# Kubernetes Cloud-Native Security Best Practices: Building a Secure Container Environment
## 1. Cloud-Native Security Overview

Cloud-native security spans several layers, including container image security, runtime security, network security and data security, and is the key to keeping a Kubernetes cluster secure.

### 1.1 Security Architecture

```
┌─────────────────────────────────────────────────────────────────────┐
│                        Cloud Native Security                        │
│                                                                     │
│  ┌──────────────────┐ ┌──────────────────┐ ┌──────────────────┐     │
│  │ Image security   │ │ Runtime security │ │ Network security │     │
│  │ - image scanning │ │ - runtime policy │ │ - network policy │     │
│  └────────┬─────────┘ └────────┬─────────┘ └────────┬─────────┘     │
│           │                    │                    │               │
│           ▼                    ▼                    ▼               │
│  ┌───────────────────────────────────────────────────────────────┐  │
│  │                      Data security layer                      │  │
│  │ - Secret management - data encryption - access control - audit│  │
│  └───────────────────────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────────────────────┘
```

### 1.2 Security Threat Matrix

| Threat type | Risk level | Countermeasures |
|---|---|---|
| Image vulnerabilities | High | Image scanning, signature verification |
| Misconfiguration | High | Configuration auditing, policy checks |
| Network attacks | Medium | NetworkPolicy, mTLS |
| Data leakage | High | Encrypted storage, access control |
| Privilege abuse | Medium | RBAC, least privilege |

## 2. Image Security

### 2.1 Image Scan Configuration

```yaml
# Tanzu Supply Chain Security Tools scan resource: scans one image with the named template
apiVersion: scanning.apps.tanzu.vmware.com/v1beta1
kind: ImageScan
metadata:
  name: my-app-scan
spec:
  registry:
    image: harbor.example.com/my-app:latest
  scanTemplate: trivy-scan-template
```

### 2.2 Image Signature Verification

```yaml
# Sigstore policy-controller CRD: the policy is cluster-scoped and is called
# ClusterImagePolicy in the policy.sigstore.dev API group
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: signed-images
spec:
  images:
    - glob: harbor.example.com/*        # every image pulled from this registry must be signed
  authorities:
    - key:
        data: |
          -----BEGIN PUBLIC KEY-----
          base64-encoded-public-key     # placeholder: the cosign public key that signed the images
          -----END PUBLIC KEY-----
```

### 2.3 Image Cleanup Policy

Image cleanup is a node-level operation; kubectl has no `image prune` subcommand.

```bash
# Remove all unused images on a Docker node
docker image prune --all

# Remove dangling images older than 24 hours
docker image prune --filter "until=24h"

# On containerd nodes, remove all unused images with crictl
crictl rmi --prune
```

## 3. Runtime Security

### 3.1 Pod Security Standards

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: secure-namespace
  labels:
    # enforce rejects non-compliant pods; audit and warn only record and report them
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
```

### 3.2 Security Context

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:               # pod-level settings, inherited by every container
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 2000
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: my-app:latest
      securityContext:           # container-level settings
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - ALL
```

### 3.3 AppArmor Configuration

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: apparmor-pod
  annotations:
    # beta annotation form: container.apparmor.security.beta.kubernetes.io/<container-name>
    container.apparmor.security.beta.kubernetes.io/app: runtime/default
spec:
  containers:
    - name: app
      image: my-app:latest
```

## 4. Network Security

### 4.1 NetworkPolicy Configuration

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
spec:
  podSelector: {}      # empty selector: applies to every pod in the namespace
  policyTypes:
    - Ingress
  ingress: []          # no ingress rules: all inbound traffic is denied
```

### 4.2 mTLS Configuration

```yaml
# Istio PeerAuthentication; placed in the root namespace (istio-system) it applies
# mesh-wide, in any other namespace only to that namespace
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
spec:
  mtls:
    mode: STRICT       # reject plaintext traffic between workloads
```

### 4.3 Ingress Security Configuration

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: secure-ingress
  annotations:
    # ingress-nginx annotation values must be strings
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/hsts: "true"
    nginx.ingress.kubernetes.io/hsts-max-age: "31536000"
spec:
  tls:
    - hosts:
        - example.com
      secretName: example-tls
  rules:               # an Ingress needs rules or a defaultBackend to be valid
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-app     # backend Service name (assumed; not given in the article)
                port:
                  number: 80
```

## 5. Data Security

### 5.1 Secret Management

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: db-secret
type: Opaque
data:
  # values under data must be base64-encoded (placeholders shown here)
  username: base64-encoded-username
  password: base64-encoded-password
```

### 5.2 ExternalSecret Configuration

```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: external-db-secret
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: db-secret            # Kubernetes Secret that the operator creates and refreshes
  data:
    - secretKey: username
      remoteRef:
        key: secret/data/db
        property: username
    - secretKey: password
      remoteRef:
        key: secret/data/db
        property: password
```

### 5.3 Data Encryption Configuration

```yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: encrypted-storage
provisioner: ebs.csi.aws.com   # AWS EBS CSI driver, successor of the in-tree kubernetes.io/aws-ebs plugin
parameters:
  type: gp3
  encrypted: "true"            # StorageClass parameters are strings
reclaimPolicy: Delete
```

## 6. Permission Management

### 6.1 RBAC Configuration

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: minimal-role
rules:
  - apiGroups: [""]            # "" is the core API group, where pods live
    resources: ["pods"]
    verbs: ["get", "list"]
```

### 6.2 ServiceAccount Configuration

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: restricted-sa
automountServiceAccountToken: false   # pods using this account get no API token unless they ask for one
```

### 6.3 Permission Auditing

```bash
# Check whether a given user may perform an action
kubectl auth can-i delete nodes --as <user>

# List all ClusterRoleBindings
kubectl get clusterrolebindings

# Show the details of a role
kubectl describe clusterrole cluster-admin
```

## 7. Security Auditing and Monitoring

### 7.1 Audit Log Configuration

```yaml
# The policy file is passed to kube-apiserver with --audit-policy-file;
# keeping it in a ConfigMap only keeps it under version control
apiVersion: v1
kind: ConfigMap
metadata:
  name: audit-config
data:
  audit.yaml: |
    apiVersion: audit.k8s.io/v1
    kind: Policy
    rules:
      # Metadata records who accessed which Secret without writing the Secret's
      # contents into the audit log, which the RequestResponse level would do
      - level: Metadata
        resources:
          - group: ""
            resources: ["secrets"]
```
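The audit policy above records who touched which Secret. The script below, an added example that is not part of the original article, shows how those Metadata-level events can be turned into the kind of alerts the next section configures: it scans a JSON-lines audit log and flags Secret reads by subjects outside an allowlist, and any attempt to delete a node (the permission checked in section 6.3). The sample events, the allowlisted External Secrets Operator service-account name and the alert format are constructed assumptions.

```python
import json
from typing import Optional

# Subjects expected to read Secrets (assumption: the External Secrets Operator's service account).
ALLOWED_SECRET_READERS = {"system:serviceaccount:external-secrets:external-secrets"}
SECRET_READ_VERBS = {"get", "list", "watch"}
NODE_DESTRUCTIVE_VERBS = {"delete", "deletecollection"}

def classify_event(event: dict) -> Optional[str]:
    """Return an alert line for a suspicious audit.k8s.io/v1 Event, or None for a benign one."""
    user = event.get("user", {}).get("username", "<unknown>")
    verb, ref = event.get("verb", ""), event.get("objectRef", {})
    resource = ref.get("resource", "")
    # Namespaced objects as ns/name; list and watch requests carry no object name.
    target = f"{ref.get('namespace', '')}/{ref.get('name', '*')}".strip("/")
    code = event.get("responseStatus", {}).get("code", "?")
    detail = f"{user} {verb} {resource} {target} (HTTP {code})"
    # Metadata-level events carry everything needed; the Secret's body is never required.
    if resource == "secrets" and verb in SECRET_READ_VERBS and user not in ALLOWED_SECRET_READERS:
        return "secret-read: " + detail
    if resource == "nodes" and verb in NODE_DESTRUCTIVE_VERBS:
        return "node-delete: " + detail  # alert on the attempt even when the API server denied it (403)
    return None

def scan_audit_log(lines) -> list:
    """Run classify_event over JSON-lines audit output, skipping blank or malformed lines."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line) if line.strip() else None
        except json.JSONDecodeError:
            event = None  # a corrupt line must not stop the scan
        alert = classify_event(event) if event else None
        if alert:
            alerts.append(alert)
    return alerts

# Constructed sample events (not captured from a real cluster); the last line is deliberately corrupt.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","verb":"get","user":{"username":"system:serviceaccount:external-secrets:external-secrets"},"objectRef":{"resource":"secrets","namespace":"prod","name":"db-secret"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","verb":"list","user":{"username":"alice"},"objectRef":{"resource":"secrets","namespace":"prod"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","verb":"delete","user":{"username":"bob"},"objectRef":{"resource":"nodes","name":"worker-1"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","verb":"cre
"""

if __name__ == "__main__":
    for alert in scan_audit_log(SAMPLE_AUDIT_LOG.splitlines()):
        print(alert)
```

Feeding the script the API server's audit log file (or a stream from the webhook backend) instead of the constructed sample gives the same two classes of alert.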
### 7.2 Security Alert Configuration

```yaml
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: security-alerts
spec:
  groups:
    - name: security.rules
      rules:
        - alert: PodSecurityViolation
          # metric name as given in the article; substitute the one your admission controller exports
          expr: kube_pod_security_policy_violations_total > 0
          for: 1m
          labels:
            severity: critical
          annotations:
            summary: Pod security policy violation detected
```

## 8. Security Best Practices

### 8.1 Principle of Least Privilege

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: least-privilege
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "update"]   # no create, delete or list: only what the workload needs
```

### 8.2 Regular Security Scanning

```bash
# Run a vulnerability scan against an image
trivy image harbor.example.com/my-app:latest

# Check the cluster configuration against the CIS Kubernetes Benchmark
kube-bench run
```

### 8.3 Security Patch Management

```bash
# Update the image of the deployment (<container-name>=<new-image>)
kubectl set image deployment/my-app my-app=my-app:v2.0

# Wait for the rolling update to complete
kubectl rollout status deployment/my-app
```

## 9. Summary

Key points of cloud-native security practice:

- Image security: scan for vulnerabilities, verify signatures, clean up redundant images
- Runtime security: configure Pod Security Standards and Security Context
- Network security: configure NetworkPolicy and mTLS
- Data security: encrypt storage, use external Secret management
- Permission management: configure RBAC following the principle of least privilege
- Security auditing: enable audit logs and configure security alerts

It is recommended to build a comprehensive security system and carry out security assessments and vulnerability scans regularly.

## References

- Pod Security Standards
- Trivy documentation
- External Secrets Operator