diff --git a/content/zh-cn/docs/concepts/security/pod-security-standards.md b/content/zh-cn/docs/concepts/security/pod-security-standards.md
index 1aafe77bf2..243bd9529c 100644
--- a/content/zh-cn/docs/concepts/security/pod-security-standards.md
+++ b/content/zh-cn/docs/concepts/security/pod-security-standards.md
@@ -21,17 +21,18 @@ weight: 10
 The Pod Security Standards define three different _policies_ to broadly cover the security
 spectrum. These policies are _cumulative_ and range from highly-permissive to highly-restrictive.
 This guide outlines the requirements of each policy.
+-->
+Pod 安全性标准定义了三种不同的 **策略（Policy）**，以广泛覆盖安全应用场景。
+这些策略是 **叠加式的（Cumulative）**，安全级别从高度宽松至高度受限。
+本指南概述了每个策略的要求。
 
+<!--
 | Profile | Description |
 | ------ | ----------- |
 | <strong style="white-space: nowrap">Privileged</strong> | Unrestricted policy, providing the widest possible level of permissions. This policy allows for known privilege escalations. |
 | <strong style="white-space: nowrap">Baseline</strong> | Minimally restrictive policy which prevents known privilege escalations. Allows the default (minimally specified) Pod configuration. |
 | <strong style="white-space: nowrap">Restricted</strong> | Heavily restricted policy, following current Pod hardening best practices. |
 -->
-Pod 安全性标准定义了三种不同的 _策略（Policy）_，以广泛覆盖安全应用场景。
-这些策略是 _渐进式的（Cumulative）_，安全级别从高度宽松至高度受限。
-本指南概述了每个策略的要求。
-
 | Profile | 描述 |
 | ------ | ----------- |
 | <strong style="white-space: nowrap">Privileged</strong> | 不受限制的策略，提供最大可能范围的权限许可。此策略允许已知的特权提升。 |
@@ -97,151 +98,74 @@ fail validation.
 			<td>控制（Control）</td>
 			<td>策略（Policy）</td>
 		</tr>
-    <tr>
+    		<tr>
 			<!-- <td style="white-space: nowrap">HostProcess</td> -->
-      <td style="white-space: nowrap">HostProcess</td>
-      <!-- <td>
-				<p>Windows pods offer the ability to run <a href="/docs/tasks/configure-pod-container/create-hostprocess-pod">HostProcess containers</a> which enables privileged access to the Windows node. Privileged access to the host is disallowed in the baseline policy. HostProcess pods are an <strong>alpha</strong> feature as of Kubernetes <strong>v1.22</strong>.</p>
-				<p><strong>Restricted Fields</strong></p>
+      			<td style="white-space: nowrap">HostProcess</td>
+      			<td>
+				<p><!--Windows pods offer the ability to run <a href="/docs/tasks/configure-pod-container/create-hostprocess-pod">HostProcess containers</a> which enables privileged access to the Windows node. Privileged access to the host is disallowed in the baseline policy. -->
+                                Windows Pod 提供了运行 <a href="/zh-cn/docs/tasks/configure-pod-container/create-hostprocess-pod">HostProcess 容器</a> 的能力，这使得对 Windows 节点的特权访问成为可能。Baseline 策略中禁止对宿主的特权访问。{{< feature-state for_k8s_version="v1.23" state="beta" >}}
+                                </p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
 				<ul>
 					<li><code>spec.securityContext.windowsOptions.hostProcess</code></li>
 					<li><code>spec.containers[*].securityContext.windowsOptions.hostProcess</code></li>
 					<li><code>spec.initContainers[*].securityContext.windowsOptions.hostProcess</code></li>
 					<li><code>spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess</code></li>
 				</ul>
-				<p><strong>Allowed Values</strong></p>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
 				<ul>
-					<li>Undefined/nil</li>
-					<li><code>false</code></li>
-				</ul>
-			</td> -->
-			<td>
-				<p>Windows Pod 提供了运行
-         <a href="/zh-cn/docs/tasks/configure-pod-container/create-hostprocess-pod">HostProcess 容器</a> 的能力，
-         这使得对 Windows 节点的特权访问成为可能。 
-         基线策略中对宿主的特权访问是被禁止的。 
-         HostProcess Pod 是 Kubernetes <strong>v1.22</strong> 版本的
-          <strong>alpha</strong> 特性。</p>
-				<p><strong>限制的字段</strong></p>
-				<ul>
-					<li><code>spec.securityContext.windowsOptions.hostProcess</code></li>
-					<li><code>spec.containers[*].securityContext.windowsOptions.hostProcess</code></li>
-					<li><code>spec.initContainers[*].securityContext.windowsOptions.hostProcess</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess</code></li>
-				</ul>
-				<p><strong>允许的值</strong></p>
-				<ul>
-					<li>未定义/nil</li>
+					<li><!--Undefined/nil-->未定义、nil</li>
 					<li><code>false</code></li>
 				</ul>
 			</td>
 		</tr>
 		<tr>
-			<!-- <td style="white-space: nowrap">Host Namespaces</td> -->
-			<td style="white-space: nowrap">宿主名字空间</td>
-			<!-- 
-      <td>
-				<p>Sharing the host namespaces must be disallowed.</p>
-				<p><strong>Restricted Fields</strong></p>
+			<td style="white-space: nowrap"><!--Host Namespaces-->宿主名字空间</td>
+                        <td>
+				<p><!--Sharing the host namespaces must be disallowed.-->必须禁止共享宿主上的名字空间。</p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
 				<ul>
 					<li><code>spec.hostNetwork</code></li>
 					<li><code>spec.hostPID</code></li>
 					<li><code>spec.hostIPC</code></li>
 				</ul>
-				<p><strong>Allowed Values</strong></p>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
 				<ul>
-					<li>Undefined/nil</li>
-					<li><code>false</code></li>
-				</ul>
-			</td>
-      -->
-			<td>
-        <p>必须禁止共享宿主名字空间。</p>
-        <p><strong>限制的字段</strong></p>
-				<ul>
-					<li><code>spec.hostNetwork</code></li>
-					<li><code>spec.hostPID</code></li>
-					<li><code>spec.hostIPC</code></li>
-				</ul>
-        <p><strong>允许的值</strong></p>
-				<ul>
-					<li>未定义/nil</li>
+					<li><!--Undefined/nil-->未定义、nil</li>
 					<li><code>false</code></li>
 				</ul>
 			</td>
 		</tr>
 		<tr>
-			<!-- <td style="white-space: nowrap">Privileged Containers</td> -->
-			<td style="white-space: nowrap">特权容器</td>
-			<!-- <td>
-				<p>Privileged Pods disable most security mechanisms and must be disallowed.</p>
-				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>spec.containers[*].securityContext.privileged</code></li>
-					<li><code>spec.initContainers[*].securityContext.privileged</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.privileged</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li>Undefined/nil</li>
-					<li><code>false</code></li>
-				</ul>
-			</td> -->
+			<td style="white-space: nowrap"><!--Privileged Containers-->特权容器</td>
 			<td>
-        <p>特权 Pod 关闭了大多数安全性机制，必须被禁止。</p>
-				<p><strong>限制的字段</strong></p>
+				<p><!--Privileged Pods disable most security mechanisms and must be disallowed.-->特权 Pod 会使大多数安全性机制失效，必须被禁止。</p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
 				<ul>
 					<li><code>spec.containers[*].securityContext.privileged</code></li>
 					<li><code>spec.initContainers[*].securityContext.privileged</code></li>
 					<li><code>spec.ephemeralContainers[*].securityContext.privileged</code></li>
 				</ul>
-				<p><strong>允许的值</strong></p>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
 				<ul>
-					<li>未定义/nil</li>
+					<li><!--Undefined/nil-->未定义、nil</li>
 					<li><code>false</code></li>
 				</ul>
 			</td>
 		</tr>
 		<tr>
-			<!-- <td style="white-space: nowrap">Capabilities</td> -->
-			<td style="white-space: nowrap">权能</td>
-			<!-- <td>
-				<p>Adding additional capabilities beyond those listed below must be disallowed.</p>
-				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>spec.containers[*].securityContext.capabilities.add</code></li>
-					<li><code>spec.initContainers[*].securityContext.capabilities.add</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.capabilities.add</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li>Undefined/nil</li>
-					<li><code>AUDIT_WRITE</code></li>
-					<li><code>CHOWN</code></li>
-					<li><code>DAC_OVERRIDE</code></li>
-					<li><code>FOWNER</code></li>
-					<li><code>FSETID</code></li>
-					<li><code>KILL</code></li>
-					<li><code>MKNOD</code></li>
-					<li><code>NET_BIND_SERVICE</code></li>
-					<li><code>SETFCAP</code></li>
-					<li><code>SETGID</code></li>
-					<li><code>SETPCAP</code></li>
-					<li><code>SETUID</code></li>
-					<li><code>SYS_CHROOT</code></li>
-				</ul>
-			</td> -->
+			<td style="white-space: nowrap"><!--Capabilities-->权能</td>
 			<td>
-        <p>必须禁止添加除下列字段之外的权能。</p>
-				<p><strong>限制的字段</strong></p>
+				<p><!--Adding additional capabilities beyond those listed below must be disallowed.-->必须禁止添加除下列字段之外的权能。</p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
 				<ul>
 					<li><code>spec.containers[*].securityContext.capabilities.add</code></li>
 					<li><code>spec.initContainers[*].securityContext.capabilities.add</code></li>
 					<li><code>spec.ephemeralContainers[*].securityContext.capabilities.add</code></li>
 				</ul>
-				<p><strong>允许的值</strong></p>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
 				<ul>
-					<li>Undefined/nil</li>
+					<li><!--Undefined/nil-->未定义、nil</li>
 					<li><code>AUDIT_WRITE</code></li>
 					<li><code>CHOWN</code></li>
 					<li><code>DAC_OVERRIDE</code></li>
@@ -259,150 +183,74 @@ fail validation.
 			</td>
 		</tr>
 		<tr>
-			<!-- <td style="white-space: nowrap">HostPath Volumes</td>-->
-			<td style="white-space: nowrap">HostPath 卷</td>
-			<!-- <td>
-				<p>HostPath volumes must be forbidden.</p>
-				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>spec.volumes[*].hostPath</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li>Undefined/nil</li>
-				</ul>
-			</td> -->
+			<td style="white-space: nowrap"><!--HostPath Volumes-->HostPath 卷</td>
 			<td>
-        <p>必须禁止 HostPath 卷。</p>
-				<p><strong>限制的字段</strong></p>
+				<p><!--HostPath volumes must be forbidden.-->必须禁止 HostPath 卷。</p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
 				<ul>
 					<li><code>spec.volumes[*].hostPath</code></li>
 				</ul>
-				<p><strong>允许的值</strong></p>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
 				<ul>
-					<li>未定义/nil</li>
+					<li><!--Undefined/nil-->未定义、nil</li>
 				</ul>
 			</td>
+			<td>
 		</tr>
 		<tr>
-			<!-- <td style="white-space: nowrap">Host Ports</td> -->
-			<td style="white-space: nowrap">宿主端口</td>
-			<!-- <td>
-				<p>HostPorts should be disallowed, or at minimum restricted to a known list.</p>
-				<p><strong>Restricted Fields</strong></p>
+			<td style="white-space: nowrap"><!--Host Ports-->宿主端口</td>
+			<td>
+				<p><!--HostPorts should be disallowed, or at minimum restricted to a known list.-->应该禁止使用宿主端口，或者至少限制只能使用某确定列表中的端口。</p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
 				<ul>
 					<li><code>spec.containers[*].ports[*].hostPort</code></li>
 					<li><code>spec.initContainers[*].ports[*].hostPort</code></li>
 					<li><code>spec.ephemeralContainers[*].ports[*].hostPort</code></li>
 				</ul>
-				<p><strong>Allowed Values</strong></p>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
 				<ul>
-					<li>Undefined/nil</li>
-					<li>Known list</li>
-					<li><code>0</code></li>
-				</ul>
-			</td>-->
-			<td>
-        <p>应禁止使用宿主端口，或者至少限定为已知列表。</p>
-        <p><strong>限制的字段</strong></p>
-				<ul>
-					<li><code>spec.containers[*].ports[*].hostPort</code></li>
-					<li><code>spec.initContainers[*].ports[*].hostPort</code></li>
-					<li><code>spec.ephemeralContainers[*].ports[*].hostPort</code></li>
-				</ul>
-				<p><strong>允许的值</strong></p>
-				<ul>
-					<li>未定义/nil</li>
-					<li>已知列表</li>
+					<li><!--Undefined/nil-->未定义、nil</li>
+					<li><!--Known list-->已知列表</li>
 					<li><code>0</code></li>
 				</ul>
 			</td>
 		</tr>
 		<tr>
-			<!-- <td style="white-space: nowrap">AppArmor</td> -->
 			<td style="white-space: nowrap">AppArmor</td>
-			<!-- <td>
-				<p>On supported hosts, the <code>runtime/default</code> AppArmor profile is applied by default. The baseline policy should prevent overriding or disabling the default AppArmor profile, or restrict overrides to an allowed set of profiles.</p>
-				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>metadata.annotations["container.apparmor.security.beta.kubernetes.io/*"]</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li>Undefined/nil</li>
-					<li><code>runtime/default</code></li>
-					<li><code>localhost/*</code></li>
-				</ul>
-			</td> -->
 			<td>
-        <p>在受支持的主机上，默认使用 <code>runtime/default</code> AppArmor Profile。
-				基线策略应避免覆盖或者禁用默认策略，以及限制覆盖一些 Profile 集合的权限。</p>
-				<p><strong>限制的字段</strong></p>
+				<p><!--On supported hosts, the <code>runtime/default</code> AppArmor profile is applied by default. The baseline policy should prevent overriding or disabling the default AppArmor profile, or restrict overrides to an allowed set of profiles.-->在受支持的主机上，默认使用 <code>runtime/default</code> AppArmor 配置。Baseline 策略应避免覆盖或者禁用默认策略，以及限制覆盖一些配置集合的权限。</p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
 				<ul>
 					<li><code>metadata.annotations["container.apparmor.security.beta.kubernetes.io/*"]</code></li>
 				</ul>
-				<p><strong>允许的值</strong></p>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
 				<ul>
-					<li>未定义/nil</li>
+					<li><!--Undefined/nil-->未定义、nil</li>
 					<li><code>runtime/default</code></li>
 					<li><code>localhost/*</code></li>
 				</ul>
 			</td>
 		</tr>
 		<tr>
-			<!-- <td style="white-space: nowrap">SELinux</td> -->
 			<td style="white-space: nowrap">SELinux</td>
-			<!-- <td>
-				<p>Setting the SELinux type is restricted, and setting a custom SELinux user or role option is forbidden.</p>
-				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>spec.securityContext.seLinuxOptions.type</code></li>
-					<li><code>spec.containers[*].securityContext.seLinuxOptions.type</code></li>
-					<li><code>spec.initContainers[*].securityContext.seLinuxOptions.type</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.seLinuxOptions.type</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li>Undefined/""</li>
-					<li><code>container_t</code></li>
-					<li><code>container_init_t</code></li>
-					<li><code>container_kvm_t</code></li>
-				</ul>
-				<hr />
-				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>spec.securityContext.seLinuxOptions.user</code></li>
-					<li><code>spec.containers[*].securityContext.seLinuxOptions.user</code></li>
-					<li><code>spec.initContainers[*].securityContext.seLinuxOptions.user</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.seLinuxOptions.user</code></li>
-					<li><code>spec.securityContext.seLinuxOptions.role</code></li>
-					<li><code>spec.containers[*].securityContext.seLinuxOptions.role</code></li>
-					<li><code>spec.initContainers[*].securityContext.seLinuxOptions.role</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.seLinuxOptions.role</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li>Undefined/""</li>
-				</ul>
-			</td>-->
 			<td>
-        <p>设置 SELinux 类型的操作是被限制的，设置自定义的 SELinux 用户或角色选项是被禁止的。</p>
-        <p><strong>限制的字段</strong></p>
+				<p><!--Setting the SELinux type is restricted, and setting a custom SELinux user or role option is forbidden.-->设置 SELinux 类型的操作是被限制的，设置自定义的 SELinux 用户或角色选项是被禁止的。</p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
 				<ul>
 					<li><code>spec.securityContext.seLinuxOptions.type</code></li>
 					<li><code>spec.containers[*].securityContext.seLinuxOptions.type</code></li>
 					<li><code>spec.initContainers[*].securityContext.seLinuxOptions.type</code></li>
 					<li><code>spec.ephemeralContainers[*].securityContext.seLinuxOptions.type</code></li>
 				</ul>
-				<p><strong>允许的值</strong></p>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
 				<ul>
-					<li>未定义/""</li>
+					<li><!--Undefined/""-->未定义、""</li>
 					<li><code>container_t</code></li>
 					<li><code>container_init_t</code></li>
 					<li><code>container_kvm_t</code></li>
 				</ul>
 				<hr />
-				<p><strong>限制的字段</strong></p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
 				<ul>
 					<li><code>spec.securityContext.seLinuxOptions.user</code></li>
 					<li><code>spec.containers[*].securityContext.seLinuxOptions.user</code></li>
@@ -413,74 +261,43 @@ fail validation.
 					<li><code>spec.initContainers[*].securityContext.seLinuxOptions.role</code></li>
 					<li><code>spec.ephemeralContainers[*].securityContext.seLinuxOptions.role</code></li>
 				</ul>
-				<p><strong>允许的值</strong></p>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
 				<ul>
-					<li>未定义/""</li>
+					<li><!--Undefined/""-->未定义、""</li>
 				</ul>
 			</td>
 		</tr>
 		<tr>
-			<!-- <td style="white-space: nowrap"><code>/proc</code> Mount Type</td> -->
-			<td style="white-space: nowrap"><code>/proc</code> 挂载类型</td>
-			<!-- <td>
-				<p>The default <code>/proc</code> masks are set up to reduce attack surface, and should be required.</p>
-				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>spec.containers[*].securityContext.procMount</code></li>
-					<li><code>spec.initContainers[*].securityContext.procMount</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.procMount</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li>Undefined/nil</li>
-					<li><code>Default</code></li>
-				</ul>
-			</td> -->
+			<td style="white-space: nowrap"><code>/proc</code><!--Mount Type-->挂载类型</td>
 			<td>
-        <p>要求使用默认的 <code>/proc</code> 掩码以减小攻击面。</p>
-				<p><strong>限制的字段</strong></p>
+				<p><!--The default <code>/proc</code> masks are set up to reduce attack surface, and should be required.-->要求使用默认的 <code>/proc</code> 掩码以减小攻击面。</p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
 				<ul>
 					<li><code>spec.containers[*].securityContext.procMount</code></li>
 					<li><code>spec.initContainers[*].securityContext.procMount</code></li>
 					<li><code>spec.ephemeralContainers[*].securityContext.procMount</code></li>
 				</ul>
-				<p><strong>允许的值</strong></p>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
 				<ul>
-					<li>未定义/nil</li>
+					<li><!--Undefined/nil-->未定义、nil</li>
 					<li><code>Default</code></li>
 				</ul>
 			</td>
 		</tr>
     <tr>
   			<td>Seccomp</td>
-  			<!-- <td>
-  				<p>Seccomp profile must not be explicitly set to <code>Unconfined</code>.</p>
-  				<p><strong>Restricted Fields</strong></p>
+  			<td>
+  				<p><!--Seccomp profile must not be explicitly set to <code>Unconfined</code>.-->Seccomp 配置必须不能显式设置为 <code>Unconfined</code>。</p>
+  				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
 				<ul>
 					<li><code>spec.securityContext.seccompProfile.type</code></li>
 					<li><code>spec.containers[*].securityContext.seccompProfile.type</code></li>
 					<li><code>spec.initContainers[*].securityContext.seccompProfile.type</code></li>
 					<li><code>spec.ephemeralContainers[*].securityContext.seccompProfile.type</code></li>
 				</ul>
-				<p><strong>Allowed Values</strong></p>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
 				<ul>
-					<li>Undefined/nil</li>
-					<li><code>RuntimeDefault</code></li>
-					<li><code>Localhost</code></li>
-				</ul>
-  			</td> -->
-        <td>
-  				<p>Seccomp Profile 禁止被显式设置为 <code>Unconfined</code>。</p>
-  				<p><strong>限制的字段</strong></p>
-				<ul>
-					<li><code>spec.securityContext.seccompProfile.type</code></li>
-					<li><code>spec.containers[*].securityContext.seccompProfile.type</code></li>
-					<li><code>spec.initContainers[*].securityContext.seccompProfile.type</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.seccompProfile.type</code></li>
-				</ul>
-				<p><strong>允许的值</strong></p>
-				<ul>
-					<li>未定义/nil</li>
+					<li><!--Undefined/nil-->未定义、nil</li>
 					<li><code>RuntimeDefault</code></li>
 					<li><code>Localhost</code></li>
 				</ul>
@@ -488,32 +305,15 @@ fail validation.
   		</tr>
 		<tr>
 			<td>Sysctls</td>
-			<!-- <td>
-				<p>Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed "safe" subset. A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node.</p>
-				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>spec.securityContext.sysctls[*].name</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li>Undefined/nil</li>
-					<li><code>kernel.shm_rmid_forced</code></li>
-					<li><code>net.ipv4.ip_local_port_range</code></li>
-					<li><code>net.ipv4.ip_unprivileged_port_start</code></li>
-					<li><code>net.ipv4.tcp_syncookies</code></li>
-					<li><code>net.ipv4.ping_group_range</code></li>
-				</ul>
-			</td> -->
 			<td>
-        <p>Sysctls 可以禁用安全机制或影响宿主上所有容器，因此除了若干“安全”的子集之外，应该被禁止。
-				如果某 sysctl 是受容器或 Pod 的名字空间限制，且与节点上其他 Pod 或进程相隔离，可认为是安全的。</p>
-				<p><strong>限制的字段</strong></p>
+				<p><!--Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed "safe" subset. A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node.-->Sysctls 可以禁用安全机制或影响宿主上所有容器，因此除了若干“安全”的子集之外，应该被禁止。如果某 sysctl 是受容器或 Pod 的名字空间限制，且与节点上其他 Pod 或进程相隔离，可认为是安全的。</p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
 				<ul>
 					<li><code>spec.securityContext.sysctls[*].name</code></li>
 				</ul>
-				<p><strong>允许的值</strong></p>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
 				<ul>
-					<li>未定义/nil</li>
+					<li><!--Undefined/nil-->未定义、nil</li>
 					<li><code>kernel.shm_rmid_forced</code></li>
 					<li><code>net.ipv4.ip_local_port_range</code></li>
 					<li><code>net.ipv4.ip_unprivileged_port_start</code></li>
@@ -532,66 +332,43 @@ fail validation.
 expense of some compatibility.** It is targeted at operators and developers of security-critical
 applications, as well as lower-trust users. The following listed controls should be
 enforced/disallowed:
-
-In this table, wildcards (`*`) indicate all elements in a list. For example, 
-`spec.containers[*].securityContext` refers to the Security Context object for _all defined
-containers_. If any of the listed containers fails to meet the requirements, the entire pod will
-fail validation.
 -->
 **_Restricted_ 策略旨在实施当前保护 Pod 的最佳实践，尽管这样作可能会牺牲一些兼容性。**
 该类策略主要针对运维人员和安全性很重要的应用的开发人员，以及不太被信任的用户。
 下面列举的控制需要被实施（禁止）：
 
 {{< note >}}
+<!--
+In this table, wildcards (`*`) indicate all elements in a list. For example, 
+`spec.containers[*].securityContext` refers to the Security Context object for _all defined
+containers_. If any of the listed containers fails to meet the requirements, the entire pod will
+fail validation.
+-->
 在下述表格中，通配符（`*`）意味着一个列表中的所有元素。
-例如 `spec.containers[*].securityContext` 表示 _所定义的所有容器_ 的安全性上下文对象。
+例如 `spec.containers[*].securityContext` 表示 **所定义的所有容器** 的安全性上下文对象。
 如果所列出的任一容器不能满足要求，整个 Pod 将无法通过校验。
 {{< /note >}}
 
 <table>
-	<!-- caption style="display:none">Restricted policy specification</caption -->
-	<caption style="display:none">Restricted 策略规范</caption>
+	<caption style="display:none"><!--Restricted policy specification-->Restricted 策略规范</caption>
 	<tbody>
 		<tr>
-			<!-- td><strong>Control</strong></td -->
-			<td width="30%"><strong>控制（Control）</strong></td>
-			<!-- td><strong>Policy</strong></td -->
-			<td><strong>策略（Policy）</strong></td>
+			<td width="30%"><strong><!--Control-->控制</strong></td>
+			<td><strong><!--Policy-->策略</strong></td>
 		</tr>
 		<tr>
-			<!-- <td colspan="2"><em>Everything from the baseline profile.</em></td> -->
-			<td colspan="2"><em>基线策略的所有要求。</em></td>
+			<td colspan="2"><em><!--Everything from the baseline profile.-->Baseline 策略的所有要求。</em></td>
 		</tr>
 		<tr>
-      <!-- <td style="white-space: nowrap">Volume Types</td>
+      			<td style="white-space: nowrap"><!--Volume Types-->卷类型</td>
 			<td>
-				<p>In addition to restricting HostPath volumes, the restricted policy limits usage of non-core volume types to those defined through PersistentVolumes.</p>
-				<p><strong>Restricted Fields</strong></p>
+				<p><!--In addition to restricting HostPath volumes, the restricted policy limits usage of non-core volume types to those defined through PersistentVolumes.-->除了限制 HostPath 卷之外，此类策略还限制可以通过 PersistentVolumes 定义的非核心卷类型。</p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
 				<ul>
 					<li><code>spec.volumes[*]</code></li>
 				</ul>
-				<p><strong>Allowed Values</strong></p>
-				Every item in the <code>spec.volumes[*]</code> list must set one of the following fields to a non-null value:
-				<ul>
-					<li><code>spec.volumes[*].configMap</code></li>
-					<li><code>spec.volumes[*].csi</code></li>
-					<li><code>spec.volumes[*].downwardAPI</code></li>
-					<li><code>spec.volumes[*].emptyDir</code></li>
-					<li><code>spec.volumes[*].ephemeral</code></li>
-					<li><code>spec.volumes[*].persistentVolumeClaim</code></li>
-					<li><code>spec.volumes[*].projected</code></li>
-					<li><code>spec.volumes[*].secret</code></li>
-				</ul>
-			</td> -->
-			<td>卷类型</td>
-			<td>
-        <p>除了限制 HostPath 卷之外，此类策略还限制可以通过 PersistentVolumes 定义的非核心卷类型。</p>
-				<p><strong>限制的字段</strong></p>
-				<ul>
-					<li><code>spec.volumes[*]</code></li>
-				</ul>
-				<p><strong>允许的值</strong></p>
-				<code>spec.volumes[*]</code> 列表中的每个条目必须将下面字段之一设置为非空值：
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
+				<!--Every item in the <code>spec.volumes[*]</code> list must set one of the following fields to a non-null value:--><code>spec.volumes[*]</code> 列表中的每个条目必须将下面字段之一设置为非空值：
 				<ul>
 					<li><code>spec.volumes[*].configMap</code></li>
 					<li><code>spec.volumes[*].csi</code></li>
@@ -605,210 +382,107 @@ fail validation.
 			</td>
 		</tr>
 		<tr>
-      <!-- <td style="white-space: nowrap">Privilege Escalation (v1.8+)</td>
+      			<td style="white-space: nowrap"><!--Privilege Escalation (v1.8+)-->特权提升（v1.8+）</td>
 			<td>
-				<p>Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed.</p>
-				<p><strong>Restricted Fields</strong></p>
+				<p><!--Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed.-->禁止（通过 SetUID 或 SetGID 文件模式）获得特权提升。</p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
 				<ul>
 					<li><code>spec.containers[*].securityContext.allowPrivilegeEscalation</code></li>
 					<li><code>spec.initContainers[*].securityContext.allowPrivilegeEscalation</code></li>
 					<li><code>spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation</code></li>
 				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li><code>false</code></li>
-				</ul>
-			</td> -->
-			<td style="white-space: nowrap">特权提升（v1.8+）</td>
-			<td>
-        <p>禁止（通过 SetUID 或 SetGID 文件模式）获得特权提升。</p>
-				<br>
-				<p><strong>限制的字段</strong></p>
-				<ul>
-					<li><code>spec.containers[*].securityContext.allowPrivilegeEscalation</code></li>
-					<li><code>spec.initContainers[*].securityContext.allowPrivilegeEscalation</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation</code></li>
-				</ul>
-				<p><strong>允许的值</strong></p>
+				<p><strong><!--Allowed Values-->允许的取值</strong></p>
 				<ul>
 					<li><code>false</code></li>
 				</ul>
 			</td>
 		</tr>
 		<tr>
-      <!-- <td style="white-space: nowrap">Running as Non-root</td> -->
-			<td style="white-space: nowrap">以非 root 账号运行 </td>
-      <!-- <td>
-				<p>Containers must be required to run as non-root users.</p>
-				<p><strong>Restricted Fields</strong></p>
+      			<td style="white-space: nowrap"><!--Running as Non-root-->以非 root 账号运行</td>
+      			<td>
+				<p><!--Containers must be required to run as non-root users.-->容器必须以非 root 账号运行。</p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
 				<ul>
 					<li><code>spec.securityContext.runAsNonRoot</code></li>
 					<li><code>spec.containers[*].securityContext.runAsNonRoot</code></li>
 					<li><code>spec.initContainers[*].securityContext.runAsNonRoot</code></li>
 					<li><code>spec.ephemeralContainers[*].securityContext.runAsNonRoot</code></li>
 				</ul>
-				<p><strong>Allowed Values</strong></p>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
 				<ul>
 					<li><code>true</code></li>
 				</ul>
 				<small>
-					The container fields may be undefined/<code>nil</code> if the pod-level
-					<code>spec.securityContext.runAsNonRoot</code> is set to <code>true</code>.
-				</small>
-			</td> -->
-			<td>
-        <p>必须要求容器以非 root 用户运行。</p>
-				<p><strong>限制的字段</strong></p>
-				<ul>
-					<li><code>spec.securityContext.runAsNonRoot</code></li>
-					<li><code>spec.containers[*].securityContext.runAsNonRoot</code></li>
-					<li><code>spec.initContainers[*].securityContext.runAsNonRoot</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.runAsNonRoot</code></li>
-				</ul>
-				<p><strong>允许的值</strong></p>
-				<ul>
-					<li><code>true</code></li>
-				</ul>
-				<small>
-					如果 Pod 级别 <code>spec.securityContext.runAsNonRoot</code> 设置为 
-          <code>true</code>，则允许容器组的安全上下文字段设置为 未定义/<code>nil</code>。
+					<!--The container fields may be undefined/<code>nil</code> if the pod-level
+					<code>spec.securityContext.runAsNonRoot</code> is set to <code>true</code>.-->如果 Pod 级别 <code>spec.securityContext.runAsNonRoot</code> 设置为 <code>true</code>，则允许容器组的安全上下文字段设置为 未定义/<code>nil</code>。
 				</small>
 			</td>
 		</tr>
 		<tr>
-			<!-- <td style="white-space: nowrap">Running as Non-root user (v1.23+)</td> -->
-			<td style="white-space: nowrap">非 root 用户（v1.23+）</td>
+			<td style="white-space: nowrap"><!--Running as Non-root user (v1.23+)-->非 root 用户（v1.23+）</td>
 			<td>
-				<!--
-				<p>Containers must not set <tt>runAsUser</tt> to 0</p>
-				<p><strong>Restricted Fields</strong></p>
+				<p><!--Containers must not set <tt>runAsUser</tt> to 0-->容器不可以将 <tt>runAsUser</tt> 设置为 0</p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
 				<ul>
 					<li><code>spec.securityContext.runAsUser</code></li>
 					<li><code>spec.containers[*].securityContext.runAsUser</code></li>
 					<li><code>spec.initContainers[*].securityContext.runAsUser</code></li>
 					<li><code>spec.ephemeralContainers[*].securityContext.runAsUser</code></li>
 				</ul>
-				<p><strong>Allowed Values</strong></p>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
 				<ul>
-					<li>any non-zero value</li>
+					<li><!--any non-zero value-->所有的非零值</li>
 					<li><code>undefined/null</code></li>
 				</ul>
-			</td> -->
-				<p>Containers 不可以将 <tt>runAsUser</tt> 设置为 0</p>
-				<p><strong>限制的字段</strong></p>
-				<ul>
-					<li><code>spec.securityContext.runAsUser</code></li>
-					<li><code>spec.containers[*].securityContext.runAsUser</code></li>
-					<li><code>spec.initContainers[*].securityContext.runAsUser</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.runAsUser</code></li>
-				</ul>
-				<p><strong>允许的字段</strong></p>
-				<ul>
-					<li>any non-zero value</li>
-					<li><code>未定义/空值</code></li>
-				</ul>
 			</td>
 		</tr>
 		<tr>
 			<td style="white-space: nowrap">Seccomp (v1.19+)</td>
 			<td>
-				<!-- <td>
-  				<p>Seccomp profile must be explicitly set to one of the allowed values. Both the <code>Unconfined</code> profile and the <em>absence</em> of a profile are prohibited.</p>
-  				<p><strong>Restricted Fields</strong></p>
+  				<p><!--Seccomp profile must be explicitly set to one of the allowed values. Both the <code>Unconfined</code> profile and the <em>absence</em> of a profile are prohibited.-->Seccomp Profile 必须被显式设置成一个允许的值。禁止使用 <code>Unconfined</code> Profile 或者指定 <em>不存在的</em> Profile。</p>
+  				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
 				<ul>
 					<li><code>spec.securityContext.seccompProfile.type</code></li>
 					<li><code>spec.containers[*].securityContext.seccompProfile.type</code></li>
 					<li><code>spec.initContainers[*].securityContext.seccompProfile.type</code></li>
 					<li><code>spec.ephemeralContainers[*].securityContext.seccompProfile.type</code></li>
 				</ul>
-				<p><strong>Allowed Values</strong></p>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
 				<ul>
 					<li><code>RuntimeDefault</code></li>
 					<li><code>Localhost</code></li>
 				</ul>
 				<small>
-					The container fields may be undefined/<code>nil</code> if the pod-level
-					<code>spec.securityContext.seccompProfile.type</code> field is set appropriately.
-					Conversely, the pod-level field may be undefined/<code>nil</code> if _all_ container-
-					level fields are set.
+					<!--The container fields may be undefined/<code>nil</code> if the pod-level <code>spec.securityContext.seccompProfile.type</code> field is set appropriately.  Conversely, the pod-level field may be undefined/<code>nil</code> if _all_ container- level fields are set.-->如果 Pod 级别的 <code>spec.securityContext.seccompProfile.type</code> 已设置得当，容器级别的安全上下文字段可以为 未定义/<code>nil</code>。反而言之，如果 <bold>所有的</bold> 容器级别的安全上下文字段已设置，则 Pod 级别的字段可为 未定义/<code>nil</code>。
 				</small>
-  			</td> -->
-        <p>Seccomp Profile 必须被显式设置成一个允许的值。禁止使用 <code>Unconfined</code> 
-        Profile 或者指定 <em>不存在的</em> Profile。</p>
-				<p><strong>限制的字段</strong></p>
-				<ul>
-					<li><code>spec.securityContext.seccompProfile.type</code></li>
-					<li><code>spec.containers[*].securityContext.seccompProfile.type</code></li>
-					<li><code>spec.initContainers[*].securityContext.seccompProfile.type</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.seccompProfile.type</code></li>
-				</ul>
-				<p><strong>允许的值</strong></p>
-				<ul>
-					<li><code>RuntimeDefault</code></li>
-					<li><code>Localhost</code></li>
-				</ul>
-				<small>
-					如果 Pod 级别的 <code>spec.securityContext.seccompProfile.type</code> 
-          已设置得当，容器级别的安全上下文字段可以为 未定义/<code>nil</code>。
-          反过来说，如果 _所有的_ 容器级别的安全上下文字段已设置，则 Pod 级别的字段可为 未定义/<code>nil</code>。 
-				</small>
-			</td>
+  			</td>
 		</tr>
-    <tr>
-			<!-- <td style="white-space: nowrap">Capabilities (v1.22+)</td> -->
-      <td style="white-space: nowrap">权能（v1.22+）</td>
-      <!-- <td>
+    		<tr>
+			<td style="white-space: nowrap"><!--Capabilities (v1.22+) -->权能（v1.22+）</td>
+      			<td>
 				<p>
-					Containers must drop <code>ALL</code> capabilities, and are only permitted to add back
-					the <code>NET_BIND_SERVICE</code> capability.
+					<!--Containers must drop <code>ALL</code> capabilities, and are only permitted to add back the <code>NET_BIND_SERVICE</code> capability.-->容器必须弃用 <code>ALL</code> 权能，并且只允许添加 <code>NET_BIND_SERVICE</code> 权能。
 				</p>
-				<p><strong>Restricted Fields</strong></p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
 				<ul>
 					<li><code>spec.containers[*].securityContext.capabilities.drop</code></li>
 					<li><code>spec.initContainers[*].securityContext.capabilities.drop</code></li>
 					<li><code>spec.ephemeralContainers[*].securityContext.capabilities.drop</code></li>
 				</ul>
-				<p><strong>Allowed Values</strong></p>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
 				<ul>
-					<li>Any list of capabilities that includes <code>ALL</code></li>
+					<li><!--Any list of capabilities that includes <code>ALL</code>-->包括 <code>ALL</code> 在内的任意权能列表。</li>
 				</ul>
 				<hr />
-				<p><strong>Restricted Fields</strong></p>
+				<p><strong><!--Restricted Fields-->限制的字段</strong></p>
 				<ul>
 					<li><code>spec.containers[*].securityContext.capabilities.add</code></li>
 					<li><code>spec.initContainers[*].securityContext.capabilities.add</code></li>
 					<li><code>spec.ephemeralContainers[*].securityContext.capabilities.add</code></li>
 				</ul>
-				<p><strong>Allowed Values</strong></p>
+				<p><strong><!--Allowed Values-->准许的取值</strong></p>
 				<ul>
-					<li>Undefined/nil</li>
-					<li><code>NET_BIND_SERVICE</code></li>
-				</ul>
-			</td> -->
-			<td>
-        <p>
-					容器组必须弃用 <code>ALL</code> 权能，并且只允许添加 <code>NET_BIND_SERVICE</code> 权能。
-				</p>
-        <p><strong>限制的字段</strong></p>
-				<ul>
-					<li><code>spec.containers[*].securityContext.capabilities.drop</code></li>
-					<li><code>spec.initContainers[*].securityContext.capabilities.drop</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.capabilities.drop</code></li>
-				</ul>
-				<p><strong>允许的值</strong></p>
-				<ul>
-					<li>包含 <code>ALL</code> 的任何一种权能列表。</li>
-				</ul>
-				<hr />
-				<p><strong>限制的字段</strong></p>
-				<ul>
-					<li><code>spec.containers[*].securityContext.capabilities.add</code></li>
-					<li><code>spec.initContainers[*].securityContext.capabilities.add</code></li>
-					<li><code>spec.ephemeralContainers[*].securityContext.capabilities.add</code></li>
-				</ul>
-				<p><strong>允许的值</strong></p>
-				<ul>
-					<li>未定义/nil</li>
+					<li><!--Undefined/nil-->未定义、nil</li>
 					<li><code>NET_BIND_SERVICE</code></li>
 				</ul>
 			</td>
@@ -833,12 +507,18 @@ of individual policies are not defined here.
 
 随着相关机制的成熟，这些机制会按策略分别定义在下面。特定策略的实施方法不在这里定义。
 
+<!--
+[**Pod Security Admission Controller**](/docs/concepts/security/pod-security-admission/)
+-->
 [**Pod 安全性准入控制器**](/zh-cn/docs/concepts/security/pod-security-admission/)
 
 - {{< example file="security/podsecurity-privileged.yaml" >}}Privileged 名字空间{{< /example >}}
 - {{< example file="security/podsecurity-baseline.yaml" >}}Baseline 名字空间{{< /example >}}
 - {{< example file="security/podsecurity-restricted.yaml" >}}Restricted 名字空间{{< /example >}}
 
+<!--
+[**PodSecurityPolicy**](/docs/concepts/security/pod-security-policy/) (Deprecated)
+-->
 [**PodSecurityPolicy**](/zh-cn/docs/concepts/security/pod-security-policy/) （已弃用）
 
 - {{< example file="policy/privileged-psp.yaml" >}}Privileged{{< /example >}}
@@ -953,7 +633,7 @@ There is not currently an API standard that controls whether a Pod is considered
 not. Sandbox Pods may be identified by the use of a sandboxed runtime (such as gVisor or Kata
 Containers), but there is no standard definition of what a sandboxed runtime is.
 -->
-### 沙箱（Sandboxed） Pod 怎么处理？
+### 沙箱（Sandboxed）Pod 怎么处理？  {#what-about-sandboxed-pods}
 
 现在还没有 API 标准来控制 Pod 是否被视作沙箱化 Pod。
 沙箱 Pod 可以通过其是否使用沙箱化运行时（如 gVisor 或 Kata Container）来辨别，

控制（Control）	策略（Policy）	控制	策略
基线策略的所有要求。		Baseline 策略的所有要求。
- In addition to restricting HostPath volumes, the restricted policy limits usage of non-core volume types to those defined through PersistentVolumes. - Restricted Fields + 除了限制 HostPath 卷之外，此类策略还限制可以通过 PersistentVolumes 定义的非核心卷类型。 + 限制的字段 `spec.volumes[]` - Allowed Values* - Every item in the `spec.volumes[]` list must set one of the following fields to a non-null value: - - `spec.volumes[].configMap` - `spec.volumes[].csi` - `spec.volumes[].downwardAPI` - `spec.volumes[].emptyDir` - `spec.volumes[].ephemeral` - `spec.volumes[].persistentVolumeClaim` - `spec.volumes[].projected` - `spec.volumes[*].secret` - -	卷类型	- 除了限制 HostPath 卷之外，此类策略还限制可以通过 PersistentVolumes 定义的非核心卷类型。 - 限制的字段 - - `spec.volumes[]` - - 允许的值* - `spec.volumes[]` 列表中的每个条目必须将下面字段之一设置为非空值： + 准许的取值* + `spec.volumes[]` 列表中的每个条目必须将下面字段之一设置为非空值： `spec.volumes[].configMap` `spec.volumes[*].csi` @@ -605,210 +382,107 @@ fail validation.
- Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed. - Restricted Fields + 禁止（通过 SetUID 或 SetGID 文件模式）获得特权提升。 + 限制的字段 `spec.containers[].securityContext.allowPrivilegeEscalation` `spec.initContainers[].securityContext.allowPrivilegeEscalation` `spec.ephemeralContainers[].securityContext.allowPrivilegeEscalation` - Allowed Values* - - `false` - -	特权提升（v1.8+）	- 禁止（通过 SetUID 或 SetGID 文件模式）获得特权提升。 - - 限制的字段 - - `spec.containers[].securityContext.allowPrivilegeEscalation` - `spec.initContainers[].securityContext.allowPrivilegeEscalation` - `spec.ephemeralContainers[].securityContext.allowPrivilegeEscalation` - - 允许的值* + 允许的取值 `false`
以非 root 账号运行	+ 容器必须以非 root 账号运行。 + 限制的字段 `spec.securityContext.runAsNonRoot` `spec.containers[].securityContext.runAsNonRoot` `spec.initContainers[].securityContext.runAsNonRoot` `spec.ephemeralContainers[].securityContext.runAsNonRoot` - Allowed Values* + 准许的取值 `true` - The container fields may be undefined/`nil` if the pod-level - `spec.securityContext.runAsNonRoot` is set to `true`. - -	- 必须要求容器以非 root 用户运行。 - 限制的字段 - - `spec.securityContext.runAsNonRoot` - `spec.containers[].securityContext.runAsNonRoot` - `spec.initContainers[].securityContext.runAsNonRoot` - `spec.ephemeralContainers[].securityContext.runAsNonRoot` - - 允许的值* - - `true` - - - 如果 Pod 级别 `spec.securityContext.runAsNonRoot` 设置为 - `true`，则允许容器组的安全上下文字段设置为未定义/`nil`。 + 如果 Pod 级别 `spec.securityContext.runAsNonRoot` 设置为 `true`，则允许容器组的安全上下文字段设置为未定义/`nil`。
非 root 用户（v1.23+）	非 root 用户（v1.23+）	- 容器不可以将 `runAsUser` 设置为 0 + 限制的字段 `spec.securityContext.runAsUser` `spec.containers[].securityContext.runAsUser` `spec.initContainers[].securityContext.runAsUser` `spec.ephemeralContainers[].securityContext.runAsUser` - Allowed Values* + 准许的取值 - any non-zero value + 所有的非零值 `undefined/null` -
Seccomp (v1.19+)	- Seccomp Profile 必须被显式设置成一个允许的值。禁止使用 `Unconfined` Profile 或者指定不存在的 Profile。 + 限制的字段 `spec.securityContext.seccompProfile.type` `spec.containers[].securityContext.seccompProfile.type` `spec.initContainers[].securityContext.seccompProfile.type` `spec.ephemeralContainers[].securityContext.seccompProfile.type` - Allowed Values* + 准许的取值 `RuntimeDefault` `Localhost` - The container fields may be undefined/`nil` if the pod-level - `spec.securityContext.seccompProfile.type` field is set appropriately. - Conversely, the pod-level field may be undefined/`nil` if _all_ container- - level fields are set. + 如果 Pod 级别的 `spec.securityContext.seccompProfile.type` 已设置得当，容器级别的安全上下文字段可以为未定义/`nil`。反而言之，如果所有的容器级别的安全上下文字段已设置，则 Pod 级别的字段可为未定义/`nil`。 -
权能（v1.22+）	- Containers must drop `ALL` capabilities, and are only permitted to add back - the `NET_BIND_SERVICE` capability. + 容器必须弃用 `ALL` 权能，并且只允许添加 `NET_BIND_SERVICE` 权能。 - Restricted Fields + 限制的字段 `spec.containers[].securityContext.capabilities.drop` `spec.initContainers[].securityContext.capabilities.drop` `spec.ephemeralContainers[].securityContext.capabilities.drop` - Allowed Values* + 准许的取值 - Any list of capabilities that includes `ALL` + 包括 `ALL` 在内的任意权能列表。 - Restricted Fields + 限制的字段 `spec.containers[].securityContext.capabilities.add` `spec.initContainers[].securityContext.capabilities.add` `spec.ephemeralContainers[].securityContext.capabilities.add` - Allowed Values* + 准许的取值 - Undefined/nil - `NET_BIND_SERVICE` - -	- - 容器组必须弃用 `ALL` 权能，并且只允许添加 `NET_BIND_SERVICE` 权能。 - - 限制的字段 - - `spec.containers[].securityContext.capabilities.drop` - `spec.initContainers[].securityContext.capabilities.drop` - `spec.ephemeralContainers[].securityContext.capabilities.drop` - - 允许的值* - - 包含 `ALL` 的任何一种权能列表。 - - - 限制的字段 - - `spec.containers[].securityContext.capabilities.add` - `spec.initContainers[].securityContext.capabilities.add` - `spec.ephemeralContainers[].securityContext.capabilities.add` - - 允许的值* - - 未定义/nil + 未定义、nil `NET_BIND_SERVICE`