# Kubernetes and Security Compliance Best Practices

张开发
2026/4/4 22:44:21 · 15 minute read
## 1. Kubernetes Security Fundamentals

Kubernetes security is a multi-layered concept that spans the cluster, the nodes, Pods, the network and the applications themselves. Understanding these fundamentals is the prerequisite for building a secure and compliant environment.

### 1.1 Layered Security Model

| Layer | Security Concern | Best Practice |
|---|---|---|
| Cluster | Control plane security, API server security | Use RBAC, enable audit logging |
| Node | Operating system security, container runtime security | Patch nodes regularly, use a hardened container runtime |
| Pod | Container security, image security | Use trusted base images, scan images for vulnerabilities |
| Network | Network isolation, traffic encryption | Use network policies, enable TLS |
| Storage | Data security, key management | Keep sensitive data in Secrets, encrypt storage |
| Application | Application code security, dependency security | Code audits, dependency scanning |

## 2. Cluster Security Configuration

### 2.1 API Server Security Configuration

API server security options:

```yaml
# kube-apiserver.yaml
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
kubernetesVersion: v1.25.0
apiServer:
  extraArgs:
    # PodSecurityPolicy was removed in v1.25; the built-in PodSecurity
    # admission plugin (Pod Security Admission) takes its place.
    enable-admission-plugins: NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota,PodSecurity
    tls-cert-file: /etc/kubernetes/pki/apiserver.crt
    tls-private-key-file: /etc/kubernetes/pki/apiserver.key
    audit-log-path: /var/log/kubernetes/audit.log
    # kubeadm extraArgs values are strings, so numbers and booleans must be quoted
    audit-log-maxage: "30"
    audit-log-maxbackup: "10"
    audit-log-maxsize: "100"
    anonymous-auth: "false"
    # kubeadm's default is Node,RBAC; keep the Node authorizer if kubelets rely on it
    authorization-mode: RBAC
```

### 2.2 etcd Security Configuration

etcd encryption at rest:

```yaml
# etcd.yaml
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
etcd:
  local:
    dataDir: /var/lib/etcd
# encryption-provider-config is a kube-apiserver flag: the API server encrypts
# resources before writing them to etcd, so it belongs under apiServer.extraArgs,
# not under etcd.local.extraArgs.
apiServer:
  extraArgs:
    encryption-provider-config: /etc/kubernetes/etcd-encryption.yaml
```

Create the encryption configuration:

```yaml
# etcd-encryption.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # The first provider is used for new writes; identity last keeps
      # existing plaintext objects readable until they are rewritten.
      - aescbc:
          keys:
            - name: key1
              # aescbc needs a base64-encoded random key of 16, 24 or 32 bytes,
              # e.g. generated with: head -c 32 /dev/urandom | base64
              secret: <base64-encoded-32-byte-key>
      - identity: {}
```

### 2.3 Node Security Configuration

Node (kubelet) security:

```yaml
# kubelet-config.yaml
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
address: 0.0.0.0
port: 10250
readOnlyPort: 0   # 0 disables the unauthenticated read-only port
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
authorization:
  mode: Webhook
clusterDomain: cluster.local
clusterDNS:
  - 10.96.0.10
```
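The EncryptionConfiguration in section 2.2 is easy to get subtly wrong: the key must decode to a valid AES key length, and whichever provider is listed first is the one used for writes. The following linter is an added example (not code from the original article) that checks a parsed configuration for those two mistakes and generates a correctly sized key. It assumes the configuration is already parsed into a dict (the shape `yaml.safe_load` would return), and the `SAMPLE_CONFIG` is constructed here to mirror the section, deliberately carrying the short `"secret key"` value.

```python
import base64
import binascii
import secrets

# Key lengths (bytes) accepted by each provider.
KEY_LENGTHS = {
    "aescbc": {16, 24, 32},
    "aesgcm": {16, 24, 32},
    "secretbox": {32},
}


def check_key(provider, secret_b64):
    """Return None if secret_b64 is a usable key for provider, otherwise a reason."""
    try:
        raw = base64.b64decode(secret_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        return "not valid base64 (%s)" % exc
    wanted = KEY_LENGTHS[provider]
    if len(raw) not in wanted:
        return "decoded key is %d bytes, %s needs %s" % (
            len(raw), provider, "/".join(str(n) for n in sorted(wanted)))
    return None


def check_encryption_config(config):
    """Lint a parsed EncryptionConfiguration; returns a list of findings."""
    findings = []
    for entry in config.get("resources", []):
        label = ",".join(entry.get("resources", []))
        providers = entry.get("providers", [])
        if not providers:
            findings.append("%s: no providers listed" % label)
            continue
        # The first provider encrypts new writes; identity first means plaintext.
        if "identity" in providers[0]:
            findings.append("%s: first provider is identity, new objects are written unencrypted" % label)
        for prov in providers:
            for name, body in prov.items():
                if name not in KEY_LENGTHS:
                    continue
                for key in (body or {}).get("keys", []):
                    problem = check_key(name, key.get("secret", ""))
                    if problem:
                        findings.append("%s: key %s: %s" % (label, key.get("name"), problem))
    return findings


def new_key_b64(length=32):
    """Generate a fresh random key in the base64 form the config expects."""
    return base64.b64encode(secrets.token_bytes(length)).decode("ascii")


# Constructed sample mirroring section 2.2 ("c2VjcmV0IGtleQ==" is the 10-byte string "secret key").
SAMPLE_CONFIG = {
    "apiVersion": "apiserver.config.k8s.io/v1",
    "kind": "EncryptionConfiguration",
    "resources": [{
        "resources": ["secrets"],
        "providers": [
            {"aescbc": {"keys": [{"name": "key1", "secret": "c2VjcmV0IGtleQ=="}]}},
            {"identity": {}},
        ],
    }],
}

if __name__ == "__main__":
    for finding in check_encryption_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("replacement key:", new_key_b64())
```

Run it before applying the file to the API server; a key of the wrong length makes kube-apiserver refuse to start, which on a single control-plane node is an outage rather than a warning.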
## 3. Pod Security Policies

### 3.1 Pod Security Standards

Applying the Pod Security Standards:

```yaml
# PodSecurityPolicy exists only up to Kubernetes v1.24 (API policy/v1beta1);
# from v1.25 the Pod Security Admission "restricted" profile enforces the same rules.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
  annotations:
    apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
    seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
```

### 3.2 Pod Security Context Configuration

Pod security context:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  containers:
    - name: app
      image: nginx:1.21
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
        readOnlyRootFilesystem: true
```

## 4. Network Security

### 4.1 Network Policy Configuration

Network policies:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: default
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-app-ingress
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: my-app
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
```

### 4.2 TLS Encryption Configuration

Ingress TLS:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
  namespace: default
spec:
  tls:
    - hosts:
        - example.com
      secretName: tls-secret
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-app
                port:
                  number: 80
```

Create the TLS Secret:

```bash
# Create a TLS key and self-signed certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout tls.key \
  -out tls.crt \
  -subj "/CN=example.com/O=Example Org"

# Create the Kubernetes Secret
kubectl create secret tls tls-secret \
  --key tls.key \
  --cert tls.crt
```
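Sections 3.1 and 3.2 describe the restricted profile as a list of settings; the check below is an added example (not code from the original article) that evaluates a Pod manifest against those settings the way an admission controller or a CI pre-flight step would. It assumes manifests are already parsed into dicts (the shape `yaml.safe_load` returns); `SECURE_POD` is the manifest from section 3.2 and `INSECURE_POD` is a constructed counter-example. The `ephemeral` volume type is added to the section's list because the Pod Security Admission restricted profile also allows it.

```python
# Volume types permitted by the restricted profile.
ALLOWED_VOLUME_TYPES = {
    "configMap", "emptyDir", "projected", "secret",
    "downwardAPI", "persistentVolumeClaim", "ephemeral",
}


def check_pod(pod):
    """Return a list of findings; an empty list means the Pod meets the profile."""
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    findings = []

    # Host namespaces expose the node's network, processes and IPC to the Pod.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            findings.append("%s: %s is enabled" % (name, field))

    # A volume entry is {"name": ..., "<type>": {...}}; every key but "name" is the type.
    for vol in spec.get("volumes") or []:
        for vtype in (k for k in vol if k != "name"):
            if vtype not in ALLOWED_VOLUME_TYPES:
                findings.append("%s: volume %s uses disallowed type %s" % (name, vol.get("name"), vtype))

    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    for c in containers:
        cname = "%s/%s" % (name, c.get("name"))
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append("%s: privileged container" % cname)
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append("%s: allowPrivilegeEscalation must be set to false" % cname)
        drops = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in drops:
            findings.append("%s: capabilities.drop must include ALL" % cname)
        # Container-level settings override the Pod-level securityContext.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if run_as_user == 0 or (run_as_non_root is not True and run_as_user is None):
            findings.append("%s: must run as non-root (runAsNonRoot: true or a non-zero runAsUser)" % cname)
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append("%s: readOnlyRootFilesystem should be true" % cname)
    return findings


# The Pod from section 3.2, as a dict.
SECURE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "secure-pod"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "runAsGroup": 3000, "fsGroup": 2000},
        "containers": [{
            "name": "app", "image": "nginx:1.21",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
                "readOnlyRootFilesystem": True,
            },
        }],
    },
}

# Constructed counter-example: a typical "debug" Pod that violates every rule.
INSECURE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug-pod"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
        "containers": [{"name": "shell", "image": "busybox:1.36",
                        "securityContext": {"privileged": True}}],
    },
}

if __name__ == "__main__":
    for pod in (SECURE_POD, INSECURE_POD):
        print(pod["metadata"]["name"], check_pod(pod) or "OK")
```

The same rules are what the `restricted` Pod Security Admission level enforces at the namespace boundary, so a manifest that passes this check is also what you want a `pod-security.kubernetes.io/enforce: restricted` namespace to admit.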
## 5. Authentication and Authorization

### 5.1 RBAC Configuration

Create an RBAC role:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-reader
  namespace: default
rules:
  - apiGroups: [""]   # "" is the core API group
    resources: ["pods", "services", "configmaps"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-reader-binding
  namespace: default
subjects:
  - kind: ServiceAccount
    name: app-service-account
    namespace: default
roleRef:
  kind: Role
  name: app-reader
  apiGroup: rbac.authorization.k8s.io
```

### 5.2 Service Accounts

Create a service account:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-service-account
  namespace: default
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      serviceAccountName: app-service-account
      containers:
        - name: app
          image: nginx:1.21
          ports:
            - containerPort: 80
```

### 5.3 Cluster Roles

Create a cluster role:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reader
rules:
  - apiGroups: [""]
    resources: ["nodes", "namespaces"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-reader-binding
subjects:
  - kind: User
    name: admin
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-reader
  apiGroup: rbac.authorization.k8s.io
```
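Section 5 shows narrow roles; the failure mode in practice is the opposite, roles and bindings that quietly grant far more than intended. The audit below is an added example (not code from the original article) that flags the patterns a reviewer looks for: wildcard rules, the `escalate`/`bind`/`impersonate` verbs, access to Secrets and to RBAC objects themselves, and bindings to anonymous or all-authenticated groups or to `cluster-admin`. Manifests are assumed to be parsed into dicts; `PAGE_OBJECTS` are the four objects from sections 5.1 and 5.3, and `RISKY_OBJECTS` are constructed counter-examples.

```python
DANGEROUS_VERBS = {"*", "escalate", "bind", "impersonate"}
# Access to these resources is effectively privilege over the cluster.
SENSITIVE_RESOURCES = {
    "secrets", "roles", "rolebindings", "clusterroles", "clusterrolebindings",
    "pods/exec", "pods/attach", "nodes/proxy", "serviceaccounts/token",
}
RISKY_SUBJECTS = {"system:anonymous", "system:unauthenticated", "system:authenticated"}


def audit_role(obj):
    """Findings for a Role or ClusterRole."""
    ident = "%s/%s" % (obj.get("kind"), obj.get("metadata", {}).get("name"))
    findings = []
    for rule in obj.get("rules") or []:
        groups = rule.get("apiGroups") or []
        resources = set(rule.get("resources") or [])
        verbs = set(rule.get("verbs") or [])
        if "*" in groups or "*" in resources:
            findings.append("%s: wildcard apiGroups or resources" % ident)
        if verbs & DANGEROUS_VERBS:
            findings.append("%s: dangerous verbs %s" % (ident, sorted(verbs & DANGEROUS_VERBS)))
        hot = resources & SENSITIVE_RESOURCES
        if hot:
            findings.append("%s: grants %s on sensitive resources %s" % (ident, sorted(verbs), sorted(hot)))
    return findings


def audit_binding(obj):
    """Findings for a RoleBinding or ClusterRoleBinding."""
    ident = "%s/%s" % (obj.get("kind"), obj.get("metadata", {}).get("name"))
    findings = []
    for subj in obj.get("subjects") or []:
        if subj.get("kind") in ("User", "Group") and subj.get("name") in RISKY_SUBJECTS:
            findings.append("%s: binds to %s %s" % (ident, subj.get("kind"), subj.get("name")))
    ref = obj.get("roleRef") or {}
    if obj.get("kind") == "ClusterRoleBinding" and ref.get("name") == "cluster-admin":
        findings.append("%s: grants cluster-admin cluster-wide" % ident)
    return findings


def audit_rbac(objects):
    """Run both audits over a list of parsed RBAC manifests."""
    findings = []
    for obj in objects:
        kind = obj.get("kind")
        if kind in ("Role", "ClusterRole"):
            findings += audit_role(obj)
        elif kind in ("RoleBinding", "ClusterRoleBinding"):
            findings += audit_binding(obj)
    return findings


# The objects from sections 5.1 and 5.3.
PAGE_OBJECTS = [
    {"kind": "Role", "metadata": {"name": "app-reader", "namespace": "default"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "services", "configmaps"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "app-reader-binding", "namespace": "default"},
     "subjects": [{"kind": "ServiceAccount", "name": "app-service-account", "namespace": "default"}],
     "roleRef": {"kind": "Role", "name": "app-reader", "apiGroup": "rbac.authorization.k8s.io"}},
    {"kind": "ClusterRole", "metadata": {"name": "cluster-reader"},
     "rules": [{"apiGroups": [""], "resources": ["nodes", "namespaces"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-reader-binding"},
     "subjects": [{"kind": "User", "name": "admin", "apiGroup": "rbac.authorization.k8s.io"}],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-reader", "apiGroup": "rbac.authorization.k8s.io"}},
]

# Constructed counter-examples.
RISKY_OBJECTS = [
    {"kind": "ClusterRole", "metadata": {"name": "everything"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "anonymous-admin"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated", "apiGroup": "rbac.authorization.k8s.io"}],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin", "apiGroup": "rbac.authorization.k8s.io"}},
]

if __name__ == "__main__":
    for finding in audit_rbac(PAGE_OBJECTS + RISKY_OBJECTS):
        print("FINDING:", finding)
```

Feed it the output of `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` (the `items` list) to review a live cluster; the objects in section 5 produce no findings, the constructed ones produce four.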
## 6. Security Monitoring and Auditing

### 6.1 Audit Log Configuration

Audit policy:

```yaml
# audit-policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
# Rules are evaluated in order and the first match wins, so the Secret rule
# must come before any broader rule that would also match secrets.
rules:
  # Record who accessed a Secret, but never its body: RequestResponse on
  # secrets would copy secret contents into the audit log.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets"]
  - level: RequestResponse
    resources:
      - group: ""
        resources: ["pods", "services"]
  - level: None
    resources:
      - group: ""
        resources: ["events"]
```

Configure the API server to use the audit policy:

```yaml
# kube-apiserver.yaml
apiServer:
  extraArgs:
    audit-log-path: /var/log/kubernetes/audit.log
    audit-policy-file: /etc/kubernetes/audit-policy.yaml
    audit-log-maxage: "30"
    audit-log-maxbackup: "10"
    audit-log-maxsize: "100"
```

### 6.2 Security Monitoring

Deploy Falco for runtime security monitoring:

```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: falco
  namespace: falco
spec:
  selector:
    matchLabels:
      app: falco
  template:
    metadata:
      labels:
        app: falco
    spec:
      containers:
        - name: falco
          image: falcosecurity/falco:latest
          securityContext:
            privileged: true   # Falco needs host access to load its kernel driver
          volumeMounts:
            - name: dev
              mountPath: /host/dev
            - name: proc
              mountPath: /host/proc
            - name: sys
              mountPath: /host/sys
            - name: falco-config
              mountPath: /etc/falco
      volumes:
        - name: dev
          hostPath:
            path: /dev
        - name: proc
          hostPath:
            path: /proc
        - name: sys
          hostPath:
            path: /sys
        - name: falco-config
          configMap:
            name: falco-config
```

### 6.3 Security Scanning

Scan images with Trivy:

```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: image-scan
  namespace: security
spec:
  template:
    spec:
      containers:
        - name: trivy
          image: aquasec/trivy:latest
          command:
            - trivy
            - image
            - --severity
            - HIGH,CRITICAL
            - your-registry/app:latest
      restartPolicy: Never
```

## 7. Compliance Requirements and Practices

### 7.1 CIS Kubernetes Benchmark

CIS compliance checks:

```bash
# Install kubesec
curl -s https://raw.githubusercontent.com/controlplaneio/kubesec/master/get.sh | bash

# Scan a Deployment manifest
kubesec scan deployment.yaml

# Install kube-bench
curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.6.11/kube-bench_0.6.11_linux_amd64.tar.gz | tar -xz

# Run the CIS benchmark checks
./kube-bench
```

### 7.2 GDPR Compliance

Data protection measures:

- Data minimization: collect only the data that is actually needed
- Data encryption: encrypt data in transit and at rest
- Access control: strict RBAC configuration
- Data deletion: implement data lifecycle management
- Audit logging: record all data access

### 7.3 PCI DSS Compliance

PCI DSS requirements:

- Network isolation: use network policies to isolate payment processing systems
- Access control: apply the principle of least privilege
- Data encryption: encrypt payment data in transit
- Security monitoring: monitor for anomalous activity in real time
- Vulnerability management: scan for vulnerabilities regularly
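The audit policy in section 6.1 only produces a log; the value comes from what is looked for in it. The analyzer below is an added example (not code from the original article) that reads `audit.k8s.io/v1` events in JSON-lines form and raises three kinds of alert: a successful request by `system:anonymous` (which `anonymous-auth: "false"` in section 2.1 should make impossible), a Secret read by an identity outside an allow-list, and a burst of 403 responses from one identity. The allow-list, the threshold and the sample events (built by the `_event` helper) are constructed for this example.

```python
import json
from collections import Counter

# Identities expected to read Secrets as part of normal control-plane work (assumed list).
ALLOWED_SECRET_READERS = {
    "system:kube-controller-manager",
    "system:serviceaccount:kube-system:generic-garbage-collector",
}
FORBIDDEN_THRESHOLD = 3  # 403s per identity before we call it probing


def analyze_audit_log(text):
    """Return (alert_type, username, detail) tuples for a JSON-lines audit log."""
    alerts = []
    forbidden = Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # Each request is logged at several stages; only ResponseComplete carries the status code.
        if ev.get("stage") != "ResponseComplete":
            continue
        user = (ev.get("user") or {}).get("username", "")
        verb = ev.get("verb")
        ref = ev.get("objectRef") or {}
        code = (ev.get("responseStatus") or {}).get("code", 0)
        uri = ev.get("requestURI", "")

        if user == "system:anonymous" and code < 400:
            alerts.append(("anonymous-access", user, "%s %s -> %d" % (verb, uri, code)))
        if (ref.get("resource") == "secrets" and verb in ("get", "list", "watch")
                and code < 400 and user not in ALLOWED_SECRET_READERS):
            alerts.append(("secret-read", user, "%s secrets in namespace %s" % (verb, ref.get("namespace"))))
        if code == 403:
            forbidden[user] += 1

    for user, count in forbidden.items():
        if count >= FORBIDDEN_THRESHOLD:
            alerts.append(("forbidden-burst", user, "%d forbidden requests" % count))
    return alerts


def _event(user, verb, uri, code, resource=None, namespace=None, stage="ResponseComplete"):
    """Build one constructed Metadata-level audit event line."""
    ev = {
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
        "stage": stage, "verb": verb, "requestURI": uri,
        "user": {"username": user}, "sourceIPs": ["10.0.0.5"],
        "responseStatus": {"code": code},
    }
    if resource:
        ev["objectRef"] = {"resource": resource, "namespace": namespace, "apiVersion": "v1"}
    return json.dumps(ev)


# Constructed sample log: one benign line, one partial stage, and three problems.
SAMPLE_LOG = "\n".join([
    _event("system:kube-controller-manager", "get",
           "/api/v1/namespaces/kube-system/secrets/token", 200, "secrets", "kube-system"),
    _event("system:serviceaccount:default:app-service-account", "list",
           "/api/v1/namespaces/default/secrets", 200, "secrets", "default", stage="RequestReceived"),
    _event("system:serviceaccount:default:app-service-account", "list",
           "/api/v1/namespaces/default/secrets", 200, "secrets", "default"),
    _event("system:anonymous", "get", "/api/v1/namespaces", 200, "namespaces"),
    _event("dev-user", "get", "/api/v1/nodes", 403, "nodes"),
    _event("dev-user", "list", "/api/v1/namespaces/kube-system/pods", 403, "pods", "kube-system"),
    _event("dev-user", "get", "/api/v1/namespaces/default/secrets/app-secret", 403, "secrets", "default"),
])

if __name__ == "__main__":
    for alert in analyze_audit_log(SAMPLE_LOG):
        print("ALERT:", *alert)
```

Because the policy above records Secrets at `Metadata` level, the `objectRef` and `user` fields are all the detector needs; the secret body never has to be in the log for this detection to work.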
## 8. Secret Management

### 8.1 Using Secrets

Create and use a Secret:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: app-secret
  namespace: default
type: Opaque
data:
  # values are base64-encoded (not encrypted); see section 2.2 for encryption at rest
  username: YWRtaW4=
  password: cGFzc3dvcmQ=
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  namespace: default
spec:
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: app
          image: nginx:1.21
          env:
            - name: USERNAME
              valueFrom:
                secretKeyRef:
                  name: app-secret
                  key: username
            - name: PASSWORD
              valueFrom:
                secretKeyRef:
                  name: app-secret
                  key: password
```

### 8.2 Using an External Secret Management System

Integrating HashiCorp Vault:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vault-agent
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: vault-agent
  template:
    metadata:
      labels:
        app: vault-agent
    spec:
      containers:
        - name: vault-agent
          image: hashicorp/vault:latest
          command:
            - vault
            - agent
            - -config=/etc/vault/config.hcl
          volumeMounts:
            - name: vault-config
              mountPath: /etc/vault
      volumes:
        - name: vault-config
          configMap:
            name: vault-config
```

Vault configuration:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: vault-config
  namespace: default
data:
  config.hcl: |
    exit_after_auth = true
    pid_file = "/home/vault/pidfile"

    auto_auth {
      method "kubernetes" {
        mount_path = "auth/kubernetes"
        config = {
          role = "app-role"
        }
      }
    }

    template {
      destination = "/etc/secrets/config.json"
      contents = <<EOT
    {
      "database": {
        "username": "{{ with secret "database/creds/app" }}{{ .Data.username }}{{ end }}",
        "password": "{{ with secret "database/creds/app" }}{{ .Data.password }}{{ end }}"
      }
    }
    EOT
    }
```

## 9. Common Security Problems and Solutions

| Problem | Cause | Solution |
|---|---|---|
| Privileged containers | Containers run as root | Run as a non-root user, disable privileged mode |
| Insecure images | Base image contains vulnerabilities | Use official images, scan images regularly |
| Network exposure | Services exposed to the public internet | Restrict access with network policies |
| Sensitive data leakage | Hard-coded credentials | Keep sensitive data in Secrets |
| Excessive permissions | Service accounts with too many rights | Apply least privilege, use RBAC |
| Missing audit trail | No security auditing | Enable audit logging, configure monitoring |

## 10. Security Best Practices

### 10.1 Cluster Security Best Practices

- Regular updates: keep the Kubernetes version and components up to date
- Minimize the attack surface: disable unnecessary services and ports
- Network isolation: isolate workloads with network policies
- Encrypted communication: enable TLS for all communication
- Secure configuration: follow the CIS benchmark

### 10.2 Application Security Best Practices

- Use trusted base images: choose minimal, security-scanned images
- Container hardening: disable privileges, restrict capabilities, use a read-only filesystem
- Application security: validate input, prevent injection attacks
- Dependency management: update dependencies regularly, scan for vulnerabilities
- Security testing: perform penetration tests and security audits

### 10.3 Continuous Security

- Security scanning: integrate image scanning into the CI/CD pipeline
- Runtime monitoring: deploy runtime security tools such as Falco
- Security auditing: perform security audits and compliance checks regularly
- Incident response: establish a security incident response process
- Security training: train development and operations staff in security
## 11. Practical Cases

### 11.1 Secure Multi-Tenant Cluster Configuration

Tenant isolation:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tenant-isolation
  namespace: tenant-a
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              tenant: tenant-a
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              tenant: tenant-a
        - namespaceSelector:
            matchLabels:
              name: kube-system
```

### 11.2 Secure CI/CD Pipeline

Integrating security scanning:

```yaml
# .gitlab-ci.yml
stages:
  - build
  - test
  - security
  - deploy

security-scan:
  stage: security
  image: aquasec/trivy:latest
  script:
    # write the JSON report collected below and fail the stage on findings
    - trivy image --severity HIGH,CRITICAL --exit-code 1 --format json --output trivy-results.json $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA
  artifacts:
    paths:
      - trivy-results.json
    when: always
```

## 12. Summary

Kubernetes security and compliance best practices need to cover the following:

- Layered security: end-to-end protection from the cluster down to the application
- Least privilege: strict RBAC and Pod security policies
- Network security: protect communication with network policies and TLS
- Secret management: handle sensitive data and keys securely
- Monitoring and auditing: monitor and audit security events in real time
- Compliance requirements: meet standards such as CIS, GDPR and PCI DSS
- Continuous improvement: regular security assessments and updates

With these practices you can build a secure, compliant Kubernetes environment that protects applications and data while meeting the various compliance requirements.
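Network policies in sections 4.1 and 11.1 are additive and selector-based, and it is easy to misjudge what a given combination allows. The evaluator below is an added example (not code from the original article) that implements the ingress semantics the way the Kubernetes model defines them: a Pod is isolated only if some policy selects it, a `podSelector` peer alone matches Pods in the policy's own namespace, a `namespaceSelector` peer matches Pods in matching namespaces, and an empty `from` or `ports` list matches everything. The three policies are the ones from the page, parsed into dicts; the Pod descriptions (`namespace`, `labels`, and the labels of the Pod's namespace as `ns_labels`) are constructed, and `ipBlock` peers are deliberately out of scope.

```python
def selects(selector, labels):
    """A selector with no matchLabels ({}) matches everything; otherwise every label must match."""
    wanted = (selector or {}).get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_matches(peer, policy_ns, src):
    """Does one `from` peer match the source Pod? src = {namespace, labels, ns_labels}."""
    if "ipBlock" in peer:
        return False  # IP-based peers are not handled in this example
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is None:
        # podSelector on its own only reaches Pods in the policy's own namespace
        if src["namespace"] != policy_ns:
            return False
    elif not selects(ns_sel, src["ns_labels"]):
        return False
    if pod_sel is not None and not selects(pod_sel, src["labels"]):
        return False
    return True


def ingress_allowed(policies, dst, src, port, protocol="TCP"):
    """True if traffic from src to dst on port/protocol is allowed by the policies."""
    applicable = []
    for p in policies:
        spec = p.get("spec") or {}
        types = spec.get("policyTypes") or ["Ingress"]
        if (p["metadata"]["namespace"] == dst["namespace"] and "Ingress" in types
                and selects(spec.get("podSelector"), dst["labels"])):
            applicable.append(p)
    if not applicable:
        return True  # no policy selects the Pod, so it is not isolated for ingress
    for p in applicable:
        for rule in (p.get("spec") or {}).get("ingress") or []:
            peers = rule.get("from") or []
            ports = rule.get("ports") or []
            peer_ok = not peers or any(peer_matches(x, p["metadata"]["namespace"], src) for x in peers)
            port_ok = not ports or any(
                pp.get("port") == port and pp.get("protocol", "TCP") == protocol for pp in ports)
            if peer_ok and port_ok:
                return True
    return False  # selected by at least one policy, but no rule admitted the traffic


# The three policies from sections 4.1 and 11.1.
DEFAULT_DENY = {"metadata": {"name": "default-deny", "namespace": "default"},
                "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
ALLOW_APP_INGRESS = {"metadata": {"name": "allow-app-ingress", "namespace": "default"},
                     "spec": {"podSelector": {"matchLabels": {"app": "my-app"}},
                              "policyTypes": ["Ingress"],
                              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                                           "ports": [{"protocol": "TCP", "port": 8080}]}]}}
TENANT_ISOLATION = {"metadata": {"name": "tenant-isolation", "namespace": "tenant-a"},
                    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"],
                             "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"tenant": "tenant-a"}}}]}],
                             "egress": [{"to": [{"namespaceSelector": {"matchLabels": {"tenant": "tenant-a"}}},
                                                {"namespaceSelector": {"matchLabels": {"name": "kube-system"}}}]}]}}
POLICIES = [DEFAULT_DENY, ALLOW_APP_INGRESS, TENANT_ISOLATION]

# Constructed Pods.
MY_APP = {"namespace": "default", "labels": {"app": "my-app"}, "ns_labels": {}}
FRONTEND = {"namespace": "default", "labels": {"app": "frontend"}, "ns_labels": {}}
BATCH = {"namespace": "default", "labels": {"app": "batch"}, "ns_labels": {}}
TENANT_A_API = {"namespace": "tenant-a", "labels": {"app": "api"}, "ns_labels": {"tenant": "tenant-a"}}
TENANT_A_WEB = {"namespace": "tenant-a", "labels": {"app": "web"}, "ns_labels": {"tenant": "tenant-a"}}
TENANT_B_WEB = {"namespace": "tenant-b", "labels": {"app": "web"}, "ns_labels": {"tenant": "tenant-b"}}
SANDBOX = {"namespace": "sandbox", "labels": {"app": "x"}, "ns_labels": {}}

if __name__ == "__main__":
    print("frontend -> my-app:8080", ingress_allowed(POLICIES, MY_APP, FRONTEND, 8080))
    print("frontend -> my-app:443 ", ingress_allowed(POLICIES, MY_APP, FRONTEND, 443))
    print("tenant-b -> tenant-a   ", ingress_allowed(POLICIES, TENANT_A_API, TENANT_B_WEB, 80))
```

Two results are worth noticing: the `batch` Pod in `default` is unreachable from everyone because `default-deny` selects it and nothing re-opens it, while a Pod in the `sandbox` namespace with no policies at all accepts traffic from anywhere, which is why a default-deny policy per namespace is the first thing to deploy.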
