# Kubernetes Security and Permission Management Best Practices

Building a secure and reliable container environment.

## 1. Security Overview

Kubernetes security spans several layers of the cluster, including network security, authentication, access control and runtime security.

### 1.1 Security Architecture

```text
┌─────────────────────────────────────────────────────────────────┐
│                     Security control layer                      │
│   ┌──────────────┐   ┌──────────────┐   ┌──────────────┐        │
│   │     RBAC     │   │ NetworkPolicy│   │   Secrets    │        │
│   └──────┬───────┘   └──────┬───────┘   └──────┬───────┘        │
└──────────┼──────────────────┼──────────────────┼────────────────┘
           │                  │                  │
           ▼                  ▼                  ▼
┌─────────────────────────────────────────────────────────────────┐
│                     Runtime security layer                      │
│   ┌──────────────┐   ┌──────────────┐   ┌──────────────┐        │
│   │   seccomp    │   │   AppArmor   │   │ PodSecurity  │        │
│   └──────────────┘   └──────────────┘   └──────────────┘        │
└─────────────────────────────────────────────────────────────────┘
```

### 1.2 Security Components

| Component | Function |
|---|---|
| RBAC | Role-based access control |
| NetworkPolicy | Network access control |
| Secrets | Management of sensitive information |
| seccomp | System call restriction |
| AppArmor | Application sandboxing |

## 2. RBAC Configuration

### 2.1 Role

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: default
rules:
  - apiGroups: [""]   # "" is the core API group, where Pods live
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
```

### 2.2 RoleBinding

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-binding
  namespace: default
subjects:
  - kind: User
    name: jane
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

### 2.3 ClusterRole

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # note: this name collides with the built-in cluster-admin ClusterRole
  name: cluster-admin
rules:
  # wildcards on every API group, resource and verb grant full control of the cluster;
  # bind such a role to as few subjects as possible
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
```

## 3. ServiceAccount Configuration

### 3.1 Creating a ServiceAccount

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
  namespace: default
# set to false for workloads that never talk to the API server
automountServiceAccountToken: true
```

### 3.2 Binding Permissions to a ServiceAccount

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-service-account-binding
subjects:
  - kind: ServiceAccount
    name: my-service-account
    namespace: default
roleRef:
  kind: Role
  name: my-role
  apiGroup: rbac.authorization.k8s.io
```

## 4. Secret Configuration

### 4.1 Creating a Secret

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
type: Opaque
data:
  username: YWRtaW4=          # base64 of "admin"
  password: MWYyZDFlMmU2N2Rm  # base64 of "1f2d1e2e67df"
```

### 4.2 Using a Secret

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: app
          image: my-app:latest
          env:
            - name: DB_USERNAME
              valueFrom:
                secretKeyRef:
                  name: my-secret
                  key: username
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: my-secret
                  key: password
```

## 5. Network Security Configuration

### 5.1 NetworkPolicy

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
spec:
  podSelector: {}   # empty selector: applies to every Pod in the namespace
  policyTypes:
    - Ingress
  ingress: []       # no ingress rules: all inbound traffic is denied
```

### 5.2 Allowing a Specific Port

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-http
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
    - Ingress
  ingress:
    # no "from" clause, so any source may reach TCP/80 on the selected Pods
    - ports:
        - protocol: TCP
          port: 80
```

## 6. Pod Security Configuration

### 6.1 SecurityContext

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 2000
  containers:
    - name: app
      image: my-app:latest
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
```

### 6.2 seccomp

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: seccomp-pod
spec:
  securityContext:
    # the older annotation form, seccomp.security.alpha.kubernetes.io/pod: runtime/default,
    # has been deprecated since v1.19 in favour of this field
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: my-app:latest
```

### 6.3 AppArmor

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: apparmor-pod
  annotations:
    # the suffix after the last "/" must match the container name
    container.apparmor.security.beta.kubernetes.io/app: runtime/default
spec:
  containers:
    - name: app
      image: my-app:latest
```

## 7. PodSecurityPolicy Configuration

### 7.1 PodSecurityPolicy Definition

```yaml
# PodSecurityPolicy was removed in Kubernetes v1.25; Pod Security Admission is its replacement
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restrictive-psp
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  readOnlyRootFilesystem: true
```

### 7.2 Binding Permission to Use the PSP

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp:restrictive
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    verbs: ["use"]
    resourceNames:
      - restrictive-psp
```

## 8. Security Best Practices

### 8.1 Principle of Least Privilege

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: minimal-role
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "update"]
```

### 8.2 Regular Secret Rotation

```bash
#!/bin/bash
set -euo pipefail

# Regenerate the Secret in place. Piping a client-side dry run into "kubectl apply"
# avoids the window in which the Secret does not exist that "delete" + "create" leaves.
kubectl create secret generic my-secret \
  --from-literal=username=admin \
  --from-literal=password="$(openssl rand -hex 16)" \
  --dry-run=client -o yaml | kubectl apply -f -

# containers that consume the Secret through environment variables only see the
# new value after a restart, e.g. kubectl rollout restart deployment/my-app
```

### 8.3 Integrating Security Scanning

```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: security-scan
spec:
  schedule: "0 3 * * *"   # daily at 03:00; cron expressions must be quoted in YAML
  jobTemplate:
    spec:
      template:
        spec:
          containers:
            - name: trivy
              image: aquasec/trivy:latest
              # findings are written to the Job's logs
              command:
                - /bin/sh
                - -c
                - trivy image --severity HIGH,CRITICAL my-app:latest
          restartPolicy: OnFailure
```

## 9. Summary

Security configuration needs to cover the following areas:

- Access control: use RBAC to implement least privilege
- Sensitive information: manage passwords and keys with Secrets
- Network isolation: configure NetworkPolicy to restrict traffic
- Runtime security: use seccomp and AppArmor to restrict container privileges
- Regular auditing: scan and update on a regular schedule

It is recommended to build a comprehensive security system and to perform security audits and vulnerability scans regularly.

## References

- Kubernetes security documentation
- RBAC documentation
- PodSecurityPolicy documentation
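With PodSecurityPolicy gone, the constraints of section 7.1 (and the settings of section 6.1) still have to be checked somewhere. The following is an added example, not code from the original page: an offline Python lint that applies those constraints to a Pod as emitted by `kubectl get pod -o json`. The two sample Pods are constructed for the example.

```python
"""Lint a Pod (as returned by ``kubectl get pod -o json``) against the
restrictive-psp constraints from section 7.1. Added example, not part of the
original page."""
import json

# volume types permitted by restrictive-psp (spec.volumes in section 7.1)
ALLOWED_VOLUMES = {"configMap", "emptyDir", "projected", "secret",
                   "downwardAPI", "persistentVolumeClaim"}


def check_pod(pod: dict) -> list[str]:
    """Return the list of violations; an empty list means the Pod is compliant."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings = []
    for vol in spec.get("volumes", []):
        # every key except "name" is the volume type, e.g. "hostPath"
        for vtype in (k for k in vol if k != "name"):
            if vtype not in ALLOWED_VOLUMES:
                findings.append(f"volume {vol['name']}: type {vtype} not allowed")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation must be false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop must include ALL")
        # container-level settings override the pod-level securityContext
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if uid == 0 or (uid is None and not non_root):
            findings.append(f"{name}: MustRunAsNonRoot not satisfied")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: readOnlyRootFilesystem must be true")
    return findings


# constructed sample: the secure-pod of section 6.1 with capabilities dropped
SECURE_POD = json.loads("""{"spec": {
  "securityContext": {"runAsNonRoot": true, "runAsUser": 1000},
  "containers": [{"name": "app", "image": "my-app:latest", "securityContext": {
    "allowPrivilegeEscalation": false, "readOnlyRootFilesystem": true,
    "capabilities": {"drop": ["ALL"]}}}]}}""")

# constructed sample: a Pod that a restrictive policy should reject
RISKY_POD = json.loads("""{"spec": {
  "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
  "containers": [{"name": "dbg", "image": "busybox",
    "securityContext": {"privileged": true, "runAsUser": 0}}]}}""")
```

Running `check_pod(RISKY_POD)` reports six violations (the hostPath volume plus five container settings), while `check_pod(SECURE_POD)` returns an empty list.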