Merge pull request #51612 from my-git9/npa-28879

k8s-ci-robot · web-flow · commit 2f6f8f1756e1 · 2025-07-21T05:48:26.000-07:00
[zh-cn]sync linux-security secrets-good-practices labels-annotations-taints
diff --git a/content/zh-cn/docs/concepts/security/linux-security.md b/content/zh-cn/docs/concepts/security/linux-security.md
@@ -0,0 +1,57 @@
+---
+title: Linux 节点的安全性
+content_type: concept
+weight: 40
+---
+<!--
+reviewers:
+- lmktfy
+title: Security For Linux Nodes
+content_type: concept
+weight: 40
+-->
+
+<!-- overview -->
+
+<!--
+This page describes security considerations and best practices specific to the Linux operating system.
+-->
+本篇介绍特定于 Linux 操作系统的安全注意事项和最佳实践。
+
+<!-- body -->
+
+<!--
+## Protection for Secret data on nodes
+-->
+## 保护节点上的 Secret 数据   {#protection-for-secret-data-on-nodes}
+
+<!--
+On Linux nodes, memory-backed volumes (such as [`secret`](/docs/concepts/configuration/secret/)
+volume mounts, or [`emptyDir`](/docs/concepts/storage/volumes/#emptydir) with `medium: Memory`)
+are implemented with a `tmpfs` filesystem.
+-->
+在 Linux 节点上，由内存支持的卷（例如 [`secret`](/zh-cn/docs/concepts/configuration/secret/)
+卷挂载，或带有 `medium: Memory` 的 [`emptyDir`](/zh-cn/docs/concepts/storage/volumes/#emptydir)）
+使用 `tmpfs` 文件系统实现。
+
+<!--
+If you have swap configured and use an older Linux kernel (or a current kernel and an unsupported configuration of Kubernetes),
+**memory** backed volumes can have data written to persistent storage.
+-->
+如果你配置了交换分区并且使用较旧的 Linux 内核（或者内核是最新的，但其中某项配置是 Kubernetes 所不支持的），
+**内存**支持的卷可能会将数据写入持久存储。
+
+<!--
+The Linux kernel officially supports the `noswap` option from version 6.3,
+therefore it is recommended the used kernel version is 6.3 or later,
+or supports the `noswap` option via a backport, if swap is enabled on the node.
+-->
+Linux 内核从 6.3 版本开始正式支持 `noswap` 选项，
+因此建议使用 6.3 或更新版本的内核，
+或者如果节点上启用了交换分区，确保内核通过补丁向下移植支持 `noswap` 选项。
+
+<!--
+Read [swap memory management](/docs/concepts/cluster-administration/swap-memory-management/#memory-backed-volumes)
+for more info.
+-->
+更多信息参阅[交换内存管理](/zh-cn/docs/concepts/cluster-administration/swap-memory-management/#memory-backed-volumes)。
diff --git a/content/zh-cn/docs/concepts/security/secrets-good-practices.md b/content/zh-cn/docs/concepts/security/secrets-good-practices.md
@@ -161,6 +161,17 @@ For a list of supported providers, refer to
 有关支持的提供商列表，请参阅
 [Secret 存储 CSI 驱动的提供商](https://secrets-store-csi-driver.sigs.k8s.io/concepts.html#provider-for-the-secrets-store-csi-driver)。
 
+<!--
+## Good practices for using swap memory
+
+For best practices for setting swap memory for Linux nodes, please refer to
+[swap memory management](/docs/concepts/cluster-administration/swap-memory-management/#good-practice-for-using-swap-in-a-kubernetes-cluster).
+-->
+## 使用交换内存的良好实践     {#good-practices-for-using-swap-memory}
+
+对于为 Linux 节点设置交换内存的最佳实践，
+请参阅[交换内存管理](/zh-cn/docs/concepts/cluster-administration/swap-memory-management/#good-practice-for-using-swap-in-a-kubernetes-cluster)。
+
 <!--
 ## Developers
 
diff --git a/content/zh-cn/docs/reference/labels-annotations-taints/_index.md b/content/zh-cn/docs/reference/labels-annotations-taints/_index.md
@@ -2745,8 +2745,6 @@ Type: Label
 Example: `service.kubernetes.io/service-proxy-name: "foo-bar"`
 
 Used on: Service
-
-The kube-proxy has this label for custom proxy, which delegates service control to custom proxy.
 -->
 ### service.kubernetes.io/service-proxy-name {#servicekubernetesioservice-proxy-name}
 
@@ -2756,7 +2754,17 @@ The kube-proxy has this label for custom proxy, which delegates service control
 
 用于：Service
 
-kube-proxy 自定义代理会使用这个标签，它将服务控制委托给自定义代理。
+<!--
+Setting a value for this label tells kube-proxy to ignore this service for proxying purposes.
+This allows for use of alternative proxy implementations for this service (e.g. running
+a DaemonSet that manages nftables its own way). Multiple alternative proxy implementations
+could be active simultaneously using this field, e.g. by having a value unique to each
+alternative proxy implementation to be responsible for their respective services.
+-->
+为这个标签设置一个值会告诉 kube-proxy 在执行代理操作时忽略此 Service。
+这一标签使得用户能够为此 Service 使用替代的代理实现（例如，运行管理 nftables 的 DaemonSet）。
+通过此字段，可以同时激活多个替代代理实现，例如，为每个替代代理实现设置唯一值，
+以负责各自的 Service。
 
 <!--
 ### experimental.windows.kubernetes.io/isolation-type (deprecated) {#experimental-windows-kubernetes-io-isolation-type}
@@ -3375,13 +3383,6 @@ Type: Annotation
 Example: `scheduler.alpha.kubernetes.io/tolerationsWhitelist: '[{"operator": "Exists", "effect": "NoSchedule", "key": "dedicated-node"}]'`
 
 Used on: Namespace
-
-This annotation is only useful when the (Alpha)
-[PodTolerationRestriction](/docs/reference/access-authn-authz/admission-controllers/#podtolerationrestriction)
-admission controller is enabled. The annotation value is a JSON document that defines a list of
-allowed tolerations for the namespace it annotates. When you create a Pod or modify its
-tolerations, the API server checks the tolerations to see if they are mentioned in the allow list.
-The pod is admitted only if the check succeeds.
 -->
 ### scheduler.alpha.kubernetes.io/tolerationsWhitelist {#schedulerkubernetestolerations-whitelist}
 
@@ -3391,6 +3392,14 @@ The pod is admitted only if the check succeeds.
 
 用于：命名空间
 
+<!--
+This annotation is only useful when the (Alpha)
+[PodTolerationRestriction](/docs/reference/access-authn-authz/admission-controllers/#podtolerationrestriction)
+admission controller is enabled. The annotation value is a JSON document that defines a list of
+allowed tolerations for the namespace it annotates. When you create a Pod or modify its
+tolerations, the API server checks the tolerations to see if they are mentioned in the allow list.
+The pod is admitted only if the check succeeds.
+-->
 此注解只有在启用（Alpha）
 [PodTolerationRestriction](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#podtolerationrestriction)
 控制器时才生效。注解值是一个 JSON 文档，它为它所注解的命名空间定义了一个允许容忍的列表。
@@ -4878,10 +4887,6 @@ Used on: Pod
 This annotation was only relevant if you were using
 [PodSecurityPolicy](/docs/concepts/security/pod-security-policy/) objects.
 Kubernetes v{{< skew currentVersion >}} does not support the PodSecurityPolicy API.
-
-When the PodSecurityPolicy admission controller admitted a Pod, the admission controller
-modified the Pod to have this annotation.
-The value of the annotation was the name of the PodSecurityPolicy that was used for validation.
 -->
 ### kubernetes.io/psp（已弃用） {#kubernetes-io-psp}
 
@@ -4894,6 +4899,11 @@ The value of the annotation was the name of the PodSecurityPolicy that was used
 这个注解只在你使用 [PodSecurityPolicies](/zh-cn/docs/concepts/security/pod-security-policy/) 时才有意义。
 Kubernetes v{{< skew currentVersion >}} 不支持 PodSecurityPolicy API。
 
+<!--
+When the PodSecurityPolicy admission controller admitted a Pod, the admission controller
+modified the Pod to have this annotation.
+The value of the annotation was the name of the PodSecurityPolicy that was used for validation.
+-->
 当 PodSecurityPolicy 准入控制器接受一个 Pod 时，会修改该 Pod，并给这个 Pod 添加此注解。
 注解的值是用来对 Pod 进行验证检查的 PodSecurityPolicy 的名称。
 
