akhiladarsh/eks-security-baseline
GitHub: akhiladarsh/eks-security-baseline
Production-grade security hardening for AWS EKS, integrating Falco runtime detection, OPA Gatekeeper admission policies and Network Policy segmentation to meet HIPAA/SOC2 compliance requirements.
Stars: 0 | Forks: 0
# eks-security-baseline
Production-grade Kubernetes security hardening for AWS EKS: Falco runtime threat detection, OPA Gatekeeper policy enforcement, and a Network Policies baseline.
## Features
- **Falco** - Real-time runtime security. Detects container escapes, privilege escalation, unexpected shells, and PHI access patterns
- **OPA Gatekeeper** - Policy-as-code enforcement at admission time. Blocks non-compliant workloads before they run
- **Network Policies** - Zero-trust network segmentation between namespaces and Pods
- All policies are tuned for **HIPAA/SOC2** regulated workloads
## Architecture
```
kubectl apply / Helm install
        │
        ▼
API Server Admission
        │
        ├── OPA Gatekeeper (MutatingWebhook + ValidatingWebhook)
        │     ├── Block: containers running as root
        │     ├── Block: privileged containers
        │     ├── Block: images without digest pin
        │     ├── Block: missing resource limits
        │     └── Block: host network/PID/IPC access
        │
        ▼ (admitted)
Pod running on Node
        │
        ▼
Falco (DaemonSet)
  ├── Detect: shell spawned inside container
  ├── Detect: unexpected outbound connection
  ├── Detect: sensitive file read (/etc/shadow, /proc/*)
  ├── Detect: privilege escalation attempt
  └── Alert → CloudWatch Logs → Splunk/Kinesis
```
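The five "Block:" rules in the admission stage are easy to reason about offline before a manifest ever reaches the webhook. The following is an added example, not the project's Rego or ConstraintTemplates: it re-implements those five checks in plain Python over a Pod or workload object (function names, violation wording and the two sample Deployments are constructed here; the ECR account ID is a placeholder). It is useful as a pre-commit or CI gate, and the same logic is what the Gatekeeper violation message later on this page reports from the cluster side.

```python
"""Offline pre-admission check mirroring the five "Block:" rules in the
architecture diagram. Added example, not the project's Rego or
ConstraintTemplates: function names, violation wording and the sample
Deployments are constructed here; the ECR account ID is a placeholder."""
import json
import re
import sys

# An image is digest-pinned when it ends in @sha256:<64 hex>; a tag alone is mutable.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
HOST_NAMESPACE_FIELDS = ("hostNetwork", "hostPID", "hostIPC")
POD_TEMPLATE_KINDS = ("Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job")


def check_pod_spec(pod_spec):
    """Return a list of violation strings for a PodSpec dict; empty means admitted."""
    violations = []
    for f in HOST_NAMESPACE_FIELDS:
        if pod_spec.get(f):
            violations.append(f"pod must not set {f}: true")

    pod_sc = pod_spec.get("securityContext", {})
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        # Container-level settings override pod-level ones, as in Kubernetes.
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        # UID 0 is always root; an unset UID falls back to the image default,
        # which is only acceptable when runAsNonRoot makes the kubelet verify it.
        if run_as_user == 0 or (run_as_user is None and run_as_non_root is not True):
            violations.append(f"container {name} must not run as root")
        if sc.get("privileged"):
            violations.append(f"container {name} must not be privileged")
        if not DIGEST_RE.search(c.get("image", "")):
            violations.append(f"container {name} image must be pinned by digest")
        limits = c.get("resources", {}).get("limits", {})
        missing = [k for k in ("cpu", "memory") if k not in limits]
        if missing:
            violations.append(f"container {name} missing resources.limits: {', '.join(missing)}")
    return violations


def check_manifest(obj):
    """Locate the PodSpec inside a Pod or workload object and check it."""
    kind = obj.get("kind")
    if kind == "Pod":
        return check_pod_spec(obj["spec"])
    if kind in POD_TEMPLATE_KINDS:
        return check_pod_spec(obj["spec"]["template"]["spec"])
    if kind == "CronJob":
        return check_pod_spec(obj["spec"]["jobTemplate"]["spec"]["template"]["spec"])
    return []  # not a workload kind; nothing to check


# Constructed sample: the kind of workload the violation message on this page rejects.
BAD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "api-deployment", "namespace": "prod"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "api-container",
            "image": "myapp:1.2.3",
            "securityContext": {"privileged": True},
        }],
    }}},
}

# Constructed sample that passes all five rules (account ID is a placeholder).
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "api-deployment", "namespace": "prod"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "api-container",
            "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp@sha256:" + "a" * 64,
            "securityContext": {"privileged": False, "allowPrivilegeEscalation": False},
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"},
                          "requests": {"cpu": "100m", "memory": "128Mi"}},
        }],
    }}},
}

if __name__ == "__main__":
    # With file arguments, check JSON from `kubectl get deploy <name> -o json`.
    targets = [(p, json.load(open(p))) for p in sys.argv[1:]] or [
        ("BAD_DEPLOYMENT", BAD_DEPLOYMENT), ("GOOD_DEPLOYMENT", GOOD_DEPLOYMENT)]
    for label, manifest in targets:
        problems = check_manifest(manifest)
        print(f"{label}: {'admitted' if not problems else 'DENIED'}")
        for p in problems:
            print(f"  - {p}")
```

When rolling the real Constraints out to a cluster, set `enforcementAction: dryrun` on each Constraint first and read Gatekeeper's audit results before switching to `deny`; a pre-check like the one above catches most violations before that, but the audit is what shows existing workloads that would break.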
## Repository structure
```
.
├── falco/
│   └── rules/
│       └── custom-rules.yaml       # HIPAA-tuned Falco rules
├── opa/
│   ├── policies/
│   │   ├── require-non-root.rego   # Block root containers
│   │   └── require-limits.rego     # Enforce resource limits
│   └── constraints/
│       ├── require-non-root.yaml   # Gatekeeper ConstraintTemplate
│       └── require-limits.yaml     # Gatekeeper ConstraintTemplate
├── k8s/
│   ├── network-policy-baseline.yaml
│   └── namespace-isolation.yaml
├── scripts/
│   └── eks_security_audit.py       # boto3 EKS config auditor
└── README.md
```
## Prerequisites
- AWS EKS cluster (1.28+)
- `kubectl` configured for the cluster
- Helm 3
## Installation
### 1. Install Falco
```
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm install falco falcosecurity/falco \
--namespace falco \
--create-namespace \
--set driver.kind=ebpf \
--set falco.grpc.enabled=true \
--set falcoctl.artifact.follow.enabled=true \
-f falco/values.yaml
```
### 2. Install OPA Gatekeeper
```
helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
helm repo update
helm install gatekeeper gatekeeper/gatekeeper \
--namespace gatekeeper-system \
--create-namespace \
--set replicas=2 \
--set auditInterval=30
# Apply the ConstraintTemplates and Constraints. Gatekeeper only compiles Rego that is
# embedded in a ConstraintTemplate's `rego` field, and `kubectl apply -f <dir>` only
# reads .json/.yaml/.yml files, so the .rego sources under opa/policies/ are not
# applied on their own.
kubectl apply -f opa/policies/
kubectl apply -f opa/constraints/
```
### 3. Apply Network Policies
```
kubectl apply -f k8s/network-policy-baseline.yaml
kubectl apply -f k8s/namespace-isolation.yaml
```
## Example Falco alert
```
11:32:14.891653285: Warning Shell spawned in container (user=root
user_loginuid=-1 k8s.ns=prod k8s.pod=api-deployment-7d9f8c-xkp2n
container=api-container shell=bash parent=runc cmdline=bash
pid=28341 terminal=34816 container_id=a3d9b2c1f4e8
image=myapp:1.2.3)
```
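The alert above is Falco's default text output: a timestamp, a priority, the rule's output text, and a parenthesised run of `key=value` fields. Anything downstream in the diagram's "Alert → CloudWatch Logs → Splunk/Kinesis" path has to recover those fields to decide what to do. The following is an added example, not code from the project: it parses that line format, including values that contain spaces such as a full `cmdline`, and applies an assumed routing policy (page on Error and above, page on Warning in a regulated namespace, ticket on Notice, otherwise log). The sample lines are constructed: the first follows the alert shown above with a multi-word `cmdline` added, the second is invented.

```python
"""Parser for Falco's default text alert line plus a severity-based router.
Added example, not code from the project: the sample lines are constructed
and the routing rules are an assumed policy, not the repository's."""
import re
from dataclasses import dataclass, field

# Falco's priority levels, highest first.
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]

# "<time>: <Priority> <rule output>" (default time format, no hostname prefix).
HEADER_RE = re.compile(r"^(?P<time>\S+): (?P<priority>[A-Za-z]+) (?P<rest>.*)$")
# key=value pairs; a value runs until the next " key=" token or the end, so
# values with spaces (cmdline=bash -c id) survive. A value that itself contains
# " word=" would still be split: switch Falco to json_output in production.
FIELD_RE = re.compile(r"([\w.]+)=(.*?)(?=\s+[\w.]+=|$)")


@dataclass
class FalcoAlert:
    time: str
    priority: str
    rule_text: str
    fields: dict = field(default_factory=dict)


def parse_alert(line):
    """Parse one Falco text-output line into a FalcoAlert."""
    m = HEADER_RE.match(line.strip())
    if not m or m["priority"] not in PRIORITIES:
        raise ValueError(f"not a Falco text alert: {line!r}")
    rest = m["rest"]
    start = rest.find("(")
    if start == -1 or not rest.endswith(")"):
        rule_text, body = rest.strip(), ""
    else:
        rule_text, body = rest[:start].strip(), rest[start + 1:-1]
    return FalcoAlert(m["time"], m["priority"], rule_text, dict(FIELD_RE.findall(body)))


def at_least(priority, threshold):
    """True when `priority` is at least as severe as `threshold`."""
    return PRIORITIES.index(priority) <= PRIORITIES.index(threshold)


def route(alert, regulated_namespaces=("prod",)):
    """Assumed routing policy: Error+ pages anywhere, Warning+ pages in a
    regulated namespace, Notice+ opens a ticket, everything else is logged."""
    if at_least(alert.priority, "Error"):
        return "page"
    if at_least(alert.priority, "Warning") and alert.fields.get("k8s.ns") in regulated_namespaces:
        return "page"
    if at_least(alert.priority, "Notice"):
        return "ticket"
    return "log"


# Constructed sample lines (one line each; the README wraps its example for display).
SAMPLE_SHELL = (
    "11:32:14.891653285: Warning Shell spawned in container (user=root "
    "user_loginuid=-1 k8s.ns=prod k8s.pod=api-deployment-7d9f8c-xkp2n "
    "container=api-container shell=bash parent=runc cmdline=bash -c id "
    "pid=28341 terminal=34816 container_id=a3d9b2c1f4e8 image=myapp:1.2.3)"
)
SAMPLE_DEV = (
    "11:40:02.000000001: Notice Sensitive file opened for reading (user=app "
    "k8s.ns=dev k8s.pod=tool-5f8d cmdline=cat /etc/shadow image=tool:0.1)"
)

if __name__ == "__main__":
    for line in (SAMPLE_SHELL, SAMPLE_DEV):
        a = parse_alert(line)
        print(f"{a.priority:8} {a.fields.get('k8s.ns', '-'):5} {route(a):6} "
              f"{a.rule_text} cmdline={a.fields.get('cmdline')!r}")
```

The parser exists to show what the text format carries; in a real pipeline set `json_output: true` in Falco's configuration so CloudWatch Logs receives structured events and the `key=value` regex is not needed at all.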
## Example OPA Gatekeeper violation
```
Error from server ([require-non-root] Container api-container must
not run as root. Set securityContext.runAsNonRoot: true and
securityContext.runAsUser to a non-zero UID): error when creating
"deployment.yaml": admission webhook "validation.gatekeeper.sh"
denied the request
```
## Background
Built from hands-on EKS production experience in which patient-data security and HIPAA compliance drove every architectural decision. These policies reflect real experience gained while securing a platform that supports home hemodialysis devices.
**Author:** Akhil Adarsh Suryapagula
**LinkedIn:** [linkedin.com/in/akhiladarsh](https://linkedin.com/in/akhiladarsh)
**Website:** [akhiladarsh.com](https://akhiladarsh.com)