# Chapter 28: Cloud Native Security

> "Cloud native isn't more secure; it's secure in a different way."

```{mermaid}
mindmap
  root((Cloud Native Security))
    4C Model
      Cloud
      Cluster
      Container
      Code
    Container Security
      Image scanning
      Runtime security
      Image signing
      SBOM
    K8s Security
      RBAC
      PSS
      Network Policy
      Admission Control
    Compliance
      SOC 2
      ISO 27001
      CIS Benchmarks
```

## 28.1 The 4C Security Model

Each layer wraps the one inside it: a weakness in an outer layer (the cloud account, the cluster) undermines every control applied further in, so every layer needs its own measures.

```
┌─────────────────────────────────────────────────────┐
│ Code                                                │
│ SAST, SCA, secure coding                            │
│ ┌─────────────────────────────────────────────────┐ │
│ │ Container                                       │ │
│ │ Image scanning, minimal base image, non-root    │ │
│ │ ┌─────────────────────────────────────────────┐ │ │
│ │ │ Cluster                                     │ │ │
│ │ │ RBAC, PSS, Network Policy                   │ │ │
│ │ │ ┌─────────────────────────────────────────┐ │ │ │
│ │ │ │ Cloud                                   │ │ │ │
│ │ │ │ IAM, VPC, encryption, audit             │ │ │ │
│ │ │ └─────────────────────────────────────────┘ │ │ │
│ │ └─────────────────────────────────────────────┘ │ │
│ └─────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────┘
```

## 28.2 Container Security

### Image scanning

```bash
# Trivy: container image vulnerability scanning
trivy image myapp:latest
trivy image --severity HIGH,CRITICAL myapp:latest

# Grype: another popular scanner
grype myapp:latest
```

### Hardened Dockerfile

```dockerfile
# ✅ Use a minimal base image
FROM python:3.12-slim AS builder
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

FROM python:3.12-slim
WORKDIR /app
# ✅ Create a non-root user
RUN groupadd -r appuser && useradd -r -g appuser appuser
COPY --from=builder /usr/local/lib/python3.12 /usr/local/lib/python3.12
COPY . .
# ✅ Run as the non-root user
USER appuser
# ✅ Read-only filesystem
# docker run --read-only myapp:latest
EXPOSE 8000
CMD ["python", "-m", "uvicorn", "main:app", "--host", "0.0.0.0"]
```

### Image signing (Cosign)

```bash
# Sign the image
cosign sign --key cosign.key myregistry.com/myapp:latest

# Verify the signature
cosign verify --key cosign.pub myregistry.com/myapp:latest
```

Cosign signs the image digest that the tag resolves to at signing time, so a tag that is later repointed is not covered by the old signature; deployments should verify against a digest-pinned reference rather than a mutable tag.

## 28.3 Kubernetes Security

### RBAC

```yaml
# Least-privilege Role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-reader
  namespace: production
rules:
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-reader-binding
  namespace: production
subjects:
  - kind: ServiceAccount
    name: my-app
    namespace: production
roleRef:
  kind: Role
  name: app-reader
  apiGroup: rbac.authorization.k8s.io
```

### Pod Security Standards (PSS)

```yaml
# Restrict the Pod security configuration allowed in the namespace
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
```

### Network Policy

```yaml
# Only allow frontend to reach backend
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-policy
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - port: 8080
```

### Admission Control (OPA Gatekeeper)

```yaml
# Forbid the latest tag
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
  name: no-latest
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    tags: ["latest"]
---
# Require resource limits on every container
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: require-limits
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    # which limits every container must declare
    limits: ["cpu", "memory"]
```

## 28.4 K8s Hardening Checklist

```
✅ RBAC: least privilege, avoid cluster-admin
✅ PSS: use restricted in production namespaces
✅ Network Policy: default deny, explicit allow
✅ Admission Control: OPA Gatekeeper / Kyverno
✅ Image security: scan + sign + private registry
✅ Secrets: External Secrets Operator + encryption
✅ Audit logs: enable K8s Audit Logging
✅ etcd encryption: encrypt data at rest
✅ Service Mesh: automatic mTLS (Istio/Cilium)
✅ Runtime security: Falco / Tetragon
```

## 28.5 Summary

- **4C model**: every layer from the cloud platform down to the code needs its own controls
- **Container security**: minimal image + non-root + vulnerability scanning + signing
- **K8s security**: RBAC + PSS + Network Policy + Admission Control
- **OPA Gatekeeper** enforces security policy at the admission stage
- Security is **layered**; no layer can be skipped
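The Gatekeeper constraints and the `restricted` Pod Security Standard in 28.3 are declarative, which hides what the admission controller actually evaluates. The following added example (not Gatekeeper, not the PSS admission controller, and not code from this chapter) implements the same checks in Python over a Pod manifest given as a dict, i.e. the JSON form of the YAML, so it runs without any Kubernetes library and can sit in a CI step. The two sample manifests are constructed for the example; `myregistry.example/myapp:1.4.2` is a placeholder image reference.

```python
"""Admission-style checks over a Pod manifest: the two Gatekeeper constraints
from the chapter (no 'latest' tag, resource limits required) plus the core of
the Pod Security Standard 'restricted' profile.

Added illustration, not Gatekeeper or the PSS admission controller.  The
manifest is a plain dict (the JSON form of the YAML)."""
import json
from typing import List, Optional

DISALLOWED_TAGS = {"latest"}
REQUIRED_LIMITS = ("cpu", "memory")


def image_tag(image: str) -> Optional[str]:
    """Tag of an image reference, or None when there is no tag (Kubernetes then
    assumes 'latest') or when the image is pinned by digest."""
    if "@sha256:" in image:
        return None                       # digest-pinned: immutable, tag irrelevant
    last_slash = image.rfind("/")
    colon = image.rfind(":")
    if colon > last_slash:                # ':' after the last '/' is a tag, not a registry port
        return image[colon + 1:]
    return None


def check_container(c: dict, pod_sc: dict) -> List[str]:
    """Violations for one container; the pod-level securityContext supplies defaults."""
    name = c.get("name", "<unnamed>")
    sc = c.get("securityContext", {})
    problems = []

    # K8sDisallowedTags equivalent
    tag = image_tag(c["image"])
    if tag in DISALLOWED_TAGS:
        problems.append(f"{name}: image tag '{tag}' is not allowed")
    elif tag is None and "@sha256:" not in c["image"]:
        problems.append(f"{name}: image has no tag (implicitly 'latest')")

    # K8sRequiredResources equivalent
    limits = c.get("resources", {}).get("limits", {})
    for res in REQUIRED_LIMITS:
        if res not in limits:
            problems.append(f"{name}: missing resources.limits.{res}")

    # PSS 'restricted': a container-level value overrides the pod-level one
    def effective(key):
        return sc.get(key, pod_sc.get(key))

    if sc.get("privileged"):
        problems.append(f"{name}: privileged containers are forbidden")
    if effective("runAsNonRoot") is not True:
        problems.append(f"{name}: runAsNonRoot must be true")
    if sc.get("allowPrivilegeEscalation") is not False:   # must be set explicitly
        problems.append(f"{name}: allowPrivilegeEscalation must be false")
    if "ALL" not in sc.get("capabilities", {}).get("drop", []):
        problems.append(f"{name}: capabilities.drop must include ALL")
    seccomp = (effective("seccompProfile") or {}).get("type")
    if seccomp not in ("RuntimeDefault", "Localhost"):
        problems.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return problems


def validate_pod(pod: dict) -> List[str]:
    """All violations for a Pod; an empty list means the Pod would be admitted."""
    spec = pod["spec"]
    problems = []
    if any(spec.get(k) for k in ("hostNetwork", "hostPID", "hostIPC")):
        problems.append("pod: host namespaces (hostNetwork/hostPID/hostIPC) are forbidden")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        problems.extend(check_container(c, pod_sc))
    return problems


# Constructed sample manifests (JSON form of a Pod), not taken from any real cluster.
BAD_POD = json.loads("""{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "web", "namespace": "production"},
  "spec": {"containers": [{"name": "web", "image": "nginx:latest"}]}
}""")

GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web", "namespace": "production"},
    "spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "web",
            "image": "myregistry.example/myapp:1.4.2",   # placeholder reference
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("bad", BAD_POD), ("good", GOOD_POD)):
        print(label, "->", validate_pod(pod) or "admitted")
```

The "bad" manifest is rejected for seven reasons (mutable tag, two missing limits, and four missing `restricted` settings); the "good" one passes because it sets `runAsNonRoot` and the seccomp profile at pod level and the remaining fields per container, which is exactly how the real admission controller merges the two levels.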
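The first checklist item, "least privilege, avoid cluster-admin", is easy to state and tedious to verify by hand across many bindings. This added example (not a kubectl plugin or part of any project) resolves `RoleBinding`/`ClusterRoleBinding` objects to the rules they grant and flags the grants that most often break least privilege: wildcards, read access to Secrets, exec/attach into pods, the `escalate`/`bind`/`impersonate` verbs, bindings to the built-in `cluster-admin`, and bindings to the `system:authenticated`/`system:unauthenticated` groups. Objects are dicts in the JSON shape `kubectl get -o json` produces; the sample dump is constructed, combining the chapter's `app-reader` objects with two deliberately over-privileged ones.

```python
"""Least-privilege audit of RBAC objects.

Added illustration, not part of kubectl or any project.  Input objects are
dicts in the JSON form kubectl emits; the built-in cluster-admin ClusterRole
is recognised by name because it is usually not part of a manifest dump."""
from typing import Dict, List, Tuple

WILDCARD = "*"
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}
SECRET_READ_VERBS = {"get", "list", "watch"}
EXEC_SUBRESOURCES = {"pods/exec", "pods/attach", "pods/portforward"}
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

Finding = Tuple[str, str, str]   # (subject, binding name, reason)


def audit_rules(rules: List[dict]) -> List[str]:
    """Reasons a PolicyRule list is broader than a read-only application role."""
    reasons = []
    for rule in rules:
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if WILDCARD in verbs or WILDCARD in resources:
            reasons.append("wildcard verbs or resources")
        if "secrets" in resources and verbs & SECRET_READ_VERBS:
            reasons.append("can read Secrets")
        if resources & EXEC_SUBRESOURCES and "create" in verbs:
            reasons.append("can exec/attach/port-forward into pods")
        if verbs & ESCALATION_VERBS:
            reasons.append("escalation verbs: " + ", ".join(sorted(verbs & ESCALATION_VERBS)))
    return reasons


def index_roles(objects: List[dict]) -> Dict[Tuple[str, str, str], List[dict]]:
    """Map (kind, namespace, name) -> rules; ClusterRoles have an empty namespace."""
    roles = {}
    for obj in objects:
        if obj["kind"] in ("Role", "ClusterRole"):
            ns = obj["metadata"].get("namespace", "") if obj["kind"] == "Role" else ""
            roles[(obj["kind"], ns, obj["metadata"]["name"])] = obj.get("rules", [])
    return roles


def subject_id(subject: dict) -> str:
    if subject["kind"] == "ServiceAccount":
        return f"ServiceAccount {subject.get('namespace', '')}/{subject['name']}"
    return f"{subject['kind']} {subject['name']}"


def audit_bindings(objects: List[dict]) -> List[Finding]:
    """One finding per (subject, binding, reason) across all bindings in the dump."""
    roles = index_roles(objects)
    findings = []
    for obj in objects:
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref, binding = obj["roleRef"], obj["metadata"]["name"]
        # A RoleBinding may reference a Role in its own namespace or any ClusterRole.
        ns = obj["metadata"].get("namespace", "") if ref["kind"] == "Role" else ""
        reasons = audit_rules(roles.get((ref["kind"], ns, ref["name"]), []))
        if ref["kind"] == "ClusterRole" and ref["name"] == "cluster-admin":
            reasons.append("bound to built-in cluster-admin")
        for subject in obj.get("subjects", []):
            sid = subject_id(subject)
            if subject["kind"] == "Group" and subject["name"] in BROAD_GROUPS:
                findings.append((sid, binding, f"granted to broad group {subject['name']}"))
            for reason in reasons:
                findings.append((sid, binding, reason))
    return findings


# Constructed sample dump: the chapter's app-reader objects plus two over-privileged ones.
SAMPLE_OBJECTS = [
    {"kind": "Role", "metadata": {"name": "app-reader", "namespace": "production"},
     "rules": [
         {"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["get", "list", "watch"]},
         {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "app-reader-binding", "namespace": "production"},
     "subjects": [{"kind": "ServiceAccount", "name": "my-app", "namespace": "production"}],
     "roleRef": {"kind": "Role", "name": "app-reader", "apiGroup": "rbac.authorization.k8s.io"}},
    {"kind": "Role", "metadata": {"name": "debug", "namespace": "production"},
     "rules": [
         {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
         {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "debug-everyone", "namespace": "production"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}],
     "roleRef": {"kind": "Role", "name": "debug", "apiGroup": "rbac.authorization.k8s.io"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin", "apiGroup": "rbac.authorization.k8s.io"}},
]

if __name__ == "__main__":
    for subject, binding, reason in audit_bindings(SAMPLE_OBJECTS):
        print(f"{binding}: {subject}: {reason}")
```

Against the sample dump the chapter's `app-reader-binding` produces no findings, while the constructed `debug-everyone` binding is flagged three times (broad group, Secrets read, pod exec) and `ci-admin` once for `cluster-admin`. Run against a real `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` dump, the output is a starting list for tightening verbs and removing bindings.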
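The NetworkPolicy in 28.3 and the checklist rule "default deny, explicit allow" rest on a semantic that is easy to get wrong: a pod is not isolated until some policy selects it, and once it is, traffic is allowed only if the union of the selecting policies' rules permits it. The following added evaluator (an illustration, not the CNI plugin's code) makes that rule executable for the ingress direction. It supports `podSelector` and `namespaceSelector` with `matchLabels` and numeric TCP ports; named ports, `matchExpressions`, egress and `ipBlock` are out of scope. The pods, namespaces and the `default-deny-ingress` policy are constructed for the example; `backend-policy` is the chapter's own policy in dict form.

```python
"""Minimal evaluator for Kubernetes NetworkPolicy ingress semantics.

Added illustration, not the CNI's implementation.  A pod is isolated as soon
as any Ingress policy in its namespace selects it, and is then reachable only
through the union of those policies' ingress rules.  A policy with an Ingress
type and no ingress rules is therefore a default-deny policy."""
from typing import Dict, List, Optional


def labels_match(selector: Optional[dict], labels: dict) -> bool:
    """matchLabels semantics: an empty or absent selector matches everything."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def policy_types(spec: dict) -> set:
    """Explicit policyTypes, else Ingress plus Egress only if egress rules exist."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress"} | ({"Egress"} if "egress" in spec else set())


def peer_matches(peer: dict, src: dict, namespaces: Dict[str, dict], policy_ns: str) -> bool:
    if "ipBlock" in peer:
        return False                    # ipBlock is for traffic outside the pod network
    pod_sel, ns_sel = peer.get("podSelector"), peer.get("namespaceSelector")
    if ns_sel is not None:
        if not labels_match(ns_sel, namespaces.get(src["namespace"], {})):
            return False
    elif src["namespace"] != policy_ns:
        return False                    # podSelector alone is namespace-local
    return pod_sel is None or labels_match(pod_sel, src["labels"])


def rule_matches(rule: dict, src: dict, port: int, namespaces: Dict[str, dict], policy_ns: str) -> bool:
    froms, ports = rule.get("from", []), rule.get("ports", [])
    src_ok = not froms or any(peer_matches(p, src, namespaces, policy_ns) for p in froms)
    port_ok = not ports or any(p.get("port") == port and p.get("protocol", "TCP") == "TCP"
                               for p in ports)
    return src_ok and port_ok


def ingress_allowed(policies: List[dict], namespaces: Dict[str, dict],
                    src: dict, dst: dict, port: int) -> bool:
    """Whether pod `src` may open a TCP connection to pod `dst` on `port`."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst["namespace"]
                 and "Ingress" in policy_types(p["spec"])
                 and labels_match(p["spec"].get("podSelector"), dst["labels"])]
    if not selecting:
        return True                     # not isolated: the Kubernetes default is allow
    return any(rule_matches(rule, src, port, namespaces, p["metadata"]["namespace"])
               for p in selecting for rule in p["spec"].get("ingress", []))


# The chapter's backend-policy, as a dict.
BACKEND_POLICY = {
    "metadata": {"name": "backend-policy", "namespace": "production"},
    "spec": {"podSelector": {"matchLabels": {"app": "backend"}},
             "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                          "ports": [{"port": 8080}]}]},
}
# Constructed default-deny policy for the namespace (selects every pod, allows nothing).
DEFAULT_DENY = {
    "metadata": {"name": "default-deny-ingress", "namespace": "production"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}
# Constructed namespaces and pods; "batch" carries the frontend label in another namespace.
NAMESPACES = {"production": {"kubernetes.io/metadata.name": "production"},
              "batch": {"kubernetes.io/metadata.name": "batch"}}
FRONTEND = {"name": "frontend-1", "namespace": "production", "labels": {"app": "frontend"}}
BACKEND = {"name": "backend-1", "namespace": "production", "labels": {"app": "backend"}}
BATCH = {"name": "job-1", "namespace": "batch", "labels": {"app": "frontend"}}

if __name__ == "__main__":
    only = [BACKEND_POLICY]
    both = [BACKEND_POLICY, DEFAULT_DENY]
    print("frontend -> backend:8080", ingress_allowed(only, NAMESPACES, FRONTEND, BACKEND, 8080))
    print("frontend -> backend:9090", ingress_allowed(only, NAMESPACES, FRONTEND, BACKEND, 9090))
    print("batch/frontend-labelled -> backend:8080", ingress_allowed(only, NAMESPACES, BATCH, BACKEND, 8080))
    print("batch -> frontend:80 without default deny", ingress_allowed(only, NAMESPACES, BATCH, FRONTEND, 80))
    print("batch -> frontend:80 with default deny", ingress_allowed(both, NAMESPACES, BATCH, FRONTEND, 80))
```

Two results are the instructive ones. With only `backend-policy` in place, the frontend pod is reachable from the `batch` namespace because nothing selects it, which is why the checklist asks for a namespace-wide default-deny first. And a pod in another namespace carrying the `app: frontend` label is still denied, because a `podSelector` peer without a `namespaceSelector` only matches pods in the policy's own namespace.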