【架构实战】容器安全最佳实践

一、容器安全概述

容器安全是云原生安全的基础：

安全层次：

• 镜像安全
• 运行时安全
• 网络安全
• 供应链安全

二、镜像安全

1. 镜像扫描

# Trivy扫描trivy image myapp:latest# Clair扫描clairctl analyze-lmyapp:latest# Docker扫描dockerscan myapp:latest

2. 最小化基础镜像

# ❌ 不推荐 FROM ubuntu:20.04 RUN apt-get update && apt-get install -y python3 # ✅ 推荐 FROM python:3.11-slim # ✅ 最佳 FROM gcr.io/distroless/python:3.11

3. 安全构建

# 使用非root用户 FROM node:18-alpine RUN addgroup -g 1001 appgroup && \ adduser -u 1001 -G appgroup -s /bin/sh -D appuser USER appuser # 多阶段构建 FROM node:18 AS builder WORKDIR /app COPY package*.json ./ RUN npm ci COPY . . RUN npm run build FROM node:18-alpine WORKDIR /app COPY --from=builder /app/dist ./dist COPY --from=builder /app/node_modules ./node_modules USER node

三、运行时安全

1. Pod安全策略

apiVersion:policy/v1beta1kind:PodSecurityPolicymetadata:name:restrictedspec:privileged:falseallowPrivilegeEscalation:falserequiredDropCapabilities:-ALLvolumes:-'configMap'-'emptyDir'-'projected'-'secret'-'downwardAPI'-'persistentVolumeClaim'runAsUser:rule:'MustRunAsNonRoot'seLinux:rule:'RunAsAny'fsGroup:rule:'RunAsAny'

2. 安全上下文

apiVersion:v1kind:Podmetadata:name:secure-podspec:securityContext:runAsNonRoot:truerunAsUser:10000runAsGroup:10000fsGroup:10000containers:-name:appimage:myapp:latestsecurityContext:allowPrivilegeEscalation:falsereadOnlyRootFilesystem:truecapabilities:drop:-ALL

四、网络安全

1. 网络策略

apiVersion:networking.k8s.io/v1kind:NetworkPolicymetadata:name:default-denyspec:podSelector:{}policyTypes:-Ingress-Egress---apiVersion:networking.k8s.io/v1kind:NetworkPolicymetadata:name:allow-frontendspec:podSelector:matchLabels:app:frontendpolicyTypes:-Ingressingress:-from:-podSelector:matchLabels:app:nginx-ingressports:-protocol:TCPport:80

2. 服务网格安全

apiVersion:security.istio.io/v1beta1kind:PeerAuthenticationmetadata:name:defaultspec:mtls:mode:STRICT

五、密钥管理

1. Secret管理

apiVersion:v1kind:Secretmetadata:name:db-credentialstype:OpaquestringData:username:adminpassword:${DB_PASSWORD}

2. 外部密钥管理

# 使用SealedSecretapiVersion:bitnami.com/v1alpha1kind:SealedSecretmetadata:name:db-credentialsspec:encryptedData:username:AgBy...==password:AgBy...==

六、供应链安全

1. 签名验证

# Cosign签名cosign sign myapp:latest# 验证镜像cosign verify myapp:latest

2. 准入控制

apiVersion:admissionregistration.k8s.io/v1kind:ValidatingWebhookConfigurationmetadata:name:image-validatorwebhooks:-name:validate-images.example.comrules:-apiGroups:[""]apiVersions:["v1"]operations:["CREATE","UPDATE"]resources:["pods"]clientConfig:service:name:image-validatornamespace:defaultcaBundle:LS0t...admissionReviewVersions:["v1"]sideEffects:NonefailurePolicy:Reject

七、监控与审计

1. 审计日志

# kube-apiserver配置--audit-policy-file=/etc/kubernetes/audit-policy.yaml--audit-log-path=/var/log/kubernetes/audit.log

# audit-policy.yamlapiVersion:audit.k8s.io/v1kind:Policyrules:-level:RequestResponseresources:-group:""resources:["pods","secrets"]-level:Metadataresources:-group:"apps"resources:["deployments"]

2. 运行时监控

apiVersion:security.datadoghq.com/v1kind:RuntimeSecurityPolicymetadata:name:runtime-policyspec:meta:runtimeType:syscallrules:-name:spawn_shellcondition:evt.type == "exec" evt.argv[0]== "/bin/sh"action:type:block

八、总结

容器安全最佳实践：

• 镜像：最小化、定期扫描
• 运行时：安全上下文、PSP
• 网络：NetworkPolicy
• 供应链：签名、准入

个人观点，仅供参考