Container security in Security Center

Azure Security Center is the Azure-native solution for securing your containers.

Security Center can protect the following container resource types:

Resource type: Kubernetes service (Azure Kubernetes Service (AKS) clusters)
Protections offered by Security Center:
  • Continuous assessment of your AKS clusters' configurations to provide visibility into misconfigurations, and guidelines to help you resolve any discovered issues. Learn more about environment hardening through security recommendations.
  • Threat protection for AKS clusters and Linux nodes. Alerts for suspicious activities are provided by the optional Azure Defender for Kubernetes. Learn more about run-time protection for AKS nodes and clusters.

Resource type: Container host (container hosts, that is, VMs running Docker)
Protections offered by Security Center:
  • Continuous assessment of your Docker configurations to provide visibility into misconfigurations, and guidelines to help you resolve any discovered issues, with the optional Azure Defender for servers. Learn more about environment hardening through security recommendations.

Resource type: Container registry (Azure Container Registry (ACR) registries)
Protections offered by Security Center:
  • Vulnerability assessment and management tools for the images in your Azure Resource Manager-based ACR registries, with the optional Azure Defender for container registries. Learn more about scanning your container images for vulnerabilities.

This article describes how you can use Security Center, together with the optional Azure Defender plans for container registries, servers, and Kubernetes, to improve, monitor, and maintain the security of your containers and their apps.

You'll learn how Security Center helps with these core aspects of container security:

  • Vulnerability management - scanning container images
  • Environment hardening
  • Run-time protection for AKS nodes and clusters

The following screenshot shows the asset inventory page and the various container resource types protected by Security Center.

Screenshot: container-related resources in Security Center's asset inventory page

Vulnerability management - scanning container images

To monitor images in your Azure Resource Manager-based Azure container registries, enable Azure Defender for container registries. Security Center scans any image that was pushed to your registry, imported, or pulled within the last 30 days. The integrated scanner is provided by the vulnerability scanning vendor Qualys.

When issues are found, by Qualys or by Security Center, you're notified in the Azure Defender dashboard. For every vulnerability, Security Center provides actionable recommendations, along with a severity classification and guidance on how to remediate the issue. For details of Security Center's recommendations for containers, see the reference list of recommendations.

Security Center filters and classifies the findings from the scanner. When an image is healthy, Security Center marks it as such. Security Center generates security recommendations only for images that have issues to be resolved. By notifying only when there are problems, Security Center reduces the potential for unwanted informational alerts.

Environment hardening

Continuous monitoring of your Docker configuration

Azure Security Center identifies unmanaged containers hosted on IaaS Linux VMs, or on other Linux machines running Docker containers. Security Center continuously assesses the configurations of these containers and compares them with the Center for Internet Security (CIS) Docker Benchmark.

Security Center includes the entire ruleset of the CIS Docker Benchmark and alerts you if your containers don't satisfy any of the controls. When it finds misconfigurations, Security Center generates security recommendations. Use Security Center's recommendations page to view recommendations and remediate issues. The CIS benchmark checks don't run on AKS-managed instances or on Databricks-managed VMs.
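As an added example, not part of the original article and not Security Center's own checker, the following Python runs a handful of CIS Docker Benchmark container-runtime controls over the JSON that `docker inspect` emits. The control numbers follow CIS Docker Benchmark v1.2.0, section 5, and should be confirmed against the benchmark version you deploy; the two container records are constructed for the example.

```python
"""Added example: a few CIS Docker Benchmark container-runtime checks run over
`docker inspect` output.

Illustration code written for this article, not Security Center's own checker.
Control numbers follow CIS Docker Benchmark v1.2.0 section 5 (Container
Runtime); confirm them against the benchmark version you use. The input below
is constructed by hand and carries only the fields the checks read.
"""
import json
import sys

# Constructed sample in the shape of `docker inspect <id> [<id> ...]` output:
# one reasonably hardened container and one that breaks several controls.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web",
        "HostConfig": {
            "Privileged": False,
            "NetworkMode": "bridge",
            "ReadonlyRootfs": True,
            "SecurityOpt": ["no-new-privileges"],
        },
        "Mounts": [
            {"Type": "volume", "Source": "appdata", "Destination": "/data"},
        ],
    },
    {
        "Name": "/ci-runner",
        "HostConfig": {
            "Privileged": True,
            "NetworkMode": "host",
            "ReadonlyRootfs": False,
            "SecurityOpt": None,
        },
        "Mounts": [
            {"Type": "bind", "Source": "/var/run/docker.sock",
             "Destination": "/var/run/docker.sock"},
            {"Type": "bind", "Source": "/etc", "Destination": "/host-etc"},
        ],
    },
])

# Host directories the benchmark calls sensitive when bind-mounted (control 5.5).
SENSITIVE_HOST_DIRS = {"/", "/boot", "/dev", "/etc", "/lib", "/proc", "/sys", "/usr"}


def check_container(container):
    """Return [(control, finding), ...] for one `docker inspect` record."""
    hc = container.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append(("5.4", "container runs with --privileged"))
    if hc.get("NetworkMode") == "host":
        findings.append(("5.9", "container shares the host network namespace"))
    if not hc.get("ReadonlyRootfs"):
        findings.append(("5.12", "root filesystem is writable (no --read-only)"))
    # --security-opt no-new-privileges may be recorded with or without a value.
    nnp = any(opt.startswith("no-new-privileges") and not opt.endswith("false")
              for opt in (hc.get("SecurityOpt") or []))
    if not nnp:
        findings.append(("5.25", "process can gain privileges (no-new-privileges not set)"))
    for mount in container.get("Mounts") or []:
        if mount.get("Type") != "bind":
            continue  # named volumes are not host paths
        src = mount.get("Source", "")
        if src == "/var/run/docker.sock":
            findings.append(("5.31", "Docker socket is mounted inside the container"))
        elif (src if src == "/" else src.rstrip("/")) in SENSITIVE_HOST_DIRS:
            findings.append(("5.5", f"sensitive host directory {src} is bind-mounted"))
    return findings


def audit(inspect_json):
    """Run the checks over `docker inspect` JSON (a list of container records).

    Only containers with findings appear in the result, mirroring the
    report-only-what-needs-fixing behaviour described in the text.
    """
    report = {}
    for container in json.loads(inspect_json):
        findings = check_container(container)
        if findings:
            report[container["Name"].lstrip("/")] = findings
    return report


if __name__ == "__main__":
    # Pipe real output in (`docker inspect $(docker ps -q) | python3 cis_check.py`);
    # with no piped input the constructed sample is used.
    data = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    for name, findings in audit(data).items():
        print(name)
        for control, finding in findings:
            print(f"  CIS {control}: {finding}")
```

The mount check reads the `Mounts` array rather than `HostConfig.Binds` because the former is normalized by the daemon (the type, source and destination are separated), so a bind written as `-v /etc/:/host-etc:ro` is still caught.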

For details of the relevant Security Center recommendations that might appear for this feature, see the container section of the recommendations reference table.

When you're exploring the security issues of a VM, Security Center provides additional information about the containers on the machine, such as the Docker version and the number of images running on the host.

To monitor unmanaged containers hosted on IaaS Linux VMs, enable the optional Azure Defender for servers.

Continuous monitoring of your Kubernetes clusters

Security Center works together with Azure Kubernetes Service (AKS), Microsoft's managed container orchestration service for developing, deploying, and managing containerized applications.

AKS provides security controls and visibility into the security posture of your clusters. Security Center uses these features to:

  • Constantly monitor the configuration of your AKS clusters
  • Generate security recommendations aligned with industry standards

For details of the relevant Security Center recommendations that might appear for this feature, see the container section of the recommendations reference table.

Workload protection best practices using Kubernetes admission control

For a bundle of recommendations to protect the workloads of your Kubernetes containers, install the Azure Policy add-on for Kubernetes. You can also auto-deploy this add-on as explained in Enable auto provisioning of extensions. When auto provisioning for the add-on is set to "On", the extension is enabled by default in all existing and future clusters that meet the add-on's installation requirements.

The add-on extends the open-source Gatekeeper v3 admission controller webhook for Open Policy Agent. Kubernetes admission controllers are plugins that enforce how your clusters are used. The add-on registers as a webhook with Kubernetes admission control and makes it possible to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.

With the add-on on your AKS cluster, every request to the Kubernetes API server is evaluated against the predefined set of best practices before it is persisted to the cluster. You can then configure the add-on to enforce those best practices and mandate them for future workloads.

For example, you can mandate that privileged containers must not be created, and any future request to create one will be blocked.
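To show what a validating admission webhook actually receives and returns for that rule, here is an added example that is not the add-on's own code (the Azure Policy add-on expresses the rule as a Gatekeeper constraint, not as Python): the decision over an admission.k8s.io/v1 AdmissionReview for a Pod, denying any container that requests privileged mode. The Pod manifests and request UIDs are constructed, and `enforce=False` models the audit-first rollout described above, in which requests are evaluated and reported before enforcement is switched on.

```python
"""Added example of the admission-control decision described above.

A validating webhook receives an AdmissionReview (admission.k8s.io/v1) for a
Pod and rejects it when any container requests privileged mode. Illustration
code written for this article: the Azure Policy add-on implements the same rule
as a Gatekeeper constraint. The sample Pods and UIDs below are constructed.
"""
import json


def iter_containers(pod):
    """Yield every container in the Pod, including init and ephemeral ones."""
    spec = pod.get("spec") or {}
    for key in ("initContainers", "containers", "ephemeralContainers"):
        yield from spec.get(key) or []


def privileged_containers(pod):
    """Names of containers whose securityContext sets privileged: true."""
    return [c["name"] for c in iter_containers(pod)
            if (c.get("securityContext") or {}).get("privileged") is True]


def review_pod(review_json, enforce=True):
    """Return the AdmissionReview response for an incoming AdmissionReview.

    enforce=False models the audit-first rollout: the request is admitted but
    the violation is returned as a warning. enforce=True denies the request.
    """
    request = json.loads(review_json)["request"]
    response = {"uid": request["uid"], "allowed": True}
    is_pod = request.get("kind", {}).get("kind") == "Pod"
    if is_pod and request.get("operation") in ("CREATE", "UPDATE"):
        bad = privileged_containers(request.get("object") or {})
        if bad:
            detail = "privileged containers are not allowed: " + ", ".join(bad)
            if enforce:
                response["allowed"] = False
                response["status"] = {"code": 403, "message": detail}
            else:
                response["warnings"] = [detail]
    return {"apiVersion": "admission.k8s.io/v1",
            "kind": "AdmissionReview",
            "response": response}


def make_review(pod, uid, operation="CREATE"):
    """Wrap a Pod manifest in the AdmissionReview envelope the API server sends."""
    return json.dumps({
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {
            "uid": uid,
            "kind": {"group": "", "version": "v1", "kind": "Pod"},
            "resource": {"group": "", "version": "v1", "resource": "pods"},
            "namespace": pod.get("metadata", {}).get("namespace", "default"),
            "operation": operation,
            "object": pod,
        },
    })


# Constructed sample Pods: one compliant, one asking for a privileged sidecar.
SAFE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {"containers": [
        {"name": "web", "image": "nginx:1.25",
         "securityContext": {"allowPrivilegeEscalation": False}},
    ]},
}
PRIVILEGED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "node-tool", "namespace": "default"},
    "spec": {"containers": [
        {"name": "app", "image": "busybox:1.36"},
        {"name": "sidecar", "image": "busybox:1.36",
         "securityContext": {"privileged": True}},
    ]},
}
SAFE_REVIEW = make_review(SAFE_POD, "11111111-1111-1111-1111-111111111111")
PRIVILEGED_REVIEW = make_review(PRIVILEGED_POD, "22222222-2222-2222-2222-222222222222")


if __name__ == "__main__":
    for name, review in (("safe", SAFE_REVIEW), ("privileged", PRIVILEGED_REVIEW)):
        for mode in (False, True):
            out = review_pod(review, enforce=mode)["response"]
            print(name, "enforce" if mode else "audit", out)
```

Two details matter in practice: the response must echo the request `uid` or the API server discards it, and the check walks init and ephemeral containers as well as regular ones, since a privileged init container gives the same node access as a privileged main container.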

Run-time protection for AKS nodes and clusters

Security Center provides real-time threat protection for your containerized environments and generates alerts for suspicious activities. You can use this information to quickly remediate security issues and improve the security of your containers.

Security Center provides threat protection at different levels:

  • Host level (provided by Azure Defender for servers) - Using the same Log Analytics agent that Security Center uses on other VMs, Azure Defender monitors your Linux AKS nodes for suspicious activities such as web shell detection and connections to known suspicious IP addresses. The agent also runs container-specific analytics, such as detecting privileged container creation, suspicious access to the API server, and Secure Shell (SSH) servers running inside a Docker container.

    Important

    If you choose not to install the agent on your hosts, you'll receive only a subset of the threat protection benefits and security alerts. You'll still receive alerts related to network analysis and to communications with malicious servers.

    For a list of the AKS host-level alerts, see the reference table of alerts.

  • AKS cluster level (provided by Azure Defender for Kubernetes) - At the cluster level, threat protection is based on analyzing the Kubernetes audit logs. To enable this agentless monitoring, enable Azure Defender for Kubernetes. To generate alerts at this level, Security Center monitors your AKS-managed services using the logs retrieved by AKS. Examples of events detected at this level include exposed Kubernetes dashboards, creation of high-privileged roles, and the creation of sensitive mounts.

    Note

    Security Center generates security alerts for Azure Kubernetes Service actions and deployments that occur after the Kubernetes option is enabled in the subscription settings.

    For a list of the AKS cluster-level alerts, see the reference table of alerts.
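As an added example, not Azure Defender's own detection logic, the following Python runs three detections of the kinds listed for the cluster level over Kubernetes audit-log entries (audit.k8s.io/v1 Event objects, one JSON document per line): a ClusterRoleBinding that grants cluster-admin, a kubernetes-dashboard Service exposed as LoadBalancer or NodePort, and a pod mounting a sensitive hostPath. The log lines, username and path list are constructed for the example.

```python
"""Added example: cluster-level detections of the kind described above, run
over Kubernetes audit log entries (audit.k8s.io/v1 Event objects, one JSON
document per line).

Illustration code written for this article, not Azure Defender's logic. The
three rules cover the event types the text names: binding a high-privileged
role, exposing the Kubernetes dashboard, and creating a sensitive hostPath
mount. The log lines below are constructed.
"""
import json

HIGH_PRIVILEGED_ROLES = {"cluster-admin"}
# Host paths that hand a pod control of the node when mounted (constructed list).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/root", "/var/lib/kubelet",
                        "/var/run/docker.sock")


def is_sensitive_path(path):
    path = path if path == "/" else path.rstrip("/")
    return any(path == p or (p != "/" and path.startswith(p + "/"))
               for p in SENSITIVE_HOST_PATHS)


def detect(event):
    """Return alert strings for one audit event (empty list if benign)."""
    # Each request is logged at several stages; only the completed, successful
    # write changed cluster state, so the other stages are skipped to avoid
    # alerting twice, and failed requests (for example RBAC denials) are skipped.
    if event.get("stage") != "ResponseComplete":
        return []
    if not 200 <= (event.get("responseStatus") or {}).get("code", 0) < 300:
        return []
    # PATCH bodies are partial and would need merging with the stored object.
    if event.get("verb") not in ("create", "update"):
        return []

    ref = event.get("objectRef") or {}
    obj = event.get("requestObject") or {}
    user = (event.get("user") or {}).get("username", "unknown")
    alerts = []

    if ref.get("resource") == "clusterrolebindings":
        role = (obj.get("roleRef") or {}).get("name")
        if role in HIGH_PRIVILEGED_ROLES:
            subjects = ", ".join(f"{s.get('kind')}/{s.get('name')}"
                                 for s in obj.get("subjects") or [])
            alerts.append(f"high-privileged role: {user} bound {role} to {subjects}")

    elif ref.get("resource") == "services":
        svc_type = (obj.get("spec") or {}).get("type")
        dashboard = "kubernetes-dashboard" in (ref.get("namespace"), ref.get("name"))
        if dashboard and svc_type in ("LoadBalancer", "NodePort"):
            alerts.append(f"exposed dashboard: {user} exposed service "
                          f"{ref.get('namespace')}/{ref.get('name')} as {svc_type}")

    elif ref.get("resource") == "pods":
        pod_name = (obj.get("metadata") or {}).get("name")
        for volume in (obj.get("spec") or {}).get("volumes") or []:
            host_path = (volume.get("hostPath") or {}).get("path")
            if host_path and is_sensitive_path(host_path):
                alerts.append(f"sensitive mount: {user} created pod {pod_name} "
                              f"with hostPath {host_path}")
    return alerts


def scan(audit_log):
    """Run detect() over a newline-delimited JSON audit log and collect alerts."""
    alerts = []
    for line in audit_log.splitlines():
        if line.strip():
            alerts.extend(detect(json.loads(line)))
    return alerts


def _event(resource, name, obj, namespace=None, stage="ResponseComplete", code=201):
    """Build a constructed audit Event with just the fields detect() reads."""
    ref = {"resource": resource, "name": name}
    if namespace:
        ref["namespace"] = namespace
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage,
            "verb": "create", "user": {"username": "dev@example.com"},
            "objectRef": ref, "requestObject": obj, "responseStatus": {"code": code}}


# Constructed log: line 1 is the RequestReceived stage of the same request as
# line 2 (must not double-alert); the last line is a benign pod creation.
_CRB = {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
        "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]}
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _event("clusterrolebindings", "sa-admin", _CRB, stage="RequestReceived", code=0),
    _event("clusterrolebindings", "sa-admin", _CRB),
    _event("services", "kubernetes-dashboard", {"spec": {"type": "LoadBalancer"}},
           namespace="kubernetes-dashboard"),
    _event("pods", "node-shell", {"metadata": {"name": "node-shell"}, "spec": {
        "volumes": [{"name": "host", "hostPath": {"path": "/etc/"}}]}}, namespace="default"),
    _event("pods", "web", {"metadata": {"name": "web"}, "spec": {
        "volumes": [{"name": "tmp", "emptyDir": {}}]}}, namespace="default"),
])

if __name__ == "__main__":
    for alert in scan(SAMPLE_AUDIT_LOG):
        print(alert)
```

The `requestObject` field is only present when the cluster's audit policy logs at the Request or RequestResponse level for these resources; at the Metadata level the pod spec and role reference are absent and only the first two filters in `detect()` can run.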

In addition, our global team of security researchers constantly monitors the threat landscape and adds container-specific alerts and vulnerability detections as new threats are discovered.

Tip

You can simulate container alerts by following the instructions in this blog post.

Next steps

In this overview, you learned about the core elements of container security in Azure Security Center. For related material, see: