Merge pull request #34341 from Sea-n/zh-psp-redirect

k8s-ci-robot · web-flow · commit 1575e1e2085b · 2022-06-17T02:12:31.000-07:00
[zh] Fix link for PSP
diff --git a/content/zh-cn/docs/concepts/security/rbac-good-practices.md b/content/zh-cn/docs/concepts/security/rbac-good-practices.md
@@ -215,7 +215,7 @@ You can also use the deprecated [PodSecurityPolicy](/docs/concepts/policy/pod-se
 to restrict users' abilities to create privileged Pods (N.B. PodSecurityPolicy is scheduled for removal
 in version 1.25).
 -->
-你还可以使用已弃用的 [PodSecurityPolicy](/zh/docs/concepts/policy/pod-security-policy/)
+你还可以使用已弃用的 [PodSecurityPolicy](/zh-cn/docs/concepts/security/pod-security-policy/)
 机制以限制用户创建特权 Pod 的能力 （特别注意：PodSecurityPolicy 已计划在版本 1.25 中删除）。
 
 <!--
@@ -235,7 +235,7 @@ PersistentVolumes, and constrained users should use PersistentVolumeClaims to ac
 -->
 ### 持久卷的创建 {#persistent-volume-creation}
 
-如 [PodSecurityPolicy](/zh/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems) 
+如 [PodSecurityPolicy](/zh-cn/docs/concepts/security/pod-security-policy/#volumes-and-file-systems) 
 文档中所述，创建 PersistentVolumes 的权限可以提权访问底层主机。
 如果需要访问 PersistentVolume，受信任的管理员应该创建 `PersistentVolume`，
 受约束的用户应该使用 `PersistentVolumeClaim` 访问该存储。
diff --git a/content/zh-cn/docs/concepts/security/windows-security.md b/content/zh-cn/docs/concepts/security/windows-security.md
@@ -26,7 +26,7 @@ This page describes security considerations and best practices specific to the W
 <!--
 ## Protection for Secret data on nodes
 -->
-## 保护节点上的 Secret 数据
+## 保护节点上的 Secret 数据   {#protection-for-secret-data-on-nodes}
 
 <!--
 On Windows, data from Secrets are written out in clear text onto the node's local
@@ -48,7 +48,7 @@ operator, you should take both of the following additional measures:
 <!--
 ## Container users
 -->
-## 容器用户
+## 容器用户   {#container-users}
 
 <!--
 [RunAsUsername](/docs/tasks/configure-pod-container/configure-runasusername)
@@ -57,7 +57,7 @@ processes as specific user. This is roughly equivalent to
 [RunAsUser](/docs/concepts/policy/pod-security-policy/#users-and-groups).
 -->
 可以为 Windows Pod 或容器指定 [RunAsUsername](/zh/docs/tasks/configure-pod-container/configure-runasusername)
-以作为特定用户执行容器进程。这大致相当于 [RunAsUser](/zh/docs/concepts/policy/pod-security-policy/#users-and-groups)。
+以作为特定用户执行容器进程。这大致相当于 [RunAsUser](/zh-cn/docs/concepts/security/pod-security-policy/#users-and-groups)。
 
 <!--
 Windows containers offer two default user accounts, ContainerUser and ContainerAdministrator.
@@ -92,7 +92,7 @@ Active Directory 身份运行。
 <!--
 ## Pod-level security isolation
 -->
-## Pod 级安全隔离
+## Pod 级安全隔离   {#pod-level-security-isolation}
 
 <!--
 Linux-specific pod security context mechanisms (such as SELinux, AppArmor, Seccomp, or custom
diff --git a/content/zh-cn/docs/tasks/administer-cluster/securing-a-cluster.md b/content/zh-cn/docs/tasks/administer-cluster/securing-a-cluster.md
@@ -268,7 +268,7 @@ to the metadata API, and avoid using provisioning data to deliver secrets.
 -->
 ### 限制云元数据 API 访问
 
-云平台（AWS,  Azure, GCE 等）经常将 metadata 本地服务暴露给实例。
+云平台（AWS、Azure、GCE 等）经常将 metadata 本地服务暴露给实例。
 默认情况下，这些 API 可由运行在实例上的 Pod 访问，并且可以包含
 该云节点的凭据或配置数据（如 kubelet 凭据）。
 这些凭据可以用于在集群内升级或在同一账户下升级到其他云服务。
@@ -413,7 +413,7 @@ or run with elevated permissions if those service accounts are granted access to
 如果执行 Pod 创建操作的组件能够在 `kube-system` 这类名字空间中创建 Pod，
 则这类组件也可能获得意外的权限，因为这些 Pod 可以访问服务账户的 Secret，
 或者，如果对应服务帐户被授权访问宽松的
-[PodSecurityPolicy](/zh/docs/concepts/policy/pod-security-policy/)，
+[PodSecurityPolicy](/zh-cn/docs/concepts/security/pod-security-policy/)，
 它们就能以较高的权限运行。
 
 <!--
diff --git a/content/zh-cn/docs/tasks/configure-pod-container/migrate-from-psp.md b/content/zh-cn/docs/tasks/configure-pod-container/migrate-from-psp.md
@@ -31,7 +31,7 @@ admission controller. This can be done effectively using a combination of dry-ru
 <!--
 - Ensure the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features) is enabled.
 -->
-- 确保 `PodSecurity` [特性门控](/docs/reference/command-line-tools-reference/feature-gates/)被启用。
+- 确保 `PodSecurity` [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)被启用。
 
 <!--
 This page assumes you are already familiar with the basic [Pod Security Admission](/docs/concepts/security/pod-security-admission/)
@@ -307,7 +307,7 @@ need to be handled on a case-by-case basis later:
 - `.spec.allowPrivilegeEscalation` - (Only mutating if set to `false`) required for the Restricted
   profile.
 -->
-- `.spec.requiredDropCapabilities` - 需要此字段来为 Restricted 配置去掉 `ALL` 设置。 
+- `.spec.requiredDropCapabilities` - 需要此字段来为 Restricted 配置去掉 `ALL` 设置。
 - `.spec.seLinux` - （仅针对带有 `MustRunAs` 规则的变更性设置）需要此字段来满足
   Baseline 和 Restricted 配置所需要的 SELinux 需求。
 - `.spec.runAsUser` - （仅针对带有 `RunAsAny` 规则的非变更性设置）需要此字段来为
@@ -556,7 +556,7 @@ Finally, you can effectively bypass PodSecurityPolicy at the namespace level by
 accounts in the namespace.
 -->
 最后，你可以通过将
-{{< example file="policy/privileged-psp.yaml" >}}完全特权的 PSP{{< /example >}} 
+{{< example file="policy/privileged-psp.yaml" >}}完全特权的 PSP{{< /example >}}
 绑定到某名字空间中所有服务账户上，在名字空间层面绕过所有 PodSecurityPolicy。
 
 ```sh
@@ -594,7 +594,7 @@ kubectl delete -n $NAMESPACE rolebinding disable-psp
 <!--
 ## 4. Review namespace creation processes {#review-namespace-creation-process}
 -->
-## 4. 审阅名字空间创建过程  {#review-namespace-creation-process}  
+## 4. 审阅名字空间创建过程  {#review-namespace-creation-process}
 
 <!--
 Now that existing namespaces have been updated to enforce Pod Security Admission, you should ensure
@@ -639,7 +639,7 @@ controller plugins:
 -->
 如果需要验证 PodSecurityPolicy 准入控制器不再被启用，你可以通过扮演某个无法访问任何
 PodSecurityPolicy 的用户来执行测试（参见
-[PodSecurityPolicy 示例](/zh/docs/concepts/policy/pod-security-policy/#example)），
+[PodSecurityPolicy 示例](/zh-cn/docs/concepts/security/pod-security-policy/#example)），
 或者通过检查 API 服务器的日志来进行验证。在启动期间，API
 服务器会输出日志行，列举所挂载的准入控制器插件。
 
diff --git a/static/_redirects b/static/_redirects
@@ -162,6 +162,7 @@
 
 /docs/concepts/policy/pod-security-policy/      /docs/concepts/security/pod-security-policy/ 301
 /docs/consumer-guideline/pod-security-coverage/     /docs/concepts/security/pod-security-policy/ 301
+/zh-cn/docs/concepts/policy/pod-security-policy/      /zh-cn/docs/concepts/security/pod-security-policy/ 301
 
 /docs/contribute/create-pull-request/     /docs/home/contribute/create-pull-request/ 301
 /docs/contribute/page-templates/     /docs/home/contribute/page-templates/ 301
@@ -248,7 +249,7 @@
 /docs/tasks/access-kubernetes-api/extend-api-custom-resource-definitions/     /docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/ 301
 /docs/tasks/access-kubernetes-api/setup-extension-api-server/     /docs/tasks/extend-kubernetes/setup-extension-api-server/ 301
 
-/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-deprecation-affects-you/   /docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-removal-affects-you/ 301  
+/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-deprecation-affects-you/   /docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-removal-affects-you/ 301
 /docs/tasks/administer-cluster/access-cluster-services/     /docs/tasks/access-application-cluster/access-cluster-services/ 301
 /docs/tasks/administer-cluster/apply-resource-quota-limit/     /docs/tasks/administer-cluster/quota-api-object/ 301
 /docs/tasks/administer-cluster/assign-pods-nodes/     /docs/tasks/configure-pod-container/assign-pods-nodes/ 301
