Contents
1. Kubernetes security overview
Kubernetes security is the set of measures that keep a Kubernetes cluster and the applications it runs secure. As a container orchestration platform, Kubernetes faces its own set of security challenges and has to be protected at several layers.
The core areas of Kubernetes security are:
- Cluster security: protecting the Kubernetes control plane and nodes
- Pod security: ensuring Pods are configured and run securely
- Network security: protecting network traffic inside and outside the cluster
- Identity and access management: controlling access to cluster resources
- Secrets management: storing and managing sensitive data securely
- Runtime security: monitoring and protecting running containers
- Compliance and auditing: ensuring the cluster meets security standards and regulations
2. Cluster security
2.1 Control plane security
$ cat kube-apiserver.yaml
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: v1.23.0
apiServer:
  extraArgs:
    anonymous-auth: "false"
    authorization-mode: "RBAC"
    # PodSecurityPolicy is deprecated since v1.21 and removed in v1.25; newer clusters use Pod Security Admission
    enable-admission-plugins: "NodeRestriction,PodSecurityPolicy,ServiceAccount"
    tls-cert-file: "/etc/kubernetes/pki/apiserver.crt"
    tls-private-key-file: "/etc/kubernetes/pki/apiserver.key"
    audit-log-path: "/var/log/kubernetes/audit.log"
    audit-policy-file: "/etc/kubernetes/audit-policy.yaml"
# Configure etcd security
$ cat etcd.yaml
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: v1.23.0
etcd:
  local:
    dataDir: "/var/lib/etcd"
    extraArgs:
      client-cert-auth: "true"
      peer-client-cert-auth: "true"
      cert-file: "/etc/kubernetes/pki/etcd/server.crt"
      key-file: "/etc/kubernetes/pki/etcd/server.key"
      peer-cert-file: "/etc/kubernetes/pki/etcd/peer.crt"
      peer-key-file: "/etc/kubernetes/pki/etcd/peer.key"
      trusted-ca-file: "/etc/kubernetes/pki/etcd/ca.crt"
# Configure controller manager security
$ cat kube-controller-manager.yaml
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: v1.23.0
controllerManager:
  extraArgs:
    use-service-account-credentials: "true"
    cluster-signing-cert-file: "/etc/kubernetes/pki/ca.crt"
    cluster-signing-key-file: "/etc/kubernetes/pki/ca.key"
# Configure scheduler security
$ cat kube-scheduler.yaml
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: v1.23.0
scheduler:
  extraArgs:
    # kube-scheduler has no use-service-account-credentials flag (that is a controller-manager flag);
    # disabling the profiling endpoint is the CIS-recommended hardening setting for the scheduler
    profiling: "false"
2.2 Node security
$ cat kubelet.yaml
# kubeadm has no NodeConfiguration kind; kubelet settings use the KubeletConfiguration type
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
authorization:
  mode: Webhook
tlsCertFile: "/var/lib/kubelet/pki/kubelet.crt"
tlsPrivateKeyFile: "/var/lib/kubelet/pki/kubelet.key"
rotateCertificates: true
serverTLSBootstrap: true
# Configure the node security group
$ aws ec2 create-security-group \
  --group-name kubernetes-node \
  --description "Kubernetes node security group"
$ aws ec2 authorize-security-group-ingress \
  --group-id sg-12345678 \
  --protocol tcp \
  --port 10250 \
  --source-security-group-id sg-87654321
# Configure the node firewall
$ ufw allow 22/tcp
$ ufw allow 10250/tcp
$ ufw allow 30000:32767/tcp
$ ufw enable
风哥 tip: cluster security is the foundation of Kubernetes security; every layer, from the control plane down to the nodes, needs protection.
3. Pod security
3.1 Pod security policies
$ cat pod-security-policy.yaml
# PodSecurityPolicy is deprecated since v1.21 and removed in v1.25; on newer clusters use Pod Security Admission instead
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  readOnlyRootFilesystem: true
# Apply the Pod security policy
$ kubectl apply -f pod-security-policy.yaml
# Authorize users to use the Pod security policy
$ kubectl create clusterrole psp:restricted \
  --verb=use \
  --resource=podsecuritypolicies \
  --resource-name=restricted
$ kubectl create clusterrolebinding default:psp:restricted \
  --clusterrole=psp:restricted \
  --group=system:authenticated
3.2 Security context
$ cat secure-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 2000
  containers:
    - name: app
      image: nginx:1.19.10
      securityContext:
        runAsUser: 1001   # a container-level value overrides the pod-level runAsUser
        allowPrivilegeEscalation: false
        capabilities:
          # add only capabilities the application really needs; the restricted PSP above has no
          # allowedCapabilities, so it would reject a Pod that adds any
          add: ["NET_ADMIN", "SYS_TIME"]
          drop: ["ALL"]
        readOnlyRootFilesystem: true
      volumeMounts:
        - name: data
          mountPath: /data
          readOnly: false
  volumes:
    - name: data
      emptyDir: {}
# Apply the Pod configuration
$ kubectl apply -f secure-pod.yaml
# Verify the security context
$ kubectl exec secure-pod -- id
uid=1001 gid=1001 groups=2000
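As an added example (not part of the original tutorial), the following Python script applies the checks that the restricted PodSecurityPolicy in 3.1 encodes to a Pod object in the JSON form that `kubectl get pod -o json` returns, which is a convenient way to pre-check manifests in CI or to audit running Pods on clusters where PSP is no longer available. The sample Pod object is constructed inline from the secure-pod manifest above; the field names are the standard Pod API fields. Running it shows that secure-pod would still be rejected by the restricted policy because it adds NET_ADMIN and SYS_TIME.

```python
import json

# Constructed sample: the secure-pod manifest above in the JSON shape that
# `kubectl get pod secure-pod -o json` returns (only the relevant fields).
SECURE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "secure-pod"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "fsGroup": 2000},
        "containers": [{
            "name": "app",
            "image": "nginx:1.19.10",
            "securityContext": {
                "runAsUser": 1001,
                "allowPrivilegeEscalation": False,
                "capabilities": {"add": ["NET_ADMIN", "SYS_TIME"], "drop": ["ALL"]},
                "readOnlyRootFilesystem": True,
            },
        }],
        "volumes": [{"name": "data", "emptyDir": {}}],
    },
}

# Volume types the restricted PodSecurityPolicy allows
ALLOWED_VOLUME_TYPES = {"configMap", "emptyDir", "projected", "secret", "downwardAPI", "persistentVolumeClaim"}


def effective_context(pod_ctx, container_ctx):
    """Container-level securityContext fields override pod-level ones."""
    merged = dict(pod_ctx or {})
    merged.update(container_ctx or {})
    return merged


def check_pod(pod):
    """Return a list of policy violations; an empty list means the Pod passes."""
    findings = []
    spec = pod.get("spec", {})
    for host_field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(host_field):
            findings.append(f"pod: {host_field} is true")
    for vol in spec.get("volumes", []):
        for vol_type in (k for k in vol if k != "name"):
            if vol_type not in ALLOWED_VOLUME_TYPES:
                findings.append(f"volume {vol.get('name')}: type {vol_type} is not allowed")
    pod_ctx = spec.get("securityContext", {})
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        name = container.get("name")
        ctx = effective_context(pod_ctx, container.get("securityContext"))
        if ctx.get("privileged"):
            findings.append(f"{name}: privileged container")
        # allowPrivilegeEscalation defaults to true, so it must be set to false explicitly
        if ctx.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        # MustRunAsNonRoot: either runAsNonRoot is true or a non-zero runAsUser is set
        if not ctx.get("runAsNonRoot") and ctx.get("runAsUser", 0) == 0:
            findings.append(f"{name}: may run as root")
        caps = ctx.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: does not drop ALL capabilities")
        # the policy has no allowedCapabilities, so any added capability is a violation
        for cap in caps.get("add", []):
            findings.append(f"{name}: adds capability {cap}")
        if not ctx.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
    return findings


def check_pod_json(text):
    """Check a Pod given as JSON text, e.g. the output of kubectl get pod -o json."""
    return check_pod(json.loads(text))


if __name__ == "__main__":
    for finding in check_pod(SECURE_POD) or ["secure-pod: no violations"]:
        print(finding)
```

The merge in `effective_context` mirrors how the kubelet resolves the two securityContext levels, which is why the container's `runAsUser: 1001` wins over the pod's 1000 and why a pod-level `runAsNonRoot: true` satisfies the non-root check for every container.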
4. Network security
4.1 Network policies
$ cat default-deny.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: default
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
# Apply the default-deny network policy
$ kubectl apply -f default-deny.yaml
# Create a network policy that allows specific traffic
$ cat allow-web.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 80
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: backend
      ports:
        - protocol: TCP
          port: 8080
# Apply the network policy
$ kubectl apply -f allow-web.yaml
# Test the network policy
$ kubectl run test --image=busybox:1.32.0 --rm -it -- wget -qO- http://web:80
# Should fail, because no network policy allows it
$ kubectl run frontend --image=busybox:1.32.0 --rm -it --labels=app=frontend -- wget -qO- http://web:80
# Should succeed, because a network policy allows it
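The following Python evaluator is an added example (not from the tutorial) that reproduces the NetworkPolicy semantics the two manifests above rely on: a pod that no policy selects is open, a selected pod needs a matching rule, and a connection needs both the source's egress and the destination's ingress to be allowed. The pod inventory and policy objects are constructed inline in the shape `kubectl get networkpolicy -o json` returns. It goes one step beyond the page: because `default-deny` also selects the frontend pod for Egress, the frontend's request to `web` is blocked until an egress rule for frontend pods exists, so a constructed `allow-frontend-egress` policy (an assumption, not part of the tutorial) is included to show the difference. Only same-namespace `podSelector` peers are modelled; `namespaceSelector` and `ipBlock` peers are ignored.

```python
# Constructed inventory of pods in namespace "default" and their labels.
PODS = {
    "web": {"app": "web"},
    "frontend": {"app": "frontend"},
    "backend": {"app": "backend"},
    "test": {},
}

# The two policies from the tutorial, as kubectl get networkpolicy -o json returns them.
DEFAULT_DENY = {
    "metadata": {"name": "default-deny"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}
ALLOW_WEB = {
    "metadata": {"name": "allow-web"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "web"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                     "ports": [{"protocol": "TCP", "port": 80}]}],
        "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "backend"}}}],
                    "ports": [{"protocol": "TCP", "port": 8080}]}],
    },
}
# Constructed extra policy (assumption, not in the tutorial): without it the frontend
# pod's own egress is still blocked by default-deny, so its request to web never leaves.
ALLOW_FRONTEND_EGRESS = {
    "metadata": {"name": "allow-frontend-egress"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "frontend"}},
        "policyTypes": ["Egress"],
        "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "web"}}}],
                    "ports": [{"protocol": "TCP", "port": 80}]}],
    },
}
TUTORIAL_POLICIES = [DEFAULT_DENY, ALLOW_WEB]
FIXED_POLICIES = TUTORIAL_POLICIES + [ALLOW_FRONTEND_EGRESS]


def selector_matches(selector, labels):
    """An empty selector ({}) matches every pod; otherwise every matchLabels entry must match."""
    return all(labels.get(key) == value for key, value in (selector or {}).get("matchLabels", {}).items())


def policy_types(spec):
    """policyTypes defaults to Ingress, plus Egress when the policy carries egress rules."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def rule_matches(rule, peer_key, peer_labels, protocol, port):
    """A rule matches when its peer list (or absence of one) covers the peer and its port list covers the port."""
    peers = rule.get(peer_key, [])
    peer_ok = not peers or any(
        selector_matches(peer["podSelector"], peer_labels) for peer in peers if "podSelector" in peer
    )
    ports = rule.get("ports", [])
    port_ok = not ports or any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)
    return peer_ok and port_ok


def direction_allowed(direction, pod_labels, peer_labels, protocol, port, policies):
    """Ingress or Egress check for one pod: unselected pods are open; selected pods need a matching rule."""
    peer_key = "from" if direction == "Ingress" else "to"
    selecting = [
        policy["spec"] for policy in policies
        if selector_matches(policy["spec"].get("podSelector", {}), pod_labels)
        and direction in policy_types(policy["spec"])
    ]
    if not selecting:
        return True
    return any(
        rule_matches(rule, peer_key, peer_labels, protocol, port)
        for spec in selecting for rule in spec.get(direction.lower(), [])
    )


def connection_allowed(src, dst, port, policies, protocol="TCP"):
    """Traffic flows only if the source's egress AND the destination's ingress both allow it."""
    egress_ok = direction_allowed("Egress", PODS[src], PODS[dst], protocol, port, policies)
    ingress_ok = direction_allowed("Ingress", PODS[dst], PODS[src], protocol, port, policies)
    return egress_ok and ingress_ok


if __name__ == "__main__":
    for src, dst, port in [("test", "web", 80), ("frontend", "web", 80), ("web", "backend", 8080)]:
        print(src, "->", dst, port, "tutorial:", connection_allowed(src, dst, port, TUTORIAL_POLICIES),
              "with frontend egress:", connection_allowed(src, dst, port, FIXED_POLICIES))
```

The same evaluation shows that `web -> backend:8080` is still denied even with the extra policy: `allow-web` permits the egress side, but `default-deny` selects `backend` for Ingress and nothing allows traffic in, so each hop needs rules on both ends (and real clusters additionally need an egress rule for DNS to kube-dns).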
4.2 Service mesh security
$ istioctl install --set profile=default -y
# Enable mTLS
$ kubectl apply -f - <
5. Identity and access management
5.1 RBAC configuration
$ kubectl create role app-role \
  --verb=get,list,watch \
  --resource=pods,services,deployments
# Create a role binding
$ kubectl create rolebinding app-role-binding \
  --role=app-role \
  --serviceaccount=default:app-sa
# Create a cluster role
$ kubectl create clusterrole cluster-reader \
  --verb=get,list,watch \
  --resource=pods,nodes,services,namespaces
# Create a cluster role binding
$ kubectl create clusterrolebinding cluster-reader-binding \
  --clusterrole=cluster-reader \
  --user=reader
# Verify permissions
$ kubectl auth can-i get pods --as=reader
yes
$ kubectl auth can-i delete pods --as=reader
no
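As an added example (not part of the tutorial), this Python script re-implements the decision `kubectl auth can-i` makes, against the Role, ClusterRole and binding objects created by the commands above plus the `psp:restricted` ClusterRole from 3.1. The objects are constructed inline in the shape of the RBAC API; `kubectl create role` puts `deployments` into a separate rule for the `apps` API group, which the constructed Role reflects. It is useful for reviewing an RBAC dump offline, and it makes two rules visible that are easy to get wrong: a RoleBinding grants only inside its own namespace even when it references a ClusterRole, and a ServiceAccount is implicitly a member of `system:authenticated` and the `system:serviceaccounts` groups. Aggregated ClusterRoles and `nonResourceURLs` rules are not modelled.

```python
# Constructed RBAC objects matching the kubectl create commands above.
ROLES = {
    ("default", "app-role"): [
        {"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["get", "list", "watch"]},
        # kubectl create role resolves deployments to the apps API group, hence a second rule
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch"]},
    ],
}
CLUSTER_ROLES = {
    "cluster-reader": [
        {"apiGroups": [""], "resources": ["pods", "nodes", "services", "namespaces"],
         "verbs": ["get", "list", "watch"]},
    ],
    # the psp:restricted ClusterRole from section 3.1
    "psp:restricted": [
        {"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
         "resourceNames": ["restricted"], "verbs": ["use"]},
    ],
}
ROLE_BINDINGS = [
    {"namespace": "default", "roleRef": {"kind": "Role", "name": "app-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "app-sa", "namespace": "default"}]},
]
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "cluster-reader"},
     "subjects": [{"kind": "User", "name": "reader"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "psp:restricted"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
]

# Constructed identities to query, in the shape of a binding subject
READER = {"kind": "User", "name": "reader"}
APP_SA = {"kind": "ServiceAccount", "name": "app-sa", "namespace": "default"}


def subject_groups(subject):
    """Groups the API server attaches to an authenticated identity."""
    groups = set(subject.get("groups", []))
    if subject["kind"] == "ServiceAccount":
        groups |= {"system:serviceaccounts", f"system:serviceaccounts:{subject['namespace']}"}
    groups.add("system:authenticated")
    return groups


def subject_matches(binding_subject, subject):
    kind = binding_subject["kind"]
    if kind == "Group":
        return binding_subject["name"] in subject_groups(subject)
    if kind != subject["kind"] or binding_subject["name"] != subject["name"]:
        return False
    # ServiceAccounts are namespaced, so the namespace must match as well
    return kind != "ServiceAccount" or binding_subject.get("namespace") == subject.get("namespace")


def binding_covers(binding, subject):
    return any(subject_matches(s, subject) for s in binding.get("subjects", []))


def rules_for(role_ref, binding_namespace):
    if role_ref["kind"] == "ClusterRole":
        return CLUSTER_ROLES.get(role_ref["name"], [])
    return ROLES.get((binding_namespace, role_ref["name"]), [])


def rule_allows(rule, verb, resource, api_group, resource_name):
    def covers(values, wanted):
        return "*" in values or wanted in values
    if not (covers(rule.get("apiGroups", []), api_group)
            and covers(rule.get("resources", []), resource)
            and covers(rule.get("verbs", []), verb)):
        return False
    names = rule.get("resourceNames", [])
    return not names or resource_name in names


def can_i(subject, verb, resource, namespace=None, api_group="", resource_name=None):
    """Mimic kubectl auth can-i: True if any bound rule grants the request.
    namespace=None means a cluster-scoped request (e.g. nodes)."""
    rules = []
    for binding in CLUSTER_ROLE_BINDINGS:
        if binding_covers(binding, subject):
            rules += rules_for(binding["roleRef"], None)
    for binding in ROLE_BINDINGS:
        # a RoleBinding only grants inside its own namespace, even when it references a ClusterRole
        if namespace is not None and binding["namespace"] == namespace and binding_covers(binding, subject):
            rules += rules_for(binding["roleRef"], binding["namespace"])
    return any(rule_allows(r, verb, resource, api_group, resource_name) for r in rules)


if __name__ == "__main__":
    print("reader get pods:", can_i(READER, "get", "pods", "default"))        # yes, as on the page
    print("reader delete pods:", can_i(READER, "delete", "pods", "default"))  # no, as on the page
    print("app-sa get pods in kube-system:", can_i(APP_SA, "get", "pods", "kube-system"))
```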
5.2 ServiceAccount management
$ kubectl create serviceaccount app-sa
# Create a token Secret for the ServiceAccount. The API server requires the
# kubernetes.io/service-account.name annotation on this Secret type (and --from-literal cannot set it),
# so the Secret is created from a manifest
$ kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: app-sa-token
  namespace: default
  annotations:
    kubernetes.io/service-account.name: app-sa
type: kubernetes.io/service-account-token
EOF
# Use the ServiceAccount in a Pod
$ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-pod
spec:
  serviceAccountName: app-sa
  containers:
    - name: app
      image: busybox:1.32.0
      command: ["sleep", "3600"]
# Apply the Pod configuration
$ kubectl apply -f pod.yaml
# View the ServiceAccount token (the token controller fills in the data after the Secret is created)
$ kubectl get secret app-sa-token -o jsonpath='{.data.token}' | base64 --decode
5.3 OIDC integration
$ cat kube-apiserver.yaml
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: v1.23.0
apiServer:
  extraArgs:
    oidc-issuer-url: https://accounts.google.com
    oidc-client-id: your-client-id
    oidc-username-claim: email
    oidc-groups-claim: groups
# Apply the configuration
$ kubeadm init --config=kube-apiserver.yaml
# Create a cluster role binding
$ kubectl create clusterrolebinding oidc-admin \
  --clusterrole=cluster-admin \
  --user=user@fgedu.net.cn
6. Secrets management
6.1 Kubernetes Secrets
$ kubectl create secret generic app-secret \
  --from-literal=username=admin \
  --from-literal=password=secret123
# View the Secret (data is only base64-encoded, so anyone allowed to get secrets can read it;
# restrict that verb with RBAC and enable encryption at rest in etcd)
$ kubectl get secret app-secret -o yaml
# Use the Secret in a Pod
$ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-pod
spec:
  containers:
    - name: app
      image: busybox:1.32.0
      command: ["sleep", "3600"]
      env:
        - name: USERNAME
          valueFrom:
            secretKeyRef:
              name: app-secret
              key: username
        - name: PASSWORD
          valueFrom:
            secretKeyRef:
              name: app-secret
              key: password
# Apply the Pod configuration
$ kubectl apply -f pod.yaml
6.2 External Secrets Operator
$ helm repo add external-secrets https://charts.external-secrets.io
$ helm install external-secrets external-secrets/external-secrets \
  -n external-secrets \
  --create-namespace
# Create a SecretStore
$ cat secret-store.yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets
  namespace: default
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-west-2
      auth:
        secretRef:
          accessKeyIDSecretRef:
            name: aws-credentials
            key: access-key
          secretAccessKeySecretRef:
            name: aws-credentials
            key: secret-access-key
# Apply the SecretStore configuration
$ kubectl apply -f secret-store.yaml
# Create an ExternalSecret
$ cat external-secret.yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-secret
  namespace: default
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets
    kind: SecretStore
  target:
    name: app-secret
  data:
    - secretKey: username
      remoteRef:
        key: app-credentials
        property: username
    - secretKey: password
      remoteRef:
        key: app-credentials
        property: password
# Apply the ExternalSecret configuration
$ kubectl apply -f external-secret.yaml
6.3 Vault integration
$ helm repo add hashicorp https://helm.releases.hashicorp.com
$ helm install vault hashicorp/vault \
  -n vault \
  --create-namespace
# Initialize and unseal Vault
$ kubectl exec -it vault-0 -n vault -- vault operator init
$ kubectl exec -it vault-0 -n vault -- vault operator unseal
# Install the Secrets Store CSI driver and enable the Vault CSI provider
# (the provider is shipped by the vault chart itself, not by a separate chart)
$ helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
$ helm install csi secrets-store-csi-driver/secrets-store-csi-driver -n kube-system
$ helm upgrade --install vault hashicorp/vault -n vault --set csi.enabled=true
# Use Vault secrets in a Pod (a SecretProviderClass named vault-db is assumed to exist)
$ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-pod
spec:
  containers:
    - name: app
      image: busybox:1.32.0
      command: ["sleep", "3600"]
      volumeMounts:
        - name: secrets-store-inline
          mountPath: /mnt/secrets-store
          readOnly: true
  volumes:
    - name: secrets-store-inline
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "vault-db"
# Apply the Pod configuration
$ kubectl apply -f pod.yaml
author:www.itpux.com
7. Runtime security
7.1 Runtime monitoring
$ helm repo add falcosecurity https://falcosecurity.github.io/charts
$ helm install falco falcosecurity/falco \
  -n falco \
  --create-namespace
# View Falco alerts (the chart deploys Falco as a DaemonSet, one pod per node)
$ kubectl logs -n falco daemonset/falco
# Install Aqua Security
$ helm repo add aqua https://aquasecurity.github.io/helm-charts/
$ helm install aqua aqua/aqua \
  -n aqua \
  --create-namespace \
  --set global.aqua.password=your-password
# Open the Aqua console
$ kubectl port-forward -n aqua svc/aqua-web 8080:8080
# Browse to http://localhost:8080
7.2 Behavioural analysis
$ cat custom-rules.yaml
- rule: Unexpected shell in container
  desc: Detect shell spawned in a container
  condition: spawned_process and container and shell_procs
  output: "Shell spawned in container (user=%user.name, command=%proc.cmdline, container_id=%container.id, image=%container.image.repository)"
  priority: WARNING
# Apply the rules (Falco loads every file under /etc/falco/rules.d by default)
$ kubectl create configmap falco-rules \
  --from-file=custom-rules.yaml \
  -n falco
$ kubectl patch daemonset falco -n falco \
  --patch '{"spec":{"template":{"spec":{"volumes":[{"name":"rules","configMap":{"name":"falco-rules"}}],"containers":[{"name":"falco","volumeMounts":[{"name":"rules","mountPath":"/etc/falco/rules.d"}]}]}}}'
8. Compliance and auditing
8.1 Audit logs
$ cat audit-policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # RequestResponse records full request and response bodies, so Secret contents end up in
  # the audit log; Metadata level is the safer choice for secrets unless the bodies are really needed
  - level: RequestResponse
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
  - level: Metadata
    resources:
      - group: ""
        resources: ["pods", "services"]
      - group: "apps"   # deployments live in the apps API group, not the core group
        resources: ["deployments"]
# Configure kube-apiserver
$ cat kube-apiserver.yaml
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: v1.23.0
apiServer:
  extraArgs:
    audit-log-path: /var/log/kubernetes/audit.log
    audit-policy-file: /etc/kubernetes/audit-policy.yaml
    audit-log-maxage: "30"
    audit-log-maxbackup: "10"
    audit-log-maxsize: "100"
  # the API server runs as a static pod, so the policy file and the log directory
  # have to be mounted into it or it will not start
  extraVolumes:
    - name: audit-policy
      hostPath: /etc/kubernetes/audit-policy.yaml
      mountPath: /etc/kubernetes/audit-policy.yaml
      readOnly: true
      pathType: File
    - name: audit-log
      hostPath: /var/log/kubernetes
      mountPath: /var/log/kubernetes
      pathType: DirectoryOrCreate
# Apply the configuration
$ kubeadm init --config=kube-apiserver.yaml
# View the audit log (it is written to the file named by audit-log-path on the control-plane node,
# not to the API server's container log)
$ sudo tail -f /var/log/kubernetes/audit.log
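Audit logs are only useful if something reads them, so here is an added example (not part of the tutorial) of detection logic over the file the policy above produces. The API server writes one `audit.k8s.io/v1` Event as JSON per line, and logs each request at several stages; the script keeps the `ResponseComplete` events, which carry the final status code, and raises three kinds of findings: successful Secret reads by identities outside an allowlist, changes to RBAC objects, and users accumulating many 403 responses (a typical sign of permission probing). The sample log lines, the allowlist entry and the user `jane@example.com` are constructed for the example.

```python
import json


# Constructed audit events (audit.k8s.io/v1, one JSON object per line, as kube-apiserver
# writes them to --audit-log-path). Only the fields the detector uses are filled in.
def _event(user, verb, resource, code, name=None, namespace=None, groups=(), ip="10.0.0.5",
           stage="ResponseComplete"):
    event = {
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage, "verb": verb,
        "user": {"username": user, "groups": list(groups)},
        "objectRef": {"resource": resource, "namespace": namespace, "name": name},
        "responseStatus": {"code": code},
        "sourceIPs": [ip],
        "requestReceivedTimestamp": "2023-01-01T00:00:00.000000Z",
    }
    return json.dumps(event)


SAMPLE_AUDIT_LOG = "\n".join([
    _event("reader", "get", "pods", 200, name="web", namespace="default"),
    _event("reader", "get", "secrets", 403, name="app-secret", namespace="default"),
    _event("reader", "list", "secrets", 403, namespace="default"),
    _event("reader", "get", "secrets", 403, name="bootstrap-token", namespace="kube-system"),
    _event("jane@example.com", "get", "secrets", 200, name="app-secret", namespace="default"),
    # the same request at an earlier stage: must not be counted twice
    _event("jane@example.com", "get", "secrets", 200, name="app-secret", namespace="default",
           stage="RequestReceived"),
    _event("system:serviceaccount:external-secrets:external-secrets", "get", "secrets", 200,
           name="app-secret", namespace="default"),
    _event("jane@example.com", "create", "clusterrolebindings", 201, name="oidc-admin"),
])

# Identities expected to read Secrets as part of normal operation (constructed allowlist)
SECRET_READ_ALLOWLIST = {"system:serviceaccount:external-secrets:external-secrets"}
FORBIDDEN_THRESHOLD = 3
RBAC_RESOURCES = {"clusterroles", "clusterrolebindings", "roles", "rolebindings"}


def parse_events(text):
    """Parse JSON-lines audit output, keeping only the ResponseComplete stage of each request."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("kind") == "Event" and event.get("stage") == "ResponseComplete":
            events.append(event)
    return events


def detect(events):
    """Return human-readable findings for the three detections described above."""
    findings = []
    forbidden = {}
    for event in events:
        user = event.get("user", {}).get("username", "<unknown>")
        ref = event.get("objectRef") or {}
        code = (event.get("responseStatus") or {}).get("code", 0)
        verb = event.get("verb")
        target = f"{ref.get('namespace') or '-'}/{ref.get('name') or '*'}"
        ips = ",".join(event.get("sourceIPs", []))
        if (ref.get("resource") == "secrets" and verb in ("get", "list", "watch")
                and code < 300 and user not in SECRET_READ_ALLOWLIST):
            findings.append(f"secret-read: {user} {verb} {target} from {ips}")
        if ref.get("resource") in RBAC_RESOURCES and verb in ("create", "update", "patch", "delete") and code < 300:
            findings.append(f"rbac-change: {user} {verb} {ref['resource']} {target} from {ips}")
        if code == 403:
            forbidden[user] = forbidden.get(user, 0) + 1
    for user, count in forbidden.items():
        if count >= FORBIDDEN_THRESHOLD:
            findings.append(f"forbidden-burst: {user} received {count} 403 responses")
    return findings


def scan_audit_log(text):
    return detect(parse_events(text))


if __name__ == "__main__":
    for finding in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(finding)
```

To run it against a real file, read the contents of `/var/log/kubernetes/audit.log` and pass them to `scan_audit_log`; the Secret read by `jane@example.com` is only visible because the policy logs secrets at a level above `None`, which is why the audit policy should cover secrets even when `Metadata` is chosen over `RequestResponse`.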
8.2 Compliance scanning
$ curl -s https://raw.githubusercontent.com/controlplaneio/kubesec/master/install.sh | bash
# Scan Kubernetes resources
$ kubesec scan deployment.yaml
# Install kube-bench
$ curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.6.0/kube-bench_0.6.0_linux_amd64.tar.gz -o kube-bench.tar.gz
$ tar xvf kube-bench.tar.gz
$ cd kube-bench
# Run the CIS benchmark
$ ./kube-bench
# Save the report
$ ./kube-bench --json > kube-bench-report.json
9. Best practices
9.1 Cluster security best practices
- Run the latest version of Kubernetes
- Enable RBAC
- Configure Pod security policies
- Use network policies
- Configure audit logging
- Rotate certificates regularly
9.2 Pod security best practices
- Run containers as a non-root user
- Restrict container privileges
- Use a read-only root filesystem
- Configure resource limits
- Use secure base images
- Scan container images regularly
9.3 Network security best practices
- Enforce network policies
- Use a service mesh
- Enable mTLS
- Restrict network access
- Monitor network traffic
9.4 Secrets management best practices
- Keep sensitive data in Secrets
- Integrate an external secrets management system
- Rotate secrets regularly
- Restrict access to Secrets
- Use Vault or a cloud provider's key management service
10. Security tools
10.1 Cluster security tools
- Kube-bench: CIS benchmark testing
- Kubesec: security scanning of Kubernetes configuration
- Prisma Cloud: cloud security platform
- Aqua Security: container security platform
10.2 Runtime security tools
- Falco: runtime security monitoring
- Aqua Security: runtime protection
- Calico: network security and policy management
- Istio: service mesh security
10.3 Compliance tools
- Chef InSpec: security compliance checks
- Auditbeat: audit log collection and analysis
- Prisma Cloud: compliance scanning
- Kube-bench: CIS benchmark testing
Production recommendations
- Establish a comprehensive Kubernetes security policy
- Perform security assessments and vulnerability scans regularly
- Deploy automated security tooling
- Establish a security incident response process
- Train the team in Kubernetes security
This article was compiled and published by 风哥教程 for learning and testing purposes only; when reposting, cite the source: http://www.fgedu.net.cn/10327.html
