# Pod Security

## Overview

Pod security is a core part of the Kubernetes security model. Pod Security Policies (PSP, deprecated) and Pod Security Standards (PSS) control the security configuration of Pods, limiting what a Pod may do and which resources it may access, and so raise the security of the whole cluster.

## Core Concepts

### 1. Pod Security Standards (PSS)

The Pod Security Standards define three security levels:

- Privileged: an unrestricted policy that grants the widest permissions
- Baseline: a minimally restrictive policy that blocks known privilege escalations
- Restricted: a heavily restricted policy that follows current hardening best practices

### 2. Pod Security Admission controller

A built-in admission controller, introduced in Kubernetes 1.23, that enforces the Pod Security Standards. It supports three modes:

- enforce: a Pod that violates the policy is rejected
- audit: a violation is recorded as an audit event, but the Pod is admitted
- warn: a warning is returned to the user, but the Pod is admitted

### 3. SecurityContext

Defines the security settings of a Pod or container, including:

- the user and group to run as
- privileged mode
- Linux capabilities
- a read-only root filesystem
- SELinux options

### 4. Pod Security Policies (PSP, deprecated)

Removed in Kubernetes 1.25; use the Pod Security Standards instead.
## The Pod Security Standards in Detail

### Privileged

Allows every configuration. Suitable for:

- system Pods (kube-system)
- network plugins
- storage plugins

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: privileged-ns
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/enforce-version: latest
```

### Baseline

Blocks known privilege escalations. Suitable for:

- most application Pods
- workloads that need basic, but not strict, security

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: baseline-ns
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
```

### Restricted

Heavily restricted and aligned with hardening best practices. Suitable for:

- security-sensitive applications
- production environments
- workloads that require the highest security level

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: restricted-ns
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
```

## YAML Configuration Examples
### Example 1: a Pod that meets the Restricted standard

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: restricted-pod
  namespace: restricted-ns
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    # Note: the stock nginx image writes to /var/cache/nginx and /var/run, so with a
    # read-only root filesystem those paths need emptyDir mounts (see the Deployment
    # in Scenario 1) or an image built to run unprivileged.
    image: nginx:latest
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
    volumeMounts:
    - name: tmp
      mountPath: /tmp
  volumes:
  - name: tmp
    emptyDir: {}
```

### Example 2: a Pod that meets the Baseline standard

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: baseline-pod
  namespace: baseline-ns
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
  containers:
  - name: app
    image: nginx:latest
    securityContext:
      allowPrivilegeEscalation: false
```

### Example 3: a privileged Pod (system components only)

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod
  namespace: kube-system
spec:
  securityContext:
    runAsUser: 0
  containers:
  - name: app
    image: nginx:latest
    securityContext:
      privileged: true
```

### Example 4: a fully hardened Deployment

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: secure-app
  namespace: production
spec:
  replicas: 3
  selector:
    matchLabels:
      app: secure-app
  template:
    metadata:
      labels:
        app: secure-app
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 3000
        fsGroup: 2000
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: app
        image: myapp:latest
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
            - ALL
        volumeMounts:
        - name: cache
          mountPath: /var/cache
        - name: tmp
          mountPath: /tmp
        resources:
          limits:
            cpu: "500m"
            memory: "512Mi"
          requests:
            cpu: "250m"
            memory: "256Mi"
      volumes:
      - name: cache
        emptyDir: {}
      - name: tmp
        emptyDir: {}
```

### Example 5: namespace-level Pod Security configuration

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest
```

### Example 6: security configuration for a multi-container Pod

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: multi-container-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 2000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: myapp:latest
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
    volumeMounts:
    - name: shared-data
      mountPath: /data
  - name: sidecar
    image: log-collector:latest
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
    volumeMounts:
    - name: shared-data
      mountPath: /logs
      readOnly: true
  volumes:
  - name: shared-data
    emptyDir: {}
```

## kubectl Commands
### Viewing Pod security configuration

```bash
# Show a Pod's security context
kubectl get pod <pod-name> -o yaml | grep -A 20 "securityContext"

# Show a namespace's Pod Security labels
kubectl get namespace <namespace> --show-labels

# List the enforce level of every namespace that has one
kubectl get namespaces -o json | \
  jq -r '.items[] | select(.metadata.labels["pod-security.kubernetes.io/enforce"] != null) | "\(.metadata.name): \(.metadata.labels["pod-security.kubernetes.io/enforce"])"'

# Check whether a Pod manifest would be admitted (nothing is created)
kubectl apply -f pod.yaml --dry-run=server
```

### Setting a namespace's Pod Security level

```bash
# Set a namespace to the restricted level
kubectl label namespace production \
  pod-security.kubernetes.io/enforce=restricted \
  pod-security.kubernetes.io/enforce-version=latest

# Set a namespace to the baseline level
kubectl label namespace development \
  pod-security.kubernetes.io/enforce=baseline \
  pod-security.kubernetes.io/enforce-version=latest

# Set a namespace to the privileged level
kubectl label namespace kube-system \
  pod-security.kubernetes.io/enforce=privileged \
  pod-security.kubernetes.io/enforce-version=latest

# Set several modes at once (--overwrite is required because the
# enforce label set above already exists on the namespace)
kubectl label namespace production \
  pod-security.kubernetes.io/enforce=restricted \
  pod-security.kubernetes.io/audit=restricted \
  pod-security.kubernetes.io/warn=restricted \
  --overwrite
```

### Verifying Pod security configuration

```bash
# Test whether a Pod manifest meets the namespace's standard (nothing is created)
kubectl apply -f pod.yaml --dry-run=server -n production

# Apply the Pod and surface any warn-mode warnings (this does create the Pod)
kubectl apply -f pod.yaml -n production

# Show the user the Pod runs as
kubectl get pod <pod-name> -o jsonpath='{.spec.securityContext.runAsUser}'

# Check whether the Pod requires a non-root user
kubectl get pod <pod-name> -o jsonpath='{.spec.securityContext.runAsNonRoot}'

# Check whether any container is privileged
kubectl get pod <pod-name> -o jsonpath='{.spec.containers[*].securityContext.privileged}'
```

### Debugging Pod security problems

```bash
# Show Pod events
kubectl describe pod <pod-name> -n <namespace>

# Find out why a Pod failed to be created
kubectl get events -n <namespace> --sort-by='.lastTimestamp'

# Inspect Pod Security Admission messages in the API server log
kubectl logs -n kube-system <kube-apiserver-pod> | grep "PodSecurity"

# Test a generated Pod manifest against the namespace policy: generate it
# client-side, then validate it server-side without creating anything
kubectl run test-pod --image=nginx --dry-run=client -o yaml | \
  kubectl apply --dry-run=server -f - -n production
```

## Real-World Scenarios
### Scenario 1: strict security configuration for production

Requirement: the production environment needs the highest security level; every Pod must meet the restricted standard.

Solution:

```yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-app
  namespace: production
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web-app
  template:
    metadata:
      labels:
        app: web-app
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 3000
        fsGroup: 2000
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: web
        image: nginx:1.21
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
            - ALL
        volumeMounts:
        - name: cache
          mountPath: /var/cache/nginx
        - name: run
          mountPath: /var/run
        resources:
          limits:
            cpu: "500m"
            memory: "512Mi"
          requests:
            cpu: "250m"
            memory: "256Mi"
      volumes:
      - name: cache
        emptyDir: {}
      - name: run
        emptyDir: {}
```

Verification:

```bash
# Apply the manifests
kubectl apply -f production-secure.yaml

# Verify the Pods' security context
kubectl get pod -n production -o yaml | grep -A 10 "securityContext"

# A Pod that does not meet the standard must be rejected
kubectl run test --image=nginx -n production
# Expected: a warning, or a "violates PodSecurity" rejection
```

### Scenario 2: relaxed security configuration for development

Requirement: the development environment needs some flexibility, but known privilege escalations must be blocked.

Solution:

```yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: development
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dev-app
  namespace: development
spec:
  replicas: 1
  selector:
    matchLabels:
      app: dev-app
  template:
    metadata:
      labels:
        app: dev-app
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
      containers:
      - name: app
        image: myapp:dev
        securityContext:
          allowPrivilegeEscalation: false
```

### Scenario 3: privileged configuration for system components

Requirement: system components (such as network and storage plugins) need privileged access.

Solution:

```yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: kube-system
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/enforce-version: latest
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: network-plugin
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: network-plugin
  template:
    metadata:
      labels:
        app: network-plugin
    spec:
      hostNetwork: true
      hostPID: true
      securityContext:
        runAsUser: 0
      containers:
      - name: plugin
        image: network-plugin:latest
        securityContext:
          privileged: true
        volumeMounts:
        - name: cni
          mountPath: /etc/cni/net.d
        - name: modules
          mountPath: /lib/modules
      volumes:
      - name: cni
        hostPath:
          path: /etc/cni/net.d
      - name: modules
        hostPath:
          path: /lib/modules
```

### Scenario 4: security isolation in a multi-tenant environment

Requirement: in a multi-tenant cluster, each tenant uses a different security level.

Solution:

```yaml
---
# Tenant A: high security level
apiVersion: v1
kind: Namespace
metadata:
  name: tenant-a
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    tenant: tenant-a
---
# Tenant B: baseline security level
apiVersion: v1
kind: Namespace
metadata:
  name: tenant-b
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    tenant: tenant-b
---
# Tenant A's application
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tenant-a-app
  namespace: tenant-a
spec:
  replicas: 2
  selector:
    matchLabels:
      app: tenant-a-app
  template:
    metadata:
      labels:
        app: tenant-a-app
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        fsGroup: 2000
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: app
        image: myapp:latest
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
            - ALL
```

### Scenario 5: security configuration for a CI/CD environment

Requirement: the CI/CD environment has to build images, so it needs some privilege, but that privilege must be controlled.

Solution:

```yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: ci-cd
  labels:
    # hostPath volumes are forbidden by the Baseline profile, so a Pod that mounts
    # the Docker socket is only admitted when enforce is privileged; audit and warn
    # stay strict so every such Pod is still reported.
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/audit: baseline
    pod-security.kubernetes.io/warn: restricted
---
apiVersion: v1
kind: Pod
metadata:
  name: builder
  namespace: ci-cd
spec:
  securityContext:
    runAsUser: 1000
    runAsNonRoot: true
  containers:
  - name: builder
    image: docker:latest
    securityContext:
      allowPrivilegeEscalation: false
    volumeMounts:
    # Access to the Docker socket is equivalent to root on the node; limit who
    # can create Pods in this namespace accordingly.
    - name: docker-socket
      mountPath: /var/run/docker.sock
  volumes:
  - name: docker-socket
    hostPath:
      path: /var/run/docker.sock
      type: Socket
```

### Scenario 6: monitoring and log collection

Requirement: monitoring and log collection need access to node resources, but with the least privilege possible.

Solution:

```yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: monitoring
  labels:
    # The DaemonSet below mounts hostPath volumes, which Baseline forbids, so
    # enforce must be privileged here; audit/warn at baseline keep violations visible.
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/audit: baseline
    pod-security.kubernetes.io/warn: baseline
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: log-collector
  namespace: monitoring
spec:
  selector:
    matchLabels:
      app: log-collector
  template:
    metadata:
      labels:
        app: log-collector
    spec:
      serviceAccountName: log-collector
      securityContext:
        runAsUser: 1000
        runAsNonRoot: true
      containers:
      - name: collector
        image: fluentd:latest
        securityContext:
          allowPrivilegeEscalation: false
        volumeMounts:
        - name: varlog
          mountPath: /var/log
          readOnly: true
        - name: dockerlogs
          mountPath: /var/lib/docker/containers
          readOnly: true
      volumes:
      - name: varlog
        hostPath:
          path: /var/log
      - name: dockerlogs
        hostPath:
          path: /var/lib/docker/containers
```

## Troubleshooting Guide
### Problem 1: Pod creation fails because the security policy is violated

Symptom:

```
Error from server (Forbidden): error when creating "pod.yaml": pods "my-pod" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "app" must set securityContext.allowPrivilegeEscalation=false)
```

Troubleshooting steps:

```bash
# 1. Check the namespace's security labels
kubectl get namespace <namespace> --show-labels

# 2. Inspect the Pod's security configuration
kubectl get pod <pod-name> -o yaml | grep -A 20 "securityContext"

# 3. Test the manifest against the namespace policy
kubectl apply -f pod.yaml --dry-run=server -n <namespace>

# 4. Read the detailed error message
kubectl describe pod <pod-name> -n <namespace>
```

Solution:

```yaml
# Add the required security settings
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: nginx
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
```

### Problem 2: the Pod cannot write to its filesystem

Symptom: the application cannot write files and reports a read-only filesystem.

Troubleshooting steps:

```bash
# 1. Check the Pod's security configuration
kubectl get pod <pod-name> -o jsonpath='{.spec.containers[*].securityContext.readOnlyRootFilesystem}'

# 2. Inspect the mounts from inside the Pod
kubectl exec -it <pod-name> -- mount | grep "ro,"

# 3. Read the application log
kubectl logs <pod-name>
```

Solution:

```yaml
# Add writable volumes for the paths the application needs
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
  - name: app
    image: nginx
    securityContext:
      readOnlyRootFilesystem: true
    volumeMounts:
    - name: cache
      mountPath: /var/cache
    - name: tmp
      mountPath: /tmp
  volumes:
  - name: cache
    emptyDir: {}
  - name: tmp
    emptyDir: {}
```

### Problem 3: the Pod cannot run as root

Symptom:

```
Error: container has runAsNonRoot and image will run as root
```

Troubleshooting steps:

```bash
# 1. Check the Pod's runAsNonRoot setting
kubectl get pod <pod-name> -o jsonpath='{.spec.securityContext.runAsNonRoot}'

# 2. Check the image's default user
docker inspect <image> | grep User

# 3. Show Pod events
kubectl describe pod <pod-name>
```

Solution:

```yaml
# Option 1: specify a non-root user
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
  containers:
  - name: app
    image: nginx
# Option 2: use an image that supports running as non-root
# (set a USER instruction in the Dockerfile)
```

### Problem 4: the application needs a specific capability

Symptom: the application cannot perform an operation that requires a privilege.

Troubleshooting steps:

```bash
# 1. Check the Pod's capability configuration
kubectl get pod <pod-name> -o jsonpath='{.spec.containers[*].securityContext.capabilities}'

# 2. Look for permission errors in the application log
kubectl logs <pod-name>

# 3. Trace the failing system calls (run on the node, or inside the
#    container only if it holds CAP_SYS_PTRACE)
strace -p <pid>
```

Solution:

```yaml
# Add only the capability that is actually needed
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
  - name: app
    image: myapp
    securityContext:
      capabilities:
        add:
        - NET_BIND_SERVICE
        drop:
        - ALL
```

### Problem 5: incompatible Pod Security Standards version

Symptom:

```
Error: pod-security.kubernetes.io/enforce-version: Invalid value: "v1.22"
```

Troubleshooting steps:

```bash
# 1. Check the Kubernetes version
kubectl version

# 2. Check the namespace labels
kubectl get namespace <namespace> -o yaml | grep pod-security

# 3. Valid values are "latest" or a Kubernetes minor version such as v1.25
#    (kubectl explain cannot list them; see the Pod Security Admission docs)
```

Solution:

```bash
# Use latest, or a version the cluster supports
kubectl label namespace <namespace> \
  pod-security.kubernetes.io/enforce-version=latest \
  --overwrite
```

### Problem 6: seccomp configuration problems

Symptom: the application does not run correctly because of its seccomp configuration.

Troubleshooting steps:

```bash
# 1. Check the seccomp configuration
kubectl get pod <pod-name> -o jsonpath='{.spec.securityContext.seccompProfile}'

# 2. Check the kernel log on the node
dmesg | grep seccomp

# 3. Check the runtime configuration on the node
crictl inspect <container-id> | grep seccomp
```

Solution:

```yaml
# Use RuntimeDefault or Unconfined
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault # or Unconfined (rejected by the Baseline and Restricted profiles)
  containers:
  - name: app
    image: myapp
```

## Best-Practice Recommendations
### 1. Apply the principle of least privilege

```yaml
# Not recommended: far too permissive
apiVersion: v1
kind: Pod
metadata:
  name: insecure-pod
spec:
  containers:
  - name: app
    image: nginx
    securityContext:
      privileged: true
---
# Recommended: least-privilege configuration
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: nginx
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
```

### 2. Use a different security level per environment

```yaml
# Production: restricted
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
---
# Development: baseline
apiVersion: v1
kind: Namespace
metadata:
  name: development
  labels:
    pod-security.kubernetes.io/enforce: baseline
---
# Testing: warn mode only
apiVersion: v1
kind: Namespace
metadata:
  name: testing
  labels:
    pod-security.kubernetes.io/warn: restricted
```

### 3. Use a read-only root filesystem

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: readonly-pod
spec:
  containers:
  - name: app
    image: nginx
    securityContext:
      readOnlyRootFilesystem: true
    volumeMounts:
    - name: cache
      mountPath: /var/cache
    - name: tmp
      mountPath: /tmp
  volumes:
  - name: cache
    emptyDir: {}
  - name: tmp
    emptyDir: {}
```

### 4. Disallow privilege escalation

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: no-privilege-escalation
spec:
  containers:
  - name: app
    image: nginx
    securityContext:
      allowPrivilegeEscalation: false
```

### 5. Run as a non-root user

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: non-root-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  containers:
  - name: app
    image: nginx
```

### 6. Restrict capabilities

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: minimal-capabilities
spec:
  containers:
  - name: app
    image: nginx
    securityContext:
      capabilities:
        drop:
        - ALL
        add:
        - NET_BIND_SERVICE # add only what is strictly needed
```

### 7. Use a seccomp profile

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: seccomp-pod
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: nginx
```

### 8. Audit Pod security configuration regularly

```bash
# Audit script
cat > audit-pod-security.sh << 'EOF'
#!/bin/bash
echo "=== Pod Security Audit ==="
echo ""

# Enforce label of every namespace ("none" when unset)
echo "Namespace Security Labels:"
kubectl get namespaces -o json | \
  jq -r '.items[] | "\(.metadata.name): \(.metadata.labels["pod-security.kubernetes.io/enforce"] // "none")"'
echo ""

# Pods with at least one privileged container (any() lists each Pod once,
# even when several containers match)
echo "Privileged Pods:"
kubectl get pods --all-namespaces -o json | \
  jq -r '.items[] | select(any(.spec.containers[]; .securityContext.privileged == true)) | "\(.metadata.namespace)/\(.metadata.name)"'
echo ""

# Pods that require a non-root user neither at Pod level nor in every
# container (these may run as root)
echo "Pods running as root:"
kubectl get pods --all-namespaces -o json | \
  jq -r '.items[] | select(.spec.securityContext.runAsNonRoot != true and any(.spec.containers[]; .securityContext.runAsNonRoot != true)) | "\(.metadata.namespace)/\(.metadata.name)"'
echo ""

# Pods with at least one container whose root filesystem is writable
echo "Pods without read-only filesystem:"
kubectl get pods --all-namespaces -o json | \
  jq -r '.items[] | select(any(.spec.containers[]; .securityContext.readOnlyRootFilesystem != true)) | "\(.metadata.namespace)/\(.metadata.name)"'
EOF
chmod +x audit-pod-security.sh
./audit-pod-security.sh
```

### 9. Use a Pod security template

```yaml
# A reusable secure Pod template
apiVersion: v1
kind: PodTemplate
metadata:
  name: secure-pod-template
  namespace: default
template:
  metadata:
    labels:
      security: restricted
  spec:
    securityContext:
      runAsNonRoot: true
      runAsUser: 1000
      fsGroup: 2000
      seccompProfile:
        type: RuntimeDefault
    containers:
    - name: app
      image: myapp:latest # placeholder; an image is required for the template to validate
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop:
          - ALL
```

### 10. Monitoring and alerting

```yaml
# Prometheus rules (the metric names must match what your exporter actually exposes)
apiVersion: v1
kind: ConfigMap
metadata:
  name: prometheus-rules
  namespace: monitoring
data:
  pod-security.rules: |
    groups:
    - name: pod-security
      rules:
      - alert: PrivilegedPodRunning
        expr: kube_pod_container_security_context_privileged{condition="true"} > 0
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: "Privileged pod running"
          description: "Pod {{ $labels.pod }} in namespace {{ $labels.namespace }} is running with privileged security context"
      - alert: PodRunningAsRoot
        expr: kube_pod_security_context_run_as_non_root{condition="false"} > 0
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: "Pod running as root"
          description: "Pod {{ $labels.pod }} in namespace {{ $labels.namespace }} is running as root"
```

## Pod Security Standards Reference
### Restricted requirements

| Setting | Requirement |
|---|---|
| runAsNonRoot | must be true |
| runAsUser | must be a non-zero user |
| allowPrivilegeEscalation | must be false |
| readOnlyRootFilesystem | must be true |
| capabilities.drop | must include ALL |
| seccompProfile.type | must be RuntimeDefault or Localhost |
| hostNetwork | must be false |
| hostPID | must be false |
| hostIPC | must be false |

### Baseline requirements

| Setting | Requirement |
|---|---|
| privileged | must be false or unset |
| hostNetwork | must be false or unset |
| hostPID | must be false or unset |
| hostIPC | must be false or unset |
| hostPath | must not be used |
| capabilities.add | must not add privileged capabilities |
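The checks in the tables above, and the `--dry-run=server` test from the kubectl section, can be rehearsed offline before anything reaches the API server. The following Python is an added example, not part of this page or of the Kubernetes project: it implements a subset of the Baseline and Restricted checks over a manifest dict (the page's Baseline Pod, constructed inline) and reports violations in the style of the admission error quoted in Problem 1. The capability sets and message wording are assumptions.

```python
# Added example (not from the page or the Kubernetes project): an offline
# checker mirroring a subset of the Baseline/Restricted checks this page
# describes, for screening manifests before `kubectl apply --dry-run=server`.
PRIVILEGED_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_MODULE", "SYS_PTRACE"}  # illustrative subset
ALLOWED_ADDS = {"NET_BIND_SERVICE"}  # the only capability Restricted lets a container add

def baseline_violations(spec):
    """Baseline: no host namespaces, no hostPath, no privileged mode, no privileged caps."""
    found = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            found.append(f"{key} != false")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            found.append(f'hostPath volume "{vol["name"]}" not allowed')
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            found.append(f'privileged (container "{c["name"]}" must not set privileged=true)')
        bad = set(sc.get("capabilities", {}).get("add", [])) & PRIVILEGED_CAPS
        if bad:
            found.append(f'non-default capabilities (container "{c["name"]}" adds {sorted(bad)})')
    return found

def restricted_violations(spec):
    """Restricted = Baseline plus per-container hardening; container fields override pod fields."""
    found = baseline_violations(spec)
    pod_sc = spec.get("securityContext") or {}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc, name = c.get("securityContext") or {}, c["name"]
        caps = sc.get("capabilities", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f'allowPrivilegeEscalation != false (container "{name}")')
        if "ALL" not in caps.get("drop", []) or set(caps.get("add", [])) - ALLOWED_ADDS:
            found.append(f'unrestricted capabilities (container "{name}" must drop ALL)')
        if (sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True
                or sc.get("runAsUser", pod_sc.get("runAsUser")) == 0):
            found.append(f'runAsNonRoot != true (container "{name}")')
        profile = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if profile not in ("RuntimeDefault", "Localhost"):
            found.append(f'seccompProfile (container "{name}" must use RuntimeDefault or Localhost)')
    return found

def check(manifest, level):
    """Violations for a Pod, or for a workload's pod template, at a namespace enforce level."""
    spec = manifest["spec"].get("template", {}).get("spec", manifest["spec"])
    checks = {"privileged": lambda s: [], "baseline": baseline_violations,
              "restricted": restricted_violations}
    return checks[level](spec)

# Constructed sample: the page's Baseline Pod passes baseline but fails restricted.
BASELINE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "baseline-pod"},
                "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
                         "containers": [{"name": "app", "image": "nginx:latest",
                                         "securityContext": {"allowPrivilegeEscalation": False}}]}}
```

Items from `kubectl get pods -A -o json` can be passed to `check()` one at a time together with their namespace's enforce label, which gives a cluster-wide report like the audit script in best practice 8.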
## Summary

Pod security is the foundation of Kubernetes cluster security. The Pod Security Standards provide:

- Isolation: limit a Pod's permissions and capabilities
- Least privilege: grant only the permissions that are needed
- Compliance: satisfy security and compliance requirements
- Protection: prevent privilege escalation and lateral movement

### Key takeaways

- Use the Pod Security Standards instead of PSP
- Set a different security level for each environment
- Follow the principle of least privilege
- Run containers as a non-root user
- Enable a read-only root filesystem
- Restrict container capabilities
- Audit Pod security configuration regularly

### Next steps

- RBAC basics: a deeper look at permission management
- ServiceAccount: how Pods authenticate
- Network security: network policies and isolation
- SecurityContext: configuring the container security context