| 1 | +--- |
| 2 | +title: 使用名字空间标签来实施 Pod 安全性标准 |
| 3 | +content_type: task |
| 4 | +min-kubernetes-server-version: v1.22 |
| 5 | +--- |
| 6 | +<!-- |
| 7 | +title: Enforce Pod Security Standards with Namespace Labels |
| 8 | +reviewers: |
| 9 | +- tallclair |
| 10 | +- liggitt |
| 11 | +content_type: task |
| 12 | +min-kubernetes-server-version: v1.22 |
| 13 | +--> |
| 14 | + |
| 15 | +<!-- |
| 16 | +Namespaces can be labeled to enforce the [Pod Security Standards](/docs/concepts/security/pod-security-standards). |
| 17 | +--> |
| 18 | +你可以通过为名字空间设置标签来强制实施 [Pod 安全标准](/zh/docs/concepts/security/pod-security-standards)。 |
| 19 | + |
| 20 | +## {{% heading "prerequisites" %}} |
| 21 | + |
| 22 | +{{% version-check %}} |
| 23 | + |
| 24 | +<!-- |
| 25 | +- Ensure the `PodSecurity` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features) is enabled. |
| 26 | +--> |
| 27 | +- 确保 `PodSecurity` [特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features)已被启用。 |
| 28 | + |
| 29 | +<!-- |
| 30 | +## Requiring the `baseline` Pod Security Standard with namespace labels |
| 31 | +--> |
| 32 | +## 通过名字空间标签来要求实施 `baseline` Pod 容器标准 |
| 33 | + |
| 34 | +<!-- |
| 35 | +This manifest defines a Namespace `my-baseline-namespace` that: |
| 36 | +
|
| 37 | +- _Blocks_ any pods that don't satisfy the `baseline` policy requirements. |
| 38 | +- Generates a user-facing warning and adds an audit annotation to any created pod that does not |
| 39 | + meet the `restricted` policy requirements. |
| 40 | +- Pins the versions of the `baseline` and `restricted` policies to v{{< skew latestVersion >}}. |
| 41 | +--> |
| 42 | +下面的清单定义了一个 `my-baseline-namespace` 名字空间,其中 |
| 43 | + |
| 44 | +- *阻止*任何不满足 `baseline` 策略要求的 Pods; |
| 45 | +- 针对任何无法满足 `restricted` 策略要求的、已创建的 Pod 为用户生成警告信息, |
| 46 | + 并添加审计注解; |
| 47 | +- 将 `baseline` 和 `restricted` 策略的版本锁定到 v{{< skew latestVersion >}}。 |
| 48 | + |
| 49 | +```yaml |
| 50 | +apiVersion: v1 |
| 51 | +kind: Namespace |
| 52 | +metadata: |
| 53 | + name: my-baseline-namespace |
| 54 | + labels: |
| 55 | + pod-security.kubernetes.io/enforce: baseline |
| 56 | + pod-security.kubernetes.io/enforce-version: v{{< skew latestVersion >}} |
| 57 | + |
| 58 | + # 我们将这些标签设置为我们所 _期望_ 的 `enforce` 级别 |
| 59 | + pod-security.kubernetes.io/audit: restricted |
| 60 | + pod-security.kubernetes.io/audit-version: v{{< skew latestVersion >}} |
| 61 | + pod-security.kubernetes.io/warn: restricted |
| 62 | + pod-security.kubernetes.io/warn-version: v{{< skew latestVersion >}} |
| 63 | +``` |
| 64 | +
|
| 65 | +<!-- |
| 66 | +## Add labels to existing namespaces with `kubectl label` |
| 67 | +--> |
| 68 | +## 使用 `kubectl label` 为现有名字空间添加标签 |
| 69 | + |
| 70 | +{{< note >}} |
| 71 | +<!-- |
| 72 | +When an `enforce` policy (or version) label is added or changed, the admission plugin will test |
| 73 | +each pod in the namespace against the new policy. Violations are returned to the user as warnings. |
| 74 | +--> |
| 75 | +在添加或变更 `enforce` 策略(或版本)标签时,准入插件会测试名字空间中的每个 |
| 76 | +Pod 以检查其是否满足新的策略。不符合策略的情况会被以警告的形式返回给用户。 |
| 77 | +{{< /note >}} |
| 78 | + |
| 79 | +<!-- |
| 80 | +It is helpful to apply the `--dry-run` flag when initially evaluating security profile changes for |
| 81 | +namespaces. The Pod Security Standard checks will still be run in _dry run_ mode, giving you |
| 82 | +information about how the new policy would treat existing pods, without actually updating a policy. |
| 83 | +--> |
| 84 | +在刚开始为名字空间评估安全性策略变更时,使用 `--dry-run` 标志是很有用的。 |
| 85 | +Pod 安全性标准会在 _dry run(试运行)_ |
| 86 | +模式下运行,在这种模式下会生成新策略如何处理现有 Pod 的信息, |
| 87 | +但不会真正更新策略。 |
| 88 | + |
| 89 | +```shell |
| 90 | +kubectl label --dry-run=server --overwrite ns --all \ |
| 91 | + pod-security.kubernetes.io/enforce=baseline |
| 92 | +``` |
| 93 | + |
| 94 | +<!-- |
| 95 | +### Applying to all namespaces |
| 96 | +--> |
| 97 | +### 应用到所有名字空间 |
| 98 | + |
| 99 | +<!-- |
| 100 | +If you're just getting started with the Pod Security Standards, a suitable first step would be to |
| 101 | +configure all namespaces with audit annotations for a stricter level such as `baseline`: |
| 102 | +--> |
| 103 | +如果你是刚刚开始使用 Pod 安全性标准,一种比较合适的初始步骤是针对所有名字空间为类似 |
| 104 | +`baseline` 这种比较严格的安全级别配置审计注解。 |
| 105 | + |
| 106 | +```shell |
| 107 | +kubectl label --overwrite ns --all \ |
| 108 | + pod-security.kubernetes.io/audit=baseline \ |
| 109 | + pod-security.kubernetes.io/warn=baseline |
| 110 | +``` |
| 111 | + |
| 112 | +<!-- |
| 113 | +Note that this is not setting an enforce level, so that namespaces that haven't been explicitly |
| 114 | +evaluated can be distinguished. You can list namespaces without an explicitly set enforce level |
| 115 | +using this command: |
| 116 | +--> |
| 117 | +注意,这里没有设置 enforce 级别,因而没有被显式评估的名字空间可以被识别出来。 |
| 118 | +你可以使用下面的命令列举那些没有显式设置 enforce 级别的名字空间: |
| 119 | + |
| 120 | +```shell |
| 121 | +kubectl get namespaces --selector='!pod-security.kubernetes.io/enforce' |
| 122 | +``` |
| 123 | + |
| 124 | +<!-- |
| 125 | +### Applying to a single namespace |
| 126 | +--> |
| 127 | +### 应用到单个名字空间 |
| 128 | + |
| 129 | +<!-- |
| 130 | +You can update a specific namespace as well. This command adds the `enforce=restricted` |
| 131 | +policy to `my-existing-namespace`, pinning the restricted policy version to v{{< skew latestVersion >}}. |
| 132 | +--> |
| 133 | +你也可以更新特定的名字空间。下面的命令将 `enforce=restricted` 策略应用到 |
| 134 | +`my-existing-namespace` 名字空间,将 restricted 策略的版本锁定到 v{{< skew latestVersion >}}。 |
| 135 | + |
| 136 | +```shell |
| 137 | +kubectl label --overwrite ns my-existing-namespace \ |
| 138 | + pod-security.kubernetes.io/enforce=restricted \ |
| 139 | + pod-security.kubernetes.io/enforce-version=v{{< skew latestVersion >}} |
| 140 | +``` |
| 141 | + |
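Review bot: The translated heading `## 通过名字空间标签来要求实施 \`baseline\` Pod 容器标准` mistranslates "Pod Security Standard" as "Pod 容器标准" ("Pod container standard"); it should read `## 通过名字空间标签来要求实施 \`baseline\` Pod 安全性标准`, matching the English source line directly above it and the page title `使用名字空间标签来实施 Pod 安全性标准`. While fixing that, the intro sentence uses `Pod 安全标准` where the title and the later sections use `Pod 安全性标准`; pick one term (the title's `Pod 安全性标准`) for the link text so readers searching the docs see a single name for the feature.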