| 1 | +--- |
| 2 | +title: Windows 节点的安全性 |
| 3 | +content_type: concept |
| 4 | +weight: 75 |
| 5 | +--- |
| 6 | +<!-- |
| 7 | +reviewers: |
| 8 | +- jayunit100 |
| 9 | +- jsturtevant |
| 10 | +- marosset |
| 11 | +- perithompson |
| 12 | + title: Security For Windows Nodes |
| 13 | + content_type: concept |
| 14 | + weight: 75 |
| 15 | +--> |
| 16 | + |
| 17 | +<!-- overview --> |
| 18 | + |
| 19 | +<!-- |
| 20 | +This page describes security considerations and best practices specific to the Windows operating system. |
| 21 | +--> |
| 22 | +本篇介绍特定于 Windows 操作系统的安全注意事项和最佳实践。 |
| 23 | + |
| 24 | +<!-- body --> |
| 25 | + |
| 26 | +<!-- |
| 27 | +## Protection for Secret data on nodes |
| 28 | +--> |
| 29 | +## 保护节点上的 Secret 数据 |
| 30 | + |
| 31 | +<!-- |
| 32 | +On Windows, data from Secrets are written out in clear text onto the node's local |
| 33 | +storage (as compared to using tmpfs / in-memory filesystems on Linux). As a cluster |
| 34 | +operator, you should take both of the following additional measures: |
| 35 | +--> |
| 36 | +在 Windows 上,来自 Secret 的数据以明文形式写入节点的本地存储 |
| 37 | +(与在 Linux 上使用 tmpfs / 内存中文件系统不同)。 |
| 38 | +作为集群操作员,你应该采取以下两项额外措施: |
| 39 | + |
| 40 | +<!-- |
| 41 | +1. Use file ACLs to secure the Secrets' file location. |
| 42 | +1. Apply volume-level encryption using [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server). |
| 43 | +--> |
| 44 | +1. 使用文件 ACL 来保护 Secret 的文件位置。 |
| 45 | +2. 使用 [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server) |
| 46 | + 进行卷级加密。 |
| 47 | + |
| 48 | +<!-- |
| 49 | +## Container users |
| 50 | +--> |
| 51 | +## 容器用户 |
| 52 | + |
| 53 | +<!-- |
| 54 | +[RunAsUsername](/docs/tasks/configure-pod-container/configure-runasusername) |
| 55 | +can be specified for Windows Pods or containers to execute the container |
| 56 | +processes as specific user. This is roughly equivalent to |
| 57 | +[RunAsUser](/docs/concepts/policy/pod-security-policy/#users-and-groups). |
| 58 | +--> |
| 59 | +可以为 Windows Pod 或容器指定 [RunAsUsername](/zh/docs/tasks/configure-pod-container/configure-runasusername) |
| 60 | +以作为特定用户执行容器进程。这大致相当于 [RunAsUser](/zh/docs/concepts/policy/pod-security-policy/#users-and-groups)。 |
| 61 | + |
| 62 | +<!-- |
| 63 | +Windows containers offer two default user accounts, ContainerUser and ContainerAdministrator. |
| 64 | +The differences between these two user accounts are covered in |
| 65 | +[When to use ContainerAdmin and ContainerUser user accounts](https://docs.microsoft.com/virtualization/windowscontainers/manage-containers/container-security#when-to-use-containeradmin-and-containeruser-user-accounts) within Microsoft's _Secure Windows containers_ documentation. |
| 66 | +--> |
| 67 | +Windows 容器提供两个默认用户帐户,ContainerUser 和 ContainerAdministrator。 |
| 68 | +在微软的 Windows 容器安全文档 |
| 69 | +[何时使用 ContainerAdmin 和 ContainerUser 用户帐户](https://docs.microsoft.com/zh-cn/virtualization/windowscontainers/manage-containers/container-security#when-to-use-containeradmin-and-containeruser-user-accounts) |
| 70 | +中介绍了这两个用户帐户之间的区别。 |
| 71 | + |
| 72 | +<!-- |
| 73 | +Local users can be added to container images during the container build process. |
| 74 | +--> |
| 75 | +在容器构建过程中,可以将本地用户添加到容器镜像中。 |
| 76 | + |
| 77 | +{{< note >}} |
| 78 | +<!-- |
| 79 | +* [Nano Server](https://hub.docker.com/_/microsoft-windows-nanoserver) based images run as `ContainerUser` by default |
| 80 | +* [Server Core](https://hub.docker.com/_/microsoft-windows-servercore) based images run as `ContainerAdministrator` by default |
| 81 | +--> |
| 82 | +* 基于 [Nano Server](https://hub.docker.com/_/microsoft-windows-nanoserver) 的镜像默认以 `ContainerUser` 运行 |
| 83 | +* 基于 [Server Core](https://hub.docker.com/_/microsoft-windows-servercore) 的镜像默认以 `ContainerAdministrator` 运行 |
| 84 | +{{< /note >}} |
| 85 | + |
| 86 | +<!-- |
| 87 | +Windows containers can also run as Active Directory identities by utilizing [Group Managed Service Accounts](/docs/tasks/configure-pod-container/configure-gmsa/) |
| 88 | +--> |
| 89 | +Windows 容器还可以通过使用[组管理的服务账号](/zh/docs/tasks/configure-pod-container/configure-gmsa/)作为 |
| 90 | +Active Directory 身份运行。 |
| 91 | + |
| 92 | +<!-- |
| 93 | +## Pod-level security isolation |
| 94 | +--> |
| 95 | +## Pod 级安全隔离 |
| 96 | + |
| 97 | +<!-- |
| 98 | +Linux-specific pod security context mechanisms (such as SELinux, AppArmor, Seccomp, or custom |
| 99 | +POSIX capabilities) are not supported on Windows nodes. |
| 100 | +--> |
| 101 | +Windows 节点不支持特定于 Linux 的 Pod 安全上下文机制(例如 SELinux、AppArmor、Seccomp 或自定义 POSIX 权能字)。 |
| 102 | + |
| 103 | +<!-- |
| 104 | +Privileged containers are [not supported](#compatibility-v1-pod-spec-containers-securitycontext) on Windows. |
| 105 | +Instead [HostProcess containers](/docs/tasks/configure-pod-container/create-hostprocess-pod) can be used on Windows to perform many of the tasks performed by privileged containers on Linux. |
| 106 | +--> |
| 107 | +Windows 上[不支持](#compatibility-v1-pod-spec-containers-securitycontext)特权容器。 |
| 108 | +然而,可以在 Windows 上使用 [HostProcess 容器](/zh/docs/tasks/configure-pod-container/create-hostprocess-pod)来执行 |
| 109 | +Linux 上特权容器执行的许多任务。 |
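Review bot: the fragment-only link `#compatibility-v1-pod-spec-containers-securitycontext` at line 107 (carried over from the English source at line 104) has no matching heading anywhere in this file, whose only sections are 保护节点上的 Secret 数据, 容器用户 and Pod 级安全隔离, so the rendered 不支持 link will jump nowhere; point it at the page that actually defines that section, or drop the link and keep the text. Two smaller translation points: at line 108 然而 reads as "however", whereas the source says "Instead", so something like 作为替代 keeps the meaning that HostProcess containers take the place of privileged containers; and the page mixes 帐户 (lines 67-70) with 账号 (line 89) for "account", so pick one term and use it throughout.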