Rainbow combines neuvector to practice container safety management
2022-07-07 08:19:00 【Rainbond】
Preface
Rainbond is a cloud-native application management platform. It is easy to use, requires no knowledge of containers, Kubernetes or the complex technology underneath, supports managing multiple Kubernetes clusters, and manages the whole life cycle of enterprise applications. As the cloud-native era has matured, an endless stream of container security incidents has made everyone aware of how important container security and network security are, and has prompted further thought. To keep its users from running into similar container security incidents, Rainbond has specifically adapted and integrated NeuVector.
NeuVector is the industry's first end-to-end open source container security platform, providing an enterprise-grade zero-trust security solution for containerized workloads. NeuVector offers real-time, in-depth container network visibility, east-west container network monitoring, active isolation and protection, container host security and security inside the container. It integrates seamlessly with container management platforms to automate application-level container security, and suits a variety of cloud environments, including cross-cloud and on-premises container production environments.
This article describes the steps to install and deploy the NeuVector container security platform on Rainbond, and best practices for using it together with Rainbond in a production environment.
Deploy NeuVector
NeuVector can be deployed and installed in many ways. To simplify installation, it is installed here with Helm. Rainbond also supports Helm repositories as application stores: in the application market, add a new store and fill in the URL of the Helm repository.
Preparation
Create a team
NeuVector is usually installed in the neuvector namespace. In Rainbond, the concept of a team corresponds to a Kubernetes namespace, so before installing with Helm you first need to create a corresponding team. The team's English name corresponds to the team's namespace in the cluster, so fill in neuvector here and select the corresponding cluster.
<img src="https://static.goodrain.com/wechat/neuvector/1.png" style="zoom: 50%;" />
Connect the Helm store
Rainbond supports deploying applications directly from Helm, so the next step is to connect the official NeuVector Helm repository; after that, NeuVector can be deployed from the Helm store. On the application market page, click Add store, choose Helm store, and fill in the relevant information to complete the connection.
Helm store address: https://neuvector.github.io/neuvector-helm/
Install
Find core in the Helm repository and click Install to install it into the neuvector team.
Modify the default keys and values as follows.
values configuration items:
key | value
---|---
registry | docker.io
tag | 5.0.0-preview.1
controller.image.repository | neuvector/controller.preview
enforcer.image.repository | neuvector/enforcer.preview
manager.image.repository | neuvector/manager.preview
cve.scanner.image.repository | neuvector/scanner.preview
cve.updater.image.repository | neuvector/updater.preview
manager.svc.type | ClusterIP
After installation, confirm that the status of the pods is Running.
<img src="https://static.goodrain.com/wechat/neuvector/5.png" style="zoom: 50%;" />
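The same installation from the command line, as an added example that is not code from the original post or from the Rainbond or NeuVector projects: it renders the overrides from the table above into a values file, installs the core chart from the same Helm repository, and then polls the namespace until every pod has reached the Running phase (the pod-status check is the part a practitioner tends to skip). The release name neuvector, the chart path neuvector/core after the repository is added, and the treatment of a Succeeded pod (the cve-updater Job) as finished are assumptions of this script.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Rainbond/NeuVector
# projects. Renders the overrides from the values table into a values file,
# installs the "core" chart from the post's Helm repository and waits until
# every pod in the namespace is Running. Assumptions: the chart is reachable as
# neuvector/core after "helm repo add", the release is named "neuvector", and
# the cve-updater runs as a Job, so a pod in phase Succeeded also counts as done.

NV_NAMESPACE="${NV_NAMESPACE:-neuvector}"
NV_REPO_URL="https://neuvector.github.io/neuvector-helm/"
NV_TAG="${NV_TAG:-5.0.0-preview.1}"

# Print a values.yaml that carries exactly the overrides listed in the table.
render_values() {
    cat <<EOF
registry: docker.io
tag: ${NV_TAG}
controller:
  image:
    repository: neuvector/controller.preview
enforcer:
  image:
    repository: neuvector/enforcer.preview
manager:
  image:
    repository: neuvector/manager.preview
  svc:
    type: ClusterIP
cve:
  scanner:
    image:
      repository: neuvector/scanner.preview
  updater:
    image:
      repository: neuvector/updater.preview
EOF
}

# Read "<pod-name> <phase>" lines on stdin (the shape produced by the
# custom-columns query below) and print how many pods are still not done.
count_not_ready() {
    awk '$2 != "Running" && $2 != "Succeeded" { n++ } END { print n + 0 }'
}

# Add the repository, render the values and install the chart into the
# namespace of the team created earlier.
install_neuvector() {
    values_file="${TMPDIR:-/tmp}/neuvector-values.yaml"
    helm repo add neuvector "$NV_REPO_URL"
    helm repo update
    render_values > "$values_file"
    helm install neuvector neuvector/core \
        --namespace "$NV_NAMESPACE" --create-namespace \
        -f "$values_file"
}

# Poll the namespace for up to 5 minutes; succeed only once pods exist and
# none of them is outside the Running/Succeeded phases.
wait_for_neuvector() {
    tries=0
    while [ "$tries" -lt 60 ]; do
        pods=$(kubectl get pods -n "$NV_NAMESPACE" --no-headers \
            -o custom-columns=NAME:.metadata.name,PHASE:.status.phase 2>/dev/null)
        if [ -n "$pods" ] && [ "$(printf '%s\n' "$pods" | count_not_ready)" -eq 0 ]; then
            echo "all NeuVector pods are up in namespace $NV_NAMESPACE"
            return 0
        fi
        tries=$((tries + 1))
        sleep 5
    done
    echo "timed out waiting for NeuVector pods" >&2
    kubectl get pods -n "$NV_NAMESPACE" >&2
    return 1
}

# The cluster-touching steps run only when explicitly requested:
#   RUN_INSTALL=1 sh install-neuvector.sh
if [ "${RUN_INSTALL:-0}" = "1" ]; then
    install_neuvector && wait_for_neuvector
fi
```

Run it with RUN_INSTALL=1 against a cluster where kubectl and helm are already configured; without that variable it only defines the functions, so the values rendering and the pod-phase counting can be checked offline.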
NeuVector provides a visual web interface. The installation process automatically creates a Service, and through Rainbond's third-party component feature the NeuVector access port can be exposed.
<img src="https://static.goodrain.com/wechat/neuvector/6.png" style="zoom: 50%;" />
The following options need to be configured:
Option | Value
---|---
Component name | neuvector-web
English name of the component | neuvector
How to register components | kubernetes
Namespace | neuvector
Service | neuvector-service-webui
Once that is done, add a port (8443) and open it for external access. The default username and password are admin/admin.
Note: the interface must be accessed over https. With this, the NeuVector installation is complete.
<img src="https://static.goodrain.com/wechat/neuvector/8.png" style="zoom: 50%;" />
NeuVector best practices
Network traffic monitoring and management
The network activity view provided by NeuVector shows clearly the network traffic trends between every pod, together with the corresponding ports, the rules, and the direction of the traffic.
A blue line represents a normal flow direction recorded in learning mode.
A yellow flow direction was recorded in monitor mode; the rule has to be reviewed manually to decide whether this traffic is allowed.
Red indicates a flow recorded in protect mode that was rejected; it can also be allowed by a rule.
Using learning mode, monitor mode and protect mode
NeuVector groups support three modes: learning mode, monitor mode and protect mode. The function of each mode is as follows:
Learning mode
Learns and records the network connections and process executions between containers and hosts.
Automatically builds a whitelist of network rules that protects the application's normal network behavior.
Sets a security baseline for the processes running in each service's containers and creates a whitelist of process profile rules.
Monitor mode
NeuVector monitors the network and process activity of containers and hosts; behavior that was not recorded in learning mode raises an alarm in NeuVector's security events.
Protect mode
NeuVector monitors the network and process activity of containers and hosts, and directly denies behavior that was not recorded in learning mode.
From these three modes a best practice for production environments can be summarized. When a new business is about to go online, start with learning mode by default; after a period of learning, the container and host rules have been recorded. Then switch to monitor mode and run for a while, monitoring for unusual network traffic and host processes; this records the unusual network flows and raises alarms so you can confirm whether to allow them. Finally, switch to protect mode, so that malicious operations cannot cause unnecessary harm to the environment.
Vulnerability scanning of the cluster's image registry
The smallest unit in which a Kubernetes cluster deploys a business is the pod, and the most important part of a pod is its image. NeuVector can also scan images for vulnerabilities, so that vulnerable components shipped inside an image are caught.
When Rainbond is used without an external image registry, Rainbond provides a default registry, goodrain.me, which stores the images of every business built through Rainbond. By scanning the images in it, you can see clearly which vulnerabilities exist in the images the business depends on, and avoid the impact of image vulnerabilities.
If an external image registry is used with Rainbond and its domain name can be resolved, fill in that domain name directly. goodrain.me itself cannot be resolved by NeuVector, so the corresponding record has to be added manually to the cluster's CoreDNS to make sure NeuVector can connect to it.
Edit coredns:
kubectl edit cm coredns -n kube-system
<img src="https://static.goodrain.com/wechat/neuvector/10.png" style="zoom:33%;" />
Obtain the IP that goodrain.me resolves to (the pattern is quoted so the shell does not expand it as a glob):
kubectl get rainbondcluster -n rbd-system -oyaml | egrep -v '[A-Za-z{}]'
Add the following at the indicated position, taking care to change the IP:
hosts {
    192.168.0.1 goodrain.me
    fallthrough
}
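The CoreDNS change above, automated and verified, as an added example that is not code from the original post or from the Rainbond or NeuVector projects: it takes the IP from the post's rainbondcluster query, inserts the hosts stanza into the Corefile held in the coredns ConfigMap without duplicating it on a second run, restarts CoreDNS, and then checks from a throwaway pod in the neuvector namespace that goodrain.me resolves. That the first IPv4 address in the filtered rainbondcluster output is the one serving goodrain.me, that the Corefile's server block begins with ".:53 {", and that busybox's nslookup is an adequate resolver check are assumptions of this script.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Rainbond/NeuVector
# projects. Automates the CoreDNS change described in the post: take the IP that
# goodrain.me should resolve to, insert a "hosts" stanza into the Corefile held
# in the coredns ConfigMap, restart CoreDNS and confirm from inside the
# neuvector namespace that the name resolves. Assumptions: the first IPv4
# address left by the post's rainbondcluster query is the one serving
# goodrain.me, the Corefile's server block starts with ".:53 {", and busybox's
# nslookup is an acceptable resolver check.

REGISTRY_HOST="goodrain.me"

# True when the argument looks like a dotted IPv4 address.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the first IPv4 address found on stdin (applied to the rainbondcluster
# output, which the post filters down to lines without letters or braces).
first_ipv4() {
    grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
}

# Read a Corefile on stdin and print it with a hosts stanza for the registry
# inserted directly under the ".:53 {" line. Idempotent: if the Corefile already
# mentions the registry host it is printed unchanged. CoreDNS plugin order is
# fixed at build time, so hosts is consulted before kubernetes and forward
# wherever the stanza sits inside the block.
insert_hosts() {
    ip="$1"
    if ! is_ipv4 "$ip"; then
        echo "insert_hosts: not an IPv4 address: '$ip'" >&2
        return 1
    fi
    awk -v ip="$ip" -v host="$REGISTRY_HOST" '
        index($0, host) { seen = 1 }
        { lines[NR] = $0 }
        END {
            for (i = 1; i <= NR; i++) {
                print lines[i]
                if (!seen && !done && lines[i] ~ /^\.:53 *[{]/) {
                    printf "    hosts {\n        %s %s\n        fallthrough\n    }\n", ip, host
                    done = 1
                }
            }
        }'
}

# Cluster-touching steps: fetch the IP, rewrite the ConfigMap, restart CoreDNS
# and verify resolution from a throwaway pod in the neuvector namespace.
apply_registry_dns() {
    ip=$(kubectl get rainbondcluster -n rbd-system -oyaml \
        | egrep -v '[A-Za-z{}]' | first_ipv4)
    if ! is_ipv4 "$ip"; then
        echo "could not find an IPv4 address for $REGISTRY_HOST" >&2
        return 1
    fi
    work="${TMPDIR:-/tmp}"
    kubectl get cm coredns -n kube-system -o jsonpath='{.data.Corefile}' > "$work/Corefile.orig"
    insert_hosts "$ip" < "$work/Corefile.orig" > "$work/Corefile.new"
    kubectl create cm coredns -n kube-system --from-file=Corefile="$work/Corefile.new" \
        --dry-run=client -o yaml | kubectl apply -f -
    # Restart so the change takes effect even if the reload plugin is not enabled.
    kubectl rollout restart deployment/coredns -n kube-system
    kubectl rollout status deployment/coredns -n kube-system
    kubectl run registry-dns-check -n neuvector --rm -i --restart=Never \
        --image=busybox:1.36 -- nslookup "$REGISTRY_HOST"
}

# Run against the cluster only when explicitly requested:
#   RUN_PATCH=1 sh registry-dns.sh
if [ "${RUN_PATCH:-0}" = "1" ]; then
    apply_registry_dns
fi
```

Keep the saved Corefile.orig until the nslookup check passes; if the ConfigMap ever needs to be restored, the same create/apply pair with that file puts it back. The text functions (is_ipv4, first_ipv4, insert_hosts) run offline, so the Corefile rewrite can be checked before anything touches the cluster.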
In the NeuVector web interface, select Assets > Image libraries on the left and add the registry.
The default user for goodrain.me is admin; the password is obtained with the following command:
kubectl get rainbondcluster -n rbd-system -oyaml | grep password | sed "1d"
After the image scan, the image information is shown below it; click the name of the image you want to inspect to view its details. An example is shown below.
Closing
I hope this article helps you deploy the NeuVector container security platform on Rainbond successfully and operate it according to the best practices above. Of course, NeuVector's capabilities go far beyond this; we still need to keep exploring and keep practicing.