kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

[zh-cn] Resync pod security standards page

pull/34594/head
Qiming Teng 2022-06-25 17:25:36 +08:00
parent a9b7331f57
commit 49b01946ed
1 changed files with 122 additions and 442 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

564
content/zh-cn/docs/concepts/security/pod-security-standards.md
View File

@ -21,17 +21,18 @@ weight: 10
The Pod Security Standards define three different _policies_ to broadly cover the security
spectrum. These policies are _cumulative_ and range from highly-permissive to highly-restrictive.
This guide outlines the requirements of each policy.
-->
Pod 安全性标准定义了三种不同的 **策略Policy**,以广泛覆盖安全应用场景。
这些策略是 **叠加式的Cumulative**,安全级别从高度宽松至高度受限。
本指南概述了每个策略的要求。
<!--
| Profile | Description |
| ------ | ----------- |
| <strong style="white-space: nowrap">Privileged</strong> | Unrestricted policy, providing the widest possible level of permissions. This policy allows for known privilege escalations. |
| <strong style="white-space: nowrap">Baseline</strong> | Minimally restrictive policy which prevents known privilege escalations. Allows the default (minimally specified) Pod configuration. |
| <strong style="white-space: nowrap">Restricted</strong> | Heavily restricted policy, following current Pod hardening best practices. |
-->
Pod 安全性标准定义了三种不同的 _策略Policy_,以广泛覆盖安全应用场景。
这些策略是 _渐进式的Cumulative_,安全级别从高度宽松至高度受限。
本指南概述了每个策略的要求。
| Profile | 描述 |
| ------ | ----------- |
| <strong style="white-space: nowrap">Privileged</strong> | 不受限制的策略,提供最大可能范围的权限许可。此策略允许已知的特权提升。 |
@ -97,151 +98,74 @@ fail validation.
<td>控制Control</td>
<td>策略Policy</td>
</tr>
<tr>
<tr>
<!-- <td style="white-space: nowrap">HostProcess</td> -->
<td style="white-space: nowrap">HostProcess</td>
<!-- <td>
<p>Windows pods offer the ability to run <a href="/docs/tasks/configure-pod-container/create-hostprocess-pod">HostProcess containers</a> which enables privileged access to the Windows node. Privileged access to the host is disallowed in the baseline policy. HostProcess pods are an <strong>alpha</strong> feature as of Kubernetes <strong>v1.22</strong>.</p>
<p><strong>Restricted Fields</strong></p>
<td style="white-space: nowrap">HostProcess</td>
<td>
<p><!--Windows pods offer the ability to run <a href="/docs/tasks/configure-pod-container/create-hostprocess-pod">HostProcess containers</a> which enables privileged access to the Windows node. Privileged access to the host is disallowed in the baseline policy. -->
Windows Pod 提供了运行 <a href="/zh-cn/docs/tasks/configure-pod-container/create-hostprocess-pod">HostProcess 容器</a> 的能力,这使得对 Windows 节点的特权访问成为可能。Baseline 策略中禁止对宿主的特权访问。{{< feature-state for_k8s_version="v1.23" state="beta" >}}
</p>
<p><strong><!--Restricted Fields-->限制的字段</strong></p>
<ul>
<li><code>spec.securityContext.windowsOptions.hostProcess</code></li>
<li><code>spec.containers[*].securityContext.windowsOptions.hostProcess</code></li>
<li><code>spec.initContainers[*].securityContext.windowsOptions.hostProcess</code></li>
<li><code>spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess</code></li>
</ul>
<p><strong>Allowed Values</strong></p>
<p><strong><!--Allowed Values-->准许的取值</strong></p>
<ul>
<li>Undefined/nil</li>
<li><code>false</code></li>
</ul>
</td> -->
<td>
<p>Windows Pod 提供了运行
<a href="/zh-cn/docs/tasks/configure-pod-container/create-hostprocess-pod">HostProcess 容器</a> 的能力,
这使得对 Windows 节点的特权访问成为可能。
基线策略中对宿主的特权访问是被禁止的。
HostProcess Pod 是 Kubernetes <strong>v1.22</strong> 版本的
<strong>alpha</strong> 特性。</p>
<p><strong>限制的字段</strong></p>
<ul>
<li><code>spec.securityContext.windowsOptions.hostProcess</code></li>
<li><code>spec.containers[*].securityContext.windowsOptions.hostProcess</code></li>
<li><code>spec.initContainers[*].securityContext.windowsOptions.hostProcess</code></li>
<li><code>spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess</code></li>
</ul>
<p><strong>允许的值</strong></p>
<ul>
<li>未定义/nil</li>
<li><!--Undefined/nil-->未定义、nil</li>
<li><code>false</code></li>
</ul>
</td>
</tr>
<tr>
<!-- <td style="white-space: nowrap">Host Namespaces</td> -->
<td style="white-space: nowrap">宿主名字空间</td>
<!--
<td>
<p>Sharing the host namespaces must be disallowed.</p>
<p><strong>Restricted Fields</strong></p>
<td style="white-space: nowrap"><!--Host Namespaces-->宿主名字空间</td>
<td>
<p><!--Sharing the host namespaces must be disallowed.-->必须禁止共享宿主上的名字空间。</p>
<p><strong><!--Restricted Fields-->限制的字段</strong></p>
<ul>
<li><code>spec.hostNetwork</code></li>
<li><code>spec.hostPID</code></li>
<li><code>spec.hostIPC</code></li>
</ul>
<p><strong>Allowed Values</strong></p>
<p><strong><!--Allowed Values-->准许的取值</strong></p>
<ul>
<li>Undefined/nil</li>
<li><code>false</code></li>
</ul>
</td>
-->
<td>
<p>必须禁止共享宿主名字空间。</p>
<p><strong>限制的字段</strong></p>
<ul>
<li><code>spec.hostNetwork</code></li>
<li><code>spec.hostPID</code></li>
<li><code>spec.hostIPC</code></li>
</ul>
<p><strong>允许的值</strong></p>
<ul>
<li>未定义/nil</li>
<li><!--Undefined/nil-->未定义、nil</li>
<li><code>false</code></li>
</ul>
</td>
</tr>
<tr>
<!-- <td style="white-space: nowrap">Privileged Containers</td> -->
<td style="white-space: nowrap">特权容器</td>
<!-- <td>
<p>Privileged Pods disable most security mechanisms and must be disallowed.</p>
<p><strong>Restricted Fields</strong></p>
<ul>
<li><code>spec.containers[*].securityContext.privileged</code></li>
<li><code>spec.initContainers[*].securityContext.privileged</code></li>
<li><code>spec.ephemeralContainers[*].securityContext.privileged</code></li>
</ul>
<p><strong>Allowed Values</strong></p>
<ul>
<li>Undefined/nil</li>
<li><code>false</code></li>
</ul>
</td> -->
<td style="white-space: nowrap"><!--Privileged Containers-->特权容器</td>
<td>
<p>特权 Pod 关闭了大多数安全性机制,必须被禁止。</p>
<p><strong>限制的字段</strong></p>
<p><!--Privileged Pods disable most security mechanisms and must be disallowed.-->特权 Pod 会使大多数安全性机制失效,必须被禁止。</p>
<p><strong><!--Restricted Fields-->限制的字段</strong></p>
<ul>
<li><code>spec.containers[*].securityContext.privileged</code></li>
<li><code>spec.initContainers[*].securityContext.privileged</code></li>
<li><code>spec.ephemeralContainers[*].securityContext.privileged</code></li>
</ul>
<p><strong>允许的</strong></p>
<p><strong><!--Allowed Values-->准许的取值</strong></p>
<ul>
<li>未定义/nil</li>
<li><!--Undefined/nil-->未定义、nil</li>
<li><code>false</code></li>
</ul>
</td>
</tr>
<tr>
<!-- <td style="white-space: nowrap">Capabilities</td> -->
<td style="white-space: nowrap">权能</td>
<!-- <td>
<p>Adding additional capabilities beyond those listed below must be disallowed.</p>
<p><strong>Restricted Fields</strong></p>
<ul>
<li><code>spec.containers[*].securityContext.capabilities.add</code></li>
<li><code>spec.initContainers[*].securityContext.capabilities.add</code></li>
<li><code>spec.ephemeralContainers[*].securityContext.capabilities.add</code></li>
</ul>
<p><strong>Allowed Values</strong></p>
<ul>
<li>Undefined/nil</li>
<li><code>AUDIT_WRITE</code></li>
<li><code>CHOWN</code></li>
<li><code>DAC_OVERRIDE</code></li>
<li><code>FOWNER</code></li>
<li><code>FSETID</code></li>
<li><code>KILL</code></li>
<li><code>MKNOD</code></li>
<li><code>NET_BIND_SERVICE</code></li>
<li><code>SETFCAP</code></li>
<li><code>SETGID</code></li>
<li><code>SETPCAP</code></li>
<li><code>SETUID</code></li>
<li><code>SYS_CHROOT</code></li>
</ul>
</td> -->
<td style="white-space: nowrap"><!--Capabilities-->权能</td>
<td>
<p>必须禁止添加除下列字段之外的权能。</p>
<p><strong>限制的字段</strong></p>
<p><!--Adding additional capabilities beyond those listed below must be disallowed.-->必须禁止添加除下列字段之外的权能。</p>
<p><strong><!--Restricted Fields-->限制的字段</strong></p>
<ul>
<li><code>spec.containers[*].securityContext.capabilities.add</code></li>
<li><code>spec.initContainers[*].securityContext.capabilities.add</code></li>
<li><code>spec.ephemeralContainers[*].securityContext.capabilities.add</code></li>
</ul>
<p><strong>允许的</strong></p>
<p><strong><!--Allowed Values-->准许的取值</strong></p>
<ul>
<li>Undefined/nil</li>
<li><!--Undefined/nil-->未定义、nil</li>
<li><code>AUDIT_WRITE</code></li>
<li><code>CHOWN</code></li>
<li><code>DAC_OVERRIDE</code></li>
@ -259,150 +183,74 @@ fail validation.
</td>
</tr>
<tr>
<!-- <td style="white-space: nowrap">HostPath Volumes</td>-->
<td style="white-space: nowrap">HostPath 卷</td>
<!-- <td>
<p>HostPath volumes must be forbidden.</p>
<p><strong>Restricted Fields</strong></p>
<ul>
<li><code>spec.volumes[*].hostPath</code></li>
</ul>
<p><strong>Allowed Values</strong></p>
<ul>
<li>Undefined/nil</li>
</ul>
</td> -->
<td style="white-space: nowrap"><!--HostPath Volumes-->HostPath 卷</td>
<td>
<p>必须禁止 HostPath 卷。</p>
<p><strong>限制的字段</strong></p>
<p><!--HostPath volumes must be forbidden.-->必须禁止 HostPath 卷。</p>
<p><strong><!--Restricted Fields-->限制的字段</strong></p>
<ul>
<li><code>spec.volumes[*].hostPath</code></li>
</ul>
<p><strong>允许的</strong></p>
<p><strong><!--Allowed Values-->准许的取值</strong></p>
<ul>
<li>未定义/nil</li>
<li><!--Undefined/nil-->未定义、nil</li>
</ul>
</td>
<td>
</tr>
<tr>
<!-- <td style="white-space: nowrap">Host Ports</td> -->
<td style="white-space: nowrap">宿主端口</td>
<!-- <td>
<p>HostPorts should be disallowed, or at minimum restricted to a known list.</p>
<p><strong>Restricted Fields</strong></p>
<td style="white-space: nowrap"><!--Host Ports-->宿主端口</td>
<td>
<p><!--HostPorts should be disallowed, or at minimum restricted to a known list.-->应该禁止使用宿主端口,或者至少限制只能使用某确定列表中的端口。</p>
<p><strong><!--Restricted Fields-->限制的字段</strong></p>
<ul>
<li><code>spec.containers[*].ports[*].hostPort</code></li>
<li><code>spec.initContainers[*].ports[*].hostPort</code></li>
<li><code>spec.ephemeralContainers[*].ports[*].hostPort</code></li>
</ul>
<p><strong>Allowed Values</strong></p>
<p><strong><!--Allowed Values-->准许的取值</strong></p>
<ul>
<li>Undefined/nil</li>
<li>Known list</li>
<li><code>0</code></li>
</ul>
</td>-->
<td>
<p>应禁止使用宿主端口,或者至少限定为已知列表。</p>
<p><strong>限制的字段</strong></p>
<ul>
<li><code>spec.containers[*].ports[*].hostPort</code></li>
<li><code>spec.initContainers[*].ports[*].hostPort</code></li>
<li><code>spec.ephemeralContainers[*].ports[*].hostPort</code></li>
</ul>
<p><strong>允许的值</strong></p>
<ul>
<li>未定义/nil</li>
<li>已知列表</li>
<li><!--Undefined/nil-->未定义、nil</li>
<li><!--Known list-->已知列表</li>
<li><code>0</code></li>
</ul>
</td>
</tr>
<tr>
<!-- <td style="white-space: nowrap">AppArmor</td> -->
<td style="white-space: nowrap">AppArmor</td>
<!-- <td>
<p>On supported hosts, the <code>runtime/default</code> AppArmor profile is applied by default. The baseline policy should prevent overriding or disabling the default AppArmor profile, or restrict overrides to an allowed set of profiles.</p>
<p><strong>Restricted Fields</strong></p>
<ul>
<li><code>metadata.annotations["container.apparmor.security.beta.kubernetes.io/*"]</code></li>
</ul>
<p><strong>Allowed Values</strong></p>
<ul>
<li>Undefined/nil</li>
<li><code>runtime/default</code></li>
<li><code>localhost/*</code></li>
</ul>
</td> -->
<td>
<p>在受支持的主机上,默认使用 <code>runtime/default</code> AppArmor Profile。
基线策略应避免覆盖或者禁用默认策略,以及限制覆盖一些 Profile 集合的权限。</p>
<p><strong>限制的字段</strong></p>
<p><!--On supported hosts, the <code>runtime/default</code> AppArmor profile is applied by default. The baseline policy should prevent overriding or disabling the default AppArmor profile, or restrict overrides to an allowed set of profiles.-->在受支持的主机上,默认使用 <code>runtime/default</code> AppArmor 配置。Baseline 策略应避免覆盖或者禁用默认策略,以及限制覆盖一些配置集合的权限。</p>
<p><strong><!--Restricted Fields-->限制的字段</strong></p>
<ul>
<li><code>metadata.annotations["container.apparmor.security.beta.kubernetes.io/*"]</code></li>
</ul>
<p><strong>允许的</strong></p>
<p><strong><!--Allowed Values-->准许的取值</strong></p>
<ul>
<li>未定义/nil</li>
<li><!--Undefined/nil-->未定义、nil</li>
<li><code>runtime/default</code></li>
<li><code>localhost/*</code></li>
</ul>
</td>
</tr>
<tr>
<!-- <td style="white-space: nowrap">SELinux</td> -->
<td style="white-space: nowrap">SELinux</td>
<!-- <td>
<p>Setting the SELinux type is restricted, and setting a custom SELinux user or role option is forbidden.</p>
<p><strong>Restricted Fields</strong></p>
<ul>
<li><code>spec.securityContext.seLinuxOptions.type</code></li>
<li><code>spec.containers[*].securityContext.seLinuxOptions.type</code></li>
<li><code>spec.initContainers[*].securityContext.seLinuxOptions.type</code></li>
<li><code>spec.ephemeralContainers[*].securityContext.seLinuxOptions.type</code></li>
</ul>
<p><strong>Allowed Values</strong></p>
<ul>
<li>Undefined/""</li>
<li><code>container_t</code></li>
<li><code>container_init_t</code></li>
<li><code>container_kvm_t</code></li>
</ul>
<hr />
<p><strong>Restricted Fields</strong></p>
<ul>
<li><code>spec.securityContext.seLinuxOptions.user</code></li>
<li><code>spec.containers[*].securityContext.seLinuxOptions.user</code></li>
<li><code>spec.initContainers[*].securityContext.seLinuxOptions.user</code></li>
<li><code>spec.ephemeralContainers[*].securityContext.seLinuxOptions.user</code></li>
<li><code>spec.securityContext.seLinuxOptions.role</code></li>
<li><code>spec.containers[*].securityContext.seLinuxOptions.role</code></li>
<li><code>spec.initContainers[*].securityContext.seLinuxOptions.role</code></li>
<li><code>spec.ephemeralContainers[*].securityContext.seLinuxOptions.role</code></li>
</ul>
<p><strong>Allowed Values</strong></p>
<ul>
<li>Undefined/""</li>
</ul>
</td>-->
<td>
<p>设置 SELinux 类型的操作是被限制的,设置自定义的 SELinux 用户或角色选项是被禁止的。</p>
<p><strong>限制的字段</strong></p>
<p><!--Setting the SELinux type is restricted, and setting a custom SELinux user or role option is forbidden.-->设置 SELinux 类型的操作是被限制的,设置自定义的 SELinux 用户或角色选项是被禁止的。</p>
<p><strong><!--Restricted Fields-->限制的字段</strong></p>
<ul>
<li><code>spec.securityContext.seLinuxOptions.type</code></li>
<li><code>spec.containers[*].securityContext.seLinuxOptions.type</code></li>
<li><code>spec.initContainers[*].securityContext.seLinuxOptions.type</code></li>
<li><code>spec.ephemeralContainers[*].securityContext.seLinuxOptions.type</code></li>
</ul>
<p><strong>允许的</strong></p>
<p><strong><!--Allowed Values-->准许的取值</strong></p>
<ul>
<li>未定义/""</li>
<li><!--Undefined/""-->未定义、""</li>
<li><code>container_t</code></li>
<li><code>container_init_t</code></li>
<li><code>container_kvm_t</code></li>
</ul>
<hr />
<p><strong>限制的字段</strong></p>
<p><strong><!--Restricted Fields-->限制的字段</strong></p>
<ul>
<li><code>spec.securityContext.seLinuxOptions.user</code></li>
<li><code>spec.containers[*].securityContext.seLinuxOptions.user</code></li>
@ -413,74 +261,43 @@ fail validation.
<li><code>spec.initContainers[*].securityContext.seLinuxOptions.role</code></li>
<li><code>spec.ephemeralContainers[*].securityContext.seLinuxOptions.role</code></li>
</ul>
<p><strong>允许的</strong></p>
<p><strong><!--Allowed Values-->准许的取</strong></p>
<ul>
<li>未定义/""</li>
<li><!--Undefined/""-->未定义、""</li>
</ul>
</td>
</tr>
<tr>
<!-- <td style="white-space: nowrap"><code>/proc</code> Mount Type</td> -->
<td style="white-space: nowrap"><code>/proc</code> 挂载类型</td>
<!-- <td>
<p>The default <code>/proc</code> masks are set up to reduce attack surface, and should be required.</p>
<p><strong>Restricted Fields</strong></p>
<ul>
<li><code>spec.containers[*].securityContext.procMount</code></li>
<li><code>spec.initContainers[*].securityContext.procMount</code></li>
<li><code>spec.ephemeralContainers[*].securityContext.procMount</code></li>
</ul>
<p><strong>Allowed Values</strong></p>
<ul>
<li>Undefined/nil</li>
<li><code>Default</code></li>
</ul>
</td> -->
<td style="white-space: nowrap"><code>/proc</code><!--Mount Type-->挂载类型</td>
<td>
<p>要求使用默认的 <code>/proc</code> 掩码以减小攻击面。</p>
<p><strong>限制的字段</strong></p>
<p><!--The default <code>/proc</code> masks are set up to reduce attack surface, and should be required.-->要求使用默认的 <code>/proc</code> 掩码以减小攻击面。</p>
<p><strong><!--Restricted Fields-->限制的字段</strong></p>
<ul>
<li><code>spec.containers[*].securityContext.procMount</code></li>
<li><code>spec.initContainers[*].securityContext.procMount</code></li>
<li><code>spec.ephemeralContainers[*].securityContext.procMount</code></li>
</ul>
<p><strong>允许的</strong></p>
<p><strong><!--Allowed Values-->准许的取值</strong></p>
<ul>
<li>未定义/nil</li>
<li><!--Undefined/nil-->未定义、nil</li>
<li><code>Default</code></li>
</ul>
</td>
</tr>
<tr>
<td>Seccomp</td>
<!-- <td>
<p>Seccomp profile must not be explicitly set to <code>Unconfined</code>.</p>
<p><strong>Restricted Fields</strong></p>
<td>
<p><!--Seccomp profile must not be explicitly set to <code>Unconfined</code>.-->Seccomp 配置必须不能显式设置为 <code>Unconfined</code></p>
<p><strong><!--Restricted Fields-->限制的字段</strong></p>
<ul>
<li><code>spec.securityContext.seccompProfile.type</code></li>
<li><code>spec.containers[*].securityContext.seccompProfile.type</code></li>
<li><code>spec.initContainers[*].securityContext.seccompProfile.type</code></li>
<li><code>spec.ephemeralContainers[*].securityContext.seccompProfile.type</code></li>
</ul>
<p><strong>Allowed Values</strong></p>
<p><strong><!--Allowed Values-->准许的取值</strong></p>
<ul>
<li>Undefined/nil</li>
<li><code>RuntimeDefault</code></li>
<li><code>Localhost</code></li>
</ul>
</td> -->
<td>
<p>Seccomp Profile 禁止被显式设置为 <code>Unconfined</code></p>
<p><strong>限制的字段</strong></p>
<ul>
<li><code>spec.securityContext.seccompProfile.type</code></li>
<li><code>spec.containers[*].securityContext.seccompProfile.type</code></li>
<li><code>spec.initContainers[*].securityContext.seccompProfile.type</code></li>
<li><code>spec.ephemeralContainers[*].securityContext.seccompProfile.type</code></li>
</ul>
<p><strong>允许的值</strong></p>
<ul>
<li>未定义/nil</li>
<li><!--Undefined/nil-->未定义、nil</li>
<li><code>RuntimeDefault</code></li>
<li><code>Localhost</code></li>
</ul>
@ -488,32 +305,15 @@ fail validation.
</tr>
<tr>
<td>Sysctls</td>
<!-- <td>
<p>Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed "safe" subset. A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node.</p>
<p><strong>Restricted Fields</strong></p>
<ul>
<li><code>spec.securityContext.sysctls[*].name</code></li>
</ul>
<p><strong>Allowed Values</strong></p>
<ul>
<li>Undefined/nil</li>
<li><code>kernel.shm_rmid_forced</code></li>
<li><code>net.ipv4.ip_local_port_range</code></li>
<li><code>net.ipv4.ip_unprivileged_port_start</code></li>
<li><code>net.ipv4.tcp_syncookies</code></li>
<li><code>net.ipv4.ping_group_range</code></li>
</ul>
</td> -->
<td>
<p>Sysctls 可以禁用安全机制或影响宿主上所有容器,因此除了若干“安全”的子集之外,应该被禁止。
如果某 sysctl 是受容器或 Pod 的名字空间限制,且与节点上其他 Pod 或进程相隔离,可认为是安全的。</p>
<p><strong>限制的字段</strong></p>
<p><!--Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed "safe" subset. A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node.-->Sysctls 可以禁用安全机制或影响宿主上所有容器,因此除了若干“安全”的子集之外,应该被禁止。如果某 sysctl 是受容器或 Pod 的名字空间限制,且与节点上其他 Pod 或进程相隔离,可认为是安全的。</p>
<p><strong><!--Restricted Fields-->限制的字段</strong></p>
<ul>
<li><code>spec.securityContext.sysctls[*].name</code></li>
</ul>
<p><strong>允许的</strong></p>
<p><strong><!--Allowed Values-->准许的取值</strong></p>
<ul>
<li>未定义/nil</li>
<li><!--Undefined/nil-->未定义、nil</li>
<li><code>kernel.shm_rmid_forced</code></li>
<li><code>net.ipv4.ip_local_port_range</code></li>
<li><code>net.ipv4.ip_unprivileged_port_start</code></li>
@ -532,66 +332,43 @@ fail validation.
expense of some compatibility.** It is targeted at operators and developers of security-critical
applications, as well as lower-trust users. The following listed controls should be
enforced/disallowed:
In this table, wildcards (`*`) indicate all elements in a list. For example,
`spec.containers[*].securityContext` refers to the Security Context object for _all defined
containers_. If any of the listed containers fails to meet the requirements, the entire pod will
fail validation.
-->
**_Restricted_ 策略旨在实施当前保护 Pod 的最佳实践,尽管这样作可能会牺牲一些兼容性。**
该类策略主要针对运维人员和安全性很重要的应用的开发人员,以及不太被信任的用户。
下面列举的控制需要被实施(禁止):
{{< note >}}
<!--
In this table, wildcards (`*`) indicate all elements in a list. For example,
`spec.containers[*].securityContext` refers to the Security Context object for _all defined
containers_. If any of the listed containers fails to meet the requirements, the entire pod will
fail validation.
-->
在下述表格中,通配符(`*`)意味着一个列表中的所有元素。
例如 `spec.containers[*].securityContext` 表示 _所定义的所有容器_ 的安全性上下文对象。
例如 `spec.containers[*].securityContext` 表示 **所定义的所有容器** 的安全性上下文对象。
如果所列出的任一容器不能满足要求,整个 Pod 将无法通过校验。
{{< /note >}}
<table>
<!-- caption style="display:none">Restricted policy specification</caption -->
<caption style="display:none">Restricted 策略规范</caption>
<caption style="display:none"><!--Restricted policy specification-->Restricted 策略规范</caption>
<tbody>
<tr>
<!-- td><strong>Control</strong></td -->
<td width="30%"><strong>控制Control</strong></td>
<!-- td><strong>Policy</strong></td -->
<td><strong>策略Policy</strong></td>
<td width="30%"><strong><!--Control-->控制</strong></td>
<td><strong><!--Policy-->策略</strong></td>
</tr>
<tr>
<!-- <td colspan="2"><em>Everything from the baseline profile.</em></td> -->
<td colspan="2"><em>基线策略的所有要求。</em></td>
<td colspan="2"><em><!--Everything from the baseline profile.-->Baseline 策略的所有要求。</em></td>
</tr>
<tr>
<!-- <td style="white-space: nowrap">Volume Types</td>
<td style="white-space: nowrap"><!--Volume Types-->卷类型</td>
<td>
<p>In addition to restricting HostPath volumes, the restricted policy limits usage of non-core volume types to those defined through PersistentVolumes.</p>
<p><strong>Restricted Fields</strong></p>
<p><!--In addition to restricting HostPath volumes, the restricted policy limits usage of non-core volume types to those defined through PersistentVolumes.-->除了限制 HostPath 卷之外,此类策略还限制可以通过 PersistentVolumes 定义的非核心卷类型。</p>
<p><strong><!--Restricted Fields-->限制的字段</strong></p>
<ul>
<li><code>spec.volumes[*]</code></li>
</ul>
<p><strong>Allowed Values</strong></p>
Every item in the <code>spec.volumes[*]</code> list must set one of the following fields to a non-null value:
<ul>
<li><code>spec.volumes[*].configMap</code></li>
<li><code>spec.volumes[*].csi</code></li>
<li><code>spec.volumes[*].downwardAPI</code></li>
<li><code>spec.volumes[*].emptyDir</code></li>
<li><code>spec.volumes[*].ephemeral</code></li>
<li><code>spec.volumes[*].persistentVolumeClaim</code></li>
<li><code>spec.volumes[*].projected</code></li>
<li><code>spec.volumes[*].secret</code></li>
</ul>
</td> -->
<td>卷类型</td>
<td>
<p>除了限制 HostPath 卷之外,此类策略还限制可以通过 PersistentVolumes 定义的非核心卷类型。</p>
<p><strong>限制的字段</strong></p>
<ul>
<li><code>spec.volumes[*]</code></li>
</ul>
<p><strong>允许的值</strong></p>
<code>spec.volumes[*]</code> 列表中的每个条目必须将下面字段之一设置为非空值:
<p><strong><!--Allowed Values-->准许的取值</strong></p>
<!--Every item in the <code>spec.volumes[*]</code> list must set one of the following fields to a non-null value:--><code>spec.volumes[*]</code> 列表中的每个条目必须将下面字段之一设置为非空值:
<ul>
<li><code>spec.volumes[*].configMap</code></li>
<li><code>spec.volumes[*].csi</code></li>
@ -605,210 +382,107 @@ fail validation.
</td>
</tr>
<tr>
<!-- <td style="white-space: nowrap">Privilege Escalation (v1.8+)</td>
<td style="white-space: nowrap"><!--Privilege Escalation (v1.8+)-->特权提升v1.8+</td>
<td>
<p>Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed.</p>
<p><strong>Restricted Fields</strong></p>
<p><!--Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed.-->禁止(通过 SetUID 或 SetGID 文件模式)获得特权提升。</p>
<p><strong><!--Restricted Fields-->限制的字段</strong></p>
<ul>
<li><code>spec.containers[*].securityContext.allowPrivilegeEscalation</code></li>
<li><code>spec.initContainers[*].securityContext.allowPrivilegeEscalation</code></li>
<li><code>spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation</code></li>
</ul>
<p><strong>Allowed Values</strong></p>
<ul>
<li><code>false</code></li>
</ul>
</td> -->
<td style="white-space: nowrap">特权提升v1.8+</td>
<td>
<p>禁止(通过 SetUID 或 SetGID 文件模式)获得特权提升。</p>
<br>
<p><strong>限制的字段</strong></p>
<ul>
<li><code>spec.containers[*].securityContext.allowPrivilegeEscalation</code></li>
<li><code>spec.initContainers[*].securityContext.allowPrivilegeEscalation</code></li>
<li><code>spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation</code></li>
</ul>
<p><strong>允许的值</strong></p>
<p><strong><!--Allowed Values-->允许的取值</strong></p>
<ul>
<li><code>false</code></li>
</ul>
</td>
</tr>
<tr>
<!-- <td style="white-space: nowrap">Running as Non-root</td> -->
<td style="white-space: nowrap">以非 root 账号运行 </td>
<!-- <td>
<p>Containers must be required to run as non-root users.</p>
<p><strong>Restricted Fields</strong></p>
<td style="white-space: nowrap"><!--Running as Non-root-->以非 root 账号运行</td>
<td>
<p><!--Containers must be required to run as non-root users.-->容器必须以非 root 账号运行。</p>
<p><strong><!--Restricted Fields-->限制的字段</strong></p>
<ul>
<li><code>spec.securityContext.runAsNonRoot</code></li>
<li><code>spec.containers[*].securityContext.runAsNonRoot</code></li>
<li><code>spec.initContainers[*].securityContext.runAsNonRoot</code></li>
<li><code>spec.ephemeralContainers[*].securityContext.runAsNonRoot</code></li>
</ul>
<p><strong>Allowed Values</strong></p>
<p><strong><!--Allowed Values-->准许的取值</strong></p>
<ul>
<li><code>true</code></li>
</ul>
<small>
The container fields may be undefined/<code>nil</code> if the pod-level
<code>spec.securityContext.runAsNonRoot</code> is set to <code>true</code>.
</small>
</td> -->
<td>
<p>必须要求容器以非 root 用户运行。</p>
<p><strong>限制的字段</strong></p>
<ul>
<li><code>spec.securityContext.runAsNonRoot</code></li>
<li><code>spec.containers[*].securityContext.runAsNonRoot</code></li>
<li><code>spec.initContainers[*].securityContext.runAsNonRoot</code></li>
<li><code>spec.ephemeralContainers[*].securityContext.runAsNonRoot</code></li>
</ul>
<p><strong>允许的值</strong></p>
<ul>
<li><code>true</code></li>
</ul>
<small>
如果 Pod 级别 <code>spec.securityContext.runAsNonRoot</code> 设置为
<code>true</code>,则允许容器组的安全上下文字段设置为 未定义/<code>nil</code>
<!--The container fields may be undefined/<code>nil</code> if the pod-level
<code>spec.securityContext.runAsNonRoot</code> is set to <code>true</code>.-->如果 Pod 级别 <code>spec.securityContext.runAsNonRoot</code> 设置为 <code>true</code>,则允许容器组的安全上下文字段设置为 未定义/<code>nil</code>
</small>
</td>
</tr>
<tr>
<!-- <td style="white-space: nowrap">Running as Non-root user (v1.23+)</td> -->
<td style="white-space: nowrap">非 root 用户v1.23+</td>
<td style="white-space: nowrap"><!--Running as Non-root user (v1.23+)-->非 root 用户v1.23+</td>
<td>
<!--
<p>Containers must not set <tt>runAsUser</tt> to 0</p>
<p><strong>Restricted Fields</strong></p>
<p><!--Containers must not set <tt>runAsUser</tt> to 0-->容器不可以将 <tt>runAsUser</tt> 设置为 0</p>
<p><strong><!--Restricted Fields-->限制的字段</strong></p>
<ul>
<li><code>spec.securityContext.runAsUser</code></li>
<li><code>spec.containers[*].securityContext.runAsUser</code></li>
<li><code>spec.initContainers[*].securityContext.runAsUser</code></li>
<li><code>spec.ephemeralContainers[*].securityContext.runAsUser</code></li>
</ul>
<p><strong>Allowed Values</strong></p>
<p><strong><!--Allowed Values-->准许的取值</strong></p>
<ul>
<li>any non-zero value</li>
<li><!--any non-zero value-->所有的非零值</li>
<li><code>undefined/null</code></li>
</ul>
</td> -->
<p>Containers 不可以将 <tt>runAsUser</tt> 设置为 0</p>
<p><strong>限制的字段</strong></p>
<ul>
<li><code>spec.securityContext.runAsUser</code></li>
<li><code>spec.containers[*].securityContext.runAsUser</code></li>
<li><code>spec.initContainers[*].securityContext.runAsUser</code></li>
<li><code>spec.ephemeralContainers[*].securityContext.runAsUser</code></li>
</ul>
<p><strong>允许的字段</strong></p>
<ul>
<li>any non-zero value</li>
<li><code>未定义/空值</code></li>
</ul>
</td>
</tr>
<tr>
<td style="white-space: nowrap">Seccomp (v1.19+)</td>
<td>
<!-- <td>
<p>Seccomp profile must be explicitly set to one of the allowed values. Both the <code>Unconfined</code> profile and the <em>absence</em> of a profile are prohibited.</p>
<p><strong>Restricted Fields</strong></p>
<p><!--Seccomp profile must be explicitly set to one of the allowed values. Both the <code>Unconfined</code> profile and the <em>absence</em> of a profile are prohibited.-->Seccomp Profile 必须被显式设置成一个允许的值。禁止使用 <code>Unconfined</code> Profile 或者指定 <em>不存在的</em> Profile。</p>
<p><strong><!--Restricted Fields-->限制的字段</strong></p>
<ul>
<li><code>spec.securityContext.seccompProfile.type</code></li>
<li><code>spec.containers[*].securityContext.seccompProfile.type</code></li>
<li><code>spec.initContainers[*].securityContext.seccompProfile.type</code></li>
<li><code>spec.ephemeralContainers[*].securityContext.seccompProfile.type</code></li>
</ul>
<p><strong>Allowed Values</strong></p>
<p><strong><!--Allowed Values-->准许的取值</strong></p>
<ul>
<li><code>RuntimeDefault</code></li>
<li><code>Localhost</code></li>
</ul>
<small>
The container fields may be undefined/<code>nil</code> if the pod-level
<code>spec.securityContext.seccompProfile.type</code> field is set appropriately.
Conversely, the pod-level field may be undefined/<code>nil</code> if _all_ container-
level fields are set.
<!--The container fields may be undefined/<code>nil</code> if the pod-level <code>spec.securityContext.seccompProfile.type</code> field is set appropriately. Conversely, the pod-level field may be undefined/<code>nil</code> if _all_ container- level fields are set.-->如果 Pod 级别的 <code>spec.securityContext.seccompProfile.type</code> 已设置得当,容器级别的安全上下文字段可以为 未定义/<code>nil</code>。反而言之,如果 <bold>所有的</bold> 容器级别的安全上下文字段已设置,则 Pod 级别的字段可为 未定义/<code>nil</code>
</small>
</td> -->
<p>Seccomp Profile 必须被显式设置成一个允许的值。禁止使用 <code>Unconfined</code>
Profile 或者指定 <em>不存在的</em> Profile。</p>
<p><strong>限制的字段</strong></p>
<ul>
<li><code>spec.securityContext.seccompProfile.type</code></li>
<li><code>spec.containers[*].securityContext.seccompProfile.type</code></li>
<li><code>spec.initContainers[*].securityContext.seccompProfile.type</code></li>
<li><code>spec.ephemeralContainers[*].securityContext.seccompProfile.type</code></li>
</ul>
<p><strong>允许的值</strong></p>
<ul>
<li><code>RuntimeDefault</code></li>
<li><code>Localhost</code></li>
</ul>
<small>
如果 Pod 级别的 <code>spec.securityContext.seccompProfile.type</code>
已设置得当,容器级别的安全上下文字段可以为 未定义/<code>nil</code>
反过来说,如果 _所有的_ 容器级别的安全上下文字段已设置,则 Pod 级别的字段可为 未定义/<code>nil</code>
</small>
</td>
</td>
</tr>
<tr>
<!-- <td style="white-space: nowrap">Capabilities (v1.22+)</td> -->
<td style="white-space: nowrap">权能v1.22+</td>
<!-- <td>
<tr>
<td style="white-space: nowrap"><!--Capabilities (v1.22+) -->权能v1.22+</td>
<td>
<p>
Containers must drop <code>ALL</code> capabilities, and are only permitted to add back
the <code>NET_BIND_SERVICE</code> capability.
<!--Containers must drop <code>ALL</code> capabilities, and are only permitted to add back the <code>NET_BIND_SERVICE</code> capability.-->容器必须弃用 <code>ALL</code> 权能,并且只允许添加 <code>NET_BIND_SERVICE</code> 权能。
</p>
<p><strong>Restricted Fields</strong></p>
<p><strong><!--Restricted Fields-->限制的字段</strong></p>
<ul>
<li><code>spec.containers[*].securityContext.capabilities.drop</code></li>
<li><code>spec.initContainers[*].securityContext.capabilities.drop</code></li>
<li><code>spec.ephemeralContainers[*].securityContext.capabilities.drop</code></li>
</ul>
<p><strong>Allowed Values</strong></p>
<p><strong><!--Allowed Values-->准许的取值</strong></p>
<ul>
<li>Any list of capabilities that includes <code>ALL</code></li>
<li><!--Any list of capabilities that includes <code>ALL</code>-->包括 <code>ALL</code> 在内的任意权能列表。</li>
</ul>
<hr />
<p><strong>Restricted Fields</strong></p>
<p><strong><!--Restricted Fields-->限制的字段</strong></p>
<ul>
<li><code>spec.containers[*].securityContext.capabilities.add</code></li>
<li><code>spec.initContainers[*].securityContext.capabilities.add</code></li>
<li><code>spec.ephemeralContainers[*].securityContext.capabilities.add</code></li>
</ul>
<p><strong>Allowed Values</strong></p>
<p><strong><!--Allowed Values-->准许的取值</strong></p>
<ul>
<li>Undefined/nil</li>
<li><code>NET_BIND_SERVICE</code></li>
</ul>
</td> -->
<td>
<p>
容器组必须弃用 <code>ALL</code> 权能,并且只允许添加 <code>NET_BIND_SERVICE</code> 权能。
</p>
<p><strong>限制的字段</strong></p>
<ul>
<li><code>spec.containers[*].securityContext.capabilities.drop</code></li>
<li><code>spec.initContainers[*].securityContext.capabilities.drop</code></li>
<li><code>spec.ephemeralContainers[*].securityContext.capabilities.drop</code></li>
</ul>
<p><strong>允许的值</strong></p>
<ul>
<li>包含 <code>ALL</code> 的任何一种权能列表。</li>
</ul>
<hr />
<p><strong>限制的字段</strong></p>
<ul>
<li><code>spec.containers[*].securityContext.capabilities.add</code></li>
<li><code>spec.initContainers[*].securityContext.capabilities.add</code></li>
<li><code>spec.ephemeralContainers[*].securityContext.capabilities.add</code></li>
</ul>
<p><strong>允许的值</strong></p>
<ul>
<li>未定义/nil</li>
<li><!--Undefined/nil-->未定义、nil</li>
<li><code>NET_BIND_SERVICE</code></li>
</ul>
</td>
@ -833,12 +507,18 @@ of individual policies are not defined here.
随着相关机制的成熟,这些机制会按策略分别定义在下面。特定策略的实施方法不在这里定义。
<!--
[**Pod Security Admission Controller**](/docs/concepts/security/pod-security-admission/)
-->
[**Pod 安全性准入控制器**](/zh-cn/docs/concepts/security/pod-security-admission/)
- {{< example file="security/podsecurity-privileged.yaml" >}}Privileged 名字空间{{< /example >}}
- {{< example file="security/podsecurity-baseline.yaml" >}}Baseline 名字空间{{< /example >}}
- {{< example file="security/podsecurity-restricted.yaml" >}}Restricted 名字空间{{< /example >}}
<!--
[**PodSecurityPolicy**](/docs/concepts/security/pod-security-policy/) (Deprecated)
-->
[**PodSecurityPolicy**](/zh-cn/docs/concepts/security/pod-security-policy/) (已弃用)
- {{< example file="policy/privileged-psp.yaml" >}}Privileged{{< /example >}}
@ -953,7 +633,7 @@ There is not currently an API standard that controls whether a Pod is considered
not. Sandbox Pods may be identified by the use of a sandboxed runtime (such as gVisor or Kata
Containers), but there is no standard definition of what a sandboxed runtime is.
-->
### 沙箱Sandboxed Pod 怎么处理?
### 沙箱SandboxedPod 怎么处理? {#what-about-sandboxed-pods}
现在还没有 API 标准来控制 Pod 是否被视作沙箱化 Pod。
沙箱 Pod 可以通过其是否使用沙箱化运行时(如 gVisor 或 Kata Container来辨别