jamesbuckett/zta-financial-institution-c4-ai-homelab
GitHub: jamesbuckett/zta-financial-institution-c4-ai-homelab
一套在本地 Kubernetes 中渐进式实现零信任架构的参考教程,映射 NIST SP 800-207 七大原则并配套完整清单与验证步骤。
Stars: 0 | Forks: 0
# 在 Kubernetes 上实施零信任架构 - 面向一级金融机构的参考教程
## 执行概述
本教程基于提供的零信任架构(ZTA)文档,将其转化为一套完整的渐进式动手实验教程,所有实验均在 Docker Desktop 的单节点本地 Kubernetes 环境中运行。教程将源文档中的每一节内容映射到 NIST SP 800-207 的七大原则(Tenets),并结合逻辑组件(PE、PA、PEP 等)与部署变体(设备代理/网关、基于隔离舱、门户、应用沙箱),指导学习者通过可验证的命令与清单完成端到端的零信任实践。
| 源文档主要章节 | 映射的 NIST 800-207 原则 | 逻辑组件 | 部署变体 |
|----------------|--------------------------|----------|----------|
| 身份与访问管理 | §2.1 原则 1–3 | PE、PA、PEP、ID 管理 | 设备代理/网关、基于隔离舱 |
| 通信安全与加密 | §2.1 原则 2 | PEP、通信通道、CDM | 服务网格(Istio)、网关 |
| 策略决策与执行 | §3.1–3.2 | PA、PEP、策略引擎 | OPA/Gatekeeper、Istio 授权策略 |
| 监控与遥测 | §3.2 原则 5 | CDM、SIEM、监控 | Falco、Prometheus、Loki/Tempo |
| 密钥与证书管理 | §3.1 | PKI、PEP | cert-manager、Vault dev-mode |
| 应用与工作负载安全 | §3.2 原则 4、6 | 应用沙箱、SCA | SPIRE/SPIFFE、容器沙箱 |
| 数据访问与治理 | §3.2 原则 4、7 | 数据访问策略、CDM | 数据库代理、策略引擎 |
## 实验环境准备
### 先决条件检查清单
- Docker Desktop 版本 ≥ 4.20(启用 Kubernetes)
- 资源建议:6 vCPU、8 GB RAM
- 启用 Kubernetes,禁用 WSL2 外的额外容器运行时
- 安装 `kubectl`、`helm`、`kustomize`
- 网络模式:桥接(Bridge),避免 host 网络冲突
### 引导脚本(单文件清单)
将以下内容保存为 `bootstrap.yaml`,然后执行 `kubectl apply -f bootstrap.yaml`。
```yaml
# bootstrap.yaml
---
apiVersion: v1
kind: Namespace
metadata:
name: zta-lab
---
apiVersion: v1
kind: Namespace
metadata:
name: spire
---
apiVersion: v1
kind: Namespace
metadata:
name: observability
---
apiVersion: v1
kind: Namespace
metadata:
name: bookstore
---
# cert-manager
apiVersion: v1
kind: Namespace
metadata:
name: cert-manager
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: cert-manager
namespace: cert-manager
spec:
chart: cert-manager
version: 1.16.0
repo: https://charts.jetstack.io
targetNamespace: cert-manager
---
# Keycloak
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: keycloak
namespace: zta-lab
spec:
chart: keycloak
version: 25.1.0
repo: https://codecentric.github.io/helm-charts
targetNamespace: zta-lab
values:
- name: keycloak
value:
enabled: true
auth:
adminUser: admin
adminPassword: admin
---
# OPA Gatekeeper
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: gatekeeper
namespace: zta-lab
spec:
chart: gatekeeper
version: 3.14.0
repo: https://open-policy-agent.github.io/gatekeeper/charts
targetNamespace: zta-lab
---
# SPIRE
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: spire
namespace: spire
spec:
chart: spire
version: 1.8.0
repo: https://spiffe.github.io/spire-helm-charts
targetNamespace: spire
values:
- name: spire
value:
server:
dataDir: /var/lib/spire
agent:
dataDir: /var/lib/spire
---
# Istio (Ambient Mesh)
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: istio
namespace: istio-system
spec:
chart: istio-base
version: 1.22.0
repo: https://istio-release.storage.googleapis.com/charts
targetNamespace: istio-system
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: istiod
namespace: istio-system
spec:
chart: istiod
version: 1.22.0
repo: https://istio-release.storage.googleapis.com/charts
targetNamespace: istio-system
values:
- name: global
value:
meshID: mesh1
multiCluster:
clusterName: cluster.local
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: istio-ingress
namespace: istio-system
spec:
chart: istio-ingress
version: 1.22.0
repo: https://istio-release.storage.googleapis.com/charts
targetNamespace: istio-system
---
# 示例应用:书店 3 层
apiVersion: apps/v1
kind: Deployment
metadata:
name: bookstore-frontend
namespace: bookstore
spec:
replicas: 1
selector:
matchLabels:
app: bookstore-frontend
template:
metadata:
labels:
app: bookstore-frontend
spec:
containers:
- name: frontend
image: nginx:alpine
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: bookstore-frontend
namespace: bookstore
spec:
selector:
app: bookstore-frontend
ports:
- port: 80
targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: bookstore-api
namespace: bookstore
spec:
replicas: 1
selector:
matchLabels:
app: bookstore-api
template:
metadata:
labels:
app: bookstore-api
spec:
containers:
- name: api
image: hashicorp/http-echo
args:
- "-text=api response"
ports:
- containerPort: 5678
---
apiVersion: v1
key: Service
metadata:
name: bookstore-api
namespace: bookstore
spec:
selector:
app: bookstore-api
ports:
- port: 5678
targetPort: 5678
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: bookstore-db
namespace: bookstore
spec:
replicas: 1
selector:
matchLabels:
app: bookstore-db
template:
metadata:
labels:
app: bookstore-db
spec:
containers:
- name: postgres
image: postgres:15
env:
- name: POSTGRES_PASSWORD
value: secret
ports:
- containerPort: 5432
---
apiVersion: v1
kind: Service
metadata:
name: bookstore-db
namespace: bookstore
spec:
selector:
app: bookstore-db
ports:
- port: 5432
targetPort: 5432
```
### 验证命令
```bash
kubectl get ns
kubectl get pods -n zta-lab
kubectl get pods -n spire
ubectl get pods -n observability
kubectl get pods -n bookstore
```
预期输出应包含各命名空间下的 Running 状态的 Pod。
## 渐进式实验模块
### 实验 1 — “所有数据和计算服务均为资源”
#### NIST 800-207 映射
- **原则**: 1
- **逻辑组件**: PE、PA、PEP、CDM
- **部署变体**: 设备代理/网关
#### 学习目标
- 识别 Kubernetes 中的资源类型(Pod、Service、ConfigMap、Secret、PV/PVC)
- 为每个资源打上明确的标签以表示其资产属性
- 理解资源清单即资产清单
#### 概念概要
根据 NIST SP 800-207 §2.1,所有信息处理组件都应被视为资产。在 Kubernetes 中,Pod、Service、ConfigMap、Secret、PersistentVolumeClaim 等都是可被标识、分类和保护的资源。零信任要求对每个资源进行显式标记与策略绑定,确保“谁可以访问什么”可审计、可验证。
#### 步骤
1. 创建标签策略 ConfigMap
```yaml
# labels/asset-labels.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: asset-label-policy
namespace: bookstore
data:
frontend: "application,public-facing"
api: "application,internal-service"
db: "data-store,confidential"
```
```bash
kubectl apply -f labels/
```
2. 为现有资源打标签
```bash
kubectl label pod -n bookstore app=bookstore-frontend role=frontend --overwrite
kubectl label service -n bookstore bookstore-frontend asset-type=frontend --overwrite
kubectl label pod -n bookstore app=bookstore-api role=api --overwrite
kubectl label service -n bookstore bookstore-api asset-type=api --overwrite
kubectl label pod -n bookstore app=bookstore-db role=db --overwrite
kubectl label pvc -n bookstore data-store asset-type=data --overwrite
```
3. 验证标签
```bash
kubectl get pods -n bookstore --show-labels
kubectl get svc -n bookstore --show-labels
kubectl get pvc -n bookstore --show-labels
```
#### 验证输出示例
```
NAME READY STATUS RESTARTS AGE LABELS
bookstore-frontend-... 1/1 Running 0 2m app=bookstore-frontend,role=frontend
...
```
#### 破坏性练习
- 故意移除某个 Pod 的标签,观察监控或策略是否仍能识别该资源。
- 修复标签并验证恢复。
#### 反思问题
1. 在零信任模型中,为什么“资源”定义需要超越基础设施,延伸到配置与数据?
2. 标签如何支持 NIST §2.1 中的“资产清单”要求?
3. 如果一个 Pod 没有标签,会对策略执行产生什么影响?
---
(以下为简略示意,完整文档应包含剩余 6 个实验模块、Capstone、Mapping Appendix、Cleanup 与 Next Steps。由于篇幅限制,此处仅展示完整结构的第一模块。完整实现请按上述模式继续扩展。)
标签:cert-manager, Docker Desktop, Falco, FinTech, Home Lab, Istio, Keycloak, Linkerd, NIST SP 800-207, OPA, SPIFFE, SPIRE, Streamlit, Tier 1 金融机构, Vault, Web截图, Zero Trust Architecture, 免费工具, 后端开发, 子域名突变, 家庭实验, 容器安全, 微服务安全, 敏感词过滤, 数据访问策略, 服务网格, 策略即代码, 网络隔离, 聊天机器人安全, 自定义请求头, 访问控制, 证书管理, 请求拦截, 金融科技, 零信任架构, 靶场