---
name: kubernetes-security
user-invocable: false
description: Used to enforce Kubernetes security best practices, including RBAC, Pod security policies and network policies.
allowed-tools: []
---

# Kubernetes Security

Security best practices for Kubernetes deployments.

## Pod Security

### Run as a non-root user

```yaml
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000
```

### Read-only root filesystem

```yaml
spec:
  containers:
  - name: app
    securityContext:
      readOnlyRootFilesystem: true
    volumeMounts:
    - name: tmp
      mountPath: /tmp
  volumes:
  - name: tmp
    emptyDir: {}
```

### Drop capabilities

```yaml
spec:
  containers:
  - name: app
    securityContext:
      capabilities:
        drop:
        - ALL
        add:
        - NET_BIND_SERVICE
```

### Prevent privilege escalation

```yaml
spec:
  containers:
  - name: app
    securityContext:
      allowPrivilegeEscalation: false
      privileged: false
```

## Network Security

### Network policies

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: database
    ports:
    - protocol: TCP
      port: 5432
```

## RBAC

### Service account

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  namespace: default
```

### Role

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
```

### Role binding

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
subjects:
- kind: ServiceAccount
  name: app-sa
  namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

## Secrets Management

### Encryption at rest

Enable encryption for Secrets stored in etcd.

### External secrets

Use an external secrets manager:

```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-secrets
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: app-secrets
  data:
  - secretKey: password
    remoteRef:
      key: secret/data/app
      property: password
```

### Avoid hardcoding

```yaml
# Bad
env:
- name: DB_PASSWORD
  value: "hardcoded-password"

# Good
env:
- name: DB_PASSWORD
  valueFrom:
    secretKeyRef:
      name: db-secret
      key: password
```

## Resource Limits

### Prevent resource exhaustion

```yaml
spec:
  containers:
  - name: app
    resources:
      limits:
        memory: "256Mi"
        cpu: "500m"
      requests:
        memory: "128Mi"
        cpu: "250m"
```

### LimitRange

```yaml
apiVersion: v1
kind: LimitRange
metadata:
  name: mem-limit-range
spec:
  limits:
  - max:
      memory: 512Mi
    min:
      memory: 64Mi
    type: Container
```

### ResourceQuota

```yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: compute-quota
spec:
  hard:
    requests.cpu: "10"
    requests.memory: 20Gi
    limits.cpu: "20"
    limits.memory: 40Gi
```

## Image Security

### Use specific tags

```yaml
# Bad
image: nginx:latest

# Good
image: nginx:1.21.6
```

### Image pull policy

```yaml
spec:
  containers:
  - name: app
    image: myapp:1.0.0
    imagePullPolicy: IfNotPresent
```

### Private registries

```yaml
spec:
  imagePullSecrets:
  - name: registry-credentials
  containers:
  - name: app
    image: private.registry.com/myapp:1.0.0
```

## Pod Security Standards

### Restricted profile

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
```

## Security Scanning

```bash
# Scan manifests with kubesec
kubesec scan pod.yaml

# Scan images with trivy
trivy image nginx:1.21

# Validate policy with OPA
opa eval -d policy.rego -i manifest.yaml
```
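As an added example that is not part of the original skill file, the following Python audits a Pod manifest (a dict as `yaml.safe_load` would return it) against the checks covered above: pod-level `runAsNonRoot`, read-only root filesystem, `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`, pinned image tags, resource limits, and no literal secret values in `env`. `audit_pod`, `SECRET_HINTS`, `BAD_POD` and `GOOD_POD` are names and constructed sample manifests introduced here, not from any tool or cluster.

```python
# Added example, not part of the original skill file: audit a Pod manifest
# (a dict as yaml.safe_load would return it) against the checks listed above.
SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "KEY")  # env names that suggest a secret

def audit_pod(pod: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    spec = pod.get("spec", {})
    if spec.get("securityContext", {}).get("runAsNonRoot") is not True:  # pod-level only
        findings.append("pod: runAsNonRoot is not true")
    for c in spec.get("containers", []):
        name, sc = c.get("name", "<unnamed>"), c.get("securityContext", {})
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if sc.get("privileged") is True:
            findings.append(f"{name}: privileged is true")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop does not include ALL")
        image = c.get("image", "")
        last = image.rsplit("/", 1)[-1]  # drop registry/path, keep name:tag or name@digest
        if ":" not in last or last.endswith(":latest"):
            findings.append(f"{name}: image '{image}' is untagged or uses :latest")
        if "limits" not in c.get("resources", {}):
            findings.append(f"{name}: no resource limits set")
        for env in c.get("env", []):
            n = env.get("name", "")
            if "value" in env and any(h in n.upper() for h in SECRET_HINTS):
                findings.append(f"{name}: env {n} carries a literal secret value")
    return findings

# Constructed sample manifests (not taken from a real cluster).
BAD_POD = {"kind": "Pod", "spec": {"containers": [
    {"name": "app", "image": "nginx:latest",
     "env": [{"name": "DB_PASSWORD", "value": "hardcoded-password"}]}]}}
GOOD_POD = {"kind": "Pod", "spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
    "containers": [{
        "name": "app", "image": "private.registry.com/myapp:1.0.0",
        "securityContext": {"readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}},
        "resources": {"limits": {"memory": "256Mi", "cpu": "500m"}},
        "env": [{"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "db-secret", "key": "password"}}}]}]}}

if __name__ == "__main__":
    for label, pod in (("bad", BAD_POD), ("good", GOOD_POD)):
        print(label, audit_pod(pod) or ["OK"])
```

The same function can be run over a real manifest after `yaml.safe_load`; for multi-container Pods every container is reported separately.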