Merge pull request #53376 from my-git9/npe-2327

[zh-cn]sync cloud-native-security

Author: k8s-ci-robot

content/zh-cn/docs/concepts/security/cloud-native-security.md

@@ -19,21 +19,21 @@ weight: 10
 hide_summary: true
 
 description: >
-  Concepts for keeping your cloud-native workload secure.
+  Concepts for keeping your cloud native workload secure.
 ---
 -->
 <!-- 
-Kubernetes is based on a cloud-native architecture, and draws on advice from the
-{{< glossary_tooltip text="CNCF" term_id="cncf" >}} about good practice for
+Kubernetes is based on a cloud native architecture and draws on advice from the
+{{< glossary_tooltip text="CNCF" term_id="cncf" >}} about good practices for
 cloud native information security. 
 -->
 Kubernetes 基于云原生架构，并借鉴了
 {{< glossary_tooltip text="CNCF" term_id="cncf" >}}
 有关云原生信息安全良好实践的建议。
 
 <!--
-Read on through this page for an overview of how Kubernetes is designed to
-help you deploy a secure cloud native platform.
+Read on for an overview of how Kubernetes is designed to help you deploy a
+secure cloud native platform.
 -->
 继续阅读本页，了解 Kubernetes 如何设计以帮助你部署安全的云原生平台。
 
@@ -66,7 +66,7 @@ CNCF 关于云原生安全的[白皮书](https://github.com/cncf/tag-security/bl
 
 <!--
 - Ensure the integrity of development environments.
-- Design applications following good practice for information security,
+- Design applications following good practices for information security,
   appropriate for your context.
 - Consider end user security as part of solution design.
 -->
@@ -85,8 +85,8 @@ To achieve this, you can:
    that minimizes attack surfaces, even for internal threats.
 1. Define a code review process that considers security concerns.
 1. Build a _threat model_ of your system or application that identifies
-   trust boundaries. Use that to model to identify risks and to help find
-   ways to treat those risks.
+   trust boundaries. Use that threat model to identify risks and determine
+   how to treat them.
 1. Incorporate advanced security automation, such as _fuzzing_ and
    [security chaos engineering](https://glossary.cncf.io/security-chaos-engineering/),
    where it's justified.
@@ -95,7 +95,7 @@ To achieve this, you can:
    尽可能缩小攻击面，对内部威胁也有效。
 2. 建立考虑安全问题的代码审查流程。
 3. 构建系统或应用程序的**威胁模型**，确定信任边界。
-   利用该模型识别风险，并帮助找到处理这些风险的方法。
+   利用该威胁模型识别风险，并帮助找到处理这些风险的方法。
 4. 合理的采用高级的安全自动化机制，例如**模糊测试**和[**安全混沌工程**](https://glossary.cncf.io/zh-cn/security-chaos-engineering/)。
 
 <!--
@@ -106,8 +106,8 @@ To achieve this, you can:
 <!--
 - Ensure the security of the supply chain for container images you execute.
 - Ensure the security of the supply chain for the cluster and other components
-  that execute your application. An example of another component might be an
-  external database that your cloud-native application uses for persistence.
+  that execute your application. For example, this might include an external
+  database that your cloud native application uses for persistence.
 -->
 - 针对你所运行的容器镜像，确保供应链安全。
 - 针对运行应用程序的集群或其他组件，保证其供应链安全。
@@ -147,7 +147,7 @@ To achieve this, you can:
 
 <!--
 Ensure appropriate restrictions on what can be deployed, who can deploy it,
-and where it can be deployed to.
+and where it can be deployed.
 You can enforce measures from the _distribute_ phase, such as verifying the
 cryptographic identity of container image artifacts.
 -->
@@ -157,21 +157,21 @@ cryptographic identity of container image artifacts.
 <!--
 You can deploy different applications and cluster components into different
 {{< glossary_tooltip text="namespaces" term_id="namespace" >}}. Containers
-themselves, and namespaces, both provide isolation mechanisms that are
-relevant to information security.
+and namespaces both provide isolation mechanisms that are relevant to
+information security.
 -->
 你可以部署不同的应用程序和集群组件到不同的{{< glossary_tooltip text="命名空间" term_id="namespace" >}}中。
-容器本身和命名空间都提供了信息安全相关的隔离机制。
+容器和命名空间都提供了与信息安全相关的隔离机制。
 
 <!--
 When you deploy Kubernetes, you also set the foundation for your
 applications' runtime environment: a Kubernetes cluster (or
 multiple clusters).
-That IT infrastructure must provide the security guarantees that higher
+That infrastructure must provide the security guarantees that higher
 layers expect.
 -->
 当你部署 Kubernetes 时，也是在为应用程序的运行环境奠定基础：一个或多个 Kubernetes 集群。
-该 IT 基础设施必须提供上层所期望的安全保障。
+该基础设施必须提供上层所期望的安全保障。
 
 <!--
 ## _Runtime_ lifecycle phase {#lifecycle-phase-runtime}
@@ -199,7 +199,7 @@ Kubernetes API 是集群运行的基础。保护 API 是提供可靠的集群安
 <!--
 Other pages in the Kubernetes documentation have more detail about how to set up
 specific aspects of access control. The [security checklist](/docs/concepts/security/security-checklist/)
-has a set of suggested basic checks for your cluster.
+provides suggested basic checks for your cluster.
 -->
 Kubernetes 文档中的其他页面更详细地介绍了如何设置访问控制的具体细节。
 [安全检查清单](/zh-cn/docs/concepts/security/security-checklist/)为你的集群提供了一套建议的基本检查。
@@ -218,12 +218,12 @@ components.
 
 <!--
 Kubernetes uses TLS to protect API traffic; make sure to deploy the cluster using
-TLS (including for traffic between nodes and the control plane), and protect the
+TLS (including for traffic between nodes and the control plane) and protect the
 encryption keys. If you use Kubernetes' own API for
 [CertificateSigningRequests](/docs/reference/access-authn-authz/certificate-signing-requests/#certificate-signing-requests),
 pay special attention to restricting misuse there.
 -->
-Kubernetes 使用 TLS 保护 API 流量；确保在部署集群时采用了 TLS（包含工作节点和控制平面间的流量） 加密方式，
+Kubernetes 使用 TLS 保护 API 流量；确保在部署集群时采用了 TLS（包含工作节点和控制平面间的流量）加密方式，
 并保护好加密密钥。如果使用 Kubernetes 自带的
 [证书签名请求](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/#certificate-signing-requests) API，
 特别注意不要滥用它们。
@@ -235,38 +235,38 @@ Kubernetes 使用 TLS 保护 API 流量；确保在部署集群时采用了 TLS
 
 <!--
 {{< glossary_tooltip text="Containers" term_id="container" >}} provide two
-things: isolation between different applications, and a mechanism to combine
+things: isolation between applications and a mechanism to combine
 those isolated applications to run on the same host computer. Those two
-aspects, isolation and aggregation, mean that runtime security involves
+aspects-isolation and aggregation-mean that runtime security involves
 identifying trade-offs and finding an appropriate balance.
 -->
-{{< glossary_tooltip text="容器" term_id="container" >}} 提供了两种功能：
+{{< glossary_tooltip text="容器" term_id="container" >}}提供了两种功能：
 不同应用程序间的隔离，以及将这些隔离的应用程序合并运行到同一台主机的机制。
 隔离和聚合这两个方面意味着运行时安全需要权衡利弊，并找到合适的平衡点。
 
 <!--
 Kubernetes relies on a {{< glossary_tooltip text="container runtime" term_id="container-runtime" >}}
-to actually set up and run containers. The Kubernetes project does
-not recommend a specific container runtime and you should make sure that
-the runtime(s) that you choose meet your information security needs.
+to set up and run containers. The Kubernetes project does
+not recommend a specific container runtime, and you should make sure that
+the runtime(s) you choose meet your information security needs.
 -->
 Kubernetes 依赖{{< glossary_tooltip text="容器运行时" term_id="container-runtime" >}}
-来设置和运行容器。 Kubernetes 项目不会推荐特定的容器运行时，你应当确保
-你选用的运行时符合你的信息安全需要。
+来设置和运行容器。Kubernetes 项目不会推荐特定的容器运行时，
+你应当确保选用的运行时符合你的信息安全需要。
 <!--
 To protect your compute at runtime, you can:
 -->
 要在运行时保护计算资源，你可以：
 
 <!--
-1. Enforce [Pod security standards](/docs/concepts/security/pod-security-standards/)
-   for applications, to help ensure they run with only the necessary privileges.
+1. Enforce [Pod Security Standards](/docs/concepts/security/pod-security-standards/)
+   for applications to help ensure they run with only the necessary privileges.
 1. Run a specialized operating system on your nodes that is designed specifically
    for running containerized workloads. This is typically based on a read-only
    operating system (_immutable image_) that provides only the services
    essential for running containers.
 
-   Container-specific operating systems help to isolate system components and
+   Container-specific operating systems help isolate system components and
    present a reduced attack surface in case of a container escape.
 -->
 1. 为应用程序强制采用 [Pod 安全性标准](/zh-cn/docs/concepts/security/pod-security-standards/)，
@@ -280,20 +280,20 @@ To protect your compute at runtime, you can:
    fairly allocate shared resources, and use
    mechanisms such as [LimitRanges](/docs/concepts/policy/limit-range/)
    to ensure that Pods specify their resource requirements.
-1. Partition workloads across different nodes.
+1. Partition workloads across different nodes to improve isolation.
    Use [node isolation](/docs/concepts/scheduling-eviction/assign-pod-node/#node-isolation-restriction)
    mechanisms, either from Kubernetes itself or from the ecosystem, to ensure that
-   Pods with different trust contexts are run on separate sets of nodes.
+   Pods with different trust contexts run on separate sets of nodes.
 1. Use a {{< glossary_tooltip text="container runtime" term_id="container-runtime" >}}
    that provides security restrictions.
 1. On Linux nodes, use a Linux security module such as [AppArmor](/docs/tutorials/security/apparmor/)
    or [seccomp](/docs/tutorials/security/seccomp/).
 -->
 3. 定义 [ResourceQuota](/zh-cn/docs/concepts/policy/resource-quotas/)
    以公平分配共享资源，并使用
-   [LimitRange](/zh-cn/docs/concepts/policy/limit-range/) 等机制
-   确保 Pod 定义了资源需求。
-4. 划分工作负载到不同节点上。
+   [LimitRange](/zh-cn/docs/concepts/policy/limit-range/)
+   等机制确保 Pod 定义了资源需求。
+4. 划分工作负载到不同节点上来提高隔离性。
    使用来自 Kubernetes 本身或生态系统的
    [节点隔离](/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/#node-isolation-restriction)机制，
    以确保具有不同信任上下文的 Pod 在不同的节点上运行。
@@ -317,7 +317,7 @@ To protect storage for your cluster and the applications that run there, you can
    rest for volumes.
 1. Enable [encryption at rest](/docs/tasks/administer-cluster/encrypt-data/) for
    API objects.
-1. Protect data durability using backups. Verify that you can restore these, whenever you need to.
+1. Protect data durability using backups, and verify that you can restore them whenever needed.
 1. Authenticate connections between cluster nodes and any network storage they rely
    upon.
 1. Implement data encryption within your own application.
@@ -347,19 +347,19 @@ You should also consider network security measures, such as
 [NetworkPolicy](/docs/concepts/services-networking/network-policies/) or a
 [service mesh](https://glossary.cncf.io/service-mesh/).
 Some network plugins for Kubernetes provide encryption for your
-cluster network, using technologies such as a virtual
+cluster network using technologies such as a virtual
 private network (VPN) overlay.
 By design, Kubernetes lets you use your own networking plugin for your
-cluster (if you use managed Kubernetes, the person or organization
-managing your cluster may have chosen a network plugin for you).
+cluster. If you use managed Kubernetes, the provider may have already selected a
+network plugin for you.
 -->
 你也应当考虑网络安全措施，
 例如 [NetworkPolicy](/zh-cn/docs/concepts/services-networking/network-policies/)
 或者[服务网格](https://glossary.cncf.io/zh-cn/service-mesh/)。
 一些 Kubernetes 的网络插件使用虚拟专用网络（VPN）叠加等技术，
 可以为集群网络提供加密功能。
-从设计上，Kubernetes 允许你在你的集群中使用自有网络插件（如果你使用托管 Kubernetes，
-集群管理员或组织可能会为你选择一个网络插件）。
+从设计上，Kubernetes 允许你在你的集群中使用自有网络插件。
+如果你使用托管 Kubernetes，提供商可能会为你选择一个网络插件。
 
 <!--
 The network plugin you choose and the way you integrate it can have a
@@ -377,7 +377,7 @@ Kubernetes lets you extend your cluster with extra tooling. You can set up third
 party solutions to help you monitor or troubleshoot your applications and the
 clusters they are running. You also get some basic observability features built
 in to Kubernetes itself. Your code running in containers can generate logs,
-publish metrics or provide other observability data; at deploy time, you need to
+publish metrics, or provide other observability data; at deploy time, you need to
 make sure your cluster provides an appropriate level of protection there.
 -->
 Kubernetes 允许你使用外部工具扩展集群。
@@ -389,23 +389,23 @@ Kubernetes 自身还内置了一些基本的可观测性功能。
 <!--
 If you set up a metrics dashboard or something similar, review the chain of components
 that populate data into that dashboard, as well as the dashboard itself. Make sure
-that the whole chain is designed with enough resilience and enough integrity protection
+that the whole chain is designed with enough resilience and integrity protection
 that you can rely on it even during an incident where your cluster might be degraded.
 -->
 如果你配置了指标看板或其他类似的组件，审查暴露指标数据到看板的组件链路和看板本身。
 确保整个链路设计具有足够的弹性和足够的完整性保护，
 只有这样，即便是在集群降级导致的事件发生时，你也可以依赖它。
 
 <!--
-Where appropriate, deploy security measures below the level of Kubernetes
-itself, such as cryptographically measured boot, or authenticated distribution
+Where appropriate, deploy security measures below the Kubernetes layer,
+such as cryptographically measured boot or authenticated distribution
 of time (which helps ensure the fidelity of logs and audit records).
 -->
 在适当的情况下，在 Kubernetes 层之下部署一些安全举措，
 例如加密后启动或验证分发时间（有助于确保日志和审计记录的真实性）。
 
 <!--
-For a high assurance environment, deploy cryptographic protections to ensure that
+For a high-assurance environment, deploy cryptographic protections to ensure that
 logs are both tamper-proof and confidential.
 -->
 对于高安全级别需求环境，部署加密保护措施，以确保日志防篡改和保密。
@@ -426,11 +426,10 @@ logs are both tamper-proof and confidential.
 * [Towards Measured Boot Out of the Box](https://www.youtube.com/watch?v=EzSkU3Oecuw) (Linux Security Summit 2016)
 -->
 * CNCF 有关云原生安全的[白皮书](https://github.com/cncf/tag-security/blob/main/community/resources/security-whitepaper/v2/CNCF_cloud-native-security-whitepaper-May2022-v2.pdf)。
-
 * CNCF 有关加固软件供应链的最佳实践[白皮书](https://github.com/cncf/tag-security/blob/f80844baaea22a358f5b20dca52cd6f72a32b066/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)。
-* [Fixing the Kubernetes clusterf\*\*k: Understanding security from the kernel up](https://archive.fosdem.org/2020/schedule/event/kubernetes/) (FOSDEM 2020)
-* [Kubernetes 安全最佳实践](https://www.youtube.com/watch?v=wqsUfvRyYpw) (Kubernetes Forum Seoul 2019)
-* [朝着开箱即用的测量启动前进](https://www.youtube.com/watch?v=EzSkU3Oecuw) (Linux Security Summit 2016)
+* [Fixing the Kubernetes clusterf\*\*k: Understanding security from the kernel up](https://archive.fosdem.org/2020/schedule/event/kubernetes/)（FOSDEM 2020）
+* [Kubernetes 安全最佳实践](https://www.youtube.com/watch?v=wqsUfvRyYpw)（Kubernetes Forum Seoul 2019）
+* [朝着开箱即用的测量启动前进](https://www.youtube.com/watch?v=EzSkU3Oecuw)（Linux Security Summit 2016）
 
 <!--
 ### Kubernetes and information security {#further-reading-k8s}