# Security best practices in Knative serving

This document describes how to configure Knative serving and its major components following security best practices.

Securing Knative serving
------------------------

Knative serving is based on the open source [Knative](https://knative.dev/) project and inherits its security posture.

Workloads running on Knative serving share the same network and compute nodes. Create separate clusters for workloads that don't have mutual trust. Knative serving clusters should not run unrelated workloads such as CI/CD infrastructure or databases.

Reasons to create multiple clusters for Knative serving workloads include:

- Separating development from production environments.
- Isolating applications owned by different teams.
- Isolating highly privileged workloads.

Once you've designed your clusters, take the following actions to help secure them:

- [Restrict access to your cluster](/kubernetes-engine/enterprise/knative-serving/docs/securing/managing-access).
- [Understand the Knative threat model](https://github.com/knative/community/blob/main/working-groups/security/threat-model.md).
- [Read the Knative security reference if you plan to use community-supported tooling](https://knative.dev/docs/reference/security/).

Securing components
-------------------

You are responsible for securing components that aren't [part of Knative serving](/kubernetes-engine/enterprise/knative-serving/docs/architecture-overview#components_in_the_default_installation).

### Cloud Service Mesh

Knative serving relies on [Cloud Service Mesh for routing traffic](/kubernetes-engine/enterprise/knative-serving/docs/architecture-overview#components_in_the_default_installation).

Use the following guides to help you secure Cloud Service Mesh:

- [Cloud Service Mesh security overview and features](/service-mesh/v1.18/docs/security/security-overview).
- [Cloud Service Mesh security best practices](/service-mesh/v1.18/docs/security/anthos-service-mesh-security-best-practices).

### Google Kubernetes Engine

Knative serving uses Google Kubernetes Engine (GKE) to schedule workloads. Take the following actions to help you secure your clusters:

- [Follow the GKE Enterprise security tutorial](/anthos/docs/tutorials/security).
- [Understand the Google Kubernetes Engine multi-tenancy model](/kubernetes-engine/docs/concepts/multitenancy-overview).
- [Follow the Google Kubernetes Engine cluster hardening guide](/kubernetes-engine/docs/how-to/hardening-your-cluster).
- [Understand the Google Kubernetes Engine shared responsibility model](/kubernetes-engine/docs/concepts/shared-responsibility).

Known vulnerabilities
---------------------

Subscribe to the security bulletins for Knative serving dependencies so you can keep up to date with known vulnerabilities:

- [Cloud Service Mesh security bulletins](/service-mesh/v1.18/docs/security-bulletins).
- [GKE Enterprise security bulletins](/anthos/clusters/docs/security-bulletins).

Last updated 2025-09-04 UTC.