ACK security enhancement - Alibaba Cloud Developer Community


ACK security enhancement

Summary: A brief introduction to some security enhancements for ACK, including BYOK, AD/LDAP support, and integration with Vault and NeuVector.

BYOK

https://github.com/AliyunContainerService/ack-kms-plugin

This is the KMS provider plugin for Alibaba Cloud: it enables encryption at rest of Kubernetes Secrets, backed by Alibaba Cloud Key Management Service (KMS).

Here we verify secret encryption on an ACK cluster.

First, create an ACK cluster in the Alibaba Cloud Container Service console, adjust the apiserver configuration and install ack-kms-plugin:

image

Then create a test secret and use etcdctl to fetch it from etcd and confirm that the secret data is stored encrypted:

image

The secret data is still decrypted transparently when an authorized user reads it with kubectl:

image
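The etcdctl check above is shown only as a screenshot; the following added example (not part of the original post or of ack-kms-plugin) automates it. It inspects a raw etcd value and reports whether kube-apiserver stored it under an encryption-provider prefix, whether that provider is the one you configured, and whether a known secret value leaks into the blob. The sample values and the provider name "ack-kms-plugin" are constructed assumptions; read the real value with `etcdctl get --print-value-only /registry/secrets/<ns>/<name>`.

```python
import base64
import re

# kube-apiserver prefixes every value it encrypts at rest with
# "k8s:enc:<scheme>:v<N>:<provider-name>:"; KMS providers such as
# ack-kms-plugin use scheme "kms". Plaintext objects carry no such prefix.
ENC_PREFIX = re.compile(
    rb"^k8s:enc:(?P<scheme>kms|aescbc|aesgcm|secretbox):v(?P<version>\d+):(?P<name>[^:]+):"
)
PROTOBUF_MAGIC = b"k8s\x00"  # leading bytes of an unencrypted protobuf-serialised object


def inspect_etcd_value(raw: bytes, expected_provider: str = "", plaintext: bytes = b"") -> dict:
    """Classify one raw etcd value, e.g. the output of
    `etcdctl get --print-value-only /registry/secrets/<ns>/<name>`.
    `expected_provider` is the provider name from the EncryptionConfiguration;
    `plaintext` is a secret value you know the object contains."""
    result = {"encrypted": False, "scheme": None, "provider": None, "version": None, "problems": []}
    m = ENC_PREFIX.match(raw)
    if m is None:
        if raw.startswith(PROTOBUF_MAGIC) or raw.lstrip().startswith(b"{"):
            result["problems"].append("stored in plaintext (no k8s:enc prefix)")
        else:
            result["problems"].append("unrecognised value format")
    else:
        result.update(encrypted=True, scheme=m["scheme"].decode(),
                      provider=m["name"].decode(), version=int(m["version"]))
        if expected_provider and result["provider"] != expected_provider:
            result["problems"].append(
                f"encrypted by provider {result['provider']!r}, expected {expected_provider!r}")
    # Protobuf stores secret data raw, JSON stores it base64-encoded; check both.
    if plaintext and (plaintext in raw or base64.b64encode(plaintext) in raw):
        result["problems"].append("known secret value appears verbatim in the stored blob")
    result["ok"] = not result["problems"]
    return result


# Constructed sample values (not real etcd dumps); "ack-kms-plugin" as the
# provider name is an assumption, use the name from your own configuration.
SAMPLES = {
    "kms_encrypted": b"k8s:enc:kms:v1:ack-kms-plugin:\x00\x20" + bytes(range(0x80, 0xA0)),
    "plaintext_protobuf": PROTOBUF_MAGIC + b"\n\x0c\n\x02v1\x12\x06Secret\x12\x10password:hunter2",
    "plaintext_json": b'{"kind":"Secret","apiVersion":"v1","data":{"password":"aHVudGVyMg=="}}',
    "wrong_provider": b"k8s:enc:aescbc:v1:key1:" + bytes(range(0x40, 0x60)),
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        report = inspect_etcd_value(value, expected_provider="ack-kms-plugin", plaintext=b"hunter2")
        print(f"{label:20s} ok={report['ok']} scheme={report['scheme']} problems={report['problems']}")
```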

 

AD/LDAP

An Alibaba Cloud RAM user can upload the metadata file provided by an external IdP and enable SAML-based single sign-on. RAM supports the SAML 2.0 standard and lets you log on to Alibaba Cloud from your enterprise's local account system. Here we use Microsoft AD as an example:

image

Then enable SSO and upload the IdP metadata XML file:

image

Configure AD FS to trust RAM as a SAML service provider (SP):

image

Add claim rules:

image

A user can then log in from the Alibaba Cloud RAM page; the browser is automatically redirected to the AD login page:

image
image

After AD authenticates the user successfully, the browser is redirected back to the Alibaba Cloud console:

image

 
Besides, Alibaba Cloud Container Service supports deploying Keycloak with Helm charts, which comes with a built-in LDAP/AD user federation provider on the application side.

image

 

NeuVector

NeuVector, the leader in Kubernetes security delivering the first and only multi-vector container firewall, has announced a partnership with Alibaba Cloud to strengthen Kubernetes security for enterprise customers. See https://neuvector.com/cloud-security/neuvector-alibaba-cloud/

NeuVector’s platform includes these key features:

  • Support throughout the entire DevOps container deployment lifecycle, from build to ship to run.
  • Security automation, starting with a Jenkins plug-in for vulnerability scanning during the build process.
  • Container registries such as the Alibaba Cloud Container Registry can be configured so that any new images in a repository will be automatically scanned by NeuVector.
  • Kubernetes and Docker CIS benchmarks will test host and container configurations before and after production deployments.
  • Run-time security is delivered by the unique, cloud-native Layer-7 container firewall that combines deep packet inspection (DPI) of east-west traffic with container inspection and host security to detect and prevent attacks at multiple points in the kill chain.

For details, refer to https://yq.aliyun.com/articles/62411

 

Vault

Vault is a well-known open-source product for managing secrets and protecting sensitive data, and Alibaba Cloud has also been integrated into its dynamic infrastructure model.
image

Vault's AliCloud auth method treats Alibaba Cloud as a trusted third party: the client authenticates with a special Alibaba Cloud API request signed with its private credentials. See https://www.vaultproject.io/docs/auth/alicloud.html

It also supports dynamically generating, storing and encrypting Alibaba Cloud access tokens based on RAM policies; see https://www.vaultproject.io/docs/secrets/alicloud/index.html

Besides, Alibaba Cloud Container Service supports deploying Vault from the app catalog, which helps customers deploy it easily based on the official Helm charts.

image
