Merge pull request #34600 from windsonsea/docsite7

[zh-cn] resync audit/audit-policy.yaml
2022-06-25 20:48:57 -07:00 · 2022-06-25 20:48:57 -07:00 · 2e215f0088
parent 3d9123a363 8683ad081f
commit 2e215f0088
1 changed files with 23 additions and 23 deletions
--- a/content/zh-cn/examples/audit/audit-policy.yaml
+++ b/content/zh-cn/examples/audit/audit-policy.yaml
@ -1,68 +1,68 @@
-apiVersion: audit.k8s.io/v1 # This is required.
+apiVersion: audit.k8s.io/v1 # 这是必填项。
 kind: Policy
-# Don't generate audit events for all requests in RequestReceived stage.
+# 不要在 RequestReceived 阶段为任何请求生成审计事件。
 omitStages:
  - "RequestReceived"
 rules:
-  # Log pod changes at RequestResponse level
+  # 在日志中用 RequestResponse 级别记录 Pod 变化。
  - level: RequestResponse
    resources:
    - group: ""
-      # Resource "pods" doesn't match requests to any subresource of pods,
-      # which is consistent with the RBAC policy.
+      # 资源 "pods" 不匹配对任何 Pod 子资源的请求，
+      # 这与 RBAC 策略一致。
      resources: ["pods"]
-  # Log "pods/log", "pods/status" at Metadata level
+  # 在日志中按 Metadata 级别记录 "pods/log"、"pods/status" 请求
  - level: Metadata
    resources:
    - group: ""
      resources: ["pods/log", "pods/status"]

-  # Don't log requests to a configmap called "controller-leader"
+  # 不要在日志中记录对名为 "controller-leader" 的 configmap 的请求。
  - level: None
    resources:
    - group: ""
      resources: ["configmaps"]
      resourceNames: ["controller-leader"]

-  # Don't log watch requests by the "system:kube-proxy" on endpoints or services
+  # 不要在日志中记录由 "system:kube-proxy" 发出的对端点或服务的监测请求。
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
-    - group: "" # core API group
+    - group: "" # core API 组
      resources: ["endpoints", "services"]

-  # Don't log authenticated requests to certain non-resource URL paths.
+  # 不要在日志中记录对某些非资源 URL 路径的已认证请求。
  - level: None
    userGroups: ["system:authenticated"]
    nonResourceURLs:
-    - "/api*" # Wildcard matching.
+    - "/api*" # 通配符匹配。
    - "/version"

-  # Log the request body of configmap changes in kube-system.
+  # 在日志中记录 kube-system 中 configmap 变更的请求消息体。
  - level: Request
    resources:
-    - group: "" # core API group
+    - group: "" # core API 组
      resources: ["configmaps"]
-    # This rule only applies to resources in the "kube-system" namespace.
-    # The empty string "" can be used to select non-namespaced resources.
+    # 这个规则仅适用于 "kube-system" 名字空间中的资源。
+    # 空字符串 "" 可用于选择非名字空间作用域的资源。
    namespaces: ["kube-system"]

-  # Log configmap and secret changes in all other namespaces at the Metadata level.
+  # 在日志中用 Metadata 级别记录所有其他名字空间中的 configmap 和 secret 变更。
  - level: Metadata
    resources:
-    - group: "" # core API group
+    - group: "" # core API 组
      resources: ["secrets", "configmaps"]

-  # Log all other resources in core and extensions at the Request level.
+  # 在日志中以 Request 级别记录所有其他 core 和 extensions 组中的资源操作。
  - level: Request
    resources:
-    - group: "" # core API group
-    - group: "extensions" # Version of group should NOT be included.
+    - group: "" # core API 组
+    - group: "extensions" # 不应包括在内的组版本。

-  # A catch-all rule to log all other requests at the Metadata level.
+  # 一个抓取所有的规则，将在日志中以 Metadata 级别记录所有其他请求。
  - level: Metadata
-    # Long-running requests like watches that fall under this rule will not
-    # generate an audit event in RequestReceived.
+    # 符合此规则的 watch 等长时间运行的请求将不会
+    # 在 RequestReceived 阶段生成审计事件。
    omitStages:
      - "RequestReceived"