Kubernetes 安全与 RBAC

Souloss

公告

欢迎来到我的博客！这是一条示例公告

Learn More

标签

Souloss

公告

欢迎来到我的博客！这是一条示例公告

Learn More

标签

Souloss

公告

欢迎来到我的博客！这是一条示例公告

Learn More

标签

368 字

1 分钟

Kubernetes 安全与 RBAC

2023-12-25

面试

/

底层原理

一、RBAC 权限模型#

1.1 核心概念#

概念	说明
Subject	被授权的主体（User、Group、ServiceAccount）
Verb	操作动作（get、list、create、delete）
Resource	资源类型（pods、services、deployments）
Role/ClusterRole	权限定义
RoleBinding/ClusterRoleBinding	权限绑定

1.2 Role 与 RoleBinding#

1
# Role - 命名空间级别权限
2
apiVersion: rbac.authorization.k8s.io/v1
3
kind: Role
4
metadata:
5
  namespace: default
6
  name: pod-reader
7
rules:
8
  - apiGroups: [""]
9
    resources: ["pods"]
10
    verbs: ["get", "list", "watch"]
11
  - apiGroups: [""]
12
    resources: ["pods/log"]
13
    verbs: ["get"]
14

15
---
16

17
apiVersion: rbac.authorization.k8s.io/v1
18
kind: RoleBinding
19
metadata:
20
  name: read-pods
21
  namespace: default
22
subjects:
23
  - kind: ServiceAccount
24
    name: default
25
    namespace: default
26
  - kind: User
27
    name: alice
28
    apiGroup: rbac.authorization.k8s.io
29
roleRef:
30
  kind: Role
31
  name: pod-reader
32
  apiGroup: rbac.authorization.k8s.io

1.3 ClusterRole 与 ClusterRoleBinding#

1
# ClusterRole - 集群级别权限
2
apiVersion: rbac.authorization.k8s.io/v1
3
kind: ClusterRole
4
metadata:
5
  name: node-reader
6
rules:
7
  - apiGroups: [""]
8
    resources: ["nodes"]
9
    verbs: ["get", "list", "watch"]
10

11
---
12

13
apiVersion: rbac.authorization.k8s.io/v1
14
kind: ClusterRoleBinding
15
metadata:
16
  name: node-reader-binding
17
subjects:
18
  - kind: Group
19
    name: system:nodes
20
    apiGroup: rbac.authorization.k8s.io
21
roleRef:
22
  kind: ClusterRole
23
  name: node-reader
24
  apiGroup: rbac.authorization.k8s.io

1.4 常用 RBAC 操作#

1
# 查看 Role
2
kubectl get roles -n namespace
3
kubectl describe role role-name -n namespace
4

5
# 查看 RoleBinding
6
kubectl get rolebindings -n namespace
7
kubectl describe rolebinding binding-name -n namespace
8

9
# 测试权限
10
kubectl auth can-i get pods --as=alice
11
kubectl auth can-i create pods --as=system:serviceaccount:default:default
12

13
# 编辑 RBAC
14
kubectl edit role pod-reader -n namespace

1.5 内置角色#

角色	说明
view	只读访问命名空间资源
edit	大部分资源读写，不能修改 RBAC
admin	命名空间级别的管理权限
cluster-admin	集群完全管理权限

二、Security Context#

2.1 Pod 级别 Security Context#

1
apiVersion: v1
2
kind: Pod
3
spec:
4
  securityContext:
5
    runAsNonRoot: true # 必须以非 root 运行
6
    runAsUser: 10000 # 指定用户 ID
7
    runAsGroup: 10000 # 指定组 ID
8
    fsGroup: 10000 # 文件系统组
9
    seccompProfile:
10
      type: RuntimeDefault # 使用默认 seccomp 配置
11
  containers:
12
    - name: app
13
      image: app:latest

2.2 Container 级别 Security Context#

1
apiVersion: v1
2
kind: Pod
3
spec:
4
  containers:
5
    - name: app
6
      image: app:latest
7
      securityContext:
8
        allowPrivilegeEscalation: false # 禁止特权提升
9
        readOnlyRootFilesystem: true # 只读根文件系统
10
        capabilities:
11
          drop: # 删除能力
12
            - ALL
13
          add: # 添加能力
14
            - NET_ADMIN

2.3 常用 Linux 能力#

能力	说明
NET_ADMIN	网络管理（修改路由、防火墙）
SYS_ADMIN	系统管理（挂载文件系统）
SYS_MODULE	加载内核模块
DAC_READ_SEARCH	绕过文件权限检查
ALL	所有能力（危险！）

三、Pod Security Standards#

3.1 安全策略级别#

级别	说明
privileged	完全不受限制
baseline	最低安全要求
restricted	严格安全要求

3.2 PSP Baseline 要求#

1
apiVersion: policy/v1beta1
2
kind: PodSecurityPolicy
3
metadata:
4
  name: baseline
5
spec:
6
  privileged: false # 禁止特权容器
7
  hostPID: false # 禁止使用宿主 PID
8
  hostIPC: false # 禁止使用宿主 IPC
9
  hostNetwork: false # 禁止使用宿主机网络
10
  seLinux:
11
    rule: RunAsAny
12
  runAsUser:
13
    rule: MustRunAsNonRoot # 必须非 root
14
  fsGroup:
15
    rule: RunAsAny
16
  volumes:
17
    - "configMap"
18
    - "emptyDir"
19
    - "projected"
20
    - "secret"
21
    - "downwardAPI"
22
    - "persistentVolumeClaim"

四、网络安全#

4.1 默认网络策略#

1
# 拒绝所有入站流量
2
apiVersion: networking.k8s.io/v1
3
kind: NetworkPolicy
4
metadata:
5
  name: default-deny-ingress
6
spec:
7
  podSelector: {}
8
  policyTypes:
9
    - Ingress

4.2 命名空间级别策略#

1
# 允许命名空间内流量
2
apiVersion: networking.k8s.io/v1
3
kind: NetworkPolicy
4
metadata:
5
  name: allow-namespace
6
spec:
7
  podSelector: {}
8
  policyTypes:
9
    - Ingress
10
  ingress:
11
    - from:
12
        - namespaceSelector:
13
            matchLabels:
14
              name: production

4.3 应用网络策略#

1
# 只允许前端访问后端
2
apiVersion: networking.k8s.io/v1
3
kind: NetworkPolicy
4
metadata:
5
  name: backend-policy
6
spec:
7
  podSelector:
8
    matchLabels:
9
      app: backend
10
  policyTypes:
11
    - Ingress
12
    - Egress
13
  ingress:
14
    - from:
15
        - podSelector:
16
            matchLabels:
17
              app: frontend
18
      ports:
19
        - protocol: TCP
20
          port: 8080
21
  egress:
22
    - to:
23
        - podSelector:
24
            matchLabels:
25
              app: database
26
      ports:
27
        - protocol: TCP
28
          port: 5432
29
    - to:
30
        - namespaceSelector: {}
31
      ports:
32
        - protocol: UDP
33
          port: 53

五、Secret 管理#

5.1 Secret 类型#

类型	说明
Opaque	通用密钥值对
kubernetes.io/tls	TLS 证书
kubernetes.io/dockerconfigjson	Docker 配置
kubernetes.io/service-account-token	ServiceAccount token

5.2 创建 Secret#

1
# 从文件创建
2
kubectl create secret generic db-password \
3
  --from-literal=password=secret123
4

5
# 从文件
6
kubectl create secret generic tls-cert \
7
  --from-file=tls.crt=cert.pem \
8
  --from-file=tls.key=key.pem
9

10
# 从 .env 文件
11
kubectl create secret generic env-secrets \
12
  --from-env-file=secrets.env

5.3 Secret 使用方式#

1
# 环境变量方式（易被日志暴露）
2
apiVersion: v1
3
kind: Pod
4
spec:
5
  containers:
6
    - name: app
7
      image: app:latest
8
      env:
9
        - name: DB_PASSWORD
10
          valueFrom:
11
            secretKeyRef:
12
              name: db-password
13
              key: password
14

15
---
16

17
apiVersion: v1
18
kind: Pod
19
spec:
20
  containers:
21
    - name: app
22
      image: app:latest
23
      volumeMounts:
24
        - name: secrets
25
          mountPath: /etc/secrets
26
          readOnly: true
27
  volumes:
28
    - name: secrets
29
      secret:
30
        secretName: db-password

六、ServiceAccount#

6.1 默认 ServiceAccount#

1
# 每个命名空间有一个 default ServiceAccount
2
kubectl get serviceaccount -n default
3
kubectl describe serviceaccount default -n default

6.2 自定义 ServiceAccount#

1
apiVersion: v1
2
kind: ServiceAccount
3
metadata:
4
  name: my-app-sa
5
  namespace: production
6
---
7

8
apiVersion: v1
9
kind: Pod
10
metadata:
11
  name: my-app
12
spec:
13
  serviceAccountName: my-app-sa
14
  containers:
15
    - name: app
16
      image: app:latest

6.3 RBAC 配合 ServiceAccount#

1
# 限制 Pod 权限
2
apiVersion: rbac.authorization.k8s.io/v1
3
kind: Role
4
metadata:
5
  name: my-app-role
6
rules:
7
  - apiGroups: [""]
8
    resources: ["configmaps"]
9
    verbs: ["get"]
10

11
---
12
apiVersion: rbac.authorization.k8s.io/v1
13
kind: RoleBinding
14
metadata:
15
  name: my-app-role-binding
16
subjects:
17
  - kind: ServiceAccount
18
    name: my-app-sa
19
    namespace: production
20
roleRef:
21
  kind: Role
22
  name: my-app-role

七、安全最佳实践#

7.1 镜像安全#

1
# 1. 使用私有镜像仓库
2
imagePullSecrets:
3
  - name: my-registry-secret
4

5
# 2. 禁止使用 latest 标签
6
# 3. 定期扫描镜像漏洞
7
# 4. 使用可信基础镜像

7.2 运行时安全#

1
# 使用 Falco 监控容器行为
2
# 使用 Tracee 追踪系统调用
3
# 使用 Sysdig 检查容器活动

7.3 审计日志#

1
apiVersion: audit.k8s.io/v1
2
kind: Policy
3
rules:
4
  # 不记录只读请求到某些路径
5
  - level: None
6
    users: ["system:kube-proxy"]
7
    verbs: ["watch"]
8
    resources:
9
      - group: ""
10
        resources: ["endpoints", "services"]
11

12
  # 记录所有变更
13
  - level: RequestResponse
14
    resources:
15
      - group: ""
16
        resources: ["pods"]
17
        verbs: ["create", "update", "delete"]