Merge pull request #39201 from Zhuzhenghao/cluster-level-pss

[zh] Cleanup cluster-level-pss.md
pull/39123/merge
Kubernetes Prow Robot 2023-02-01 02:25:06 -08:00 committed by GitHub
commit cf6015ece1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed file with 49 additions and 50 deletions


@ -3,7 +3,7 @@ title: 在集群级别应用 Pod 安全标准
content_type: tutorial
weight: 10
---
<!--
<!--
title: Apply Pod Security Standards at the Cluster Level
content_type: tutorial
weight: 10
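Review bot: whitespace-only change on the `<!--` opener of the front-matter comment; the line shows up twice here because this rendering dropped the +/- markers, so the first copy is the old line and the second the new one. No content is touched and nothing needs fixing in this hunk.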
@ -16,7 +16,7 @@ This tutorial applies only for new clusters.
本教程仅适用于新集群。
{{% /alert %}}
<!--
<!--
Pod Security admission (PSA) is enabled by default in v1.23 and later, as it has
[graduated to beta](/blog/2021/12/09/pod-security-admission-beta/).
Pod Security
@ -46,7 +46,7 @@ Pod 安全准入是在创建 Pod 时应用
请查阅该版本的文档。
## {{% heading "prerequisites" %}}
<!--
<!--
Install the following on your workstation:
- [KinD](https://kind.sigs.k8s.io/docs/user/quick-start/#installation)
@ -65,7 +65,7 @@ lets you apply built-in [Pod Security Standards](/docs/concepts/security/pod-sec
with the following modes: `enforce`, `audit`, and `warn`.
To gather information that helps you to choose the Pod Security Standards
that are most appropriate for your configuration, do the following:
that are most appropriate for your configuration, do the following:
-->
## 正确选择要应用的 Pod 安全标准 {#choose-the-right-pod-security-standard-to-apply}
@ -76,7 +76,7 @@ that are most appropriate for your configuration, do the following:
要收集信息以便选择最适合你的配置的 Pod 安全标准,请执行以下操作:
<!--
<!--
1. Create a cluster with no Pod Security Standards applied:
-->
1. 创建一个没有应用 Pod 安全标准的集群:
@ -89,20 +89,20 @@ that are most appropriate for your configuration, do the following:
```
Creating cluster "psa-wo-cluster-pss" ...
✓ Ensuring node image (kindest/node:v1.24.0) 🖼
✓ Preparing nodes 📦
✓ Preparing nodes 📦
✓ Writing configuration 📜
✓ Starting control-plane 🕹️
✓ Installing CNI 🔌
✓ Installing StorageClass 💾
Set kubectl context to "kind-psa-wo-cluster-pss"
You can now use your cluster with:
kubectl cluster-info --context kind-psa-wo-cluster-pss
Thanks for using kind! 😊
```
<!--
<!--
1. Set the kubectl context to the new cluster:
-->
2. 将 kubectl 上下文设置为新集群:
@ -116,11 +116,11 @@ that are most appropriate for your configuration, do the following:
Kubernetes control plane is running at https://127.0.0.1:61350
CoreDNS is running at https://127.0.0.1:61350/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
```
<!--
<!--
1. Get a list of namespaces in the cluster:
-->
3. 获取集群中的名字空间列表:
@ -130,7 +130,7 @@ that are most appropriate for your configuration, do the following:
```
<!-- The output is similar to this: -->
输出类似于:
```
```
NAME STATUS AGE
default Active 9m30s
kube-node-lease Active 9m32s
@ -139,7 +139,7 @@ that are most appropriate for your configuration, do the following:
local-path-storage Active 9m26s
```
<!--
<!--
1. Use `--dry-run=server` to understand what happens when different Pod Security Standards
are applied:
-->
@ -147,18 +147,18 @@ that are most appropriate for your configuration, do the following:
1. Privileged
```shell
kubectl label --dry-run=server --overwrite ns --all \
kubectl label --dry-run=server --overwrite ns --all \
pod-security.kubernetes.io/enforce=privileged
```
<!-- The output is similar to this: -->
输出类似于:
```
namespace/default labeled
namespace/kube-node-lease labeled
namespace/kube-public labeled
namespace/kube-system labeled
namespace/local-path-storage labeled
```
```
namespace/default labeled
namespace/kube-node-lease labeled
namespace/kube-public labeled
namespace/kube-system labeled
namespace/local-path-storage labeled
```
2. Baseline
```shell
kubectl label --dry-run=server --overwrite ns --all \
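Review bot: once `--dry-run=server` is dropped, `kubectl label --overwrite ns --all pod-security.kubernetes.io/enforce=privileged` replaces any existing enforce label on every namespace, `kube-system` included, so the step text would benefit from one sentence telling readers to keep the dry run until they have settled on a level. The duplicated "namespace/... labeled" output block in this hunk is an indentation-only change and is fine.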
@ -166,7 +166,7 @@ that are most appropriate for your configuration, do the following:
```
<!-- The output is similar to this: -->
输出类似于:
```
```
namespace/default labeled
namespace/kube-node-lease labeled
namespace/kube-public labeled
@ -185,7 +185,7 @@ that are most appropriate for your configuration, do the following:
```
<!-- The output is similar to this: -->
输出类似于:
```
```
namespace/default labeled
namespace/kube-node-lease labeled
namespace/kube-public labeled
@ -200,15 +200,16 @@ that are most appropriate for your configuration, do the following:
namespace/local-path-storage labeled
```
<!--
<!--
From the previous output, you'll notice that applying the `privileged` Pod Security Standard shows no warnings
for any namespaces. However, `baseline` and `restricted` standards both have
warnings, specifically in the `kube-system` namespace.
-->
从前面的输出中,你会注意到应用 `privileged` Pod 安全标准不会显示任何名字空间的警告。
然而,`baseline` 和 `restricted` 标准都有警告,特别是在 `kube-system` 名字空间中。
<!--
<!--
## Set modes, versions and standards
In this section, you apply the following Pod Security Standards to the `latest` version:
@ -223,7 +224,7 @@ In this section, you apply the following Pod Security Standards to the `latest`
* 在 `enforce` 模式下的 `baseline` 标准。
* `warn``audit` 模式下的 `restricted` 标准。
<!--
<!--
The `baseline` Pod Security Standard provides a convenient
middle ground that allows keeping the exemption list short and prevents known
privilege escalations.
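Review bot: the context line `* `warn``audit` 模式下的 `restricted` 标准。` runs the two mode names together with no conjunction or separator, unlike the preceding bullet; it should read `* `warn` 和 `audit` 模式下的 `restricted` 标准。` unless the missing word is an artifact of this rendering.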
@ -240,7 +241,7 @@ following:
在你自己的环境中实施 Pod 安全准入时,请考虑以下事项:
<!--
<!--
1. Based on the risk posture applied to a cluster, a stricter Pod Security
Standard like `restricted` might be a better choice.
1. Exempting the `kube-system` namespace allows pods to run as
@ -260,7 +261,7 @@ following:
```
mkdir -p /tmp/pss
cat <<EOF > /tmp/pss/cluster-level-pss.yaml
cat <<EOF > /tmp/pss/cluster-level-pss.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
@ -293,13 +294,13 @@ following:
对于 v1.22,使用 [v1alpha1](https://v1-22.docs.kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/)。
{{< /note >}}
<!--
<!--
1. Configure the API server to consume this file during cluster creation:
-->
4. 在创建集群时配置 API 服务器使用此文件:
```
cat <<EOF > /tmp/pss/cluster-config.yaml
cat <<EOF > /tmp/pss/cluster-config.yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
@ -333,7 +334,7 @@ following:
```
{{<note>}}
<!--
<!--
If you use Docker Desktop with KinD on macOS, you can
add `/tmp` as a Shared Directory under the menu item
**Preferences > Resources > File Sharing**.
@ -343,7 +344,7 @@ following:
下添加 `/tmp` 作为共享目录。
{{</note>}}
<!--
<!--
1. Create a cluster that uses Pod Security Admission to apply
these Pod Security Standards:
-->
@ -356,22 +357,22 @@ following:
输出类似于:
```
Creating cluster "psa-with-cluster-pss" ...
✓ Ensuring node image (kindest/node:v1.24.0) 🖼
✓ Preparing nodes 📦
✓ Writing configuration 📜
✓ Starting control-plane 🕹️
✓ Installing CNI 🔌
✓ Installing StorageClass 💾
✓ Ensuring node image (kindest/node:v1.24.0) 🖼
✓ Preparing nodes 📦
✓ Writing configuration 📜
✓ Starting control-plane 🕹️
✓ Installing CNI 🔌
✓ Installing StorageClass 💾
Set kubectl context to "kind-psa-with-cluster-pss"
You can now use your cluster with:
kubectl cluster-info --context kind-psa-with-cluster-pss
Have a question, bug, or feature request? Let us know! https://kind.sigs.k8s.io/#community 🙂
```
<!--
1. Point kubectl to the cluster
<!--
1. Point kubectl to the cluster:
-->
6. 将 kubectl 指向集群
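Review bot: the English comment gains a trailing colon (`1. Point kubectl to the cluster:`) but the Chinese line `6. 将 kubectl 指向集群` still has none, while steps 2 and 3 end with `:`; add the colon here so the translated steps stay consistent with each other and with the updated source comment.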
@ -383,11 +384,10 @@ following:
```
Kubernetes control plane is running at https://127.0.0.1:63855
CoreDNS is running at https://127.0.0.1:63855/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
```
<!--
<!--
1. Create the following Pod specification for a minimal configuration in the default namespace:
-->
7. 创建以下 Pod 规约作为在 default 名字空间中的一个最小配置:
@ -406,8 +406,7 @@ following:
- containerPort: 80
EOF
```
<!--
<!--
1. Create the Pod in the cluster:
-->
8. 在集群中创建 Pod
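Review bot: `8. 在集群中创建 Pod` lacks the trailing colon that step 7 (`...一个最小配置:`) and the English `1. Create the Pod in the cluster:` carry; add `:` for consistency with the other steps in this list.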
@ -422,7 +421,7 @@ following:
pod/nginx created
```
<!--
<!--
## Clean up
Now delete the clusters which you created above by running the following command:
@ -440,7 +439,7 @@ kind delete cluster --name psa-wo-cluster-pss
## {{% heading "whatsnext" %}}
<!--
<!--
- Run a
[shell script](/examples/security/kind-with-cluster-level-baseline-pod-security.sh)
to perform all the preceding steps at once:
@ -464,4 +463,4 @@ kind delete cluster --name psa-wo-cluster-pss
6. 应用这个文件,在新集群中创建一个 Pod
- [Pod 安全准入](/zh-cn/docs/concepts/security/pod-security-admission/)
- [Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards/)
- [在名字空间级别应用 Pod 安全标准](/zh-cn/docs/tutorials/security/ns-level-pss/)
- [在名字空间级别应用 Pod 安全标准](/zh-cn/docs/tutorials/security/ns-level-pss/)