Kubernetes安全加固实战
Kubernetes安全加固实战
一、引言
Kubernetes集群的安全性至关重要,涉及多个层面的防护措施。本文将深入探讨Kubernetes安全的核心领域和最佳实践。
二、安全架构设计
2.1 Kubernetes安全层次
┌─────────────────────────────────────────────────────────────────┐ │ Kubernetes安全层次 │ ├─────────────────────────────────────────────────────────────────┤ │ │ │ ┌───────────────────────────────────────────────────────────┐ │ │ │ 应用层安全 │ │ │ │ (容器镜像安全、代码安全、运行时保护) │ │ │ ├───────────────────────────────────────────────────────────┤ │ │ │ 平台层安全 │ │ │ │ (网络隔离、RBAC、Pod安全策略) │ │ │ ├───────────────────────────────────────────────────────────┤ │ │ │ 基础设施安全 │ │ │ │ (节点安全、网络安全、存储安全) │ │ │ ├───────────────────────────────────────────────────────────┤ │ │ │ 数据层安全 │ │ │ │ (数据加密、密钥管理、备份恢复) │ │ │ └───────────────────────────────────────────────────────────┘ │ │ │ └─────────────────────────────────────────────────────────────────┘2.2 安全威胁矩阵
| 威胁类型 | 描述 | 防护措施 |
|---|---|---|
| 容器逃逸 | 容器突破隔离访问宿主机 | 使用安全容器运行时 |
| 网络攻击 | 服务间通信被窃听或篡改 | 网络策略、mTLS |
| 权限提升 | 恶意获取更高权限 | RBAC、Pod安全策略 |
| 镜像篡改 | 镜像被植入恶意代码 | 镜像签名、扫描 |
| 敏感数据泄露 | 密钥或配置泄露 | Secret管理、加密 |
三、集群安全加固
3.1 控制平面安全
apiVersion: v1 kind: Pod metadata: name: kube-apiserver namespace: kube-system spec: containers: - name: kube-apiserver image: k8s.gcr.io/kube-apiserver:v1.28.2 command: - kube-apiserver - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key - --client-ca-file=/etc/kubernetes/pki/ca.crt - --enable-admission-plugins=NodeRestriction,PodSecurityPolicy - --audit-log-path=/var/log/kubernetes/audit.log - --audit-policy-file=/etc/kubernetes/audit-policy.yaml3.2 审计策略配置
apiVersion: v1 kind: ConfigMap metadata: name: audit-policy namespace: kube-system data: audit-policy.yaml: | apiVersion: audit.k8s.io/v1 kind: Policy rules: - level: RequestResponse resources: - group: "" resources: ["secrets", "configmaps"] - level: Request resources: - group: "*" resources: ["*"]四、Pod安全策略
4.1 Pod Security Admission
apiVersion: policy/v1 kind: PodSecurityPolicy metadata: name: restrictive spec: privileged: false allowPrivilegeEscalation: false requiredDropCapabilities: - ALL volumes: - 'emptyDir' - 'secret' - 'configMap' hostNetwork: false hostIPC: false hostPID: false runAsUser: rule: 'MustRunAsNonRoot' seLinux: rule: 'RunAsAny'4.2 网络策略
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-all-ingress spec: podSelector: {} policyTypes: - IngressapiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-db-access spec: podSelector: matchLabels: app: database ingress: - from: - podSelector: matchLabels: app: backend ports: - protocol: TCP port: 5432五、镜像安全
5.1 镜像扫描
# 使用Trivy扫描镜像 trivy image --severity HIGH,CRITICAL registry.example.com/my-app:1.0.0 # 使用Snyk扫描 snyk container test registry.example.com/my-app:1.0.0 # 使用Grype扫描 grype registry.example.com/my-app:1.0.05.2 镜像签名与验证
# 使用Cosign签名镜像 cosign sign --key cosign.key registry.example.com/my-app:1.0.0 # 验证镜像签名 cosign verify --key cosign.pub registry.example.com/my-app:1.0.0 # 配置Kubernetes验证策略 kubectl apply -f image-policy.yaml5.3 ImagePolicyWebhook配置
apiVersion: v1 kind: ConfigMap metadata: name: imagepolicy-webhook namespace: kube-system data: config.yaml: | imagePolicy: kubeConfigFile: /etc/admission-controller/config allowTTL: 50 denyTTL: 50 retryBackoff: 500六、密钥与敏感数据管理
6.1 Secret管理
apiVersion: v1 kind: Secret metadata: name: db-secret type: Opaque data: username: dXNlcm5hbWU= password: cGFzc3dvcmQ=6.2 External Secrets Operator
apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: db-secret spec: refreshInterval: 1h secretStoreRef: name: vault-backend kind: SecretStore target: name: db-secret creationPolicy: Owner data: - secretKey: username remoteRef: key: database/username - secretKey: password remoteRef: key: database/password6.3 Vault集成
apiVersion: external-secrets.io/v1beta1 kind: SecretStore metadata: name: vault-backend spec: provider: vault: server: https://vault.example.com:8200 path: secret version: v2 auth: kubernetes: mountPath: kubernetes role: k8s-role serviceAccountRef: name: vault-auth七、运行时安全
7.1 AppArmor配置
apiVersion: v1 kind: Pod metadata: name: secure-pod annotations: container.apparmor.security.beta.kubernetes.io/my-container: runtime/default spec: containers: - name: my-container image: my-app:1.0.07.2 Seccomp配置
apiVersion: v1 kind: Pod metadata: name: secure-pod spec: securityContext: seccompProfile: type: RuntimeDefault containers: - name: my-container image: my-app:1.0.07.3 运行时保护
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1 kind: SeccompProfile metadata: name: restricted-profile spec: defaultAction: SCMP_ACT_ERRNO syscalls: - action: SCMP_ACT_ALLOW names: - read - write - open - close - socket八、安全监控与审计
8.1 安全事件监控
apiVersion: monitoring.coreos.com/v1 kind: PrometheusRule metadata: name: security-rules spec: groups: - name: security.rules rules: - alert: PodSecurityPolicyViolation expr: sum(rate(kube_pod_security_policy_violations_total[5m])) > 0 for: 1m labels: severity: critical annotations: summary: "Pod Security Policy violation detected"8.2 审计日志分析
# 查看审计日志 kubectl logs -n kube-system kube-apiserver | grep -i "violation" # 使用Falco进行运行时检测 kubectl apply -f falco.yaml # 查看Falco告警 kubectl logs -n falco falco-xxxxx九、总结
Kubernetes安全是一个系统性工程,需要从多个层面进行防护。通过实施Pod安全策略、网络隔离、镜像扫描、密钥管理和运行时保护等措施,可以构建一个安全可靠的Kubernetes集群。