# Security Configuration

Zero-trust security principles.

## Network Security

### Firewall Configuration
```bash
# Basic UFW configuration
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH before enabling the firewall so the current session is not cut off
sudo ufw allow ssh
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# EasyTier port
sudo ufw allow 51820/udp
# Enable the firewall
sudo ufw enable
```

### Kubernetes Network Policy
```yaml
# Restrict traffic between Pods: api Pods accept ingress only from frontend
# Pods and may only talk to database Pods (plus cluster DNS)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - port: 8080
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: database
      ports:
        - port: 5432
    # Once Egress is listed in policyTypes everything not allowed here is
    # blocked, DNS included; without this rule the Pod cannot resolve the
    # database service name
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
```

## Authentication
### SSH Key Authentication

```bash
# Generate a key pair
ssh-keygen -t ed25519 -C "your-email@example.com"
# Copy the public key to the server
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server
# Disable password authentication. The stock sshd_config usually carries the
# directive commented out, so the pattern must match the commented form too
sudo sed -i -E 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
# Make sure no drop-in file re-enables it
grep -r PasswordAuthentication /etc/ssh/sshd_config.d/ 2>/dev/null
# Confirm a key-based login works in a second session, then validate and restart
sudo sshd -t && sudo systemctl restart sshd
```

### Gitea User Permissions
## Secrets Management

### Kubernetes Secrets
```bash
# Create the Secret (replace <password>; note that a --from-literal value
# ends up in shell history, --from-file avoids that)
kubectl create secret generic db-credentials \
  --from-literal=username=admin \
  --from-literal=password=<password>
# Consume the Secret as an environment variable
kubectl apply -f - << 'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: myapp
spec:
  containers:
    - name: myapp
      image: myapp:latest
      env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-credentials
              key: password
EOF
```

### External Secrets Operator
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: database-credentials
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: ClusterSecretStore
  target:
    name: db-credentials
  data:
    - secretKey: password
      remoteRef:
        key: database/password
```

## Container Security
### Dockerfile Best Practices

```dockerfile
# Use a minimal base image
FROM alpine:3.18
# Create a non-root user with a fixed UID/GID, so a Kubernetes runAsNonRoot
# check can verify the user without a lookup in the image's /etc/passwd
RUN addgroup -S -g 1000 appgroup && adduser -S -u 1000 -G appgroup appuser
# Copy the application, owned by the non-root user
COPY --chown=appuser:appgroup . /app
# Do not run as root: switch to the numeric UID
USER 1000
# A read-only root filesystem is not a Dockerfile instruction; set it at run
# time (docker run --read-only, or readOnlyRootFilesystem in the Pod
# securityContext) and mount a writable volume for any scratch data
```

### Kubernetes Security Context
```yaml
spec:
  # Pod-level securityContext (fsGroup exists only here)
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
  containers:
    - name: myapp
      image: myapp:latest
      # Container-level fields (readOnlyRootFilesystem and capabilities exist only here)
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - ALL
```

### Pod Security Policy
```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
```

PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; on current clusters enforce the same rules with Pod Security Admission by labelling the namespace with `pod-security.kubernetes.io/enforce: restricted`.
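To check that a running Pod actually carries the settings from the security context and the restricted policy above, here is an added example (not code from the original page) that audits a Pod manifest parsed into a dict, for instance from `kubectl get pod myapp -o json`. The two sample manifests are constructed for the example and the `pod_security_findings` function name is an assumption of this example.

```python
import json

def pod_security_findings(pod: dict) -> list:
    """Return one message per violation of the restricted settings above.

    An empty list means the Pod complies. Container-level securityContext
    fields override the Pod-level ones, as in the Kubernetes API."""
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext") or {}
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        ctx = c.get("securityContext") or {}
        caps = ctx.get("capabilities") or {}
        non_root = ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot"))
        uid = ctx.get("runAsUser", pod_ctx.get("runAsUser"))
        if non_root is not True and uid in (None, 0):
            findings.append(f"{name}: may run as root (MustRunAsNonRoot)")
        if ctx.get("privileged"):
            findings.append(f"{name}: privileged container")
        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if ctx.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        if "ALL" not in [d.upper() for d in caps.get("drop") or []]:
            findings.append(f"{name}: capabilities.drop does not include ALL")
        if caps.get("add"):
            findings.append(f"{name}: adds capabilities {caps['add']}")
    return findings

# Constructed sample: the hardened Pod from the security context section
HARDENED_POD = json.loads("""{"apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "myapp"},
  "spec": {"securityContext": {"runAsNonRoot": true, "runAsUser": 1000,
                               "runAsGroup": 1000, "fsGroup": 1000},
           "containers": [{"name": "myapp", "image": "myapp:latest",
             "securityContext": {"allowPrivilegeEscalation": false,
                                 "readOnlyRootFilesystem": true,
                                 "capabilities": {"drop": ["ALL"]}}}]}}""")

# Constructed sample: the same Pod with no securityContext at all
DEFAULT_POD = json.loads("""{"apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "myapp"},
  "spec": {"containers": [{"name": "myapp", "image": "myapp:latest"}]}}""")

if __name__ == "__main__":
    for pod in (HARDENED_POD, DEFAULT_POD):
        print(pod["metadata"]["name"], pod_security_findings(pod) or "OK")
```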
## Certificate Management

### Let's Encrypt Auto-Renewal

```bash
# Install Certbot
sudo apt-get install -y certbot python3-certbot-nginx
# Obtain a certificate
sudo certbot --nginx -d your-domain.com
# Test automatic renewal
sudo certbot renew --dry-run
# Cron job (the Debian/Ubuntu package also installs a certbot.timer systemd
# unit; check `systemctl list-timers` so renewal is not scheduled twice)
sudo crontab -e
# Add: 0 0 * * * /usr/bin/certbot renew --quiet
```

### Harbor Certificate Configuration
```bash
# Make the Docker client trust the Harbor certificate. Only the CA (or the
# self-signed server certificate) goes into certs.d, never the private key:
# Docker treats a *.key file there as a client key and fails when the
# matching *.cert is missing. The server key belongs in harbor.yml
# (https.certificate / https.private_key)
sudo mkdir -p /etc/docker/certs.d/harbor.your-domain.com
sudo cp your-cert.crt /etc/docker/certs.d/harbor.your-domain.com/ca.crt
# Restart Docker
sudo systemctl restart docker
```

## Audit Logging
### Kubernetes Audit Policy

```yaml
apiVersion: audit.k8s.io/v1
kind: Policy
# Rules are matched in order and the first match wins, so the exclusion for
# kube-proxy watches must come before the broader rules below; placed last,
# it would never apply to watches on services
rules:
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
  - level: Metadata
    resources:
      - group: ""
        resources: ["pods", "services"]
  - level: RequestResponse
    resources:
      - group: "apps"
        resources: ["deployments"]
```

### Gitea Audit Log
Enable the audit log feature in the Gitea admin settings.

## Backup Strategy

### Critical Data Backup
| Data | Backup frequency | Storage location |
|---|---|---|
| Kubernetes etcd | Hourly | Local + NFS |
| Database | Daily | Local + cloud |
| Configuration files | On every change | Git repository |
| SSL certificates | On automatic renewal | Local |
### Backup Script

```bash
#!/bin/bash
# backup.sh
set -euo pipefail
DATE=$(date +%Y%m%d)
BACKUP_DIR=/exports/backups
mkdir -p "$BACKUP_DIR"
# Database backup
docker exec postgres pg_dump -U gitea gitea > "$BACKUP_DIR/gitea_db_$DATE.sql"
# Kubernetes resource backup ("all" does not cover Secrets, ConfigMaps or
# custom resources; keep the etcd snapshots from the table above as well)
kubectl get all -A -o yaml > "$BACKUP_DIR/k8s_resources_$DATE.yaml"
# Remove backups older than 7 days; restrict the match to this script's own
# files so an unqualified -delete cannot remove anything else in the directory
find "$BACKUP_DIR" -maxdepth 1 -type f \
  \( -name 'gitea_db_*.sql' -o -name 'k8s_resources_*.yaml' \) \
  -mtime +7 -delete
```