# Kubernetes Security Policies (k8s-security-policies)

Comprehensive guide for implementing NetworkPolicy, PodSecurityPolicy, RBAC, and Pod Security Standards in Kubernetes.
## Purpose

Implement defense-in-depth security for Kubernetes clusters using network policies, pod security standards, and RBAC.

## When to Use This Skill

- Implement network segmentation
- Configure pod security standards
- Set up RBAC for least-privilege access
- Create security policies for compliance
- Implement admission control
- Secure multi-tenant clusters
## Pod Security Standards

### 1. Privileged (Unrestricted)

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: privileged-ns
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/warn: privileged
```

### 2. Baseline (Minimally restrictive)

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: baseline-ns
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/audit: baseline
    pod-security.kubernetes.io/warn: baseline
```

### 3. Restricted (Most restrictive)

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: restricted-ns
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
```

## Network Policies

### Default Deny All
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
```

### Allow Frontend to Backend

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
```

### Allow DNS

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: kube-system
    ports:
    - protocol: UDP
      port: 53
```

Reference: See `assets/network-policy-template.yaml`
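To see how the three policies above combine, here is an added Python example (not part of the original skill) that models the NetworkPolicy selection and matching rules for label-based peers and ports and evaluates whether a given pod-to-pod connection would be allowed. The three policies are transcribed from the YAML above as Python dicts; the pods, the namespace labels and the fourth policy `allow-frontend-egress-to-backend` are constructed for the example. `ipBlock` peers, `matchExpressions`, named ports and `endPort` are not modelled, and every policy is assumed to set `policyTypes` explicitly, as the three above do.

```python
"""Evaluate Kubernetes NetworkPolicy semantics for pod-to-pod traffic (added example)."""

# The three policies from the page, transcribed from YAML into dicts.
DEFAULT_DENY_ALL = {"metadata": {"name": "default-deny-all", "namespace": "production"},
                    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
ALLOW_FRONTEND_TO_BACKEND = {
    "metadata": {"name": "allow-frontend-to-backend", "namespace": "production"},
    "spec": {"podSelector": {"matchLabels": {"app": "backend"}}, "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                          "ports": [{"protocol": "TCP", "port": 8080}]}]}}
ALLOW_DNS = {
    "metadata": {"name": "allow-dns", "namespace": "production"},
    "spec": {"podSelector": {}, "policyTypes": ["Egress"],
             "egress": [{"to": [{"namespaceSelector": {"matchLabels": {"name": "kube-system"}}}],
                         "ports": [{"protocol": "UDP", "port": 53}]}]}}
# Constructed for this example: the egress rule the page's set is missing.
ALLOW_FRONTEND_EGRESS = {
    "metadata": {"name": "allow-frontend-egress-to-backend", "namespace": "production"},
    "spec": {"podSelector": {"matchLabels": {"app": "frontend"}}, "policyTypes": ["Egress"],
             "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "backend"}}}],
                         "ports": [{"protocol": "TCP", "port": 8080}]}]}}
PAGE_POLICIES = [DEFAULT_DENY_ALL, ALLOW_FRONTEND_TO_BACKEND, ALLOW_DNS]
COMPLETE_POLICIES = PAGE_POLICIES + [ALLOW_FRONTEND_EGRESS]

# Constructed sample cluster state: pods and namespace labels.
PODS = {
    "frontend": {"namespace": "production", "labels": {"app": "frontend"}},
    "backend": {"namespace": "production", "labels": {"app": "backend"}},
    "debug": {"namespace": "production", "labels": {"app": "debug"}},
    "coredns": {"namespace": "kube-system", "labels": {"k8s-app": "kube-dns"}},
}
# Kubernetes sets only kubernetes.io/metadata.name automatically; the 'name' label
# that allow-dns selects on has to be added to kube-system by an administrator.
NAMESPACE_LABELS = {
    "production": {"kubernetes.io/metadata.name": "production"},
    "kube-system": {"kubernetes.io/metadata.name": "kube-system", "name": "kube-system"},
}


def _selector_matches(selector, labels):
    """An empty selector {} matches everything; every matchLabels pair must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _peer_matches(peer, policy_ns, pod):
    """Match one entry of a from:/to: list (ipBlock peers are not modelled)."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False
    if ns_sel is None:
        if pod["namespace"] != policy_ns:  # podSelector alone is scoped to the policy's namespace
            return False
    elif not _selector_matches(ns_sel, NAMESPACE_LABELS.get(pod["namespace"], {})):
        return False
    return pod_sel is None or _selector_matches(pod_sel, pod["labels"])


def _port_matches(rule_ports, port, protocol):
    """A rule without ports matches every port; the protocol defaults to TCP."""
    return not rule_ports or any(
        p.get("protocol", "TCP") == protocol and p.get("port") == port for p in rule_ports)


def direction_allowed(pod, peer, port, protocol, direction, policies):
    """direction is 'Ingress' (pod receives from peer) or 'Egress' (pod sends to peer)."""
    applicable = [p for p in policies
                  if p["metadata"]["namespace"] == pod["namespace"]
                  and direction in p["spec"].get("policyTypes", ["Ingress"])
                  and _selector_matches(p["spec"]["podSelector"], pod["labels"])]
    if not applicable:
        return True  # no policy selects the pod for this direction: Kubernetes allows by default
    peer_key, rules_key = ("from", "ingress") if direction == "Ingress" else ("to", "egress")
    for pol in applicable:  # policies are additive: any matching rule in any policy allows
        for rule in pol["spec"].get(rules_key, []):
            peers = rule.get(peer_key)
            peer_ok = not peers or any(
                _peer_matches(pe, pol["metadata"]["namespace"], peer) for pe in peers)
            if peer_ok and _port_matches(rule.get("ports"), port, protocol):
                return True
    return False


def is_allowed(src, dst, port, protocol="TCP", policies=COMPLETE_POLICIES, pods=PODS):
    """A connection needs egress permission at the source AND ingress permission at the destination."""
    s, d = pods[src], pods[dst]
    return (direction_allowed(s, d, port, protocol, "Egress", policies)
            and direction_allowed(d, s, port, protocol, "Ingress", policies))


if __name__ == "__main__":
    for args in [("frontend", "backend", 8080), ("debug", "backend", 8080), ("frontend", "coredns", 53, "UDP")]:
        print(args, "ALLOW" if is_allowed(*args) else "DENY")
```

Evaluated against the page's three policies alone, `is_allowed("frontend", "backend", 8080, policies=PAGE_POLICIES)` is `False`: `default-deny-all` also denies egress, and nothing grants the frontend egress to the backend, so the ingress rule on the backend is not enough on its own and a matching egress policy (the constructed fourth one) is needed. The same evaluation shows that `allow-dns` permits only UDP 53, so DNS over TCP (used when a response does not fit in a UDP datagram) stays blocked, and that the policy depends on the `name: kube-system` label being present on the namespace.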
## RBAC Configuration
### Role (Namespace-scoped)

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: production
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
```

### ClusterRole (Cluster-wide)

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
```

### RoleBinding

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: production
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
- kind: ServiceAccount
  name: default
  namespace: production
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

Reference: See `references/rbac-patterns.md`
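As an added Python example (not part of the original skill), the following code replays what `kubectl auth can-i` decides for the Role, ClusterRole and RoleBinding shown above, transcribed as dicts. The `read-staging-secrets` RoleBinding and the `staging` namespace are constructed to show the rule that most often surprises people: a ClusterRole bound through a RoleBinding grants its verbs only inside the binding's namespace. Subresources, `resourceNames`, `nonResourceURLs` and aggregated ClusterRoles are not modelled.

```python
"""Replay RBAC authorization decisions for Role/ClusterRole bindings (added example)."""

# Objects from the page, transcribed from YAML into dicts.
POD_READER = {
    "kind": "Role", "metadata": {"name": "pod-reader", "namespace": "production"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}],
}
SECRET_READER = {
    "kind": "ClusterRole", "metadata": {"name": "secret-reader"},
    "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}],
}
READ_PODS = {
    "kind": "RoleBinding", "metadata": {"name": "read-pods", "namespace": "production"},
    "subjects": [{"kind": "User", "name": "jane"},
                 {"kind": "ServiceAccount", "name": "default", "namespace": "production"}],
    "roleRef": {"kind": "Role", "name": "pod-reader"},
}
# Constructed: bind the cluster-wide secret-reader ClusterRole inside one namespace only.
READ_STAGING_SECRETS = {
    "kind": "RoleBinding", "metadata": {"name": "read-staging-secrets", "namespace": "staging"},
    "subjects": [{"kind": "User", "name": "jane"}],
    "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
}


def index_roles(*roles):
    """Key roles by (kind, namespace, name); ClusterRoles have namespace None."""
    return {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]): r for r in roles}


ROLES = index_roles(POD_READER, SECRET_READER)
BINDINGS = [READ_PODS, READ_STAGING_SECRETS]


def caller_principals(who):
    """Expand an identity written the way `kubectl --as` takes it into the (kind, name)
    pairs a binding subject can match. Service accounts are written
    system:serviceaccount:<namespace>:<name> and implicitly belong to two groups."""
    principals = {("User", who), ("Group", "system:authenticated")}
    if who.startswith("system:serviceaccount:"):
        _, _, ns, name = who.split(":", 3)
        principals |= {("ServiceAccount", f"{ns}/{name}"),
                       ("Group", "system:serviceaccounts"),
                       ("Group", f"system:serviceaccounts:{ns}")}
    return principals


def _subject_principal(subject):
    if subject["kind"] == "ServiceAccount":
        return ("ServiceAccount", f"{subject['namespace']}/{subject['name']}")
    return (subject["kind"], subject["name"])  # User or Group


def _rule_allows(rule, verb, resource, api_group):
    """Each list grants a match on an exact entry or on the '*' wildcard."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule.get("apiGroups", []), api_group)
            and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb))


def _rules_for(role_ref, binding_ns, roles):
    ns = binding_ns if role_ref["kind"] == "Role" else None
    role = roles.get((role_ref["kind"], ns, role_ref["name"]))
    return role["rules"] if role else []  # a dangling roleRef grants nothing


def can_i(who, verb, resource, namespace, api_group="", roles=ROLES, bindings=BINDINGS):
    """True if any binding for `who` carries a rule allowing verb on resource in namespace."""
    principals = caller_principals(who)
    for binding in bindings:
        if not any(_subject_principal(s) in principals for s in binding.get("subjects", [])):
            continue
        if binding["kind"] == "RoleBinding":
            binding_ns = binding["metadata"]["namespace"]
            if namespace != binding_ns:
                continue  # a RoleBinding grants only in its own namespace, even for a ClusterRole
        else:
            binding_ns = None  # ClusterRoleBinding: applies in every namespace
        if any(_rule_allows(r, verb, resource, api_group)
               for r in _rules_for(binding["roleRef"], binding_ns, roles)):
            return True
    return False


if __name__ == "__main__":
    for check in [("jane", "list", "pods", "production"), ("jane", "get", "secrets", "production"),
                  ("jane", "get", "secrets", "staging"),
                  ("system:serviceaccount:default:my-sa", "list", "pods", "production")]:
        print(check, "yes" if can_i(*check) else "no")
```

The last check mirrors the `kubectl auth can-i list pods --as system:serviceaccount:default:my-sa` command from the Troubleshooting section: that service account appears in no binding, so the answer is no. `can_i("jane", "get", "secrets", "production")` is also no, because `secret-reader` is only bound in `staging`; making it cluster-wide would require a ClusterRoleBinding.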
## Pod Security Context

### Restricted Pod

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: myapp:1.0
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
```
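The namespace labels from the Pod Security Standards section and the pod `securityContext` above meet in the Pod Security Admission controller, which checks every pod against the level named by each label. The following is an added Python example (not the skill's own code) that models a subset of the baseline and restricted controls and the three admission modes. `secure-pod` is the pod above transcribed as a dict; `debug-pod`, `plain-pod` and the two namespace label sets are constructed. It covers host namespaces, `hostPath` volumes, `privileged`, `runAsNonRoot`/`runAsUser`, `allowPrivilegeEscalation`, capabilities and seccomp; the real profiles have further controls (volume types, sysctls, procMount, AppArmor, SELinux) that are left out here.

```python
"""Model Pod Security Standards levels and admission modes (added example, subset of controls)."""

# The restricted pod from the page, transcribed from YAML into a dict.
SECURE_POD = {
    "metadata": {"name": "secure-pod"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "fsGroup": 1000,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "app", "image": "myapp:1.0",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "readOnlyRootFilesystem": True,
                                            "capabilities": {"drop": ["ALL"]}}}],
    },
}
# Constructed: a troubleshooting-style pod that violates even the baseline level.
DEBUG_POD = {
    "metadata": {"name": "debug-pod"},
    "spec": {"hostNetwork": True,
             "containers": [{"name": "shell", "image": "busybox:1.36",
                             "securityContext": {"privileged": True}}]},
}
# Constructed: nothing privileged, but no hardening either (passes baseline, fails restricted).
PLAIN_POD = {"metadata": {"name": "plain-pod"},
             "spec": {"containers": [{"name": "app", "image": "myapp:1.0"}]}}

LEVELS = ("privileged", "baseline", "restricted")
PSA_PREFIX = "pod-security.kubernetes.io/"


def _effective_context(pod_spec, container):
    """Container-level securityContext fields override pod-level ones."""
    ctx = dict(pod_spec.get("securityContext", {}))
    ctx.update(container.get("securityContext", {}))
    return ctx


def check_pod(pod, level):
    """Return the violations of `level`; an empty list means the pod passes that level."""
    if level not in LEVELS:
        raise ValueError(f"unknown Pod Security level: {level}")
    violations = []
    if level == "privileged":
        return violations  # privileged = unrestricted, nothing to check
    spec, name = pod["spec"], pod["metadata"]["name"]
    # baseline controls: no host namespaces, no hostPath volumes, no privileged containers
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            violations.append(f"{name}: {field} must not be true")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            violations.append(f"{name}: volume {vol['name']} uses hostPath")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        ctx = _effective_context(spec, c)
        who = f"{name}/{c['name']}"
        if ctx.get("privileged"):
            violations.append(f"{who}: privileged containers are not allowed")
        if level != "restricted":
            continue
        # restricted controls: non-root, no escalation, drop ALL, seccomp enabled
        if ctx.get("runAsNonRoot") is not True or ctx.get("runAsUser") == 0:
            violations.append(f"{who}: must set runAsNonRoot: true and not run as UID 0")
        if ctx.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{who}: allowPrivilegeEscalation must be explicitly false")
        caps = ctx.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            violations.append(f"{who}: capabilities.drop must include ALL")
        extra = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
        if extra:
            violations.append(f"{who}: only NET_BIND_SERVICE may be added, got {sorted(extra)}")
        if ctx.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
            violations.append(f"{who}: seccompProfile.type must be RuntimeDefault or Localhost")
    return violations


def admit(pod, namespace_labels):
    """Apply the three Pod Security Admission modes read from the namespace labels:
    enforce rejects the pod, audit only records, warn only returns a client warning.
    A mode whose label is absent is treated as privileged (no checks), the controller's default."""
    result = {mode: check_pod(pod, namespace_labels.get(PSA_PREFIX + mode, "privileged"))
              for mode in ("enforce", "audit", "warn")}
    result["admitted"] = not result["enforce"]
    return result


# The restricted-ns labels from the page, and a constructed rollout pattern that enforces
# baseline while auditing and warning on restricted before tightening enforce.
RESTRICTED_NS = {PSA_PREFIX + m: "restricted" for m in ("enforce", "audit", "warn")}
ROLLOUT_NS = {PSA_PREFIX + "enforce": "baseline", PSA_PREFIX + "audit": "restricted",
              PSA_PREFIX + "warn": "restricted"}

if __name__ == "__main__":
    for pod in (SECURE_POD, DEBUG_POD, PLAIN_POD):
        r = admit(pod, ROLLOUT_NS)
        print(pod["metadata"]["name"], "admitted" if r["admitted"] else "rejected",
              f"with {len(r['warn'])} restricted-level warnings")
```

Under `ROLLOUT_NS`, `plain-pod` is admitted but comes back with four restricted-level warnings (no `runAsNonRoot`, no explicit `allowPrivilegeEscalation: false`, no `drop: [ALL]`, no seccomp profile), which is exactly the signal to fix manifests before switching `enforce` to `restricted`; `debug-pod` is rejected at baseline already because of `hostNetwork` and `privileged`.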
## Policy Enforcement with OPA Gatekeeper

### ConstraintTemplate
```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        openAPIV3Schema:
          type: object
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
  - target: admission.k8s.gatekeeper.sh
    rego: |
      package k8srequiredlabels
      violation[{"msg": msg, "details": {"missing_labels": missing}}] {
        provided := {label | input.review.object.metadata.labels[label]}
        required := {label | label := input.parameters.labels[_]}
        missing := required - provided
        count(missing) > 0
        msg := sprintf("missing required labels: %v", [missing])
      }
```

### Constraint
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: require-app-label
spec:
  match:
    kinds:
    - apiGroups: ["apps"]
      kinds: ["Deployment"]
  parameters:
    labels: ["app", "environment"]
```

## Service Mesh Security (Istio)

### PeerAuthentication (mTLS)
```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: production
spec:
  mtls:
    mode: STRICT
```

### AuthorizationPolicy
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-frontend
  namespace: production
spec:
  selector:
    matchLabels:
      app: backend
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/production/sa/frontend"]
```

## Best Practices
- Implement Pod Security Standards at namespace level
- Use Network Policies for network segmentation
- Apply least-privilege RBAC for all service accounts
- Enable admission control (OPA Gatekeeper/Kyverno)
- Run containers as non-root
- Use read-only root filesystem
- Drop all capabilities unless needed
- Implement resource quotas and limit ranges
- Enable audit logging for security events
- Scan images regularly for vulnerabilities
## Compliance Frameworks

### CIS Kubernetes Benchmark

- Use RBAC authorization
- Enable audit logging
- Use Pod Security Standards
- Configure network policies
- Implement secrets encryption at rest
- Enable node authentication

### NIST Cybersecurity Framework

- Implement defense in depth
- Use network segmentation
- Configure security monitoring
- Implement access controls
- Enable logging and monitoring
## Troubleshooting

**NetworkPolicy not working:**

```bash
# Check if the CNI plugin supports NetworkPolicy
kubectl get nodes -o wide
kubectl describe networkpolicy <name>
```

**RBAC permission denied:**

```bash
# Check effective permissions
kubectl auth can-i list pods --as system:serviceaccount:default:my-sa
kubectl auth can-i '*' '*' --as system:serviceaccount:default:my-sa
```

## Reference Files
- `assets/network-policy-template.yaml` - Network policy examples
- `assets/pod-security-template.yaml` - Pod security policies
- `references/rbac-patterns.md` - RBAC configuration patterns
## Related Skills

- `k8s-manifest-generator` - For creating secure manifests
- `gitops-workflow` - For automated policy deployment