kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

sync en zh example yaml (#19778)

This commit is contained in:
chentanjun 2020-03-23 11:32:45 +08:00 committed by GitHub
parent 9a332233c0
commit 09fc6f9e03
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 99 additions and 99 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

96
content/zh/examples/policy/restricted-psp.yaml
View File

@ -1,48 +1,48 @@
apiVersion: policy/v1beta1 apiVersion: policy/v1beta1
kind: PodSecurityPolicy kind: PodSecurityPolicy
metadata: metadata:
name: restricted name: restricted
annotations: annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec: spec:
privileged: false privileged: false
# Required to prevent escalations to root. # Required to prevent escalations to root.
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
# This is redundant with non-root + disallow privilege escalation, # This is redundant with non-root + disallow privilege escalation,
# but we can provide it for defense in depth. # but we can provide it for defense in depth.
requiredDropCapabilities: requiredDropCapabilities:
- ALL - ALL
# Allow core volume types. # Allow core volume types.
volumes: volumes:
- 'configMap' - 'configMap'
- 'emptyDir' - 'emptyDir'
- 'projected' - 'projected'
- 'secret' - 'secret'
- 'downwardAPI' - 'downwardAPI'
# Assume that persistentVolumes set up by the cluster admin are safe to use. # Assume that persistentVolumes set up by the cluster admin are safe to use.
- 'persistentVolumeClaim' - 'persistentVolumeClaim'
hostNetwork: false hostNetwork: false
hostIPC: false hostIPC: false
hostPID: false hostPID: false
runAsUser: runAsUser:
# Require the container to run without root privileges. # Require the container to run without root privileges.
rule: 'MustRunAsNonRoot' rule: 'MustRunAsNonRoot'
seLinux: seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux. # This policy assumes the nodes are using AppArmor rather than SELinux.
rule: 'RunAsAny' rule: 'RunAsAny'
supplementalGroups: supplementalGroups:
rule: 'MustRunAs' rule: 'MustRunAs'
ranges: ranges:
# Forbid adding the root group. # Forbid adding the root group.
- min: 1 - min: 1
max: 65535 max: 65535
fsGroup: fsGroup:
rule: 'MustRunAs' rule: 'MustRunAs'
ranges: ranges:
# Forbid adding the root group. # Forbid adding the root group.
- min: 1 - min: 1
max: 65535 max: 65535
readOnlyRootFilesystem: false readOnlyRootFilesystem: false

40
content/zh/examples/windows/emptydir-pod.yaml
View File

@ -1,20 +1,20 @@
apiVersion: v1 apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
name: my-empty-dir-pod name: my-empty-dir-pod
spec: spec:
containers: containers:
- image: microsoft/windowsservercore:1709 - image: microsoft/windowsservercore:1709
name: my-empty-dir-pod name: my-empty-dir-pod
volumeMounts: volumeMounts:
- mountPath: /cache - mountPath: /cache
name: cache-volume name: cache-volume
- mountPath: C:/scratch - mountPath: C:/scratch
name: scratch-volume name: scratch-volume
volumes: volumes:
- name: cache-volume - name: cache-volume
emptyDir: {} emptyDir: {}
- name: scratch-volume - name: scratch-volume
emptyDir: {} emptyDir: {}
nodeSelector: nodeSelector:
beta.kubernetes.io/os: windows beta.kubernetes.io/os: windows

34
content/zh/examples/windows/run-as-username-container.yaml
View File

@ -1,17 +1,17 @@
apiVersion: v1 apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
name: run-as-username-container-demo name: run-as-username-container-demo
spec: spec:
securityContext: securityContext:
windowsOptions: windowsOptions:
runAsUserName: "ContainerUser" runAsUserName: "ContainerUser"
containers: containers:
- name: run-as-username-demo - name: run-as-username-demo
image: mcr.microsoft.com/windows/servercore:ltsc2019 image: mcr.microsoft.com/windows/servercore:ltsc2019
command: ["ping", "-t", "localhost"] command: ["ping", "-t", "localhost"]
securityContext: securityContext:
windowsOptions: windowsOptions:
runAsUserName: "ContainerAdministrator" runAsUserName: "ContainerAdministrator"
nodeSelector: nodeSelector:
beta.kubernetes.io/os: windows kubernetes.io/os: windows

28
content/zh/examples/windows/run-as-username-pod.yaml
View File

@ -1,14 +1,14 @@
apiVersion: v1 apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
name: run-as-username-pod-demo name: run-as-username-pod-demo
spec: spec:
securityContext: securityContext:
windowsOptions: windowsOptions:
runAsUserName: "ContainerUser" runAsUserName: "ContainerUser"
containers: containers:
- name: run-as-username-demo - name: run-as-username-demo
image: mcr.microsoft.com/windows/servercore:ltsc2019 image: mcr.microsoft.com/windows/servercore:ltsc2019
command: ["ping", "-t", "localhost"] command: ["ping", "-t", "localhost"]
nodeSelector: nodeSelector:
beta.kubernetes.io/os: windows kubernetes.io/os: windows