Rainbond combines NeuVector to practice container security management
2022-07-07 08:19:00 【Rainbond】
Preface
Rainbond is a cloud-native application management platform. It is easy to use: you do not need to understand containers, Kubernetes or the complex technology underneath it. It can manage multiple Kubernetes clusters and the whole lifecycle of enterprise applications. As the cloud-native era advances, the steady stream of container security incidents has made everyone more aware of how important container and network security are. To help users avoid incidents of that kind, Rainbond has integrated NeuVector.
NeuVector is the industry's first end-to-end open source container security platform, providing an enterprise-grade zero-trust security solution for containerized workloads. It offers real-time, in-depth container network visibility, east-west container network monitoring, active isolation and protection, container host security and in-container security. It integrates seamlessly with container management platforms to automate application-level container security, and suits cloud, cross-cloud and on-premises container production environments.
This article describes the steps to install and deploy the NeuVector container security platform on Rainbond, and the best practices for running it together with Rainbond in production.
Deploy NeuVector
NeuVector can be deployed and installed in several ways. To keep the installation simple we use Helm. Rainbond also supports Helm stores: in the application market, add a new store and fill in the Helm repository URL.
Preparation
Create a team
NeuVector is normally installed in the neuvector namespace. In Rainbond, a team corresponds to a Kubernetes namespace, so before installing through Helm you first create the matching team. The team's English name is the namespace the team gets in the cluster, so fill in neuvector and select the target cluster.
<img src="https://static.goodrain.com/wechat/neuvector/1.png" style="zoom: 50%;" />
Connect the Helm store
Rainbond can deploy applications directly from Helm, so the next step is to connect the official NeuVector Helm repository; afterwards NeuVector is deployed from that Helm store. On the application market page, click add store, choose Helm store and enter the details to complete the connection.
Helm store address: https://neuvector.github.io/neuvector-helm/
Install
Find core in the Helm repository and click Install to deploy it into the neuvector team.
Modify the default keys and values.
values configuration items:
| key | value |
|---|---|
| registry | docker.io |
| tag | 5.0.0-preview.1 |
| controller.image.repository | neuvector/controller.preview |
| enforcer.image.repository | neuvector/enforcer.preview |
| manager.image.repository | neuvector/manager.preview |
| cve.scanner.image.repository | neuvector/scanner.preview |
| cve.updater.image.repository | neuvector/updater.preview |
| manager.svc.type | ClusterIP |
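The same installation done with the helm CLI against the cluster directly, as an added example that is not part of the original article or of the Rainbond/NeuVector projects. It writes the values from the table above to a values.yaml, installs the `core` chart from the repository URL given earlier, and then waits for the pods the way the next step asks you to check by hand. It assumes `helm` and `kubectl` are on the PATH and point at the target cluster; the namespace, release name and values file path are assumptions you can override.

```shell
#!/bin/sh
# Added example (not Rainbond's or NeuVector's own code): install NeuVector with
# the helm CLI using the values from the table above.
# Assumptions: helm and kubectl are installed and point at the target cluster.
set -eu

NAMESPACE="${NAMESPACE:-neuvector}"          # matches the Rainbond team created above
RELEASE="${RELEASE:-neuvector}"
VALUES_FILE="${VALUES_FILE:-${TMPDIR:-/tmp}/neuvector-values.yaml}"

# Write the values from the table as a values.yaml and print its path.
write_values() {
  cat > "$VALUES_FILE" <<'EOF'
registry: docker.io
tag: 5.0.0-preview.1
controller:
  image:
    repository: neuvector/controller.preview
enforcer:
  image:
    repository: neuvector/enforcer.preview
manager:
  image:
    repository: neuvector/manager.preview
  svc:
    type: ClusterIP   # keep the UI off a NodePort; it is exposed through Rainbond instead
cve:
  scanner:
    image:
      repository: neuvector/scanner.preview
  updater:
    image:
      repository: neuvector/updater.preview
EOF
  echo "$VALUES_FILE"
}

# Add the NeuVector chart repository (same URL as the Helm store above) and
# install or upgrade the "core" chart into the namespace.
install_neuvector() {
  helm repo add neuvector https://neuvector.github.io/neuvector-helm/ --force-update
  helm repo update
  helm upgrade --install "$RELEASE" neuvector/core \
    --namespace "$NAMESPACE" --create-namespace \
    --values "$VALUES_FILE"
}

# Equivalent of "confirm the pods are Running": block until every pod in the
# namespace is Ready (up to 5 minutes), then list them.
wait_for_neuvector() {
  kubectl -n "$NAMESPACE" wait pod --all --for=condition=Ready --timeout=300s
  kubectl -n "$NAMESPACE" get pods -o wide
}

# Usage: sh install-neuvector.sh install
if [ "${1:-}" = "install" ]; then
  write_values
  install_neuvector
  wait_for_neuvector
fi
```

Run it with the `install` argument; without an argument it only defines the functions so you can source it and call `write_values` to inspect the generated file first.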
After the installation, confirm that the pods are in the Running state.
<img src="https://static.goodrain.com/wechat/neuvector/5.png" style="zoom: 50%;" />
NeuVector provides a web UI. The installation creates the Service automatically; expose NeuVector's access port through a Rainbond third-party component.
<img src="https://static.goodrain.com/wechat/neuvector/6.png" style="zoom: 50%;" />
The options to configure are:
| Option | Value |
|---|---|
| Component name | neuvector-web |
| Component English name | neuvector |
| Component registration method | kubernetes |
| Namespace | neuvector |
| Service | neuvector-service-webui |
Once that is done, add and open port 8443 for external access. The default username and password are admin/admin; change the password on first login.
Note: the UI must be accessed over https. With that, the NeuVector installation is complete.
<img src="https://static.goodrain.com/wechat/neuvector/8.png" style="zoom: 50%;" />
NeuVector Best practices
Network traffic monitoring and management
The Network Activity view in NeuVector shows the traffic between every pod, together with the ports, the rule that applies and the direction of each flow.
A blue line is normal traffic recorded in Learn mode.
A yellow line is traffic recorded in Monitor mode; it needs manual review of the rules to decide whether to allow it.
A red line is traffic rejected in Protect mode; a rule can also be written to allow or block it explicitly.
Using Learn, Monitor and Protect modes
NeuVector groups support three modes: Learn, Monitor and Protect. Each mode does the following:
Learn mode
Learns and records the network connections and process executions between containers and hosts.
Automatically builds a whitelist of network rules that protects the application's normal network behaviour.
Sets a security baseline for the processes running in each service's containers and creates a process profile rule whitelist.
Monitor mode
NeuVector monitors the network and process activity of containers and hosts; any behaviour not recorded in Learn mode raises an alert in the NeuVector security events.
Protect mode
NeuVector monitors the network and process activity of containers and hosts; any behaviour not recorded in Learn mode is rejected outright.
From these three modes a production best practice follows. When a new service is about to go live, start it in Learn mode; after a learning period the container and host rules are recorded. Then switch to Monitor mode and run for a while to watch for unexpected network traffic and host processes: it records the unusual flows and raises alerts so you can confirm whether to allow them. Finally switch to Protect mode, so that malicious operations cannot cause unnecessary harm to the environment.
Vulnerability scanning of the cluster's image registry
The smallest unit Kubernetes deploys is the pod, and the most important part of a pod is its image. NeuVector can also scan images for vulnerabilities, so that images carrying known vulnerabilities are caught before they reach the cluster.
When Rainbond is used without an external image registry, it provides a default registry, goodrain.me, that stores the images of every application built through Rainbond. Scanning the images in this registry shows exactly which vulnerabilities the images the business depends on contain, before those vulnerabilities cause damage.
If Rainbond was connected to an external image registry whose domain name resolves, fill in that domain directly. goodrain.me itself cannot be resolved by NeuVector, so the matching record has to be added to the cluster CoreDNS manually to make sure NeuVector can reach it.
Edit coredns:
```shell
kubectl edit cm coredns -n kube-system
```
<img src="https://static.goodrain.com/wechat/neuvector/10.png" style="zoom:33%;" />
Get the IP that goodrain.me resolves to (the regex is quoted so the shell does not glob-expand it):
```shell
kubectl get rainbondcluster -n rbd-system -oyaml | egrep -v '[A-Za-z{}]'
```
Add the following inside the `.:53 { ... }` server block, replacing the IP with the one obtained above. `fallthrough` lets every other name continue to the remaining plugins:
```
    hosts {
        192.168.0.1 goodrain.me
        fallthrough
    }
```
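The same CoreDNS change done with a script instead of `kubectl edit`, as an added example that is not part of the original article. The `add_hosts_entry` function rewrites a Corefile read on stdin, replacing any existing `hosts` block so it is safe to re-run when the gateway IP changes, and `apply_coredns_hosts` pushes the result back into the ConfigMap and checks resolution from inside the cluster. The sample Corefile is constructed here for the offline demo, and the `.:53 { ... }` layout and the busybox check pod are assumptions.

```shell
#!/bin/sh
# Added example (not part of the article): add a goodrain.me hosts entry to the
# cluster CoreDNS Corefile idempotently instead of editing the ConfigMap by hand.
# Assumption: the Corefile has the usual single ".:53 { ... }" server block.
set -eu

# Constructed sample of a default kubeadm-style Corefile, used for the offline demo.
SAMPLE_COREFILE='.:53 {
    errors
    health {
       lameduck 5s
    }
    ready
    kubernetes cluster.local in-addr.arpa ip6.arpa {
       pods insecure
       fallthrough in-addr.arpa ip6.arpa
       ttl 30
    }
    prometheus :9153
    forward . /etc/resolv.conf {
       max_concurrent 1000
    }
    cache 30
    loop
    reload
    loadbalance
}'

# add_hosts_entry IP : reads a Corefile on stdin, writes the patched Corefile on stdout.
add_hosts_entry() {
  awk -v ip="$1" '
    # Drop a previous hosts block so re-running replaces rather than duplicates it.
    /^[[:space:]]*hosts[[:space:]]*\{/ { skipping = 1 }
    skipping { if ($0 ~ /^[[:space:]]*\}/) skipping = 0; next }
    { print }
    # Right after the server block opens, insert the static mapping.
    # "fallthrough" keeps every other name flowing to the kubernetes/forward plugins.
    /^\.:53[[:space:]]*\{/ {
      print "    hosts {"
      print "       " ip " goodrain.me"
      print "       fallthrough"
      print "    }"
    }
  '
}

# apply_coredns_hosts IP : patch the live ConfigMap. The "reload" plugin picks the
# change up; if it is absent, restart the coredns deployment afterwards.
apply_coredns_hosts() {
  tmp=$(mktemp)
  kubectl -n kube-system get configmap coredns -o jsonpath='{.data.Corefile}' \
    | add_hosts_entry "$1" > "$tmp"
  kubectl -n kube-system create configmap coredns --from-file=Corefile="$tmp" \
    --dry-run=client -o yaml | kubectl apply -f -
  rm -f "$tmp"
  # Verify from inside the cluster, where the NeuVector scanner will resolve the name.
  kubectl run dnscheck --rm -i --restart=Never --image=busybox -- nslookup goodrain.me
}

# Usage: sh coredns-goodrain.sh apply 192.168.0.1   (or no argument for the offline demo)
case "${1:-demo}" in
  apply) apply_coredns_hosts "$2" ;;
  demo)  printf '%s\n' "$SAMPLE_COREFILE" | add_hosts_entry "${2:-192.168.0.1}" ;;
esac
```

Plugin order in CoreDNS is fixed by the build, not by position in the Corefile, so the block only needs to be inside the server block; `fallthrough` is what keeps cluster and external names resolving as before.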
In the NeuVector web UI, select Assets > Registries on the left and add the registry.
The default user for goodrain.me is admin; get the password with:
```shell
kubectl get rainbondcluster -n rbd-system -oyaml | grep password | sed "1d"
```
After the scan, the image information is listed; click the name of an image to view its details.
Closing
With this article, you should be able to deploy the NeuVector container security platform on Rainbond and operate it following the best practices above. NeuVector can do far more than this, and it rewards continued exploration and practice.