Kubernetes CKS 安全专家认证5 大核心模块实战演练与 CIS 基准检查1. 监控、日志记录和运行时安全模块深度解析作为CKS认证中权重20%的核心模块监控、日志记录和运行时安全是保障Kubernetes集群安全的关键防线。这一模块要求工程师能够实施行为分析检测恶意活动通过审计日志监控访问行为确保容器运行时不可变性识别多层次的威胁向量Falco配置示例apiVersion: apps/v1 kind: DaemonSet metadata: name: falco spec: selector: matchLabels: app: falco template: metadata: labels: app: falco spec: hostNetwork: true containers: - name: falco image: falcosecurity/falco:latest securityContext: privileged: true volumeMounts: - mountPath: /var/run/docker.sock name: docker-socket - mountPath: /dev name: dev-fs - mountPath: /proc name: proc-fs readOnly: true volumes: - name: docker-socket hostPath: path: /var/run/docker.sock - name: dev-fs hostPath: path: /dev - name: proc-fs hostPath: path: /proc提示Falco默认规则集位于/etc/falco/falco_rules.yaml建议根据实际环境定制规则2. CIS Kubernetes基准检查实战CIS基准提供了Kubernetes安全配置的最佳实践标准。使用kube-bench进行自动化检查检查与修复流程下载并运行kube-benchdocker run --rm --pidhost -v /etc:/etc:ro -v /var:/var:ro -t aquasec/kube-bench:latest run --targetsmaster,node典型修复操作示例针对kube-apiserver# 修改/etc/kubernetes/manifests/kube-apiserver.yaml - --authorization-modeNode,RBAC - --enable-admission-pluginsNodeRestriction - --audit-log-path/var/log/apiserver/audit.log - --audit-log-maxage30 - --audit-log-maxbackup3重启服务systemctl restart kubelet关键检查项对照表检查项安全等级修复命令/配置1.2.1 确保--anonymous-auth设置为false高危--anonymous-authfalse1.2.6 确保--kubelet-https设置为true中危--kubelet-httpstrue4.2.1 确保使用最小权限的PSP高危创建限制性PSP并绑定3. 容器运行时安全加固Trivy镜像扫描实战# 扫描本地镜像 trivy image --severity HIGH,CRITICAL nginx:latest # 集成到CI/CD流水线 trivy image --exit-code 1 --severity CRITICAL --ignore-unfixed myapp:${BUILD_NUMBER}gVisor沙箱容器配置apiVersion: node.k8s.io/v1 kind: RuntimeClass metadata: name: gvisor handler: runsc --- apiVersion: v1 kind: Pod metadata: name: sandbox-pod spec: runtimeClassName: gvisor containers: - name: nginx image: nginx注意沙箱容器会增加约20%的性能开销建议仅对多租户场景中的不可信负载使用4. Pod安全策略(PSP)与安全上下文PSP配置案例apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: restricted spec: privileged: false allowPrivilegeEscalation: false requiredDropCapabilities: - NET_RAW - ALL volumes: - configMap - emptyDir - projected - secret - downwardAPI - persistentVolumeClaim hostNetwork: false hostIPC: false hostPID: false runAsUser: rule: MustRunAsNonRoot seLinux: rule: RunAsAny supplementalGroups: rule: MustRunAs ranges: - min: 1 max: 65535 fsGroup: rule: MustRunAs ranges: - min: 1 max: 65535安全上下文最佳实践securityContext: runAsNonRoot: true runAsUser: 1000 runAsGroup: 3000 fsGroup: 2000 capabilities: drop: - ALL add: - NET_BIND_SERVICE seccompProfile: type: RuntimeDefault allowPrivilegeEscalation: false readOnlyRootFilesystem: true5. 网络策略与零信任架构网络策略配置模板apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: frontend-policy spec: podSelector: matchLabels: role: frontend policyTypes: - Ingress - Egress ingress: - from: - podSelector: matchLabels: role: backend ports: - protocol: TCP port: 80 egress: - to: - podSelector: matchLabels: role: db ports: - protocol: TCP port: 3306 - to: - ipBlock: cidr: 8.8.8.8/32 ports: - protocol: UDP port: 53关键网络隔离策略默认拒绝所有流量白名单模式按业务微服务划分安全域控制Pod到外部的出口流量限制节点间不必要的通信实施服务网格级别的mTLS加密在实际项目中建议结合Istio或Cilium实现更细粒度的网络控制。例如CiliumNetworkPolicy支持L7规则apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: name: http-ingress spec: endpointSelector: matchLabels: app: web ingress: - fromEndpoints: - matchLabels: app: client toPorts: - ports: - port: 80 protocol: TCP rules: http: - method: GET path: /api/v1/*