本文主要基于Kubernetes1.22.2和Linux操作系统Ubuntu 18.04。

Kubernetes集群架构：k8scludes1作为master节点，k8scludes2，k8scludes3作为worker节点。

前言

在当今的云计算时代，Kubernetes已经成为容器化应用部署和管理的事实标准。然而，随着Kubernetes集群的规模不断扩大，如何确保集群的安全性成为了一个重要的问题。YAML文件是Kubernetes配置的主要载体，因此，检查YAML文件的安全性对于确保Kubernetes集群的安全至关重要。本文将介绍如何使用Kubesec工具来检查YAML文件的安全性。

使用Kubesec检查YAML文件安全的 前提 是已经有一套可以正常运行的Kubernetes集群，关于Kubernetes(k8s)集群的安装部署，可以查看博客《Ubuntu 安装部署Kubernetes(k8s)集群》 https://www.cnblogs.com/renshengdezheli/p/17632858.html 。

Kubesec简介

Kubesec是一个开源的Kubernetes安全评估工具，由controlplaneio公司开发。它可以帮助用户发现和修复Kubernetes配置文件中的安全问题，从而提高集群的安全性。Kubesec通过分析YAML文件中的配置信息，识别潜在的安全风险，并提供修复建议。Kubesec官网为： https://kubesec.io/ ，在github上的网址为： https://github.com/controlplaneio/kubesec ，Kubesec安装包下载网址为： https://github.com/controlplaneio/kubesec/releases 。
Kubesec基于一组安全最佳实践和规则，对YAML文件进行深度分析。它采用了多种技术手段，包括正则表达式、字符串匹配和模式匹配等，来识别不安全配置。Kubesec还对Kubernetes API进行监控，以确保配置文件与API的兼容性。

使用Kubesec检查YAML文件安全

使用--dry-run=client生成一份创建pod的yaml文件，--dry-run 表示模拟运行，并不会真的创建一个pod ， --dry-run=client输出信息少 ，--dry-run=server输出信息多， -o yaml表示以yaml文件的格式输出。

生成的pod yaml文件是最基本的yaml文件，很多安全设置并没有设置。

root@k8scludes1:~# kubectl run podyamlsafe --image=hub.c.163.com/library/centos:latest --image-pull-policy=IfNotPresent --dry-run=client -o yaml >podyamlsafe.yaml

下载好kubesec安装包。

root@k8scludes1:~# ll -h kubesec_linux_amd64.tar.gz 
-rw-r--r-- 1 root root 3.9M Jun 18 22:27 kubesec_linux_amd64.tar.gz

解压安装包。

root@k8scludes1:~# tar xf kubesec_linux_amd64.tar.gz 

root@k8scludes1:~# ll -h kubesec*
-rwxr-xr-x 1 1001 docker  11M Sep 22  2021 kubesec*
-rw-r--r-- 1 root root   3.9M Jun 18 22:27 kubesec_linux_amd64.tar.gz

移动kubesec可执行文件到/usr/local/bin/目录下。

root@k8scludes1:~# mv kubesec /usr/local/bin/

使用kubesec扫描yaml文件，显示出来的就是提高pod安全性的意见。

可以看到给出了很多安全建议，比如设置AppArmor策略，配置ServiceAccount，还有Seccomp系统调用等等。

root@k8scludes1:~# kubesec scan podyamlsafe.yaml 
[
  {
    "object": "Pod/podyamlsafe.default",
    "valid": true,
    "fileName": "podyamlsafe.yaml",
    "message": "Passed with a score of 0 points",
    "score": 0,
    "scoring": {
      "advise": [
        {
          "id": "ApparmorAny",
          "selector": ".metadata .annotations .\"container.apparmor.security.beta.kubernetes.io/nginx\"",
          "reason": "Well defined AppArmor policies may provide greater protection from unknown threats. WARNING: NOT PRODUCTION READY",
          "points": 3
        },
        {
          "id": "ServiceAccountName",
          "selector": ".spec .serviceAccountName",
          "reason": "Service accounts restrict Kubernetes API access and should be configured with least privilege",
          "points": 3
        },
        {
          "id": "SeccompAny",
          "selector": ".metadata .annotations .\"container.seccomp.security.alpha.kubernetes.io/pod\"",
          "reason": "Seccomp profiles set minimum privilege and secure against unknown threats",
          "points": 1
        },
        {
          "id": "LimitsCPU",
          "selector": "containers[] .resources .limits .cpu",
          "reason": "Enforcing CPU limits prevents DOS via resource exhaustion",
          "points": 1
        },
        {
          "id": "LimitsMemory",
          "selector": "containers[] .resources .limits .memory",
          "reason": "Enforcing memory limits prevents DOS via resource exhaustion",
          "points": 1
        },
        {
          "id": "RequestsCPU",
          "selector": "containers[] .resources .requests .cpu",
          "reason": "Enforcing CPU requests aids a fair balancing of resources across the cluster",
          "points": 1
        },
        {
          "id": "RequestsMemory",
          "selector": "containers[] .resources .requests .memory",
          "reason": "Enforcing memory requests aids a fair balancing of resources across the cluster",
          "points": 1
        },
        {
          "id": "CapDropAny",
          "selector": "containers[] .securityContext .capabilities .drop",
          "reason": "Reducing kernel capabilities available to a container limits its attack surface",
          "points": 1
        },
        {
          "id": "CapDropAll",
          "selector": "containers[] .securityContext .capabilities .drop | index(\"ALL\")",
          "reason": "Drop all capabilities and add only those required to reduce syscall attack surface",
          "points": 1
        },
        {
          "id": "ReadOnlyRootFilesystem",
          "selector": "containers[] .securityContext .readOnlyRootFilesystem == true",
          "reason": "An immutable root filesystem can prevent malicious binaries being added to PATH and increase attack cost",
          "points": 1
        },
        {
          "id": "RunAsNonRoot",
          "selector": "containers[] .securityContext .runAsNonRoot == true",
          "reason": "Force the running image to run as a non-root user to ensure least privilege",
          "points": 1
        },
        {
          "id": "RunAsUser",
          "selector": "containers[] .securityContext .runAsUser -gt 10000",
          "reason": "Run as a high-UID user to avoid conflicts with the host's user table",
          "points": 1
        }
      ]
    }
  }
]

总结

使用Kubesec检查YAML文件安全性是一个简单而有效的方法，可以帮助识别和修复潜在的安全问题。通过遵循Kubesec的修复建议，可以显著提高Kubernetes集群的安全性。