Merge pull request #35946 from ydFu/update-seccomp

[zh] updated /tutorials/security/seccomp.md
2022-08-13 20:32:12 -07:00 · 2022-08-13 20:32:12 -07:00 · fac477b9e4
parent bb8912ef2c b4514b57f2
commit fac477b9e4
1 changed files with 60 additions and 23 deletions
--- a/content/zh-cn/docs/tutorials/security/seccomp.md
+++ b/content/zh-cn/docs/tutorials/security/seccomp.md
@ -109,7 +109,7 @@ into the cluster.
 现在先将它们下载到名为 `profiles/` 的目录中，以便将它们加载到集群中。

 {{< tabs name="tab_with_code" >}}
-{{{< tab name="audit.json" >}}
+{{< tab name="audit.json" >}}
 {{< codenew file="pods/security/seccomp/profiles/audit.json" >}}
 {{< /tab >}}
 {{< tab name="violation.json" >}}
@ -120,7 +120,9 @@ into the cluster.
 {{< /tab >}}}
 {{< /tabs >}}

-<!-- Run these commands: -->
+<!--
+Run these commands:
+-->
 执行这些命令：

 ```shell
@ -131,7 +133,9 @@ curl -L -o profiles/fine-grained.json https://k8s.io/examples/pods/security/secc
 ls profiles
 ```

-<!-- You should see three profiles listed at the end of the final step: -->
+<!--
+You should see three profiles listed at the end of the final step:
+-->
 你应该看到在最后一步的末尾列出有三个配置文件：
 ```
 audit.json  fine-grained.json  violation.json
@ -186,7 +190,7 @@ before you continue.
 {{< glossary_tooltip text="容器运行时" term_id="container-runtime" >}}
 默认首选的配置文件，而不是回退到 `Unconfined`。
 如果你想尝试，请在继续之前参阅
-[启用使用 `RuntimeDefault` 作为所有工作负载的默认 seccomp 配置文件](#enable-runtimedefault-as-default)
+[启用使用 `RuntimeDefault` 作为所有工作负载的默认 seccomp 配置文件](#enable-runtimedefault-as-default)。

 <!--
 Once you have a kind configuration in place, create the kind cluster with
@ -214,6 +218,7 @@ You should see output indicating that a container is running with name
 -->
 你应该看到输出中名为 `kind-control-plane` 的容器正在运行。
 输出类似于：
+
 ```
 CONTAINER ID        IMAGE                  COMMAND                  CREATED             STATUS              PORTS                       NAMES
 6a96207fed4b        kindest/node:v1.18.2   "/usr/local/bin/entr…"   27 seconds ago      Up 24 seconds       127.0.0.1:42223->6443/tcp   kind-control-plane
@ -366,7 +371,9 @@ nodes:
            seccomp-default: "true"
 ```

-<!-- If the cluster is ready, then running a pod: -->
+<!--
+If the cluster is ready, then running a pod:
+-->
 如果集群已就绪，则运行一个 Pod：

 ```shell
@ -428,7 +435,9 @@ the native API fields in favor of the annotations.
 请在可能的情况下使用原生 API 字段而不是注解。
 {{< /note >}}

-<!-- Create the Pod in the cluster: -->
+<!--
+Create the Pod in the cluster:
+-->
 在集群中创建 Pod：

 ```shell
@ -463,15 +472,20 @@ that allows access to the endpoint from inside the kind control plane container.
 kubectl expose pod audit-pod --type NodePort --port 5678
 ```

-<!-- Check what port the Service has been assigned on the node. -->
+<!--
+Check what port the Service has been assigned on the node.
+-->
 检查 Service 在节点上分配的端口。

 ```shell
 kubectl get service audit-pod
 ```

-<!-- The output is similar to: -->
+<!--
+The output is similar to:
+-->
 输出类似于：
+
 ```
 NAME        TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
 audit-pod   NodePort   10.111.36.142   <none>        5678:32373/TCP   72s
@ -548,14 +562,14 @@ kubectl delete pod audit-pod --wait --now
 ```

 <!-- 
-## Create Pod with seccomp profile that causes violation
+## Create Pod with a seccomp profile that causes violation

 For demonstration, apply a profile to the Pod that does not allow for any
 syscalls.

 The manifest for this demonstration is:
 -->
-## 使用导致违规的 seccomp 配置文件创建 Pod {#create-pod-with-seccomp-profile-that-causes-violation}
+## 使用导致违规的 seccomp 配置文件创建 Pod {#create-pod-with-a-seccomp-profile-that-causes-violation}

 出于演示目的，将配置文件应用于不允许任何系统调用的 Pod 上。

@ -563,7 +577,9 @@ The manifest for this demonstration is:

 {{< codenew file="pods/security/seccomp/ga/violation-pod.yaml" >}}

-<!-- Attempt to create the Pod in the cluster: -->
+<!--
+Attempt to create the Pod in the cluster:
+-->
 尝试在集群中创建 Pod：

 ```shell
@ -606,8 +622,8 @@ Clean up that Pod before moving to the next section:
 kubectl delete pod violation-pod --wait --now
 ```

-<!-- 
-## Create Pod with seccomp profile that only allows necessary syscalls
+<!--
+## Create Pod with a seccomp profile that only allows necessary syscalls

 If you take a look at the `fine-grained.json` profile, you will notice some of the syscalls
 seen in syslog of the first example where the profile set `"defaultAction":
@ -618,7 +634,7 @@ sent to `syslog`.

 The manifest for this example is:
 -->
-## 使用只允许必要的系统调用的 seccomp 配置文件创建 Pod {#create-pod-with-seccomp-profile-that-only-allows-necessary-syscalls}
+## 使用只允许必要的系统调用的 seccomp 配置文件创建 Pod {#create-pod-with-a-seccomp-profile-that-only-allows-necessary-syscalls}

 如果你看一看 `fine-grained.json` 配置文件，
 你会注意到第一个示例的 syslog 中看到的一些系统调用，
@ -631,7 +647,9 @@ The manifest for this example is:

 {{< codenew file="pods/security/seccomp/ga/fine-pod.yaml" >}}

-<!-- Create the Pod in your cluster: -->
+<!--
+Create the Pod in your cluster:
+-->
 在你的集群中创建 Pod：

 ```shell
@ -642,8 +660,11 @@ kubectl apply -f https://k8s.io/examples/pods/security/seccomp/ga/fine-pod.yaml
 kubectl get pod fine-pod
 ```

-<!-- The Pod should be showing as having started successfully: -->
+<!--
+The Pod should be showing as having started successfully:
+-->
 此 Pod 应该显示为已成功启动：
+
 ```
 NAME        READY   STATUS    RESTARTS   AGE
 fine-pod   1/1     Running   0          30s
@ -660,28 +681,36 @@ mention calls from `http-echo`:
 tail -f /var/log/syslog | grep 'http-echo'
 ```

-<!-- Next, expose the Pod with a NodePort Service: -->
+<!--
+Next, expose the Pod with a NodePort Service:
+-->
 接着，使用 NodePort Service 公开 Pod：

 ```shell
 kubectl expose pod fine-pod --type NodePort --port 5678
 ```

-<!-- Check what port the Service has been assigned on the node: -->
+<!--
+Check what port the Service has been assigned on the node:
+-->
 检查节点上的 Service 分配了什么端口：

 ```shell
 kubectl get service fine-pod
 ```

-<!-- The output is similar to: -->
+<!--
+The output is similar to:
+-->
 输出类似于：
 ```
 NAME        TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
 fine-pod    NodePort   10.111.36.142   <none>        5678:32373/TCP   72s
 ```

-<!-- Use `curl` to access that endpoint from inside the kind control plane container: -->
+<!--
+Use `curl` to access that endpoint from inside the kind control plane container:
+-->
 使用 `curl` 从 kind 控制平面容器内部访问端点：

 ```shell
@ -745,8 +774,11 @@ for all its containers:

 {{< codenew file="pods/security/seccomp/ga/default-pod.yaml" >}}

-<!-- Create that Pod: -->
+<!--
+Create that Pod:
+-->
 创建此 Pod：
+
 ```shell
 kubectl apply -f https://k8s.io/examples/pods/security/seccomp/ga/default-pod.yaml
 ```
@ -755,14 +787,19 @@ kubectl apply -f https://k8s.io/examples/pods/security/seccomp/ga/default-pod.ya
 kubectl get pod default-pod
 ```

-<!-- The Pod should be showing as having started successfully: -->
+<!--
+The Pod should be showing as having started successfully:
+-->
 此 Pod 应该显示为成功启动：
+
 ```
 NAME        READY   STATUS    RESTARTS   AGE
 default-pod 1/1     Running   0          20s
 ```

-<!-- Finally, now that you saw that work OK, clean up: -->
+<!--
+Finally, now that you saw that work OK, clean up:
+-->
 最后，你看到一切正常之后，请清理：

 ```shell