Outline
1. Cloud-native security overview
Cloud-native security refers to the practices that protect applications, data and infrastructure in cloud-native environments. Such environments are built on containers, Kubernetes, microservices and related technologies, which bring new security challenges as well as new opportunities.
The core principles of cloud-native security are:
- Shift security left: integrate security into the early stages of development and deployment
- Zero-trust architecture: trust no request by default, whether it originates inside or outside the network
- Least privilege: grant only the permissions that are actually required
- Automated security: use tools and pipelines to automate security checks
- Continuous security monitoring: monitor security events and vulnerabilities in real time
2. Container security
2.1 Container image security
# Use an official base image
FROM alpine:3.15
# Pin the base image by digest and update it regularly
FROM alpine:3.15@sha256:abc123…
# Minimise the image
FROM alpine:3.15
RUN apk add --no-cache nginx && rm -rf /var/cache/apk/*
# Run as a non-root user
FROM alpine:3.15
RUN adduser -D -u 1000 nginx
USER nginx
# Prefer COPY over ADD (ADD also fetches remote URLs and auto-extracts archives)
COPY index.html /var/www/html/
# Clean up temporary files (Debian/Ubuntu-based images)
RUN apt-get update && apt-get install -y nginx && rm -rf /var/lib/apt/lists/*
# Scan the image for vulnerabilities
$ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image myapp:latest
# Sign the image
$ docker trust sign myapp:latest
# Verify the image signature
$ docker trust inspect --pretty myapp:latest
2.2 Container runtime security
# Drop all capabilities and add back only the ones the application needs
$ docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE myapp:latest
# Use a read-only file system
$ docker run --read-only myapp:latest
# Limit resource usage
$ docker run --memory=512m --cpus=1 myapp:latest
# Network isolation
$ docker run --network=bridge myapp:latest
# Secure container runtimes (runc is Docker's default OCI runtime)
$ docker run --runtime=runc myapp:latest
# Use gVisor
$ docker run --runtime=runsc myapp:latest
# Use Kata Containers
$ docker run --runtime=kata-runtime myapp:latest
2.3 Container orchestration security
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
  containers:
  - name: app
    image: myapp:latest
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
        add:
        - NET_BIND_SERVICE
# Verify the Pod's security settings
$ kubectl get pod secure-pod -o yaml
# Inspect the Pod's status
$ kubectl describe pod secure-pod
Tip: container security is the foundation of cloud-native security, and it has to be enforced at several layers: image build, runtime configuration and orchestration.
3. Kubernetes security
3.1 Cluster security
# List services across all namespaces
$ kubectl get services --all-namespaces
# Enable RBAC: bind a user to the built-in admin ClusterRole
$ kubectl create clusterrolebinding admin-binding --clusterrole=admin --user=admin
# Configure a Pod Security Policy (PodSecurityPolicy was removed in Kubernetes 1.25; newer clusters use Pod Security Admission instead)
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
  - ALL
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'projected'
  - 'secret'
  - 'downwardAPI'
  - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
    - min: 1
      max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
    - min: 1
      max: 65535
  readOnlyRootFilesystem: true
# Apply the Pod Security Policy
$ kubectl apply -f pod-security-policy.yaml
# Authorise use of the policy
$ kubectl create clusterrole psp:restricted --verb=use --resource=podsecuritypolicies --resource-name=restricted
$ kubectl create clusterrolebinding default:restricted --clusterrole=psp:restricted --group=system:authenticated
3.2 Network security
# Default-deny policy for every Pod in the namespace
# Note: denying egress by default also blocks DNS; allow UDP/TCP 53 to kube-dns or name resolution fails
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
# Apply the network policy
$ kubectl apply -f network-policy.yaml
# Network policy that allows specific traffic
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 80
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: backend
    ports:
    - protocol: TCP
      port: 8080
# Apply the network policy
$ kubectl apply -f allow-web.yaml
# View network policies
$ kubectl get networkpolicies
$ kubectl describe networkpolicy allow-web
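Added example, not from the tutorial: an offline evaluator showing how the default-deny and allow-web policies above combine, following the Kubernetes rule that an unselected Pod is open while a selected Pod only gets what the union of its policies' rules permits. It models only same-namespace podSelector peers and TCP ports (no namespaceSelector or ipBlock), and assumes a CNI plugin that enforces NetworkPolicy.

```python
"""Evaluate the default-deny and allow-web NetworkPolicies from this section offline."""

# The two policies from this section, as Python dicts (constructed to match the YAML).
DEFAULT_DENY = {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}
ALLOW_WEB = {
    "podSelector": {"matchLabels": {"app": "web"}},
    "policyTypes": ["Ingress", "Egress"],
    "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                 "ports": [{"protocol": "TCP", "port": 80}]}],
    "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "backend"}}}],
                "ports": [{"protocol": "TCP", "port": 8080}]}],
}


def selects(selector, labels):
    """An empty selector matches every Pod; otherwise every matchLabels entry must match."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def rule_allows(rule, peer_labels, port, direction):
    """A rule permits a flow when its peers (if any) and its ports (if any) both match."""
    peers = rule.get("from" if direction == "Ingress" else "to", [])
    peer_ok = not peers or any(selects(p["podSelector"], peer_labels)
                               for p in peers if "podSelector" in p)
    ports = rule.get("ports", [])
    port_ok = not ports or any(p.get("port") == port and p.get("protocol", "TCP") == "TCP"
                               for p in ports)
    return peer_ok and port_ok


def direction_allowed(policies, pod_labels, peer_labels, port, direction):
    """Unselected Pods are open; selected Pods get the union of their policies' rules."""
    selecting = [p for p in policies
                 if direction in p.get("policyTypes", []) and selects(p.get("podSelector", {}), pod_labels)]
    if not selecting:
        return True
    return any(rule_allows(r, peer_labels, port, direction)
               for p in selecting for r in p.get(direction.lower(), []))


def connection_allowed(policies, src_labels, dst_labels, port):
    """Both the source's egress and the destination's ingress must permit the flow."""
    return (direction_allowed(policies, src_labels, dst_labels, port, "Egress")
            and direction_allowed(policies, dst_labels, src_labels, port, "Ingress"))


if __name__ == "__main__":
    frontend, web = {"app": "frontend"}, {"app": "web"}
    print(connection_allowed([ALLOW_WEB], frontend, web, 80))                # True
    # With default-deny in place, frontend's own egress is denied, so the flow is blocked
    # until frontend gets an egress rule of its own.
    print(connection_allowed([DEFAULT_DENY, ALLOW_WEB], frontend, web, 80))  # False
```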
3.3 Authentication and authorisation
# Create a ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-service-account
  namespace: default
# Apply the ServiceAccount
$ kubectl apply -f service-account.yaml
# Create a Role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-role
  namespace: default
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
# Apply the Role
$ kubectl apply -f role.yaml
# Create a RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-role-binding
  namespace: default
subjects:
- kind: ServiceAccount
  name: app-service-account
  namespace: default
roleRef:
  kind: Role
  name: app-role
  apiGroup: rbac.authorization.k8s.io
# Apply the RoleBinding
$ kubectl apply -f role-binding.yaml
# Verify the permissions
$ kubectl auth can-i get pods --as=system:serviceaccount:default:app-service-account
4. Network security
4.1 Network encryption
# Create a TLS Secret (tls.crt and tls.key take the base64-encoded certificate and private key)
apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
type: kubernetes.io/tls
data:
  tls.crt:
  tls.key:
# Apply the TLS Secret
$ kubectl apply -f tls-secret.yaml
# Configure the Ingress to use TLS
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
  namespace: default
spec:
  tls:
  - hosts:
    - app.fgedu.net.cn
    secretName: tls-secret
  rules:
  - host: app.fgedu.net.cn
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-service
            port:
              number: 80
# Apply the Ingress
$ kubectl apply -f ingress.yaml
# Check TLS (-k skips certificate verification, so use it only with self-signed test certificates; drop it to confirm that the chain validates)
$ curl -k https://app.fgedu.net.cn
4.2 Network isolation
# Create the namespaces
$ kubectl create namespace development
$ kubectl create namespace production
# Namespace-scoped network policy: only Pods in the same namespace may reach production Pods
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-from-other-namespaces
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}
# Apply the network policy
$ kubectl apply -f network-policy.yaml
# Test the isolation (the request from development should be blocked)
$ kubectl run test --image=busybox --namespace=development --command -- sleep 3600
$ kubectl exec -it test --namespace=development -- wget -qO- http://app-service.production.svc.cluster.local
4.3 Network monitoring
# Install the Prometheus stack
$ helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
$ helm install prometheus prometheus-community/kube-prometheus-stack
# Configure network monitoring
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: network-monitor
  namespace: monitoring
spec:
  selector:
    matchLabels:
      app: kube-proxy
  endpoints:
  - port: metrics
# Apply the ServiceMonitor
$ kubectl apply -f service-monitor.yaml
# View the network metrics
$ kubectl port-forward svc/prometheus-grafana 3000:80
# Open http://fgedudb:3000 in a browser
5. Identity and access management
5.1 Kubernetes RBAC
# Create a ClusterRole (note: cluster-admin already exists as a built-in ClusterRole, so a custom role should use a different name)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-admin
rules:
- apiGroups: [""]
  resources: ["*"]
  verbs: ["*"]
# Create a ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin-binding
subjects:
- kind: User
  name: admin
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
# Apply the ClusterRoleBinding
$ kubectl apply -f cluster-role-binding.yaml
# Verify the permissions
$ kubectl auth can-i create pods --as=admin
# List the current user's permissions
$ kubectl auth can-i --list
5.2 OIDC integration
# kubeadm configuration: OIDC flags belong to the API server; kubelet flags go into the node registration
apiVersion: kubeadm.k8s.io/v1beta2
kind: InitConfiguration
nodeRegistration:
  kubeletExtraArgs:
    authentication-token-webhook: "true"
---
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
apiServer:
  extraArgs:
    oidc-issuer-url: "https://accounts.google.com"
    oidc-client-id: "my-client-id"
    oidc-username-claim: "email"
    oidc-groups-claim: "groups"
# ServiceAccount using OIDC federation (EKS IAM Roles for Service Accounts)
apiVersion: v1
kind: ServiceAccount
metadata:
  name: oidc-service-account
  namespace: default
  annotations:
    eks.amazonaws.com/role-arn: "arn:aws:iam::123456789012:role/oidc-role"
# Apply the ServiceAccount
$ kubectl apply -f oidc-service-account.yaml
# Test OIDC authentication (impersonating the OIDC user)
$ kubectl get pods --as=oidc-user
5.3 Service account management
# List service accounts
$ kubectl get serviceaccounts --all-namespaces
# Create a ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-service-account
  namespace: default
# Apply the ServiceAccount
$ kubectl apply -f service-account.yaml
# Assign the ServiceAccount to a Pod
apiVersion: v1
kind: Pod
metadata:
  name: app-pod
  namespace: default
spec:
  serviceAccountName: app-service-account
  containers:
  - name: app
    image: myapp:latest
# Apply the Pod
$ kubectl apply -f pod.yaml
# Check which ServiceAccount the Pod uses
$ kubectl get pod app-pod -o yaml | grep serviceAccountName
6. Secrets management
6.1 Kubernetes Secrets
# Create a Secret
$ kubectl create secret generic db-secret \
    --from-literal=username=admin \
    --from-literal=password=secret123
# View Secrets
$ kubectl get secrets
$ kubectl describe secret db-secret
# Use the Secret in a Pod
apiVersion: v1
kind: Pod
metadata:
  name: app-pod
spec:
  containers:
  - name: app
    image: myapp:latest
    env:
    - name: DB_USERNAME
      valueFrom:
        secretKeyRef:
          name: db-secret
          key: username
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: db-secret
          key: password
# Apply the Pod
$ kubectl apply -f pod.yaml
# Verify that the Secret is injected
$ kubectl exec -it app-pod -- env | grep DB_
6.2 External secrets management
# Install Vault
$ helm repo add hashicorp https://helm.releases.hashicorp.com
$ helm install vault hashicorp/vault
# Configure Vault
$ kubectl port-forward svc/vault 8200:8200
# Open http://fgedudb:8200 in a browser
# Enable Kubernetes authentication
$ vault auth enable kubernetes
$ vault write auth/kubernetes/config \
    kubernetes_host=https://kubernetes.default.svc
# Create a Vault role
$ vault write auth/kubernetes/role/my-role \
    bound_service_account_names=app-service-account \
    bound_service_account_namespaces=default \
    policies=my-policy \
    ttl=1h
# Create a Vault policy
$ vault policy write my-policy - << EOF
path "secret/data/myapp/*" {
  capabilities = ["read"]
}
EOF
# Use Vault from the application
apiVersion: v1
kind: Pod
metadata:
  name: app-pod
spec:
  serviceAccountName: app-service-account
  containers:
  - name: app
    image: myapp:latest
    env:
    - name: VAULT_ADDR
      value: "http://vault.default.svc:8200"
6.3 Secret rotation
# Rotate a Secret in place
$ kubectl create secret generic db-secret --from-literal=username=admin --from-literal=password=new-secret123 --dry-run=client -o yaml | kubectl apply -f -
# View the Secret (Pods that consume it through environment variables only see the new value after a restart)
$ kubectl get secret db-secret -o yaml
# Configure automatic rotation with the External Secrets Operator
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-secret
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: db-secret
  data:
  - secretKey: username
    remoteRef:
      key: secret/data/myapp/db
      property: username
  - secretKey: password
    remoteRef:
      key: secret/data/myapp/db
      property: password
# Apply the ExternalSecret
$ kubectl apply -f external-secret.yaml
# View ExternalSecrets
$ kubectl get externalsecrets
author:www.itpux.com
7. Runtime security
7.1 Runtime monitoring
# Install Falco
$ helm repo add falcosecurity https://falcosecurity.github.io/charts
$ helm install falco falcosecurity/falco
# View Falco logs (the chart deploys Falco as a DaemonSet)
$ kubectl logs -f daemonset/falco
# Custom Falco rules: the chart takes them through its customRules value (file name mapped to rule YAML)
customRules:
  custom-rules.yaml: |-
    - rule: Detect shell in container
      desc: Detect a shell being spawned in a container
      condition: spawned_process and container and shell_procs
      output: "Shell spawned in container (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname command=%proc.cmdline)"
      priority: WARNING
# Apply the rules
$ helm upgrade falco falcosecurity/falco -f falco-rule.yaml
# Test the rule: opening a shell in the test Pod should produce a WARNING line in the Falco logs
$ kubectl run test --image=busybox --command -- sh -c "sleep 3600"
$ kubectl exec -it test -- sh
7.2 Runtime protection
# Run kube-bench against the node
$ docker run --rm -v /var/lib/kubelet:/var/lib/kubelet -v /etc/kubernetes:/etc/kubernetes --net=host aquasec/kube-bench
# Run the scan as a Pod (--rm requires an attached session, hence -i)
$ kubectl run kube-bench --rm -i --image=aquasec/kube-bench:latest --restart=Never --
# Install Trivy Operator
$ helm repo add aquasecurity https://aquasecurity.github.io/helm-charts/
$ helm install trivy-operator aquasecurity/trivy-operator
# View the scan results
$ kubectl get vulnerabilityreports
$ kubectl get configauditreports
# Install Aqua Security
$ helm repo add aqua https://aquasecurity.github.io/helm-charts/
$ helm install aqua aqua/aqua
# Check the platform's status
$ kubectl get pods -n aqua
7.3 Runtime response
# Falco has no alert resource of its own; alerts are forwarded by Falcosidekick, enabled through the Falco chart (it also exposes the falco_events metric used below)
$ helm upgrade falco falcosecurity/falco --set falcosidekick.enabled=true
# Prometheus alert rule
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: security-alerts
  namespace: monitoring
spec:
  groups:
  - name: security
    rules:
    - alert: ContainerSecurityViolation
      # falco_events is a counter: alert on recent increases, not on the absolute value, which never drops back to zero
      expr: increase(falco_events{rule="Detect shell in container"}[5m]) > 0
      labels:
        severity: critical
      annotations:
        summary: "Container security violation detected"
        description: "A shell was spawned in a container"
# Apply the PrometheusRule
$ kubectl apply -f prometheus-rule.yaml
8. Compliance and auditing
8.1 Compliance checks
# Run the CIS Kubernetes Benchmark
$ docker run --rm -v /var/lib/kubelet:/var/lib/kubelet -v /etc/kubernetes:/etc/kubernetes --net=host aquasec/kube-bench --benchmark cis-1.6
# Show only the failed checks
$ docker run --rm -v /var/lib/kubelet:/var/lib/kubelet -v /etc/kubernetes:/etc/kubernetes --net=host aquasec/kube-bench --benchmark cis-1.6 | grep FAIL
# Run the NSA hardening guide checks
$ docker run --rm -v /var/lib/kubelet:/var/lib/kubelet -v /etc/kubernetes:/etc/kubernetes --net=host aquasec/kube-bench --benchmark nsa
# Run the PCI DSS checks
$ docker run --rm -v /var/lib/kubelet:/var/lib/kubelet -v /etc/kubernetes:/etc/kubernetes --net=host aquasec/kube-bench --benchmark pci
8.2 Audit logging
# kubeadm configuration: audit flags go on the API server, and the policy file and log directory must be mounted into the static Pod
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
apiServer:
  extraArgs:
    audit-log-path: /var/log/kubernetes/audit.log
    audit-log-maxage: "30"
    audit-log-maxbackup: "10"
    audit-log-maxsize: "100"
    audit-policy-file: /etc/kubernetes/audit-policy.yaml
  extraVolumes:
  - name: audit-policy
    hostPath: /etc/kubernetes/audit-policy.yaml
    mountPath: /etc/kubernetes/audit-policy.yaml
    readOnly: true
    pathType: File
  - name: audit-log
    hostPath: /var/log/kubernetes
    mountPath: /var/log/kubernetes
    pathType: DirectoryOrCreate
# Audit policy (rules are evaluated in order and the first match wins)
# Note: RequestResponse on secrets writes the secret contents into the audit log; Metadata is the usual level for secrets
$ cat audit-policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
  resources:
  - group: ""
    resources: ["pods", "services", "configmaps"]
- level: RequestResponse
  resources:
  - group: ""
    resources: ["secrets", "configmaps"]
# Install the audit policy: the API server reads it from disk on the control-plane node; it is not an API object and cannot be applied with kubectl
$ sudo cp audit-policy.yaml /etc/kubernetes/audit-policy.yaml
# View the audit log (written to audit-log-path on the control-plane node, not to the API server's stdout)
$ sudo tail -f /var/log/kubernetes/audit.log
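Added example, not part of the tutorial: a first-match evaluator for the audit policy above. It shows that configmaps get the Metadata level from the first rule even though the second rule lists them too, and that secrets are logged at RequestResponse, so their contents end up in the audit log. Only the group/resources matchers used in the page's policy are modelled; users, verbs and namespaces are ignored.

```python
"""First-match evaluation of the audit policy from this section."""

# The audit policy from this section, as a Python structure (constructed to match the YAML).
AUDIT_POLICY = {
    "rules": [
        {"level": "Metadata",
         "resources": [{"group": "", "resources": ["pods", "services", "configmaps"]}]},
        {"level": "RequestResponse",
         "resources": [{"group": "", "resources": ["secrets", "configmaps"]}]},
    ]
}


def audit_level(policy, group, resource):
    """Return the level assigned by the first matching rule, or 'None' when nothing matches.

    Kubernetes checks rules in order; a rule matcher with an empty resources list
    matches every resource in its group, and a request that matches no rule is dropped.
    """
    for rule in policy["rules"]:
        for matcher in rule.get("resources", []):
            names = matcher.get("resources", [])
            if matcher.get("group", "") == group and (not names or resource in names):
                return rule["level"]
    return "None"


def logs_request_body(policy, group, resource):
    """Request and RequestResponse both write the request body (e.g. secret data) to the log."""
    return audit_level(policy, group, resource) in ("Request", "RequestResponse")


if __name__ == "__main__":
    for group, resource in (("", "pods"), ("", "configmaps"), ("", "secrets"), ("apps", "deployments")):
        print(f"{group or 'core'}/{resource}: level={audit_level(AUDIT_POLICY, group, resource)} "
              f"body_logged={logs_request_body(AUDIT_POLICY, group, resource)}")
```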
8.3 Compliance reports
# Export the kube-bench results as JSON
$ docker run --rm -v /var/lib/kubelet:/var/lib/kubelet -v /etc/kubernetes:/etc/kubernetes --net=host aquasec/kube-bench --benchmark cis-1.6 --json > audit.json
# Install Sonobuoy
$ curl -L https://github.com/vmware-tanzu/sonobuoy/releases/download/v0.56.14/sonobuoy_0.56.14_linux_amd64.tar.gz | tar -xz
$ sudo mv sonobuoy /usr/local/bin/
# Run Sonobuoy
$ sonobuoy run --mode=compliance --compliance=cis-1.6
# Check the Sonobuoy status
$ sonobuoy status
# Retrieve the compliance report
$ sonobuoy retrieve
$ tar -xf *.tar.gz
$ cat plugins/e2e/results/global.json
9. Security monitoring
9.1 Security metrics monitoring
# Install the Prometheus stack
$ helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
$ helm install prometheus prometheus-community/kube-prometheus-stack
# Configure the security metrics
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: security-monitor
  namespace: monitoring
spec:
  selector:
    matchLabels:
      app: falco
  endpoints:
  - port: metrics
# Apply the ServiceMonitor
$ kubectl apply -f service-monitor.yaml
# View the security metrics
$ kubectl port-forward svc/prometheus-grafana 3000:80
# Open http://fgedudb:3000 in a browser
# Create a security dashboard
$ cat security-dashboard.json
{
  "annotations": {
    "list": []
  },
  "editable": true,
  "gnetId": null,
  "graphTooltip": 0,
  "id": null,
  "links": [],
  "panels": [
    {
      "aliasColors": {},
      "bars": false,
      "dashLength": 10,
      "dashes": false,
      "datasource": "Prometheus",
      "fieldConfig": {
        "defaults": {},
        "overrides": []
      },
      "fill": 1,
      "fillGradient": 0,
      "gridPos": {
        "h": 8,
        "w": 12,
        "x": 0,
        "y": 0
      },
      "hiddenSeries": false,
      "id": 1,
      "legend": {
        "avg": false,
        "current": false,
        "max": false,
        "min": false,
        "show": true,
        "total": false,
        "values": false
      },
      "lines": true,
      "linewidth": 1,
      "nullPointMode": "null",
      "options": {
        "alertThreshold": true
      },
      "percentage": false,
      "pluginVersion": "7.5.1",
      "pointradius": 2,
      "points": false,
      "renderer": "flot",
      "seriesOverrides": [],
      "spaceLength": 10,
      "stack": false,
      "steppedLine": false,
      "targets": [
        {
          "expr": "falco_events_total",
          "interval": "",
          "legendFormat": "{{rule}}",
          "refId": "A"
        }
      ],
      "thresholds": [],
      "timeFrom": null,
      "timeRegions": [],
      "timeShift": null,
      "title": "Falco Events",
      "tooltip": {
        "shared": true,
        "sort": 0,
        "value_type": "individual"
      },
      "type": "graph",
      "xaxis": {
        "buckets": null,
        "mode": "time",
        "name": null,
        "show": true,
        "values": []
      },
      "yaxes": [
        {
          "format": "short",
          "label": null,
          "logBase": 1,
          "max": null,
          "min": null,
          "show": true
        },
        {
          "format": "short",
          "label": null,
          "logBase": 1,
          "max": null,
          "min": null,
          "show": true
        }
      ],
      "yaxis": {
        "align": false,
        "alignLevel": null
      }
    }
  ],
  "schemaVersion": 26,
  "style": "dark",
  "tags": [],
  "templating": {
    "list": []
  },
  "time": {
    "from": "now-6h",
    "to": "now"
  },
  "timepicker": {},
  "timezone": "",
  "title": "Security Dashboard",
  "uid": "security-dashboard",
  "version": 1
}
# Import the security dashboard
# In Grafana, import security-dashboard.json
9.2 Security incident response
# Forward Falco alerts to Slack through Falcosidekick (Falco has no FalcoAlert resource); keep the webhook URL in a values file or Secret rather than in version control
$ helm upgrade falco falcosecurity/falco \
    --set falcosidekick.enabled=true \
    --set falcosidekick.config.slack.webhookurl="https://hooks.slack.com/services/XXX/YYY/ZZZ" \
    --set falcosidekick.config.slack.channel="#security-alerts"
# Prometheus alert rule
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: security-alerts
  namespace: monitoring
spec:
  groups:
  - name: security
    rules:
    - alert: ContainerSecurityViolation
      # falco_events is a counter: alert on recent increases, not on the absolute value
      expr: increase(falco_events{rule="Detect shell in container"}[5m]) > 0
      labels:
        severity: critical
      annotations:
        summary: "Container security violation detected"
        description: "A shell was spawned in container {{ $labels.container_name }}"
# Apply the PrometheusRule
$ kubectl apply -f prometheus-rule.yaml
# Configure the alert receiver (the AlertmanagerConfig CRD uses camelCase fields and reads the webhook URL from a Secret)
$ kubectl create secret generic slack-webhook -n monitoring --from-literal=url="https://hooks.slack.com/services/XXX/YYY/ZZZ"
apiVersion: monitoring.coreos.com/v1alpha1
kind: AlertmanagerConfig
metadata:
  name: security-alerts
  namespace: monitoring
spec:
  route:
    groupBy: ["alertname"]
    groupWait: 30s
    groupInterval: 5m
    repeatInterval: 1h
    receiver: slack
    routes:
    - matchers:
      - name: severity
        value: critical
      receiver: slack
  receivers:
  - name: slack
    slackConfigs:
    - apiURL:
        name: slack-webhook
        key: url
      channel: "#security-alerts"
      sendResolved: true
# Apply the AlertmanagerConfig
$ kubectl apply -f alertmanager-config.yaml
10. Best practices
10.1 Cloud-native security best practices
- Shift security left: integrate security into the early stages of development and deployment
- Zero-trust architecture: trust no request by default, whether it originates inside or outside the network
- Least privilege: grant only the permissions that are actually required
- Automated security: use tools and pipelines to automate security checks
- Continuous security monitoring: monitor security events and vulnerabilities in real time
- Container image security: use official base images and scan them for vulnerabilities regularly
- Runtime security: restrict container capabilities and use read-only file systems
- Network security: configure network policies and encrypt network traffic
- Identity and access management: use RBAC and integrate OIDC
- Secrets management: use an external secrets manager and rotate secrets regularly
10.2 Production recommendations
1. Use official base images: make sure the image source is trusted
2. Update base images regularly: pick up security patches
3. Scan images for vulnerabilities: run a security scan before deployment
4. Restrict container capabilities: apply the principle of least privilege
5. Use read-only file systems: prevent files inside the container from being modified
6. Configure network policies: restrict communication between containers
7. Use RBAC: control access permissions at a fine granularity
8. Integrate OIDC: use the organisation's identity management system
9. Use external secrets management: store sensitive information securely
10. Configure security monitoring: monitor security events in real time
11. Run compliance checks regularly: make sure security standards are met
12. Establish a security incident response process: handle security incidents promptly
13. Train the team: raise security awareness and skills
14. Document security configuration: record security policies and settings
15. Run security audits regularly: assess the security posture
# Example production security configuration
apiVersion: apps/v1
kind: Deployment
metadata:
  name: secure-app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: secure-app
  template:
    metadata:
      labels:
        app: secure-app
    spec:
      serviceAccountName: app-service-account
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
      containers:
      - name: app
        image: myapp:latest
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
        resources:
          limits:
            memory: "512Mi"
            cpu: "500m"
          requests:
            memory: "256Mi"
            cpu: "200m"
        env:
        - name: DB_USERNAME
          valueFrom:
            secretKeyRef:
              name: db-secret
              key: username
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-secret
              key: password
        livenessProbe:
          httpGet:
            path: /health
            port: 8080
          initialDelaySeconds: 30
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /ready
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 5
        ports:
        - containerPort: 8080
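Added example, not part of the tutorial: a checker for the hardening settings used by the secure-pod manifest in section 2.3 and the secure-app Deployment above (non-root, no privilege escalation, read-only root filesystem, drop ALL capabilities, no host namespaces, resource limits). It reads the JSON that `kubectl get pod/deployment <name> -o json` prints, and the SECURE_POD sample below is constructed from the section 2.3 manifest with limits added.

```python
"""Check a Pod or Deployment manifest against the hardening settings used on this page."""
import json
import sys


def pod_spec(manifest):
    """Return the PodSpec of a Pod, or the Pod template's spec of a Deployment-like object."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def check_pod_security(manifest):
    """Return a list of human-readable violations; an empty list means every check passed."""
    spec = pod_spec(manifest)
    pod_sc = spec.get("securityContext", {})
    violations = []
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            violations.append(f"pod: {ns} is enabled")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        name = c.get("name", "<unnamed>")
        # Container-level settings override pod-level ones, so fall back to the pod value.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if run_as_non_root is not True and run_as_user in (None, 0):
            violations.append(f"{name}: may run as root (set runAsNonRoot: true or a non-zero runAsUser)")
        if sc.get("privileged"):
            violations.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation is not false")
        if sc.get("readOnlyRootFilesystem") is not True:
            violations.append(f"{name}: readOnlyRootFilesystem is not true")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            violations.append(f"{name}: capabilities.drop does not include ALL")
        if not c.get("resources", {}).get("limits"):
            violations.append(f"{name}: no resource limits")
    return violations


# Constructed sample: the secure-pod manifest from section 2.3, with resource limits added.
SECURE_POD = {"kind": "Pod", "spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
    "containers": [{"name": "app", "image": "myapp:latest",
                    "resources": {"limits": {"memory": "512Mi", "cpu": "500m"}},
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "readOnlyRootFilesystem": True,
                                        "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}]}}

if __name__ == "__main__":
    # Usage: kubectl get deployment secure-app -o json | python check_pod_security.py
    manifest = json.load(sys.stdin) if not sys.stdin.isatty() else SECURE_POD
    for line in check_pod_security(manifest) or ["OK: all checks passed"]:
        print(line)
```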
10.3 Security toolchain
- Image scanning: Trivy, Clair, Docker Scan
- Runtime security: Falco, Aqua Security, Sysdig Secure
- Network security: Cilium, Calico, Istio
- Identity management: Keycloak, Dex, Azure AD
- Secrets management: HashiCorp Vault, AWS Secrets Manager, Azure Key Vault
- Compliance checks: kube-bench, Sonobuoy, CIS-CAT
- Monitoring and alerting: Prometheus, Grafana, Alertmanager
- Log management: ELK Stack, Loki, Fluentd
- Security auditing: Auditbeat, OpenSearch
- CI/CD security: Snyk, OWASP ZAP, GitGuardian
Production recommendations
- Establish a security policy: define a comprehensive cloud-native security policy
- Shift security left: integrate security into the early stages of development and deployment
- Automated security: use tools and pipelines to automate security checks
- Continuous security monitoring: monitor security events and vulnerabilities in real time
- Regular security audits: assess the security posture and uncover hidden risks
- Train the team: raise security awareness and skills
- Document security configuration: record security policies and settings
- Establish a security incident response process: handle security incidents promptly
- Update security tools regularly: pick up new features and security patches
- Take part in the security community: stay informed about the latest threats and defences
Compiled and published by 风哥教程 for learning and testing purposes only; when reposting, credit the source: http://www.fgedu.net.cn/10327.html
