Kubernetes Security Policies Skill: k8s-security-policies

This skill implements security policies for Kubernetes clusters, including network policies, Pod Security Standards and role-based access control (RBAC), to achieve production-grade security. It applies to network isolation, Pod Security Standards configuration and least-privilege access management. Keywords: Kubernetes security policies, network isolation, Pod security, RBAC, cloud-native security.

Docker/K8s · 0 installs · 0 views · Updated 3/16/2026

name: k8s-security-policies
description: Implement Kubernetes security policies, including NetworkPolicy, PodSecurityPolicy and RBAC, for production-grade security. Use when securing a Kubernetes cluster, implementing network isolation, or enforcing Pod Security Standards.

Kubernetes Security Policies

A comprehensive guide to implementing network policies, Pod security policies, RBAC and Pod Security Standards in Kubernetes.

Purpose

Implement defense-in-depth security for Kubernetes clusters using network policies, Pod Security Standards and RBAC.

When to Use This Skill

  • Implementing network segmentation
  • Configuring Pod Security Standards
  • Setting up least-privilege RBAC
  • Creating security policies for compliance
  • Implementing admission control
  • Securing multi-tenant clusters

Pod Security Standards

1. Privileged (unrestricted)

apiVersion: v1
kind: Namespace
metadata:
  name: privileged-ns
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/warn: privileged

2. Baseline (minimally restrictive)

apiVersion: v1
kind: Namespace
metadata:
  name: baseline-ns
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/audit: baseline
    pod-security.kubernetes.io/warn: baseline

3. Restricted (most restrictive)

apiVersion: v1
kind: Namespace
metadata:
  name: restricted-ns
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted

Network Policies

Default Deny All

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

Allow Frontend to Backend

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080

Allow DNS

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          # kube-system carries this label automatically (Kubernetes 1.21+);
          # a plain "name: kube-system" label only matches if someone added it by hand,
          # otherwise this rule silently matches nothing and DNS stays blocked.
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53
    # CoreDNS also serves over TCP (large or truncated responses), so allow it too.
    - protocol: TCP
      port: 53

Reference: assets/network-policy-template.yaml
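The semantics behind the policies above, as an added Python example that is not part of this skill: a pod becomes isolated for ingress as soon as any policy selects it, and from then on only traffic matched by some rule of some selecting policy gets through, so default-deny-all and allow-frontend-to-backend compose additively. The policies, pods and labels are constructed copies of the manifests above; only matchLabels selectors and protocol/port rules are modelled.

```python
# Added example (not from this page): a minimal evaluator of the ingress side of the
# NetworkPolicy model, run against constructed copies of the two ingress policies above.
# matchExpressions, ipBlock, named ports and endPort are out of scope.

def selects(selector, labels):
    """An empty selector {} matches every pod; all matchLabels must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, src, dst_ns):
    """podSelector alone is limited to the policy's own namespace; with a
    namespaceSelector the two selectors are ANDed."""
    ns_ok = (selects(peer["namespaceSelector"], src["ns_labels"])
             if "namespaceSelector" in peer else src["namespace"] == dst_ns)
    pod_ok = "podSelector" not in peer or selects(peer["podSelector"], src["labels"])
    return ns_ok and pod_ok

def port_matches(ports, proto, port):
    """No 'ports' list means any port; protocol defaults to TCP."""
    return not ports or any(p.get("protocol", "TCP") == proto and p.get("port") == port
                            for p in ports)

def ingress_allowed(src, dst, proto, port, policies):
    """Unselected pods are non-isolated (allow all). Once selected, traffic must match
    some rule of some selecting policy; a rule without 'from' admits any source."""
    selecting = [p for p in policies if p["namespace"] == dst["namespace"]
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and selects(p["spec"]["podSelector"], dst["labels"])]
    if not selecting:
        return True
    for pol in selecting:
        for rule in pol["spec"].get("ingress", []):
            src_ok = not rule.get("from") or any(
                peer_matches(peer, src, dst["namespace"]) for peer in rule["from"])
            if src_ok and port_matches(rule.get("ports", []), proto, port):
                return True
    return False

# Constructed copies of default-deny-all and allow-frontend-to-backend above.
POLICIES = [
    {"namespace": "production", "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"namespace": "production", "spec": {
        "podSelector": {"matchLabels": {"app": "backend"}}, "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                     "ports": [{"protocol": "TCP", "port": 8080}]}]}},
]
# Constructed pods: frontend/backend in production, plus a frontend pod in another namespace.
FRONTEND = {"namespace": "production", "ns_labels": {}, "labels": {"app": "frontend"}}
BACKEND = {"namespace": "production", "ns_labels": {}, "labels": {"app": "backend"}}
STAGING_FRONTEND = {"namespace": "staging", "ns_labels": {}, "labels": {"app": "frontend"}}
```

Note that a frontend pod in another namespace is refused even though its labels match, because a podSelector-only peer is scoped to the policy's namespace; reaching across namespaces needs an explicit namespaceSelector.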

RBAC Configuration

Role (namespace-scoped)

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: production
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

ClusterRole (cluster-scoped)

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]

RoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: production
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
- kind: ServiceAccount
  name: default
  namespace: production
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Reference: references/rbac-patterns.md
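How the authorizer evaluates the Role, ClusterRole and RoleBinding above, as an added Python example that is not part of this skill; the subject strings and dictionary shapes are constructed, and resourceNames and aggregated ClusterRoles are not modelled.

```python
# Added example (not from this page): how the RBAC authorizer decides a request,
# run against constructed copies of the Role, ClusterRole and RoleBinding above.
# Subjects are written as "User:<name>" or "ServiceAccount:<namespace>:<name>".

def rule_allows(rule, verb, api_group, resource):
    """All three lists must match; "*" is a wildcard. resourceNames are not modelled."""
    def hit(values, want):
        return "*" in values or want in values
    return (hit(rule["apiGroups"], api_group) and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))

def can_i(subject, verb, api_group, resource, namespace, roles, cluster_roles, bindings):
    """A RoleBinding grants its roleRef only inside its own namespace, even when the
    roleRef is a ClusterRole; a ClusterRoleBinding grants it everywhere. Grants from
    all matching bindings are unioned, and RBAC has no deny rules."""
    for b in bindings:
        if subject not in b["subjects"]:
            continue
        if b["kind"] == "RoleBinding":
            if b["namespace"] != namespace:
                continue
            if b["roleRef"]["kind"] == "Role":
                rules = roles[(b["namespace"], b["roleRef"]["name"])]
            else:
                rules = cluster_roles[b["roleRef"]["name"]]
        else:  # ClusterRoleBinding
            rules = cluster_roles[b["roleRef"]["name"]]
        if any(rule_allows(r, verb, api_group, resource) for r in rules):
            return True
    return False

# Constructed copies of the manifests above. secret-reader exists but is bound to nobody.
ROLES = {("production", "pod-reader"): [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]}
CLUSTER_ROLES = {"secret-reader": [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}]}
BINDINGS = [{"kind": "RoleBinding", "namespace": "production",
             "subjects": ["User:jane", "ServiceAccount:production:default"],
             "roleRef": {"kind": "Role", "name": "pod-reader"}}]

def jane_can(verb, api_group, resource, namespace):
    """Convenience wrapper for the user named in the RoleBinding above."""
    return can_i("User:jane", verb, api_group, resource, namespace,
                 ROLES, CLUSTER_ROLES, BINDINGS)
```

Because the binding also names the default ServiceAccount, every pod in production that does not set serviceAccountName inherits pod-reader; a dedicated ServiceAccount per workload keeps the grant to the pods that need it.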

Pod Security Context

Restricted Pod

apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: myapp:1.0
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
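As an added example (not code from this skill), a pre-flight check that mirrors the controls the restricted Pod Security Standards level, enforced by the namespace labels earlier, applies to a Pod spec; it runs against a constructed copy of the secure-pod manifest above and a deliberately weak pod. Volume-type, hostPort and sysctl controls are omitted, so a clean result here is necessary but not sufficient.

```python
# Added example (not from this page): a pre-flight check of a Pod spec against the
# controls the Pod Security Standards "restricted" level enforces, so a manifest can be
# checked before the namespace label starts rejecting it. Volume-type, hostPort,
# sysctl and procMount controls are omitted; constructed pods are defined at the bottom.

RESTRICTED_SECCOMP = ("RuntimeDefault", "Localhost")

def effective(ctr_sc, pod_sc, key):
    """A container-level securityContext field overrides the pod-level one."""
    return ctr_sc.get(key, pod_sc.get(key))

def restricted_violations(pod):
    """Return a list of human-readable violations; an empty list means compliant."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    problems = []
    for host_ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(host_ns):
            problems.append(f"spec.{host_ns} must be false")
    # Restricted also covers ephemeral containers; they are skipped in this example.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc, name = c.get("securityContext", {}), c["name"]
        if sc.get("privileged"):
            problems.append(f"{name}: privileged must be false")
        if effective(sc, pod_sc, "runAsNonRoot") is not True:
            problems.append(f"{name}: runAsNonRoot must be true")
        if effective(sc, pod_sc, "runAsUser") == 0:
            problems.append(f"{name}: runAsUser must not be 0")
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be explicitly false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            problems.append(f"{name}: capabilities.drop must include ALL")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            problems.append(f"{name}: only NET_BIND_SERVICE may be added back")
        if (effective(sc, pod_sc, "seccompProfile") or {}).get("type") not in RESTRICTED_SECCOMP:
            problems.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return problems

# Constructed copy of the secure-pod manifest above, and a deliberately weak pod for contrast.
SECURE_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "fsGroup": 1000,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "myapp:1.0", "securityContext": {
        "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
        "capabilities": {"drop": ["ALL"]}}}]}}
WEAK_POD = {"spec": {"hostNetwork": True, "containers": [
    {"name": "debug", "image": "busybox", "securityContext": {"runAsUser": 0}}]}}
```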

Policy Enforcement with OPA Gatekeeper

ConstraintTemplate

apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        openAPIV3Schema:
          type: object
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels
        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | label := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("missing required labels: %v", [missing])
        }

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: require-app-label
spec:
  match:
    kinds:
      - apiGroups: ["apps"]
        kinds: ["Deployment"]
  parameters:
    labels: ["app", "environment"]

Service Mesh Security (Istio)

PeerAuthentication (mTLS)

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: production
spec:
  mtls:
    mode: STRICT

AuthorizationPolicy

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-frontend
  namespace: production
spec:
  selector:
    matchLabels:
      app: backend
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/production/sa/frontend"]

Best Practices

  1. Enforce Pod Security Standards at the namespace level
  2. Use network policies for network segmentation
  3. Apply least-privilege RBAC to all service accounts
  4. Enable admission control (OPA Gatekeeper/Kyverno)
  5. Run containers as a non-root user
  6. Use a read-only root filesystem
  7. Drop all capabilities unless they are needed
  8. Enforce resource quotas and limit ranges
  9. Enable audit logging for security events
  10. Scan images for security issues regularly

Compliance Frameworks

CIS Kubernetes Benchmark

  • Use RBAC authorization
  • Enable audit logging
  • Use Pod Security Standards
  • Configure network policies
  • Encrypt secrets at rest
  • Enable node authentication

NIST Cybersecurity Framework

  • Implement defense in depth
  • Use network segmentation
  • Configure security monitoring
  • Implement access control
  • Enable logging and monitoring

Troubleshooting

Network policies not taking effect:

# Check whether the CNI plugin supports network policies
kubectl get nodes -o wide
kubectl describe networkpolicy <name>

RBAC permission denied:

# Check effective permissions
kubectl auth can-i list pods --as system:serviceaccount:default:my-sa
kubectl auth can-i '*' '*' --as system:serviceaccount:default:my-sa

Reference Files

  • assets/network-policy-template.yaml - Network policy examples
  • assets/pod-security-template.yaml - Pod security policies
  • references/rbac-patterns.md - RBAC configuration patterns

Related Skills

  • k8s-manifest-generator - for creating secure manifests
  • gitops-workflow - for automating policy deployment