[zh] Update admission-controllers.md

Signed-off-by: xin.li <xin.li@daocloud.io>
pull/32746/head
xin.li 2022-04-04 17:04:41 +08:00
parent b3b7a184e0
commit e7f92e51d4
1 changed files with 15 additions and 8 deletions


@ -1208,10 +1208,10 @@ based on the requested security context and the available Pod Security Policies.
安全策略确定是否可以执行请求。
<!--
See also [Pod Security Policy documentation](/docs/concepts/policy/pod-security-policy/)
See also the [PodSecurityPolicy](/docs/concepts/security/pod-security-policy/) documentation
for more information.
-->
查看 [Pod 安全策略文档](/zh/docs/concepts/policy/pod-security-policy/)
查看 [Pod 安全策略文档](/zh/docs/concepts/security/pod-security-policy/)
了解更多细节。
### PodTolerationRestriction {#podtolerationrestriction}
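Review bot: the localized link on the updated 查看 line now points at `/zh/docs/concepts/security/pod-security-policy/`, mirroring the upstream move of the PodSecurityPolicy page from `concepts/policy/` to `concepts/security/`; please confirm the zh page actually exists at that path (or that a redirect is in place) before merging, since the localization tree can lag the English one and the reference would otherwise break. The English comment also changes its wording from "Pod Security Policy documentation" to "the [PodSecurityPolicy] documentation", while the Chinese link text "Pod 安全策略文档" is kept unchanged; that is acceptable, but aligning it to "PodSecurityPolicy 文档" would keep the resource name recognisable to readers who search for the API object.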
@ -1328,22 +1328,29 @@ Pod 的 `.spec.overhead` 字段和 RuntimeClass 的 `.overhead` 字段均为处
### SecurityContextDeny {#securitycontextdeny}
<!--
This admission controller will deny any pod that attempts to set certain escalating
This admission controller will deny any Pod that attempts to set certain escalating
[SecurityContext](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#securitycontext-v1-core)
fields, as shown in the
[Configure a Security Context for a Pod or Container](/docs/tasks/configure-pod-container/security-context/)
task.
This should be enabled if a cluster doesn't utilize
[pod security policies](/docs/concepts/policy/pod-security-policy/)
to restrict the set of values a security context can take.
If you don't use [Pod Security admission]((/docs/concepts/security/pod-security-admission/),
[PodSecurityPolicies](/docs/concepts/security/pod-security-policy/), nor any external enforcement mechanism,
then you could use this admission controller to restrict the set of values a security context can take.
See [Pod Security Standards](/docs/concepts/security/pod-security-standards/) for more context on restricting
pod privileges.
-->
该准入控制器将拒绝任何试图设置特定提升
[SecurityContext](/zh/docs/tasks/configure-pod-container/security-context/)
字段的 Pod正如任务
[为 Pod 或 Container 配置安全上下文](/zh/docs/tasks/configure-pod-container/security-context/)
中所展示的那样。
如果集群没有使用 [Pod 安全策略](/zh/docs/concepts/policy/pod-security-policy/)
来限制安全上下文所能获取的值集,那么应该启用这个功能。
如果集群没有使用 [Pod 安全性准入](/zh/docs/concepts/security/pod-security-admission/)、
[PodSecurityPolicies](/zh/docs/concepts/security/pod-security-policy/)
也没有任何外部执行机制,那么你可以使用此准入控制器来限制安全上下文所能获取的值集。
有关限制 Pod 权限的更多内容,请参阅
[Pod 安全标准](/zh/docs/concepts/security/pod-security-standards/)。
### ServiceAccount {#serviceaccount}
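Review bot: the copied English comment carries an upstream markdown typo, `[Pod Security admission]((/docs/concepts/security/pod-security-admission/)` with a doubled `((`; it is harmless inside the HTML comment, but the same text should be fixed in the English source so later syncs do not reintroduce it. The translated guidance itself matches the English: SecurityContextDeny is presented only as a fallback when neither Pod Security admission, PodSecurityPolicies, nor an external enforcement mechanism is in use, and readers are pointed to Pod Security Standards for restricting Pod privileges, which is the right framing given that PodSecurityPolicy is the deprecated option. One pre-existing inconsistency in the same block is worth a follow-up: the Chinese `SecurityContext` link targets the task page `/zh/docs/tasks/configure-pod-container/security-context/`, whereas the English links the API reference `#securitycontext-v1-core`, so the next line repeats the same task link twice; the API reference target would be the faithful choice.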