Introduction
We use Trivy to scan the container images of Kubernetes components such as the API server for known vulnerabilities.
Usage
You can download a binary or install Trivy with a package manager such as yum; either way the trivy command becomes available.
This time we run it through docker, following the documentation.
Vulnerability scanning
The cluster used here reports v1.23.3 (the VERSION column of kubectl get node is the kubelet version); the control-plane images scanned below are tagged v1.23.5.
$ kubectl get node
NAME STATUS ROLES AGE VERSION
master03 Ready control-plane,master 16d v1.23.3
worker03 Ready <none> 16d v1.23.3
API server
First, identify the API server image.
$ kubectl -n kube-system get pod kube-apiserver-master03 -o yaml |grep image
image: k8s.gcr.io/kube-apiserver:v1.23.5
imagePullPolicy: IfNotPresent
image: k8s.gcr.io/kube-apiserver:v1.23.5
imageID: docker-pullable://k8s.gcr.io/kube-apiserver@sha256:ddf5bf7196eb534271f9e5d403f4da19838d5610bb5ca191001bde5f32b5492e
Scan the image identified above. The tag v1.23.5 is what we pass to Trivy here; the imageID line records the digest that is actually running, and scanning k8s.gcr.io/kube-apiserver@sha256:ddf5bf7196eb534271f9e5d403f4da19838d5610bb5ca191001bde5f32b5492e instead of the tag pins the scan to exactly that content.
$ sudo docker run ghcr.io/aquasecurity/trivy:latest image k8s.gcr.io/kube-apiserver:v1.23.5
2022-04-14T13:36:17.993Z INFO Need to update DB
2022-04-14T13:36:17.993Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-04-14T13:36:17.993Z INFO Downloading DB...
---- DB download progress bar omitted ----
2022-04-14T13:36:21.446Z INFO Detected OS: debian
2022-04-14T13:36:21.446Z INFO Detecting Debian vulnerabilities...
2022-04-14T13:36:21.446Z INFO Number of language-specific files: 2
k8s.gcr.io/kube-apiserver:v1.23.5 (debian 11.2)
===============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
No vulnerabilities were detected.
Specifying an old version (v1.18.0) produced findings, as shown below.
$ sudo docker run ghcr.io/aquasecurity/trivy:latest image k8s.gcr.io/kube-apiserver:v1.18.0
2022-04-14T13:38:17.430Z INFO Need to update DB
2022-04-14T13:38:17.431Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-04-14T13:38:17.431Z INFO Downloading DB...
---- DB download progress bar omitted ----
2022-04-14T13:38:21.074Z INFO Detected OS: debian
2022-04-14T13:38:21.074Z INFO Detecting Debian vulnerabilities...
2022-04-14T13:38:21.080Z INFO Number of language-specific files: 1
k8s.gcr.io/kube-apiserver:v1.18.0 (debian 10.1)
===============================================
Total: 137 (UNKNOWN: 0, LOW: 63, MEDIUM: 23, HIGH: 39, CRITICAL: 12)
+---------------+------------------+----------+-------------------+-------------------------+-----------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------------+------------------+----------+-------------------+-------------------------+-----------------------------------------+
| apt | CVE-2020-27350 | MEDIUM | 1.8.2 | 1.8.2.2 | apt: integer overflows and underflows |
| | | | | | while parsing .deb packages |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-27350 |
+ +------------------+ + +-------------------------+-----------------------------------------+
---- omitted ----
etcd
Identify the image in the same way and scan it.
$ sudo docker run ghcr.io/aquasecurity/trivy:latest image k8s.gcr.io/etcd:3.5.1-0
2022-04-14T13:40:29.936Z INFO Need to update DB
2022-04-14T13:40:29.936Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-04-14T13:40:29.936Z INFO Downloading DB...
---- DB download progress bar omitted ----
2022-04-14T13:40:36.264Z INFO Detected OS: debian
2022-04-14T13:40:36.264Z INFO Detecting Debian vulnerabilities...
2022-04-14T13:40:36.264Z INFO Number of language-specific files: 6
2022-04-14T13:40:36.264Z INFO Detecting gobinary vulnerabilities...
k8s.gcr.io/etcd:3.5.1-0 (debian 11.1)
=====================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
usr/local/bin/etcd (gobinary)
=============================
Total: 1 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+-------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+-------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| golang.org/x/text | CVE-2021-38561 | UNKNOWN | v0.3.5 | 0.3.7 | Due to improper index calculation, |
| | | | | | an incorrectly formatted |
| | | | | | language tag can cause... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-38561 |
+-------------------+------------------+----------+-------------------+---------------+---------------------------------------+
usr/local/bin/etcd-3.5.1 (gobinary)
===================================
Total: 1 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+-------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+-------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| golang.org/x/text | CVE-2021-38561 | UNKNOWN | v0.3.5 | 0.3.7 | Due to improper index calculation, |
| | | | | | an incorrectly formatted |
| | | | | | language tag can cause... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-38561 |
+-------------------+------------------+----------+-------------------+---------------+---------------------------------------+
usr/local/bin/etcdctl (gobinary)
================================
Total: 1 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+-------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+-------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| golang.org/x/text | CVE-2021-38561 | UNKNOWN | v0.3.5 | 0.3.7 | Due to improper index calculation, |
| | | | | | an incorrectly formatted |
| | | | | | language tag can cause... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-38561 |
+-------------------+------------------+----------+-------------------+---------------+---------------------------------------+
usr/local/bin/etcdctl-3.5.1 (gobinary)
======================================
Total: 1 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+-------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+-------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| golang.org/x/text | CVE-2021-38561 | UNKNOWN | v0.3.5 | 0.3.7 | Due to improper index calculation, |
| | | | | | an incorrectly formatted |
| | | | | | language tag can cause... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-38561 |
+-------------------+------------------+----------+-------------------+---------------+---------------------------------------+
The OS packages of the image (debian 11.1) had no findings, but each Go binary reports one issue with severity UNKNOWN: CVE-2021-38561 in golang.org/x/text v0.3.5, fixed in 0.3.7. UNKNOWN is the severity Trivy assigns when its vulnerability database carries no rating for the entry at scan time; it does not mean the issue itself is unidentified. The same finding appears four times because the image ships four Go binaries (etcd, etcd-3.5.1, etcdctl, etcdctl-3.5.1) that each embed the module.
We did not look into the details here.
Controller manager
$ sudo docker run ghcr.io/aquasecurity/trivy:latest image k8s.gcr.io/kube-controller-manager:v1.23.5
2022-04-14T13:47:41.688Z INFO Need to update DB
2022-04-14T13:47:41.688Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-04-14T13:47:41.688Z INFO Downloading DB...
---- DB download progress bar omitted ----
2022-04-14T13:47:45.076Z INFO Detected OS: debian
2022-04-14T13:47:45.076Z INFO Detecting Debian vulnerabilities...
2022-04-14T13:47:45.076Z INFO Number of language-specific files: 2
k8s.gcr.io/kube-controller-manager:v1.23.5 (debian 11.2)
========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
No vulnerabilities were detected.
Proxy server
$ sudo docker run ghcr.io/aquasecurity/trivy:latest image k8s.gcr.io/kube-proxy:v1.23.5
2022-04-14T13:48:27.800Z INFO Need to update DB
2022-04-14T13:48:27.800Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-04-14T13:48:27.800Z INFO Downloading DB...
---- DB download progress bar omitted ----
2022-04-14T13:48:31.060Z INFO Detected OS: debian
2022-04-14T13:48:31.060Z INFO Detecting Debian vulnerabilities...
2022-04-14T13:48:31.069Z INFO Number of language-specific files: 2
k8s.gcr.io/kube-proxy:v1.23.5 (debian 11.0)
===========================================
Total: 86 (UNKNOWN: 0, LOW: 58, MEDIUM: 10, HIGH: 11, CRITICAL: 7)
+------------------+------------------+----------+-------------------+-------------------------+-----------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+------------------+------------------+----------+-------------------+-------------------------+-----------------------------------------+
| apt | CVE-2011-3374 | LOW | 2.2.4 | | It was found that apt-key in apt, |
| | | | | | all versions, do not correctly... |
| | | | | | -->avd.aquasec.com/nvd/cve-2011-3374 |
+------------------+------------------+----------+-------------------+-------------------------+-----------------------------------------+
---- omitted ----
That is a lot of findings. Note that this image is based on debian 11.0 rather than the debian 11.2 of the other v1.23.5 images, and the findings are in OS packages (apt in the row shown) rather than in kube-proxy itself. An empty FIXED VERSION, as for CVE-2011-3374, means Debian provides no fixed package version, so updating the image's packages cannot remove that entry; Trivy's --ignore-unfixed option hides such findings if only actionable ones are wanted.
Scheduler
$ sudo docker run ghcr.io/aquasecurity/trivy:latest image k8s.gcr.io/kube-scheduler:v1.23.5
2022-04-14T13:49:30.611Z INFO Need to update DB
2022-04-14T13:49:30.611Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-04-14T13:49:30.611Z INFO Downloading DB...
---- DB download progress bar omitted ----
2022-04-14T13:49:33.326Z INFO Detected OS: debian
2022-04-14T13:49:33.326Z INFO Detecting Debian vulnerabilities...
2022-04-14T13:49:33.326Z INFO Number of language-specific files: 2
k8s.gcr.io/kube-scheduler:v1.23.5 (debian 11.2)
===============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
No vulnerabilities were detected.
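The scans above repeat the same two steps for each component: read the image reference out of the pod spec, then hand it to Trivy running in docker. The script below, an added example that is not part of the original post, automates that loop for a whole namespace. It assumes kubectl and docker are on PATH and can reach the cluster, and it mounts a host directory (TRIVY_CACHE, default $HOME/.cache/trivy) as Trivy's cache so the vulnerability database is downloaded once instead of on every run.

```shell
#!/bin/sh
# Added example (not from the original post): collect every image referenced by
# pods in a namespace, deduplicate, and scan each one with Trivy in docker.
# Assumptions: kubectl and docker are on PATH and can reach the cluster;
# TRIVY_CACHE is a host directory mounted as Trivy's cache directory.

# Normalize kubectl's space-separated image list into one unique image per line.
unique_images() {
  tr ' ' '\n' | sed '/^$/d' | sort -u
}

# Images of init containers and regular containers in the given namespace
# (the jsonpath union form documented in the kubectl cheat sheet).
list_images() {
  kubectl -n "$1" get pods \
    -o jsonpath="{.items[*].spec['initContainers', 'containers'][*].image}" \
    | unique_images
}

# Scan one image reference. --no-progress suppresses the progress bars,
# --ignore-unfixed drops findings with no fixed package version, and
# --exit-code 1 makes HIGH/CRITICAL findings a non-zero exit status.
scan_image() {
  docker run --rm \
    -v "${TRIVY_CACHE:-$HOME/.cache/trivy}:/root/.cache/" \
    ghcr.io/aquasecurity/trivy:latest image \
      --no-progress --ignore-unfixed --severity HIGH,CRITICAL --exit-code 1 "$1"
}

# Scan every image in the namespace and report how many failed the policy.
scan_namespace() {
  failed=0
  for img in $(list_images "$1"); do
    echo "### $img"
    scan_image "$img" || { echo "### FAILED: $img"; failed=$((failed + 1)); }
  done
  echo "images failing HIGH/CRITICAL policy: $failed"
  [ "$failed" -eq 0 ]
}

# Run only when a namespace is given, e.g.:  sh scan.sh kube-system
if [ -n "${1:-}" ]; then
  scan_namespace "$1"
fi
```

Running it as sh scan.sh kube-system scans the API server, etcd, controller manager, kube-proxy and scheduler images in one pass and exits non-zero if any of them carries a fixable HIGH or CRITICAL finding, which is the shape needed for a CI or cron check. Because the cache directory persists across invocations, only the first image triggers the "Need to update DB" download seen in every run above.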
Summary
We did not go as far as remediating the detected vulnerabilities, but Trivy made it easy to scan container images for known vulnerabilities.
This time we ran Trivy through docker, but for frequent use it is better to install the package or download the binary so the trivy command is available directly. As the logs above show, every docker run started with "Need to update DB" and re-downloaded the roughly 31 MiB database, because no cache directory was mounted into the container.