Summary: This 风哥教程 article draws on the official Linux, Red Hat Enterprise Linux, Ansible Automation Platform, Docker, Kubernetes and Podman documentation and explains in detail how the related technologies are configured and used.
This document walks through a hands-on case study of Kubernetes cluster security hardening.
Tip from 风哥:
Part01 - Security baseline checks
1.1 Checking against the CIS benchmark with kube-bench
[root@k8s-master ~]# curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.6.17/kube-bench_0.6.17_linux_amd64.tar.gz -o kube-bench.tar.gz
[root@k8s-master ~]# tar -xzf kube-bench.tar.gz
[root@k8s-master ~]# mv kube-bench /usr/local/bin/
# Run the security check against the control-plane node
[root@k8s-master ~]# kube-bench run --targets master
[INFO] 1 Control Plane Security Configuration
[INFO] 1.1 Control Plane Node Configuration Files
[PASS] 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)
[PASS] 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Automated)
[PASS] 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)
[FAIL] 1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root (Automated)
[PASS] 1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)
[INFO] 1.2 API Server
[PASS] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)
[FAIL] 1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)
[PASS] 1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)
== Summary ==
41 checks PASS
13 checks FAIL
12 checks WARN
# Show the detailed remediation advice for one failing check
[root@k8s-master ~]# kube-bench run --targets master --check 1.2.2
[FAIL] 1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)
Remediation: Follow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml and remove the --token-auth-file=
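As an added example (not part of the original tutorial), a small Python gate that parses the kube-bench text output shown above and fails a CI job on any FAIL that is not a documented exception; the sample text is a constructed copy of the run above, and the script name in the usage comment is assumed.

```python
import re
from collections import Counter

# Constructed sample: the result lines from the kube-bench run shown above.
SAMPLE_OUTPUT = """\
[INFO] 1 Control Plane Security Configuration
[INFO] 1.1 Control Plane Node Configuration Files
[PASS] 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)
[PASS] 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Automated)
[PASS] 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)
[FAIL] 1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root (Automated)
[PASS] 1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)
[INFO] 1.2 API Server
[PASS] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Automated)
[FAIL] 1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)
[PASS] 1.2.3 Ensure that the --DenyServiceExternalIPs is not set (Automated)
"""

# One result line: "[STATUS] <check id> <description>"; [INFO] lines are section headers.
RESULT_RE = re.compile(r"^\[(PASS|FAIL|WARN|INFO)\] (\d+(?:\.\d+)*) (.+)$")

def parse_results(text):
    """Return (status, check_id, description) for every result line, section headers excluded."""
    results = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m and m.group(1) != "INFO":
            results.append(m.groups())
    return results

def status_counts(text):
    """Counter of PASS/FAIL/WARN, the same numbers kube-bench prints under '== Summary =='."""
    return Counter(status for status, _, _ in parse_results(text))

def failing_checks(text, accepted=()):
    """Check ids that FAILed, minus documented accepted-risk exceptions."""
    return [cid for status, cid, _ in parse_results(text) if status == "FAIL" and cid not in accepted]

def gate(text, accepted=()):
    """CI decision: True only when every FAIL is covered by an accepted exception."""
    return not failing_checks(text, accepted)

if __name__ == "__main__":
    import sys
    # Assumed usage: kube-bench run --targets master | python kube_bench_gate.py
    output = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    print(dict(status_counts(output)), "failing:", failing_checks(output))
    sys.exit(0 if gate(output) else 1)
```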
Part02 - RBAC security configuration
2.1 Principle of least privilege
[root@k8s-master ~]# cat > fgedu-readonly-role.yaml << 'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: fgedu-readonly
  namespace: fgedu-prod
rules:
- apiGroups: [""]
  resources: ["pods", "services", "configmaps", "secrets"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets", "statefulsets"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: fgedu-readonly-binding
  namespace: fgedu-prod
subjects:
- kind: User
  name: fgedu-viewer
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: fgedu-readonly
  apiGroup: rbac.authorization.k8s.io
EOF
[root@k8s-master ~]# kubectl apply -f fgedu-readonly-role.yaml
role.rbac.authorization.k8s.io/fgedu-readonly created
rolebinding.rbac.authorization.k8s.io/fgedu-readonly-binding created
# Create the developer role
[root@k8s-master ~]# cat > fgedu-developer-role.yaml << 'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: fgedu-developer
  namespace: fgedu-prod
rules:
- apiGroups: [""]
  resources: ["pods", "services", "configmaps", "secrets", "persistentvolumeclaims"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets", "statefulsets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["pods/log", "pods/exec"]
  verbs: ["get"]
EOF
[root@k8s-master ~]# kubectl apply -f fgedu-developer-role.yaml
role.rbac.authorization.k8s.io/fgedu-developer created
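As an added example (not part of the original tutorial), a Python review aid for the two Roles above: `allows` answers the same question as `kubectl auth can-i` for a single Role, including `*` wildcards, and `review_findings` lists the grants a least-privilege review should justify. Run on constructed copies of the page's Roles, it shows that the "read-only" viewer can read every Secret in the namespace (`list` returns full Secret objects) and that the developer role grants `pods/exec`; the set of flagged resources is this example's own choice.

```python
# Constructed copies of the two Roles above, shaped like 'kubectl get role -o json' output.
READONLY_ROLE = {"metadata": {"name": "fgedu-readonly", "namespace": "fgedu-prod"}, "rules": [
    {"apiGroups": [""], "resources": ["pods", "services", "configmaps", "secrets"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "replicasets", "statefulsets"], "verbs": ["get", "list", "watch"]}]}
ALL_VERBS = ["get", "list", "watch", "create", "update", "patch", "delete"]
DEVELOPER_ROLE = {"metadata": {"name": "fgedu-developer", "namespace": "fgedu-prod"}, "rules": [
    {"apiGroups": [""], "resources": ["pods", "services", "configmaps", "secrets", "persistentvolumeclaims"], "verbs": ALL_VERBS},
    {"apiGroups": ["apps"], "resources": ["deployments", "replicasets", "statefulsets"], "verbs": ALL_VERBS},
    {"apiGroups": ["networking.k8s.io"], "resources": ["ingresses"], "verbs": ALL_VERBS},
    {"apiGroups": [""], "resources": ["pods/log", "pods/exec"], "verbs": ["get"]}]}

def _match(wanted, granted):
    """RBAC list matching: a '*' entry in the rule matches anything."""
    return "*" in granted or wanted in granted

def allows(role, api_group, resource, verb):
    """True if any single rule covers apiGroup, resource and verb together (rules are never combined)."""
    return any(_match(api_group, r.get("apiGroups", [])) and _match(resource, r.get("resources", []))
               and _match(verb, r.get("verbs", [])) for r in role["rules"])

READ = {"get", "list", "watch"}
INTERACTIVE = {"pods/exec", "pods/attach", "pods/portforward"}  # this example's choice of sensitive subresources

def review_findings(role):
    """Grants a reviewer should justify before calling a Role 'least privilege'."""
    findings = []
    for rule in role["rules"]:
        for g in rule.get("apiGroups", [""]):
            for res in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    if "*" in (g, res, verb):
                        findings.append(f"wildcard grant: apiGroup={g!r} resource={res} verb={verb}")
                    elif res == "secrets" and verb in READ:
                        findings.append(f"secrets:{verb} reveals every Secret in the namespace")
                    elif res == "secrets":
                        findings.append(f"secrets:{verb} can alter credentials used by workloads")
                    elif res in INTERACTIVE:
                        findings.append(f"{res}:{verb} gives a shell or tunnel into running pods")
    return findings
```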
Part03 - Pod security policy
3.1 Configuring Pod Security Standards
[root@k8s-master ~]# kubectl label namespace fgedu-prod pod-security.kubernetes.io/enforce=restricted
namespace/fgedu-prod labeled
[root@k8s-master ~]# kubectl label namespace fgedu-prod pod-security.kubernetes.io/enforce-version=v1.28
namespace/fgedu-prod labeled
# Create a Pod that satisfies the restricted security standard
[root@k8s-master ~]# cat > fgedu-secure-pod.yaml << 'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: fgedu-secure-app
  namespace: fgedu-prod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: nginx:1.25
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
    volumeMounts:
    - name: tmp
      mountPath: /tmp
    - name: cache
      mountPath: /var/cache/nginx
    - name: run
      mountPath: /var/run
  volumes:
  - name: tmp
    emptyDir: {}
  - name: cache
    emptyDir: {}
  - name: run
    emptyDir: {}
EOF
[root@k8s-master ~]# kubectl apply -f fgedu-secure-pod.yaml
pod/fgedu-secure-app created
# Verify the security configuration that was applied
[root@k8s-master ~]# kubectl get pod fgedu-secure-app -n fgedu-prod -o yaml | grep -A 10 securityContext
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      readOnlyRootFilesystem: true
  securityContext:
    fsGroup: 1000
    runAsGroup: 1000
    runAsNonRoot: true
    runAsUser: 1000
    seccompProfile:
      type: RuntimeDefault
Part04 - Network security policy
4.1 Configuring network isolation
[root@k8s-master ~]# cat > fgedu-default-deny.yaml << 'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: fgedu-prod
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
EOF
[root@k8s-master ~]# kubectl apply -f fgedu-default-deny.yaml
networkpolicy.networking.k8s.io/default-deny-all created
# Configure the application's network policy
[root@k8s-master ~]# cat > fgedu-app-networkpolicy.yaml << 'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: fgedu-app-policy
  namespace: fgedu-prod
spec:
  podSelector:
    matchLabels:
      app: fgedu-web
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: ingress-nginx
    ports:
    - protocol: TCP
      port: 8080
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: fgedu-database
    ports:
    - protocol: TCP
      port: 3306
  - to:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
EOF
[root@k8s-master ~]# kubectl apply -f fgedu-app-networkpolicy.yaml
networkpolicy.networking.k8s.io/fgedu-app-policy created
# Verify the network policies
[root@k8s-master ~]# kubectl get networkpolicy -n fgedu-prod
NAME               POD-SELECTOR    AGE
default-deny-all   <none>
fgedu-app-policy   app=fgedu-web   1m
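As an added example (not part of the original tutorial), a Python evaluator that applies the two NetworkPolicies above to a constructed set of pods and answers whether a given flow is allowed: a flow passes only if the destination's ingress and the source's egress both permit it, and a pod with no policy selecting it in a direction is open in that direction. Run against the page's policies it confirms ingress-nginx -> web:8080 and web -> kube-dns:53/UDP, and also shows that web -> database:3306 is still blocked, because default-deny-all selects the database pod and no policy grants it ingress. The pod labels and namespace labels are assumptions; matchExpressions and ipBlock are not modelled.

```python
# Constructed cluster model: the two NetworkPolicies above plus four pods; 'ns_labels' are the Namespace's labels.
POLICIES = [
    {"metadata": {"name": "default-deny-all", "namespace": "fgedu-prod"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"metadata": {"name": "fgedu-app-policy", "namespace": "fgedu-prod"},
     "spec": {"podSelector": {"matchLabels": {"app": "fgedu-web"}}, "policyTypes": ["Ingress", "Egress"],
              "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"name": "ingress-nginx"}}}],
                           "ports": [{"protocol": "TCP", "port": 8080}]}],
              "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "fgedu-database"}}}],
                          "ports": [{"protocol": "TCP", "port": 3306}]},
                         {"to": [{"namespaceSelector": {}, "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
                          "ports": [{"protocol": "UDP", "port": 53}]}]}}]
def pod(ns, labels, ns_labels=None):
    return {"namespace": ns, "labels": labels, "ns_labels": ns_labels or {}}
WEB = pod("fgedu-prod", {"app": "fgedu-web"})
DB = pod("fgedu-prod", {"app": "fgedu-database"})
INGRESS_CTRL = pod("ingress-nginx", {"app.kubernetes.io/name": "ingress-nginx"}, {"name": "ingress-nginx"})
DNS = pod("kube-system", {"k8s-app": "kube-dns"}, {"kubernetes.io/metadata.name": "kube-system"})

def _sel(selector, labels):
    """matchLabels semantics only; an empty selector ({}) matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def _peer(peer, other, policy_ns):
    """namespaceSelector and podSelector inside one peer are ANDed; a lone podSelector means the policy's own namespace."""
    if "namespaceSelector" in peer and not _sel(peer["namespaceSelector"], other["ns_labels"]):
        return False
    if "podSelector" in peer:
        in_scope = "namespaceSelector" in peer or other["namespace"] == policy_ns
        return in_scope and _sel(peer["podSelector"], other["labels"])
    return "ipBlock" not in peer  # ipBlock peers are out of scope for this pod-to-pod check

def _direction(policies, subject, kind, peer_key, other, proto, port):
    """Open if no policy selects the subject for this direction; otherwise some rule must match both peer and port."""
    selecting = [p for p in policies if p["metadata"]["namespace"] == subject["namespace"]
                 and kind in p["spec"].get("policyTypes", ["Ingress"]) and _sel(p["spec"]["podSelector"], subject["labels"])]
    if not selecting:
        return True
    for p in selecting:
        for rule in p["spec"].get(kind.lower()) or []:  # default-deny-all has no rules at all
            peers, ports = rule.get(peer_key), rule.get("ports")
            if (peers is None or any(_peer(pe, other, p["metadata"]["namespace"]) for pe in peers)) and \
               (ports is None or any(pp.get("protocol", "TCP") == proto and pp.get("port") == port for pp in ports)):
                return True
    return False

def allowed(policies, src, dst, proto, port):
    """src -> dst:proto/port passes only if dst's ingress AND src's egress both permit it."""
    return (_direction(policies, dst, "Ingress", "from", src, proto, port)
            and _direction(policies, src, "Egress", "to", dst, proto, port))
```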
- Run security baseline checks regularly
- Enforce least-privilege RBAC policies
- Configure Pod Security Standards
- Enable network isolation policies
- Audit the cluster's security posture regularly
This article was compiled and published by 风哥教程 for learning and testing purposes only; when reposting, cite the source: http://www.fgedu.net.cn/10327.html
