Commit
Apply suggestions from code review
Co-authored-by: Dmitry Shurupov <dmitry.shurupov@palark.com>
Update assign-pod-node.md
Copy /docs/reference/issues-security/* from EN
Update content/ru/docs/concepts/scheduling-eviction/assign-pod-node.md
Add examples/pods/*.yaml files
Translate _index.md
Translate issues.md
Update issues.md
Translate official-cve-feed.md
Translate official-cve-feed.md
Translate security.md
Update _index.md
Update issues.md
Apply suggestions from code review
Co-authored-by: Dmitry Shurupov <dmitry.shurupov@palark.com>
1 parent 6f3462a, commit 354d577
Showing 31 changed files with 933 additions and 0 deletions.
content/ru/docs/concepts/scheduling-eviction/assign-pod-node.md (349 changes: 349 additions & 0 deletions)
Large diffs are not rendered by default.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
--- | ||
title: Проблемы и безопасность Kubernetes | ||
weight: 70 | ||
--- |
@@ -0,0 +1,15 @@ | ||
--- | ||
title: Трекер задач (Issues) Kubernetes | ||
weight: 10 | ||
aliases: [/cve/,/cves/] | ||
--- | ||
|
||
Чтобы сообщить о проблеме в области безопасности, воспользуйтесь процедурой [раскрытия информации о безопасности Kubernetes](/docs/reference/issues-security/security/#report-a-vulnerability). | ||
|
||
Механизм [GitHub Issues](https://github.com/kubernetes/kubernetes/issues/) позволяет работать с кодом Kubernetes и отслеживать активные задачи. | ||
|
||
* Официальный [список известных CVE](/docs/reference/issues-security/official-cve-feed/) | ||
(уязвимостей в области безопасности), которые были обнародованы [Комитетом по реагированию на угрозы в области безопасности Kubernetes](https://github.com/kubernetes/committee-security-response). | ||
* [Issues на GitHub, связанные с CVE](https://github.com/kubernetes/kubernetes/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Aarea%2Fsecurity+in%3Atitle+CVE) | ||
|
||
Связанные с безопасностью анонсы публикуются в рассылке [kubernetes-security-announce@googlegroups.com](https://groups.google.com/forum/#!forum/kubernetes-security-announce). |
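Review bot: the body that publishes the CVE list is rendered here as «Комитетом по реагированию на угрозы в области безопасности Kubernetes», while official-cve-feed.md in this same commit says «Комитетом по реагированию на проблемы безопасности Kubernetes» and security.md says «Комитет по реагированию на угрозы безопасности». The three pages cross-link each other, so pick one Russian rendering of "Security Response Committee" and use it in all of them.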
content/ru/docs/reference/issues-security/official-cve-feed.md (39 changes: 39 additions & 0 deletions)
@@ -0,0 +1,39 @@ | ||
--- | ||
title: Официальный CVE-фид | ||
weight: 25 | ||
outputs: | ||
- json | ||
- html | ||
layout: cve-feed | ||
--- | ||
|
||
{{< feature-state for_k8s_version="v1.25" state="alpha" >}} | ||
|
||
Поддерживаемый сообществом список официальных CVE, анонсированных | ||
Комитетом по реагированию на проблемы безопасности Kubernetes. Подробности см. на странице | ||
[Общие сведения о безопасности Kubernetes и раскрытии информации](/docs/reference/issues-security/security/). | ||
|
||
Проект Kubernetes публикует доступный для автоматического считывания [JSON-фид](/docs/reference/issues-security/official-cve-feed/index.json), включающий анонсированные проблемы в области безопасности. Доступ к нему можно получить, выполнив следующую команду: | ||
|
||
{{< comment >}} | ||
`replace` используется для обхода известной проблемы с рендерингом ">" | ||
: https://github.com/gohugoio/hugo/issues/7229 в шаблоне макетов JSON | ||
`layouts/_default/cve-feed.json` | ||
{{< /comment >}} | ||
|
||
```shell | ||
curl -Lv https://k8s.io/docs/reference/issues-security/official-cve-feed/index.json | ||
``` | ||
|
||
{{< cve-feed >}} | ||
|
||
<!-- | CVE ID | Краткое описание проблемы | Ссылка на Issue на GitHub'е | | ||
| ----------- | ----------- | --------- | | ||
| [CVE-2021-25741](https://www.cve.org/CVERecord?id=CVE-2021-25741) | Symlink Exchange Can Allow Host Filesystem Access | [#104980](https://github.com/kubernetes/kubernetes/issues/104980) | | ||
| [CVE-2020-8565](https://www.cve.org/CVERecord?id=CVE-2020-8565) | Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9 | [#95623](https://github.com/kubernetes/kubernetes/issues/95623) | --> | ||
|
||
Список автоматически обновляется с заметной, но небольшой задержкой (от нескольких минут до нескольких часов) | ||
с момента анонса CVE до момента его появления в этом фиде. | ||
В качестве источника используется набор GitHub Issues, отфильтрованный по контролируемому и | ||
ограниченному лейблу `official-cve-feed`. Исходные данные хранятся в бакете Google Cloud, | ||
право на запись в который есть только у небольшого числа доверенных представителей сообщества. |
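Review bot: the paragraph introduces the feed as machine-readable JSON and then shows `curl -Lv ...index.json`; `-v` writes request and response headers to stderr, which is noise for anyone piping the output into a JSON tool, so `curl -Ls` (or just `-L`) would match the stated purpose better. Also worth a check: the inline link uses the site-relative path `/docs/reference/issues-security/official-cve-feed/index.json`, whereas the command uses the absolute `https://k8s.io/docs/...` URL, so confirm the ru build emits `index.json` at the localized path (the front matter does declare `outputs: json, html`) or the two references will resolve to different documents.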
@@ -0,0 +1,55 @@ | ||
--- | ||
title: Общие сведения о безопасности Kubernetes и раскрытии информации | ||
aliases: [/security/] | ||
reviewers: | ||
- eparis | ||
- erictune | ||
- philips | ||
- jessfraz | ||
content_type: concept | ||
weight: 20 | ||
--- | ||
|
||
<!-- overview --> | ||
На этой странице приводятся общие сведения о безопасности Kubernetes и раскрытии информации, имеющей к ней отношение. | ||
|
||
|
||
<!-- body --> | ||
## Анонсы в области безопасности | ||
|
||
Информация о проблемах в области безопасности и ключевых изменениях API доступна в рассылке [kubernetes-security-announce](https://groups.google.com/forum/#!forum/kubernetes-security-announce). | ||
|
||
## Сообщить об уязвимости | ||
|
||
Мы искренне признательны исследователям в области безопасности и пользователям, которые передают информацию об уязвимостях в Open Source-сообщество Kubernetes. Все отчеты тщательно изучаются группой добровольцев сообщества. | ||
|
||
Чтобы создать отчет, отправьте свою уязвимость в [программу поиска багов Kubernetes](https://hackerone.com/kubernetes). Это позволит отследить и обработать уязвимость в стандартные сроки. | ||
|
||
Также можно оправить [стандартное письмо об ошибках Kubernetes](https://github.com/kubernetes/kubernetes/blob/master/.github/ISSUE_TEMPLATE/bug-report.yaml) с описанием проблемы и ее подробностями в закрытый список [security@kubernetes.io](mailto:security@kubernetes.io). | ||
|
||
Письмо можно зашифровать, используя GPG ключи [членов Комитета по безопасности](https://git.k8s.io/security/README.md#product-security-committee-psc). Шифрование с использованием GPG НЕ является обязательным. | ||
|
||
### Когда следует сообщать об уязвимости | ||
|
||
- Обнаружена уязвимость, способная повлиять на безопасность Kubernetes. | ||
- Вы не уверены, как именно уязвимость повлияет на Kubernetes, но у вас есть серьезные основания полагать, что она может ударить по безопасности оркестратора. | ||
- Обнаружена уязвимость в проекте, от которого зависит работа Kubernetes. | ||
- Если у проекта имеется собственный регламент регистрации и раскрытия информации об уязвимостях, пожалуйста, следуйте ему и пишите сразу в проект. | ||
|
||
### Когда НЕ следует сообщать об уязвимости | ||
|
||
- Вам нужна помощь в настройке компонентов Kubernetes для обеспечения безопасности. | ||
- Вам нужна помощь в применении обновлений, связанных с безопасностью. | ||
- Проблема не связана с безопасностью. | ||
|
||
## Реагирование на уязвимости в области безопасности | ||
|
||
Каждый отчет об уязвимости анализируется членами Комитета по реагированию на угрозы безопасности в течение 3 рабочих дней (автор получает подтверждение). После этого [запускается соответствующая процедура](https://git.k8s.io/security/security-release-process.md#disclosures). | ||
|
||
Любая информация об уязвимостях, переданная Комитету по реагированию на угрозы безопасности, остается внутри проекта Kubernetes и не передается в другие проекты, если только это не требуется для устранения проблемы. | ||
|
||
Автору отчета будет сообщено о результатах триажа и дальнейших шагах по подготовке исправления и планированию релиза. | ||
|
||
## Сроки раскрытия информации | ||
|
||
Дата публичного раскрытия согласовывается Комитетом по реагированию на угрозы безопасности Kubernetes и автором отчета об уязвимости. Мы предпочитаем полностью раскрывать информацию об обнаруженной проблеме сразу после того, как станет понятно, какие шаги необходимо предпринять для устранения ее последствий. Разумно отложить раскрытие информации, если проблема или порядок дальнейших шагов не до конца понятны, решение плохо протестировано или необходима координация действий вендоров. Срок раскрытия информации варьируется от незамедлительного (особенно если она уже широко известна) до нескольких недель. Для "простых" уязвимостей с момента подачи отчета до даты раскрытия обычно проходит около 7 дней. Комитет по реагированию на угрозы безопасности сохраняет последнее слово при определении даты раскрытия информации. |
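Review bot: typo in the paragraph about emailing the private list: «Также можно оправить» should read «Также можно отправить». Two paragraphs later, «GPG ключи» would normally be hyphenated as «GPG-ключи». Also, the `reviewers:` list in the front matter (eparis, erictune, philips, jessfraz) was carried over from the EN page along with the rest of the copy; confirm that is intended for the ru tree rather than localization reviewers.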
@@ -0,0 +1,13 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: command-demo | ||
labels: | ||
purpose: demonstrate-command | ||
spec: | ||
containers: | ||
- name: command-demo-container | ||
image: debian | ||
command: ["printenv"] | ||
args: ["HOSTNAME", "KUBERNETES_PORT"] | ||
restartPolicy: OnFailure |
@@ -0,0 +1,30 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: init-demo | ||
spec: | ||
containers: | ||
- name: nginx | ||
image: nginx | ||
ports: | ||
- containerPort: 80 | ||
volumeMounts: | ||
- name: workdir | ||
mountPath: /usr/share/nginx/html | ||
# These containers are run during pod initialization | ||
initContainers: | ||
- name: install | ||
image: busybox:1.28 | ||
command: | ||
- wget | ||
- "-O" | ||
- "/work-dir/index.html" | ||
- http://info.cern.ch | ||
volumeMounts: | ||
- name: workdir | ||
mountPath: "/work-dir" | ||
dnsPolicy: Default | ||
volumes: | ||
- name: workdir | ||
emptyDir: {} | ||
|
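Review bot: the `install` init container fetches `http://info.cern.ch` over plain HTTP with `wget` and writes the response straight into the `workdir` volume that nginx then serves from `/usr/share/nginx/html`. That is fine for a demo copied from the upstream example, but a short comment saying the fetched content is untrusted sample data would stop readers from reusing the pattern for real content without TLS or integrity checks. While at it, the existing comment `# These containers are run during pod initialization` is still in English although the file is going into content/ru; consider translating it for consistency with the prose pages in this commit.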
@@ -0,0 +1,16 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: lifecycle-demo | ||
spec: | ||
containers: | ||
- name: lifecycle-demo-container | ||
image: nginx | ||
lifecycle: | ||
postStart: | ||
exec: | ||
command: ["/bin/sh", "-c", "echo Hello from the postStart handler > /usr/share/message"] | ||
preStop: | ||
exec: | ||
command: ["/bin/sh","-c","nginx -s quit; while killall -0 nginx; do sleep 1; done"] | ||
|
content/ru/examples/pods/pod-configmap-env-var-valueFrom.yaml (21 changes: 21 additions & 0 deletions)
@@ -0,0 +1,21 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: dapi-test-pod | ||
spec: | ||
containers: | ||
- name: test-container | ||
image: registry.k8s.io/busybox | ||
command: [ "/bin/echo", "$(SPECIAL_LEVEL_KEY) $(SPECIAL_TYPE_KEY)" ] | ||
env: | ||
- name: SPECIAL_LEVEL_KEY | ||
valueFrom: | ||
configMapKeyRef: | ||
name: special-config | ||
key: SPECIAL_LEVEL | ||
- name: SPECIAL_TYPE_KEY | ||
valueFrom: | ||
configMapKeyRef: | ||
name: special-config | ||
key: SPECIAL_TYPE | ||
restartPolicy: Never |
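Review bot: `image: registry.k8s.io/busybox` has no tag, so it resolves to `latest` and the pod pulls whatever that tag currently points to, while the init-containers example in this same commit pins `busybox:1.28`. Consider pinning the tag here and in the other `dapi-test-pod` examples below that use the same untagged image, so the ConfigMap walkthrough stays reproducible. Note also that `command` references `$(SPECIAL_LEVEL_KEY)` and `$(SPECIAL_TYPE_KEY)`, which Kubernetes expands from the `env` entries of the same container; the ConfigMap `special-config` with keys `SPECIAL_LEVEL` and `SPECIAL_TYPE` must exist before the pod is created, otherwise the container fails to start because the `configMapKeyRef` entries are not marked optional.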
@@ -0,0 +1,13 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: dapi-test-pod | ||
spec: | ||
containers: | ||
- name: test-container | ||
image: registry.k8s.io/busybox | ||
command: [ "/bin/sh", "-c", "env" ] | ||
envFrom: | ||
- configMapRef: | ||
name: special-config | ||
restartPolicy: Never |
content/ru/examples/pods/pod-configmap-volume-specific-key.yaml (20 changes: 20 additions & 0 deletions)
@@ -0,0 +1,20 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: dapi-test-pod | ||
spec: | ||
containers: | ||
- name: test-container | ||
image: registry.k8s.io/busybox | ||
command: [ "/bin/sh","-c","cat /etc/config/keys" ] | ||
volumeMounts: | ||
- name: config-volume | ||
mountPath: /etc/config | ||
volumes: | ||
- name: config-volume | ||
configMap: | ||
name: special-config | ||
items: | ||
- key: SPECIAL_LEVEL | ||
path: keys | ||
restartPolicy: Never |
@@ -0,0 +1,19 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: dapi-test-pod | ||
spec: | ||
containers: | ||
- name: test-container | ||
image: registry.k8s.io/busybox | ||
command: [ "/bin/sh", "-c", "ls /etc/config/" ] | ||
volumeMounts: | ||
- name: config-volume | ||
mountPath: /etc/config | ||
volumes: | ||
- name: config-volume | ||
configMap: | ||
# Provide the name of the ConfigMap containing the files you want | ||
# to add to the container | ||
name: special-config | ||
restartPolicy: Never |
content/ru/examples/pods/pod-multiple-configmap-env-variable.yaml (21 changes: 21 additions & 0 deletions)
@@ -0,0 +1,21 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: dapi-test-pod | ||
spec: | ||
containers: | ||
- name: test-container | ||
image: registry.k8s.io/busybox | ||
command: [ "/bin/sh", "-c", "env" ] | ||
env: | ||
- name: SPECIAL_LEVEL_KEY | ||
valueFrom: | ||
configMapKeyRef: | ||
name: special-config | ||
key: special.how | ||
- name: LOG_LEVEL | ||
valueFrom: | ||
configMapKeyRef: | ||
name: env-config | ||
key: log_level | ||
restartPolicy: Never |
content/ru/examples/pods/pod-nginx-preferred-affinity.yaml (19 changes: 19 additions & 0 deletions)
@@ -0,0 +1,19 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx | ||
spec: | ||
affinity: | ||
nodeAffinity: | ||
preferredDuringSchedulingIgnoredDuringExecution: | ||
- weight: 1 | ||
preference: | ||
matchExpressions: | ||
- key: disktype | ||
operator: In | ||
values: | ||
- ssd | ||
containers: | ||
- name: nginx | ||
image: nginx | ||
imagePullPolicy: IfNotPresent |
@@ -0,0 +1,18 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx | ||
spec: | ||
affinity: | ||
nodeAffinity: | ||
requiredDuringSchedulingIgnoredDuringExecution: | ||
nodeSelectorTerms: | ||
- matchExpressions: | ||
- key: disktype | ||
operator: In | ||
values: | ||
- ssd | ||
containers: | ||
- name: nginx | ||
image: nginx | ||
imagePullPolicy: IfNotPresent |
@@ -0,0 +1,10 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx | ||
spec: | ||
nodeName: foo-node # schedule pod to specific node | ||
containers: | ||
- name: nginx | ||
image: nginx | ||
imagePullPolicy: IfNotPresent |
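Review bot: `nodeName: foo-node` is a placeholder; a pod with `nodeName` set bypasses the scheduler entirely, and if no node by that name exists the pod simply stays Pending with no scheduling events to explain why. The page that embeds this example should tell readers to substitute a real node name, and the trailing English comment `# schedule pod to specific node` could be translated like the rest of the ru content in this commit.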
@@ -0,0 +1,13 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx | ||
labels: | ||
env: test | ||
spec: | ||
containers: | ||
- name: nginx | ||
image: nginx | ||
imagePullPolicy: IfNotPresent | ||
nodeSelector: | ||
disktype: ssd |
@@ -0,0 +1,20 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx | ||
spec: | ||
containers: | ||
- image: nginx | ||
name: nginx | ||
volumeMounts: | ||
- mountPath: /var/run/secrets/tokens | ||
name: vault-token | ||
serviceAccountName: build-robot | ||
volumes: | ||
- name: vault-token | ||
projected: | ||
sources: | ||
- serviceAccountToken: | ||
path: vault-token | ||
expirationSeconds: 7200 | ||
audience: vault |
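Review bot: the value of this example is that the projected `serviceAccountToken` is bound to `audience: vault` and limited to `expirationSeconds: 7200`, so the token mounted at `/var/run/secrets/tokens/vault-token` is only accepted by a consumer that checks for that audience and is rejected by the Kubernetes API server itself; the page embedding the file should state that, since it is the least-privilege point of the pattern. The pod also depends on a pre-existing ServiceAccount `build-robot`, which the YAML does not create. Nothing to change in the file, these are upstream behaviours.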
@@ -0,0 +1,23 @@ | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: pod1 | ||
labels: | ||
tier: frontend | ||
spec: | ||
containers: | ||
- name: hello1 | ||
image: gcr.io/google-samples/hello-app:2.0 | ||
|
||
--- | ||
|
||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: pod2 | ||
labels: | ||
tier: frontend | ||
spec: | ||
containers: | ||
- name: hello2 | ||
image: gcr.io/google-samples/hello-app:1.0 |