{"id":1570,"date":"2025-11-09T17:56:34","date_gmt":"2025-11-09T14:56:34","guid":{"rendered":"https://www.dchost.com/blog/bir-konteyner-gununde-kafama-takilanlar/"},"modified":"2025-11-09T17:56:34","modified_gmt":"2025-11-09T14:56:34","slug":"bir-konteyner-gununde-kafama-takilanlar","status":"publish","type":"post","link":"https://www.dchost.com/blog/bir-konteyner-gununde-kafama-takilanlar/","title":{"rendered":"What Stuck in My Head on a Container Day"},"content":{"rendered":"<div class="dchost-blog-content-wrapper">
<p><em>How to set up secure containers with rootless Docker and Podman: Cosign signatures, Trivy scans and a least-privilege workflow</em></p>
<p>Has this ever happened to you? A small service has been running as root on the server without you even noticing; the logs tick along quietly, traffic looks normal. Then one day a tiny wrong permission in a config file opens an annoying door. That is exactly what I ran into one morning, coffee in hand at the office. Out of the shadow of a single container, traces I did not want appeared across the rest of the system. We stopped it and cleaned up. But a corner of my mind kept whispering: we could have set this up more safely from the start.</p>
<p>That is what really drew me to the rootless container world: the peace of mind of running containers without root privileges, the idea of taking unnecessary power out of the system's hands. 
On top of that, verifying where an image came from with signatures, and catching the weaknesses hiding inside early with security scans. Today I want to talk through exactly this flow: setting out with rootless Docker and Podman, signing images with Cosign, scanning them with Trivy, and keeping least privilege in mind at every step. Think of it this way: we are building a small but solid set of habits; we will be comfortable today, and when a change comes tomorrow, things will stay in their place.</p>
<p>By the end of the post we will have a practical, applicable flow that comes together as one piece. A few commands will appear along the way, but I will keep them as readable as I can. Think of it as a warm, flexible recipe you can adapt to your own environment whenever you like.</p>
<div id="toc_container" class="toc_transparent no_bullets"><p class="toc_title">Contents</p><ul class="toc_list">
<li><a href="#Rootless_Dunyasina_Kapi_Aralama_Neden_Ne_Zaman_Nasil"><span class="toc_number toc_depth_1">1</span> Opening the Door to the Rootless World: Why, When, How?</a><ul><li><a href="#Basitce_rootless_nedir"><span class="toc_number toc_depth_2">1.1</span> What is rootless, simply put?</a></li><li><a href="#Gunluk_akisa_etkisi"><span class="toc_number toc_depth_2">1.2</span> Effect on the daily workflow</a></li></ul></li>
<li><a href="#Rootless_Docker_ve_Podman8217i_Ayaga_Kaldirma"><span class="toc_number toc_depth_1">2</span> Bringing Up Rootless Docker and Podman</a><ul><li><a href="#Docker8217da_rootless_mod"><span class="toc_number toc_depth_2">2.1</span> Rootless mode in Docker</a></li><li><a href="#Podman_ile_dogal_rootless_deneyimi"><span class="toc_number toc_depth_2">2.2</span> The native rootless experience with Podman</a></li><li><a href="#Ag_ve_depolama_tarafindaki_kucuk_farkindaliklar"><span class="toc_number toc_depth_2">2.3</span> Small things to know about networking and storage</a></li></ul></li>
<li><a href="#Cosign_ile_Imzalama_Kaynagini_Belli_Eden_Goruntuler"><span class="toc_number toc_depth_1">3</span> Signing with Cosign: Images That Show Their Origin</a><ul><li><a href="#Neden_imza"><span class="toc_number toc_depth_2">3.1</span> Why sign?</a></li><li><a href="#Keyless_akis_ve_kucuk_bir_ornek"><span class="toc_number toc_depth_2">3.2</span> The keyless flow and a small example</a></li><li><a href="#Imza_politikasi_nerede_devreye_girer"><span class="toc_number toc_depth_2">3.3</span> Where does the signature policy come in?</a></li></ul></li>
<li><a href="#Trivy_ile_Taramalar_Iceriye_Bir_El_Feneri_Tutmak"><span class="toc_number toc_depth_1">4</span> Scanning with Trivy: Shining a Flashlight Inside</a><ul><li><a href="#Ne_ariyoruz"><span class="toc_number toc_depth_2">4.1</span> What are we looking for?</a></li><li><a href="#Hizli_ornek"><span class="toc_number toc_depth_2">4.2</span> Quick example</a></li><li><a href="#SBOM_ve_surdurulebilirlik"><span class="toc_number toc_depth_2">4.3</span> SBOM and sustainability</a></li></ul></li>
<li><a href="#En_Az_Yetki_Kucuk_Aliskanliklarin_Buyuk_Etkisi"><span class="toc_number toc_depth_1">5</span> Least Privilege: The Big Effect of Small Habits</a><ul><li><a href="#Dockerfile_ve_calisma_zamani_pratikleri"><span class="toc_number toc_depth_2">5.1</span> Dockerfile and runtime practices</a></li><li><a href="#Ag_kaynak_ve_zaman_sinirlari"><span class="toc_number toc_depth_2">5.2</span> Network, resource and time limits</a></li><li><a href="#Gunlukte_netlik_panikte_sogukkanlilik"><span class="toc_number toc_depth_2">5.3</span> Clarity in the logs, calm in a panic</a></li></ul></li>
<li><a href="#Hepsini_Bir_Araya_Getirelim_Kucuk_Bir_Dagitim_Tadi"><span class="toc_number toc_depth_1">6</span> Putting It All Together: A Taste of a Small Deployment</a><ul><li><a href="#Ornek_akis"><span class="toc_number toc_depth_2">6.1</span> Example flow</a></li></ul></li>
<li><a href="#Kucuk_Aksilikler_ve_Pratik_Cozumler"><span class="toc_number toc_depth_1">7</span> Small Hiccups and Practical Fixes</a><ul><li><a href="#Dusuk_portlara_baglanma"><span class="toc_number toc_depth_2">7.1</span> Binding to low ports</a></li><li><a href="#Kalici_depolama_ve_izinler"><span class="toc_number toc_depth_2">7.2</span> Persistent storage and permissions</a></li><li><a href="#Cgroups_ve_kaynak_sinirlari"><span class="toc_number toc_depth_2">7.3</span> Cgroups and resource limits</a></li><li><a href="#Daemon_yoksa_panik_yok"><span class="toc_number toc_depth_2">7.4</span> No daemon, no panic</a></li><li><a href="#Imza_ve_tarama_sonuclarini_anlamlandirmak"><span class="toc_number toc_depth_2">7.5</span> Making sense of signature and scan results</a></li></ul></li>
<li><a href="#Kapanis_Kucuk_Aliskanliklar_Buyuk_Rahatlik"><span class="toc_number toc_depth_1">8</span> Closing: Small Habits, Big Relief</a></li>
<li><a href="#Ek_Not_Podman_Cosign_ve_Trivy_Kaynaklari"><span class="toc_number toc_depth_1">9</span> Note: Podman, Cosign and Trivy Resources</a></li></ul></div>
<h2 id='section-2'><span id="Rootless_Dunyasina_Kapi_Aralama_Neden_Ne_Zaman_Nasil">Opening the Door to the Rootless World: Why, When, How?</span></h2>
<h3><span id="Basitce_rootless_nedir">What is rootless, simply put?</span></h3>
<p>By rootless we mean that neither the container engine nor the container processes run as the system's root user. The containers live in a user namespace: UID 0 inside the container is mapped to your own unprivileged UID on the host, and the remaining UIDs map onto the block of subordinate IDs allotted to you in /etc/subuid and /etc/subgid. A misconfiguration or an unexpected breakout therefore lands on the host as your user, not as root, which naturally narrows the blast radius. Is there a cost? Some small adjustments at first setup, especially around networking and file permissions. One caveat worth keeping in mind: rootless is not a sandbox. The kernel attack surface is the same, so you still want seccomp, dropped capabilities and no-new-privileges on top. Once you are used to the daily routine, the balance settles at a very comfortable point.</p>
<h3><span id="Gunluk_akisa_etkisi">Effect on the daily workflow</span></h3>
<p>When trying things out quickly in development, or pushing small services to production, the rootless approach gives you a layer of safety. You may need a different method for binding low-numbered ports, and visibility on the network side changes a little, but being able to play with new ideas inside without scratching the system's outer shell feels very good. 
Most importantly, it turns security from a one-time rule into a daily habit.</p>
<h2 id='section-3'><span id="Rootless_Docker_ve_Podman8217i_Ayaga_Kaldirma">Bringing Up Rootless Docker and Podman</span></h2>
<h3><span id="Docker8217da_rootless_mod">Rootless mode in Docker</span></h3>
<p>On the Docker side, rootless mode is a daemon that runs entirely in user space. Under the hood it brings its own pieces: RootlessKit for the user and network namespaces, a user-space network provider (slirp4netns or pasta) and a storage driver that works without root. The basic flow: install Docker the usual way, make sure the uidmap package (newuidmap and newgidmap) is present and that your user has a range in /etc/subuid and /etc/subgid, then run the rootless setup tool, dockerd-rootless-setuptool.sh install. It registers a systemd user service, so the daemon comes up inside your user session; if it has to survive logout, enable lingering for the user with loginctl. The client then talks to the socket under $XDG_RUNTIME_DIR instead of /var/run/docker.sock, which is what DOCKER_HOST has to point at. Low-numbered ports need an extra layer, which I will come to shortly.</p>
<p>After the first setup you notice this: the Docker daemon now lives quietly in your home directory. No system-wide permissions to worry about. You will need to sort out permissions on some directories, especially the ownership of the directories you bind-mount for persistent storage. 
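</p>
<p>A pre-flight check for the setup just described, added here as an example; it is not code from the original post or from the Docker or Podman projects. It assumes Docker CE and the uidmap package are already installed, and that your user name comes from id -un. The subordinate-ID and uid_map checks run offline on whatever you pipe into them; the install function runs the real Docker and systemd commands.</p>

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for rootless
# Docker/Podman plus the Docker rootless install steps. Assumes Docker CE and the
# uidmap package (newuidmap/newgidmap) are already installed.
set -eu

# Rootless needs a block of at least 65536 subordinate IDs for the user in both
# /etc/subuid and /etc/subgid. Reads one of those files on stdin; $1 is the user.
# Prints the range it found; exit 1 when the entry is missing or too small.
subid_ok() {
  awk -F: -v u="$1" '
    $1 == u { found = 1
              if ($3 + 0 >= 65536) ok = 1
              print "subid range for " u ": start=" $2 " count=" $3 }
    END     { if (!found) print "no subid entry for " u
              exit ok ? 0 : 1 }'
}

# A rootless engine maps container UID 0 to your own UID, so inside it
# /proc/self/uid_map is NOT the root-namespace identity line "0 0 4294967295".
# Reads uid_map content on stdin; exit 0 only for a real, non-empty user namespace map.
in_user_namespace() {
  awk '$1 == 0 && $2 == 0 && $3 == 4294967295 { root = 1 }
       END { exit (root || NR == 0) ? 1 : 0 }'
}

preflight() {
  user="$(id -un)"
  subid_ok "$user" < /etc/subuid
  subid_ok "$user" < /etc/subgid
  # Podman: enter the engine's user namespace and prove root there is mapped to you.
  podman unshare cat /proc/self/uid_map | in_user_namespace
  podman info --format '{{.Host.Security.Rootless}}'     # prints true
}

install_rootless_docker() {
  dockerd-rootless-setuptool.sh install      # creates the docker.service user unit
  systemctl --user enable --now docker
  loginctl enable-linger "$(id -un)"         # keep it running after you log out
  # The client must talk to the user socket; put this line in your shell profile.
  export DOCKER_HOST="unix://${XDG_RUNTIME_DIR}/docker.sock"
  docker info --format '{{.SecurityOptions}}'  # contains name=rootless
}

case "${1:-}" in
  preflight) preflight ;;
  install)   install_rootless_docker ;;
esac
```

<p>Run it as <code>sh rootless-preflight.sh preflight</code> before anything else; the most common reason a rootless engine refuses to start is a missing or undersized subuid/subgid entry, and this shows it in one line.</p>
<p>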
Still, once you get into daily work, there is a noticeable lightness, like walking with a small backpack.</p>
<h3><span id="Podman_ile_dogal_rootless_deneyimi">The native rootless experience with Podman</span></h3>
<p>Podman approaches rootless operation from a very natural place. There is no long-running daemon: every command starts the container runtime itself and exits when it is done, so nothing is left humming in the background. The same building blocks, a user-space network provider (pasta or slirp4netns), an overlay storage driver that works without root, and subordinate UID/GID mapping, fit together cleanly. If you come from Docker, Podman's command structure will not feel foreign. You can use your existing Dockerfiles as they are, or add Podman-specific conveniences. The mechanism inside differs, but from the outside the flow is familiar.</p>
<h3><span id="Ag_ve_depolama_tarafindaki_kucuk_farkindaliklar">Small things to know about networking and storage</span></h3>
<p>In the rootless world the network layer behaves differently, because it does not plug into the kernel's network stack as root. For instance, by default you cannot bind low ports such as 80 or 443 directly. The fix is simple: expose the application inside the container on a port like 8080 and bridge the traffic with a reverse proxy outside. 
User-space network providers also keep packet filtering and forwarding behaviour within clear, bounded limits. On the filesystem side, when you bind persistent storage, it matters to set directory ownership to match your user's UID mapping: from the host's point of view a container UID is one of your subordinate UIDs, not your own. Once these small settings are in place, rootless feels as if it had been there all along.</p>
<p>Two quick reminders for those thinking end to end from the web side: fine-tuning HTTPS when you expose the application is a pleasant ritual. If you want to go step by step, the <a href='https://www.dchost.com/blog/nginxte-tls-1-3-ocsp-stapling-ve-brotli-nasil-kurulur-hizli-ve-guvenli-httpsnin-sicacik-rehberi/'>guide to setting up TLS 1.3, OCSP stapling and Brotli in Nginx</a> is a good travel companion. And so that the flow between the reverse proxy and the application stays smooth, looking at the logs gives you clarity instead of panic when something breaks; keep the <a href="https://www.dchost.com/blog/merkezi-loglama-ve-gozlemlenebilirlik-vpste-loki-promtail-grafana-ile-sakin-kalan-bir-zihin/">post on centralized logging with Loki, Promtail and Grafana</a> in mind for that.</p>
<h2 id='section-4'><span id="Cosign_ile_Imzalama_Kaynagini_Belli_Eden_Goruntuler">Signing with Cosign: Images That Show Their Origin</span></h2>
<h3><span id="Neden_imza">Why sign?</span></h3>
<p>When you pull an image, is it really the one you built? 
This is where Cosign comes in. You sign the image and bind it to a verifiable identity; the signature is stored next to the image in the registry as an OCI artifact and, in the keyless flow, recorded in a public transparency log. When you verify in the deployment pipeline and at runtime, it becomes very hard for an unsigned or unexpected image to slip in.</p>
<h3><span id="Keyless_akis_ve_kucuk_bir_ornek">The keyless flow and a small example</span></h3>
<p>For those who do not want to deal with key management, Cosign offers what is called the keyless flow. The idea: you authenticate with an identity you already have (an OIDC login, or a CI job's identity token), Fulcio issues a short-lived certificate for that identity, you sign with it, and the signature and certificate are recorded in the Rekor transparency log. The nice part is that security tightens while the operational burden does not grow, because there is no long-lived private key to store or rotate.</p>
<p>Let's imagine a simple example. You built the image in a rootless environment, pushed it, and then signed it with Cosign. The image has to be in the registry before signing, because that is where the signature is stored, and you sign the immutable digest rather than a tag that can be moved later. The spirit of the commands is roughly:</p>
<pre class="language-bash line-numbers"><code class="language-bash"># Build and push; podman push writes the image digest to a file
podman build -t registry.example.com/app:1.0 .
podman push --digestfile app.digest registry.example.com/app:1.0

# Keyless signature: with no --key, Cosign v2 defaults to keyless and opens a short
# browser login on first run; --yes skips the confirmation prompt
cosign sign --yes "registry.example.com/app@$(cat app.digest)"

# Verification: keyless verification must pin who is allowed to have signed
cosign verify \
  --certificate-identity dev@example.com \
  --certificate-oidc-issuer https://accounts.google.com \
  "registry.example.com/app@$(cat app.digest)"
</code></pre>
<p>This flow turns signing and verification into a simple habit. When you add a policy that requires the signature, accidentally rolling out a different image is prevented. 
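</p>
<p>The same push, sign and verify steps as a small script, added here as an example; it is not code from the original post or from the Sigstore project. The image name, the signer e-mail and the OIDC issuer are assumptions. The digest_ref helper refuses anything that is not a well-formed sha256 digest, so a truncated digest file cannot quietly turn into a signature on the wrong reference, and cosign triangulate prints the registry tag the signature lives under, which is the first thing to look at when verification says it found no signature.</p>

```shell
#!/bin/sh
# Added example (not from the original post or the Sigstore project): push the
# image, sign its immutable digest, then verify against a pinned identity.
# IMAGE, SIGNER and ISSUER are assumptions for the example.
set -eu

IMAGE="${IMAGE:-registry.example.com/app:1.0}"
SIGNER="${SIGNER:-dev@example.com}"                 # identity allowed to sign
ISSUER="${ISSUER:-https://accounts.google.com}"     # OIDC issuer of that identity

# Turn "repo:tag" plus a digest into "repo@sha256:<64 hex>", refusing anything that
# is not a complete sha256 digest. $1 = image reference, $2 = digest.
digest_ref() {
  ref="$1"; digest="$2"
  case "$digest" in
    sha256:*) ;;
    *) echo "not a sha256 digest: $digest" >&2; return 1 ;;
  esac
  [ "${#digest}" -eq 71 ] || { echo "bad digest length: $digest" >&2; return 1; }
  case "${digest#sha256:}" in
    *[!0-9a-f]*) echo "non-hex digest: $digest" >&2; return 1 ;;
  esac
  repo="${ref%%@*}"                 # drop an existing @digest, if any
  last="${repo##*/}"                # only the last path element may carry ":tag";
  case "$last" in *:*) repo="${repo%:*}" ;; esac   # "host:5000/" is left alone
  printf '%s@%s\n' "$repo" "$digest"
}

push_and_sign() {
  df="$(mktemp)"
  podman push --digestfile "$df" "$IMAGE"
  ref="$(digest_ref "$IMAGE" "$(cat "$df")")"
  # Keyless: Fulcio issues a short-lived certificate for $SIGNER; signature and
  # certificate go to Rekor and into the registry next to the image.
  cosign sign --yes "$ref"
  # Show where the signature was stored (the "sha256-<digest>.sig" tag).
  cosign triangulate "$ref"
  printf '%s\n' "$ref"
}

verify_pinned() {  # $1 = repo@digest reference
  # Without identity pinning any Fulcio certificate would be accepted.
  cosign verify \
    --certificate-identity "$SIGNER" \
    --certificate-oidc-issuer "$ISSUER" \
    "$1" > /dev/null
  # In CI, pin the workflow instead of an e-mail, for example:
  #   --certificate-identity-regexp '^https://github\.com/example-org/app/\.github/workflows/release\.yml@refs/tags/v' \
  #   --certificate-oidc-issuer https://token.actions.githubusercontent.com
}

case "${1:-}" in
  sign)   push_and_sign ;;
  verify) verify_pinned "$(digest_ref "$IMAGE" "$2")" ;;
esac
```

<p>Usage: <code>sh sign.sh sign</code> after the build, and <code>sh sign.sh verify sha256:...</code> on the deployment side with the digest the pipeline handed over. Pinning the identity and issuer is not optional in keyless mode: the transparency log proves that someone signed, the pinned identity proves it was you.</p>
<p>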
If you are curious about the Sigstore ecosystem, <a href="https://sigstore.dev/" rel="nofollow noopener" target="_blank">the official page of Cosign and friends</a> offers a very clear introduction.</p>
<h3><span id="Imza_politikasi_nerede_devreye_girer">Where does the signature policy come in?</span></h3>
<p>Requiring the signature matters as much as producing it. Verification can be enforced at three points: on the pull side, where the container engine's trust policy (for Podman, containers-policy.json) refuses to pull an image without a valid signature from the expected identity; in the deployment pipeline, where a failing cosign verify stops the job; and in a cluster, where an admission controller rejects unsigned images. Even in a small team this practice balances responsibility and trust. No signature, no release; the rule is that clear.</p>
<h2 id='section-5'><span id="Trivy_ile_Taramalar_Iceriye_Bir_El_Feneri_Tutmak">Scanning with Trivy: Shining a Flashlight Inside</span></h2>
<h3><span id="Ne_ariyoruz">What are we looking for?</span></h3>
<p>Trivy shines a small flashlight on the packages and layers inside your image. It makes known vulnerabilities in OS packages and language dependencies, misconfigurations in Dockerfiles and infrastructure code, and leaked secrets visible. Sometimes we trust a base image too much; Trivy confirms that trust or gently warns us. 
After a couple of tries you come to like this feeling: I know what is inside, and the gaps I do not know about are shrinking.</p>
<h3><span id="Hizli_ornek">Quick example</span></h3>
<p>Once Trivy is installed, scanning an image goes like this:</p>
<pre class="language-bash line-numbers"><code class="language-bash"># Scan the image; exit non-zero when HIGH or CRITICAL findings exist
trivy image --severity HIGH,CRITICAL --exit-code 1 registry.example.com/app:1.0

# Same, but do not fail on findings that have no fix yet (track them instead)
trivy image --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 registry.example.com/app:1.0

# Source tree: dependencies, misconfigurations (Dockerfile, IaC) and secrets.
# Misconfiguration scanning is not on by default for "trivy fs", so enable it.
trivy fs --scanners vuln,misconfig,secret --exit-code 1 .
</code></pre>
<p>Here you can choose to break the pipeline when critical and high findings exist. But keep a realistic margin in every project; sometimes a risk is accepted for an urgent release and a quick fix round is planned right after. Record that acceptance where the scanner sees it, as a .trivyignore.yaml entry with an expired_at date, not in someone's head. Trivy's documentation is concise and current; when you get stuck, <a href="https://aquasecurity.github.io/trivy/latest/" rel="nofollow noopener" target="_blank">the Trivy docs</a> are a good compass.</p>
<h3><span id="SBOM_ve_surdurulebilirlik">SBOM and sustainability</span></h3>
<p>Generating an SBOM with Trivy is like taking a photograph of your dependencies. A package that looks innocent today becomes a headline tomorrow. With the SBOM in hand you search it as quickly as a grep, and you can rescan the SBOM itself against the latest vulnerability database without rebuilding or re-pulling the image. 
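</p>
<p>The scan, the SBOM and the gating decision from the two sections above as one script, added here as an example; it is not code from the original post or from the Trivy project. It assumes the image was built with rootless Podman and exports it as a tarball, so Trivy needs no engine socket. The gate function is the part that matters: it blocks only on HIGH/CRITICAL findings that already have a fixed version and prints the unfixable ones as TRACK lines for a ticket, which is the "plan the light ones, handle the critical ones now" rule made mechanical. The image name and output directory are assumptions.</p>

```shell
#!/bin/sh
# Added example (not from the original post or the Trivy project): scan an image
# built by rootless Podman without any engine socket, keep its SBOM, and apply a
# gate that blocks only on HIGH/CRITICAL findings that already have a fix.
set -eu

IMAGE="${IMAGE:-registry.example.com/app:1.0}"   # assumed name
OUT="${OUT:-./scan-out}"

# Input: one finding per line, "<ID> <SEVERITY> <FIXED_VERSION>", with "-" when
# upstream has no fix yet. Fixable HIGH/CRITICAL findings fail the gate (exit 1);
# unfixable ones are printed as TRACK so they end up in a ticket, not in a merge block.
gate() {
  awk '
    $2 == "HIGH" || $2 == "CRITICAL" {
      if ($3 != "-" && $3 != "") { fixable++; print "BLOCK " $0 }
      else                       { unfixed++; print "TRACK " $0 }
    }
    END {
      printf "fixable=%d unfixed=%d\n", fixable, unfixed
      exit (fixable > 0) ? 1 : 0
    }'
}

scan_image() {
  mkdir -p "$OUT"
  # Export from the rootless store; Trivy reads the tarball directly (no socket).
  podman save -o "$OUT/image.tar" "$IMAGE"
  # The SBOM is the artifact you keep: next month's CVE is checked against it
  # with "trivy sbom", without rebuilding or re-pulling the image.
  trivy image --input "$OUT/image.tar" --format cyclonedx --output "$OUT/sbom.cdx.json"
  # Scan the SBOM and flatten the report to the three fields the gate needs.
  trivy sbom "$OUT/sbom.cdx.json" --format template \
    --template '{{ range .Results }}{{ range .Vulnerabilities }}{{ .VulnerabilityID }} {{ .Severity }} {{ if .FixedVersion }}{{ .FixedVersion }}{{ else }}-{{ end }}{{ "\n" }}{{ end }}{{ end }}' \
    --output "$OUT/findings.txt"
  gate < "$OUT/findings.txt"
}

case "${1:-}" in scan) scan_image ;; esac
```

<p>Run <code>sh scan.sh scan</code> right after the build. Keep scan-out/sbom.cdx.json with the release artifacts; rerunning only the trivy sbom step against it later answers "are we affected?" in seconds, image not required.</p>
<p>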
This means talking about security as a lifecycle, not as a project.</p>
<h2 id='section-6'><span id="En_Az_Yetki_Kucuk_Aliskanliklarin_Buyuk_Etkisi">Least Privilege: The Big Effect of Small Habits</span></h2>
<h3><span id="Dockerfile_ve_calisma_zamani_pratikleri">Dockerfile and runtime practices</span></h3>
<p>Least privilege is less a grand scheme than a small, persistent discipline. Never run as root inside the container: create a dedicated user in the Dockerfile and set USER near the end. Pin the base image by digest, so a tag cannot be moved underneath you. At runtime, mount the root filesystem read-only and make writable only the directories that really need it, a tmpfs for /tmp and a volume for data. Drop all capabilities and add back only what the service needs, and set no-new-privileges so a setuid binary cannot regain them. Dropping unnecessary capabilities is like freeing yourself from a useless key ring; it speeds you up and keeps you from opening the wrong doors.</p>
<p>The same care goes for input parameters and secrets. Rather than writing secrets to a file or baking them into the image or its environment, prefer methods that appear only at run time and evaporate afterwards, such as the engine's secret mechanism that mounts them under /run/secrets. Strip unnecessary packages from the base image, and start from minimal images where possible. As the size shrinks, so does the attack surface.</p>
<h3><span id="Ag_kaynak_ve_zaman_sinirlari">Network, resource and time limits</span></h3>
<p>Saying up front how much CPU and memory a service may use keeps it within a reasonable frame; a limit on the number of processes keeps a runaway fork from taking the node with it. On the network side, making explicit which ports it talks on and with whom is the best thing you can do: publish on 127.0.0.1 only and let the reverse prox be the one public face. 
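</p>
<p>The habits from the two sections above turned into something you can run, added here as an example; it is not code from the original post. The dockerfile_check function reads a Dockerfile and flags an unpinned FROM, an ADD from a URL and a missing or root USER; run_hardened starts the container with the runtime flags that enforce the rest. The image name, the UID 10001, the secret name and the limits are assumptions.</p>

```shell
#!/bin/sh
# Added example (not from the original post): a few Dockerfile checks for the
# habits above, and the podman run flags that enforce them at run time.
# Image name, user ID, secret name and limits are assumptions.
set -eu

IMAGE="${IMAGE:-registry.example.com/app:1.0}"

# Reads a Dockerfile on stdin and prints one line per problem:
#  - every FROM must be pinned by digest (a tag can be moved under you)
#  - no ADD from a URL (an unverified download baked into a layer)
#  - the final USER must be set and must not be root
# Exit 1 if anything was found.
dockerfile_check() {
  awk '
    toupper($1) == "FROM" && $0 !~ /@sha256:[0-9a-f]+/ { bad++; print "FROM not pinned by digest: " $2 }
    toupper($1) == "ADD"  && $2 ~ /^https?:\/\//       { bad++; print "ADD from URL: " $2 }
    toupper($1) == "USER"                              { user = $2 }
    END {
      if (user == "" || user == "root" || user ~ /^0(:|$)/) { bad++; print "final USER is root or unset" }
      exit bad ? 1 : 0
    }'
}

run_hardened() {
  # The secret lives in Podman's secret store and is mounted at /run/secrets/db_password
  # for the container's lifetime only; nothing in the image, the env or the logs.
  printf '%s' "${DB_PASSWORD:?set DB_PASSWORD in the environment}" | podman secret create db_password -
  podman run -d --name app \
    --user 10001:10001 \
    --read-only --tmpfs /tmp:rw,nosuid,nodev,noexec,size=64m \
    --cap-drop=ALL \
    --security-opt no-new-privileges \
    --memory 256m --cpus 1 --pids-limit 128 \
    --secret db_password \
    -p 127.0.0.1:8080:8080 \
    "$IMAGE"
}

case "${1:-}" in
  check) dockerfile_check < Dockerfile ;;
  run)   run_hardened ;;
esac
```

<p><code>sh harden.sh check</code> belongs in the same CI step as the Trivy scan; <code>sh harden.sh run</code> is the shape every podman run in this post should have. In a rootless setup the memory and CPU flags only take effect when the cgroup controllers are delegated to your user session, which section 7.3 comes back to.</p>
<p>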
The rootless approach makes this easier, because putting a reverse proxy in front of the part exposed to the outside becomes almost natural. Short-lived tokens, certificates renewed on time and regular key rotation are the spices of this kitchen.</p>
<h3><span id="Gunlukte_netlik_panikte_sogukkanlilik">Clarity in the logs, calm in a panic</span></h3>
<p>Security is not only about building walls; it is about providing visibility. Unnecessary log noise hides the real problem. That is why shipping application logs in a tidy way and seeing the patterns on a calm dashboard is so useful. If you want a detailed flow, I recommend another look at the <a href="https://www.dchost.com/blog/merkezi-loglama-ve-gozlemlenebilirlik-vpste-loki-promtail-grafana-ile-sakin-kalan-bir-zihin/">centralized logging and observability post</a>. It speeds things up when something goes wrong.</p>
<h2 id='section-7'><span id="Hepsini_Bir_Araya_Getirelim_Kucuk_Bir_Dagitim_Tadi">Putting It All Together: A Taste of a Small Deployment</span></h2>
<h3><span id="Ornek_akis">Example flow</span></h3>
<p>Let's think of a simple flow. You built the image on your developer machine with rootless Podman. In CI there is a runner that works rootless in the same way. First a Trivy scan; stop if there is a critical finding. Then push, and sign the pushed digest with Cosign; a pull policy that requires the signature turns unsigned images away. When going to production, the deployment system verifies the signature without fail. 
The application runs on 8080; outside, the reverse proxy securely forwards the traffic arriving on 443. Throughout the whole process there is no unnecessary privilege anywhere.</p>
<pre class="language-bash line-numbers"><code class="language-bash"># 1) Build
podman build -t registry.example.com/app:1.2 .

# 2) Trivy scan (no engine socket needed: scan the exported tarball)
podman save -o app.tar registry.example.com/app:1.2
trivy image --input app.tar --severity HIGH,CRITICAL --exit-code 1

# 3) Push, recording the immutable digest
podman push --digestfile app.digest registry.example.com/app:1.2

# 4) Cosign keyless signature on the digest (the signature is stored in the
#    registry next to the image, so the push has to come first)
cosign sign --yes "registry.example.com/app@$(cat app.digest)"

# 5) Verification on the deployment side (CI gate or admission stage)
cosign verify \
  --certificate-identity dev@example.com \
  --certificate-oidc-issuer https://accounts.google.com \
  "registry.example.com/app@$(cat app.digest)"
</code></pre>
<p>The rest is simple rituals: reverse proxy configuration, TLS settings, the flow of logs. When this chain does not break, you can rest easy. If you work with web applications, the <a href="https://www.dchost.com/blog/docker-ile-wordpressi-vpste-nasil-yasatiriz-nginx-mariadb-redis-ve-lets-encrypt-ile-kalici-depolama-macerasi/">adventure of running WordPress on a VPS with Docker</a> is a nice practical reference. 
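</p>
<p>Step 5 above is a check the pipeline runs; the pull-side enforcement mentioned in the flow is the other half, and this added example shows it for rootless Podman. It is not code from the original post or from the containers project. It writes a containers-policy.json that rejects every pull except signed images from the example registry (verified against Fulcio and Rekor using the trust root that cosign initialize fetches) and a registries.d entry telling Podman that the signatures are stored as OCI attachments in the registry. The registry name, the signer e-mail, the issuer and the docker.io exception for base images are assumptions; that exception is the weakest link in the file and is worth tightening separately.</p>

```shell
#!/bin/sh
# Added example (not from the original post or the containers project): make
# rootless Podman refuse to pull from the example registry unless a keyless Cosign
# signature from the expected identity is attached. Registry, signer, issuer and
# the docker.io exception are assumptions for the example.
set -eu

REGISTRY="${REGISTRY:-registry.example.com}"
SIGNER="${SIGNER:-dev@example.com}"
ISSUER="${ISSUER:-https://accounts.google.com}"
CONF="${XDG_CONFIG_HOME:-$HOME/.config}/containers"   # rootless Podman reads this first
TUF="$HOME/.sigstore/root/targets"                     # populated by "cosign initialize"

# Emit the policy: $1 registry, $2 signer e-mail, $3 OIDC issuer, $4 TUF targets dir.
policy_json() {
  cat <<EOF
{
  "default": [ { "type": "reject" } ],
  "transports": {
    "docker": {
      "$1": [
        {
          "type": "sigstoreSigned",
          "fulcio": {
            "caPath": "$4/fulcio_v1.crt.pem",
            "oidcIssuer": "$3",
            "subjectEmail": "$2"
          },
          "rekorPublicKeyPath": "$4/rekor.pub",
          "signedIdentity": { "type": "matchRepository" }
        }
      ],
      "docker.io": [ { "type": "insecureAcceptAnything" } ]
    },
    "containers-storage": { "": [ { "type": "insecureAcceptAnything" } ] }
  }
}
EOF
}

install_policy() {
  mkdir -p "$CONF/registries.d"
  cosign initialize                       # fetch the Sigstore TUF root (Fulcio CA, Rekor key)
  policy_json "$REGISTRY" "$SIGNER" "$ISSUER" "$TUF" > "$CONF/policy.json"
  # Tell the pull code where signatures live: as OCI attachments next to the image.
  cat > "$CONF/registries.d/$REGISTRY.yaml" <<EOF
docker:
  $REGISTRY:
    use-sigstore-attachments: true
EOF
  # A signed image pulls; an unsigned one is rejected before a single layer lands.
  podman pull "$REGISTRY/app:1.0"
}

case "${1:-}" in install) install_policy ;; esac
```

<p>Run <code>sh pull-policy.sh install</code> on every host that pulls from the registry. The docker.io entry exists only because base images come from there; the honest long-term fix is to mirror them into your own registry and sign them too, so that line can go.</p>
<p>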
If you want to set the process up close to zero downtime, the <a href="https://www.dchost.com/blog/vpse-sifir-kesinti-ci-cd-nasil-kurulur-rsync-sembolik-surumler-ve-systemd-ile-sicacik-bir-yolculuk/">zero-downtime CI/CD setup guide for a VPS</a> does a lot of work on the deployment side.</p>
<h2 id='section-8'><span id="Kucuk_Aksilikler_ve_Pratik_Cozumler">Small Hiccups and Practical Fixes</span></h2>
<h3><span id="Dusuk_portlara_baglanma">Binding to low ports</span></h3>
<p>In a rootless environment an unprivileged process cannot bind ports below 1024, so 80 and 443 are out of reach by default. The practical fix: keep the application on a port like 8080 inside and bridge it with a reverse proxy. If the container really has to bind 80 itself, the sysctl net.ipv4.ip_unprivileged_port_start can be lowered once by root, but that then applies to every unprivileged process on the host. The proxy route makes the security settings as readable as the application: you manage the encryption layer in one place and your internal ports stay clean.</p>
<h3><span id="Kalici_depolama_ve_izinler">Persistent storage and permissions</span></h3>
<p>Ownership of bind-mounted directories sometimes produces small surprises. The container's UID is mapped to one of your subordinate UIDs on the host, so a plain chown to your own user does not line up with what the process inside sees. Do the chown from inside the user namespace with podman unshare, or let Podman do it with the :U volume option. Combined with a read-only root filesystem, making only specific directories writable keeps the internal order.</p>
<h3><span id="Cgroups_ve_kaynak_sinirlari">Cgroups and resource limits</span></h3>
<p>In a rootless environment cgroups management can behave differently. 
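</p>
<p>The three hiccups above (low ports, bind-mount ownership, cgroup limits) as quick checks and the commands that fix each, added here as an example; it is not code from the original post. The port check reads the sysctl value, the controller check reads the cgroup.controllers file of your systemd user session (the path follows systemd's cgroup v2 layout), and both run offline on whatever you pipe in. The image name, the UID and the data directory are assumptions.</p>

```shell
#!/bin/sh
# Added example (not from the original post): the three rootless hiccups above
# (low ports, bind-mount ownership, cgroup limits) as small checks plus the
# commands that fix them. Image name, UID and paths are assumptions; the cgroup
# path follows systemd's cgroup v2 layout for user sessions.
set -eu

IMAGE="${IMAGE:-registry.example.com/app:1.0}"

# Reads the value of net.ipv4.ip_unprivileged_port_start on stdin; $1 is the port
# you want. Exit 0 when an unprivileged process may bind it (the default start is 1024).
port_bindable() {
  read -r start
  [ "$1" -ge "$start" ]
}

# Reads a cgroup.controllers file on stdin and reports which of cpu/memory/pids
# are not delegated to you; without them --cpus/--memory/--pids-limit cannot work.
controllers_missing() {
  awk '{ for (i = 1; i <= NF; i++) have[$i] = 1 }
       END { n = split("cpu memory pids", want, " ")
             for (i = 1; i <= n; i++) if (!(want[i] in have)) { miss++; print "missing: " want[i] }
             exit miss ? 1 : 0 }'
}

check_all() {
  port_bindable 80 < /proc/sys/net/ipv4/ip_unprivileged_port_start \
    && echo "port 80: bindable" || echo "port 80: needs the proxy or the sysctl"
  podman info --format 'cgroups v{{.Host.CgroupsVersion}} controllers={{.Host.CgroupControllers}}'
  controllers_missing < "/sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service/cgroup.controllers"
}

fix_ports() {
  # Preferred: stay on 8080, bind it to loopback, let the reverse proxy own 443.
  podman run -d --name app -p 127.0.0.1:8080:8080 "$IMAGE"
  # Alternative (root, once, host-wide): let every unprivileged process bind 80 and up.
  # sudo sysctl -w net.ipv4.ip_unprivileged_port_start=80
}

fix_bind_mount() {
  # chown from inside the user namespace: "10001" here is the container UID, which
  # lands on one of your subordinate UIDs on the host, exactly what the process sees.
  mkdir -p "$PWD/data"
  podman unshare chown 10001:10001 "$PWD/data"
  podman run -d --name app --user 10001:10001 -v "$PWD/data:/data:Z" "$IMAGE"
  # Or let Podman do it on every start with the :U option: -v "$PWD/data:/data:U"
}

fix_cgroups() {
  # If cpu/memory are missing, delegate them to user sessions (root, once), then log in again.
  sudo mkdir -p /etc/systemd/system/user@.service.d
  printf '[Service]\nDelegate=cpu cpuset io memory pids\n' \
    | sudo tee /etc/systemd/system/user@.service.d/delegate.conf > /dev/null
  sudo systemctl daemon-reload
}

case "${1:-}" in
  check) check_all ;; ports) fix_ports ;; mount) fix_bind_mount ;; cgroups) fix_cgroups ;;
esac
```

<p><code>sh rootless-fixes.sh check</code> tells you in three lines which of the fixes you actually need; the others are one-off commands you run as the need appears.</p>
<p>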
On most modern distributions (cgroup v2 with systemd) this is solved, but the cpu and memory controllers must actually be delegated to your user session, otherwise --memory and --cpus are rejected or silently ignored; keep the environment you run on in mind when you set limits. If you see an unexpected error somewhere, a small trace remains in the journal; following it is easy.</p>
<h3><span id="Daemon_yoksa_panik_yok">No daemon, no panic</span></h3>
<p>With tools like Podman that work without a daemon, your reflexes may reach for the familiar patterns in the first days. When a job ends, nobody stays behind, so the resources are freed. See that as an advantage. A container that should outlive your shell gets a systemd user unit (podman generate systemd, or a Quadlet file) rather than a daemon. And your commands are right there in the corner; even if the tool goes away, the recipe stays with you.</p>
<h3><span id="Imza_ve_tarama_sonuclarini_anlamlandirmak">Making sense of signature and scan results</span></h3>
<p>When Trivy raises a warning, stopping the whole process immediately is not always realistic. What matters is this: see the risks, plan the light ones, handle the critical ones right away. If you see a verification error from Cosign, first check that the signature was written next to the right digest (cosign triangulate prints the tag it lives under), then check the image tag and the identity and issuer you are pinning. Most of the time it is a simple typo. Rarely a deeper issue comes up, but then we have clear signals in hand.</p>
<h2 id='section-9'><span id="Kapanis_Kucuk_Aliskanliklar_Buyuk_Rahatlik">Closing: Small Habits, Big Relief</span></h2>
<p>Starting out with rootless Docker and Podman and completing the flow with Cosign signatures and Trivy scans may sound like a new burden. 
But after applying it in a few projects, you see clearly how much room to breathe this order gives you. The principle of least privilege is the invisible hero of the chain. When you use power only where it is needed and leave the rest plain, things become less surprising and less stressful.</p>
<p>If you struggle with the first step, do not lose heart. Start with a small service, add signing and scanning, then touch the deployment policy. On the next job, fix the network settings and the reverse proxy. Each step builds on the previous one. If you want to gather your logs and clarify the flow, the <a href="https://www.dchost.com/blog/merkezi-loglama-ve-gozlemlenebilirlik-vpste-loki-promtail-grafana-ile-sakin-kalan-bir-zihin/">centralized logging guide</a> and, for the deployment routine on the production side, the <a href="https://www.dchost.com/blog/node-jsi-canliya-alirken-panik-yapma-pm2-systemd-nginx-ssl-ve-sifir-kesinti-deploy-nasil-kurulur/">post on taking Node.js live without panicking</a> are nice complements. Remember that security is a set of habits; a small step you take today quietly prevents a surprise you will never want tomorrow.</p>
<p>I hope this post made things a little easier as you step into the rootless container world. One day, sitting at the same table over coffee, you will tell a similar story with a smile. 
Until then, keep your flow simple, never leave out the signature, never skip the scans. See you in the next post.</p>
<h2 id='section-10'><span id="Ek_Not_Podman_Cosign_ve_Trivy_Kaynaklari">Note: Podman, Cosign and Trivy Resources</span></h2>
<p>To explore Podman and deepen your practice, keep the <a href="https://podman.io/" rel="nofollow noopener" target="_blank">official Podman site</a> at hand; for Cosign and the transparency log behind the signing world, <a href="https://sigstore.dev/" rel="nofollow noopener" target="_blank">Sigstore</a>; and for step-by-step guidance on security scans, the <a href="https://aquasecurity.github.io/trivy/latest/" rel="nofollow noopener" target="_blank">Trivy documentation</a>. Each of them starts you off with clear, short examples.</p>
<h3>Why does a rootless container matter?</h3>
<p>When containers do not use the system's real root privileges, the impact of a possible vulnerability or misconfiguration is naturally limited. 
Hafif bir kurulum eme\u011fi kar\u015f\u0131l\u0131\u011f\u0131nda daha sakin ve g\u00fcvenli bir \u00fcretim ak\u0131\u015f\u0131 elde edersiniz.&#8221;<br \/>\n    },<br \/>\n    {<br \/>\n      &#8220;question&#8221;: &#8220;Cosign ile imzalamak pratikte bana ne kazand\u0131r\u0131r?&#8221;,<br \/>\n      &#8220;answer&#8221;: &#8220;G\u00f6r\u00fcnt\u00fcn\u00fcz\u00fcn kayna\u011f\u0131n\u0131 do\u011frulars\u0131n\u0131z. \u0130mza olmadan yay\u0131na izin vermeyen bir politika kurdu\u011funuzda, yanl\u0131\u015f ya da yetkisiz bir g\u00f6r\u00fcnt\u00fcn\u00fcn devreye girmesini basit\u00e7e engellersiniz. Operasyonel y\u00fck\u00fc de d\u00fc\u015f\u00fck.&#8221;<br \/>\n    },<br \/>\n    {<br \/>\n      &#8220;question&#8221;: &#8220;Trivy taramalar\u0131n\u0131 CI s\u00fcrecine nas\u0131l eklemeliyim?&#8221;,<br \/>\n      &#8220;answer&#8221;: &#8220;G\u00f6r\u00fcnt\u00fc in\u015fas\u0131ndan hemen sonra Trivy ile taray\u0131n, kritik bulgu varsa hatt\u0131 durdurun. Kaynak kod dizinini de taray\u0131p yanl\u0131\u015f yap\u0131land\u0131rmalar\u0131 yakalay\u0131n. Uyar\u0131lar\u0131 seviyelere ay\u0131rmak ve k\u00fc\u00e7\u00fck riskleri sprint plan\u0131na almak en pratik y\u00f6ntem.&#8221;<br \/>\n    }<br \/>\n  ]<br \/>\n}<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>{ &#8220;title&#8221;: &#8220;Rootless Docker ve Podman ile G\u00fcvenli Konteyner Nas\u0131l Kurulur? Cosign \u0130mzas\u0131, Trivy Taramas\u0131 ve En Az Yetkiyle S\u0131cac\u0131k Bir Ak\u0131\u015f&#8221;, &#8220;content&#8221;: &#8220; Hi\u00e7 ba\u015f\u0131n\u0131za geldi mi? K\u00fc\u00e7\u00fck bir servis, siz fark\u0131nda bile de\u011filken sunucuda en tepede oturan kullan\u0131c\u0131yla \u00e7al\u0131\u015f\u0131yor, loglar sakince ak\u0131yor, trafik normal. 
Sonra bir g\u00fcn bir ayar dosyas\u0131ndaki k\u00fc\u00e7\u00fcc\u00fck bir yanl\u0131\u015f [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1571,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-1570","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-teknoloji"],"_links":{"self":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/1570","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/comments?post=1570"}],"version-history":[{"count":0,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/1570\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media\/1571"}],"wp:attachment":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media?parent=1570"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/categories?post=1570"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/tags?post=1570"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
