kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #41018 from windsonsea/encryv1 

[zh] sync apiserver-encryption.v1.md
pull/41059/head
Kubernetes Prow Robot 2023-05-10 05:58:59 -07:00 committed by GitHub
parent 52df2b3061 dbb9796685
commit a5cbdf0808
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 173 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

212
content/zh-cn/docs/reference/config-api/apiserver-encryption.v1.md
View File

@ -12,8 +12,12 @@ package: apiserver.config.k8s.io/v1
auto_generated: true
-->
<p><!--Package v1 is the v1 version of the API.-->
包 v1 是 API 的 v1 版本。</p>
<p>
<!--
Package v1 is the v1 version of the API.
-->
包 v1 是 API 的 v1 版本。
</p>
<!--
## Resource Types
@ -24,9 +28,59 @@ auto_generated: true
## `EncryptionConfiguration` {#apiserver-config-k8s-io-v1-EncryptionConfiguration}
<p><!--EncryptionConfiguration stores the complete configuration for encryption providers.-->
<!--
EncryptionConfiguration stores the complete configuration for encryption providers.
It also allows the use of wildcards to specify the resources that should be encrypted.
Use <code>&ast;.&lt;group&gt;</code> to encrypt all resources within a group or <code>&ast;.&ast;</code> to encrypt all resources.
<code>&ast;.</code> can be used to encrypt all resource in the core group. <code>&ast;.&ast;</code> will encrypt all
resources, even custom resources that are added after API server start.
Use of wildcards that overlap within the same resource list or across multiple
entries are not allowed since part of the configuration would be ineffective.
Resource lists are processed in order, with earlier lists taking precedence.
-->
<p>
EncryptionConfiguration 为加密驱动保存完整的配置信息。
它还允许使用通配符指定应加密的资源。
使用 <code>&ast;.&lt;group&gt;</code> 加密组内的所有资源,或使用 <code>&ast;.&ast;</code> 加密所有资源。
<code>&ast;.</code> 可用于加密核心组内的所有资源。
<code>&ast;.&ast;</code> 将加密所有资源,甚至是 API 服务器启动后添加的自定义资源。
不允许在同一资源列表内或跨多个条目中使用重叠的通配符,因为部分配置将无效。
按顺序处理资源列表,列在前面的被优先处理。
</p>
<!--
Example:
-->
<p>例如:</p>
<pre><code>kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1
resources:
- resources:
- events
providers:
- identity: {} # do not encrypt events even though *.* is specified below
- resources:
- secrets
- configmaps
- pandas.awesome.bears.example
providers:
- aescbc:
keys:
- name: key1
secret: c2VjcmV0IGlzIHNlY3VyZQ==
- resources:
- '*.apps'
providers:
- aescbc:
keys:
- name: key2
secret: c2VjcmV0IGlzIHNlY3VyZSwgb3IgaXMgaXQ/Cg==
- resources:
- '*.*'
providers:
- aescbc:
keys:
- name: key3
secret: c2VjcmV0IGlzIHNlY3VyZSwgSSB0aGluaw==</code></pre>
<table class="table">
<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
@ -38,7 +92,10 @@ EncryptionConfiguration 为加密驱动保存完整的配置信息。
<a href="#apiserver-config-k8s-io-v1-ResourceConfiguration"><code>[]ResourceConfiguration</code></a>
</td>
<td>
<p><!--resources is a list containing resources, and their corresponding encryption providers.-->
<p>
<!--
resources is a list containing resources, and their corresponding encryption providers.
-->
<code>resources</code> 是一个包含资源及其对应的加密驱动的列表。
</p>
</td>
@ -55,7 +112,10 @@ EncryptionConfiguration 为加密驱动保存完整的配置信息。
- [ProviderConfiguration](#apiserver-config-k8s-io-v1-ProviderConfiguration)
<p><!--AESConfiguration contains the API configuration for an AES transformer.-->
<p>
<!--
AESConfiguration contains the API configuration for an AES transformer.
-->
AESConfiguration 包含 AES 转换器的 API 配置信息。
</p>
@ -67,10 +127,13 @@ AESConfiguration 包含 AES 转换器的 API 配置信息。
<a href="#apiserver-config-k8s-io-v1-Key"><code>[]Key</code></a>
</td>
<td>
<p><!--keys is a list of keys to be used for creating the AES transformer.
Each key has to be 32 bytes long for AES-CBC and 16, 24 or 32 bytes for AES-GCM.-->
<code>keys</code> 是一组用于创建 AES 转换器的秘钥。
对于 AES-CBC每个秘钥必须是 32 字节长;对于 AES-GCM每个秘钥可以是 16、24、32 字节长。
<p>
<!--
keys is a list of keys to be used for creating the AES transformer.
Each key has to be 32 bytes long for AES-CBC and 16, 24 or 32 bytes for AES-GCM.
-->
<code>keys</code> 是一组用于创建 AES 转换器的密钥。
对于 AES-CBC每个密钥必须是 32 字节长;对于 AES-GCM每个密钥可以是 16、24、32 字节长。
</p>
</td>
</tr>
@ -86,7 +149,10 @@ Each key has to be 32 bytes long for AES-CBC and 16, 24 or 32 bytes for AES-GCM.
- [ProviderConfiguration](#apiserver-config-k8s-io-v1-ProviderConfiguration)
<p><!--IdentityConfiguration is an empty struct to allow identity transformer in provider configuration.-->
<p>
<!--
IdentityConfiguration is an empty struct to allow identity transformer in provider configuration.
-->
IdentityConfiguration 是一个空的结构,用来支持在驱动配置中支持标识转换器。
</p>
@ -99,7 +165,10 @@ IdentityConfiguration 是一个空的结构,用来支持在驱动配置中支
- [ProviderConfiguration](#apiserver-config-k8s-io-v1-ProviderConfiguration)
<p><!--KMSConfiguration contains the name, cache size and path to configuration file for a KMS based envelope transformer.-->
<p>
<!--
KMSConfiguration contains the name, cache size and path to configuration file for a KMS based envelope transformer.
-->
KMSConfiguration 包含基于 KMS 的封套转换器的名称、缓存大小以及配置文件路径信息。
</p>
@ -107,13 +176,14 @@ KMSConfiguration 包含基于 KMS 的封套转换器的名称、缓存大小以
<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
<tbody>
<tr><td><code>apiVersion</code><br/>
<code>string</code>
</td>
<td>
<p>
<!--apiVersion of KeyManagementService-->
<!--
apiVersion of KeyManagementService
-->
KeyManagementService 的 apiVersion
</p>
</td>
@ -122,7 +192,10 @@ KMSConfiguration 包含基于 KMS 的封套转换器的名称、缓存大小以
<code>string</code>
</td>
<td>
<p><!--name is the name of the KMS plugin to be used.-->
<p>
<!--
name is the name of the KMS plugin to be used.
-->
<code>name</code> 是要使用的 KMS 插件名称。
</p>
</td>
@ -131,8 +204,13 @@ KMSConfiguration 包含基于 KMS 的封套转换器的名称、缓存大小以
<code>int32</code>
</td>
<td>
<p><!--cachesize is the maximum number of secrets which are cached in memory. The default value is 1000. Set to a negative value to disable caching.-->
<code>cachesize</code> 是可在内存中缓存的 Secret 数量上限。默认值是 1000。将此字段设置为负值会禁用缓存。
<p>
<!--
cachesize is the maximum number of secrets which are cached in memory. The default value is 1000.
Set to a negative value to disable caching. This field is only allowed for KMS v1 providers.
-->
<code>cachesize</code> 是可在内存中缓存的 Secret 数量上限。默认值是 1000。
将此字段设置为负值会禁用缓存。此字段仅允许用于 KMS v1 驱动。
</p>
</td>
</tr>
@ -140,7 +218,10 @@ KMSConfiguration 包含基于 KMS 的封套转换器的名称、缓存大小以
<code>string</code>
</td>
<td>
<p><!--endpoint is the gRPC server listening address, for example &quot;unix:///var/run/kms-provider.sock&quot;.-->
<p>
<!--
endpoint is the gRPC server listening address, for example &quot;unix:///var/run/kms-provider.sock&quot;.
-->
<code>endpoint</code> 是 gRPC 服务器的监听地址,例如 &quot;unix:///var/run/kms-provider.sock&quot;
</p>
</td>
@ -149,7 +230,10 @@ KMSConfiguration 包含基于 KMS 的封套转换器的名称、缓存大小以
<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
</td>
<td>
<p><!--timeout for gRPC calls to kms-plugin (ex. 5s). The default is 3 seconds.-->
<p>
<!--
timeout for gRPC calls to kms-plugin (ex. 5s). The default is 3 seconds.
-->
对 KMS 插件执行 gRPC 调用的超时时长(例如,'5s')。默认值为 3 秒。
</p>
</td>
@ -167,7 +251,10 @@ KMSConfiguration 包含基于 KMS 的封套转换器的名称、缓存大小以
- [AESConfiguration](#apiserver-config-k8s-io-v1-AESConfiguration)
- [SecretboxConfiguration](#apiserver-config-k8s-io-v1-SecretboxConfiguration)
<p><!--Key contains name and secret of the provided key for a transformer.-->
<p>
<!--
Key contains name and secret of the provided key for a transformer.
-->
Key 中包含为某转换器所提供的键名和对应的私密数据。
</p>
@ -179,7 +266,10 @@ Key 中包含为某转换器所提供的键名和对应的私密数据。
<code>string</code>
</td>
<td>
<p><!--name is the name of the key to be used while storing data to disk.-->
<p>
<!--
name is the name of the key to be used while storing data to disk.
-->
<code>name</code> 是在向磁盘中存储数据时使用的键名。
</p>
</td>
@ -188,8 +278,11 @@ Key 中包含为某转换器所提供的键名和对应的私密数据。
<code>string</code>
</td>
<td>
<p><!--secret is the actual key, encoded in base64.-->
<code>secret</code> 是实际的秘钥,用 base64 编码。
<p>
<!--
secret is the actual key, encoded in base64.
-->
<code>secret</code> 是实际的密钥,用 base64 编码。
</p>
</td>
</tr>
@ -205,7 +298,10 @@ Key 中包含为某转换器所提供的键名和对应的私密数据。
- [ResourceConfiguration](#apiserver-config-k8s-io-v1-ResourceConfiguration)
<p><!--ProviderConfiguration stores the provided configuration for an encryption provider.-->
<p>
<!--
ProviderConfiguration stores the provided configuration for an encryption provider.
-->
ProviderConfiguration 为加密驱动存储配置信息。
</p>
@ -217,7 +313,10 @@ ProviderConfiguration 为加密驱动存储配置信息。
<a href="#apiserver-config-k8s-io-v1-AESConfiguration"><code>AESConfiguration</code></a>
</td>
<td>
<p><!--aesgcm is the configuration for the AES-GCM transformer.-->
<p>
<!--
aesgcm is the configuration for the AES-GCM transformer.
-->
<code>aesgcm</code> 是用于 AES-GCM 转换器的配置。
</p>
</td>
@ -226,7 +325,10 @@ ProviderConfiguration 为加密驱动存储配置信息。
<a href="#apiserver-config-k8s-io-v1-AESConfiguration"><code>AESConfiguration</code></a>
</td>
<td>
<p><!--aescbc is the configuration for the AES-CBC transformer.-->
<p>
<!--
aescbc is the configuration for the AES-CBC transformer.
-->
<code>aescbc</code> 是用于 AES-CBC 转换器的配置。
</p>
</td>
@ -235,7 +337,10 @@ ProviderConfiguration 为加密驱动存储配置信息。
<a href="#apiserver-config-k8s-io-v1-SecretboxConfiguration"><code>SecretboxConfiguration</code></a>
</td>
<td>
<p><!--secretbox is the configuration for the Secretbox based transformer.-->
<p>
<!--
secretbox is the configuration for the Secretbox based transformer.
-->
<code>secretbox</code> 是用于基于 Secretbox 的转换器的配置。
</p>
</td>
@ -244,7 +349,10 @@ ProviderConfiguration 为加密驱动存储配置信息。
<a href="#apiserver-config-k8s-io-v1-IdentityConfiguration"><code>IdentityConfiguration</code></a>
</td>
<td>
<p><!--identity is the (empty) configuration for the identity transformer.-->
<p>
<!--
identity is the (empty) configuration for the identity transformer.
-->
<code>identity</code> 是用于标识转换器的配置(空)。
</p>
</td>
@ -253,7 +361,10 @@ ProviderConfiguration 为加密驱动存储配置信息。
<a href="#apiserver-config-k8s-io-v1-KMSConfiguration"><code>KMSConfiguration</code></a>
</td>
<td>
<p><!--kms contains the name, cache size and path to configuration file for a KMS based envelope transformer.-->
<p>
<!--
kms contains the name, cache size and path to configuration file for a KMS based envelope transformer.
-->
<code>kms</code> 中包含用于基于 KMS 的封套转换器的名称、缓存大小以及配置文件路径信息。
</p>
</td>
@ -270,7 +381,10 @@ ProviderConfiguration 为加密驱动存储配置信息。
- [EncryptionConfiguration](#apiserver-config-k8s-io-v1-EncryptionConfiguration)
<p><!--ResourceConfiguration stores per resource configuration.-->
<p>
<!--
ResourceConfiguration stores per resource configuration.
-->
ResourceConfiguration 中保存资源配置。
</p>
@ -282,8 +396,21 @@ ResourceConfiguration 中保存资源配置。
<code>[]string</code>
</td>
<td>
<p><!--resources is a list of kubernetes resources which have to be encrypted.-->
<code>resources</code> 是必需要加密的 Kubernetes 资源的列表。
<p>
<!--
resources is a list of kubernetes resources which have to be encrypted. The resource names are derived from <code>resource</code> or <code>resource.group</code> of the group/version/resource.
eg: <code>pandas.awesome.bears.example</code> is a custom resource with 'group': <code>awesome.bears.example</code>, 'resource': <code>pandas</code>.
Use <code>&ast;.&ast;</code> to encrypt all resources and <code>&ast;.&lt;group&gt;</code>' to encrypt all resources in a specific group.
eg: <code>&ast;.awesome.bears.example</code> will encrypt all resources in the group <code>awesome.bears.example</code>.
eg: <code>&ast;.</code> will encrypt all resources in the core group (such as pods, configmaps, etc).
-->
<code>resources</code> 是必须要加密的 Kubernetes 资源的列表。
资源名称来自于组/版本/资源的 <code>resource</code><code>resource.group</code>
例如:<code>pandas.awesome.bears.example</code> 是一个自定义资源,
具有 'group': <code>awesome.bears.example</code>、'resource': <code>pandas</code>
使用 <code>&ast;.&ast;</code> 加密所有资源,使用 <code>&ast;.&lt;group&gt;</code> 加密特定组中的所有资源。
例如:<code>&ast;.awesome.bears.example</code> 将加密组 <code>awesome.bears.example</code> 中的所有资源。
例如:<code>&ast;.</code> 将加密核心组中的所有资源(如 Pod、ConfigMap 等)。
</p>
</td>
</tr>
@ -291,9 +418,12 @@ ResourceConfiguration 中保存资源配置。
<a href="#apiserver-config-k8s-io-v1-ProviderConfiguration"><code>[]ProviderConfiguration</code></a>
</td>
<td>
<p><!--providers is a list of transformers to be used for reading and writing the resources to disk. eg: aesgcm, aescbc, secretbox, identity.-->
<p>
<!--
providers is a list of transformers to be used for reading and writing the resources to disk. eg: aesgcm, aescbc, secretbox, identity, kms.
-->
<code>providers</code> 是一个转换器列表,用来将资源写入到磁盘或从磁盘上读出。
例如:'aesgcm'、'aescbc'、'secretbox'、'identity'。
例如:'aesgcm'、'aescbc'、'secretbox'、'identity'、'kms'
</p>
</td>
</tr>
@ -309,11 +439,13 @@ ResourceConfiguration 中保存资源配置。
- [ProviderConfiguration](#apiserver-config-k8s-io-v1-ProviderConfiguration)
<p><!--SecretboxConfiguration contains the API configuration for an Secretbox transformer.-->
<p>
<!--
SecretboxConfiguration contains the API configuration for an Secretbox transformer.
-->
SecretboxConfiguration 包含用于某 Secretbox 转换器的 API 配置。
</p>
<table class="table">
<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
<tbody>
@ -322,12 +454,14 @@ SecretboxConfiguration 包含用于某 Secretbox 转换器的 API 配置。
<a href="#apiserver-config-k8s-io-v1-Key"><code>[]Key</code></a>
</td>
<td>
<p><!--keys is a list of keys to be used for creating the Secretbox transformer.
Each key has to be 32 bytes long.-->
<code>keys</code> 是一个秘钥列表,用来创建 Secretbox 转换器。每个秘钥必须是 32 字节长。
<p>
<!--
keys is a list of keys to be used for creating the Secretbox transformer.
Each key has to be 32 bytes long.
-->
<code>keys</code> 是一个密钥列表,用来创建 Secretbox 转换器。每个密钥必须是 32 字节长。
</p>
</td>
</tr>
</tbody>
</table>