<p><!--Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed.-->禁止(通过 SetUID 或 SetGID 文件模式)获得特权提升。</p>
383
+
<p><!--Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed. <em><a href="#policies-specific-to-linux">This is Linux only policy</a> in v1.25+ <code>(spec.os.name != windows)</code></em>-->禁止(通过 SetUID 或 SetGID 文件模式)获得特权提升。<em><a href="#policies-specific-to-linux">这是 v1.25+ 中仅针对 Linux 的策略</a> <code>(spec.os.name != windows)</code></em></p>
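Review bot: the condition on 383 is written as `(spec.os.name != windows)` while 471/474 in the same change write it as `(.spec.os.name != "windows")`; use one form throughout, preferably the quoted `.spec.os.name != "windows"`, which matches the field path used on 582 (`.spec.os.name`).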
<p><!--Seccomp profile must be explicitly set to one of the allowed values. Both the <code>Unconfined</code> profile and the <em>absence</em> of a profile are prohibited.-->Seccomp Profile 必须被显式设置成一个允许的值。禁止使用 <code>Unconfined</code> Profile 或者指定 <em>不存在的</em> Profile。</p>
438
+
<p><!--Seccomp profile must be explicitly set to one of the allowed values. Both the <code>Unconfined</code> profile and the <em>absence</em> of a profile are prohibited. <em><a href="#policies-specific-to-linux">This is Linux only policy</a> in v1.25+ <code>(spec.os.name != windows)</code></em>-->Seccomp Profile 必须被显式设置成一个允许的值。禁止使用 <code>Unconfined</code> Profile 或者指定 <em>不存在的</em> Profile。<em><ahref="#policies-specific-to-linux">这是 v1.25+ 中仅针对 Linux 的策略</a> <code>(spec.os.name != windows)</code></em></p>
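Review bot: `<ahref="#policies-specific-to-linux">` on 438 is missing the space between the tag name and the attribute, so the anchor will not render as a link; it should be `<a href="#policies-specific-to-linux">` as on 383. While this line is being touched, the translation "指定 <em>不存在的</em> Profile" reads as "specifying a non-existent profile", whereas the English prohibits the <em>absence</em> of a profile (leaving it unset); wording such as "未设置 Profile" would carry the intended meaning.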
Containers must drop <code>ALL</code> capabilities, and are only permitted to add back
471
-
the <code>NET_BIND_SERVICE</code> capability.
471
+
the <code>NET_BIND_SERVICE</code> capability. <em><ahref="#policies-specific-to-linux">This is Linux only policy</a> in v1.25+ <code>(.spec.os.name != "windows")</code></em>
472
472
-->
473
473
容器必须弃用 <code>ALL</code> 权能,并且只允许添加
474
-
<code>NET_BIND_SERVICE</code> 权能。
474
+
<code>NET_BIND_SERVICE</code> 权能。<em><ahref="#policies-specific-to-linux">这是 v1.25+ 中仅针对 Linux 的策略</a> <code>(.spec.os.name != "windows")</code></em>
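Review bot: the same `<ahref=` typo appears on both 471 (inside the English comment) and 474 (the Chinese text), so the "This is Linux only policy" cross-reference will not render as a link; change both to `<a href="#policies-specific-to-linux">`. The unchanged context line 473 translates "drop ALL capabilities" as "弃用 <code>ALL</code> 权能" (deprecate); "放弃" or "丢弃" would match the English meaning if this block is revisited.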
Kubernetes lets you use nodes that run either Linux or Windows. You can mix both kinds of
549
+
node in one cluster.
550
+
Windows in Kubernetes has some limitations and differentiators from Linux-based
551
+
workloads. Specifically, many of the Pod `securityContext` fields
552
+
[have no effect on Windows](/docs/concepts/windows/intro/#compatibility-v1-pod-spec-containers-securitycontext).
553
+
-->
554
+
## Pod OS 字段 {#pod-os-field}
555
+
556
+
Kubernetes 允许你使用运行 Linux 或 Windows 的节点。你可以在一个集群中混用两种类型的节点。
557
+
Kubernetes 中的 Windows 与基于 Linux 的工作负载相比有一些限制和差异。
558
+
具体而言,许多 Pod `securityContext`
559
+
字段[在 Windows 上不起作用](/zh-cn/docs/concepts/windows/intro/#compatibility-v1-pod-spec-containers-securitycontext)。
560
+
561
+
562
+
{{< note >}}
563
+
<!--
564
+
Kubelets prior to v1.24 don't enforce the pod OS field, and if a cluster has nodes on versions earlier than v1.24 the restricted policies should be pinned to a version prior to v1.25.
565
+
-->
566
+
v1.24 之前的 Kubelet 不强制处理 Pod OS 字段,如果集群中有些节点运行早于 v1.24 的版本,
567
+
则应将限制性的策略锁定到 v1.25 之前的版本。
568
+
{{< /note >}}
569
+
570
+
<!--
571
+
### Restricted Pod Security Standard changes
572
+
Another important change, made in Kubernetes v1.25 is that the _restricted_ Pod security
573
+
has been updated to use the `pod.spec.os.name` field. Based on the OS name, certain policies that are specific
574
+
to a particular OS can be relaxed for the other OS.
575
+
-->
576
+
### 限制性的 Pod Security Standard 变更 {#restricted-pod-security-standard-changes}
577
+
578
+
Kubernetes v1.25 中的另一个重要变化是 **限制性的(Restricted)** Pod 安全性已更新,
579
+
能够处理 `pod.spec.os.name` 字段。根据 OS 名称,专用于特定 OS 的某些策略对其他 OS 可以放宽限制。
580
+
581
+
<!--
582
+
#### OS-specific policy controls
583
+
584
+
Restrictions on the following controls are only required if `.spec.os.name` is not `windows`:
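Review bot: the Chinese section at 555 opens with `## Pod OS 字段 {#pod-os-field}`, but the English `<!-- -->` block at 549–554 contains only the body text; elsewhere in this change (576/577, 582) the English heading sits inside the comment directly above its translation. If `## Pod OS field` is not already in the lines above 549, add it to the comment so the two headings can be compared side by side. The note at 564–567 is what keeps the relaxation described at 582 safe on mixed-version clusters (kubelets before v1.24 don't enforce the OS field), so keep it inside the `{{< note >}}` shortcode rather than folding it into the surrounding paragraph.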