内容大纲
1. Kubernetes安全概述
Kubernetes安全是云原生环境中的重要组成部分,它涉及集群、Pod、网络、身份与访问管理、密钥管理、运行时安全等多个方面。有效的Kubernetes安全措施可以保护集群免受攻击,确保应用的安全性和可靠性。
Kubernetes安全的核心挑战包括:
- 集群配置安全
- Pod安全策略
- 网络安全隔离
- 身份与访问管理
- 密钥管理
- 运行时安全
- 合规与审计
学习交流加群风哥微信: itpux-com
2. 集群安全
2.1 集群配置安全
# 配置kube-apiserver安全参数
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: v1.21.0
apiServer:
extraArgs:
enable-admission-plugins: “NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota,PodSecurityPolicy”
audit-log-path: /var/log/kubernetes/audit.log
audit-log-maxage: “30”
audit-log-maxbackup: “10”
audit-log-maxsize: “100”
tls-cert-file: /etc/kubernetes/pki/apiserver.crt
tls-private-key-file: /etc/kubernetes/pki/apiserver.key
client-ca-file: /etc/kubernetes/pki/ca.crt
requestheader-client-ca-file: /etc/kubernetes/pki/front-proxy-ca.crt
enable-bootstrap-token-auth: “true”
authorization-mode: “RBAC”
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: v1.21.0
apiServer:
extraArgs:
enable-admission-plugins: “NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota,PodSecurityPolicy”
audit-log-path: /var/log/kubernetes/audit.log
audit-log-maxage: “30”
audit-log-maxbackup: “10”
audit-log-maxsize: “100”
tls-cert-file: /etc/kubernetes/pki/apiserver.crt
tls-private-key-file: /etc/kubernetes/pki/apiserver.key
client-ca-file: /etc/kubernetes/pki/ca.crt
requestheader-client-ca-file: /etc/kubernetes/pki/front-proxy-ca.crt
enable-bootstrap-token-auth: “true”
authorization-mode: “RBAC”
2.2 节点安全
# 节点安全配置
# 1. 禁用特权容器
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: no-privileged
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: ‘docker/default’
apparmor.security.beta.kubernetes.io/allowedProfileNames: ‘runtime/default’
seccomp.security.alpha.kubernetes.io/defaultProfileName: ‘docker/default’
apparmor.security.beta.kubernetes.io/defaultProfileName: ‘runtime/default’
spec:
privileged: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
– ALL
volumes:
– ‘configMap’
– ’emptyDir’
– ‘projected’
– ‘secret’
– ‘downwardAPI’
– ‘persistentVolumeClaim’
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: ‘MustRunAsNonRoot’
seLinux:
rule: ‘RunAsAny’
supplementalGroups:
rule: ‘MustRunAs’
ranges:
– min: 1
max: 65535
fsGroup:
rule: ‘MustRunAs’
ranges:
– min: 1
max: 65535
readOnlyRootFilesystem: true
# 1. 禁用特权容器
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: no-privileged
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: ‘docker/default’
apparmor.security.beta.kubernetes.io/allowedProfileNames: ‘runtime/default’
seccomp.security.alpha.kubernetes.io/defaultProfileName: ‘docker/default’
apparmor.security.beta.kubernetes.io/defaultProfileName: ‘runtime/default’
spec:
privileged: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
– ALL
volumes:
– ‘configMap’
– ’emptyDir’
– ‘projected’
– ‘secret’
– ‘downwardAPI’
– ‘persistentVolumeClaim’
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: ‘MustRunAsNonRoot’
seLinux:
rule: ‘RunAsAny’
supplementalGroups:
rule: ‘MustRunAs’
ranges:
– min: 1
max: 65535
fsGroup:
rule: ‘MustRunAs’
ranges:
– min: 1
max: 65535
readOnlyRootFilesystem: true
2.3 集群安全最佳实践
- 定期更新Kubernetes版本
- 启用RBAC
- 使用Pod安全策略
- 配置节点安全措施
- 定期审计集群配置
风哥风哥提示:集群安全是Kubernetes安全的基础,需要从配置、节点和网络等多个方面进行防护。
3. Pod安全
3.1 Pod安全上下文
# Pod安全上下文配置
apiVersion: v1
kind: Pod
metadata:
name: secure-pod
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
supplementalGroups: [1001, 1002]
seLinuxOptions:
level: “s0:c123,c456”
containers:
– name: app
image: myapp:latest
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
capabilities:
drop:
– ALL
add:
– NET_BIND_SERVICE
seccompProfile:
type: RuntimeDefault
seLinuxOptions:
level: “s0:c123,c456”
apiVersion: v1
kind: Pod
metadata:
name: secure-pod
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
supplementalGroups: [1001, 1002]
seLinuxOptions:
level: “s0:c123,c456”
containers:
– name: app
image: myapp:latest
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
capabilities:
drop:
– ALL
add:
– NET_BIND_SERVICE
seccompProfile:
type: RuntimeDefault
seLinuxOptions:
level: “s0:c123,c456”
3.2 Pod安全策略
# Pod安全策略配置
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: restricted
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: ‘docker/default’
apparmor.security.beta.kubernetes.io/allowedProfileNames: ‘runtime/default’
seccomp.security.alpha.kubernetes.io/defaultProfileName: ‘docker/default’
apparmor.security.beta.kubernetes.io/defaultProfileName: ‘runtime/default’
spec:
privileged: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
– ALL
volumes:
– ‘configMap’
– ’emptyDir’
– ‘projected’
– ‘secret’
– ‘downwardAPI’
– ‘persistentVolumeClaim’
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: ‘MustRunAsNonRoot’
seLinux:
rule: ‘RunAsAny’
supplementalGroups:
rule: ‘MustRunAs’
ranges:
– min: 1
max: 65535
fsGroup:
rule: ‘MustRunAs’
ranges:
– min: 1
max: 65535
readOnlyRootFilesystem: true
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: restricted
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: ‘docker/default’
apparmor.security.beta.kubernetes.io/allowedProfileNames: ‘runtime/default’
seccomp.security.alpha.kubernetes.io/defaultProfileName: ‘docker/default’
apparmor.security.beta.kubernetes.io/defaultProfileName: ‘runtime/default’
spec:
privileged: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
– ALL
volumes:
– ‘configMap’
– ’emptyDir’
– ‘projected’
– ‘secret’
– ‘downwardAPI’
– ‘persistentVolumeClaim’
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: ‘MustRunAsNonRoot’
seLinux:
rule: ‘RunAsAny’
supplementalGroups:
rule: ‘MustRunAs’
ranges:
– min: 1
max: 65535
fsGroup:
rule: ‘MustRunAs’
ranges:
– min: 1
max: 65535
readOnlyRootFilesystem: true
3.3 Pod安全最佳实践
- 使用非root用户运行容器
- 设置只读文件系统
- 限制容器能力
- 使用Pod安全策略
- 定期扫描容器镜像
更多学习教程www.fgedu.net.cn
4. 网络安全
4.1 网络策略
# 网络策略配置
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: web-allow-all
namespace: default
spec:
podSelector:
matchLabels:
app: web
ingress:
– from:
– podSelector:
matchLabels:
app: frontend
ports:
– protocol: TCP
port: 80
egress:
– to:
– podSelector:
matchLabels:
app: backend
ports:
– protocol: TCP
port: 8080
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: web-allow-all
namespace: default
spec:
podSelector:
matchLabels:
app: web
ingress:
– from:
– podSelector:
matchLabels:
app: frontend
ports:
– protocol: TCP
port: 80
egress:
– to:
– podSelector:
matchLabels:
app: backend
ports:
– protocol: TCP
port: 8080
4.2 服务网格安全
# Istio mTLS配置
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: default
spec:
mtls:
mode: STRICT
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: default
spec:
mtls:
mode: STRICT
4.3 网络安全最佳实践
- 使用网络策略限制Pod间通信
- 启用服务网格的mTLS
- 使用Ingress控制器管理外部访问
- 配置网络访问控制列表
- 监控网络流量异常
5. 身份与访问管理
5.1 Kubernetes RBAC
# 创建服务账户
apiVersion: v1
kind: ServiceAccount
metadata:
name: my-service-account
namespace: default
apiVersion: v1
kind: ServiceAccount
metadata:
name: my-service-account
namespace: default
# 创建角色
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: pod-reader
namespace: default
rules:
– apiGroups: [“”]
resources: [“pods”]
verbs: [“get”, “watch”, “list”]
# 创建角色绑定
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-pods
namespace: default
subjects:
– kind: ServiceAccount
name: my-service-account
namespace: default
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
5.2 OIDC集成
# Kubernetes OIDC配置
apiVersion: v1
kind: ConfigMap
metadata:
name: kube-apiserver
namespace: kube-system
data:
kube-apiserver.yaml: |
apiServer:
extraArgs:
oidc-issuer-url: https://accounts.google.com
oidc-client-id: my-client-id
oidc-username-claim: email
oidc-groups-claim: groups
apiVersion: v1
kind: ConfigMap
metadata:
name: kube-apiserver
namespace: kube-system
data:
kube-apiserver.yaml: |
apiServer:
extraArgs:
oidc-issuer-url: https://accounts.google.com
oidc-client-id: my-client-id
oidc-username-claim: email
oidc-groups-claim: groups
5.3 身份与访问管理最佳实践
- 实施最小权限原则
- 使用RBAC进行访问控制
- 集成OIDC进行身份认证
- 定期审计访问权限
- 使用服务账户而非用户账户
author:www.itpux.com
6. 密钥管理
6.1 Kubernetes Secrets
# 创建Secret
$ kubectl create secret generic my-secret \
–from-literal=username=admin \
–from-literal=password=secret123
$ kubectl create secret generic my-secret \
–from-literal=username=admin \
–from-literal=password=secret123
# 在Pod中使用Secret
apiVersion: v1
kind: Pod
metadata:
name: my-pod
spec:
containers:
– name: app
image: myapp:latest
env:
– name: USERNAME
valueFrom:
secretKeyRef:
name: my-secret
key: username
– name: PASSWORD
valueFrom:
secretKeyRef:
name: my-secret
key: password
6.2 外部密钥管理
- HashiCorp Vault
- AWS Secrets Manager
- Azure Key Vault
- Google Secret Manager
6.3 密钥管理最佳实践
- 使用外部密钥管理系统
- 定期轮换密钥
- 加密存储密钥
- 限制密钥访问权限
- 审计密钥使用情况
更多学习教程公众号风哥教程itpux_com
7. 运行时安全
7.1 运行时监控
# 使用Falco监控运行时行为
$ helm repo add falcosecurity https://falcosecurity.github.io/charts
$ helm install falco falcosecurity/falco
$ helm repo add falcosecurity https://falcosecurity.github.io/charts
$ helm install falco falcosecurity/falco
# 查看Falco告警
$ kubectl logs -n falco deployment/falco
7.2 运行时防护
- 使用Falco进行行为监控
- 使用AppArmor或SELinux限制容器行为
- 使用gVisor提供额外的隔离层
- 实施运行时沙箱
7.3 运行时安全最佳实践
- 监控容器行为异常
- 限制容器网络访问
- 禁止特权容器
- 使用只读文件系统
- 定期扫描运行时漏洞
8. 合规与审计
8.1 审计日志
# 启用Kubernetes审计日志
apiVersion: v1
kind: ConfigMap
metadata:
name: kube-apiserver
namespace: kube-system
data:
kube-apiserver.yaml: |
apiServer:
extraArgs:
audit-log-path: /var/log/kubernetes/audit.log
audit-log-maxage: “30”
audit-log-maxbackup: “10”
audit-log-maxsize: “100”
audit-policy-file: /etc/kubernetes/audit-policy.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: kube-apiserver
namespace: kube-system
data:
kube-apiserver.yaml: |
apiServer:
extraArgs:
audit-log-path: /var/log/kubernetes/audit.log
audit-log-maxage: “30”
audit-log-maxbackup: “10”
audit-log-maxsize: “100”
audit-policy-file: /etc/kubernetes/audit-policy.yaml
# 审计策略配置
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
– level: RequestResponse
resources:
– group: “”
resources: [“secrets”, “configmaps”]
– level: Metadata
resources:
– group: “”
resources: [“pods”, “services”, “deployments”]
8.2 合规扫描
# 使用kubesec扫描Kubernetes配置
$ docker run -i kubesec/kubesec:latest scan /dev/stdin <
$ docker run -i kubesec/kubesec:latest scan /dev/stdin <
8.3 合规与审计最佳实践
- 启用审计日志
- 定期进行合规扫描
- 实施安全策略即代码
- 定期进行安全审计
- 建立合规监控体系
风哥风哥提示:合规与审计是Kubernetes安全的重要组成部分,需要建立完善的监控和审计体系。
9. 最佳实践
9.1 集群安全最佳实践
- 启用RBAC
- 使用Pod安全策略
- 配置节点安全措施
- 定期更新Kubernetes版本
- 使用网络策略限制通信
9.2 Pod安全最佳实践
- 使用非root用户运行容器
- 设置只读文件系统
- 限制容器能力
- 使用Pod安全策略
- 定期扫描容器镜像
9.3 网络安全最佳实践
- 使用网络策略限制Pod间通信
- 启用服务网格的mTLS
- 使用Ingress控制器管理外部访问
- 配置网络访问控制列表
- 监控网络流量异常
9.4 身份与访问管理最佳实践
- 实施最小权限原则
- 使用RBAC进行访问控制
- 集成OIDC进行身份认证
- 定期审计访问权限
- 使用服务账户而非用户账户
9.5 密钥管理最佳实践
- 使用外部密钥管理系统
- 定期轮换密钥
- 加密存储密钥
- 限制密钥访问权限
- 审计密钥使用情况
学习交流加群风哥QQ113257174
10. 安全工具
10.1 集群安全工具
- Kubesec:Kubernetes配置安全扫描
- Pod Security Policy:Pod安全策略
- Network Policy:网络策略
- Kubernetes Audit:审计日志
10.2 容器安全工具
- Trivy:容器镜像扫描
- Clair:容器镜像漏洞扫描
- Docker Bench for Security:Docker安全检查
- Aqua Security:容器安全平台
10.3 运行时安全工具
- Falco:运行时行为监控
- AppArmor:Linux安全模块
- SELinux:安全增强Linux
- gVisor:容器运行时沙箱
10.4 密钥管理工具
- HashiCorp Vault:密钥管理
- AWS Secrets Manager:AWS密钥管理
- Azure Key Vault:Azure密钥管理
- Google Secret Manager:Google密钥管理
10.5 合规与审计工具
- InSpec:安全合规测试
- Checkov:基础设施即代码扫描
- Terraform Sentinel:基础设施即代码安全
- OPA:策略引擎
生产环境风哥建议:
- 建立完善的Kubernetes安全体系
- 实施自动化安全工具
- 定期进行安全评估和审计
- 建立安全事件响应机制
- 持续更新安全措施
- 培训开发和运维人员的安全意识
author:www.itpux.com
本文由风哥教程整理发布,仅用于学习测试使用,转载注明出处:http://www.fgedu.net.cn/10327.html
