Summary: this Fengge tutorial draws on the official Linux, Red Hat Enterprise Linux, Ansible Automation Platform, Docker, Kubernetes and Podman documentation and describes in detail how the relevant technologies are configured and used.
Fengge's note:
This document describes how to harden the security of a Kubernetes cluster.
Part01-Security overview
1.1 Hardening checklist
[root@k8s-master ~]# cat > /root/k8s-security-hardening.txt << 'EOF'
Kubernetes security hardening
=============================
1. Cluster security
   - Control plane security
   - etcd encryption
   - API server hardening
   - Certificate management
2. Workload security
   - Pod security policies
   - Security contexts
   - Resource limits
   - Network isolation
3. Access control
   - RBAC configuration
   - ServiceAccount management
   - Admission controllers
   - Audit logging
4. Security tools
   - kube-bench: CIS benchmark checks
   - kube-hunter: vulnerability scanning
   - Trivy: image vulnerability scanning
   - Falco: runtime security
EOF
Part02-kube-bench checks
2.1 CIS benchmark check
[root@k8s-master ~]# curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.7.0/kube-bench_0.7.0_linux_amd64.tar.gz -o kube-bench.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   648  100   648    0     0   1234      0 --:--:-- --:--:-- --:--:--  1234
100 12.3M  100 12.3M    0     0  5678k      0  0:00:02  0:00:02 --:--:-- 6789k
[root@k8s-master ~]# tar -xzf kube-bench.tar.gz
[root@k8s-master ~]# mv kube-bench /usr/local/bin/
[root@k8s-master ~]# chmod +x /usr/local/bin/kube-bench
# Run the CIS checks for the control plane node
[root@k8s-master ~]# kube-bench run --targets master
[INFO] 1 Control Plane Security Configuration
[INFO] 1.1 Control Plane Node Configuration
[PASS] 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)
[PASS] 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Automated)
[PASS] 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)
[PASS] 1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root (Automated)
[PASS] 1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)
[PASS] 1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root (Automated)
[PASS] 1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)
[PASS] 1.1.8 Ensure that the etcd pod specification file ownership is set to root:root (Automated)
[WARN] 1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Automated)
[WARN] 1.1.10 Ensure that the Container Network Interface file ownership is set to root:root (Automated)
[PASS] 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)
[PASS] 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)
[INFO] 1.2 API Server
[PASS] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)
[PASS] 1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)
[PASS] 1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)
[WARN] 1.2.4 Ensure that the --kubelet-https argument is set to true (Automated)
[PASS] 1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)
[PASS] 1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)
[PASS] 1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
[PASS] 1.2.8 Ensure that the --authorization-mode argument includes Node (Automated)
[PASS] 1.2.9 Ensure that the --authorization-mode argument includes RBAC (Automated)
[WARN] 1.2.10 Ensure that the admission control plugin EventRateLimit is set (Manual)
[PASS] 1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)
[WARN] 1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Manual)
[PASS] 1.2.13 Ensure that the admission control plugin SecurityContextDeny is not set (Automated)
[PASS] 1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated)
[PASS] 1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)
[PASS] 1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)
[PASS] 1.2.17 Ensure that the --secure-port argument is not set to 0 (Automated)
[PASS] 1.2.18 Ensure that the --profiling argument is set to false (Automated)
[PASS] 1.2.19 Ensure that the --audit-log-path argument is set (Automated)
[PASS] 1.2.20 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)
[PASS] 1.2.21 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)
[PASS] 1.2.22 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)
== Summary ==
41 checks PASS
12 checks WARN
0 checks FAIL
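The summary above is what kube-bench prints for people. For a scheduled check or a CI gate you want the machine-readable form (`kube-bench run --targets master --json`) and a policy that is stricter than "no FAIL" but looser than "no WARN", because most WARN items are manual checks. The script below is an added example written for this page; it is not part of the tutorial and not kube-bench's own code. It fails the gate on any FAIL and on a hypothetical short list of WARN checks that the run above flagged and that have a concrete fix (1.1.9 and 1.1.10, CNI file permissions and ownership; 1.2.12, AlwaysPullImages). The embedded report is constructed to mirror the run above; the field names (Controls, tests, results, test_number, status, remediation) follow kube-bench's JSON report, and the remediation strings are abbreviated.

```python
import json
import sys

# Constructed sample of `kube-bench run --targets master --json` output,
# reduced to a handful of checks. Field names follow kube-bench's JSON
# report; the remediation text is shortened for the example.
SAMPLE_REPORT = json.dumps({
    "Controls": [{
        "id": "1",
        "version": "cis-1.8",
        "text": "Control Plane Security Configuration",
        "node_type": "master",
        "tests": [
            {"section": "1.1", "results": [
                {"test_number": "1.1.1", "status": "PASS",
                 "test_desc": "API server pod specification file permissions",
                 "remediation": ""},
                {"test_number": "1.1.9", "status": "WARN",
                 "test_desc": "Container Network Interface file permissions",
                 "remediation": "chmod 644 <path/to/cni/files>"},
                {"test_number": "1.1.10", "status": "WARN",
                 "test_desc": "Container Network Interface file ownership",
                 "remediation": "chown root:root <path/to/cni/files>"},
            ]},
            {"section": "1.2", "results": [
                {"test_number": "1.2.10", "status": "WARN",
                 "test_desc": "admission control plugin EventRateLimit",
                 "remediation": "enable EventRateLimit with a configuration file"},
                {"test_number": "1.2.12", "status": "WARN",
                 "test_desc": "admission control plugin AlwaysPullImages",
                 "remediation": "add AlwaysPullImages to --enable-admission-plugins"},
                {"test_number": "1.2.18", "status": "PASS",
                 "test_desc": "--profiling argument is set to false",
                 "remediation": ""},
            ]},
        ],
    }]
})

# Hypothetical policy: WARN results for these checks are treated as failures
# because they have a concrete, low-risk remediation.
WARN_AS_FAIL = {"1.1.9", "1.1.10", "1.2.12"}


def iter_results(report):
    """Yield every individual check result from a kube-bench JSON report."""
    for control in report.get("Controls", []):
        for test in control.get("tests", []):
            for result in test.get("results", []):
                yield result


def evaluate(report_json, warn_as_fail=WARN_AS_FAIL):
    """Return (ok, findings).

    ok is False when any check is FAIL, or WARN and listed in warn_as_fail.
    findings lists (test_number, status, remediation) for every non-PASS
    check so the output is still useful when the gate passes.
    """
    report = json.loads(report_json)
    findings = []
    ok = True
    for r in iter_results(report):
        status = r.get("status", "")
        if status == "PASS":
            continue
        findings.append((r["test_number"], status, r.get("remediation", "")))
        if status == "FAIL" or (status == "WARN" and r["test_number"] in warn_as_fail):
            ok = False
    return ok, findings


def gate(report_json):
    """Print the findings and return a process exit code: 0 pass, 1 fail."""
    ok, findings = evaluate(report_json)
    for number, status, remediation in findings:
        print(f"{status:4} {number:7} {remediation}")
    return 0 if ok else 1


if __name__ == "__main__":
    # Read a real report from stdin, e.g.
    #   kube-bench run --targets master --json | python3 kube_bench_gate.py
    # and fall back to the constructed sample when run interactively.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    sys.exit(gate(data))
```

Keep WARN_AS_FAIL small and reviewed: 1.2.10 (EventRateLimit) is left as a WARN here because it needs a rate-limit configuration file and can throttle legitimate event traffic if set blindly.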
Part03-Image vulnerability scanning
3.1 Scanning with Trivy
[root@k8s-master ~]# rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.47.0/trivy_0.47.0_Linux-64bit.rpm
Retrieving https://github.com/aquasecurity/trivy/releases/download/v0.47.0/trivy_0.47.0_Linux-64bit.rpm
Preparing...                          ################################# [100%]
Updating / installing...
   1:trivy-0.47.0-1                   ################################# [100%]
# Scan a single image
[root@k8s-master ~]# trivy image nginx:1.25
2026-04-04T20:00:00.000+0800 INFO Vulnerability scanning is enabled
2026-04-04T20:00:00.100+0800 INFO Secret scanning is enabled
2026-04-04T20:00:00.100+0800 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2026-04-04T20:00:00.100+0800 INFO Please see also https://aquasecurity.github.io/trivy/v0.47/docs/scanner/secret for more info
nginx:1.25 (debian 12.2)
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)
┌───────────────┬────────────────┬──────────┬───────────────────┬──────────────────┐
│    Library    │ Vulnerability  │ Severity │ Installed Version │  Fixed Version   │
├───────────────┼────────────────┼──────────┼───────────────────┼──────────────────┤
│ libnghttp2-14 │ CVE-2023-44487 │ HIGH     │ 1.52.0-1          │ 1.52.0-1+deb12u1 │
├───────────────┼────────────────┼──────────┼───────────────────┼──────────────────┤
│ libnghttp2-14 │ CVE-2023-44487 │ MEDIUM   │ 1.52.0-1          │ 1.52.0-1+deb12u1 │
└───────────────┴────────────────┴──────────┴───────────────────┴──────────────────┘
# Scan the images of the workloads running in the cluster
[root@k8s-master ~]# trivy k8s --report summary all
Summary Report for k8s
======================
Workload Assessment
┌─────────────┬──────────────────────┬─────────────────┐
│  Namespace  │    Workload Type     │ Vulnerabilities │
│             │                      │ C  H  M  L  U   │
├─────────────┼──────────────────────┼─────────────────┤
│ kube-system │ Deployment/coredns   │ 0  1  2  3  0   │
│ kube-system │ DaemonSet/kube-proxy │ 0  0  1  2  0   │
│ fgedu-prod  │ Deployment/fgedu-web │ 0  1  1  0  0   │
└─────────────┴──────────────────────┴─────────────────┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN
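The table output is for reading; in a build pipeline the scan should be consumed as JSON (`trivy image --format json nginx:1.25`) and judged by a written policy. A policy that works in practice: block the image when a CRITICAL or HIGH finding already has a fixed version (the nginx case above, CVE-2023-44487 fixed in 1.52.0-1+deb12u1, is exactly that), only report findings that have no fix yet, and allow named, time-boxed exceptions so an allowlist cannot silently become permanent. The script below is an added example for this page, not Trivy's code and not part of the original tutorial. The embedded scan result is constructed from the output above and uses Trivy's JSON field names (Results, Vulnerabilities, VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity); the allowlist format (ID to expiry date and reason) is my own.

```python
import json
from datetime import date

# Constructed `trivy image --format json nginx:1.25` result, reduced to the
# fields the policy needs. Field names follow Trivy's JSON output.
SAMPLE_SCAN = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "nginx:1.25",
    "Results": [{
        "Target": "nginx:1.25 (debian 12.2)",
        "Class": "os-pkgs",
        "Type": "debian",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2023-44487", "PkgName": "libnghttp2-14",
             "InstalledVersion": "1.52.0-1", "FixedVersion": "1.52.0-1+deb12u1",
             "Severity": "HIGH"},
        ],
    }],
})

# Severities that block a deploy when a fix exists.
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}


def evaluate(scan_json, allowlist=None, today=None):
    """Apply the policy to a Trivy JSON scan.

    allowlist: {vuln_id: ("YYYY-MM-DD" expiry, reason)}; hypothetical format.
    today:     ISO date string, injectable for deterministic tests.
    Returns (blocked, decisions) where each decision is
    (vuln_id, package, severity, fixed_version, verdict) and verdict is one of
    'block', 'allowlisted', 'allowlist-expired', 'unfixed', 'info'.
    """
    allowlist = allowlist or {}
    today_d = date.fromisoformat(today) if today else date.today()
    scan = json.loads(scan_json)
    decisions = []
    blocked = False
    for result in scan.get("Results", []):
        # Trivy omits the key entirely for targets without findings.
        for v in result.get("Vulnerabilities") or []:
            vid = v["VulnerabilityID"]
            sev = v.get("Severity", "UNKNOWN")
            fixed = v.get("FixedVersion", "")
            if sev not in BLOCKING_SEVERITIES:
                verdict = "info"
            elif not fixed:
                verdict = "unfixed"        # nothing to upgrade to yet; track it, do not block
            elif vid in allowlist:
                expiry, _reason = allowlist[vid]
                verdict = "allowlisted" if today_d <= date.fromisoformat(expiry) else "allowlist-expired"
            else:
                verdict = "block"
            if verdict in ("block", "allowlist-expired"):
                blocked = True
            decisions.append((vid, v.get("PkgName", ""), sev, fixed, verdict))
    return blocked, decisions


def gate(scan_json, allowlist=None, today=None):
    """Print one line per finding and return an exit code: 0 allow, 1 block."""
    blocked, decisions = evaluate(scan_json, allowlist, today)
    for vid, pkg, sev, fixed, verdict in decisions:
        print(f"{verdict:17} {sev:8} {vid:16} {pkg} fixed-in={fixed or '-'}")
    return 1 if blocked else 0


if __name__ == "__main__":
    # Hypothetical exception entry; the expiry forces a re-review.
    exceptions = {"CVE-2023-44487": ("2026-05-01", "upgrade scheduled with next base image rebuild")}
    raise SystemExit(gate(SAMPLE_SCAN, exceptions, today="2026-04-04"))
```

An expired exception blocks just like a new finding, which is the point: the allowlist is a dated promise to fix, not a permanent mute. The same logic applies unchanged to the JSON that `trivy k8s --format json` produces per workload.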
Part04-Audit log configuration
4.1 Enabling audit logging
[root@k8s-master ~]# cat > /etc/kubernetes/audit-policy.yaml << 'EOF'
apiVersion: audit.k8s.io/v1
kind: Policy
# Rules are evaluated top to bottom and the first match wins, so the most
# specific rules come first and the catch-all rule comes last.
rules:
  # Ignore noisy watch requests from kube-proxy
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services"]
  # Record request and response bodies for writes to Secrets
  - level: RequestResponse
    resources:
      - group: ""
        resources: ["secrets"]
    verbs: ["create", "update", "patch", "delete"]
  # Record metadata for core workload and configuration objects
  - level: Metadata
    resources:
      - group: ""
        resources: ["pods", "services", "secrets", "configmaps"]
  # Catch-all: record metadata for every other request, including denied and
  # unauthenticated ones, skipping the RequestReceived stage
  - level: Metadata
    omitStages:
      - "RequestReceived"
EOF
# Configure API server auditing. Appending lines to the end of the static pod
# manifest produces invalid YAML: the flags belong under the container's
# command:, the mounts under its volumeMounts:, and the hostPath entries under
# spec.volumes:, each with the indentation of its section.
[root@k8s-master ~]# vi /etc/kubernetes/manifests/kube-apiserver.yaml
spec:
  containers:
  - command:
    - kube-apiserver
    ...
    - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
    - --audit-log-path=/var/log/kubernetes/audit.log
    - --audit-log-maxage=30
    - --audit-log-maxbackup=10
    - --audit-log-maxsize=100
    volumeMounts:
    ...
    - mountPath: /etc/kubernetes/audit-policy.yaml
      name: audit
      readOnly: true
    - mountPath: /var/log/kubernetes
      name: audit-log
      readOnly: false
  volumes:
  ...
  - hostPath:
      path: /etc/kubernetes/audit-policy.yaml
      type: File
    name: audit
  - hostPath:
      path: /var/log/kubernetes
      type: DirectoryOrCreate
    name: audit-log
# Restart the API server. The kubelet watches /etc/kubernetes/manifests and
# re-creates the kube-apiserver static pod by itself once the file is saved;
# the API is unavailable for a few seconds. Deleting or replacing the mirror
# pod with kubectl does not restart a static pod. Verify that it came back:
[root@k8s-master ~]# kubectl -n kube-system get pod kube-apiserver-k8s-master
# View the audit log
[root@k8s-master ~]# tail -f /var/log/kubernetes/audit.log | jq
{
  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1",
  "level": "Metadata",
  "auditID": "abc123-def456",
  "stage": "ResponseComplete",
  "requestURI": "/api/v1/namespaces/default/pods",
  "verb": "list",
  "user": {
    "username": "kubernetes-admin",
    "groups": ["system:masters", "system:authenticated"]
  },
  "sourceIPs": ["192.168.1.100"],
  "userAgent": "kubectl/v1.28.3 (linux/amd64) kubernetes/abc123",
  "objectRef": {
    "resource": "pods",
    "namespace": "default",
    "apiVersion": "v1"
  },
  "responseStatus": {
    "metadata": {},
    "code": 200
  },
  "requestReceivedTimestamp": "2026-04-04T12:00:00.000000Z",
  "stageTimestamp": "2026-04-04T12:00:00.100000Z",
  "annotations": {
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": ""
  }
}
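The policy makes Secret access and every denied request visible, but only if something actually reads the log. The detector below is an added example written for this page, not part of the tutorial and not a Kubernetes component; it works on the JSON-lines audit format shown above and uses only Metadata-level fields, so it needs nothing the policy above does not already record. It flags three things: Secret reads (get, list, watch) by any identity other than the control plane's own system:kube-* users, requests the authorizer denied (decision "forbid", or HTTP 401/403), and requests made as system:anonymous. The sample events are constructed; the usernames, IP addresses and auditIDs are placeholders.

```python
import json

# Constructed audit events in JSON-lines form, same shape as the event above.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"auditID": "a1", "stage": "ResponseComplete", "verb": "list",
     "user": {"username": "kubernetes-admin", "groups": ["system:masters", "system:authenticated"]},
     "sourceIPs": ["192.168.1.100"],
     "objectRef": {"resource": "pods", "namespace": "default"},
     "responseStatus": {"code": 200},
     "annotations": {"authorization.k8s.io/decision": "allow"}},
    {"auditID": "a2", "stage": "ResponseComplete", "verb": "get",
     "user": {"username": "dev-alice", "groups": ["system:authenticated"]},
     "sourceIPs": ["192.168.1.57"],
     "objectRef": {"resource": "secrets", "namespace": "fgedu-prod", "name": "db-credentials"},
     "responseStatus": {"code": 200},
     "annotations": {"authorization.k8s.io/decision": "allow"}},
    {"auditID": "a3", "stage": "ResponseComplete", "verb": "list",
     "user": {"username": "system:serviceaccount:default:default", "groups": ["system:serviceaccounts"]},
     "sourceIPs": ["10.244.1.8"],
     "objectRef": {"resource": "secrets", "namespace": "kube-system"},
     "responseStatus": {"code": 403},
     "annotations": {"authorization.k8s.io/decision": "forbid", "authorization.k8s.io/reason": ""}},
    {"auditID": "a4", "stage": "ResponseComplete", "verb": "get",
     "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
     "sourceIPs": ["203.0.113.9"],
     "requestURI": "/api/v1/namespaces/kube-system/pods",
     "objectRef": {"resource": "pods", "namespace": "kube-system"},
     "responseStatus": {"code": 401}},
    {"auditID": "a5", "stage": "ResponseComplete", "verb": "watch",
     "user": {"username": "system:kube-controller-manager"},
     "objectRef": {"resource": "secrets"},
     "responseStatus": {"code": 200},
     "annotations": {"authorization.k8s.io/decision": "allow"}},
])

SECRET_READ_VERBS = {"get", "list", "watch"}


def classify(event):
    """Return the list of alert tags for one audit event (empty when benign)."""
    tags = []
    user = event.get("user", {})
    username = user.get("username", "")
    ref = event.get("objectRef", {})
    code = event.get("responseStatus", {}).get("code", 0)
    decision = event.get("annotations", {}).get("authorization.k8s.io/decision", "")

    if username == "system:anonymous" or "system:unauthenticated" in user.get("groups", []):
        tags.append("anonymous-request")
    if decision == "forbid" or code in (401, 403):
        tags.append("denied")
    # Successful Secret reads by anything that is not a control-plane component.
    # Service accounts start with "system:serviceaccount:" and are intentionally
    # still caught here; only system:kube-* (apiserver, controller-manager, ...) is exempt.
    if (ref.get("resource") == "secrets" and event.get("verb") in SECRET_READ_VERBS
            and code == 200 and not username.startswith("system:kube-")):
        tags.append("secret-read")
    return tags


def scan(log_text):
    """Parse JSON-lines audit events and return alerts as tuples of
    (auditID, username, verb, resource, namespace, sourceIP, tags)."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue        # partial line during log rotation; skip rather than crash
        if event.get("stage") != "ResponseComplete":
            continue        # count each request once, not once per stage
        tags = classify(event)
        if tags:
            ref = event.get("objectRef", {})
            alerts.append((event.get("auditID"), event.get("user", {}).get("username", ""),
                           event.get("verb"), ref.get("resource"), ref.get("namespace"),
                           (event.get("sourceIPs") or [""])[0], tags))
    return alerts


if __name__ == "__main__":
    # Usage against the real file: python3 audit_detect.py < /var/log/kubernetes/audit.log
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

On the sample, a1 (an admin listing pods) and a5 (the controller manager watching Secrets) produce nothing; a2 is a successful Secret read by a person, a3 a denied Secret listing by the default service account, and a4 an anonymous request. The "secret-read" rule only fires on HTTP 200 so a denied attempt is reported once, as "denied", rather than twice.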
- Run kube-bench on a schedule and track the results
- Scan images for vulnerabilities before and after deployment
- Enable audit logging on the API server
- Configure RBAC with least privilege
- Apply Pod Security Standards through Pod Security Admission (PodSecurityPolicy was removed in Kubernetes 1.25)
This article was compiled and published by Fengge Tutorials for learning and testing only; when reposting, cite the source: http://www.fgedu.net.cn/10327.html
