[Translation] Kubernetes Best Practices: Security
By robot-v1.0
Link to this article: https://www.kyfws.com/best-practices/kubernetes-best-practices-security-zh/
Copyright notice: unless otherwise stated, all articles on this blog are published under the BY-NC-SA license. Please credit the source when reposting!
Original article: https://www.codeproject.com/Articles/5273778/Kubernetes-Best-Practices-Security
Original author: Robert_Brennan
Translated by this site's robot-v1.0
Preface
In this article let's look at three common security challenges, and how to overcome them.

The genius of Kubernetes is its ability to provide you with a framework to run distributed systems resiliently. However, it introduces a level of complexity that can be overwhelming. By following Kubernetes best practices around security, reliability, efficiency and monitoring, teams can set themselves up for a successful transition. In a series of blog posts, we'll cover each of these topics, starting with security.
Kubernetes Best Practices: Security
Kubernetes abstracts away just enough of the infrastructure layer so that developers can freely deploy, while ops teams retain access to important governance and risk controls. The challenge is that development teams new to Kubernetes may neglect some critical security features. Often the easiest way to get something working is to soften its security. Let's look at three common security challenges, and how to overcome them.
A Good Burst vs. a Bad Burst
Kubernetes responds well to bursts in traffic, whether good or bad. In the event you see a legitimate burst of traffic, Kubernetes will scale up to meet the increase in demand. Your application will consume more resources in your cluster without any degradation of performance. That's a major benefit. However, in the event of a denial-of-service (DoS) attack, Kubernetes will do exactly the same thing, and you'll pay for the extra capacity it provisions to absorb that traffic overload.
K8S Best Practice #1 – Set limits on:
- the number of concurrent connections per IP address
- the number of requests each user can make per second, minute, or hour
- the size of request bodies
- and tune these limits for individual hostnames and paths
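The article does not say where these limits are enforced. The following is an added example, not code from the original article or its author: it assumes the ingress-nginx controller, and the `shop` namespace, hostnames, paths and Service names are placeholders. It shows an Ingress with no limits next to the same site split into two Ingress objects so the login path can be limited more tightly than the rest; ingress-nginx attaches rate-limit annotations per Ingress (per nginx location), and all of them are keyed by client IP.

```yaml
# Added example (not from the original article). Assumes ingress-nginx;
# namespace, hosts, paths and Service names are placeholders.
#
# Weak setting: no limits. Every request is forwarded and the cluster
# autoscales to absorb a DoS just as eagerly as a legitimate burst.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop-unlimited
  namespace: shop
spec:
  ingressClassName: nginx
  rules:
    - host: shop.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: storefront
                port:
                  number: 80
---
# Corrected setting: site-wide limits, all keyed by client IP.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop-site
  namespace: shop
  annotations:
    # concurrent connections per client IP (excess -> 503)
    nginx.ingress.kubernetes.io/limit-connections: "20"
    # requests per second per client IP; a burst of
    # limit-rps * limit-burst-multiplier (default 5) is tolerated first
    nginx.ingress.kubernetes.io/limit-rps: "10"
    # request bodies above this size are rejected with 413
    nginx.ingress.kubernetes.io/proxy-body-size: "1m"
    # CIDRs exempt from the rate limits, e.g. an internal health checker
    nginx.ingress.kubernetes.io/limit-whitelist: "10.0.0.0/8"
spec:
  ingressClassName: nginx
  rules:
    - host: shop.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: storefront
                port:
                  number: 80
---
# Same host, separate Ingress: tighter limits for the credential path only.
# ingress-nginx merges both into one server block with per-path locations.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop-login
  namespace: shop
  annotations:
    nginx.ingress.kubernetes.io/limit-connections: "5"
    nginx.ingress.kubernetes.io/limit-rpm: "30"      # per minute, per client IP
    nginx.ingress.kubernetes.io/proxy-body-size: "8k" # a login form is small
spec:
  ingressClassName: nginx
  rules:
    - host: shop.example.com
      http:
        paths:
          - path: /login
            pathType: Prefix
            backend:
              service:
                name: auth
                port:
                  number: 80
```

Two checks before relying on this. First, these annotations limit per client IP, not per authenticated user; a per-user limit (the second bullet above) has to be enforced by the application or an API gateway that knows the user's identity. Second, if the controller sits behind a cloud load balancer, nginx sees the balancer's address unless the client IP is preserved (for example `externalTrafficPolicy: Local` on the controller's Service, or PROXY protocol); otherwise every client shares one bucket and the limit throttles everyone at once. It is also worth capping the autoscaler's `maxReplicas` so the bill from a burst that does get through is bounded.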
Granting Safe Levels of Access
The easiest way to deploy a new application or provision a new user is to give away admin permissions. But it's also the most dangerous way: if an attacker gains access to that account, they'll have access to everything.
K8S Best Practice #2 – Employ role-based access control (RBAC) to adhere to the principle of least privilege
RBAC allows you to grant users granular access to Kubernetes API resources. You should define access profiles using Roles or ClusterRoles. Using Roles, you'll grant access to a single namespace. With ClusterRoles, you can grant access to resources without namespaces, like Nodes and PersistentVolumes, as well as to namespaced resources across all namespaces (when the ClusterRole is bound with a ClusterRoleBinding; bound with a RoleBinding, it applies only in that binding's namespace).
While RBAC configuration can be confusing and verbose, tools like rbac-manager can help simplify the syntax. This helps prevent mistakes and provides a clearer sense of who has access to what.
The end result? By only granting workloads the permissions they need to do their job, you'll limit the amount of damage an attacker can do to your Kubernetes environment.
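As an added example, not code from the original article or from rbac-manager, the manifests below show the "easy way" (a workload's ServiceAccount bound to `cluster-admin`) beside the least-privilege equivalent: a dedicated ServiceAccount, a namespaced Role with only the verbs and resources the application uses, and a separate read-only ClusterRole for the cluster-scoped Nodes resource the text mentions. The `shop` namespace, the `inventory` workload and the ConfigMap name are placeholders.

```yaml
# Added example (not from the original article). Namespace, ServiceAccount
# and resource names are placeholders.
#
# Weak setting: one binding gives the workload's identity every permission
# in the cluster. A compromised pod can then read every Secret, schedule
# privileged pods on any node, or delete other tenants' workloads.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: inventory-admin   # do not do this
subjects:
  - kind: ServiceAccount
    name: inventory
    namespace: shop
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---
# Corrected setting, step 1: a dedicated ServiceAccount per workload so the
# grant is scoped to exactly one identity (not the namespace's "default").
apiVersion: v1
kind: ServiceAccount
metadata:
  name: inventory
  namespace: shop
---
# Step 2: a namespaced Role listing only what the app actually calls.
# resourceNames narrows "get" to one ConfigMap instead of all of them.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: inventory
  namespace: shop
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["inventory-settings"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
---
# Step 3: bind the Role to the ServiceAccount inside the same namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: inventory
  namespace: shop
subjects:
  - kind: ServiceAccount
    name: inventory
    namespace: shop
roleRef:
  kind: Role
  name: inventory
  apiGroup: rbac.authorization.k8s.io
---
# Nodes have no namespace, so reading them needs a ClusterRole and a
# ClusterRoleBinding. Still read-only, still a single resource type.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-reader
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: inventory-node-reader
subjects:
  - kind: ServiceAccount
    name: inventory
    namespace: shop
roleRef:
  kind: ClusterRole
  name: node-reader
  apiGroup: rbac.authorization.k8s.io
```

Verify the result from the workload's point of view rather than by reading the YAML: `kubectl auth can-i get secrets -n shop --as=system:serviceaccount:shop:inventory` should answer `no`, and `kubectl auth can-i get configmaps/inventory-settings -n shop --as=system:serviceaccount:shop:inventory` should answer `yes`. For workloads that never talk to the API server at all, go one step further and set `automountServiceAccountToken: false` on the ServiceAccount or pod spec, so there is no token in the container for an attacker to steal.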
Keep Kubernetes Secrets, Secret
If you are using Kubernetes infrastructure-as-code (IaC) patterns, you benefit from having a completely reproducible environment. But there's a catch: part of your infrastructure likely includes Kubernetes Secrets, which store and manage sensitive information such as passwords, OAuth tokens, and ssh keys. And you shouldn't be adding Secrets to your IaC repository.
It's tempting to check your Kubernetes Secrets into your infrastructure-as-code repository so that your builds are 100% reproducible. But if you care about security, don't. Once checked in, your Secrets are permanently exposed to anyone with access to your Git repository, and to every clone of it; rewriting history does not take a value back, so a secret that was committed in plaintext has to be rotated.
K8S Best Practice #3 – Encrypt your secrets before checking them into your infrastructure repository
The solution is to split the difference: encrypt all your secrets so you can safely check them into your repository without fear of exposing them. Then you'll only need access to a single encryption key to "unlock" your IaC repository, and have perfectly reproducible infrastructure. Open source tools like Mozilla's SOPS can help with this.
You can read more best practices for k8s security by checking out how we implement security for our customers' managed Kubernetes deployments. You can also check out Kubernetes Best Practices around efficiency.
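As an added example, not from the original article or the SOPS project, here is the repository layout that practice implies: a `.sops.yaml` rule that encrypts only the `data` and `stringData` fields of files named `*.secret.yaml`, a plaintext Secret manifest as it is written but never committed, and the shape the same file takes after encryption. The age recipient key, the secret values, and the ciphertext shown with `...` are placeholders; a real encrypted file carries full base64 payloads. Note that the `data` field of a Secret is base64, which is an encoding and not encryption; writing the value into `stringData` and letting SOPS encrypt it is what actually protects it.

```yaml
# Added example (not from the original article). Key, values and
# ciphertext are placeholders.
#
# .sops.yaml at the repository root. encrypted_regex leaves apiVersion,
# kind and metadata readable for review and for kustomize/kubectl, while
# every value under data/stringData becomes ciphertext.
creation_rules:
  - path_regex: \.secret\.yaml$
    encrypted_regex: ^(data|stringData)$
    age: age1examplepublickey0000000000000000000000000000000000000000000000  # placeholder recipient
---
# db.secret.yaml as authored. Never commit it in this form.
apiVersion: v1
kind: Secret
metadata:
  name: inventory-db
  namespace: shop
type: Opaque
stringData:
  username: inventory
  password: correct-horse-battery-staple   # placeholder
---
# db.secret.yaml after `sops --encrypt --in-place db.secret.yaml`
# (abbreviated). Keys stay readable; values and the integrity MAC do not.
# Decrypt at deploy time without writing plaintext to disk:
#   sops --decrypt db.secret.yaml | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: inventory-db
  namespace: shop
type: Opaque
stringData:
  username: ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]
  password: ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]
sops:
  age:
    - recipient: age1examplepublickey0000000000000000000000000000000000000000000000
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        ...
        -----END AGE ENCRYPTED FILE-----
  encrypted_regex: ^(data|stringData)$
  lastmodified: "2024-01-01T00:00:00Z"
  mac: ENC[AES256_GCM,data:...,type:str]
  version: 3.8.1
```

The private half of the age key lives outside the repository (SOPS reads it from `SOPS_AGE_KEY_FILE` or `~/.config/sops/age/keys.txt`), so the single key that "unlocks" the repo is the one thing that must be distributed out of band. A cheap CI check that guards the practice is to fail any commit touching `*.secret.yaml` whose `data`/`stringData` values do not start with `ENC[`. Encryption in Git protects the repository only; inside the cluster the Secret still sits base64-encoded in etcd, which is a separate concern (encryption at rest) from the one this practice addresses.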
License
This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL).
Tags: Kubernetes, security, news, translation