---
title: "安全"
weight: 85
description: 确保云原生工作负载安全的一组概念。
simple_list: true
---

<!--
title: "Security"
weight: 85
description: >
  Concepts for keeping your cloud-native workload secure.
simple_list: true
-->

<!--
This section of the Kubernetes documentation aims to help you learn to run
workloads more securely, and about the essential aspects of keeping a
Kubernetes cluster secure.

Kubernetes is based on a cloud-native architecture, and draws on advice from the
{{< glossary_tooltip text="CNCF" term_id="cncf" >}} about good practice for
cloud native information security.
-->
Kubernetes 文档的这一部分内容的旨在引导你学习如何更安全地运行工作负载，
以及维护 Kubernetes 集群的基本安全性。

Kubernetes 基于云原生架构，并借鉴了
{{< glossary_tooltip text="CNCF" term_id="cncf" >}} 有关云原生信息安全良好实践的建议。

<!--
Read [Cloud Native Security and Kubernetes](/docs/concepts/security/cloud-native-security/)
for the broader context about how to secure your cluster and the applications that
you're running on it.
-->
请阅读[云原生安全和 Kubernetes](/zh-cn/docs/concepts/security/cloud-native-security/)，
了解有关如何保护集群及其上运行的应用程序的更广泛背景信息。

<!--
## Kubernetes security mechanisms {#security-mechanisms}

Kubernetes includes several APIs and security controls, as well as ways to
define [policies](#policies) that can form part of how you manage information security.
-->
## Kubernetes 安全机制 {#security-mechanisms}

Kubernetes 包含多个 API 和安全组件，
以及定义[策略](#policies)的方法，这些策略可以作为你的信息安全管理的一部分。

<!--
### Control plane protection

A key security mechanism for any Kubernetes cluster is to
[control access to the Kubernetes API](/docs/concepts/security/controlling-access).
-->
### 控制平面保护

任何 Kubernetes 集群的一个关键安全机制是[控制对 Kubernetes API 的访问](/zh-cn/docs/concepts/security/controlling-access)。

<!--
Kubernetes expects you to configure and use TLS to provide
[data encryption in transit](/docs/tasks/tls/managing-tls-in-a-cluster/)
within the control plane, and between the control plane and its clients.
You can also enable [encryption at rest](/docs/tasks/administer-cluster/encrypt-data/)
for the data stored within Kubernetes control plane; this is separate from using
encryption at rest for your own workloads' data, which might also be a good idea.
-->
Kubernetes 希望你配置并使用 TLS，
以便在控制平面内以及控制平面与其客户端之间提供[传输中的数据加密](/zh-cn/docs/tasks/tls/managing-tls-in-a-cluster/)。
你还可以为 Kubernetes 控制平面中存储的数据启用静态加密；
这与对你自己的工作负载数据使用静态加密不同，后者可能也是一个好主意。

<!--
### Secrets

The [Secret](/docs/concepts/configuration/secret/) API provides basic protection for
configuration values that require confidentiality.
-->
### Secret

[Secret](/zh-cn/docs/concepts/configuration/secret/) API
为需要保密的配置值提供基本保护。

<!--
### Workload protection

Enforce [Pod security standards](/docs/concepts/security/pod-security-standards/) to
ensure that Pods and their containers are isolated appropriately. You can also use
[RuntimeClasses](/docs/concepts/containers/runtime-class) to define custom isolation
if you need it.
-->
### 工具负载保护

实施 [Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards/)以确保
Pod 及其容器得到适当隔离。如果需要，你还可以使用
[RuntimeClass](/zh-cn/docs/concepts/containers/runtime-class) 来配置自定义隔离。

<!--
[Network policies](/docs/concepts/services-networking/network-policies/) let you control
network traffic between Pods, or between Pods and the network outside your cluster.

You can deploy security controls from the wider ecosystem to implement preventative
or detective controls around Pods, their containers, and the images that run in them.
-->
[网络策略（NetworkPolicy)](/zh-cn/docs/concepts/services-networking/network-policies/)
可让控制 Pod 之间或 Pod 与集群外部网络之间的网络流量。

<!--
### Auditing

Kubernetes [audit logging](/docs/tasks/debug/debug-cluster/audit/) provides a
security-relevant, chronological set of records documenting the sequence of actions
in a cluster. The cluster audits the activities generated by users, by applications
that use the Kubernetes API, and by the control plane itself.
-->
### 审计

Kubernetes [审计日志记录](/zh-cn/docs/tasks/debug/debug-cluster/audit/)提供了一组与安全相关、
按时间顺序排列的记录，记录了集群中的操作序列。
集群审计用户、使用 Kubernetes API 的应用程序以及控制平面本身生成的活动。

<!--
## Cloud provider security

{{% thirdparty-content vendor="true" %}}

If you are running a Kubernetes cluster on your own hardware or a different cloud provider,
consult your documentation for security best practices.
Here are links to some of the popular cloud providers' security documentation:
-->
## 云提供商安全

{{% thirdparty-content vendor="true" %}}

如果你在自己的硬件或不同的云平台上运行 Kubernetes 集群，请参阅对应云平台的文档以了解安全最佳实践。
以下是一些流行云提供商的安全文档的链接：

<!--
{{< table caption="Cloud provider security" >}}

IaaS Provider        | Link |
-------------------- | ------------ |
Alibaba Cloud | https://www.alibabacloud.com/trust-center |
Amazon Web Services | https://aws.amazon.com/security |
Google Cloud Platform | https://cloud.google.com/security |
Huawei Cloud | https://www.huaweicloud.com/intl/en-us/securecenter/overallsafety |
IBM Cloud | https://www.ibm.com/cloud/security |
Microsoft Azure | https://docs.microsoft.com/en-us/azure/security/azure-security |
Oracle Cloud Infrastructure | https://www.oracle.com/security |
VMware vSphere | https://www.vmware.com/security/hardening-guides |

{{< /table >}}
-->
{{< table caption="Cloud provider security" >}}

IaaS 提供商        | 链接 |
-------------------- | ------------ |
阿里云 | https://www.alibabacloud.com/trust-center |
亚马逊网络服务 | https://aws.amazon.com/security |
谷歌云平台 | https://cloud.google.com/security |
华为云 | https://www.huaweicloud.com/intl/en-us/securecenter/overallsafety |
IBM 云 | https://www.ibm.com/cloud/security |
微软 Azure | https://docs.microsoft.com/en-us/azure/security/azure-security |
Oracle 云基础设施| https://www.oracle.com/security |
VMware vSphere | https://www.vmware.com/security/hardening-guides |

{{< /table >}}

<!--
## Policies

You can define security policies using Kubernetes-native mechanisms,
such as [NetworkPolicy](/docs/concepts/services-networking/network-policies/)
(declarative control over network packet filtering) or
[ValidatingAdmisisonPolicy](/docs/reference/access-authn-authz/validating-admission-policy/) (declarative restrictions on what changes
someone can make using the Kubernetes API).
-->
## 策略

你可以使用 Kubernetes 原生机制定义安全策略，例如
[NetworkPolicy](/zh-cn/docs/concepts/services-networking/network-policies/)（对网络数据包过滤的声明式控制）
或 [ValidatingAdmisisonPolicy](/zh-cn/docs/reference/access -authn-authz/validating-admission-policy/)
（对某人可以使用 Kubernetes API 进行哪些更改的声明性限制）。

<!--
However, you can also rely on policy implementations from the wider
ecosystem around Kubernetes. Kubernetes provides extension mechanisms
to let those ecosystem projects implement their own policy controls
on source code review, container image approval, API access controls,
networking, and more.
-->
你还可以依赖 Kubernetes 周边更广泛的生态系统的策略实现。
Kubernetes 提供了扩展机制，让这些生态系统项目在源代码审查、
容器镜像审批、API 访问控制、网络等方面实施自己的策略控制。

<!--
For more information about policy mechanisms and Kubernetes,
read [Policies](/docs/concepts/policy/).
-->
有关策略机制和 Kubernetes 的更多信息，请阅读[策略](/zh-cn/docs/concepts/policy/)。

## {{% heading "whatsnext" %}}

<!--
Learn about related Kubernetes security topics:

* [Securing your cluster](/docs/tasks/administer-cluster/securing-a-cluster/)
* [Known vulnerabilities](/docs/reference/issues-security/official-cve-feed/)
  in Kubernetes (and links to further information)
* [Data encryption in transit](/docs/tasks/tls/managing-tls-in-a-cluster/) for the control plane
* [Data encryption at rest](/docs/tasks/administer-cluster/encrypt-data/)
* [Controlling Access to the Kubernetes API](/docs/concepts/security/controlling-access)
* [Network policies](/docs/concepts/services-networking/network-policies/) for Pods
* [Secrets in Kubernetes](/docs/concepts/configuration/secret/)
* [Pod security standards](/docs/concepts/security/pod-security-standards/)
* [RuntimeClasses](/docs/concepts/containers/runtime-class)
-->
了解相关的 Kubernetes 安全主题：

* [保护集群](/zh-cn/docs/tasks/administer-cluster/secure-a-cluster/)
* Kubernetes 中的[已知漏洞](/zh-cn/docs/reference/issues-security/official-cve-feed/)（以及更多信息的链接）
* [传输中的数据加密](/zh-cn/docs/tasks/tls/managing-tls-in-a-cluster/)（针对控制平面）
* [静态数据加密](/zh-cn/docs/tasks/administer-cluster/encrypt-data/)
* [控制对 Kubernetes API 的访问](/zh-cn/docs/concepts/security/controlling-access)
* Pod 的 [网络策略](/zh-cn/docs/concepts/services-networking/network-policies/)
* [Kubernetes 中的 Secret](/zh-cn/docs/concepts/configuration/secret/)
* [Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards/)
* [运行时类](/zh-cn/docs/concepts/containers/runtime-class)

<!--
Learn the context:
-->
了解上下文：

<!-- if changing this, also edit the front matter of content/en/docs/concepts/security/cloud-native-security.md to match; check the no_list setting -->
<!--
* [Cloud Native Security and Kubernetes](/docs/concepts/security/cloud-native-security/)
-->
* [云原生安全和 Kubernetes](/zh-cn/docs/concepts/security/cloud-native-security/)

<!--
Get certified:

* [Certified Kubernetes Security Specialist](https://training.linuxfoundation.org/certification/certified-kubernetes-security-specialist/)
  certification and official training course.

Read more in this section:
-->
获取认证：

* [Kubernetes 安全专家认证](https://training.linuxfoundation.org/certification/certified-kubernetes-security-specialist/)和官方培训课程。

阅读本节的更多内容：