Kubernetes 容器安全最佳实践
一、前言
哥们,别整那些花里胡哨的。容器安全是 Kubernetes 环境中的重要环节,今天直接上硬货,教你如何加固容器安全。
二、容器安全威胁
| 威胁类型 | 风险等级 | 防护措施 |
|---|---|---|
| 镜像漏洞 | 高 | 镜像扫描 |
| 特权容器 | 高 | 限制权限 |
| 网络攻击 | 中 | 网络策略 |
| 数据泄露 | 高 | 密钥管理 |
| 运行时攻击 | 中 | 运行时监控 |
三、实战配置
1. 镜像安全
bash
# 安装 trivy
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.49.1
# 扫描镜像
trivy image nginx:latest
# 集成到 CI/CD
cat > .gitlab-ci.yml << 'EOF'
image_scanning:
stage: test
script:
- trivy image --severity HIGH,CRITICAL $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA
allow_failure: true
EOF2. 容器权限限制
yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: app
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: app
template:
metadata:
labels:
app: app
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
containers:
- name: app
image: nginx:latest
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
ports:
- containerPort: 80
volumeMounts:
- name: tmp
mountPath: /tmp
volumes:
- name: tmp
emptyDir: {}3. 网络安全
yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny
namespace: default
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: app-network-policy
namespace: default
spec:
podSelector:
matchLabels:
app: app
ingress:
- from:
- podSelector:
matchLabels:
app: frontend
ports:
- protocol: TCP
port: 80
egress:
- to:
- podSelector:
matchLabels:
app: backend
ports:
- protocol: TCP
port: 90004. 密钥管理
yaml
apiVersion: v1
kind: Secret
metadata:
name: app-secret
namespace: default
type: Opaque
data:
password: cGFzc3dvcmQ=
api-key: YXBpLWtleQ==
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: app
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: app
template:
metadata:
labels:
app: app
spec:
containers:
- name: app
image: nginx:latest
env:
- name: PASSWORD
valueFrom:
secretKeyRef:
name: app-secret
key: password
- name: API_KEY
valueFrom:
secretKeyRef:
name: app-secret
key: api-key四、容器安全优化
1. 运行时监控
使用 Falco 监控容器行为:
yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: falco
namespace: falco
spec:
selector:
matchLabels:
app: falco
template:
metadata:
labels:
app: falco
spec:
containers:
- name: falco
image: falcosecurity/falco:latest
securityContext:
privileged: true
volumeMounts:
- name: falco-config
mountPath: /etc/falco
volumes:
- name: falco-config
configMap:
name: falco-config2. 安全策略
yaml
apiVersion: policy/v1
kind: PodSecurityPolicy
metadata:
name: restricted
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
privileged: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 655353. 安全审计
yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: RequestResponse
resources:
- group: ""
resources: ["secrets", "configmaps"]
- level: Metadata
resources:
- group: ""
resources: ["pods", "services"]五、常见问题
1. 镜像漏洞
解决方案:
- 使用官方或经过验证的镜像
- 定期扫描镜像
- 及时更新镜像
2. 权限提升
解决方案:
- 限制容器权限
- 禁止特权容器
- 使用非 root 用户运行
3. 网络攻击
解决方案:
- 配置网络策略
- 启用 mTLS
- 限制网络访问
六、最佳实践总结
- 镜像安全:使用扫描工具检测漏洞
- 权限管理:限制容器权限,使用非 root 用户
- 网络安全:配置网络策略,隔离容器网络
- 密钥管理:使用 Secrets 管理敏感信息
- 运行时监控:使用 Falco 监控异常行为
- 安全审计:配置审计日志,追踪安全事件
七、总结
容器安全是 Kubernetes 环境中的重要环节。按照本文的最佳实践,你可以构建一个安全、可靠的容器环境,炸了!