# Kubernetes Security Best Practices

## Introduction

As Kubernetes has been widely adopted by enterprises, security has become a focal point for operations teams. A Kubernetes cluster carries security risks at several layers, including container image security, network security, access control and data protection. This article walks through the core areas of Kubernetes security and the best practices for each, to help you build a secure and reliable container platform.

## Kubernetes Security Architecture

### Layered security model

```text
┌───────────────────────────────────────────────┐
│          Kubernetes Security Layers           │
├───────────────────────────────────────────────┤
│ Layer 7: Application security                 │
│   - code security scanning                    │
│   - runtime protection                        │
│   - API security                              │
│                      ▼                        │
│ Layer 6: Pod security                         │
│   - Pod Security Standards                    │
│   - SecurityContext                           │
│   - NetworkPolicy                             │
│                      ▼                        │
│ Layer 5: Cluster security                     │
│   - RBAC                                      │
│   - network isolation                         │
│   - audit logging                             │
│                      ▼                        │
│ Layer 4: Node security                        │
│   - OS hardening                              │
│   - container runtime security                │
│   - node access control                       │
│                      ▼                        │
│ Layer 3: Network security                     │
│   - network policies                          │
│   - encrypted transport                       │
│   - firewall rules                            │
│                      ▼                        │
│ Layer 2: Storage security                     │
│   - data encryption                           │
│   - key management                            │
│   - backup strategy                           │
│                      ▼                        │
│ Layer 1: Infrastructure security              │
│   - physical security                         │
│   - network perimeter                         │
│   - access control                            │
└───────────────────────────────────────────────┘
```

### Threat matrix

| Threat type | Risk level | Countermeasures |
|---|---|---|
| Container image vulnerabilities | High | Image scanning, signature verification |
| Privilege escalation | High | RBAC, Pod Security Standards |
| Network attacks | Medium | NetworkPolicy, encryption |
| Sensitive data leakage | High | Secret management, data encryption |
| Misconfiguration | Medium | Configuration audits, policy validation |
| Supply chain attacks | High | Registry security, SBOM |

## Pod Security Standards

### Pod Security Standards levels

```yaml
# Restricted level (the strictest)
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: example/app:v1.0.0
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
```

### Pod Security Admission configuration

```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1
    kind: PodSecurityConfiguration
    defaults:
      enforce: restricted
      enforce-version: latest
      audit: restricted
      audit-version: latest
      warn: restricted
      warn-version: latest
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces:
      - kube-system
```

### SecurityContext configuration

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    # user and group settings
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 2000
    fsGroup: 3000
    # SELinux settings
    seLinuxOptions:
      level: "s0:c123,c456"
    # seccomp settings
    seccompProfile:
      type: RuntimeDefault
    # Windows security options (only meaningful on Windows nodes; listed here
    # alongside the Linux fields for reference, a real Pod would use one or the other)
    windowsOptions:
      runAsUserName: "ContainerUser"
  containers:
  - name: app
    image: example/app:v1.0.0
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      privileged: false
      capabilities:
        drop:
        - ALL
        add:
        - NET_BIND_SERVICE
      runAsNonRoot: true
      runAsUser: 1000
```

## RBAC Permission Management

### Principle of least privilege

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-deployer
  namespace: default
rules:
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]   # "" is the core API group
  resources: ["pods", "services"]
  verbs: ["get", "list", "watch"]
```

### ServiceAccount configuration

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-service-account
  namespace: default
automountServiceAccountToken: false  # disable automatic token mounting
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-deployer-binding
  namespace: default
subjects:
- kind: ServiceAccount
  name: app-service-account
  namespace: default
roleRef:
  kind: Role
  name: app-deployer
  apiGroup: rbac.authorization.k8s.io
```

### Cluster-level permission control

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-admin-limited
# Note: wildcards on apiGroups, resources and verbs are equivalent to the built-in
# cluster-admin role; in practice narrow each rule to the groups, resources and verbs
# the subject actually needs.
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
- nonResourceURLs: ["*"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user-binding
subjects:
- kind: User
  name: admin@example.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin-limited
  apiGroup: rbac.authorization.k8s.io
```

## Secrets and Sensitive Data Management

### Secret configuration best practices

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
type: Opaque
data:
  username: YWRtaW4=      # base64-encoded
  password: cGFzc3dvcmQ=  # base64-encoded
---
apiVersion: v1
kind: Pod
metadata:
  name: app-pod
spec:
  containers:
  - name: app
    image: example/app:v1.0.0
    # Environment variables are convenient, but they show up in process listings
    # and crash dumps; the read-only file mount below is the safer of the two.
    env:
    - name: DB_USERNAME
      valueFrom:
        secretKeyRef:
          name: db-credentials
          key: username
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: db-credentials
          key: password
    volumeMounts:
    - name: secrets
      mountPath: /etc/secrets
      readOnly: true
  volumes:
  - name: secrets
    secret:
      secretName: db-credentials
      defaultMode: 0400  # owner read-only
```

### Using External Secrets

```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-secret
spec:
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: db-secret
    creationPolicy: Owner
  data:
  - secretKey: username
    remoteRef:
      key: secret/data/production/db
      property: username
  - secretKey: password
    remoteRef:
      key: secret/data/production/db
      property: password
```

### Encryption at rest configuration

```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
  - secrets
  - configmaps
  - persistentvolumeclaims
  # resources outside the core group are written as <resource>.<group>
  - customresourcedefinitions.apiextensions.k8s.io
  providers:
  # The first provider is used for writes. aescbc is shown here; secretbox or an
  # external KMS provider are the stronger choices for new clusters.
  - aescbc:
      keys:
      - name: key1
        secret: base64-encoded-secret-key  # replace with a base64-encoded 32-byte key
  # identity keeps objects that are still stored in plaintext readable until they are rewritten
  - identity: {}
```

## Network Security

### NetworkPolicy configuration

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-db-access
  namespace: backend
spec:
  podSelector:
    matchLabels:
      app: database
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: api-server
    ports:
    - protocol: TCP
      port: 3306
```

### Ingress security configuration

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: secure-ingress
  annotations:
    # annotation values must be strings
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/hsts: "true"
    nginx.ingress.kubernetes.io/hsts-max-age: "31536000"
    nginx.ingress.kubernetes.io/hsts-include-subdomains: "true"
    nginx.ingress.kubernetes.io/hsts-preload: "true"
    nginx.ingress.kubernetes.io/limit-rps: "100"
    nginx.ingress.kubernetes.io/limit-rpm: "1000"
spec:
  tls:
  - hosts:
    - api.example.com
    secretName: api-tls-secret
  rules:
  - host: api.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 80
```

### Network encryption configuration

```yaml
# Expose only the TLS port; TLS itself is terminated by the application on 8443.
apiVersion: v1
kind: Service
metadata:
  name: secure-service
spec:
  ports:
  - port: 443
    targetPort: 8443
    name: https
  selector:
    app: secure-app
```

## Image Security

### Image scanning configuration

```yaml
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ScanPolicy
metadata:
  name: strict-scan-policy
spec:
  regoFile: |
    package scanner

    default allow = false

    # a vulnerability is acceptable if its CVSS score is below 7.0 ...
    allow {
      vulnerability.cvss.score < 7.0
    }

    # ... or if its severity is rated low
    allow {
      vulnerability.severity == "low"
    }
```

### Image signature verification

```yaml
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: cosign-policy
spec:
  images:
  - glob: "registry.example.com/*"
  authorities:
  - key:
      data: |
        -----BEGIN PUBLIC KEY-----
        MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEXAMPLEKEY
        -----END PUBLIC KEY-----
```

### Registry access control

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: registry-credentials
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: base64-encoded-docker-config
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: image-puller
imagePullSecrets:
- name: registry-credentials
```

## Runtime Security

### seccomp configuration

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: seccomp-pod
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: example/app:v1.0.0
```

### AppArmor configuration

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: apparmor-pod
  annotations:
    # annotation form; newer clusters can set securityContext.appArmorProfile instead
    container.apparmor.security.beta.kubernetes.io/app: runtime/default
spec:
  containers:
  - name: app
    image: example/app:v1.0.0
```

### Runtime monitoring

```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: protect-secrets
spec:
  selector:
    matchLabels:
      app: sensitive-app
  process:
    matchPaths:
    - path: /bin/cat
      ownerOnly: true
  file:
    # directories use matchDirectories/dir in the KubeArmor schema
    matchDirectories:
    - dir: /etc/secrets/
      readOnly: true
      ownerOnly: true
```

## Audit Logging

### Audit policy configuration

```yaml
apiVersion: audit.k8s.io/v1
kind: Policy
# Rules are evaluated in order and the first match wins, so specific rules come first.
rules:
# Secret access by any user (no users filter means all users). RequestResponse writes
# the Secret body into the audit log; Metadata is the usual level for secrets.
- level: RequestResponse
  resources:
  - group: ""
    resources: ["secrets"]
# Drop noisy event objects
- level: None
  resources:
  - group: ""
    resources: ["events"]
# Catch-all: everything else at Metadata level
- level: Metadata
```

### Audit log collection

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: audit-policy
  namespace: kube-system
data:
  audit-policy.yaml: |
    apiVersion: audit.k8s.io/v1
    kind: Policy
    rules:
    - level: RequestResponse
      resources:
      - group: ""
        resources: ["secrets", "configmaps"]
```

## Security Compliance Checks

### kube-bench configuration

```bash
# run the security scan
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/master/job.yaml

# view the scan results
kubectl logs job/kube-bench

# export the report
kubectl logs job/kube-bench > security-report.txt
```

### CIS benchmark checks

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: cis-benchmarks
data:
  benchmark.yaml: |
    apiVersion: cis.security.k8s.io/v1
    kind: CISBenchmark
    spec:
      version: "1.23"
      checks:
      - name: "1.1.1"
        description: "Ensure that the API server --anonymous-auth is set to false"
        severity: critical
```

## Security Monitoring and Alerting

### Prometheus security metrics

```yaml
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: security-alerts
spec:
  groups:
  - name: security.rules
    rules:
    - alert: SecretAccessDenied
      # apiserver_request_total is the API server's request counter; this counts
      # non-2xx responses to Secret reads over the last 5 minutes
      expr: sum(rate(apiserver_request_total{verb="get",resource="secrets",code!~"2.."}[5m])) > 5
      for: 5m
      labels:
        severity: critical
      annotations:
        summary: "High number of secret access denials"
    - alert: PrivilegedPodCreated
      expr: sum(kube_pod_spec_securitycontext_privileged) > 0
      for: 1m
      labels:
        severity: warning
      annotations:
        summary: "Privileged pod detected"
```

### Falco rules

```yaml
- rule: Write below binary dir
  desc: An attempt to write to any file below a set of binary directories
  # open_write is Falco's built-in macro for opens with write intent
  condition: >
    open_write and fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
    and not proc.name in (dpkg, rpm, apt-get, yum)
  output: >
    File below binary directory opened for writing
    (user=%user.name command=%proc.cmdline file=%fd.name)
  priority: WARNING
  tags: [filesystem, mitre_persistence]
```

## Best Practices Summary

### Checklist

| Check item | Status |
|---|---|
| Pod Security Standards enabled | ✅ |
| RBAC least privilege | ✅ |
| Secrets encrypted at rest | ✅ |
| NetworkPolicy configured | ✅ |
| Image scanning enabled | ✅ |
| Audit logging enabled | ✅ |
| Runtime protection enabled | ✅ |
| Regular security scans | ✅ |

### Secure deployment checklist

- Image security: private registry, signature verification, vulnerability scanning
- Pod security: enforce the Restricted level, disable privileged containers
- Network security: default-deny policies, encrypted transport, network isolation
- Permission management: least privilege, regular audits, key rotation
- Data protection: encrypted storage, key management, backup strategy
- Monitoring and alerting: real-time monitoring, anomaly detection, security alerts

## Conclusion

This article covered the core areas of Kubernetes security and the best practices for each:

- Pod security: Pod Security Standards, SecurityContext configuration
- Permission management: RBAC, ServiceAccount, principle of least privilege
- Secret management: Secret configuration, External Secrets, data encryption
- Network security: NetworkPolicy, Ingress security, encrypted transport
- Image security: image scanning, signature verification, registry access control
- Runtime security: seccomp, AppArmor, runtime monitoring
- Audit logging: audit policy, log collection
- Security monitoring: Prometheus alerts, Falco rules

Implementing these practices significantly improves the security of a Kubernetes cluster and protects applications and data against a wide range of threats.
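A check for the Restricted-level fields described in the Pod Security Standards section, added here as an example (not code from the original article or from the Kubernetes project). It takes a Pod manifest in the dict form produced by `kubectl get pod -o json`; the two sample manifests are constructed inline.

```python
"""Check a Pod manifest (the dict form of `kubectl get pod -o json`) against the
Restricted-profile fields. Added example; sample manifests are constructed."""

# Restricted allows only this capability to be added back after dropping ALL.
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}

def _ctx(obj: dict) -> dict:
    return obj.get("securityContext") or {}

def check_restricted(pod: dict) -> list[str]:
    """Return one finding per violated field; an empty list means the Pod passes."""
    spec = pod.get("spec", {})
    pod_ctx = _ctx(spec)
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name, ctx = c.get("name", "<unnamed>"), _ctx(c)
        # Pod-level settings apply unless the container overrides them.
        non_root = ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot"))
        seccomp = (ctx.get("seccompProfile") or pod_ctx.get("seccompProfile") or {}).get("type")
        caps = ctx.get("capabilities") or {}
        if non_root is not True:
            findings.append(f"{name}: runAsNonRoot must be true")
        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation must be set to false")
        if ctx.get("privileged"):
            findings.append(f"{name}: privileged containers are not allowed")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add", [])) - ALLOWED_ADDED_CAPS
        if extra:
            findings.append(f"{name}: capabilities.add may only contain NET_BIND_SERVICE, found {sorted(extra)}")
    return findings

# Constructed samples: the article's secure-pod, and a pod that runs privileged as root.
SECURE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "secure-pod"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "fsGroup": 1000,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "example/app:v1.0.0", "securityContext": {
        "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
        "capabilities": {"drop": ["ALL"]}}}]}}
WEAK_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "weak-pod"}, "spec": {
    "containers": [{"name": "app", "image": "example/app:v1.0.0",
                    "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}}}]}}

if __name__ == "__main__":
    for pod in (SECURE_POD, WEAK_POD):
        print(pod["metadata"]["name"], check_restricted(pod) or "OK")
```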
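A linter for the RBAC manifests in the permission management section, added here as an example rather than taken from the article or any project. The set of escalation-prone verbs and resources it knows about is an illustrative subset assumed for the example, not an exhaustive catalogue; the sample roles are constructed from the article's YAML.

```python
"""Flag over-broad or escalation-prone rules in a Role/ClusterRole manifest, e.g. the
wildcard "cluster-admin-limited" ClusterRole from the cluster-level permissions section.
Added example, not Kubernetes project code; the sample roles are constructed."""

ESCALATING_VERBS = {"escalate", "bind", "impersonate"}
# (apiGroup, resource) -> verbs that let the holder widen their own access. This is an
# illustrative subset assumed for the example, not an exhaustive list.
SENSITIVE = {
    ("", "secrets"): {"get", "list", "watch"},
    ("", "pods/exec"): {"create"},
    ("", "serviceaccounts/token"): {"create"},
    ("rbac.authorization.k8s.io", "clusterrolebindings"): {"create", "update", "patch"},
}

def lint_rbac(role: dict) -> list[str]:
    """Return one finding per risky rule; an empty list means nothing was flagged."""
    name = role.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
        verbs = set(rule.get("verbs", []))
        if "*" in groups and "*" in resources and "*" in verbs:
            findings.append(f"{name} rule {i}: wildcard apiGroups/resources/verbs equals cluster-admin")
            continue
        if "*" in verbs:
            targets = resources or rule.get("nonResourceURLs", [])
            findings.append(f"{name} rule {i}: verbs ['*'] grants every verb on {targets}")
        if verbs & ESCALATING_VERBS:
            findings.append(f"{name} rule {i}: escalating verbs {sorted(verbs & ESCALATING_VERBS)}")
        # A wildcard apiGroup covers every group in SENSITIVE; a wildcard verb covers every verb.
        group_keys = {g for g, _ in SENSITIVE} if "*" in groups else set(groups)
        for g in group_keys:
            for r in resources:
                risky = SENSITIVE.get((g, r), set())
                hit = risky if "*" in verbs else risky & verbs
                if hit:
                    findings.append(f"{name} rule {i}: {sorted(hit)} on {r} is sensitive")
    return findings

# Constructed samples: the article's app-deployer Role, its wildcard ClusterRole, and a secret reader.
APP_DEPLOYER = {"kind": "Role", "metadata": {"name": "app-deployer"}, "rules": [
    {"apiGroups": ["apps"], "resources": ["deployments", "replicasets"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    {"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["get", "list", "watch"]}]}
CLUSTER_ADMIN_LIMITED = {"kind": "ClusterRole", "metadata": {"name": "cluster-admin-limited"}, "rules": [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    {"nonResourceURLs": ["*"], "verbs": ["*"]}]}
SECRET_READER = {"kind": "Role", "metadata": {"name": "secret-reader"}, "rules": [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]}
```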
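Detection logic that consumes the audit events the audit policy section produces, added here as an example and not part of the original article: it scans API server audit events in JSON-lines form for Secret reads by subjects outside an allowlist and aggregates them per user, the kind of count behind the SecretAccessDenied alert. The allowlist and the sample log lines are constructed.

```python
"""Scan API server audit events (JSON lines) for Secret reads by subjects outside an
allowlist. Added example, not Kubernetes project code; the log lines are constructed."""
import json
from collections import Counter

# Subjects expected to read Secrets; everything else is reported. Constructed allowlist.
ALLOWED_SECRET_READERS = {
    "system:serviceaccount:default:app-service-account",
    "system:kube-controller-manager",
}

def _event(user, verb, ns, name, code, stage="ResponseComplete"):
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
                       "stage": stage, "verb": verb, "user": {"username": user},
                       "objectRef": {"resource": "secrets", "namespace": ns, "name": name},
                       "responseStatus": {"code": code}})

# Constructed sample log: an allowed reader, a denied attempt, a successful list by a
# human user in kube-system, and a RequestReceived duplicate that must not double-count.
SAMPLE_AUDIT_LOG = "\n".join([
    _event("system:serviceaccount:default:app-service-account", "get", "default", "db-credentials", 200),
    _event("jane@example.com", "get", "default", "db-credentials", 403),
    _event("jane@example.com", "list", "kube-system", "", 200, stage="RequestReceived"),
    _event("jane@example.com", "list", "kube-system", "", 200),
    _event("system:kube-controller-manager", "get", "kube-system", "bootstrap-token", 200),
])

def suspicious_secret_reads(log_text: str) -> list[dict]:
    """Return Secret get/list/watch events by users outside ALLOWED_SECRET_READERS."""
    hits = []
    for line in filter(None, log_text.splitlines()):
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        # Only count the completed stage, and only Secret reads.
        if ev.get("stage") != "ResponseComplete" or ref.get("resource") != "secrets":
            continue
        if ev.get("verb") not in ("get", "list", "watch"):
            continue
        user = ev.get("user", {}).get("username", "")
        if user in ALLOWED_SECRET_READERS:
            continue
        hits.append({"user": user, "verb": ev["verb"], "namespace": ref.get("namespace"),
                     "name": ref.get("name") or "*", "code": (ev.get("responseStatus") or {}).get("code")})
    return hits

def reads_per_user(hits: list[dict]) -> Counter:
    """Aggregate findings per subject, the count an alert rule would threshold on."""
    return Counter(h["user"] for h in hits)
```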