[zh] sync /administer-cluster/securing-a-cluster.md

pull/38519/head
windsonsea 2022-12-17 12:09:44 +08:00 committed by Michael
parent ed8b9f1305
commit fffee16428
1 changed files with 15 additions and 12 deletions

@ -6,8 +6,7 @@ content_type: task
reviewers:
- smarterclayton
- liggitt
- ericchiang
- destijl
- enj
title: Securing a Cluster
content_type: task
-->
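Review bot: the hunk header (-6,8 +6,7) says one line was removed from the English front-matter comment, but the rendered view shows all five reviewer entries (smarterclayton, liggitt, ericchiang, destijl, enj) without +/- markers, so it is not visible here which reviewer was dropped; please confirm the resulting `reviewers:` list is a verbatim copy of the current upstream English file, since this comment block is what the next `[zh] sync` will diff against.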
@ -491,11 +490,14 @@ and may grant an attacker significant visibility into the state of your cluster.
your backups using a well reviewed backup and encryption solution, and consider using full disk
encryption where possible.
Kubernetes supports [encryption at rest](/docs/tasks/administer-cluster/encrypt-data/), a feature
introduced in 1.7, v1 beta since 1.13, and v2 alpha since 1.25. This will encrypt resources like `Secret` and `ConfigMap` in etcd, preventing
parties that gain access to your etcd backups from viewing the content of those secrets. While
this feature is currently beta, it offers an additional level of defense when backups
are not encrypted or an attacker gains read access to etcd.
Kubernetes supports optional [encryption at rest](/docs/tasks/administer-cluster/encrypt-data/) for information in the Kubernetes API.
This lets you ensure that when Kubernetes stores data for objects (for example, `Secret` or
`ConfigMap` objects), the API server writes an encrypted representation of the object.
That encryption means that even someone who has access to etcd backup data is unable
to view the content of those objects.
In Kubernetes {{< skew currentVersion >}} you can also encrypt custom resources;
encryption-at-rest for extension APIs defined in CustomResourceDefinitions was added to
Kubernetes as part of the v1.26 release.
-->
### 对 Secret 进行静态加密
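Review bot: the replacement paragraph drops the version history ("introduced in 1.7, v1 beta since 1.13, and v2 alpha since 1.25") and the "While this feature is currently beta" caveat without substituting any other status statement; that is fine only if the upstream English page made the same change, so please confirm these lines are copied unchanged from upstream rather than edited locally. The new text also introduces `{{< skew currentVersion >}}` and the v1.26 reference for CustomResourceDefinition encryption; check that the Chinese section below carries the same shortcode and the same version so the two halves of the file do not drift.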
@ -504,11 +506,12 @@ are not encrypted or an attacker gains read access to etcd.
你要始终使用经过充分审查的备份和加密方案来加密备份数据,
并考虑在可能的情况下使用全盘加密。
Kubernetes 支持[静态数据加密](/zh-cn/docs/tasks/administer-cluster/encrypt-data/)。
该功能在 1.7 版引入,在 1.13 版成为 v1 Beta在 1.25 版成为 v2 Alpha。
它会加密 etcd 里面的 `Secret``ConfigMap` 资源,以防止某一方通过查看 etcd 的备份文件查看到这些
Secret 的内容。虽然目前该功能还只是 Beta 阶段,
在备份未被加密或者攻击者获取到 etcd 的读访问权限时,它仍能提供额外的防御层级。
对于 Kubernetes API 中的信息Kubernetes 支持可选的[静态数据加密](/zh-cn/docs/tasks/administer-cluster/encrypt-data/)。
这让你可以确保当 Kubernetes 存储对象(例如 `Secret``ConfigMap`的数据时API 服务器写入的是加密的对象。
这种加密意味着即使有权访问 etcd 备份数据的某些人也无法查看这些对象的内容。
在 Kubernetes {{< skew currentVersion >}} 中,你也可以加密自定义资源;
针对以 CustomResourceDefinition 形式定义的扩展 API对其执行静态加密的能力作为 v1.26
版本的一部分已添加到 Kubernetes。
<!--
### Receiving alerts for security updates and reporting vulnerabilities
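Review bot: in the added lines, "例如 `Secret``ConfigMap`的数据时API 服务器" and "API 中的信息Kubernetes 支持" read as if the fullwidth separators (、 between the two object names, ，before "API 服务器" and "Kubernetes", and the closing ）) were lost; if that is how the committed file reads rather than an artifact of this view, restore them, e.g. "例如 `Secret`、`ConfigMap`）的数据时，API 服务器". The same applies to "扩展 API对其执行静态加密" (a ，is expected after "API"). Separately, "API 服务器写入的是加密的对象" renders "the API server writes an encrypted representation of the object" more loosely than the source; "写入的是该对象的加密表示" keeps the point that the stored form, not the object itself, is what is encrypted. The trailing "<!--" and English heading are unchanged context for the next section and need no edit.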