Merge pull request #51612 from my-git9/npa-28879
[zh-cn]sync linux-security secrets-good-practices labels-annotations-taintspull/51669/head
Kubernetes Prow Robot
GitHub
commit
2f6f8f1756
|
|
@ -0,0 +1,57 @@
|
|||
---
|
||||
title: Linux 节点的安全性
|
||||
content_type: concept
|
||||
weight: 40
|
||||
---
|
||||
<!--
|
||||
reviewers:
|
||||
- lmktfy
|
||||
title: Security For Linux Nodes
|
||||
content_type: concept
|
||||
weight: 40
|
||||
-->
|
||||
|
||||
<!-- overview -->
|
||||
|
||||
<!--
|
||||
This page describes security considerations and best practices specific to the Linux operating system.
|
||||
-->
|
||||
本篇介绍特定于 Linux 操作系统的安全注意事项和最佳实践。
|
||||
|
||||
<!-- body -->
|
||||
|
||||
<!--
|
||||
## Protection for Secret data on nodes
|
||||
-->
|
||||
## 保护节点上的 Secret 数据 {#protection-for-secret-data-on-nodes}
|
||||
|
||||
<!--
|
||||
On Linux nodes, memory-backed volumes (such as [`secret`](/docs/concepts/configuration/secret/)
|
||||
volume mounts, or [`emptyDir`](/docs/concepts/storage/volumes/#emptydir) with `medium: Memory`)
|
||||
are implemented with a `tmpfs` filesystem.
|
||||
-->
|
||||
在 Linux 节点上,由内存支持的卷(例如 [`secret`](/zh-cn/docs/concepts/configuration/secret/)
|
||||
卷挂载,或带有 `medium: Memory` 的 [`emptyDir`](/zh-cn/docs/concepts/storage/volumes/#emptydir))
|
||||
使用 `tmpfs` 文件系统实现。
|
||||
|
||||
<!--
|
||||
If you have swap configured and use an older Linux kernel (or a current kernel and an unsupported configuration of Kubernetes),
|
||||
**memory** backed volumes can have data written to persistent storage.
|
||||
-->
|
||||
如果你配置了交换分区并且使用较旧的 Linux 内核(或者内核是最新的,但其中某项配置是 Kubernetes 所不支持的),
|
||||
**内存**支持的卷可能会将数据写入持久存储。
|
||||
|
||||
<!--
|
||||
The Linux kernel officially supports the `noswap` option from version 6.3,
|
||||
therefore it is recommended the used kernel version is 6.3 or later,
|
||||
or supports the `noswap` option via a backport, if swap is enabled on the node.
|
||||
-->
|
||||
Linux 内核从 6.3 版本开始正式支持 `noswap` 选项,
|
||||
因此建议使用 6.3 或更新版本的内核,
|
||||
或者如果节点上启用了交换分区,确保内核通过补丁向下移植支持 `noswap` 选项。
|
||||
|
||||
<!--
|
||||
Read [swap memory management](/docs/concepts/cluster-administration/swap-memory-management/#memory-backed-volumes)
|
||||
for more info.
|
||||
-->
|
||||
更多信息参阅[交换内存管理](/zh-cn/docs/concepts/cluster-administration/swap-memory-management/#memory-backed-volumes)。
|
||||
|
|
@ -161,6 +161,17 @@ For a list of supported providers, refer to
|
|||
有关支持的提供商列表,请参阅
|
||||
[Secret 存储 CSI 驱动的提供商](https://secrets-store-csi-driver.sigs.k8s.io/concepts.html#provider-for-the-secrets-store-csi-driver)。
|
||||
|
||||
<!--
|
||||
## Good practices for using swap memory
|
||||
|
||||
For best practices for setting swap memory for Linux nodes, please refer to
|
||||
[swap memory management](/docs/concepts/cluster-administration/swap-memory-management/#good-practice-for-using-swap-in-a-kubernetes-cluster).
|
||||
-->
|
||||
## 使用交换内存的良好实践 {#good-practices-for-using-swap-memory}
|
||||
|
||||
对于为 Linux 节点设置交换内存的最佳实践,
|
||||
请参阅[交换内存管理](/zh-cn/docs/concepts/cluster-administration/swap-memory-management/#good-practice-for-using-swap-in-a-kubernetes-cluster)。
|
||||
|
||||
<!--
|
||||
## Developers
|
||||
|
||||
|
|
|
|||
|
|
@ -2745,8 +2745,6 @@ Type: Label
|
|||
Example: `service.kubernetes.io/service-proxy-name: "foo-bar"`
|
||||
|
||||
Used on: Service
|
||||
|
||||
The kube-proxy has this label for custom proxy, which delegates service control to custom proxy.
|
||||
-->
|
||||
### service.kubernetes.io/service-proxy-name {#servicekubernetesioservice-proxy-name}
|
||||
|
||||
|
|
@ -2756,7 +2754,17 @@ The kube-proxy has this label for custom proxy, which delegates service control
|
|||
|
||||
用于:Service
|
||||
|
||||
kube-proxy 自定义代理会使用这个标签,它将服务控制委托给自定义代理。
|
||||
<!--
|
||||
Setting a value for this label tells kube-proxy to ignore this service for proxying purposes.
|
||||
This allows for use of alternative proxy implementations for this service (e.g. running
|
||||
a DaemonSet that manages nftables its own way). Multiple alternative proxy implementations
|
||||
could be active simultaneously using this field, e.g. by having a value unique to each
|
||||
alternative proxy implementation to be responsible for their respective services.
|
||||
-->
|
||||
为这个标签设置一个值会告诉 kube-proxy 在执行代理操作时忽略此 Service。
|
||||
这一标签使得用户能够为此 Service 使用替代的代理实现(例如,运行管理 nftables 的 DaemonSet)。
|
||||
通过此字段,可以同时激活多个替代代理实现,例如,为每个替代代理实现设置唯一值,
|
||||
以负责各自的 Service。
|
||||
|
||||
<!--
|
||||
### experimental.windows.kubernetes.io/isolation-type (deprecated) {#experimental-windows-kubernetes-io-isolation-type}
|
||||
|
|
@ -3375,13 +3383,6 @@ Type: Annotation
|
|||
Example: `scheduler.alpha.kubernetes.io/tolerationsWhitelist: '[{"operator": "Exists", "effect": "NoSchedule", "key": "dedicated-node"}]'`
|
||||
|
||||
Used on: Namespace
|
||||
|
||||
This annotation is only useful when the (Alpha)
|
||||
[PodTolerationRestriction](/docs/reference/access-authn-authz/admission-controllers/#podtolerationrestriction)
|
||||
admission controller is enabled. The annotation value is a JSON document that defines a list of
|
||||
allowed tolerations for the namespace it annotates. When you create a Pod or modify its
|
||||
tolerations, the API server checks the tolerations to see if they are mentioned in the allow list.
|
||||
The pod is admitted only if the check succeeds.
|
||||
-->
|
||||
### scheduler.alpha.kubernetes.io/tolerationsWhitelist {#schedulerkubernetestolerations-whitelist}
|
||||
|
||||
|
|
@ -3391,6 +3392,14 @@ The pod is admitted only if the check succeeds.
|
|||
|
||||
用于:命名空间
|
||||
|
||||
<!--
|
||||
This annotation is only useful when the (Alpha)
|
||||
[PodTolerationRestriction](/docs/reference/access-authn-authz/admission-controllers/#podtolerationrestriction)
|
||||
admission controller is enabled. The annotation value is a JSON document that defines a list of
|
||||
allowed tolerations for the namespace it annotates. When you create a Pod or modify its
|
||||
tolerations, the API server checks the tolerations to see if they are mentioned in the allow list.
|
||||
The pod is admitted only if the check succeeds.
|
||||
-->
|
||||
此注解只有在启用(Alpha)
|
||||
[PodTolerationRestriction](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#podtolerationrestriction)
|
||||
控制器时才生效。注解值是一个 JSON 文档,它为它所注解的命名空间定义了一个允许容忍的列表。
|
||||
|
|
@ -4878,10 +4887,6 @@ Used on: Pod
|
|||
This annotation was only relevant if you were using
|
||||
[PodSecurityPolicy](/docs/concepts/security/pod-security-policy/) objects.
|
||||
Kubernetes v{{< skew currentVersion >}} does not support the PodSecurityPolicy API.
|
||||
|
||||
When the PodSecurityPolicy admission controller admitted a Pod, the admission controller
|
||||
modified the Pod to have this annotation.
|
||||
The value of the annotation was the name of the PodSecurityPolicy that was used for validation.
|
||||
-->
|
||||
### kubernetes.io/psp(已弃用) {#kubernetes-io-psp}
|
||||
|
||||
|
|
@ -4894,6 +4899,11 @@ The value of the annotation was the name of the PodSecurityPolicy that was used
|
|||
这个注解只在你使用 [PodSecurityPolicies](/zh-cn/docs/concepts/security/pod-security-policy/) 时才有意义。
|
||||
Kubernetes v{{< skew currentVersion >}} 不支持 PodSecurityPolicy API。
|
||||
|
||||
<!--
|
||||
When the PodSecurityPolicy admission controller admitted a Pod, the admission controller
|
||||
modified the Pod to have this annotation.
|
||||
The value of the annotation was the name of the PodSecurityPolicy that was used for validation.
|
||||
-->
|
||||
当 PodSecurityPolicy 准入控制器接受一个 Pod 时,会修改该 Pod,并给这个 Pod 添加此注解。
|
||||
注解的值是用来对 Pod 进行验证检查的 PodSecurityPolicy 的名称。
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue