Back to Details

kubernetes-security-policies

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Kubernetes Security Policies

Kubernetes安全策略

Comprehensive guidance for implementing security policies in Kubernetes clusters, covering Pod Security Standards, Network Policies, RBAC, Security Contexts, admission control, secrets management, and runtime security for production-grade hardened deployments.
为在Kubernetes集群中实施安全策略提供全面指导,涵盖Pod安全标准、网络策略、RBAC、安全上下文、准入控制、密钥管理以及用于生产级强化部署的运行时安全。

When to Use This Skill

何时使用此技能

  • Implementing Pod Security Standards (PSS/PSA) across namespaces
  • Designing and enforcing Network Policies for micro-segmentation
  • Configuring RBAC with least-privilege access control
  • Setting Security Contexts for container hardening
  • Deploying admission controllers (OPA/Gatekeeper, Kyverno)
  • Managing secrets and sensitive data securely
  • Implementing image security and vulnerability scanning
  • Enforcing runtime security policies and threat detection
  • Meeting compliance requirements (CIS, NIST, PCI-DSS, SOC2)
  • Conducting security audits and hardening assessments
  • 在所有命名空间中实施Pod Security Standards (PSS/PSA)
  • 设计并执行用于微分段的网络策略
  • 配置遵循最小权限原则的RBAC访问控制
  • 设置用于容器强化的安全上下文
  • 部署准入控制器(OPA/Gatekeeper、Kyverno)
  • 安全管理密钥和敏感数据
  • 实施镜像安全与漏洞扫描
  • 执行运行时安全策略与威胁检测
  • 满足合规要求(CIS、NIST、PCI-DSS、SOC2)
  • 开展安全审计与强化评估

Core Security Concepts

核心安全概念

Pod Security Standards (PSS): Three progressive security levels enforced via Pod Security Admission (PSA):
  • Privileged: Unrestricted (default)
  • Baseline: Prevents known privilege escalations
  • Restricted: Pod hardening best practices (production recommended)
Network Policies: Zero-trust micro-segmentation controlling pod-to-pod and pod-to-external traffic using label selectors and namespace isolation.
RBAC (Role-Based Access Control): Least-privilege access control using ServiceAccounts, Roles, RoleBindings for namespace-scoped permissions, and ClusterRoles for cluster-wide access.
Security Contexts: Container and pod-level security settings including user/group IDs, capabilities, seccomp profiles, and filesystem restrictions.
Admission Control: Policy enforcement at API admission time using OPA Gatekeeper (Rego) or Kyverno (YAML) to validate, mutate, or reject resources.
Secrets Management: External secret storage integration (Vault, AWS Secrets Manager, Sealed Secrets) instead of native Kubernetes secrets.
Image Security: Vulnerability scanning, signature verification, digest-based immutability, and private registry authentication.
Pod Security Standards (PSS): 通过Pod Security Admission (PSA)强制执行的三个递进安全级别:
  • **Privileged(特权级):**无限制(默认)
  • **Baseline(基线级):**防止已知的权限提升风险
  • **Restricted(限制级):**Pod强化最佳实践(推荐生产环境使用)
网络策略: 基于零信任的微分段,使用标签选择器和命名空间隔离控制Pod间及Pod与外部的流量。
RBAC(基于角色的访问控制): 遵循最小权限原则的访问控制,使用ServiceAccount、Role、RoleBinding实现命名空间级权限,ClusterRole实现集群级权限。
安全上下文: 容器和Pod级别的安全设置,包括用户/组ID、权限能力、seccomp配置文件和文件系统限制。
准入控制: 在API准入阶段执行策略,使用OPA Gatekeeper(Rego)或Kyverno(YAML)验证、修改或拒绝资源。
密钥管理: 集成外部密钥存储(Vault、AWS Secrets Manager、Sealed Secrets),替代原生Kubernetes密钥。
镜像安全: 漏洞扫描、签名验证、基于摘要的不可变性,以及私有镜像仓库认证。

Quick Reference

快速参考

TaskLoad reference
Pod Security Standards (PSS/PSA)
skills/kubernetes-security-policies/references/pod-security-standards.md
Network Policies
skills/kubernetes-security-policies/references/network-policies.md
RBAC (Roles, ServiceAccounts)
skills/kubernetes-security-policies/references/rbac.md
Security Contexts (capabilities, seccomp)
skills/kubernetes-security-policies/references/security-contexts.md
Admission Control (OPA, Kyverno)
skills/kubernetes-security-policies/references/admission-control.md
Secrets Management (Vault, ESO)
skills/kubernetes-security-policies/references/secrets-management.md
Image Security (scanning, signing)
skills/kubernetes-security-policies/references/image-security.md
Best Practices & Compliance
skills/kubernetes-security-policies/references/best-practices.md
任务参考文档路径
Pod Security Standards (PSS/PSA)
skills/kubernetes-security-policies/references/pod-security-standards.md
网络策略
skills/kubernetes-security-policies/references/network-policies.md
RBAC(角色、ServiceAccount)
skills/kubernetes-security-policies/references/rbac.md
安全上下文(权限能力、seccomp)
skills/kubernetes-security-policies/references/security-contexts.md
准入控制(OPA、Kyverno)
skills/kubernetes-security-policies/references/admission-control.md
密钥管理(Vault、ESO)
skills/kubernetes-security-policies/references/secrets-management.md
镜像安全(扫描、签名)
skills/kubernetes-security-policies/references/image-security.md
最佳实践与合规
skills/kubernetes-security-policies/references/best-practices.md

Security Implementation Workflow

安全实施工作流

Phase 1: Baseline Assessment

阶段1:基线评估

  1. Audit current security posture with kube-bench or kubescape
  2. Identify gaps against CIS Kubernetes Benchmark
  3. Document compliance requirements (PCI-DSS, NIST, SOC2)
  1. 使用kube-bench或kubescape审计当前安全状态
  2. 对照CIS Kubernetes基准识别差距
  3. 记录合规要求(PCI-DSS、NIST、SOC2)

Phase 2: Pod Security Standards

阶段2:Pod安全标准

  1. Enable PSA audit mode on all namespaces
  2. Identify violations using 
    kubectl get pods -A --show-labels
  3. Remediate workloads to meet baseline/restricted standards
  4. Progressively enforce: dev (warn) → staging (baseline) → prod (restricted)
  1. 在所有命名空间中启用PSA审计模式
  2. 使用
    kubectl get pods -A --show-labels
    识别违规项
  3. 修复工作负载以满足基线/限制级标准
  4. 逐步强制执行:开发环境(警告)→预发布环境(基线)→生产环境(限制级)

Phase 3: Network Segmentation

阶段3:网络分段

  1. Deploy default-deny NetworkPolicy to all namespaces
  2. Create explicit allow rules for required traffic flows
  3. Implement database isolation policies
  4. Add monitoring/observability exceptions
  1. 在所有命名空间中部署默认拒绝的网络策略
  2. 为所需流量创建明确的允许规则
  3. 实施数据库隔离策略
  4. 添加监控/可观测性例外规则

Phase 4: Access Control (RBAC)

阶段4:访问控制(RBAC)

  1. Audit existing RBAC with 
    kubectl auth can-i --list
  2. Create dedicated ServiceAccounts per application
  3. Define least-privilege Roles with specific resource/verb restrictions
  4. Disable 
    automountServiceAccountToken
    by default
  5. Minimize ClusterRole usage
  1. 使用
    kubectl auth can-i --list
    审计现有RBAC配置
  2. 为每个应用创建专用的ServiceAccount
  3. 定义具有特定资源/操作限制的最小权限Role
  4. 默认禁用
    automountServiceAccountToken
  5. 尽量减少ClusterRole的使用

Phase 5: Admission Control

阶段5:准入控制

  1. Choose policy engine: OPA Gatekeeper (Rego) or Kyverno (YAML)
  2. Implement validation policies: require labels, resource limits, non-root
  3. Add mutation policies: inject security contexts, sidecar containers
  4. Enforce image policies: disallow latest tag, require signatures
  1. 选择策略引擎:OPA Gatekeeper(Rego)或Kyverno(YAML)
  2. 实施验证策略:要求标签、资源限制、非根用户运行
  3. 添加修改策略:注入安全上下文、Sidecar容器
  4. 执行镜像策略:禁止使用latest标签、要求签名

Phase 6: Secrets Management

阶段6:密钥管理

  1. Deploy External Secrets Operator or Vault integration
  2. Migrate native Secrets to external secret stores
  3. Enable encryption at rest for etcd
  4. Implement secret rotation policies
  1. 部署External Secrets Operator或集成Vault
  2. 将原生Secrets迁移到外部密钥存储
  3. 为etcd启用静态加密
  4. 实施密钥轮换策略

Phase 7: Image Security

阶段7:镜像安全

  1. Integrate vulnerability scanning in CI/CD (Trivy, Snyk)
  2. Implement image signing with Sigstore/Cosign
  3. Enforce signature verification via admission control
  4. Use immutable image digests instead of tags
  1. 在CI/CD中集成漏洞扫描(Trivy、Snyk)
  2. 使用Sigstore/Cosign实施镜像签名
  3. 通过准入控制强制执行签名验证
  4. 使用不可变的镜像摘要替代标签

Phase 8: Runtime Security

阶段8:运行时安全

  1. Deploy Falco for runtime threat detection
  2. Enable Kubernetes audit logging
  3. Configure alerts for security events
  4. Implement intrusion detection policies
  1. 部署Falco用于运行时威胁检测
  2. 启用Kubernetes审计日志
  3. 配置安全事件告警
  4. 实施入侵检测策略

Common Mistakes

常见错误

Pod Security:
  • Running containers as root (always set 
    runAsNonRoot: true
    )
  • Using privileged containers (avoid unless absolutely necessary)
  • Writable root filesystem (set 
    readOnlyRootFilesystem: true
    )
  • Missing resource limits (required for restricted PSS)
Network Policies:
  • No default-deny policy (unrestricted pod-to-pod traffic)
  • Overly permissive egress rules (allow all external traffic)
  • Forgetting DNS egress (pods can't resolve names)
  • Missing monitoring/observability exceptions
RBAC:
  • Overly broad ClusterRole permissions (violates least privilege)
  • Sharing ServiceAccounts across applications
  • Using 
    *
    verbs or resources in Roles
  • Not auditing RBAC permissions regularly
Secrets:
  • Committing secrets to Git repositories
  • Using environment variables instead of mounted files
  • Relying on base64 encoding as encryption
  • No secret rotation policy
Admission Control:
  • Enforcing policies without audit phase first
  • Blocking kube-system namespace accidentally
  • No policy testing in staging environment
  • Missing exemptions for system components
Images:
  • Using 
    latest
    tag (not immutable, breaks reproducibility)
  • No vulnerability scanning in CI/CD
  • Unsigned images in production
  • Large base images (use distroless or Alpine)
Pod安全:
  • 以root用户运行容器(始终设置
    runAsNonRoot: true
  • 使用特权容器(除非绝对必要,否则避免)
  • 可写根文件系统(设置
    readOnlyRootFilesystem: true
  • 缺少资源限制(限制级PSS要求必须设置)
网络策略:
  • 未配置默认拒绝策略(Pod间流量不受限制)
  • 过于宽松的出口规则(允许所有外部流量)
  • 忘记DNS出口规则(Pod无法解析域名)
  • 缺少监控/可观测性例外规则
RBAC:
  • 过于宽泛的ClusterRole权限(违反最小权限原则)
  • 跨应用共享ServiceAccount
  • 在Role中使用
    *
    操作或资源
  • 未定期审计RBAC权限
密钥:
  • 将密钥提交到Git仓库
  • 使用环境变量而非挂载文件
  • 依赖base64编码作为加密手段
  • 未制定密钥轮换策略
准入控制:
  • 未经过审计阶段就直接强制执行策略
  • 意外阻止kube-system命名空间
  • 未在预发布环境中测试策略
  • 缺少针对系统组件的豁免规则
镜像:
  • 使用
    latest
    标签(不具备不可变性,破坏可重复性)
  • CI/CD中未集成漏洞扫描
  • 生产环境使用未签名的镜像
  • 使用大型基础镜像(推荐使用distroless或Alpine)

Resources

资源