# Compliance and Auditing
## Compliance Frameworks

| Framework | Description | Applies to |
|---|---|---|
| SOC 2 | Service Organization Controls (trust services criteria) | SaaS providers |
| ISO 27001 | Information security management systems | International standard |
| GDPR | General Data Protection Regulation | Personal data of EU residents |
| PCI DSS | Payment Card Industry Data Security Standard | Payment systems |
| HIPAA | Health Insurance Portability and Accountability Act | Healthcare |
## Kubernetes Compliance

### Pod Security Standards

Pod Security Admission is configured per namespace with labels. `enforce` rejects pods that violate the profile, `audit` records a violation annotation in the audit log, and `warn` returns a warning to the client that submitted the pod. Note that `enforce` is applied on create and update only: pods that already exist in the namespace keep running, so check them with the `audit` and `warn` modes first.

```yaml
# Pod Security Admission: enforce, audit and warn on the restricted profile
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
```
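To see what the `restricted` label actually demands of a workload, the following added example (not code from the original page or from Kubernetes) re-implements a subset of the restricted profile checks in Python so that a manifest can be vetted before it is applied. The two sample pods are constructed for this example; the subset covers host namespaces, `privileged`, `allowPrivilegeEscalation`, capabilities, `runAsNonRoot` and the seccomp profile, and omits the volume-type and `runAsUser` checks of the real profile.

```python
"""Check a pod against a subset of the Pod Security Standards "restricted" profile.

Added example: re-implements some of the checks that the
pod-security.kubernetes.io/enforce=restricted label makes the admission
controller apply. Sample pods below are constructed for this example.
"""
from typing import Any, Dict, List


def _containers(spec: Dict[str, Any]) -> List[Dict[str, Any]]:
    """All regular, init and ephemeral containers of a pod spec."""
    return (spec.get("containers", []) + spec.get("initContainers", [])
            + spec.get("ephemeralContainers", []))


def restricted_violations(pod: Dict[str, Any]) -> List[str]:
    """Return human-readable violations; an empty list means the pod passes
    this subset of the restricted profile."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    violations: List[str] = []

    # Host namespace sharing is already forbidden by the baseline profile.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            violations.append(f"spec.{field} must be false or unset")

    for c in _containers(spec):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}

        if sc.get("privileged"):
            violations.append(f"container {name}: privileged is not allowed")

        # restricted: allowPrivilegeEscalation must be explicitly false
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"container {name}: allowPrivilegeEscalation must be false")

        # restricted: drop ALL, only NET_BIND_SERVICE may be added back
        caps = sc.get("capabilities") or {}
        if "ALL" not in caps.get("drop", []):
            violations.append(f"container {name}: capabilities.drop must include ALL")
        extra = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
        if extra:
            violations.append(f"container {name}: capabilities.add {sorted(extra)} not allowed")

        # restricted: runAsNonRoot true at container or pod level (container wins)
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f"container {name}: runAsNonRoot must be true")

        # restricted: seccomp RuntimeDefault or Localhost (container wins)
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            violations.append(f"container {name}: seccompProfile.type must be RuntimeDefault or Localhost")

    return violations


# Constructed sample: a "works on my machine" pod that restricted rejects.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "weak", "namespace": "production"},
    "spec": {
        "hostNetwork": True,
        "containers": [{"name": "app", "image": "example/app:1.0",
                        "securityContext": {"privileged": True}}],
    },
}

# The same pod hardened so that it passes the checks above.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "hardened", "namespace": "production"},
    "spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "app", "image": "example/app:1.0",
                        "securityContext": {
                            "allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]}}}],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        v = restricted_violations(pod)
        print(pod["metadata"]["name"], "OK" if not v else "\n  " + "\n  ".join(v))
```

Running the script reports six violations for `weak` and none for `hardened`; the same manifests submitted to the `production` namespace above would be rejected and admitted respectively.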
### Audit Logs

Audit policy rules are evaluated in order and the first matching rule decides the logging level. Secrets are logged at `Metadata` level on purpose: `Request` or `RequestResponse` would copy secret bodies into the audit log. The policy file is passed to the API server with `--audit-policy-file` and the log destination with `--audit-log-path`.

```yaml
# Audit policy: rules are evaluated in order and the first match wins
apiVersion: audit.k8s.io/v1
kind: Policy
# Skip the RequestReceived stage so each request is not logged twice
omitStages:
  - "RequestReceived"
rules:
  # Full request and response bodies for anything the anonymous user touches
  - level: RequestResponse
    resources:
      - group: ""
        resources: ["pods", "services"]
    users: ["system:anonymous"]
  # Metadata only for Secrets and ConfigMaps: who touched which object, never the body
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
  # Events are noisy and carry little security value
  - level: None
    resources:
      - group: ""
        resources: ["events"]
  # Catch-all: everything else at Metadata level. Without this rule, requests
  # matched by no rule are not logged at all.
  - level: Metadata
```
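The following added example (not code from the original page or from Kubernetes) re-implements the first-match semantics of `audit.k8s.io/v1` rules for the fields the policy above uses (`users`, and `resources` by API group and resource name), then runs two detections over audit events: anonymous requests that were not rejected, and Secret reads by human users. The rule list is the three resource rules from the policy above; the audit events are constructed for this example and follow the shape of real audit log lines.

```python
"""Evaluate an audit Policy against sample events and flag suspicious ones.

Added example: first-match rule evaluation for the `users` and `resources`
fields only, plus two detections. Events are constructed for this example.
"""
from typing import Any, Dict, List

# The three resource rules of the audit policy above, as the YAML decodes.
POLICY_RULES: List[Dict[str, Any]] = [
    {"level": "RequestResponse",
     "resources": [{"group": "", "resources": ["pods", "services"]}],
     "users": ["system:anonymous"]},
    {"level": "Metadata",
     "resources": [{"group": "", "resources": ["secrets", "configmaps"]}]},
    {"level": "None",
     "resources": [{"group": "", "resources": ["events"]}]},
]


def _resource_matches(rule: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """A rule without `resources` matches everything; otherwise the event's API
    group and resource must appear in one of the rule's resource entries."""
    if "resources" not in rule:
        return True
    obj = event.get("objectRef") or {}
    group, resource = obj.get("apiGroup", ""), obj.get("resource")
    for entry in rule["resources"]:
        if entry.get("group", "") != group:
            continue
        # an entry without `resources` matches every resource in that group
        if "resources" not in entry or resource in entry["resources"]:
            return True
    return False


def audit_level(rules: List[Dict[str, Any]], event: Dict[str, Any]) -> str:
    """First matching rule wins. An event matched by no rule is not logged,
    which is why a production policy should end with a catch-all rule."""
    user = (event.get("user") or {}).get("username")
    for rule in rules:
        if "users" in rule and user not in rule["users"]:
            continue
        if not _resource_matches(rule, event):
            continue
        return rule["level"]
    return "None"


def anonymous_successes(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Anonymous requests that were NOT rejected: 401/403 is expected noise,
    a 2xx from system:anonymous means something is reachable without auth."""
    return [e for e in events
            if (e.get("user") or {}).get("username") == "system:anonymous"
            and (e.get("responseStatus") or {}).get("code", 0) < 400]


def secret_reads_by_humans(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Reads of Secret objects by users outside the system:* namespace, the
    events the Metadata rule for secrets exists to produce."""
    return [e for e in events
            if (e.get("objectRef") or {}).get("resource") == "secrets"
            and e.get("verb") in ("get", "list", "watch")
            and not (e.get("user") or {}).get("username", "").startswith("system:")]


# Constructed sample events, trimmed to the fields the checks need.
SAMPLE_EVENTS = [
    {"verb": "get", "user": {"username": "system:anonymous"},
     "objectRef": {"resource": "pods", "namespace": "production"},
     "responseStatus": {"code": 403}},
    {"verb": "list", "user": {"username": "system:anonymous"},
     "objectRef": {"resource": "services", "namespace": "default"},
     "responseStatus": {"code": 200}},
    {"verb": "get", "user": {"username": "alice@example.com"},
     "objectRef": {"resource": "secrets", "namespace": "production",
                   "name": "db-credentials"},
     "responseStatus": {"code": 200}},
    {"verb": "create",
     "user": {"username": "system:serviceaccount:kube-system:deployment-controller"},
     "objectRef": {"apiGroup": "apps", "resource": "deployments", "namespace": "production"},
     "responseStatus": {"code": 201}},
    {"verb": "create", "user": {"username": "system:kube-scheduler"},
     "objectRef": {"resource": "events", "namespace": "production"},
     "responseStatus": {"code": 201}},
]

if __name__ == "__main__":
    catch_all = POLICY_RULES + [{"level": "Metadata"}]
    for e in SAMPLE_EVENTS:
        print(e["objectRef"]["resource"], audit_level(POLICY_RULES, e),
              "-> with catch-all:", audit_level(catch_all, e))
    print("anonymous successes:", [e["objectRef"]["resource"] for e in anonymous_successes(SAMPLE_EVENTS)])
    print("secret reads by humans:", [e["objectRef"]["name"] for e in secret_reads_by_humans(SAMPLE_EVENTS)])
```

The Deployment creation in the sample shows the gap: with only the three rules it is matched by nothing and is never written to the log, while the appended catch-all records it at `Metadata` level. The anonymous `list services` with a 200 response and the human read of `db-credentials` are the two events a reviewer would follow up.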
## AWS Compliance

### CloudTrail Configuration

A trail records API calls to an S3 bucket; the bucket policy must allow `cloudtrail.amazonaws.com` to write to it, and no events are recorded until logging is started. Log file validation adds signed digest files so that tampering with delivered logs can be detected later.

```bash
# Enable a multi-region trail with log file validation (signed digests
# that let you prove the delivered logs were not modified afterwards)
aws cloudtrail create-trail \
  --name my-trail \
  --s3-bucket-name my-cloudtrail-bucket \
  --is-multi-region-trail \
  --enable-log-file-validation
# A trail records nothing until logging is started
aws cloudtrail start-logging --name my-trail
```
### Config Rules

AWS Config rules evaluate resources continuously and flag the non-compliant ones. Managed rules only work once a configuration recorder exists and is recording, so create the `aws_config_configuration_recorder` first and make the rule depend on it.

```hcl
# Compliance rule: flag unencrypted EBS volumes using the AWS managed rule
resource "aws_config_config_rule" "encrypted_volumes" {
  name = "encrypted-volumes"

  source {
    owner             = "AWS"
    source_identifier = "ENCRYPTED_VOLUMES"
  }

  # Only evaluate EC2 volumes
  scope {
    compliance_resource_types = ["AWS::EC2::Volume"]
  }
}
```
## Practice: Compliance Check Script

The script below runs three checks against the current kubectl context. The encryption check cannot see encryption from the pod side (it is a property of the storage backend), so it lists every PVC with its StorageClass for comparison against the classes known to encrypt at rest; the network policy check only tests for the presence of a policy, so a namespace that passes still needs a default-deny policy to be reviewed by hand.

```bash
#!/bin/bash
# Compliance checks against the current kubectl context
set -uo pipefail

echo "=== Compliance check ==="

# 1. Storage encryption: encryption is a property of the storage backend, so
#    list every PVC with its StorageClass and compare against the classes that
#    encrypt at rest (e.g. an EBS StorageClass with parameter encrypted: "true").
echo "1. Checking PVC storage classes..."
kubectl get pvc -A -o json | jq -r '
  .items[] |
  "  \(.metadata.namespace)/\(.metadata.name) storageClass=\(.spec.storageClassName // "<default>")"'

# 2. Network policies: a namespace without any NetworkPolicy allows all traffic.
#    Presence of a policy is necessary, not sufficient: check for a default-deny.
echo "2. Checking network policies..."
for ns in $(kubectl get namespaces -o jsonpath='{.items[*].metadata.name}'); do
  if kubectl get networkpolicy -n "$ns" -o name 2>/dev/null | grep -q .; then
    echo "  ✓ $ns has network policies"
  else
    echo "  ✗ $ns missing network policies"
  fi
done

# 3. Pod Security Standards: report the enforce level of every namespace;
#    "<none>" means no Pod Security Admission enforcement in that namespace.
echo "3. Checking Pod Security Standards..."
kubectl get namespaces -o json | jq -r '
  .items[] |
  "  \(.metadata.name) enforce=\(.metadata.labels["pod-security.kubernetes.io/enforce"] // "<none>")"'
```
## Audit Report

```yaml
# Audit report template
report:
  period: 2024-Q1
  auditor: "Security Team"
  scope:
    - "Kubernetes clusters"
    - "AWS accounts"
    - "Applications"
  findings:
    - category: "Access control"
      status: "compliant"
      details: "RBAC is configured correctly"
    - category: "Data encryption"
      status: "non-compliant"
      details: "Some PVCs are not encrypted"
      recommendation: "Enable encryption in the StorageClass"
    - category: "Network security"
      status: "compliant"
      details: "Network policies are configured"
  recommendations:
    - priority: "high"
      action: "Enable PVC encryption"
      deadline: "2024-04-30"
    - priority: "medium"
      action: "Roll out Pod Security Standards"
      deadline: "2024-06-30"
```
## Continuous Compliance

Admission-time policy turns a periodic audit finding into a rejected request. A Gatekeeper ConstraintTemplate only defines the policy and its parameter schema; nothing is enforced until a `K8sRequiredLabels` constraint is created that selects the kinds and namespaces it applies to and supplies the `labels` parameter.

```yaml
# OPA Gatekeeper policy: require a configurable set of labels on objects
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        # Schema of the `parameters` block of each K8sRequiredLabels constraint
        openAPIV3Schema:
          type: object
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels

        violation[{"msg": msg}] {
          # labels present on the object under review
          provided := {label | input.review.object.metadata.labels[label]}
          # labels demanded by the constraint's parameters
          required := {label | label := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("Missing required labels: %v", [missing])
        }
```
## Best Practices

- Establish a compliance baseline
- Automate the checks
- Audit on a regular schedule
- Monitor continuously
- Document the process

## Summary

Compliance and auditing are an essential part of enterprise operations. A compliance framework, automated checks and regular audits together give evidence that systems meet security and regulatory requirements.