{"id":239,"date":"2023-08-28T22:19:00","date_gmt":"2023-08-28T22:19:00","guid":{"rendered":"http:\/\/blog.firatyasar.com\/?p=239"},"modified":"2024-03-17T22:26:15","modified_gmt":"2024-03-17T22:26:15","slug":"aks-cluster-security-apparmor-seccomp","status":"publish","type":"post","link":"https:\/\/blog.firatyasar.com\/?p=239","title":{"rendered":"AKS Cluster Security (AppArmor, Seccomp)"},"content":{"rendered":"\n<p><strong>API Server and Node Security<\/strong><\/p>\n\n\n\n<p>Using Microsoft Entra ID with Kubernetes RBAC: integrating Microsoft Entra ID with Kubernetes Role-Based Access Control (RBAC) puts a strong authentication and authorization layer in front of the API server. Users and groups authenticate against Entra ID, and what they may do inside the cluster is granted by Kubernetes Role and ClusterRole bindings to those users and groups (or by Azure RBAC for Kubernetes authorization), so identity is managed centrally. Disable local accounts (--disable-local-accounts) as well, so that no static cluster-admin kubeconfig outside Entra ID remains in circulation.<\/p>\n\n\n\n<p>Node security: keep the nodes in your AKS cluster patched. AKS applies OS security patches to Linux nodes automatically, but some patches only take effect after a reboot, and the kernel and container runtime are only replaced by a node image upgrade. Managed identity (enabled with --enable-managed-identity below) covers the cluster's own access to Azure, not patching; for patching, set the cluster auto-upgrade channel and the node OS upgrade channel (for example az aks update --auto-upgrade-channel stable --node-os-upgrade-channel NodeImage) so that upgrades happen on a schedule instead of by hand.<\/p>\n\n\n\n<p><strong>Network Security and Isolation<\/strong><\/p>\n\n\n\n<p>Network policies: in AKS, the --network-policy parameter enables a NetworkPolicy engine that enforces pod-to-pod and pod egress rules. Without one, every pod can reach every other pod in the cluster and any address outside it. To use Azure Network Policy Manager, add --network-policy azure when creating the cluster. 
Create the cluster with: az aks create -g myResourceGroup -n myManagedCluster --enable-managed-identity --network-plugin azure --network-policy azure<\/p>\n\n\n\n<p>Restricting access to the instance metadata API: the Azure Instance Metadata Service (IMDS) at 169.254.169.254 hands out, among other things, access tokens for the managed identity attached to the node. Any pod that can reach it can therefore obtain the node's identity and whatever Azure permissions that identity holds. Limiting in-cluster workloads' access to IMDS removes that escalation path, and a custom network policy can do it. The egress policy below allows all other egress but drops traffic to 169.254.169.254. NetworkPolicy is namespaced, so apply it in every namespace that runs application pods; it does not affect pods with hostNetwork: true, which share the node's network namespace. Workloads that need Azure credentials should use Microsoft Entra Workload ID (a projected service account token exchanged through a federated credential), which does not go through IMDS.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apiVersion: networking.k8s.io\/v1\nkind: NetworkPolicy\nmetadata:\n  name: restrict-instance-metadata\nspec:\n  # Empty selector: applies to every pod in the namespace the policy is created in.\n  podSelector:\n    matchLabels: {}\n  policyTypes:\n  - Egress\n  egress:\n  - to:\n    # Allow every destination except the IMDS address.\n    - ipBlock:\n        cidr: 0.0.0.0\/0\n        except:\n        - 169.254.169.254\/32\n<\/code><\/pre>\n\n\n\n<p><strong>Container Security<\/strong><\/p>\n\n\n\n<p>To secure containers' access to resources, apply the principle of least privilege as the best-practice guidance recommends. Allow containers to perform only the actions they need, and restrict root access and privilege escalation: set allowPrivilegeEscalation: false in the container's securityContext (so that setuid binaries and file capabilities cannot give the process more privilege than it started with), run as a non-root user, and drop the Linux capabilities the workload does not use. In addition, Linux security features such as AppArmor and seccomp add further layers of control at the container and node level, limiting what a process can do even after it has been compromised. 
However, remember that a Kubernetes namespace is not a hard isolation boundary: a cluster is not by itself resistant to hostile multi-tenant workloads, and the additional controls described here are what actually reduce that risk. Where tenants do not trust each other, use physically separate clusters and treat the whole cluster, not the namespace, as the security boundary.<\/p>\n\n\n\n<p><strong>Application Protection<\/strong><\/p>\n\n\n\n<p>Container security with <strong>AppArmor<\/strong>: in AKS you can raise container security with AppArmor profiles. AppArmor is a Linux kernel security module that confines a process to a profile listing the files, capabilities and network operations it may use; the kernel enforces the profile regardless of the user the process runs as, so it holds even for a root process inside the container. AppArmor is enabled on the AKS Ubuntu node images. Below is an example of creating and applying a profile that denies all file writes:<\/p>\n\n\n\n<p>Creating the profile: connect to the AKS node over SSH and create a file named deny-write.profile. 
Its content should be as follows:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#include &lt;tunables\/global>\n\n# The profile name is what the pod refers to (localhost\/k8s-apparmor-example-deny-write).\n# attach_disconnected lets the profile apply to processes whose root is a container\n# mount namespace, i.e. paths that are \"disconnected\" from the host root.\nprofile k8s-apparmor-example-deny-write flags=(attach_disconnected) {\n  #include &lt;abstractions\/base>\n\n  # Allow all file operations ...\n  file,\n  # ... then deny every write. Deny rules take precedence over allow rules.\n  deny \/** w,\n}\n<\/code><\/pre>\n\n\n\n<p>Applying the profile: load it into the kernel with the following command (-r replaces an already loaded profile of the same name, -W writes the parser cache). A profile loaded this way exists only on that node and only until the node reboots or is reimaged (unless the file is also placed under \/etc\/apparmor.d), so in practice load it from a DaemonSet or a node bootstrap step on every node where the pod may be scheduled: the kubelet refuses to start a container whose profile is not loaded on its node.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apparmor_parser -r -W deny-write.profile<\/code><\/pre>\n\n\n\n<p>Using it in Kubernetes: to apply this profile to a pod, add the following annotation to the pod definition. The annotation key names the container (hello), and the value localhost\/&lt;profile name> refers to a profile already loaded on the node. This annotation is deprecated as of Kubernetes 1.30, which introduces the securityContext.appArmorProfile field (type: Localhost, localhostProfile: k8s-apparmor-example-deny-write) as its replacement; the annotation still works there, but new manifests should use the field.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apiVersion: v1\nkind: Pod\nmetadata:\n  name: hello-apparmor\n  annotations:\n    container.apparmor.security.beta.kubernetes.io\/hello: localhost\/k8s-apparmor-example-deny-write\nspec:\n  containers:\n  - name: hello\n    image: mcr.microsoft.com\/dotnet\/runtime-deps:6.0\n    command: [ \"sh\", \"-c\", \"echo 'Hello AppArmor!' &amp;&amp; sleep 1h\" ]\n<\/code><\/pre>\n\n\n\n<p><strong>Secure Computing<\/strong><\/p>\n\n\n\n<p>Restricting system calls with <strong>seccomp<\/strong>: seccomp (secure computing mode) filters the system calls a process is allowed to make, so a container can be refused specific dangerous calls even if the code inside it tries to use them. Every container escape eventually has to go through the kernel's syscall interface, so a profile that removes the calls a workload never needs shrinks the attack surface an attacker inside the container can reach. 
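<\/p>\n\n\n\n<p>Loading profiles by hand over SSH does not survive a scale-out or a node image upgrade, and the annotation forms used in this post are on their way out. The manifests below are an added example written for this post, not code from the original article or from Microsoft: a ConfigMap holding the deny-write AppArmor profile from the previous section and the prevent-chmod seccomp profile built in this one, a DaemonSet that installs both on every Linux node, and a pod that consumes them through securityContext fields together with the least-privilege settings discussed under Container Security. Assumptions that are not in the original: registry.example.com\/apparmor-loader:1 is a placeholder for an image you build with the apparmor package installed (it supplies apparmor_parser plus the tunables and abstractions the profile includes); the ConfigMap, DaemonSet and pod names are invented; the pod's appArmorProfile field needs Kubernetes 1.30 or newer (on older clusters use the annotation shown above), and seccompProfile needs 1.19 or newer.<\/p>\n\n\n\n
```yaml
# Added example for this post (not from the original article or from Microsoft).
# Assumption: registry.example.com/apparmor-loader:1 is a placeholder image built
# with the Ubuntu/Debian "apparmor" package (apparmor_parser + tunables/abstractions).
apiVersion: v1
kind: ConfigMap
metadata:
  name: node-security-profiles
  namespace: kube-system
data:
  prevent-chmod.json: |
    {
      "defaultAction": "SCMP_ACT_ALLOW",
      "syscalls": [
        { "names": ["chmod", "fchmod", "fchmodat"], "action": "SCMP_ACT_ERRNO" }
      ]
    }
  deny-write.profile: |
    #include <tunables/global>
    profile k8s-apparmor-example-deny-write flags=(attach_disconnected) {
      #include <abstractions/base>
      file,
      deny /** w,
    }
---
# Runs on every Linux node (tainted ones included) and runs again after a node is
# rebooted or reimaged, so nobody has to SSH to nodes to load profiles.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: security-profile-loader
  namespace: kube-system
spec:
  selector:
    matchLabels: { app: security-profile-loader }
  template:
    metadata:
      labels: { app: security-profile-loader }
    spec:
      nodeSelector: { kubernetes.io/os: linux }
      tolerations: [ { operator: Exists } ]
      priorityClassName: system-node-critical
      initContainers:
      # seccomp: the kubelet resolves localhostProfile relative to
      # /var/lib/kubelet/seccomp, so copy the JSON under that directory.
      - name: install-seccomp
        image: mcr.microsoft.com/dotnet/runtime-deps:6.0
        command: ["sh", "-c", "mkdir -p /host-seccomp/profiles && cp /profiles/prevent-chmod.json /host-seccomp/profiles/"]
        volumeMounts:
        - { name: profiles, mountPath: /profiles, readOnly: true }
        - { name: kubelet-seccomp, mountPath: /host-seccomp }
      containers:
      # AppArmor: loading a profile into the kernel needs CAP_MAC_ADMIN and the
      # node's securityfs, hence privileged plus the /sys/kernel/security mount.
      - name: load-apparmor
        image: registry.example.com/apparmor-loader:1   # placeholder, see above
        securityContext: { privileged: true }
        command: ["sh", "-c", "apparmor_parser -r /profiles/deny-write.profile && exec sleep infinity"]
        volumeMounts:
        - { name: profiles, mountPath: /profiles, readOnly: true }
        - { name: securityfs, mountPath: /sys/kernel/security }
      volumes:
      - name: profiles
        configMap: { name: node-security-profiles }
      - name: kubelet-seccomp
        hostPath: { path: /var/lib/kubelet/seccomp, type: DirectoryOrCreate }
      - name: securityfs
        hostPath: { path: /sys/kernel/security, type: Directory }
---
# Consumer: least-privilege settings plus both profiles through securityContext
# fields (seccompProfile: Kubernetes 1.19+, appArmorProfile: 1.30+), no annotations.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-hello
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    seccompProfile:
      type: Localhost
      localhostProfile: profiles/prevent-chmod.json
  containers:
  - name: hello
    image: mcr.microsoft.com/dotnet/runtime-deps:6.0
    command: ["sh", "-c", "echo 'Hello AppArmor and seccomp!' && sleep 1h"]
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities: { drop: ["ALL"] }
      appArmorProfile:
        type: Localhost
        localhostProfile: k8s-apparmor-example-deny-write
    volumeMounts:
    - { name: tmp, mountPath: /tmp }   # writable mount: a denied write here is AppArmor, not the read-only rootfs
  volumes:
  - name: tmp
    emptyDir: {}
```
\n\n\n\n<p>After kubectl apply -f, wait until kubectl get pods -n kube-system -l app=security-profile-loader shows one Running pod per node: a workload pod scheduled onto a node before its loader has run is rejected by the kubelet because the AppArmor profile is not loaded there yet (kubectl describe pod shows the reason), so for production use give the loader a head start or keep such workloads on a node pool where it is known to be ready. Inside the running pod, kubectl exec hardened-hello -- cat \/proc\/self\/attr\/current prints k8s-apparmor-example-deny-write (enforce), kubectl exec hardened-hello -- grep Seccomp \/proc\/self\/status shows Seccomp: 2 (filter mode), and kubectl exec hardened-hello -- sh -c 'echo x > \/tmp\/x' fails with Permission denied even though \/tmp is a writable emptyDir, which is the AppArmor deny at work.<\/p>\n\n\n\n<p>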
Below is an example of a seccomp profile that prevents changing file permissions, and how to use it in a Kubernetes pod:<\/p>\n\n\n\n<p>Creating the seccomp profile:<\/p>\n\n\n\n<p>On the AKS node, create a file named prevent-chmod.json under the kubelet seccomp root, \/var\/lib\/kubelet\/seccomp\/profiles\/, with the following content. The default action allows everything; only the listed syscalls are refused, and SCMP_ACT_ERRNO makes them fail with EPERM (\"Operation not permitted\") instead of killing the process. The permission-changing syscalls are chmod (by path), fchmod (by file descriptor) and fchmodat (relative to a directory descriptor); kernels 6.6 and later also have fchmodat2, which you should add once the libseccomp on your nodes knows that name. As with AppArmor, the file must exist on every node the pod may land on.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>{\n  \"defaultAction\": \"SCMP_ACT_ALLOW\",\n  \"syscalls\": [\n    {\n      \"names\": [\"chmod\", \"fchmod\", \"fchmodat\"],\n      \"action\": \"SCMP_ACT_ERRNO\"\n    }\n  ]\n}\n<\/code><\/pre>\n\n\n\n<p>Using it in Kubernetes: the seccomp.security.alpha.kubernetes.io\/pod annotation used by older guides was deprecated in Kubernetes 1.19 and is no longer honored on current releases, so reference the profile through securityContext.seccompProfile instead; localhostProfile is a path relative to \/var\/lib\/kubelet\/seccomp. The container runs as root, so without the profile the chmod would succeed; with it the chmod fails, the shell exits non-zero, and because of restartPolicy: Never the pod ends in an error state. kubectl logs chmod-prevented shows \"Operation not permitted\".<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apiVersion: v1\nkind: Pod\nmetadata:\n  name: chmod-prevented\nspec:\n  securityContext:\n    seccompProfile:\n      type: Localhost\n      localhostProfile: profiles\/prevent-chmod.json\n  containers:\n  - name: chmod\n    image: mcr.microsoft.com\/dotnet\/runtime-deps:6.0\n    command: [\"sh\", \"-c\", \"chmod 777 \/etc\/hostname &amp;&amp; sleep 1h\"]\n  restartPolicy: Never\n<\/code><\/pre>\n\n\n\n<p>These steps and examples give a basic guide to application protection and secure computing in AKS. Security is a continuous process when running a Kubernetes environment, so keep following the best practices and keep the tooling current.<\/p>\n\n\n\n<p><strong>Updates and Upgrades<\/strong><\/p>\n\n\n\n<p>Kubernetes and node updates: keeping AKS clusters current minimizes exposure to known vulnerabilities and gives access to new features. 
Upgrade the cluster with az aks upgrade --kubernetes-version (run az aks get-upgrades first to list the versions reachable from the current one), or set an auto-upgrade channel so that patch releases are applied automatically.<\/p>\n\n\n\n<p>Node image upgrades: node image upgrades bring OS-level security and performance improvements, including a newer kernel and container runtime, and they are how a node receives patches that need a reboot. Apply them regularly, for example with az aks nodepool upgrade --node-image-only, or enable the NodeImage node OS upgrade channel.<\/p>\n\n\n\n<p><strong>Conclusion<\/strong> Managing Azure Kubernetes Service (AKS) clusters requires a security-first approach. API server access through Microsoft Entra ID and Kubernetes RBAC, network policies, container-level controls (least privilege, AppArmor, seccomp) and regular updates are the building blocks of a strong security posture. The steps and guidance in this post will help you keep your AKS clusters secure.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>API Server and Node Security Using Microsoft Entra ID with Kubernetes RBAC: integrating Microsoft Entra ID with Kubernetes Role-Based Access Control (RBAC) puts a strong authentication and authorization layer in front of the API server. Users and groups authenticate against Entra ID, and what they may do inside the cluster is granted by Kubernetes Role and ClusterRole bindings, so identity is managed centrally. 
Node security: keep the nodes in your AKS cluster patched\u2026 <span class=\"read-more\"><a href=\"https:\/\/blog.firatyasar.com\/?p=239\">Read More &raquo;<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":227,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[5,71,82,85,84,83],"_links":{"self":[{"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=\/wp\/v2\/posts\/239"}],"collection":[{"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=239"}],"version-history":[{"count":1,"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=\/wp\/v2\/posts\/239\/revisions"}],"predecessor-version":[{"id":240,"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=\/wp\/v2\/posts\/239\/revisions\/240"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=\/wp\/v2\/media\/227"}],"wp:attachment":[{"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=239"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=239"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.firatyasar.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=239"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}