Containers are a lightweight solution for deploying complex big-data applications. Especially when Kubernetes, a novel container orchestrator, is involved, it becomes possible to run a distributed big-data application in a lightweight fashion. However, the security of containerized applications has become a focus of public attention, especially as a set of container-targeted attacks has emerged. These attacks include container escape, privilege escalation and remote exploits, and they pose great challenges for all security practitioners. In this paper, we discuss the real-world challenges of deploying security tools alongside big-data applications, and the methods we use to make these tools run lightly in our production system. In particular, we design a lightweight container image scanning technique which reduces scanning time to the order of seconds. We also deploy a system monitoring scheme which limits CPU usage to ~10%. Lastly, we propose a scheme for lightweight traffic monitoring.
Keywords (translated from Chinese)
container security/big data platform security technology/attack detection/container image security
Key words
container security/security practice in big data system/intrusion detection/container image security
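The abstract states that the authors' image scanning technique brings scan time down to seconds but does not describe how. The following is an added illustration, not the paper's technique: one widely used way to make repeated image scans cheap is to cache results per content-addressed layer, so that an image sharing a base layer with an already-scanned image only has its new layers examined. The image layout, package manifest format, package names and the vulnerable-package list below are all constructed sample data.

```python
"""Layer-level result caching for container image scanning (added illustration).

A container image is a stack of content-addressed layers. Because a layer's
digest changes whenever its content does, a scan result keyed by digest can be
reused safely across every image that shares that layer.
"""
import hashlib
import json
from typing import Dict, List, Set

# Constructed advisory data: package name -> versions considered vulnerable.
# Not real advisories; placeholder values for the demonstration only.
VULNERABLE_PACKAGES: Dict[str, Set[str]] = {
    "openssl": {"1.1.1k"},
    "log4j-core": {"2.14.1"},
}

# A layer is modelled as a mapping of file path -> file content (constructed).
Layer = Dict[str, str]


def layer_digest(layer: Layer) -> str:
    """Content-address a layer: sha256 over a canonical encoding of its files."""
    canonical = json.dumps(sorted(layer.items())).encode()
    return "sha256:" + hashlib.sha256(canonical).hexdigest()


def scan_layer(layer: Layer) -> List[str]:
    """Scan one layer's package manifest.

    Constructed manifest format: one 'name version' pair per line stored at
    var/lib/pkg/status. Returns 'name==version' for each vulnerable package.
    """
    findings: List[str] = []
    manifest = layer.get("var/lib/pkg/status", "")
    for line in manifest.splitlines():
        if not line.strip():
            continue
        name, version = line.split()
        if version in VULNERABLE_PACKAGES.get(name, set()):
            findings.append(f"{name}=={version}")
    return findings


class LayerCache:
    """Remembers scan results per layer digest so repeat scans skip known layers."""

    def __init__(self) -> None:
        self.results: Dict[str, List[str]] = {}
        self.layers_scanned = 0  # counts real scan work, for measuring the saving

    def scan_image(self, layers: List[Layer]) -> List[str]:
        """Scan an image (list of layers, base first); reuse cached layer results."""
        findings: List[str] = []
        for layer in layers:
            digest = layer_digest(layer)
            if digest not in self.results:
                self.results[digest] = scan_layer(layer)
                self.layers_scanned += 1
            findings.extend(self.results[digest])
        return findings


# Constructed sample images: two applications built on the same base layer.
BASE_LAYER: Layer = {"var/lib/pkg/status": "openssl 1.1.1k\nbash 5.1\n"}
APP_A_LAYER: Layer = {"var/lib/pkg/status": "log4j-core 2.14.1\n"}
APP_B_LAYER: Layer = {"var/lib/pkg/status": "log4j-core 2.17.1\n"}
IMAGE_A = [BASE_LAYER, APP_A_LAYER]
IMAGE_B = [BASE_LAYER, APP_B_LAYER]


def demo() -> Dict[str, object]:
    """Scan both images with one cache and report findings and scan work done."""
    cache = LayerCache()
    findings_a = cache.scan_image(IMAGE_A)
    scans_after_a = cache.layers_scanned
    findings_b = cache.scan_image(IMAGE_B)
    return {
        "findings_a": findings_a,
        "findings_b": findings_b,
        "scans_after_a": scans_after_a,
        "scans_total": cache.layers_scanned,  # 3, not 4: base layer reused
    }


if __name__ == "__main__":
    print(demo())
```

Note that this toy scanner evaluates each layer in isolation; in a real image a later layer can remove or upgrade a package installed by an earlier one, so a production scanner must either merge the layer stack into the final filesystem view before matching advisories, or track per-layer additions and deletions when combining cached results.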