Blame History

<a name="cce_bestpractice_0319"></a><a name="cce_bestpractice_0319"></a>
<h1 class="topictitle1">Container Security</h1>
<div id="body8662426"><div class="section" id="cce_bestpractice_0319__en-us_topic_0000001181182498_section33548184212"><h4 class="sectiontitle">Controlling the Pod Scheduling Scope</h4><p class="msonormal" id="cce_bestpractice_0319__en-us_topic_0000001181182498_p1217894319312">The nodeSelector or nodeAffinity is used to limit the range of nodes to which applications can be scheduled, preventing the entire cluster from being threatened due to the exceptions of a single application. </p>
</div>
<div class="section" id="cce_bestpractice_0319__en-us_topic_0000001181182498_section9957027632"><h4 class="sectiontitle">Suggestions on Container Security Configuration</h4><ul id="cce_bestpractice_0319__en-us_topic_0000001181182498_ul41585571516"><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li8158145795119">Set the computing resource limits (<strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b17893201319579">request</strong> and <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1373971695720">limit</strong>) of a container. This prevents the container from occupying too many resources and affecting the stability of the host and other containers on the same node.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li215885745115">Unless necessary, do not mount sensitive host directories to containers, such as <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b141203032451659">/</strong>, <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b183322389551659">/boot</strong>, <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b57887466051659">/dev</strong>, <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b77225877051659">/etc</strong>, <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b88598197751659">/lib</strong>, <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b213844612151659">/proc</strong>, <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b152215198251659">/sys</strong>, and <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b124051750451659">/usr</strong>.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li18158557195120">Do not run the sshd process in containers unless necessary.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li11158175795118">Unless necessary, it is not recommended that containers and hosts share the network namespace.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li1415885795117">Unless necessary, it is not recommended that containers and hosts share the process namespace.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li1415825775116">Unless necessary, it is not recommended that containers and hosts share the IPC namespace.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li11158057155119">Unless necessary, it is not recommended that containers and hosts share the UTS namespace.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li1615835735113">Unless necessary, do not mount the sock file of Docker to any container.</li></ul>
</div>
<div class="section" id="cce_bestpractice_0319__en-us_topic_0000001181182498_section19516391833"><h4 class="sectiontitle">Container Permission Access Control</h4><p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p59421020105220">When using a containerized application, comply with the minimum privilege principle and properly set securityContext of Deployments or StatefulSets.</p>
<ul id="cce_bestpractice_0319__en-us_topic_0000001181182498_ul9942132020520"><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li39421020175218">Configure runAsUser to specify a non-root user to run a container.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li69421020195211">Configure privileged to prevent containers being used in scenarios where privilege is not required.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li494272085219">Configure capabilities to accurately control the privileged access permission of containers.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li16491224125218">Configure allowPrivilegeEscalation to disable privilege escape in scenarios where privilege escalation is not required for container processes.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li51923552117">Configure seccomp to restrict the container syscalls. For details, see <a href="https://kubernetes.io/docs/tutorials/security/seccomp/" target="_blank" rel="noopener noreferrer">Restrict a Container's Syscalls with seccomp</a> in the official Kubernetes documentation.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li1550815525214">Configure ReadOnlyRootFilesystem to protect the root file system of a container.<p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p12216113113328"><a name="cce_bestpractice_0319__en-us_topic_0000001181182498_li1550815525214"></a><a name="en-us_topic_0000001181182498_li1550815525214"></a>Example YAML for a Deployment:</p>
<pre class="screen" id="cce_bestpractice_0319__en-us_topic_0000001181182498_screen17607650143219">apiVersion: apps/v1
kind: Deployment
metadata:
name: security-context-example
namespace: security-example
spec:
replicas: 1
selector:
matchLabels:
app: security-context-example
label: security-context-example
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
annotations:
seccomp.security.alpha.kubernetes.io/pod: runtime/default
labels:
app: security-context-example
label: security-context-example
spec:
containers:
- image: ...
imagePullPolicy: Always
name: security-context-example
<strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b85281014566">securityContext:</strong>
<strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b89191944185520">allowPrivilegeEscalation:</strong> false
<strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b5413135317556">readOnlyRootFilesystem</strong>: true
<strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1040875714552">runAsUser</strong>: 1000
<strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1341410114565">capabilities:</strong>
<strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b2034013845512">add:</strong>
<strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b939033475520">- NET_BIND_SERVICE</strong>
<strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b19870172810559">drop:</strong>
<strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b11633122475512">- all</strong>
volumeMounts:
- mountPath: /etc/localtime
name: localtime
readOnly: true
- <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b166591545550">mountPath</strong>: <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b16668819555">/opt/write-file-dir</strong>
<strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b10331161315511">name:</strong> <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b175921217165516">tmpfs-example-001</strong>
<strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b450683811543">securityContext</strong>:
<strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b11661742105413">seccompProfile</strong>:
<strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b694725075415">type:</strong> <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b93592554547">RuntimeDefault</strong>
volumes:
- hostPath:
path: /etc/localtime
type: ""
name: localtime
- <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b6625143214546">emptyDir</strong>: {}
name: tmpfs-example-001 </pre>
</li></ul>
</div>
<div class="section" id="cce_bestpractice_0319__en-us_topic_0000001181182498_section4598201610719"><h4 class="sectiontitle">Restricting the Access of Containers to the Management Plane</h4><p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p96815188353">If application containers on a node do not need to access Kubernetes, you can perform the following operations to disable containers from accessing kube-apiserver:</p>
<ol id="cce_bestpractice_0319__en-us_topic_0000001181182498_ol345485831912"><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li92971066014"><span>Query the container CIDR block and private API server address.</span><p><p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p188112716215">On the <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b9183440101218">Clusters</strong> page of the CCE console, click the name of the cluster to find the information on the details page.</p>
<p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p1655182952116"></p>
</p></li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li1315175383514"><span>Configure access rules.</span><p><ul id="cce_bestpractice_0319__en-us_topic_0000001181182498_ul5714615363"><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li0714510362">CCE cluster: Log in to each node in the cluster as user <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1154145944310">root</strong> and run the following command:<ul id="cce_bestpractice_0319__en-us_topic_0000001181182498_ul2206102094315"><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li11206820114310">VPC network:<pre class="screen" id="cce_bestpractice_0319__en-us_topic_0000001181182498_screen1826691752418">iptables -I OUTPUT -s {<em id="cce_bestpractice_0319__en-us_topic_0000001181182498_i17492042294">container_cidr</em>} -d {<em id="cce_bestpractice_0319__en-us_topic_0000001181182498_i349212421792">Private API server IP</em>} -j REJECT</pre>
</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li82061820194315">Container tunnel network:<pre class="screen" id="cce_bestpractice_0319__en-us_topic_0000001181182498_screen1857421916242">iptables -I FORWARD -s {<em id="cce_bestpractice_0319__en-us_topic_0000001181182498_i134061451191213">container_cidr</em>} -d {<em id="cce_bestpractice_0319__en-us_topic_0000001181182498_i124061510122">Private API server IP</em>} -j REJECT</pre>
</li></ul>
<p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p8208153174219"><em id="cce_bestpractice_0319__en-us_topic_0000001181182498_i15254153715117">{container_cidr}</em> indicates the container CIDR of the cluster, for example, 10.0.0.0/16.</p>
<p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p5208185310428">To ensure configuration persistence, you are advised to write the command to the <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b0858451111319">/etc/rc.local</strong> script.</p>
</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li733435163615">CCE Turbo cluster: Add an outbound rule to the ENI security group of the cluster.<ol type="a" id="cce_bestpractice_0319__en-us_topic_0000001181182498_ol123861440174012"><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li918013301419">Log in to the VPC console.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li2818950104114">In the navigation pane, choose <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b91461011173920">Access Control</strong> &gt; <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b5146141173916">Security Groups</strong>.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li63861940144014">Locate the ENI security group corresponding to the cluster and name it in the format of <em id="cce_bestpractice_0319__en-us_topic_0000001181182498_i10839114974011">{Cluster name}</em><strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b499875215402">-cce-eni-</strong><em id="cce_bestpractice_0319__en-us_topic_0000001181182498_i34781256154010">{Random ID}</em>. Click the security group name and configure rules.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li13675153018426">Click the <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b4216203274119">Outbound Rules</strong> tab and click <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1955812384412">Add Rule</strong> to add an outbound rule for the security group.<ul id="cce_bestpractice_0319__en-us_topic_0000001181182498_ul73315409442"><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li19331194034410"><strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b683713449419">Priority</strong>: Set it to <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b383815449413">1</strong>.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li1112454664411"><strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b32151523420">Action</strong>: Select <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1354197174212">Deny</strong>, indicating that the access to the destination address is denied.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li117055284415"><strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b398410139421">Type</strong>: Select <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1034131516424">IPv4</strong>.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li1031585754411"><strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b9967023124218">Protocol &amp; Port</strong>: Enter <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b193881126174217">5443</strong> based on the port in the intranet API server address.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li105282124517"><strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1818453554214">Destination</strong>: Select <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1391014144218">IP address</strong> and enter the IP address of the internal API server.</li></ul>
</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li8174161724713">Click <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b17639451153810">OK</strong>.</li></ol>
</li></ul>
</p></li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li8454105818194"><span>Run the following command in the container to access kube-apiserver and check whether the request is intercepted:</span><p><pre class="screen" id="cce_bestpractice_0319__en-us_topic_0000001181182498_screen198782045205215">curl -k https://<em id="cce_bestpractice_0319__en-us_topic_0000001181182498_i0393123151412">{Private API server IP}</em>:5443</pre>
</p></li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="cce_bestpractice_0315.html">Security</a></div>
</div>
</div>
View Git Blame Copy Permalink