Azure 容器实例的安全注意事项Security considerations for Azure Container Instances

本文介绍使用 Azure 容器实例运行容器应用时的安全注意事项。This article introduces security considerations for using Azure Container Instances to run container apps. 主题包括:Topics include:

  • 有关管理 Azure 容器实例的映像和机密的安全建议Security recommendations for managing images and secrets for Azure Container Instances
  • 任何容器平台在整个容器生命周期内的容器生态系统注意事项Considerations for the container ecosystem throughout the container lifecycle, for any container platform

有关可帮助你改善部署安全态势的综合建议,请参阅容器实例的 Azure 安全基线For comprehensive recommendations that will help you improve the security posture of your deployment, see the Azure security baseline for Container Instances.

Azure 容器实例的安全建议Security recommendations for Azure Container Instances

使用专用注册表Use a private registry

容器是基于一个或多个存储库中存储的映像构建的。Containers are built from images that are stored in one or more repositories. 这些存储库可以属于公共注册表(例如 Docker Hub),也可以属于专用注册表。These repositories can belong to a public registry, like Docker Hub, or to a private registry. Docker 受信任注册表是专用注册表的例子,它可以安装在本地或者安装在虚拟私有云中。An example of a private registry is the Docker Trusted Registry, which can be installed on-premises or in a virtual private cloud. 还可以使用基于云的专用容器注册表服务,包括 Azure 容器注册表You can also use cloud-based private container registry services, including Azure Container Registry.

公用的容器映像不保证安全性。A publicly available container image does not guarantee security. 容器映像包括多个软件层,每个软件层可能有漏洞。Container images consist of multiple software layers, and each software layer might have vulnerabilities. 为帮助减少攻击风险,应在 Azure 容器注册表或 Docker 受信任注册表等专用注册表中存储和检索映像To help reduce the threat of attacks, you should store and retrieve images from a private registry, such as Azure Container Registry or Docker Trusted Registry. 除了提供托管的专用注册表以外,Azure 容器注册表还支持通过 Azure Active Directory 使用基于服务主体的身份验证执行基本身份验证流。In addition to providing a managed private registry, Azure Container Registry supports service principal-based authentication through Azure Active Directory for basic authentication flows. 此身份验证包括使用只读(提取)、写入(推送)和其他权限进行的基于角色的访问。This authentication includes role-based access for read-only (pull), write (push), and other permissions.

监视和扫描容器映像Monitor and scan container images

利用解决方案来扫描专用注册表中的容器映像并识别潜在漏洞。Take advantage of solutions to scan container images in a private registry and identify potential vulnerabilities. 必须了解不同解决方案提供的威胁检测深度。It's important to understand the depth of threat detection that the different solutions provide.

例如,Azure 容器注册表可以选择与 Azure 安全中心集成,以便自动扫描已推送到注册表的所有 Linux 映像。For example, Azure Container Registry optionally integrates with Azure Security Center to automatically scan all Linux images pushed to a registry. Azure 安全中心的集成 Qualys 扫描程序可以检测映像漏洞、对其进行分类,并提供修正指导。Azure Security Center's integrated Qualys scanner detects image vulnerabilities, classifies them, and provides remediation guidance.

保护凭据Protect credentials

容器可能分散在多个群集和 Azure 区域之间。Containers can spread across several clusters and Azure regions. 因此,必须保护登录或 API 访问所需的凭据,例如密码或令牌。So, you must secure credentials required for logins or API access, such as passwords or tokens. 确保只有特权用户能够在传输中和静态状态下访问这些容器。Ensure that only privileged users can access those containers in transit and at rest. 清点所有凭据机密,并要求开发人员使用专为容器平台设计的新兴机密管理工具。Inventory all credential secrets, and then require developers to use emerging secrets-management tools that are designed for container platforms. 确保解决方案包含加密的数据库、针对传输中机密数据的 TLS 加密,以及最低特权的基于角色的访问控制Make sure that your solution includes encrypted databases, TLS encryption for secrets data in transit, and least-privilege role-based access control. Azure Key Vault 是一种云服务,用于保护容器化应用程序的加密密钥和机密(例如证书、连接字符串和密码)。Azure Key Vault is a cloud service that safeguards encryption keys and secrets (such as certificates, connection strings, and passwords) for containerized applications. 由于这些数据极其机密且对企业至关重要,因此请保护对 Key Vault 的访问,以便只有经过授权的应用程序和用户才能访问它们。Because this data is sensitive and business critical, secure access to your key vaults so that only authorized applications and users can access them.

容器生态系统的注意事项Considerations for the container ecosystem

妥善实施并有效管理以下安全措施有助于保护容器生态系统的安全。The following security measures, implemented well and managed effectively, can help you secure and protect your container ecosystem. 从开发到生产部署的整个容器生命周期内,这些措施都适用于一系列容器业务流程协调程序、主机和平台。These measures apply throughout the container lifecycle, from development through production deployment, and to a range of container orchestrators, hosts, and platforms.

在容器开发生命周期中使用漏洞管理Use vulnerability management as part of your container development lifecycle

在整个容器开发生命周期内使用有效的漏洞管理,可以改善识别到的不利情况,并解决安全隐忧,避免更严重的问题发生。By using effective vulnerability management throughout the container development lifecycle, you improve the odds that you identify and resolve security concerns before they become a more serious problem.

扫描漏洞Scan for vulnerabilities

随时都可能会发现新的漏洞,因此,扫描和识别漏洞是一个持续的过程。New vulnerabilities are discovered all the time, so scanning for and identifying vulnerabilities is a continuous process. 在整个容器生命周期内整合漏洞扫描功能:Incorporate vulnerability scanning throughout the container lifecycle:

  • 在将映像推送到公共或专用注册表之前,作为开发管道中的最后一项检查,应该对容器执行漏洞扫描。As a final check in your development pipeline, you should perform a vulnerability scan on containers before pushing the images to a public or private registry.
  • 持续扫描注册表中的容器映像,以识别在开发过程中疏忽掉的任何缺陷,并解决容器映像使用的代码中可能存在的任何新发现的漏洞。Continue to scan container images in the registry both to identify any flaws that were somehow missed during development and to address any newly discovered vulnerabilities that might exist in the code used in the container images.

将映像漏洞映射到正在运行的容器Map image vulnerabilities to running containers

需通过某种方式,将容器映像中识别到的漏洞映射到正在运行的容器,以便可以缓解或解决安全问题。You need to have a means of mapping vulnerabilities identified in container images to running containers, so security issues can be mitigated or resolved.

确保在环境中仅使用已批准的映像Ensure that only approved images are used in your environment

容器生态系统允许足够的改动和波动幅度,同时不允许未知的容器。There's enough change and volatility in a container ecosystem without allowing unknown containers as well. 仅允许已批准的容器映像。Allow only approved container images. 部署用于监视和阻止使用未经批准的容器映像的工具与流程。Have tools and processes in place to monitor for and prevent the use of unapproved container images.

减小受攻击面并防止开发人员出现严重安全错误的有效方式是控制容器映像流入开发环境An effective way of reducing the attack surface and preventing developers from making critical security mistakes is to control the flow of container images into your development environment. 例如,可以批准将单个 Linux 分发版用作基础映像,最好是精简的映像(Alpine 或 CoreOS,而不是 Ubuntu),以最大程度地减少潜在受攻击面。For example, you might sanction a single Linux distribution as a base image, preferably one that is lean (Alpine or CoreOS rather than Ubuntu), to minimize the surface for potential attacks.

映像签名或指纹可提供监护链,使你能够验证容器的完整性。Image signing or fingerprinting can provide a chain of custody that enables you to verify the integrity of the containers. 例如,Azure 容器注册表支持 Docker 的内容信任模型,使映像发布者能够为推送到注册表的映像签名,并使映像使用者仅提取已签名的映像。For example, Azure Container Registry supports Docker's content trust model, which allows image publishers to sign images that are pushed to a registry, and image consumers to pull only signed images.

仅允许已批准的注册表Permit only approved registries

确保环境仅使用已批准的映像的一种延伸做法是仅允许使用已批准的容器注册表。An extension of ensuring that your environment uses only approved images is to permit only the use of approved container registries. 要求使用已批准的容器注册表可以通过限制引入未知漏洞或安全问题的可能性,来减少风险因素。Requiring the use of approved container registries reduces your exposure to risk by limiting the potential for the introduction of unknown vulnerabilities or security issues.

确保整个生命周期内的映像完整性Ensure the integrity of images throughout the lifecycle

管理整个容器生命周期内的安全性的一部分工作是确保注册表中的容器映像在发生更改或部署到生产环境时的完整性。Part of managing security throughout the container lifecycle is to ensure the integrity of the container images in the registry and as they are altered or deployed into production.

  • 不应该允许在生产环境中运行包含漏洞的映像(即使是轻微的漏洞)。Images with vulnerabilities, even minor, should not be allowed to run in a production environment. 最好是将生产环境中部署的所有映像保存在只有少数人可以访问的专用注册表中。Ideally, all images deployed in production should be saved in a private registry accessible to a select few. 保存少量的生产映像,确保能够有效地对其进行管理。Keep the number of production images small to ensure that they can be managed effectively.

  • 由于公用容器映像中软件的来源很难查明,因此,请从源构建映像,确保能够识别层的来源。Because it's hard to pinpoint the origin of software from a publicly available container image, build images from the source to ensure knowledge of the origin of the layer. 自制容器映像中出现漏洞时,客户可以更快地找到解决途径。When a vulnerability surfaces in a self-built container image, customers can find a quicker path to a resolution. 使用公共映像时,客户需要找到公共映像的根才能修复漏洞,或者需要从发布者获取另一个安全映像。With a public image, customers would need to find the root of a public image to fix it or get another secure image from the publisher.

  • 在生产环境中部署的、经过全面扫描的映像并不能保证在应用程序的生存期内保持最新状态。A thoroughly scanned image deployed in production is not guaranteed to be up-to-date for the lifetime of the application. 系统可能会针对映像的层报告以前并不知道的或者在生产部署后才引入的安全漏洞。Security vulnerabilities might be reported for layers of the image that were not previously known or were introduced after the production deployment.

    定期审核生产环境中部署的映像,以识别过时的映像或有一段时间未更新的映像。Periodically audit images deployed in production to identify images that are out of date or have not been updated in a while. 可以使用蓝绿部署方法和滚动升级机制来更新容器映像,这不会造成停机。You might use blue-green deployment methodologies and rolling upgrade mechanisms to update container images without downtime. 可以使用上一部分所述的工具来扫描映像。You can scan images by using tools described in the preceding section.

  • 使用集成了安全扫描的持续集成 (CI) 管道生成安全映像并将其推送到专用注册表。Use a continuous integration (CI) pipeline with integrated security scanning to build secure images and push them to your private registry. CI 解决方案中内置的漏洞扫描可确保将通过所有测试的映像推送到从中部署了生产工作负荷的专用注册表中。The vulnerability scanning built into the CI solution ensures that images that pass all the tests are pushed to the private registry from which production workloads are deployed.

    CI 管道故障可确保不会将有漏洞的映像推送到用于生产工作负荷部署的专用注册表中。A CI pipeline failure ensures that vulnerable images are not pushed to the private registry that's used for production workload deployments. 如果存在大量的映像,CI 管道还会自动执行映像安全扫描。It also automates image security scanning if there's a significant number of images. 相比之下,在映像中手动审核安全漏洞的过程可能相当繁琐且容易出错。Otherwise, manually auditing images for security vulnerabilities can be painstakingly lengthy and error prone.

在运行时中强制实施最低特权Enforce least privileges in runtime

最低特权的概念是一种基本的安全最佳做法,也适用于容器。The concept of least privileges is a basic security best practice that also applies to containers. 当某个漏洞遭到利用时,它为攻击者提供的访问权限和特权相当于攻击者在遭到入侵的应用程序或进程中获得的权限。When a vulnerability is exploited, it generally gives the attacker access and privileges equal to those of the compromised application or process. 确保容器使用完成工作所需的最低特权和访问权限运行可以减少风险因素。Ensuring that containers operate with the lowest privileges and access required to get the job done reduces your exposure to risk.

通过删除不需要的特权来减小容器的受攻击面Reduce the container attack surface by removing unneeded privileges

还可以通过从容器运行时中删除任何不使用或不必要的进程或特权,来最大程度地减小潜在受攻击面。You can also minimize the potential attack surface by removing any unused or unnecessary processes or privileges from the container runtime. 特权容器以 root 身份运行。Privileged containers run as root. 如果恶意用户或工作负荷侵入某个特权容器,则该容器就会在该系统上以 root 身份运行。If a malicious user or workload escapes in a privileged container, the container will then run as root on that system.

预先批准允许容器访问或运行的文件和可执行文件Preapprove files and executables that the container is allowed to access or run

减少可变因素或未知因素的数量有助于维持稳定可靠的环境。Reducing the number of variables or unknowns helps you maintain a stable, reliable environment. 限制容器以使其只能访问或运行已预先批准的或已加入安全列表的文件和可执行文件,是限制风险因素的已证实方法。Limiting containers so they can access or run only preapproved or safelisted files and executables is a proven method of limiting exposure to risk.

管理从一开始就实施的安全列表要容易得多。It's a lot easier to manage a safelist when it's implemented from the beginning. 安全列表提供控制措施和管理功能,因为你知道正常运行应用程序需要哪些文件和可执行文件。A safelist provides a measure of control and manageability as you learn what files and executables are required for the application to function correctly.

安全列表不仅可以减小受攻击面,而且还能提供异常状况的基线,并防止出现“干扰邻居”和容器入侵情形的用例。A safelist not only reduces the attack surface but can also provide a baseline for anomalies and prevent the use cases of the "noisy neighbor" and container breakout scenarios.

在运行的容器中强制网络分段Enforce network segmentation on running containers

为了防范一个子网中的容器在另一个子网中遇到安全风险,请在运行的容器之间保持网络分段(或 nano 分段)或隔离。To help protect containers in one subnet from security risks in another subnet, maintain network segmentation (or nano-segmentation) or segregation between running containers. 若要在需要满足合规要求的行业中使用容器,可能还需要保持网络分段。Maintaining network segmentation may also be necessary to use containers in industries that are required to meet compliance mandates.

监视容器活动和用户访问Monitor container activity and user access

与使用任何 IT 环境时一样,应始终如一地监视容器生态系统中的活动和用户访问,以快速识别任何可疑或恶意活动。As with any IT environment, you should consistently monitor activity and user access to your container ecosystem to quickly identify any suspicious or malicious activity. Azure 提供容器监视解决方案,包括:Azure provides container monitoring solutions including:

  • 用于容器的 Azure Monitor 监视托管在 Azure Kubernetes 服务 (AKS) 上的 Kubernetes 环境中部署的工作负荷的性能。Azure Monitor for containers monitors the performance of your workloads deployed to Kubernetes environments hosted on Azure Kubernetes Service (AKS). 用于容器的 Azure Monitor 通过 Metrics API 从 Kubernetes 中提供的控制器、节点和容器收集内存和处理器指标,来提供性能可见性。Azure Monitor for containers gives you performance visibility by collecting memory and processor metrics from controllers, nodes, and containers that are available in Kubernetes through the Metrics API.

  • Azure 容器监视解决方案可帮助你在单个位置查看和管理其他 Docker 与 Windows 容器主机。The Azure Container Monitoring solution helps you view and manage other Docker and Windows container hosts in a single location. 例如:For example:

    • 查看详细审核信息,其中显示了与容器一起使用的命令。View detailed audit information that shows commands used with containers.
    • 通过查看和搜索集中式日志来排查容器问题,而无需远程查看 Docker 或 Windows 主机。Troubleshoot containers by viewing and searching centralized logs without having to remotely view Docker or Windows hosts.
    • 在主机上查找可能具有干扰性并且占用过多资源的容器。Find containers that may be noisy and consume excess resources on a host.
    • 查看容器的集中式 CPU、内存、存储器、网络使用情况和性能信息。View centralized CPU, memory, storage, and network usage and performance information for containers.

    该解决方案支持容器业务流程协调程序,包括 Docker Swarm、DC/OS、非托管 Kubernetes、Service Fabric 和 Red Hat OpenShift。The solution supports container orchestrators including Docker Swarm, DC/OS, unmanaged Kubernetes, Service Fabric, and Red Hat OpenShift.

监视容器资源活动Monitor container resource activity

监视资源活动,例如,容器访问的文件、网络和其他资源。Monitor your resource activity, like files, network, and other resources that your containers access. 监视资源活动和消耗量对于性能监视非常有用,可用作一种安全措施。Monitoring resource activity and consumption is useful both for performance monitoring and as a security measure.

使用 Azure Monitor 可收集指标、活动日志和诊断日志,为 Azure 服务启用核心监视。Azure Monitor enables core monitoring for Azure services by allowing the collection of metrics, activity logs, and diagnostic logs. 例如,可以通过活动日志了解新资源的创建或修改时间。For example, the activity log tells you when new resources are created or modified.

可通过指标获取不同资源(甚至包括虚拟机中的操作系统)的性能统计信息。Metrics are available that provide performance statistics for different resources and even the operating system inside a virtual machine. 可以使用 Azure 门户中的某个资源管理器查看此数据,还可以基于这些指标创建警报。You can view this data with one of the explorers in the Azure portal and create alerts based on these metrics. Azure Monitor 提供最快的指标管道(5 分钟乃至 1 分钟),因此应将其用于时间关键型警报和通知。Azure Monitor provides the fastest metrics pipeline (5 minutes down to 1 minute), so you should use it for time-critical alerts and notifications.

记录所有容器管理用户访问以用于审核Log all container administrative user access for auditing

维护对容器生态系统(包括 Kubernetes 群集)、容器注册表和容器映像的管理访问的准确审核线索。Maintain an accurate audit trail of administrative access to your container ecosystem, including your Kubernetes cluster, container registry, and container images. 这些日志在审核时可能需要用到,在发生任何安全事件后可用作法庭证据。These logs might be necessary for auditing purposes and will be useful as forensic evidence after any security incident. Azure 解决方案包括:Azure solutions include:

后续步骤Next steps