Kubernetes Security Management: A Complete Guide to PSP and PSA
categories: - Kubernetes security tags: - Kubernetes - security - PSP - PSA - encryption - Pod security policy
PodSecurityContext

A pod-level securityContext sets defaults that every container in the pod inherits (runAsNonRoot, runAsUser/runAsGroup, fsGroup, seccompProfile). A container-level securityContext overrides those defaults and is the only place where allowPrivilegeEscalation, readOnlyRootFilesystem and capabilities can be set: they are not fields of PodSecurityContext, so placing them at pod level either fails strict field validation or, with older clients, is silently dropped and leaves the container without the setting.

apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:                  # pod level: inherited by every container unless overridden
    runAsNonRoot: true              # kubelet refuses to start a container whose image runs as UID 0
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000                   # group ownership applied to mounted volumes
    seccompProfile:
      type: RuntimeDefault          # container runtime's default seccomp profile
  containers:
  - name: app
    image: myapp:v1
    securityContext:                # container level only; no pod-level equivalent exists for these
      allowPrivilegeEscalation: false   # setuid binaries and file capabilities cannot gain privileges
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
PodSecurityStandards (PSS)

The Pod Security Standards define three profiles, privileged, baseline and restricted, and are applied per namespace through labels read by the Pod Security Admission (PSA) controller, the built-in replacement for PodSecurityPolicy (PSP was deprecated in 1.21 and removed in 1.25). The three modes are independent: enforce rejects non-compliant pods, audit writes a violation annotation into the audit log, and warn returns a warning to the client that created the pod. Enforcing baseline while auditing and warning at restricted is the usual way to find out what would break before tightening enforcement to restricted.

# enforce baseline; audit and warn at restricted
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
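To make concrete what the restricted profile actually inspects, here is an added example (written for this page, not code from the original post or from Kubernetes) that re-implements a subset of the restricted checks over plain-dict pod manifests. It models the same inheritance the API applies: runAsNonRoot, runAsUser and seccompProfile may come from the pod or the container, while allowPrivilegeEscalation and capabilities exist only per container. The three sample manifests are constructed inline; the "misplaced" one shows why the pod-level allowPrivilegeEscalation in the original YAML would not have satisfied PSA.

```python
# Added example, not from the original post: a subset of the Pod Security
# Standards "restricted" checks over dict manifests (no cluster, no PyYAML).
from typing import Any, Dict, List

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}   # Unconfined / unset are rejected
ALLOWED_ADD_CAPS = {"NET_BIND_SERVICE"}             # the only capability restricted lets you add


def _effective(container: Dict[str, Any], pod_spec: Dict[str, Any], field: str) -> Any:
    """Container securityContext overrides the pod-level one, as the API does."""
    csc = container.get("securityContext") or {}
    psc = pod_spec.get("securityContext") or {}
    return csc.get(field, psc.get(field))


def check_restricted(pod: Dict[str, Any]) -> List[str]:
    """Return violations of (a subset of) the restricted profile; [] means admitted."""
    spec = pod.get("spec", {})
    violations: List[str] = []
    for host_field in ("hostNetwork", "hostPID", "hostIPC"):   # baseline checks, inherited by restricted
        if spec.get(host_field):
            violations.append(f"pod: {host_field} is true")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = c.get("name", "<unnamed>")
        csc = c.get("securityContext") or {}
        if csc.get("privileged"):
            violations.append(f"{cname}: privileged container")
        # container-only field: must be explicitly false, a pod-level value does not count
        if csc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{cname}: allowPrivilegeEscalation must be set to false")
        if _effective(c, spec, "runAsNonRoot") is not True:
            violations.append(f"{cname}: runAsNonRoot must be true")
        if _effective(c, spec, "runAsUser") == 0:
            violations.append(f"{cname}: runAsUser 0 is not allowed")
        profile = _effective(c, spec, "seccompProfile") or {}
        if profile.get("type") not in ALLOWED_SECCOMP:
            violations.append(f"{cname}: seccompProfile.type must be RuntimeDefault or Localhost")
        caps = csc.get("capabilities") or {}             # container-only field
        if "ALL" not in caps.get("drop", []):
            violations.append(f"{cname}: capabilities.drop must include ALL")
        extra = set(caps.get("add", [])) - ALLOWED_ADD_CAPS
        if extra:
            violations.append(f"{cname}: capabilities.add {sorted(extra)} not allowed")
    return violations


# Constructed sample manifests (hypothetical image names).
SECURE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "secure-pod"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "runAsGroup": 1000,
                            "fsGroup": 1000, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "app", "image": "myapp:v1",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "readOnlyRootFilesystem": True,
                                            "capabilities": {"drop": ["ALL"]}}}],
    },
}
# allowPrivilegeEscalation placed at pod level, where no such field exists:
# the API drops or rejects it, so the container ends up without the setting.
MISPLACED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "misplaced"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "app", "image": "myapp:v1",
                        "securityContext": {"capabilities": {"drop": ["ALL"]}}}],
    },
}
DEFAULT_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "plain"},
               "spec": {"containers": [{"name": "app", "image": "nginx"}]}}

if __name__ == "__main__":
    for pod in (SECURE_POD, MISPLACED_POD, DEFAULT_POD):
        print(pod["metadata"]["name"], check_restricted(pod) or "OK (restricted)")
```

The real admission controller checks more than this (host ports, volume types, /proc mount, sysctls, ephemeral containers, Windows options), so treat the function as a reading aid for the profile, not a substitute for `kubectl label ... --dry-run=server` or for running PSA in warn mode.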
NetworkPolicy basics

A NetworkPolicy whose podSelector is empty selects every pod in the namespace; listing both Ingress and Egress under policyTypes with no rules denies all traffic in both directions. Egress deny also blocks DNS, so after applying this every workload in the namespace needs an egress rule allowing UDP and TCP port 53 to kube-dns, plus explicit allow policies for its real dependencies. NetworkPolicy is only enforced when the CNI plugin implements it (Calico, Cilium and others do); otherwise the object is accepted by the API server and silently ignored.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: production
spec:
  podSelector: {}        # all pods in the namespace
  policyTypes:
  - Ingress
  - Egress               # no ingress/egress rules listed: deny everything
Secrets encryption

By default the API server stores Secrets in etcd as base64 plaintext. EncryptionConfiguration is not a cluster resource but a file that kube-apiserver reads via --encryption-provider-config, so it has no metadata or spec; resources sits at the top level. Provider order matters: the first provider is used for writes, every listed provider is tried for reads, and identity (no encryption) must stay last so that Secrets written before encryption was enabled remain readable. Encryption only happens on write, so existing Secrets stay in plaintext until they are re-saved, for example with kubectl get secrets --all-namespaces -o json | kubectl replace -f -. aescbc keys are 32 bytes, base64-encoded; the Kubernetes documentation now prefers secretbox, aesgcm or a KMS provider over aescbc because CBC mode is exposed to padding-oracle attacks.

apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: <base64-encoded 32-byte key>   # e.g. head -c 32 /dev/urandom | base64
      - identity: {}    # last: reads legacy plaintext Secrets, never used for writes
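The three mistakes that silently leave Secrets unencrypted are putting identity first, omitting identity (which makes pre-existing plaintext objects unreadable), and supplying a key of the wrong length or an empty secret as in the original snippet. The following added example (written for this page; not Kubernetes code and not from the original post) generates an aescbc key and checks an EncryptionConfiguration, modelled as a plain dict, for those problems. The sample configurations are constructed inline.

```python
# Added example, not from the original post: key generation and sanity checks for
# an EncryptionConfiguration represented as a dict (no cluster, no PyYAML).
import base64
import secrets
from typing import Any, Dict, List

# Accepted key sizes in bytes per provider, as documented for kube-apiserver.
KEY_SIZES = {"aescbc": {32}, "secretbox": {32}, "aesgcm": {16, 24, 32}}


def generate_key(nbytes: int = 32) -> str:
    """Equivalent of `head -c 32 /dev/urandom | base64`."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def check_encryption_config(cfg: Dict[str, Any]) -> List[str]:
    """Return a list of problems; [] means the file would encrypt as intended."""
    if cfg.get("kind") != "EncryptionConfiguration" or "resources" not in cfg:
        return ["not an EncryptionConfiguration: kind and resources must be top-level (no metadata/spec)"]
    problems: List[str] = []
    for entry in cfg["resources"]:
        res = ",".join(entry.get("resources", []))
        providers = entry.get("providers", [])
        if not providers:
            problems.append(f"{res}: no providers")
            continue
        names = [next(iter(p)) for p in providers]          # each provider is a one-key dict
        if names[0] == "identity":                           # first provider is the one used to write
            problems.append(f"{res}: identity is first, new writes are stored in plaintext")
        if "identity" not in names:
            problems.append(f"{res}: no identity provider, existing plaintext objects become unreadable")
        elif names[-1] != "identity":
            problems.append(f"{res}: identity should be the last provider")
        for name, p in zip(names, providers):
            if name not in KEY_SIZES:                        # identity / kms carry no local keys
                continue
            for key in p[name].get("keys", []):
                try:
                    raw = base64.b64decode(key.get("secret") or "", validate=True)
                except (ValueError, TypeError):
                    problems.append(f"{res}/{name}/{key.get('name')}: secret is not valid base64")
                    continue
                if len(raw) not in KEY_SIZES[name]:
                    problems.append(f"{res}/{name}/{key.get('name')}: key is {len(raw)} bytes, "
                                    f"need {sorted(KEY_SIZES[name])}")
    return problems


def _config(providers: List[Dict[str, Any]]) -> Dict[str, Any]:
    return {"apiVersion": "apiserver.config.k8s.io/v1", "kind": "EncryptionConfiguration",
            "resources": [{"resources": ["secrets"], "providers": providers}]}


# Constructed samples.
GOOD_CONFIG = _config([{"aescbc": {"keys": [{"name": "key1", "secret": generate_key()}]}},
                       {"identity": {}}])
EMPTY_KEY_CONFIG = _config([{"aescbc": {"keys": [{"name": "key1", "secret": ""}]}},
                            {"identity": {}}])
IDENTITY_FIRST_CONFIG = _config([{"identity": {}},
                                 {"aescbc": {"keys": [{"name": "key1", "secret": generate_key()}]}}])
# The shape used in the original snippet: resources wrapped in metadata/spec.
SPEC_WRAPPED_CONFIG = {"apiVersion": "apiserver.config.k8s.io/v1", "kind": "EncryptionConfiguration",
                       "metadata": {"name": "encryption"},
                       "spec": {"resources": GOOD_CONFIG["resources"]}}

if __name__ == "__main__":
    for label, cfg in [("good", GOOD_CONFIG), ("empty key", EMPTY_KEY_CONFIG),
                       ("identity first", IDENTITY_FIRST_CONFIG), ("spec-wrapped", SPEC_WRAPPED_CONFIG)]:
        print(label, check_encryption_config(cfg) or "OK")
```

Run it against the dict form of your own file before restarting kube-apiserver: a malformed file stops the API server from starting, and a wrong provider order starts it but keeps writing plaintext.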
Image security

ImagePolicyWebhook is an admission plugin, not a Kubernetes resource kind: it is enabled with --enable-admission-plugins=ImagePolicyWebhook and configured through an AdmissionConfiguration file passed to kube-apiserver via --admission-control-config-file. The plugin sends the image references of every pod to an external webhook (addressed by the kubeconfig below) and lets it allow or deny admission. defaultAllow: false is the setting that matters: with defaultAllow: true a webhook outage admits every image.

# ImagePolicyWebhook admission plugin configuration
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: ImagePolicyWebhook
  configuration:
    imagePolicy:
      kubeConfigFile: /etc/kubernetes/image-policy/kubeconfig.yaml   # example path; kubeconfig that points at the webhook
      allowTTL: 50          # seconds to cache allow responses
      denyTTL: 50           # seconds to cache deny responses
      defaultAllow: false   # fail closed when the webhook is unreachable
Container runtime security

Admission controls only decide what may start; runtime security tools use the kernel (eBPF) to observe, and optionally block, what processes actually do afterwards. Cilium Tetragon applies TracingPolicy objects for this. Applying a manifest straight from a repository's main branch pulls unreviewed, unpinned content into the cluster, so review the file and pin a release tag (or install the tetragon Helm chart) before using it outside a lab.

# example runtime-security manifest (Cilium Tetragon); review and pin before use
kubectl apply -f https://raw.githubusercontent.com/cilium/tetragon/main/examples/operator-config.yaml
Security scanning

# Trivy image scan
trivy image myapp:latest
# in CI: report only HIGH/CRITICAL and fail the job (non-zero exit) when any are found
trivy image --severity HIGH,CRITICAL --exit-code 1 myapp:latest
# Falco runtime detection. A file under the chart's templates/ directory is a Helm
# template and cannot be applied with kubectl; install the chart instead
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm install falco falcosecurity/falco --namespace falco --create-namespace
Notice: unless otherwise stated, all articles on this site are original to this site. Without this site's consent, no individual or organization may copy, misappropriate, scrape or republish this site's content on any website, book or other media platform. If any content on this site infringes the legitimate rights of an original author, please contact us to resolve it.