06 - Security and Governance
Kubernetes RBAC, PodSecurity and Multi-Tenant Isolation Explained
Learning Objectives
After completing this module you will be able to:
- Describe the Kubernetes security architecture
- Control API access with RBAC
- Enforce container security policies with PodSecurity
- Isolate tenants from each other
- Apply network security policies
- Troubleshoot security problems
1. Security Architecture
Layers of security control
| Layer | Mechanism | What it limits |
|---|---|---|
| API access | RBAC authorization | What kubectl and other API clients may do |
| Pod behaviour | PodSecurity | Container privileges, mounts and permissions |
| Network | NetworkPolicy | Traffic between Pods |
| Runtime | seccomp / AppArmor | Dangerous system calls |
| Node | NodeRestriction | The scope of the kubelet's permissions |
Security principles
- Least privilege: grant only the permissions that are actually needed
- Zero trust: deny by default, allow explicitly
- Defence in depth: several independent layers of protection
- Continuous monitoring: watch the security state in real time
2. RBAC Access Control
2.1 RBAC Core Concepts
RBAC (Role-Based Access Control) grants permissions through roles rather than directly to individual identities.
Relationship between the core objects
User/ServiceAccount → Role/ClusterRole → RoleBinding/ClusterRoleBinding → Resources
Object types
| Type | Scope | Description |
|---|---|---|
| Role | Single namespace | Defines permissions within one namespace |
| ClusterRole | Cluster-wide | Defines cluster-level permissions |
| RoleBinding | Single namespace | Binds a Role (or ClusterRole) to users/ServiceAccounts within one namespace |
| ClusterRoleBinding | Cluster-wide | Binds a ClusterRole to users/ServiceAccounts across the whole cluster |
2.2 Role Examples
Basic Role
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev
  name: pod-reader
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get", "list"]
```
Advanced Role
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: production
  name: app-manager
rules:
  # Pod management
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Service management
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # ConfigMap management
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Secret management (read/write on Secrets exposes every credential in the namespace;
  # grant it only where the application genuinely needs it)
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Deployment management
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```
2.3 ClusterRole Examples
Cluster administrator
```yaml
# cluster-admin is a built-in ClusterRole; these are its rules, shown for reference.
# Bind it to as few identities as possible rather than re-creating it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-admin
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
  - nonResourceURLs: ["*"]
    verbs: ["*"]
```
Node viewer
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-viewer
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["nodes/status"]
    verbs: ["get", "list", "watch"]
```
Storage administrator
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: storage-admin
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```
2.4 RoleBinding Examples
Binding a user
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: dev
subjects:
  - kind: User
    name: devuser
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```
Binding a ServiceAccount
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-rb
  namespace: dev
subjects:
  - kind: ServiceAccount
    name: app-sa
    namespace: dev
roleRef:
  kind: Role
  name: app-manager
  apiGroup: rbac.authorization.k8s.io
```
Binding several subjects
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-binding
  namespace: production
subjects:
  - kind: User
    name: alice
    apiGroup: rbac.authorization.k8s.io
  - kind: User
    name: bob
    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: developers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: app-manager
  apiGroup: rbac.authorization.k8s.io
```
2.5 ClusterRoleBinding Example
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-binding
subjects:
  - kind: User
    name: admin
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
```
3. ServiceAccount Management
3.1 ServiceAccount Core Concepts
A ServiceAccount is the identity a Pod presents when it calls the Kubernetes API.
Default ServiceAccount
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: default
```
Custom ServiceAccount
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  namespace: dev
  annotations:
    kubernetes.io/service-account.name: "app-sa"
```
3.2 Binding a ServiceAccount to a Pod
Using a ServiceAccount in a Pod
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: demo-pod
  namespace: dev
spec:
  serviceAccountName: app-sa
  containers:
    - name: busybox
      image: busybox
      command: ["sleep", "3600"]
```
Disabling ServiceAccount token automount
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: no-token-pod
spec:
  # A Pod that never calls the API should not carry an API credential at all
  automountServiceAccountToken: false
  containers:
    - name: app
      image: nginx
```
3.3 ServiceAccount Permissions
Granting permissions to a ServiceAccount
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-sa-binding
  namespace: dev
subjects:
  - kind: ServiceAccount
    name: app-sa
    namespace: dev
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```
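To make the binding chain from sections 2 and 3 concrete, here is an added example (not code from the original module) that answers the same question as `kubectl auth can-i` offline: a small Python RBAC evaluator run over constructed copies of pod-reader, cluster-admin, the dev RoleBindings and admin-binding. ClusterRole aggregation and resourceNames are assumed out of scope.

```python
# Offline evaluator for the RBAC objects in sections 2 and 3 (added example, not
# kube-apiserver code). Manifests are dicts mirroring the page's YAML; ClusterRole
# aggregation and resourceNames are not handled.
def _match(patterns, value):
    return "*" in patterns or value in patterns  # "*" is the RBAC wildcard

def rule_allows(rule, verb, api_group, resource):
    return (_match(rule.get("apiGroups", []), api_group)
            and _match(rule.get("resources", []), resource)
            and _match(rule.get("verbs", []), verb))

def subject_matches(subject, user, groups, sa):
    kind = subject["kind"]  # sa is (namespace, name) for a ServiceAccount caller, else None
    if kind == "User":
        return subject["name"] == user
    if kind == "Group":
        return subject["name"] in groups
    return kind == "ServiceAccount" and sa == (subject["namespace"], subject["name"])

def can_i(roles, bindings, verb, resource, namespace, user=None, groups=(), sa=None, api_group=""):
    """Offline `kubectl auth can-i <verb> <resource> -n <namespace> --as <user>`."""
    for b in bindings:
        b_ns = b["metadata"].get("namespace")
        # A RoleBinding grants only inside its own namespace; a ClusterRoleBinding everywhere
        if b["kind"] == "RoleBinding" and b_ns != namespace:
            continue
        if not any(subject_matches(s, user, groups, sa) for s in b["subjects"]):
            continue
        ref = b["roleRef"]  # a RoleBinding may reference a ClusterRole but stays namespace-scoped
        key = (ref["kind"], b_ns if ref["kind"] == "Role" else None, ref["name"])
        if any(rule_allows(r, verb, api_group, resource) for r in roles.get(key, [])):
            return True
    return False

# Constructed copies of pod-reader, cluster-admin, read-pods + app-sa-binding and admin-binding
ROLES = {
    ("Role", "dev", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get", "list"]}],
    ("ClusterRole", None, "cluster-admin"): [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"namespace": "dev"},
     "subjects": [{"kind": "User", "name": "devuser"},
                  {"kind": "ServiceAccount", "name": "app-sa", "namespace": "dev"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    {"kind": "ClusterRoleBinding", "metadata": {},
     "subjects": [{"kind": "User", "name": "admin"}],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
]
```

Running `can_i(ROLES, BINDINGS, "get", "pods", "production", user="devuser")` returns False because the RoleBinding lives in dev, which is exactly the namespace-scoping the table in 2.1 describes.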
4. PodSecurity for Containers
4.1 PodSecurity Core Concepts
PodSecurity (Pod Security Admission) replaces the deprecated PodSecurityPolicy and enforces container security policies per namespace.
Security levels
| Level | Description | Restrictiveness |
|---|---|---|
| Privileged | Fully trusted, no restrictions | None |
| Baseline | Blocks known dangerous behaviour | Medium |
| Restricted | Strict sandboxing | High |
4.2 Configuring PodSecurity
Enabling a security level for a namespace
```bash
# Enable restricted mode
kubectl label namespace dev pod-security.kubernetes.io/enforce=restricted
kubectl label namespace dev pod-security.kubernetes.io/audit=baseline
kubectl label namespace dev pod-security.kubernetes.io/warn=baseline
```
Verifying the policy
```bash
# Try to create a privileged Pod (it should be rejected)
kubectl run privpod --image=busybox --privileged
# Error: violates PodSecurity "restricted:latest"
```
4.3 Secure Pod Example
A Pod that satisfies the restricted profile
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 2000
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: nginx
      command: ["sleep", "3600"]
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 1000
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        # writable scratch space, because the root filesystem is read-only
        - name: tmp
          mountPath: /tmp
        - name: var-run
          mountPath: /var/run
  volumes:
    - name: tmp
      emptyDir: {}
    - name: var-run
      emptyDir: {}
```
4.4 Security Context Settings
Pod-level securityContext
```yaml
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 2000
    seccompProfile:
      type: RuntimeDefault
    sysctls:
      # net.core.somaxconn is not on the kubelet's safe-sysctl list: the baseline and
      # restricted profiles reject it, and the kubelet must allow it via --allowed-unsafe-sysctls
      - name: net.core.somaxconn
        value: "1024"
```
Container-level securityContext
```yaml
spec:
  containers:
    - name: app
      image: nginx
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 1000
        capabilities:
          add: ["NET_BIND_SERVICE"]  # the only capability the restricted profile allows adding back
          drop: ["ALL"]
        seccompProfile:
          type: RuntimeDefault
```
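An added example, not part of the original module: a Python checker that applies the core restricted-profile rules to Pod manifests before they reach the cluster, run over constructed copies of secure-pod from 4.3 and the privileged Pod rejected in 4.2. The rule set is assumed to be a subset of the upstream profile, not a replacement for Pod Security Admission.

```python
# Offline check of a Pod manifest against the core "restricted" rules that this module's
# secure-pod satisfies (added example, not Kubernetes' Pod Security Admission code).
# Manifests are dicts mirroring the page's YAML; only a subset of the upstream checks is here.
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}  # the only capability restricted lets you add back
def _effective(pod_sc, ctr_sc, field):
    return ctr_sc.get(field, pod_sc.get(field))  # container-level setting overrides Pod-level

def restricted_violations(pod):
    """Return human-readable violations; an empty list means the Pod would be admitted."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    found = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            found.append(f"{key} must not be true")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            found.append(f"volume {vol['name']!r} uses hostPath")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc, name = c.get("securityContext", {}), c["name"]
        if sc.get("privileged"):
            found.append(f"container {name!r} is privileged")
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"container {name!r} must set allowPrivilegeEscalation=false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            found.append(f"container {name!r} must drop ALL capabilities")
        extra = set(caps.get("add", [])) - ALLOWED_ADDED_CAPS
        if extra:
            found.append(f"container {name!r} adds disallowed capabilities {sorted(extra)}")
        if _effective(pod_sc, sc, "runAsNonRoot") is not True:
            found.append(f"container {name!r} must set runAsNonRoot=true")
        if _effective(pod_sc, sc, "runAsUser") == 0:
            found.append(f"container {name!r} must not run as UID 0")
        seccomp = (_effective(pod_sc, sc, "seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            found.append(f"container {name!r} must use seccompProfile RuntimeDefault or Localhost")
    return found

# Constructed copies of the page's secure-pod (4.3) and the rejected privileged Pod (4.2)
SECURE_POD = {"spec": {
    "securityContext": {"runAsUser": 1000, "runAsGroup": 1000, "fsGroup": 2000,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "nginx", "securityContext": {
        "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
        "runAsNonRoot": True, "runAsUser": 1000, "capabilities": {"drop": ["ALL"]}}}],
    "volumes": [{"name": "tmp", "emptyDir": {}}]}}
PRIV_POD = {"spec": {"containers": [
    {"name": "privpod", "image": "busybox", "securityContext": {"privileged": True}}]}}
```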
5. Multi-Tenant Isolation
5.1 Namespace Isolation
Creating tenant namespaces
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: tenant-a
  labels:
    tenant: a
    pod-security.kubernetes.io/enforce: restricted
---
apiVersion: v1
kind: Namespace
metadata:
  name: tenant-b
  labels:
    tenant: b
    pod-security.kubernetes.io/enforce: restricted
```
Setting a resource quota per tenant
```yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: tenant-a-quota
  namespace: tenant-a
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
    pods: "20"
    persistentvolumeclaims: "10"
    services: "5"
    secrets: "10"
    configmaps: "10"
```
5.2 Network Isolation
Isolating traffic between tenants
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tenant-a-isolation
  namespace: tenant-a
spec:
  podSelector: {}            # applies to every Pod in tenant-a
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              tenant: a      # only namespaces labelled tenant=a may connect in
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              tenant: a
    - to: []                 # DNS is allowed to any destination
      ports:
        - protocol: TCP
          port: 53
        - protocol: UDP
          port: 53
```
5.3 Storage Isolation
A per-tenant StorageClass
```yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: tenant-a-storage
  annotations:
    storageclass.kubernetes.io/is-default-class: "false"
provisioner: example.com/nfs
parameters:
  server: nfs-server.example.com
  path: /tenant-a
reclaimPolicy: Delete
allowVolumeExpansion: true
```
6. Network Security Policies
6.1 NetworkPolicy Configuration
Default-deny policy
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
```
Allowing specific traffic
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        # two separate peers: any Pod in a namespace labelled name=frontend,
        # OR a Pod labelled app=api in this namespace
        - namespaceSelector:
            matchLabels:
              name: frontend
        - podSelector:
            matchLabels:
              app: api
      ports:
        - protocol: TCP
          port: 80
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              name: database
      ports:
        - protocol: TCP
          port: 3306
    - to: []
      ports:
        - protocol: TCP
          port: 53
        - protocol: UDP
          port: 53
```
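Added example (not code from the original module) covering the policies in 5.2 and 6.1 together: a Python evaluator that decides whether ingress traffic reaches a Pod, run over constructed copies of default-deny, allow-web and tenant-a-isolation. ipBlock peers and the egress side of the policies are assumed out of scope.

```python
# Offline ingress evaluator for the NetworkPolicy objects in 5.2 and 6.1 (added
# example, not CNI code). Semantics implemented: a pod selected by any Ingress policy in
# its namespace drops traffic unless some rule allows it; selectors inside one `from`
# entry are ANDed, separate entries are ORed; a missing `ports` or `from` means "any".
def _selects(selector, labels):  # an empty selector {} matches everything
    return all(labels.get(k) == v for k, v in (selector or {}).get("matchLabels", {}).items())

def _peer_matches(peer, policy_ns, src):
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and (pod_sel is None or src["namespace"] != policy_ns):
        return False  # ipBlock-only peers are skipped; podSelector alone = policy's own namespace
    if ns_sel is not None and not _selects(ns_sel, src["ns_labels"]):
        return False
    return pod_sel is None or _selects(pod_sel, src["pod_labels"])

def _rule_allows(rule, policy_ns, src, port, proto):
    peers, ports = rule.get("from", []), rule.get("ports", [])
    peer_ok = not peers or any(_peer_matches(p, policy_ns, src) for p in peers)
    port_ok = not ports or any(p.get("protocol", "TCP") == proto and p.get("port") == port for p in ports)
    return peer_ok and port_ok

def ingress_allowed(policies, dst, src, port, proto="TCP"):
    """dst and src come from ep(); True means the connection reaches dst."""
    isolated = False
    for pol in policies:
        ns, spec = pol["metadata"]["namespace"], pol["spec"]
        if ns != dst["namespace"] or "Ingress" not in spec.get("policyTypes", ["Ingress"]):
            continue
        if not _selects(spec.get("podSelector"), dst["pod_labels"]):
            continue
        isolated = True  # selected by at least one policy, so default deny applies
        if any(_rule_allows(r, ns, src, port, proto) for r in spec.get("ingress", [])):
            return True
    return not isolated

def ep(namespace, ns_labels=None, pod_labels=None):
    return {"namespace": namespace, "ns_labels": ns_labels or {}, "pod_labels": pod_labels or {}}

# Constructed copies of default-deny, allow-web (ingress part) and tenant-a-isolation
POLICIES = [
    {"metadata": {"namespace": "production"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"metadata": {"namespace": "production"}, "spec": {
        "podSelector": {"matchLabels": {"app": "web"}}, "policyTypes": ["Ingress", "Egress"],
        "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"name": "frontend"}}},
                              {"podSelector": {"matchLabels": {"app": "api"}}}],
                     "ports": [{"protocol": "TCP", "port": 80}]}]}},
    {"metadata": {"namespace": "tenant-a"}, "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"],
        "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"tenant": "a"}}}]}]}},
]
```

A Pod in a namespace with no policy at all (for example `ep("dev")`) is reported as reachable, which is the non-isolated default the Q4 answer below simplifies as "deny by default".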
6.2 Service Mesh Security
Istio AuthorizationPolicy
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: web-authz
  namespace: production
spec:
  selector:
    matchLabels:
      app: web
  rules:
    - from:
        - source:
            # workload identity of the caller, taken from its mTLS certificate
            principals: ["cluster.local/ns/frontend/sa/frontend-sa"]
      to:
        - operation:
            methods: ["GET", "POST"]
            paths: ["/api/*"]
```
7. Command Cheat Sheet
RBAC commands
```bash
# List roles and bindings
kubectl get roles,clusterroles,rolebindings,clusterrolebindings
# Check a user's permissions
kubectl auth can-i get pods --as devuser -n dev
kubectl auth can-i create deployments --as devuser -n dev
# Inspect ServiceAccounts
kubectl get serviceaccounts
kubectl describe serviceaccount app-sa
# Create a ServiceAccount
kubectl create serviceaccount app-sa
```
Security commands
```bash
# Show a Pod's security context
kubectl get pod <pod-name> -o yaml | grep -A 20 securityContext
# Show the security level of each namespace
kubectl get ns --show-labels | grep pod-security
# Inspect network policies
kubectl get networkpolicy
kubectl describe networkpolicy <name>
# Test network connectivity
kubectl exec <pod> -- curl <service-name>
```
Multi-tenancy commands
```bash
# List namespaces
kubectl get namespaces --show-labels
# Inspect resource quotas
kubectl get resourcequota
kubectl describe resourcequota <name>
# Inspect limit ranges
kubectl get limitrange
kubectl describe limitrange <name>
```
8. Core Interview Questions
Q1: How does RBAC work?
Key points:
- Access control is based on roles
- User/SA → role → permissions → resources
- Works at both namespace and cluster scope
- Follows the principle of least privilege
Q2: What does PodSecurity do?
Key points:
- Replaces the deprecated PSP
- Enforces container security policies
- Three levels: Privileged, Baseline, Restricted
- Restricts privileged container behaviour
Q3: How do you implement multi-tenant isolation?
Key points:
- Namespace isolation
- Network policy isolation
- Resource quotas
- Storage isolation
Q4: How does NetworkPolicy work?
Key points:
- A Pod selected by a policy denies all traffic by default
- Specific traffic is allowed explicitly
- Supports Pod, Namespace and IP block selectors
- Requires a CNI plugin that implements it
Q5: How do you keep containers secure?
Key points:
- Run as a non-root user
- Use a read-only root filesystem
- Disable privilege escalation
- Use seccomp and AppArmor
9. Troubleshooting
Common security problems
1. Insufficient permissions
```bash
# Check the user's permissions
kubectl auth can-i get pods --as <user> -n <namespace>
# Inspect role bindings
kubectl get rolebindings,clusterrolebindings
# Inspect the ServiceAccount
kubectl describe serviceaccount <sa-name>
```
2. Pod creation rejected
```bash
# Check the Pod's status
kubectl describe pod <pod-name>
# Check the namespace's security level
kubectl get ns --show-labels | grep pod-security
# Review events
kubectl get events --sort-by=.lastTimestamp
```
3. Network connectivity problems
```bash
# Check network policies
kubectl get networkpolicy
kubectl describe networkpolicy <name>
# Test connectivity
kubectl exec <pod> -- ping <target-ip>
kubectl exec <pod> -- curl <service-name>
# Check the CNI plugin (Calico shown here)
kubectl get pods -n kube-system | grep calico
```
4. Resource quota problems
```bash
# Check resource quotas
kubectl get resourcequota
kubectl describe resourcequota <name>
# Check resource usage
kubectl top pods
kubectl top nodes
# Inspect limit ranges
kubectl get limitrange
kubectl describe limitrange <name>
```
10. Best Practices
Security design recommendations
Permission management
- Follow the principle of least privilege
- Review permissions regularly
- Use ServiceAccounts for workloads rather than user accounts
Container security
- Run as a non-root user
- Use a read-only root filesystem
- Disable privilege escalation
Network security
- Adopt a zero-trust network model
- Isolate workloads with network policies
- Monitor network traffic
Multi-tenant design
- Namespace isolation
- Resource quotas
- Network policy isolation
Production recommendations
Security baseline
- Enable PodSecurity
- Configure network policies
- Set resource quotas
Monitoring and alerting
- Monitor permission changes
- Monitor security events
- Define alerting rules
Regular audits
- Review permission configuration
- Check security policies
- Apply security patches
11. Summary
After completing this module you have learned:
- The Kubernetes security architecture
- RBAC access control
- PodSecurity container security policies
- Multi-tenant isolation
- Network security policies
- Security troubleshooting
- Security best practices
Next step: continue with 07 - Observability and SRE to learn about Kubernetes monitoring, logging and the observability stack.