Protect your Kubernetes workloads

This page describes how to use Azure Security Center's set of security recommendations dedicated to Kubernetes workload protection.

Learn more about these features in Workload protection best-practices using Kubernetes admission control.

Security Center offers more container security features if you enable Azure Defender.

Tip

For a list of all security recommendations that might appear for Kubernetes clusters and nodes, see the compute section of the recommendations reference table.

Availability

| Aspect | Details |
|---|---|
| Release state | General Availability (GA) |
| Pricing | Free |
| Required roles and permissions | Owner or Security admin to edit an assignment; Reader to view the recommendations |
| Environment requirements | Kubernetes v1.14 or higher; no PodSecurityPolicy resource (old PSP model) on the clusters; Windows nodes are not supported |
| Clouds | China cloud |

Set up your workload protection

Azure Security Center includes a bundle of recommendations that become available once you have installed the Azure Policy add-on for Kubernetes.

Step 1: Deploy the add-on

To configure the recommendations, install the Azure Policy add-on for Kubernetes.

  • You can auto-deploy this add-on as explained in Enable auto provisioning of the Log Analytics agent and extensions. When auto provisioning for the add-on is set to "On", the extension is enabled by default on all existing and future clusters that meet the add-on's installation requirements.

    [Screenshot: installing the Policy add-on for Kubernetes with Security Center's auto provisioning tool]

  • To deploy the add-on manually:

    1. From the recommendations page, search for the recommendation "Azure Policy add-on for Kubernetes should be installed and enabled on your clusters".

      [Screenshot: the recommendation "Azure Policy add-on for Kubernetes should be installed and enabled on your clusters"]

      Tip

      The recommendation appears in five different security controls; it doesn't matter which one you select in the next step.

    2. From any of the security controls, select the recommendation to see the resources on which you can install the add-on.

    3. Select the relevant cluster, and select Remediate.

      [Screenshot: recommendation details page for "Azure Policy add-on for Kubernetes should be installed and enabled on your clusters"]

Step 2: View and configure the bundle of 13 recommendations

  1. Approximately 30 minutes after the add-on installation completes, Security Center shows the clusters' health status for the following recommendations, each in the relevant security control as shown:

    Tip

    Some recommendations have parameters that must be customized via Azure Policy to be useful. For example, to benefit from the recommendation Container images should be deployed only from trusted registries, you have to define your trusted registries.

    If you don't enter the necessary parameters for the recommendations that require configuration, your workloads will be shown as unhealthy. Set these parameters before you switch an assignment to Deny, otherwise the same evaluation that marks workloads unhealthy will reject them at admission.

    | Recommendation name | Security control | Configuration required |
    |---|---|---|
    | Container CPU and memory limits should be enforced | Protect applications against DDoS attack | No |
    | Privileged containers should be avoided | Manage access and permissions | No |
    | Immutable (read-only) root filesystem should be enforced for containers | Manage access and permissions | No |
    | Container with privilege escalation should be avoided | Manage access and permissions | No |
    | Running containers as root user should be avoided | Manage access and permissions | No |
    | Containers sharing sensitive host namespaces should be avoided | Manage access and permissions | No |
    | Least privileged Linux capabilities should be enforced for containers | Manage access and permissions | Yes |
    | Usage of pod HostPath volume mounts should be restricted to a known list | Manage access and permissions | Yes |
    | Containers should listen on allowed ports only | Restrict unauthorized network access | Yes |
    | Services should listen on allowed ports only | Restrict unauthorized network access | Yes |
    | Usage of host networking and ports should be restricted | Restrict unauthorized network access | Yes |
    | Overriding or disabling of containers AppArmor profile should be restricted | Remediate security configurations | Yes |
    | Container images should be deployed only from trusted registries | Remediate vulnerabilities | Yes |
  2. To enforce any of the recommendations:

    1. Open the recommendation details page and select Deny:

      [Screenshot: the Deny option for Azure Policy parameters]

      This opens the pane where you set the scope.

    2. When you've set the scope, select Change to deny.

    Deny is applied by the admission controller when a pod is created or updated; pods that are already running are not evicted, they only keep being reported as unhealthy until they are redeployed.

  3. To see which recommendations apply to your clusters:

    1. Open Security Center's asset inventory page and set the resource type filter to Kubernetes services.

    2. Select a cluster to investigate and review the recommendations available for it.

  4. When viewing a recommendation from the workload protection set, you'll see the number of affected pods ("Kubernetes components") listed alongside the cluster. For a list of the specific pods, select the cluster and then select Take action.

    [Screenshot: viewing the affected pods for a Kubernetes recommendation]

  5. To test the enforcement, use the two Kubernetes deployments below:

    • One is a healthy deployment, compliant with the bundle of workload protection recommendations.
    • The other is an unhealthy deployment, non-compliant with the recommendations.

    Deploy the example .yaml files as-is, or use them as a reference to remediate your own workload.

Healthy deployment example .yaml file

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis-healthy-deployment
  labels:
    app: redis
spec:
  replicas: 3
  selector:
    matchLabels:
      app: redis
  template:
    metadata:
      labels:
        app: redis
      annotations:
        # AppArmor: keep the runtime default profile for the redis container
        container.apparmor.security.beta.kubernetes.io/redis: runtime/default
    spec:
      containers:
      - name: redis
        # Placeholder registry: must match the trusted registries you configured
        image: healthyClusterRegistry.azurecr.io/redis:latest
        ports:
        - containerPort: 80        # must be in the allowed container ports list
        resources:
          limits:                  # both CPU and memory limits are required
            cpu: 100m
            memory: 250Mi
        securityContext:
          privileged: false
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          runAsUser: 1000
---
apiVersion: v1
kind: Service
metadata:
  name: redis-healthy-service
spec:
  type: LoadBalancer
  selector:
    app: redis
  ports:
  - port: 80                       # must be in the allowed service ports list
    targetPort: 80
```

Unhealthy deployment example .yaml file

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-unhealthy-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      hostNetwork: true            # host networking and ports
      hostPID: true                # shared sensitive host namespace
      hostIPC: true                # shared sensitive host namespace
      containers:
      - name: nginx
        image: nginx:1.15.2        # not from a trusted registry; no CPU/memory limits set
        ports:
        - containerPort: 9001      # not in the allowed container ports list
          hostPort: 9001           # host networking and ports
        securityContext:
          privileged: true                 # privileged container
          readOnlyRootFilesystem: false    # writable root filesystem
          allowPrivilegeEscalation: true   # privilege escalation allowed
          runAsUser: 0                     # runs as root
          capabilities:
            add:
              - NET_ADMIN                  # capability outside the allowed list
        volumeMounts:
        - mountPath: /test-pd
          name: test-volume
          readOnly: true
      volumes:
      - name: test-volume
        hostPath:                  # hostPath not in the known list, even though mounted read-only
          # directory location on host
          path: /tmp
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-unhealthy-service
spec:
  type: LoadBalancer
  selector:
    app: nginx
  ports:
  - port: 6001                     # not in the allowed service ports list
    targetPort: 9001
```
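A Deny assignment rejects a non-compliant pod only when it reaches the API server, and the portal shows the result about half an hour later. A local pre-check that applies the same 13 rules, including the parameterized ones from the Step 2 tip (trusted registries, allowed container and service ports, hostPath allow list, allowed capabilities and AppArmor profiles), lets you test a manifest before applying it and shows how each parameter changes the verdict. This is an added example for this page, not Azure Security Center, Azure Policy or Gatekeeper code; it approximates the policies' logic rather than reproducing their Rego, and the parameter values and the dict-form manifests (mirroring the two YAML files above) are constructed for it.

```python
"""Local pre-admission check mirroring the 13 Kubernetes workload-protection rules.

Added example, not Azure Security Center, Azure Policy or Gatekeeper code. Manifests
are plain dicts mirroring the page's two YAML files, so this runs without PyYAML or
a cluster; the parameter values below are constructed for the demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyParams:
    """Values for the recommendations marked 'Configuration required: Yes'."""
    trusted_registries: tuple = ("healthyClusterRegistry.azurecr.io/",)
    allowed_container_ports: frozenset = frozenset({80})
    allowed_service_ports: frozenset = frozenset({80})
    allowed_host_paths: tuple = ()                 # empty: no hostPath volume allowed
    allowed_capabilities: frozenset = frozenset()  # empty: no capability may be added
    allowed_apparmor_profiles: frozenset = frozenset({"runtime/default"})


def _host_path_allowed(path, allowed):
    return any(path == a or path.startswith(a.rstrip("/") + "/") for a in allowed)


def check_deployment(deploy, params=PolicyParams()):
    """Return the recommendations the Deployment's pod template violates, deduplicated."""
    tmpl = deploy["spec"]["template"]
    pod = tmpl["spec"]
    annotations = tmpl.get("metadata", {}).get("annotations", {})
    found = []
    if pod.get("hostNetwork"):
        found.append("Usage of host networking and ports should be restricted")
    if pod.get("hostPID") or pod.get("hostIPC"):
        found.append("Containers sharing sensitive host namespaces should be avoided")
    for vol in pod.get("volumes", []):
        if "hostPath" in vol and not _host_path_allowed(vol["hostPath"]["path"], params.allowed_host_paths):
            found.append("Usage of pod HostPath volume mounts should be restricted to a known list")
    for c in pod["containers"]:
        sc = c.get("securityContext", {})
        limits = c.get("resources", {}).get("limits", {})
        if not ("cpu" in limits and "memory" in limits):
            found.append("Container CPU and memory limits should be enforced")
        if sc.get("privileged"):
            found.append("Privileged containers should be avoided")
        if not sc.get("readOnlyRootFilesystem"):
            found.append("Immutable (read-only) root filesystem should be enforced for containers")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes defaults this to true
            found.append("Container with privilege escalation should be avoided")
        # Root is the default user; only an explicit non-root setting proves otherwise.
        if sc.get("runAsUser") == 0 or not (sc.get("runAsNonRoot") or sc.get("runAsUser", 0) > 0):
            found.append("Running containers as root user should be avoided")
        if set(sc.get("capabilities", {}).get("add", [])) - params.allowed_capabilities:
            found.append("Least privileged Linux capabilities should be enforced for containers")
        for p in c.get("ports", []):
            if p["containerPort"] not in params.allowed_container_ports:
                found.append("Containers should listen on allowed ports only")
            if "hostPort" in p:
                found.append("Usage of host networking and ports should be restricted")
        # No annotation is treated as the runtime default profile, as the Gatekeeper
        # library's AppArmor template does.
        key = f"container.apparmor.security.beta.kubernetes.io/{c['name']}"
        if annotations.get(key, "runtime/default") not in params.allowed_apparmor_profiles:
            found.append("Overriding or disabling of containers AppArmor profile should be restricted")
        if not c["image"].startswith(params.trusted_registries):
            found.append("Container images should be deployed only from trusted registries")
    return list(dict.fromkeys(found))


def check_service(svc, params=PolicyParams()):
    """Only one recommendation applies to Services: the allowed service ports list."""
    bad = [p for p in svc["spec"]["ports"] if p["port"] not in params.allowed_service_ports]
    return ["Services should listen on allowed ports only"] if bad else []


# Constructed inputs mirroring the page's healthy and unhealthy example manifests.
HEALTHY_DEPLOYMENT = {"spec": {"template": {
    "metadata": {"annotations": {
        "container.apparmor.security.beta.kubernetes.io/redis": "runtime/default"}},
    "spec": {"containers": [{
        "name": "redis", "image": "healthyClusterRegistry.azurecr.io/redis:latest",
        "ports": [{"containerPort": 80}],
        "resources": {"limits": {"cpu": "100m", "memory": "250Mi"}},
        "securityContext": {"privileged": False, "readOnlyRootFilesystem": True,
                            "allowPrivilegeEscalation": False,
                            "runAsNonRoot": True, "runAsUser": 1000}}]}}}}
UNHEALTHY_DEPLOYMENT = {"spec": {"template": {"metadata": {}, "spec": {
    "hostNetwork": True, "hostPID": True, "hostIPC": True,
    "containers": [{
        "name": "nginx", "image": "nginx:1.15.2",
        "ports": [{"containerPort": 9001, "hostPort": 9001}],
        "securityContext": {"privileged": True, "readOnlyRootFilesystem": False,
                            "allowPrivilegeEscalation": True, "runAsUser": 0,
                            "capabilities": {"add": ["NET_ADMIN"]}}}],
    "volumes": [{"name": "test-volume", "hostPath": {"path": "/tmp"}}]}}}}
HEALTHY_SERVICE = {"spec": {"ports": [{"port": 80, "targetPort": 80}]}}
UNHEALTHY_SERVICE = {"spec": {"ports": [{"port": 6001, "targetPort": 9001}]}}

if __name__ == "__main__":
    for name, dep, svc in (("healthy", HEALTHY_DEPLOYMENT, HEALTHY_SERVICE),
                           ("unhealthy", UNHEALTHY_DEPLOYMENT, UNHEALTHY_SERVICE)):
        findings = check_deployment(dep) + check_service(svc)
        print(f"{name}: {len(findings)} rule(s) would deny admission")
        for f in findings:
            print("  DENY ", f)
```

Run as-is, the redis manifests produce no findings and the nginx Deployment produces 11 plus one for its Service; the only rule the nginx pod passes is the AppArmor one, because it sets no AppArmor annotation and the default profile is allowed. Passing `PolicyParams(allowed_host_paths=("/tmp",))` removes the hostPath finding, which is the effect of configuring that parameter on the Azure Policy assignment.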

Next steps

In this article, you learned how to configure Kubernetes workload protection.

For other related material, see the following pages: