【揭秘K8s集群】安全配置与防护之道，保障容器化应用安全无忧

最佳答案

引言

跟着云打算跟容器技巧的疾速开展，Kubernetes（K8s）曾经成为容器编排范畴的领导者。K8s集群的保险设置与防护对保证容器化利用的保险至关重要。本文将深刻探究K8s集群的保险设置与防护之道，帮助你构建一个保险无忧的容器化利用情况。

K8s集群保险概述

Kubernetes集群的保险性重要涉及以下多少个方面：

认证（Authentication）：确保只有受权用户才干拜访K8s API。
受权（Authorization）：把持用户对资本的拜访权限。
准入把持（Admission Control）：在资本被创建或修改之行停止检查，确保其符合保险战略。
收集战略（Network Policies）：把持Pod之间的通信。
容器镜像保险：确保容器镜像的保险性。
集群审计与监控：及时监控集群状况，及时发明并处理保险变乱。

K8s集群保险设置

1. 基本体系保险设置

体系时光同步：安装NTP效劳并设置坚固的NTP效劳器，确保体系时光同步。

sudo apt update
sudo apt install ntpdate ntp
sudo ntpdate ntp1.aliyun.com

禁用Swap功能：Kubernetes请求全部节点禁用Swap，经由过程编辑/etc/fstab文件并解释掉落Swap行实现，然后履行swapoff --all命令。

sudo swapoff --all

设置容器运转时情况：推荐利用Docker或Containerd作为容器运转时。

sudo apt-get update
sudo apt-get install docker.io

2. 收集战略

创建收集战略：限制Pod之间的通信。

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-backend-to-frontend
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: frontend
  policyTypes:
  - Ingress
  - Egress

3. 镜像保险

利用ImagePolicyWebhook战略管理镜像来源：避免利用未经验证的镜像。

apiVersion: policy/v1
kind: PodSecurityPolicy
metadata:
  name: strict-image-policy
spec:
  podSecurityContext:
    runAsUser: 1000
  runAsGroup: 3000
  fsGroup: 2000
  seLinux: {}
  supplementalGroups: [3000]
  allowedCapabilities: ['NET_ADMIN', 'SYS_ADMIN']
  forbiddenCapabilities: ['ALL']
  volumes:
  - configMap
  - emptyDir
  - secret
  - persistentVolumeClaim
  - projected
  - downwardAPI
  - gitRepo
  - all
  imagePolicyWebhook:
    enabled: true
  allowedScopes:
  - 'image-pullers'
  - 'system:authenticated'
  - 'system:unauthenticated'
  - 'system:serviceaccount'
  - 'system:serviceaccount:kube-system:kubelet'
  - 'system:serviceaccount:kube-system:statefulset-nginx'
  - 'system:serviceaccount:kube-system:replica-set-nginx'
  - 'system:serviceaccount:kube-system:deployment-nginx'
  - 'system:serviceaccount:kube-system:daemonset-nginx'
  - 'system:serviceaccount:kube-system:deployment-nginx-ingress'
  - 'system:serviceaccount:kube-system:replica-set-nginx-ingress'
  - 'system:serviceaccount:kube-system:daemonset-nginx-ingress'

4. 集群审计与监控

设置集群审计：记录集群操纵日记，便于过后分析。

”`yaml apiVersion: audit.k8s.io/v1 kind: Policy metadata: name: default spec: # The Policy and its Rules specify what events are logged, and under what conditions. # Rules are applied in order, and the first matching rule is used. # If no rules match, the default behavior is to log all requests. rules:

level: Request resources:
- groups: [“”] resources: [“pods”, “services”, “nodes”, “persistentvolumes”, “persistentvolumeclaims”]
- groups: [“apps”] resources: [“deployments”, “replicasets”, “statefulsets”]
- groups: [“rbac.authorization.k8s.io”] resources: [“roles”, “rolebindings”, “clusterroles”, “clusterrolebindings”]
- groups: [“extensions”] resources: [“ingresses”]
- groups: [“batch”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“admissionregistration.k8s.io”] resources: [“validatingwebhookconfigurations”, “mutatingwebhookconfigurations”]
- groups: [“policy”] resources: [“podsecuritypolicies”]
- groups: [“networking.k8s.io”] resources: [“networkpolicies”]
- groups: [“authentication.k8s.io”] resources: [“tokenreviews”, “selfsubjectaccessreviews”, “selfsubjectrulesreviews”]
- groups: [“authorization.k8s.io”] resources: [“selfsubjectaccessreviews”, “selfsubjectrulesreviews”, “subjectaccessreviews”, “subjectrulesreviews”]
- groups: [“apiextensions.k8s.io”] resources: [“customresourcedefinitions”]
- groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
- groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
- groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
- groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
- groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
- groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
- groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
- groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
- groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
- groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
- groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
- groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
- groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
- groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
- groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
- groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
- groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
- groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
- groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
- groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
- groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
- groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
- groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
- groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
- groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
- groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
- groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
- groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
- groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
- groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
- groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
- groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
- groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
- groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”] -