Chapter 12: Security Configuration

A detailed guide to Prometheus security configuration, covering TLS encryption, authentication, authorization and API security

Last updated: 2024-01-01

12.1 Security Overview

Prometheus security configuration spans several layers: encryption of network traffic, authentication, access authorization and API security.

12.1.1 Security Layers

| Layer | Component | Risk |
|---|---|---|
| Network | TLS/SSL | Eavesdropping, man-in-the-middle attacks |
| Authentication | Basic Auth, TLS client certificates | Unauthorized access |
| Authorization | RBAC | Excessive privileges |
| API | Rate limiting | API abuse |

12.1.2 Security Configuration Matrix

| Feature | Prometheus native | Grafana integration | Recommended approach |
|---|---|---|---|
| TLS encryption | | | Enable and enforce |
| Basic Auth | | | Combine with TLS |
| Client certificates | | | Production environments |
| RBAC | | | External gateway |
| API Token | ⚠️ | | Webhook/Alerting |

12.2 TLS Configuration

12.2.1 Server TLS

# web-config.yml (loaded with --web.config.file=/etc/prometheus/web-config.yml;
# TLS and authentication for the HTTP server live here, not in prometheus.yml,
# and the listen address is a command-line flag: --web.listen-address=":9090")
tls_server_config:
  # Certificate file
  cert_file: /etc/prometheus/tls/server.crt
  # Private key file
  key_file: /etc/prometheus/tls/server.key
  # Minimum TLS version (TLS10, TLS11, TLS12 or TLS13)
  min_version: TLS12
  # Cipher suites for TLS 1.2 (TLS 1.3 suites are fixed by Go and not configurable)
  cipher_suites:
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

12.2.2 Generating Certificates

# Create the CA
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha256 -key ca.key -days 3650 -out ca.crt \
  -subj "/CN=Prometheus CA"

# Generate the server key and certificate signing request
openssl genrsa -out server.key 2048
openssl req -new -sha256 -key server.key -out server.csr \
  -subj "/CN=prometheus.example.com"

# Extension file referenced below: clients validate the SAN, not the CN
cat > server.ext <<'EOF'
subjectAltName = DNS:prometheus.example.com
extendedKeyUsage = serverAuth
EOF

# Sign the server certificate with the CA
openssl x509 -req -sha256 -in server.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out server.crt -days 365 -extfile server.ext

# Verify the certificate chain
openssl verify -CAfile ca.crt server.crt

12.2.3 Client Certificate Authentication

# web-config.yml
tls_server_config:
  cert_file: /etc/prometheus/tls/server.crt
  key_file: /etc/prometheus/tls/server.key
  # Client CA (used to verify client certificates)
  client_ca_file: /etc/prometheus/tls/ca.crt
  # Require a client certificate and verify it against the CA above
  client_auth_type: RequireAndVerifyClientCert

12.3 Authentication Configuration

12.3.1 Basic Auth

# web-config.yml
# Note: every user listed here gets identical access; Prometheus has no
# per-user authorization, so a "readonly" user can call the same endpoints as admin
basic_auth_users:
  admin: $2b$12$...  # bcrypt password hash
  readonly: $2b$12$...

# Generate a bcrypt hash (cost 12) for the admin user
htpasswd -nBC 12 admin

12.3.2 Alertmanager Authentication

# alertmanager.yml
global:
  # SMTP password; newer Alertmanager versions also accept smtp_auth_password_file
  smtp_auth_password: 'password'

route:
  receiver: 'default'

# Receivers are a top-level list; the route above refers to them by name
receivers:
  - name: 'default'
    webhook_configs:
      - url: 'https://webhook.example.com/alerts'
        http_config:
          basic_auth:
            username: 'alertmanager'
            password_file: '/etc/alertmanager/secrets/webhook_password'
    slack_configs:
      - api_url: 'https://hooks.slack.com/services/xxx'
        http_config:
          basic_auth:
            username: 'slack'
            password_file: '/etc/alertmanager/secrets/slack_password'

12.3.3 Remote Read/Write Authentication

remote_write:
  - url: https://remote-storage:9200/write
    # Basic Auth: password and password_file are mutually exclusive, so use one
    # or the other (a file keeps the secret out of prometheus.yml)
    basic_auth:
      username: admin
      password_file: /etc/prometheus/secrets/remote_password
      # password: password   # inline alternative, not recommended

remote_read:
  - url: https://remote-storage:9200/read
    # OAuth2 client credentials
    oauth2:
      client_id: prometheus
      # client_secret_file is the file-based alternative to an inline client_secret
      client_secret: secret
      token_url: https://auth.example.com/oauth2/token

12.3.4 OAuth2 Configuration

remote_write:
  - url: https://thanos.example.com/api/v1/receive
    oauth2:
      client_id: prometheus
      client_secret_file: /etc/prometheus/secrets/oauth2_secret
      token_url: https://auth.example.com/oauth2/token
      scopes:
        - prometheus
      tls_config:
        ca_file: /etc/prometheus/certs/ca.crt
        cert_file: /etc/prometheus/certs/client.crt
        key_file: /etc/prometheus/certs/client.key

12.4 Scrape Configuration Security

12.4.1 HTTPS Scrape

scrape_configs:
  - job_name: 'secure-target'
    scheme: https
    # TLS configuration
    tls_config:
      # CA certificate used to verify the target
      ca_file: /etc/prometheus/certs/ca.crt
      # Skip certificate verification (never in production)
      insecure_skip_verify: false
      # Client certificate presented to the target
      cert_file: /etc/prometheus/certs/client.crt
      key_file: /etc/prometheus/certs/client.key
      # Server name checked against the target's certificate
      server_name: target.example.com
    static_configs:
      - targets: ['target.example.com:9100']

12.4.2 Private CA

scrape_configs:
  - job_name: 'internal-service'
    scheme: https
    tls_config:
      ca_file: /etc/prometheus/certs/internal-ca.crt
    static_configs:
      - targets: ['internal-app:9100']

12.5 API Security

12.5.1 API Authentication

# Query with Basic Auth (quote the URL so the shell does not interpret ? and &)
curl -u admin:password 'http://localhost:9090/api/v1/query?query=up'

# Query with a Bearer token. The web config itself only supports Basic Auth and
# client certificates, so the token is validated by a reverse proxy or gateway
# in front of Prometheus
curl -H "Authorization: Bearer $TOKEN" 'http://localhost:9090/api/v1/query?query=up'

12.5.2 API Endpoint Permissions

| Endpoint | Method | Authentication | Description |
|---|---|---|---|
| /api/v1/query | GET | Basic Auth | Instant query |
| /api/v1/query_range | GET | Basic Auth | Range query |
| /api/v1/series | GET | Basic Auth | Series query |
| /api/v1/label | GET | Basic Auth | Label query |
| /-/healthy | GET | | Health check |
| /-/ready | GET | | Readiness check |
| /-/reload | POST | | Configuration reload (only served when --web.enable-lifecycle is set) |
| /api/v1/admin/tsdb/... | POST | Basic Auth | Admin operations (only served when --web.enable-admin-api is set) |

12.5.3 Rate Limiting

# Prometheus has no built-in per-client rate limiting; these command-line flags
# bound the cost of each query instead. Put a reverse proxy or API gateway in
# front of Prometheus for real rate limiting.
# --query.timeout:         abort a query that runs longer than this
# --query.max-samples:     abort a query that loads more samples than this
# --query.max-concurrency: cap the number of queries executing at once
prometheus \
  --query.timeout=60s \
  --query.max-samples=50000000 \
  --query.max-concurrency=20

12.6 Managing Sensitive Information

12.6.1 Environment Variables

# Prometheus does not expand environment variables inside its config files, so
# keep a template, render it at start-up (here with envsubst) and pass the result.
# prometheus.yml.tmpl
remote_write:
  - url: ${REMOTE_WRITE_URL}
    basic_auth:
      username: ${REMOTE_WRITE_USERNAME}
      password: ${REMOTE_WRITE_PASSWORD}

# web-config.yml.tmpl (the value must be a bcrypt hash, not a plaintext password)
basic_auth_users:
  admin: ${PROMETHEUS_ADMIN_PASSWORD_HASH}

# Render both files before starting Prometheus
envsubst < prometheus.yml.tmpl > prometheus.yml
envsubst < web-config.yml.tmpl > web-config.yml

12.6.2 Kubernetes Secret

# prometheus-config.yaml
apiVersion: v1
kind: Secret
metadata:
  name: prometheus-secrets
  namespace: monitoring
type: Opaque
stringData:
  # stringData values are stored base64-encoded, not encrypted: enable
  # encryption at rest and restrict read access to the Secret with RBAC
  admin-password: "<admin-password>"
  slack-webhook: "https://hooks.slack.com/xxx"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: prometheus-config
  namespace: monitoring
data:
  prometheus.yml: |
    global:
      external_labels:
        cluster: prod
    remote_write:
      # in-cluster traffic over http is cleartext unless a mesh or TLS terminates it
      - url: http://thanos-receive:19291/api/v1/receive
        basic_auth:
          username: admin
          # the Secret must be mounted into the Pod at /etc/secrets for this path to exist
          password_file: /etc/secrets/admin-password

12.6.3 Vault Integration

# web-config.yml
tls_server_config:
  # Certificate and key rendered and renewed by Vault Agent (see below)
  cert_file: /etc/certs/tls.crt
  key_file: /etc/certs/tls.key
  # CA issued by Vault, used to verify client certificates
  client_ca_file: /etc/certs/vault-ca.crt

# Vault Agent renders the files from templates and keeps them renewed
# vault agent -config=/etc/vault/vault-agent.hcl

12.7 Network Policy

12.7.1 Kubernetes NetworkPolicy

# prometheus-network-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: prometheus-policy
  namespace: monitoring
spec:
  podSelector:
    matchLabels:
      app: prometheus
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Allow access to the Prometheus UI/API from the ingress controller and Grafana
    - from:
        - namespaceSelector:
            matchLabels:
              name: ingress-nginx
        - podSelector:
            matchLabels:
              app: grafana
      ports:
        - protocol: TCP
          port: 9090
  egress:
    # Allow scraping targets. Egress is now default-deny, so add similar rules
    # for Alertmanager, remote_write endpoints and every other scrape target
    - to:
        - podSelector:
            matchLabels:
              app: node-exporter
      ports:
        - protocol: TCP
          port: 9100
    # Allow DNS (UDP for normal lookups, TCP for large responses)
    - to:
        - namespaceSelector: {}
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53

12.7.2 Firewall Rules

# Example iptables rules
# Allow Prometheus to reach exporters
iptables -A OUTPUT -p tcp -d 192.168.0.0/24 --dport 9100 -j ACCEPT

# Allow Prometheus to reach Alertmanager
iptables -A OUTPUT -p tcp -d 192.168.1.0/24 --dport 9093 -j ACCEPT

# Allow access to the web UI/API from the internal network only
iptables -A INPUT -p tcp --dport 9090 -s 10.0.0.0/8 -j ACCEPT

# Drop all other access to port 9090 (rule order matters: ACCEPT first, then DROP)
iptables -A INPUT -p tcp --dport 9090 -j DROP

12.8 Security Hardening Checklist

12.8.1 Deployment Hardening

# Pod-level securityContext (pod.spec.securityContext)
securityContext:
  runAsNonRoot: true
  runAsUser: 65534
  fsGroup: 65534
  seccompProfile:
    type: RuntimeDefault

# Container-level securityContext (pod.spec.containers[].securityContext)
securityContext:
  # the TSDB data directory must then be a separately mounted, writable volume
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL

12.8.2 Configuration Checklist

| Check item | Recommendation |
|---|---|
| TLS version | ≥ 1.2 |
| TLS certificates | Issued by a trusted CA |
| Authentication | Enable Basic Auth |
| Password strength | bcrypt cost ≥ 10 |
| API access | Restrict by source IP |
| Port exposure | Expose only the ports that are needed |
| Log auditing | Enable the query log |
| Secret management | Use Vault or Kubernetes Secrets |
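
As an added example (not from the original page or the Prometheus project), a small line-based linter that checks Prometheus configuration text against the checklist above: inline secrets, disabled certificate verification, weak TLS minimum versions, cleartext scrape or remote endpoints, and bcrypt cost factors below 10. The YAML it scans is a constructed sample.

```python
"""Line-based hardening checks over Prometheus YAML configuration, following the
checklist in 12.8.2. Added example; the config below is constructed."""
import re

BCRYPT_RE = re.compile(r"\$2[aby]\$(\d{2})\$")  # cost factor sits in the prefix
INLINE_SECRET_KEYS = {"password", "client_secret", "bearer_token", "smtp_auth_password"}

def lint_config(text, min_cost=10):
    """Return [(line_no, finding)] for every line that fails a checklist item."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lstrip("- "), value.strip().strip("'\"")
        # Inline secrets: the *_file variant keeps the secret out of the YAML
        if key in INLINE_SECRET_KEYS and value:
            findings.append((no, f"inline secret in '{key}', use {key}_file"))
        if key == "insecure_skip_verify" and value.lower() == "true":
            findings.append((no, "insecure_skip_verify: true disables certificate verification"))
        if key == "min_version" and value in ("TLS10", "TLS11"):
            findings.append((no, f"TLS minimum version {value} is below TLS 1.2"))
        if key == "scheme" and value == "http":
            findings.append((no, "scrape scheme is http, targets are scraped in cleartext"))
        if key == "url" and value.startswith("http://"):
            findings.append((no, "remote endpoint uses http://"))
        m = BCRYPT_RE.match(value)
        if m and int(m.group(1)) < min_cost:
            findings.append((no, f"bcrypt cost {m.group(1)} for '{key}' is below {min_cost}"))
    return findings

SAMPLE = """\
basic_auth_users:
  admin: $2y$12$0123456789abcdefghijkl.ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijk
  readonly: $2y$08$0123456789abcdefghijkl.ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijk
tls_server_config:
  min_version: TLS10
scrape_configs:
  - job_name: legacy
    scheme: http
    tls_config:
      insecure_skip_verify: true
remote_write:
  - url: http://remote-storage:9200/write
    basic_auth:
      username: admin
      password: hunter2   # inline secret
"""
```

Run `lint_config(SAMPLE)` to get six findings, one per weak line; the check is text-based and deliberately ignores YAML nesting, so a `password:` under any block is flagged.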

12.8.3 Audit Logging

# prometheus.yml: the query log is a global setting, not a web setting
global:
  # Every query is appended to this file as one JSON object per line
  query_log_file: /var/log/prometheus/query.log

# The log format is a command-line flag, not a config key
# prometheus --log.format=json
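
The query log above is only useful if something reads it. As an added example (not from the original page), a small analyzer that parses query log lines and flags two abuse signals: individual queries whose evaluation time exceeds a threshold, and clients issuing more than a set number of queries inside a sliding window. The log lines are constructed; the field names (`params.query`, `stats.timings.evalTotalTime`, `httpRequest.clientIP`, `ts`) follow the documented query log format.

```python
"""Flag slow and bursty queries in the Prometheus query log (one JSON object per
line, as written by query_log_file). Added example: the log lines are constructed
and the field names follow the documented query log format."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")

def analyze_query_log(lines, slow_seconds=5.0, burst_limit=3, window=timedelta(seconds=10)):
    """Return (slow, bursty): slow lists (clientIP, query, evalTotalTime) above
    slow_seconds; bursty maps clientIP to its peak query count in any `window`."""
    slow, stamps_by_client = [], defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        # Rule evaluations are logged without an httpRequest block
        client = rec.get("httpRequest", {}).get("clientIP", "rule")
        eval_time = rec["stats"]["timings"]["evalTotalTime"]
        if eval_time > slow_seconds:
            slow.append((client, rec["params"]["query"], eval_time))
        stamps_by_client[client].append(parse_ts(rec["ts"]))
    bursty = {}
    for client, stamps in stamps_by_client.items():
        stamps.sort()
        start = peak = 0
        for end, t in enumerate(stamps):  # sliding window over sorted timestamps
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > burst_limit:
            bursty[client] = peak
    return slow, bursty

def _rec(ts, ip, query, eval_time):  # one constructed line in query_log_file layout
    return json.dumps({"params": {"query": query, "start": ts, "end": ts, "step": 0},
                       "stats": {"timings": {"evalTotalTime": eval_time}},
                       "ts": ts, "httpRequest": {"clientIP": ip, "method": "GET", "path": "/api/v1/query"}})

SAMPLE_LOG = [
    _rec("2024-01-01T10:00:00.000Z", "10.0.0.5", "up", 0.001),
    _rec("2024-01-01T10:00:01.000Z", "10.0.0.5", "up", 0.001),
    _rec("2024-01-01T10:00:02.000Z", "10.0.0.5", "sum(rate(http_requests_total[30d]))", 12.3),
    _rec("2024-01-01T10:00:03.000Z", "10.0.0.5", "up", 0.001),
    _rec("2024-01-01T10:00:40.000Z", "10.0.0.5", "up", 0.001),
    _rec("2024-01-01T10:00:05.000Z", "10.0.0.9", "node_load1", 0.002),
]
```

Feed the real file with `analyze_query_log(open("/var/log/prometheus/query.log"))`; the thresholds are starting points to tune against normal dashboard traffic.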

12.9 Chapter Summary

This chapter covered Prometheus security configuration:

  1. Security overview - security layers and risks
  2. TLS configuration - server and client certificates
  3. Authentication - Basic Auth and OAuth2
  4. Scrape security - HTTPS and certificate authentication
  5. API security - authentication and rate limiting
  6. Managing sensitive information - environment variables and Secrets
  7. Network policy - Kubernetes NetworkPolicy
  8. Security hardening - deployment hardening and checklist