Commit b74c283

Merge pull request #32746 from my-git9/admission-controller
[zh] Update admission-controllers.md
2 parents a7ee8ae + e7f92e5 commit b74c283

1 file changed

+15
-8
lines changed

content/zh/docs/reference/access-authn-authz/admission-controllers.md

Lines changed: 15 additions & 8 deletions
@@ -1208,10 +1208,10 @@ based on the requested security context and the available Pod Security Policies.
12081208
安全策略确定是否可以执行请求。
12091209

12101210
<!--
1211-
See also [Pod Security Policy documentation](/docs/concepts/policy/pod-security-policy/)
1211+
See also the [PodSecurityPolicy](/docs/concepts/security/pod-security-policy/) documentation
12121212
for more information.
12131213
-->
1214-
查看 [Pod 安全策略文档](/zh/docs/concepts/policy/pod-security-policy/)
1214+
查看 [Pod 安全策略文档](/zh/docs/concepts/security/pod-security-policy/)
12151215
了解更多细节。
12161216

12171217
### PodTolerationRestriction {#podtolerationrestriction}
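Review bot: the link text in the Chinese line `1214+` still reads "Pod 安全策略文档" while the updated English comment at `1211+` now names the resource ("See also the [PodSecurityPolicy](...) documentation"); consider aligning the translation with the new wording, e.g. `查看 [PodSecurityPolicy](/zh/docs/concepts/security/pod-security-policy/) 文档`, so the zh text uses the same resource name readers will see in the linked page and in the English source. The target path change from `/docs/concepts/policy/` to `/docs/concepts/security/` is applied consistently in both the English comment and the Chinese line, so the redirect-free link is fine.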
@@ -1328,22 +1328,29 @@ Pod 的 `.spec.overhead` 字段和 RuntimeClass 的 `.overhead` 字段均为处
13281328
### SecurityContextDeny {#securitycontextdeny}
13291329

13301330
<!--
1331-
This admission controller will deny any pod that attempts to set certain escalating
1331+
This admission controller will deny any Pod that attempts to set certain escalating
13321332
[SecurityContext](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#securitycontext-v1-core)
13331333
fields, as shown in the
13341334
[Configure a Security Context for a Pod or Container](/docs/tasks/configure-pod-container/security-context/)
13351335
task.
1336-
This should be enabled if a cluster doesn't utilize
1337-
[pod security policies](/docs/concepts/policy/pod-security-policy/)
1338-
to restrict the set of values a security context can take.
1336+
If you don't use [Pod Security admission]((/docs/concepts/security/pod-security-admission/),
1337+
[PodSecurityPolicies](/docs/concepts/security/pod-security-policy/), nor any external enforcement mechanism,
1338+
then you could use this admission controller to restrict the set of values a security context can take.
1339+
1340+
See [Pod Security Standards](/docs/concepts/security/pod-security-standards/) for more context on restricting
1341+
pod privileges.
13391342
-->
13401343
该准入控制器将拒绝任何试图设置特定提升
13411344
[SecurityContext](/zh/docs/tasks/configure-pod-container/security-context/)
13421345
字段的 Pod,正如任务
13431346
[为 Pod 或 Container 配置安全上下文](/zh/docs/tasks/configure-pod-container/security-context/)
13441347
中所展示的那样。
1345-
如果集群没有使用 [Pod 安全策略](/zh/docs/concepts/policy/pod-security-policy/)
1346-
来限制安全上下文所能获取的值集,那么应该启用这个功能。
1348+
如果集群没有使用 [Pod 安全性准入](/zh/docs/concepts/security/pod-security-admission/)、
1349+
[PodSecurityPolicies](/zh/docs/concepts/security/pod-security-policy/),
1350+
也没有任何外部执行机制,那么你可以使用此准入控制器来限制安全上下文所能获取的值集。
1351+
1352+
有关限制 Pod 权限的更多内容,请参阅
1353+
[Pod 安全标准](/zh/docs/concepts/security/pod-security-standards/)。
13471354

13481355
### ServiceAccount {#serviceaccount}
13491356
