Merge pull request #43101 from windsonsea/decryh

[zh] Sync decrypt-data.md

Author: k8s-ci-robot

content/zh-cn/docs/tasks/administer-cluster/decrypt-data.md

@@ -0,0 +1,286 @@
+---
+title: 解密已静态加密的机密数据
+content_type: task
+weight: 215
+---
+<!--
+title: Decrypt Confidential Data that is Already Encrypted at Rest
+content_type: task
+weight: 215
+-->
+
+<!-- overview -->
+
+<!--
+All of the APIs in Kubernetes that let you write persistent API resource data support
+at-rest encryption. For example, you can enable at-rest encryption for
+{{< glossary_tooltip text="Secrets" term_id="secret" >}}.
+This at-rest encryption is additional to any system-level encryption for the
+etcd cluster or for the filesystem(s) on hosts where you are running the
+kube-apiserver.
+-->
+Kubernetes 中允许允许你写入持久性 API 资源数据的所有 API 都支持静态加密。
+例如，你可以为 {{< glossary_tooltip text="Secret" term_id="secret" >}} 启用静态加密。
+此静态加密是对 etcd 集群或运行 kube-apiserver 的主机上的文件系统的所有系统级加密的补充。
+
+<!--
+This page shows how to switch from encryption of API data at rest, so that API data
+are stored unencrypted. You might want to do this to improve performance; usually,
+though, if it was a good idea to encrypt some data, it's also a good idea to leave them
+encrypted.
+-->
+本文介绍如何停止静态加密 API 数据，以便 API 数据以未加密的形式存储。
+你可能希望这样做以提高性能；但通常情况下，如果加密某些数据是个好主意，那么继续加密这些数据也是一个好主意。
+
+{{< note >}}
+<!--
+This task covers encryption for resource data stored using the
+{{< glossary_tooltip text="Kubernetes API" term_id="kubernetes-api" >}}. For example, you can
+encrypt Secret objects, including the key-value data they contain.
+-->
+此任务涵盖使用 {{< glossary_tooltip text="Kubernetes API" term_id="kubernetes-api" >}}
+存储的资源数据的加密。例如，你可以加密 Secret 对象，包括它们所包含的键值数据。
+
+<!--
+If you wanted to manage encryption for data in filesystems that are mounted into containers, you instead
+need to either:
+
+- use a storage integration that provides encrypted
+  {{< glossary_tooltip text="volumes" term_id="volume" >}}
+- encrypt the data within your own application
+-->
+如果要加密安装到容器中的文件系统中的数据，则需要：
+
+- 使用提供{{< glossary_tooltip text="存储卷" term_id="volume" >}}加密的存储集成方案
+- 在你自己的应用中加密数据
+{{< /note >}}
+
+## {{% heading "prerequisites" %}}
+
+* {{< include "task-tutorial-prereqs.md" >}}
+
+<!--
+* This task assumes that you are running the Kubernetes API server as a
+  {{< glossary_tooltip text="static pod" term_id="static-pod" >}} on each control
+  plane node.
+
+* Your cluster's control plane **must** use etcd v3.x (major version 3, any minor version).
+-->
+* 此任务假设你将 Kubernetes API 服务器组件以{{< glossary_tooltip text="静态 Pod" term_id="static-pod" >}}
+  方式运行在每个控制平面节点上。
+
+* 集群的控制平面**必须**使用 etcd v3.x（主版本 3，任何次要版本）。
+
+<!--
+* To encrypt a custom resource, your cluster must be running Kubernetes v1.26 or newer.
+
+* You should have some API data that are already encrypted.
+-->
+* 要加密自定义资源，你的集群必须运行 Kubernetes v1.26 或更高版本。
+
+* 你应该有一些已加密的 API 数据。
+
+{{< version-check >}}
+
+<!-- steps -->
+
+<!--
+## Determine whether encryption at rest is already enabled
+
+By default, the API server uses an `identity` provider that stores plain-text representations
+of resources.
+**The default `identity` provider does not provide any confidentiality protection.**
+-->
+## 确定静态加密是否已被启用   {#determine-whether-encryption-at-rest-is-already-enabled}
+
+默认情况下，API 服务器使用一个名为 `identity` 的提供程序来存储资源的明文表示。
+**默认的 `identity` 提供程序不提供任何机密性保护。**
+
+<!--
+The `kube-apiserver` process accepts an argument `--encryption-provider-config`
+that specifies a path to a configuration file. The contents of that file, if you specify one,
+control how Kubernetes API data is encrypted in etcd.
+If it is not specified, you do not have encryption at rest enabled.
+
+The format of that configuration file is YAML, representing a configuration API kind named
+[`EncryptionConfiguration`](/docs/reference/config-api/apiserver-encryption.v1/).
+You can see an example configuration
+in [Encryption at rest configuration](/docs/tasks/administer-cluster/encrypt-data/#understanding-the-encryption-at-rest-configuration).
+-->
+`kube-apiserver` 进程接受参数 `--encryption-provider-config`，该参数指定了配置文件的路径。
+如果你指定了一个路径，那么该文件的内容将控制 Kubernetes API 数据在 etcd 中的加密方式。
+如果未指定，则表示你未启用静态加密。
+
+该配置文件的格式是 YAML，表示名为
+[`EncryptionConfiguration`](/zh-cn/docs/reference/config-api/apiserver-encryption.v1/) 的配置 API 类别。
+你可以在[静态加密配置](/zh-cn/docs/tasks/administer-cluster/encrypt-data/#understanding-the-encryption-at-rest-configuration)中查看示例配置。
+
+<!--
+If `--encryption-provider-config` is set, check which resources (such as `secrets`) are
+configured for encryption, and what provider is used.
+Make sure that the preferred provider for that resource type is **not** `identity`; you
+only set `identity` (_no encryption_) as default when you want to disable encryption at
+rest.
+Verify that the first-listed provider for a resource is something **other** than `identity`,
+which means that any new information written to resources of that type will be encrypted as
+configured. If you do see `identity` as the first-listed provider for any resource, this
+means that those resources are being written out to etcd without encryption.
+-->
+如果设置了 `--encryption-provider-config`，检查哪些资源（如 `secrets`）已配置为进行加密，
+并查看所适用的是哪个提供程序。确保该资源类型首选的提供程序 **不是** `identity`；
+只有在想要禁用静态加密时，才可将 `identity`（**无加密**）设置为默认值。
+验证资源首选的提供程序是否不是 `identity`，这意味着写入该类型资源的任何新信息都将按照配置被加密。
+如果在任何资源的首选提供程序中看到 `identity`，这意味着这些资源将以非加密的方式写入 etcd 中。
+
+<!--
+## Decrypt all data {#decrypting-all-data}
+
+This example shows how to stop encrypting the Secret API at rest. If you are encrypting
+other API kinds, adjust the steps to match.
+-->
+## 解密所有数据 {#decrypting-all-data}
+
+本例展示如何停止对 Secret API 进行静态加密。如果你正在加密其他 API 类别，可以相应调整以下步骤。
+
+<!--
+### Locate the encryption configuration file
+
+First, find the API server configuration files. On each control plane node, static Pod manifest
+for the kube-apiserver specifies a command line argument, `--encryption-provider-config`.
+You are likely to find that this file is mounted into the static Pod using a
+[`hostPath`](/docs/concepts/storage/volumes/#hostpath) volume mount. Once you locate the volume
+you can find the file on the node filesystem and inspect it.
+-->
+### 找到加密配置文件   {#locate-encryption-configuration-file}
+
+首先，找到 API 服务器的配置文件。在每个控制平面节点上，kube-apiserver 的静态 Pod
+清单指定了一个命令行参数 `--encryption-provider-config`。你很可能会发现此文件通过
+[`hostPath`](/zh-cn/docs/concepts/storage/volumes/#hostpath) 卷挂载到静态 Pod 中。
+一旦你找到到此卷，就可以在节点文件系统中找到此文件并对其进行检查。
+
+<!--
+### Configure the API server to decrypt objects
+
+To disable encryption at rest, place the `identity` provider as the first
+entry in your encryption configuration file.
+
+For example, if your existing EncryptionConfiguration file reads:
+-->
+### 配置 API 服务器以解密对象   {#configure-api-server-to-decrypt-objects}
+
+要禁用静态加密，将 `identity` 提供程序设置为加密配置文件中的第一个条目。
+
+例如，如果你现有的 EncryptionConfiguration 文件内容如下：
+
+<!--
+# Do not use this (invalid) example key for encryption
+-->
+```yaml
+---
+apiVersion: apiserver.config.k8s.io/v1
+kind: EncryptionConfiguration
+resources:
+  - resources:
+      - secrets
+    providers:
+      - aescbc:
+          keys:
+            # 你加密时不要使用这个（无效）的示例密钥
+            - name: example
+              secret: 2KfZgdiq2K0g2YrYpyDYs9mF2LPZhQ==
+```
+
+<!--
+then change it to:
+-->
+然后将其更改为：
+
+<!--
+# add this line
+-->
+```yaml
+---
+apiVersion: apiserver.config.k8s.io/v1
+kind: EncryptionConfiguration
+resources:
+  - resources:
+      - secrets
+    providers:
+      - identity: {} # 增加这一行
+      - aescbc:
+          keys:
+            - name: example
+              secret: 2KfZgdiq2K0g2YrYpyDYs9mF2LPZhQ==
+```
+
+<!--
+and restart the kube-apiserver Pod on this node.
+
+### Reconfigure other control plane hosts {#api-server-config-update-more-1}
+
+If you have multiple API servers in your cluster, you should deploy the changes in turn to each API server.
+
+Make sure that you use the same encryption configuration on each control plane host.
+-->
+并重启此节点上的 kube-apiserver Pod。
+
+### 重新配置其他控制平面主机 {#api-server-config-update-more-1}
+
+如果你的集群中有多个 API 服务器，应轮流对每个 API 服务器部署这些更改。
+
+确保在每个控制平面主机上使用相同的加密配置。
+
+<!--
+### Force decryption
+
+Then run the following command to force decryption of all Secrets:
+-->
+### 强制解密   {#force-decryption}
+
+然后运行以下命令强制解密所有 Secret：
+
+<!--
+# If you are decrypting a different kind of object, change "secrets" to match.
+-->
+```shell
+# 如果你正在解密不同类别的对象，请相应更改 "secrets"
+kubectl get secrets --all-namespaces -o json | kubectl replace -f -
+```
+
+<!--
+Once you have replaced **all** existing encrypted resources with backing data that
+don't use encryption, you can remove the encryption settings from the
+`kube-apiserver`.
+
+The command line options to remove are:
+-->
+一旦你用未加密的后台数据替换了**所有**现有的已加密资源，即可从 `kube-apiserver` 中删除这些加密设置。
+
+要移除的命令行选项为：
+
+- `--encryption-provider-config`
+- `--encryption-provider-config-automatic-reload`
+
+<!--
+Restart the kube-apiserver Pod again to apply the new configuration.
+
+### Reconfigure other control plane hosts {#api-server-config-update-more-2}
+
+If you have multiple API servers in your cluster, you should again deploy the changes in turn to each API server.
+
+Make sure that you use the same encryption configuration on each control plane host.
+-->
+再次重启 kube-apiserver Pod 以应用新的配置。
+
+### 重新配置其他控制平面主机   {#api-server-config-update-more-2}
+
+如果你的集群中有多个 API 服务器，应再次轮流对每个 API 服务器部署这些更改。
+
+确保在每个控制平面主机上使用相同的加密配置。
+
+## {{% heading "whatsnext" %}}
+
+<!--
+* Learn more about the [EncryptionConfiguration configuration API (v1)](/docs/reference/config-api/apiserver-encryption.v1/).
+-->
+* 更多细节参阅 [EncryptionConfiguration configuration API (v1)](/zh-cn/docs/reference/config-api/apiserver-encryption.v1/)。