Merge pull request #32141 from tengqm/zh-securitycontext

[zh] Resync security context page

Author: k8s-ci-robot

content/zh/docs/tasks/configure-pod-container/security-context.md

@@ -1,5 +1,5 @@
 ---
-title: 为 Pod 或容器配置安全性上下文
+title: 为 Pod 或容器配置安全上下文
 content_type: task
 weight: 80
 ---
@@ -21,38 +21,49 @@ a Pod or Container. Security context settings include, but are not limited to:
 
 * Discretionary Access Control: Permission to access an object, like a file, is based on
   [user ID (UID) and group ID (GID)](https://wiki.archlinux.org/index.php/users_and_groups).
-* [Security Enhanced Linux (SELinux)](https://en.wikipedia.org/wiki/Security-Enhanced_Linux): Objects are assigned security labels.
+* [Security Enhanced Linux (SELinux)](https://en.wikipedia.org/wiki/Security-Enhanced_Linux):
+  Objects are assigned security labels.
 * Running as privileged or unprivileged.
 * [Linux Capabilities](https://linux-audit.com/linux-capabilities-hardening-linux-binaries-by-removing-setuid/): 
   Give a process some privileges, but not all the privileges of the root user.
 -->
 安全上下文（Security Context）定义 Pod 或 Container 的特权与访问控制设置。
 安全上下文包括但不限于：
 
-* 自主访问控制（Discretionary Access Control）：基于
-  [用户 ID（UID）和组 ID（GID）](https://wiki.archlinux.org/index.php/users_and_groups).
+* 自主访问控制（Discretionary Access Control）：
+  基于[用户 ID（UID）和组 ID（GID）](https://wiki.archlinux.org/index.php/users_and_groups)
   来判定对对象（例如文件）的访问权限。
 * [安全性增强的 Linux（SELinux）](https://zh.wikipedia.org/wiki/%E5%AE%89%E5%85%A8%E5%A2%9E%E5%BC%BA%E5%BC%8FLinux)：
   为对象赋予安全性标签。
 * 以特权模式或者非特权模式运行。
 * [Linux 权能](https://linux-audit.com/linux-capabilities-hardening-linux-binaries-by-removing-setuid/): 
   为进程赋予 root 用户的部分特权而非全部特权。
 <!--
-* [AppArmor](/docs/tutorials/clusters/apparmor/): Use program profiles to restrict the capabilities of individual programs.
-* [Seccomp](/docs/tutorials/clusters/seccomp/): Filter a process's system calls.
-* AllowPrivilegeEscalation: Controls whether a process can gain more
-  privileges than its parent process. This bool directly controls whether the
+* [AppArmor](/docs/tutorials/security/apparmor/):
+  Use program profiles to restrict the capabilities of individual programs.
+* [Seccomp](/docs/tutorials/security/seccomp/): Filter a process's system calls.
+* `allowPrivilegeEscalation`: Controls whether a process can gain more privileges than
+  its parent process. This bool directly controls whether the
   [`no_new_privs`](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)
-  flag gets set on the container process. AllowPrivilegeEscalation is true
-  always when the container is: 1) run as Privileged OR 2) has `CAP_SYS_ADMIN`.
+  flag gets set on the container process.
+  `allowPrivilegeEscalation` is always true
+  when the container:
+
+  - is run as privileged, or
+  - has `CAP_SYS_ADMIN`
+
 * readOnlyRootFilesystem: Mounts the container's root filesystem as read-only.
 -->
-* [AppArmor](/zh/docs/tutorials/clusters/apparmor/)：使用程序框架来限制个别程序的权能。
-* [Seccomp](/zh/docs/tutorials/clusters/seccomp/)：过滤进程的系统调用。
-* AllowPrivilegeEscalation：控制进程是否可以获得超出其父进程的特权。
+* [AppArmor](/zh/docs/tutorials/security/apparmor/)：使用程序配置来限制个别程序的权能。
+* [Seccomp](/zh/docs/tutorials/security/seccomp/)：过滤进程的系统调用。
+* `allowPrivilegeEscalation`：控制进程是否可以获得超出其父进程的特权。
   此布尔值直接控制是否为容器进程设置
   [`no_new_privs`](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)标志。
-  当容器以特权模式运行或者具有 `CAP_SYS_ADMIN` 权能时，AllowPrivilegeEscalation 总是为 true。
+  当容器满足一下条件之一时，`allowPrivilegeEscalation` 总是为 true：
+
+  - 以特权模式运行，或者
+  - 具有 `CAP_SYS_ADMIN` 权能
+
 * readOnlyRootFilesystem：以只读方式加载容器的根文件系统。
 
 <!--
@@ -213,19 +224,24 @@ Run the following command:
 id
 ```
 
-输出为：
-```
+<!--
+The output is similar to this:
+-->
+输出类似于：
+
+```none
 uid=1000 gid=3000 groups=2000
 ```
 
 <!--
-You will see that gid is 3000 which is same as `runAsGroup` field. If the `runAsGroup` was omitted the gid would
-remain as 0(root) and the process will be able to interact with files that are owned by root(0) group and that have
-the required group permissions for root(0) group.
+From the output, you can see that `gid` is 3000 which is same as the `runAsGroup` field.
+If the `runAsGroup` was omitted, the `gid` would remain as 0 (root) and the process will
+be able to interact with files that are owned by the root(0) group and groups that have
+the required group permissions for the root (0) group.
 
 Exit your shell:
 -->
-你会看到 `gid` 值为 3000，也就是 `runAsGroup` 字段的值。
+从输出中你会看到 `gid` 值为 3000，也就是 `runAsGroup` 字段的值。
 如果 `runAsGroup` 被忽略，则 `gid` 会取值 0（root），而进程就能够与 root
 用户组所拥有以及要求 root 用户组访问权限的文件交互。
 
@@ -251,18 +267,21 @@ slowing Pod startup. You can use the `fsGroupChangePolicy` field inside a `secur
 to control the way that Kubernetes checks and manages ownership and permissions
 for a volume.
 -->
-默认情况下，Kubernetes 在挂载一个卷时，会递归地更改每个卷中的内容的属主和访问权限，使之与 Pod
-的 `securityContext` 中指定的 `fsGroup` 匹配。
+默认情况下，Kubernetes 在挂载一个卷时，会递归地更改每个卷中的内容的属主和访问权限，
+使之与 Pod 的 `securityContext` 中指定的 `fsGroup` 匹配。
 对于较大的数据卷，检查和变更属主与访问权限可能会花费很长时间，降低 Pod 启动速度。
 你可以在 `securityContext` 中使用 `fsGroupChangePolicy` 字段来控制 Kubernetes
 检查和管理卷属主和访问权限的方式。
 
 <!--
-**fsGroupChangePolicy** -  `fsGroupChangePolicy` defines behavior for changing ownership and permission of the volume
-before being exposed inside a Pod. This field only applies to volume types that support
-`fsGroup` controlled ownership and permissions. This field has two possible values:
+**fsGroupChangePolicy** -  `fsGroupChangePolicy` defines behavior for changing ownership
+  and permission of the volume before being exposed inside a Pod.
+  This field only applies to volume types that support `fsGroup` controlled ownership and permissions.
+  This field has two possible values:
 
-* _OnRootMismatch_: Only change permissions and ownership if permission and ownership of root directory does not match with expected permissions of the volume. This could help shorten the time it takes to change ownership and permission of a volume.
+* _OnRootMismatch_: Only change permissions and ownership if permission and ownership of
+  root directory does not match with expected permissions of the volume.
+  This could help shorten the time it takes to change ownership and permission of a volume.
 * _Always_: Always change permission and ownership of the volume when volume is mounted.
 
 For example:
@@ -293,7 +312,7 @@ This field has no effect on ephemeral volume types such as
 and [`emptydir`](/docs/concepts/storage/volumes/#emptydir).
 -->
 {{< note >}}
-此字段对于[`secret`](/zh/docs/concepts/storage/volumes/#secret)、
+此字段对于 [`secret`](/zh/docs/concepts/storage/volumes/#secret)、
 [`configMap`](/zh/docs/concepts/storage/volumes/#configmap)
 和 [`emptydir`](/zh/docs/concepts/storage/volumes/#emptydir)
 这类临时性存储无效。
@@ -316,23 +335,24 @@ ownership and permission change, `fsGroupChangePolicy` does not take effect, and
 as specified by CSI, the driver is expected to mount the volume with the
 provided `fsGroup`, resulting in a volume that is readable/writable by the
 `fsGroup`.
+-->
+如果你部署了一个[容器存储接口 (CSI)](https://github.com/container-storage-interface/spec/blob/master/spec.md)
+驱动，而该驱动支持 `VOLUME_MOUNT_GROUP` `NodeServiceCapability`，
+在 `securityContext` 中指定 `fsGroup` 来设置文件所有权和权限的过程将由 CSI
+驱动而不是 Kubernetes 来执行，前提是 Kubernetes 的 `DelegateFSGroupToCSIDriver` 
+特性门控已启用。在这种情况下，由于 Kubernetes 不执行任何所有权和权限更改，
+`fsGroupChangePolicy` 不会生效，并且按照 CSI 的规定，CSI 驱动应该使用所指定的
+`fsGroup` 来挂载卷，从而生成了一个对 `fsGroup` 可读/可写的卷.
 
+<!--
 Please refer to the [KEP](https://github.com/gnufied/enhancements/blob/master/keps/sig-storage/2317-fsgroup-on-mount/README.md)
 and the description of the `VolumeCapability.MountVolume.volume_mount_group`
 field in the [CSI spec](https://github.com/container-storage-interface/spec/blob/master/spec.md#createvolume)
 for more information.
 -->
-如果你部署了一个[容器存储接口 (CSI)](https://github.com/container-storage-interface/spec/blob/master/spec.md)
-驱动支持 `VOLUME_MOUNT_GROUP` `NodeServiceCapability`，
-在 `securityContext` 中指定 `fsGroup` 来设置文件所有权和权限的过程将由 CSI 驱动
-而不是 Kubernetes 来执行，前提是 Kubernetes 的 `DelegateFSGroupToCSIDriver` 
-特性门控已启用。在这种情况下，由于 Kubernetes 不执行任何
-所有权和权限更改，`fsGroupChangePolicy` 不会生效，并且
-按照 CSI 的规定，CSI 驱动应该使用所指定的 `fsGroup` 来挂载卷，从而生成了一个对 `fsGroup` 可读/可写的卷.
-
 更多的信息请参考 [KEP](https://github.com/gnufied/enhancements/blob/master/keps/sig-storage/2317-fsgroup-on-mount/README.md)
-和 [CSI 规范](https://github.com/container-storage-interface/spec/blob/master/spec.md#createvolume) 中的字
-段 `VolumeCapability.MountVolume.volume_mount_group` 的描述 。
+和 [CSI 规范](https://github.com/container-storage-interface/spec/blob/master/spec.md#createvolume) 
+中的字段 `VolumeCapability.MountVolume.volume_mount_group` 的描述。
 
 <!--
 ## Set the security context for a Container
@@ -352,9 +372,8 @@ and the Container have a `securityContext` field:
 若要为 Container 设置安全性配置，可以在 Container 清单中包含 `securityContext` 
 字段。`securityContext` 字段的取值是一个
 [SecurityContext](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#securitycontext-v1-core)
-对象。你为 Container 设置的安全性配置仅适用于该容器本身，并且所指定的设置
-在与 Pod 层面设置的内容发生重叠时，会重载后者。Container 层面的设置不会影响
-到 Pod 的卷。
+对象。你为 Container 设置的安全性配置仅适用于该容器本身，并且所指定的设置在与
+Pod 层面设置的内容发生重叠时，会重载后者。Container 层面的设置不会影响到 Pod 的卷。
 
 下面是一个 Pod 的配置文件，其中包含一个 Container。Pod 和 Container 都有
 `securityContext` 字段：
@@ -402,7 +421,7 @@ The output shows that the processes are running as user 2000. This is the value
 of `runAsUser` specified for the Container. It overrides the value 1000 that is
 specified for the Pod.
 -->
-输出显示进程以用户 2000 账号运行。该值是在 Container 的 `runAsUser` 中设置的。
+输出显示进程以用户 2000 运行。该值是在 Container 的 `runAsUser` 中设置的。
 该设置值重载了 Pod 层面所设置的值 1000。
 
 ```
@@ -434,12 +453,12 @@ Here is configuration file that does not add or remove any Container capabilitie
 -->
 ## 为 Container 设置权能   {#set-capabilities-for-a-container}
 
-使用 [Linux 权能](https://man7.org/linux/man-pages/man7/capabilities.7.html)，你可以
-赋予进程 root 用户所拥有的某些特权，但不必赋予其全部特权。
-要为 Container 添加或移除 Linux 权能，可以在 Container 清单的 `securityContext` 节
-包含 `capabilities` 字段。
+使用 [Linux 权能](https://man7.org/linux/man-pages/man7/capabilities.7.html)，
+你可以赋予进程 root 用户所拥有的某些特权，但不必赋予其全部特权。
+要为 Container 添加或移除 Linux 权能，可以在 Container 清单的 `securityContext`
+节包含 `capabilities` 字段。
 
-首先，查看不包含 `capabilities` 字段时候会发生什么。
+首先，看一下不包含 `capabilities` 字段时候会发生什么。
 下面是一个配置文件，其中没有添加或移除容器的权能：
 
 {{< codenew file="pods/security/security-context-3.yaml" >}}
@@ -598,12 +617,15 @@ for definitions of the capability constants.
 了解权能常数的定义。
 
 <!--
-Linux capability constants have the form `CAP_XXX`. But when you list capabilities in your Container manifest, you must omit the `CAP_` portion of the constant. For example, to add `CAP_SYS_TIME`, include `SYS_TIME` in your list of capabilities.
+Linux capability constants have the form `CAP_XXX`.
+But when you list capabilities in your Container manifest, you must
+omit the `CAP_` portion of the constant.
+For example, to add `CAP_SYS_TIME`, include `SYS_TIME` in your list of capabilities.
 -->
 {{< note >}}
 Linux 权能常数定义的形式为 `CAP_XXX`。但是你在 Container 清单中列举权能时，
-要将权能名称中的 `CAP_` 部分去掉。例如，要添加 `CAP_SYS_TIME`，可在权能
-列表中添加 `SYS_TIME`。
+要将权能名称中的 `CAP_` 部分去掉。例如，要添加 `CAP_SYS_TIME`，
+可在权能列表中添加 `SYS_TIME`。
 {{< /note >}}
 
 <!--
@@ -623,18 +645,18 @@ flag).
 Here is an example that sets the Seccomp profile to the node's container runtime
 default profile:
 -->
-## 为容器设置 Seccomp 样板
+## 为容器设置 Seccomp 配置 
 
-若要为容器设置 Seccomp 样板（Profile），可在你的 Pod 或 Container 清单的
+若要为容器设置 Seccomp 配置（Profile），可在你的 Pod 或 Container 清单的
 `securityContext` 节中包含 `seccompProfile` 字段。该字段是一个 
 [SeccompProfile](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#seccompprofile-v1-core)
 对象，包含 `type` 和 `localhostProfile` 属性。
 `type` 的合法选项包括 `RuntimeDefault`、`Unconfined` 和 `Localhost`。
-`localhostProfile` 只能在 `type: Localhost` 配置下才需要设置。
-该字段标明节点上预先配置的样板的路径，路径是相对于 kubelet 所配置的
-Seccomp 样板路径（使用 `--root-dir` 配置）而言的。
+`localhostProfile` 只能在 `type: Localhost` 配置下才可以设置。
+该字段标明节点上预先设定的配置的路径，路径是相对于 kubelet 所配置的
+Seccomp 配置路径（使用 `--root-dir` 设置）而言的。
 
-下面是一个例子，设置容器使用节点上容器运行时的默认样板作为 Seccomp 样板：
+下面是一个例子，设置容器使用节点上容器运行时的默认配置作为 Seccomp 配置：
 
 ```yaml
 ...
@@ -704,15 +726,15 @@ Pod 的安全上下文适用于 Pod 中的容器，也适用于 Pod 所挂载的
 
 <!--
 * `fsGroup`: Volumes that support ownership management are modified to be owned
-and writable by the GID specified in `fsGroup`. See the
-[Ownership Management design document](https://git.k8s.io/community/contributors/design-proposals/storage/volume-ownership-management.md)
-for more details.
+  and writable by the GID specified in `fsGroup`. See the
+  [Ownership Management design document](https://git.k8s.io/community/contributors/design-proposals/storage/volume-ownership-management.md)
+  for more details.
 
 * `seLinuxOptions`: Volumes that support SELinux labeling are relabeled to be accessible
-by the label specified under `seLinuxOptions`. Usually you only
-need to set the `level` section. This sets the
-[Multi-Category Security (MCS)](https://selinuxproject.org/page/NB_MLS)
-label given to all Containers in the Pod as well as the Volumes.
+  by the label specified under `seLinuxOptions`. Usually you only
+  need to set the `level` section. This sets the
+  [Multi-Category Security (MCS)](https://selinuxproject.org/page/NB_MLS)
+  label given to all Containers in the Pod as well as the Volumes.
 -->
 * `fsGroup`：支持属主管理的卷会被修改，将其属主变更为 `fsGroup` 所指定的 GID，
   并且对该 GID 可写。进一步的细节可参阅
@@ -763,9 +785,9 @@ kubectl delete pod security-context-demo-4
 -->
 * [PodSecurityContext](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podsecuritycontext-v1-core) API 定义
 * [SecurityContext](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#securitycontext-v1-core) API 定义
-* [使用最新的安全性增强来调优 Docker](https://github.com/containerd/containerd/blob/main/docs/cri/config.md)
-* [安全性上下文的设计文档](https://git.k8s.io/community/contributors/design-proposals/auth/security_context.md)
-* [属主管理的设计文档](https://git.k8s.io/community/contributors/design-proposals/storage/volume-ownership-management.md)
+* [使用最新的安全性增强来调优 Docker（英文）](https://github.com/containerd/containerd/blob/main/docs/cri/config.md)
+* [安全上下文的设计文档（英文）](https://git.k8s.io/community/contributors/design-proposals/auth/security_context.md)
+* [属主管理的设计文档（英文）](https://git.k8s.io/community/contributors/design-proposals/storage/volume-ownership-management.md)
 * [Pod 安全策略](/zh/docs/concepts/policy/pod-security-policy/)
-* [AllowPrivilegeEscalation 的设计文档](https://git.k8s.io/community/contributors/design-proposals/auth/no-new-privs.md)
+* [AllowPrivilegeEscalation 的设计文档（英文）](https://git.k8s.io/community/contributors/design-proposals/auth/no-new-privs.md)