KubeSphere Tutorial FG022: Network Policy and Pod Security Control in KubeSphere, Hands-On
This tutorial walks through network policy and Pod security control in KubeSphere in practice, covering basic concepts, production-environment planning, a concrete implementation plan, and hands-on cases. The Feng Ge tutorial draws on the official KubeSphere documentation, including the KubeSphere Container Platform User Guide and KubeSphere Security Management.
Table of Contents
Part01 - Basic Concepts and Theory
1.1 Core concepts of network policy
A network policy (NetworkPolicy) is the Kubernetes rule type that controls communication between Pods. It lets us:
- Restrict which Pods may talk to each other
- Control a Pod's inbound (ingress) and outbound (egress) traffic
- Define communication rules with label selectors
- Achieve network isolation and raise cluster security
1.2 Core concepts of Pod security control
Pod security control is the set of Kubernetes mechanisms that protect Pods, including:
- PodSecurityPolicy (PSP): deprecated and replaced by the Pod Security Standards
- Pod Security Standards (PSS): define three security levels, Privileged, Baseline and Restricted
- Pod Security Admission (PSA): the admission controller that enforces the PSS
- Security context (securityContext): security-related settings applied to Pods and containers
1.3 Security model and protection strategy
The Kubernetes security model is based on the following principles:
- Deny by default: by default all communication is denied and must be explicitly allowed
- Least privilege: grant only the permissions that are needed
- Defence in depth: apply multiple layers of security measures
- Audit and monitoring: monitor security events in real time
Part02 - Production Environment Planning and Recommendations
2.1 Network security planning
Network security planning is essential before implementing network policies:
- Network isolation: deploy applications with different functions in different namespaces
- Communication rules: define explicitly which Pods may communicate with which
- Traffic control: restrict unnecessary inbound and outbound traffic
- Policy testing: test network policies thoroughly in a test environment
2.2 Pod security planning
Pod security planning is equally important for protecting applications:
- Choice of security standard: pick the Pod Security Standard level that fits the application's needs
- Security context configuration: set an appropriate security context for Pods and containers
- Permission management: keep tight control over what a Pod is allowed to do
- Container image security: use trusted images and update them regularly
2.3 Security policy planning
Security policy planning is the core of network policy and Pod security control:
- Policy tiers: define different policy levels according to the application's security requirements
- Policy testing: verify the effectiveness of security policies in a test environment
- Policy updates: update security policies regularly to keep up with new threats
- Policy audit: audit the enforcement of security policies regularly
Part03 - Production Project Implementation Plan
3.1 Network policy configuration
Steps to configure a network policy in KubeSphere:
- Create a namespace: give the application its own namespace
- Define the network policy: write the policy according to the application's needs
- Apply the network policy: apply it in the namespace
- Test the network policy: verify that it takes effect
3.2 Pod security policy configuration
Steps to configure Pod security:
- Enable Pod Security Admission: enable PSA in the cluster
- Configure the Pod Security Standard for the namespace: choose the appropriate level
- Verify the configuration: make sure the Pods still run normally
- Adjust the configuration: tune the security settings to the application's needs
3.3 Security context configuration
Steps to configure the security context:
- Set the Pod security context: Pod-level security settings
- Set the container security context: container-level security settings
- Test the configuration: make sure the application runs normally
- Optimise the configuration: refine the security settings to the application's needs
Part04 - Production Cases and Hands-On Walkthrough
4.1 Network policy case
Let us walk through configuring a network policy in practice:
# Create the namespace
kubectl create namespace fgedu
namespace/fgedu created
# Deploy the application
cat > app-deployment.yaml << EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  namespace: fgedu
spec:
  replicas: 3
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
      - name: app
        image: nginx:1.19.10
        ports:
        - containerPort: 80
EOF
kubectl apply -f app-deployment.yaml
deployment.apps/app created
# Create the Service
cat > app-service.yaml << EOF
apiVersion: v1
kind: Service
metadata:
  name: app
  namespace: fgedu
spec:
  selector:
    app: app
  ports:
  - port: 80
    targetPort: 80
EOF
kubectl apply -f app-service.yaml
service/app created
# Create the network policy
cat > network-policy.yaml << EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: app-network-policy
  namespace: fgedu
spec:
  podSelector:
    matchLabels:
      app: app
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 80
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: backend
    ports:
    - protocol: TCP
      port: 8080
  - to:
    - namespaceSelector:
        matchLabels:
          # Every namespace carries this label automatically (Kubernetes 1.21+);
          # a plain "name" label does not exist unless you add it yourself
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53
EOF
kubectl apply -f network-policy.yaml
networkpolicy.networking.k8s.io/app-network-policy created
# Test the network policy
# Create a test Pod
kubectl run test-pod --image=busybox --namespace=fgedu --command -- sleep 3600
pod/test-pod created
# Try to reach the app Service from the test Pod (-T 5: give up after 5 seconds instead of hanging)
kubectl exec -it test-pod --namespace=fgedu -- wget -q -T 5 -O - http://app
# Expected to fail: the test Pod does not carry the frontend label
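The hand test above only shows one outcome. To make the selector semantics of section 1.1 and of this policy visible without a cluster, here is an added example (not code from the tutorial or from KubeSphere) that evaluates the 4.1 policy offline: it models the NetworkPolicy API rules (a Pod selected by a policy for a direction accepts only what some rule allows; an unselected Pod keeps the open default; namespaceSelector and podSelector are ANDed within one peer). The Pods, their labels and the namespace labels are constructed sample data; the `run=test-pod` label is what `kubectl run` sets. Whether the rules are enforced on a real cluster still depends on the CNI plugin.

```python
"""Offline NetworkPolicy evaluator for the section 4.1 policy (added example).

Models the NetworkPolicy API semantics over dict manifests with the same keys
as the page's YAML. Pods and namespace labels below are constructed samples.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Pod:
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)


def selector_matches(selector, labels):
    """matchLabels semantics: every key/value pair must be present; {} matches all."""
    return all(labels.get(k) == v for k, v in (selector or {}).get("matchLabels", {}).items())


def policy_types(spec):
    """Default policyTypes: Ingress always, Egress only when egress rules are present."""
    return spec.get("policyTypes") or (["Ingress", "Egress"] if "egress" in spec else ["Ingress"])


def peer_matches(peer, pod, policy_ns, ns_labels):
    """from/to peer: namespaceSelector and podSelector are ANDed when both are present;
    a podSelector alone only matches Pods in the policy's own namespace."""
    if "ipBlock" in peer:
        return False  # Pod-to-Pod evaluation only; ipBlock peers are not modelled
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is not None:
        if not selector_matches(ns_sel, ns_labels.get(pod.namespace, {})):
            return False
    elif pod.namespace != policy_ns:
        return False
    return pod_sel is None or selector_matches(pod_sel, pod.labels)


def port_matches(ports, protocol, port):
    """An absent or empty ports list allows every port and protocol."""
    return not ports or any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)


def side_allows(policies, pod, direction, peer, protocol, port, ns_labels):
    """One side of the connection: Egress for the source Pod, Ingress for the destination."""
    peer_key = "to" if direction == "Egress" else "from"
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == pod.namespace
                 and direction in policy_types(p["spec"])
                 and selector_matches(p["spec"].get("podSelector"), pod.labels)]
    if not selecting:
        return True, "no policy selects the pod (default allow)"
    for pol in selecting:
        for rule in pol["spec"].get(direction.lower()) or []:
            peers = rule.get(peer_key) or []   # empty from/to means "any peer"
            if (not peers or any(peer_matches(pe, peer, pod.namespace, ns_labels) for pe in peers)) \
                    and port_matches(rule.get("ports"), protocol, port):
                return True, f"allowed by {pol['metadata']['name']}"
    return False, "selected by a policy but no rule matches (deny)"


def allowed(policies, src, dst, protocol, port, ns_labels):
    """src -> dst:port passes only if src's egress AND dst's ingress both allow it."""
    ok_out, why_out = side_allows(policies, src, "Egress", dst, protocol, port, ns_labels)
    ok_in, why_in = side_allows(policies, dst, "Ingress", src, protocol, port, ns_labels)
    return ok_out and ok_in, f"egress: {why_out}; ingress: {why_in}"


# The section 4.1 policy as a dict; kube-system is matched by its automatic name label
APP_POLICY = {
    "metadata": {"name": "app-network-policy", "namespace": "fgedu"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "app"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                     "ports": [{"protocol": "TCP", "port": 80}]}],
        "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "backend"}}}],
                    "ports": [{"protocol": "TCP", "port": 8080}]},
                   {"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}}}],
                    "ports": [{"protocol": "UDP", "port": 53}]}],
    },
}
NS_LABELS = {ns: {"kubernetes.io/metadata.name": ns} for ns in ("fgedu", "kube-system")}
APP = Pod("app-7d9f", "fgedu", {"app": "app"})                 # constructed sample Pods
FRONTEND = Pod("frontend-1", "fgedu", {"app": "frontend"})
BACKEND = Pod("backend-1", "fgedu", {"app": "backend"})
TEST_POD = Pod("test-pod", "fgedu", {"run": "test-pod"})        # kubectl run adds run=<name>
COREDNS = Pod("coredns-1", "kube-system", {"k8s-app": "kube-dns"})


def demo():
    """The check section 4.1 does by hand plus a few more; returns {label: allowed}."""
    cases = {"frontend->app:80/TCP": (FRONTEND, APP, "TCP", 80),
             "test-pod->app:80/TCP": (TEST_POD, APP, "TCP", 80),
             "app->backend:8080/TCP": (APP, BACKEND, "TCP", 8080),
             "app->backend:443/TCP": (APP, BACKEND, "TCP", 443),
             "app->coredns:53/UDP": (APP, COREDNS, "UDP", 53)}
    results = {}
    for label, (src, dst, proto, port) in cases.items():
        ok, why = allowed([APP_POLICY], src, dst, proto, port, NS_LABELS)
        results[label] = ok
        print(f"{label:24} {'ALLOW' if ok else 'DENY '}  {why}")
    return results


if __name__ == "__main__":
    demo()
```

Running it shows that the test Pod is denied on the ingress side of `app`, that a Pod carrying `app=frontend` gets through, and that `app` itself can only reach `backend:8080` and DNS in kube-system; the same evaluator can be pointed at any policy/Pod set expressed as dicts to review a policy before applying it.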
4.2 Pod security control case
Let us walk through configuring Pod security control in practice:
# Configure the Pod Security Standard for the namespace
kubectl label namespace fgedu pod-security.kubernetes.io/enforce=baseline pod-security.kubernetes.io/enforce-version=v1.24
namespace/fgedu labeled
# Test the Pod Security Standard
# Create a Pod that complies with the baseline level
cat > baseline-pod.yaml << EOF
apiVersion: v1
kind: Pod
metadata:
  name: baseline-pod
  namespace: fgedu
spec:
  containers:
  - name: app
    image: nginx:1.19.10
EOF
kubectl apply -f baseline-pod.yaml
pod/baseline-pod created
# Create a Pod that violates the baseline level
cat > non-compliant-pod.yaml << EOF
apiVersion: v1
kind: Pod
metadata:
  name: non-compliant-pod
  namespace: fgedu
spec:
  containers:
  - name: app
    image: nginx:1.19.10
    securityContext:
      privileged: true
EOF
kubectl apply -f non-compliant-pod.yaml
Error from server (Forbidden): pods "non-compliant-pod" is forbidden: violates PodSecurity "baseline:v1.24": privileged (container "app" must not set securityContext.privileged=true)
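The admission error above is produced only once the manifest reaches the API server. As an added example (not the tutorial's or Kubernetes' own code), the checker below re-implements a subset of the upstream baseline and restricted controls so a manifest can be vetted offline, and it also serves section 3.3: the constructed `HARDENED_POD` shows the Pod-level and container-level securityContext that the restricted level demands (non-root, no privilege escalation, all capabilities dropped, a seccomp profile). The three Pod dicts are constructed samples with the same keys as the page's YAML; admission checks fields only, so the image itself must actually be able to run as the chosen UID.

```python
"""Offline Pod Security Standards checker (added example).

Re-implements a subset of the baseline and restricted controls and reports
violations in the style of the Pod Security Admission error on the page.
"""

# Capabilities a container may add under baseline on top of the runtime defaults
BASELINE_ADD_CAPS = {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
                     "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP",
                     "SETUID", "SYS_CHROOT"}


def containers(spec):
    """Every container the standards apply to: init, regular and ephemeral."""
    return spec.get("initContainers", []) + spec.get("containers", []) + spec.get("ephemeralContainers", [])


def check_baseline(pod):
    """Baseline: forbid the well-known privilege escalations (subset of the upstream list)."""
    spec, v = pod["spec"], []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            v.append(f"host namespaces (spec.{key}=true is not allowed)")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            v.append(f"hostPath volumes (volume \"{vol.get('name')}\" uses hostPath)")
    for c in containers(spec):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            v.append(f"privileged (container \"{c['name']}\" must not set securityContext.privileged=true)")
        extra = set(sc.get("capabilities", {}).get("add", [])) - BASELINE_ADD_CAPS
        if extra:
            v.append(f"non-default capabilities (container \"{c['name']}\" must not add {sorted(extra)})")
        if any(p.get("hostPort") for p in c.get("ports", [])):
            v.append(f"hostPort (container \"{c['name']}\" must not set hostPort)")
    return v


def check_restricted(pod):
    """Restricted: baseline plus the security-context hardening of sections 3.3 and 5.3."""
    spec, v = pod["spec"], check_baseline(pod)
    pod_sc = spec.get("securityContext", {})
    for c in containers(spec):
        sc, name = c.get("securityContext", {}), c["name"]
        caps = sc.get("capabilities", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            v.append(f"allowPrivilegeEscalation != false (container \"{name}\" must set it to false)")
        if "ALL" not in caps.get("drop", []):
            v.append(f"unrestricted capabilities (container \"{name}\" must drop ALL)")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            v.append(f"restricted capabilities (container \"{name}\" may only add NET_BIND_SERVICE)")
        # Pod-level settings apply unless the container overrides them
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            v.append(f"runAsNonRoot != true (container \"{name}\")")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            v.append(f"seccompProfile (container \"{name}\" must set type RuntimeDefault or Localhost)")
    return v


CHECKS = {"privileged": lambda pod: [], "baseline": check_baseline, "restricted": check_restricted}


def evaluate(pod, level):
    """Return (admitted, message); the message mirrors the PSA error format."""
    violations = CHECKS[level](pod)
    name = pod["metadata"]["name"]
    if not violations:
        return True, f"pod \"{name}\" admitted at level {level}"
    return False, f"pods \"{name}\" is forbidden: violates PodSecurity \"{level}\": " + ", ".join(violations)


# Constructed sample Pods: the two from section 4.2 and a hardened one built per section 3.3
BASELINE_POD = {"metadata": {"name": "baseline-pod", "namespace": "fgedu"},
                "spec": {"containers": [{"name": "app", "image": "nginx:1.19.10"}]}}
NON_COMPLIANT_POD = {"metadata": {"name": "non-compliant-pod", "namespace": "fgedu"},
                     "spec": {"containers": [{"name": "app", "image": "nginx:1.19.10",
                                              "securityContext": {"privileged": True}}]}}
HARDENED_POD = {"metadata": {"name": "hardened-pod", "namespace": "fgedu"},
                "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 10001,   # Pod level
                                             "seccompProfile": {"type": "RuntimeDefault"}},
                         "containers": [{"name": "app", "image": "nginx:1.19.10",
                                         "securityContext": {"allowPrivilegeEscalation": False,  # container level
                                                             "readOnlyRootFilesystem": True,
                                                             "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for pod, level in ((BASELINE_POD, "baseline"), (NON_COMPLIANT_POD, "baseline"),
                       (BASELINE_POD, "restricted"), (HARDENED_POD, "restricted")):
        print(evaluate(pod, level)[1])
```

Note that `baseline-pod` passes baseline but fails restricted: a Pod with no securityContext at all is acceptable at baseline, while restricted requires the explicit hardening shown in `HARDENED_POD`. This is the practical difference between the levels listed in section 1.2.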
4.3 Multi-tenant security isolation in practice
Let us walk through multi-tenant security isolation in practice:
# Create the tenant namespaces
kubectl create namespace fgedu-tenant1
kubectl create namespace fgedu-tenant2
namespace/fgedu-tenant1 created
namespace/fgedu-tenant2 created
# Configure a network policy for each namespace
cat > tenant1-network-policy.yaml << EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tenant1-network-policy
  namespace: fgedu-tenant1
spec:
  # Empty podSelector: the policy applies to every Pod in the namespace
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          # Namespaces carry this label automatically (Kubernetes 1.21+); a custom
          # "name" label is not set by "kubectl create namespace" and would match nothing
          kubernetes.io/metadata.name: fgedu-tenant1
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: fgedu-tenant1
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53
EOF
kubectl apply -f tenant1-network-policy.yaml
networkpolicy.networking.k8s.io/tenant1-network-policy created
# Create the equivalent network policy for tenant2
cat > tenant2-network-policy.yaml << EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tenant2-network-policy
  namespace: fgedu-tenant2
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: fgedu-tenant2
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: fgedu-tenant2
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53
EOF
kubectl apply -f tenant2-network-policy.yaml
networkpolicy.networking.k8s.io/tenant2-network-policy created
# Test the multi-tenant isolation
# Create a Pod in tenant1
kubectl run tenant1-pod --image=busybox --namespace=fgedu-tenant1 --command -- sleep 3600
pod/tenant1-pod created
# Create a Pod in tenant2
kubectl run tenant2-pod --image=nginx:1.19.10 --namespace=fgedu-tenant2
pod/tenant2-pod created
# Try to reach tenant2 from tenant1 (-T 5: give up after 5 seconds instead of hanging)
# Note: this hostname only resolves if a Service named tenant2-pod exists in fgedu-tenant2;
# to test the policy itself, use the Pod IP from: kubectl get pod tenant2-pod -n fgedu-tenant2 -o wide
kubectl exec -it tenant1-pod --namespace=fgedu-tenant1 -- wget -q -T 5 -O - http://tenant2-pod.fgedu-tenant2.svc.cluster.local
# Expected to fail: the network policies block cross-namespace traffic in both directions
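Writing one such policy per tenant by hand does not scale and invites copy-paste mistakes (a wrong namespace in one selector silently opens a tenant). As an added example (not the tutorial's or KubeSphere's code), the generator below emits the 4.3 isolation policy for any list of tenant namespaces and then checks the result for the invariants that matter: every Pod selected, both directions restricted, and no ingress allowed from another tenant's namespace. It matches namespaces by the `kubernetes.io/metadata.name` label the API server sets automatically, so no manual labelling is needed. Two details go beyond the page and are my additions: DNS egress also allows TCP/53 (needed for large responses), and an optional `ingress_from` parameter admits traffic from a shared namespace such as an ingress controller's. Output is a v1 List in JSON, which `kubectl apply -f` accepts like YAML; the tenant names are the page's.

```python
"""Per-tenant isolation NetworkPolicy generator with a self-check (added example)."""
import json


def ns_peer(namespace):
    """A from/to peer matching all Pods in one namespace via its automatic name label."""
    return {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": namespace}}}


def tenant_policy(namespace, ingress_from=(), dns_namespace="kube-system"):
    """The section 4.3 policy generalised: same-namespace traffic only, plus DNS egress."""
    ingress = [{"from": [ns_peer(namespace)]}]
    if ingress_from:   # assumption: shared namespaces (e.g. an ingress controller) may call in
        ingress.append({"from": [ns_peer(n) for n in ingress_from]})
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"{namespace}-isolation", "namespace": namespace},
        "spec": {
            "podSelector": {},                     # every Pod in the namespace
            "policyTypes": ["Ingress", "Egress"],
            "ingress": ingress,
            "egress": [
                {"to": [ns_peer(namespace)]},
                {"to": [ns_peer(dns_namespace)],   # DNS over UDP and TCP (TCP added here)
                 "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]},
            ],
        },
    }


def isolation_manifests(tenants, ingress_from=()):
    """A v1 List with one policy per tenant, ready for kubectl apply -f."""
    return {"apiVersion": "v1", "kind": "List",
            "items": [tenant_policy(t, ingress_from) for t in tenants]}


def render(manifest):
    """JSON is a valid manifest format for kubectl; no YAML library needed."""
    return json.dumps(manifest, indent=2)


def verify_isolation(manifest):
    """Invariants every tenant policy must satisfy; returns a list of problems (empty = OK)."""
    tenants = {p["metadata"]["namespace"] for p in manifest["items"]}
    problems = []
    for p in manifest["items"]:
        spec, ns = p["spec"], p["metadata"]["namespace"]
        if spec.get("podSelector") != {}:
            problems.append(f"{ns}: podSelector must be empty to cover every Pod")
        if set(spec.get("policyTypes", [])) != {"Ingress", "Egress"}:
            problems.append(f"{ns}: both Ingress and Egress must be restricted")
        for rule in spec.get("ingress", []):
            for peer in rule.get("from", []):
                src = peer.get("namespaceSelector", {}).get("matchLabels", {}).get("kubernetes.io/metadata.name")
                if src in tenants - {ns}:
                    problems.append(f"{ns}: ingress allowed from other tenant {src}")
    return problems


if __name__ == "__main__":
    manifest = isolation_manifests(["fgedu-tenant1", "fgedu-tenant2"])
    assert verify_isolation(manifest) == []
    print(render(manifest))   # pipe into: kubectl apply -f -
```

The self-check is deliberately run before rendering: if a later edit adds one tenant to another's `ingress_from`, `verify_isolation` reports it and nothing is applied.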
Part05 - Feng Ge's Lessons Learned and Tips
5.1 Common problems and solutions
Common problems when implementing network policy and Pod security control, and how to solve them:
- Network policy has no effect: check that the network (CNI) plugin supports NetworkPolicy and that the policy is configured correctly
- Pod creation fails: check the Pod Security Standard configuration and make sure the Pod meets the requirements of the enforced level
- Applications cannot communicate: check the network policy configuration and make sure the required traffic is allowed
- Security context misconfiguration: check the security context settings against what the application needs
5.2 Best practice recommendations
Best practices for network policy and Pod security control:
- Adopt a default-deny policy: deny all communication by default and allow only what is necessary
- Use namespace isolation: deploy applications with different functions in different namespaces
- Choose the right security standard: pick the Pod Security Standard level that fits the application
- Audit regularly: audit network policies and Pod security configuration regularly to keep them effective
- Test and verify: test network policies and security configuration thoroughly in a test environment
5.3 Security hardening tips
Hardening tips for network policy and Pod security control:
- Apply the principle of least privilege: grant applications only the permissions they need
- Restrict container capabilities: add only the capabilities that are required
- Run as a non-root user: run containers as a non-root user
- Enable SELinux or AppArmor: strengthen container confinement
- Update container images regularly: fix security vulnerabilities promptly
When implementing network policy and Pod security control, always test thoroughly in a test environment first to make sure that normal application operation is not affected.
This article was compiled and published by Feng Ge Tutorials for learning and testing purposes only; when reproducing it, credit the source: http://www.fgedu.net.cn/10327.html
