{"id":261028,"date":"2023-01-18T09:00:16","date_gmt":"2023-01-18T01:00:16","guid":{"rendered":"https:\/\/lrxjmw.cn\/?p=261028"},"modified":"2023-01-07T22:30:38","modified_gmt":"2023-01-07T14:30:38","slug":"vesta-docker-kubernetes","status":"publish","type":"post","link":"https:\/\/lrxjmw.cn\/vesta-docker-kubernetes.html","title":{"rendered":"Cloud-native baseline security check tool Vesta v1.0.2 released!"},"content":{"rendered":"\n\n\n
Introduction<\/td>\nVesta is a practical, convenient image scanner and Docker and Kubernetes baseline security check tool. It aims to catch the potential security problems that arise from Docker or Kubernetes misconfigurations.<\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

The changes in Vesta v1.0.2 are as follows:<\/p>\n

New features<\/strong><\/div>\n
    \n
  • Added detection of vulnerable cilium versions<\/li>\n
  • Added checks for the kubelet read-only-port parameter and for misuse of kubectl proxy<\/li>\n
  • Added etcd security configuration checks<\/li>\n
  • Added RoleBinding security configuration checks<\/li>\n
  • Image scanning now detects Go binaries<\/li>\n<\/ul>\n
    Improvements<\/strong><\/div>\n
      \n
    • Optimized how image layers are merged, so image scanning is faster<\/li>\n<\/ul>\n
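The RoleBinding check added in this release, like most entries in the table of supported checks further down (privileged mode, capabilities, the auto-mounted ServiceAccount token), is a lookup over a Kubernetes object: decode it, test a few fields, emit a finding with a severity. The Go program below is an added example and not Vesta's own code; it runs checks of that kind over constructed Pod and ClusterRoleBinding objects and shows a hardened Pod that passes. The struct subsets, the list of dangerous capabilities, the list of over-broad RBAC subjects, the check names and the severities are all assumptions modelled on the table, not Vesta's implementation, and the sample objects are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Finding is one misconfiguration; check names and severities follow Vesta's check table.
type Finding struct{ Check, Severity, Detail string }

// Hand-written subsets of the Kubernetes objects (not the k8s.io/api types).
// encoding/json matches field names case-insensitively, so no struct tags are needed.
type Container struct {
	Name            string
	SecurityContext struct {
		Privileged   bool
		Capabilities struct{ Add []string }
	}
}
type Pod struct {
	Metadata struct{ Name, Namespace string }
	Spec     struct {
		AutomountServiceAccountToken *bool // nil means the default, which is true
		Containers                   []Container
	}
}
type RoleBinding struct { // RoleBinding or ClusterRoleBinding
	Kind     string
	Metadata struct{ Name string }
	RoleRef  struct{ Kind, Name string }
	Subjects []struct{ Kind, Name string }
}

// Assumed lists (not Vesta's own): capabilities that give a container a path to the host,
// and RBAC subjects that should never receive broad roles.
var dangerousCaps = map[string]bool{"ALL": true, "SYS_ADMIN": true, "SYS_PTRACE": true, "SYS_MODULE": true, "NET_ADMIN": true, "DAC_READ_SEARCH": true}
var broadSubjects = map[string]string{"Group/system:unauthenticated": "high", "Group/system:authenticated": "high", "User/system:anonymous": "high", "ServiceAccount/default": "medium"}

// CheckPod covers PrivilegeAllowed, Capabilities and AutoMountServiceAccountToken for one Pod.
func CheckPod(p Pod) (out []Finding) {
	id := p.Metadata.Namespace + "/" + p.Metadata.Name
	for _, c := range p.Spec.Containers {
		if c.SecurityContext.Privileged {
			out = append(out, Finding{"PrivilegeAllowed", "critical", id + "/" + c.Name + " runs privileged"})
		}
		for _, name := range c.SecurityContext.Capabilities.Add {
			if dangerousCaps[strings.TrimPrefix(strings.ToUpper(name), "CAP_")] {
				out = append(out, Finding{"Capabilities", "critical", id + "/" + c.Name + " adds " + name})
			}
		}
	}
	// The token is mounted unless the Pod opts out (the ServiceAccount can also opt out; not modelled here).
	if a := p.Spec.AutomountServiceAccountToken; a == nil || *a {
		out = append(out, Finding{"AutoMountServiceAccountToken", "low", id + " mounts the ServiceAccount token"})
	}
	return out
}

// CheckRoleBinding flags roles granted to anonymous, to every authenticated principal or to the
// default ServiceAccount; a cluster-admin reference makes the finding high whatever the subject.
func CheckRoleBinding(rb RoleBinding) (out []Finding) {
	for _, s := range rb.Subjects {
		if sev, ok := broadSubjects[s.Kind+"/"+s.Name]; ok {
			if rb.RoleRef.Name == "cluster-admin" {
				sev = "high"
			}
			out = append(out, Finding{"RBAC", sev, fmt.Sprintf("%s %s grants %s %s to %s %s", rb.Kind, rb.Metadata.Name, rb.RoleRef.Kind, rb.RoleRef.Name, s.Kind, s.Name)})
		}
	}
	return out
}

// Constructed sample objects for this example; they are not taken from any real cluster.
const (
	badPod     = `{"metadata":{"name":"debug","namespace":"default"},"spec":{"containers":[{"name":"shell","image":"busybox","securityContext":{"privileged":true,"capabilities":{"add":["SYS_ADMIN"]}}}]}}`
	goodPod    = `{"metadata":{"name":"web","namespace":"prod"},"spec":{"automountServiceAccountToken":false,"containers":[{"name":"app","image":"nginx","securityContext":{"capabilities":{"drop":["ALL"]}},"resources":{"limits":{"cpu":"500m","memory":"256Mi"}}}]}}`
	badBinding = `{"kind":"ClusterRoleBinding","metadata":{"name":"everyone-admin"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"Group","name":"system:unauthenticated"}]}`
)

// ScanSamples decodes the samples (a decode error is a bug in a constant, hence panic) and
// returns every finding in order: the bad Pod's, then the good Pod's (none), then the binding's.
func ScanSamples() (out []Finding) {
	bad, good, rb := Pod{}, Pod{}, RoleBinding{}
	for raw, dst := range map[string]interface{}{badPod: &bad, goodPod: &good, badBinding: &rb} {
		if err := json.Unmarshal([]byte(raw), dst); err != nil {
			panic(err)
		}
	}
	out = append(out, CheckPod(bad)...)
	out = append(out, CheckPod(good)...)
	return append(out, CheckRoleBinding(rb)...)
}

func main() {
	for _, f := range ScanSamples() {
		fmt.Printf("[%-8s] %-28s %s\n", f.Severity, f.Check, f.Detail)
	}
}
```

The bad Pod yields three findings (privileged, SYS_ADMIN, token auto-mount) and the hardened Pod none; the binding is reported as high because it hands cluster-admin to system:unauthenticated. The same shape extends to the other table entries and to the new kubelet read-only-port check (a non-zero readOnlyPort in KubeletConfiguration): add a struct subset for the object and a function that returns findings.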

      The Kubernetes security configuration checks that Vesta currently supports are listed below:<\/p>\n

       <\/p>\n
      Supported<\/th>\nCheck Item<\/th>\nDescription<\/th>\nSeverity<\/th>\n<\/tr>\n<\/thead>\n
      \u221a<\/td>\nPrivilegeAllowed<\/td>\nContainer runs in dangerous privileged mode<\/td>\ncritical<\/td>\n<\/tr>\n
      \u221a<\/td>\nCapabilities<\/td>\nDangerous capabilities are set<\/td>\ncritical<\/td>\n<\/tr>\n
      \u221a<\/td>\nPV and PVC<\/td>\nA PV is mounted on a sensitive directory and its status is active<\/td>\ncritical\/medium<\/td>\n<\/tr>\n
      \u221a<\/td>\nRBAC<\/td>\nK8s permissions contain dangerous configurations<\/td>\nhigh\/medium<\/td>\n<\/tr>\n
      \u221a<\/td>\nKubernetes-dashboard<\/td>\nChecks --enable-skip-login and the permissions of the dashboard account<\/td>\ncritical\/high\/low<\/td>\n<\/tr>\n
      \u221a<\/td>\nKernel version (k8s version below v1.24)<\/td>\nThe current kernel version has container-escape vulnerabilities<\/td>\ncritical<\/td>\n<\/tr>\n
      \u221a<\/td>\nDocker Server version (k8s version below v1.24)<\/td>\nThe Docker Server version has known vulnerabilities<\/td>\ncritical\/high\/medium\/low<\/td>\n<\/tr>\n
      \u221a<\/td>\nKubernetes certificate expiration<\/td>\nA certificate expires in less than 30 days<\/td>\nmedium<\/td>\n<\/tr>\n
      \u221a<\/td>\nConfigMap and Secret check<\/td>\nWhether a ConfigMap or Secret contains a weak password<\/td>\nhigh\/medium<\/td>\n<\/tr>\n
      \u221a<\/td>\nAuto Mount ServiceAccount Token<\/td>\nPods mount \/var\/run\/secrets\/kubernetes.io\/serviceaccount\/token by default.<\/td>\nlow<\/td>\n<\/tr>\n
      \u221a<\/td>\nNoResourceLimits<\/td>\nNo limits on resource usage, e.g. CPU, memory, storage<\/td>\nlow<\/td>\n<\/tr>\n
      \u221a<\/td>\nJob and Cronjob<\/td>\nA Job or CronJob has no seccomp or SELinux security policy set<\/td>\nlow<\/td>\n<\/tr>\n
      \u221a<\/td>\nEnvoy admin<\/td>\nThe Envoy admin interface is configured and listens on 0.0.0.0.<\/td>\nhigh\/medium<\/td>\n<\/tr>\n
      \u221a<\/td>\nCVE-2022-29179<\/td>\nChecks whether CVE-2022-29179 is present<\/td>\nhigh<\/td>\n<\/tr>\n
      \u221a<\/td>\nKubelet 10255 and Kubectl proxy<\/td>\nPort 10255 is open or kubectl proxy is running<\/td>\nhigh\/medium\/low<\/td>\n<\/tr>\n
      \u221a<\/td>\nEtcd configuration<\/td>\nEtcd security configuration check<\/td>\nhigh\/medium<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"

      The changes in Vesta v1.0.2 are as follows: Added detection of vulnerable cilium versions Added kubelet read-o […]<\/p>\n","protected":false},"author":323,"featured_media":247266,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[21],"tags":[],"class_list":["post-261028","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"acf":[],"_links":{"self":[{"href":"https:\/\/lrxjmw.cn\/wp-json\/wp\/v2\/posts\/261028","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lrxjmw.cn\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lrxjmw.cn\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lrxjmw.cn\/wp-json\/wp\/v2\/users\/323"}],"replies":[{"embeddable":true,"href":"https:\/\/lrxjmw.cn\/wp-json\/wp\/v2\/comments?post=261028"}],"version-history":[{"count":2,"href":"https:\/\/lrxjmw.cn\/wp-json\/wp\/v2\/posts\/261028\/revisions"}],"predecessor-version":[{"id":261198,"href":"https:\/\/lrxjmw.cn\/wp-json\/wp\/v2\/posts\/261028\/revisions\/261198"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lrxjmw.cn\/wp-json\/wp\/v2\/media\/247266"}],"wp:attachment":[{"href":"https:\/\/lrxjmw.cn\/wp-json\/wp\/v2\/media?parent=261028"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lrxjmw.cn\/wp-json\/wp\/v2\/categories?post=261028"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lrxjmw.cn\/wp-json\/wp\/v2\/tags?post=261028"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}