# Kubernetes and Security Compliance Best Practices
Published: 2026/5/21 18:47:32
## 1. Introduction

Bro, skip the fancy stuff. Security compliance is a core requirement for production Kubernetes, so today we go straight to the hard goods: how to implement security compliance in Kubernetes.

## 2. Security compliance frameworks

| Framework | Applicable scenario | Core requirement |
| --- | --- | --- |
| CIS Kubernetes Benchmark | General security configuration | Security baseline |
| PCI DSS | Payment industry | Data protection |
| GDPR | EU data | Data privacy |
| HIPAA | Healthcare industry | Protection of medical data |

## 3. Hands-on configuration

### 3.1 CIS benchmark configuration

```yaml
# PodSecurityPolicy only ever existed as policy/v1beta1 and was removed in Kubernetes 1.25.
# On current clusters enforce the same baseline with Pod Security Admission, e.g. the
# namespace label pod-security.kubernetes.io/enforce: restricted
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
    apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
    seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
    apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  # only non-host volume types are allowed; hostPath is deliberately absent
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
```

### 3.2 Network security configuration

```yaml
# Deny all ingress and egress for every pod in the namespace by default
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: default
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Then open only the flows the app actually needs
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: app-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: app
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 80
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: backend
      ports:
        - protocol: TCP
          port: 9000
    # default-deny also blocks DNS, so allow lookups to kube-dns or the
    # "backend" service name will never resolve
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

### 3.3 Secret management

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: app-secret
  namespace: default
type: Opaque
data:
  # placeholder values: base64 of "password" and "api-key". base64 is encoding,
  # not encryption, so enable encryption at rest (EncryptionConfiguration) for real Secrets
  password: cGFzc3dvcmQ=
  api-key: YXBpLWtleQ==
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
        - name: app
          image: nginx:latest
          # inject the Secret keys as environment variables instead of hard-coding them
          env:
            - name: PASSWORD
              valueFrom:
                secretKeyRef:
                  name: app-secret
                  key: password
            - name: API_KEY
              valueFrom:
                secretKeyRef:
                  name: app-secret
                  key: api-key
```

### 3.4 Audit log configuration

```yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # Secrets and ConfigMaps carry sensitive data: RequestResponse would copy their
  # contents into the audit log, so record who touched them (Metadata) and no more
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
  - level: Metadata
    resources:
      - group: ""
        resources: ["pods", "services"]
  - level: None
    resources:
      - group: ""
        resources: ["events"]
  # rules are matched in order and a request that matches no rule is not logged,
  # so close with a catch-all
  - level: Metadata
```

## 4. Security compliance optimization

### 4.1 Image security

```bash
# Install trivy
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.49.1

# Scan an image
trivy image nginx:latest

# Integrate into CI/CD (the quoted EOF keeps the $CI_* variables literal so GitLab expands them)
cat > .gitlab-ci.yml <<'EOF'
image_scanning:
  stage: test
  script:
    # --exit-code 1 makes the job fail on HIGH/CRITICAL findings; without it trivy always exits 0
    - trivy image --exit-code 1 --severity HIGH,CRITICAL $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA
  allow_failure: true   # switch to false once findings should block the pipeline
EOF
```

### 4.2 Runtime monitoring

```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: falco
  namespace: falco
spec:
  selector:
    matchLabels:
      app: falco
  template:
    metadata:
      labels:
        app: falco
    spec:
      containers:
        - name: falco
          image: falcosecurity/falco:latest
          securityContext:
            # required to load the Falco driver; the falco namespace therefore needs an
            # exemption from the restricted policy in section 3.1
            privileged: true
          volumeMounts:
            - name: falco-config
              mountPath: /etc/falco
      volumes:
        - name: falco-config
          configMap:
            name: falco-config
```

### 4.3 Permission management

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: restricted-pod-reader
rules:
  - apiGroups: [""]   # "" is the core API group that contains pods
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: restricted-pod-reader-binding
subjects:
  - kind: Group
    name: developers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: restricted-pod-reader
  apiGroup: rbac.authorization.k8s.io
```

## 5. Common problems

### 5.1 Security vulnerabilities

Solution:

- Scan images regularly
- Update dependencies promptly
- Enforce code review

### 5.2 Permission abuse

Solution:

- Apply the principle of least privilege
- Audit permissions regularly
- Control access strictly with RBAC

### 5.3 Compliance audits

Solution:

- Configure audit logging
- Run security assessments regularly
- Keep compliance documentation up to date

## 6. Best practices summary

- Security baseline: follow the CIS Kubernetes Benchmark
- Network security: configure network policies and isolation
- Secret management: keep sensitive information in Secrets
- Image security: scan images for vulnerabilities regularly
- Runtime monitoring: use Falco to detect abnormal behaviour
- Permission management: enforce RBAC and least privilege
- Audit logging: configure comprehensive audit logs
- Compliance assessment: run security compliance assessments regularly

## 7. Conclusion

Kubernetes security compliance is a basic requirement for production environments. Follow the best practices in this post and you can build a secure, compliant Kubernetes cluster.
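The restricted baseline from section 3.1 can also be checked before a manifest ever reaches the API server. The following pre-admission check is an added example, not code from the original post: it applies the PodSecurityPolicy rules (host namespaces, allowed volume types, privileged, allowPrivilegeEscalation, drop ALL, runAsNonRoot) to a Pod manifest, and both Pod dicts are constructed samples.

```python
# Added example (not from the original post): a pre-admission check that applies the
# restricted PodSecurityPolicy rules from section 3.1 to a Pod manifest, useful as a
# CI gate now that PodSecurityPolicy itself is gone from Kubernetes 1.25+.
ALLOWED_VOLUME_TYPES = {"configMap", "emptyDir", "projected", "secret", "downwardAPI"}


def check_pod(pod: dict) -> list:
    """Return the list of baseline violations; an empty list means the Pod passes."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings = []
    for key in ("hostNetwork", "hostIPC", "hostPID"):  # host namespaces
        if spec.get(key):
            findings.append(f"spec.{key} must be false")
    for vol in spec.get("volumes", []):  # only the allowed volume types
        vtype = next((k for k in vol if k != "name"), None)
        if vtype not in ALLOWED_VOLUME_TYPES:
            findings.append(f"volume {vol.get('name')!r} uses disallowed type {vtype!r}")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext", {})
        name = c.get("name")
        if sc.get("privileged"):
            findings.append(f"container {name!r}: privileged must be false")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes defaults this to true
            findings.append(f"container {name!r}: allowPrivilegeEscalation must be false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"container {name!r}: must drop ALL capabilities")
        # a container-level runAsNonRoot overrides the pod-level value when set
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")):
            findings.append(f"container {name!r}: runAsNonRoot must be true")
    return findings


BAD_POD = {  # constructed: root nginx with the host PID namespace and a hostPath mount
    "kind": "Pod", "metadata": {"name": "bad"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{"name": "app", "image": "nginx:latest",
                        "securityContext": {"privileged": True}}],
    },
}
GOOD_POD = {  # constructed: the same workload hardened to the baseline
    "kind": "Pod", "metadata": {"name": "good"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "volumes": [{"name": "tmp", "emptyDir": {}}],
        "containers": [{"name": "app", "image": "nginx:1.27",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "capabilities": {"drop": ["ALL"]}}}],
    },
}
```

`check_pod(BAD_POD)` reports six violations and `check_pod(GOOD_POD)` none; wire it into CI with the manifests loaded from YAML.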
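Audit logs are only useful if someone reads them. The following detection logic is an added example, not code from the original post: it consumes the Metadata-level Secret events that the policy in section 3.4 produces and flags Secret reads by non-control-plane identities, with cluster-wide `list` calls called out separately. The JSON audit lines are constructed samples trimmed to the fields used, and the allow-list of control-plane principals is an assumption to tune per cluster.

```python
import json

# Constructed sample audit events in the apiserver's JSON log format, trimmed to the
# fields the rules below use; not taken from a real cluster.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:default:app","groups":["system:serviceaccounts"]},"objectRef":{"resource":"pods","namespace":"default","name":"app-1"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"alice","groups":["developers"]},"objectRef":{"resource":"secrets","namespace":"default","name":"app-secret"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"list","user":{"username":"bob","groups":["developers"]},"objectRef":{"resource":"secrets"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"objectRef":{"resource":"secrets","namespace":"kube-system","name":"bootstrap-token"},"responseStatus":{"code":200}}
"""

READ_VERBS = {"get", "list", "watch"}
# Assumed allow-list of control-plane identities that legitimately read Secrets; tune per cluster
ALLOWED_PRINCIPALS = {"system:kube-controller-manager", "system:kube-scheduler", "system:apiserver"}


def analyze_audit_log(text: str) -> list:
    """Return one alert dict per suspicious Secret read, in log order."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # each request is logged at several stages; only count the completed one
        if ev.get("stage") != "ResponseComplete":
            continue
        ref = ev.get("objectRef", {})
        if ref.get("resource") != "secrets" or ev.get("verb") not in READ_VERBS:
            continue
        user = ev.get("user", {})
        if user.get("username") in ALLOWED_PRINCIPALS or "system:nodes" in user.get("groups", []):
            continue  # kubelets and core controllers read Secrets as part of normal operation
        cluster_wide = ev["verb"] == "list" and "namespace" not in ref
        alerts.append({
            "rule": "cluster-wide-secret-list" if cluster_wide else "secret-read",
            "user": user.get("username"),
            "verb": ev["verb"],
            "namespace": ref.get("namespace", "<all>"),
            "name": ref.get("name", "*"),
            # a 403 still matters: it shows an identity probing for Secrets it cannot read
            "denied": ev.get("responseStatus", {}).get("code") == 403,
        })
    return alerts
```

Service-account identities (`system:serviceaccount:...`) are intentionally not on the allow-list, so a workload that starts reading Secrets it never touched before shows up as well.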