[zh]translate content/zh/docs/tutorials/security/ns-level-pss.md

Author: howieyuen

content/zh/docs/tutorials/security/_index.md

@@ -0,0 +1,5 @@
+---
+title: "安全"
+weight: 40
+---
+

content/zh/docs/tutorials/security/ns-level-pss.md

@@ -0,0 +1,243 @@
+---
+title: 在名字空间级别应用 Pod 安全标准
+content_type: tutorial
+weight: 10
+---
+
+<!--
+title: Apply Pod Security Standards at the Namespace Level
+content_type: tutorial
+weight: 10
+-->
+
+{{% alert title="Note" %}}
+<!-- This tutorial applies only for new clusters. -->
+本教程仅适用于新集群。
+{{% /alert %}}
+
+<!--
+Pod Security admission (PSA) is enabled by default in v1.23 and later, as it [graduated
+to beta](/blog/2021/12/09/pod-security-admission-beta/). Pod Security Admission
+is an admission controller that applies 
+[Pod Security Standards](docs/concepts/security/pod-security-standards/) 
+when pods are created. In this tutorial, you will enforce the `baseline` Pod Security Standard,
+one namespace at a time.
+
+You can also apply Pod Security Standards to multiple namespaces at once at the cluster
+level. For instructions, refer to [Apply Pod Security Standards at the cluster level](/docs/tutorials/security/cluster-level-pss).
+-->
+Pod 安全准入（PSA）在 v1.23 及更高版本默认启用，
+因为它[升级到测试版（beta）](/blog/2021/12/09/pod-security-admission-beta/)。
+Pod 安全准入是在创建 Pod 时应用
+[Pod 安全标准](/zh/docs/concepts/security/pod-security-standards/)的准入控制器。
+在本教程中，你将应用 `baseline` Pod 安全标准，每次一个名字空间。
+
+你还可以在集群级别一次将 Pod 安全标准应用于多个名称空间。
+有关说明，请参阅[在集群级别应用 Pod 安全标准](/zh/docs/tutorials/security/cluster-level-pss)。
+
+## {{% heading "prerequisites" %}}
+
+<!-- 
+Install the following on your workstation:
+
+- [KinD](https://kind.sigs.k8s.io/docs/user/quick-start/#installation)
+- [kubectl](https://kubernetes.io/docs/tasks/tools/)
+-->
+在你的工作站中安装以下内容：
+
+- [KinD](https://kind.sigs.k8s.io/docs/user/quick-start/#installation)
+- [kubectl](https://kubernetes.io/docs/tasks/tools/)
+
+<!--
+## Create cluster
+
+1. Create a `KinD` cluster as follows:
+-->
+## 创建集群  {#create-cluster}
+
+2. 按照如下方式创建一个 `KinD` 集群：
+
+   ```shell
+   kind create cluster --name psa-ns-level --image kindest/node:v1.23.0
+   ```
+   <!-- The output is similar to this: -->
+   输入类似于：
+   ```
+   Creating cluster "psa-ns-level" ...
+    ✓ Ensuring node image (kindest/node:v1.23.0) 🖼 
+    ✓ Preparing nodes 📦  
+    ✓ Writing configuration 📜 
+    ✓ Starting control-plane 🕹️ 
+    ✓ Installing CNI 🔌 
+    ✓ Installing StorageClass 💾 
+   Set kubectl context to "kind-psa-ns-level"
+   You can now use your cluster with:
+   
+   kubectl cluster-info --context kind-psa-ns-level
+   
+   Not sure what to do next? 😅  Check out https://kind.sigs.k8s.io/docs/user/quick-start/
+   ```
+
+<!-- 1. Set the kubectl context to the new cluster: -->
+1. 将 kubectl 上下文设置为新集群：
+   ```shell
+   kubectl cluster-info --context kind-psa-ns-level
+   ```
+    <!-- The output is similar to this: -->
+   输入类似于：
+   ```
+   Kubernetes control plane is running at https://127.0.0.1:50996
+   CoreDNS is running at https://127.0.0.1:50996/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
+   
+   To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
+   ```
+
+<!--
+## Create a namespace
+
+Create a new namespace called `example`:
+-->
+## 创建名字空间  {#create-a-namespace}
+
+创建一个名为 `example` 的新名字空间：
+
+```shell
+kubectl create ns example
+```
+<!-- The output is similar to this: -->
+输出类似于：
+```
+namespace/example created
+```
+
+<!-- 
+## Apply Pod Security Standards
+
+1. Enable Pod Security Standards on this namespace using labels supported by
+   built-in Pod Security Admission. In this step we will warn on baseline pod
+   security standard as per the latest version (default value)
+-->
+## 应用 Pod 安全标准  {#apply-pod-security-standards}
+
+1. 使用内置 Pod 安全准入所支持的标签在此名字空间上启用 Pod 安全标准。
+   在这一步中，我们将根据最新版本（默认值）对基线 Pod 安全标准发出警告。
+
+   ```shell
+   kubectl label --overwrite ns example \
+     pod-security.kubernetes.io/warn=baseline \
+     pod-security.kubernetes.io/warn-version=latest
+   ```
+
+<!-- 
+2. Multiple pod security standards can be enabled on any namespace, using labels.
+   Following command will `enforce` the `baseline` Pod Security Standard, but
+   `warn` and `audit` for `restricted` Pod Security Standards as per the latest
+   version (default value)
+-->
+2. 可以使用标签在任何名字空间上启用多个 Pod 安全标准。
+   以下命令将强制（`enforce`） 执行基线（`baseline`）Pod 安全标准，
+   但根据最新版本（默认值）对受限（`restricted`）Pod 安全标准执行警告（`warn`）和审核（`audit`）。
+
+   ```
+   kubectl label --overwrite ns example \
+     pod-security.kubernetes.io/enforce=baseline \
+     pod-security.kubernetes.io/enforce-version=latest \
+     pod-security.kubernetes.io/warn=restricted \
+     pod-security.kubernetes.io/warn-version=latest \
+     pod-security.kubernetes.io/audit=restricted \
+     pod-security.kubernetes.io/audit-version=latest
+   ```
+
+<!-- 
+## Verify the Pod Security Standards
+
+1. Create a minimal pod in `example` namespace:
+-->
+## 验证 Pod 安全标准  {#verify-the-pod-security-standards}
+
+1. 在 `example` 名字空间中创建一个最小的 pod：
+
+   ```shell
+   cat <<EOF > /tmp/pss/nginx-pod.yaml
+   apiVersion: v1
+   kind: Pod
+   metadata:
+     name: nginx
+   spec:
+     containers:
+       - image: nginx
+         name: nginx
+         ports:
+           - containerPort: 80
+   EOF
+   ```
+
+<!-- 
+2. Apply the pod spec to the cluster in `example` namespace: 
+-->
+1. 将 Pod 规约应用到集群中的 `example` 名字空间中：
+   ```shell
+   kubectl apply -n example -f /tmp/pss/nginx-pod.yaml
+   ```
+   <!-- The output is similar to this: -->
+   输出类似于：
+   ```
+   Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "nginx" must set securityContext allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx" must set securityContext seccompProfile.type to "RuntimeDefault" or "Localhost")
+   pod/nginx created
+   ```
+
+<!-- 
+1. Apply the pod spec to the cluster in `default` namespace:
+-->
+3. 将 Pod 规约应用到集群中的 `default` 名字空间中：
+    ```shell
+    kubectl apply -n default -f /tmp/pss/nginx-pod.yaml
+    ```
+   <!-- Output is similar to this: -->
+   输入类似于：
+   ```
+   pod/nginx created
+   ```
+
+<!-- 
+The Pod Security Standards were applied only to the `example`
+namespace. You could create the same Pod in the `default` namespace
+with no warnings.
+-->
+以上 Pod 安全标准仅被应用到 `example` 名字空间。
+你可以在没有警告的情况下在 `default` 名字空间中创建相同的 Pod。
+
+<!-- 
+## Clean up
+
+Run `kind delete cluster -name psa-ns-level` to delete the cluster created.
+-->
+## 清理  {#clean-up}
+
+运行 `kind delete cluster -name psa-ns-level` 删除创建的集群。
+
+## {{% heading "whatsnext" %}}
+
+<!-- 
+- Run a
+  [shell script](/examples/security/kind-with-namespace-level-baseline-pod-security.sh)
+  to perform all the preceding steps all at once.
+  1. Create KinD cluster
+  2. Create new namespace
+  3. Apply `baseline` Pod Security Standard in `enforce` mode while applying
+     `restricted` Pod Security Standard also in `warn` and `audit` mode.
+  4. Create a new pod with the following pod security standards applied
+- [Pod Security Admission](/docs/concepts/security/pod-security-admission/)
+- [Pod Security Standards](/docs/concepts/security/pod-security-standards/)
+- [Apply Pod Security Standards at the cluster level](/docs/tutorials/security/cluster-level-pss/)
+-->
+- 运行一个 [shell 脚本](/examples/security/kind-with-namespace-level-baseline-pod-security.sh)
+   一次执行所有前面的步骤。
+   1. 创建 KinD 集群
+   2. 创建新的名字空间
+   3. 在 `enforce` 模式下应用 `baseline` Pod 安全标准，
+      同时在 `warn` 和 `audit` 模式下应用 `restricted` Pod 安全标准。
+   4. 创建一个应用以下 Pod 安全标准的新 Pod
+- [Pod 安全准入](/zh/docs/concepts/security/pod-security-admission/)
+- [Pod 安全标准](/zh/docs/concepts/security/pod-security-standards/)
+- [在集群级别应用 Pod 安全标准](/zh/docs/tutorials/security/cluster-level-pss/)