# Security Policies - Kubernetes Security Hardening

## Overview

Security policies enforce security controls in Kubernetes clusters. They cover Pod Security Standards, Network Policies, RBAC, and admission controllers.
## Pod Security Standards

### Pod Security Levels

- Privileged: unrestricted policy; allows known privilege escalations
- Baseline: minimally restrictive; blocks known privilege escalations
- Restricted: heavily restricted; follows current pod hardening best practices
### Pod Security Policy (Deprecated)

```yaml
# PodSecurityPolicy was removed in Kubernetes 1.25; shown only for reference.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
```
### Pod Security Admission (New)

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: secure-namespace
  labels:
    # enforce rejects non-compliant pods; audit and warn only record or warn
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
```
## Network Policies

### Default Deny Policy

```yaml
# Applies to every pod in the namespace; requires a CNI plugin that enforces NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
```
### Allow Specific Traffic

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
```
## RBAC Security

### Service Account Security

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: secure-sa
# No API token is mounted into pods using this account unless a pod opts in explicitly.
automountServiceAccountToken: false
```
### Minimal Permissions

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
rules:
  - apiGroups: [""]
    resources: ["pods"]
    # resourceNames only restricts name-bearing verbs such as get; list and watch
    # requests carry no name and would not match this rule, so list is left out.
    verbs: ["get"]
    resourceNames: ["specific-pod"]
```
## Admission Controllers

### OPA Gatekeeper

```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        # Parameters schema for the generated Constraint kind
        openAPIV3Schema:
          type: object
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels

        violation[{"msg": msg}] {
          required := input.parameters.labels
          provided := input.review.object.metadata.labels
          missing := required[_]
          not provided[missing]
          msg := sprintf("Missing required label: %v", [missing])
        }
```
### Falco Runtime Security

```yaml
# Falco needs host access, so it must run in a namespace whose Pod Security level
# permits privileged pods, not in a namespace enforcing the restricted profile.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: falco
spec:
  selector:
    matchLabels:
      app: falco
  template:
    metadata:
      labels:
        app: falco
    spec:
      serviceAccountName: falco
      hostNetwork: true
      hostPID: true
      containers:
        - name: falco
          image: falcosecurity/falco:latest
          securityContext:
            privileged: true
          volumeMounts:
            - name: dev
              mountPath: /host/dev
            - name: proc
              mountPath: /host/proc
              readOnly: true
      # Host paths backing the mounts above (missing from the original snippet)
      volumes:
        - name: dev
          hostPath:
            path: /dev
        - name: proc
          hostPath:
            path: /proc
```
## Container Security

### Security Context

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod   # name added; the original snippet omitted metadata
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 2000
    seccompProfile:
      type: RuntimeDefault   # required by the restricted Pod Security level
  containers:
    - name: secure-container
      image: nginx:alpine
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - ALL
          add:
            - NET_BIND_SERVICE
      # Writable scratch space nginx needs once the root filesystem is read-only
      volumeMounts:
        - name: cache
          mountPath: /var/cache/nginx
        - name: run
          mountPath: /var/run
  volumes:
    - name: cache
      emptyDir: {}
    - name: run
      emptyDir: {}
```
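The namespace labels above only say which Pod Security level is enforced; the following script, added here as an example and not code from the original page or from Kubernetes, shows what the restricted level actually checks in a pod spec. It re-implements a subset of the Restricted profile rules (privileged, allowPrivilegeEscalation, capabilities, runAsNonRoot, seccomp, host namespaces) and runs them offline against two constructed manifests: the hardened nginx pod from this page (with a RuntimeDefault seccomp profile assumed) and the Falco DaemonSet's pod template.

```python
# Added example, not code from the page: partial offline re-implementation of the
# Restricted Pod Security Standard checks (assumption: not the real PSA code).
ALLOWED_ADD_CAPS = {"NET_BIND_SERVICE"}
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}

def restricted_violations(pod: dict) -> list[str]:
    """Return the Restricted-profile violations found in a pod manifest (empty = admitted)."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    found = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            found.append(f"spec.{key} must not be true")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        name = c.get("name", "?")
        if sc.get("privileged"):
            found.append(f"{name}: privileged must not be true")
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"{name}: allowPrivilegeEscalation must be false")
        caps = sc.get("capabilities", {})
        if caps.get("drop") != ["ALL"]:
            found.append(f"{name}: capabilities.drop must be [ALL]")
        extra = set(caps.get("add", [])) - ALLOWED_ADD_CAPS
        if extra:
            found.append(f"{name}: capabilities.add only permits NET_BIND_SERVICE, got {sorted(extra)}")
        # Pod-level settings are inherited unless the container overrides them.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f"{name}: runAsNonRoot must be true")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ALLOWED_SECCOMP:
            found.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return found

# Constructed sample manifests: the page's hardened nginx pod and its Falco pod template.
SECURE_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "secure-container", "image": "nginx:alpine",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "readOnlyRootFilesystem": True,
                                        "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}]}}
FALCO_POD = {"spec": {
    "hostNetwork": True, "hostPID": True,
    "containers": [{"name": "falco", "image": "falcosecurity/falco:latest",
                    "securityContext": {"privileged": True}}]}}

if __name__ == "__main__":
    for label, pod in (("secure-container", SECURE_POD), ("falco", FALCO_POD)):
        print(label, "->", restricted_violations(pod) or "admitted by the restricted profile")
```

The Falco pod fails on seven counts, which is why a runtime security agent needs its own namespace at the privileged level rather than the restricted namespace defined earlier.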
### Image Security

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pinned-image-pod   # name added; the original snippet omitted metadata
spec:
  containers:
    - name: app
      # Pinning to a digest makes the deployed image immutable even if the tag is moved
      image: myregistry/myapp:v1.2.3@sha256:abc123...
      imagePullPolicy: Always
```
## Secrets Management

### External Secrets Operator

```yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-backend
spec:
  provider:
    vault:
      server: "https://vault.example.com"
      path: "secret"
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "example-role"
```
### Sealed Secrets

```yaml
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: mysecret
spec:
  encryptedData:
    password: AgBy3i4OJSWK+PiTySYZZA9rO43cGDEQAx...
```
## Compliance & Auditing

### CIS Kubernetes Benchmark

- Control plane security configuration
- Worker node security configuration
- Policies
### Audit Logging

```yaml
# Rules are evaluated in order and the first match wins.
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # Metadata level records who touched a secret without writing its contents to the log
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets"]
  # RequestResponse records full request and response bodies for pod operations
  - level: RequestResponse
    resources:
      - group: ""
        resources: ["pods"]
```
## Best Practices

- Enable audit logging
- Apply the principle of least privilege
- Regularly scan images for vulnerabilities
- Implement network segmentation
- Use admission controllers
- Monitor runtime security events
- Keep Kubernetes updated
- Use a service mesh for mTLS
## Security Tools

| Tool | Purpose | Use Case |
|---|---|---|
| Falco | Runtime security | Threat detection |
| OPA Gatekeeper | Policy enforcement | Admission control |
| Twistlock/Prisma | Image scanning | Vulnerability management |
| Aqua Security | Container security | Complete platform |