Prácticas recomendadas de seguridad en Knative serving
Organiza tus páginas con colecciones
Guarda y categoriza el contenido según tus preferencias.
En este documento, se describe cómo configurar Knative serving y sus principales componentes según las prácticas recomendadas de seguridad.
Protege Knative serving
Knative serving se basa en el proyecto de código abierto Knative y hereda su postura de seguridad.
Las cargas de trabajo que se ejecutan en Knative serving comparten los mismos nodos de red y de procesamiento.
Debes crear clústeres independientes para las cargas de trabajo que no tengan confianza mutua.
Los clústeres de Knative serving no deben ejecutar cargas de trabajo no relacionadas, como la infraestructura o las bases de datos de CI/CD.
Entre los motivos para crear varios clústeres para cargas de trabajo de Knative serving, se incluyen los siguientes:
Separación del entorno de desarrollo del de producción.
Aislar aplicaciones que pertenecen a diferentes equipos.
Aislar cargas de trabajo con muchos privilegios.
Una vez que hayas diseñado tus clústeres, sigue estas acciones para protegerlos:
Debes suscribirte a los boletines de seguridad de las dependencias de Knative serving a fin de poder mantenerte al día con las vulnerabilidades conocidas:
[[["Fácil de comprender","easyToUnderstand","thumb-up"],["Resolvió mi problema","solvedMyProblem","thumb-up"],["Otro","otherUp","thumb-up"]],[["Difícil de entender","hardToUnderstand","thumb-down"],["Información o código de muestra incorrectos","incorrectInformationOrSampleCode","thumb-down"],["Faltan la información o los ejemplos que necesito","missingTheInformationSamplesINeed","thumb-down"],["Problema de traducción","translationIssue","thumb-down"],["Otro","otherDown","thumb-down"]],["Última actualización: 2025-09-04 (UTC)"],[],[],null,["# Security best practices in Knative serving\n\nThis document describes how to configure Knative serving and its major\ncomponents following security best practices.\n\nSecuring Knative serving\n------------------------\n\nKnative serving is based on the open source\n[Knative](https://knative.dev/) project, and inherits its\nsecurity posture.\n\nWorkloads running on Knative serving share the same network and compute nodes.\nYou should create separate clusters for workloads that don't have mutual trust.\nKnative serving clusters should not run unrelated workloads like CI/CD\ninfrastructure or databases.\n\nReasons to create multiple clusters for Knative serving workloads include:\n\n- Separating development from production environments.\n- Isolating applications owned by different teams.\n- Isolating highly privileged workloads.\n\nOnce you've designed your clusters, take the following actions to help secure them:\n\n- [Restrict access to your cluster](/kubernetes-engine/enterprise/knative-serving/docs/securing/managing-access).\n- [Understand the Knative threat model](https://github.com/knative/community/blob/main/working-groups/security/threat-model.md).\n- [Read the Knative security reference if you plan to use community supported tooling](https://knative.dev/docs/reference/security/).\n\nSecuring components\n-------------------\n\nYou are responsible for securing components that aren't [part of Knative serving](/kubernetes-engine/enterprise/knative-serving/docs/architecture-overview#components_in_the_default_installation).\n\n### Cloud Service Mesh\n\nKnative serving relies on\n[Cloud Service Mesh for routing traffic](/kubernetes-engine/enterprise/knative-serving/docs/architecture-overview#components_in_the_default_installation).\n\nUse the following guides to help you secure Cloud Service Mesh:\n\n- [Cloud Service Mesh security overview and features](/service-mesh/v1.18/docs/security/security-overview).\n- [Cloud Service Mesh security best practices](/service-mesh/v1.18/docs/security/anthos-service-mesh-security-best-practices).\n\n### Google Kubernetes Engine\n\nKnative serving uses Google Kubernetes Engine (GKE) to schedule workloads.\nTake the following actions to help you secure your clusters:\n\n- [Follow the GKE Enterprise security tutorial](/anthos/docs/tutorials/security).\n- [Understand the Google Kubernetes Engine multi-tenancy model](/kubernetes-engine/docs/concepts/multitenancy-overview).\n- [Follow the Google Kubernetes Engine cluster hardening guide](/kubernetes-engine/docs/how-to/hardening-your-cluster).\n- [Understand the Google Kubernetes Engine shared responsibility model](/kubernetes-engine/docs/concepts/shared-responsibility).\n\nKnown vulnerabilities\n---------------------\n\nYou should subscribe to the security bulletins for Knative serving dependencies\nso you can keep up-to-date with known vulnerabilities:\n\n- [Cloud Service Mesh security bulletins](/service-mesh/v1.18/docs/security-bulletins).\n- [GKE Enterprise security bulletins](/anthos/clusters/docs/security-bulletins)."]]