Container Security Testing
Overview

Container security testing is a critical part of securing containerized applications. This skill provides methods, tools, and best practices for container security testing, covering container technologies such as Docker and Kubernetes. The checks are grouped by layer (image, runtime, orchestration) because each layer has its own failure modes and its own tooling.
Testing Scope

1. Image Security

Check items:
- Base image vulnerabilities
- Dependency (package) vulnerabilities
- Image configuration (tags, users, build instructions)
- Sensitive information baked into layers (keys, passwords, config files)

2. Runtime Security

Check items:
- Container privileges (root, privileged mode, capabilities)
- Resource limits
- Network isolation
- File system (host mounts, writable root filesystem)

3. Orchestration Security

Check items:
- Kubernetes configuration
- Service accounts
- RBAC
- Network policies
Docker Security Testing

Image Scanning

**Using Trivy:**
```bash
# Scan an image pulled from a registry
trivy image nginx:latest

# Scan an image tarball saved locally (docker save nginx:latest -o nginx.tar)
trivy image --input nginx.tar

# Show only HIGH and CRITICAL findings
trivy image --severity HIGH,CRITICAL nginx:latest
```
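The `--severity` filter above only narrows the output; a CI gate also needs an exit status. Trivy provides that natively (`trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed nginx:latest`), but when the policy is more involved (waivers, per-target rules, custom reporting) the JSON report from `trivy image --format json -o report.json nginx:latest` is the input to script against. The following is an added example, not code from the original skill or from the Trivy project: it parses a constructed report in Trivy's schema-version-2 layout and applies a gate. The package names, versions and `CVE-0000-*` identifiers in the sample are placeholders, not real advisories, and the waiver mechanism is the example's own.

```python
"""Gate a build on a Trivy JSON report (added example, not part of the original skill).

Input shape follows `trivy image --format json` (SchemaVersion 2): a top-level
"Results" list, each entry with a "Target" and an optional "Vulnerabilities" list.
"""
import json
import sys

# Constructed sample report. Package names/versions are illustrative and the
# CVE-0000-* identifiers are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "nginx:latest",
    "ArtifactType": "container_image",
    "Results": [
        {
            "Target": "nginx:latest (debian 12.5)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3",
                 "InstalledVersion": "3.0.11-1", "FixedVersion": "3.0.13-1",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "zlib1g",
                 "InstalledVersion": "1:1.2.13-1", "FixedVersion": "",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "tar",
                 "InstalledVersion": "1.34+dfsg-1", "FixedVersion": "1.34+dfsg-1.2",
                 "Severity": "MEDIUM"},
            ],
        },
        # Trivy omits "Vulnerabilities" entirely for a clean target.
        {"Target": "usr/share/nginx/html/app.jar", "Class": "lang-pkgs", "Type": "jar"},
    ],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def findings(report_json, min_severity="HIGH"):
    """Flatten Results[].Vulnerabilities[] into (target, id, package, severity, fixed_version)
    tuples at or above min_severity. Missing keys are tolerated, as in real reports."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity]
    rows = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            severity = vuln.get("Severity", "UNKNOWN")
            if SEVERITY_RANK.get(severity, 0) >= threshold:
                rows.append((result.get("Target", "?"), vuln["VulnerabilityID"],
                             vuln.get("PkgName", "?"), severity, vuln.get("FixedVersion", "")))
    return rows


def gate(report_json, min_severity="HIGH", require_fix=True, waived=()):
    """Return (passed, blocking). A finding blocks when it meets the severity threshold,
    is not in the waiver list, and (if require_fix) has a FixedVersion: unfixable
    findings are still listed by findings() but do not fail the build, which mirrors
    Trivy's --ignore-unfixed."""
    blocking = [row for row in findings(report_json, min_severity)
                if row[1] not in waived and (row[4] or not require_fix)]
    return (not blocking, blocking)


def main():
    # Read a real report from stdin when piped; fall back to the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    for target, vid, pkg, severity, fixed in findings(raw):
        print(f"{severity:<8} {vid:<15} {pkg:<12} fix: {fixed or 'none'}   [{target}]")
    passed, blocking = gate(raw)
    print("GATE:", "PASS" if passed else f"FAIL ({len(blocking)} blocking)")
    sys.exit(0 if passed else 1)


if __name__ == "__main__":
    main()
```

`trivy image --format json nginx:latest | python3 trivy_gate.py` runs the gate against a real report; `trivy fs` and `trivy sbom` produce the same `Results` layout, so the same script gates filesystem and SBOM scans.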
**Using Clair:**
```bash
# Start a Clair server. "clair:latest" is a placeholder reference: use the Clair image
# you actually deploy, and note that Clair also needs a PostgreSQL database and a config file
docker run -d --name clair clair:latest

# Scan an image with clair-scanner. --ip is the address the Clair container uses to fetch
# layers back from the scanner, so it must be reachable from Clair, not just from your shell
clair-scanner --ip 192.168.1.100 nginx:latest
```
**Using Docker Bench:**
```bash
# Run the CIS Docker Benchmark checks against the host. The benchmark container needs the
# host PID/network/user namespaces and the Docker socket, so it is itself highly privileged:
# run it only on hosts you are authorized to audit
docker run --rm --net host --pid host --userns host --cap-add audit_control \
  -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
  -v /etc:/etc:ro \
  -v /usr/bin/containerd:/usr/bin/containerd:ro \
  -v /usr/bin/runc:/usr/bin/runc:ro \
  -v /usr/lib/systemd:/usr/lib/systemd:ro \
  -v /var/lib:/var/lib:ro \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  --label docker_bench_security \
  docker/docker-bench-security
```

The published `docker/docker-bench-security` image lags the script in the upstream repository; if results look stale, clone the repository and run `docker-bench-security.sh` directly on the host.
Container Configuration Check

**Checking a Dockerfile:**
```dockerfile
# Example of an insecure Dockerfile
FROM ubuntu:latest                               # floating "latest" tag: builds are not reproducible
RUN apt-get update && apt-get install -y curl    # package version not pinned
COPY . /app                                      # may copy sensitive files (.git, .env, keys) from the build context
ENV PASSWORD=secret                              # hardcoded credential, visible in `docker history` and in every container
USER root                                        # runs as root
```

**Security best practices** (fragments, not a single Dockerfile):
```dockerfile
# Pin the base image to a specific version (or a digest)
FROM ubuntu:20.04

# Pin package versions. Ubuntu removes superseded versions from the archive when a
# security update ships, so pinned versions must be bumped as part of patching
RUN apt-get update && apt-get install -y curl=7.68.0-1ubuntu2.7

# Run as a non-root user (useradd on Debian/Ubuntu; `adduser -D appuser` on Alpine)
RUN useradd -m appuser
USER appuser

# Prefer a minimal base image
FROM alpine:3.15

# Multi-stage build: only the compiled binary reaches the final image
FROM golang:1.18 AS builder
WORKDIR /app
COPY . .
RUN CGO_ENABLED=0 go build -o app   # static binary, so it runs on musl-based Alpine

FROM alpine:3.15
RUN adduser -D appuser
COPY --from=builder /app/app /app
USER appuser                         # the final stage, not just the builder, must drop root
```
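A vulnerability scanner finds outdated packages but not the Dockerfile mistakes listed above; those are a static-analysis job (hadolint covers much of this in practice). The following is an added example, not code from the original skill or from any linter project: a small checker for exactly the five anti-patterns in the insecure Dockerfile, run against that Dockerfile and against a hardened multi-stage variant assembled from the best-practice fragments. The check names, the secret-name pattern and the uid 10001 in the hardened sample are the example's own choices.

```python
"""Static checks for the Dockerfile anti-patterns above (added example, not part of the original skill)."""
import re

# Constructed sample: the insecure Dockerfile from this page.
INSECURE_DOCKERFILE = """\
FROM ubuntu:latest
RUN apt-get update && apt-get install -y curl
COPY . /app
ENV PASSWORD=secret
USER root
"""

# Constructed sample: a hardened multi-stage variant of the best-practice fragments.
HARDENED_DOCKERFILE = """\
FROM golang:1.18 AS builder
WORKDIR /app
COPY . .
RUN CGO_ENABLED=0 go build -o app

FROM alpine:3.15
RUN adduser -D -u 10001 appuser
COPY --from=builder /app/app /app
USER appuser
ENTRYPOINT ["/app"]
"""

# Variable names that usually carry credentials; anchored on "_" so BYPASS_CACHE does not match.
SECRET_NAME = re.compile(r"(^|_)(PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)(_|$)", re.IGNORECASE)
PKG_INSTALL = re.compile(r"(?:apt-get install|apk add)\s+(.*?)(?:&&|\|\||;|$)")


def parse(dockerfile):
    """Return (lineno, INSTRUCTION, argument) triples, joining backslash continuations
    and skipping comments and blank lines."""
    instructions, buf, start = [], "", 0
    for lineno, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if not buf:
            start = lineno
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        inst, _, arg = buf.partition(" ")
        instructions.append((start, inst.upper(), arg.strip()))
        buf = ""
    return instructions


def lint(dockerfile):
    """Return [(lineno, check, detail)] for the five anti-patterns; [] when clean."""
    stages = []  # one instruction list per FROM; only the last stage ships in the image
    for item in parse(dockerfile):
        if item[1] == "FROM" or not stages:
            stages.append([])
        stages[-1].append(item)
    if not stages:
        return []
    issues = []
    for stage in stages:
        is_final = stage is stages[-1]
        for lineno, inst, arg in stage:
            if inst == "FROM":
                image = arg.split()[0]
                ref = image.rsplit("/", 1)[-1]  # drop registry[:port]/repo so a port colon is not read as a tag
                if image != "scratch" and "@sha256:" not in image and (":" not in ref or ref.endswith(":latest")):
                    issues.append((lineno, "unpinned-base-image", image))
            elif inst == "RUN":
                for match in PKG_INSTALL.finditer(arg):
                    pkgs = [t for t in match.group(1).split() if not t.startswith("-")]
                    unpinned = [p for p in pkgs if "=" not in p]
                    if unpinned:
                        issues.append((lineno, "unpinned-packages", " ".join(unpinned)))
            elif inst in ("COPY", "ADD") and is_final:
                # Copying the whole context into the shipped stage drags in .git, .env, keys, etc.
                src = [t for t in arg.split() if not t.startswith("--")]
                if src and src[0] == ".":
                    issues.append((lineno, "copies-whole-context", arg))
            elif inst in ("ENV", "ARG"):
                tokens = arg.split()
                keys = [t.split("=", 1)[0] for t in tokens if "=" in t]
                if inst == "ENV" and not keys and tokens:  # legacy `ENV KEY value` form
                    keys = tokens[:1]
                for key in keys:
                    if SECRET_NAME.search(key):
                        issues.append((lineno, "secret-in-image-metadata", key))
        if is_final:
            users = [(lineno, arg) for lineno, inst, arg in stage if inst == "USER"]
            if not users:
                issues.append((stage[0][0], "runs-as-root", "no USER instruction in final stage"))
            elif users[-1][1].split(":")[0] in ("root", "0"):
                issues.append((users[-1][0], "runs-as-root", users[-1][1]))
    return issues


if __name__ == "__main__":
    for name, content in (("insecure", INSECURE_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        found = lint(content)
        print(f"== {name}: {len(found)} issue(s)")
        for lineno, check, detail in found:
            print(f"  line {lineno}: {check}: {detail}")
```

The `COPY .` check only fires in the final stage because files copied into a builder stage do not ship; a `.dockerignore` is still needed so that secrets in the build context never reach the build cache at all.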
Runtime Check

**Checking container privileges:**
```bash
# Find privileged containers. Privileged mode is a HostConfig field, not a label,
# so a `docker ps --filter label=...` query would miss it; inspect every running container instead
docker inspect --format '{{.Name}} privileged={{.HostConfig.Privileged}} caps={{.HostConfig.CapAdd}}' $(docker ps -q)

# Check host directories mounted into a container
docker inspect container_name | grep -A 10 Mounts

# Check container networking
docker network inspect network_name
```

**Checking resource limits:**
```bash
# Live memory usage; the LIMIT column shows the host total when no memory limit is set
docker stats container_name

# CPU limits (a value of 0 means unlimited)
docker inspect container_name | grep -i cpu
```
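The settings these checks look for (privileged mode, added capabilities, host namespaces, host mounts, limits) all live in the `HostConfig` and `Mounts` sections of `docker inspect`, which is JSON, so it is simpler to audit every running container in one pass than to grep each one. The following is an added example, not code from the original skill or from the Docker project: it audits a constructed `docker inspect` array for the runtime checks in this section. The sensitive-path and dangerous-capability lists are the example's own judgement calls, not a Docker- or CIS-defined list, and the container names are illustrative.

```python
"""Audit `docker inspect` output for the runtime checks above (added example, not part of the original skill)."""
import json
import sys

# Host paths that hand a container control over the host when bind-mounted (example's own list).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/sys", "/dev", "/boot", "/root",
                        "/var/lib/docker", "/var/run/docker.sock", "/run/docker.sock")
# Capabilities that are close to root-equivalent once granted (example's own list).
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO",
                  "NET_ADMIN", "DAC_READ_SEARCH", "DAC_OVERRIDE"}

# Constructed sample in the shape of `docker inspect $(docker ps -q)`; only the fields
# the audit reads are included, and names/values are illustrative.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/ci-runner",
     "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"], "Memory": 0, "NanoCpus": 0,
                    "CpuQuota": 0, "PidMode": "host", "NetworkMode": "host", "IpcMode": "private"},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock", "RW": True},
                {"Type": "bind", "Source": "/etc", "Destination": "/host-etc", "RW": False}]},
    {"Name": "/web",
     "HostConfig": {"Privileged": False, "CapAdd": None, "Memory": 268435456, "NanoCpus": 500000000,
                    "CpuQuota": 0, "PidMode": "", "NetworkMode": "bridge", "IpcMode": "private"},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/web-data/_data", "Destination": "/data", "RW": True}]},
])


def is_sensitive_host_path(source):
    """True when `source` is one of the sensitive host paths or lies underneath one."""
    if source == "/":
        return True
    return any(source == p or source.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")


def audit_container(entry):
    """Return [(check, detail)] for one `docker inspect` entry."""
    host = entry.get("HostConfig") or {}
    findings = []
    if host.get("Privileged"):
        findings.append(("privileged", "--privileged disables most isolation"))
    for cap in host.get("CapAdd") or []:
        name = cap.upper()
        name = name[4:] if name.startswith("CAP_") else name  # Docker accepts both spellings
        if name in DANGEROUS_CAPS:
            findings.append(("dangerous-capability", cap))
    for mode, check in (("PidMode", "host-pid"), ("NetworkMode", "host-network"), ("IpcMode", "host-ipc")):
        if host.get(mode) == "host":
            findings.append((check, f"{mode}=host"))
    for mount in entry.get("Mounts") or []:
        # Named volumes live under /var/lib/docker/volumes but are not host exposure; only bind mounts count.
        if mount.get("Type") == "bind" and is_sensitive_host_path(mount.get("Source", "")):
            access = "rw" if mount.get("RW") else "ro"
            findings.append(("sensitive-host-mount", f"{mount['Source']} -> {mount.get('Destination')} ({access})"))
    if not host.get("Memory"):
        findings.append(("no-memory-limit", "Memory=0: container can exhaust host RAM"))
    if not host.get("NanoCpus") and not host.get("CpuQuota"):
        findings.append(("no-cpu-limit", "NanoCpus=0 and CpuQuota=0"))
    return findings


def audit(inspect_json):
    """Map container name -> findings for a whole `docker inspect` JSON array."""
    return {entry.get("Name", "?"): audit_container(entry) for entry in json.loads(inspect_json)}


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, findings in audit(raw).items():
        print(f"{name}: {'clean' if not findings else ''}")
        for check, detail in findings:
            print(f"  {check}: {detail}")
```

Run it on a live host with `docker inspect $(docker ps -q) | python3 docker_audit.py`. A read-only mount of `/etc` is still reported: `/etc/shadow` and host credentials are readable, and read-only bind mounts are the classic way a "harmless" debug container ends up with host secrets.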
Kubernetes Security Testing

Configuration Check

**Using kube-bench (CIS Kubernetes Benchmark):**
```bash
# Run kube-bench on a node (it reads kubelet and control-plane config files, so it runs on the node, not from a laptop)
kube-bench run

# Check specific benchmark targets
kube-bench run --targets master,node,etcd
```

**Using kube-hunter:**
```bash
# Remote scan of a target; passive by default (discovery only)
kube-hunter --remote target-ip

# Active mode also attempts to exploit what it finds: use only with explicit authorization and never against production
kube-hunter --active
```
Pod Security

Pod Security Policies (PSP) were removed in Kubernetes 1.25; current clusters enforce the same class of checks through Pod Security Admission (the `pod-security.kubernetes.io/enforce` namespace label). Either way, the Pod and container `securityContext` fields below are what gets evaluated.

**Checking a Pod's security context:**
```yaml
# Insecure Pod configuration
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: app
    image: nginx
    securityContext:
      privileged: true   # privileged mode: host devices and most isolation gone, effectively root on the node
      runAsUser: 0       # root user
```

**Secure configuration:**
```yaml
apiVersion: v1
kind: Pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 2000
  containers:
  - name: app
    image: nginx
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true   # the stock nginx image writes to /var/cache/nginx and /var/run; give those paths emptyDir volumes
      capabilities:
        drop:
        - ALL
        add:
        - NET_BIND_SERVICE           # only needed if the process must bind a port below 1024
```
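The two manifests differ in several fields at once, and in a real cluster the pod-level and container-level `securityContext` must be merged before you know what a container actually runs with (container fields override pod fields for keys that exist at both levels). The following is an added example, not code from the original skill or from Kubernetes: it audits a Pod manifest for the settings this section discusses, using the "restricted" Pod Security Standard as the yardstick, over the two manifests above written as the dicts `yaml.safe_load()` would return (PyYAML is not needed). The check names are the example's own. It surfaces one gap in the hardened manifest: no `seccompProfile`, which the restricted standard requires.

```python
"""Check a Pod's effective security context (added example, not part of the original skill)."""

# Constructed samples: the two manifests above, as the dicts yaml.safe_load() would produce.
INSECURE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "insecure"},
    "spec": {"containers": [
        {"name": "app", "image": "nginx",
         "securityContext": {"privileged": True, "runAsUser": 0}}]},
}

SECURE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "secure"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "fsGroup": 2000},
        "containers": [
            {"name": "app", "image": "nginx",
             "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                                 "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}]},
}

# The only capability the "restricted" Pod Security Standard allows a container to add back.
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}


def effective_context(pod_spec, container):
    """Merge pod-level and container-level securityContext; container values win for the
    keys defined at both levels (runAsUser, runAsNonRoot, seccompProfile, ...)."""
    ctx = dict(pod_spec.get("securityContext") or {})
    ctx.update(container.get("securityContext") or {})
    return ctx


def audit_pod(manifest):
    """Return [(scope, check, detail)] for a Pod manifest; [] means it meets every check here."""
    spec = manifest["spec"]
    findings = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(("pod", flag, "shares the host namespace"))
    containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
    for container in containers:
        name, ctx = container["name"], effective_context(spec, container)
        if ctx.get("privileged"):
            findings.append((name, "privileged", "full access to host devices"))
        if ctx.get("runAsUser") == 0:
            findings.append((name, "runs-as-root", "runAsUser: 0"))
        elif ctx.get("runAsUser") is None and ctx.get("runAsNonRoot") is not True:
            findings.append((name, "may-run-as-root", "neither runAsUser nor runAsNonRoot set; the image USER decides"))
        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append((name, "privilege-escalation-allowed", "allowPrivilegeEscalation not false (setuid binaries can regain root)"))
        caps = ctx.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            findings.append((name, "capabilities-not-dropped", "capabilities.drop lacks ALL"))
        extra = set(caps.get("add") or []) - ALLOWED_ADDED_CAPS
        if extra:
            findings.append((name, "extra-capability", ", ".join(sorted(extra))))
        if ctx.get("readOnlyRootFilesystem") is not True:
            findings.append((name, "writable-root-filesystem", "readOnlyRootFilesystem not true"))
        if (ctx.get("seccompProfile") or {}).get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append((name, "seccomp-profile-missing", "restricted PSS requires RuntimeDefault or Localhost"))
    return findings


if __name__ == "__main__":
    for manifest in (INSECURE_POD, SECURE_POD):
        findings = audit_pod(manifest)
        print(f"{manifest['metadata']['name']}: {len(findings)} finding(s)")
        for scope, check, detail in findings:
            print(f"  {scope}: {check}: {detail}")
```

Against a live cluster, feed it each entry of `kubectl get pods -A -o json` (`["items"]`); Deployments and other workloads carry the same fields under `spec.template`.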
RBAC Check

**Checking role permissions:**
```bash
# List all roles
kubectl get roles --all-namespaces

# Check role bindings
kubectl get rolebindings --all-namespaces

# Check cluster roles
kubectl get clusterroles

# Check what a service account is allowed to do
kubectl auth can-i --list --as=system:serviceaccount:default:sa-name
```

**Common issues:**
- Excessive permissions (wildcard verbs or resources, cluster-admin bound to service accounts)
- Unused roles
- Unused service accounts
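`kubectl auth can-i --list` answers the question for one subject at a time. Finding every subject with dangerous rights means resolving each binding's `roleRef` back to the rules it grants, across ClusterRoleBindings as well as RoleBindings (the listing commands above omit `clusterrolebindings`, which is where cluster-wide grants live; a RoleBinding may also reference a ClusterRole, in which case the grant applies within that one namespace). The following is an added example, not code from the original skill or from Kubernetes: it does that resolution over constructed `kubectl ... -o json` items and flags cluster-admin, wildcards, secret reads, pod exec, the impersonate/escalate/bind verbs, and bindings to the broad `system:authenticated`-style groups. The risk categories and the role and binding names are the example's own.

```python
"""Find risky RBAC bindings from kubectl JSON (added example, not part of the original skill)."""
import json

# Constructed samples in the shape of the "items" of
#   kubectl get clusterroles,roles -A -o json
#   kubectl get clusterrolebindings,rolebindings -A -o json
# Names and namespaces are illustrative.
SAMPLE_ROLES = json.dumps([
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "configmap-viewer", "namespace": "app"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "watch"]}]},
])
SAMPLE_BINDINGS = json.dumps([
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "default"}]},
    {"kind": "RoleBinding", "metadata": {"name": "read-secrets", "namespace": "prod"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "view-cm", "namespace": "app"},
     "roleRef": {"kind": "Role", "name": "configmap-viewer"},
     "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "app"}]},
])

BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}
ESCALATION_VERBS = {"impersonate", "escalate", "bind"}
READ_VERBS = {"get", "list", "watch", "*"}


def rule_risks(rule):
    """Classify one PolicyRule; returns a set of reason strings (empty when unremarkable)."""
    verbs = set(rule.get("verbs") or [])
    resources = set(rule.get("resources") or [])
    reasons = set()
    if "*" in verbs or "*" in resources:
        reasons.add("wildcard")
    if "secrets" in resources and verbs & READ_VERBS:
        reasons.add("secrets-read")
    if resources & {"pods/exec", "pods/attach"} and verbs & {"create", "*"}:
        reasons.add("pod-exec")
    if verbs & ESCALATION_VERBS:
        reasons.add("privilege-escalation-verb")
    return reasons


def risky_bindings(roles_json, bindings_json):
    """Resolve each binding's roleRef and return [(binding, scope, subject, role, reasons)]
    for every subject that receives a risky rule or is itself a broad group."""
    roles = {}
    for role in json.loads(roles_json):
        meta = role["metadata"]
        roles[(role["kind"], meta.get("namespace", ""), meta["name"])] = role.get("rules") or []
    results = []
    for binding in json.loads(bindings_json):
        ref, meta = binding["roleRef"], binding["metadata"]
        scope = meta.get("namespace", "cluster")
        # A RoleBinding may reference a ClusterRole; the grant is then limited to the binding's namespace.
        rule_ns = "" if ref["kind"] == "ClusterRole" else meta.get("namespace", "")
        reasons = {"cluster-admin"} if ref["name"] == "cluster-admin" else set()
        for rule in roles.get((ref["kind"], rule_ns, ref["name"]), []):
            reasons |= rule_risks(rule)
        for subject in binding.get("subjects") or []:
            subj_reasons = set(reasons)
            if subject["kind"] == "Group" and subject["name"] in BROAD_GROUPS:
                subj_reasons.add("broad-subject")
            if subj_reasons:
                ns = subject.get("namespace")
                label = f"{subject['kind']} {ns + '/' if ns else ''}{subject['name']}"
                results.append((meta["name"], scope, label, ref["name"], sorted(subj_reasons)))
    return results


if __name__ == "__main__":
    for binding, scope, subject, role, reasons in risky_bindings(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print(f"{binding:<14} scope={scope:<8} {subject:<32} role={role:<14} {', '.join(reasons)}")
```

Every hit should then be confirmed with `kubectl auth can-i --list --as=...` for the subject in question, which also accounts for aggregated ClusterRoles and webhook authorizers that a static pass over the objects cannot see.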
Network Policies

**Checking network policies:**
```bash
# List all network policies
kubectl get networkpolicies --all-namespaces

# Inspect a policy's configuration
kubectl describe networkpolicy policy-name -n namespace
```

**Network policy example (default deny for every pod in the namespace):**
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}    # empty selector: applies to every pod in the namespace
  policyTypes:
  - Ingress
  - Egress           # no ingress/egress rules are listed, so both directions are denied; allow rules go in separate policies
```

NetworkPolicy objects are only enforced when the cluster's CNI plugin implements them (Calico, Cilium and similar do; flannel alone does not). Confirm the CNI before treating a policy as a control, and verify with a test pod that traffic is actually blocked.
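Listing policies is not the same as knowing which namespaces are protected: a policy with `podSelector: {}` and no rule list denies, the same policy with `ingress: [{}]` allows everything, a policy scoped by labels is not a namespace default, and `policyTypes` has defaulting rules of its own (Ingress always; Egress only when an `egress` section is present). The following is an added example, not code from the original skill or from Kubernetes: it reads constructed `kubectl get namespaces -o json` and `kubectl get networkpolicies -A -o json` items and reports every namespace lacking a default-deny policy for ingress or egress, applying those semantics. Namespace and policy names are illustrative.

```python
"""Report namespaces lacking a default-deny NetworkPolicy (added example, not part of the original skill)."""
import json

# Constructed samples in the shape of the "items" of `kubectl get namespaces -o json`
# and `kubectl get networkpolicies -A -o json`; names are illustrative.
SAMPLE_NAMESPACES = json.dumps([{"metadata": {"name": n}} for n in ("prod", "staging", "dev", "kube-system")])
SAMPLE_POLICIES = json.dumps([
    # prod: the default-deny policy from this page, so both directions are denied.
    {"metadata": {"name": "default-deny", "namespace": "prod"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    # staging: ingress denied, egress not covered at all.
    {"metadata": {"name": "deny-ingress", "namespace": "staging"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    # dev: looks like default-deny, but `ingress: [{}]` is an allow-all rule, so only egress is denied.
    {"metadata": {"name": "allow-all-ingress", "namespace": "dev"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"], "ingress": [{}]}},
    # dev: a policy scoped to some pods does not count as a namespace default.
    {"metadata": {"name": "db-only", "namespace": "dev"},
     "spec": {"podSelector": {"matchLabels": {"app": "db"}}, "policyTypes": ["Ingress"]}},
])


def policy_types(spec):
    """policyTypes as Kubernetes defaults it: Ingress always, Egress only if an egress section exists."""
    types = spec.get("policyTypes")
    if types is None:
        types = ["Ingress"] + (["Egress"] if "egress" in spec else [])
    return set(types)


def selects_all_pods(spec):
    """`podSelector: {}` (or one with empty matchLabels/matchExpressions) selects every pod."""
    selector = spec.get("podSelector") or {}
    return not selector.get("matchLabels") and not selector.get("matchExpressions")


def is_default_deny(spec, direction):
    """A policy denies `direction` ("Ingress"/"Egress") for every pod when it selects all pods,
    lists that direction in policyTypes, and has no rules for it (an empty rule {} allows all)."""
    return (direction in policy_types(spec) and selects_all_pods(spec)
            and not spec.get(direction.lower()))


def default_deny_coverage(namespaces_json, policies_json):
    """Map namespace -> {"Ingress": bool, "Egress": bool}."""
    coverage = {ns["metadata"]["name"]: {"Ingress": False, "Egress": False}
                for ns in json.loads(namespaces_json)}
    for policy in json.loads(policies_json):
        ns = policy["metadata"]["namespace"]
        spec = policy.get("spec") or {}
        for direction in ("Ingress", "Egress"):
            if ns in coverage and is_default_deny(spec, direction):
                coverage[ns][direction] = True
    return coverage


def missing_default_deny(namespaces_json, policies_json):
    """Sorted (namespace, direction) pairs that have no default-deny policy."""
    return sorted((ns, d) for ns, dirs in default_deny_coverage(namespaces_json, policies_json).items()
                  for d, covered in dirs.items() if not covered)


if __name__ == "__main__":
    for ns, direction in missing_default_deny(SAMPLE_NAMESPACES, SAMPLE_POLICIES):
        print(f"{ns}: no default-deny {direction} policy")
```

A namespace that passes this check still needs an explicit egress allow for DNS (`kube-dns` on UDP/TCP 53), otherwise the default-deny breaks name resolution for every pod in it; that is the usual first symptom when a policy is applied to a namespace that was not tested first.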
Tool Usage

Falco

**Runtime security monitoring:**
```bash
# Install Falco
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco

# Run Falco with a custom rules directory
falco -r /etc/falco/rules.d/
```

Aqua Security

```bash
# Scan an image
aqua image scan nginx:latest

# Scan a Kubernetes cluster
aqua k8s scan
```

Aqua's commercial CLI is versioned separately from Trivy (its open-source scanner, shown above), so confirm the exact subcommands against the CLI version you have installed.

Snyk

```bash
# Scan a container image (newer CLI versions spell this `snyk container test nginx:latest`)
snyk test --docker nginx:latest

# Scan Kubernetes manifests (infrastructure as code)
snyk iac test k8s/
```
Testing Checklist

Image Security

- Scan base images for vulnerabilities
- Scan dependencies for vulnerabilities
- Check Dockerfile configuration
- Check for sensitive information leakage

Runtime Security

- Check container privileges
- Check resource limits
- Check network isolation
- Check file system mounts

Orchestration Security

- Check Kubernetes configuration
- Check RBAC configuration
- Check network policies
- Check Pod security settings (Pod Security Admission and securityContext; Pod Security Policies on clusters before 1.25)
Common Security Issues

1. Image Vulnerabilities

Issues:
- Base images contain vulnerabilities
- Dependencies contain vulnerabilities
- Images are not rebuilt when fixes are published

Fixes:
- Scan images regularly and on every build
- Update base images promptly
- Use minimal images (fewer packages, fewer vulnerabilities)

2. Excessive Permissions

Issues:
- Containers run as root
- Privileged mode enabled
- Sensitive host directories mounted (for example /, /etc or the Docker socket)

Fixes:
- Use non-root users
- Disable privileged mode and drop capabilities
- Restrict file system access (read-only root filesystem, no sensitive host mounts)

3. Misconfiguration

Issues:
- Insecure default configurations
- Missing network policies
- Incorrect RBAC configuration

Fixes:
- Follow security best practices (the CIS benchmarks run by Docker Bench and kube-bench)
- Implement network policies (default deny, then explicit allows)
- Configure RBAC with least privilege

4. Sensitive Information Leakage

Issues:
- Images contain secrets (in layers or build history)
- Secrets exposed through environment variables
- Configuration files with credentials copied into the image

Fixes:
- Use a secret manager
- Avoid hardcoding credentials in Dockerfiles and manifests
- Use Kubernetes Secret objects, mounted as files rather than environment variables where possible
Best Practices

1. Image Security

- Use official base images
- Update images regularly
- Scan images for vulnerabilities
- Minimize image size

2. Runtime Security

- Use non-root users
- Restrict container privileges
- Implement resource limits
- Set a security context (non-root, no privilege escalation, dropped capabilities)

3. Orchestration Security

- Configure network policies
- Implement RBAC
- Enforce Pod security standards (Pod Security Admission; Pod Security Policies on clusters before 1.25)
- Enable audit logs
Notes

- Only test in authorized environments
- Avoid impacting production environments (kube-hunter's active mode and Docker Bench need host-level access; prefer a staging cluster)
- Account for differences between container platforms and runtimes
- Run security scans regularly, not only once