SecurityContext
Overview
SecurityContext is the core mechanism in Kubernetes for defining the security configuration of a Pod or container. Through SecurityContext you control which user a container runs as, file-system permissions, Linux capabilities, privileged mode and other security-relevant settings, which gives fine-grained security control.
Core concepts
1. Pod-level SecurityContext
Security settings defined in the Pod spec; they apply to every container in the Pod.
2. Container-level SecurityContext
Security settings defined in a container's spec; they apply only to that container and override the Pod-level settings for the fields that exist at both levels.
3. Key security settings
- runAsUser/runAsGroup: the user ID and group ID the container processes run as
- runAsNonRoot: whether the container must run as a non-root user (the kubelet refuses to start it as root)
- fsGroup: the group ID applied to mounted volumes
- privileged: whether the container runs in privileged mode
- capabilities: which Linux capabilities are added or dropped
- allowPrivilegeEscalation: whether a process may gain more privileges than its parent
- readOnlyRootFilesystem: whether the root file system is mounted read-only
- seccompProfile: the seccomp profile (system-call filter)
- seLinuxOptions: SELinux labels
How SecurityContext works
```
┌─────────────────────────────────────────────┐
│ Pod Spec                                    │
│                                             │
│ ┌───────────────────────────────────────┐   │
│ │ Pod SecurityContext                   │   │
│ │ - runAsUser: 1000                     │   │
│ │ - runAsNonRoot: true                  │   │
│ │ - fsGroup: 2000                       │   │
│ └───────────────────────────────────────┘   │
│                                             │
│ ┌───────────────────────────────────────┐   │
│ │ Container 1                           │   │
│ │ ┌───────────────────────────────────┐ │   │
│ │ │ Container SecurityContext         │ │   │
│ │ │ - readOnlyRootFilesystem: true    │ │   │
│ │ │ - capabilities: drop ALL          │ │   │
│ │ └───────────────────────────────────┘ │   │
│ └───────────────────────────────────────┘   │
│                                             │
│ ┌───────────────────────────────────────┐   │
│ │ Container 2                           │   │
│ │ ┌───────────────────────────────────┐ │   │
│ │ │ Container SecurityContext         │ │   │
│ │ │ - runAsUser: 2000 (overrides Pod) │ │   │
│ │ │ - privileged: true                │ │   │
│ │ └───────────────────────────────────┘ │   │
│ └───────────────────────────────────────┘   │
└─────────────────────────────────────────────┘
```

YAML configuration examples
Example 1: Pod-level SecurityContext
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-security-context
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    runAsNonRoot: true
    fsGroup: 2000
  containers:
    - name: app
      image: nginx:latest
      command: ["sh", "-c", "sleep 3600"]
```

Example 2: Container-level SecurityContext
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: container-security-context
spec:
  containers:
    - name: app
      image: nginx:latest
      securityContext:
        runAsUser: 1000
        runAsNonRoot: true
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
```

Example 3: Privileged container
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod
spec:
  containers:
    - name: app
      image: nginx:latest
      securityContext:
        # full access to the node's devices and kernel; reserve for infrastructure components
        privileged: true
```

Example 4: Capability management
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: capabilities-pod
spec:
  containers:
    - name: app
      image: nginx:latest
      securityContext:
        capabilities:
          add:
            - NET_BIND_SERVICE
            - CHOWN
          drop:
            - ALL
```

Example 5: Read-only root file system
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: readonly-pod
spec:
  containers:
    - name: app
      image: nginx:latest
      securityContext:
        readOnlyRootFilesystem: true
      volumeMounts:
        - name: cache
          mountPath: /var/cache
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: cache
      emptyDir: {}
    - name: tmp
      emptyDir: {}
```

Example 6: Seccomp profile
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: seccomp-pod
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: nginx:latest
```

Example 7: SELinux options
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: selinux-pod
spec:
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"
  containers:
    - name: app
      image: nginx:latest
```

Example 8: Complete SecurityContext configuration
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: complete-security-context
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    runAsNonRoot: true
    fsGroup: 2000
    fsGroupChangePolicy: "OnRootMismatch"
    seccompProfile:
      type: RuntimeDefault
    supplementalGroups:
      - 4000
      - 5000
    sysctls:
      # net.core.somaxconn is not in the kubelet's safe list; the node must allow it via --allowed-unsafe-sysctls
      - name: net.core.somaxconn
        value: "1024"
  containers:
    - name: app
      image: nginx:latest
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        runAsUser: 1000
        capabilities:
          drop:
            - ALL
          add:
            - NET_BIND_SERVICE
      volumeMounts:
        - name: cache
          mountPath: /var/cache
  volumes:
    - name: cache
      emptyDir: {}
```

Example 9: Different SecurityContexts in a multi-container Pod
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: multi-container-security
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 2000
  containers:
    - name: app
      image: myapp:latest
      securityContext:
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - ALL
    - name: sidecar
      image: log-collector:latest
      securityContext:
        runAsUser: 2000
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - ALL
```

Example 10: Windows container SecurityContext
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: windows-pod
spec:
  securityContext:
    windowsOptions:
      runAsUserName: "ContainerUser"
      gmsaCredentialSpecName: "gmsa-webapp"
  containers:
    - name: app
      image: mcr.microsoft.com/windows/servercore:ltsc2019
```

kubectl commands
Viewing the SecurityContext configuration
```bash
# Show the securityContext blocks in the Pod manifest
kubectl get pod <pod-name> -o yaml | grep -A 30 "securityContext"
# Pod-level SecurityContext
kubectl get pod <pod-name> -o jsonpath='{.spec.securityContext}' | jq
# Container-level SecurityContext of every container
kubectl get pod <pod-name> -o jsonpath='{.spec.containers[*].securityContext}' | jq
# SecurityContext of one container, selected by name
kubectl get pod <pod-name> -o jsonpath='{.spec.containers[?(@.name=="app")].securityContext}' | jq
# User the Pod runs as
kubectl get pod <pod-name> -o jsonpath='{.spec.securityContext.runAsUser}'
# Whether non-root is enforced
kubectl get pod <pod-name> -o jsonpath='{.spec.securityContext.runAsNonRoot}'
# Whether any container is privileged
kubectl get pod <pod-name> -o jsonpath='{.spec.containers[*].securityContext.privileged}'
```

Verifying the SecurityContext
```bash
# Check the user inside the container
kubectl exec -it <pod-name> -- id
# Show the user name
kubectl exec -it <pod-name> -- whoami
# File permissions on a mounted volume
kubectl exec -it <pod-name> -- ls -la /var/cache
# Which user the processes run as
kubectl exec -it <pod-name> -- ps aux
# Capability sets of the process (hex masks)
kubectl exec -it <pod-name> -- cat /proc/self/status | grep Cap
# Seccomp mode (0 = disabled, 2 = filter loaded)
kubectl exec -it <pod-name> -- cat /proc/self/status | grep Seccomp
```

Testing the SecurityContext
```bash
# Test the read-only root file system
kubectl exec -it <pod-name> -- touch /test-file
# should fail: Read-only file system
# Test a privileged operation (mounting a file system needs CAP_SYS_ADMIN; plain `mount` only lists mounts)
kubectl exec -it <pod-name> -- mount -t tmpfs tmpfs /mnt
# should fail in a non-privileged container: Operation not permitted
# Test a network capability (changing link state needs NET_ADMIN; plain `ip link` listing does not)
kubectl exec -it <pod-name> -- ip link set dev lo mtu 65536
# should fail without NET_ADMIN: RTNETLINK answers: Operation not permitted
# Test writing to a writable volume
kubectl exec -it <pod-name> -- sh -c "echo test > /tmp/test.txt"
```

Debugging the SecurityContext
```bash
# Pod events
kubectl describe pod <pod-name>
# Container logs
kubectl logs <pod-name>
# Container status
kubectl get pod <pod-name> -o jsonpath='{.status.containerStatuses}'
# Events for containers that failed (for example because of a security setting)
kubectl get events --field-selector reason=Failed
# Security settings as seen by the container runtime (run on the node)
crictl inspect <container-id> | grep -A 20 "security"
```

Real-world scenarios
Scenario 1: securing a web application
Requirement: the web application needs a secure runtime environment with privileged operations disallowed.
Solution:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-app
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web-app
  template:
    metadata:
      labels:
        app: web-app
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 3000
        fsGroup: 2000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: web
          # the stock nginx image listens on port 80, which uid 1000 cannot bind;
          # ship a config that listens on 8080 (or use the nginxinc/nginx-unprivileged image)
          image: nginx:1.21
          ports:
            - containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: cache
              mountPath: /var/cache/nginx
            - name: run
              mountPath: /var/run
          resources:
            limits:
              cpu: "500m"
              memory: "512Mi"
            requests:
              cpu: "250m"
              memory: "256Mi"
      volumes:
        - name: cache
          emptyDir: {}
        - name: run
          emptyDir: {}
```
Verification:
```bash
# Apply the manifest
kubectl apply -f web-app-security.yaml
# Verify the user
kubectl exec -it deployment/web-app -- id
# expected: uid=1000 gid=3000 groups=3000,2000  (fsGroup is added as a supplemental group)
# Verify the read-only root file system
kubectl exec -it deployment/web-app -- touch /test
# should fail: Read-only file system
```

Scenario 2: securing a database
Requirement: the database needs a specific user and group and must access persistent storage.
Solution:
```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: mysql
  namespace: default
spec:
  serviceName: mysql
  replicas: 1
  selector:
    matchLabels:
      app: mysql
  template:
    metadata:
      labels:
        app: mysql
    spec:
      securityContext:
        runAsUser: 999
        runAsGroup: 999
        fsGroup: 999
        fsGroupChangePolicy: "OnRootMismatch"
      containers:
        - name: mysql
          image: mysql:8.0
          ports:
            - containerPort: 3306
          securityContext:
            allowPrivilegeEscalation: false
          env:
            - name: MYSQL_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mysql-secret
                  key: password
          volumeMounts:
            - name: data
              mountPath: /var/lib/mysql
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 10Gi
```

Scenario 3: system monitoring agent
Requirement: the monitoring agent needs access to node resources but with the least privilege possible.
Solution:
```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: node-exporter
  namespace: monitoring
spec:
  selector:
    matchLabels:
      app: node-exporter
  template:
    metadata:
      labels:
        app: node-exporter
    spec:
      hostNetwork: true
      hostPID: true
      securityContext:
        runAsUser: 0
        runAsNonRoot: false
      containers:
        - name: node-exporter
          image: prom/node-exporter:latest
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
          volumeMounts:
            - name: proc
              mountPath: /host/proc
              readOnly: true
            - name: sys
              mountPath: /host/sys
              readOnly: true
      volumes:
        - name: proc
          hostPath:
            path: /proc
        - name: sys
          hostPath:
            path: /sys
```

Scenario 4: an application that needs one specific capability
Requirement: the application must bind a privileged port (< 1024) but does not need full privileges.
Solution:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: privileged-port-app
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
  containers:
    - name: app
      image: myapp:latest
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          # for a non-root user the added capability only lands in the bounding set; the
          # binary must carry the file capability (setcap cap_net_bind_service=+ep) to use it
          add:
            - NET_BIND_SERVICE
          drop:
            - ALL
      ports:
        - containerPort: 80
          hostPort: 80
```

Scenario 5: multi-tenant isolation
Requirement: applications of different tenants run under different user IDs so that their files are isolated from each other.
Solution:
```yaml
---
# tenant A's application
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tenant-a-app
  namespace: tenant-a
spec:
  replicas: 2
  selector:
    matchLabels:
      app: tenant-a-app
  template:
    metadata:
      labels:
        app: tenant-a-app
    spec:
      securityContext:
        runAsUser: 10000
        runAsGroup: 10000
        fsGroup: 10000
      containers:
        - name: app
          image: myapp:latest
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
---
# tenant B's application
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tenant-b-app
  namespace: tenant-b
spec:
  replicas: 2
  selector:
    matchLabels:
      app: tenant-b-app
  template:
    metadata:
      labels:
        app: tenant-b-app
    spec:
      securityContext:
        runAsUser: 20000
        runAsGroup: 20000
        fsGroup: 20000
      containers:
        - name: app
          image: myapp:latest
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
```

Scenario 6: CI/CD build container
Requirement: the CI/CD job needs to build Docker images and therefore needs access to the Docker socket.
Solution:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: docker-builder
  namespace: ci-cd
spec:
  securityContext:
    runAsUser: 1000
    runAsNonRoot: true
    fsGroup: 1000
  containers:
    - name: docker
      image: docker:latest
      securityContext:
        allowPrivilegeEscalation: false
      volumeMounts:
        - name: docker-socket
          mountPath: /var/run/docker.sock
        - name: workspace
          mountPath: /workspace
  volumes:
    # access to the Docker socket is equivalent to root on the node: restrict who can deploy
    # into this namespace, or prefer a daemonless builder such as kaniko or buildah
    - name: docker-socket
      hostPath:
        path: /var/run/docker.sock
        type: Socket
    - name: workspace
      emptyDir: {}
```

Troubleshooting guide
Problem 1: the container does not start because of a user permission problem
Symptom:
```
Error: container has runAsNonRoot and image will run as root
```
Troubleshooting steps:
```bash
# 1. Check the Pod's SecurityContext
kubectl get pod <pod-name> -o jsonpath='{.spec.securityContext}'
# 2. Check the image's default user (empty or 0 means root; a non-numeric USER cannot be verified by the kubelet)
docker inspect <image> | grep User
# 3. Look at the Pod events
kubectl describe pod <pod-name>
```
Solution:
```yaml
# Option 1: specify a non-root user in the Pod spec
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
  containers:
    - name: app
      image: nginx
```
```dockerfile
# Option 2: set a numeric non-root user in the image's Dockerfile
FROM nginx
USER 1000:1000
```

Problem 2: file permission errors
Symptom:
```
Error: Permission denied
```
Troubleshooting steps:
```bash
# 1. Check the file permissions
kubectl exec -it <pod-name> -- ls -la /path/to/file
# 2. Check the fsGroup setting
kubectl get pod <pod-name> -o jsonpath='{.spec.securityContext.fsGroup}'
# 3. Check the current user and its groups
kubectl exec -it <pod-name> -- id
# 4. Inspect the mounted volume
kubectl exec -it <pod-name> -- mount | grep /path
```
Solution:
```yaml
# Configure the correct fsGroup
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  securityContext:
    runAsUser: 1000
    fsGroup: 2000
    fsGroupChangePolicy: "OnRootMismatch"
  containers:
    - name: app
      image: myapp
      volumeMounts:
        - name: data
          mountPath: /data
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: my-pvc
```

Problem 3: a privileged operation cannot be performed
Symptom:
```
Error: Operation not permitted
```
Troubleshooting steps:
```bash
# 1. Check the privileged setting
kubectl get pod <pod-name> -o jsonpath='{.spec.containers[*].securityContext.privileged}'
# 2. Check the capability settings
kubectl get pod <pod-name> -o jsonpath='{.spec.containers[*].securityContext.capabilities}'
# 3. Check the capabilities the process actually holds
kubectl exec -it <pod-name> -- cat /proc/self/status | grep Cap
# 4. Reproduce the failing operation
kubectl exec -it <pod-name> -- <command>
```
Solution:
```yaml
# Add only the capabilities the operation actually needs, on top of drop ALL
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
    - name: app
      image: myapp
      securityContext:
        capabilities:
          add:
            - NET_ADMIN
            - SYS_TIME
          drop:
            - ALL
```

Problem 4: the read-only root file system breaks the application
Symptom: the application cannot write files.
Troubleshooting steps:
```bash
# 1. Check the read-only root file system setting
kubectl get pod <pod-name> -o jsonpath='{.spec.containers[*].securityContext.readOnlyRootFilesystem}'
# 2. Read the application logs for the path it tries to write
kubectl logs <pod-name>
# 3. Test a file write
kubectl exec -it <pod-name> -- touch /test
```
Solution:
```yaml
# Mount writable volumes at the paths the application writes to, keeping the root file system read-only
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
    - name: app
      image: myapp
      securityContext:
        readOnlyRootFilesystem: true
      volumeMounts:
        - name: cache
          mountPath: /var/cache
        - name: tmp
          mountPath: /tmp
        - name: logs
          mountPath: /var/log
  volumes:
    - name: cache
      emptyDir: {}
    - name: tmp
      emptyDir: {}
    - name: logs
      emptyDir: {}
```

Problem 5: the seccomp profile breaks the application
Symptom: the application fails because a system call is blocked.
Troubleshooting steps:
```bash
# 1. Check the seccomp setting
kubectl get pod <pod-name> -o jsonpath='{.spec.securityContext.seccompProfile}'
# 2. Look for seccomp denials in the kernel log (on the node)
dmesg | grep seccomp
# 3. Check the application logs
kubectl logs <pod-name>
# 4. Trace the system calls of the process (on the node)
strace -p <pid>
```
Solution:
```yaml
# Use Unconfined temporarily to confirm the diagnosis, or a custom profile;
# Unconfined removes the filter entirely, so prefer a Localhost profile that
# allows only the additional system calls the application needs
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  securityContext:
    seccompProfile:
      type: Unconfined
  containers:
    - name: app
      image: myapp
```

Problem 6: SELinux configuration problems
Symptom:
```
Error: SELinux context mismatch
```
Troubleshooting steps:
```bash
# 1. Check the SELinux setting
kubectl get pod <pod-name> -o jsonpath='{.spec.securityContext.seLinuxOptions}'
# 2. Look for AVC denials in the audit log (on the node)
ausearch -m avc -ts recent
# 3. Check the SELinux context of the file (on the node)
ls -Z /path/to/file
# 4. Check the SELinux context inside the container
kubectl exec -it <pod-name> -- ls -Z /
```
Solution:
```yaml
# Configure matching SELinux options
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"
      user: "system_u"
      role: "system_r"
      type: "svirt_lxc_net_t"
  containers:
    - name: app
      image: myapp
```

Best practices
1. Always run as a non-root user
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: non-root-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 3000
  containers:
    - name: app
      image: nginx
```

2. Disable privilege escalation
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: no-privilege-escalation
spec:
  containers:
    - name: app
      image: nginx
      securityContext:
        allowPrivilegeEscalation: false
```

3. Use a read-only root file system
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: readonly-filesystem
spec:
  containers:
    - name: app
      image: nginx
      securityContext:
        readOnlyRootFilesystem: true
      volumeMounts:
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: tmp
      emptyDir: {}
```

4. Restrict container capabilities
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: minimal-capabilities
spec:
  containers:
    - name: app
      image: nginx
      securityContext:
        capabilities:
          drop:
            - ALL
          add:
            - NET_BIND_SERVICE
```

5. Use a seccomp profile
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: seccomp-enabled
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: nginx
```

6. Configure fsGroup
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: fsgroup-pod
spec:
  securityContext:
    fsGroup: 2000
    fsGroupChangePolicy: "OnRootMismatch"
  containers:
    - name: app
      image: nginx
      volumeMounts:
        - name: data
          mountPath: /data
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: my-pvc
```

7. Use supplemental groups
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: supplemental-groups
spec:
  securityContext:
    runAsUser: 1000
    fsGroup: 2000
    supplementalGroups:
      - 3000
      - 4000
  containers:
    - name: app
      image: nginx
```

8. Give different containers different users
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: multi-user-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
  containers:
    - name: app
      image: myapp
      securityContext:
        runAsUser: 1000
    - name: sidecar
      image: log-collector
      securityContext:
        runAsUser: 2000
```

9. Combine Pod-level and container-level settings
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: combined-security
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 2000
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: myapp
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - ALL
```

10. Audit the SecurityContext regularly
```bash
# Audit script
cat > audit-security-context.sh << 'EOF'
#!/bin/bash
echo "=== SecurityContext Audit ==="
echo ""
# Pods that enforce runAsNonRoot neither at Pod level nor on every container
echo "Pods running as root (runAsNonRoot not enforced):"
kubectl get pods --all-namespaces -o json | \
  jq -r '.items[] | select(.spec.securityContext.runAsNonRoot != true and any(.spec.containers[]; .securityContext.runAsNonRoot != true)) | "\(.metadata.namespace)/\(.metadata.name)"'
echo ""
# Privileged Pods (any() prints each Pod once instead of once per matching container)
echo "Privileged pods:"
kubectl get pods --all-namespaces -o json | \
  jq -r '.items[] | select(any(.spec.containers[]; .securityContext.privileged == true)) | "\(.metadata.namespace)/\(.metadata.name)"'
echo ""
# Pods with at least one container whose root file system is writable
echo "Pods without read-only filesystem:"
kubectl get pods --all-namespaces -o json | \
  jq -r '.items[] | select(any(.spec.containers[]; .securityContext.readOnlyRootFilesystem != true)) | "\(.metadata.namespace)/\(.metadata.name)"'
echo ""
# allowPrivilegeEscalation defaults to true, so anything other than an explicit false counts
echo "Pods allowing privilege escalation:"
kubectl get pods --all-namespaces -o json | \
  jq -r '.items[] | select(any(.spec.containers[]; .securityContext.allowPrivilegeEscalation != false)) | "\(.metadata.namespace)/\(.metadata.name)"'
EOF
chmod +x audit-security-context.sh
./audit-security-context.sh
```

SecurityContext quick reference
Pod-level settings
| Field | Description | Example value |
|---|---|---|
| runAsUser | user ID the processes run as | 1000 |
| runAsGroup | primary group ID the processes run as | 3000 |
| runAsNonRoot | require a non-root user | true |
| fsGroup | group ID applied to mounted volumes | 2000 |
| fsGroupChangePolicy | when volume ownership is changed to fsGroup | OnRootMismatch |
| supplementalGroups | additional group IDs | [3000, 4000] |
| seccompProfile | seccomp profile | type: RuntimeDefault |
| seLinuxOptions | SELinux labels | level: "s0:c123" |
| sysctls | kernel parameters | name: net.core.somaxconn |
Container-level settings
| Field | Description | Example value |
|---|---|---|
| runAsUser | user ID (overrides the Pod level) | 1000 |
| runAsNonRoot | require a non-root user | true |
| privileged | privileged mode | false |
| allowPrivilegeEscalation | allow gaining more privileges than the parent process | false |
| readOnlyRootFilesystem | mount the root file system read-only | true |
| capabilities.add | capabilities to add | [NET_BIND_SERVICE] |
| capabilities.drop | capabilities to drop | [ALL] |
| seccompProfile | seccomp profile | type: RuntimeDefault |
| seLinuxOptions | SELinux labels | level: "s0:c123" |
Common capabilities
| Capability | Description |
|---|---|
| NET_BIND_SERVICE | bind privileged ports (< 1024) |
| NET_ADMIN | network administration |
| SYS_ADMIN | system administration (very broad; close to full root) |
| SYS_TIME | set the system clock |
| CHOWN | change file ownership |
| DAC_OVERRIDE | bypass file permission checks |
| SETUID | change the user ID |
| SETGID | change the group ID |
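The `grep Cap` / `grep Seccomp` checks in the verification section print raw hex masks and mode numbers. The following is an added example, not code from the original page, that decodes those `/proc/<pid>/status` fields into capability names (bit positions from the Linux UAPI header), seccomp mode and the `NoNewPrivs` flag. The two status dumps are constructed samples: a root container with the runtime's default capability set, and a non-root container configured like scenario 4 above.

```python
# Capability bit positions from the Linux UAPI (CAP_CHOWN = 0 ... CAP_CHECKPOINT_RESTORE = 40).
CAP_NAMES = (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID SETPCAP "
    "LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK "
    "IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN "
    "SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE "
    "AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND "
    "AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"
).split()
SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}  # value of the Seccomp: line


def decode_caps(mask_hex):
    """Turn a hex capability mask as printed in /proc/<pid>/status into a set of names."""
    mask = int(mask_hex, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}


def parse_status(text):
    """Extract the security-relevant fields from a /proc/<pid>/status dump."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return {
        "uid": int(fields["Uid"].split()[0]),        # real uid: should match runAsUser
        "effective": decode_caps(fields["CapEff"]),  # what the process can use right now
        "bounding": decode_caps(fields["CapBnd"]),   # ceiling set by capabilities.add/drop
        "seccomp": SECCOMP_MODES.get(int(fields.get("Seccomp", "0"))),  # 2 = a filter is loaded
        "no_new_privs": fields.get("NoNewPrivs") == "1",  # 1 when allowPrivilegeEscalation: false
    }


# Constructed sample: root container with the runtime's default capability set
# (the familiar a80425fb mask), no seccomp filter and privilege escalation allowed.
SAMPLE_DEFAULT = """\
Uid:\t0\t0\t0\t0
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
NoNewPrivs:\t0
Seccomp:\t0
"""

# Constructed sample: scenario 4 from the page (runAsUser 1000, drop ALL, add
# NET_BIND_SERVICE, allowPrivilegeEscalation: false, RuntimeDefault seccomp).
# The effective set is empty: a non-root process only gets the bounding-set capability
# when the binary carries the matching file capability (Kubernetes sets no ambient caps).
SAMPLE_SCENARIO4 = """\
Uid:\t1000\t1000\t1000\t1000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000000000000400
NoNewPrivs:\t1
Seccomp:\t2
"""
```

Feed it the output of `kubectl exec <pod-name> -- cat /proc/1/status` to check the main container process rather than the `cat` spawned by `kubectl exec`.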
Summary
SecurityContext is the core security-configuration mechanism of Kubernetes. Configured properly it provides:
- User isolation: run containers as a non-root user
- File-system security: read-only root file system and permission control
- Capability restriction: precise control over container capabilities
- System-call filtering: seccomp profiles
- Mandatory access control: SELinux labels
Key takeaways
- Prefer the Pod-level SecurityContext for settings shared by all containers
- Container-level settings override Pod-level ones
- Always run as a non-root user
- Disable privilege escalation
- Use a read-only root file system
- Drop every capability that is not needed
- Enable a seccomp profile
- Audit the security configuration regularly
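The jq audit script under best practice 10 looks at each level in isolation. The following is an added example, not code from the original page, that applies the precedence rule from the core concepts (container fields override Pod fields) to compute the effective SecurityContext of every container and then checks the key takeaways above against it. The pod list is a constructed sample modelled on examples 9 and 3; on a live cluster, pass the parsed output of `kubectl get pods --all-namespaces -o json` to `audit_pod_list`.

```python
# Fields settable at Pod level that a container inherits unless it sets its own value.
POD_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot", "seccompProfile", "seLinuxOptions")


def effective_context(pod_spec, container):
    """Merge Pod-level and container-level securityContext for one container."""
    pod_sc = pod_spec.get("securityContext") or {}
    effective = {k: pod_sc[k] for k in POD_FIELDS if k in pod_sc}
    effective.update(container.get("securityContext") or {})  # container wins
    return effective


def audit_container(pod_spec, container):
    """Return the findings for one container; an empty list means it passes."""
    sc = effective_context(pod_spec, container)
    caps = sc.get("capabilities") or {}
    findings = []
    if sc.get("privileged"):
        findings.append("privileged")
    if sc.get("allowPrivilegeEscalation") is not False:  # the default is true
        findings.append("allowPrivilegeEscalation not false")
    if not sc.get("readOnlyRootFilesystem"):
        findings.append("root filesystem writable")
    if sc.get("runAsUser") == 0 or (sc.get("runAsNonRoot") is not True and sc.get("runAsUser") is None):
        findings.append("may run as root")
    if "ALL" not in (caps.get("drop") or []):
        findings.append("capabilities not dropped to ALL")
    if (sc.get("seccompProfile") or {}).get("type") not in ("RuntimeDefault", "Localhost"):
        findings.append("no seccomp profile")
    return findings


def audit_pod_list(pod_list):
    """Map 'namespace/pod/container' to findings for every container that has any."""
    report = {}
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        for ctr in spec.get("containers", []) + spec.get("initContainers", []):
            findings = audit_container(spec, ctr)
            if findings:
                report[f"{meta['namespace']}/{meta['name']}/{ctr['name']}"] = findings
    return report


# Constructed sample modelled on the page's example 9 and example 3.
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "default", "name": "multi-container-security"},
     "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "fsGroup": 2000},
              "containers": [
                  {"name": "app", "securityContext": {"readOnlyRootFilesystem": True,
                                                      "capabilities": {"drop": ["ALL"]}}},
                  {"name": "sidecar", "securityContext": {"runAsUser": 2000, "readOnlyRootFilesystem": True,
                                                          "capabilities": {"drop": ["ALL"]}}}]}},
    {"metadata": {"namespace": "default", "name": "privileged-pod"},
     "spec": {"containers": [{"name": "app", "securityContext": {"privileged": True}}]}},
]}

if __name__ == "__main__":
    for key, findings in sorted(audit_pod_list(SAMPLE_PODS).items()):
        print(f"{key}: {'; '.join(findings)}")
```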
Next steps
- RBAC basics: a deeper look at permission management
- ServiceAccount: Pod identity and authentication
- Network security: network policies and isolation
- Pod security: Pod security policies