[zh] sync /administer-cluster/securing-a-cluster.md
parent ed8b9f1305
commit fffee16428
@ -6,8 +6,7 @@ content_type: task
reviewers:
- smarterclayton
- liggitt
- ericchiang
- destijl
- enj
title: Securing a Cluster
content_type: task
-->
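Review bot: the header `@ -6,8 +6,7 @@` records that one line was dropped from the commented-out English front matter, but the rendered view carries no added/removed markers, so the reader cannot tell which of the `reviewers`, `title: Securing a Cluster` or `content_type: task` lines changed; please confirm in the PR description that the Chinese front matter below the `-->` still mirrors the same reviewer list and `content_type: task` as the English source, since a silently dropped reviewer entry would not be caught by the translation sync.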
@ -491,11 +490,14 @@ and may grant an attacker significant visibility into the state of your cluster.
your backups using a well reviewed backup and encryption solution, and consider using full disk
encryption where possible.
Kubernetes supports [encryption at rest](/docs/tasks/administer-cluster/encrypt-data/), a feature
introduced in 1.7, v1 beta since 1.13, and v2 alpha since 1.25. This will encrypt resources like `Secret` and `ConfigMap` in etcd, preventing
parties that gain access to your etcd backups from viewing the content of those secrets. While
this feature is currently beta, it offers an additional level of defense when backups
are not encrypted or an attacker gains read access to etcd.
Kubernetes supports optional [encryption at rest](/docs/tasks/administer-cluster/encrypt-data/) for information in the Kubernetes API.
This lets you ensure that when Kubernetes stores data for objects (for example, `Secret` or
`ConfigMap` objects), the API server writes an encrypted representation of the object.
That encryption means that even someone who has access to etcd backup data is unable
to view the content of those objects.
In Kubernetes {{< skew currentVersion >}} you can also encrypt custom resources;
encryption-at-rest for extension APIs defined in CustomResourceDefinitions was added to
Kubernetes as part of the v1.26 release.
-->
### 对 Secret 进行静态加密
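Review bot: the replaced English comment drops two caveats that the old text carried, namely that the feature "is currently beta" and that it "offers an additional level of defense when backups are not encrypted or an attacker gains read access to etcd"; because this file is a sync, the English comment must match upstream word for word, so please verify against the current English `securing-a-cluster.md` that both the removal of the beta/version history sentence ("introduced in 1.7, v1 beta since 1.13, and v2 alpha since 1.25") and the new CustomResourceDefinition sentence ("added to Kubernetes as part of the v1.26 release") are exactly what upstream now says, rather than a partial copy.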
@ -504,11 +506,12 @@ are not encrypted or an attacker gains read access to etcd.
你要始终使用经过充分审查的备份和加密方案来加密备份数据,
并考虑在可能的情况下使用全盘加密。
Kubernetes 支持[静态数据加密](/zh-cn/docs/tasks/administer-cluster/encrypt-data/)。
该功能在 1.7 版引入,在 1.13 版成为 v1 Beta,在 1.25 版成为 v2 Alpha。
它会加密 etcd 里面的 `Secret` 和 `ConfigMap` 资源,以防止某一方通过查看 etcd 的备份文件查看到这些
Secret 的内容。虽然目前该功能还只是 Beta 阶段,
在备份未被加密或者攻击者获取到 etcd 的读访问权限时,它仍能提供额外的防御层级。
对于 Kubernetes API 中的信息,Kubernetes 支持可选的[静态数据加密](/zh-cn/docs/tasks/administer-cluster/encrypt-data/)。
这让你可以确保当 Kubernetes 存储对象(例如 `Secret` 或 `ConfigMap`)的数据时,API 服务器写入的是加密的对象。
这种加密意味着即使有权访问 etcd 备份数据的某些人也无法查看这些对象的内容。
在 Kubernetes {{< skew currentVersion >}} 中,你也可以加密自定义资源;
针对以 CustomResourceDefinition 形式定义的扩展 API,对其执行静态加密的能力作为 v1.26
版本的一部分已添加到 Kubernetes。
<!--
### Receiving alerts for security updates and reporting vulnerabilities
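Review bot: in the new Chinese paragraph, "API 服务器写入的是加密的对象" renders the English "the API server writes an encrypted representation of the object" as "writes the encrypted object", which loses the point that what lands in etcd is an encrypted encoding rather than the object itself; suggest "API 服务器写入的是该对象的加密表示". The rest of the new translation tracks the English (the `{{< skew currentVersion >}}` shortcode, the `/zh-cn/docs/tasks/administer-cluster/encrypt-data/` link and the v1.26 CustomResourceDefinition sentence are all carried over), and the removed lines match the English sentences removed in the previous hunk.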