【揭秘K8s集群】安全配置與防護之道,保障容器化應用安全無憂

提問者:用戶JGZZ 發布時間: 2025-05-23 00:32:50 閱讀時間: 3分鐘

最佳答案

引言

隨着雲打算跟容器技巧的疾速開展,Kubernetes(K8s)曾經成為容器編排範疇的領導者。K8s集群的保險設置與防護對保證容器化利用的保險至關重要。本文將深刻探究K8s集群的保險設置與防護之道,幫助妳構建一個保險無憂的容器化利用情況。

K8s集群保險概述

Kubernetes集群的保險性重要涉及以下多少個方面:

  1. 認證(Authentication):確保只有受權用戶才幹拜訪K8s API。
  2. 受權(Authorization):把持用戶對資本的拜訪權限。
  3. 准入把持(Admission Control):在資本被創建或修改之行停止檢查,確保其符合保險戰略。
  4. 收集戰略(Network Policies):把持Pod之間的通信。
  5. 容器鏡像保險:確保容器鏡像的保險性。
  6. 集群審計與監控:及時監控集群狀況,及時發明並處理保險變亂。

K8s集群保險設置

1. 基本體系保險設置

  • 體系時光同步:安裝NTP效勞並設置堅固的NTP效勞器,確保體系時光同步。
sudo apt update
sudo apt install ntpdate ntp
sudo ntpdate ntp1.aliyun.com
  • 禁用Swap功能:Kubernetes請求全部節點禁用Swap,經由過程編輯/etc/fstab文件並注釋掉落Swap行實現,然後履行swapoff --all命令。
sudo swapoff --all
  • 設置容器運轉時情況:推薦利用Docker或Containerd作為容器運轉時。
sudo apt-get update
sudo apt-get install docker.io

2. 收集戰略

  • 創建收集戰略:限制Pod之間的通信。
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-backend-to-frontend
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: frontend
  policyTypes:
  - Ingress
  - Egress

3. 鏡像保險

  • 利用ImagePolicyWebhook戰略管理鏡像來源:避免利用未經驗證的鏡像。
apiVersion: policy/v1
kind: PodSecurityPolicy
metadata:
  name: strict-image-policy
spec:
  podSecurityContext:
    runAsUser: 1000
  runAsGroup: 3000
  fsGroup: 2000
  seLinux: {}
  supplementalGroups: [3000]
  allowedCapabilities: ['NET_ADMIN', 'SYS_ADMIN']
  forbiddenCapabilities: ['ALL']
  volumes:
  - configMap
  - emptyDir
  - secret
  - persistentVolumeClaim
  - projected
  - downwardAPI
  - gitRepo
  - all
  imagePolicyWebhook:
    enabled: true
  allowedScopes:
  - 'image-pullers'
  - 'system:authenticated'
  - 'system:unauthenticated'
  - 'system:serviceaccount'
  - 'system:serviceaccount:kube-system:kubelet'
  - 'system:serviceaccount:kube-system:statefulset-nginx'
  - 'system:serviceaccount:kube-system:replica-set-nginx'
  - 'system:serviceaccount:kube-system:deployment-nginx'
  - 'system:serviceaccount:kube-system:daemonset-nginx'
  - 'system:serviceaccount:kube-system:deployment-nginx-ingress'
  - 'system:serviceaccount:kube-system:replica-set-nginx-ingress'
  - 'system:serviceaccount:kube-system:daemonset-nginx-ingress'

4. 集群審計與監控

  • 設置集群審計:記錄集群操縱日記,便於過後分析。

”`yaml apiVersion: audit.k8s.io/v1 kind: Policy metadata: name: default spec: # The Policy and its Rules specify what events are logged, and under what conditions. # Rules are applied in order, and the first matching rule is used. # If no rules match, the default behavior is to log all requests. rules:

  • level: Request resources:
    • groups: [“”] resources: [“pods”, “services”, “nodes”, “persistentvolumes”, “persistentvolumeclaims”]
    • groups: [“apps”] resources: [“deployments”, “replicasets”, “statefulsets”]
    • groups: [“rbac.authorization.k8s.io”] resources: [“roles”, “rolebindings”, “clusterroles”, “clusterrolebindings”]
    • groups: [“extensions”] resources: [“ingresses”]
    • groups: [“batch”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“admissionregistration.k8s.io”] resources: [“validatingwebhookconfigurations”, “mutatingwebhookconfigurations”]
    • groups: [“policy”] resources: [“podsecuritypolicies”]
    • groups: [“networking.k8s.io”] resources: [“networkpolicies”]
    • groups: [“authentication.k8s.io”] resources: [“tokenreviews”, “selfsubjectaccessreviews”, “selfsubjectrulesreviews”]
    • groups: [“authorization.k8s.io”] resources: [“selfsubjectaccessreviews”, “selfsubjectrulesreviews”, “subjectaccessreviews”, “subjectrulesreviews”]
    • groups: [“apiextensions.k8s.io”] resources: [“customresourcedefinitions”]
    • groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
    • groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
    • groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
    • groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
    • groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
    • groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
    • groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
    • groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
    • groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
    • groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
    • groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
    • groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
    • groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
    • groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
    • groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
    • groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
    • groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
    • groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
    • groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
    • groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
    • groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
    • groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
    • groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
    • groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
    • groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
    • groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
    • groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
    • groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
    • groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
    • groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”]
    • groups: [“autoscaling.k8s.io”] resources: [“horizontalpodautoscalers”]
    • groups: [“batch”, “extensions”] resources: [“jobs”, “cronjobs”]
    • groups: [“storage.k8s.io”] resources: [“storageclasses”, “volumeattachments”, “storagepods”]
    • groups: [“coordination.k8s.io”] resources: [“leases”, “configmaps”] -
相關推薦

    碎星旗下的主播都有誰

    发布时间:2024-11-11
    有青莲忘川、花泽、三月妖孽等人简介:杭州碎星网络科技有限公司成立于2017-05-11,法定代表人为何义超,注册资本为100万元人民币,统一社会信用代码为91330106MA28RR5X0L,企业地址位于浙江省杭州市拱墅区莫干山路116

    廣西高中語文書是哪個版的

    发布时间:2024-11-11
    人教版,广西高中语文书全都是人教版的,以上广西的高中识本不统一,各地有各地的版本,有人教版也有沪教版,现在统一使用人教版的了。

    簡短好聽的情侶名

    发布时间:2024-11-11
    1、微微一笑很倾城 、 奈何桥边笑奈何。2、橘子味儿的猫 、 草莓味儿的狗。3、稚于最初 、 安于情长。4、七年凉城空浮生 、 三年空城已离殇。5、生物毁了我的清白 、 数学毁了我的未来。6、沐北清歌寒 、 沐南伊人舞

    東北鰲蝦怎麼養

    发布时间:2024-11-11
    1、注意密度饲养鳌虾之前,首先要选择好虾缸,并计划好饲养的密度,以及是否混养其它的观赏虾类。鳌虾是比较具有攻击性的观赏虾,鳌虾有较强的领地意识,若是不想要自己养的鳌虾经常打架受伤的话,最好减小饲养密度。2、缸内造景建立一个良好的生

    華圖所謂的面試基地班靠譜嗎

    发布时间:2024-11-11
    华图的面试基地班靠谱。面试基地班一般是以封闭的形式去培训,这样可以保证学习效果以及更有针对性,上岸率也非常高,而且报名之前会签协议,面试通过协议生效,没有通过是可以退费的。而且基地班的老师都是优中选优的,是华图最好的老师可以放心。

    女孩經常喝奶茶的危害

    发布时间:2024-11-11
    1、女生经常喝奶茶容易导致摄入了过多的糖分和蛋白质,堵塞了毛孔,引发痤疮。2、奶茶它主要是一种奶制品,里边添加了少量的茶叶成分,经常喝会导致体内血糖升高,引发糖尿病,并且这个糖分在体内堆积又不容易排出,容易形成肥胖的现象。并且奶茶都是

    15款邁騰大燈原廠什麼品牌

    发布时间:2024-11-11
    15款大众迈腾第一代车型的大灯品牌为Hella。Hella是全球知名的照明与电子技术领域的企业,其产品涉及汽车、物流和工业等多个领域。Hella的汽车灯具以高品质、高性能和高稳定性著称。因此,选择Hella成为大众迈腾第一代车型的大灯品牌

    孕婦能喝玫瑰花茶嗎

    发布时间:2024-11-11
    孕妇一般是要注意饮食,尤其是药物更应该注意,玫瑰花,是可以活血化瘀疏肝。对于临床上女性月经期月经不调,腹疼,痛经等有很好作用,还可以治疗肝气郁结导致的心情不好,烦躁易怒,还有一定美容作用,所以在孕期是不能服用的,一定要注意。

    更年期滋陰的食物

    发布时间:2024-11-11
    1、何首乌:何首乌是滋阴补肾第一品。也是被当做医家第一的保健品。女性有筋骨酸痛,早衰等问题,都可以通过服用何首乌起到一定很好的改善作用。2、枸杞子:枸杞子性平味甘,具有清心明目养肝的功效,其实枸杞子也是滋阴补肾的最好选择之一。尤其对于

    王者榮耀雲中君專精裝備

    发布时间:2024-11-11
    巨人之握+抵抗之靴+暗影战斧+无尽战刃+破军+破甲弓出装思路首先打野刀出门,升到二级巨人之握即可。再来是鞋子,大家可以根据情况出装,抵抗之靴、影刃之足和疾步之靴都是可以的,影刃之足加强生存能力,疾步之靴gank效率更高。再来是暗影战斧

Copyright © 2020-2024,Powered By 答答問 滇ICP备2020007400号-21