Should I add a DMZ in front of Kubernetes?


Question

Is Kubernetes Ingress secure enough to avoid adding a DMZ in front of Kubernetes to expose Pods and Services? What would happen if someone "hacked" into a Pod?

Thanks.

Recommended answer

This is an opinion question so I'll answer with an option.

It's very secure if you follow standard security practices for your cluster. But nothing is 100% secure. So adding a DMZ would help reduce your attack vectors.

In terms of protecting your Ingress from outside, you can limit access to your external load balancer to HTTPS only; most people do that, but note that HTTPS and your application itself can also have vulnerabilities.

As for your pods and workloads, you can increase security (at some performance cost) using things like a well-crafted seccomp profile and/or adding the right capabilities in your pod security context. You can also add more security with AppArmor or SELinux, but lots of people don't since it can get very complicated.

There are also other alternatives to Docker in order to more easily sandbox your pods (still early in their lifecycle as of this writing): Kata Containers, Nabla Containers and gVisor.
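The answer names the pod-level measures (a seccomp profile, the right capabilities in the security context, a sandboxed runtime such as gVisor or Kata) without showing what they look like in a manifest. The following is an added example, not code from the question or the answer: two constructed Pod manifests, one with no hardening and one with the measures applied, plus a small `audit_pod()` function that reports which measures are missing. It goes slightly beyond the answer by also checking `runAsNonRoot`, `allowPrivilegeEscalation` and `readOnlyRootFilesystem`, which live in the same `securityContext`. The image name, the `gvisor` RuntimeClass name and the finding strings are assumptions made for the example.

```python
"""Audit Kubernetes Pod manifests for the pod hardening the answer mentions.

Added example, not code from the original question or answer. Both
manifests are constructed for illustration; audit_pod() and its finding
strings are assumptions made here, not a Kubernetes API.
"""
from typing import Any, Dict, List

# Constructed example: a pod with no hardening at all (and privileged).
WEAK_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-weak"},
    "spec": {
        "containers": [
            {
                "name": "web",
                "image": "example.invalid/web:1.0",  # placeholder image
                "securityContext": {"privileged": True},
            }
        ]
    },
}

# Constructed example: the same pod with a seccomp profile, dropped
# capabilities and a sandboxed runtime class applied.
HARDENED_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-hardened"},
    "spec": {
        # Assumes the cluster defines a RuntimeClass named "gvisor".
        "runtimeClassName": "gvisor",
        "securityContext": {
            "runAsNonRoot": True,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [
            {
                "name": "web",
                "image": "example.invalid/web:1.0",  # placeholder image
                "securityContext": {
                    "allowPrivilegeEscalation": False,
                    "readOnlyRootFilesystem": True,
                    # Drop everything, then add back only what the workload needs.
                    "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
                },
            }
        ],
    },
}


def _effective(pod_ctx: Dict[str, Any], container_ctx: Dict[str, Any], key: str) -> Any:
    """A container-level securityContext field overrides the pod-level one."""
    if key in container_ctx:
        return container_ctx[key]
    return pod_ctx.get(key)


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Return one finding per missing hardening measure (empty list = clean)."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext", {})

    if not spec.get("runtimeClassName"):
        findings.append("pod: no runtimeClassName (not using a sandboxed runtime)")

    for container in spec.get("containers", []):
        name = container.get("name", "<unnamed>")
        ctx = container.get("securityContext", {})
        if ctx.get("privileged"):
            findings.append(f"{name}: privileged container")
        if _effective(pod_ctx, ctx, "runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot not set")
        seccomp = _effective(pod_ctx, ctx, "seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: no seccomp profile")
        if ctx.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        caps = ctx.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: capabilities not dropped (expected drop: [ALL])")
        if not ctx.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: writable root filesystem")
    return findings


if __name__ == "__main__":
    for manifest in (WEAK_POD, HARDENED_POD):
        print(manifest["metadata"]["name"], audit_pod(manifest) or ["clean"])
```

Running it reports seven findings for `web-weak` and none for `web-hardened`. The check deliberately treats a missing field as a finding rather than assuming a safe default, since Kubernetes itself does not apply a seccomp profile or drop capabilities unless the manifest (or an admission policy) says so.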
