
Kubernetes Cloud-Native Security Compliance Practices


1. Introduction

Cloud-native security compliance is an issue every organization adopting Kubernetes has to address. This article examines the core areas of Kubernetes security compliance, the best practices for each, and the compliance frameworks they map to.

2. Security compliance architecture

2.1 Security compliance reference architecture

```text
┌───────────────────────────────────────────────────┐
│         Security compliance architecture          │
├───────────────────────────────────────────────────┤
│  ┌─────────────────────────────────────────────┐  │
│  │  Compliance framework layer                 │  │
│  │  (SOC2 / GDPR / HIPAA / PCI-DSS)            │  │
│  ├─────────────────────────────────────────────┤  │
│  │  Security control layer                     │  │
│  │  (RBAC / NetworkPolicy / Secrets / Audit)   │  │
│  ├─────────────────────────────────────────────┤  │
│  │  Infrastructure layer                       │  │
│  │  (Nodes / Pods / Services / Storage)        │  │
│  └─────────────────────────────────────────────┘  │
└───────────────────────────────────────────────────┘
```

2.2 Comparison of compliance frameworks

| Framework | Applicable domain | Core requirements |
|---|---|---|
| SOC2 | Cloud service providers | Security, availability, processing integrity |
| GDPR | Data privacy | Data protection, privacy compliance |
| HIPAA | Healthcare | Protection of medical data |
| PCI-DSS | Payment card industry | Payment data security |

3. Security compliance practices

3.1 RBAC compliance configuration

```yaml
# Read-only ClusterRole for a compliance auditor. Note that "get"/"list" on
# secrets exposes their values, so bind this role to a dedicated service
# account only and keep that account's credentials tightly controlled.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: compliance-audit
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: compliance-audit-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: compliance-audit
subjects:
  - kind: ServiceAccount
    name: compliance-audit
    namespace: kube-system
```

3.2 Audit log configuration

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: audit-policy
  namespace: kube-system
data:
  audit-policy.yaml: |
    apiVersion: audit.k8s.io/v1
    kind: Policy
    rules:
      # Secrets: log metadata only. At RequestResponse level the secret
      # values themselves would be written into the audit log.
      - level: Metadata
        resources:
          - group: ""
            resources: ["secrets"]
      - level: RequestResponse
        resources:
          - group: ""
            resources: ["configmaps"]
      # Catch-all for every other request. A rule without a resources list
      # matches everything; group: "*" is not a wildcard and matches nothing.
      - level: Request
---
# Fragment of the kube-apiserver static pod showing only the audit flags.
# A static pod cannot mount the ConfigMap above: the policy file has to be
# placed on the control-plane node and mounted into the pod via hostPath.
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
    - name: kube-apiserver
      command:
        - kube-apiserver
        - --audit-log-path=/var/log/kubernetes/audit.log
        - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
        - --audit-log-maxage=30
        - --audit-log-maxbackup=10
        - --audit-log-maxsize=100
```
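As an added example (not code from the original article), the following Python reads audit events in the JSON-lines format the apiserver writes to --audit-log-path and surfaces the Secret access the policy above makes visible: repeated 403 responses on Secrets, and successful reads by any identity other than the auditor service account. The sample events and the ALLOWED_SECRET_READERS allow-list are constructed assumptions.

```python
import json
from collections import Counter

def _event(stage, verb, user, resource, code, name=None):
    """Build a minimal audit.k8s.io/v1 Event line (constructed sample, not real data)."""
    ref = {"resource": resource, "namespace": "prod"}
    if name:
        ref["name"] = name
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1",
                       "level": "Metadata", "stage": stage, "verb": verb,
                       "user": {"username": user}, "objectRef": ref,
                       "responseStatus": {"code": code}})

AUDITOR = "system:serviceaccount:kube-system:compliance-audit"
# Constructed sample of the JSON-lines file written to --audit-log-path.
SAMPLE_AUDIT_LOG = "\n".join([
    _event("ResponseComplete", "get", AUDITOR, "secrets", 200, "db-secret"),
    _event("ResponseComplete", "list", "alice@example.com", "secrets", 403),
    _event("ResponseComplete", "get", "alice@example.com", "secrets", 200, "db-secret"),
    _event("ResponseStarted", "watch", "alice@example.com", "secrets", 200),
    _event("ResponseComplete", "get", "alice@example.com", "configmaps", 200, "app-cfg"),
])
# Identities expected to read Secrets; successful reads by anyone else are reported.
ALLOWED_SECRET_READERS = {AUDITOR}

def iter_completed_events(log_text):
    """Yield each request once, at its ResponseComplete stage only."""
    for line in log_text.splitlines():
        if line.strip():
            ev = json.loads(line)
            if ev.get("kind") == "Event" and ev.get("stage") == "ResponseComplete":
                yield ev

def secret_access_findings(log_text):
    """Return (403 count per user on Secrets, unexpected successful Secret reads)."""
    denied = Counter()
    unexpected = []
    for ev in iter_completed_events(log_text):
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "secrets":
            continue
        user = ev["user"]["username"]
        code = ev.get("responseStatus", {}).get("code", 0)
        if code == 403:
            denied[user] += 1  # repeated denials on Secrets deserve an alert
        elif code < 300 and user not in ALLOWED_SECRET_READERS:
            unexpected.append((user, ev["verb"], ref["namespace"], ref.get("name")))
    return denied, unexpected
```

The watch event is skipped because it is logged at the ResponseStarted stage, so a long-running request is never counted twice.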

4. Data protection compliance

4.1 Data encryption configuration

```yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: encrypted-storage
provisioner: ebs.csi.aws.com
parameters:
  type: gp3
  encrypted: "true"
  # Customer-managed KMS key (sample ARN); volumes are encrypted at rest with it
  kmsKeyId: "arn:aws:kms:us-west-2:123456789012:key/abcd1234"
allowVolumeExpansion: true
```

4.2 Secret management

```yaml
# External Secrets Operator pulls credentials from Vault and materializes a
# Kubernetes Secret, so no secret values are committed with the manifests.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-secret
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: db-secret
    creationPolicy: Owner
  data:
    - secretKey: username
      remoteRef:
        key: database/username
    - secretKey: password
      remoteRef:
        key: database/password
```

4.3 Data access logging

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: fluentd-config
data:
  fluentd.conf: |
    <source>
      @type tail
      path /var/log/containers/*.log
      pos_file /var/log/fluentd-containers.log.pos
      tag kubernetes.*
      <parse>
        @type json
      </parse>
    </source>
    <match kubernetes.**>
      @type elasticsearch
      host elasticsearch.example.com
      port 9200
      index_name kubernetes-logs
    </match>
```

5. Network security compliance

5.1 Network isolation policy

```yaml
# NetworkPolicy is namespaced: one copy is needed in every namespace to isolate.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: compliance-network-isolation
spec:
  podSelector: {}          # applies to every pod in the namespace
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - ipBlock:
            cidr: 10.0.0.0/8   # a whole /8 is coarse; namespace/pod selectors isolate more precisely
  egress:
    - to:
        - ipBlock:
            cidr: 10.0.0.0/8   # cluster DNS must be reachable within this range or name resolution breaks
```
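The audit script later in this article only greps for a policy named deny-all. As an added example (not part of the original article), this Python evaluates the policy semantics instead: for each namespace it checks that some policy selecting all pods denies Ingress and Egress by default, and it flags ipBlock peers as wide as the 10.0.0.0/8 above. The sample policies, the namespace list and the /16 threshold are constructed assumptions.

```python
import ipaddress

# Constructed sample of `kubectl get networkpolicies -A -o json`, reduced to the
# fields the check reads; not taken from a real cluster.
SAMPLE_POLICIES = {"items": [
    {"metadata": {"name": "default-deny", "namespace": "prod"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"metadata": {"name": "compliance-network-isolation", "namespace": "prod"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"],
              "ingress": [{"from": [{"ipBlock": {"cidr": "10.0.0.0/8"}}]}],
              "egress": [{"to": [{"ipBlock": {"cidr": "10.0.0.0/8"}}]}]}},
    {"metadata": {"name": "allow-ingress-only", "namespace": "staging"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
]}
NAMESPACES = ["prod", "staging", "dev"]   # workload namespaces to audit (constructed)
MAX_PREFIX = 16   # an ipBlock wider than /16 is treated as "isolation in name only"

def is_default_deny(spec, direction):
    """True when the policy selects all pods, lists `direction` in policyTypes
    and has no rules for it (absent or empty list): that denies all traffic."""
    return (spec.get("podSelector", {}) == {}
            and direction in spec.get("policyTypes", [])
            and not spec.get(direction.lower()))

def broad_ip_blocks(spec):
    """Return (direction, cidr) for ipBlock peers wider than MAX_PREFIX."""
    broad = []
    for direction, peer_key in (("ingress", "from"), ("egress", "to")):
        for rule in spec.get(direction) or []:
            for peer in rule.get(peer_key) or []:
                cidr = peer.get("ipBlock", {}).get("cidr")
                if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen < MAX_PREFIX:
                    broad.append((direction, cidr))
    return broad

def audit_network_policies(policies, namespaces):
    """Findings: namespaces lacking default-deny per direction, over-broad ipBlocks."""
    covered = {ns: {"Ingress": False, "Egress": False} for ns in namespaces}
    findings = []
    for pol in policies["items"]:
        ns, name, spec = pol["metadata"]["namespace"], pol["metadata"]["name"], pol["spec"]
        for direction in ("Ingress", "Egress"):
            if ns in covered and is_default_deny(spec, direction):
                covered[ns][direction] = True
        for direction, cidr in broad_ip_blocks(spec):
            findings.append(f"{ns}/{name}: {direction} allows the whole {cidr}")
    for ns, dirs in covered.items():
        findings += [f"{ns}: no default-deny {d} policy" for d, ok in dirs.items() if not ok]
    return findings
```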

5.2 mTLS configuration

```yaml
# This object is an OpenShift SecurityContextConstraints: it restricts what pods
# in the cluster may do. It does not by itself configure mTLS; mutual TLS between
# workloads is normally provided by a service mesh or by the applications.
# SCC fields sit at the top level of the object, not under a spec: key.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: restricted
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegedContainer: false
allowedCapabilities: []
defaultAddCapabilities: []
forbiddenSysctls:
  - "*"
fsGroup:
  type: MustRunAs
groups:
  - system:authenticated
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
  - ALL
runAsUser:
  type: MustRunAsNonRoot
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users: []
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
```

6. Container security compliance

6.1 Image vulnerability scanning

```bash
# Scan an image with Trivy, reporting only HIGH and CRITICAL findings
trivy image --severity HIGH,CRITICAL registry.example.com/my-app:1.0.0

# Scan with Snyk
snyk container test registry.example.com/my-app:1.0.0

# Scan with Grype
grype registry.example.com/my-app:1.0.0
```

6.2 Image signature verification

```bash
# Sign the image with Cosign using the private key
cosign sign --key cosign.key registry.example.com/my-app:1.0.0

# Verify the signature with the matching public key before deployment
cosign verify --key cosign.pub registry.example.com/my-app:1.0.0
```

6.3 Runtime security

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: my-app:1.0.0
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        runAsNonRoot: true
```
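As an added example (not code from the article), this Python checks a Pod object against the restricted-style baseline the manifest above targets, including the case where a container-level securityContext overrides the pod-level setting. Both sample pods are constructed; SECURE_POD adds capabilities.drop: [ALL], which the restricted Pod Security Standard also requires, and readOnlyRootFilesystem is treated as an extra hardening beyond that standard.

```python
# Constructed sample Pod objects as returned by `kubectl get pod -o json` (only the
# fields the check reads); not from a real cluster. SECURE_POD matches the manifest
# above plus `capabilities.drop: [ALL]`, which the restricted profile also requires.
SECURE_POD = {
    "metadata": {"name": "secure-pod"},
    "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "fsGroup": 1000,
                                 "seccompProfile": {"type": "RuntimeDefault"}},
             "containers": [{"name": "app", "image": "my-app:1.0.0",
                             "securityContext": {"allowPrivilegeEscalation": False,
                                                 "readOnlyRootFilesystem": True,
                                                 "runAsNonRoot": True,
                                                 "capabilities": {"drop": ["ALL"]}}}]}}
RISKY_POD = {
    "metadata": {"name": "risky-pod"},
    "spec": {"hostNetwork": True,
             "securityContext": {"runAsNonRoot": True},   # overridden by the container below
             "containers": [{"name": "app", "image": "my-app:1.0.0",
                             "securityContext": {"runAsNonRoot": False, "privileged": True}}]}}

def effective(pod_sc, ctr_sc, key):
    """A container-level securityContext field overrides the pod-level one."""
    return ctr_sc.get(key, pod_sc.get(key))

def check_pod_security(pod):
    """Return findings against a restricted-style baseline (non-root, no privilege
    escalation, seccomp, drop ALL, no host namespaces, read-only root filesystem).
    An empty list means the pod passes."""
    spec, name = pod["spec"], pod["metadata"]["name"]
    pod_sc = spec.get("securityContext") or {}
    findings = [f"{name}: {flag} is enabled"
                for flag in ("hostNetwork", "hostPID", "hostIPC") if spec.get(flag)]
    for ctr in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        sc = ctr.get("securityContext") or {}
        cname = f"{name}/{ctr['name']}"
        if sc.get("privileged"):
            findings.append(f"{cname}: privileged container")
        if effective(pod_sc, sc, "runAsNonRoot") is not True:
            findings.append(f"{cname}: runAsNonRoot is not true")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{cname}: allowPrivilegeEscalation is not false")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{cname}: root filesystem is writable")
        seccomp = effective(pod_sc, sc, "seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{cname}: seccompProfile is unconfined or unset")
        if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
            findings.append(f"{cname}: capabilities are not dropped (need drop: [ALL])")
    return findings
```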

7. Compliance auditing and reporting

7.1 Compliance audit script

```bash
#!/bin/bash
echo "=== Kubernetes Security Compliance Audit ==="
echo ""
echo "1. Checking RBAC Configuration..."
# Lists namespaced roles whose names suggest broad rights; a quick triage, not a full review
kubectl get roles --all-namespaces | grep -E "(admin|edit)"
echo ""
echo "2. Checking Network Policies..."
kubectl get networkpolicies --all-namespaces
echo ""
echo "3. Checking Secret Management..."
kubectl get secrets --all-namespaces -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.type}{"\n"}{end}'
echo ""
echo "4. Checking Pod Security..."
kubectl get pods --all-namespaces -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.securityContext}{"\n"}{end}'
echo ""
echo "=== Audit Complete ==="
```

7.2 Compliance report generation

```python
import datetime
import json
import subprocess


def run_command(cmd):
    """Run a kubectl command and return its stdout (empty string if it fails)."""
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def generate_report():
    report = {
        "audit_date": datetime.date.today().isoformat(),
        "cluster": "production",
        "findings": []
    }

    # Check network policies
    np_output = run_command("kubectl get networkpolicies --all-namespaces")
    if "deny-all" not in np_output:
        report["findings"].append({
            "severity": "warning",
            "issue": "Missing default deny network policy",
            "recommendation": "Create a default deny network policy for all namespaces"
        })

    # Check RBAC. The built-in ClusterRoleBinding named "cluster-admin" (bound to
    # system:masters) always exists, so a plain substring match would always fire;
    # parse the JSON and flag only additional bindings that grant cluster-admin.
    rbac_output = run_command("kubectl get clusterrolebindings -o json")
    bindings = json.loads(rbac_output)["items"] if rbac_output else []
    extra_admin = [
        b["metadata"]["name"] for b in bindings
        if b["roleRef"]["name"] == "cluster-admin"
        and b["metadata"]["name"] != "cluster-admin"
    ]
    if extra_admin:
        report["findings"].append({
            "severity": "critical",
            "issue": "Overly permissive cluster-admin role bindings found: " + ", ".join(extra_admin),
            "recommendation": "Review and restrict cluster-admin role bindings"
        })

    return json.dumps(report, indent=2)


if __name__ == "__main__":
    print(generate_report())
```

8. Summary

Kubernetes security compliance is a systematic effort that has to be controlled at several layers. Implementing RBAC access control, network isolation, data encryption, image vulnerability scanning and the other measures above satisfies the requirements of the various compliance frameworks and builds a secure, reliable cloud-native environment.
