一、容器安全概述容器安全是云原生安全的基础安全层次镜像安全运行时安全网络安全供应链安全二、镜像安全1. 镜像扫描# Trivy扫描trivy image myapp:latest# Clair扫描clairctl analyze-lmyapp:latest# Docker扫描dockerscan myapp:latest2. 最小化基础镜像# ❌ 不推荐 FROM ubuntu:20.04 RUN apt-get update apt-get install -y python3 # ✅ 推荐 FROM python:3.11-slim # ✅ 最佳 FROM gcr.io/distroless/python:3.113. 安全构建# 使用非root用户 FROM node:18-alpine RUN addgroup -g 1001 appgroup \ adduser -u 1001 -G appgroup -s /bin/sh -D appuser USER appuser # 多阶段构建 FROM node:18 AS builder WORKDIR /app COPY package*.json ./ RUN npm ci COPY . . RUN npm run build FROM node:18-alpine WORKDIR /app COPY --frombuilder /app/dist ./dist COPY --frombuilder /app/node_modules ./node_modules USER node三、运行时安全1. Pod安全策略apiVersion:policy/v1beta1kind:PodSecurityPolicymetadata:name:restrictedspec:privileged:falseallowPrivilegeEscalation:falserequiredDropCapabilities:-ALLvolumes:-configMap-emptyDir-projected-secret-downwardAPI-persistentVolumeClaimrunAsUser:rule:MustRunAsNonRootseLinux:rule:RunAsAnyfsGroup:rule:RunAsAny2. 安全上下文apiVersion:v1kind:Podmetadata:name:secure-podspec:securityContext:runAsNonRoot:truerunAsUser:10000runAsGroup:10000fsGroup:10000containers:-name:appimage:myapp:latestsecurityContext:allowPrivilegeEscalation:falsereadOnlyRootFilesystem:truecapabilities:drop:-ALL四、网络安全1. 网络策略apiVersion:networking.k8s.io/v1kind:NetworkPolicymetadata:name:default-denyspec:podSelector:{}policyTypes:-Ingress-Egress---apiVersion:networking.k8s.io/v1kind:NetworkPolicymetadata:name:allow-frontendspec:podSelector:matchLabels:app:frontendpolicyTypes:-Ingressingress:-from:-podSelector:matchLabels:app:nginx-ingressports:-protocol:TCPport:802. 服务网格安全apiVersion:security.istio.io/v1beta1kind:PeerAuthenticationmetadata:name:defaultspec:mtls:mode:STRICT五、密钥管理1. Secret管理apiVersion:v1kind:Secretmetadata:name:db-credentialstype:OpaquestringData:username:adminpassword:${DB_PASSWORD}2. 外部密钥管理# 使用SealedSecretapiVersion:bitnami.com/v1alpha1kind:SealedSecretmetadata:name:db-credentialsspec:encryptedData:username:AgBy...password:AgBy...六、供应链安全1. 签名验证# Cosign签名cosign sign myapp:latest# 验证镜像cosign verify myapp:latest2. 准入控制apiVersion:admissionregistration.k8s.io/v1kind:ValidatingWebhookConfigurationmetadata:name:image-validatorwebhooks:-name:validate-images.example.comrules:-apiGroups:[]apiVersions:[v1]operations:[CREATE,UPDATE]resources:[pods]clientConfig:service:name:image-validatornamespace:defaultcaBundle:LS0t...admissionReviewVersions:[v1]sideEffects:NonefailurePolicy:Reject七、监控与审计1. 审计日志# kube-apiserver配置--audit-policy-file/etc/kubernetes/audit-policy.yaml--audit-log-path/var/log/kubernetes/audit.log# audit-policy.yamlapiVersion:audit.k8s.io/v1kind:Policyrules:-level:RequestResponseresources:-group:resources:[pods,secrets]-level:Metadataresources:-group:appsresources:[deployments]2. 运行时监控apiVersion:security.datadoghq.com/v1kind:RuntimeSecurityPolicymetadata:name:runtime-policyspec:meta:runtimeType:syscallrules:-name:spawn_shellcondition:evt.type exec evt.argv[0] /bin/shaction:type:block八、总结容器安全最佳实践镜像最小化、定期扫描运行时安全上下文、PSP网络NetworkPolicy供应链签名、准入个人观点仅供参考