Merge pull request #39201 from Zhuzhenghao/cluster-level-pss

k8s-ci-robot · web-flow · commit cf6015ece106 · 2023-02-01T02:25:06.000-08:00
[zh] Cleanup cluster-level-pss.md
diff --git a/content/zh-cn/docs/tutorials/security/cluster-level-pss.md b/content/zh-cn/docs/tutorials/security/cluster-level-pss.md
@@ -3,7 +3,7 @@ title: 在集群级别应用 Pod 安全标准
 content_type: tutorial
 weight: 10
 ---
-<!-- 
+<!--
 title: Apply Pod Security Standards at the Cluster Level
 content_type: tutorial
 weight: 10
@@ -16,7 +16,7 @@ This tutorial applies only for new clusters.
 本教程仅适用于新集群。
 {{% /alert %}}
 
-<!-- 
+<!--
 Pod Security admission (PSA) is enabled by default in v1.23 and later, as it has
 [graduated to beta](/blog/2021/12/09/pod-security-admission-beta/).
 Pod Security
@@ -46,7 +46,7 @@ Pod 安全准入是在创建 Pod 时应用
 请查阅该版本的文档。
 
 ## {{% heading "prerequisites" %}}
-<!-- 
+<!--
 Install the following on your workstation:
 
 - [KinD](https://kind.sigs.k8s.io/docs/user/quick-start/#installation)
@@ -65,7 +65,7 @@ lets you apply built-in [Pod Security Standards](/docs/concepts/security/pod-sec
 with the following modes: `enforce`, `audit`, and `warn`.
 
 To gather information that helps you to choose the Pod Security Standards
-that are most appropriate for your configuration, do the following: 
+that are most appropriate for your configuration, do the following:
 -->
 ## 正确选择要应用的 Pod 安全标准  {#choose-the-right-pod-security-standard-to-apply}
 
@@ -76,7 +76,7 @@ that are most appropriate for your configuration, do the following:
 
 要收集信息以便选择最适合你的配置的 Pod 安全标准，请执行以下操作：
 
-<!-- 
+<!--
 1. Create a cluster with no Pod Security Standards applied:
 -->
 1. 创建一个没有应用 Pod 安全标准的集群：
@@ -89,20 +89,20 @@ that are most appropriate for your configuration, do the following:
    ```
    Creating cluster "psa-wo-cluster-pss" ...
    ✓ Ensuring node image (kindest/node:v1.24.0) 🖼
-   ✓ Preparing nodes 📦  
+   ✓ Preparing nodes 📦
    ✓ Writing configuration 📜
    ✓ Starting control-plane 🕹️
    ✓ Installing CNI 🔌
    ✓ Installing StorageClass 💾
    Set kubectl context to "kind-psa-wo-cluster-pss"
    You can now use your cluster with:
-   
+
    kubectl cluster-info --context kind-psa-wo-cluster-pss
-   
+
    Thanks for using kind! 😊
    ```
 
-<!-- 
+<!--
 1. Set the kubectl context to the new cluster:
 -->
 2. 将 kubectl 上下文设置为新集群：
@@ -116,11 +116,11 @@ that are most appropriate for your configuration, do the following:
    Kubernetes control plane is running at https://127.0.0.1:61350
 
    CoreDNS is running at https://127.0.0.1:61350/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
-    
+
    To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
    ```
 
-<!-- 
+<!--
 1. Get a list of namespaces in the cluster:
 -->
 3. 获取集群中的名字空间列表：
@@ -130,7 +130,7 @@ that are most appropriate for your configuration, do the following:
    ```
    <!-- The output is similar to this: -->
    输出类似于：
-   ```      
+   ```
    NAME                 STATUS   AGE
    default              Active   9m30s
    kube-node-lease      Active   9m32s
@@ -139,34 +139,34 @@ that are most appropriate for your configuration, do the following:
    local-path-storage   Active   9m26s
    ```
 
-<!-- 
+<!--
 1. Use `--dry-run=server` to understand what happens when different Pod Security Standards
    are applied:
 -->
 4. 使用 `--dry-run=server` 来了解应用不同的 Pod 安全标准时会发生什么：
 
    1. Privileged
       ```shell
-      kubectl label --dry-run=server --overwrite ns --all \                    
+      kubectl label --dry-run=server --overwrite ns --all \
       pod-security.kubernetes.io/enforce=privileged
       ```
       <!-- The output is similar to this: -->
       输出类似于：
-       ```      
-       namespace/default labeled
-       namespace/kube-node-lease labeled
-       namespace/kube-public labeled
-       namespace/kube-system labeled
-       namespace/local-path-storage labeled
-       ```
+      ```
+      namespace/default labeled
+      namespace/kube-node-lease labeled
+      namespace/kube-public labeled
+      namespace/kube-system labeled
+      namespace/local-path-storage labeled
+      ```
    2. Baseline
       ```shell
       kubectl label --dry-run=server --overwrite ns --all \
       pod-security.kubernetes.io/enforce=baseline
       ```
       <!-- The output is similar to this: -->
       输出类似于：
-      ```   
+      ```
       namespace/default labeled
       namespace/kube-node-lease labeled
       namespace/kube-public labeled
@@ -185,7 +185,7 @@ that are most appropriate for your configuration, do the following:
       ```
       <!-- The output is similar to this: -->
       输出类似于：
-      ```   
+      ```
       namespace/default labeled
       namespace/kube-node-lease labeled
       namespace/kube-public labeled
@@ -200,15 +200,16 @@ that are most appropriate for your configuration, do the following:
       namespace/local-path-storage labeled
       ```
 
-<!-- 
+<!--
 From the previous output, you'll notice that applying the `privileged` Pod Security Standard shows no warnings
 for any namespaces. However, `baseline` and `restricted` standards both have
 warnings, specifically in the `kube-system` namespace.
 -->
+
 从前面的输出中，你会注意到应用 `privileged` Pod 安全标准不会显示任何名字空间的警告。
 然而，`baseline` 和 `restricted` 标准都有警告，特别是在 `kube-system` 名字空间中。
 
-<!-- 
+<!--
 ## Set modes, versions and standards
 
 In this section, you apply the following Pod Security Standards to the `latest` version:
@@ -223,7 +224,7 @@ In this section, you apply the following Pod Security Standards to the `latest`
 * 在 `enforce` 模式下的 `baseline` 标准。
 * `warn` 和 `audit` 模式下的 `restricted` 标准。
 
-<!-- 
+<!--
 The `baseline` Pod Security Standard provides a convenient
 middle ground that allows keeping the exemption list short and prevents known
 privilege escalations.
@@ -240,7 +241,7 @@ following:
 
 在你自己的环境中实施 Pod 安全准入时，请考虑以下事项：
 
-<!-- 
+<!--
 1. Based on the risk posture applied to a cluster, a stricter Pod Security
    Standard like `restricted` might be a better choice.
 1. Exempting the `kube-system` namespace allows pods to run as
@@ -260,7 +261,7 @@ following:
 
    ```
    mkdir -p /tmp/pss
-   cat <<EOF > /tmp/pss/cluster-level-pss.yaml 
+   cat <<EOF > /tmp/pss/cluster-level-pss.yaml
    apiVersion: apiserver.config.k8s.io/v1
    kind: AdmissionConfiguration
    plugins:
@@ -293,13 +294,13 @@ following:
    对于 v1.22，使用 [v1alpha1](https://v1-22.docs.kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/)。
    {{< /note >}}
 
-<!-- 
+<!--
 1. Configure the API server to consume this file during cluster creation:
 -->
 4. 在创建集群时配置 API 服务器使用此文件：
 
    ```
-   cat <<EOF > /tmp/pss/cluster-config.yaml 
+   cat <<EOF > /tmp/pss/cluster-config.yaml
    kind: Cluster
    apiVersion: kind.x-k8s.io/v1alpha4
    nodes:
@@ -333,7 +334,7 @@ following:
    ```
 
    {{<note>}}
-   <!-- 
+   <!--
    If you use Docker Desktop with KinD on macOS, you can
    add `/tmp` as a Shared Directory under the menu item
    **Preferences > Resources > File Sharing**.
@@ -343,7 +344,7 @@ following:
    下添加 `/tmp` 作为共享目录。
    {{</note>}}
 
-<!-- 
+<!--
 1. Create a cluster that uses Pod Security Admission to apply
    these Pod Security Standards:
 -->
@@ -356,22 +357,22 @@ following:
    输出类似于：
    ```
    Creating cluster "psa-with-cluster-pss" ...
-    ✓ Ensuring node image (kindest/node:v1.24.0) 🖼 
-    ✓ Preparing nodes 📦  
-    ✓ Writing configuration 📜 
-    ✓ Starting control-plane 🕹️ 
-    ✓ Installing CNI 🔌 
-    ✓ Installing StorageClass 💾 
+    ✓ Ensuring node image (kindest/node:v1.24.0) 🖼
+    ✓ Preparing nodes 📦
+    ✓ Writing configuration 📜
+    ✓ Starting control-plane 🕹️
+    ✓ Installing CNI 🔌
+    ✓ Installing StorageClass 💾
    Set kubectl context to "kind-psa-with-cluster-pss"
    You can now use your cluster with:
-   
+
    kubectl cluster-info --context kind-psa-with-cluster-pss
-   
+
    Have a question, bug, or feature request? Let us know! https://kind.sigs.k8s.io/#community 🙂
    ```
 
-<!-- 
-1. Point kubectl to the cluster
+<!--
+1. Point kubectl to the cluster:
 -->
 6. 将 kubectl 指向集群
 
@@ -383,11 +384,10 @@ following:
    ```
    Kubernetes control plane is running at https://127.0.0.1:63855
    CoreDNS is running at https://127.0.0.1:63855/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
- 
+
    To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
    ```
-
-<!-- 
+<!--
 1. Create the following Pod specification for a minimal configuration in the default namespace:
 -->
 7. 创建以下 Pod 规约作为在 default 名字空间中的一个最小配置：
@@ -406,8 +406,7 @@ following:
            - containerPort: 80
    EOF
    ```
-
-<!-- 
+<!--
 1. Create the Pod in the cluster:
 -->
 8. 在集群中创建 Pod：
@@ -422,7 +421,7 @@ following:
    pod/nginx created
    ```
 
-<!-- 
+<!--
 ## Clean up
 
 Now delete the clusters which you created above by running the following command:
@@ -440,7 +439,7 @@ kind delete cluster --name psa-wo-cluster-pss
 
 ## {{% heading "whatsnext" %}}
 
-<!-- 
+<!--
 - Run a
   [shell script](/examples/security/kind-with-cluster-level-baseline-pod-security.sh)
   to perform all the preceding steps at once:
@@ -464,4 +463,4 @@ kind delete cluster --name psa-wo-cluster-pss
   6. 应用这个文件，在新集群中创建一个 Pod
 - [Pod 安全准入](/zh-cn/docs/concepts/security/pod-security-admission/)
 - [Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards/)
-- [在名字空间级别应用 Pod 安全标准](/zh-cn/docs/tutorials/security/ns-level-pss/)
+- [在名字空间级别应用 Pod 安全标准](/zh-cn/docs/tutorials/security/ns-level-pss/)
