1. Admission controllers

In practice these are Kubernetes feature switches: individual admission plugins can be turned on or off.

List the admission controllers the API server supports:
kubectl exec -it kube-apiserver-vms71 -n kube-system -- kube-apiserver -h | grep enable-admission-plugins

Admission controllers can be disabled with the --disable-admission-plugins flag of kube-apiserver (shown commented out here, so it is not in effect):

#- --disable-admission-plugins=LimitRanger,ResourceQuota
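As an added example (not code from the original page), the check below reads the `command:` lines of a kube-apiserver static pod manifest and reports which admission plugins would actually run: a plugin is active if it is enabled by default or listed in --enable-admission-plugins and not listed in --disable-admission-plugins, and a line commented out with `#` has no effect. The default-enabled set and the sample `command:` blocks are constructed assumptions; the authoritative default list comes from `kube-apiserver -h` for the version in use.

```python
import re

# Constructed subset of the admission plugins kube-apiserver enables by default.
# This is an assumption for illustration; the authoritative list for your version is
# printed by `kube-apiserver -h` under --enable-admission-plugins.
DEFAULT_ENABLED = {
    "NamespaceLifecycle", "LimitRanger", "ServiceAccount", "DefaultStorageClass",
    "ResourceQuota", "MutatingAdmissionWebhook", "ValidatingAdmissionWebhook",
}

FLAG_RE = re.compile(r"--(enable|disable)-admission-plugins=([^\s\"']+)")


def parse_admission_flags(command_lines):
    """Return (enabled, disabled) from the lines of a kube-apiserver `command:` block.

    Lines are YAML list items ("- --flag=value"); a line commented out with '#' is
    not in effect, which is how the manifest above keeps the disable flag switched off.
    """
    enabled, disabled = set(), set()
    for line in command_lines:
        line = line.strip()
        if line.startswith("#"):
            continue
        if line.startswith("- "):
            line = line[2:].strip()
        match = FLAG_RE.fullmatch(line)
        if not match:
            continue
        names = {n for n in match.group(2).split(",") if n}
        (enabled if match.group(1) == "enable" else disabled).update(names)
    return enabled, disabled


def effective_plugins(command_lines, defaults=DEFAULT_ENABLED):
    """Plugins that will actually run: defaults plus --enable, minus --disable."""
    enabled, disabled = parse_admission_flags(command_lines)
    return (set(defaults) | enabled) - disabled


def missing_plugins(command_lines, required, defaults=DEFAULT_ENABLED):
    """The required plugins that would NOT run with this command block, sorted."""
    return sorted(set(required) - effective_plugins(command_lines, defaults))


# Constructed `command:` blocks resembling a kube-apiserver static pod manifest.
BASE_COMMAND = [
    "- kube-apiserver",
    "- --enable-admission-plugins=NodeRestriction",
    "- --secure-port=6443",
]
COMMENTED_DISABLE = BASE_COMMAND + ["#- --disable-admission-plugins=LimitRanger,ResourceQuota"]
ACTIVE_DISABLE = BASE_COMMAND + ["- --disable-admission-plugins=LimitRanger,ResourceQuota"]

# Plugins a cluster policy might insist on (constructed requirement list).
REQUIRED = ["LimitRanger", "ResourceQuota", "NodeRestriction"]

if __name__ == "__main__":
    for label, lines in (("disable commented out", COMMENTED_DISABLE),
                         ("disable active", ACTIVE_DISABLE)):
        print(f"{label}: missing {missing_plugins(lines, REQUIRED)}")
```

Running it shows that with the disable line commented out nothing is missing, while uncommenting it silently removes LimitRanger and ResourceQuota even though neither appears in --enable-admission-plugins; a plugin that is on by default only shows up in the manifest when it is being turned off, which is why the check starts from the default set rather than from the enable flag alone.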

1.1 Resource limits

1.1.1 Limiting Services

apiVersion: v1
kind: ResourceQuota
metadata:
  name: myrq
spec:
  hard:
    services: "4"

1.1.2 Restricting resources per namespace

apiVersion: v1
kind: LimitRange
metadata:
  name: mem-min-max-demo-lr
  namespace: demo4
spec:
  limits:
  - max:
      memory: 1Gi
    min:
      memory: 512Mi
    type: Container
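The two objects above are enforced by the LimitRanger and ResourceQuota admission plugins from section 1. The following added example (not from the original page, and not Kubernetes' own code) re-implements the memory part of that logic in Python so the behaviour can be seen on sample pods: missing requests/limits are filled from the LimitRange defaults in the order the API server uses (default falls back to max, defaultRequest to default and then to min), then every container's request and limit must lie within [min, max]; for the quota, a new Service is admitted only while the namespace count stays within `services: "4"`. The sample pods and the quantity parser are constructed for the example.

```python
import re

# Byte multipliers for the quantity suffixes Kubernetes accepts for memory.
SUFFIX = {"": 1, "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12,
          "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40}
QUANTITY_RE = re.compile(r"(\d+(?:\.\d+)?)(Ki|Mi|Gi|Ti|k|M|G|T)?")

# The ResourceQuota and LimitRange from the page, as Python dicts.
RESOURCE_QUOTA = {"apiVersion": "v1", "kind": "ResourceQuota",
                  "metadata": {"name": "myrq"}, "spec": {"hard": {"services": "4"}}}
LIMIT_RANGE = {"apiVersion": "v1", "kind": "LimitRange",
               "metadata": {"name": "mem-min-max-demo-lr", "namespace": "demo4"},
               "spec": {"limits": [{"max": {"memory": "1Gi"},
                                    "min": {"memory": "512Mi"},
                                    "type": "Container"}]}}


def parse_memory(quantity):
    """Convert a memory quantity such as '512Mi' or '1Gi' into an integer byte count."""
    m = QUANTITY_RE.fullmatch(str(quantity).strip())
    if not m:
        raise ValueError(f"unsupported quantity: {quantity!r}")
    number, suffix = m.groups()
    return int(float(number) * SUFFIX[suffix or ""])


def container_defaults(item):
    """Implicit defaults of a LimitRange item of type Container, filled in the order
    the API server uses: default <- max, defaultRequest <- default, defaultRequest <- min."""
    default = dict(item.get("default", {}))
    default_request = dict(item.get("defaultRequest", {}))
    for key, value in item.get("max", {}).items():
        default.setdefault(key, value)
    for key, value in default.items():
        default_request.setdefault(key, value)
    for key, value in item.get("min", {}).items():
        default_request.setdefault(key, value)
    return default, default_request


def admit_pod(pod, limit_range):
    """Mimic LimitRanger for memory: fill missing requests/limits from the defaults,
    then reject any container whose request or limit lies outside [min, max].
    Returns (admitted, reasons); the pod dict is mutated with the defaults, as the
    mutating stage of the plugin would do."""
    reasons = []
    for item in limit_range["spec"]["limits"]:
        if item.get("type") != "Container":
            continue
        default, default_request = container_defaults(item)
        low = parse_memory(item.get("min", {}).get("memory", "0"))
        high_raw = item.get("max", {}).get("memory")
        high = parse_memory(high_raw) if high_raw else None
        for container in pod["spec"]["containers"]:
            res = container.setdefault("resources", {})
            if "memory" in default:
                res.setdefault("limits", {}).setdefault("memory", default["memory"])
            if "memory" in default_request:
                res.setdefault("requests", {}).setdefault("memory", default_request["memory"])
            for kind in ("requests", "limits"):
                raw = res.get(kind, {}).get("memory")
                if raw is None:
                    continue
                value = parse_memory(raw)
                if value < low:
                    reasons.append(f"{container['name']}: memory {kind} {raw} is below the minimum")
                if high is not None and value > high:
                    reasons.append(f"{container['name']}: memory {kind} {raw} exceeds the maximum {high_raw}")
    return not reasons, reasons


def admit_service(existing_services, quota):
    """Mimic ResourceQuota for the `services` count: a new Service is admitted only
    while the namespace total stays within the hard limit."""
    hard = quota["spec"]["hard"].get("services")
    if hard is None:
        return True
    return len(existing_services) + 1 <= int(hard)


def sample_pod(requests=None, limits=None):
    """Constructed single-container pod; resources are omitted when not given."""
    resources = {}
    if requests:
        resources["requests"] = dict(requests)
    if limits:
        resources["limits"] = dict(limits)
    container = {"name": "nginx", "image": "nginx"}
    if resources:
        container["resources"] = resources
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "demo", "namespace": "demo4"},
            "spec": {"containers": [container]}}


if __name__ == "__main__":
    for label, pod in (("no resources", sample_pod()),
                       ("request 256Mi", sample_pod(requests={"memory": "256Mi"})),
                       ("limit 2Gi", sample_pod(limits={"memory": "2Gi"}))):
        admitted, reasons = admit_pod(pod, LIMIT_RANGE)
        print(label, "->", "admitted" if admitted else "rejected", reasons,
              pod["spec"]["containers"][0]["resources"])
    print("5th service admitted:", admit_service(["a", "b", "c", "d"], RESOURCE_QUOTA))
```

The first sample pod is the case worth noticing: a pod that declares no resources at all is not rejected but admitted with request and limit both set to 1Gi, because max doubles as the default. A LimitRange therefore caps memory but does not by itself force authors to declare resources; a pod that does declare values outside the range (256Mi request, 2Gi limit) is rejected.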

2. Scanning images for security issues

Use trivy to check the security of a container image.

Scan the nginx image:

root@vms41:/etc/containerd# trivy image nginx:latest
2022-09-26T18:05:39.742+0800 WARN You should avoid using the :latest tag as it is cached. You need to specify '--clear-cache' option when :latest image is changed
2022-09-26T18:05:39.769+0800 INFO Need to update DB
2022-09-26T18:05:39.769+0800 INFO Downloading DB...
29.62 MiB / 29.62 MiB [-----------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 4.87 MiB p/s 7s
2022-09-26T18:06:09.560+0800 INFO Detecting Debian vulnerabilities...
2022-09-26T18:06:09.568+0800 INFO Trivy skips scanning programming language libraries because no supported file was detected

nginx:latest (debian 11.5)
==========================
Total: 123 (UNKNOWN: 0, LOW: 13, MEDIUM: 63, HIGH: 42, CRITICAL: 5)

+------------------+------------------+----------+-------------------------+------------------+-----------------------------------+--------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | URL |
+------------------+------------------+----------+-------------------------+------------------+-----------------------------------+--------------------------------------+
| apt | CVE-2011-3374 | LOW | 2.2.4 | | It was found that apt-key | avd.aquasec.com/nvd/cve-2011-3374 |
| | | | | | in apt, all versions, do not | |
| | | | | | correctly... | |
+------------------+------------------+----------+-------------------------+------------------
...
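The table above is the human-readable form; in a pipeline the same data is normally taken from `trivy image --format json` and turned into a pass/fail decision. The added example below (not from the page and not trivy's own code) summarises a report by severity, applies a gate that fails on findings at or above a chosen severity, optionally skips findings with no fixed version (the same policy as trivy's --ignore-unfixed flag), and lists the package upgrades that would actually remove findings. The report is constructed in the shape of trivy's JSON output: only CVE-2011-3374 comes from the scan above; the CVE-EXAMPLE-* identifiers, package names and versions are placeholders.

```python
import json

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed report in the shape of `trivy image --format json` output (SchemaVersion 2).
# Only CVE-2011-3374 appears in the scan above; the CVE-EXAMPLE-* IDs, package names
# and versions are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "nginx:latest",
    "Results": [{
        "Target": "nginx:latest (debian 11.5)",
        "Class": "os-pkgs",
        "Type": "debian",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2011-3374", "PkgName": "apt", "InstalledVersion": "2.2.4",
             "FixedVersion": "", "Severity": "LOW"},
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libexample1", "InstalledVersion": "1.0-1",
             "FixedVersion": "", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libexample2", "InstalledVersion": "2.3-1",
             "FixedVersion": "2.3-2", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "libexample3", "InstalledVersion": "0.9-1",
             "FixedVersion": "0.9-2", "Severity": "MEDIUM"},
        ],
    }],
})


def load_report(text):
    """Parse the JSON text trivy writes (to stdout or with --output)."""
    return json.loads(text)


def iter_vulns(report):
    """Yield every vulnerability record. Accepts the SchemaVersion 2 object and the
    older output form, which was a bare list of results."""
    results = (report.get("Results") or []) if isinstance(report, dict) else report
    for result in results:
        for vuln in result.get("Vulnerabilities") or []:
            yield vuln


def _rank(vuln):
    """Position of a finding's severity in SEVERITY_ORDER; unknown strings rank lowest."""
    sev = str(vuln.get("Severity", "UNKNOWN")).upper()
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0


def severity_counts(report):
    """Totals per severity, matching the Total line trivy prints above the table."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for vuln in iter_vulns(report):
        counts[SEVERITY_ORDER[_rank(vuln)]] += 1
    return counts


def gate(report, fail_on="HIGH", ignore_unfixed=False):
    """CI gate: return (passed, blocking_ids). A finding blocks when its severity is at
    or above fail_on; with ignore_unfixed=True, findings without a FixedVersion are
    skipped, the same policy as trivy's --ignore-unfixed flag."""
    threshold = SEVERITY_ORDER.index(fail_on.upper())
    blocking = []
    for vuln in iter_vulns(report):
        if _rank(vuln) < threshold:
            continue
        if ignore_unfixed and not vuln.get("FixedVersion"):
            continue
        blocking.append(vuln["VulnerabilityID"])
    return not blocking, blocking


def upgrade_plan(report):
    """(package, installed, fixed) for every finding with a fix available, most severe
    first: the upgrades that remove findings, as opposed to ones only upstream can close."""
    fixable = [v for v in iter_vulns(report) if v.get("FixedVersion")]
    fixable.sort(key=lambda v: -_rank(v))
    return [(v["PkgName"], v["InstalledVersion"], v["FixedVersion"]) for v in fixable]


if __name__ == "__main__":
    report = load_report(SAMPLE_REPORT)
    print(severity_counts(report))
    print("fail on HIGH:", gate(report))
    print("fail on HIGH, ignore unfixed:", gate(report, ignore_unfixed=True))
    print("fail on CRITICAL, ignore unfixed:", gate(report, fail_on="CRITICAL", ignore_unfixed=True))
    print("upgrades:", upgrade_plan(report))
```

The three gate calls show how much the outcome depends on policy: the same report fails on HIGH, still fails on HIGH when unfixed findings are ignored (the HIGH one has a fix), and passes on CRITICAL with unfixed ignored because the only critical finding has no fixed version. Ignoring unfixed findings keeps the gate actionable but means the unfixed critical is tracked elsewhere rather than forgotten.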

3. Scanning YAML manifests for security issues

root@vms40:~/demo5# ./kubesec scan ../demo4/pod3.yaml 
[
{
"object": "Pod/pod3.default",
"valid": true,
"message": "Passed with a score of 0 points",
"score": 0,
"scoring": {
"advise": [
{
"selector": ".metadata .annotations .\"container.apparmor.security.beta.kubernetes.io/nginx\"",
"reason": "Well defined AppArmor policies may provide greater protection from unknown threats. WARNING: NOT PRODUCTION READY",
"points": 3
},
...
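A kubesec result of "valid": true with a score of 0, as above, means the manifest contains nothing kubesec treats as critical but also nothing that earns hardening points. The added example below (not from the page and not kubesec's own code) reads a report in the shape of that output and turns it into a verdict with a configurable minimum score, a list of critical findings, and a hardening checklist ordered by the points each change would earn. The report is constructed: the first object is the page's pod and its AppArmor advise entry is taken from the output above, while the remaining advise entries, the second (privileged) pod and all point values other than the AppArmor one are assumptions modelled on kubesec's rule set.

```python
import json

# Constructed kubesec report in the shape of the output above. The AppArmor entry of
# the first object is from the page; the other entries, the second object and their
# point values are assumptions modelled on kubesec's rules, for illustration only.
SAMPLE_REPORT = json.dumps([
    {
        "object": "Pod/pod3.default",
        "valid": True,
        "message": "Passed with a score of 0 points",
        "score": 0,
        "scoring": {
            "advise": [
                {"selector": ".metadata .annotations .\"container.apparmor.security.beta.kubernetes.io/nginx\"",
                 "reason": "Well defined AppArmor policies may provide greater protection from unknown threats. WARNING: NOT PRODUCTION READY",
                 "points": 3},
                {"selector": ".spec .serviceAccountName",
                 "reason": "constructed: use a dedicated, least-privilege service account", "points": 3},
                {"selector": "containers[] .securityContext .readOnlyRootFilesystem == true",
                 "reason": "constructed: immutable root filesystem", "points": 1},
                {"selector": "containers[] .resources .limits .memory",
                 "reason": "constructed: memory limit prevents resource exhaustion", "points": 1},
            ]
        },
    },
    {
        "object": "Pod/pod-privileged.default",
        "valid": False,
        "message": "Failed with a score of -30 points",
        "score": -30,
        "scoring": {
            "critical": [
                {"selector": "containers[] .securityContext .privileged == true",
                 "reason": "constructed: privileged containers can escape to the host", "points": -30},
            ],
            "advise": [
                {"selector": "containers[] .resources .limits .memory",
                 "reason": "constructed: memory limit prevents resource exhaustion", "points": 1},
            ],
        },
    },
])


def load_report(text):
    """Parse the JSON array kubesec prints for a scanned file."""
    return json.loads(text)


def verdicts(report, min_score=0):
    """Per object: pass only if kubesec marked it valid (no critical finding) and the
    score reaches min_score. A valid object with score 0 has nothing dangerous but
    nothing hardened either; raise min_score to require some hardening."""
    return {obj["object"]: bool(obj.get("valid")) and obj.get("score", 0) >= min_score
            for obj in report}


def critical_findings(obj):
    """Selectors that made kubesec mark the object invalid, most damaging first."""
    critical = obj.get("scoring", {}).get("critical", [])
    return [(c["points"], c["selector"]) for c in sorted(critical, key=lambda c: c["points"])]


def hardening_checklist(obj):
    """Advise entries ordered by points, highest first: the changes that raise the score most."""
    advise = obj.get("scoring", {}).get("advise", [])
    return [(a["points"], a["selector"]) for a in sorted(advise, key=lambda a: -a["points"])]


def potential_score(obj):
    """Score the object would reach if every critical finding were removed (its points
    given back) and every advise item applied."""
    scoring = obj.get("scoring", {})
    return (obj.get("score", 0)
            - sum(c["points"] for c in scoring.get("critical", []))
            + sum(a["points"] for a in scoring.get("advise", [])))


if __name__ == "__main__":
    report = load_report(SAMPLE_REPORT)
    print("min score 0:", verdicts(report))
    print("min score 5:", verdicts(report, min_score=5))
    for obj in report:
        print(obj["object"], "critical:", critical_findings(obj))
        print(obj["object"], "checklist:", hardening_checklist(obj),
              "potential score:", potential_score(obj))
```

With the default minimum of 0 the page's pod passes and the privileged pod fails; requiring a minimum score of 5 fails both, which is the setting that forces the advise items to be acted on rather than merely reported. The checklist puts the 3-point items (AppArmor profile, dedicated service account) ahead of the 1-point ones, so the potential score of 8 for pod3 is reached fastest by addressing those first.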