The Kubernetes Hardening Guidance in one picture
National Security Agency (NSA)
Cybersecurity and Infrastructure Security Agency (CISA)
Cybersecurity Technical Report:
Kubernetes Hardening Guidance
August 2021
(Original English PDF: https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF)
Three common sources of Kubernetes compromise:
Supply chain risks - affect the container build cycle or infrastructure acquisition (a compromised base image, build tool or third-party component ends up inside the cluster)
Malicious threat actors - exploit vulnerabilities and misconfigurations in Kubernetes architecture components (API server, etcd, kubelet, container runtime)
Insider threats - may abuse privileges they already hold over the Kubernetes infrastructure
What attackers take from Kubernetes: data and/or computing power (the guide lists denial of service as the third common motive)
Recommendations: Kubernetes Pod security
Build containers to run applications as non-root users
Where possible, run containers with an immutable (read-only) file system
Scan container images for possible vulnerabilities or misconfigurations
Use Pod Security Policies to enforce a minimum level of security, including:
  - Prevent privileged containers
  - Deny container features frequently exploited for attacks, such as hostPID, hostIPC, hostNetwork and allowedHostPath
  - Reject containers that run as root or that can escalate to root
  - Harden applications against exploitation with security services such as SELinux, AppArmor and seccomp
  Caveat: Pod Security Policy was deprecated in Kubernetes 1.21 and removed in 1.25. On current clusters the same controls are enforced by Pod Security Admission (the pod-security.kubernetes.io namespace labels and the Pod Security Standards) or by a third-party admission controller; the per-Pod settings the guide asks for are unchanged.
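The list above in manifest form, as an added example (not from the guide, whose Appendix C shows a PodSecurityPolicy instead): a namespace that enforces the "restricted" Pod Security Standard, and one Pod that satisfies it. The names (hardened-app), the image reference, the uid 10001 and the assumption that the image is built to run as that uid are all placeholders.

```yaml
# Added example, not part of the NSA/CISA guide.
# Namespace-level enforcement: Pod Security Admission rejects any Pod in this
# namespace that violates the "restricted" profile (privileged, host namespaces,
# root user, missing seccomp, added capabilities, hostPath volumes, ...).
apiVersion: v1
kind: Namespace
metadata:
  name: hardened-app          # placeholder
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    # Also warn and audit at the same level so drift shows up in kubectl
    # output and in the API server audit log.
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app          # placeholder
  namespace: hardened-app
  annotations:
    # AppArmor: confine the container named "app" with the runtime's default
    # profile (the annotation form is still honoured; 1.30+ also has the
    # securityContext.appArmorProfile field).
    container.apparmor.security.beta.kubernetes.io/app: runtime/default
spec:
  # Never share the node's PID, IPC or network namespaces.
  hostPID: false
  hostIPC: false
  hostNetwork: false
  # Do not mount a service account token unless the app talks to the API.
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true        # kubelet refuses to start the container as uid 0
    runAsUser: 10001          # assumption: the image is built for this uid
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault    # runtime's default syscall filter
  containers:
  - name: app
    image: registry.example.com/app:1.2.3   # placeholder; pin by digest in practice
    securityContext:
      privileged: false
      allowPrivilegeEscalation: false       # blocks setuid binaries and file caps
      readOnlyRootFilesystem: true          # immutable root file system
      capabilities:
        drop: ["ALL"]                       # add back only what is proven necessary
    volumeMounts:
    # Scratch space the app needs at runtime, kept off the read-only root.
    - name: tmp
      mountPath: /tmp
    resources:
      limits:
        cpu: "500m"
        memory: "256Mi"
  volumes:
  - name: tmp
    emptyDir: {}
```

Apply the namespace first, then the Pod. A quick check that enforcement is really active: remove `readOnlyRootFilesystem` or set `privileged: true` and re-apply with `kubectl apply --dry-run=server -f pod.yaml`; the API server should reject the Pod with a message naming the violated restricted-profile rule. If it is accepted, the namespace label is missing or the PodSecurity admission plugin is disabled on the API server.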
Recommendations: Network separation and hardening
Lock down access to control plane nodes using a firewall and role-based access control (RBAC)
Further restrict access to the Kubernetes etcd server (etcd holds every cluster object, Secrets included, so read access to it is equivalent to cluster admin)
Configure control plane components to use authenticated, encrypted communications using Transport Layer Security (TLS) certificates
Set up network policies to isolate resources. Pods and services in different namespaces can still communicate with each other unless additional separation such as network policies is enforced, and a NetworkPolicy only takes effect if the cluster's CNI plugin implements it
Place all credentials and sensitive information in Kubernetes Secrets rather than in configuration files, and encrypt Secrets at rest with a strong encryption method (by default the API server stores them in etcd base64-encoded, not encrypted)
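The network-policy and Secrets-encryption items above, as added examples that are not part of the guide (its Appendix E and Appendix H cover the same two mechanisms with different content). The first two documents are a default-deny policy for a namespace plus the explicit allow rules one web Pod needs; the third is the EncryptionConfiguration file the API server reads. Namespace names, labels (app: web, app: db), the ingress namespace, the kube-dns label and the key placeholder are all assumptions; the DNS egress rule assumes a kubeadm-style cluster where CoreDNS Pods carry the label k8s-app: kube-dns.

```yaml
# Added example, not part of the NSA/CISA guide.
# Document 1: default deny. With policyTypes set and no rules listed,
# no ingress and no egress is allowed for any Pod in the namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: hardened-app          # placeholder
spec:
  podSelector: {}                  # matches every Pod in the namespace
  policyTypes: ["Ingress", "Egress"]
---
# Document 2: explicit allow for the web tier. Policies are additive, so
# anything not listed here stays denied by document 1.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web
  namespace: hardened-app
spec:
  podSelector:
    matchLabels:
      app: web                     # placeholder label
  policyTypes: ["Ingress", "Egress"]
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          # kubernetes.io/metadata.name is set automatically on every namespace
          kubernetes.io/metadata.name: ingress-nginx   # placeholder
    ports:
    - protocol: TCP
      port: 8080
  egress:
  # DNS. Without this rule the Pod cannot resolve anything once the
  # default-deny policy applies, which is the most common breakage.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:                 # same list element => namespace AND pod must match
        matchLabels:
          k8s-app: kube-dns        # assumption: CoreDNS label
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # The database in the same namespace, and nothing else.
  - to:
    - podSelector:
        matchLabels:
          app: db                  # placeholder label
    ports:
    - protocol: TCP
      port: 5432
---
# Document 3: Secrets encryption at rest. This is NOT a cluster object; it is a
# file on each control plane node, passed to kube-apiserver with
#   --encryption-provider-config=/etc/kubernetes/enc/enc.yaml
# and must be readable by root only. Generate the key with
#   head -c 32 /dev/urandom | base64
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
  - secrets
  providers:
  # The first provider is used for writes; every provider is tried for reads.
  - secretbox:
      keys:
      - name: key1
        secret: REPLACE_WITH_BASE64_32_BYTE_KEY   # placeholder
  # identity (plaintext) stays last so Secrets written before encryption was
  # enabled can still be read; remove it once they have all been rewritten.
  - identity: {}
```

Apply documents 1 and 2 with kubectl; do not apply document 3, which is rejected as an unknown kind. After the API server restarts with the encryption config, rewrite existing Secrets so they are stored encrypted: `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`, then confirm with `etcdctl get /registry/secrets/<namespace>/<name>` that the stored value starts with `k8s:enc:secretbox:v1:` rather than readable JSON. A key-management service (KMS provider, the guide's Appendix I) is preferable to a static key on disk when one is available.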
Recommendations: Authentication and authorization
Disable anonymous login (enabled by default: unauthenticated requests are treated as user system:anonymous in group system:unauthenticated)
Use strong user authentication
Create RBAC policies to limit administrator, user and service account activity
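An added example for the items above (not the guide's own, though it follows the shape of its Appendix J and K): the API server flag that disables anonymous access, and a least-privilege Role that can only read Pods in one namespace, bound to one group. The namespace, role, binding and group names are placeholders; the group is assumed to come from whatever identity provider the cluster authenticates against.

```yaml
# Added example, not part of the NSA/CISA guide.
# kube-apiserver flags (static Pod manifest or systemd unit), shown as comments
# because they are not YAML objects:
#   --anonymous-auth=false          # reject unauthenticated requests outright
#   --authorization-mode=Node,RBAC  # never AlwaysAllow
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader                 # placeholder
  namespace: hardened-app          # placeholder; a Role is namespace-scoped
rules:
- apiGroups: [""]                  # "" is the core API group
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
# Deliberately absent: "pods/exec", "pods/attach", "pods/portforward" and the
# write verbs. pods/exec alone is code execution inside every container the
# subject can see, and "secrets" with "get" is credential theft; neither
# belongs in a read-only role.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: hardened-app
subjects:
- kind: Group
  name: app-developers             # placeholder group from the identity provider
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role                       # a Role, not a ClusterRole: no cluster-wide grant
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

Two checks after applying: `kubectl auth can-i list pods -n hardened-app --as=alice --as-group=app-developers` should answer yes, and `kubectl auth can-i create pods/exec -n hardened-app --as=alice --as-group=app-developers` should answer no. Before turning on `--anonymous-auth=false`, confirm nothing outside the cluster relies on unauthenticated calls to /healthz, /livez or /readyz (some load balancer health checks do); once the flag is set those calls need credentials.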
Recommendations: Log auditing
Enable audit logging (disabled by default)
Persist logs to storage that survives node, Pod or container failures; a file on the control plane node alone is lost with the node
Configure a metrics logger
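An added example for the audit logging items above (not the guide's own; its Appendix L and M cover the same mechanism): an audit Policy that records Secrets and tokens at Metadata level only, drops the highest-volume low-value traffic, and logs everything else with full request and response bodies, plus the API server flags that load it. File paths are placeholders.

```yaml
# Added example, not part of the NSA/CISA guide.
# kube-apiserver flags, as comments because they are not YAML objects:
#   --audit-policy-file=/etc/kubernetes/audit/policy.yaml   # this file
#   --audit-log-path=/var/log/kubernetes/audit/audit.log
#   --audit-log-maxage=30        # days to keep rotated files
#   --audit-log-maxbackup=10     # rotated files to keep
#   --audit-log-maxsize=100      # MB before rotation
apiVersion: audit.k8s.io/v1
kind: Policy
# Every request is logged at ResponseComplete anyway, so skipping the
# RequestReceived stage halves the volume without losing events.
omitStages:
- RequestReceived
rules:
# Rules are evaluated in order; the first match wins.
# Secrets, ConfigMaps and token requests: record who/what/when, never the
# body, so credential values do not end up in the audit log.
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets", "configmaps", "serviceaccounts/token"]
- level: Metadata
  resources:
  - group: "authentication.k8s.io"
    resources: ["tokenreviews"]
# Liveness and version probes are noise.
- level: None
  nonResourceURLs:
  - "/healthz*"
  - "/livez*"
  - "/readyz*"
  - "/version"
# High-volume read-only churn from in-cluster components.
- level: None
  users: ["system:kube-proxy"]
  verbs: ["watch"]
  resources:
  - group: ""
    resources: ["endpoints", "services", "services/status"]
- level: None
  userGroups: ["system:nodes"]
  verbs: ["get"]
  resources:
  - group: ""
    resources: ["nodes", "nodes/status"]
# Interactive access to containers is how an intruder runs code; keep the
# full record of it.
- level: RequestResponse
  resources:
  - group: ""
    resources: ["pods/exec", "pods/attach", "pods/portforward"]
# Default for everything else, matching the guide's baseline: full request
# and response bodies. Expect large volume and size storage accordingly.
- level: RequestResponse
```

To satisfy the "persist logs" item, do not rely on the local file: add `--audit-webhook-config-file` (the guide's Appendix N) to stream events to a collector or SIEM, or ship the log file off the node with an agent. A quick verification is to run `kubectl get secret -n kube-system` and confirm the resulting line in audit.log has `"level":"Metadata"` and no `responseObject` field.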
Recommendations: Upgrading and application security practices
Apply security patches and updates promptly
Perform periodic vulnerability scans and penetration tests
Remove components from the environment when they are no longer needed
English table of contents:
Kubernetes Hardening Guidance
Executive summary
Introduction
Recommendations
Architectural overview
Threat model
Kubernetes Pod security
  "Non-root" containers and "rootless" container engines
  Immutable container file systems
  Building secure container images
  Pod Security Policies
  Protecting Pod service account tokens
  Hardening container engines
Network separation and hardening
  Namespaces
  Network policies
  Resource policies
  Control plane hardening
    Etcd
    Kubeconfig Files
  Worker node segmentation
  Encryption
  Secrets
  Protecting sensitive cloud infrastructure
Authentication and authorization
  Authentication
  Role-based access control
Log auditing
  Logging
    Kubernetes native audit logging configuration
    Worker node and container logging
    Seccomp: audit mode
    SYSLOG
  SIEM platforms
  Alerting
  Service meshes
  Fault tolerance
  Tools
Upgrading and application security practices
Works cited
Appendix A: Example Dockerfile for non-root application
Appendix B: Example deployment template for read-only file system
Appendix C: Example Pod Security Policy
Appendix D: Example namespace
Appendix E: Example network policy
Appendix F: Example LimitRange
Appendix G: Example ResourceQuota
Appendix H: Example encryption
Appendix I: Example KMS configuration
Appendix J: Example pod-reader RBAC Role
Appendix K: Example RBAC RoleBinding and ClusterRoleBinding
Appendix L: Audit Policy
Appendix M: Example flags with which to submit Audit Policy file to kube-apiserver
Appendix N: Webhook configuration