Image security → Runtime security → Network security → Host security
```dockerfile
# Bad practice
FROM ubuntu:latest
# -> ships hundreds of unneeded packages: large attack surface

# Recommended (pick one base image; Dockerfile comments must sit on their own line)
# Empty image, for statically compiled Go binaries
FROM scratch
# About 5 MB
FROM alpine:3.19
# JRE only, no shell
FROM gcr.io/distroless/java

# Create an unprivileged user (BusyBox/Alpine syntax) and run as it
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
USER appuser
```
```bash
# Trivy: vulnerability scanning
trivy image myapp:latest
trivy image --severity HIGH,CRITICAL myapp:latest

# Docker Scout
docker scout quickview myapp:latest
```
```yaml
spec:
  containers:
  - name: app
    securityContext:
      runAsNonRoot: true
      runAsUser: 1000
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
        add:
        - NET_BIND_SERVICE  # keep only the ability to bind privileged ports
```
Pod Security Standards levels:

| Level | Description |
|---|---|
| Privileged | Unrestricted (avoid where possible) |
| Baseline | Blocks known privilege escalations |
| Restricted | Most restrictive; follows current hardening best practices |
```yaml
# Load a custom seccomp profile for the container named "app" (annotation form)
annotations:
  container.seccomp.security.alpha.kubernetes.io/app: localhost/myprofile.json
```
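The securityContext block, the Pod Security Standards table and the seccomp setting above all describe fields that the Restricted level requires. The checker below is an added example, not code from the original cheat sheet: it takes a pod manifest as a plain dict (what `yaml.safe_load` would return) and lists every Restricted-profile rule it breaks, so the same fields can be enforced in CI before a manifest reaches the cluster. Both manifests are constructed for the example; the hardened one mirrors the securityContext above but carries seccomp as `securityContext.seccompProfile`, the form that replaced the `container.seccomp.security.alpha.kubernetes.io/...` annotation on current Kubernetes releases. Only a subset of the Restricted rules is implemented.

```python
"""Minimal Pod Security Standards "Restricted" checker (added example)."""

# Constructed: the cheat sheet's hardened container plus a seccomp profile.
HARDENED_POD = {
    "spec": {
        "containers": [
            {
                "name": "app",
                "securityContext": {
                    "runAsNonRoot": True,
                    "runAsUser": 1000,
                    "allowPrivilegeEscalation": False,
                    "readOnlyRootFilesystem": True,
                    "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
                    "seccompProfile": {"type": "RuntimeDefault"},
                },
            }
        ]
    }
}

# Constructed: a typical pod with no securityContext at all.
DEFAULT_POD = {"spec": {"containers": [{"name": "app", "image": "myapp:latest"}]}}


def check_restricted(pod: dict) -> list[str]:
    """Return the Restricted-profile violations found (empty list = compliant).

    Rules covered (a subset of the Restricted profile):
      - hostPID / hostIPC / hostNetwork must not be set
      - privileged containers are forbidden
      - allowPrivilegeEscalation must be explicitly false
      - capabilities must drop ALL and add at most NET_BIND_SERVICE
      - runAsNonRoot must be true (container level, else pod level) and runAsUser != 0
      - seccompProfile.type must be RuntimeDefault or Localhost
    """
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    problems: list[str] = []

    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(flag):
            problems.append(f"pod: {flag} must not be set")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})

        if sc.get("privileged"):
            problems.append(f"{name}: privileged containers are not allowed")
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be false")

        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            problems.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
        if extra:
            problems.append(f"{name}: capabilities.add not allowed: {sorted(extra)}")

        # A container-level value overrides the pod-level one.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append(f"{name}: runAsNonRoot must be true")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            problems.append(f"{name}: runAsUser must not be 0")

        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            problems.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")

    return problems


if __name__ == "__main__":
    for label, pod in (("hardened", HARDENED_POD), ("default", DEFAULT_POD)):
        issues = check_restricted(pod)
        print(f"{label}: {'compliant' if not issues else 'violations'}")
        for issue in issues:
            print("  -", issue)
```

Running it reports the hardened pod as compliant and lists four violations for the default pod (privilege escalation, capabilities, runAsNonRoot, seccomp); `readOnlyRootFilesystem` is not a Restricted-level requirement, which is why the checker does not test it even though the cheat sheet rightly recommends it.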
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
```
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-ingress
spec:
  podSelector:
    matchLabels:
      app: database
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: backend
    ports:
    - port: 5432
```
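The policy above is named `deny-ingress`, but what it actually does is subtler: selecting the `app: database` pods with a policy of type Ingress makes them deny all ingress by default, and the single rule then re-allows `app: backend` on port 5432 only. Pods that no policy selects are not restricted at all. The evaluator below is an added example, not code from the original cheat sheet; it models those ingress semantics for podSelector peers and numeric ports within one namespace (no namespaceSelector, ipBlock, named ports or endPort), and the policy and pod labels are constructed to mirror the manifest above.

```python
"""Evaluate NetworkPolicy ingress rules against candidate connections (added example)."""

# Constructed: the cheat sheet's deny-ingress policy as yaml.safe_load would return it.
DENY_INGRESS = {
    "metadata": {"name": "deny-ingress"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "database"}},
        "policyTypes": ["Ingress"],
        "ingress": [
            {
                "from": [{"podSelector": {"matchLabels": {"app": "backend"}}}],
                "ports": [{"port": 5432}],
            }
        ],
    },
}


def selector_matches(selector: dict, labels: dict) -> bool:
    """matchLabels semantics: every listed key/value must be present; {} selects all."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def ingress_allowed(policies: list[dict], src_labels: dict, dst_labels: dict,
                    port: int, protocol: str = "TCP") -> bool:
    """Return True if a connection from src to dst:port is allowed by the policies.

    Assumes all pods share one namespace and that only podSelector peers and
    numeric ports are used (a deliberate simplification of the real semantics).
    """
    # A policy applies to the destination only if it selects it and covers Ingress.
    selecting = [
        p for p in policies
        if "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and selector_matches(p["spec"].get("podSelector", {}), dst_labels)
    ]
    if not selecting:
        return True  # nothing selects the destination: default allow

    # Once selected, traffic must match some rule of some selecting policy.
    for p in selecting:
        for rule in p["spec"].get("ingress", []):
            peers, ports = rule.get("from"), rule.get("ports")
            # An absent `from` means any source; an absent `ports` means any port.
            peer_ok = peers is None or any(
                selector_matches(peer["podSelector"], src_labels)
                for peer in peers if "podSelector" in peer
            )
            port_ok = ports is None or any(
                pr.get("port") == port and pr.get("protocol", "TCP") == protocol
                for pr in ports
            )
            if peer_ok and port_ok:
                return True
    return False


if __name__ == "__main__":
    cases = [
        ({"app": "backend"}, {"app": "database"}, 5432),   # allowed by the rule
        ({"app": "frontend"}, {"app": "database"}, 5432),  # wrong source: denied
        ({"app": "backend"}, {"app": "database"}, 22),     # wrong port: denied
        ({"app": "frontend"}, {"app": "cache"}, 6379),     # unselected pod: allowed
    ]
    for src, dst, port in cases:
        verdict = "ALLOW" if ingress_allowed([DENY_INGRESS], src, dst, port) else "DENY"
        print(f"{src['app']} -> {dst['app']}:{port}  {verdict}")
```

The fourth case is the one to remember: the `cache` pod is reachable from anywhere because no policy selects it. To get namespace-wide default deny, add a policy with an empty `podSelector: {}` and `policyTypes: [Ingress]` and no ingress rules, then open specific paths as above.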
```bash
# kube-apiserver flags: enable audit logging and point it at an audit policy
# Record metadata for every request, for after-the-fact investigation
--audit-log-path=/var/log/k8s-audit.log
--audit-policy-file=/etc/kubernetes/audit-policy.yaml
```
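The audit log written to `--audit-log-path` is one JSON `audit.k8s.io/v1` Event per line; at the Metadata level each event carries the user, verb, target object, response code and source IP but no request body. The script below is an added example, not code from the original cheat sheet: it reads such lines and pulls out the events a responder usually wants first (secret reads, `pods/exec` and similar subresources, RBAC writes, and denied requests). The sample log lines are constructed for the example, and only the `ResponseComplete` stage is counted so that policies which also emit the `RequestReceived` stage do not produce duplicates.

```python
"""Triage kube-apiserver audit log lines for sensitive API activity (added example)."""
import json
from collections import Counter

SENSITIVE_RBAC = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
EXEC_SUBRESOURCES = {"exec", "attach", "portforward"}


def _event(verb, user, resource, ns, name="", sub=None, code=200,
           ts="2024-01-01T10:00:00Z"):
    """Build one constructed Metadata-level audit.k8s.io/v1 Event line."""
    ev = {
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
        "stage": "ResponseComplete", "verb": verb,
        "user": {"username": user},
        "objectRef": {"resource": resource, "namespace": ns, "name": name},
        "responseStatus": {"code": code},
        "sourceIPs": ["10.0.0.5"], "requestReceivedTimestamp": ts,
    }
    if sub:
        ev["objectRef"]["subresource"] = sub
    return json.dumps(ev)


# Constructed sample log: one benign read, four events worth a look, one corrupt line.
SAMPLE_AUDIT_LOG = "\n".join([
    _event("get", "system:serviceaccount:default:app", "pods", "default", "app-1"),
    _event("list", "system:serviceaccount:default:app", "secrets", "kube-system"),
    _event("create", "alice", "pods", "default", "app-1", sub="exec"),
    _event("create", "bob", "clusterrolebindings", "", "bob-admin"),
    _event("get", "system:anonymous", "secrets", "default", "db-password", code=403),
    "not json at all",
])


def triage(log_text: str) -> list[dict]:
    """Return one finding per (event, reason) pair; unparseable lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(ev, dict) or ev.get("kind") != "Event":
            continue
        if ev.get("stage") != "ResponseComplete":
            continue  # count each request once, at completion
        ref = ev.get("objectRef", {})
        verb, resource, sub = ev.get("verb", ""), ref.get("resource", ""), ref.get("subresource")
        code = ev.get("responseStatus", {}).get("code", 0)

        reasons = []
        if resource == "secrets" and verb in ("get", "list", "watch"):
            reasons.append("secret read")
        if resource == "pods" and sub in EXEC_SUBRESOURCES:
            reasons.append("pod exec/attach")
        if resource in SENSITIVE_RBAC and verb in WRITE_VERBS:
            reasons.append("rbac change")
        if code in (401, 403):
            reasons.append("denied request")

        for reason in reasons:
            findings.append({
                "reason": reason,
                "user": ev.get("user", {}).get("username", "?"),
                "verb": verb, "resource": resource, "subresource": sub,
                "namespace": ref.get("namespace", ""), "name": ref.get("name", ""),
                "code": code, "time": ev.get("requestReceivedTimestamp", ""),
            })
    return findings


def summarize(findings: list[dict]) -> Counter:
    """Count findings by reason, for a quick overview before reading individual rows."""
    return Counter(f["reason"] for f in findings)


if __name__ == "__main__":
    found = triage(SAMPLE_AUDIT_LOG)
    print(dict(summarize(found)))
    for f in found:
        print(f"{f['time']} {f['reason']:16} {f['user']} {f['verb']} "
              f"{f['resource']}{'/' + f['subresource'] if f['subresource'] else ''} "
              f"{f['namespace']}/{f['name']} -> {f['code']}")
```

The benign pod read from the service account produces nothing, while the anonymous secret read yields two findings (a secret read and a denied request). In practice the rules would be tuned to the cluster: a backup operator legitimately lists secrets, so filtering by `user.username` against an allow-list is the usual next step, and the level in the audit policy decides whether request bodies are available for deeper inspection.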