{
"categories": [
{
"name": "身份和訪問管理"
},
{
"name": "網路拓撲和連接"
},
{
"name": "運營管理"
},
{
"name": "平臺自動化"
},
{
"name": "安全"
}
],
"items": [
{
"category": "身份和訪問管理",
"guid": "d7e47431-76c8-4bdb-b55b-ce619e8a03f9",
"id": "A01.01",
"link": "https://learn.microsoft.com/azure/openshift/howto-create-service-principal?pivots=aro-azurecli",
"severity": "高",
"subcategory": "身份",
"text": "在創建 ARO 群集之前,請創建服務主體及其角色分配。",
"waf": "安全"
},
{
"category": "身份和訪問管理",
"guid": "7879424d-6267-486d-90b9-6c97be985190",
"id": "A01.02",
"link": "https://learn.microsoft.com/azure/openshift/configure-azure-ad-ui",
"severity": "高",
"subcategory": "身份",
"text": "使用 AAD 對 ARO 群集中的用戶進行身份驗證。",
"waf": "安全"
},
{
"category": "身份和訪問管理",
"guid": "adfec5f9-a82d-46e9-a8d1-5a0c7fed5d15",
"id": "A01.03",
"link": "https://docs.openshift.com/container-platform/4.14/authentication/remove-kubeadmin.html",
"subcategory": "身份",
"text": "使用 AAD 身份驗證時,請從群集中刪除 kubeadmin 使用者。",
"waf": "安全"
},
{
"category": "身份和訪問管理",
"guid": "483835c9-86bb-4291-8155-a11475e39f54",
"id": "A01.04",
"link": "https://docs.openshift.com/container-platform/4.13/applications/projects/working-with-projects.html",
"severity": "高",
"subcategory": "身份",
"text": "定義 OpenShift 專案以限制 RBAC 許可權並隔離集群中的工作負載。",
"waf": "安全"
},
{
"category": "身份和訪問管理",
"guid": "0acccd97-9376-4bcd-a375-0ab2ab039da6",
"id": "A01.05",
"link": "https://docs.openshift.com/container-platform/4.13/authentication/using-rbac.html",
"severity": "中等",
"subcategory": "身份",
"text": "在OpenShift中定義所需的 RBAC 角色,這些角色的範圍限定為專案或集群。",
"waf": "安全"
},
{
"category": "身份和訪問管理",
"guid": "d54d7c89-29db-4107-b532-5ae625ca44e4",
"id": "A01.06",
"link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts",
"severity": "中等",
"subcategory": "身份",
"text": "最大程度地減少具有管理員許可權和機密訪問許可權的用戶數量。",
"waf": "安全"
},
{
"category": "身份和訪問管理",
"guid": "685e2223-ace8-4bb1-8307-ca5f16f154e3",
"id": "A01.07",
"link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure",
"severity": "中等",
"subcategory": "身份",
"text": "在 AAD 中對具有特權角色的 ARO 使用者使用 Privileged Identity Management。",
"waf": "安全"
},
{
"category": "網路拓撲和連接",
"guid": "aa369282-9e7e-4216-8836-87af467a1f89",
"id": "B01.01",
"link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
"severity": "低",
"subcategory": "DDoS 攻擊",
"text": "使用 Azure DDoS 網路/IP 防護來保護用於 ARO 群集的虛擬網路,除非在集中式訂閱中使用 Azure 防火牆或 WAF",
"waf": "安全"
},
{
"category": "網路拓撲和連接",
"guid": "35bda433-24f1-4481-8533-182aa5174269",
"id": "B02.01",
"link": "https://docs.openshift.com/container-platform/4.13/networking/routes/secured-routes.html",
"severity": "高",
"subcategory": "加密",
"text": "配置為使用入口的所有 Web 應用程式都應使用 TLS 加密,並且不應允許通過未加密的 HTTP 進行訪問。",
"waf": "安全"
},
{
"category": "網路拓撲和連接",
"guid": "44008ae7-d7e4-4743-876c-8bdbf55bce61",
"id": "B03.01",
"link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
"severity": "中等",
"subcategory": "互聯網",
"text": "將 Azure Front Door 與 WAF 結合使用,將 ARO 應用程式安全地發布到 Internet,尤其是在多區域環境中。",
"waf": "安全"
},
{
"category": "網路拓撲和連接",
"guid": "9e8a03f9-7879-4424-b626-786d60b96c97",
"id": "B03.02",
"link": "https://learn.microsoft.com/azure/openshift/howto-secure-openshift-with-front-door",
"severity": "中等",
"subcategory": "互聯網",
"text": "如果使用 Azure Front Door 在 ARO 上公開應用,請使用專用連結將 Front Door 與 ARO 路由器連接。",
"waf": "安全"
},
{
"category": "網路拓撲和連接",
"guid": "be985190-4838-435c-a86b-b2912155a114",
"id": "B03.03",
"link": "https://learn.microsoft.com/azure/openshift/howto-restrict-egress",
"severity": "中等",
"subcategory": "互聯網",
"text": "如果安全策略要求檢查 ARO 群集中生成的所有出站 Internet 流量,請使用 Azure 防火牆或 NVA 保護出口網路流量。",
"waf": "安全"
},
{
"category": "網路拓撲和連接",
"guid": "75e39f54-0acc-4cd9-9937-6bcda3750ab2",
"id": "B04.01",
"link": "https://learn.microsoft.com/azure/openshift/howto-create-private-cluster-4x",
"severity": "高",
"subcategory": "私人訪問",
"text": "如果您的安全策略要求您為 OpenShift API 使用私有 IP 位址,請部署私有 ARO 集群。",
"waf": "安全"
},
{
"category": "網路拓撲和連接",
"guid": "ab039da6-d54d-47c8-a29d-b107d5325ae6",
"id": "B04.02",
"link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link",
"severity": "中等",
"subcategory": "私人訪問",
"text": "使用 Azure 專用連結來保護與託管 Azure 服務(包括 Azure 容器註冊表)的網路連接。",
"waf": "安全"
},
{
"category": "運營管理",
"guid": "25ca44e4-685e-4222-9ace-8bb12307ca5f",
"id": "C01.01",
"link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-enable-arc-enabled-clusters",
"severity": "高",
"subcategory": "操作",
"text": "使用內置的 Prometheus、OpenShift Logging 或 Container Insights 集成建立監控流程。",
"waf": "操作"
},
{
"category": "運營管理",
"guid": "16f154e3-aa36-4928-89e7-e216183687af",
"id": "C01.02",
"link": "https://docs.openshift.com/container-platform/4.13/cicd/pipelines/understanding-openshift-pipelines.html",
"severity": "中等",
"subcategory": "操作",
"text": "通過 DevOps 實踐和 CI/CD 解決方案(例如 OpenShift 提供的 Pipelines/GitOps)自動執行應用程式交付流程。",
"waf": "操作"
},
{
"category": "運營管理",
"guid": "467a1f89-35bd-4a43-924f-14811533182a",
"id": "C01.03",
"link": "https://learn.microsoft.com/azure/architecture/guide/design-principles/managed-services",
"severity": "低",
"subcategory": "操作",
"text": "盡可能從容器內部刪除服務狀態。請改用支援多區域複製的 Azure 平臺即服務 (PaaS)。",
"waf": "操作"
},
{
"category": "運營管理",
"guid": "1b7da8cf-aa66-4e15-b4d5-ada97dc3e232",
"id": "C01.04",
"link": "https://learn.microsoft.com/azure/openshift/howto-create-a-storageclass",
"severity": "低",
"subcategory": "操作",
"text": "將 RWX 儲存與內置的 Azure 檔儲存類配合使用。",
"waf": "操作"
},
{
"category": "運營管理",
"guid": "6bb235c7-05e1-4696-bded-fa8a4c8cdec4",
"id": "C02.01",
"link": "https://docs.openshift.com/container-platform/4.13/nodes/clusters/nodes-cluster-limit-ranges.html",
"severity": "中等",
"subcategory": "性能",
"text": "使用 Pod 請求和限制來管理集群中的計算資源。",
"waf": "性能"
},
{
"category": "運營管理",
"guid": "c620c30c-14ee-4b7f-9ae8-d9b3fec228e7",
"id": "C02.02",
"link": "https://docs.openshift.com/container-platform/4.13/applications/quotas/quotas-setting-per-project.html",
"severity": "中等",
"subcategory": "性能",
"text": "對項目強制實施資源配額。",
"waf": "性能"
},
{
"category": "運營管理",
"guid": "87ab177a-db59-4f6b-a613-334fd09dc234",
"id": "C02.03",
"link": "https://docs.openshift.com/container-platform/4.13/machine_management/applying-autoscaling.html",
"severity": "高",
"subcategory": "性能",
"text": "定義 ClusterAutoScaler 和 MachineAutoScaler,以便在群集耗盡資源以支援更多部署時擴展機器。",
"waf": "性能"
},
{
"category": "運營管理",
"guid": "19db6128-1269-4040-a4ba-4d3e0804276d",
"id": "C03.01",
"link": "https://learn.microsoft.com/azure/openshift/support-policies-v4#supported-virtual-machine-sizes",
"severity": "高",
"subcategory": "可靠性",
"text": "使用足夠大以包含多個容器實例的虛擬機大小,以便獲得增加密度的好處,但又不能太大以至於群集無法處理故障節點的工作負載。",
"waf": "可靠性"
},
{
"category": "運營管理",
"guid": "4b98b15c-8b31-4aa5-aceb-58889135e227",
"id": "C03.02",
"link": "https://docs.openshift.com/container-platform/4.13/machine_management/deploying-machine-health-checks.html",
"severity": "高",
"subcategory": "可靠性",
"text": "部署機器運行狀況檢查以自動修復機器池中損壞的機器。",
"waf": "可靠性"
},
{
"category": "運營管理",
"guid": "896d31b6-6c67-4ba5-a119-c08e8f5d587c",
"id": "C03.03",
"link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-metric-alerts",
"severity": "高",
"subcategory": "可靠性",
"text": "使用警報系統在需要直接操作時提供通知:容器見解指標警報或內置警報 UI。",
"waf": "可靠性"
},
{
"category": "運營管理",
"guid": "7e9ced16-acd1-476e-b9b2-41a998a57ae7",
"id": "C03.04",
"link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview#availability-zones",
"severity": "高",
"subcategory": "可靠性",
"text": "確保集群創建在支援可用區的地域,並為每個可用區創建一台機器。",
"waf": "可靠性"
},
{
"category": "運營管理",
"guid": "7b997e71-1b7d-4a8c-baa6-6e15d4d5ada9",
"id": "C03.05",
"link": "https://docs.openshift.com/container-platform/4.13/machine_management/creating-infrastructure-machinesets.html",
"severity": "低",
"subcategory": "可靠性",
"text": "創建基礎架構機器集以容納基礎架構元件。將特定的 Kubernetes 標籤應用於這些機器,然後更新基礎結構元件以僅在這些機器上運行。",
"waf": "可靠性"
},
{
"category": "運營管理",
"guid": "7dc3e232-6bb2-435c-905e-1696fdedfa8a",
"id": "C03.06",
"link": "https://learn.microsoft.com/azure/openshift/howto-create-a-backup#create-a-backup-with-velero-to-include-snapshots",
"severity": "中等",
"subcategory": "可靠性",
"text": "創建應用程式備份並規劃還原,並在備份中包括永久性卷。",
"waf": "可靠性"
},
{
"category": "運營管理",
"guid": "81c12318-1a64-4174-8583-3fb4ae3c2df7",
"id": "C03.07",
"link": "https://docs.openshift.com/container-platform/4.13/nodes/pods/nodes-pods-priority.html",
"severity": "低",
"subcategory": "可靠性",
"text": "使用 Pod 優先順序,以便在資源有限的情況下運行最關鍵的 Pod。",
"waf": "可靠性"
},
{
"category": "運營管理",
"guid": "43166c3b-cbe0-45bb-b209-d4a0da577784",
"id": "C04.01",
"link": "https://docs.openshift.com/container-platform/4.13/architecture/admission-plug-ins.html",
"severity": "低",
"subcategory": "安全",
"text": "使用准入外掛程式管理集群功能,這些外掛程式通常用於強制實施安全策略、資源限制或配置要求。",
"waf": "安全"
},
{
"category": "運營管理",
"guid": "24d21678-5d2f-4a56-a56a-d48408fe8273",
"id": "C04.02",
"link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication",
"severity": "低",
"subcategory": "安全",
"text": "將容器映像存儲在 Azure 容器註冊表中,並將註冊表異地複製到每個區域。",
"waf": "安全"
},
{
"category": "運營管理",
"guid": "4c486ba2-80dc-4059-8cf7-5ee8e1309ccc",
"id": "C05.01",
"link": "https://docs.openshift.com/container-platform/4.13/nodes/pods/nodes-pods-vertical-autoscaler.html",
"severity": "中等",
"subcategory": "工作量",
"text": "優化CPU和記憶體請求值,並使用垂直Pod自動縮放程式最大限度地提高集群資源的效率。",
"waf": "性能"
},
{
"category": "運營管理",
"guid": "d579366b-cda2-4750-aa1a-bfe9d55d14c3",
"id": "C05.02",
"link": "https://docs.openshift.com/container-platform/4.13/applications/application-health.html",
"severity": "中等",
"subcategory": "工作量",
"text": "向Pod添加運行狀況探測以監視應用程式運行狀況。確保 Pod 包含 livenessProbe 和 readinessProbe。使用啟動探測器確定應用程式啟動的點。",
"waf": "可靠性"
},
{
"category": "運營管理",
"guid": "c4929cb1-b3d1-4325-ae12-4ba34d0685ed",
"id": "C05.03",
"link": "https://docs.openshift.com/container-platform/4.13/nodes/pods/nodes-pods-autoscaling.html",
"severity": "中等",
"subcategory": "工作量",
"text": "使用水準 Pod 自動縮放程式縮放 Pod 以滿足需求。",
"waf": "可靠性"
},
{
"category": "運營管理",
"guid": "dce9be3b-b0dd-4b3b-95fb-2ec14eeaa359",
"id": "C05.04",
"link": "https://docs.openshift.com/container-platform/4.13/nodes/pods/nodes-pods-configuring.html#nodes-pods-pod-distruption-about_nodes-pods-configuring",
"severity": "中等",
"subcategory": "工作量",
"text": "使用中斷預算來確保存在所需數量的 Pod 副本來處理預期的應用程式負載。",
"waf": "可靠性"
},
{
"category": "運營管理",
"guid": "2829e2ed-b217-4367-9aff-6791b4935ada",
"id": "C05.05",
"link": "https://docs.openshift.com/container-platform/4.13/nodes/scheduling/nodes-scheduler-pod-topology-spread-constraints.html",
"severity": "中等",
"subcategory": "工作量",
"text": "使用 Pod 拓撲約束在整個集群的節點上自動調度 Pod。",
"waf": "可靠性"
},
{
"category": "平臺自動化",
"guid": "42324ece-81c1-4231-a1a6-417415833fb4",
"id": "D01.01",
"link": "https://docs.openshift.com/container-platform/4.13/applications/deployments/route-based-deployment-strategies.html",
"severity": "低",
"subcategory": "工作量",
"text": "考慮使用藍/綠或金絲雀策略來部署新版本的應用程式。",
"waf": "操作"
},
{
"category": "平臺自動化",
"guid": "ae3c2df7-4316-46c3-acbe-05bbe209d4a0",
"id": "D01.02",
"link": "https://docs.openshift.com/container-platform/4.13/cicd/gitops/understanding-openshift-gitops.html",
"severity": "低",
"subcategory": "工作量",
"text": "請考慮使用紅帽 OpenShift GitOps。Red Hat OpenShift GitOps 使用 Argo CD 來維護集群資源並支援應用 CI/CD。",
"waf": "操作"
},
{
"category": "安全",
"guid": "da577784-24d2-4167-a5d2-fa56c56ad484",
"id": "E01.01",
"link": "https://learn.microsoft.com/azure/openshift/support-lifecycle",
"severity": "高",
"subcategory": "控制平面",
"text": "讓您的集群保持在最新的 OpenShift 版本上,以避免潛在的安全或升級問題。",
"waf": "安全"
},
{
"category": "安全",
"guid": "08fe8273-4c48-46ba-880d-c0591cf75ee8",
"id": "E01.02",
"link": "https://learn.microsoft.com/azure/azure-arc/kubernetes/quickstart-connect-cluster",
"severity": "高",
"subcategory": "控制平面",
"text": "將 Azure Red Hat OpenShift 群集連接到已啟用 Azure Arc 的 Kubernetes。",
"waf": "安全"
},
{
"category": "安全",
"guid": "e1309ccc-d579-4366-acda-2750aa1abfe9",
"id": "E02.01",
"link": "https://docs.openshift.com/container-platform/4.10/security/encrypting-etcd.html",
"severity": "低",
"subcategory": "加密",
"text": "對於 Azure Red Hat OpenShift 4 群集,預設情況下不會對 etcd 數據進行加密,但建議啟用 etcd 加密以提供另一層數據安全性。",
"waf": "安全"
},
{
"category": "安全",
"guid": "d55d14c3-c492-49cb-8b3d-1325ae124ba3",
"id": "E03.01",
"link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction",
"severity": "中等",
"subcategory": "姿勢",
"text": "使用已啟用 Arc 的 Kubernetes 支援的 Microsoft Defender for Containers 來保護群集、容器和應用程式。",
"waf": "安全"
},
{
"category": "安全",
"guid": "4d0685ed-dce9-4be3-ab0d-db3b55fb2ec1",
"id": "E04.01",
"link": "https://learn.microsoft.com/azure/azure-arc/kubernetes/tutorial-akv-secrets-provider",
"severity": "中等",
"subcategory": "秘密",
"text": "對於需要訪問敏感資訊的應用程式,請將服務主體和AKV機密提供程式與已啟用Arc的 Kubernetes 群集的擴展配合使用。",
"waf": "安全"
},
{
"category": "安全",
"guid": "4eeaa359-2829-4e2e-bb21-73676aff6791",
"id": "E05.01",
"link": "https://learn.microsoft.com/azure/aks/developer-best-practices-pod-security#secure-pod-access-to-resources",
"severity": "中等",
"subcategory": "工作量",
"text": "保護 Pod 對資源的訪問。提供最少數量的許可權,並避免使用根或特權升級。",
"waf": "安全"
},
{
"category": "安全",
"guid": "b4935ada-4232-44ec-b81c-123181a64174",
"id": "E05.02",
"link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes#install-azure-policy-extension-for-azure-arc-enabled-kubernetes",
"severity": "中等",
"subcategory": "工作量",
"text": "使用 Azure Policy 擴展監視和強制實施配置。",
"waf": "安全"
},
{
"category": "安全",
"guid": "15833fb4-ae3c-42df-9431-66c3bcbe05bb",
"id": "E05.03",
"link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction",
"severity": "高",
"subcategory": "工作量",
"text": "使用 Microsoft Defender 或任何其他映像掃描解決方案掃描映像以查找漏洞。",
"waf": "安全"
},
{
"category": "安全",
"guid": "e209d4a0-da57-4778-924d-216785d2fa56",
"id": "E05.04",
"link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link",
"severity": "低",
"subcategory": "工作量",
"text": "將 Azure 容器註冊表的專用私有實例部署到每個登陸區域訂閱。",
"waf": "安全"
}
],
"metadata": {
"name": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
"state": " ",
"timestamp": "December 15, 2023"
},
"severities": [
{
"name": "高"
},
{
"name": "中等"
},
{
"name": "低"
}
],
"status": [
{
"description": "此檢查尚未查看",
"name": "未驗證"
},
{
"description": "有一個與此檢查關聯的操作項",
"name": "打開"
},
{
"description": "此檢查已經過驗證,沒有與之關聯的其他操作項",
"name": "實現"
},
{
"description": "建議已理解,但當前要求不需要",
"name": "接受風險"
},
{
"description": "不適用於當前設計",
"name": "不適用"
}
],
"waf": [
{
"name": "可靠性"
},
{
"name": "安全"
},
{
"name": "成本"
},
{
"name": "操作"
},
{
"name": "性能"
}
],
"yesno": [
{
"name": "是的"
},
{
"name": "不"
}
]
}