Container Security Hardening
Security layers
1. Image security
2. Runtime security
3. Network security
4. Cluster security
5. Data security
Image security
Use trusted images
```dockerfile
# Use an official image
FROM node:18-alpine
# Pin the version
FROM node:18.17.0-alpine
# Pin by SHA256 digest (immutable, unlike a tag)
FROM node@sha256:abc123...
```
Image scanning
```bash
# Scan with Trivy
trivy image myapp:latest
# In CI/CD, fail only on high and critical findings
trivy image --severity HIGH,CRITICAL myapp:latest
# Scan with Snyk
snyk container test myapp:latest
```
Minimize the image
```dockerfile
# Multi-stage build: build tooling stays in the builder stage
FROM node:18-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build
# Drop devDependencies so they are not carried into the runtime image
RUN npm prune --omit=dev

FROM node:18-alpine
WORKDIR /app
# Run as an unprivileged user
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/node_modules ./node_modules
USER appuser
CMD ["node", "dist/index.js"]
```
Runtime security
Pod Security Policy
```yaml
# PodSecurityPolicy is served under policy/v1beta1 (there is no policy/v1 PSP).
# It was removed in Kubernetes 1.25; on newer clusters use Pod Security Admission
# (pod-security.kubernetes.io/enforce: restricted) to get the same effect.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
  - ALL
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'projected'
  - 'secret'
  - 'downwardAPI'
  - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
```
Container runtime security
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
spec:
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: myapp
        image: myapp:latest  # pin a version or sha256 digest in production (see image security)
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
            - ALL
        volumeMounts:
        - name: tmp
          mountPath: /tmp  # writable scratch space, since the root filesystem is read-only
      volumes:
      - name: tmp
        emptyDir: {}
```
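As an added example (not code from the original page), a small Python checker that applies the rules from the PodSecurityPolicy and the Deployment securityContext above to a pod spec and reports what is missing. The `audit_pod_spec` function and both sample specs are constructed here for illustration; it checks the pod-level `runAsNonRoot` only and treats an unset `allowPrivilegeEscalation` as a finding because Kubernetes defaults it to true.

```python
import re

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def audit_pod_spec(pod: dict) -> list:
    """Return hardening findings for a pod spec; an empty list means it passes."""
    findings = []
    psc = pod.get("securityContext", {})
    for host_ns in ("hostNetwork", "hostPID", "hostIPC"):
        if pod.get(host_ns):
            findings.append(f"pod: {host_ns} must be false")
    if not psc.get("runAsNonRoot"):
        findings.append("pod: securityContext.runAsNonRoot must be true")
    if psc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
        findings.append("pod: seccompProfile.type should be RuntimeDefault")
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        csc = c.get("securityContext", {})
        if csc.get("privileged"):
            findings.append(f"{name}: privileged must be false")
        # allowPrivilegeEscalation defaults to true when unset, so unset is a finding
        if csc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation must be false")
        if not csc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: readOnlyRootFilesystem should be true")
        if "ALL" not in csc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop must include ALL")
        if not DIGEST_RE.search(c.get("image", "")):
            findings.append(f"{name}: image should be pinned by sha256 digest")
    return findings


# Constructed sample: the hardened Deployment template above, image pinned by digest
HARDENED_POD = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "myapp", "image": "myapp@sha256:" + "0" * 64,
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "readOnlyRootFilesystem": True,
                                        "capabilities": {"drop": ["ALL"]}}}],
}
# Constructed sample: a typical unhardened spec
WEAK_POD = {"hostNetwork": True,
            "containers": [{"name": "web", "image": "nginx:latest",
                            "securityContext": {"privileged": True}}]}

if __name__ == "__main__":
    for label, spec in (("hardened", HARDENED_POD), ("weak", WEAK_POD)):
        print(label, audit_pod_spec(spec) or "OK")
```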
Network security
Network policies
```yaml
# Deny all ingress and egress for every pod in the namespace by default
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# Then allow traffic only within the same namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
spec:
  podSelector: {}
  ingress:
  - from:
    - podSelector: {}
  egress:
  - to:
    - podSelector: {}
  # DNS runs in kube-system, so the default-deny above would otherwise break
  # name resolution; allow port 53 to kube-dns explicitly
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```
Service mesh mTLS
```yaml
# Applies to the default namespace only; to enforce mesh-wide, create it in the
# root namespace (istio-system)
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: STRICT
```
Cluster security
RBAC
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: production
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: production
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```
Practice: hardening script
```bash
#!/bin/bash
set -euo pipefail
echo "=== Kubernetes security hardening ==="

# 1. RBAC is a kube-apiserver setting (--authorization-mode=Node,RBAC), not a
#    kubectl context option; here we only verify that the RBAC API is served
echo "Checking RBAC..."
kubectl api-versions | grep -q '^rbac.authorization.k8s.io/' || {
  echo "RBAC API not found: set --authorization-mode=Node,RBAC on kube-apiserver" >&2
  exit 1
}

# 2. Network policies
echo "Applying network policies..."
kubectl apply -f network-policies/

# 3. Pod security policies (removed in Kubernetes 1.25; use Pod Security Admission there)
echo "Applying pod security policies..."
kubectl apply -f pod-security-policies/

# 4. Secret encryption at rest: EncryptionConfiguration is not a cluster object, it is
#    read from disk by kube-apiserver via --encryption-provider-config
echo "Installing encryption config..."
cp encryption-config.yaml /etc/kubernetes/

# 5. Audit logging: kube-apiserver must reference the policy with
#    --audit-policy-file and write to --audit-log-path
echo "Installing audit policy..."
cp audit-policy.yaml /etc/kubernetes/audit/

echo "Hardening complete!"
```
Security scanning tools
```bash
# kube-bench - CIS benchmark checks
kube-bench run
# kube-hunter - cluster security scan
kube-hunter --remote 192.168.1.100
# Falco - runtime security monitoring
falco
```
Best practices
- Apply the principle of least privilege
- Sign and verify images
- Isolate the network
- Encrypt Secrets
- Run regular security audits
- Enable audit logging
Summary
Container security needs defense in depth. Combining image security, runtime security, network security and cluster security measures builds a secure containerized environment.