[zh] sync /security/controlling-access.md
windsonsea committed Jun 15, 2023
1 parent a631f1b commit 764d78c
Showing 2 changed files with 909 additions and 16 deletions.
34 changes: 18 additions & 16 deletions content/zh-cn/docs/concepts/security/controlling-access.md
Expand Up @@ -29,12 +29,14 @@ When a request reaches the API, it goes through several stages, illustrated in t
following diagram:
-->
用户使用 `kubectl`、客户端库或构造 REST 请求来访问 [Kubernetes API](/zh-cn/docs/concepts/overview/kubernetes-api/)
人类用户和 [Kubernetes 服务账户](/zh-cn/docs/tasks/configure-pod-container/configure-service-account/)都可以被鉴权访问 API。
人类用户和 [Kubernetes 服务账号](/zh-cn/docs/tasks/configure-pod-container/configure-service-account/)都可以被鉴权访问 API。
当请求到达 API 时,它会经历多个阶段,如下图所示:

![Kubernetes API 请求处理步骤示意图](/images/docs/admin/access-control-overview.svg)
![Kubernetes API 请求处理步骤示意图](/zh-cn/docs/images/access-control-overview.svg)

<!-- ## Transport security -->
<!--
## Transport security
-->
## 传输安全 {#transport-security}

<!--
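Review bot: the added image line now points at `/zh-cn/docs/images/access-control-overview.svg` instead of the shared `/images/docs/admin/access-control-overview.svg`; please confirm the localized asset exists at that path in this commit (the page lists 2 changed files but only this one is shown), otherwise the request-handling diagram renders as a broken image on the zh-cn page. The 服务账户 → 服务账号 rename and the expansion of the one-line `<!-- ## Transport security -->` marker into a multi-line `<!-- ... -->` block both match the form used in the other hunks of this diff.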
Expand Down Expand Up @@ -95,7 +97,7 @@ until one of them succeeds.
-->
认证步骤的输入整个 HTTP 请求;但是,通常组件只检查头部或/和客户端证书。

认证模块包含客户端证书、密码、普通令牌、引导令牌和 JSON Web 令牌(JWT,用于服务账户)。
认证模块包含客户端证书、密码、普通令牌、引导令牌和 JSON Web 令牌(JWT,用于服务账号)。

可以指定多个认证模块,在这种情况下,服务器依次尝试每个验证模块,直到其中一个成功。

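Review bot: the unchanged context line `认证步骤的输入整个 HTTP 请求;但是,...` is missing 是 after 输入 (it should read 认证步骤的输入是整个 HTTP 请求), and `头部或/和客户端证书` would read more naturally as 头部和/或客户端证书; since this sync already edits the same paragraph to rename 服务账户 to 服务账号, both could be fixed in this commit. The rename itself is consistent with the first hunk.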
Expand Down Expand Up @@ -167,6 +169,7 @@ allowed to read objects in the `projectCaribou` namespace:
}
}
```

<!--
If Bob makes a request to write (`create` or `update`) to the objects in the
`projectCaribou` namespace, his authorization is denied. If Bob makes a request
Expand Down Expand Up @@ -253,7 +256,6 @@ The cluster audits the activities generated by users, by applications that use t
For more information, see [Auditing](/docs/tasks/debug/debug-cluster/audit/).
-->

## 审计 {#auditing}

Kubernetes 审计提供了一套与安全相关的、按时间顺序排列的记录,其中记录了集群中的操作序列。
Expand Down Expand Up @@ -290,22 +292,22 @@ You can learn about:
阅读更多有关身份认证、鉴权和 API 访问控制的文档:

- [认证](/zh-cn/docs/reference/access-authn-authz/authentication/)
- [使用 Bootstrap 令牌进行身份认证](/zh-cn/docs/reference/access-authn-authz/bootstrap-tokens/)
- [使用 Bootstrap 令牌进行身份认证](/zh-cn/docs/reference/access-authn-authz/bootstrap-tokens/)
- [准入控制器](/zh-cn/docs/reference/access-authn-authz/admission-controllers/)
- [动态准入控制](/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/)
- [动态准入控制](/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/)
- [鉴权](/zh-cn/docs/reference/access-authn-authz/authorization/)
- [基于角色的访问控制](/zh-cn/docs/reference/access-authn-authz/rbac/)
- [基于属性的访问控制](/zh-cn/docs/reference/access-authn-authz/abac/)
- [节点鉴权](/zh-cn/docs/reference/access-authn-authz/node/)
- [Webhook 鉴权](/zh-cn/docs/reference/access-authn-authz/webhook/)
- [基于角色的访问控制](/zh-cn/docs/reference/access-authn-authz/rbac/)
- [基于属性的访问控制](/zh-cn/docs/reference/access-authn-authz/abac/)
- [节点鉴权](/zh-cn/docs/reference/access-authn-authz/node/)
- [Webhook 鉴权](/zh-cn/docs/reference/access-authn-authz/webhook/)
- [证书签名请求](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/)
- 包括 [CSR 认证](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/#approval-rejection)
[证书签名](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/#signing)
- 服务账户
- 包括 [CSR 认证](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/#approval-rejection)
[证书签名](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/#signing)
- 服务账号
- [开发者指导](/zh-cn/docs/tasks/configure-pod-container/configure-service-account/)
- [管理](/zh-cn/docs/reference/access-authn-authz/service-accounts-admin/)

你可以了解
你可以了解
- Pod 如何使用
[Secret](/zh-cn/docs/concepts/configuration/secret/#service-accounts-automatically-create-and-attach-secrets-with-api-credentials)
获取 API 凭证
获取 API 凭据
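Review bot: the added `你可以了解` line has no trailing full-width colon, while the parallel lead-in earlier in this hunk ends with one (`阅读更多有关身份认证、鉴权和 API 访问控制的文档:`); the old and new `你可以了解` lines show no visible text difference, so this change is presumably whitespace only, and ending the line with `:` would make the two lead-ins consistent. Likewise the paired lines for the sub-items under 准入控制器 and 鉴权 differ only in (invisible) indentation, so please check the rendered page still nests them under their parent items rather than flattening the list. The 凭证 → 凭据 and 服务账户 → 服务账号 renames match the rest of the diff.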
