Kubernetes Security Challenges

Kubernetes has become the de facto standard for container orchestration; more than 80% of enterprises worldwide run Kubernetes in production. Its complexity, however, brings a large number of security challenges. A Red Hat survey found that 93% of responding enterprises had experienced at least one Kubernetes security incident in the preceding 12 months.

Common Kubernetes security problems include an API Server exposed through misconfiguration, escape from privileged containers, image vulnerabilities, and insufficient network isolation.

Kubernetes Security Layers

| Security layer | Key measure          | Priority  | Tools / approach   |
|----------------|----------------------|-----------|--------------------|
| Cluster        | API Server hardening | Very high | RBAC, audit logs   |
| Node           | OS hardening         |           | CIS Benchmark      |
| Network        | Network policies     |           | Calico, Cilium     |
| Pod            | Security context     |           | PSA, OPA           |
| Container      | Image scanning       |           | Trivy, Snyk        |
| Runtime        | Behaviour monitoring |           | Falco              |

Cluster Hardening

API Server Security Configuration

# Key kube-apiserver security settings (static Pod manifest, security-relevant flags only)
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    # Assumed image tag; use the release that matches your cluster version
    image: registry.k8s.io/kube-apiserver:v1.30.0
    command:
    - kube-apiserver
    # Enable RBAC (and Node) authorization
    - --authorization-mode=RBAC,Node
    # Enable audit logging; without an audit policy file nothing is recorded,
    # so the policy path below is required (example path, adjust to your layout)
    - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
    - --audit-log-path=/var/log/kubernetes/audit.log
    - --audit-log-maxage=30
    - --audit-log-maxbackup=10
    - --audit-log-maxsize=100
    # Enable admission controllers
    - --enable-admission-plugins=NodeRestriction,PodSecurity
    # Disable anonymous access
    - --anonymous-auth=false
    # Enable TLS
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    # Encrypt Secrets (and other configured resources) at rest in etcd
    - --encryption-provider-config=/etc/kubernetes/enc/enc.yaml

RBAC Configuration Examples

# Create a read-only Role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: production
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
---
# Bind the Role to a user
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: production
subjects:
- kind: User
  name: developer
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
# A deliberately limited ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: restricted-admin
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "create", "update"]
  # Note: "delete" is intentionally not granted
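The roles above are hand-written to be minimal, but in a real cluster RBAC drifts toward wildcards and escalation verbs. The following is an added example (not code from the article) that audits Role/ClusterRole objects for the grants a reviewer would flag first: wildcards, the bind/escalate/impersonate verbs, read access to Secrets, and interactive pod subresources. The objects are embedded as already-parsed dicts (the shape `yaml.safe_load` would return) so it needs only the standard library; the check lists and the "too-much" ClusterRole are constructed for illustration.

```python
"""Audit RBAC Role/ClusterRole rules for over-broad grants (added example)."""
from typing import Dict, List

# Assumed policy of this checker: verbs that let a subject widen its own rights,
# and resources whose read access amounts to credential access.
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}
SENSITIVE_RESOURCES = {"secrets"}
INTERACTIVE_SUBRESOURCES = {"pods/exec", "pods/attach", "pods/portforward"}


def audit_rule(rule: Dict) -> List[str]:
    """Return human-readable findings for a single rules[] entry."""
    verbs = set(rule.get("verbs", []))
    resources = set(rule.get("resources", []))
    api_groups = set(rule.get("apiGroups", []))
    findings: List[str] = []
    if "*" in verbs or "*" in resources or "*" in api_groups:
        findings.append("wildcard in verbs, resources or apiGroups")
    if verbs & ESCALATION_VERBS:
        findings.append("privilege-escalation verbs: " + ", ".join(sorted(verbs & ESCALATION_VERBS)))
    if resources & SENSITIVE_RESOURCES and verbs & {"get", "list", "watch"}:
        findings.append("read access to secrets")
    if resources & INTERACTIVE_SUBRESOURCES and "create" in verbs:
        findings.append("interactive pod access: " + ", ".join(sorted(resources & INTERACTIVE_SUBRESOURCES)))
    return findings


def audit_role(role: Dict) -> List[str]:
    """Audit every rule of a Role or ClusterRole, prefixing findings with its name."""
    label = f"{role['kind']}/{role['metadata']['name']}"
    out: List[str] = []
    for idx, rule in enumerate(role.get("rules", [])):
        out.extend(f"{label} rules[{idx}]: {f}" for f in audit_rule(rule))
    return out


# The two objects from the article, as dicts.
POD_READER = {
    "kind": "Role", "metadata": {"name": "pod-reader", "namespace": "production"},
    "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
               "verbs": ["get", "list", "watch"]}],
}
RESTRICTED_ADMIN = {
    "kind": "ClusterRole", "metadata": {"name": "restricted-admin"},
    "rules": [
        {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list"]},
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "create", "update"]},
    ],
}
# Constructed counter-example: a ClusterRole that should never reach a developer.
OVERBROAD = {
    "kind": "ClusterRole", "metadata": {"name": "too-much"},
    "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
    ],
}

if __name__ == "__main__":
    for role in (POD_READER, RESTRICTED_ADMIN, OVERBROAD):
        print(role["metadata"]["name"], "->", audit_role(role) or "no findings")
```

Run it against the output of `kubectl get clusterroles -o json` by feeding each item to `audit_role`; the two roles from the article produce no findings, while the constructed ClusterRole yields one finding per rule.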

Pod Security Standards

Pod Security Admission (PSA)

From Kubernetes 1.25 onward, PSA is the recommended replacement for the deprecated PodSecurityPolicy:

# Configure Pod Security Standards for a namespace
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    # Enforce the restricted level: violating Pods are rejected
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    # Record baseline violations in the audit log
    pod-security.kubernetes.io/audit: baseline
    # Return a user-facing warning for restricted violations
    pod-security.kubernetes.io/warn: restricted

A Secure Pod Configuration

apiVersion: v1
kind: Pod
metadata:
  name: secure-app
  namespace: production
spec:
  # Run as a non-root user
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
    seccompProfile:
      type: RuntimeDefault

  containers:
  - name: app
    image: myapp:v1.0@sha256:abc123...  # pin by image digest
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
          - ALL
    resources:
      limits:
        cpu: "500m"
        memory: "256Mi"
      requests:
        cpu: "100m"
        memory: "128Mi"

    # Writable scratch space only under /tmp; configuration mounted read-only
    volumeMounts:
    - name: tmp
      mountPath: /tmp
    - name: config
      mountPath: /etc/app/config
      readOnly: true

  # Use emptyDir for temporary storage
  volumes:
  - name: tmp
    emptyDir: {}
  - name: config
    configMap:
      name: app-config

  # Do not auto-mount the ServiceAccount token
  automountServiceAccountToken: false
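PSA rejects a Pod at admission time, which is late for a deployment pipeline. The following is an added example (not code from the article or from the Kubernetes project) that re-implements the subset of the restricted-profile checks that the manifest above is designed to satisfy, so a manifest can be vetted in CI before it reaches the cluster. It handles the inheritance rule practitioners most often get wrong: container-level `securityContext` fields override the Pod-level ones, so `runAsNonRoot` and `seccompProfile` must be resolved per container. Manifests are embedded as dicts (the shape `yaml.safe_load` returns); `INSECURE_POD` is constructed for illustration.

```python
"""Check a Pod manifest against the Pod Security Standards "restricted" profile (added example)."""
from typing import Any, Dict, List

ALLOWED_CAP_ADDS = {"NET_BIND_SERVICE"}            # the only capability restricted permits adding
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}  # seccomp types restricted accepts


def effective(container_sc: Dict, pod_sc: Dict, key: str) -> Any:
    """Container-level securityContext fields override the Pod-level ones."""
    return container_sc[key] if key in container_sc else pod_sc.get(key)


def restricted_violations(pod: Dict) -> List[str]:
    """Return a list of violations; an empty list means the Pod would be admitted."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    violations: List[str] = []

    # Baseline rules: no host namespaces, no hostPath volumes
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            violations.append(f"spec.{field} must be false")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            violations.append(f"volume {vol.get('name')}: hostPath is not allowed")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            violations.append(f"{name}: privileged must be false")
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation must be set to false")
        caps = sc.get("capabilities") or {}
        if "ALL" not in caps.get("drop", []):
            violations.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add", [])) - ALLOWED_CAP_ADDS
        if extra:
            violations.append(f"{name}: capabilities.add only permits NET_BIND_SERVICE, got {sorted(extra)}")
        if effective(sc, pod_sc, "runAsNonRoot") is not True:
            violations.append(f"{name}: runAsNonRoot must be true")
        if effective(sc, pod_sc, "runAsUser") == 0:
            violations.append(f"{name}: runAsUser must not be 0")
        seccomp = effective(sc, pod_sc, "seccompProfile") or {}
        if seccomp.get("type") not in ALLOWED_SECCOMP:
            violations.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return violations


# The article's secure Pod, as a dict (image digest kept as the placeholder shown in the text).
SECURE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "secure-app", "namespace": "production"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "runAsGroup": 3000,
                            "fsGroup": 2000, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "app", "image": "myapp:v1.0@sha256:abc123...",
            "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}},
                    {"name": "config", "configMap": {"name": "app-config"}}],
        "automountServiceAccountToken": False,
    },
}
# Constructed counter-example: a "debug" Pod that shares the host PID namespace,
# mounts the host root and runs privileged.
INSECURE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug", "namespace": "production"},
    "spec": {
        "hostPID": True,
        "containers": [{"name": "debug", "image": "busybox",
                        "securityContext": {"privileged": True}}],
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
    },
}

if __name__ == "__main__":
    for pod in (SECURE_POD, INSECURE_POD):
        print(pod["metadata"]["name"], "->", restricted_violations(pod) or "admissible")
```

The secure Pod passes with no violations; the constructed debug Pod fails seven checks (host PID, hostPath, privileged, privilege escalation, capabilities, runAsNonRoot, seccomp), which is what the `enforce: restricted` label on the namespace would block.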

Network Policies

Deny All Traffic by Default

# Deny all ingress traffic by default
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
# Deny all egress traffic by default.
# Note: this also blocks DNS lookups; pair it with an egress rule that allows
# UDP/TCP port 53 to the cluster DNS service, or workloads cannot resolve names.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Egress
---
# Allow only specific traffic: frontend -> backend on TCP 8080
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: backend
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080

Image Security

# Scan an image for vulnerabilities with Trivy
trivy image --severity HIGH,CRITICAL myapp:v1.0

# Integrate the scan into CI/CD (.gitlab-ci.yml example);
# --exit-code 1 fails the pipeline when HIGH or CRITICAL findings exist
scan:
  stage: security
  image: aquasec/trivy:latest   # assumed scanner image; pin a version in production
  script:
    - trivy image --exit-code 1 --severity HIGH,CRITICAL $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

# Dockerfile best practices: multi-stage build, distroless runtime, non-root user
FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
# Install production dependencies only (--omit=dev replaces the deprecated --only=production)
RUN npm ci --omit=dev

FROM gcr.io/distroless/nodejs20-debian12
WORKDIR /app
COPY --from=builder /app/node_modules ./node_modules
COPY . .
USER nonroot:nonroot
EXPOSE 3000
CMD ["server.js"]
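`--exit-code 1` is a blunt gate: a CRITICAL finding with no fixed version blocks every build until upstream ships a patch. The following is an added example (not code from the article or from Trivy) that applies the same severity threshold to Trivy's JSON report (`trivy image --format json`) but lets a team record accepted findings with an expiry date, after which the build fails again. The report is constructed; its key names (`Results`, `Vulnerabilities`, `VulnerabilityID`, `Severity`, `PkgName`, `FixedVersion`) follow Trivy's JSON output as an assumption, and the CVE identifiers are placeholders, not real advisories.

```python
"""CI gate over a Trivy JSON report with time-limited exceptions (added example)."""
import json
from datetime import date
from typing import Dict, List, Optional, Tuple

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed report in Trivy's JSON layout (assumed); placeholder CVE ids.
SAMPLE_REPORT = json.loads("""
{"Results": [{"Target": "myapp:v1.0 (alpine)", "Vulnerabilities": [
  {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libcrypto3",
   "InstalledVersion": "3.1.0-r0", "FixedVersion": "3.1.4-r0", "Severity": "HIGH"},
  {"VulnerabilityID": "CVE-0000-00002", "PkgName": "busybox",
   "InstalledVersion": "1.36.0-r0", "FixedVersion": "", "Severity": "CRITICAL"},
  {"VulnerabilityID": "CVE-0000-00003", "PkgName": "zlib",
   "InstalledVersion": "1.2.13-r0", "FixedVersion": "1.3-r0", "Severity": "MEDIUM"}
]}]}
""")


def gate(report: Dict, threshold: str = "HIGH",
         exceptions: Optional[Dict[str, date]] = None,
         today: Optional[date] = None) -> Tuple[int, List[str]]:
    """Return (exit_code, blocking_ids).

    A finding blocks when its severity is at or above `threshold` and it is not
    listed in `exceptions` with an expiry date that is still in the future.
    `today` is injectable so the decision is reproducible in tests.
    """
    exceptions = exceptions or {}
    today = today or date.today()
    floor = SEVERITY_RANK[threshold.upper()]
    blocking: List[str] = []
    for result in report.get("Results", []):
        # Trivy omits or nulls "Vulnerabilities" for clean targets
        for vuln in result.get("Vulnerabilities") or []:
            vid = vuln["VulnerabilityID"]
            if SEVERITY_RANK.get(str(vuln.get("Severity", "UNKNOWN")).upper(), 0) < floor:
                continue
            expiry = exceptions.get(vid)
            if expiry is not None and today <= expiry:
                continue  # accepted risk, still inside its review window
            blocking.append(vid)
    return (1 if blocking else 0), blocking


if __name__ == "__main__":
    # Hypothetical exception: no fix available for the busybox finding, reviewed again by mid-year
    accepted = {"CVE-0000-00002": date(2025, 6, 30)}
    code, ids = gate(SAMPLE_REPORT, "HIGH", accepted, today=date(2025, 1, 1))
    print("exit", code, "blocking", ids)
```

Drive it from the pipeline with `trivy image --format json -o report.json ...` and exit with the returned code; keep the exception map in version control next to the Dockerfile so the accepted-risk decision is reviewable.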

Runtime Security Monitoring

Use Falco to detect anomalous behaviour at runtime:

# falco-rules.yaml
- rule: Terminal shell in container
  desc: Detect an interactive shell inside a container
  condition: >
    spawned_process and container
    and shell_procs and proc.tty != 0
  output: >
    Shell spawned in container
    (user=%user.name container=%container.name shell=%proc.name)
  priority: WARNING

- rule: Write below root filesystem
  desc: Detect writes to a container's root filesystem
  # open_write is the Falco macro for file opens with write intent;
  # extend the excluded directories to match your workloads' scratch paths
  condition: >
    open_write and container
    and not fd.directory in (/tmp, /var/log)
  output: >
    File write to root filesystem
    (user=%user.name file=%fd.name container=%container.name)
  priority: ERROR
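Falco emits one event per match, so a single shell spawned by an operator and a burst of shells in one container look the same until something correlates them. The following is an added example (not code from the article or from Falco) that reads Falco's JSON event stream (`json_output: true`), pages immediately on ERROR-and-above events such as the root-filesystem write rule, and escalates a WARNING rule only when it repeats in the same container. The event lines are constructed; their field layout (`time`, `priority`, `rule`, `output`, `output_fields`) follows Falco's JSON output as an assumption, and the repeat threshold is illustrative.

```python
"""Triage Falco JSON events: page on errors and on repeated warnings per container (added example)."""
import json
from collections import Counter
from typing import Dict, Iterable, List

ESCALATE_PRIORITIES = {"EMERGENCY", "ALERT", "CRITICAL", "ERROR"}
REPEAT_THRESHOLD = 3  # assumed: the Nth WARNING of one rule in one container pages

# Constructed Falco-style events (assumed layout); one malformed line is included on purpose.
SAMPLE_EVENTS = """
{"time":"2024-05-01T10:00:01Z","priority":"Warning","rule":"Terminal shell in container","output":"Shell spawned in container (user=root container=web-7d9f shell=sh)","output_fields":{"container.name":"web-7d9f","user.name":"root","proc.name":"sh"}}
{"time":"2024-05-01T10:00:05Z","priority":"Warning","rule":"Terminal shell in container","output":"Shell spawned in container (user=root container=web-7d9f shell=bash)","output_fields":{"container.name":"web-7d9f","user.name":"root","proc.name":"bash"}}
this line is not JSON and must be skipped
{"time":"2024-05-01T10:00:09Z","priority":"Error","rule":"Write below root filesystem","output":"File write to root filesystem (user=app file=/usr/bin/x container=api-1)","output_fields":{"container.name":"api-1","user.name":"app","fd.name":"/usr/bin/x"}}
{"time":"2024-05-01T10:00:12Z","priority":"Warning","rule":"Terminal shell in container","output":"Shell spawned in container (user=deploy container=batch-1 shell=sh)","output_fields":{"container.name":"batch-1","user.name":"deploy","proc.name":"sh"}}
{"time":"2024-05-01T10:00:20Z","priority":"Warning","rule":"Terminal shell in container","output":"Shell spawned in container (user=root container=web-7d9f shell=sh)","output_fields":{"container.name":"web-7d9f","user.name":"root","proc.name":"sh"}}
""".strip().splitlines()


def parse_events(lines: Iterable[str]) -> Iterable[Dict]:
    """Yield parsed events, skipping blank or malformed lines instead of crashing the consumer."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def triage(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the alerts that should page someone, in arrival order."""
    alerts: List[Dict[str, str]] = []
    repeats: Counter = Counter()
    for ev in parse_events(lines):
        fields = ev.get("output_fields") or {}
        container = fields.get("container.name", "host")
        rule = ev.get("rule", "?")
        priority = str(ev.get("priority", "")).upper()
        if priority in ESCALATE_PRIORITIES:
            alerts.append({"container": container, "rule": rule,
                           "time": ev.get("time", ""), "reason": f"priority {priority}"})
            continue
        repeats[(container, rule)] += 1
        if repeats[(container, rule)] == REPEAT_THRESHOLD:
            alerts.append({"container": container, "rule": rule, "time": ev.get("time", ""),
                           "reason": f"{REPEAT_THRESHOLD} x {priority} for the same rule"})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

On the sample stream the root-filesystem write in `api-1` pages at once, the three shells in `web-7d9f` page on the third occurrence, and the single shell in `batch-1` is only logged. In production, feed the function from Falco's file or HTTP output and reset the counter on a time window rather than per batch.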

Security Audit Checks

# Check CIS Benchmark compliance with kube-bench (runs as a Kubernetes Job)
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml

# View the results once the Job has completed
kubectl logs job/kube-bench

# Audit workload configuration in a namespace with kubeaudit
kubeaudit all -n production

Combined with the operating-system measures described under server security hardening and regular scans with the audit tools above, this builds a complete container security defence.

Summary

Kubernetes security is a multi-layered engineering effort. From cluster configuration to Pod security, from network isolation to runtime monitoring, every layer needs appropriate controls. Following the principle of least privilege, using secure defaults, and continuously monitoring and auditing: these are the key practices for keeping a Kubernetes environment secure.