
Kubernetes Security Hardening Best Practices


Introduction

With the widespread adoption of Kubernetes in enterprise production environments, security has become increasingly important. Kubernetes clusters face many kinds of threats, including container vulnerabilities, network attacks and privilege abuse. This article takes an in-depth look at how to harden a Kubernetes cluster comprehensively.

1. Cluster Security Architecture

1.1 Security Boundary Design

```yaml
# Default deny: an empty podSelector selects every pod in the namespace, and an
# empty ingress list means no inbound traffic is allowed at all.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress: []
---
# As soon as an Egress policy selects a pod, all egress that is not explicitly
# allowed is blocked, so DNS to CoreDNS in kube-system must be opened up here.
# DNS falls back to TCP for large responses; add a TCP/53 entry if your workloads need it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-to-dns
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
```

1.2 Multi-tenant Isolation

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: tenant-a
  labels:
    tenant: tenant-a
---
# Quotas stop one tenant from starving the others of CPU, memory or pod slots.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: tenant-a-quota
  namespace: tenant-a
spec:
  hard:
    requests.cpu: "4"
    requests.memory: "8Gi"
    limits.cpu: "8"
    limits.memory: "16Gi"
    pods: "20"
---
# Traffic in and out of tenant-a is limited to namespaces carrying the same tenant label.
# Note that this egress rule also blocks DNS; pair it with allow-egress-to-dns from 1.1.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tenant-a-isolation
  namespace: tenant-a
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          tenant: tenant-a
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          tenant: tenant-a
```

2. Pod Security Configuration

2.1 Pod Security Policy

```yaml
# PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25. On current
# clusters the equivalent is the "restricted" Pod Security Standard, enforced by the
# built-in Pod Security Admission controller via the namespace label
# pod-security.kubernetes.io/enforce: restricted. The policy is kept here for older clusters.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
  - ALL
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'projected'
  - 'secret'
  - 'downwardAPI'
  - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'MustRunAsNonRoot'
  runAsGroup:
    rule: 'MustRunAs'
    ranges:
    - min: 1
      max: 65535
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
    - min: 1
      max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
    - min: 1
      max: 65535
```

2.2 Security Context Configuration

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  # Pod-level defaults; containers may override them but only to stricter values here.
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 2000
    fsGroup: 3000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: my-app:latest   # prefer an immutable tag or digest over :latest
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true   # mount an emptyDir for any path the app must write
      runAsNonRoot: true
      capabilities:
        drop:
        - ALL
```
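To verify that running pods actually match the restrictions from 2.1 and 2.2, the following added example (not code from the original article) walks the JSON that `kubectl get pods -A -o json` prints and lists every deviation. It checks the effective per-container value, since container-level securityContext fields override pod-level ones; the sample PodList is constructed inline.

```python
import json

# Added example (not from the article): check pods from `kubectl get pods -A -o json` against the PodSecurityPolicy and securityContext settings above.
ALLOWED_VOLUMES = {"configMap", "emptyDir", "projected", "secret", "downwardAPI", "persistentVolumeClaim"}

def check_pod(pod):
    """Return a list of violations; an empty list means the pod is compliant."""
    spec, name = pod["spec"], pod["metadata"]["name"]
    pod_sc = spec.get("securityContext", {})
    out = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            out.append(f"{name}: {field} is enabled")
    for vol in spec.get("volumes", []):
        for vtype in (k for k in vol if k != "name"):
            if vtype not in ALLOWED_VOLUMES:
                out.append(f"{name}: volume {vol['name']} uses disallowed type {vtype}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc, cname = c.get("securityContext", {}), f"{name}/{c['name']}"
        # Container-level settings override pod-level ones, so resolve the effective value.
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            out.append(f"{cname}: seccompProfile must be RuntimeDefault or Localhost")
        if sc.get("privileged"):
            out.append(f"{cname}: privileged container")
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f"{cname}: allowPrivilegeEscalation must be false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            out.append(f"{cname}: capabilities.drop must include ALL")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            out.append(f"{cname}: runAsNonRoot must be true")
        if sc.get("readOnlyRootFilesystem") is not True:
            out.append(f"{cname}: readOnlyRootFilesystem must be true")
    return out

def audit(pod_list):
    """Map pod name -> violations for a PodList (the JSON shape kubectl prints)."""
    return {p["metadata"]["name"]: check_pod(p) for p in pod_list["items"]}

# Constructed sample: the secure-pod from section 2.2 and a non-compliant debug pod.
SAMPLE_PODS = json.loads("""{"items": [
 {"metadata": {"name": "secure-pod"}, "spec": {"securityContext": {"runAsNonRoot": true,
   "seccompProfile": {"type": "RuntimeDefault"}}, "containers": [{"name": "app", "securityContext": {
   "allowPrivilegeEscalation": false, "readOnlyRootFilesystem": true, "runAsNonRoot": true,
   "capabilities": {"drop": ["ALL"]}}}]}},
 {"metadata": {"name": "debug-pod"}, "spec": {"hostPID": true, "volumes": [{"name": "host",
   "hostPath": {"path": "/"}}], "containers": [{"name": "shell", "securityContext": {"privileged": true}}]}}
]}""")
```

Run it against a live cluster with `kubectl get pods -A -o json | python3 -c 'import json,sys; from check import audit; print(audit(json.load(sys.stdin)))'` or simply call `audit()` on the parsed output.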

3. RBAC Permission Management

3.1 Principle of Least Privilege

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-developer
  namespace: my-app
rules:
- apiGroups: [""]
  # get/list/watch on secrets return their decoded values; if developers only need to
  # reference secrets by name, move secrets into a separate, narrower Role.
  resources: ["pods", "services", "configmaps", "secrets"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]
---
# A RoleBinding confines the grant to the my-app namespace; a ClusterRoleBinding would not.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-developer-binding
  namespace: my-app
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: app-developer
subjects:
- kind: User
  name: developer@example.com
  apiGroup: rbac.authorization.k8s.io
```

3.2 Service Account Management

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  namespace: my-app
# Do not mount the API token into pods unless the workload actually calls the API;
# a mounted token is the first thing an attacker inside a compromised container looks for.
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-sa-binding
  namespace: my-app
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: minimal-permissions   # a Role, defined separately, that grants only the verbs the app needs
subjects:
- kind: ServiceAccount
  name: app-sa
  namespace: my-app
```
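Regular permission audits are easier with a script than with `kubectl describe`. The following added example (not code from the original article) flags rules in Roles and ClusterRoles that contradict the least-privilege principle of 3.1 and 3.2: wildcard grants and read or write access to secrets. It consumes the JSON that `kubectl get roles,clusterroles -A -o json` prints; the sample list is constructed inline and includes the app-developer Role from 3.1.

```python
import json

# Added example (not from the article): flag Role/ClusterRole rules that violate least privilege.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
READ_VERBS = {"get", "list", "watch"}

def risky_rules(role):
    """Return findings for one Role/ClusterRole object; an empty list means nothing was flagged."""
    meta = role["metadata"]
    name = f'{role["kind"]}:{meta.get("namespace", "cluster")}/{meta["name"]}'
    out = []
    for i, rule in enumerate(role.get("rules", [])):
        groups, resources, verbs = (set(rule.get(k, [])) for k in ("apiGroups", "resources", "verbs"))
        if "*" in groups | resources | verbs:
            out.append(f"{name} rule[{i}]: wildcard grant")
        if "secrets" in resources and verbs & WRITE_VERBS:
            out.append(f"{name} rule[{i}]: write access to secrets ({sorted(verbs & WRITE_VERBS)})")
        if "secrets" in resources and verbs & READ_VERBS:
            # get/list/watch return the decoded secret data, i.e. every secret value in the namespace
            out.append(f"{name} rule[{i}]: can read secret values ({sorted(verbs & READ_VERBS)})")
    return out

def audit_roles(role_list):
    """Flatten findings over a List object (the JSON shape kubectl prints)."""
    return [finding for role in role_list["items"] for finding in risky_rules(role)]

# Constructed sample: the app-developer Role from 3.1, an over-broad ClusterRole and a clean Role.
SAMPLE_ROLES = json.loads("""{"items": [
 {"kind": "Role", "metadata": {"name": "app-developer", "namespace": "my-app"}, "rules": [
   {"apiGroups": [""], "resources": ["pods", "services", "configmaps", "secrets"],
    "verbs": ["get", "list", "watch", "create", "update", "delete"]},
   {"apiGroups": ["apps"], "resources": ["deployments", "replicasets"],
    "verbs": ["get", "list", "watch", "create", "update", "delete"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "ops-admin"}, "rules": [
   {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "Role", "metadata": {"name": "config-reader", "namespace": "my-app"}, "rules": [
   {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]}]}""")
```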

4. Secret Management

4.1 External Secret Store Integration

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-keyvault
spec:
  provider: azure
  parameters:
    keyvaultName: "my-keyvault"
    # The Azure provider also requires tenantId and an identity setting (managed or
    # workload identity), which the original omits; add them for your environment.
    objects: |
      array:
        - |
          objectName: db-password
          objectType: secret
          objectVersion: ""
        - |
          objectName: api-cert
          # objectType: certificate returns only the public certificate; to also
          # receive the private key, fetch the certificate with objectType: secret.
          objectType: certificate
          objectVersion: ""
  # Optionally mirror the mounted objects into a Kubernetes Secret for use as env vars.
  secretObjects:
  - secretName: app-secrets
    type: Opaque
    data:
    - key: password
      objectName: db-password
    - key: tls.crt
      objectName: api-cert
    - key: tls.key
      objectName: api-cert
```

4.2 Secret Rotation Policy

```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: secret-rotation
spec:
  schedule: "0 0 * * 0"   # weekly, Sunday at 00:00
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: rotation-sa
          containers:
          - name: rotation
            image: vault:latest
            # `vault write` has no -rotate flag: rotation is a write to the secrets engine's
            # rotate endpoint. The database mount and the connection name my-app-db are
            # assumed here; adjust them to your Vault layout.
            command: ["vault", "write", "-f", "database/rotate-root/my-app-db"]
            env:
            - name: VAULT_ADDR
              value: "https://vault.example.com:8200"
            # A static token stored in a Secret is itself a long-lived credential; Vault's
            # Kubernetes auth method (short-lived tokens tied to rotation-sa) is preferable.
            - name: VAULT_TOKEN
              valueFrom:
                secretKeyRef:
                  name: vault-token
                  key: token
          restartPolicy: OnFailure
```

5. Image Security

5.1 Image Registry Authentication

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: regcred
  namespace: my-app
type: kubernetes.io/dockerconfigjson
data:
  # base64 of a docker config.json (value truncated in the original). Generate the
  # Secret with `kubectl create secret docker-registry regcred ...` and reference it
  # from pods via spec.imagePullSecrets.
  .dockerconfigjson: eyJhdXRocyI6eyJodHRwczovL2luZGV4LmRvY2tlci5pby92MS8iOnsiYXV0aG9yaXpl
```

5.2 Image Scanning Integration

```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: image-scan
spec:
  template:
    spec:
      containers:
      - name: trivy
        image: aquasec/trivy:latest
        # --exit-code 1 makes the Job fail whenever a HIGH or CRITICAL finding exists,
        # so the scan result can gate a pipeline.
        command: ["trivy", "image", "--severity", "HIGH,CRITICAL", "--exit-code", "1", "my-app:latest"]
        volumeMounts:
        - name: cache
          mountPath: /root/.cache
      restartPolicy: Never
      volumes:
      # An emptyDir cache is discarded with the pod; back it with a PVC to avoid
      # re-downloading the vulnerability database on every run.
      - name: cache
        emptyDir: {}
```

6. Runtime Security

6.1 seccomp Configuration

```yaml
# The seccomp.security.alpha.kubernetes.io annotations were deprecated in Kubernetes 1.19
# and have since been removed; on current clusters use spec.securityContext.seccompProfile
# (type: RuntimeDefault), as shown in the secure-pod manifest in section 2.2.
apiVersion: v1
kind: Pod
metadata:
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: runtime/default
  name: secure-pod
spec:
  containers:
  - name: app
    image: my-app:latest
```

6.2 AppArmor Configuration

```yaml
# The container.apparmor.security.beta.kubernetes.io/<container> annotation is deprecated
# since Kubernetes 1.30 in favour of securityContext.appArmorProfile (type: RuntimeDefault).
# Either form only takes effect on nodes where AppArmor is enabled in the kernel.
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.apparmor.security.beta.kubernetes.io/app: runtime/default
  name: secure-pod
spec:
  containers:
  - name: app
    image: my-app:latest
```

7. Auditing and Monitoring

7.1 Audit Log Configuration

```yaml
# A ConfigMap alone does not enable auditing: the policy file must be passed to
# kube-apiserver with --audit-policy-file, together with --audit-log-path.
apiVersion: v1
kind: ConfigMap
metadata:
  name: audit-config
data:
  audit.yaml: |
    apiVersion: audit.k8s.io/v1
    kind: Policy
    rules:
    # Log secret and configmap access at Metadata level only: RequestResponse would
    # copy the secret values themselves into the audit log.
    - level: Metadata
      resources:
      - group: ""
        resources: ["secrets", "configmaps"]
    - level: Request
      resources:
      - group: ""
        resources: ["pods", "services"]
      - group: "apps"   # deployments live in the apps API group, not the core group
        resources: ["deployments"]
    - level: None
      resources:
      - group: ""
        resources: ["events"]
    # Catch-all: anything not matched above is still recorded at Metadata level.
    - level: Metadata
```

7.2 Security Event Monitoring

```yaml
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: security-alerts
spec:
  groups:
  - name: security.rules
    rules:
    - alert: UnauthorizedAccessAttempt
      # apiserver_request_total is the kube-apiserver's own request counter;
      # 401/403 responses on secrets are authentication/authorization denials.
      expr: sum(rate(apiserver_request_total{verb="get",resource="secrets",code=~"401|403"}[5m])) > 5
      for: 5m
      labels:
        severity: critical
      annotations:
        summary: "High number of secret access denials"
    - alert: PrivilegedPodCreated
      # kube-state-metrics does not export a privileged/pod-security label on kube_pod_owner
      # out of the box; this expression assumes a custom exporter or annotation allowlist.
      expr: sum(kube_pod_owner{owner_kind="Deployment",pod_annotation_special_pod_security_admission_kubernetes_io_level="privileged"}) > 0
      for: 1m
      labels:
        severity: warning
      annotations:
        summary: "Privileged pod detected"
```
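The same detection can be run offline over the audit log that the policy in 7.1 produces, which is useful during incident response when Prometheus history is unavailable. The following added example (not code from the original article) is a count-based form of the UnauthorizedAccessAttempt rule: it reads audit events as JSON lines, keeps a sliding window of 401/403 responses on secrets per user, and reports every denial that pushes a user over the threshold. The audit events are constructed inline with only the fields the detector reads.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Added example (not from the article): count-based form of the UnauthorizedAccessAttempt rule over audit-log JSON lines.
WINDOW = timedelta(minutes=5)
THRESHOLD = 5   # more than this many denials per user inside WINDOW raises an alert

def parse_ts(value):
    """Audit timestamps look like 2024-05-01T10:00:00.123456Z; fractional seconds are ignored."""
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")

def denied_secret_access(event):
    """True for a completed request on secrets that was rejected with 401 or 403."""
    ref = event.get("objectRef") or {}
    code = (event.get("responseStatus") or {}).get("code", 0)
    return event.get("stage") == "ResponseComplete" and ref.get("resource") == "secrets" and code in (401, 403)

def find_bursts(lines):
    """Return [(username, timestamp)] for every denial that pushes a user over THRESHOLD within WINDOW."""
    recent = defaultdict(deque)   # username -> timestamps of its recent denials
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        if not denied_secret_access(event):
            continue
        ts = parse_ts(event["requestReceivedTimestamp"])
        user = (event.get("user") or {}).get("username", "<anonymous>")
        window = recent[user]
        window.append(ts)
        while ts - window[0] > WINDOW:   # evict denials that fell out of the sliding window
            window.popleft()
        if len(window) > THRESHOLD:
            alerts.append((user, ts))
    return alerts

def _event(user, code, ts, resource="secrets"):
    """Build one constructed audit event line with the fields the detector reads."""
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
                       "verb": "get", "user": {"username": user}, "requestReceivedTimestamp": ts,
                       "objectRef": {"resource": resource, "namespace": "prod", "name": "db-creds"},
                       "responseStatus": {"code": code}})

# Constructed sample log: a burst of seven forbidden secret reads from one service account, plus benign traffic.
SAMPLE_LOG = [_event("system:serviceaccount:default:ci", 403, f"2024-05-01T10:00:0{i}.000000Z") for i in range(7)]
SAMPLE_LOG += [_event("developer@example.com", 200, "2024-05-01T10:00:10.000000Z"),
               _event("developer@example.com", 403, "2024-05-01T10:00:11.000000Z"),
               _event("developer@example.com", 403, "2024-05-01T10:30:00.000000Z", resource="configmaps")]
```

On a real log, pass `open("/var/log/kubernetes/audit.log")` (or whatever `--audit-log-path` points to) as `lines`.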

8. Security Compliance Checks

8.1 kube-bench Integration

```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: kube-bench
spec:
  schedule: "0 2 * * *"   # daily at 02:00
  jobTemplate:
    spec:
      template:
        spec:
          # hostPID lets kube-bench inspect the kubelet process and its command-line flags.
          hostPID: true
          containers:
          - name: kube-bench
            image: aquasec/kube-bench:latest
            # The kube-bench flag is --targets (plural). The upstream job.yaml also mounts
            # further host paths such as /etc/systemd and /usr/bin so unit-file and
            # binary checks can run; add them if those checks report as WARN.
            command: ["kube-bench", "run", "--targets", "node"]
            volumeMounts:
            - name: var-lib-kubelet
              mountPath: /var/lib/kubelet
              readOnly: true
            - name: etc-kubernetes
              mountPath: /etc/kubernetes
              readOnly: true
          restartPolicy: Never
          volumes:
          - name: var-lib-kubelet
            hostPath:
              path: /var/lib/kubelet
          - name: etc-kubernetes
            hostPath:
              path: /etc/kubernetes
```

8.2 CIS Benchmark Checks

```bash
# --targets selects the benchmark sections, --json prints machine-readable results.
# In the JSON, each control holds tests, and each test holds results with a status
# of PASS, FAIL, WARN or INFO, so the FAIL filter has to descend to the results.
kube-bench run --targets master --json | jq '.Controls[].tests[].results[] | select(.status == "FAIL")'
```

9. Summary of Best Practices

| Area | Key points |
|---|---|
| Network security | Use NetworkPolicy for network isolation |
| Pod security | Configure security contexts; forbid privileged containers |
| RBAC management | Follow the principle of least privilege; audit permissions regularly |
| Secret management | Use an external secret store; rotate secrets regularly |
| Image security | Scan images for vulnerabilities; use a private registry |
| Runtime security | Enable seccomp and AppArmor |
| Auditing and monitoring | Configure audit logs and security alerts |
| Compliance checks | Run security benchmark checks regularly |

Conclusion

Kubernetes security is an ongoing process that requires hardening along several dimensions. With sound security configuration and continuous security auditing, a secure and reliable Kubernetes cluster can be built. As cloud-native technology evolves, security protection will become more intelligent and automated.

http://www.jsqmd.com/news/925625/
