[zh] sync page ns-level-pss

zhuzhenghao · zhuzhenghao · commit 18107b55ae31 · 2023-03-06T13:43:44.000+08:00
diff --git a/content/zh-cn/docs/tutorials/security/ns-level-pss.md b/content/zh-cn/docs/tutorials/security/ns-level-pss.md
@@ -11,7 +11,9 @@ weight: 20
 -->
 
 {{% alert title="Note" %}}
-<!-- This tutorial applies only for new clusters. -->
+<!--
+This tutorial applies only for new clusters.
+-->
 本教程仅适用于新集群。
 {{% /alert %}}
 
@@ -24,7 +26,7 @@ when pods are created. In this tutorial, you will enforce the `baseline` Pod Sec
 one namespace at a time.
 
 You can also apply Pod Security Standards to multiple namespaces at once at the cluster
-level. For instructions, refer to 
+level. For instructions, refer to
 [Apply Pod Security Standards at the cluster level](/docs/tutorials/security/cluster-level-pss/).
 -->
 Pod 安全准入（PSA）在 v1.23 及更高版本默认启用，
@@ -59,42 +61,48 @@ Install the following on your workstation:
 2. 按照如下方式创建一个 `KinD` 集群：
 
    ```shell
-   kind create cluster --name psa-ns-level --image kindest/node:v1.23.0
+   kind create cluster --name psa-ns-level
    ```
 
-   <!-- The output is similar to this: -->
+   <!--
+   The output is similar to this:
+   -->
    输出类似于：
 
    ```
    Creating cluster "psa-ns-level" ...
-    ✓ Ensuring node image (kindest/node:v1.23.0) 🖼 
+    ✓ Ensuring node image (kindest/node:v{{< skew currentVersion >}}.0) 🖼 
     ✓ Preparing nodes 📦  
     ✓ Writing configuration 📜 
     ✓ Starting control-plane 🕹️ 
     ✓ Installing CNI 🔌 
     ✓ Installing StorageClass 💾 
    Set kubectl context to "kind-psa-ns-level"
    You can now use your cluster with:
-   
+
    kubectl cluster-info --context kind-psa-ns-level
-   
+
    Not sure what to do next? 😅  Check out https://kind.sigs.k8s.io/docs/user/quick-start/
    ```
 
-<!-- 1. Set the kubectl context to the new cluster: -->
+<!--
+1. Set the kubectl context to the new cluster:
+-->
 1. 将 kubectl 上下文设置为新集群：
 
    ```shell
    kubectl cluster-info --context kind-psa-ns-level
    ```
 
-   <!-- The output is similar to this: -->
+   <!--
+   The output is similar to this:
+   -->
    输出类似于：
 
    ```
    Kubernetes control plane is running at https://127.0.0.1:50996
    CoreDNS is running at https://127.0.0.1:50996/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
-   
+
    To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
    ```
 
@@ -111,42 +119,45 @@ Create a new namespace called `example`:
 kubectl create ns example
 ```
 
-<!-- The output is similar to this: -->
+<!--
+The output is similar to this:
+-->
 输出类似于：
 
 ```
 namespace/example created
 ```
 
 <!-- 
-## Apply Pod Security Standards
+## Enable Pod Security Standards checking for that namespace
 
 1. Enable Pod Security Standards on this namespace using labels supported by
-   built-in Pod Security Admission. In this step we will warn on baseline pod
-   security standard as per the latest version (default value)
+   built-in Pod Security Admission. In this step you will configure a check to
+   warn on Pods that don't meet the latest version of the _baseline_ pod
+   security standard.
 -->
-## 应用 Pod 安全标准  {#apply-pod-security-standards}
+## 为该命名空间启用 Pod 安全标准检查  {#enable-pod-security-standards-checking-for-that-namespace}
 
 1. 使用内置 Pod 安全准入所支持的标签在此名字空间上启用 Pod 安全标准。
    在这一步中，我们将根据最新版本（默认值）对基线 Pod 安全标准发出警告。
 
    ```shell
    kubectl label --overwrite ns example \
-     pod-security.kubernetes.io/warn=baseline \
-     pod-security.kubernetes.io/warn-version=latest
+      pod-security.kubernetes.io/warn=baseline \
+      pod-security.kubernetes.io/warn-version=latest
    ```
 
 <!-- 
-2. Multiple pod security standards can be enabled on any namespace, using labels.
-   Following command will `enforce` the `baseline` Pod Security Standard, but
+2. You can configure multiple pod security standard checks on any namespace, using labels.
+   The following command will `enforce` the `baseline` Pod Security Standard, but
    `warn` and `audit` for `restricted` Pod Security Standards as per the latest
    version (default value)
 -->
-2. 可以使用标签在任何名字空间上启用多个 Pod 安全标准。
+1. 你可以使用标签在任何名字空间上配置多个 Pod 安全标准检查。
    以下命令将强制（`enforce`） 执行基线（`baseline`）Pod 安全标准，
    但根据最新版本（默认值）对受限（`restricted`）Pod 安全标准执行警告（`warn`）和审核（`audit`）。
 
-   ```
+   ```shell
    kubectl label --overwrite ns example \
      pod-security.kubernetes.io/enforce=baseline \
      pod-security.kubernetes.io/enforce-version=latest \
@@ -157,67 +168,51 @@ namespace/example created
    ```
 
 <!-- 
-## Verify the Pod Security Standards
+## Verify the Pod Security Standard enforcement
 
-1. Create a minimal pod in `example` namespace:
+1. Create a baseline Pod in the `example` namespace:
 -->
 ## 验证 Pod 安全标准  {#verify-the-pod-security-standards}
 
-1. 在 `example` 名字空间中创建一个最小的 Pod：
-
-   ```shell
-   cat <<EOF > /tmp/pss/nginx-pod.yaml
-   apiVersion: v1
-   kind: Pod
-   metadata:
-     name: nginx
-   spec:
-     containers:
-       - image: nginx
-         name: nginx
-         ports:
-           - containerPort: 80
-   EOF
-   ```
-
-<!-- 
-2. Apply the pod spec to the cluster in `example` namespace: 
--->
-1. 将 Pod 规约应用到集群中的 `example` 名字空间中：
+1. 在 `example` 名字空间中创建一个基线 Pod：
 
    ```shell
-   kubectl apply -n example -f /tmp/pss/nginx-pod.yaml
+   kubectl apply -n example -f https://k8s.io/examples/security/example-baseline-pod.yaml
    ```
-
-   <!-- The output is similar to this: -->
-   输出类似于：
+   <!--
+   The Pod does start OK; the output includes a warning. For example:
+   -->
+   Pod 确实启动正常；输出包括一条警告信息。例如：
 
    ```
-   Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "nginx" must set securityContext allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx" must set securityContext seccompProfile.type to "RuntimeDefault" or "Localhost")
+   Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "nginx" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
    pod/nginx created
    ```
 
 <!-- 
-1. Apply the pod spec to the cluster in `default` namespace:
+1. Create a baseline Pod in the `default` namespace:
 -->
-3. 将 Pod 规约应用到集群中的 `default` 名字空间中：
+1. 在 `default` 名字空间中创建一个基线 Pod：
 
    ```shell
-   kubectl apply -n default -f /tmp/pss/nginx-pod.yaml
+   kubectl apply -n default -f https://k8s.io/examples/security/example-baseline-pod.yaml
    ```
 
-   <!-- Output is similar to this: -->
+   <!--
+   Output is similar to this:
+   -->
    输出类似于：
 
    ```
    pod/nginx created
    ```
 
 <!-- 
-The Pod Security Standards were applied only to the `example`
-namespace. You could create the same Pod in the `default` namespace
-with no warnings.
+The Pod Security Standards enforcement and warning settings were applied only
+to the `example` namespace. You could create the same Pod in the `default`
+namespace with no warnings.
 -->
+Pod 安全标准实施和警告设置仅被应用到 `example` 名字空间。
 以上 Pod 安全标准仅被应用到 `example` 名字空间。
 你可以在没有警告的情况下在 `default` 名字空间中创建相同的 Pod。
 
@@ -246,6 +241,7 @@ kind delete cluster --name psa-ns-level
   3. Apply `baseline` Pod Security Standard in `enforce` mode while applying
      `restricted` Pod Security Standard also in `warn` and `audit` mode.
   4. Create a new pod with the following pod security standards applied
+
 - [Pod Security Admission](/docs/concepts/security/pod-security-admission/)
 - [Pod Security Standards](/docs/concepts/security/pod-security-standards/)
 - [Apply Pod Security Standards at the cluster level](/docs/tutorials/security/cluster-level-pss/)
