K8s Deployment, section 2.5: Security Hardening Configuration (published with MrDoc)
# K8s Security Hardening Configuration

## 📖 Overview

This document provides a complete security hardening configuration for a production Kubernetes environment.

## 🎯 Security Strategy

1. **Pod Security Standards**: replaces the deprecated PodSecurityPolicy (PSP)
2. **Network Policy**: network isolation and access control
3. **OPA/Gatekeeper**: policy as code
4. **RBAC**: principle of least privilege
5. **Secrets management**: external key management
6. **Audit logging**: record all critical operations
7. **Image security**: scanning and signature verification
8. **Node hardening**: CIS Benchmark

## 📄 Full Configuration

The full configuration is long (about 500 lines); only the key parts are extracted here. See the original file for the complete version.

### 1. Pod Security Standards

Pod Security Admission is built into the API server (stable since Kubernetes 1.25, the release that removed PSP) and is driven entirely by namespace labels. `enforce` rejects violating pods, `audit` only records a violation in the audit log, and `warn` returns a warning to the client, so a namespace can enforce one level while auditing against a stricter one.

```yaml
# Enable the Restricted profile for the production namespace
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
    env: prod
---
# Baseline profile for the canary (gray-release) namespace, audited against Restricted
apiVersion: v1
kind: Namespace
metadata:
  name: staging
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/audit: restricted
    env: gray
```

### 2. Network Policy (default deny)

NetworkPolicies are additive: as soon as any policy selects a pod for a direction, that pod only accepts the traffic some policy explicitly allows in that direction. A default deny for both directions therefore has to be paired with explicit allows for both ingress and egress. The objects only take effect if the CNI enforces them; Calico (section 2.2) does, a CNI without policy support silently ignores them.

```yaml
# Production: deny all ingress and egress by default
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Allow traffic within the namespace, in both directions. The original policy
# allowed ingress only, which left pod-to-pod calls blocked by the egress
# default deny above.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector: {}
  egress:
    - to:
        - podSelector: {}
---
# Allow DNS lookups to kube-system (CoreDNS)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              # kube-system carries no "name" label by default, so the original
              # selector (name: kube-system) matched nothing. The automatic
              # kubernetes.io/metadata.name label (Kubernetes 1.22+) does match.
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP   # resolvers fall back to TCP for large responses
          port: 53
```

### 3. OPA/Gatekeeper Policies

Each constraint below needs its ConstraintTemplate installed first; the constraint's `kind` is the CRD the template creates. `K8sPSPPrivilegedContainer` and `K8sRequiredResources` come from gatekeeper-library (the latter takes `limits` and `requests` lists naming the resources that must be set, so check the template you install for the parameters it expects). `K8sTrustedImages` is not a gatekeeper-library template and must be defined in the full configuration file; the library's equivalent is `K8sAllowedRepos`, which takes the same `repos` list of image prefixes. Gatekeeper only evaluates objects at admission time; already-running workloads are reported by its audit controller in the constraint status rather than evicted.

```yaml
# Enforce trusted image registries
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sTrustedImages
metadata:
  name: trusted-images-prod
spec:
  match:
    namespaces: ["production", "staging"]
  parameters:
    repos:
      - "harbor.ktnet.cc/"
      - "registry.k8s.io/"
      - "ghcr.io/"
---
# Deny privileged containers (gatekeeper-library kind; the original had a typo, K8sPSPrivilegedContainer)
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: deny-privileged-containers
spec:
  match:
    namespaces: ["production", "staging"]
    excludedNamespaces: ["kube-system", "monitoring", "ingress-nginx"]
---
# Require resource requests and limits
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: require-resources-prod
spec:
  match:
    namespaces: ["production"]
```

### 4. RBAC Least Privilege

```yaml
# Developer role (read-only)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer-readonly
  namespace: development
rules:
  - apiGroups: ["", "apps", "batch"]
    resources: ["pods", "deployments", "services", "jobs", "cronjobs"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get", "list"]
---
# Operator role (manages production)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: operator-prod
  namespace: production
rules:
  - apiGroups: ["", "apps", "batch", "networking.k8s.io"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]   # allow exec into containers
```

A wildcard in RBAC matches subresources too, so `resources: ["*"]` on the core group already grants `pods/exec` (the second rule is redundant) as well as reading `secrets` and creating `serviceaccounts/token`. For a role that is meant to be least privilege, enumerate the resources the operators actually manage instead of `*`, and bind the role to a group rather than to individual users.

### 5. API Audit Logging

Audit policy rules are evaluated in order and the first match wins, so the catch-all rule must stay last. The original recorded Secrets at `RequestResponse` level, which writes the secret data itself into the audit log; the Kubernetes audit documentation recommends `Metadata` for Secrets, ConfigMaps and TokenReviews for exactly that reason. Note also that the policy cannot single out rejected requests: the last rule records every remaining request at `Metadata` level, and 403s are then filtered out of the log afterwards by `responseStatus.code`.

```yaml
# API server audit policy (/etc/kubernetes/audit-policy.yaml)
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # Record every operation on Secrets, but never the secret data
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets"]
  # Record all RBAC changes with full request and response bodies
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: "rbac.authorization.k8s.io"
  # Record exec/port-forward (high-risk operations)
  - level: Metadata
    verbs: ["create"]
    resources:
      - group: ""
        resources: ["pods/exec", "pods/portforward"]
  # Catch-all: everything else at Metadata level, including denied requests (must be last)
  - level: Metadata
    omitStages:
      - RequestReceived
```

### 6. Node Hardening

```bash
#!/bin/bash
# Node hardening script (CIS Benchmark), Debian/Ubuntu
set -euo pipefail

# 1. Disable unneeded services (ignore units that are not installed)
systemctl disable --now cups avahi-daemon 2>/dev/null || true

# 2. Kernel security parameters, in a drop-in file so reruns do not append duplicates
cat > /etc/sysctl.d/99-k8s-hardening.conf << 'EOF'
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
EOF
sysctl --system

# 3. Disable core dumps (idempotent)
grep -q '^\* hard core 0' /etc/security/limits.conf || echo "* hard core 0" >> /etc/security/limits.conf

# 4. Audit writes to critical files
apt-get install -y auditd
cat > /etc/audit/rules.d/k8s.rules << 'EOF'
-w /etc/kubernetes/ -p wa -k k8s-config
-w /var/lib/kubelet/ -p wa -k kubelet
EOF
augenrules --load
systemctl restart auditd

# 5. Update the system (kernel updates need a reboot; run on a drained node)
apt-get update && apt-get upgrade -y
```

## 🔧 Deployment Steps

### 1. Install Gatekeeper

```bash
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/v3.14.0/deploy/gatekeeper.yaml

# Wait until the controller and audit pods are ready
kubectl wait --for=condition=ready pod -l gatekeeper.sh/system=yes -n gatekeeper-system --timeout=300s
```

### 2. Apply the security policies

```bash
# Apply all security configuration; ConstraintTemplates must exist before the Constraints that use them
kubectl apply -f solutions/security-hardening.yaml

# Verify
kubectl get constraints
kubectl get networkpolicy --all-namespaces

# Existing workloads are not re-admitted; the audit controller reports their violations here
kubectl get constraints -o jsonpath='{range .items[*]}{.metadata.name}{": "}{.status.totalViolations}{"\n"}{end}'

# PSS check: the restricted namespace must reject a privileged pod (expect "violates PodSecurity")
kubectl -n production run pss-test --image=busybox --privileged --dry-run=server -o name
```

### 3. Enable API auditing

```bash
# Create the audit policy file on every control-plane node
cat > /etc/kubernetes/audit-policy.yaml <<'EOF'
# paste the audit policy above
EOF
mkdir -p /var/log/kubernetes

# Edit the kube-apiserver static pod manifest
# /etc/kubernetes/manifests/kube-apiserver.yaml and add to the command:
#   --audit-policy-file=/etc/kubernetes/audit-policy.yaml
#   --audit-log-path=/var/log/kubernetes/audit.log
#   --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100
# The kubelet restarts the static pod automatically when the manifest changes; verify:
crictl ps --name kube-apiserver
tail -n 3 /var/log/kubernetes/audit.log
```

Because the API server runs as a static pod, the policy file and the log directory must also be added to that manifest as `hostPath` volumes with matching `volumeMounts`; without the mounts the container cannot read the policy and the API server fails to start.

### 4. Node hardening

```bash
# Run the hardening script on every node, one drained node at a time
kubectl drain <node> --ignore-daemonsets --delete-emptydir-data
bash /path/to/hardening.sh
kubectl uncordon <node>
```

## ⚠️ Notes

- **Production**: all of the security policies above must be enabled
- **Test environments**: policies may be relaxed to ease development
- **Audit logs**: archive them regularly so the control-plane disk does not fill up; the `--audit-log-max*` flags only rotate locally
- **Image security**: use Harbor's built-in Trivy scanning
- **Regular review**: review security policies and permissions monthly

## 📁 Original File

The original YAML configuration file is at `solutions/security-hardening.yaml` (full 500-line configuration).

## 🔗 Related Documents

- Architecture: [1.1、最终架构方案.md](./1.1、最终架构方案.md)
- Deployment guide: [1.5、云C部署指南.md](./1.5、云C部署指南.md)

---

**Updated:** 2025-01-22
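The following Python model is added here as an editor's example; it is not code from the page or from any Kubernetes project. It evaluates the production NetworkPolicies of section 2 the way the API semantics define them (a pod is isolated for a direction as soon as any policy selecting it lists that direction in `policyTypes`, and an isolated pod only accepts traffic some rule of some selecting policy matches) and shows two outcomes a practitioner should check before trusting a default deny: with only an ingress allow inside the namespace, pod-to-pod calls are still blocked by the egress default deny, and a `namespaceSelector` on a bare `name: kube-system` label never matches because kube-system only carries the automatic `kubernetes.io/metadata.name` label. Pod names, labels and the policy dicts (which mirror the YAML) are constructed for the example; `ipBlock` peers and `endPort` ranges are not modelled.

```python
"""Model NetworkPolicy semantics to see what the production policies allow.

Added example, not part of the original page or of any Kubernetes project.
Pods, namespace labels and policy dicts below are constructed; ipBlock peers
and endPort ranges are not modelled.
"""
from dataclasses import dataclass, field


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)


# Namespace labels as the API server sets them on 1.22+: kubernetes.io/metadata.name
# is added automatically, a bare "name" label is not.
NAMESPACE_LABELS = {
    "production": {"kubernetes.io/metadata.name": "production", "env": "prod"},
    "staging": {"kubernetes.io/metadata.name": "staging", "env": "gray"},
    "kube-system": {"kubernetes.io/metadata.name": "kube-system"},
}


def policy(name, namespace, **spec):
    """Build a NetworkPolicy object with the same shape as the YAML."""
    return {"metadata": {"name": name, "namespace": namespace}, "spec": spec}


KUBE_SYSTEM = {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}}}
DNS_PORTS = [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]

DEFAULT_DENY = policy("default-deny-all", "production", podSelector={},
                      policyTypes=["Ingress", "Egress"])
# allow-same-namespace as the page originally wrote it: ingress only
ALLOW_SAME_NS_INGRESS = policy("allow-same-namespace", "production", podSelector={},
                               policyTypes=["Ingress"], ingress=[{"from": [{"podSelector": {}}]}])
ALLOW_DNS = policy("allow-dns", "production", podSelector={}, policyTypes=["Egress"],
                   egress=[{"to": [KUBE_SYSTEM], "ports": DNS_PORTS}])
# Same policy selecting a bare "name" label: kube-system has no such label
ALLOW_DNS_WRONG_LABEL = policy("allow-dns", "production", podSelector={}, policyTypes=["Egress"],
                               egress=[{"to": [{"namespaceSelector": {"matchLabels": {"name": "kube-system"}}}],
                                       "ports": DNS_PORTS}])
# Egress inside the namespace; without it the egress default deny blocks pod-to-pod calls
ALLOW_SAME_NS_EGRESS = policy("allow-same-namespace-egress", "production", podSelector={},
                              policyTypes=["Egress"], egress=[{"to": [{"podSelector": {}}]}])


def selector_matches(selector, labels):
    """matchLabels only; the empty selector {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, policy_ns, pod):
    """A from/to entry: podSelector alone is scoped to the policy's own namespace,
    namespaceSelector alone means every pod in the matching namespaces, both means AND."""
    if "ipBlock" in peer:
        return False
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None:
        ns_ok = pod.namespace == policy_ns
    else:
        ns_ok = selector_matches(ns_sel, NAMESPACE_LABELS.get(pod.namespace, {}))
    pod_ok = pod_sel is None or selector_matches(pod_sel, pod.labels)
    return ns_ok and pod_ok


def port_matches(rule, port, protocol):
    ports = rule.get("ports")
    if not ports:
        return True  # no ports listed means every port
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)


def policy_types(spec):
    """Default when policyTypes is omitted: Ingress, plus Egress if egress rules exist."""
    return spec.get("policyTypes") or (["Ingress", "Egress"] if "egress" in spec else ["Ingress"])


def direction_allowed(policies, pod, peer, port, protocol, direction):
    """direction 'Ingress': peer -> pod; 'Egress': pod -> peer."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == pod.namespace
                 and selector_matches(p["spec"].get("podSelector", {}), pod.labels)
                 and direction in policy_types(p["spec"])]
    if not selecting:
        return True  # nothing selects this pod for this direction: not isolated
    peers_key = "from" if direction == "Ingress" else "to"
    for pol in selecting:
        for rule in pol["spec"].get(direction.lower()) or []:
            peers = rule.get(peers_key)
            peer_ok = not peers or any(peer_matches(pe, pol["metadata"]["namespace"], peer) for pe in peers)
            if peer_ok and port_matches(rule, port, protocol):
                return True
    return False


def allowed(policies, src, dst, port, protocol="TCP"):
    """src -> dst:port works only if src may egress to dst AND dst may ingress from src."""
    return (direction_allowed(policies, src, dst, port, protocol, "Egress")
            and direction_allowed(policies, dst, src, port, protocol, "Ingress"))


WEB = Pod("web-0", "production", {"app": "web"})
API = Pod("api-0", "production", {"app": "api"})
COREDNS = Pod("coredns-0", "kube-system", {"k8s-app": "kube-dns"})
STAGING_TOOL = Pod("tool-0", "staging")

PAGE_POLICIES = [DEFAULT_DENY, ALLOW_SAME_NS_INGRESS, ALLOW_DNS]
FIXED_POLICIES = PAGE_POLICIES + [ALLOW_SAME_NS_EGRESS]

if __name__ == "__main__":
    for label, pols in (("ingress-only", PAGE_POLICIES), ("with-egress", FIXED_POLICIES)):
        print(label, "web->api:8080", allowed(pols, WEB, API, 8080))
        print(label, "web->coredns:53/udp", allowed(pols, WEB, COREDNS, 53, "UDP"))
        print(label, "staging->api:8080", allowed(pols, STAGING_TOOL, API, 8080))
    print("dns policy with name=kube-system label:",
          allowed([DEFAULT_DENY, ALLOW_DNS_WRONG_LABEL], WEB, COREDNS, 53, "UDP"))
```

The model evaluates both ends of a connection separately, which is the reason the ingress-only set fails: `api-0` would accept the connection, but `web-0` is isolated for egress by `default-deny-all` and only `allow-dns` grants it anything. In a real cluster the same check is `kubectl exec` plus `nc -zv` from the source pod, but the model lets you reason about a policy set before it is applied.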
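As an added example for section 5 (not code from the page), the script below reads kube-apiserver audit output in its JSON-lines form and triages it against the events the audit policy is meant to capture: exec/port-forward into pods, Secret reads by human users or mass `list`s, RBAC writes (cluster-scoped ones rated higher) and requests the API server rejected with 403. A request produces one record per stage, so records are collapsed per `auditID` before the rules run. The audit events are constructed to match the `audit.k8s.io/v1` Event shape; the usernames, namespaces and auditIDs are made up.

```python
"""Triage kube-apiserver audit events (JSON lines) against the hardening policy above.

Added example, not part of the original page. SAMPLE_AUDIT_LOG is constructed to
look like audit.k8s.io/v1 Event records; names, users and IDs are made up.
"""
import json
import sys
from collections import Counter

SAMPLE_AUDIT_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"RequestReceived","requestURI":"/api/v1/namespaces/production/pods/web-0/exec?command=sh","verb":"create","user":{"username":"alice","groups":["operators"]},"objectRef":{"resource":"pods","namespace":"production","name":"web-0","subresource":"exec"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/production/pods/web-0/exec?command=sh","verb":"create","user":{"username":"alice","groups":["operators"]},"objectRef":{"resource":"pods","namespace":"production","name":"web-0","subresource":"exec"},"responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a2","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/production/secrets/db-creds","verb":"get","user":{"username":"system:serviceaccount:production:web","groups":["system:serviceaccounts"]},"objectRef":{"resource":"secrets","namespace":"production","name":"db-creds"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","verb":"create","user":{"username":"bob","groups":["developers"]},"objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io","name":"bob-admin"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a4","stage":"ResponseComplete","requestURI":"/apis/rbac.authorization.k8s.io/v1/namespaces/production/rolebindings","verb":"create","user":{"username":"alice","groups":["operators"]},"objectRef":{"resource":"rolebindings","apiGroup":"rbac.authorization.k8s.io","namespace":"production","name":"ci-deployer"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/production/pods","verb":"list","user":{"username":"carol","groups":["developers"]},"objectRef":{"resource":"pods","namespace":"production"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a6","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/production/pods/web-0/portforward","verb":"create","user":{"username":"system:serviceaccount:kube-system:deployment-controller","groups":["system:serviceaccounts"]},"objectRef":{"resource":"pods","namespace":"production","name":"web-0","subresource":"portforward"},"responseStatus":{"code":101}}
"""

HIGH_RISK_SUBRESOURCES = {"exec", "portforward"}
RBAC_GROUP = "rbac.authorization.k8s.io"
WRITE_VERBS = {"create", "update", "patch", "delete"}


def parse_events(text):
    """Parse JSON-lines audit output into one Event per auditID.

    A request emits a record per stage (RequestReceived, ResponseStarted,
    ResponseComplete); the last record seen wins so responseStatus is present.
    Lines that are not valid JSON (e.g. cut by log rotation) are skipped."""
    events = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("kind") == "Event" and ev.get("auditID"):
            events[ev["auditID"]] = ev
    return list(events.values())


def is_human(user):
    """Kubernetes reserves the system: prefix for service accounts and components."""
    return not user.get("username", "").startswith("system:")


def classify(ev):
    """Return the (rule, severity) pairs an event trips; an event may trip several."""
    ref = ev.get("objectRef", {})
    user = ev.get("user", {})
    verb = ev.get("verb")
    code = ev.get("responseStatus", {}).get("code")
    hits = []
    if ref.get("resource") == "pods" and ref.get("subresource") in HIGH_RISK_SUBRESOURCES:
        hits.append(("exec-or-portforward", "high"))
    if ref.get("resource") == "secrets":
        # a workload reading its own secret is normal; a person reading one, or
        # anyone enumerating them, is worth a look
        if verb == "list" or (verb in {"get", "watch"} and is_human(user)):
            hits.append(("secret-read", "medium"))
    if ref.get("apiGroup") == RBAC_GROUP and verb in WRITE_VERBS:
        cluster_scoped = "namespace" not in ref  # ClusterRole / ClusterRoleBinding
        hits.append(("rbac-change", "high" if cluster_scoped else "medium"))
    if code == 403:
        hits.append(("request-denied", "low"))
    return hits


def triage(text):
    """Run every event through classify() and flatten the hits into findings."""
    findings = []
    for ev in parse_events(text):
        for rule, severity in classify(ev):
            findings.append({
                "auditID": ev["auditID"], "rule": rule, "severity": severity,
                "user": ev.get("user", {}).get("username", "?"), "verb": ev.get("verb"),
                "status": ev.get("responseStatus", {}).get("code"), "uri": ev.get("requestURI"),
            })
    return findings


def summarize(findings):
    """Count findings per rule."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    # pipe a real log in (python3 audit_triage.py < /var/log/kubernetes/audit.log) or run on the sample
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT_LOG
    results = triage(text)
    for f in results:
        print(f"[{f['severity']:6}] {f['rule']:20} {f['user']:45} {f['verb']:6} {f['status']} {f['uri']}")
    print(dict(summarize(results)))
```

On the sample, `a1` and `a6` trip the exec/port-forward rule (the second one because a service account doing port-forward is unusual), `a3` is both an attempted cluster-wide RBAC change and a denied request, `a4` is a namespaced RBAC change, and the workload reading its own Secret in `a2` is deliberately left alone. Because the policy records RBAC changes at `RequestResponse` level, a real `a4` record also carries the new binding's subjects in `requestObject`, which is the field to inspect next.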
arise, 22 November 2025 09:49