Introduction
With the rapid growth of cloud computing and container technology, Kubernetes (K8s) has become the leader in container orchestration. Security configuration and hardening of a K8s cluster are essential to keeping containerized applications safe. This article looks in depth at how to configure and harden a K8s cluster so that you can build a secure environment for containerized applications.
Overview of K8s cluster security
Kubernetes cluster security mainly covers the following areas:
- Authentication: ensures that only authorized users can access the K8s API.
- Authorization: controls which resources a user is allowed to access.
- Admission control: inspects resources before they are created or modified to ensure they comply with security policy.
- Network policies: control communication between Pods.
- Container image security: ensures that container images are trustworthy.
- Cluster auditing and monitoring: continuously monitor cluster state so that security incidents are detected and handled promptly.
K8s cluster security configuration
1. Basic system security configuration
- System time synchronization: install the NTP service and configure a reliable NTP server so that every node keeps synchronized time.
```shell
sudo apt update
sudo apt install ntpdate ntp
# ntpd binds UDP/123 once it is running, so stop it before a one-shot ntpdate sync
sudo systemctl stop ntp
sudo ntpdate ntp1.aliyun.com
sudo systemctl start ntp
```
- Disable swap: Kubernetes requires swap to be disabled on every node. Edit the `/etc/fstab` file and comment out the swap line, then run the `swapoff --all` command.
```shell
sudo sed -i '/\sswap\s/ s/^/#/' /etc/fstab   # comment out the swap entry so it stays off after reboot
sudo swapoff --all
```
- Configure the container runtime: Docker or containerd is recommended as the container runtime.
```shell
sudo apt-get update
sudo apt-get install docker.io
```
2. Network policies
The following NetworkPolicy selects the frontend pods and only lets pods labelled role: backend in the same namespace connect to them:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-backend-to-frontend
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: frontend
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # only pods labelled role=backend in this namespace may connect
    - from:
        - podSelector:
            matchLabels:
              role: backend
  # Egress is listed in policyTypes but no egress rules are given, so all
  # outbound traffic from frontend pods (including DNS) is denied; add egress
  # rules for kube-dns and the services the frontend actually needs.
```
3. Image security
- Use the ImagePolicyWebhook admission plugin to control image sources: it prevents unverified images from being run.
The plugin is configured on the kube-apiserver through an AdmissionConfiguration file that points at an external image review webhook:
```yaml
# /etc/kubernetes/admission-control.yaml, referenced from the kube-apiserver flags
#   --enable-admission-plugins=...,ImagePolicyWebhook
#   --admission-control-config-file=/etc/kubernetes/admission-control.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
  - name: ImagePolicyWebhook
    configuration:
      imagePolicy:
        # kubeconfig describing how to reach (and authenticate to) the image review backend
        kubeConfigFile: /etc/kubernetes/image-policy/kubeconfig.yaml
        allowTTL: 50        # seconds an allow decision is cached
        denyTTL: 50         # seconds a deny decision is cached
        retryBackoff: 500   # milliseconds between retries
        defaultAllow: false # fail closed when the webhook cannot be reached
```
Pod-level restrictions (non-root user and group ids, no added capabilities, a fixed set of volume types) are expressed separately in a PodSecurityPolicy:
```yaml
# PodSecurityPolicy (policy/v1beta1) was removed in Kubernetes v1.25; on current
# clusters enforce the same restrictions with Pod Security Admission instead.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: strict-image-policy
spec:
  privileged: false
  runAsUser:
    rule: MustRunAs
    ranges:
      - min: 1000
        max: 1000
  runAsGroup:
    rule: MustRunAs
    ranges:
      - min: 3000
        max: 3000
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 2000
        max: 2000
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 3000
        max: 3000
  seLinux:
    rule: RunAsAny
  # drop every capability and allow none to be added back (NET_ADMIN and
  # SYS_ADMIN in particular give a container near-host privileges)
  requiredDropCapabilities: ['ALL']
  allowedCapabilities: []
  volumes:
    - configMap
    - emptyDir
    - secret
    - persistentVolumeClaim
    - projected
    - downwardAPI
```
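As an added example (not code from the original article), this is the decision logic an ImagePolicyWebhook backend would apply to each ImageReview the kube-apiserver sends: every container image must come from an allowed registry and be pinned by digest. The registry allowlist and the sample request are constructed for illustration.

```python
"""ImagePolicyWebhook backend decision logic (added example, not from the article).
The kube-apiserver POSTs an ImageReview; the backend returns it with status filled in."""
import re
from typing import Optional

# Constructed allowlist: only images under these prefixes may run.
ALLOWED_REGISTRIES = ("registry.example.internal", "ghcr.io/example-org")
_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def check_image(image: str) -> Optional[str]:
    """Return None if the image is acceptable, otherwise the rejection reason."""
    # A first path segment without '.' or ':' (and not 'localhost') is not a
    # registry, so the short name would silently resolve to docker.io.
    registry, sep, _ = image.partition("/")
    if not sep or ("." not in registry and ":" not in registry and registry != "localhost"):
        return f"{image}: unqualified name resolves to docker.io"
    if not image.startswith(tuple(r + "/" for r in ALLOWED_REGISTRIES)):
        return f"{image}: registry not in allowlist"
    if not _DIGEST_RE.search(image):
        return f"{image}: must be pinned by sha256 digest, not a mutable tag"
    return None


def review(image_review: dict) -> dict:
    """Evaluate an imagepolicy.k8s.io/v1alpha1 ImageReview and fill in its status."""
    reasons = []
    for container in image_review.get("spec", {}).get("containers", []):
        problem = check_image(container.get("image", ""))
        if problem:
            reasons.append(problem)
    status = {"allowed": not reasons}
    if reasons:
        status["reason"] = "; ".join(reasons)
    return {**image_review, "status": status}


# Constructed sample request in the shape the kube-apiserver sends.
SAMPLE_REVIEW = {
    "apiVersion": "imagepolicy.k8s.io/v1alpha1",
    "kind": "ImageReview",
    "spec": {
        "namespace": "default",
        "containers": [
            {"image": "registry.example.internal/app/web@sha256:" + "a" * 64},
            {"image": "nginx:latest"},
        ],
    },
}
```

Serve `review()` behind the HTTPS endpoint named in the webhook kubeconfig; with `defaultAllow: false` the API server rejects pods whenever this backend is unreachable.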
4. Cluster auditing and monitoring
The audit policy below is loaded by the kube-apiserver (`--audit-policy-file`, with the log written to `--audit-log-path`) and decides what is recorded for each request:
```yaml
apiVersion: audit.k8s.io/v1
kind: Policy
# The Policy and its rules specify which events are logged and under what conditions.
# Rules are applied in order and the first matching rule is used.
# If no rule matches, the event is not logged (the default level is None),
# so the list ends with a catch-all rule.
omitStages:
  - RequestReceived
rules:
  - level: Request
    resources:
      - group: ""
        resources: ["pods", "services", "nodes", "persistentvolumes", "persistentvolumeclaims", "configmaps"]
      - group: "apps"
        resources: ["deployments", "replicasets", "statefulsets"]
      - group: "rbac.authorization.k8s.io"
        resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
      - group: "networking.k8s.io"
        resources: ["ingresses", "networkpolicies"]
      - group: "batch"
        resources: ["jobs", "cronjobs"]
      - group: "storage.k8s.io"
        resources: ["storageclasses", "volumeattachments"]
      - group: "admissionregistration.k8s.io"
        resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
      - group: "policy"
        resources: ["podsecuritypolicies"]
      - group: "authentication.k8s.io"
        resources: ["tokenreviews"]
      - group: "authorization.k8s.io"
        resources: ["selfsubjectaccessreviews", "selfsubjectrulesreviews", "subjectaccessreviews"]
      - group: "apiextensions.k8s.io"
        resources: ["customresourcedefinitions"]
      - group: "autoscaling"
        resources: ["horizontalpodautoscalers"]
      - group: "coordination.k8s.io"
        resources: ["leases"]
  # Everything else is recorded with metadata only (user, verb, object, status).
  # Secrets are deliberately not listed above, so they fall through to this rule
  # and their contents are never written to the audit log.
  - level: Metadata
```
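As an added example (not part of the original article), a small triage script over the JSON lines such a policy produces: it flags RBAC binding changes, exec/attach into pods, and any request by the anonymous user. The log lines are constructed to match the audit.k8s.io/v1 Event shape, with unrelated fields trimmed.

```python
"""Triage of kube-apiserver audit log lines (added example, not from the article).
Flags RBAC binding changes, exec/attach into pods, and any request by the anonymous user."""
import json

# Constructed sample lines shaped like audit.k8s.io/v1 Events (fields trimmed).
SAMPLE_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"default","name":"web"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Request","stage":"ResponseComplete","verb":"create","user":{"username":"bob"},"objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io","name":"bob-admin"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseStarted","verb":"create","user":{"username":"alice"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"default","name":"web"},"responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"list","user":{"username":"system:anonymous"},"objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":403}}
"""

RBAC_GROUP = "rbac.authorization.k8s.io"
RBAC_RESOURCES = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}
WRITE_VERBS = {"create", "update", "patch", "delete"}


def classify(event: dict) -> list:
    """Return the alert tags that apply to one Event (empty list = nothing notable)."""
    tags = []
    ref = event.get("objectRef", {})
    verb = event.get("verb", "")
    if ref.get("apiGroup") == RBAC_GROUP and ref.get("resource") in RBAC_RESOURCES and verb in WRITE_VERBS:
        tags.append("rbac-change")
    if ref.get("resource") == "pods" and ref.get("subresource") in ("exec", "attach"):
        tags.append("pod-exec")
    if event.get("user", {}).get("username") == "system:anonymous":
        tags.append("anonymous-request")  # a 403 here still shows someone probing the API
    return tags


def triage(log_text: str) -> list:
    """Parse JSON lines; return (user, verb, resource[/subresource], tags) per flagged event."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        tags = classify(event)
        if not tags:
            continue
        ref = event.get("objectRef", {})
        resource = ref.get("resource", "")
        if ref.get("subresource"):
            resource += "/" + ref["subresource"]
        findings.append((event["user"]["username"], event["verb"], resource, tags))
    return findings
```

Because the policy above records RBAC and pod requests at the Request level, the matching events also carry the request body, so a finding can be traced back to exactly what was submitted.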