kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

[zh] Sync /tutorials/security/seccomp.md

pull/39119/head
windsonsea 2023-01-27 11:32:22 +08:00
parent c2c438de4a
commit b437a83cf0
1 changed files with 66 additions and 65 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

131
content/zh-cn/docs/tutorials/security/seccomp.md
View File

@ -1,7 +1,7 @@
--- ---
title: 使用 seccomp 限制容器的系统调用 title: 使用 seccomp 限制容器的系统调用
content_type: tutorial content_type: tutorial
weight: 20 weight: 40
min-kubernetes-server-version: v1.22 min-kubernetes-server-version: v1.22
--- ---
<!-- <!--
@ -11,7 +11,7 @@ reviewers:
- saschagrunert - saschagrunert
title: Restrict a Container's Syscalls with seccomp title: Restrict a Container's Syscalls with seccomp
content_type: tutorial content_type: tutorial
weight: 20 weight: 40
min-kubernetes-server-version: v1.22 min-kubernetes-server-version: v1.22
--> -->
@ -424,6 +424,70 @@ docker exec -it kind-worker bash -c \
} }
``` ```
<!--
## Create Pod that uses the container runtime default seccomp profile
Most container runtimes provide a sane set of default syscalls that are allowed
or not. You can adopt these defaults for your workload by setting the seccomp
type in the security context of a pod or container to `RuntimeDefault`.
-->
## 创建使用容器运行时默认 seccomp 配置文件的 Pod {#create-pod-that-uses-the-container-runtime-default-seccomp-profile}
大多数容器运行时都提供了一组合理的、默认被允许或默认被禁止的系统调用。
你可以通过将 Pod 或容器的安全上下文中的 seccomp 类型设置为 `RuntimeDefault`
来为你的工作负载采用这些默认值。
{{< note >}}
<!--
If you have the `SeccompDefault` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
enabled, then Pods use the `RuntimeDefault` seccomp profile whenever
no other seccomp profile is specified. Otherwise, the default is `Unconfined`.
-->
如果你已经启用了 `SeccompDefault` [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)
只要没有指定其他 seccomp 配置文件,那么 Pod 就会使用 `RuntimeDefault` seccomp 配置文件。
否则,默认值为 `Unconfined`
{{< /note >}}
<!--
Here's a manifest for a Pod that requests the `RuntimeDefault` seccomp profile
for all its containers:
-->
这是一个 Pod 的清单,它要求其所有容器使用 `RuntimeDefault` seccomp 配置文件:
{{< codenew file="pods/security/seccomp/ga/default-pod.yaml" >}}
<!--
Create that Pod:
-->
创建此 Pod
```shell
kubectl apply -f https://k8s.io/examples/pods/security/seccomp/ga/default-pod.yaml
```
```shell
kubectl get pod default-pod
```
<!--
The Pod should be showing as having started successfully:
-->
此 Pod 应该显示为已成功启动:
```
NAME READY STATUS RESTARTS AGE
default-pod 1/1 Running 0 20s
```
<!--
Finally, now that you saw that work OK, clean up:
-->
最后,你看到一切正常之后,请清理:
```shell
kubectl delete pod default-pod --wait --now
```
<!-- <!--
## Create a Pod with a seccomp profile for syscall auditing ## Create a Pod with a seccomp profile for syscall auditing
@ -772,69 +836,6 @@ kubectl delete service fine-pod --wait
kubectl delete pod fine-pod --wait --now kubectl delete pod fine-pod --wait --now
``` ```
<!--
## Create Pod that uses the container runtime default seccomp profile
Most container runtimes provide a sane set of default syscalls that are allowed
or not. You can adopt these defaults for your workload by setting the seccomp
type in the security context of a pod or container to `RuntimeDefault`.
-->
## 创建使用容器运行时默认 seccomp 配置文件的 Pod {#create-pod-that-uses-the-container-runtime-default-seccomp-profile}
大多数容器运行时都提供了一组合理的默认系统调用,以及是否允许执行这些系统调用。
你可以通过将 Pod 或容器的安全上下文中的 seccomp 类型设置为 `RuntimeDefault`
来为你的工作负载采用这些默认值。
{{< note >}}
<!--
If you have the `SeccompDefault` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) enabled, then Pods use the `RuntimeDefault` seccomp profile whenever
no other seccomp profile is specified. Otherwise, the default is `Unconfined`.
-->
如果你已经启用了 `SeccompDefault` [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)
只要没有指定其他 seccomp 配置文件,那么 Pod 就会使用 `SeccompDefault` 的 seccomp 配置文件。
否则,默认值为 `Unconfined`
{{< /note >}}
<!--
Here's a manifest for a Pod that requests the `RuntimeDefault` seccomp profile
for all its containers:
-->
这是一个 Pod 的清单,它要求其所有容器使用 `RuntimeDefault` seccomp 配置文件:
{{< codenew file="pods/security/seccomp/ga/default-pod.yaml" >}}
<!--
Create that Pod:
-->
创建此 Pod
```shell
kubectl apply -f https://k8s.io/examples/pods/security/seccomp/ga/default-pod.yaml
```
```shell
kubectl get pod default-pod
```
<!--
The Pod should be showing as having started successfully:
-->
此 Pod 应该显示为成功启动:
```
NAME READY STATUS RESTARTS AGE
default-pod 1/1 Running 0 20s
```
<!--
Finally, now that you saw that work OK, clean up:
-->
最后,你看到一切正常之后,请清理:
```shell
kubectl delete pod default-pod --wait --now
```
## {{% heading "whatsnext" %}} ## {{% heading "whatsnext" %}}
<!-- <!--