Outline
1. Cloud-Native Security Overview
Cloud-native security refers to the measures that protect applications, data and infrastructure in a cloud-native environment. Such environments are built on containers, Kubernetes, microservices and related technologies, and their security challenges differ from those of traditional IT environments.
The core principles of cloud-native security are:
- Secure by default: consider security from the design stage onward
- Least privilege: grant only the permissions that are actually needed
- Defense in depth: multiple layers of protection
- Automated security: manage security through automated tooling
- Observability: monitor for and detect security events in real time
2. Container Security
2.1 Container Image Security
$ docker pull nginx:latest
# Scan the image for vulnerabilities
$ docker run --rm \
    -v /var/run/docker.sock:/var/run/docker.sock \
    aquasec/trivy:latest image nginx:latest
# Build a hardened image
$ cat Dockerfile
FROM alpine:3.14
RUN apk add --no-cache nginx \
    && rm -rf /var/cache/apk/*
# Run as the unprivileged nginx user (nginx then needs writable pid/log paths and, without
# CAP_NET_BIND_SERVICE, a listen port above 1024; adjust nginx.conf accordingly)
USER nginx
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]
# Build and verify the image
$ docker build -t secure-nginx .
$ docker run --rm --read-only secure-nginx
2.2 Container Runtime Security
# Drop all capabilities, use a read-only root filesystem, block privilege escalation and run as non-root
$ docker run --rm \
    --cap-drop=ALL \
    --read-only \
    --security-opt=no-new-privileges \
    --user=nginx \
    nginx:latest
# Limit resources
$ docker run --rm \
    --memory=128m \
    --cpus=0.5 \
    --pids-limit=100 \
    nginx:latest
# Network isolation
$ docker network create isolated-network
$ docker run --rm \
    --network=isolated-network \
    nginx:latest
Fengge's tip: container security calls for management across the whole lifecycle, from image build to runtime, with appropriate controls at every stage.
3. Kubernetes Security
3.1 Cluster Security
# Grant cluster-admin to the admin user (keep such bindings to a minimum)
$ kubectl create clusterrolebinding cluster-admin-binding \
    --clusterrole=cluster-admin \
    --user=admin
# Configure a Pod security policy
$ cat pod-security-policy.yaml
# Note: PodSecurityPolicy was removed in Kubernetes 1.25; on newer clusters use Pod Security
# Admission (namespace label pod-security.kubernetes.io/enforce: restricted) instead.
# A PSP only takes effect when the PodSecurityPolicy admission plugin is enabled and the
# pod's service account is granted the 'use' verb on the policy via RBAC.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  readOnlyRootFilesystem: true
# Apply the Pod security policy
$ kubectl apply -f pod-security-policy.yaml
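The docker run flags in 2.2 (--cap-drop=ALL, --read-only, no-new-privileges, --user) and the restricted PSP above enforce the same controls. The following added example (not from the original page) is a pre-submission check that reports which of those controls a Pod manifest leaves unset; unlike the real admission controller, which defaults some unset fields, it treats every control as something the manifest must state explicitly. The two manifests are constructed inline.

```python
# Added example: static check of a Pod manifest against the controls in the restricted PSP
# (privileged, allowPrivilegeEscalation, host namespaces, volume types, non-root user,
# read-only root filesystem, capabilities). Every field must be set explicitly to pass.
ALLOWED_VOLUME_TYPES = {"configMap", "emptyDir", "projected", "secret",
                        "downwardAPI", "persistentVolumeClaim"}

def pod_violations(pod):
    """Return a list of human-readable violations; an empty list means the Pod passes."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    found = []
    for field in ("hostNetwork", "hostIPC", "hostPID"):
        if spec.get(field):
            found.append(f"{field} must be false")
    for vol in spec.get("volumes", []):
        vtype = next((k for k in vol if k != "name"), None)   # the one non-name key is the type
        if vtype not in ALLOWED_VOLUME_TYPES:
            found.append(f"volume {vol['name']}: type {vtype} is not allowed")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            found.append(f"{c['name']}: privileged must be false")
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"{c['name']}: allowPrivilegeEscalation must be set to false")
        if sc.get("readOnlyRootFilesystem") is not True:
            found.append(f"{c['name']}: readOnlyRootFilesystem must be true")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            found.append(f"{c['name']}: capabilities.drop must include ALL")
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))          # container overrides pod
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if uid == 0 or (uid is None and non_root is not True):
            found.append(f"{c['name']}: must run as non-root (runAsNonRoot: true or a non-zero runAsUser)")
    return found

# Constructed manifests: the plain busybox Pod used later on this page, and a hardened variant.
PLAIN_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app-pod"},
             "spec": {"containers": [{"name": "app", "image": "busybox:1.32.0",
                                      "command": ["sleep", "3600"]}]}}
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app-pod"},
                "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
                         "containers": [{"name": "app", "image": "busybox:1.32.0",
                                         "command": ["sleep", "3600"],
                                         "securityContext": {"allowPrivilegeEscalation": False,
                                                             "readOnlyRootFilesystem": True,
                                                             "capabilities": {"drop": ["ALL"]}}}],
                         "volumes": [{"name": "tmp", "emptyDir": {}}]}}

if __name__ == "__main__":
    for name, pod in (("plain", PLAIN_POD), ("hardened", HARDENED_POD)):
        print(name, pod_violations(pod) or "OK")
```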
3.2 Namespace Security
$ kubectl create namespace production
# Configure a resource quota
$ cat resource-quota.yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: production-quota
  namespace: production
spec:
  hard:
    requests.cpu: "10"
    requests.memory: 20Gi
    limits.cpu: "20"
    limits.memory: 40Gi
    pods: "50"
    services: "10"
# Apply the resource quota
$ kubectl apply -f resource-quota.yaml -n production
# Configure a network policy that denies all ingress and egress by default
$ cat network-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
# Apply the network policy
$ kubectl apply -f network-policy.yaml -n production
4. Network Security
4.1 Network Isolation
$ cat allow-web.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 80
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: backend
      ports:
        - protocol: TCP
          port: 8080
# Apply the network policy
$ kubectl apply -f allow-web.yaml -n production
# Test the network policy (run the test pods in the production namespace: a podSelector peer
# only matches pods in the policy's own namespace)
$ kubectl run test -n production --image=busybox:1.32.0 --rm -it -- wget -qO- http://web:80
# Should fail: no network policy allows this traffic
$ kubectl run frontend -n production --image=busybox:1.32.0 --rm -it --labels=app=frontend -- wget -qO- http://web:80
# Should succeed because the policy allows it. Note that default-deny from 3.2 also blocks egress
# from the frontend pod, so it additionally needs an egress policy permitting DNS and TCP/80 to
# app=web before this test passes.
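To see why the second test depends on an egress rule, the following added example (not from the original page) evaluates the default-deny and allow-web policies the way the network plugin does: a connection needs an egress allow at the source and an ingress allow at the destination. It assumes a single namespace, matchLabels-only selectors, an explicit policyTypes list and numeric TCP ports; the policies and pod labels are constructed inline from the manifests above.

```python
# Added example: a small evaluator for the NetworkPolicy semantics used on this page.
# Assumptions: all pods share one namespace, selectors use matchLabels only,
# policyTypes is always present, and ports are numeric TCP ports.
def selects(selector, labels):
    """An empty selector ({}) matches every pod; all matchLabels must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def direction_allowed(policies, src, dst, port, direction):
    """Ingress is judged against policies selecting dst, Egress against policies selecting src."""
    subject, peer = (dst, src) if direction == "Ingress" else (src, dst)
    selecting = [p for p in policies
                 if direction in p["policyTypes"] and selects(p["podSelector"], subject)]
    if not selecting:
        return True                       # pod is not isolated in this direction
    rules_key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    for policy in selecting:              # policies are additive: any matching rule allows
        for rule in policy.get(rules_key, []):
            peer_ok = not rule.get(peer_key) or any(
                selects(p["podSelector"], peer) for p in rule[peer_key] if "podSelector" in p)
            port_ok = not rule.get("ports") or any(
                p.get("port") == port and p.get("protocol", "TCP") == "TCP" for p in rule["ports"])
            if peer_ok and port_ok:
                return True
    return False                          # isolated, and no rule allowed the traffic

def allowed(policies, src, dst, port):
    """A connection needs both an egress allow at the source and an ingress allow at the destination."""
    return (direction_allowed(policies, src, dst, port, "Egress")
            and direction_allowed(policies, src, dst, port, "Ingress"))

# Constructed inputs: the two policies from this page and the label sets of the pods used to test them.
DEFAULT_DENY = {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}
ALLOW_WEB = {
    "podSelector": {"matchLabels": {"app": "web"}},
    "policyTypes": ["Ingress", "Egress"],
    "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                 "ports": [{"protocol": "TCP", "port": 80}]}],
    "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "backend"}}}],
                "ports": [{"protocol": "TCP", "port": 8080}]}],
}
PODS = {"test": {}, "frontend": {"app": "frontend"}, "web": {"app": "web"}, "backend": {"app": "backend"}}

if __name__ == "__main__":
    both = [DEFAULT_DENY, ALLOW_WEB]
    print("test -> web:80     ", allowed(both, PODS["test"], PODS["web"], 80))      # False
    print("frontend -> web:80 ", allowed(both, PODS["frontend"], PODS["web"], 80))  # False: default-deny blocks egress
    print("ingress side only  ", direction_allowed(both, PODS["frontend"], PODS["web"], 80, "Ingress"))  # True
```

With only allow-web applied (no default-deny), frontend to web:80 is permitted while the unlabelled test pod is still rejected on the ingress side, which is the behaviour the two kubectl run commands above are meant to show.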
4.2 Service Mesh Security
$ istioctl install --set profile=default -y
# Enable mTLS
$ kubectl apply -f - <
5. Identity and Access Management
5.1 ServiceAccount Management
$ kubectl create serviceaccount app-sa
# Bind a role
$ kubectl create role app-role \
    --verb=get,list,watch \
    --resource=pods,services
$ kubectl create rolebinding app-role-binding \
    --role=app-role \
    --serviceaccount=default:app-sa
# Use the ServiceAccount in a Pod
$ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-pod
spec:
  serviceAccountName: app-sa
  containers:
    - name: app
      image: busybox:1.32.0
      command: ["sleep", "3600"]
# Apply the Pod configuration
$ kubectl apply -f pod.yaml
5.2 RBAC Configuration
$ kubectl create clusterrole monitor \
    --verb=get,list,watch \
    --resource=pods,nodes,services,endpoints
# Create a cluster role binding
$ kubectl create clusterrolebinding monitor-binding \
    --clusterrole=monitor \
    --user=monitor
# Verify permissions
$ kubectl auth can-i get pods --as=monitor
yes
$ kubectl auth can-i delete pods --as=monitor
no
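The following added example (not from the original page) models how the API server answers kubectl auth can-i from the roles and bindings created in 5.1 and 5.2, and shows the difference between a RoleBinding (namespaced) and a ClusterRoleBinding (cluster-wide). Role aggregation, resourceNames and subresources are not modelled; the subject naming scheme (user:NAME, sa:NAMESPACE:NAME) is an assumption.

```python
# Added example: a minimal model of RBAC authorization for 'kubectl auth can-i'.
# Assumptions: no aggregation, resourceNames or subresources; subjects are plain strings.
def rule_grants(rule, verb, resource):
    """A rule grants the request when both verb and resource match (or are wildcarded)."""
    return ((verb in rule["verbs"] or "*" in rule["verbs"])
            and (resource in rule["resources"] or "*" in rule["resources"]))

def can_i(roles, bindings, subject, verb, resource, namespace):
    """True if any binding for `subject` grants `verb` on `resource` in `namespace`.
    A ClusterRoleBinding applies in every namespace; a RoleBinding only in its own."""
    for b in bindings:
        if subject not in b["subjects"]:
            continue
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue
        if any(rule_grants(r, verb, resource) for r in roles[b["roleRef"]]):
            return True
    return False                       # RBAC is deny-by-default: no binding, no access

# Constructed inputs: the roles and bindings created in 5.1 and 5.2, plus the built-in cluster-admin.
ROLES = {
    "cluster-admin": [{"verbs": ["*"], "resources": ["*"]}],
    "monitor": [{"verbs": ["get", "list", "watch"],
                 "resources": ["pods", "nodes", "services", "endpoints"]}],
    "app-role": [{"verbs": ["get", "list", "watch"], "resources": ["pods", "services"]}],
}
BINDINGS = [
    {"kind": "ClusterRoleBinding", "roleRef": "cluster-admin", "subjects": ["user:admin"]},
    {"kind": "ClusterRoleBinding", "roleRef": "monitor", "subjects": ["user:monitor"]},
    {"kind": "RoleBinding", "namespace": "default", "roleRef": "app-role",
     "subjects": ["sa:default:app-sa"]},
]

if __name__ == "__main__":
    print(can_i(ROLES, BINDINGS, "user:monitor", "get", "pods", "default"))           # True
    print(can_i(ROLES, BINDINGS, "user:monitor", "delete", "pods", "default"))        # False
    print(can_i(ROLES, BINDINGS, "sa:default:app-sa", "get", "pods", "production"))   # False: RoleBinding is namespaced
```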
5.3 OIDC Integration
$ cat kube-apiserver.yaml
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: v1.23.0
apiServer:
  extraArgs:
    oidc-issuer-url: https://accounts.google.com
    oidc-client-id: your-client-id
    oidc-username-claim: email
    oidc-groups-claim: groups
# Apply the configuration
$ kubeadm init --config=kube-apiserver.yaml
# Create a cluster role binding for the OIDC user
$ kubectl create clusterrolebinding oidc-admin \
    --clusterrole=cluster-admin \
    --user=user@fgedu.net.cn
6. Secret Management
6.1 Kubernetes Secrets
# Note: Secret values are only base64-encoded in etcd unless encryption at rest is enabled
$ kubectl create secret generic app-secret \
    --from-literal=username=admin \
    --from-literal=password=secret123
# Use the Secret in a Pod
$ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-pod
spec:
  containers:
    - name: app
      image: busybox:1.32.0
      command: ["sleep", "3600"]
      env:
        - name: USERNAME
          valueFrom:
            secretKeyRef:
              name: app-secret
              key: username
        - name: PASSWORD
          valueFrom:
            secretKeyRef:
              name: app-secret
              key: password
# Apply the Pod configuration
$ kubectl apply -f pod.yaml
6.2 External Secrets Operator
$ helm repo add external-secrets https://charts.external-secrets.io
$ helm install external-secrets external-secrets/external-secrets \
    -n external-secrets \
    --create-namespace
# Create a SecretStore (the aws-credentials Secret it references must already exist in the namespace)
$ cat secret-store.yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets
  namespace: default
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-west-2
      auth:
        secretRef:
          accessKeyIDSecretRef:
            name: aws-credentials
            key: access-key
          secretAccessKeySecretRef:
            name: aws-credentials
            key: secret-access-key
# Apply the SecretStore configuration
$ kubectl apply -f secret-store.yaml
# Create an ExternalSecret
$ cat external-secret.yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-secret
  namespace: default
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets
    kind: SecretStore
  target:
    name: app-secret
  data:
    - secretKey: username
      remoteRef:
        key: app-credentials
        property: username
    - secretKey: password
      remoteRef:
        key: app-credentials
        property: password
# Apply the ExternalSecret configuration
$ kubectl apply -f external-secret.yaml
6.3 Vault Integration
$ helm repo add hashicorp https://helm.releases.hashicorp.com
$ helm install vault hashicorp/vault \
    -n vault \
    --create-namespace
# Configure Vault (init prints the unseal keys and root token; unseal prompts for one unseal key
# and must be repeated until the threshold is reached)
$ kubectl exec -it vault-0 -n vault -- vault operator init
$ kubectl exec -it vault-0 -n vault -- vault operator unseal
# Install the Vault CSI provider (it also requires the Secrets Store CSI Driver to be installed)
$ helm install vault-csi-provider hashicorp/vault-csi-provider \
    -n vault
# Use Vault secrets in a Pod (a SecretProviderClass named vault-db must exist in the Pod's namespace)
$ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-pod
spec:
  containers:
    - name: app
      image: busybox:1.32.0
      command: ["sleep", "3600"]
      volumeMounts:
        - name: secrets-store-inline
          mountPath: /mnt/secrets-store
          readOnly: true
  volumes:
    - name: secrets-store-inline
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "vault-db"
# Apply the Pod configuration
$ kubectl apply -f pod.yaml
7. Runtime Security
7.1 Runtime Monitoring
$ helm repo add falcosecurity https://falcosecurity.github.io/charts
$ helm install falco falcosecurity/falco \
    -n falco \
    --create-namespace
# View Falco alerts (the chart deploys Falco as a DaemonSet, one pod per node)
$ kubectl logs -n falco daemonset/falco
# Install Aqua Security
$ helm repo add aqua https://aquasecurity.github.io/helm-charts/
$ helm install aqua aqua/aqua \
    -n aqua \
    --create-namespace \
    --set global.aqua.password=your-password
# Open the Aqua console
$ kubectl port-forward -n aqua svc/aqua-web 8080:8080
# Visit http://fgedudb:8080
7.2 Behaviour Analysis
$ cat custom-rules.yaml
# spawned_process, container and shell_procs are macros from Falco's default ruleset
- rule: Unexpected shell in container
  desc: Detect shell spawned in a container
  condition: spawned_process and container and shell_procs
  output: "Shell spawned in container (user=%user.name, command=%proc.cmdline, container_id=%container.id, image=%container.image.repository)"
  priority: WARNING
# Apply the rule by mounting it into Falco's rules.d directory
$ kubectl create configmap falco-rules \
    --from-file=custom-rules.yaml \
    -n falco
$ kubectl patch daemonset falco -n falco \
    --patch '{"spec":{"template":{"spec":{"volumes":[{"name":"rules","configMap":{"name":"falco-rules"}}],"containers":[{"name":"falco","volumeMounts":[{"name":"rules","mountPath":"/etc/falco/rules.d"}]}]}}}'
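To show what the rule above actually fires on, the following added example (not Falco's code and not from the original page) evaluates its condition against constructed process events and renders the output string. The macro definitions are simplified stand-ins for the ones in Falco's default ruleset (assumption): spawned_process is an execve event, container means a container id other than "host", and shell_procs means the process name is a known shell.

```python
# Added example: evaluating the custom Falco rule against constructed process events.
# The macro definitions below are simplified assumptions, not Falco's own.
SHELLS = {"sh", "bash", "dash", "ash", "zsh", "ksh"}
MACROS = {
    "spawned_process": lambda e: e["evt.type"] == "execve",
    "container": lambda e: e["container.id"] != "host",   # Falco reports "host" outside containers
    "shell_procs": lambda e: e["proc.name"] in SHELLS,
}

def condition_matches(condition, event):
    """Evaluate a condition made of macro names joined by 'and' (the form used in the rule above)."""
    return all(MACROS[name](event) for name in condition.split(" and "))

def alerts(rule, events):
    """Return the formatted alert line for every event that matches the rule."""
    out = []
    for e in events:
        if condition_matches(rule["condition"], e):
            text = rule["output"]
            for field, value in e.items():          # substitute %field placeholders
                text = text.replace("%" + field, str(value))
            out.append(f"{rule['priority']} {text}")
    return out

RULE = {"rule": "Unexpected shell in container",
        "condition": "spawned_process and container and shell_procs",
        "output": "Shell spawned in container (user=%user.name, command=%proc.cmdline, "
                  "container_id=%container.id, image=%container.image.repository)",
        "priority": "WARNING"}

# Constructed events: a shell in a container, a shell on the host, and a non-shell in a container.
EVENTS = [
    {"evt.type": "execve", "proc.name": "sh", "proc.cmdline": "sh -c id", "user.name": "root",
     "container.id": "3f9a1c2b7d4e", "container.image.repository": "nginx"},
    {"evt.type": "execve", "proc.name": "bash", "proc.cmdline": "bash", "user.name": "ops",
     "container.id": "host", "container.image.repository": ""},
    {"evt.type": "execve", "proc.name": "nginx", "proc.cmdline": "nginx -g daemon off;",
     "user.name": "nginx", "container.id": "3f9a1c2b7d4e", "container.image.repository": "nginx"},
]

if __name__ == "__main__":
    for line in alerts(RULE, EVENTS):
        print(line)   # only the first event produces a WARNING line
```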
8. Compliance and Auditing
8.1 Audit Logs
$ cat audit-policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # RequestResponse records request and response bodies, so Secret values end up in the audit
  # log; protect the log file accordingly (Metadata is the safer level for secrets)
  - level: RequestResponse
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
  - level: Metadata
    resources:
      - group: ""
        resources: ["pods", "services"]
      # deployments belong to the apps API group, not the core ("") group
      - group: "apps"
        resources: ["deployments"]
# Configure kube-apiserver
$ cat kube-apiserver.yaml
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: v1.23.0
apiServer:
  extraArgs:
    audit-log-path: /var/log/kubernetes/audit.log
    audit-policy-file: /etc/kubernetes/audit-policy.yaml
    audit-log-maxage: "30"
    audit-log-maxbackup: "10"
    audit-log-maxsize: "100"
  # kubeadm runs the API server as a static pod, so the policy file and the log directory must
  # also be mounted into it via apiServer.extraVolumes
# Apply the configuration
$ kubeadm init --config=kube-apiserver.yaml
# View the audit log. It is written to audit-log-path on the control-plane node; kubectl logs shows
# the API server's own output, which only contains audit events when audit-log-path is "-" (stdout)
$ kubectl logs kube-apiserver-master -n kube-system
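The following added example (not from the original page) shows how the API server picks an audit level from the policy above: rules are tried in order, the first match wins, and a request matching no rule is not logged. It also demonstrates why "deployments" must be listed under the apps group rather than the core group. Only the group/resources matchers used on this page are modelled (assumption); the requests are constructed inline.

```python
# Added example: audit level selection for the policy in 8.1 (first matching rule wins,
# no match means the request is not logged). Assumption: only group/resources matchers.
POLICY = {"rules": [
    {"level": "RequestResponse",
     "resources": [{"group": "", "resources": ["secrets", "configmaps"]}]},
    {"level": "Metadata",
     "resources": [{"group": "", "resources": ["pods", "services"]},
                   {"group": "apps", "resources": ["deployments"]}]},
]}

# The page's original policy placed deployments in the core ("") group, where they never match.
ORIGINAL_POLICY = {"rules": [
    {"level": "Metadata",
     "resources": [{"group": "", "resources": ["pods", "services", "deployments"]}]},
]}

def rule_matches(rule, request):
    """A rule without a resources matcher is a catch-all; otherwise group and resource must match."""
    if "resources" not in rule:
        return True
    return any(r["group"] == request["group"] and request["resource"] in r["resources"]
               for r in rule["resources"])

def audit_level(policy, request):
    """Return the level of the first matching rule, or None when the request is not logged."""
    for rule in policy["rules"]:
        if rule_matches(rule, request):
            return rule["level"]
    return None

# Constructed requests as the audit backend would see them (verb, API group, resource)
REQUESTS = [
    {"verb": "get", "group": "", "resource": "secrets"},
    {"verb": "list", "group": "apps", "resource": "deployments"},
    {"verb": "get", "group": "", "resource": "nodes"},
]

if __name__ == "__main__":
    for req in REQUESTS:
        print(req["verb"], req["resource"], "->", audit_level(POLICY, req))
    print("deployments under the original policy ->", audit_level(ORIGINAL_POLICY, REQUESTS[1]))
```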
8.2 Compliance Scanning
# Install kubesec (review the script before piping it into a shell)
$ curl -s https://raw.githubusercontent.com/controlplaneio/kubesec/master/install.sh | bash
# Scan Kubernetes resources
$ kubesec scan deployment.yaml
# Install Prisma Cloud
$ helm repo add twistlock https://registry.prismacloud.io/charts/twistlock
$ helm install prismacloud twistlock/twistlock \
    -n prismacloud \
    --create-namespace \
    --set global.twistlock.url=your-prisma-cloud-url \
    --set global.twistlock.token=your-token
# Run a compliance scan
$ kubectl exec -n prismacloud deployment/twistlock-defender -- twistcli scan kubernetes
9. Best Practices
9.1 Security Architecture Best Practices
- Adopt a zero-trust architecture
- Implement a defense-in-depth strategy
- Use a service mesh to strengthen security
- Conduct regular security assessments
9.2 Container Security Best Practices
- Use official images
- Scan images for vulnerabilities regularly
- Use minimal base images
- Run containers as a non-root user
- Restrict container privileges
9.3 Kubernetes Security Best Practices
- Enable RBAC
- Configure Pod security policies
- Use network policies
- Keep the Kubernetes version up to date
- Configure audit logging
9.4 Secret Management Best Practices
- Manage sensitive data with Secrets
- Integrate an external secret management system
- Rotate secrets regularly
- Restrict access to Secrets
10. Security Tools
10.1 Image Security Tools
- Trivy: open-source vulnerability scanner
- Clair: container image vulnerability scanning
- Docker Scout: Docker's official security analysis tool
- Aqua Security: commercial container security platform
10.2 Runtime Security Tools
- Falco: runtime security monitoring
- Aqua Security: runtime protection
- Prisma Cloud: cloud security platform
- Calico: network security and policy management
10.3 Compliance Tools
- Kubesec: Kubernetes configuration security scanning
- Kube-bench: Kubernetes CIS benchmark testing
- Prisma Cloud: compliance scanning
- Auditbeat: audit log collection and analysis
Recommendations for Production
- Establish a comprehensive cloud-native security policy
- Deploy automated security tooling
- Provide regular security training
- Establish a security incident response process
- Continuously monitor and improve security controls
This article was compiled and published by Fengge Tutorials for learning and testing purposes only; when reposting, cite the source: http://www.fgedu.net.cn/10327.html
