
# Kubernetes Security Hardening Best Practices

## Introduction

As Kubernetes is adopted widely in enterprise production environments, its security matters more and more. A Kubernetes cluster faces many kinds of threats, including container vulnerabilities, network attacks and abuse of privileges. This article walks through how to harden a Kubernetes cluster across all of these dimensions.

## 1. Cluster security architecture

### 1.1 Security boundary design

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress: []
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-to-dns
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
```

Both policies are namespaced and select every pod in their namespace. Because the second one lists only `Egress` in `policyTypes`, applying it denies all egress from that namespace except DNS queries to kube-dns.

### 1.2 Multi-tenant isolation

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: tenant-a
  labels:
    tenant: tenant-a
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: tenant-a-quota
  namespace: tenant-a
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
    pods: "20"
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tenant-a-isolation
  namespace: tenant-a
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          tenant: tenant-a
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          tenant: tenant-a
```

NetworkPolicies are additive (traffic is allowed if any policy allows it), so a tenant namespace that also needs name resolution must additionally carry the `allow-egress-to-dns` policy from 1.1; on its own, `tenant-a-isolation` blocks DNS to kube-system.

## 2. Pod security configuration

### 2.1 Pod Security Policy

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
  - ALL
  volumes:
  - configMap
  - emptyDir
  - projected
  - secret
  - downwardAPI
  - persistentVolumeClaim
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: MustRunAsNonRoot
  runAsGroup:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 65535
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 65535
```

PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25. On current clusters the same controls are enforced through Pod Security Admission (the `pod-security.kubernetes.io/enforce: restricted` namespace label) or a validating admission webhook.

### 2.2 Security context configuration

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 2000
    fsGroup: 3000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: my-app:latest
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      capabilities:
        drop:
        - ALL
```
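The checks that sections 2.1 and 2.2 describe, written out as a small validator over parsed Pod manifests. This is an added example, not code from the original article and not the PodSecurity admission plugin; manifests are embedded as Python dicts (the parsed form of the YAML), so it runs offline without PyYAML.

```python
# Added example, not from the original article: apply the controls of sections
# 2.1 and 2.2 (no host namespaces, no privilege escalation, non-root, all
# capabilities dropped, seccomp enabled, volume-type allow-list) to a parsed Pod.

ALLOWED_VOLUMES = {"configMap", "emptyDir", "projected", "secret",
                   "downwardAPI", "persistentVolumeClaim"}

def check_pod(pod):
    """Return violations of the restricted profile; an empty list means compliant."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    out = []
    for flag in ("hostNetwork", "hostIPC", "hostPID"):
        if spec.get(flag):
            out.append(f"pod: {flag} must be false")
    if pod_sc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
        out.append("pod: seccompProfile.type must be RuntimeDefault or Localhost")
    for vol in spec.get("volumes", []):
        kinds = [k for k in vol if k != "name"]  # the key besides "name" is the volume type
        if any(k not in ALLOWED_VOLUMES for k in kinds):
            out.append(f"volume {vol.get('name')}: type {kinds} is not allowed")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc, name = c.get("securityContext", {}), c.get("name", "?")
        if sc.get("privileged"):
            out.append(f"{name}: privileged must be false")
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f"{name}: allowPrivilegeEscalation must be explicitly false")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):  # may be inherited
            out.append(f"{name}: runAsNonRoot must be true")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            out.append(f"{name}: capabilities.drop must include ALL")
        if not sc.get("readOnlyRootFilesystem"):
            out.append(f"{name}: readOnlyRootFilesystem should be true")
    return out

# Constructed samples: the article's secure-pod, and a debug pod that breaks the rules.
SECURE_POD = {"kind": "Pod", "metadata": {"name": "secure-pod"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "my-app:1.0", "securityContext": {
        "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
        "runAsNonRoot": True, "capabilities": {"drop": ["ALL"]}}}]}}
RISKY_POD = {"kind": "Pod", "metadata": {"name": "debug"}, "spec": {
    "hostPID": True, "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "shell", "image": "busybox",
                    "securityContext": {"privileged": True}}]}}

if __name__ == "__main__":
    print("secure-pod:", check_pod(SECURE_POD) or "compliant")
    print("\n".join("debug: " + v for v in check_pod(RISKY_POD)))
```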
## 3. RBAC permission management

### 3.1 Principle of least privilege

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-developer
  namespace: my-app
rules:
- apiGroups: [""]
  resources: ["pods", "services", "configmaps", "secrets"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-developer-binding
  namespace: my-app
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: app-developer
subjects:
- kind: User
  name: developer@example.com
  apiGroup: rbac.authorization.k8s.io
```

Note that this Role still grants `list` and `watch` on secrets, which return every secret in the namespace in one call; where developers only need particular secrets, `get` on named objects via `resourceNames` is tighter.

### 3.2 Service account management

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  namespace: my-app
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-sa-binding
  namespace: my-app
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: minimal-permissions   # this Role is assumed to be defined separately
subjects:
- kind: ServiceAccount
  name: app-sa
  namespace: my-app
```

## 4. Secrets management

### 4.1 Integrating an external secrets store

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-keyvault
spec:
  provider: azure
  parameters:
    keyvaultName: my-keyvault
    objects: |
      array:
        - |
          objectName: db-password
          objectType: secret
          objectVersion: ""
        - |
          objectName: api-cert
          objectType: certificate
          objectVersion: ""
  secretObjects:
  - secretName: app-secrets
    type: Opaque
    data:
    - key: password
      objectName: db-password
    - key: tls.crt
      objectName: api-cert
    - key: tls.key
      objectName: api-cert
```

### 4.2 Secret rotation policy

```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: secret-rotation
spec:
  schedule: "0 0 * * 0"
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: rotation-sa
          containers:
          - name: rotation
            image: vault:latest
            # rotation command as given in the article; adapt it to the call your secrets backend provides
            command: ["vault", "write", "-f", "secret/data/my-app/db-password", "-rotate"]
            env:
            - name: VAULT_ADDR
              value: https://vault.example.com:8200
            - name: VAULT_TOKEN
              valueFrom:
                secretKeyRef:
                  name: vault-token
                  key: token
          restartPolicy: OnFailure
```
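A periodic permission audit of the kind section 3 calls for, as an added example that is not part of the original article: it reviews Role/ClusterRole rules for wildcards and sensitive resources and flags ServiceAccounts that still auto-mount their token. Manifests are embedded as dicts; note that the article's own `app-developer` Role is flagged for `list` on secrets.

```python
# Added example, not from the original article: flag over-broad RBAC grants and
# token auto-mounting, the recurring review behind the least-privilege rule.

SENSITIVE = {"secrets", "serviceaccounts/token", "pods/exec", "nodes/proxy"}

def review_role(role):
    """Return findings for one Role/ClusterRole: wildcards and sensitive resources."""
    name = role["metadata"]["name"]
    findings = []
    for rule in role.get("rules", []):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        if "*" in groups or "*" in resources or "*" in verbs:
            findings.append(f"{name}: wildcard grant apiGroups={groups} resources={resources} verbs={verbs}")
        for res in SENSITIVE & set(resources):
            # list/watch return every object of that type in scope, not just named ones
            if {"list", "watch", "*"} & set(verbs):
                findings.append(f"{name}: list/watch on {res} exposes all objects of that type")
            elif {"create", "update", "patch", "delete"} & set(verbs):
                findings.append(f"{name}: write access to {res}")
    return findings

def review_service_account(sa):
    """Flag ServiceAccounts whose token is mounted into every pod that uses them."""
    if sa.get("automountServiceAccountToken", True):  # the API default is true
        return [f"{sa['metadata']['name']}: automountServiceAccountToken is not false"]
    return []

# Constructed samples: the article's app-developer Role, a wildcard ClusterRole, two SAs.
APP_DEVELOPER = {"kind": "Role", "metadata": {"name": "app-developer", "namespace": "my-app"},
    "rules": [{"apiGroups": [""], "resources": ["pods", "services", "configmaps", "secrets"],
               "verbs": ["get", "list", "watch", "create", "update", "delete"]},
              {"apiGroups": ["apps"], "resources": ["deployments", "replicasets"],
               "verbs": ["get", "list", "watch", "create", "update", "delete"]}]}
DEBUG_ROLE = {"kind": "ClusterRole", "metadata": {"name": "debug-all"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
APP_SA = {"kind": "ServiceAccount", "metadata": {"name": "app-sa", "namespace": "my-app"},
          "automountServiceAccountToken": False}
DEFAULT_SA = {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "my-app"}}

if __name__ == "__main__":
    for obj in (APP_DEVELOPER, DEBUG_ROLE):
        for finding in review_role(obj):
            print(finding)
    for sa in (APP_SA, DEFAULT_SA):
        print(review_service_account(sa) or f"{sa['metadata']['name']}: ok")
```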
## 5. Image security

### 5.1 Registry authentication

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: regcred
  namespace: my-app
type: kubernetes.io/dockerconfigjson
data:
  # value truncated in the original; it is the base64 encoding of a docker config.json
  .dockerconfigjson: eyJhdXRocyI6eyJodHRwczovL2luZGV4LmRvY2tlci5pby92MS8iOnsiYXV0aG9yaXpl
```

### 5.2 Image scanning integration

```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: image-scan
spec:
  template:
    spec:
      containers:
      - name: trivy
        image: aquasec/trivy:latest
        # a non-zero exit on HIGH/CRITICAL findings fails the Job, so it can gate a pipeline
        command: ["trivy", "image", "--severity", "HIGH,CRITICAL", "--exit-code", "1", "my-app:latest"]
        volumeMounts:
        - name: cache
          mountPath: /root/.cache
      restartPolicy: Never
      volumes:
      - name: cache
        emptyDir: {}
```

## 6. Runtime security

### 6.1 seccomp configuration

```yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: runtime/default
  name: secure-pod
spec:
  containers:
  - name: app
    image: my-app:latest
```

The seccomp annotation has been deprecated since Kubernetes 1.19 and is no longer honored on current releases; set `securityContext.seccompProfile.type: RuntimeDefault` as in section 2.2 instead.

### 6.2 AppArmor configuration

```yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.apparmor.security.beta.kubernetes.io/app: runtime/default
  name: secure-pod
spec:
  containers:
  - name: app
    image: my-app:latest
```

Newer releases (1.30 and later) also provide a `securityContext.appArmorProfile` field for the same purpose.

## 7. Audit and monitoring

### 7.1 Audit log configuration

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: audit-config
data:
  audit.yaml: |
    apiVersion: audit.k8s.io/v1
    kind: Policy
    rules:
    # RequestResponse writes the full object, i.e. secret bodies, into the audit log
    - level: RequestResponse
      resources:
      - group: ""
        resources: ["secrets", "configmaps"]
    - level: Request
      resources:
      - group: ""
        resources: ["pods", "services"]
      - group: "apps"
        resources: ["deployments"]
    - level: None
      resources:
      - group: ""
        resources: ["events"]
```

Be aware that logging secrets at `RequestResponse` level copies their contents into the audit log; the upstream recommendation is to log secrets, configmaps and tokenreviews at `Metadata` level only. Deployments live in the `apps` API group, so they need their own entry rather than sharing the core-group (`""`) rule.

### 7.2 Security event monitoring

```yaml
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: security-alerts
spec:
  groups:
  - name: security.rules
    rules:
    - alert: UnauthorizedAccessAttempt
      # the kube-apiserver exposes this counter as apiserver_request_total
      expr: |
        sum(rate(apiserver_request_total{verb="get",resource="secrets",code!~"2.*"}[5m])) > 5
      for: 5m
      labels:
        severity: critical
      annotations:
        summary: High number of secret access denials
    - alert: PrivilegedPodCreated
      # the annotation-derived label below is not exported by kube-state-metrics by default
      expr: |
        sum(kube_pod_owner{owner_kind="Deployment",pod_annotation_special_pod_security_admission_kubernetes_io_level="privileged"}) > 0
      for: 1m
      labels:
        severity: warning
      annotations:
        summary: Privileged pod detected
```

## 8. Security compliance checks

### 8.1 kube-bench integration

```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: kube-bench
spec:
  schedule: "0 2 * * *"
  jobTemplate:
    spec:
      template:
        spec:
          hostPID: true
          containers:
          - name: kube-bench
            image: aquasec/kube-bench:latest
            command: ["kube-bench", "run", "--targets", "node"]
            volumeMounts:
            - name: var-lib-kubelet
              mountPath: /var/lib/kubelet
              readOnly: true
            - name: etc-kubernetes
              mountPath: /etc/kubernetes
              readOnly: true
          restartPolicy: Never
          volumes:
          - name: var-lib-kubelet
            hostPath:
              path: /var/lib/kubelet
          - name: etc-kubernetes
            hostPath:
              path: /etc/kubernetes
```
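The detection behind the `UnauthorizedAccessAttempt` alert in section 7.2, evaluated directly over kube-apiserver audit events rather than through Prometheus, as an added example that is not part of the original article. It assumes the audit log backend's `audit.k8s.io/v1` Event format (one JSON document per line); every event below is constructed, not real cluster output.

```python
# Added example, not from the original article: count denied secret reads per user
# over a sliding window of audit.k8s.io/v1 Event lines (constructed samples below).
import json
from collections import Counter
from datetime import datetime, timedelta

def event(user, code, ts, verb="get", resource="secrets"):
    """Build one audit Event line in the shape the apiserver log backend writes."""
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
                       "stage": "ResponseComplete", "verb": verb, "user": {"username": user},
                       "objectRef": {"resource": resource, "namespace": "my-app", "name": "app-secrets"},
                       "responseStatus": {"code": code}, "requestReceivedTimestamp": ts})

def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

SA = "system:serviceaccount:my-app:app-sa"
TS = "2024-05-01T10:{:02d}:{:02d}.000000Z"
AUDIT_LINES = "\n".join(
    [event(SA, 403, TS.format(0, 10 * i)) for i in range(6)]     # six denials within a minute
    + [event("admin@example.com", 200, TS.format(0, 30)),        # a permitted read
       event(SA, 403, "2024-05-01T09:40:00.000000Z"),            # outside the 5-minute window
       event(SA, 403, TS.format(1, 0), resource="configmaps")])  # denied, but not a secret

def denied_secret_reads(lines, window_minutes=5, threshold=5):
    """Users with >= threshold denied secret reads in the window ending at the newest event."""
    events = [json.loads(line) for line in lines.splitlines() if line.strip()]
    events = [e for e in events if e.get("stage") == "ResponseComplete"]  # one record per request
    newest = max(parse_ts(e["requestReceivedTimestamp"]) for e in events)
    start = newest - timedelta(minutes=window_minutes)
    hits = Counter()
    for e in events:
        if (parse_ts(e["requestReceivedTimestamp"]) >= start
                and e.get("verb") in ("get", "list", "watch")
                and e.get("objectRef", {}).get("resource") == "secrets"
                and e.get("responseStatus", {}).get("code") in (401, 403)):
            hits[e["user"]["username"]] += 1
    return {user: n for user, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    print(denied_secret_reads(AUDIT_LINES))
```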
### 8.2 CIS benchmark check

```bash
kube-bench run --targets master --json | jq '.Controls[].tests[].results[] | select(.status == "FAIL")'
```

In kube-bench's JSON output the individual checks sit under each control's `tests[].results[]`, so the filter has to descend to that level before selecting on `status`.

## 9. Summary of best practices

| Practice area | Key points |
|---|---|
| Network security | Use NetworkPolicy to isolate network traffic |
| Pod security | Configure security contexts; forbid privileged containers |
| RBAC management | Follow the principle of least privilege; audit permissions regularly |
| Secrets management | Use an external secrets store; rotate secrets regularly |
| Image security | Scan images for vulnerabilities; use a private registry |
| Runtime security | Enable seccomp and AppArmor |
| Audit and monitoring | Configure audit logging and security alerts |
| Compliance checks | Run security benchmark checks regularly |

## Conclusion

Kubernetes security is an ongoing process that has to be addressed from several directions at once. With sound security configuration and continuous security auditing, a secure and reliable Kubernetes cluster can be built. As cloud-native technology develops, security protection will become more intelligent and automated.
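A parser for the kube-bench JSON report that does what the `jq` one-liner in section 8.2 does, but also separates scored from unscored failures and keeps the remediation text. This is an added example, not code from the original article or from kube-bench; the report below is a constructed sample in kube-bench's output shape (`Controls` -> `tests` -> `results`), not a real scan.

```python
# Added example, not from the original article: extract failing CIS checks from
# kube-bench JSON. The report is a constructed sample in kube-bench's output shape.
import json

SAMPLE_REPORT = json.dumps({"Controls": [{
    "id": "1", "version": "cis-1.6", "text": "Master Node Security Configuration", "node_type": "master",
    "tests": [
        {"section": "1.1", "desc": "Master Node Configuration Files", "results": [
            {"test_number": "1.1.1", "test_desc": "API server pod spec file permissions are 644 or stricter",
             "status": "PASS", "scored": True, "remediation": ""},
            {"test_number": "1.1.12", "test_desc": "etcd data directory is owned by etcd:etcd",
             "status": "FAIL", "scored": True, "remediation": "chown etcd:etcd /var/lib/etcd"}]},
        {"section": "1.2", "desc": "API Server", "results": [
            {"test_number": "1.2.16", "test_desc": "--audit-log-path argument is set",
             "status": "FAIL", "scored": True, "remediation": "set --audit-log-path on kube-apiserver"},
            {"test_number": "1.2.20", "test_desc": "--request-timeout argument is set as appropriate",
             "status": "FAIL", "scored": False, "remediation": "set --request-timeout on kube-apiserver"}]}],
    "total_pass": 1, "total_fail": 3, "total_warn": 0, "total_info": 0}],
    "Totals": {"total_pass": 1, "total_fail": 3, "total_warn": 0, "total_info": 0}})

def failed_checks(report_json, scored_only=True):
    """Return FAIL results (scored ones by default) with id, node type, description, remediation."""
    report = json.loads(report_json)
    out = []
    for control in report.get("Controls", []):
        for group in control.get("tests", []):
            for check in group.get("results", []):
                if check.get("status") != "FAIL":
                    continue
                if scored_only and not check.get("scored", False):
                    continue  # unscored checks do not count against the benchmark score
                out.append({"id": check["test_number"], "node_type": control.get("node_type"),
                            "desc": check.get("test_desc", ""),
                            "remediation": check.get("remediation", "")})
    return out

if __name__ == "__main__":
    for f in failed_checks(SAMPLE_REPORT):
        print(f"{f['node_type']} {f['id']}: {f['desc']} -> {f['remediation']}")
```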