I. Container security overview
Container security is the foundation of cloud-native security:
Security layers:
- Image security
- Runtime security
- Network security
- Supply-chain security
II. Image security
1. Image scanning
```bash
# Scan with Trivy
trivy image myapp:latest
# Scan with Clair
clairctl analyze -l myapp:latest
# Scan with Docker (docker scan is deprecated; current Docker releases use `docker scout cves`)
docker scan myapp:latest
```
2. Minimal base image
The three FROM lines below are alternatives, not one Dockerfile: each step down removes packages, a shell, or a package manager that an attacker could otherwise use inside the container.
```dockerfile
# ❌ Not recommended: full distribution image with a package manager and many unneeded packages
FROM ubuntu:20.04
RUN apt-get update && apt-get install -y python3
# ✅ Recommended: slim official image
FROM python:3.11-slim
# ✅ Best: distroless image with no shell or package manager
FROM gcr.io/distroless/python:3.11
```
3. Secure build
```dockerfile
# Run as a non-root user
FROM node:18-alpine
RUN addgroup -g 1001 appgroup && \
    adduser -u 1001 -G appgroup -s /bin/sh -D appuser
USER appuser
```
```dockerfile
# Multi-stage build: compilers and build tooling stay in the builder stage,
# only the build output is copied into the smaller runtime image
FROM node:18 AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build
FROM node:18-alpine
WORKDIR /app
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/node_modules ./node_modules
# The official node image already ships a non-root "node" user
USER node
```
III. Runtime security
1. Pod security policy
```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
```
Note: PodSecurityPolicy was removed in Kubernetes 1.25. On current clusters the same restrictions are enforced by the built-in Pod Security Admission, for example by labelling a namespace with `pod-security.kubernetes.io/enforce: restricted`.
2. Security context
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10000
    runAsGroup: 10000
    fsGroup: 10000
  containers:
    - name: app
      image: myapp:latest
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - ALL
```
IV. Network security
1. Network policies
```yaml
# Deny all ingress and egress for every pod in the namespace by default.
# Because Egress is included, DNS (UDP/TCP 53 to kube-dns) must be allowed
# explicitly by a further policy or name resolution will break.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Then allow only the traffic that is actually needed
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend
spec:
  podSelector:
    matchLabels:
      app: frontend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: nginx-ingress
      ports:
        - protocol: TCP
          port: 80
```
2. Service mesh security
```yaml
# STRICT mode rejects any plaintext traffic between sidecars.
# Applied in the Istio root namespace (istio-system by default) this becomes the mesh-wide policy.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
spec:
  mtls:
    mode: STRICT
```
V. Secrets management
1. Secret management
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
type: Opaque
stringData:
  username: admin
  # ${DB_PASSWORD} is substituted by the deployment tooling (e.g. envsubst) before apply;
  # Kubernetes does not expand it, and the plain value must never be committed to the repo
  password: ${DB_PASSWORD}
```
2. External secrets management
```yaml
# Using SealedSecret: only the cluster-side controller holds the private key,
# so the encrypted manifest is safe to store in Git
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: db-credentials
spec:
  encryptedData:
    username: AgBy...==
    password: AgBy...==
```
VI. Supply-chain security
1. Signature verification
```bash
# Sign with Cosign (keyless by default; pass --key cosign.key to sign with a key pair).
# The signature is bound to the image digest, not to the mutable tag.
cosign sign myapp:latest
# Verify the image (with cosign v2 keyless verification also needs
# --certificate-identity and --certificate-oidc-issuer)
cosign verify myapp:latest
```
2. Admission control
```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: image-validator
webhooks:
  - name: validate-images.example.com
    rules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
    clientConfig:
      service:
        name: image-validator
        namespace: default
      caBundle: LS0t...
    admissionReviewVersions: ["v1"]
    sideEffects: None
    # Valid values are Fail and Ignore; Fail rejects the request when the webhook is unreachable
    failurePolicy: Fail
```
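As an added example (not from the original post), the decision logic such a webhook could run behind the `image-validator` service: it parses an AdmissionReview v1 request and rejects Pods whose images do not come from an allowlisted registry or are not pinned by digest. The registry allowlist, the rejection rules and the sample request are constructed for this example.

```python
import re
from typing import Any, Dict, List, Optional

# Assumed policy for this example: images must come from an allowlisted
# registry and be pinned by digest (a tag such as :latest is mutable).
ALLOWED_REGISTRIES = ("registry.example.com/", "gcr.io/distroless/")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def check_image(image: str) -> Optional[str]:
    """Return a rejection reason for one image reference, or None if it passes."""
    if not image.startswith(ALLOWED_REGISTRIES):
        return f"{image}: registry not in allowlist"
    if not DIGEST_RE.search(image):
        return f"{image}: must be pinned by sha256 digest, not a mutable tag"
    return None


def validate_admission_review(review: Dict[str, Any]) -> Dict[str, Any]:
    """Build the AdmissionReview v1 response for a Pod CREATE/UPDATE request."""
    request = review["request"]
    spec = request.get("object", {}).get("spec", {})
    # Init and ephemeral containers run code too, so they are checked as well.
    containers: List[Dict[str, Any]] = []
    for key in ("initContainers", "containers", "ephemeralContainers"):
        containers += spec.get(key, [])
    reasons = [r for c in containers if (r := check_image(c.get("image", "")))]
    response: Dict[str, Any] = {"uid": request["uid"], "allowed": not reasons}
    if reasons:
        # The API server returns status.message to the caller, so the reason is visible.
        response["status"] = {"code": 403, "message": "; ".join(reasons)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


# Constructed sample AdmissionReview request: one pinned image, one mutable tag.
SAMPLE_REVIEW: Dict[str, Any] = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "constructed-uid-1",
        "operation": "CREATE",
        "object": {"kind": "Pod", "spec": {"containers": [
            {"name": "app", "image": "registry.example.com/myapp@sha256:" + "a" * 64},
            {"name": "sidecar", "image": "myapp:latest"},
        ]}},
    },
}

if __name__ == "__main__":
    print(validate_admission_review(SAMPLE_REVIEW))
```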
VII. Monitoring and auditing
1. Audit logs
```bash
# kube-apiserver flags
--audit-policy-file=/etc/kubernetes/audit-policy.yaml
--audit-log-path=/var/log/kubernetes/audit.log
```
```yaml
# audit-policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # RequestResponse records full object bodies, so for secrets it writes the
  # secret contents into the audit log; the Kubernetes docs recommend Metadata for secrets
  - level: RequestResponse
    resources:
      - group: ""
        resources: ["pods", "secrets"]
  - level: Metadata
    resources:
      - group: "apps"
        resources: ["deployments"]
```
2. Runtime monitoring
```yaml
apiVersion: security.datadoghq.com/v1
kind: RuntimeSecurityPolicy
metadata:
  name: runtime-policy
spec:
  meta:
    runtimeType: syscall
  rules:
    - name: spawn_shell
      # Both predicates must hold: an exec event whose program is /bin/sh
      condition: evt.type == "exec" and evt.argv[0] == "/bin/sh"
      action:
        type: block
```
VIII. Summary
Container security best practices:
- Images: minimize, scan regularly
- Runtime: security context, PSP
- Network: NetworkPolicy
- Supply chain: signing, admission control
Personal opinion, for reference only.