Merge pull request #45186 from my-git9/security-index1

k8s-ci-robot · web-flow · commit db31d7c34873 · 2024-02-18T16:07:29.000-08:00
[zh-cn]sync security/_index.md
diff --git a/content/zh-cn/docs/concepts/security/_index.md b/content/zh-cn/docs/concepts/security/_index.md
@@ -2,4 +2,253 @@
 title: "安全"
 weight: 85
 description: 确保云原生工作负载安全的一组概念。
+simple_list: true
 ---
+
+<!--
+title: "Security"
+weight: 85
+description: >
+  Concepts for keeping your cloud-native workload secure.
+simple_list: true
+-->
+
+<!--
+This section of the Kubernetes documentation aims to help you learn to run
+workloads more securely, and about the essential aspects of keeping a
+Kubernetes cluster secure.
+
+Kubernetes is based on a cloud-native architecture, and draws on advice from the
+{{< glossary_tooltip text="CNCF" term_id="cncf" >}} about good practice for
+cloud native information security.
+-->
+Kubernetes 文档的这一部分内容的旨在引导你学习如何更安全地运行工作负载，
+以及维护 Kubernetes 集群的基本安全性。
+
+Kubernetes 基于云原生架构，并借鉴了
+{{< glossary_tooltip text="CNCF" term_id="cncf" >}} 有关云原生信息安全良好实践的建议。
+
+<!--
+Read [Cloud Native Security and Kubernetes](/docs/concepts/security/cloud-native-security/)
+for the broader context about how to secure your cluster and the applications that
+you're running on it.
+-->
+请阅读[云原生安全和 Kubernetes](/zh-cn/docs/concepts/security/cloud-native-security/)，
+了解有关如何保护集群及其上运行的应用程序的更广泛背景信息。
+
+<!--
+## Kubernetes security mechanisms {#security-mechanisms}
+
+Kubernetes includes several APIs and security controls, as well as ways to
+define [policies](#policies) that can form part of how you manage information security.
+-->
+## Kubernetes 安全机制 {#security-mechanisms}
+
+Kubernetes 包含多个 API 和安全组件，
+以及定义[策略](#policies)的方法，这些策略可以作为你的信息安全管理的一部分。
+
+<!--
+### Control plane protection
+
+A key security mechanism for any Kubernetes cluster is to
+[control access to the Kubernetes API](/docs/concepts/security/controlling-access).
+-->
+### 控制平面保护
+
+任何 Kubernetes 集群的一个关键安全机制是[控制对 Kubernetes API 的访问](/zh-cn/docs/concepts/security/controlling-access)。
+
+<!--
+Kubernetes expects you to configure and use TLS to provide
+[data encryption in transit](/docs/tasks/tls/managing-tls-in-a-cluster/)
+within the control plane, and between the control plane and its clients.
+You can also enable [encryption at rest](/docs/tasks/administer-cluster/encrypt-data/)
+for the data stored within Kubernetes control plane; this is separate from using
+encryption at rest for your own workloads' data, which might also be a good idea.
+-->
+Kubernetes 希望你配置并使用 TLS，
+以便在控制平面内以及控制平面与其客户端之间提供[传输中的数据加密](/zh-cn/docs/tasks/tls/managing-tls-in-a-cluster/)。
+你还可以为 Kubernetes 控制平面中存储的数据启用静态加密；
+这与对你自己的工作负载数据使用静态加密不同，后者可能也是一个好主意。
+
+<!--
+### Secrets
+
+The [Secret](/docs/concepts/configuration/secret/) API provides basic protection for
+configuration values that require confidentiality.
+-->
+### Secret
+
+[Secret](/zh-cn/docs/concepts/configuration/secret/) API
+为需要保密的配置值提供基本保护。
+
+<!--
+### Workload protection
+
+Enforce [Pod security standards](/docs/concepts/security/pod-security-standards/) to
+ensure that Pods and their containers are isolated appropriately. You can also use
+[RuntimeClasses](/docs/concepts/containers/runtime-class) to define custom isolation
+if you need it.
+-->
+### 工具负载保护
+
+实施 [Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards/)以确保
+Pod 及其容器得到适当隔离。如果需要，你还可以使用
+[RuntimeClass](/zh-cn/docs/concepts/containers/runtime-class) 来配置自定义隔离。
+
+<!--
+[Network policies](/docs/concepts/services-networking/network-policies/) let you control
+network traffic between Pods, or between Pods and the network outside your cluster.
+
+You can deploy security controls from the wider ecosystem to implement preventative
+or detective controls around Pods, their containers, and the images that run in them.
+-->
+[网络策略（NetworkPolicy)](/zh-cn/docs/concepts/services-networking/network-policies/)
+可让控制 Pod 之间或 Pod 与集群外部网络之间的网络流量。
+
+<!--
+### Auditing
+
+Kubernetes [audit logging](/docs/tasks/debug/debug-cluster/audit/) provides a
+security-relevant, chronological set of records documenting the sequence of actions
+in a cluster. The cluster audits the activities generated by users, by applications
+that use the Kubernetes API, and by the control plane itself.
+-->
+### 审计
+
+Kubernetes [审计日志记录](/zh-cn/docs/tasks/debug/debug-cluster/audit/)提供了一组与安全相关、
+按时间顺序排列的记录，记录了集群中的操作序列。
+集群审计用户、使用 Kubernetes API 的应用程序以及控制平面本身生成的活动。
+
+<!--
+## Cloud provider security
+
+{{% thirdparty-content vendor="true" %}}
+
+If you are running a Kubernetes cluster on your own hardware or a different cloud provider,
+consult your documentation for security best practices.
+Here are links to some of the popular cloud providers' security documentation:
+-->
+## 云提供商安全
+
+{{% thirdparty-content vendor="true" %}}
+
+如果你在自己的硬件或不同的云平台上运行 Kubernetes 集群，请参阅对应云平台的文档以了解安全最佳实践。
+以下是一些流行云提供商的安全文档的链接：
+
+<!--
+{{< table caption="Cloud provider security" >}}
+
+IaaS Provider        | Link |
+-------------------- | ------------ |
+Alibaba Cloud | https://www.alibabacloud.com/trust-center |
+Amazon Web Services | https://aws.amazon.com/security |
+Google Cloud Platform | https://cloud.google.com/security |
+Huawei Cloud | https://www.huaweicloud.com/intl/en-us/securecenter/overallsafety |
+IBM Cloud | https://www.ibm.com/cloud/security |
+Microsoft Azure | https://docs.microsoft.com/en-us/azure/security/azure-security |
+Oracle Cloud Infrastructure | https://www.oracle.com/security |
+VMware vSphere | https://www.vmware.com/security/hardening-guides |
+
+{{< /table >}}
+-->
+{{< table caption="Cloud provider security" >}}
+
+IaaS 提供商        | 链接 |
+-------------------- | ------------ |
+阿里云 | https://www.alibabacloud.com/trust-center |
+亚马逊网络服务 | https://aws.amazon.com/security |
+谷歌云平台 | https://cloud.google.com/security |
+华为云 | https://www.huaweicloud.com/intl/en-us/securecenter/overallsafety |
+IBM 云 | https://www.ibm.com/cloud/security |
+微软 Azure | https://docs.microsoft.com/en-us/azure/security/azure-security |
+Oracle 云基础设施| https://www.oracle.com/security |
+VMware vSphere | https://www.vmware.com/security/hardening-guides |
+
+{{< /table >}}
+
+<!--
+## Policies
+
+You can define security policies using Kubernetes-native mechanisms,
+such as [NetworkPolicy](/docs/concepts/services-networking/network-policies/)
+(declarative control over network packet filtering) or
+[ValidatingAdmisisonPolicy](/docs/reference/access-authn-authz/validating-admission-policy/) (declarative restrictions on what changes
+someone can make using the Kubernetes API).
+-->
+## 策略
+
+你可以使用 Kubernetes 原生机制定义安全策略，例如
+[NetworkPolicy](/zh-cn/docs/concepts/services-networking/network-policies/)（对网络数据包过滤的声明式控制）
+或 [ValidatingAdmisisonPolicy](/zh-cn/docs/reference/access -authn-authz/validating-admission-policy/)
+（对某人可以使用 Kubernetes API 进行哪些更改的声明性限制）。
+
+<!--
+However, you can also rely on policy implementations from the wider
+ecosystem around Kubernetes. Kubernetes provides extension mechanisms
+to let those ecosystem projects implement their own policy controls
+on source code review, container image approval, API access controls,
+networking, and more.
+-->
+你还可以依赖 Kubernetes 周边更广泛的生态系统的策略实现。
+Kubernetes 提供了扩展机制，让这些生态系统项目在源代码审查、
+容器镜像审批、API 访问控制、网络等方面实施自己的策略控制。
+
+<!--
+For more information about policy mechanisms and Kubernetes,
+read [Policies](/docs/concepts/policy/).
+-->
+有关策略机制和 Kubernetes 的更多信息，请阅读[策略](/zh-cn/docs/concepts/policy/)。
+
+## {{% heading "whatsnext" %}}
+
+<!--
+Learn about related Kubernetes security topics:
+
+* [Securing your cluster](/docs/tasks/administer-cluster/securing-a-cluster/)
+* [Known vulnerabilities](/docs/reference/issues-security/official-cve-feed/)
+  in Kubernetes (and links to further information)
+* [Data encryption in transit](/docs/tasks/tls/managing-tls-in-a-cluster/) for the control plane
+* [Data encryption at rest](/docs/tasks/administer-cluster/encrypt-data/)
+* [Controlling Access to the Kubernetes API](/docs/concepts/security/controlling-access)
+* [Network policies](/docs/concepts/services-networking/network-policies/) for Pods
+* [Secrets in Kubernetes](/docs/concepts/configuration/secret/)
+* [Pod security standards](/docs/concepts/security/pod-security-standards/)
+* [RuntimeClasses](/docs/concepts/containers/runtime-class)
+-->
+了解相关的 Kubernetes 安全主题：
+
+* [保护集群](/zh-cn/docs/tasks/administer-cluster/secure-a-cluster/)
+* Kubernetes 中的[已知漏洞](/zh-cn/docs/reference/issues-security/official-cve-feed/)（以及更多信息的链接）
+* [传输中的数据加密](/zh-cn/docs/tasks/tls/managing-tls-in-a-cluster/)（针对控制平面）
+* [静态数据加密](/zh-cn/docs/tasks/administer-cluster/encrypt-data/)
+* [控制对 Kubernetes API 的访问](/zh-cn/docs/concepts/security/controlling-access)
+* Pod 的 [网络策略](/zh-cn/docs/concepts/services-networking/network-policies/)
+* [Kubernetes 中的 Secret](/zh-cn/docs/concepts/configuration/secret/)
+* [Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards/)
+* [运行时类](/zh-cn/docs/concepts/containers/runtime-class)
+
+<!--
+Learn the context:
+-->
+了解上下文：
+
+<!-- if changing this, also edit the front matter of content/en/docs/concepts/security/cloud-native-security.md to match; check the no_list setting -->
+<!--
+* [Cloud Native Security and Kubernetes](/docs/concepts/security/cloud-native-security/)
+-->
+* [云原生安全和 Kubernetes](/zh-cn/docs/concepts/security/cloud-native-security/)
+
+<!--
+Get certified:
+
+* [Certified Kubernetes Security Specialist](https://training.linuxfoundation.org/certification/certified-kubernetes-security-specialist/)
+  certification and official training course.
+
+Read more in this section:
+-->
+获取认证：
+
+* [Kubernetes 安全专家认证](https://training.linuxfoundation.org/certification/certified-kubernetes-security-specialist/)和官方培训课程。
+
+阅读本节的更多内容：
+
