
Commit cbe169e

Merge pull request #25134 from tengqm/zh-sync-security-context
[zh] sync tasks/configure-pod-container/security-context.md
2 parents 9220cd5 + 1352540 commit cbe169e

1 file changed

+53
-0
lines changed

content/zh/docs/tasks/configure-pod-container/security-context.md

Lines changed: 53 additions & 0 deletions
@@ -578,6 +578,59 @@ Linux 权能常数定义的形式为 `CAP_XXX`。但是你在 Container 清单
578578
列表中添加 `SYS_TIME`
579579
{{< /note >}}
580580

581+
<!--
582+
## Set the Seccomp Profile for a Container
583+
584+
To set the Seccomp profile for a Container, include the `seccompProfile` field
585+
in the `securityContext` section of your Pod or Container manifest. The
586+
`seccompProfile` field is a
587+
[SeccompProfile](/docs/reference/generated/kubernetes-api/{{< param "version"
588+
>}}/#seccompprofile-v1-core) object consisting of `type` and `localhostProfile`.
589+
Valid options for `type` include `RuntimeDefault`, `Unconfined`, and
590+
`Localhost`. `localhostProfile` must only be set set if `type: Localhost`. It
591+
indicates the path of the pre-configured profile on the node, relative to the
592+
kubelet's configured Seccomp profile location (configured with the `-root-dir`
593+
flag).
594+
595+
Here is an example that sets the Seccomp profile to the node's container runtime
596+
default profile:
597+
-->
598+
## 为容器设置 Seccomp 样板
599+
600+
若要为容器设置 Seccomp 样板(Profile),可在你的 Pod 或 Container 清单的
601+
`securityContext` 节中包含 `seccompProfile` 字段。该字段是一个
602+
[SeccompProfile](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#seccompprofile-v1-core)
603+
对象,包含 `type``localhostProfile` 属性。
604+
`type` 的合法选项包括 `RuntimeDefault``Unconfined``Localhost`
605+
`localhostProfile` 只能在 `type: Localhost` 配置下才需要设置。
606+
该字段标明节点上预先配置的样板的路径,路径是相对于 kubelet 所配置的
607+
Seccomp 样板路径(使用 `--root-dir` 配置)而言的。
608+
609+
下面是一个例子,设置容器使用节点上容器运行时的默认样板作为 Seccomp 样板:
610+
611+
```yaml
612+
...
613+
securityContext:
614+
seccompProfile:
615+
type: RuntimeDefault
616+
```
617+
618+
<!--
619+
Here is an example that sets the Seccomp profile to a pre-configured file at
620+
`<kubelet-root-dir>/seccomp/my-profiles/profile-allow.json`:
621+
-->
622+
下面是另一个例子,将 Seccomp 的样板设置为位于
623+
`<kubelet-根目录>/seccomp/my-profiles/profile-allow.json`
624+
的一个预先配置的文件。
625+
626+
```yaml
627+
...
628+
securityContext:
629+
seccompProfile:
630+
type: Localhost
631+
localhostProfile: my-profiles/profile-allow.json
632+
```
633+
581634
<!--
582635
## Assign SELinux labels to a Container
583636
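
Review bot: the commented English source at new line 592 names the kubelet flag as `-root-dir`, while the translation at new line 607 writes `--root-dir`; the two should agree. The kubelet flag is `--root-dir`, so the translation is right and the commented source should be corrected here or upstream. The same comment has a doubled word at new line 590 ("must only be set set if"). At new line 605, "只能在 `type: Localhost` 配置下才需要设置" mixes "can only" with "only needs to", which softens the source's "must only be set if `type: Localhost`". Wording such as "只能在 `type: Localhost` 时设置" would keep the constraint that `localhostProfile` is not to be set for the other `type` values.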
