---
name: k8s-security-policies
description: Implement Kubernetes security policies, including NetworkPolicy, PodSecurityPolicy and RBAC, for production-grade security. Use when securing Kubernetes clusters, implementing network isolation, or enforcing pod security standards.
version: 1.0.0
model: sonnet
invoked_by: [devops]
tools: [Read, Write, Edit, Bash, Glob, Grep]
verified: false
lastVerifiedAt: 2026-02-19T05:29:09.098Z
---
# Kubernetes Security Policies

A comprehensive guide to implementing NetworkPolicy, PodSecurityPolicy, RBAC and Pod Security Standards. Note that PodSecurityPolicy was removed in Kubernetes 1.25; the pod-level controls below use its replacement, Pod Security Admission with the Pod Security Standards.
## Purpose

Implement defense-in-depth security for Kubernetes clusters using network policies, pod security standards and RBAC.
## When to Use This Skill

- Implementing network segmentation
- Configuring pod security standards
- Setting up least-privilege RBAC access
- Creating security policies for compliance
- Implementing admission control
- Securing multi-tenant clusters
## Pod Security Standards

Pod Security Admission reads three namespace labels: `enforce` rejects pods that violate the profile, while `audit` and `warn` only record an audit annotation or return a warning to the client.

### 1. Privileged mode (unrestricted)

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: privileged-ns
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/warn: privileged
```

### 2. Baseline mode (minimally restrictive)

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: baseline-ns
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/audit: baseline
    pod-security.kubernetes.io/warn: baseline
```

### 3. Restricted mode (most restrictive)

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: restricted-ns
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
```
## Network Policies

### Default deny all

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}        # selects every pod in the namespace
  policyTypes:           # with no ingress/egress rules listed, both directions are denied
    - Ingress
    - Egress
```
### Allow frontend to backend

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:       # no namespaceSelector, so only frontend pods in "production" match
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
```
### Allow DNS

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              name: kube-system   # kube-system must carry this label; alternatively select on the automatic kubernetes.io/metadata.name label
      ports:
        - protocol: UDP
          port: 53              # add TCP 53 as well if large DNS responses need to fall back to TCP
```

Reference: see `assets/network-policy-template.yaml`
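The three policies above combine per pod: a connection succeeds only if the source's Egress rules and the destination's Ingress rules both allow it. The following Python evaluator is an added example, not code from this skill; it models that combination for the constructed pods `frontend`, `backend` and `coredns` and shows that with only the three policies as written, `default-deny-all` also blocks the frontend's egress, so a hypothetical `FRONTEND_EGRESS` policy is added to make the frontend-to-backend call succeed. Only podSelector, namespaceSelector, ports and policyTypes are modelled (no ipBlock, named ports or endPort).

```python
# Constructed sample cluster: pod -> (namespace, labels); namespace -> labels.
NAMESPACES = {"production": {"name": "production"}, "kube-system": {"name": "kube-system"}}
PODS = {"frontend": ("production", {"app": "frontend"}), "backend": ("production", {"app": "backend"}),
        "coredns": ("kube-system", {"k8s-app": "kube-dns"})}
# The three policies from this section as dicts ("namespace" is where each one lives).
POLICIES = [
    {"namespace": "production", "podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
    {"namespace": "production", "podSelector": {"matchLabels": {"app": "backend"}},
     "policyTypes": ["Ingress"],
     "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                  "ports": [{"protocol": "TCP", "port": 8080}]}]},
    {"namespace": "production", "podSelector": {}, "policyTypes": ["Egress"],
     "egress": [{"to": [{"namespaceSelector": {"matchLabels": {"name": "kube-system"}}}],
                 "ports": [{"protocol": "UDP", "port": 53}]}]},
]
# Hypothetical extra policy (not on the page): lets the frontend pod reach the backend.
FRONTEND_EGRESS = {
    "namespace": "production", "podSelector": {"matchLabels": {"app": "frontend"}},
    "policyTypes": ["Egress"],
    "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "backend"}}}],
                "ports": [{"protocol": "TCP", "port": 8080}]}]}

def _matches(selector: dict, labels: dict) -> bool:
    # matchLabels semantics: an empty selector {} matches everything.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def _peer_ok(peer: dict, pod: str, policy_ns: str) -> bool:
    ns, labels = PODS[pod]
    # Without a namespaceSelector, a podSelector peer only reaches the policy's own namespace.
    ns_ok = _matches(peer["namespaceSelector"], NAMESPACES[ns]) if "namespaceSelector" in peer else ns == policy_ns
    return ns_ok and ("podSelector" not in peer or _matches(peer["podSelector"], labels))

def _rule_ok(rule: dict, peer_key: str, other: str, ns: str, proto: str, port: int) -> bool:
    peers, ports = rule.get(peer_key, []), rule.get("ports", [])  # empty list = any peer / any port
    return ((not peers or any(_peer_ok(p, other, ns) for p in peers))
            and (not ports or any(p["protocol"] == proto and p["port"] == port for p in ports)))

def _direction_ok(pod: str, other: str, direction: str, policies: list, proto: str, port: int) -> bool:
    ns, labels = PODS[pod]
    applicable = [p for p in policies if p["namespace"] == ns
                  and direction in p["policyTypes"] and _matches(p["podSelector"], labels)]
    if not applicable:
        return True  # no policy selects the pod in this direction, so it stays open
    key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    return any(_rule_ok(r, peer_key, other, ns, proto, port) for p in applicable for r in p.get(key, []))

def allowed(src: str, dst: str, policies: list, proto: str = "TCP", port: int = 8080) -> bool:
    # A connection needs the source's Egress AND the destination's Ingress to permit it.
    return (_direction_ok(src, dst, "Egress", policies, proto, port)
            and _direction_ok(dst, src, "Ingress", policies, proto, port))
```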
## RBAC Configuration

### Role (namespace-scoped)

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: production
rules:
  - apiGroups: ['']        # '' is the core API group
    resources: ['pods']
    verbs: ['get', 'watch', 'list']
```
### ClusterRole (cluster-scoped)

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
  - apiGroups: ['']
    resources: ['secrets']
    verbs: ['get', 'watch', 'list']
```
### RoleBinding

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: production
subjects:
  - kind: User
    name: jane
    apiGroup: rbac.authorization.k8s.io
  - kind: ServiceAccount
    name: default
    namespace: production
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

Reference: see `references/rbac-patterns.md`
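To see what the Role and RoleBinding above actually grant, here is an added Python model (not the skill's own code and not the API server's authorizer) of the decision that `kubectl auth can-i` in the Troubleshooting section asks for. It encodes the `pod-reader` Role, the `secret-reader` ClusterRole and the `read-pods` RoleBinding, and shows that `secret-reader` grants nothing until something binds it. Only resource rules are modelled, not `nonResourceURLs`, `resourceNames` or aggregated ClusterRoles.

```python
# (kind, namespace or None for cluster-scoped, name) -> rules, taken from the manifests above.
ROLES = {
    ("Role", "production", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}],
    ("ClusterRole", None, "secret-reader"): [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}],
}
# Only the read-pods RoleBinding exists; nothing binds secret-reader.
BINDINGS = [
    {"kind": "RoleBinding", "namespace": "production",
     "subjects": [{"kind": "User", "name": "jane"},
                  {"kind": "ServiceAccount", "name": "default", "namespace": "production"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
]

def _subject_matches(subject: dict, who: dict) -> bool:
    if subject["kind"] != who["kind"] or subject["name"] != who["name"]:
        return False
    # A ServiceAccount subject is identified by name AND namespace; default/production is not default/default.
    return subject["kind"] != "ServiceAccount" or subject.get("namespace") == who.get("namespace")

def _rule_allows(rule: dict, verb: str, resource: str, api_group: str) -> bool:
    def hit(values, wanted):
        return wanted in values or "*" in values
    return hit(rule["apiGroups"], api_group) and hit(rule["resources"], resource) and hit(rule["verbs"], verb)

def can_i(who: dict, verb: str, resource: str, namespace: str, api_group: str = "") -> bool:
    """True if any binding naming `who` references a role with a rule covering the request."""
    for b in BINDINGS:
        # A RoleBinding only grants inside its own namespace; a ClusterRoleBinding grants everywhere.
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue
        if not any(_subject_matches(s, who) for s in b["subjects"]):
            continue
        ref = b["roleRef"]
        role_ns = b["namespace"] if ref["kind"] == "Role" else None
        rules = ROLES.get((ref["kind"], role_ns, ref["name"]), [])
        if any(_rule_allows(r, verb, resource, api_group) for r in rules):
            return True
    return False  # RBAC is deny-by-default: no matching rule means no access
```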
## Pod Security Context

### Restricted-mode pod

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:                 # pod-level settings apply to every container unless overridden
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: myapp:1.0
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - ALL
```
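As an added example (not part of this skill), this Python checker applies the main controls of the restricted Pod Security Standard, the ones Pod Security Admission enforces in `restricted-ns` above, to the `secure-pod` manifest and to a constructed pod with no securityContext; it serves both the Pod Security Standards section and this securityContext example. Volume-type and hostPort controls are left out, and `readOnlyRootFilesystem` is a hardening extra that the restricted profile does not require, so the checker does not demand it.

```python
# The secure-pod manifest above, as a dict (no PyYAML needed to run offline).
SECURE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "secure-pod"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "fsGroup": 1000,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "myapp:1.0", "securityContext": {
        "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
        "capabilities": {"drop": ["ALL"]}}}]}}
# Constructed counter-example: the same container with no securityContext at all.
PLAIN_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "plain-pod"},
             "spec": {"containers": [{"name": "app", "image": "myapp:1.0"}]}}

def _effective(pod_sc: dict, ctr_sc: dict, key: str):
    # A container-level securityContext field overrides the pod-level one.
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)

def restricted_violations(pod: dict) -> list:
    """Return the restricted-profile controls the pod fails (an empty list means it would be admitted)."""
    spec, found = pod["spec"], []
    pod_sc = spec.get("securityContext", {})
    for host_ns in ("hostNetwork", "hostPID", "hostIPC"):  # baseline controls, inherited by restricted
        if spec.get(host_ns):
            found.append(f"{host_ns} must not be true")
    # The controls apply to every container type, including init and ephemeral containers.
    for c in spec.get("containers", []) + spec.get("initContainers", []) + spec.get("ephemeralContainers", []):
        sc, name = c.get("securityContext", {}), c["name"]
        if sc.get("privileged"):
            found.append(f"{name}: privileged must not be true")
        if sc.get("allowPrivilegeEscalation") is not False:   # must be explicitly false
            found.append(f"{name}: allowPrivilegeEscalation must be false")
        if _effective(pod_sc, sc, "runAsNonRoot") is not True:
            found.append(f"{name}: runAsNonRoot must be true")
        if _effective(pod_sc, sc, "runAsUser") == 0:
            found.append(f"{name}: runAsUser must not be 0")
        if (_effective(pod_sc, sc, "seccompProfile") or {}).get("type") not in ("RuntimeDefault", "Localhost"):
            found.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            found.append(f"{name}: capabilities.drop must include ALL")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            found.append(f"{name}: only NET_BIND_SERVICE may be added to capabilities")
    return found
```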
## Policy Enforcement with OPA Gatekeeper

### ConstraintTemplate

```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        openAPIV3Schema:
          type: object
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels
        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | label := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("missing required labels: %v", [missing])
        }
```
### Constraint

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: require-app-label
spec:
  match:
    kinds:
      - apiGroups: ['apps']
        kinds: ['Deployment']
  parameters:
    labels: ['app', 'environment']
```
## Service Mesh Security (Istio)

### PeerAuthentication (mTLS)

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: production
spec:
  mtls:
    mode: STRICT     # plaintext connections to sidecars in this namespace are rejected
```
### AuthorizationPolicy

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-frontend
  namespace: production
spec:
  selector:
    matchLabels:
      app: backend
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ['cluster.local/ns/production/sa/frontend']   # SPIFFE identity of the frontend service account
```
## Best Practices

- Enforce Pod Security Standards at the namespace level
- Use network policies for network segmentation
- Apply least-privilege RBAC to all service accounts
- Enable admission control (OPA Gatekeeper/Kyverno)
- Run containers as a non-root user
- Use a read-only root filesystem
- Drop all capabilities unless one is specifically required
- Implement resource quotas and limit ranges
- Enable audit logging for security events
- Scan images for vulnerabilities regularly
## Compliance Frameworks

### CIS Kubernetes Benchmark

- Use RBAC authorization
- Enable audit logging
- Use Pod Security Standards
- Configure network policies
- Implement encryption of secrets at rest
- Enable node authentication

### NIST Cybersecurity Framework

- Implement defense in depth
- Use network segmentation
- Configure security monitoring
- Implement access controls
- Enable logging and monitoring
## Troubleshooting

NetworkPolicy not working:

```bash
# Check whether the CNI plugin supports NetworkPolicy
kubectl get nodes -o wide
kubectl describe networkpolicy <name>
```

RBAC permission denied:

```bash
# Check effective permissions
kubectl auth can-i list pods --as system:serviceaccount:default:my-sa
kubectl auth can-i '*' '*' --as system:serviceaccount:default:my-sa
```
## Reference Files

- `assets/network-policy-template.yaml` - network policy examples
- `assets/pod-security-template.yaml` - pod security policies
- `references/rbac-patterns.md` - RBAC configuration patterns
## Related Skills

- `k8s-manifest-generator` - for creating secure manifests
- `gitops-workflow` - for automated policy deployment
## Memory Protocol (Mandatory)

Before starting:

```
cat C:\dev\projects\agent-studio\.claude\context\memory\learnings.md
```

After finishing:

- New patterns -> `C:\dev\projects\agent-studio\.claude\context\memory\learnings.md`
- Issues found -> `C:\dev\projects\agent-studio\.claude\context\memory\issues.md`
- Decisions made -> `C:\dev\projects\agent-studio\.claude\context\memory\decisions.md`

Assume interruption: if it is not in memory, it did not happen.