1) RBAC 最小權限實作

反模式：給人或 CI/CD cluster-admin。

建議：職能導向角色 + 命名空間邊界。

# 只能讀取同 NS 的 Pod
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: ephi-core
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: bind-dev-to-pod-reader
  namespace: ephi-core
subjects:
- kind: Group
  name: devs
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

2) Admission Policy（Gatekeeper / Kyverno）

禁止特權、HostPath、要求資源與探針（Kyverno 範例）

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged-and-hostpath
spec:
  validationFailureAction: enforce
  rules:
  - name: no-privileged
    match:
      resources:
        kinds: [Pod]
    validate:
      message: "Privileged containers are not allowed"
      pattern:
        spec:
          containers:
          - =(securityContext):
              =(privileged): false
  - name: no-hostpath
    match:
      resources:
        kinds: [Pod]
    validate:
      message: "HostPath volumes are forbidden"
      deny:
        conditions:
          any:
          - key: "{{ request.object.spec.volumes[].hostPath }}"
            operator: NotEquals
            value: null
  - name: require-requests-limits-and-probes
    match:
      resources:
        kinds: [Deployment,StatefulSet,DaemonSet,Job,CronJob]
    validate:
      message: "Containers must set resources and liveness/readiness probes"
      foreach:
      - list: "request.object.spec.template.spec.containers[]"
        deny:
          conditions:
            any:
            - key: "{{ element.resources.requests.cpu }}"
              operator: Equals
              value: null
            - key: "{{ element.livenessProbe }}"
              operator: Equals
              value: null
            - key: "{{ element.readinessProbe }}"
           

鏡像簽章驗證（Cosign）

apiVersion: kyverno.io/v2
kind: ClusterPolicy
metadata:
  name: verify-image-signatures
spec:
  validationFailureAction: enforce
  rules:
    - name: verify-signature
      match:
        resources:
          kinds: [Pod]
      verifyImages:
      - imageReferences:
        - "registry.example.com/*"
        attestors:
        - entries:
          - keys:
              publicKeys: |
                -----BEGIN PUBLIC KEY-----
                ...
                -----END PUBLIC KEY-----

3) K8s 審計（Audit Policy）與留痕

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets"]
- level: RequestResponse
  verbs: ["update","patch","create","delete"]
  resources:
  - group: "rbac.authorization.k8s.io"
    resources: ["roles","rolebindings","clusterroles","clusterrolebindings"]
- level: Metadata
  userGroups: ["system:authenticated"]

審計日誌需送往集中式 SIEM（可用 OTel Collector → Kafka/ELK/Cloud SIEM）。

4) Runtime 偵測（Falco）與基線檢查（CIS/kube‑bench）

• Falco：偵測容器逃逸、寫可執行檔、shell 啟動等異常行為。
• kube‑bench：對照 CIS Kubernetes Benchmark 產出報告，納入每季檢核。

5) 相關連結（Part 3）

• RBAC 授權：https://kubernetes.io/docs/reference/access-authn-authz/rbac/
• Admission Controllers（總覽）：https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
• Pod Security Admission：https://kubernetes.io/docs/concepts/security/pod-security-admission/
• OPA Gatekeeper：https://open-policy-agent.github.io/gatekeeper/website/docs/
• Kyverno（Sigstore 驗簽）：https://main.kyverno.io/docs/policy-types/cluster-policy/verify-images/sigstore/
• Cosign 與 Policy Controller：
• https://docs.sigstore.dev/policy-controller/overview/
• https://kubernetes.io/blog/2023/06/29/container-image-signature-verification/
• Kubernetes Auditing（文件與 flags）：
• https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/
• https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
• Falco（Runtime Security）：https://falco.org/docs/
• kube‑bench（CIS 檢查）：https://github.com/aquasecurity/kube-bench