#网络安全策略
本指南演示如何配置 Kyverno 以强制执行网络安全策略,控制容器的网络访问并防止基于网络的攻击。
#目录
#什么是网络安全?
网络安全涉及控制容器如何访问和交互网络资源。适当的网络安全可以防止:
- 主机网络访问:容器访问主机网络接口
- 通过网络的权限提升:利用网络访问获得提升权限
- 端口扫描和侦察:未经授权的网络发现活动
- 横向移动:容器访问非预期的网络资源
- 数据外泄:未经授权的网络通信
#快速开始
#1. 禁止主机网络访问
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-host-network
annotations:
policies.kyverno.io/title: Disallow Host Network
policies.kyverno.io/category: Pod Security Standards (Baseline)
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Access to the host network allows potential snooping of network traffic and should not be allowed.
spec:
validationFailureAction: Enforce
background: true
rules:
- name: host-network
match:
any:
- resources:
kinds:
- Pod
validate:
message: >-
Use of host network is disallowed. The field spec.hostNetwork must be unset or set to false.
pattern:
spec:
=(hostNetwork): "false"#2. 测试策略
# 应用策略
kubectl apply -f disallow-host-network.yaml
# 尝试创建使用主机网络的 pod(应失败)
kubectl run test-hostnet --image=nginx --overrides='{"spec":{"hostNetwork":true}}'
# 尝试创建普通 pod(应成功)
kubectl run test-normal --image=nginx#核心网络安全策略
#策略 1:禁止主机端口
防止容器绑定主机网络端口:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-host-ports
annotations:
policies.kyverno.io/title: Disallow Host Ports
policies.kyverno.io/category: Pod Security Standards (Baseline)
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Access to host ports allows potential snooping of network traffic and should not be
allowed, or at minimum restricted to a known list.
spec:
validationFailureAction: Enforce
background: true
rules:
- name: host-ports-none
match:
any:
- resources:
kinds:
- Pod
validate:
message: >-
Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort,
spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort
must either be unset or set to 0.
pattern:
spec:
=(ephemeralContainers):
- =(ports):
- =(hostPort): 0
=(initContainers):
- =(ports):
- =(hostPort): 0
containers:
- =(ports):
- =(hostPort): 0#策略 2:限制主机端口范围
允许特定的主机端口范围以实现受控访问:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: restrict-host-port-range
annotations:
policies.kyverno.io/title: Restrict Host Port Range
policies.kyverno.io/category: Pod Security Standards (Baseline)
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Host ports, if used, must be within an allowed range to prevent conflicts and security issues.
spec:
validationFailureAction: Enforce
background: true
rules:
- name: host-port-range
match:
any:
- resources:
kinds:
- Pod
preconditions:
all:
- key: "{{ request.object.spec.containers[].ports[?hostPort] | length(@) }}"
operator: GreaterThan
value: 0
validate:
message: >-
Host ports must be within the allowed range 30000-32767.
foreach:
- list: request.object.spec.[ephemeralContainers, initContainers, containers][].ports[]
preconditions:
any:
- key: "{{ element.hostPort }}"
operator: GreaterThan
value: 0
deny:
conditions:
any:
- key: "{{ element.hostPort }}"
operator: LessThan
value: 30000
- key: "{{ element.hostPort }}"
operator: GreaterThan
value: 32767#策略 3:要求网络策略
确保 Pod 关联有 NetworkPolicies 以控制流量:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-network-policies
annotations:
policies.kyverno.io/title: Require Network Policies
policies.kyverno.io/category: Network Security
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod,NetworkPolicy
policies.kyverno.io/description: >-
Pods should have associated NetworkPolicies to control network traffic.
spec:
validationFailureAction: Enforce
background: false
rules:
- name: require-netpol
match:
any:
- resources:
kinds:
- Pod
exclude:
any:
- resources:
namespaces:
- kube-system
- kyverno
context:
- name: netpols
apiCall:
urlPath: "/apis/networking.k8s.io/v1/namespaces/{{ request.namespace }}/networkpolicies"
jmesPath: "items[?spec.podSelector.matchLabels.app == '{{ request.object.metadata.labels.app }}'] | length(@)"
validate:
message: >-
Pods must have an associated NetworkPolicy. Create a NetworkPolicy that selects this pod.
deny:
conditions:
all:
- key: "{{ netpols }}"
operator: Equals
value: 0#策略 4:限制 Service 类型
控制允许创建的 Service 类型:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: restrict-service-types
annotations:
policies.kyverno.io/title: Restrict Service Types
policies.kyverno.io/category: Network Security
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Service
policies.kyverno.io/description: >-
Restrict Service types to prevent exposure of services to external networks.
spec:
validationFailureAction: Enforce
background: true
rules:
- name: restrict-nodeport
match:
any:
- resources:
kinds:
- Service
validate:
message: >-
NodePort services are not allowed. Use ClusterIP or LoadBalancer instead.
pattern:
spec:
type: "!NodePort"
- name: restrict-loadbalancer
match:
any:
- resources:
kinds:
- Service
namespaces:
- development
- dev-*
- staging
validate:
message: >-
LoadBalancer services are not allowed in development environments.
pattern:
spec:
type: "!LoadBalancer"#策略 5:控制 Ingress 配置
强制安全的 Ingress 配置:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: secure-ingress-configuration
annotations:
policies.kyverno.io/title: Secure Ingress Configuration
policies.kyverno.io/category: Network Security
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Ingress
policies.kyverno.io/description: >-
Ingress resources must be configured securely with TLS and proper annotations.
spec:
validationFailureAction: Enforce
background: true
rules:
- name: require-tls
match:
any:
- resources:
kinds:
- Ingress
validate:
message: >-
Ingress must use TLS. The field spec.tls must be specified.
pattern:
spec:
tls:
- hosts:
- "*"
- name: require-security-annotations
match:
any:
- resources:
kinds:
- Ingress
validate:
message: >-
Ingress must have security annotations for SSL redirect and HSTS.
pattern:
metadata:
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"#策略 6:限制 DNS 配置
控制 DNS 设置以防止基于 DNS 的攻击:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: restrict-dns-configuration
annotations:
policies.kyverno.io/title: Restrict DNS Configuration
policies.kyverno.io/category: Network Security
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Restrict DNS configuration to prevent DNS hijacking and data exfiltration.
spec:
validationFailureAction: Enforce
background: true
rules:
- name: restrict-dns-policy
match:
any:
- resources:
kinds:
- Pod
validate:
message: >-
Custom DNS policy is not allowed. Use Default or ClusterFirst only.
pattern:
spec:
=(dnsPolicy): "Default | ClusterFirst"
- name: restrict-custom-dns
match:
any:
- resources:
kinds:
- Pod
validate:
message: >-
Custom DNS configuration is not allowed in production environments.
pattern:
spec:
X(dnsConfig): "null"#高级场景
#场景 1:环境特定的网络策略
针对不同环境的不同网络限制:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: environment-network-security
spec:
validationFailureAction: Enforce
background: true
rules:
# 生产环境:严格的网络控制
- name: production-network-restrictions
match:
any:
- resources:
kinds:
- Pod
namespaces:
- production
- prod-*
validate:
message: "Production environments require strict network security"
pattern:
spec:
hostNetwork: "false"
dnsPolicy: "ClusterFirst"
containers:
- ports:
- =(hostPort): 0
# 开发环境:基础网络安全
- name: development-network-restrictions
match:
any:
- resources:
kinds:
- Pod
namespaces:
- development
- dev-*
- staging
validate:
message: "Development environments require basic network security"
pattern:
spec:
hostNetwork: "false"#场景 2:应用特定的网络策略
针对不同应用类型的不同网络策略:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: application-network-policies
spec:
validationFailureAction: Enforce
background: true
rules:
# 数据库应用:禁止外部网络访问
- name: database-network-policy
match:
any:
- resources:
kinds:
- Pod
selector:
matchLabels:
app.type: database
validate:
message: "Database applications cannot use host network or host ports"
pattern:
spec:
hostNetwork: "false"
containers:
- ports:
- =(hostPort): 0
# Web 应用:受控端口访问
- name: web-app-network-policy
match:
any:
- resources:
kinds:
- Pod
selector:
matchLabels:
app.type: web
validate:
message: "Web applications can only use standard HTTP/HTTPS ports"
foreach:
- list: request.object.spec.containers[].ports[]
deny:
conditions:
any:
- key: "{{ element.containerPort }}"
operator: AnyNotIn
value:
- 80
- 443
- 8080
- 8443#场景 3:网络分段强制执行
强制不同层级之间的网络分段:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: network-segmentation-enforcement
spec:
validationFailureAction: Enforce
background: true
rules:
- name: frontend-backend-separation
match:
any:
- resources:
kinds:
- Pod
selector:
matchLabels:
tier: frontend
validate:
message: "Frontend pods cannot access backend network directly"
deny:
conditions:
any:
- key: "{{ request.object.metadata.labels.tier }}"
operator: Equals
value: backend
- name: require-network-labels
match:
any:
- resources:
kinds:
- Pod
exclude:
any:
- resources:
namespaces:
- kube-system
- kyverno
validate:
message: "Pods must have network tier labels for segmentation"
pattern:
metadata:
labels:
tier: "frontend | backend | database"#测试与验证
#测试主机网络访问(应失败)
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
name: test-host-network
spec:
hostNetwork: true
containers:
- name: test
image: nginx
EOF#测试主机端口绑定(应失败)
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
name: test-host-port
spec:
containers:
- name: test
image: nginx
ports:
- containerPort: 80
hostPort: 8080
EOF#测试 NodePort Service(应失败)
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
name: test-nodeport
spec:
type: NodePort
ports:
- port: 80
targetPort: 80
nodePort: 30080
selector:
app: test
EOF#测试有效的网络配置(应通过)
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
name: test-secure-network
labels:
app: web-app
tier: frontend
spec:
dnsPolicy: ClusterFirst
containers:
- name: test
image: nginx
ports:
- containerPort: 80
protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
name: test-service
spec:
type: ClusterIP
ports:
- port: 80
targetPort: 80
selector:
app: web-app
EOF