OSSでセキュリティをCI/CDパイプラインに透過的に取込む方法

Transcript

1. Copyright © SUSE 2023 OSSͰηΩϡϦςΟΛCI/CDύΠϓϥΠϯ ʹಁաతʹऔࠐΉํ๏ 2 0 M ARCH

   2 0 2 3 Jianqiang Cheng - SUSE

2. Copyright © SUSE 2023 2 Who am I? Jianqiang Cheng

   Sales Engineer SUSE Japan

3. Copyright © SUSE 2023 3 CI/CD͸ॏཁͰʮ౰ͨΓલʯ

4. Copyright © SUSE 2023 4 ੬ऑੑʹૂ͏߈ܸ΍ඃ֐ࣄྫ͕ଟ͍ ੜ࢈ੑ޲্ͷಉ࣌ʹηΩϡϦςΟΛ͓๨Εͳ͘

5. Copyright © SUSE 2023 5 OSSͰίετ࡟ݮɺࣗಈԽͰ࣌ؒ୹ॖ ηΩϡϦςΟνΣοΫ΋ࣗಈԽ

6. Copyright © SUSE 2023 6 CI/CDύΠϓϥΠϯʹऔΓࠐΉ߲໨ CI/CD のʮηΩϡϦςΟରࡦʯ カテゴリ テクノロジー概要

   ιʔείʔυ੩తղੳ ιʔείʔυΛ੩తʹղੳ͠ɺίʔυͷόάɺ$PEF
   4NFMM ਂ͍໰୊Λൃੜ ͢ΔՄೳੑ͕͋Δίʔυ ɺηΩϡϦςΟ੬ऑੑΛݕग़ Πϝʔδͷ੬ऑੑ εΩϟϯ ίϯςφΠϝʔδʹજΉط஌ͷ੬ऑੑΛࣝผ ΠϝʔδͷίϯϓϥΠΞ ϯεεΩϟϯ ίϯςφΠϝʔδʹCIS Benchmarksʹ४ڌ͠ͳ͍ઃఆ͕͋Δ͔ΛνΣοΫ Ξυϛογϣϯ੍ޚ ର৅ͷΞϓϦͷσϓϩΠઃఆɺεΩϟϯͷ݁ՌͳͲΛݩʹɺݕূʗຊ൪؀ڥʹ ΞϓϦέʔγϣϯͷσϓϩΠՄ൱ͷࣗಈ੍ޚ Security Policy as Code ωοτϫʔΫϧʔϧɺϑΝΠϧΞΫηεϧʔϧͳͲͷηΩϡϦςΟ ϙϦγʔΛίʔυԽ

7. Copyright © SUSE 2023 Copyright © SUSE 2023 Roll Up

   Your Sleeves and Get Started! Demo؀ڥͷπʔϧ঺հ 7

8. Copyright © SUSE 2023 8 Demo؀ڥͷπʔϧҰཡ πʔϧ ໾ׂ AWS VM؀ڥ(AWS

   Lightsail) Github ιʔείʔυ(Java)ɺHelm Chart RKE2 K8sσΟετϦϏϡʔγϣϯ Harbor ίϯςφϦϙδτϦ Jenkins CI/CDύΠϓϥΠϯ Rancher Gitops(fleet)、k8sΫϥελʔ؅ཧ NeuVector Πϝʔδͷ੬ऑੑεΩϟϯɺίϯϓϥΠΞϯεεΩϟϯɺ Ξυϛογϣϯ੍ޚͳͲ SonarQube ιʔείʔυ੩తղੳ Longhorn ίϯςφӬଓԽετϨʔδιϦϡʔγϣϯ

9. Copyright © SUSE 2023 Demo؀ڥ  πʔϧؒͷ࿈ܞਤ CIύΠϓϥΠϯʢϏϧυˠςετˠϓογϡˠεΩϟϯʣ ։ൃऀ Webhook

   τϦΨʔ Commit ίʔυ੩తղੳ Πϝʔδ֨ೲ Πϝʔδ εΩϟϯ ϚχϑΣετߋ৽ *NBHF
   5BH ϚχϑΣετ ؂ࢹɾऔಘ σϓϩΠ Ξυϛογϣϯ੍ޚ ϥϯλΠϜηΩϡϦςΟ CI GITOPS ӡ༻ Cloud Native Security Kubernetes IaaS Cloud Native Storage

10. Copyright © SUSE 2023 10 πʔϧͷ؆୯঺հ πʔϧ ໾ׂ AWS VM؀ڥ(AWS

    Lightsail) Github ιʔείʔυ(Java)ɺHelm Chart RKE2 K8sσΟετϦϏϡʔγϣϯ Harbor ίϯςφϦϙδτϦ Jenkins CI/CDύΠϓϥΠϯ Rancher Gitops(fleet)、k8sΫϥελʔ؅ཧ NeuVector Πϝʔδͷ੬ऑੑεΩϟϯɺίϯϓϥΠΞϯεεΩϟϯɺ Ξυϛογϣϯ੍ޚͳͲ SonarQube ιʔείʔυ੩తղੳ Longhorn ίϯςφӬଓԽετϨʔδιϦϡʔγϣϯ

11. Copyright © SUSE 2023 RKE2 - K8sσΟετϦϏϡʔγϣϯ — ηΩϡϦςΟཁ݅ –

    FIPS-enabled – SELinux Support — CIS Benchmark Certification — Containerd ͕σϑΥϧτͷϥϯλΠϜ — γϯάϧόΠφϦͰΠϯετʔϧ΍ӡ༻΋؆୯

12. Copyright © SUSE 2023 ෳ਺ͷKubernetesΫϥελ͸ɺଟ༷ͳσΟετϦϏϡʔγϣϯͰ͋ΓɺҟͳΔϓϥοτϑΥʔϜͰ࣮ߦ ͞Ε͍ͯ·͕͢ɺRancherʹΑΓҰݩ؅ཧΛ࣮ݱͰ͖·͢ɻ Rancher - ෳ਺KubernetesΫϥελͷҰݩ؅ཧ 12

13. Copyright © SUSE 2023 13 Rancher - ௚ײతͳ6*ͱ౷Ұ͞Εͨૢ࡞ Container Container

    Container Grafana [Add Cluster] [Cluster Usage] [Graphical Monitoring with Prometheus and Grafana] [Service Catalog] [Import YAML file] [Network traffic statistics wit Istio] Prometheus

14. Copyright © SUSE 2023 14 Longhorn — ίϯςφӬଓԽετϨʔδιϦϡʔγϣϯ — ܰྔɺߴཔੑɺߴՄ༻ੑͷӬଓϒϩοΫετϨʔδ

    — Rancherʹ؆୯ʹ౷߹ – Rancher UI͔Βone clickͰσϓϩΠ — Backend ετϨʔδʹґଘ͠ͳ͍ x86 ARM

15. Copyright © SUSE 2023 脆弱性とコンプライアンスの管理 ビルドスキャン リポジトリ スキャン CIS ベンチマーク

    コンプライアンス PCI, GDPR, NIST 実⾏時のスキャン Container, Host, Platform ランライムセキュリティ保護 アドミッション コントロール コンテナフファイアー ウォール DPI/DLPによるレイヤー 7セキュリティ コンテナワークロード セキュリティ プロセス、ファイルシステム ブロック 警報と フォレンジック Security Policy as Code セキュリティ設定の ⾃動化 動作に基づく学習 運⽤ NeuVector - ίϯςφηΩϡϦςΟ ։ൃ͔Βӡ༻ʹ͔͚ͯ ビルド テスト ステージング 運⽤

16. Copyright © SUSE 2023 Automated Build Phase Scanning Scanning Public

    Cloud Registries, Private Registries, 3rd Party Registries Layered Image Vulnerability Analysis CI/CD INTEGRATION

17. Copyright © SUSE 2023 circleci.com/orbs CI/CD INTEGRATION

18. Copyright © SUSE 2023 CVE Database Sources NeuVector CVE Database

    is Updated via 17 Security Sources Nightly Updated nightly

19. Copyright © SUSE 2023 ΠϝʔδͷίϯϓϥΠΞϯε Checklist

20. Copyright © SUSE 2023 SECURITY AS CODE

21. Copyright © SUSE 2023 ü KubernetesͷCRD yamlͰΞϓϦέʔγϣϯͷಈ࡞Λ੍ݶ üNetwork Connections and

    Protocols üIngress/egress controls üProcesses & File System Protection ü Security Policiesͷόʔδϣϯ؅ཧ ü ଞͷ؀ڥʹಉ͡ͷSecurity PolicyΛ؆୯ʹڞ༗ ü NeuVector͔Βࣗಈੜ੒Մೳ SECURITY AS CODE

22. Copyright © SUSE 2023 Copyright © SUSE 2023 Roll Up

    Your Sleeves and Get Started! Demo 22

23. Copyright © SUSE 2023 Demo؀ڥ  πʔϧͷ࿈ܞ CIύΠϓϥΠϯʢϏϧυˠςετˠϓογϡˠεΩϟϯʣ ։ൃऀ Webhook

    τϦΨʔ Commit ίʔυ੩తղੳ Πϝʔδ֨ೲ Πϝʔδ εΩϟϯ ϚχϑΣετߋ৽ *NBHF
    5BH ϚχϑΣετ ؂ࢹɾऔಘ σϓϩΠ Ξυϛογϣϯ੍ޚ ϥϯλΠϜηΩϡϦςΟ CI GITOPS ӡ༻ Cloud Native Security Kubernetes IaaS Cloud Native Storage εΫϦϓτͰࣗಈߏங εΫϦϓτͰࣗಈ ߏங

24. Copyright © SUSE 2023 Demo環境の⾃動構築スクリプトGithub https://github.com/qiang1981cn/devsecops-neuvector.git

25. Copyright © SUSE 2023 Demo環境 - ツールの連携 CIύΠϓϥΠϯʢϏϧυˠςετˠϓογϡˠεΩϟϯʣ ։ൃऀ Webhook

    τϦΨʔ Commit ίʔυ੩తղੳ Πϝʔδ֨ೲ Πϝʔδ εΩϟϯ ϚχϑΣετߋ৽ *NBHF
    5BH ϚχϑΣετ ؂ࢹɾऔಘ σϓϩΠ Ξυϛογϣϯ੍ޚ ϥϯλΠϜηΩϡϦςΟ CI GITOPS ӡ༻ Cloud Native Security Kubernetes IaaS Cloud Native Storage

26. Copyright © SUSE 2023 ·ͱΊ — OSSͰ΋ηΩϡΞͳCI/CDύΠϓϥΠϯΛߏஙͰ͖Δ — NeuVector͸ԼهͷػೳΛఏڙ –

    ੬ऑੑͱίϯϓϥΠΞϯεͷεΩϟϯ – Security policy as CodeͰϙϦγʔઃఆͷࣗಈԽ – ෆਖ਼ͳσϓϩΠͷࣗಈ્ࢭʢΞυϛογϣϯ੍ޚʣ

27. Copyright © SUSE 2023 NeuVector - ίϯςφηΩϡϦςΟ ։ൃ͔Βӡ༻ʹ͔͚ͯ αϓϥΠνΣʔϯ ηΩϡϦςΟ

    ϥϯλΠϜ ηΩϡϦςΟ ੬ऑੑεΩϟϯ ίϯϓϥΠΞϯεεΩϟϯ Ξυϛογϣϯ ੍ޚ ϥϯλΠϜεΩϟϯ ڴҖϕʔεͷݕग़ θϩτϥετ੍ޚ

28. Copyright © SUSE 2023 28 さらに学びたい⽅に・・・ 4⽉13⽇開催 NeuVectorオンラインセミナー 4⽉20⽇開催 Rancherオンラインセミナー

    お⼿元のアンケートのご回答へのご協⼒もお願いします☺

29. Copyright © SUSE 2023 For more information, contact SUSE at:

    03-6625-5578(Japan) https://www.suse.com/ja-jp/contact/ Thank you