
Commit f569220

[zh] sync /pod-security-standards.md
1 parent b3baa90 commit f569220

File tree

1 file changed

+55
-50
lines changed


content/zh-cn/docs/concepts/security/pod-security-standards.md

Lines changed: 55 additions & 50 deletions
@@ -380,7 +380,7 @@ fail validation.
380380
<tr>
381381
<td style="white-space: nowrap"><!--Privilege Escalation (v1.8+)-->特权提升(v1.8+)</td>
382382
<td>
383-
<p><!--Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed.-->禁止(通过 SetUID 或 SetGID 文件模式)获得特权提升。</p>
383+
<p><!--Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed. <em><a href="#policies-specific-to-linux">This is Linux only policy</a> in v1.25+ <code>(spec.os.name != windows)</code></em>-->禁止(通过 SetUID 或 SetGID 文件模式)获得特权提升。<em><a href="#policies-specific-to-linux">这是 v1.25+ 中仅针对 Linux 的策略</a> <code>(spec.os.name != windows)</code></em></p>
384384
<p><strong><!--Restricted Fields-->限制的字段</strong></p>
385385
<ul>
386386
<li><code>spec.containers[*].securityContext.allowPrivilegeEscalation</code></li>
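Review bot: the condition appended in this hunk is written as `(spec.os.name != windows)` (no leading dot, unquoted value) in both the English comment and the translation, while the Linux Capabilities hunk further down in the same file writes it as `(.spec.os.name != "windows")`. Since this file mirrors the upstream English verbatim the inconsistency originates upstream, but the three notes describe the same field and the same check, so it is worth aligning the rendered Chinese text to one spelling of the field path even if the English comment is kept as synced.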
@@ -435,7 +435,7 @@ fail validation.
435435
<tr>
436436
<td style="white-space: nowrap">Seccomp (v1.19+)</td>
437437
<td>
438-
<p><!--Seccomp profile must be explicitly set to one of the allowed values. Both the <code>Unconfined</code> profile and the <em>absence</em> of a profile are prohibited.-->Seccomp Profile 必须被显式设置成一个允许的值。禁止使用 <code>Unconfined</code> Profile 或者指定 <em>不存在的</em> Profile。</p>
438+
<p><!--Seccomp profile must be explicitly set to one of the allowed values. Both the <code>Unconfined</code> profile and the <em>absence</em> of a profile are prohibited. <em><a href="#policies-specific-to-linux">This is Linux only policy</a> in v1.25+ <code>(spec.os.name != windows)</code></em>-->Seccomp Profile 必须被显式设置成一个允许的值。禁止使用 <code>Unconfined</code> Profile 或者指定 <em>不存在的</em> Profile。<em><a href="#policies-specific-to-linux">这是 v1.25+ 中仅针对 Linux 的策略</a> <code>(spec.os.name != windows)</code></em></p>
439439
<p><strong><!--Restricted Fields-->限制的字段</strong></p>
440440
<ul>
441441
<li><code>spec.securityContext.seccompProfile.type</code></li>
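Review bot: the translation "禁止使用 <code>Unconfined</code> Profile 或者指定 <em>不存在的</em> Profile" renders "the <em>absence</em> of a profile" as "specifying a non-existent profile", which changes the meaning; the English says that leaving the profile unset at all is prohibited. This wording is pre-existing and the hunk only appends the Linux-only note, but since the line is being rewritten anyway it is a good moment to change it to something like "或者未设置 Profile".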
@@ -468,10 +468,10 @@ fail validation.
468468
<p>
469469
<!--
470470
Containers must drop <code>ALL</code> capabilities, and are only permitted to add back
471-
the <code>NET_BIND_SERVICE</code> capability.
471+
the <code>NET_BIND_SERVICE</code> capability. <em><a href="#policies-specific-to-linux">This is Linux only policy</a> in v1.25+ <code>(.spec.os.name != "windows")</code></em>
472472
-->
473473
容器必须弃用 <code>ALL</code> 权能,并且只允许添加
474-
<code>NET_BIND_SERVICE</code> 权能。
474+
<code>NET_BIND_SERVICE</code> 权能。<em><a href="#policies-specific-to-linux">这是 v1.25+ 中仅针对 Linux 的策略</a> <code>(.spec.os.name != "windows")</code></em>
475475
</p>
476476
<p><strong><!--Restricted Fields-->限制的字段</strong></p>
477477
<ul>
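Review bot: "容器必须弃用 <code>ALL</code> 权能" uses 弃用 ("deprecate") for "drop"; the capability is removed from the container, not deprecated, so 丢弃 or 放弃 reads correctly. This is pre-existing wording in the context line, but the added sentence on the following line keeps the same paragraph, so consider fixing it in this change. Separately, the new note uses `(.spec.os.name != "windows")`, which does not match the `(spec.os.name != windows)` form used in the Privilege Escalation and Seccomp hunks above.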
@@ -526,15 +526,6 @@ of individual policies are not defined here.
526526
- {{< example file="security/podsecurity-baseline.yaml" >}}Baseline 名字空间{{< /example >}}
527527
- {{< example file="security/podsecurity-restricted.yaml" >}}Restricted 名字空间{{< /example >}}
528528

529-
<!--
530-
[**PodSecurityPolicy**](/docs/concepts/security/pod-security-policy/) (Deprecated)
531-
-->
532-
[**PodSecurityPolicy**](/zh-cn/docs/concepts/security/pod-security-policy/) (已弃用)
533-
534-
- {{< example file="policy/privileged-psp.yaml" >}}Privileged{{< /example >}}
535-
- {{< example file="policy/baseline-psp.yaml" >}}Baseline{{< /example >}}
536-
- {{< example file="policy/restricted-psp.yaml" >}}Restricted{{< /example >}}
537-
538529
<!--
539530
### Alternatives
540531
-->
@@ -551,6 +542,57 @@ Other alternatives for enforcing policies are being developed in the Kubernetes
551542
- [Kyverno](https://kyverno.io/policies/pod-security/)
552543
- [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper)
553544

545+
<!--
546+
## Pod OS field
547+
548+
Kubernetes lets you use nodes that run either Linux or Windows. You can mix both kinds of
549+
node in one cluster.
550+
Windows in Kubernetes has some limitations and differentiators from Linux-based
551+
workloads. Specifically, many of the Pod `securityContext` fields
552+
[have no effect on Windows](/docs/concepts/windows/intro/#compatibility-v1-pod-spec-containers-securitycontext).
553+
-->
554+
## Pod OS 字段 {#pod-os-field}
555+
556+
Kubernetes 允许你使用运行 Linux 或 Windows 的节点。你可以在一个集群中混用两种类型的节点。
557+
Kubernetes 中的 Windows 与基于 Linux 的工作负载相比有一些限制和差异。
558+
具体而言,许多 Pod `securityContext`
559+
字段[在 Windows 上不起作用](/zh-cn/docs/concepts/windows/intro/#compatibility-v1-pod-spec-containers-securitycontext)
560+
561+
562+
{{< note >}}
563+
<!--
564+
Kubelets prior to v1.24 don't enforce the pod OS field, and if a cluster has nodes on versions earlier than v1.24 the restricted policies should be pinned to a version prior to v1.25.
565+
-->
566+
v1.24 之前的 Kubelet 不强制处理 Pod OS 字段,如果集群中有些节点运行早于 v1.24 的版本,
567+
则应将限制性的策略锁定到 v1.25 之前的版本。
568+
{{< /note >}}
569+
570+
<!--
571+
### Restricted Pod Security Standard changes
572+
Another important change, made in Kubernetes v1.25 is that the _restricted_ Pod security
573+
has been updated to use the `pod.spec.os.name` field. Based on the OS name, certain policies that are specific
574+
to a particular OS can be relaxed for the other OS.
575+
-->
576+
### 限制性的 Pod Security Standard 变更 {#restricted-pod-security-standard-changes}
577+
578+
Kubernetes v1.25 中的另一个重要变化是 **限制性的(Restricted)** Pod 安全性已更新,
579+
能够处理 `pod.spec.os.name` 字段。根据 OS 名称,专用于特定 OS 的某些策略对其他 OS 可以放宽限制。
580+
581+
<!--
582+
#### OS-specific policy controls
583+
584+
Restrictions on the following controls are only required if `.spec.os.name` is not `windows`:
585+
- Privilege Escalation
586+
- Seccomp
587+
- Linux Capabilities
588+
-->
589+
#### OS 特定的策略控制
590+
591+
仅当 `.spec.os.name` 不是 `windows` 时,才需要对以下控制进行限制:
592+
- 特权提升
593+
- Seccomp
594+
- Linux 权能
595+
554596
<!--
555597
## FAQ
556598
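Review bot: the three Linux-only notes added earlier in this file link to `#policies-specific-to-linux`, but no heading in this new section carries that id. The two Chinese headings that do get explicit ids use `{#pod-os-field}` and `{#restricted-pod-security-standard-changes}`, while "#### OS 特定的策略控制" has none, so its generated id will be derived from the Chinese text and the links will not resolve. Add an explicit id to that heading that matches the link target (or change the links to whatever id the upstream English page actually uses). Also, the translated sentence ending "字段[在 Windows 上不起作用](...)" is missing the terminating 。 that the English sentence has.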
@@ -601,43 +643,6 @@ built-in [Pod Security Admission Controller](/docs/concepts/security/pod-securit
601643
[Pod 安全性策略](/zh-cn/docs/concepts/security/pod-security-policy/)已被废弃,
602644
取而代之的是内置的 [Pod 安全性准入控制器](/zh-cn/docs/concepts/security/pod-security-admission/)
603645

604-
<!--
605-
### What profiles should I apply to my Windows Pods?
606-
607-
Windows in Kubernetes has some limitations and differentiators from standard Linux-based
608-
workloads. Specifically, many of the Pod SecurityContext fields
609-
[have no effect on Windows](/docs/concepts/windows/intro/#compatibility-v1-pod-spec-containers-securitycontext).
610-
As such, no standardized Pod Security profiles currently exist.
611-
-->
612-
### 我应该为我的 Windows Pod 实施哪种框架?
613-
614-
Kubernetes 中的 Windows 负载与标准的基于 Linux 的负载相比有一些局限性和区别。
615-
尤其是 Pod SecurityContext
616-
字段[对 Windows 不起作用](/zh-cn/docs/concepts/windows/intro/#compatibility-v1-pod-spec-containers-securitycontext)
617-
因此,目前没有对应的标准 Pod 安全性框架。
618-
619-
<!--
620-
If you apply the restricted profile for a Windows pod, this **may** have an impact on the pod
621-
at runtime. The restricted profile requires enforcing Linux-specific restrictions (such as seccomp
622-
profile, and disallowing privilege escalation). If the kubelet and / or its container runtime ignore
623-
these Linux-specific values, then the Windows pod should still work normally within the restricted
624-
profile. However, the lack of enforcement means that there is no additional restriction, for Pods
625-
that use Windows containers, compared to the baseline profile.
626-
-->
627-
如果你为一个 Windows Pod 应用了 Restricted 策略,**可能会** 对该 Pod 的运行时产生影响。
628-
Restricted 策略需要强制执行 Linux 特有的限制(如 seccomp Profile,并且禁止特权提升)。
629-
如果 kubelet 和/或其容器运行时忽略了 Linux 特有的值,那么应该不影响 Windows Pod 正常工作。
630-
然而,对于使用 Windows 容器的 Pod 来说,缺乏强制执行意味着相比于 Restricted 策略,没有任何额外的限制。
631-
632-
<!--
633-
The use of the HostProcess flag to create a HostProcess pod should only be done in alignment with the privileged policy.
634-
Creation of a Windows HostProcess pod is blocked under the baseline and restricted policies,
635-
so any HostProcess pod should be considered privileged.
636-
-->
637-
你应该只在 Privileged 策略下使用 HostProcess 标志来创建 HostProcess Pod。
638-
在 Baseline 和 Restricted 策略下,创建 Windows HostProcess Pod 是被禁止的,
639-
因此任何 HostProcess Pod 都应该被认为是有特权的。
640-
641646
<!--
642647
### What about sandboxed Pods?
643648
