
Linux Tutorial FG443 - Kubernetes Security Configuration

Summary: This Fengge tutorial draws on the official documentation for Linux, Red Hat Enterprise Linux, Ansible Automation Platform, Docker, Kubernetes and Podman, and describes in detail how to configure and use the technologies involved.

Fengge's note:

This document describes how to configure security for a Kubernetes cluster.

Part01 - Security Overview

1.1 Security Mechanisms

# Kubernetes security mechanisms
[root@k8s-master ~]# cat > /root/k8s-security.txt << 'EOF'
Kubernetes security mechanisms
=================
1. Authentication
   - Certificate authentication
   - Token authentication
   - Static password authentication
2. Authorization
   - RBAC: role-based
   - ABAC: attribute-based
   - Node authorization
   - Webhook authorization
3. Admission control
   - ValidatingWebhook
   - MutatingWebhook
   - Built-in admission controllers
4. Security context
   - runAsUser/runAsGroup
   - readOnlyRootFilesystem
   - allowPrivilegeEscalation
   - capabilities
5. Network security
   - NetworkPolicy
   - Service Mesh
   - TLS encryption
EOF

Part02 - RBAC Configuration

2.1 Roles and Permissions

# Create the namespace
[root@k8s-master ~]# kubectl create namespace fgedu-dev
namespace/fgedu-dev created

# Create a ServiceAccount
[root@k8s-master ~]# kubectl create serviceaccount fgedu-admin -n fgedu-dev
serviceaccount/fgedu-admin created

# Create a Role
[root@k8s-master ~]# cat > fgedu-role.yaml << 'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: fgedu-admin-role
  namespace: fgedu-dev
rules:
- apiGroups: [""]
  resources: ["pods", "services", "configmaps", "secrets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
EOF
[root@k8s-master ~]# kubectl apply -f fgedu-role.yaml
role.rbac.authorization.k8s.io/fgedu-admin-role created

# Create a RoleBinding
[root@k8s-master ~]# cat > fgedu-rolebinding.yaml << 'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: fgedu-admin-binding
  namespace: fgedu-dev
subjects:
- kind: ServiceAccount
  name: fgedu-admin
  namespace: fgedu-dev
roleRef:
  kind: Role
  name: fgedu-admin-role
  apiGroup: rbac.authorization.k8s.io
EOF
[root@k8s-master ~]# kubectl apply -f fgedu-rolebinding.yaml
rolebinding.rbac.authorization.k8s.io/fgedu-admin-binding created

# Create a ClusterRole
[root@k8s-master ~]# cat > fgedu-clusterrole.yaml << 'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: fgedu-viewer
rules:
- apiGroups: [""]
  resources: ["pods", "services", "nodes", "namespaces"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
  verbs: ["get", "list", "watch"]
EOF
[root@k8s-master ~]# kubectl apply -f fgedu-clusterrole.yaml
clusterrole.rbac.authorization.k8s.io/fgedu-viewer created

# List the RBAC resources
[root@k8s-master ~]# kubectl get role,rolebinding -n fgedu-dev
NAME                                               CREATED AT
role.rbac.authorization.k8s.io/fgedu-admin-role   2026-04-04T03:00:00Z

NAME                                                          ROLE                    AGE
rolebinding.rbac.authorization.k8s.io/fgedu-admin-binding   Role/fgedu-admin-role   1m
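Before binding a Role it is worth knowing exactly which API requests it grants. The script below is an added example, not code from the tutorial: it reproduces the matching logic the RBAC authorizer applies to a PolicyRule (the `*` wildcard in apiGroups, resources and verbs, and the `*/subresource` form for subresources such as `pods/log`) and runs it over the two rule sets transcribed from `fgedu-role.yaml` and `fgedu-clusterrole.yaml` above. The `SENSITIVE` list of request triples is constructed for illustration; it is the kind of checklist a reviewer applies to any role, not something the tutorial defines.

```python
"""Evaluate Kubernetes RBAC PolicyRules the way the authorizer does.

Added example, not part of the tutorial. The rule lists are transcribed from
the Role and ClusterRole in Part02; the request triples are constructed.
"""
from typing import Any, Dict, List, Tuple

Rule = Dict[str, List[str]]

# Transcribed from fgedu-role.yaml (namespace fgedu-dev).
FGEDU_ADMIN_ROLE_RULES: List[Rule] = [
    {"apiGroups": [""], "resources": ["pods", "services", "configmaps", "secrets"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "replicasets"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    {"apiGroups": ["networking.k8s.io"], "resources": ["ingresses"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
]

# Transcribed from fgedu-clusterrole.yaml.
FGEDU_VIEWER_RULES: List[Rule] = [
    {"apiGroups": [""], "resources": ["pods", "services", "nodes", "namespaces"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"],
     "resources": ["deployments", "replicasets", "daemonsets", "statefulsets"],
     "verbs": ["get", "list", "watch"]},
]


def _matches(wanted: str, allowed: List[str]) -> bool:
    # "*" in a rule matches any apiGroup or verb; otherwise the match is exact.
    return "*" in allowed or wanted in allowed


def _resource_matches(resource: str, allowed: List[str]) -> bool:
    """Resource matching, including the "pods/log" subresource form.

    A rule listing "pods" does not grant "pods/log"; a rule listing "*/log"
    grants the log subresource of every resource; "*" grants everything.
    """
    if "*" in allowed or resource in allowed:
        return True
    if "/" in resource:
        _parent, sub = resource.split("/", 1)
        return ("*/" + sub) in allowed
    return False


def allows(rules: List[Rule], api_group: str, resource: str, verb: str) -> bool:
    """True if any rule in the set grants the (apiGroup, resource, verb) triple."""
    return any(
        _matches(api_group, r["apiGroups"])
        and _resource_matches(resource, r["resources"])
        and _matches(verb, r["verbs"])
        for r in rules
    )


# Constructed checklist: grants a reviewer looks at twice before binding a role.
SENSITIVE: List[Tuple[str, str, str]] = [
    ("", "secrets", "list"),                   # read every Secret in the namespace
    ("", "secrets", "get"),
    ("", "pods/exec", "create"),               # interactive access into containers
    ("", "serviceaccounts/token", "create"),   # mint tokens for other identities
    ("rbac.authorization.k8s.io", "rolebindings", "create"),  # can widen its own access
]


def review(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return the sensitive request triples that this rule set allows."""
    return [t for t in SENSITIVE if allows(rules, *t)]


if __name__ == "__main__":
    for name, rules in (("fgedu-admin-role", FGEDU_ADMIN_ROLE_RULES),
                        ("fgedu-viewer", FGEDU_VIEWER_RULES)):
        print(name, "->", review(rules) or "no sensitive grants")
```

Run against the tutorial's manifests, `fgedu-admin-role` is flagged for `get`/`list` on Secrets (the role grants full CRUD on `secrets`, which any pod running as `fgedu-admin` can use), while `fgedu-viewer` is clean. The same question can be asked of the live cluster with `kubectl auth can-i list secrets -n fgedu-dev --as=system:serviceaccount:fgedu-dev:fgedu-admin`, which evaluates the bound roles server-side.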

Part03 - Pod Security Policy

3.1 Security Context Configuration

# Create a hardened Pod manifest
[root@k8s-master ~]# cat > fgedu-secure-pod.yaml << 'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: fgedu-secure-app
  namespace: fgedu-dev
spec:
  serviceAccountName: fgedu-admin
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: nginx:1.25
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 1000
      capabilities:
        drop:
        - ALL
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 500m
        memory: 512Mi
    volumeMounts:
    - name: tmp
      mountPath: /tmp
    - name: cache
      mountPath: /var/cache/nginx
    - name: run
      mountPath: /var/run
  volumes:
  - name: tmp
    emptyDir: {}
  - name: cache
    emptyDir: {}
  - name: run
    emptyDir: {}
EOF
[root@k8s-master ~]# kubectl apply -f fgedu-secure-pod.yaml
pod/fgedu-secure-app created

# Inspect the Pod's security settings
[root@k8s-master ~]# kubectl get pod fgedu-secure-app -n fgedu-dev -o yaml | grep -A 20 "securityContext:"
      seccompProfile:
        type: RuntimeDefault
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 1000
  securityContext:
    fsGroup: 1000
    runAsGroup: 1000
    runAsNonRoot: true
    runAsUser: 1000
    seccompProfile:
      type: RuntimeDefault

Part04 - Pod Security Standards

4.1 Configuring the Security Standard

# Label the namespace with the Pod Security level
[root@k8s-master ~]# kubectl label namespace fgedu-dev pod-security.kubernetes.io/enforce=restricted
namespace/fgedu-dev labeled

[root@k8s-master ~]# kubectl label namespace fgedu-dev pod-security.kubernetes.io/enforce-version=latest
namespace/fgedu-dev labeled

# Show the namespace labels
[root@k8s-master ~]# kubectl get namespace fgedu-dev --show-labels
NAME        STATUS   AGE   LABELS
fgedu-dev   Active   10m   kubernetes.io/metadata.name=fgedu-dev,pod-security.kubernetes.io/enforce=restricted,pod-security.kubernetes.io/enforce-version=latest

# Create a Pod that satisfies the restricted standard
[root@k8s-master ~]# cat > fgedu-restricted-pod.yaml << 'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: fgedu-restricted-app
  namespace: fgedu-dev
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: nginx:1.25
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 500m
        memory: 512Mi
EOF
[root@k8s-master ~]# kubectl apply -f fgedu-restricted-pod.yaml
pod/fgedu-restricted-app created

# Check the Pod status
[root@k8s-master ~]# kubectl get pods -n fgedu-dev
NAME                   READY   STATUS    RESTARTS   AGE
fgedu-restricted-app   1/1     Running   0          10s
fgedu-secure-app       1/1     Running   0          5m
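The securityContext fields from Part03 and the `restricted` Pod Security Standard from Part04 are the same controls seen from two sides: the manifest sets them, the Pod Security admission controller enforces them when the namespace carries the `enforce=restricted` label. The script below is an added example, not the tutorial's or the Kubernetes project's code, and not a substitute for the admission controller: it applies the restricted-profile checks that these manifests touch (non-root, no privilege escalation, drop ALL capabilities, RuntimeDefault or Localhost seccomp) together with the baseline controls restricted inherits (no privileged containers, no host namespaces) so a manifest can be checked in CI before it reaches the cluster. The two compliant specs are transcribed from `fgedu-secure-pod.yaml` and `fgedu-restricted-pod.yaml`; `NAIVE_POD` is a constructed manifest with no security context at all, included to show what the checker reports.

```python
"""Check a Pod spec against the Pod Security Standards "restricted" profile.

Added example, not part of the tutorial. SECURE_POD and RESTRICTED_POD are
transcribed from Part03/Part04; NAIVE_POD is constructed for illustration.
"""
from typing import Any, Dict, List

SECURE_POD: Dict[str, Any] = {"spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "runAsGroup": 1000,
                        "fsGroup": 1000, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "nginx:1.25",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "readOnlyRootFilesystem": True,
                                        "runAsNonRoot": True, "runAsUser": 1000,
                                        "capabilities": {"drop": ["ALL"]}}}],
}}

RESTRICTED_POD: Dict[str, Any] = {"spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "nginx:1.25",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}],
}}

# Constructed: a typical "works on my laptop" manifest with no security context.
NAIVE_POD: Dict[str, Any] = {"spec": {
    "hostNetwork": True,
    "containers": [{"name": "app", "image": "nginx:1.25"}],
}}


def _effective(pod_sc: Dict[str, Any], ctr_sc: Dict[str, Any], key: str) -> Any:
    # A container-level field overrides the pod-level one; None if neither sets it.
    if key in ctr_sc:
        return ctr_sc[key]
    return pod_sc.get(key)


def check_restricted(pod: Dict[str, Any]) -> List[str]:
    """Return the restricted-profile violations found in the pod spec (empty = compliant)."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    findings: List[str] = []
    # Baseline controls inherited by restricted: host namespaces are forbidden.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            findings.append(f"spec.{field} must not be true")
    # initContainers are subject to the same rules as regular containers.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        name = c["name"]
        if sc.get("privileged"):
            findings.append(f"{name}: privileged must not be true")
        if _effective(pod_sc, sc, "runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot must be true")
        if _effective(pod_sc, sc, "runAsUser") == 0:
            findings.append(f"{name}: runAsUser must not be 0")
        # allowPrivilegeEscalation must be explicitly false (unset defaults to true).
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation must be set to false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: capabilities.drop must include ALL")
        added = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
        if added:
            findings.append(f"{name}: capabilities.add may only contain NET_BIND_SERVICE, got {sorted(added)}")
        # seccomp may be set at pod or container level, but Unconfined is never allowed.
        seccomp = _effective(pod_sc, sc, "seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return findings


if __name__ == "__main__":
    for label, pod in (("fgedu-secure-app", SECURE_POD),
                       ("fgedu-restricted-app", RESTRICTED_POD),
                       ("naive (constructed)", NAIVE_POD)):
        print(label, "->", check_restricted(pod) or "compliant")
```

Both tutorial manifests pass, which matches the admission result shown above (both pods reach `Running` in the `restricted` namespace). The constructed manifest is rejected on five counts; on a cluster, the same findings surface as the admission error from `kubectl apply`, so running the check locally first saves a round trip and documents why a manifest was changed.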

Fengge's recommendations for security configuration:

  • Use RBAC to control access permissions
  • Configure the Pod security context
  • Enable Pod Security Standards
  • Isolate workloads with network policies
  • Audit the security configuration regularly

This article was compiled and published by Fengge Tutorials for learning and testing use only; when reposting, cite the source: http://www.fgedu.net.cn/10327.html
