Kubernetes Security Policies Skill: k8s-security-policies

This skill implements comprehensive security policies in a Kubernetes cluster, covering network isolation, Pod Security Standards and role-based access control (RBAC). It is intended for production hardening and compliance requirements. Keywords: Kubernetes, security policies, network policies, RBAC, Pod security, cloud-native security.

Docker/K8s  0 installs  0 views  Updated 3/22/2026

name: k8s-security-policies description: Implements Kubernetes security policies, including NetworkPolicy, PodSecurityPolicy and RBAC, for production-grade security. Use when securing a Kubernetes cluster, implementing network isolation or enforcing Pod Security Standards.

Kubernetes Security Policies

A comprehensive guide to implementing NetworkPolicy, PodSecurityPolicy, RBAC and Pod Security Standards in Kubernetes (the namespace examples below use the built-in Pod Security Admission labels, which replaced PodSecurityPolicy).

Purpose

Implement defense-in-depth security for Kubernetes clusters using network policies, Pod Security Standards and RBAC.

When to use this skill

  • Implementing network segmentation
  • Configuring Pod Security Standards
  • Setting up least-privilege RBAC access
  • Creating compliance-driven security policies
  • Enforcing admission control
  • Securing multi-tenant clusters

Pod Security Standards

1. Privileged (unrestricted)

apiVersion: v1
kind: Namespace
metadata:
  name: privileged-ns
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/warn: privileged

2. Baseline (minimally restrictive)

apiVersion: v1
kind: Namespace
metadata:
  name: baseline-ns
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/audit: baseline
    pod-security.kubernetes.io/warn: baseline

3. Restricted (most restrictive)

apiVersion: v1
kind: Namespace
metadata:
  name: restricted-ns
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted

Network policies

Default deny all

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress

Allow frontend to backend

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080

Allow DNS

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              # set automatically on every namespace since Kubernetes 1.21; a custom
              # "name" label only matches if someone has applied it to kube-system
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP   # large responses and DNS-over-TCP fall back to TCP 53
          port: 53

Reference: assets/network-policy-template.yaml
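The three policies above combine in a way that is easy to misread, so here is a minimal evaluator of the NetworkPolicy semantics (an added example, not part of the skill or of Kubernetes): a pod selected by any policy for a direction is isolated in that direction, and a flow is allowed only when the source's egress and the destination's ingress are each matched by a rule. The policies and pods are constructed inline in the dict form of the YAML, and namespaces are assumed to carry the automatic kubernetes.io/metadata.name label.

```python
# Added example (not from the skill): a minimal NetworkPolicy evaluator. A pod
# selected by any policy for a direction is isolated in that direction, and a flow
# is allowed only when the source's egress AND the destination's ingress each match
# a rule. Policies/pods are constructed inline; namespaces are assumed to carry the
# automatic kubernetes.io/metadata.name label.

def selects(selector, labels):
    # {} matches everything; otherwise every matchLabels entry must match exactly
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, other, policy_ns):
    # a podSelector without a namespaceSelector only covers the policy's own namespace
    if "namespaceSelector" in peer:
        if not selects(peer["namespaceSelector"], other["ns_labels"]):
            return False
    elif other["namespace"] != policy_ns:
        return False
    return "podSelector" not in peer or selects(peer["podSelector"], other["labels"])

def rule_matches(rule, peer_key, other, policy_ns, proto, port):
    peers, ports = rule.get(peer_key), rule.get("ports")  # omitted/empty list = any
    return ((not peers or any(peer_matches(p, other, policy_ns) for p in peers)) and
            (not ports or any(p.get("protocol", "TCP") == proto and p["port"] == port
                              for p in ports)))

def direction_allowed(policies, pod, direction, other, proto, port):
    rules_key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    applicable = [p for p in policies if p["namespace"] == pod["namespace"]
                  and direction in p["policyTypes"] and selects(p["podSelector"], pod["labels"])]
    if not applicable:
        return True  # no policy selects the pod: not isolated in this direction
    return any(rule_matches(r, peer_key, other, p["namespace"], proto, port)
               for p in applicable for r in p.get(rules_key, []))

def connection_allowed(policies, src, dst, proto, port):
    return (direction_allowed(policies, src, "Egress", dst, proto, port)
            and direction_allowed(policies, dst, "Ingress", src, proto, port))
PROD = {"kubernetes.io/metadata.name": "production"}
KSYS = {"kubernetes.io/metadata.name": "kube-system"}
FRONTEND = {"namespace": "production", "labels": {"app": "frontend"}, "ns_labels": PROD}
BACKEND = {"namespace": "production", "labels": {"app": "backend"}, "ns_labels": PROD}
COREDNS = {"namespace": "kube-system", "labels": {"k8s-app": "kube-dns"}, "ns_labels": KSYS}
POLICIES = [  # default-deny-all, allow-frontend-to-backend, allow-dns from above
    {"namespace": "production", "podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
    {"namespace": "production", "podSelector": {"matchLabels": {"app": "backend"}},
     "policyTypes": ["Ingress"], "ingress": [{"from": [{"podSelector": {"matchLabels":
     {"app": "frontend"}}}], "ports": [{"protocol": "TCP", "port": 8080}]}]},
    {"namespace": "production", "podSelector": {}, "policyTypes": ["Egress"],
     "egress": [{"to": [{"namespaceSelector": {"matchLabels": KSYS}}],
                 "ports": [{"protocol": "UDP", "port": 53}]}]},
]
```

With only these three policies, `connection_allowed(POLICIES, FRONTEND, BACKEND, "TCP", 8080)` is False: the backend's ingress rule matches, but default-deny-all also isolates the frontend's egress and allow-dns only opens UDP 53 to kube-system, so an egress policy for the frontend is needed as well.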

RBAC configuration

Role (namespace-scoped)

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: production
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "watch", "list"]

ClusterRole (cluster-scoped)

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]

RoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: production
subjects:
  - kind: User
    name: jane
    apiGroup: rbac.authorization.k8s.io
  - kind: ServiceAccount
    name: default
    namespace: production
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Reference: references/rbac-patterns.md

Pod security context

Restricted Pod

apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: myapp:1.0
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - ALL

Policy enforcement with OPA Gatekeeper

ConstraintTemplate

apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        openAPIV3Schema:
          type: object
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels
        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | label := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("missing required labels: %v", [missing])
        }

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: require-app-label
spec:
  match:
    kinds:
      - apiGroups: ["apps"]
        kinds: ["Deployment"]
  parameters:
    labels: ["app", "environment"]

Service mesh security (Istio)

PeerAuthentication (mTLS)

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: production
spec:
  mtls:
    mode: STRICT

AuthorizationPolicy

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-frontend
  namespace: production
spec:
  selector:
    matchLabels:
      app: backend
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/production/sa/frontend"]

Best practices

  1. Enforce Pod Security Standards at the namespace level
  2. Use network policies for network segmentation
  3. Apply least-privilege RBAC to all service accounts
  4. Enable admission control (OPA Gatekeeper/Kyverno)
  5. Run containers as a non-root user
  6. Use read-only root filesystems
  7. Drop all capabilities unless they are required
  8. Enforce resource quotas and limit ranges
  9. Enable audit logging for security events
  10. Scan images for vulnerabilities regularly

Compliance frameworks

CIS Kubernetes Benchmark

  • Use RBAC authorization
  • Enable audit logging
  • Use Pod Security Standards
  • Configure network policies
  • Implement encryption of secrets at rest
  • Enable node authentication

NIST Cybersecurity Framework

  • Implement defense in depth
  • Use network segmentation
  • Configure security monitoring
  • Implement access controls
  • Enable logging and monitoring

Troubleshooting

Network policies not taking effect:

# Check which CNI plugin the nodes run (not every CNI enforces NetworkPolicy), then inspect the policy
kubectl get nodes -o wide
kubectl describe networkpolicy <name>

RBAC permission denied:

# Check the effective permissions of the service account
kubectl auth can-i list pods --as system:serviceaccount:default:my-sa
kubectl auth can-i '*' '*' --as system:serviceaccount:default:my-sa

Reference files

  • assets/network-policy-template.yaml - network policy examples
  • assets/pod-security-template.yaml - Pod security policies
  • references/rbac-patterns.md - RBAC configuration patterns

Related skills

  • k8s-manifest-generator - for creating secure manifests
  • gitops-workflow - for automated policy deployment