commit 1575e1e208
@ -215,7 +215,7 @@ You can also use the deprecated [PodSecurityPolicy](/docs/concepts/policy/pod-se
to restrict users' abilities to create privileged Pods (N.B. PodSecurityPolicy is scheduled for removal
in version 1.25).
-->
你还可以使用已弃用的 [PodSecurityPolicy](/zh/docs/concepts/policy/pod-security-policy/)
你还可以使用已弃用的 [PodSecurityPolicy](/zh-cn/docs/concepts/security/pod-security-policy/)
机制以限制用户创建特权 Pod 的能力 (特别注意:PodSecurityPolicy 已计划在版本 1.25 中删除)。

<!--
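Review bot: the English source comment in this hunk (the `@@` context line) still links to `/docs/concepts/policy/pod-security-policy/` while the Chinese line directly under it is moved to `/zh-cn/docs/concepts/security/pod-security-policy/`; the `<!-- -->` block is what translators diff against upstream, so update it to `/docs/concepts/security/pod-security-policy/` in the same commit rather than leaving the two out of step. The old English path keeps resolving only because of the existing `/docs/concepts/policy/pod-security-policy/ ... 301` entry visible as context in the `_redirects` hunk later in this commit.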
@ -235,7 +235,7 @@ PersistentVolumes, and constrained users should use PersistentVolumeClaims to ac
-->
### 持久卷的创建 {#persistent-volume-creation}

如 [PodSecurityPolicy](/zh/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems)
如 [PodSecurityPolicy](/zh-cn/docs/concepts/security/pod-security-policy/#volumes-and-file-systems)
文档中所述,创建 PersistentVolumes 的权限可以提权访问底层主机。
如果需要访问 PersistentVolume,受信任的管理员应该创建 `PersistentVolume`,
受约束的用户应该使用 `PersistentVolumeClaim` 访问该存储。
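Review bot: the `#volumes-and-file-systems` fragment is carried over to the new path, which is right, but a 301 on the page path says nothing about heading ids; confirm that `/zh-cn/docs/concepts/security/pod-security-policy/` still emits `volumes-and-file-systems` (and `users-and-groups` and `example`, which later hunks of this commit rely on), otherwise these links silently land at the top of the page and the reader loses the pointer to the host-access escalation this paragraph is warning about.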
@ -26,7 +26,7 @@ This page describes security considerations and best practices specific to the W
<!--
## Protection for Secret data on nodes
-->
## 保护节点上的 Secret 数据
## 保护节点上的 Secret 数据 {#protection-for-secret-data-on-nodes}

<!--
On Windows, data from Secrets are written out in clear text onto the node's local
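Review bot: adding the explicit `{#protection-for-secret-data-on-nodes}` id is the right fix, since Hugo would otherwise derive the anchor from the Chinese heading text and any cross-page link using the English fragment would break; the same treatment is applied to `## 容器用户` and `## Pod 级安全隔离` in the following hunks. Note that the `### 限制云元数据 API 访问` heading touched later in this commit does not get an id, so apply the same convention there for consistency.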
@ -48,7 +48,7 @@ operator, you should take both of the following additional measures:
<!--
## Container users
-->
## 容器用户
## 容器用户 {#container-users}

<!--
[RunAsUsername](/docs/tasks/configure-pod-container/configure-runasusername)
@ -57,7 +57,7 @@ processes as specific user. This is roughly equivalent to
[RunAsUser](/docs/concepts/policy/pod-security-policy/#users-and-groups).
-->
可以为 Windows Pod 或容器指定 [RunAsUsername](/zh/docs/tasks/configure-pod-container/configure-runasusername)
以作为特定用户执行容器进程。这大致相当于 [RunAsUser](/zh/docs/concepts/policy/pod-security-policy/#users-and-groups)。
以作为特定用户执行容器进程。这大致相当于 [RunAsUser](/zh-cn/docs/concepts/security/pod-security-policy/#users-and-groups)。

<!--
Windows containers offer two default user accounts, ContainerUser and ContainerAdministrator.
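Review bot: only the `RunAsUser` link is moved to `/zh-cn/`, while the unchanged context line directly above it still points at `/zh/docs/tasks/configure-pod-container/configure-runasusername`; since this commit is already normalising the `/zh/` prefix in this file, change that link to `/zh-cn/docs/tasks/configure-pod-container/configure-runasusername` here as well instead of leaving it to a redirect. The English comment's `[RunAsUser](/docs/concepts/policy/pod-security-policy/#users-and-groups)` also still carries the pre-move path and should be updated to `/docs/concepts/security/pod-security-policy/#users-and-groups` so the translation source matches upstream.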
@ -92,7 +92,7 @@ Active Directory 身份运行。
<!--
## Pod-level security isolation
-->
## Pod 级安全隔离
## Pod 级安全隔离 {#pod-level-security-isolation}

<!--
Linux-specific pod security context mechanisms (such as SELinux, AppArmor, Seccomp, or custom
@ -268,7 +268,7 @@ to the metadata API, and avoid using provisioning data to deliver secrets.
-->
### 限制云元数据 API 访问

云平台(AWS, Azure, GCE 等)经常将 metadata 本地服务暴露给实例。
云平台(AWS、Azure、GCE 等)经常将 metadata 本地服务暴露给实例。
默认情况下,这些 API 可由运行在实例上的 Pod 访问,并且可以包含
该云节点的凭据或配置数据(如 kubelet 凭据)。
这些凭据可以用于在集群内升级或在同一账户下升级到其他云服务。
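Review bot: the only change here is `AWS, Azure, GCE` to `AWS、Azure、GCE`, which is the correct Chinese enumeration mark, but while this paragraph is being edited the last context line `这些凭据可以用于在集群内升级或在同一账户下升级到其他云服务` uses `升级` (upgrade) for what stolen node or kubelet credentials actually do, which is escalate privileges; `提权` is the established security term and would make the warning about the metadata API read correctly. Also, unlike the other headings in this commit, `### 限制云元数据 API 访问` gets no explicit `{#...}` id.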
@ -413,7 +413,7 @@ or run with elevated permissions if those service accounts are granted access to
如果执行 Pod 创建操作的组件能够在 `kube-system` 这类名字空间中创建 Pod,
则这类组件也可能获得意外的权限,因为这些 Pod 可以访问服务账户的 Secret,
或者,如果对应服务帐户被授权访问宽松的
[PodSecurityPolicy](/zh/docs/concepts/policy/pod-security-policy/),
[PodSecurityPolicy](/zh-cn/docs/concepts/security/pod-security-policy/),
它们就能以较高的权限运行。

<!--
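Review bot: `服务账户` on the second line and `服务帐户` on the fourth line are two spellings of the same term inside one sentence; since the line `或者,如果对应服务帐户被授权访问宽松的` sits directly above the link being changed, normalise it to `服务账户` in this commit. The link move itself is fine.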
@ -31,7 +31,7 @@ admission controller. This can be done effectively using a combination of dry-ru
<!--
- Ensure the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features) is enabled.
-->
- 确保 `PodSecurity` [特性门控](/docs/reference/command-line-tools-reference/feature-gates/)被启用。
- 确保 `PodSecurity` [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)被启用。

<!--
This page assumes you are already familiar with the basic [Pod Security Admission](/docs/concepts/security/pod-security-admission/)
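Review bot: the English comment links to `/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features`, but the Chinese line drops the `#feature-gates-for-alpha-or-beta-features` fragment both before and after this change; add it to the new `/zh-cn/...` link so the reader lands on the alpha/beta gate table where `PodSecurity` is listed rather than at the top of a long reference page.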
@ -307,7 +307,7 @@ need to be handled on a case-by-case basis later:
- `.spec.allowPrivilegeEscalation` - (Only mutating if set to `false`) required for the Restricted
profile.
-->
- `.spec.requiredDropCapabilities` - 需要此字段来为 Restricted 配置去掉 `ALL` 设置。
- `.spec.requiredDropCapabilities` - 需要此字段来为 Restricted 配置去掉 `ALL` 设置。
- `.spec.seLinux` - (仅针对带有 `MustRunAs` 规则的变更性设置)需要此字段来满足
Baseline 和 Restricted 配置所需要的 SELinux 需求。
- `.spec.runAsUser` - (仅针对带有 `RunAsAny` 规则的非变更性设置)需要此字段来为
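Review bot: the before and after renderings of the `.spec.requiredDropCapabilities` line are byte-identical here, so the change can only be trailing whitespace or a line-ending; confirm that no intended wording change was lost. The same identical-pair pattern appears later in this commit (the `policy/privileged-psp.yaml` example line, the `## 4. 审阅名字空间创建过程` heading and a dockershim entry in `_redirects`), so a whitespace normalisation would be easier to review as its own commit separate from the PodSecurityPolicy path move.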
@ -556,7 +556,7 @@ Finally, you can effectively bypass PodSecurityPolicy at the namespace level by
accounts in the namespace.
-->
最后,你可以通过将
{{< example file="policy/privileged-psp.yaml" >}}完全特权的 PSP{{< /example >}}
{{< example file="policy/privileged-psp.yaml" >}}完全特权的 PSP{{< /example >}}
绑定到某名字空间中所有服务账户上,在名字空间层面绕过所有 PodSecurityPolicy。

```sh
@ -594,7 +594,7 @@ kubectl delete -n $NAMESPACE rolebinding disable-psp
<!--
## 4. Review namespace creation processes {#review-namespace-creation-process}
-->
## 4. 审阅名字空间创建过程 {#review-namespace-creation-process}
## 4. 审阅名字空间创建过程 {#review-namespace-creation-process}

<!--
Now that existing namespaces have been updated to enforce Pod Security Admission, you should ensure
@ -639,7 +639,7 @@ controller plugins:
-->
如果需要验证 PodSecurityPolicy 准入控制器不再被启用,你可以通过扮演某个无法访问任何
PodSecurityPolicy 的用户来执行测试(参见
[PodSecurityPolicy 示例](/zh/docs/concepts/policy/pod-security-policy/#example)),
[PodSecurityPolicy 示例](/zh-cn/docs/concepts/security/pod-security-policy/#example)),
或者通过检查 API 服务器的日志来进行验证。在启动期间,API
服务器会输出日志行,列举所挂载的准入控制器插件。

@ -162,6 +162,7 @@

/docs/concepts/policy/pod-security-policy/ /docs/concepts/security/pod-security-policy/ 301
/docs/consumer-guideline/pod-security-coverage/ /docs/concepts/security/pod-security-policy/ 301
/zh-cn/docs/concepts/policy/pod-security-policy/ /zh-cn/docs/concepts/security/pod-security-policy/ 301

/docs/contribute/create-pull-request/ /docs/home/contribute/create-pull-request/ 301
/docs/contribute/page-templates/ /docs/home/contribute/page-templates/ 301
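Review bot: the added rule only redirects the `/zh-cn/docs/concepts/policy/pod-security-policy/` source, but every link this commit rewrites in the Chinese pages was `/zh/docs/concepts/policy/pod-security-policy/`, so that is the path external sites and old bookmarks hold; unless a blanket `/zh/*` to `/zh-cn/*` rule exists earlier in `_redirects`, those inbound links will 404, and even with such a rule they need two 301 hops. Add `/zh/docs/concepts/policy/pod-security-policy/ /zh-cn/docs/concepts/security/pod-security-policy/ 301` alongside it. The new line is also inserted among `/docs/...` entries rather than with other `/zh-cn/` rules, so check the file's ordering convention.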
@ -248,7 +249,7 @@
/docs/tasks/access-kubernetes-api/extend-api-custom-resource-definitions/ /docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/ 301
/docs/tasks/access-kubernetes-api/setup-extension-api-server/ /docs/tasks/extend-kubernetes/setup-extension-api-server/ 301

/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-deprecation-affects-you/ /docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-removal-affects-you/ 301
/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-deprecation-affects-you/ /docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-removal-affects-you/ 301
/docs/tasks/administer-cluster/access-cluster-services/ /docs/tasks/access-application-cluster/access-cluster-services/ 301
/docs/tasks/administer-cluster/apply-resource-quota-limit/ /docs/tasks/administer-cluster/quota-api-object/ 301
/docs/tasks/administer-cluster/assign-pods-nodes/ /docs/tasks/configure-pod-container/assign-pods-nodes/ 301
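Review bot: the dockershim redirect `/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-deprecation-affects-you/ ... 301` reads identically before and after, so this hunk is a whitespace-only edit to a rule that has nothing to do with the PodSecurityPolicy path move; drop it from this commit, or at least call it out in the commit message, so the `_redirects` diff stays limited to the change under review.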