Kubernetes CKS 安全专家认证:5 大核心模块实战演练与 CIS 基准检查
1. 监控、日志记录和运行时安全模块深度解析
作为CKS认证中权重20%的核心模块,监控、日志记录和运行时安全是保障Kubernetes集群安全的关键防线。这一模块要求工程师能够:
- 实施行为分析检测恶意活动
- 通过审计日志监控访问行为
- 确保容器运行时不可变性
- 识别多层次的威胁向量
Falco配置示例:
apiVersion: apps/v1 kind: DaemonSet metadata: name: falco spec: selector: matchLabels: app: falco template: metadata: labels: app: falco spec: hostNetwork: true containers: - name: falco image: falcosecurity/falco:latest securityContext: privileged: true volumeMounts: - mountPath: /var/run/docker.sock name: docker-socket - mountPath: /dev name: dev-fs - mountPath: /proc name: proc-fs readOnly: true volumes: - name: docker-socket hostPath: path: /var/run/docker.sock - name: dev-fs hostPath: path: /dev - name: proc-fs hostPath: path: /proc提示:Falco默认规则集位于/etc/falco/falco_rules.yaml,建议根据实际环境定制规则
2. CIS Kubernetes基准检查实战
CIS基准提供了Kubernetes安全配置的最佳实践标准。使用kube-bench进行自动化检查:
检查与修复流程:
- 下载并运行kube-bench:
docker run --rm --pid=host -v /etc:/etc:ro -v /var:/var:ro -t aquasec/kube-bench:latest run --targets=master,node- 典型修复操作示例(针对kube-apiserver):
# 修改/etc/kubernetes/manifests/kube-apiserver.yaml - --authorization-mode=Node,RBAC - --enable-admission-plugins=NodeRestriction - --audit-log-path=/var/log/apiserver/audit.log - --audit-log-maxage=30 - --audit-log-maxbackup=3- 重启服务:
systemctl restart kubelet关键检查项对照表:
| 检查项 | 安全等级 | 修复命令/配置 |
|---|---|---|
| 1.2.1 确保--anonymous-auth设置为false | 高危 | --anonymous-auth=false |
| 1.2.6 确保--kubelet-https设置为true | 中危 | --kubelet-https=true |
| 4.2.1 确保使用最小权限的PSP | 高危 | 创建限制性PSP并绑定 |
3. 容器运行时安全加固
Trivy镜像扫描实战:
# 扫描本地镜像 trivy image --severity HIGH,CRITICAL nginx:latest # 集成到CI/CD流水线 trivy image --exit-code 1 --severity CRITICAL --ignore-unfixed myapp:${BUILD_NUMBER}gVisor沙箱容器配置:
apiVersion: node.k8s.io/v1 kind: RuntimeClass metadata: name: gvisor handler: runsc --- apiVersion: v1 kind: Pod metadata: name: sandbox-pod spec: runtimeClassName: gvisor containers: - name: nginx image: nginx注意:沙箱容器会增加约20%的性能开销,建议仅对多租户场景中的不可信负载使用
4. Pod安全策略(PSP)与安全上下文
PSP配置案例:
apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: restricted spec: privileged: false allowPrivilegeEscalation: false requiredDropCapabilities: - NET_RAW - ALL volumes: - 'configMap' - 'emptyDir' - 'projected' - 'secret' - 'downwardAPI' - 'persistentVolumeClaim' hostNetwork: false hostIPC: false hostPID: false runAsUser: rule: 'MustRunAsNonRoot' seLinux: rule: 'RunAsAny' supplementalGroups: rule: 'MustRunAs' ranges: - min: 1 max: 65535 fsGroup: rule: 'MustRunAs' ranges: - min: 1 max: 65535安全上下文最佳实践:
securityContext: runAsNonRoot: true runAsUser: 1000 runAsGroup: 3000 fsGroup: 2000 capabilities: drop: - ALL add: - NET_BIND_SERVICE seccompProfile: type: RuntimeDefault allowPrivilegeEscalation: false readOnlyRootFilesystem: true5. 网络策略与零信任架构
网络策略配置模板:
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: frontend-policy spec: podSelector: matchLabels: role: frontend policyTypes: - Ingress - Egress ingress: - from: - podSelector: matchLabels: role: backend ports: - protocol: TCP port: 80 egress: - to: - podSelector: matchLabels: role: db ports: - protocol: TCP port: 3306 - to: - ipBlock: cidr: 8.8.8.8/32 ports: - protocol: UDP port: 53关键网络隔离策略:
- 默认拒绝所有流量(白名单模式)
- 按业务微服务划分安全域
- 控制Pod到外部的出口流量
- 限制节点间不必要的通信
- 实施服务网格级别的mTLS加密
在实际项目中,建议结合Istio或Cilium实现更细粒度的网络控制。例如CiliumNetworkPolicy支持L7规则:
apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: name: http-ingress spec: endpointSelector: matchLabels: app: web ingress: - fromEndpoints: - matchLabels: app: client toPorts: - ports: - port: "80" protocol: TCP rules: http: - method: "GET" path: "/api/v1/*"