Skip to content

Commit 86f3cc9

Browse files
windsonseawindsonsea
committed
[zh] Sync pod-security-standards.md
1 parent a188498 commit 86f3cc9

File tree

1 file changed

+98
-9
lines changed

1 file changed

+98
-9
lines changed

content/zh-cn/docs/concepts/security/pod-security-standards.md

Lines changed: 98 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -141,7 +141,12 @@ fail validation.
141141
<tr>
142142
<td style="white-space: nowrap"><!--Privileged Containers-->特权容器</td>
143143
<td>
144-
<p><!--Privileged Pods disable most security mechanisms and must be disallowed.-->特权 Pod 会使大多数安全性机制失效,必须被禁止。</p>
144+
<p>
145+
<!--
146+
Privileged Pods disable most security mechanisms and must be disallowed.
147+
-->
148+
特权 Pod 会使大多数安全性机制失效,必须被禁止。
149+
</p>
145150
<p><strong><!--Restricted Fields-->限制的字段</strong></p>
146151
<ul>
147152
<li><code>spec.containers[*].securityContext.privileged</code></li>
@@ -158,7 +163,12 @@ fail validation.
158163
<tr>
159164
<td style="white-space: nowrap"><!--Capabilities-->权能</td>
160165
<td>
161-
<p><!--Adding additional capabilities beyond those listed below must be disallowed.-->必须禁止添加除下列字段之外的权能。</p>
166+
<p>
167+
<!--
168+
Adding additional capabilities beyond those listed below must be disallowed.
169+
-->
170+
必须禁止添加除下列字段之外的权能。
171+
</p>
162172
<p><strong><!--Restricted Fields-->限制的字段</strong></p>
163173
<ul>
164174
<li><code>spec.containers[*].securityContext.capabilities.add</code></li>
@@ -201,7 +211,12 @@ fail validation.
201211
<tr>
202212
<td style="white-space: nowrap"><!--Host Ports-->宿主端口</td>
203213
<td>
204-
<p><!--HostPorts should be disallowed entirely (recommended) or restricted to a known list.-->应该完全禁止使用宿主端口(推荐)或者至少限制只能使用某确定列表中的端口。</p>
214+
<p>
215+
<!--
216+
HostPorts should be disallowed entirely (recommended) or restricted to a known list.
217+
-->
218+
应该完全禁止使用宿主端口(推荐)或者至少限制只能使用某确定列表中的端口。
219+
</p>
205220
<p><strong><!--Restricted Fields-->限制的字段</strong></p>
206221
<ul>
207222
<li><code>spec.containers[*].ports[*].hostPort</code></li>
@@ -217,6 +232,65 @@ fail validation.
217232
</ul>
218233
</td>
219234
</tr>
235+
<tr>
236+
<td>
237+
<!--
238+
Host Probes / Lifecycle Hooks (v1.34+)
239+
-->
240+
主机探针/生命周期回调(v1.34+)
241+
</td>
242+
<td>
243+
<p>
244+
<!--
245+
The Host field in probes and lifecycle hooks must be disallowed.
246+
-->
247+
探针和生命周期回调中的 Host 字段必须被禁止使用。
248+
</p>
249+
<p><strong>
250+
<!--
251+
Restricted Fields
252+
-->
253+
限制的字段
254+
</strong></p>
255+
<ul>
256+
<li><code>spec.containers[*].livenessProbe.httpGet.host</code></li>
257+
<li><code>spec.containers[*].readinessProbe.httpGet.host</code></li>
258+
<li><code>spec.containers[*].startupProbe.httpGet.host</code></li>
259+
<li><code>spec.containers[*].livenessProbe.tcpSocket.host</code></li>
260+
<li><code>spec.containers[*].readinessProbe.tcpSocket.host</code></li>
261+
<li><code>spec.containers[*].startupProbe.tcpSocket.host</code></li>
262+
<li><code>spec.containers[*].lifecycle.postStart.tcpSocket.host</code>
263+
<li><code>spec.containers[*].lifecycle.preStop.tcpSocket.host</code>
264+
<li><code>spec.containers[*].lifecycle.postStart.httpGet.host</code></li>
265+
<li><code>spec.containers[*].lifecycle.preStop.httpGet.host</code></li>
266+
<li><code>spec.initContainers[*].livenessProbe.httpGet.host</code></li>
267+
<li><code>spec.initContainers[*].readinessProbe.httpGet.host</code></li>
268+
<li><code>spec.initContainers[*].startupProbe.httpGet.host</code></li>
269+
<li><code>spec.initContainers[*].livenessProbe.tcpSocket.host</code></li>
270+
<li><code>spec.initContainers[*].readinessProbe.tcpSocket.host</code></li>
271+
<li><code>spec.initContainers[*].startupProbe.tcpSocket.host</code></li>
272+
<li><code>spec.initContainers[*].lifecycle.postStart.tcpSocket.host</code>
273+
<li><code>spec.initContainers[*].lifecycle.preStop.tcpSocket.host</code>
274+
<li><code>spec.initContainers[*].lifecycle.postStart.httpGet.host</code></li>
275+
<li><code>spec.initContainers[*].lifecycle.preStop.httpGet.host</code></li>
276+
</ul>
277+
<p><strong>
278+
<!--
279+
Allowed Values
280+
-->
281+
准许的取值
282+
</strong></p>
283+
<ul>
284+
<li>
285+
<!--
286+
Undefined/nil
287+
-->
288+
未定义、nil
289+
</li>
290+
<li>""</li>
291+
</ul>
292+
</td>
293+
</tr>
220294
<tr>
221295
<td style="white-space: nowrap">AppArmor</td>
222296
<td>
@@ -236,7 +310,7 @@ fail validation.
236310
</ul>
237311
<p><strong><!--Allowed Values-->准许的取值<</strong></p>
238312
<ul>
239-
<li>Undefined/nil</li>
313+
<li><!--Undefined/nil-->未定义、nil</li>
240314
<li><code>RuntimeDefault</code></li>
241315
<li><code>Localhost</code></li>
242316
</ul>
@@ -297,7 +371,12 @@ fail validation.
297371
<tr>
298372
<td style="white-space: nowrap"><code>/proc</code><!--Mount Type-->挂载类型</td>
299373
<td>
300-
<p><!--The default <code>/proc</code> masks are set up to reduce attack surface, and should be required.-->要求使用默认的 <code>/proc</code> 掩码以减小攻击面。</p>
374+
<p>
375+
<!--
376+
The default <code>/proc</code> masks are set up to reduce attack surface, and should be required.
377+
-->
378+
要求使用默认的 <code>/proc</code> 掩码以减小攻击面。
379+
</p>
301380
<p><strong><!--Restricted Fields-->限制的字段</strong></p>
302381
<ul>
303382
<li><code>spec.containers[*].securityContext.procMount</code></li>
@@ -314,7 +393,12 @@ fail validation.
314393
<tr>
315394
<td>Seccomp</td>
316395
<td>
317-
<p><!--Seccomp profile must not be explicitly set to <code>Unconfined</code>.-->Seccomp 配置必须不能显式设置为 <code>Unconfined</code>。</p>
396+
<p>
397+
<!--
398+
Seccomp profile must not be explicitly set to <code>Unconfined</code>.
399+
-->
400+
Seccomp 配置必须不能显式设置为 <code>Unconfined</code>。
401+
</p>
318402
<p><strong><!--Restricted Fields-->限制的字段</strong></p>
319403
<ul>
320404
<li><code>spec.securityContext.seccompProfile.type</code></li>
@@ -456,8 +540,12 @@ fail validation.
456540
<li><code>true</code></li>
457541
</ul>
458542
<small>
459-
<!--The container fields may be undefined/<code>nil</code> if the pod-level
460-
<code>spec.securityContext.runAsNonRoot</code> is set to <code>true</code>.-->如果 Pod 级别 <code>spec.securityContext.runAsNonRoot</code> 设置为 <code>true</code>,则允许容器组的安全上下文字段设置为 未定义/<code>nil</code>。
543+
<!--
544+
The container fields may be undefined/<code>nil</code> if the pod-level
545+
<code>spec.securityContext.runAsNonRoot</code> is set to <code>true</code>.
546+
-->
547+
如果 Pod 级别 <code>spec.securityContext.runAsNonRoot</code> 设置为 <code>true</code>,
548+
则允许容器组的安全上下文字段设置为未定义/<code>nil</code>。
461549
</small>
462550
</td>
463551
</tr>
@@ -518,7 +606,8 @@ fail validation.
518606
the <code>NET_BIND_SERVICE</code> capability. <em><a href="#os-specific-policy-controls">This is Linux only policy</a> in v1.25+ <code>(.spec.os.name != "windows")</code></em>
519607
-->
520608
容器必须弃用 <code>ALL</code> 权能,并且只允许添加
521-
<code>NET_BIND_SERVICE</code> 权能。<em><a href="#policies-specific-to-linux">这是 v1.25+ 中仅针对 Linux 的策略</a> <code>(.spec.os.name != "windows")</code></em>
609+
<code>NET_BIND_SERVICE</code> 权能。<em><a href="#policies-specific-to-linux">这是
610+
v1.25+ 中仅针对 Linux 的策略</a> <code>(.spec.os.name != "windows")</code></em>。
522611
</p>
523612
<p><strong><!--Restricted Fields-->限制的字段</strong></p>
524613
<ul>

0 commit comments

Comments
 (0)