Cloud-Native Security and Compliance in Practice: A Complete Approach from Container Security to Data Protection

Published: 2026/5/28 2:03:49

Hello everyone, I'm Di Ge. Security in a cloud-native environment is more complex than in a traditional architecture: container escape, vulnerable images, leaked configuration and data protection each need a systematic solution rather than a point fix. From image scanning to runtime protection, and from Secrets management to compliance auditing, we built a complete cloud-native security stack. Today I'll walk through the practices behind it.

Security architecture overview

```
┌────────────────────────────────────────────────────────────────┐
│                  Cloud-native security stack                   │
├────────────────────────────────────────────────────────────────┤
│  ┌──────────────┐  ┌─────────────────┐  ┌──────────────┐       │
│  │ Image        │  │ Runtime         │  │ Data         │       │
│  │ Trivy/Clair  │  │ Falco/Gatekeeper│  │ Encrypt/mask │       │
│  └──────────────┘  └─────────────────┘  └──────────────┘       │
│         │                   │                   │              │
│         ▼                   ▼                   ▼              │
│  ┌──────────────┐  ┌─────────────────┐  ┌──────────────┐       │
│  │ Secrets      │  │ Network         │  │ Compliance   │       │
│  │ Vault/KMS    │  │ NetworkPolicy   │  │ OPA/Audit    │       │
│  └──────────────┘  └─────────────────┘  └──────────────┘       │
└────────────────────────────────────────────────────────────────┘
```

Image security

Trivy scan configuration

Trivy reads its settings from a trivy.yaml file, or from whatever path is passed with --config, so the file is kept in a ConfigMap and mounted into the scanner job. In that file severity is a top-level key and the scanners to run are listed under scan.scanners:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: trivy-config
data:
  config.yaml: |            # mount this file and run: trivy --config /path/config.yaml ...
    severity:
      - CRITICAL
      - HIGH
    scan:
      scanners:
        - vuln              # package vulnerabilities
        - secret            # credentials baked into layers or source
```

Scan commands

```bash
# Scan an image; --exit-code 1 fails the pipeline step when HIGH/CRITICAL findings exist
trivy image --severity HIGH,CRITICAL --exit-code 1 registry.example.com/order-service:v1

# Scan a filesystem tree (a checked-out repo or an unpacked root filesystem)
trivy filesystem --severity HIGH,CRITICAL /app

# Full JSON report for archiving or downstream processing
trivy image --format json --output report.json registry.example.com/order-service:v1
```

Without --exit-code the scan only reports; with it the build step fails, which is what "reject images with HIGH or CRITICAL findings" in the checklist below actually requires.

Runtime security

Falco rule

The rule watches for files under /etc being opened for writing by anything other than the processes expected to manage that tree. Falco does not collect write() events by default, so the condition is written against the open syscalls and the open-for-write flag rather than against write itself:

```yaml
- rule: Write below etc
  desc: An attempt to write to a file below /etc
  condition: >
    evt.type in (open, openat, openat2) and evt.is_open_write=true
    and fd.name startswith /etc/
    and not proc.name in (systemd, docker, kubelet)
  output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"
  priority: WARNING
```

Gatekeeper policy

This constraint requires every Namespace to carry an owner label whose value matches the regex. It depends on the K8sRequiredLabels ConstraintTemplate from the gatekeeper-library being installed first; the constraint alone does nothing.

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: ns-must-have-owner
spec:
  match:
    kinds:
      - apiGroups: [""]           # the core API group, where Namespace lives
        kinds: ["Namespace"]
  parameters:
    labels:
      - key: owner
        allowedRegex: "^[a-z]+$"  # one or more lowercase letters
```

Secrets management

HashiCorp Vault

The manifest below runs Vault in dev mode. That is enough to try the integration, but dev mode keeps everything in memory, starts unsealed and prints a root token, so it must never hold real secrets; a production deployment needs a persistent storage backend, TLS and an unseal mechanism.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: vault
spec:
  selector:
    app: vault
  ports:
    - port: 8200
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vault
spec:
  replicas: 1
  selector:
    matchLabels:
      app: vault
  template:
    metadata:
      labels:
        app: vault                # must match spec.selector or the Deployment is rejected
    spec:
      containers:
        - name: vault
          image: hashicorp/vault:1.13.0
          args:
            - server
            - -dev                # in-memory, unsealed, root token printed: lab use only
            - -dev-listen-address=0.0.0.0:8200   # dev mode binds 127.0.0.1 by default
          ports:
            - containerPort: 8200
```

Kubernetes Secrets

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: db-secret
type: Opaque
data:                             # base64-encoded, not encrypted
  username: dXNlcm5hbWU=          # "username"
  password: cGFzc3dvcmQ=          # "password"
---
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  containers:
    - name: app
      image: myapp:v1
      env:
        - name: DB_USERNAME
          valueFrom:
            secretKeyRef:
              name: db-secret
              key: username
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-secret
              key: password
```

The values under data are base64-encoded, not encrypted: anyone with get or list on Secrets in that namespace reads them directly. Pair this with encryption at rest on the API server and tight RBAC, or have the application fetch its credentials from Vault instead.

Data security

Transport encryption

TLS terminates at the Ingress; the certificate and key come from the tls-secret Secret referenced in spec.tls. The hop from the ingress controller to the pod is still plain HTTP on port 80 inside the cluster; a service mesh with mTLS closes that hop if it matters.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: secure-ingress
spec:
  tls:
    - hosts:
        - example.com
      secretName: tls-secret
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-service
                port:
                  number: 80
```

Storage encryption

The PVC only selects a StorageClass named encrypted; that StorageClass has to exist and carry the provisioner's encryption parameters (for example a KMS key) for the volume to actually be encrypted:

```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: encrypted-pvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
  storageClassName: encrypted
```

Compliance auditing

OPA policy

```rego
package kubernetes.admission

# Denies Pods whose pod-level securityContext does not set runAsNonRoot: true.
# A container-level securityContext overrides the pod-level one, so a complete
# policy also inspects spec.containers[] and spec.initContainers[].
deny[msg] {
  input.request.kind.kind == "Pod"
  not input.request.object.spec.securityContext.runAsNonRoot == true
  msg := "Pods must run as non-root user"
}
```

Audit log configuration

kube-apiserver loads the policy from the path given in --audit-policy-file; the ConfigMap is just where the file is kept. Rules are evaluated in order and the first match wins. Secrets are logged at Metadata level only: RequestResponse would copy the secret payload into the audit log.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: audit-policy
data:
  audit-policy.yaml: |
    apiVersion: audit.k8s.io/v1
    kind: Policy
    rules:
      # Metadata records who touched which Secret without recording its contents
      - level: Metadata
        resources:
          - group: ""
            resources: ["secrets"]
```

Best practices checklist

| Area | Best practice |
|------|---------------|
| Image security | Scan on every build and reject images with HIGH or CRITICAL findings |
| Runtime security | Deploy Falco and alert on anomalous behaviour |
| Secrets | Keep sensitive data in Vault; never hardcode credentials |
| Network security | Apply NetworkPolicy to restrict pod-to-pod traffic |
| Compliance | Audit regularly to stay aligned with industry standards |

Speaking of security, my husky, whose name is Docker, has recently picked up some protective habits of his own: he hides his treats under the sofa and covers them with a paw. His sense of confidentiality beats our Vault's. I'm Di Ge; thank you all for following along. This series of articles ends here.
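The image-security section ends with a JSON report written to report.json and the checklist asks that images with HIGH or CRITICAL findings be rejected. The script below is an added example (not from the original post or the Trivy project) of the gate that connects the two: it reads a report in the shape Trivy emits, blocks on vulnerabilities at or above a severity threshold and on any secret finding, and optionally skips findings that have no fixed version yet. The report is constructed inline and its CVE identifiers are placeholders, not real advisories.

```python
"""CI gate over a Trivy JSON report (added example with constructed sample data).

Equivalent in effect to `trivy image --severity HIGH,CRITICAL --exit-code 1`,
but as a post-processing step: the decision is explicit, the reasons are
printed, and the unfixed-vulnerability exception is a conscious choice.
"""
import json

# Trivy severity labels, ordered so they can be compared against a threshold
SEVERITY_ORDER = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed report in the shape Trivy emits (Results[].Vulnerabilities[] for
# package findings, Results[].Secrets[] for the secret scanner). The CVE ids
# are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.com/order-service:v1",
    "Results": [
        {
            "Target": "registry.example.com/order-service:v1 (debian 12.5)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3",
                 "InstalledVersion": "3.0.11-1", "FixedVersion": "3.0.13-1",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libc6",
                 "InstalledVersion": "2.36-9", "FixedVersion": "",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "bash",
                 "InstalledVersion": "5.2.15-2", "FixedVersion": "5.2.15-3",
                 "Severity": "LOW"},
            ],
        },
        {
            "Target": "app/config.py",
            "Class": "secret",
            "Secrets": [
                {"RuleID": "aws-access-key-id", "Category": "AWS",
                 "Severity": "CRITICAL", "Title": "AWS Access Key ID",
                 "StartLine": 12},
            ],
        },
    ],
})


def evaluate(report_json, min_severity="HIGH", ignore_unfixed=False):
    """Return (passed, reasons) for a Trivy JSON report.

    A vulnerability blocks when its severity is at or above min_severity;
    with ignore_unfixed=True, findings with no FixedVersion are skipped
    (there is nothing to upgrade to yet). Any secret finding always blocks:
    a credential baked into an image has to be rotated, not patched.
    """
    report = json.loads(report_json)
    threshold = SEVERITY_ORDER[min_severity]
    reasons = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if SEVERITY_ORDER.get(v.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            if ignore_unfixed and not v.get("FixedVersion"):
                continue
            reasons.append(
                f"{v['Severity']} {v['VulnerabilityID']} in {v['PkgName']} "
                f"{v['InstalledVersion']} (fixed: {v.get('FixedVersion') or 'none'})")
        for s in result.get("Secrets") or []:
            reasons.append(
                f"SECRET {s['RuleID']} in {result['Target']}:{s.get('StartLine', '?')}")
    return not reasons, reasons


if __name__ == "__main__":
    passed, reasons = evaluate(SAMPLE_REPORT)
    for reason in reasons:
        print("BLOCK:", reason)
    print("image", "accepted" if passed else "rejected")
    raise SystemExit(0 if passed else 1)
```

On the sample report the gate rejects the image for the HIGH libssl3 finding, the unfixed CRITICAL libc6 finding and the AWS key in app/config.py; with ignore_unfixed=True the libc6 finding drops out but the image is still rejected, because the secret finding never has a "fixed version".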
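To see what the "Write below etc" rule in the runtime-security section does and does not catch, the following added example re-implements its condition and output formatting in plain Python and runs it over constructed syscall events (this is illustration code, not Falco's engine or rule syntax). The events cover the cases a practitioner checks before trusting a rule: a genuine write, an allowlisted writer, a read-only open, a path-prefix near miss, a bare write() call, and a binary renamed to one of the allowlisted names.

```python
"""Runs the logic of the 'Write below etc' Falco rule above over constructed
syscall events (added example; a plain re-implementation for illustration,
not Falco's engine or its rule syntax).
"""
import re

OPEN_SYSCALLS = {"open", "openat", "openat2"}
ALLOWED_WRITERS = {"systemd", "docker", "kubelet"}   # the rule's proc.name exclusions
OUTPUT_TEMPLATE = ("File below /etc opened for writing "
                   "(user=%user.name command=%proc.cmdline file=%fd.name)")

# Constructed events carrying the Falco fields the rule references.
SAMPLE_EVENTS = [
    # 0: a shell appending to /etc/passwd: should alert
    {"evt.type": "openat", "evt.is_open_write": True, "fd.name": "/etc/passwd",
     "proc.name": "bash", "proc.cmdline": "bash -c echo x>>/etc/passwd", "user.name": "root"},
    # 1: systemd rewriting resolv.conf: excluded by the allowlist
    {"evt.type": "openat", "evt.is_open_write": True, "fd.name": "/etc/resolv.conf",
     "proc.name": "systemd", "proc.cmdline": "/lib/systemd/systemd", "user.name": "root"},
    # 2: read-only open: not a write
    {"evt.type": "openat", "evt.is_open_write": False, "fd.name": "/etc/hosts",
     "proc.name": "curl", "proc.cmdline": "curl http://example.com", "user.name": "app"},
    # 3: prefix trap: /etcetera is not below /etc/
    {"evt.type": "openat", "evt.is_open_write": True, "fd.name": "/etcetera/notes",
     "proc.name": "vim", "proc.cmdline": "vim notes", "user.name": "app"},
    # 4: the write() call itself: not one of the open syscalls the rule watches
    {"evt.type": "write", "evt.is_open_write": False, "fd.name": "/etc/shadow",
     "proc.name": "bash", "proc.cmdline": "bash", "user.name": "root"},
    # 5: attacker binary renamed to 'kubelet': slips through a name-based allowlist
    {"evt.type": "openat", "evt.is_open_write": True, "fd.name": "/etc/passwd",
     "proc.name": "kubelet", "proc.cmdline": "/tmp/kubelet", "user.name": "root"},
]


def matches(evt):
    """The rule's condition: an open-for-write below /etc/ by a non-allowlisted process."""
    return (evt["evt.type"] in OPEN_SYSCALLS
            and evt.get("evt.is_open_write") is True
            and evt["fd.name"].startswith("/etc/")
            and evt["proc.name"] not in ALLOWED_WRITERS)


def render(evt, template=OUTPUT_TEMPLATE):
    """Expand %field.name tokens the way a Falco output string is rendered."""
    return re.sub(r"%([a-z_]+\.[a-z_]+)",
                  lambda m: str(evt.get(m.group(1), "<NA>")), template)


def run_rule(events):
    """Return the rendered alert for every event the rule fires on."""
    return [render(e) for e in events if matches(e)]


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print("WARNING", alert)
```

Only event 0 produces an alert. Event 5 is the one to think about: proc.name is just the executable's file name, which the attacker chooses, so a name-based exclusion is a bypass waiting to happen; tightening the exclusion on proc.exepath (the resolved binary path) or on the container image is the usual fix.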
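The OPA policy in the compliance section checks runAsNonRoot at the pod level only. The added example below models both that check and a per-container version in plain Python (so it runs stand-alone; it is not Rego and not OPA's evaluator) and feeds them constructed AdmissionReview objects, to show the two ways the pod-level-only check gets it wrong: it misses a container that overrides the pod setting back to root, and it rejects a valid pod that sets the field on every container instead of at the pod level.

```python
"""Models the runAsNonRoot admission check from the OPA section, with the
container-level override the pod-level Rego rule above does not consider
(added example in plain Python so it runs stand-alone; not Rego and not OPA's
evaluator; the AdmissionReview objects are constructed).
"""


def make_review(containers, init_containers=(), pod_security_context=None, kind="Pod"):
    """Build a minimal AdmissionReview dict like the one OPA receives as `input`."""
    spec = {"containers": list(containers), "initContainers": list(init_containers)}
    if pod_security_context is not None:
        spec["securityContext"] = pod_security_context
    return {"request": {"kind": {"kind": kind}, "object": {"spec": spec}}}


def effective_run_as_non_root(pod_spec, container):
    """A container's securityContext overrides the pod's; an unset container
    field inherits the pod-level value; both unset means nothing is enforced."""
    csc = container.get("securityContext") or {}
    if "runAsNonRoot" in csc:
        return csc["runAsNonRoot"]
    return (pod_spec.get("securityContext") or {}).get("runAsNonRoot")


def pod_level_only(review):
    """The check as the Rego rule above expresses it: pod-level field only."""
    req = review["request"]
    if req["kind"]["kind"] != "Pod":
        return []
    psc = req["object"]["spec"].get("securityContext") or {}
    return [] if psc.get("runAsNonRoot") is True else ["Pods must run as non-root user"]


def per_container(review):
    """Deny unless every container and init container effectively runs as non-root."""
    req = review["request"]
    if req["kind"]["kind"] != "Pod":
        return []
    spec = req["object"]["spec"]
    reasons = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if effective_run_as_non_root(spec, c) is not True:
            reasons.append(f"container {c['name']} must run as non-root")
    return reasons


# Constructed cases
CASES = {
    # pod-level true, no overrides: both checks allow
    "inherit": make_review([{"name": "app"}], pod_security_context={"runAsNonRoot": True}),
    # pod-level true but one container opts back into root: pod-level check misses it
    "override": make_review(
        [{"name": "app"}, {"name": "sidecar", "securityContext": {"runAsNonRoot": False}}],
        pod_security_context={"runAsNonRoot": True}),
    # an init container left unset while the main container is fine
    "init": make_review([{"name": "app", "securityContext": {"runAsNonRoot": True}}],
                        init_containers=[{"name": "migrate"}]),
    # every container sets it, pod level unset: pod-level check rejects a valid pod
    "container_only": make_review(
        [{"name": "app", "securityContext": {"runAsNonRoot": True}}]),
}


if __name__ == "__main__":
    for name, review in CASES.items():
        print(f"{name:15} pod-level: {pod_level_only(review) or 'allow'} "
              f"| per-container: {per_container(review) or 'allow'}")
```

The Rego equivalent of per_container walks input.request.object.spec.containers and initContainers and applies the same precedence (container field if present, otherwise the pod field); the point of the Python is that the precedence rule, not the policy language, is what decides whether a sidecar running as root gets through.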
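The audit-policy section says rules are matched in order and that Secrets should be logged at Metadata level. The added example below is a simplified re-implementation of that first-match evaluation (not the apiserver's code; the policy, the extra rules and the requests are all constructed) so the two claims can be checked: the secrets rule must come before any broader rule that logs request bodies, or a create on a Secret gets its payload written to the audit log.

```python
"""Evaluates an audit Policy the way kube-apiserver does, rules in order and
first match wins, to show why the secrets rule sits at Metadata level and
near the top (added example; a simplified re-implementation, not the
apiserver's code; the policy and requests are constructed).
"""

# The rule from audit-policy.yaml above, followed by rules a real policy
# usually adds (noise suppression, bodies for writes, a catch-all).
POLICY = [
    {"level": "Metadata", "resources": [{"group": "", "resources": ["secrets"]}]},
    {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"],
     "resources": [{"group": "", "resources": ["endpoints", "services"]}]},
    {"level": "RequestResponse", "verbs": ["create", "update", "patch", "delete"]},
    {"level": "Metadata"},
]

# Same rules with the secrets rule moved below the write rule: the first match
# for a Secret write is now RequestResponse and the payload lands in the log.
POLICY_WRONG_ORDER = [POLICY[1], POLICY[2], POLICY[0], POLICY[3]]


def rule_matches(rule, req):
    """Every selector present on the rule must match; an absent selector matches anything."""
    if "users" in rule and req.get("user") not in rule["users"]:
        return False
    if "verbs" in rule and req.get("verb") not in rule["verbs"]:
        return False
    if "namespaces" in rule and req.get("namespace") not in rule["namespaces"]:
        return False
    if "resources" in rule:
        if "resource" not in req:          # resource rules never match non-resource URLs
            return False
        if not any(r.get("group", "") == req.get("group", "")
                   and ("resources" not in r or req["resource"] in r["resources"])
                   for r in rule["resources"]):
            return False
    return True


def audit_level(policy, req):
    """First matching rule sets the level; with no match the event is dropped (None)."""
    for rule in policy:
        if rule_matches(rule, req):
            return rule["level"]
    return "None"


# Constructed requests, reduced to the attributes the policy selects on
GET_SECRET = {"user": "alice", "verb": "get", "group": "", "resource": "secrets",
              "namespace": "prod"}
CREATE_SECRET = {"user": "ci", "verb": "create", "group": "", "resource": "secrets",
                 "namespace": "prod"}
PATCH_DEPLOY = {"user": "ci", "verb": "patch", "group": "apps", "resource": "deployments",
                "namespace": "prod"}
PROXY_WATCH = {"user": "system:kube-proxy", "verb": "watch", "group": "",
               "resource": "endpoints"}
HEALTHZ = {"user": "alice", "verb": "get", "nonResourceURL": "/healthz"}

if __name__ == "__main__":
    for name, req in [("get secret", GET_SECRET), ("create secret", CREATE_SECRET),
                      ("patch deployment", PATCH_DEPLOY), ("proxy watch", PROXY_WATCH),
                      ("GET /healthz", HEALTHZ)]:
        print(f"{name:17} ordered: {audit_level(POLICY, req):16} "
              f"wrong order: {audit_level(POLICY_WRONG_ORDER, req)}")
```

With the secrets rule first, both the get and the create on a Secret log at Metadata while the Deployment patch still gets its full body; with the order swapped, the Secret create is logged at RequestResponse. Real policies also carry resourceNames, nonResourceURLs and omitStages selectors, which this simplified matcher leaves out.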
