[zh] Update restricted-psp.yaml

Signed-off-by: xin.li <[email protected]>

Author: my-git9

content/zh/examples/policy/restricted-psp.yaml

@@ -5,44 +5,43 @@ metadata:
   annotations:
     seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
     apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
     apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
 spec:
   privileged: false
-  # Required to prevent escalations to root.
+  # 防止权限升级到 root
   allowPrivilegeEscalation: false
-  # This is redundant with non-root + disallow privilege escalation,
-  # but we can provide it for defense in depth.
   requiredDropCapabilities:
     - ALL
-  # Allow core volume types.
+  # 允许的核心卷类型.
   volumes:
     - 'configMap'
     - 'emptyDir'
     - 'projected'
     - 'secret'
     - 'downwardAPI'
-    # Assume that persistentVolumes set up by the cluster admin are safe to use.
+    # 假设集群管理员设置的临时 CSI 驱动程序和持久卷可以安全使用
+    - 'csi'
     - 'persistentVolumeClaim'
+    - 'ephemeral'
   hostNetwork: false
   hostIPC: false
   hostPID: false
   runAsUser:
-    # Require the container to run without root privileges.
+    # 要求容器在没有 root 权限的情况下运行
     rule: 'MustRunAsNonRoot'
   seLinux:
-    # This policy assumes the nodes are using AppArmor rather than SELinux.
+    # 此策略假定节点使用 AppArmor 而不是 SELinux
     rule: 'RunAsAny'
   supplementalGroups:
     rule: 'MustRunAs'
     ranges:
-      # Forbid adding the root group.
+      # 禁止添加 root 组
       - min: 1
         max: 65535
   fsGroup:
     rule: 'MustRunAs'
     ranges:
-      # Forbid adding the root group.
+      # 禁止添加 root 组
       - min: 1
         max: 65535
   readOnlyRootFilesystem: false