Chapter 28: Cloud Native Security
“Cloud native is not more secure; it is secure in a different way.”
```mermaid
mindmap
  root((Cloud Native Security))
    4C model
      Cloud
      Cluster
      Container
      Code
    Container security
      Image scanning
      Runtime security
      Image signing
      SBOM
    K8s security
      RBAC
      PSS
      Network Policy
      Admission Control
    Compliance
      SOC 2
      ISO 27001
      CIS Benchmarks
```
28.1 The 4C Security Model
```text
┌─────────────────────────────────────────┐
│ Code                                    │
│ SAST, SCA, secure coding                │
│ ┌─────────────────────────────────────┐ │
│ │ Container                           │ │
│ │ Image scanning, minimal base image, │ │
│ │ non-root                            │ │
│ │ ┌─────────────────────────────────┐ │ │
│ │ │ Cluster                         │ │ │
│ │ │ RBAC, PSS, Network Policy       │ │ │
│ │ │ ┌─────────────────────────────┐ │ │ │
│ │ │ │ Cloud                       │ │ │ │
│ │ │ │ IAM, VPC, encryption, audit │ │ │ │
│ │ │ └─────────────────────────────┘ │ │ │
│ │ └─────────────────────────────────┘ │ │
│ └─────────────────────────────────────┘ │
└─────────────────────────────────────────┘
```
28.2 Container Security
Image scanning
```bash
# Trivy: scan a container image for vulnerabilities
trivy image myapp:latest
trivy image --severity HIGH,CRITICAL myapp:latest
# Grype: another popular scanner
grype myapp:latest
```
Secure Dockerfile
```dockerfile
# ✅ Use a minimal base image
FROM python:3.12-slim AS builder
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

FROM python:3.12-slim
WORKDIR /app
# ✅ Create a non-root user
RUN groupadd -r appuser && useradd -r -g appuser appuser
COPY --from=builder /usr/local/lib/python3.12 /usr/local/lib/python3.12
COPY . .
# ✅ Run as the non-root user
USER appuser
# ✅ Read-only filesystem (set at run time):
# docker run --read-only myapp:latest
EXPOSE 8000
CMD ["python", "-m", "uvicorn", "main:app", "--host", "0.0.0.0"]
```
Image signing (Cosign)
```bash
# Sign the image
cosign sign --key cosign.key myregistry.com/myapp:latest
# Verify the signature
cosign verify --key cosign.pub myregistry.com/myapp:latest
```
28.3 Kubernetes Security
RBAC
```yaml
# Least-privilege Role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-reader
  namespace: production
rules:
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-reader-binding
  namespace: production
subjects:
  - kind: ServiceAccount
    name: my-app
    namespace: production
roleRef:
  kind: Role
  name: app-reader
  apiGroup: rbac.authorization.k8s.io
```
Pod Security Standards (PSS)
```yaml
# Restrict the security configuration of Pods in the namespace
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
```
Network Policy
```yaml
# Only allow frontend to reach backend
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-policy
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - port: 8080
```
Admission Control (OPA Gatekeeper)
```yaml
# Forbid the latest tag
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
  name: no-latest
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    tags: ["latest"]
---
# Require resource limits on every container
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: require-limits
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
```
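The PSS `restricted` profile and the two Gatekeeper constraints above are enforced by the API server at admission time; the same rules can also be checked offline against manifests before they reach the cluster. The following linter is an added example (not code from this chapter or from the Gatekeeper project) that re-implements the no-latest-tag rule, the resource-limits rule and a subset of the `restricted` profile; it assumes manifests are already parsed into dicts, and the two sample Pods are constructed.

```python
"""Offline pre-deployment linter for Pod manifests (added example).
Re-implements three controls from this chapter outside the cluster: the
Gatekeeper "no latest tag" and "require resource limits" constraints and a
subset of the Pod Security Standards restricted profile."""

def image_tag(image):
    """Tag of an image reference, or None when it is untagged or digest-pinned."""
    last = image.split("@", 1)[0].rsplit("/", 1)[-1]   # drop digest and repo path
    return last.split(":", 1)[1] if ":" in last else None

def check_pod(pod, disallowed_tags=("latest",)):
    """Return a list of violation strings; an empty list means the Pod passes."""
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext", {})   # PSS fields may live at pod level
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        tag = image_tag(c.get("image", ""))
        if tag is None or tag in disallowed_tags:  # untagged resolves to :latest
            findings.append(f"{name}: image tag '{tag or '<none>'}' is not allowed")
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append(f"{name}: missing resources.limits.{res}")
        ctx = c.get("securityContext", {})
        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation must be false")
        if "ALL" not in ctx.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop must include ALL")
        if ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: runAsNonRoot must be true")
        seccomp = ctx.get("seccompProfile", pod_ctx.get("seccompProfile", {}))
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: seccompProfile.type must be RuntimeDefault/Localhost")
    return findings

# Constructed sample manifests (not from the page): one fails, one passes.
BAD_POD = {"kind": "Pod", "spec": {"containers": [
    {"name": "web", "image": "myregistry.com/myapp:latest"}]}}
GOOD_POD = {"kind": "Pod", "spec": {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "web", "image": "myregistry.com/myapp:1.4.2",
                    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for label, pod in (("bad", BAD_POD), ("good", GOOD_POD)):
        print(label, check_pod(pod) or "OK")
```

Running it reports seven findings for the first Pod and none for the second; wiring the same function into a CI step gives the feedback before Gatekeeper rejects the deployment.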
28.4 K8s Hardening Checklist
✅ RBAC: least privilege, avoid cluster-admin
✅ PSS: use restricted in production namespaces
✅ Network Policy: default deny, explicit allow
✅ Admission Control: OPA Gatekeeper / Kyverno
✅ Image security: scanning + signing + private registry
✅ Secrets: External Secrets Operator + encryption
✅ Audit logging: enable K8s Audit Logging
✅ etcd encryption: encrypt data at rest
✅ Service Mesh: automatic mTLS (Istio/Cilium)
✅ Runtime security: Falco / Tetragon
28.5 Summary
4C model: from the cloud platform down to the code, every layer needs its own security controls
Container security: minimal image + non-root + vulnerability scanning + signing
K8s security: RBAC + PSS + Network Policy + Admission Control
OPA Gatekeeper enforces security policy at the admission stage
Security is layered; no layer can be left out