Goal: understand the enterprise deployment options for Claude Code and how they meet security, compliance and management requirements
Estimated time: 35 minutes
Corresponding official docs: Admin Setup, Server-managed Settings, Legal and Compliance
Enterprise deployment architecture
[Figure: complete production-grade deployment plan]
[Figure: detailed component interaction flow]
User authentication
SSO integration
Standard identity protocols are supported:
- SAML 2.0
- OIDC (OpenID Connect)
- SCIM user provisioning
Configuration example (SAML)
```yaml
# sso-config.yaml
idp:
  metadata_url: https://company.okta.com/app/xxx/sso/saml/metadata
sp:
  entity_id: claude-code-company
  acs_url: https://claude.company.com/auth/saml/callback
mapping:
  email: user.email
  name: user.firstName + " " + user.lastName
  groups: user.groups  # used for team permissions
```
Team management
```bash
# Create a team
claude admin team create backend-team
# Add members
claude admin team add backend-team [email protected]
claude admin team add backend-team [email protected]
# Set the team policy
claude admin team set-policy backend-team \
  --max-daily-cost 100 \
  --allowed-models sonnet,haiku \
  --require-approval-for auto-mode
```
Policy management
Server-managed Settings
Administrators manage every client centrally through a server-side configuration file:
```json
{
  "version": "1.0.0",
  "organization": "company-name",
  "authentication": {
    "require_sso": true,
    "session_duration": "8h",
    "mfa_required": true
  },
  "permissions": {
    "default_mode": "ask",
    "allow_auto_mode": false,
    "allowed_mcp_servers": [
      "postgres-internal",
      "jira",
      "slack"
    ],
    "denied_mcp_servers": [
      "*external*"
    ]
  },
  "plugins": {
    "required": ["security-guidance", "audit-logger"],
    "allowlist": ["company-*", "anthropic-*"],
    "denylist": ["*unsanctioned*"]
  },
  "usage_limits": {
    "daily_budget_per_user": 50,
    "monthly_budget_per_team": 2000,
    "alert_threshold": 0.8
  },
  "data_handling": {
    "zero_data_retention": false,
    "allowed_regions": ["us-east-1", "eu-west-1"],
    "audit_log_retention": "90d"
  }
}
```
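A settings file like this only protects anything if the client actually enforces it. The following is an added illustration, not Claude Code's own code: a small evaluator that applies the `permissions`, `plugins` and `usage_limits` sections of a constructed copy of the JSON above. It treats every entry as a shell-style glob, lets a deny entry win over an allow entry, always permits `required` plugins, and reports spend once it crosses `alert_threshold`. The glob semantics, the deny-wins ordering and the `PolicyEvaluator` class are assumptions made for this example, not the product's documented behaviour.

```python
# Added example: client-side evaluation of server-managed settings.
# Not Claude Code's own code; glob semantics and deny-wins order are assumptions.
import fnmatch
import json

# Constructed sample settings, trimmed to the keys this evaluator reads.
SETTINGS_JSON = """
{
  "permissions": {
    "default_mode": "ask",
    "allow_auto_mode": false,
    "allowed_mcp_servers": ["postgres-internal", "jira", "slack"],
    "denied_mcp_servers": ["*external*"]
  },
  "plugins": {
    "required": ["security-guidance", "audit-logger"],
    "allowlist": ["company-*", "anthropic-*"],
    "denylist": ["*unsanctioned*"]
  },
  "usage_limits": {
    "daily_budget_per_user": 50,
    "alert_threshold": 0.8
  }
}
"""


def _matches_any(name: str, patterns: list) -> bool:
    """Case-sensitive glob match against any pattern in the list."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


class PolicyEvaluator:
    def __init__(self, settings: dict):
        self.perms = settings.get("permissions", {})
        self.plugins = settings.get("plugins", {})
        self.limits = settings.get("usage_limits", {})

    def mcp_server_allowed(self, server: str) -> bool:
        # Deny patterns are checked first so a deny always wins over an allow.
        if _matches_any(server, self.perms.get("denied_mcp_servers", [])):
            return False
        return _matches_any(server, self.perms.get("allowed_mcp_servers", []))

    def plugin_allowed(self, plugin: str) -> bool:
        # Required plugins are always permitted; otherwise deny wins, then the allowlist decides.
        if plugin in self.plugins.get("required", []):
            return True
        if _matches_any(plugin, self.plugins.get("denylist", [])):
            return False
        return _matches_any(plugin, self.plugins.get("allowlist", []))

    def missing_required_plugins(self, installed: list) -> list:
        """Required plugins that are not yet installed on this client."""
        return [p for p in self.plugins.get("required", []) if p not in installed]

    def mode_allowed(self, mode: str) -> bool:
        if mode == "auto":
            return bool(self.perms.get("allow_auto_mode", False))
        return True

    def budget_state(self, spent_today_usd: float) -> str:
        """'ok', 'alert' (past alert_threshold of the budget), 'exceeded' or 'unlimited'."""
        budget = self.limits.get("daily_budget_per_user")
        if budget is None:
            return "unlimited"
        if spent_today_usd >= budget:
            return "exceeded"
        if spent_today_usd >= budget * self.limits.get("alert_threshold", 1.0):
            return "alert"
        return "ok"


def load_evaluator(raw_json: str = SETTINGS_JSON) -> PolicyEvaluator:
    return PolicyEvaluator(json.loads(raw_json))


if __name__ == "__main__":
    ev = load_evaluator()
    for server in ["jira", "postgres-internal", "partner-external-api"]:
        print(f"mcp {server}: {'allow' if ev.mcp_server_allowed(server) else 'deny'}")
    for plugin in ["company-lint", "anthropic-unsanctioned-beta", "random-plugin"]:
        print(f"plugin {plugin}: {'allow' if ev.plugin_allowed(plugin) else 'deny'}")
    print("missing required:", ev.missing_required_plugins(["security-guidance"]))
    print("budget at $42:", ev.budget_state(42))
```

Note the `anthropic-unsanctioned-beta` case: it matches the `anthropic-*` allowlist entry but is still rejected, because the `*unsanctioned*` denylist entry is evaluated first. Ordering the checks the other way round would silently turn the denylist into a no-op.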
Automatic policy push
```bash
# Update the policy
claude admin settings push settings-v2.json
# All clients automatically pick up the latest policy
```
Audit and compliance
Audit logs
Every operation is recorded:
```json
{
  "timestamp": "2025-06-18T10:30:00Z",
  "user": "[email protected]",
  "team": "backend-team",
  "action": "file_write",
  "details": {
    "file": "src/auth.py",
    "session_id": "sess_abc123",
    "model": "claude-sonnet-4-6"
  },
  "cost": {
    "input_tokens": 4520,
    "output_tokens": 890,
    "estimated_usd": 0.027
  }
}
```
Compliance certifications
Claude Code supports the following compliance frameworks:
| Certification | Description |
|---|---|
| SOC 2 Type II | Service organization controls |
| ISO 27001 | Information security management |
| GDPR | EU data protection |
| HIPAA | Protection of health information (requires a BAA) |
| FedRAMP | US government cloud security |
Data residency
```yaml
# Configure the data storage regions
data_residency:
  primary: eu-west-1    # primary storage
  backup: eu-central-1  # backup
  restrictions:
    - no_data_transfer_outside_eu: true
    - encryption_at_rest: AES-256
    - encryption_in_transit: TLS-1.3
```
Network configuration
Enterprise proxy
```bash
# System-wide proxy
export HTTP_PROXY=http://proxy.company.com:8080
export HTTPS_PROXY=http://proxy.company.com:8080
export NO_PROXY=localhost,127.0.0.1,.company.internal
# Claude-specific configuration
claude config set network.proxy.host proxy.company.com
claude config set network.proxy.port 8080
claude config set network.proxy.auth ntlm
```
Custom CA
```bash
# Enterprise self-signed certificate
claude config set network.ssl.ca_cert /etc/ssl/certs/company-ca.pem
# mTLS mutual authentication
claude config set network.ssl.client_cert /etc/ssl/certs/client.pem
claude config set network.ssl.client_key /etc/ssl/private/client.key
```
Deployment modes
Mode 1: Cloud-hosted (simplest)
- Claude Code is hosted by Anthropic
- Enterprise identity is integrated through SSO
- Suited to small and medium-sized teams
Mode 2: Hybrid
- The client runs locally
- Policy and data are managed by enterprise services
- Suited to large enterprises
Mode 3: Fully private (air-gapped)
- Private deployment on AWS/GCP/Azure
- No connection to the public internet
- Suited to high-security environments
Monitoring and alerting
Usage monitoring
```bash
# View a team's usage
claude admin usage --team backend-team --last-month
# Export a detailed report
claude admin usage export --format csv --output usage.csv
```
Anomaly detection
```yaml
# alerts.yaml
alerts:
  - name: unusual-spending
    condition: "daily_cost > 200% of average"
    action: notify_admin
  - name: sensitive-file-access
    condition: "file_path matches '/etc/*' or '*/secrets/*'"
    action: block_and_alert
  - name: after-hours-usage
    condition: "hour < 7 or hour > 22"
    action: require_additional_auth
```
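The three conditions in `alerts.yaml` are written in a free-form rule language, so it is worth seeing what they reduce to as code. This is an added example, not part of the page or of Claude Code's alerting engine: it evaluates the same three rules over constructed usage events and picks the strongest action when several rules fire at once. The event fields (`user`, `timestamp`, `file_path`, `daily_cost`), the five-day window behind "200% of average" and the UTC reading of `hour` are assumptions.

```python
# Added example: evaluating the alerts.yaml rules over constructed events.
# Not Claude Code's alerting engine; event schema, averaging window and UTC are assumptions.
import fnmatch
from datetime import datetime, timezone
from statistics import mean

# Constructed data: one user's spend over the previous five days, then today's events.
DAILY_COST_HISTORY_USD = [12.0, 15.0, 11.0, 14.0, 13.0]

EVENTS = [
    {"user": "alice@example.com", "timestamp": "2025-06-18T10:30:00Z",
     "file_path": "src/auth.py", "daily_cost": 14.0},
    {"user": "alice@example.com", "timestamp": "2025-06-18T11:05:00Z",
     "file_path": "/etc/shadow", "daily_cost": 14.5},
    {"user": "alice@example.com", "timestamp": "2025-06-18T23:40:00Z",
     "file_path": "deploy/secrets/db.env", "daily_cost": 31.0},
]

SENSITIVE_PATH_PATTERNS = ["/etc/*", "*/secrets/*"]


def unusual_spending(daily_cost: float, history: list) -> bool:
    """Rule: daily_cost > 200% of average (average over the supplied history)."""
    if not history:
        return False
    return daily_cost > 2.0 * mean(history)


def sensitive_file_access(file_path: str) -> bool:
    """Rule: file_path matches '/etc/*' or '*/secrets/*' (glob semantics, '*' spans '/')."""
    return any(fnmatch.fnmatchcase(file_path, p) for p in SENSITIVE_PATH_PATTERNS)


def after_hours(timestamp: str) -> bool:
    """Rule: hour < 7 or hour > 22, evaluated in UTC (the page does not state a zone)."""
    dt = datetime.fromisoformat(timestamp.replace("Z", "+00:00")).astimezone(timezone.utc)
    return dt.hour < 7 or dt.hour > 22


def evaluate(event: dict, history: list) -> list:
    """Return (rule name, action) pairs for every rule the event triggers."""
    fired = []
    if unusual_spending(event["daily_cost"], history):
        fired.append(("unusual-spending", "notify_admin"))
    if sensitive_file_access(event["file_path"]):
        fired.append(("sensitive-file-access", "block_and_alert"))
    if after_hours(event["timestamp"]):
        fired.append(("after-hours-usage", "require_additional_auth"))
    return fired


def strongest_action(fired: list) -> str:
    """When several rules fire, the most restrictive action wins; blocking beats step-up beats notify."""
    for action in ("block_and_alert", "require_additional_auth", "notify_admin"):
        if any(a == action for _, a in fired):
            return action
    return "allow"


def run_all(events: list = EVENTS, history: list = DAILY_COST_HISTORY_USD) -> list:
    return [(e["file_path"], strongest_action(evaluate(e, history))) for e in events]


if __name__ == "__main__":
    for event in EVENTS:
        print(event["timestamp"], event["file_path"], evaluate(event, DAILY_COST_HISTORY_USD))
```

The third event is the interesting one: it trips all three rules, and the combined outcome must be `block_and_alert` rather than whichever rule happened to be listed last, which is why `strongest_action` ranks actions instead of returning the final match.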
Hands-on scenarios
Scenario 1: Unified onboarding for a 500-person engineering organization
Requirements:
- SSO login for everyone (Azure AD)
- Budgets and permissions allocated per team
- Every operation leaves an audit trail
- Auto mode prohibited on sensitive projects
Deployment configuration:
```jsonc
// company-claude-config.json
{
  "schema_version": "2.0",
  "organization": {
    "name": "TechCorp Inc.",
    "id": "techcorp-prod"
  },
  "authentication": {
    "sso": {
      "provider": "azure_ad",
      "tenant_id": "${AZURE_TENANT_ID}",
      "client_id": "${AZURE_CLIENT_ID}",
      "client_secret": "${AZURE_CLIENT_SECRET}",
      "redirect_uri": "https://claude.techcorp.com/auth/callback"
    },
    "scim": {
      "enabled": true,
      "token": "${SCIM_TOKEN}",
      "sync_interval": "15m"
    },
    "mfa": {
      "required_for_roles": ["admin", "lead"],
      "methods": ["totp", "webauthn"]
    }
  },
  "teams": [
    {
      "name": "platform",
      "budget": { "daily": 200, "monthly": 4000 },
      "models": ["claude-sonnet", "claude-haiku"],
      "modes": ["ask", "auto-edits"],
      "mcp_allowlist": ["internal-jira", "internal-grafana"]
    },
    {
      "name": "security",
      "budget": { "daily": 100, "monthly": 2000 },
      "models": ["claude-opus", "claude-sonnet"],
      "modes": ["ask"],
      "require_approval_for": ["auto-edits", "auto"]
    },
    {
      "name": "interns",
      "budget": { "daily": 20, "monthly": 400 },
      "models": ["claude-haiku"],
      "modes": ["ask"],
      "readonly": true
    }
  ],
  "security": {
    "data_retention": "standard",
    "allowed_regions": ["us-east-1", "us-west-2"],
    "blocked_file_patterns": [
      "**/secrets/**",
      "**/*.pem",
      "**/*.key"
    ],
    "required_hooks": ["audit-logger", "security-scanner"]
  },
  "audit": {
    "retention_days": 365,
    "export_to_siem": true,
    "siem_endpoint": "https://splunk.techcorp.com:8088",
    "siem_token": "${SPLUNK_TOKEN}"
  }
}
```
Deployment script:
```bash
#!/bin/bash
# deploy-claude-enterprise.sh
set -e
echo "🚀 开始部署 Claude Code 企业版..."
# 1. Create the namespace
kubectl create namespace claude-enterprise --dry-run=client -o yaml | kubectl apply -f -
# 2. Create the Secret
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: claude-config
  namespace: claude-enterprise
type: Opaque
stringData:
  AZURE_TENANT_ID: "$AZURE_TENANT_ID"
  AZURE_CLIENT_ID: "$AZURE_CLIENT_ID"
  AZURE_CLIENT_SECRET: "$AZURE_CLIENT_SECRET"
  SCIM_TOKEN: "$SCIM_TOKEN"
  SPLUNK_TOKEN: "$SPLUNK_TOKEN"
EOF
# 3. Deploy the policy and audit services
kubectl apply -f k8s/policy-service.yaml
kubectl apply -f k8s/audit-service.yaml
# 4. Deploy the gateway
kubectl apply -f k8s/gateway.yaml
# 5. Verify
kubectl wait --for=condition=ready pod -l app=claude-policy -n claude-enterprise --timeout=300s
echo "✅ 部署完成!"
```
Scenario 2: Compliant deployment for the financial industry
Requirements:
- Zero data retention (ZDR)
- Real-time audit of every operation
- Two-person approval for sensitive operations
- Deployed in a private VPC
Terraform configuration:
```hcl
# main.tf
module "claude_code" {
  source  = "anthropic/claude-code/aws"
  version = "~> 1.0"

  vpc_id          = module.vpc.vpc_id
  private_subnets = module.vpc.private_subnets

  # Compliance configuration
  compliance = {
    zdr_enabled           = true
    soc2_scope            = true
    audit_retention_years = 7
  }

  # Network isolation
  network = {
    public_access = false
    vpn_required  = true
    allowed_cidrs = ["10.0.0.0/8"]
  }

  # Approval workflows
  approval_workflows = {
    file_write   = "single_approval"
    command_exec = "dual_approval"
    mcp_connect  = "admin_approval"
  }
}
```
Enterprise-grade hands-on scenarios
Scenario 1: Large financial enterprise deployment (multi-team + air-gapped + AWS GovCloud)
A bank deploys Claude Code in AWS GovCloud to serve 5000+ developers and must meet strict compliance requirements (SOC 2 + ISO 27001 + PCI DSS).
```yaml
# settings/enterprise-bank-prod.yaml - complete production configuration
version: "2.0.0"
organization: "global-bank"
environment: production
deployment:
  mode: air-gapped
  region: aws-govcloud-us-west
  network:
    vpc_id: vpc-0a1b2c3d4e5f
    subnets: [subnet-private-1a, subnet-private-1b]
    egress_proxy: https://forward-proxy.bank.internal:8443
    allowed_anthropic_endpoints: [api.anthropic.com]
  ha:
    multi_az: true
    auto_scaling:
      min_replicas: 5
      max_replicas: 50
      target_cpu: 70
authentication:
  provider: saml2
  idp_metadata_url: https://adfs.bank.internal/federationmetadata.xml
  require_sso: true
  require_mfa: true
  session_duration: 4h
  idle_timeout: 30m
  step_up_required_for:
    - "file:write:/production/*"
    - "bash:run:kubectl *"
    - "plugin:install:*"
  step_up_method: yubikey  # hardware token
permissions:
  default_mode: ask
  allow_auto_mode: false  # auto mode is disabled for financial workloads
  by_team:
    "trading-engineering":
      max_daily_cost: 200
      allowed_models: [claude-sonnet-4-6]
      file_access:
        - read: ["/repos/trading/*"]
        - write: ["/repos/trading/branches/*"]
        - deny: ["/repos/trading/main", "/repos/trading/release/*"]
    "core-banking":
      max_daily_cost: 100
      allowed_models: [claude-sonnet-4-6]
      require_pair_review: true
  global_denylist:
    - "file:read:/etc/passwd"
    - "file:read:/var/secrets/*"
    - "bash:run:curl http://*"
    - "bash:run:wget *"
plugins:
  registry: https://plugins.bank.internal
  required:
    - {name: bank-security-policies, version: "^3.0.0", install_strategy: force}
    - {name: pci-dss-compliance, version: "^1.0.0"}
    - {name: audit-logger-enterprise, version: "^2.0.0"}
  allowlist: ["bank-*", "anthropic-official-*"]
  denylist: ["*"]
  signature_verification:
    required: true
    trusted_keys: [/etc/claude/keys/bank-platform.pub]
data_handling:
  zero_data_retention: true
  encrypt_at_rest: AES-256-GCM
  encrypt_in_transit: TLS-1.3-only
  data_residency:
    primary: aws-govcloud-us-west
    backup: aws-govcloud-us-east
    no_cross_region_transfer: true
  pii_detection:
    enabled: true
    block_on_detection: true
    patterns: [ssn, credit_card, bank_account, passport]
audit_log:
  retention: "7y"  # PCI DSS requirement
  immutable: true
  backup_to: s3://bank-audit-logs-immutable/
  access_log_access: true
usage_limits:
  org_monthly_budget: 500000
  alert_thresholds: [50%, 80%, 95%]
  alert_recipients: [[email protected], [email protected]]
  rate_limits:
    per_user_rpm: 60
    per_team_rpm: 1000
    org_rpm: 10000
compliance:
  frameworks: [SOC2_TYPE_II, ISO_27001, PCI_DSS_4, SOX]
  required_attestations: [quarterly_access_review, annual_security_training]
  forbidden_data_in_prompts: [PCI_DATA, PHI_DATA, CLASSIFIED]
```
```bash
#!/bin/bash
# scripts/deploy-enterprise.sh - enterprise deployment script
set -euo pipefail
NAMESPACE=${NS:-claude-system}
# Fail early if any required CLI is missing
for cmd in aws kubectl helm vault; do
  command -v "$cmd" >/dev/null || { echo "❌ 缺少 $cmd"; exit 1; }
done
kubectl apply -f - <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: ${NAMESPACE}
  labels:
    pod-security.kubernetes.io/enforce: restricted
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: claude-egress-control
  namespace: ${NAMESPACE}
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
    - to:
        - ipBlock: {cidr: 10.0.0.0/8}
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except: [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16]
      ports: [{protocol: TCP, port: 443}]
EOF
# Fetch the API key from Vault
ANTHROPIC_KEY=$(vault kv get -field=api_key secret/claude/prod)
kubectl create secret generic claude-secrets \
  --namespace="${NAMESPACE}" \
  --from-literal=anthropic-api-key="${ANTHROPIC_KEY}" \
  --dry-run=client -o yaml | kubectl apply -f -
helm upgrade --install claude-code anthropic/claude-code \
  --namespace="${NAMESPACE}" \
  --values=settings/enterprise-bank-prod.yaml \
  --set replicaCount=5 \
  --wait --timeout=10m
kubectl rollout status deployment/claude-code -n "${NAMESPACE}"
echo "✅ 部署完成"
```
Scenario 2: Multi-region deployment for a multinational group (GDPR + China data localization)
The multinational must satisfy the GDPR (EU) and the Data Security Law (China) at the same time, so data has to be processed within its local region.
```yaml
# multi-region-config.yaml - multi-region deployment topology
version: "2.0.0"
organization: "global-corp"
deployment_topology:
  type: federated
  regions:
    - id: eu-west-1
      name: "欧洲(都柏林)"
      compliance: [GDPR, ISO_27001]
      anthropic_endpoint: https://api-eu.anthropic.com
      data_residency: {strict: true, no_outbound_transfer: true}
      teams: [emea-eng, emea-data]
    - id: us-east-1
      name: "美国(弗吉尼亚)"
      compliance: [SOC2, HIPAA]
      anthropic_endpoint: https://api.anthropic.com
      teams: [americas-eng]
    - id: cn-north-1
      name: "中国(北京)"
      compliance: [DSL, PIPL, MLPS_3]
      anthropic_endpoint: https://api-cn.anthropic.com.cn
      data_residency:
        strict: true
        no_outbound_transfer: true
        require_local_review: true
      teams: [china-eng]
    - id: ap-southeast-1
      name: "亚太(新加坡)"
      compliance: [PDPA]
      anthropic_endpoint: https://api-apac.anthropic.com
      teams: [apac-eng, jp-eng]
  federated_routing:
    rule: user_region_match
    fallback: deny
    cross_region_collaboration:
      allowed: false
      exception_workflow: jira-ticket-required
data_classification_routing:
  classifications:
    - {level: PUBLIC, can_route_to: any}
    - {level: INTERNAL, can_route_to: same_region}
    - level: CONFIDENTIAL
      can_route_to: same_region_strict
      additional_controls: [encryption, dlp_scan]
    - level: REGULATED
      can_route_to: same_region_strict
      additional_controls: [encryption, dlp_scan, manual_review]
      audit_level: detailed
shared_services:
  identity_federation:
    type: SAML2_federation
    primary_idp: https://corporate-idp.global-corp.com
    regional_idps:
      cn-north-1: https://idp.china.global-corp.com
  audit_aggregation:
    enabled: true
    sanitize_pii_before_aggregation: true
    central_siem: https://siem.global-corp.com
```
```python
# region_router.py - region router implementation
import os
import re
from typing import Optional

import jwt  # PyJWT
from fastapi import FastAPI, Request
from fastapi.responses import JSONResponse, RedirectResponse

app = FastAPI(title="Claude Code Region Router")

REGION_ENDPOINTS = {
    "eu-west-1": "https://claude-eu.global-corp.com",
    "us-east-1": "https://claude-us.global-corp.com",
    "cn-north-1": "https://claude-cn.global-corp.com",
    "ap-southeast-1": "https://claude-ap.global-corp.com",
}

USER_REGION_MAPPING = {
    "@eu.global-corp.com": "eu-west-1",
    "@us.global-corp.com": "us-east-1",
    "@cn.global-corp.com": "cn-north-1",
    "@apac.global-corp.com": "ap-southeast-1",
}


def get_user_region(user_email: str, user_groups: list) -> Optional[str]:
    """Resolve the home region from the e-mail domain, then from a group such as region-eu-west-1."""
    for suffix, region in USER_REGION_MAPPING.items():
        if user_email.endswith(suffix):
            return region
    for group in user_groups:
        # Region ids contain hyphens, so the group pattern must accept them.
        if m := re.match(r"region-([\w-]+)$", group):
            return m.group(1)
    return None


def detect_data_classification(content: str) -> str:
    """Coarse keyword classification of the request body; the most sensitive match wins."""
    # \b is only meaningful around the Latin keyword; CJK terms are matched as plain substrings.
    if re.search(r"\bSSN\b|社会保障号|身份证号|护照号", content, re.IGNORECASE):
        return "REGULATED"
    # "internal" is kept out of this alternation so that the INTERNAL level below is reachable.
    if re.search(r"\bconfidential\b|机密", content, re.IGNORECASE):
        return "CONFIDENTIAL"
    if re.search(r"\binternal\b|内部", content, re.IGNORECASE):
        return "INTERNAL"
    return "PUBLIC"


@app.middleware("http")
async def region_routing_middleware(request: Request, call_next):
    # HTTPException raised inside middleware is not handled by FastAPI's exception
    # handlers, so error responses are returned explicitly.
    auth_header = request.headers.get("Authorization", "")
    if not auth_header.startswith("Bearer "):
        return JSONResponse(status_code=401, content={"detail": "Missing authentication"})
    try:
        token = auth_header[len("Bearer "):]
        decoded = jwt.decode(token, os.environ["JWT_SECRET"], algorithms=["HS256"])
        user_email = decoded["email"]
        user_groups = decoded.get("groups", [])
    except (jwt.InvalidTokenError, KeyError):
        return JSONResponse(status_code=401, content={"detail": "Invalid token"})
    user_region = get_user_region(user_email, user_groups)
    if not user_region:
        return JSONResponse(status_code=403, content={"detail": "User region cannot be determined"})
    body = await request.body()
    classification = detect_data_classification(body.decode("utf-8", errors="ignore"))
    # Routing decision: highly sensitive data is pinned to the user's own region
    if classification in ("REGULATED", "CONFIDENTIAL"):
        target_region = user_region
    else:
        target_region = request.headers.get("X-Preferred-Region", user_region)
    target = REGION_ENDPOINTS.get(target_region)
    if not target:
        return JSONResponse(status_code=503, content={"detail": f"Region {target_region} unavailable"})
    # Record the routing decision for the compliance audit trail
    print(f"AUDIT: user={user_email} from={user_region} -> {target_region} class={classification}")
    # Every request is redirected to its regional endpoint, so call_next is never reached.
    return RedirectResponse(url=f"{target}{request.url.path}", status_code=307)

# Run (uvicorn needs both the key and the certificate; the cert path is a placeholder):
# uvicorn region_router:app --host 0.0.0.0 --port 443 --ssl-keyfile=/etc/ssl/key.pem --ssl-certfile=/etc/ssl/cert.pem
```
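The router above pins CONFIDENTIAL and REGULATED traffic to the user's region but does not model the rest of `data_classification_routing` or the `fallback: deny` rule. The following is an added example, not the project's code and separate from the router: a pure decision function that takes the user's region, the requested target, the classification and an optional exception ticket, and returns whether the request may be routed, where, and with which `additional_controls`. The reading of `same_region` (cross-region only through the `jira-ticket-required` exception workflow) versus `same_region_strict` (never cross-region), the `exception_ticket` argument and the `RoutingDecision` type are assumptions made for this example.

```python
# Added example: data_classification_routing + federated_routing as a decision function.
# Not the project's code; same_region vs same_region_strict semantics are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed policy, mirroring the keys in multi-region-config.yaml.
ROUTING_POLICY = {
    "fallback": "deny",
    "cross_region_exception_workflow": "jira-ticket-required",
    "classifications": {
        "PUBLIC": {"can_route_to": "any", "additional_controls": []},
        "INTERNAL": {"can_route_to": "same_region", "additional_controls": []},
        "CONFIDENTIAL": {"can_route_to": "same_region_strict",
                         "additional_controls": ["encryption", "dlp_scan"]},
        "REGULATED": {"can_route_to": "same_region_strict",
                      "additional_controls": ["encryption", "dlp_scan", "manual_review"],
                      "audit_level": "detailed"},
    },
}

KNOWN_REGIONS = {"eu-west-1", "us-east-1", "cn-north-1", "ap-southeast-1"}


@dataclass
class RoutingDecision:
    allowed: bool
    target_region: Optional[str]
    required_controls: List[str] = field(default_factory=list)
    audit_level: str = "standard"
    reason: str = ""


def route(user_region: Optional[str], requested_region: Optional[str], classification: str,
          exception_ticket: Optional[str] = None, policy: dict = ROUTING_POLICY) -> RoutingDecision:
    # federated_routing: rule user_region_match, fallback deny.
    if user_region not in KNOWN_REGIONS:
        return RoutingDecision(False, None, reason="user region unknown; fallback=deny")
    rule = policy["classifications"].get(classification)
    if rule is None:
        # An unknown classification is treated as the most restrictive level.
        classification = "REGULATED"
        rule = policy["classifications"][classification]
    target = requested_region or user_region
    if target not in KNOWN_REGIONS:
        return RoutingDecision(False, None, reason=f"unknown target region {target}")
    controls = list(rule.get("additional_controls", []))
    audit = rule.get("audit_level", "standard")
    if target == user_region or rule["can_route_to"] == "any":
        return RoutingDecision(True, target, controls, audit, reason="in-region or PUBLIC")
    # From here on the request would leave the user's region.
    if rule["can_route_to"] == "same_region_strict":
        return RoutingDecision(False, None, controls, audit,
                               reason=f"{classification} may not leave {user_region}")
    # same_region: cross_region_collaboration.allowed is false, but the exception
    # workflow permits it when a ticket reference is supplied (assumption).
    workflow = policy["cross_region_exception_workflow"]
    if exception_ticket:
        return RoutingDecision(True, target, controls, "detailed",
                               reason=f"exception via {workflow}: {exception_ticket}")
    return RoutingDecision(False, None, controls, audit,
                           reason=f"cross-region {classification} requires {workflow}")


if __name__ == "__main__":
    cases = [
        ("eu-west-1", "us-east-1", "PUBLIC", None),
        ("eu-west-1", "us-east-1", "INTERNAL", None),
        ("eu-west-1", "us-east-1", "INTERNAL", "SEC-1234"),
        ("cn-north-1", "us-east-1", "CONFIDENTIAL", "SEC-1234"),
        ("cn-north-1", None, "REGULATED", None),
        (None, "us-east-1", "PUBLIC", None),
    ]
    for user, req, level, ticket in cases:
        d = route(user, req, level, ticket)
        print(f"{user} -> {req or 'home'} [{level}]: allowed={d.allowed} target={d.target_region} "
              f"controls={d.required_controls} audit={d.audit_level} ({d.reason})")
```

Two properties are worth checking in the tests: a CONFIDENTIAL request out of `cn-north-1` is refused even when a ticket is attached, because `same_region_strict` leaves no exception path; and a request whose user region cannot be resolved is refused for every classification, including PUBLIC, which is what `fallback: deny` means.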