Merge pull request #41125 from my-git9/audit-annotations2
[zh-cn] sync object-meta audit-annotations service-v1.mdpull/41142/head
Kubernetes Prow Robot
GitHub
commit
b6483ce43f
|
|
@ -33,11 +33,12 @@ ObjectMeta 是所有持久化资源必须具有的元数据,其中包括用户
|
|||
- **name** (string)
|
||||
|
||||
<!--
|
||||
Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names
|
||||
Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
|
||||
-->
|
||||
|
||||
name 在命名空间内必须是唯一的。创建资源时需要,尽管某些资源可能允许客户端请求自动地生成适当的名称。
|
||||
名称主要用于创建幂等性和配置定义。无法更新。更多信息:
|
||||
https://kubernetes.io/zh-cn/docs/concepts/overview/working-with-objects/names/
|
||||
https://kubernetes.io/zh-cn/docs/concepts/overview/working-with-objects/names#names
|
||||
|
||||
- **generateName** (string)
|
||||
|
||||
|
|
@ -64,34 +65,34 @@ ObjectMeta 是所有持久化资源必须具有的元数据,其中包括用户
|
|||
<!--
|
||||
Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the "default" namespace, but "default" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.
|
||||
|
||||
Must be a DNS_LABEL. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/namespaces
|
||||
Must be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces
|
||||
-->
|
||||
|
||||
namespace 定义了一个值空间,其中每个名称必须唯一。空命名空间相当于 “default” 命名空间,但 “default” 是规范表示。
|
||||
并非所有对象都需要限定在命名空间中——这些对象的此字段的值将为空。
|
||||
|
||||
必须是 DNS_LABEL。无法更新。更多信息:
|
||||
https://kubernetes.io/zh-cn/docs/concepts/overview/working-with-objects/namespaces/
|
||||
https://kubernetes.io/zh-cn/docs/concepts/overview/working-with-objects/namespaces
|
||||
|
||||
- **labels** (map[string]string)
|
||||
|
||||
<!--
|
||||
Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels
|
||||
Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
|
||||
-->
|
||||
|
||||
可用于组织和分类(确定范围和选择)对象的字符串键和值的映射。
|
||||
可以匹配 ReplicationController 和 Service 的选择算符。更多信息:
|
||||
https://kubernetes.io/zh-cn/docs/concepts/overview/working-with-objects/labels/
|
||||
https://kubernetes.io/zh-cn/docs/concepts/overview/working-with-objects/labels
|
||||
|
||||
- **annotations** (map[string]string)
|
||||
|
||||
<!--
|
||||
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations
|
||||
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations
|
||||
-->
|
||||
|
||||
annotations 是一个非结构化的键值映射,存储在资源中,可以由外部工具设置以存储和检索任意元数据。
|
||||
它们不可查询,在修改对象时应保留。更多信息:
|
||||
https://kubernetes.io/zh-cn/docs/concepts/overview/working-with-objects/annotations/
|
||||
https://kubernetes.io/zh-cn/docs/concepts/overview/working-with-objects/annotations
|
||||
|
||||
<!-- ### System {#System} -->
|
||||
### 系统字段 {#System}
|
||||
|
|
@ -256,13 +257,15 @@ ObjectMeta 是所有持久化资源必须具有的元数据,其中包括用户
|
|||
|
||||
- **ownerReferences.name** (string),<!-- required -->必选
|
||||
|
||||
<!-- Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names -->
|
||||
<!-- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names-->
|
||||
|
||||
被引用资源的名称。更多信息:
|
||||
https://kubernetes.io/zh-cn/docs/concepts/overview/working-with-objects/names/
|
||||
|
||||
- **ownerReferences.uid** (string),<!-- required -->必选
|
||||
|
||||
<!-- UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids -->
|
||||
<!-- UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids -->
|
||||
|
||||
被引用资源的 uid。更多信息:
|
||||
https://kubernetes.io/zh-cn/docs/concepts/overview/working-with-objects/names#uids
|
||||
|
||||
|
|
@ -384,8 +387,9 @@ ObjectMeta 是所有持久化资源必须具有的元数据,其中包括用户
|
|||
<!--
|
||||
UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.
|
||||
|
||||
Populated by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids
|
||||
Populated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
|
||||
-->
|
||||
|
||||
UID 是该对象在时间和空间上的唯一值。它通常由服务器在成功创建资源时生成,并且不允许使用 PUT 操作更改。
|
||||
|
||||
由系统填充。只读。更多信息:
|
||||
|
|
|
|||
|
|
@ -856,6 +856,15 @@ GET /api/v1/namespaces/{namespace}/services
|
|||
|
||||
<a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
|
||||
|
||||
<!--
|
||||
- **sendInitialEvents** (*in query*): boolean
|
||||
|
||||
<a href="{{< ref "../common-parameters/common-parameters#sendInitialEvents" >}}">sendInitialEvents</a>
|
||||
-->
|
||||
- **sendInitialEvents** (**查询参数**): boolean
|
||||
|
||||
<a href="{{< ref "../common-parameters/common-parameters#sendInitialEvents" >}}">sendInitialEvents</a>
|
||||
|
||||
- **timeoutSeconds**(**查询参数**):integer
|
||||
|
||||
<a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
|
||||
|
|
@ -924,6 +933,15 @@ GET /api/v1/services
|
|||
|
||||
<a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
|
||||
|
||||
<!--
|
||||
- **sendInitialEvents** (*in query*): boolean
|
||||
|
||||
<a href="{{< ref "../common-parameters/common-parameters#sendInitialEvents" >}}">sendInitialEvents</a>
|
||||
-->
|
||||
- **sendInitialEvents** (**查询参数**): boolean
|
||||
|
||||
<a href="{{< ref "../common-parameters/common-parameters#sendInitialEvents" >}}">sendInitialEvents</a>
|
||||
|
||||
- **timeoutSeconds**(**查询参数**):integer
|
||||
|
||||
<a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
|
||||
|
|
@ -1367,6 +1385,15 @@ DELETE /api/v1/namespaces/{namespace}/services
|
|||
|
||||
<a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
|
||||
|
||||
<!--
|
||||
- **sendInitialEvents** (*in query*): boolean
|
||||
|
||||
<a href="{{< ref "../common-parameters/common-parameters#sendInitialEvents" >}}">sendInitialEvents</a>
|
||||
-->
|
||||
- **sendInitialEvents** (**查询参数**): boolean
|
||||
|
||||
<a href="{{< ref "../common-parameters/common-parameters#sendInitialEvents" >}}">sendInitialEvents</a>
|
||||
|
||||
- **timeoutSeconds**(**查询参数**):integer
|
||||
|
||||
<a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
|
||||
|
|
|
|||
|
|
@ -13,7 +13,8 @@ This page serves as a reference for the audit annotations of the kubernetes.io
|
|||
namespace. These annotations apply to `Event` object from API group
|
||||
`audit.k8s.io`.
|
||||
-->
|
||||
该页面作为 kubernetes.io 名字空间的审计注解的参考。这些注解适用于 API 组 `audit.k8s.io` 中的 `Event` 对象。
|
||||
该页面作为 kubernetes.io 名字空间的审计注解的参考。这些注解适用于 API 组
|
||||
`audit.k8s.io` 中的 `Event` 对象。
|
||||
|
||||
{{< note >}}
|
||||
<!--
|
||||
|
|
@ -69,7 +70,7 @@ for more information.
|
|||
|
||||
例子:`pod-security.kubernetes.io/enforce-policy: restricted:latest`
|
||||
|
||||
值**必须**是对应于 [Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards) 级别的
|
||||
值**必须**是对应于 [Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards)级别的
|
||||
`privileged:<版本>`、`baseline:<版本>`、`restricted:<版本>`,
|
||||
关联的版本**必须**是 `latest` 或格式为 `v<MAJOR>.<MINOR>` 的有效 Kubernetes 版本。
|
||||
此注解通知有关在 PodSecurity 准入期间允许或拒绝 Pod 的执行级别。
|
||||
|
|
@ -97,7 +98,8 @@ for more information.
|
|||
PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container
|
||||
"example" must set securityContext.allowPrivilegeEscalation=false), ...`
|
||||
|
||||
注解值给出审计策略违规的详细说明,它包含所违反的 [Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards/)级别以及
|
||||
注解值给出审计策略违规的详细说明,它包含所违反的
|
||||
[Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards/)级别以及
|
||||
PodSecurity 执行中违反的特定策略及对应字段。
|
||||
|
||||
有关详细信息,请参阅 [Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards/)。
|
||||
|
|
@ -203,3 +205,53 @@ There's more information about this in the Go documentation:
|
|||
-->
|
||||
Go 文档中有更多关于此的信息:
|
||||
[拒绝 SHA-1 证书](https://go.dev/doc/go1.18#sha1)。
|
||||
|
||||
## validation.policy.admission.k8s.io/validation_failure
|
||||
|
||||
<!--
|
||||
Example: `validation.policy.admission.k8s.io/validation_failure: '[{"message": "Invalid value", {"policy": "policy.example.com", {"binding": "policybinding.example.com", {"expressionIndex": "1", {"validationActions": ["Audit"]}]'`
|
||||
-->
|
||||
例子:`validation.policy.admission.k8s.io/validation_failure:
|
||||
'[{"message": "Invalid value", {"policy": "policy.example.com",
|
||||
{"binding": "policybinding.example.com", {"expressionIndex": "1",
|
||||
{"validationActions": ["Audit"]}]'`
|
||||
|
||||
<!--
|
||||
Used by Kubernetes version v1.27 and later.
|
||||
|
||||
This annotation indicates that a admission policy validation evaluted to false
|
||||
for an API request, or that the validation resulted in an error while the policy
|
||||
was configured with `failurePolicy: Fail`.
|
||||
-->
|
||||
由 Kubernetes v1.27 及更高版本使用。
|
||||
|
||||
此注解表示 API 请求的准入策略验证评估为 false,
|
||||
或者当策略配置为 `failurePolicy: Fail` 时验证报错。
|
||||
|
||||
<!--
|
||||
The value of the annotation is a JSON object. The `message` in the JSON
|
||||
provides the message about the validation failure.
|
||||
-->
|
||||
注解的值是一个 JSON 对象。JSON 中的 `message`
|
||||
字段提供了有关验证失败的信息。
|
||||
|
||||
<!--
|
||||
The `policy`, `binding` and `expressionIndex` in the JSON identifies the
|
||||
name of the `ValidatingAdmissionPolicy`, the name of the
|
||||
`ValidatingAdmissionPolicyBinding` and the index in the policy `validations` of
|
||||
the CEL expressions that failed, respectively.
|
||||
-->
|
||||
JSON 中的 `policy`、`binding` 和 `expressionIndex`
|
||||
分别标识了 `ValidatingAdmissionPolicy` 的名称、
|
||||
`ValidatingAdmissionPolicyBinding` 的名称以及失败的
|
||||
CEL 表达式在策略 `validations` 中的索引。
|
||||
|
||||
<!--
|
||||
The `validationActions` shows what actions were taken for this validation failure.
|
||||
See [Validating Admission Policy](/docs/reference/access-authn-authz/validating-admission-policy/)
|
||||
for more details about `validationActions`.
|
||||
-->
|
||||
`validationActions` 显示针对此验证失败采取的操作。
|
||||
有关 `validationActions` 的更多详细信息,
|
||||
请参阅[验证准入策略](/zh-cn/docs/reference/access-authn-authz/validating-admission-policy/)。
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue