Merge pull request #44549 from hunshcn/sysctl-zh
[zh-cn] sync pod-security-standards.md user-namespaces.md sysctl-cluster.md
k8s-ci-robot authored Dec 30, 2023
2 parents d0a5e23 + dccbe9f commit 5c1b76a
Showing 3 changed files with 83 additions and 12 deletions.
19 changes: 19 additions & 0 deletions content/zh-cn/docs/concepts/security/pod-security-standards.md
@@ -316,6 +316,10 @@ fail validation.
<li><code>net.ipv4.tcp_syncookies</code></li>
<li><code>net.ipv4.ping_group_range</code></li>
<li><code>net.ipv4.ip_local_reserved_ports</code><!-- (since Kubernetes 1.27)-->(从 Kubernetes 1.27 开始)</li>
<li><code>net.ipv4.tcp_keepalive_time</code><!-- (since Kubernetes 1.29)-->(从 Kubernetes 1.29 开始)</li>
<li><code>net.ipv4.tcp_fin_timeout</code><!-- (since Kubernetes 1.29)-->(从 Kubernetes 1.29 开始)</li>
<li><code>net.ipv4.tcp_keepalive_intvl</code><!-- (since Kubernetes 1.29)-->(从 Kubernetes 1.29 开始)</li>
<li><code>net.ipv4.tcp_keepalive_probes</code><!-- (since Kubernetes 1.29)-->(从 Kubernetes 1.29 开始)</li>
</ul>
</td>
</tr>
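Review bot: the four new rows carry only "(从 Kubernetes 1.29 开始)", while the sysctl-cluster.md hunk in this same commit records a kernel floor for each of them (`net.ipv4.tcp_keepalive_time`, `net.ipv4.tcp_keepalive_intvl` and `net.ipv4.tcp_keepalive_probes` need kernel 4.5+, `net.ipv4.tcp_fin_timeout` needs 4.6+). This table is what a reader consults to learn what the Baseline policy admits, so the kernel requirement is the one qualification a cluster operator needs at this point; either carry the same "(需要 kernel 4.5+)" wording into these rows or add a pointer to the task page. The bare `<!-- (since Kubernetes 1.29)-->` comments mirror the existing 1.27 row, so the comment-then-translation pattern itself is consistent.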
@@ -594,6 +598,21 @@ Restrictions on the following controls are only required if `.spec.os.name` is n
- Seccomp
- Linux 权能

<!--
## User namespaces
User Namespaces are a Linux-only feature to run workloads with increased
isolation. How they work together with Pod Security Standards is described in
the [documentation](/docs/concepts/workloads/pods/user-namespaces#integration-with-pod-security-admission-checks) for Pods that use user namespaces.
-->
## 用户命名空间 {#user-namespaces}

用户命名空间是 Linux 特有的功能,可在运行工作负载时提高隔离度。
关于用户命名空间如何与 PodSecurityStandard 协同工作,
请参阅
[文档](/zh-cn/docs/concepts/workloads/pods/user-namespaces#integration-with-pod-security-admission-checks)
了解 Pod 如何使用用户命名空间。

<!--
## FAQ
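Review bot: terminology drift in "关于用户命名空间如何与 PodSecurityStandard 协同工作": this hunk leaves the term as the unspaced English "PodSecurityStandard", while the user-namespaces.md hunk in the same commit translates it as "Pod 安全性标准"; pick one rendering across both files. The link sentence also shifts the meaning slightly: the English says the interaction "is described in the documentation for Pods that use user namespaces", whereas "请参阅 [文档](...) 了解 Pod 如何使用用户命名空间" reads as "see the documentation to learn how Pods use user namespaces". Something like "请参阅使用用户命名空间的 Pod 的[文档](...)" keeps the original sense. The explicit `{#user-namespaces}` anchor is the right call, since the Chinese heading would not otherwise produce the id that cross-links target, and the `#integration-with-pod-security-admission-checks` fragment matches the anchor the user-namespaces.md hunk declares.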
44 changes: 44 additions & 0 deletions content/zh-cn/docs/concepts/workloads/pods/user-namespaces.md
@@ -279,6 +279,50 @@ Pod 的 UID/GID 不会与主机的文件所有者/组相匹配。

[CVE-2021-25741]: https://github.com/kubernetes/kubernetes/issues/104980

<!--
## Integration with Pod security admission checks
-->
## 与 Pod 安全准入检查的集成 {#integration-with-pod-security-admission-checks}

{{< feature-state state="alpha" for_k8s_version="v1.29" >}}

<!--
For Linux Pods that enable user namespaces, Kubernetes relaxes the application of
[Pod Security Standards](/docs/concepts/security/pod-security-standards) in a controlled way.
This behavior can be controlled by the [feature
gate](/docs/reference/command-line-tools-reference/feature-gates/)
`UserNamespacesPodSecurityStandards`, which allows an early opt-in for end
users. Admins have to ensure that user namespaces are enabled by all nodes
within the cluster if using the feature gate.
-->
对于启用了用户命名空间的 Linux Pod,Kubernetes 会以受控方式放宽
[Pod 安全性标准](/zh-cn/docs/concepts/security/pod-security-standards)的应用。
这种行为可以通过[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)
`UserNamespacesPodSecurityStandards` 进行控制,可以让最终用户提前尝试此特性。
如果管理员启用此特性门控,必须确保群集中的所有节点都启用了用户命名空间。

<!--
If you enable the associated feature gate and create a Pod that uses user
namespaces, the following fields won't be constrained even in contexts that enforce the
_Baseline_ or _Restricted_ pod security standard. This behavior does not
present a security concern because `root` inside a Pod with user namespaces
actually refers to the user inside the container, that is never mapped to a
privileged user on the host. Here's the list of fields that are **not** checks for Pods in those
circumstances:
-->
如果你启用相关特性门控并创建了使用用户命名空间的 Pod,以下的字段不会被限制,
即使在执行了 _Baseline__Restricted_ Pod 安全性标准的上下文中。这种行为不会带来安全问题,
因为带有用户命名空间的 Pod 内的 `root` 实际上指的是容器内的用户,绝不会映射到主机上的特权用户。
以下是在这种情况下**不进行**检查的 Pod 字段列表:

- `spec.securityContext.runAsNonRoot`
- `spec.containers[*].securityContext.runAsNonRoot`
- `spec.initContainers[*].securityContext.runAsNonRoot`
- `spec.ephemeralContainers[*].securityContext.runAsNonRoot`
- `spec.securityContext.runAsUser`
- `spec.containers[*].securityContext.runAsUser`
- `spec.initContainers[*].securityContext.runAsUser`

<!--
## Limitations
-->
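Review bot: the line "即使在执行了 _Baseline__Restricted_ Pod 安全性标准的上下文中" has lost the conjunction: the English is "_Baseline_ or _Restricted_", but "_Baseline__Restricted_" runs the two emphasis spans together with no "或" between them, and the resulting `__` will not render as the close of one span and the open of the next; write "_Baseline_ 或 _Restricted_". Also "群集" in "必须确保群集中的所有节点" should be "集群", the form used for cluster elsewhere in this localization. One thing to confirm against upstream rather than change in the translation: the `runAsNonRoot` list covers `spec.ephemeralContainers[*]`, but the `runAsUser` list stops at `spec.initContainers[*]`; the asymmetry is present in the English source as quoted, so the translation is faithful, but it is worth raising upstream if it is an omission, since these are exactly the fields the Baseline and Restricted checks skip for user-namespaced Pods. The English comment's "fields that are **not** checks" is an upstream grammar slip for "not checked"; the translation "**不进行**检查" already reads correctly.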
32 changes: 20 additions & 12 deletions content/zh-cn/docs/tasks/administer-cluster/sysctl-cluster.md
@@ -129,19 +129,27 @@ The following sysctls are supported in the _safe_ set:
以下几种 sysctl 参数是 **安全的**

<!--
- `kernel.shm_rmid_forced`,
- `net.ipv4.ip_local_port_range`,
- `net.ipv4.tcp_syncookies`,
- `net.ipv4.ping_group_range` (since Kubernetes 1.18),
- `net.ipv4.ip_unprivileged_port_start` (since Kubernetes 1.22),
- `net.ipv4.ip_local_reserved_ports` (since Kubernetes 1.27).
- `kernel.shm_rmid_forced`;
- `net.ipv4.ip_local_port_range`;
- `net.ipv4.tcp_syncookies`;
- `net.ipv4.ping_group_range` (since Kubernetes 1.18);
- `net.ipv4.ip_unprivileged_port_start` (since Kubernetes 1.22);
- `net.ipv4.ip_local_reserved_ports` (since Kubernetes 1.27, needs kernel 3.16+);
- `net.ipv4.tcp_keepalive_time` (since Kubernetes 1.29, needs kernel 4.5+);
- `net.ipv4.tcp_fin_timeout` (since Kubernetes 1.29, needs kernel 4.6+);
- `net.ipv4.tcp_keepalive_intvl` (since Kubernetes 1.29, needs kernel 4.5+);
- `net.ipv4.tcp_keepalive_probes` (since Kubernetes 1.29, needs kernel 4.5+).
-->
- `kernel.shm_rmid_forced`,
- `net.ipv4.ip_local_port_range`,
- `net.ipv4.tcp_syncookies`,
- `net.ipv4.ping_group_range`(从 Kubernetes 1.18 开始),
- `net.ipv4.ip_unprivileged_port_start`(从 Kubernetes 1.22 开始),
- `net.ipv4.ip_local_reserved_ports`(从 Kubernetes 1.27 开始)。
- `kernel.shm_rmid_forced`
- `net.ipv4.ip_local_port_range`
- `net.ipv4.tcp_syncookies`
- `net.ipv4.ping_group_range`(从 Kubernetes 1.18 开始);
- `net.ipv4.ip_unprivileged_port_start`(从 Kubernetes 1.22 开始);
- `net.ipv4.ip_local_reserved_ports`(从 Kubernetes 1.27 开始,需要 kernel 3.16+);
- `net.ipv4.tcp_keepalive_time`(从 Kubernetes 1.29 开始,需要 kernel 4.5+);
- `net.ipv4.tcp_fin_timeout`(从 Kubernetes 1.29 开始,需要 kernel 4.6+);
- `net.ipv4.tcp_keepalive_intvl`(从 Kubernetes 1.29 开始,需要 kernel 4.5+);
- `net.ipv4.tcp_keepalive_probes`(从 Kubernetes 1.29 开始,需要 kernel 4.5+)。

{{< note >}}
<!--
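Review bot: punctuation is inconsistent across the rewritten list: the first three items (`kernel.shm_rmid_forced`, `net.ipv4.ip_local_port_range`, `net.ipv4.tcp_syncookies`) carry no trailing punctuation, the next items end with "；", the last with "。", and the English comment uses ";" on every line; either terminate every item or none. The kernel floors added to the English (3.16+ for `net.ipv4.ip_local_reserved_ports`, 4.5+ for the three `tcp_keepalive_*` parameters, 4.6+ for `net.ipv4.tcp_fin_timeout`) are carried into the translation, which is the operationally important part of this change: a reader of the pod-security-standards.md table in this same commit does not see them, so this list is the only place in the localization that states when each "safe" sysctl is actually available. The unchanged lead-in "以下几种 sysctl 参数是 **安全的**" is missing the colon that introduces the list; worth fixing while the block is being touched.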
