commit
5a115ba1af
|
@ -151,7 +151,7 @@ Kubernetes 默认提供访问权限并非是每个集群都需要的。
|
||||||
It is vital to periodically review the Kubernetes RBAC settings for redundant entries and
|
It is vital to periodically review the Kubernetes RBAC settings for redundant entries and
|
||||||
possible privilege escalations.
|
possible privilege escalations.
|
||||||
If an attacker is able to create a user account with the same name as a deleted user,
|
If an attacker is able to create a user account with the same name as a deleted user,
|
||||||
they can automatically inherit all the rights of the deleted user, especially the
|
they can automatically inherit all the rights of the deleted user, specially the
|
||||||
rights assigned to that user.
|
rights assigned to that user.
|
||||||
-->
|
-->
|
||||||
### 定期检查 {#periodic-review}
|
### 定期检查 {#periodic-review}
|
||||||
|
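Review bot: the only difference between the two columns of this hunk is "especially" versus "specially" on the line "they can automatically inherit all the rights of the deleted user, ...". "especially" is the correct English word here, and since this text sits inside the `<!-- -->` English source comment that the zh localization keeps purely as a sync reference, the retained wording should match the upstream English exactly rather than carry a spelling regression. The rendered Chinese heading `### 定期检查 {#periodic-review}` is untouched, which is correct for a comment-only change.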
@ -260,8 +260,8 @@ You should only allow access to create PersistentVolume objects for:
|
||||||
你应该只允许以下实体具有创建 PersistentVolume 对象的访问权限:
|
你应该只允许以下实体具有创建 PersistentVolume 对象的访问权限:
|
||||||
|
|
||||||
<!--
|
<!--
|
||||||
- users (cluster operators) that need this access for their work, and who you trust,
|
- Users (cluster operators) that need this access for their work, and who you trust,
|
||||||
- the Kubernetes control plane components which creates PersistentVolumes based on PersistentVolumeClaims
|
- The Kubernetes control plane components which creates PersistentVolumes based on PersistentVolumeClaims
|
||||||
that are configured for automatic provisioning.
|
that are configured for automatic provisioning.
|
||||||
This is usually setup by the Kubernetes provider or by the operator when installing a CSI driver.
|
This is usually setup by the Kubernetes provider or by the operator when installing a CSI driver.
|
||||||
-->
|
-->
|
||||||
|
|
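Review bot: this hunk only capitalizes the first word of the two list items in the English source comment ("users" to "Users", "the" to "The"); please confirm this matches the current upstream English text, because the comment exists only as the sync reference and should not diverge from it. Two pre-existing grammar nits appear identically in both columns and are better fixed upstream than here: "the Kubernetes control plane components which creates PersistentVolumes" should read "which create", and "This is usually setup by the Kubernetes provider" should read "set up". The Chinese line "你应该只允许以下实体具有创建 PersistentVolume 对象的访问权限:" is unchanged, which is fine since capitalization in the English comment does not affect the translation.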