1 | 1 | ---
2 | 2 | title: "Segurança"
3 | 3 | weight: 81
| 4 | +description: > |
| 5 | + Conceitos para manutenção das suas cargas de trabalho cloud native seguras. |
| 6 | +simple_list: true |
4 | 7 | ---
5 | 8 |
| 9 | +Essa seção da documentação do Kubernetes busca ensinar a executar cargas de trabalho |
| 10 | +mais seguras e aspectos essenciais para a manutenção de um cluster Kubernetes seguro. |
| 11 | + |
| 12 | + |
| 13 | +Kubernetes is based on a cloud-native architecture, and draws on advice from the |
| 14 | +{{< glossary_tooltip text="CNCF" term_id="cncf" >}} about good practice for |
| 15 | +cloud native information security. |
| 16 | + |
| 17 | +Read [Cloud Native Security and Kubernetes](/docs/concepts/security/cloud-native-security/) |
| 18 | +for the broader context about how to secure your cluster and the applications that |
| 19 | +you're running on it. |
| 20 | + |
| 21 | +## Kubernetes security mechanisms {#security-mechanisms} |
| 22 | + |
| 23 | +Kubernetes includes several APIs and security controls, as well as ways to |
| 24 | +define [policies](#policies) that can form part of how you manage information security. |
| 25 | + |
| 26 | +### Control plane protection |
| 27 | + |
| 28 | +A key security mechanism for any Kubernetes cluster is to |
| 29 | +[control access to the Kubernetes API](/docs/concepts/security/controlling-access). |
| 30 | + |
| 31 | +Kubernetes expects you to configure and use TLS to provide |
| 32 | +[data encryption in transit](/docs/tasks/tls/managing-tls-in-a-cluster/) |
| 33 | +within the control plane, and between the control plane and its clients. |
| 34 | +You can also enable [encryption at rest](/docs/tasks/administer-cluster/encrypt-data/) |
| 35 | +for the data stored within Kubernetes control plane; this is separate from using |
| 36 | +encryption at rest for your own workloads' data, which might also be a good idea. |
| 37 | + |
| 38 | +### Secrets |
| 39 | + |
| 40 | +The [Secret](/docs/concepts/configuration/secret/) API provides basic protection for |
| 41 | +configuration values that require confidentiality. |
| 42 | + |
| 43 | +### Workload protection |
| 44 | + |
| 45 | +Enforce [Pod security standards](/docs/concepts/security/pod-security-standards/) to |
| 46 | +ensure that Pods and their containers are isolated appropriately. You can also use |
| 47 | +[RuntimeClasses](/docs/concepts/containers/runtime-class) to define custom isolation |
| 48 | +if you need it. |
| 49 | + |
| 50 | +[Network policies](/docs/concepts/services-networking/network-policies/) let you control |
| 51 | +network traffic between Pods, or between Pods and the network outside your cluster. |
| 52 | + |
| 53 | +You can deploy security controls from the wider ecosystem to implement preventative |
| 54 | +or detective controls around Pods, their containers, and the images that run in them. |
| 55 | + |
| 56 | +### Admission control {#admission-control} |
| 57 | + |
| 58 | +[Admission controllers](/docs/reference/access-authn-authz/admission-controllers/) |
| 59 | +are plugins that intercept Kubernetes API requests and can validate or mutate |
| 60 | +the requests based on specific fields in the request. Thoughtfully designing |
| 61 | +these controllers helps to avoid unintended disruptions as Kubernetes APIs |
| 62 | +change across version updates. For design considerations, see |
| 63 | +[Admission Webhook Good Practices](/docs/concepts/cluster-administration/admission-webhooks-good-practices/). |
| 64 | + |
| 65 | +### Auditing |
| 66 | + |
| 67 | +Kubernetes [audit logging](/docs/tasks/debug/debug-cluster/audit/) provides a |
| 68 | +security-relevant, chronological set of records documenting the sequence of actions |
| 69 | +in a cluster. The cluster audits the activities generated by users, by applications |
| 70 | +that use the Kubernetes API, and by the control plane itself. |
| 71 | + |
| 72 | +## Cloud provider security |
| 73 | + |
| 74 | +{{% thirdparty-content vendor="true" %}} |
| 75 | + |
| 76 | +If you are running a Kubernetes cluster on your own hardware or a different cloud provider, |
| 77 | +consult your documentation for security best practices. |
| 78 | +Here are links to some of the popular cloud providers' security documentation: |
| 79 | + |
| 80 | +{{< table caption="Cloud provider security" >}} |
| 81 | + |
| 82 | +IaaS Provider | Link | |
| 83 | +-------------------- | ------------ | |
| 84 | +Alibaba Cloud | https://www.alibabacloud.com/trust-center | |
| 85 | +Amazon Web Services | https://aws.amazon.com/security | |
| 86 | +Google Cloud Platform | https://cloud.google.com/security | |
| 87 | +Huawei Cloud | https://www.huaweicloud.com/intl/en-us/securecenter/overallsafety | |
| 88 | +IBM Cloud | https://www.ibm.com/cloud/security | |
| 89 | +Microsoft Azure | https://docs.microsoft.com/en-us/azure/security/azure-security | |
| 90 | +Oracle Cloud Infrastructure | https://www.oracle.com/security | |
| 91 | +Tencent Cloud | https://www.tencentcloud.com/solutions/data-security-and-information-protection | |
| 92 | +VMware vSphere | https://www.vmware.com/solutions/security/hardening-guides | |
| 93 | + |
| 94 | +{{< /table >}} |
| 95 | + |
| 96 | +## Policies |
| 97 | + |
| 98 | +You can define security policies using Kubernetes-native mechanisms, |
| 99 | +such as [NetworkPolicy](/docs/concepts/services-networking/network-policies/) |
| 100 | +(declarative control over network packet filtering) or |
| 101 | +[ValidatingAdmissionPolicy](/docs/reference/access-authn-authz/validating-admission-policy/) (declarative restrictions on what changes |
| 102 | +someone can make using the Kubernetes API). |
| 103 | + |
| 104 | +However, you can also rely on policy implementations from the wider |
| 105 | +ecosystem around Kubernetes. Kubernetes provides extension mechanisms |
| 106 | +to let those ecosystem projects implement their own policy controls |
| 107 | +on source code review, container image approval, API access controls, |
| 108 | +networking, and more. |
| 109 | + |
| 110 | +For more information about policy mechanisms and Kubernetes, |
| 111 | +read [Policies](/docs/concepts/policy/). |
| 112 | + |
| 113 | +## {{% heading "whatsnext" %}} |
| 114 | + |
| 115 | +Learn about related Kubernetes security topics: |
| 116 | + |
| 117 | +* [Securing your cluster](/docs/tasks/administer-cluster/securing-a-cluster/) |
| 118 | +* [Known vulnerabilities](/docs/reference/issues-security/official-cve-feed/) |
| 119 | + in Kubernetes (and links to further information) |
| 120 | +* [Data encryption in transit](/docs/tasks/tls/managing-tls-in-a-cluster/) for the control plane |
| 121 | +* [Data encryption at rest](/docs/tasks/administer-cluster/encrypt-data/) |
| 122 | +* [Controlling Access to the Kubernetes API](/docs/concepts/security/controlling-access) |
| 123 | +* [Network policies](/docs/concepts/services-networking/network-policies/) for Pods |
| 124 | +* [Secrets in Kubernetes](/docs/concepts/configuration/secret/) |
| 125 | +* [Pod security standards](/docs/concepts/security/pod-security-standards/) |
| 126 | +* [RuntimeClasses](/docs/concepts/containers/runtime-class) |
| 127 | + |
| 128 | +Learn the context: |
| 129 | + |
| 130 | +<!-- if changing this, also edit the front matter of content/en/docs/concepts/security/cloud-native-security.md to match; check the no_list setting --> |
| 131 | +* [Cloud Native Security and Kubernetes](/docs/concepts/security/cloud-native-security/) |
| 132 | + |
| 133 | +Get certified: |
| 134 | + |
| 135 | +* [Certified Kubernetes Security Specialist](https://training.linuxfoundation.org/certification/certified-kubernetes-security-specialist/) |
| 136 | + certification and official training course. |
| 137 | + |
| 138 | +Read more in this section: |
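Review bot: the translation stops after the intro paragraph; everything from "Kubernetes is based on a cloud-native architecture, and draws on advice from the" down to "Read more in this section:" is still the English source text, so this pt-br page would render almost entirely in English. Either translate the remaining body in this change (the "## Kubernetes security mechanisms", "### Control plane protection", "### Secrets", "### Workload protection", "### Admission control", "### Auditing", "## Cloud provider security" and "## Policies" sections, the table caption, and the what's-next list) or scope the PR explicitly to the front matter and intro and say so in its description. Two smaller points in the same hunk: the HTML comment "<!-- if changing this, also edit the front matter of content/en/docs/concepts/security/cloud-native-security.md to match; check the no_list setting -->" points at the English tree, and for a localized page it should name the corresponding file under the pt-br content tree, whose front matter has to be kept in sync with the description added here; and in the intro sentence "Essa seção da documentação do Kubernetes" reads better as "Esta seção", since it refers to the section the reader is currently in.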