Kubernetes 安全完整实践指南
Kubernetes安全是云原生安全的核心组成部分,涉及集群、节点、网络、存储和应用等多个层面的安全防护。随着Kubernetes在生产环境中的广泛应用,建立完善的安全防护体系已成为企业必须面对的重要挑战。
🛡️ Kubernetes 4C安全模型
安全层次架构
yaml
kubernetes_4c_model:
cloud_infrastructure:
description: "云基础设施安全层"
responsibilities:
- "物理机房和网络安全"
- "虚拟化平台安全"
- "云服务提供商安全"
- "基础设施即代码安全"
security_controls:
- "VPC网络隔离"
- "防火墙和安全组"
- "IAM身份管理"
- "审计日志记录"
cluster_security:
description: "Kubernetes集群安全层"
components:
api_server: "API服务器安全配置"
etcd: "数据存储加密"
kubelet: "节点代理安全"
network: "集群网络安全"
key_practices:
- "RBAC权限控制"
- "准入控制器配置"
- "网络策略实施"
- "密钥管理"
container_security:
description: "容器安全层"
focus_areas:
- "镜像安全扫描"
- "运行时安全监控"
- "安全上下文配置"
- "资源限制设置"
code_security:
description: "应用代码安全层"
practices:
- "安全编码规范"
- "依赖漏洞管理"
- "静态代码分析"
- "动态安全测试"yaml
threat_model:
common_attack_vectors:
api_server_attacks:
- "未授权API访问"
- "权限提升攻击"
- "配置错误利用"
container_escape:
- "特权容器滥用"
- "主机路径挂载"
- "内核漏洞利用"
lateral_movement:
- "服务账户滥用"
- "网络策略绕过"
- "密钥泄露利用"
data_exfiltration:
- "存储卷数据访问"
- "环境变量泄露"
- "日志信息收集"
security_controls:
prevention:
- "Pod Security Standards"
- "网络策略隔离"
- "RBAC最小权限"
- "准入控制验证"
detection:
- "审计日志监控"
- "运行时行为分析"
- "异常网络流量检测"
- "资源使用监控"
response:
- "自动化隔离"
- "事件通知告警"
- "取证数据收集"
- "恢复流程执行"🔐 集群安全配置
API服务器安全
yaml
api_server_auth:
certificate_authentication:
client_cert_config: |
# 客户端证书认证
--client-ca-file=/etc/kubernetes/pki/ca.crt
--tls-cert-file=/etc/kubernetes/pki/apiserver.crt
--tls-private-key-file=/etc/kubernetes/pki/apiserver.key
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
oidc_integration:
config_example: |
# OIDC认证配置
--oidc-issuer-url=https://auth.example.com
--oidc-client-id=kubernetes
--oidc-username-claim=email
--oidc-username-prefix=oidc:
--oidc-groups-claim=groups
--oidc-groups-prefix=oidc:
service_account_auth:
token_config: |
# ServiceAccount Token配置
--service-account-key-file=/etc/kubernetes/pki/sa.pub
--service-account-signing-key-file=/etc/kubernetes/pki/sa.key
--service-account-issuer=https://kubernetes.default.svc.cluster.local
--service-account-api-audiences=api,vaultyaml
authorization_config:
rbac_configuration:
basic_roles: |
# 基础角色定义
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: production
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get"]
cluster_roles: |
# 集群级角色
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: monitoring-reader
rules:
- apiGroups: [""]
resources: ["nodes", "pods", "services", "endpoints"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources: ["deployments", "replicasets"]
verbs: ["get", "list", "watch"]
admission_controllers:
security_admission: |
# 安全准入控制器
--enable-admission-plugins=NodeRestriction,ResourceQuota,PodSecurity,MutatingAdmissionWebhook,ValidatingAdmissionWebhook
--disable-admission-plugins=AlwaysAdmit
pod_security_admission: |
# Pod安全准入
apiVersion: v1
kind: Namespace
metadata:
name: secure-workloads
labels:
pod-security.kubernetes.io/enforce: restricted
pod-security.kubernetes.io/audit: restricted
pod-security.kubernetes.io/warn: restricted🔒 容器和Pod安全
Security Context配置
yaml
pod_security_context:
secure_pod_example: |
apiVersion: v1
kind: Pod
metadata:
name: secure-app
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
containers:
- name: app
image: myapp:v1.0
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
resources:
limits:
cpu: "1"
memory: "512Mi"
ephemeral-storage: "1Gi"
requests:
cpu: "100m"
memory: "128Mi"
ephemeral-storage: "100Mi"
volumeMounts:
- name: tmp-volume
mountPath: /tmp
- name: cache-volume
mountPath: /app/cache
volumes:
- name: tmp-volume
emptyDir: {}
- name: cache-volume
emptyDir: {}
network_policies:
default_deny: |
# 默认拒绝策略
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-all
namespace: production
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
application_policy: |
# 应用网络策略
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: web-app-netpol
namespace: production
spec:
podSelector:
matchLabels:
app: web-app
policyTypes:
- Ingress
- Egress
ingress:
- from:
- namespaceSelector:
matchLabels:
name: ingress-nginx
ports:
- protocol: TCP
port: 8080
egress:
- to:
- podSelector:
matchLabels:
app: database
ports:
- protocol: TCP
port: 5432
- to: []
ports:
- protocol: UDP
port: 53yaml
secrets_management:
kubernetes_secrets:
basic_secret: |
# 基础Secret配置
apiVersion: v1
kind: Secret
metadata:
name: app-secrets
namespace: production
type: Opaque
data:
username: YWRtaW4=
password: MWYyZDFlMmU2N2Rm
tls_secret: |
# TLS证书Secret
apiVersion: v1
kind: Secret
metadata:
name: tls-secret
namespace: production
type: kubernetes.io/tls
data:
tls.crt: LS0tLS1CRUdJTi...
tls.key: LS0tLS1CRUdJTi...
external_secrets:
vault_integration: |
# External Secrets与Vault集成
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: vault-backend
namespace: production
spec:
provider:
vault:
server: "https://vault.example.com"
path: "secret"
version: "v2"
auth:
kubernetes:
mountPath: "kubernetes"
role: "external-secrets"
external_secret: |
# 外部Secret同步
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: database-credentials
namespace: production
spec:
refreshInterval: 1h
secretStoreRef:
name: vault-backend
kind: SecretStore
target:
name: database-secret
creationPolicy: Owner
data:
- secretKey: username
remoteRef:
key: database/credentials
property: username
- secretKey: password
remoteRef:
key: database/credentials
property: password📊 监控和审计
安全监控配置
yaml
audit_configuration:
audit_policy: |
# 审计策略配置
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
- RequestReceived
rules:
# 记录认证失败
- level: Metadata
namespaces: [""]
verbs: [""]
resources: [""]
omitStages:
- RequestReceived
# 详细记录敏感操作
- level: Request
resources:
- group: ""
resources: ["secrets", "configmaps"]
- group: "rbac.authorization.k8s.io"
resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
verbs: ["create", "update", "patch", "delete"]
# 记录Pod执行操作
- level: Request
resources:
- group: ""
resources: ["pods/exec", "pods/portforward"]
log_analysis: |
# 审计日志分析
# 分析认证失败
jq 'select(.verb != null and .responseStatus.code >= 400)' audit.log
# 分析特权操作
jq 'select(.verb == "create" and .objectRef.resource == "pods/exec")' audit.log
# 分析RBAC变更
jq 'select(.objectRef.apiGroup == "rbac.authorization.k8s.io")' audit.logyaml
security_monitoring:
prometheus_metrics:
key_metrics:
- "apiserver_audit_total"
- "apiserver_current_inflight_requests"
- "apiserver_request_duration_seconds"
- "kubernetes_build_info"
- "up{job='kubernetes-apiservers'}"
alerting_rules: |
# 安全告警规则
groups:
- name: kubernetes-security
rules:
- alert: KubernetesAuthFailures
expr: increase(apiserver_audit_total{code!~"2.."}[5m]) > 10
for: 2m
labels:
severity: warning
annotations:
summary: "High number of authentication failures"
- alert: KubernetesPrivilegedPod
expr: increase(apiserver_audit_total{objectRef_resource="pods",verb="create"}[5m]) > 0
for: 0m
labels:
severity: critical
annotations:
summary: "Privileged pod created"
falco_rules: |
# Falco安全检测规则
- rule: Privileged container
desc: Detect privileged container creation
condition: k8s_audit and ka.verb="create" and ka.target.resource="pods"
output: Privileged container created (user=%ka.user.name pod=%ka.target.name)
priority: CRITICAL📋 Kubernetes安全面试重点
基础概念类
Kubernetes 4C安全模型各层的职责?
- Cloud基础设施安全配置
- Cluster集群安全策略
- Container容器安全控制
- Code应用安全实践
API服务器的主要安全机制?
- 认证方式和配置
- 授权策略类型
- 准入控制器功能
- TLS通信加密
etcd安全配置的关键要素?
- 静态数据加密
- 传输加密配置
- 访问控制策略
- 备份安全管理
RBAC权限类
RBAC核心组件和工作原理?
- Role和ClusterRole区别
- RoleBinding绑定机制
- ServiceAccount管理
- 权限最小化原则
如何设计安全的RBAC策略?
- 角色设计最佳实践
- 权限聚合和继承
- 临时访问控制
- 权限审计和清理
ServiceAccount安全配置?
- Token自动轮换
- 工作负载身份集成
- 跨集群身份管理
- 权限范围控制
网络安全类
Kubernetes网络策略实现原理?
- CNI插件集成
- Ingress/Egress控制
- 默认拒绝策略
- 微分段网络设计
如何防护容器逃逸攻击?
- Security Context配置
- Pod Security Standards
- Runtime监控检测
- 权限限制策略
服务网格安全集成?
- mTLS自动配置
- 服务间授权策略
- 流量加密保护
- 身份验证集成
监控审计类
Kubernetes审计配置和分析?
- 审计策略设计
- 关键事件监控
- 日志分析方法
- 异常检测机制
安全监控指标和告警?
- 关键安全指标
- 告警规则设计
- 事件关联分析
- 自动化响应
Pod Security Standards实施?
- 安全策略迁移
- 配置文件选择
- 兼容性评估
- 渐进式部署
🔗 相关内容
- RBAC深度配置 - RBAC权限管理详细实践
- Pod Security Standards - Pod安全标准实施指南
- 零信任架构 - 零信任安全模型设计
- 容器安全 - 容器安全完整实践
Kubernetes安全是云原生安全的基石,需要从集群配置、网络策略、访问控制到监控审计等多个维度建立完整的安全防护体系。通过深入理解Kubernetes安全模型和正确实施安全配置,可以构建安全可靠的容器化应用平台。