Kubernetes安全加固指南：构建安全的容器平台

Kubernetes安全加固指南构建安全的容器平台一、Kubernetes安全概述Kubernetes安全涉及多个层面包括网络安全、Pod安全、数据安全、访问控制等。构建安全的Kubernetes集群需要从多个维度进行加固。1.1 安全维度维度说明关注点网络安全Pod间通信、外部访问控制NetworkPolicy、Ingress安全Pod安全容器运行时安全权限控制、资源限制数据安全敏感数据保护Secret管理、数据加密访问控制API访问权限RBAC、认证授权镜像安全容器镜像安全镜像扫描、签名验证运行时安全运行时防护seccomp、AppArmor1.2 安全架构外部网络 ↓ Firewall/Ingress Controller ↓ NetworkPolicy (网络隔离) ↓ Pod Security Standards ↓ RBAC (访问控制) ↓ Secrets/Encryption (数据安全)二、网络安全加固2.1 NetworkPolicy配置apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-all-ingress spec: podSelector: {} policyTypes: - Ingress ingress: [] --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-database-access spec: podSelector: matchLabels: app: database policyTypes: - Ingress ingress: - from: - podSelector: matchLabels: app: api - podSelector: matchLabels: app: worker ports: - protocol: TCP port: 54322.2 Ingress安全配置apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: secure-ingress annotations: nginx.ingress.kubernetes.io/ssl-redirect: true nginx.ingress.kubernetes.io/force-ssl-redirect: true nginx.ingress.kubernetes.io/hsts: true nginx.ingress.kubernetes.io/hsts-max-age: 31536000 spec: tls: - hosts: - secure.example.com secretName: tls-secret rules: - host: secure.example.com http: paths: - path: / pathType: Prefix backend: service: name: secure-service port: number: 4432.3 服务账户隔离apiVersion: v1 kind: ServiceAccount metadata: name: limited-sa namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: limited-role namespace: default rules: - apiGroups: [] resources: [pods] verbs: [get, list] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: limited-binding namespace: default subjects: - kind: ServiceAccount name: limited-sa roleRef: kind: Role name: limited-role apiGroup: rbac.authorization.k8s.io三、Pod安全加固3.1 Pod安全标准apiVersion: v1 kind: Pod metadata: name: secure-pod spec: securityContext: runAsNonRoot: true runAsUser: 1000 fsGroup: 2000 seccompProfile: type: RuntimeDefault containers: - name: app image: my-app:latest securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsNonRoot: true capabilities: drop: - ALL resources: requests: cpu: 100m memory: 256Mi limits: cpu: 500m memory: 512Mi3.2 Seccomp配置apiVersion: v1 kind: Pod metadata: name: seccomp-pod annotations: seccomp.security.alpha.kubernetes.io/pod: runtime/default spec: containers: - name: app image: my-app:latest3.3 AppArmor配置apiVersion: v1 kind: Pod metadata: name: apparmor-pod annotations: container.apparmor.security.beta.kubernetes.io/app: runtime/default spec: containers: - name: app image: my-app:latest四、数据安全加固4.1 Secret管理apiVersion: v1 kind: Secret metadata: name: db-secret type: Opaque data: username: dXNlcjE password: cGFzc3dvcmQ --- apiVersion: v1 kind: Pod metadata: name: secret-pod spec: containers: - name: app image: my-app:latest env: - name: DB_USERNAME valueFrom: secretKeyRef: name: db-secret key: username - name: DB_PASSWORD valueFrom: secretKeyRef: name: db-secret key: password4.2 数据加密配置apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: encrypted-storage provisioner: kubernetes.io/aws-ebs parameters: type: gp3 encrypted: true reclaimPolicy: Delete4.3 敏感数据审计apiVersion: audit.k8s.io/v1 kind: Policy rules: - level: RequestResponse resources: - group: resources: [secrets] - level: Metadata resources: - group: resources: [configmaps]五、镜像安全5.1 镜像拉取策略apiVersion: v1 kind: Pod metadata: name: secure-image-pod spec: imagePullSecrets: - name: regcred containers: - name: app image: registry.example.com/my-app:v1.0.0 imagePullPolicy: Always5.2 镜像签名验证apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: image-validation-webhook webhooks: - name: image-validation.example.com rules: - apiGroups: [] apiVersions: [v1] operations: [CREATE, UPDATE] resources: [pods] clientConfig: service: name: image-validator namespace: kube-system5.3 私有镜像仓库配置kubectl create secret docker-registry regcred \ --docker-serverregistry.example.com \ --docker-usernameuser \ --docker-passwordpassword \ --docker-emailuserexample.com六、访问控制加固6.1 RBAC最佳实践apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: read-only-cluster rules: - apiGroups: [] resources: [nodes, services, pods] verbs: [get, list, watch] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: read-only-binding subjects: - kind: User name: readonly-user apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: read-only-cluster apiGroup: rbac.authorization.k8s.io6.2 服务账户最小权限apiVersion: v1 kind: ServiceAccount metadata: name: minimal-sa namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: minimal-role namespace: default rules: - apiGroups: [] resources: [configmaps] verbs: [get, watch, list]七、运行时安全7.1 容器运行时保护apiVersion: node.k8s.io/v1 kind: RuntimeClass metadata: name: gvisor handler: runsc7.2 安全上下文配置apiVersion: v1 kind: Pod metadata: name: security-context-pod spec: securityContext: runAsNonRoot: true runAsUser: 1000 fsGroup: 2000 seccompProfile: type: RuntimeDefault containers: - name: app image: my-app:latest securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: drop: - ALL add: - NET_BIND_SERVICE八、安全监控与审计8.1 安全事件监控apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: security-monitor namespace: monitoring spec: selector: matchLabels: app: security-exporter endpoints: - port: metrics interval: 30s8.2 审计日志配置apiVersion: v1 kind: ConfigMap metadata: name: audit-config namespace: kube-system data: audit.yaml: | apiVersion: audit.k8s.io/v1 kind: Policy rules: - level: RequestResponse resources: - group: resources: [pods, services, secrets] - level: Metadata resources: - group: rbac.authorization.k8s.io resources: [roles, rolebindings]九、安全扫描与漏洞检测9.1 镜像漏洞扫描apiVersion: batch/v1 kind: CronJob metadata: name: image-scan spec: schedule: 0 3 * * * jobTemplate: spec: template: spec: containers: - name: trivy image: aquasec/trivy:latest command: - /bin/sh - -c - trivy image --severity HIGH,CRITICAL registry.example.com/my-app:latest restartPolicy: OnFailure9.2 配置合规检查apiVersion: batch/v1 kind: Job metadata: name: kube-bench spec: template: spec: containers: - name: kube-bench image: aquasec/kube-bench:latest command: - kube-bench - run volumeMounts: - name: var-lib-kubelet mountPath: /var/lib/kubelet - name: etc-systemd mountPath: /etc/systemd volumes: - name: var-lib-kubelet hostPath: path: /var/lib/kubelet - name: etc-systemd hostPath: path: /etc/systemd restartPolicy: OnFailure十、总结Kubernetes安全加固需要从多个维度进行网络安全配置NetworkPolicy隔离Pod通信Pod安全使用安全上下文限制容器权限数据安全妥善管理Secret和敏感数据访问控制实施RBAC最小权限原则镜像安全验证镜像来源和完整性运行时安全使用seccomp和AppArmor限制系统调用监控审计配置安全事件监控和审计日志建议定期进行安全审计和漏洞扫描持续改进安全配置。参考资料Kubernetes安全文档Pod安全标准NetworkPolicy文档