Merge pull request #40076 from fenggw-fnst/task-7

k8s-ci-robot · web-flow · commit 69302d6f6ce1 · 2023-03-17T02:19:15.000-07:00
[zh-cn] sync task files of task-7
diff --git a/content/zh-cn/docs/tasks/configure-pod-container/enforce-standards-admission-controller.md b/content/zh-cn/docs/tasks/configure-pod-container/enforce-standards-admission-controller.md
@@ -1,13 +1,15 @@
 ---
 title: 通过配置内置准入控制器实施 Pod 安全标准
 content_type: task
+weight: 240
 ---
 <!--
 title: Enforce Pod Security Standards by Configuring the Built-in Admission Controller
 reviewers:
 - tallclair
 - liggitt
 content_type: task
+weight: 240
 -->
 
 <!--
diff --git a/content/zh-cn/docs/tasks/configure-pod-container/enforce-standards-namespace-labels.md b/content/zh-cn/docs/tasks/configure-pod-container/enforce-standards-namespace-labels.md
@@ -1,13 +1,15 @@
 ---
 title: 使用名字空间标签来实施 Pod 安全性标准
 content_type: task
+weight: 250
 ---
 <!--
 title: Enforce Pod Security Standards with Namespace Labels
 reviewers:
 - tallclair
 - liggitt
 content_type: task
+weight: 250
 -->
 
 <!--
diff --git a/content/zh-cn/docs/tasks/configure-pod-container/extended-resource.md b/content/zh-cn/docs/tasks/configure-pod-container/extended-resource.md
@@ -1,13 +1,13 @@
 ---
 title: 为容器分派扩展资源 
 content_type: task
-weight: 40
+weight: 70
 ---
 
 <!--
 title: Assign Extended Resources to a Container
 content_type: task
-weight: 40
+weight: 70
 -->
 
 <!-- overview -->
@@ -166,7 +166,7 @@ It has a status of Pending:
 -->
 输出结果表明 Pod 虽然被创建了，但没有被调度到节点上正常运行。Pod 的状态为 Pending：
 
-```
+```yaml
 NAME                       READY     STATUS    RESTARTS   AGE
 extended-resource-demo-2   0/1       Pending   0          6m
 ```
diff --git a/content/zh-cn/docs/tasks/configure-pod-container/security-context.md b/content/zh-cn/docs/tasks/configure-pod-container/security-context.md
@@ -1,7 +1,7 @@
 ---
 title: 为 Pod 或容器配置安全上下文
 content_type: task
-weight: 80
+weight: 110
 ---
 <!--
 reviewers:
@@ -10,7 +10,7 @@ reviewers:
 - thockin
 title: Configure a Security Context for a Pod or Container
 content_type: task
-weight: 80
+weight: 110
 -->
 
 <!-- overview -->
@@ -21,41 +21,52 @@ a Pod or Container. Security context settings include, but are not limited to:
 
 * Discretionary Access Control: Permission to access an object, like a file, is based on
   [user ID (UID) and group ID (GID)](https://wiki.archlinux.org/index.php/users_and_groups).
+
 * [Security Enhanced Linux (SELinux)](https://en.wikipedia.org/wiki/Security-Enhanced_Linux):
   Objects are assigned security labels.
+
 * Running as privileged or unprivileged.
-* [Linux Capabilities](https://linux-audit.com/linux-capabilities-hardening-linux-binaries-by-removing-setuid/): 
+
+* [Linux Capabilities](https://linux-audit.com/linux-capabilities-hardening-linux-binaries-by-removing-setuid/):
   Give a process some privileges, but not all the privileges of the root user.
+
 -->
 安全上下文（Security Context）定义 Pod 或 Container 的特权与访问控制设置。
 安全上下文包括但不限于：
 
 * 自主访问控制（Discretionary Access Control）：
   基于[用户 ID（UID）和组 ID（GID）](https://wiki.archlinux.org/index.php/users_and_groups)
   来判定对对象（例如文件）的访问权限。
+
 * [安全性增强的 Linux（SELinux）](https://zh.wikipedia.org/wiki/%E5%AE%89%E5%85%A8%E5%A2%9E%E5%BC%BA%E5%BC%8FLinux)：
   为对象赋予安全性标签。
+
 * 以特权模式或者非特权模式运行。
+
 * [Linux 权能](https://linux-audit.com/linux-capabilities-hardening-linux-binaries-by-removing-setuid/): 
   为进程赋予 root 用户的部分特权而非全部特权。
+
 <!--
 * [AppArmor](/docs/tutorials/security/apparmor/):
   Use program profiles to restrict the capabilities of individual programs.
+
 * [Seccomp](/docs/tutorials/security/seccomp/): Filter a process's system calls.
+
 * `allowPrivilegeEscalation`: Controls whether a process can gain more privileges than
   its parent process. This bool directly controls whether the
   [`no_new_privs`](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)
   flag gets set on the container process.
-  `allowPrivilegeEscalation` is always true
-  when the container:
+  `allowPrivilegeEscalation` is always true when the container:
 
   - is run as privileged, or
   - has `CAP_SYS_ADMIN`
 
-* readOnlyRootFilesystem: Mounts the container's root filesystem as read-only.
+* `readOnlyRootFilesystem`: Mounts the container's root filesystem as read-only.
 -->
 * [AppArmor](/zh-cn/docs/tutorials/security/apparmor/)：使用程序配置来限制个别程序的权能。
+
 * [Seccomp](/zh-cn/docs/tutorials/security/seccomp/)：过滤进程的系统调用。
+
 * `allowPrivilegeEscalation`：控制进程是否可以获得超出其父进程的特权。
   此布尔值直接控制是否为容器进程设置
   [`no_new_privs`](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)标志。
@@ -64,10 +75,10 @@ a Pod or Container. Security context settings include, but are not limited to:
   - 以特权模式运行，或者
   - 具有 `CAP_SYS_ADMIN` 权能
 
-* readOnlyRootFilesystem：以只读方式加载容器的根文件系统。
+* `readOnlyRootFilesystem`：以只读方式加载容器的根文件系统。
 
 <!--
-The above bullets are not a complete set of security context settings - please see
+The above bullets are not a complete set of security context settings -- please see
 [SecurityContext](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#securitycontext-v1-core)
 for a comprehensive list.
 -->
@@ -702,7 +713,7 @@ To assign SELinux labels, the SELinux security module must be loaded on the host
 {{< feature-state for_k8s_version="v1.25" state="alpha" >}}
 
 <!--
-By default, the contrainer runtime recursively assigns SELinux label to all
+By default, the container runtime recursively assigns SELinux label to all
 files on all Pod volumes. To speed up this process, Kubernetes can change the
 SELinux label of a volume instantly by using a mount option
 `-o context=<label>`.
@@ -804,15 +815,15 @@ Pod 的安全上下文适用于 Pod 中的容器，也适用于 Pod 所挂载的
   该部分设置的是赋予 Pod 中所有容器及卷的
   [多类别安全性（Multi-Category Security，MCS)](https://selinuxproject.org/page/NB_MLS)标签。
 
-  <!--
-  After you specify an MCS label for a Pod, all Pods with the same label can
-  access the Volume. If you need inter-Pod protection, you must assign a unique
-  MCS label to each Pod.
-  -->
-  {{< warning >}}
-  在为 Pod 设置 MCS 标签之后，所有带有相同标签的 Pod 可以访问该卷。
-  如果你需要跨 Pod 的保护，你必须为每个 Pod 赋予独特的 MCS 标签。
-  {{< /warning >}}
+<!--
+After you specify an MCS label for a Pod, all Pods with the same label can
+access the Volume. If you need inter-Pod protection, you must assign a unique
+MCS label to each Pod.
+-->
+{{< warning >}}
+在为 Pod 设置 MCS 标签之后，所有带有相同标签的 Pod 可以访问该卷。
+如果你需要跨 Pod 的保护，你必须为每个 Pod 赋予独特的 MCS 标签。
+{{< /warning >}}
 
 <!--
 ## Clean up
@@ -842,7 +853,8 @@ kubectl delete pod security-context-demo-4
 * [AllowPrivilegeEscalation design
   document](https://git.k8s.io/design-proposals-archive/auth/no-new-privs.md)
 * For more information about security mechanisms in Linux, see
-  [Overview of Linux Kernel Security Features](https://www.linux.com/learn/overview-linux-kernel-security-features) (Note: Some information is out of date)
+  [Overview of Linux Kernel Security Features](https://www.linux.com/learn/overview-linux-kernel-security-features)
+  (Note: Some information is out of date)
 -->
 * [PodSecurityContext](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podsecuritycontext-v1-core) API 定义
 * [SecurityContext](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#securitycontext-v1-core) API 定义
diff --git a/content/zh-cn/docs/tasks/configure-pod-container/static-pod.md b/content/zh-cn/docs/tasks/configure-pod-container/static-pod.md
@@ -1,13 +1,13 @@
 ---
 title: 创建静态 Pod
-weight: 170
+weight: 220
 content_type: task
 ---
 <!--
 reviewers:
 - jsafrane
 title: Create static Pods
-weight: 170
+weight: 220
 content_type: task
 -->
 
