[zh] sync /administer-cluster/securing-a-cluster.md
parent ed8b9f1305
commit fffee16428
|
@ -6,8 +6,7 @@ content_type: task
|
||||||
reviewers:
|
reviewers:
|
||||||
- smarterclayton
|
- smarterclayton
|
||||||
- liggitt
|
- liggitt
|
||||||
- ericchiang
|
- enj
|
||||||
- destijl
|
|
||||||
title: Securing a Cluster
|
title: Securing a Cluster
|
||||||
content_type: task
|
content_type: task
|
||||||
-->
|
-->
|
||||||
|
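Review bot: the reviewers change in this hunk (`- ericchiang` replaced by `- enj`, `- destijl` dropped) lands only inside the commented-out English copy of the front matter, the block closed by the `-->` context line; if the page's effective zh front matter carries its own `reviewers:` entries, update them identically in the same commit so the two copies do not drift apart.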
@ -491,11 +490,14 @@ and may grant an attacker significant visibility into the state of your cluster.
|
||||||
your backups using a well reviewed backup and encryption solution, and consider using full disk
|
your backups using a well reviewed backup and encryption solution, and consider using full disk
|
||||||
encryption where possible.
|
encryption where possible.
|
||||||
|
|
||||||
Kubernetes supports [encryption at rest](/docs/tasks/administer-cluster/encrypt-data/), a feature
|
Kubernetes supports optional [encryption at rest](/docs/tasks/administer-cluster/encrypt-data/) for information in the Kubernetes API.
|
||||||
introduced in 1.7, v1 beta since 1.13, and v2 alpha since 1.25. This will encrypt resources like `Secret` and `ConfigMap` in etcd, preventing
|
This lets you ensure that when Kubernetes stores data for objects (for example, `Secret` or
|
||||||
parties that gain access to your etcd backups from viewing the content of those secrets. While
|
`ConfigMap` objects), the API server writes an encrypted representation of the object.
|
||||||
this feature is currently beta, it offers an additional level of defense when backups
|
That encryption means that even someone who has access to etcd backup data is unable
|
||||||
are not encrypted or an attacker gains read access to etcd.
|
to view the content of those objects.
|
||||||
|
In Kubernetes {{< skew currentVersion >}} you can also encrypt custom resources;
|
||||||
|
encryption-at-rest for extension APIs defined in CustomResourceDefinitions was added to
|
||||||
|
Kubernetes as part of the v1.26 release.
|
||||||
-->
|
-->
|
||||||
### 对 Secret 进行静态加密
|
### 对 Secret 进行静态加密
|
||||||
|
|
||||||
|
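Review bot: the rewritten English comment removes the version history (`introduced in 1.7, v1 beta since 1.13, and v2 alpha since 1.25`) and the sentence stating the defensive value when backups are unencrypted or an attacker gains read access to etcd, replacing them with the "optional encryption at rest" wording and the v1.26 note on CustomResourceDefinitions; since this comment is the reference the zh paragraph is translated from, confirm it is a verbatim copy of the current upstream English so that later syncs produce a clean diff, and check that the new closing line `Kubernetes as part of the v1.26 release.` keeps the same line breaks as upstream for the same reason.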
@ -504,11 +506,12 @@ are not encrypted or an attacker gains read access to etcd.
|
||||||
你要始终使用经过充分审查的备份和加密方案来加密备份数据,
|
你要始终使用经过充分审查的备份和加密方案来加密备份数据,
|
||||||
并考虑在可能的情况下使用全盘加密。
|
并考虑在可能的情况下使用全盘加密。
|
||||||
|
|
||||||
Kubernetes 支持[静态数据加密](/zh-cn/docs/tasks/administer-cluster/encrypt-data/)。
|
对于 Kubernetes API 中的信息,Kubernetes 支持可选的[静态数据加密](/zh-cn/docs/tasks/administer-cluster/encrypt-data/)。
|
||||||
该功能在 1.7 版引入,在 1.13 版成为 v1 Beta,在 1.25 版成为 v2 Alpha。
|
这让你可以确保当 Kubernetes 存储对象(例如 `Secret` 或 `ConfigMap`)的数据时,API 服务器写入的是加密的对象。
|
||||||
它会加密 etcd 里面的 `Secret` 和 `ConfigMap` 资源,以防止某一方通过查看 etcd 的备份文件查看到这些
|
这种加密意味着即使有权访问 etcd 备份数据的某些人也无法查看这些对象的内容。
|
||||||
Secret 的内容。虽然目前该功能还只是 Beta 阶段,
|
在 Kubernetes {{< skew currentVersion >}} 中,你也可以加密自定义资源;
|
||||||
在备份未被加密或者攻击者获取到 etcd 的读访问权限时,它仍能提供额外的防御层级。
|
针对以 CustomResourceDefinition 形式定义的扩展 API,对其执行静态加密的能力作为 v1.26
|
||||||
|
版本的一部分已添加到 Kubernetes。
|
||||||
|
|
||||||
<!--
|
<!--
|
||||||
### Receiving alerts for security updates and reporting vulnerabilities
|
### Receiving alerts for security updates and reporting vulnerabilities
|
||||||
|
|
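Review bot: in the new line `API 服务器写入的是加密的对象。` the English source reads "the API server writes an encrypted representation of the object", so `API 服务器写入的是该对象的加密表示。` would track the source more closely; the remaining translated lines (optional encryption, the etcd backup sentence, the `{{< skew currentVersion >}}` sentence and the v1.26 CustomResourceDefinition note) match the English hunk above, and the removed zh sentences about the Beta stage and etcd read access correspond to text that the English hunk also drops, so nothing stale remains.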