010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101012018 绿盟科技容器安全技术报告绿盟科技官方微信© 2018 绿盟科技绿盟科技星云实验室关于绿盟科技北京神州绿盟信息安全科技股份有限公司（以下简称绿盟科技），成立于 2000 年 4 月，总部位于北京。在国内外设有 40 多个分支机构，为政府、运营商、金融、能源、互联网以及教育、医疗等行业用户，提供具有核心竞争力的安全产品及解决方案，帮助客户实现业务的安全顺畅运行。基于多年的安全攻防研究，绿盟科技在检测防御类、安全评估类、安全平台类、远程安全运维服务、安全 SaaS 服务等领域，为客户提供入侵检测 / 防护、抗拒绝服务攻击、远程安全评估以及 Web 安全防护等产品以及安全运营等专业安全服务。北京神州绿盟信息安全科技股份有限公司于 2014 年 1 月 29 日起在深圳证券交易所创业板上市交易，股票简称：绿盟科技，股票代码：300369 。关于 NeuVectorNeuVector 是最早开发 Docker/Kubernetes 安全产品的公司，是 Kubernetes 网络安全的领导者，是第一也是目前唯一的多矢量容器安全平台发明者。NeuVector 致力于保障企业级容器平台安全，产品适用于各种云环境、跨云或者本地部署等容器生产环境。 NeuVector 提供实时深入的容器网络可视化、东西向容器网络监控、主动隔离和保护、容器主机安全以及容器内部安全。和容器管理平台无缝集成并且实现应用级容器安全的自动化。NeuVector 的客户涵盖了全球各个领域的大型领导企业：金融行业、医疗保险行业、出版业、新兴的互联网企业等等。 NeuVector 的技术以及商业合作伙伴包括： AWS、Docker、Google、IBM、Rancher、Red Hat 、阿里云等等。 NeuVector 拥有丰富经验的创始团队，来自于各个硅谷的知名公司，包括 Fortinet、VMware、Trend Micro、Symantec、Juniper 等等。NeuVector 在行为学习、网络安全、数据安全、容器安全等领域拥有多项美国技术专利。010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101012018 绿盟科技容器安全技术报告绿盟科技官方微信2018 绿盟科技容器安全技术报告绿盟科技星云实验室2018 年 10 月CONTAINER SECURITY2018 绿盟科技容器安全技术报告绿盟科技官方微信010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101012018 绿盟科技容器安全技术报告绿盟科技官方微信B2018 绿盟科技容器安全技术报告目录前言 ························································································································ 11. 概述 ···················································································································· 21.1 容器与虚拟化 ·················································································································· 31.2 容器发展历程 ··················································································································· 41.3 容器安全 ··························································································································· 52. 容器基础 ············································································································ 82.1 容器镜像 ··························································································································· 92.1.1 镜像简介 ·································································································································· 92.1.2 镜像特点 ·································································································································· 92.1.3 镜像的构建 ···························································································································· 102.1.4 镜像仓库 ································································································································ 112.1.5 镜像的使用 ···························································································································· 122.2 容器存储 ························································································································· 132.2.1 镜像元数据 ···························································································································· 132.2.2 存储驱动 ································································································································ 132.2.3 数据卷 ···································································································································· 142.3 容器网络 ························································································································· 152.3.1 容器网络支撑技术 ················································································································ 152.3.2 主机网络 ································································································································ 162.3.3 集群网络 ································································································································ 182.4 容器管理与应用 ············································································································ 222.4.1 容器管理 ································································································································ 222.4.2 容器使用场景 ························································································································ 283. 安全风险和挑战 ······························································································· 323.1 脆弱性和安全风险分析 ································································································ 333.1.1 软件风险 ································································································································ 333.1.2 API 接口安全 ························································································································· 353.1.3 不安全的镜像 ························································································································ 403.1.4 容器隔离失效 ························································································································ 412018 绿盟科技容器安全技术报告绿盟科技官方微信010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101012018 绿盟科技容器安全技术报告绿盟科技官方微信C2018 绿盟科技容器安全技术报告绿盟科技官方微信3.2 安全威胁分析 ·················································································································413.2.1 容器逃逸攻击 ························································································································ 413.2.2 容器网络攻击 ························································································································ 413.2.3 拒绝服务攻击 ························································································································ 423.3 容器应用安全威胁 ········································································································ 433.3.1 微服务安全 ···························································································································· 433.3.2 DevOps 安全 ························································································································· 434. 安全容器防护 ·································································································· 444.1 Linux 内核安全机制 ······································································································ 454.1.1 内核命名空间 ························································································································ 454.1.2 控制组 ···································································································································· 454.1.3 内核功能限制（Capabilities ）机制 ··················································································· 454.1.4 其它内核安全机制 ················································································································ 464.2 容器服务安全 ················································································································ 474.3 主机安全 ························································································································· 484.3.1 主机基本安全加固建议 ········································································································ 484.3.2 容器相关安全加固建议 ········································································································ 494.4 镜像安全 ························································································································· 504.4.1 镜像构建安全 ························································································································ 504.4.2 镜像仓库安全 ························································································································ 514.4.3 镜像扫描 ································································································································ 514.4.4 镜像传输安全 ························································································································ 524.5 容器网络安全 ················································································································ 524.5.1 网络自身安全机制 ················································································································ 524.5.2 容器网络安全防护 ················································································································ 604.6 运行时安全 ····················································································································· 634.6.1 容器启动安全配置 ················································································································ 634.6.2 运行时安全监控与审计 ········································································································ 674.7 编排安全 ························································································································· 714.7.1 Kubernetes 安全防护 ··········································································································· 714.8 应用安全 ························································································································· 744.8.1 微服务安全 ···························································································································· 744.8.2 DevOps 安全 ························································································································· 752018 绿盟科技容器安全技术报告绿盟科技官方微信010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101012018 绿盟科技容器安全技术报告绿盟科技官方微信D2018 绿盟科技容器安全技术报告5. 案例介绍 ·········································································································· 785.1 Kubernetes 开源安全工具 ··························································································· 795.1.1 Kubernetes 原生网络策略 ··································································································· 795.1.2 Istio ·········································································································································795.1.3 Grafeas ·································································································································· 825.1.4 Clair ········································································································································825.1.5 CIS Benchmarks ··················································································································· 845.1.6 TUF & Notary ······················································································································· 865.1.7 Spiffe ······································································································································ 875.1.8 Open Policy Agent（OPA ） ································································································ 875.2 NeuVector ······················································································································885.2.1 云原生容器部署 ···················································································································· 885.2.2 容器环境可视化 ···················································································································· 885.2.3 安全审计 ································································································································ 895.2.4 多维度全面防护 ···················································································································· 905.3 StackRox ························································································································915.3.1 StackRox Prevent（预防检测） ························································································· 915.3.2 StackRox Detect & Respond（监控和响应） ·································································· 936. 总结 ·················································································································· 957. 参考文献 ·········································································································· 96特别声明为避免合作伙伴及客户数据泄露，所有数据在进行分析前都已经过匿名化处理，不会在中间环节出现泄露，任何与客户有关的具体信息，均不会出现在本报告中。2018 绿盟科技容器安全技术报告绿盟科技官方微信010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101012018 绿盟科技容器安全技术报告绿盟科技官方微信12018 绿盟科技容器安全技术报告绿盟科技官方微信前言容器技术通过共享主机操作系统内核，实现轻量的资源虚拟化和隔离，近年来在 DevOps、微服务等领域有着广泛的应用。然而在容器技术被广泛接受和使用的同时，容器以及容器运行环境的安全成为了亟待研究和解决的问题。为了进一步了解容器以及容器环境的安全威胁，为使用容器的用户提供安全防护建议。北京神州绿盟信息安全科技股份有限公司（以下简称“绿盟科技”）携手硅谷知名容器安全公司 NeuVector，联合发布 2018绿盟科技容器安全技术报告。本报告主要包括五个章节。第一章，分别从容器和虚拟化技术的对比、容器技术的发展历史、容器安全问题等几个方面，对全文进行简要概述。第二章，主要介绍了容器的基本技术原理。包括容器镜像、容器的存储、容器以及容器集群的网络、容器的管理编排平台、容器的应用等几个方面。第三章，分别从容器的软件实现、 API 设计、容器镜像、容器应用等几个方面，具体阐述了容器以及容器运行环境存在的安全威胁。第四章，针对前述的安全威胁，本章从 Linux 内核安全机制、容器主机安全、容器镜像安全、容器网络安全以及容器运行时安全等几个方面，详细分析介绍了相应的威胁检测以及安全防护方法。第五章，主要介绍了一些容器安全的工具和产品，包括 Clair、Grafeas 等开源插件工具，以及 NeuVector 和 StackRox 等商业公司标准产品。本报告在编写过程中参考了大量资料，吸取了多方的宝贵意见和建议，在此深表感谢。报告的编写和发布得到了相关单位的大力支持，我们在此表示衷心的感谢！欢迎广大读者批评、指正。2018 绿盟科技容器安全技术报告绿盟科技官方微信010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101012018 绿盟科技容器安全技术报告绿盟科技官方微信22018 绿盟科技容器安全技术报告2018 绿盟科技容器安全技术报告1. 概述1.1 容器与虚拟化 ········································································ 31.2 容器发展历程 ········································································ 41.3 容器安全 ················································································ 52018 绿盟科技容器安全技术报告绿盟科技官方微信010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101012018 绿盟科技容器安全技术报告绿盟科技官方微信32018 绿盟科技容器安全技术报告绿盟科技官方微信近年来，云计算的模式逐渐被业界认可和接受。在国内，包括政府、金融、运营商、能源等众多行业，以及中小企业，均将其业务进行不同程度的云化。但简单地将主机、平台或应用转为虚拟化形态，并不能解决传统应用的升级缓慢、架构臃肿、无法快速迭代等问题，于是云原生（Cloud Native）的概念应运而生。云原生提倡应用的敏捷、可靠、高弹性、易扩展以及持续的更新。在云原生应用和服务平台构建过程中，近年兴起的容器技术凭借其弹性敏捷的特性和活跃强大的社区支持，成为了云原生等应用场景下的重要支撑技术。本章主要介绍容器技术和容器安全的基础概念。1.1 容器与虚拟化虚拟化（Virtualization ）和容器（ Container）都是系统虚拟化的实现技术，可实现系统资源的“一虚多”共享。容器技术是一种“轻量”的虚拟化方式，此处的“轻量”主要是相比于虚拟化技术而言的。例如，虚拟化通常在Hypervisor层实现对硬件资源的虚拟化， Hypervisor为虚拟机提供了虚拟的运行平台，管理虚拟机的操作系统运行，每个虚拟机都有自己的操作系统、系统库以及应用。而容器并没有 Hypervisor 层，每个容器是和主机 共享硬件资源及操作系统1。容器技术在操作系统层面实现了对计算机系统资源的虚拟化，在操作系统中，通过对 CPU、内存和文件系统等资源的隔离、划分和控制，实现进程之间透明的资源使用。图 1.1 展示了虚拟机和容器在实现架构上的区别。图 1.1