
Cluster and application security

Familiarize yourself with Kubernetes security essentials and review the secure setup for clusters and application security guidance. Kubernetes security is important throughout the container lifecycle because of the distributed, dynamic nature of a Kubernetes cluster. Applications are only as secure as the weakest link in the chain of services that comprise the application's security.

Plan, train, and proof

As you get started, the security essentials checklist and Kubernetes security resources below will help you plan for cluster operations and application security. By the end of this section, you'll be able to answer these questions:

  • Have you reviewed the security and threat model of Kubernetes clusters?
  • Is your cluster enabled for Kubernetes role-based access control?

Security checklist:

Deploy to production and apply Kubernetes security best practices

As you prepare the application for production, implement a minimum set of best practices. Use this checklist at this stage. By the end of this section, you'll be able to answer these questions:

  • Have you set up network security rules for ingress, egress, and intra-pod communication?
  • Is your cluster set up to automatically apply node security updates?
  • Are you running a security scanning solution for your cluster and container services?
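The first question above (network rules for ingress, egress and intra-pod traffic) is usually answered with Kubernetes NetworkPolicy objects: a default-deny policy for the namespace, then explicit allow rules for the traffic the application needs. The script below is an added example written for this page, not code from the Azure documentation or from the AKS project; the namespace `shop`, the `app=frontend` and `app=backend` labels and port 8080 are constructed values. It also covers the failure mode practitioners hit most often, which is that a default-deny egress rule silently breaks cluster DNS unless DNS egress to `kube-system` is explicitly allowed.

```shell
#!/bin/sh
# Added example (not from the Azure docs): render a default-deny NetworkPolicy
# plus explicit allow rules for one namespace, then optionally apply them.
# Constructed assumptions: namespace "shop", pods labelled app=frontend and
# app=backend, backend listening on TCP 8080.

# Deny all ingress and egress for every pod in NAMESPACE. Any pod not selected
# by a later allow policy then accepts and emits nothing.
netpol_default_deny() {
  ns="$1"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: ${ns}
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
EOF
}

# Allow ingress to app=BACKEND on PORT only from app=FRONTEND pods in the same
# namespace (the intra-pod / intra-namespace rule).
netpol_allow_intra() {
  ns="$1"; frontend="$2"; backend="$3"; port="$4"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-${frontend}-to-${backend}
  namespace: ${ns}
spec:
  podSelector:
    matchLabels:
      app: ${backend}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: ${frontend}
    ports:
    - protocol: TCP
      port: ${port}
EOF
}

# Egress for app=FRONTEND: cluster DNS in kube-system (port 53, UDP and TCP)
# and the backend on PORT. Without the DNS rule, default-deny egress breaks
# name resolution for the whole namespace.
netpol_allow_egress() {
  ns="$1"; frontend="$2"; backend="$3"; port="$4"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-${frontend}-egress
  namespace: ${ns}
spec:
  podSelector:
    matchLabels:
      app: ${frontend}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  - to:
    - podSelector:
        matchLabels:
          app: ${backend}
    ports:
    - protocol: TCP
      port: ${port}
EOF
}

# All three policies as one multi-document manifest.
render_policies() {
  netpol_default_deny "$1"
  echo '---'
  netpol_allow_intra "$1" "$2" "$3" "$4"
  echo '---'
  netpol_allow_egress "$1" "$2" "$3" "$4"
}

# Apply only when explicitly requested and kubectl is available; otherwise
# just print the manifest for review (safe to run offline).
apply_policies() {
  if [ "${NETPOL_APPLY:-0}" = "1" ] && command -v kubectl >/dev/null 2>&1; then
    render_policies "$@" | kubectl apply -f -
  else
    render_policies "$@"
  fi
}
# Usage: NETPOL_APPLY=1 apply_policies shop frontend backend 8080
```

Two caveats when using this on AKS: NetworkPolicy objects are only enforced if the cluster was created with a network policy engine (the `--network-policy azure` or `--network-policy calico` option on `az aks create`); without one the objects are accepted by the API server but have no effect, so a quick `kubectl exec` connectivity test from a pod that should be blocked is the right check after applying. The `kubernetes.io/metadata.name` namespace label used for the DNS rule is set automatically by Kubernetes on every namespace from version 1.22 onward.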

Security checklist:

Optimize and scale

Now that the application is in production, how can you optimize your workflow and prepare your application and team to scale? Use the optimization and scaling checklist to prepare. By the end of this section, you'll be able to answer this question:

  • Can you enforce governance and cluster policies at scale?

Security checklist:

  • Enforce cluster governance policies. Apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. To learn more, see Control deployments with Azure Policy.

  • Rotate cluster certificates periodically. Kubernetes uses certificates for authentication with many of its components. You might want to periodically rotate those certificates for security or policy reasons. To learn more, see Rotate certificates in Azure Kubernetes Service (AKS).