云原生安全:零信任架构与服务网格安全 零信任架构 核心原则 永不信任,始终验证 身份认证 mTLS 双向认证 服务账户 OIDC 集成 网络安全 网络策略 白名单模式 Egress 控制 应用安全 容器安全 最小权限 只读根文件系统 安全镜像 安全扫描 服务网格安全 授权策略 基于角色的访问控制 服务间 mTLS 流量镜像 安装 Falco kubectl apply -f https://raw.githubusercontent.com/falcosec/falco/latest/falco.
永不信任,始终验证
# 每个请求都必须经过认证 # 即使来自内部网络
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: default spec: mtls: mode: STRICT # 强制 mTLS
apiVersion: v1 kind: ServiceAccount metadata: name: my-app --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: pod-reader rules: - apiGroups: [\"apps\", \"extensions\"] resources: [\"pods\", \"pods/log\"] verbs: [\"get\", \"list\"]
apiVersion: security.istio.io/v1beta1 kind: RequestAuthentication metadata: name: oidc spec: jwtRules: - issuer: \"https://keycloak.example.com/auth/realms/master\"
apiVersion: networking.` kind: NetworkPolicy metadata: name: deny-all spec: podSelector: {} policyTypes: - Ingress ingress: - from: - namespace: \"*\" source: namespaces: [\"kube-system\"] \"message\": \"所有的 ingress 流量都被拒绝\"
apiVersion: networking.istio.io/v1beta1 kind: NetworkPolicy metadata: name: ingress-whitelist spec: podSelector: {} policyTypes: - Ingress ingress: - from: - namespace: \"prod\" - source: namespaces: [\"prod\", \"kube-system\"] \"message\": \"只允许特定命名空间的流量\"
apiVersion: networking.istio.io/v1beta1 kind: NetworkPolicy metadata: name: egress-policy spec: podSelector: {} policyTypes: - Egress egress: - to: - namespace: \"external\" ports: - number: 443 protocol: TCP \"message\": \"只允许访问外部 HTTPS\"
# Security Context securityContext: runAsUser: 1000 # 非 root 用户 runAsGroup: 3000 # 非 root 组 readOnlyRootFilesystem: true capabilities: drop: - ALL add: - NET_BIND_SERVICE CHOWN SETGID SETUID privileged: false
securityContext: readOnlyRootFilesystem: true
# 使用官方基础镜像 FROM python:3.11-slim # 非 root 用户运行 RUN groupadd -r appuser && useradd -r -g appuser appuser USER appuser # 只读文件系统 RUN chmod 444 /app /app
# 使用 Trivy 扫描镜像 trivy image nginx:1.24 # 使用 Grypek 检查漏洞 grypek scan --login username:password \ --severity medium,high,critical \ --show-vuln \ python:trivy-image-offensive --token trivy-img.yaml
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: ingress-policy spec: selector: matchLabels: app: api rules: - from: source: namespaces: [\"test\"] to: - operation: - methods: [\"GET\", \"POST\"] operation: - paths: [\"/api/public/*\"]
# 强制所有服务间 mTLS apiVersion: security.istio.io/v1beta1 kind: \"PeerAuthentication\" metadata: name: default spec: mtls: mode: STRICT
kubectl apply -f https://raw.githubusercontent.com/falcosec/falco/latest/falco.yaml
kubectl falcoctl allow all
## 密钥管理 ### 1. Secrets 管理 ```yaml # Secret 示例 apiVersion: v1 kind: Secret metadata: name: database-credentials type: Opaque stringData: username: dXNlcmFtYW5k password: cGFzd29kZCg== # base64 编码
# 使用 Vault helm install vault # 存储数据库密码 vault kv put secret/database password \"secure-password\" # 生成临时证书 vault secrets enable -path=postgres-cred
apiVersion: audit-policy kind: AuditPolicy apiVersion: audit-policy/v1 rules: - level: RequestResponse verbs: [\"create\", \"update\", \"delete\"] resources: - \"pods\" - \"secrets\" \"\"configmaps\"
# Envoy 配置 containers: - name: istio-proxy env: - PILOT_ENABLE_AUDIT_LOGGING: \"true\"
# 查看审计日志 kubectl logs -l -n istio-proxy -c istio-proxy -n app=app # 使用 EFK 收集日志 kubectl apply -f https://raw.githubusercontent.com/fluentd/fluent-bit-twelve/rafiki
检测异常流量模式、频繁的 404、异常 User-Agent 等。
基于机器学习检测 SQL 注入、XSS、目录遍历等攻击。
云原生安全关键:
构建安全的云原生应用!"