Security concepts for applications and clusters in Azure Kubernetes Service (AKS)

Cluster security protects your customer data as you run application workloads in Azure Kubernetes Service (AKS).

Kubernetes includes security components, such as network policies and Secrets. Meanwhile, Azure includes components like network security groups and orchestrated cluster upgrades. AKS combines these security components to:

  • Keep your AKS cluster running the latest OS security updates and Kubernetes releases.
  • Provide secure pod traffic and access to sensitive credentials.

This article introduces the core concepts that secure your applications in AKS:

Master security

In AKS, the Kubernetes master components are part of the managed service provided, managed, and maintained by Azure. Each AKS cluster has its own single-tenanted, dedicated Kubernetes master to provide the API server, scheduler, etc.

By default, the Kubernetes API server uses a public IP address and a fully qualified domain name (FQDN). You can limit access to the API server endpoint using authorized IP ranges. You can also create a fully private cluster to limit API server access to your virtual network.

You can control access to the API server using Kubernetes role-based access control (Kubernetes RBAC) and Azure RBAC. For more information, see Azure AD integration with AKS.

Node security

AKS nodes are Azure virtual machines (VMs) that you manage and maintain.

  • Linux nodes run an optimized Ubuntu distribution using the containerd or Moby container runtime.
  • Windows Server nodes run an optimized Windows Server 2019 release using the containerd or Moby container runtime.

When an AKS cluster is created or scaled up, the nodes are automatically deployed with the latest OS security updates and configurations.

Note

AKS clusters using:

  • Kubernetes version 1.19 and greater use containerd as the container runtime for their node pools.
  • Kubernetes versions prior to v1.19 use Moby (upstream Docker) as the container runtime for their node pools.

Node security patches

Linux nodes

The Azure platform automatically applies OS security patches to Linux nodes on a nightly basis. If a Linux OS security update requires a host reboot, it won't automatically reboot. You can either:

  • Manually reboot the Linux nodes.
  • Use Kured, an open-source reboot daemon for Kubernetes. Kured runs as a DaemonSet and monitors each node for a file indicating that a reboot is required.

Reboots are managed across the cluster using the same cordon and drain process as a cluster upgrade.

Windows Server nodes

For Windows Server nodes, Windows Update doesn't automatically run and apply the latest updates. Schedule Windows Server node pool upgrades in your AKS cluster around the regular Windows Update release cycle and your own validation process. This upgrade process creates nodes that run the latest Windows Server image and patches, then removes the older nodes. For more information on this process, see Upgrade a node pool in AKS.

Node deployment

Nodes are deployed into a private virtual network subnet, with no public IP addresses assigned. For troubleshooting and management purposes, SSH is enabled by default and only accessible using the internal IP address.

Node storage

To provide storage, the nodes use Azure Managed Disks. For most VM node sizes, Azure Managed Disks are Premium disks backed by high-performance SSDs. The data stored on managed disks is automatically encrypted at rest within the Azure platform. To improve redundancy, Azure Managed Disks are securely replicated within the Azure datacenter.

Hostile multi-tenant workloads

Currently, Kubernetes environments aren't safe for hostile multi-tenant usage. Additional security features, such as Pod Security Policies or Kubernetes RBAC for nodes, efficiently block exploits. For true security when running hostile multi-tenant workloads, only trust a hypervisor. The security domain for Kubernetes becomes the entire cluster, not an individual node.

For these types of hostile multi-tenant workloads, you should use physically isolated clusters. For more information on ways to isolate workloads, see Best practices for cluster isolation in AKS.

Compute isolation

Because of compliance or regulatory requirements, certain workloads may require a high degree of isolation from other customer workloads. For these workloads, Azure provides isolated VMs to use as the agent nodes in an AKS cluster. These VMs are isolated to a specific hardware type and dedicated to a single customer.

Select one of the isolated VM sizes as the node size when creating an AKS cluster or adding a node pool.

Cluster upgrades

Azure provides upgrade orchestration tools to upgrade an AKS cluster and its components, maintain security and compliance, and access the latest features. This upgrade orchestration includes both the Kubernetes master and agent components.

To start the upgrade process, specify one of the listed available Kubernetes versions. Azure then safely cordons and drains each AKS node and performs the upgrade.

Cordon and drain

During the upgrade process, AKS nodes are individually cordoned from the cluster to prevent new pods from being scheduled on them. The nodes are then drained and upgraded as follows:

  1. A new node is deployed into the node pool.
    • This node runs the latest OS image and patches.
  2. One of the existing nodes is identified for upgrade.
  3. Pods on the identified node are gracefully terminated and scheduled on the other nodes in the node pool.
  4. The emptied node is deleted from the AKS cluster.
  5. Steps 1-4 are repeated until all nodes are successfully replaced as part of the upgrade process.

For more information, see Upgrade an AKS cluster.

Network security

For connectivity and security with on-premises networks, you can deploy your AKS cluster into existing Azure virtual network subnets. These virtual networks connect back to your on-premises network using Azure Site-to-Site VPN or ExpressRoute. Define Kubernetes ingress controllers with private, internal IP addresses to limit service access to the internal network connection.

Azure network security groups

To filter virtual network traffic flow, Azure uses network security group rules. These rules define the source and destination IP ranges, ports, and protocols allowed or denied access to resources. Default rules are created to allow TLS traffic to the Kubernetes API server. As you create services with load balancers, port mappings, or ingress routes, AKS automatically modifies the network security group for traffic flow.

If you provide your own subnet for your AKS cluster, do not modify the subnet-level network security group managed by AKS. Instead, create more subnet-level network security groups to modify the flow of traffic. Make sure they don't interfere with traffic necessary for managing the cluster, such as load balancer access, communication with the control plane, and egress.

Kubernetes network policy

To limit network traffic between pods in your cluster, AKS offers support for Kubernetes network policies. With network policies, you can allow or deny specific network paths within the cluster based on namespaces and label selectors.
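The namespace-and-label model described above, as an added example that is not part of the original article: a default-deny ingress policy for one namespace, followed by a policy that re-opens a single path to the database pods. The namespace (`payments`), labels (`app=db`, `app=api`, `team=frontend`) and port are constructed for illustration.

```yaml
# Added example; names and labels are constructed, not from the article.
# Policy 1: deny all inbound traffic to every pod in the "payments" namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: payments
spec:
  podSelector: {}        # empty selector matches every pod in the namespace
  policyTypes:
  - Ingress              # no ingress rules listed, so nothing inbound is allowed
---
# Policy 2: allow only app=api pods in the same namespace, plus any pod in a
# namespace labelled team=frontend, to reach app=db pods on TCP/5432.
# Policies are additive: this opens one path without weakening policy 1.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-db-from-api
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: db
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:           # same-namespace pods carrying app=api
        matchLabels:
          app: api
    - namespaceSelector:     # any pod in namespaces carrying team=frontend
        matchLabels:
          team: frontend
    ports:
    - protocol: TCP
      port: 5432
```

These objects are only enforced when the AKS cluster was created with a network policy engine enabled; without one they are accepted by the API server but have no effect.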

Kubernetes Secrets

With a Kubernetes Secret, you inject sensitive data into pods, such as access credentials or keys.

  1. Create a Secret using the Kubernetes API.
  2. Define your pod or deployment and request a specific Secret.
    • Secrets are only provided to nodes with a scheduled pod that requires them.
    • The Secret is stored in tmpfs, not written to disk.
  3. When you delete the last pod on a node requiring a Secret, the Secret is deleted from the node's tmpfs.
    • Secrets are stored within a given namespace and can only be accessed by pods within the same namespace.

Using Secrets reduces the sensitive information defined in the pod or service YAML manifest. Instead, you request the Secret stored in the Kubernetes API server as part of your YAML manifest. This approach only provides the specific pod access to the Secret.

Note

The raw Secret manifest files contain the secret data in base64 format (see the official documentation for more details). Treat these files as sensitive information, and never commit them to source control.

Kubernetes Secrets are stored in etcd, a distributed key-value store. The etcd store is fully managed by AKS, and its data is encrypted at rest within the Azure platform.
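The create-then-request flow above, as an added example that is not part of the original article: a Secret manifest (showing why the note calls the raw file sensitive, since base64 is an encoding and not encryption) and a pod that requests it through a read-only volume, which is what lands in the node's tmpfs. The names (`db-credentials`, `payments`, `api`), the credential values and the container image are constructed placeholders.

```yaml
# Added example; names, values and image are constructed placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
  namespace: payments       # only pods in "payments" can request this Secret
type: Opaque
data:
  # base64 of the constructed values "appuser" and "s3cr3t-example".
  # Anyone holding this file can decode them, hence: never commit it.
  username: YXBwdXNlcg==
  password: czNjcjN0LWV4YW1wbGU=
---
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: payments
spec:
  containers:
  - name: api
    image: example.azurecr.io/api:1.0   # placeholder image, replace with your own
    volumeMounts:
    - name: db-creds
      mountPath: /etc/db-credentials    # files appear as username and password
      readOnly: true
  volumes:
  - name: db-creds
    secret:
      secretName: db-credentials        # the API server only hands this to the
      defaultMode: 0400                 # node once this pod is scheduled there
```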

Next steps

To get started with securing your AKS clusters, see Upgrade an AKS cluster.

For associated best practices, see Best practices for cluster security and upgrades in AKS and Best practices for pod security in AKS.

For more information on core Kubernetes and AKS concepts, see: