[{"data":1,"prerenderedAt":4631},["ShallowReactive",2],{"search-docs":3,"doc-\u002Ftutorials\u002Fcloud\u002Fkubernetes\u002Fk8s-network-security":886},[4,8,12,16,20,24,28,32,36,40,44,48,52,56,60,64,68,72,76,80,84,88,92,96,100,104,108,112,116,120,124,128,132,136,140,144,148,152,156,159,162,165,169,172,175,178,182,186,190,194,198,202,206,210,214,218,222,226,230,234,238,242,246,250,254,258,262,266,269,273,277,281,285,288,291,294,298,301,304,307,310,313,316,319,322,325,329,332,336,340,344,348,352,356,359,362,365,368,371,374,377,380,383,386,389,393,396,399,402,405,408,411,414,417,420,424,428,432,435,438,442,446,450,454,458,462,466,470,474,477,480,483,487,491,494,497,500,504,507,511,515,518,521,524,527,530,533,536,539,542,545,548,551,554,557,560,563,566,569,572,575,579,583,587,591,595,599,603,606,610,614,617,620,623,626,629,633,637,640,643,646,649,652,655,658,661,664,667,670,673,676,679,682,685,688,691,694,697,700,703,706,709,712,716,720,724,728,732,736,740,744,748,752,756,760,764,768,772,775,779,783,787,790,793,796,799,802,805,808,811,814,818,822,825,829,832,835,838,841,844,848,851,854,858,862,865,869,873,876,879,882],{"path":5,"title":6,"description":7},"\u002Fabout\u002Fauthor","作者相关","只想纯粹的做一个程序员...",{"path":9,"title":10,"description":11},"\u002Fabout\u002Fjourney","心路历程","",{"path":13,"title":14,"description":15},"\u002Fai\u002Fagent\u002Fframeworks","Agent 框架","主流 Agent 框架：LangChain、LlamaIndex、AutoGen、CrewAI",{"path":17,"title":18,"description":19},"\u002Fai\u002Fagent\u002Fhooks","Agent Hooks 与自动化","Claude Agent 的 Hooks 生命周期、事件类型、典型自动化场景",{"path":21,"title":22,"description":23},"\u002Fai\u002Fagent\u002Fintroduction","AI Agent 概述","AI Agent 核心概念：感知、规划、执行、记忆",{"path":25,"title":26,"description":27},"\u002Fai\u002Fagent\u002Fpractice","Agent 实战","AI Agent 实战：构建自主任务执行系统",{"path":29,"title":30,"description":31},"\u002Fai\u002Fagent\u002Fsdk","Claude Agent SDK 开发","使用 Claude Agent SDK 构建自定义 AI 
Agent：架构、API、生命周期",{"path":33,"title":34,"description":35},"\u002Fai\u002Fagent\u002Fsubagents","Subagents 子代理","用 Subagents 分解复杂任务、并发执行、隔离上下文",{"path":37,"title":38,"description":39},"\u002Fai\u002Fagent\u002Ftool-use","工具调用","AI Agent 工具调用：Function Calling、Tool Use 原理与实践",{"path":41,"title":42,"description":43},"\u002Fai\u002Ffundamentals\u002Fdeep-learning","深度学习入门","深度学习基础知识：前向传播、反向传播、损失函数、优化器",{"path":45,"title":46,"description":47},"\u002Fai\u002Ffundamentals\u002Fml-basics","机器学习基础","机器学习核心概念：监督学习、无监督学习、强化学习",{"path":49,"title":50,"description":51},"\u002Fai\u002Ffundamentals\u002Fneural-networks","神经网络原理","神经网络架构：CNN、RNN、注意力机制",{"path":53,"title":54,"description":55},"\u002Fai\u002Fgetting-started","AI 学习路线","AI 技术学习路线图，从基础到实战的完整指南",{"path":57,"title":58,"description":59},"\u002Fai\u002Fllm\u002Ffine-tuning","模型微调","大模型微调技术：LoRA、QLoRA、全量微调、RLHF",{"path":61,"title":62,"description":63},"\u002Fai\u002Fllm\u002Fintroduction","大模型概述","大语言模型发展历程、核心能力与主流模型对比",{"path":65,"title":66,"description":67},"\u002Fai\u002Fllm\u002Flocal-deploy","本地部署","大模型本地部署：Ollama、vLLM、llama.cpp",{"path":69,"title":70,"description":71},"\u002Fai\u002Fllm\u002Ftransformer","Transformer 架构","Transformer 架构详解：自注意力机制、位置编码、多头注意力",{"path":73,"title":74,"description":75},"\u002Fai\u002Fmcp\u002Fclient","MCP Client 开发","MCP Client 开发指南：连接、调用、集成",{"path":77,"title":78,"description":79},"\u002Fai\u002Fmcp\u002Fdebugging","MCP 调试与排错","MCP Server 开发与集成过程中的常见问题、日志分析、诊断工具",{"path":81,"title":82,"description":83},"\u002Fai\u002Fmcp\u002Fintroduction","MCP 概述","Model Context Protocol 协议概述：架构、核心概念、应用场景",{"path":85,"title":86,"description":87},"\u002Fai\u002Fmcp\u002Fserver","MCP Server 开发","MCP Server 开发指南：资源、工具、提示词的实现",{"path":89,"title":90,"description":91},"\u002Fai\u002Fmcp\u002Ftools","MCP Tools 深入","深入理解 MCP Tools：与 Resources\u002FPrompts 的差异、Schema 设计、Annotations 与权限控制",{"path":93,"title":94,"description":95},"\u002Fai\u002Fprompt\u002Fadvanced","高级 Prompt 模式","高级 Prompt 
设计模式：Tree-of-Thought、自我反思、多轮对话策略",{"path":97,"title":98,"description":99},"\u002Fai\u002Fprompt\u002Fbasics","Prompt 基础","Prompt Engineering 入门：基本概念、角色设定、输出格式控制",{"path":101,"title":102,"description":103},"\u002Fai\u002Fprompt\u002Ftechniques","提示词技巧","常用提示词技巧：Few-shot、Chain-of-Thought、ReAct",{"path":105,"title":106,"description":107},"\u002Fai\u002Frag\u002Fembedding","文本嵌入","文本嵌入模型：Embedding 原理、模型选择、相似度计算",{"path":109,"title":110,"description":111},"\u002Fai\u002Frag\u002Fintroduction","RAG 概述","检索增强生成（RAG）架构原理、优势与应用场景",{"path":113,"title":114,"description":115},"\u002Fai\u002Frag\u002Fpractice","RAG 实战","RAG 应用实战：文档问答系统、知识库搭建",{"path":117,"title":118,"description":119},"\u002Fai\u002Frag\u002Fvector-database","向量数据库","主流向量数据库对比：Milvus、Pinecone、Chroma、Weaviate",{"path":121,"title":122,"description":123},"\u002Fai\u002Fskills\u002Fbest-practices","Skill 最佳实践","编写高质量 Skill 的设计原则、常见陷阱与优化技巧",{"path":125,"title":126,"description":127},"\u002Fai\u002Fskills\u002Fcreating","创建自定义 Skill","从零编写一个可被 Agent 自动发现和调用的 Skill",{"path":129,"title":130,"description":131},"\u002Fai\u002Fskills\u002Fintroduction","Agent Skills 概述","Claude Agent Skills 概念、工作原理、与 Tools\u002FMCP 的区别",{"path":133,"title":134,"description":135},"\u002Fgolang\u002Fadvanced\u002Fconcurrency","Go - 并发深入","深入理解 Go 并发编程的核心机制。",{"path":137,"title":138,"description":139},"\u002Fgolang\u002Fadvanced\u002Fgc","Go - 垃圾回收","理解 Go 的垃圾回收机制，掌握 GC 调优方法。",{"path":141,"title":142,"description":143},"\u002Fgolang\u002Fadvanced\u002Fgmp","Go - GMP 调度模型","GMP 是 Go 运行时调度器的核心模型，理解它对于编写高性能 Go 程序至关重要。",{"path":145,"title":146,"description":147},"\u002Fgolang\u002Fadvanced\u002Fgo-concurrency","Go - 并发编程","Go 的并发是其核心特性之一，通过 Goroutine 和 Channel 实现。",{"path":149,"title":150,"description":151},"\u002Fgolang\u002Fadvanced\u002Fmemory","Go - 内存模型","理解 Go 的内存分配机制和内存模型。",{"path":153,"title":154,"description":155},"\u002Fgolang\u002Fadvanced\u002Fprofiling","Go - 性能分析","掌握 Go 
的性能分析工具：pprof、trace、benchmark。",{"path":157,"title":158,"description":11},"\u002Fgolang\u002Fcore\u002Fgo-basic","Go - 基础语法",{"path":160,"title":161,"description":11},"\u002Fgolang\u002Fcore\u002Fgo-composite","Go - 复合类型",{"path":163,"title":164,"description":11},"\u002Fgolang\u002Fcore\u002Fgo-control","Go - 流程控制",{"path":166,"title":167,"description":168},"\u002Fgolang\u002Fcore\u002Fgo-error","Go - 错误处理","Go 使用显式的错误返回值来处理错误，而不是异常机制。",{"path":170,"title":171,"description":11},"\u002Fgolang\u002Fcore\u002Fgo-function","Go - 函数",{"path":173,"title":174,"description":11},"\u002Fgolang\u002Fcore\u002Fgo-install","Go - 环境搭建",{"path":176,"title":177,"description":11},"\u002Fgolang\u002Fcore\u002Fgo-interface","Go - 接口",{"path":179,"title":180,"description":181},"\u002Fgolang\u002Fcore\u002Fgo-module","Go - 包管理","Go Modules 是 Go 1.11 引入的官方依赖管理方案，Go 1.16 后成为默认模式。",{"path":183,"title":184,"description":185},"\u002Fgolang\u002Fdistributed\u002Fgrpc","Go - gRPC","gRPC 是 Google 开发的高性能 RPC 框架，使用 Protocol Buffers 作为序列化协议。",{"path":187,"title":188,"description":189},"\u002Fgolang\u002Fdistributed\u002Fmicroservice","Go - 微服务","微服务架构的核心组件：服务发现、负载均衡、熔断降级。",{"path":191,"title":192,"description":193},"\u002Fgolang\u002Fdistributed\u002Fmq","Go - 消息队列","使用 Go 操作 Kafka 和 RabbitMQ。",{"path":195,"title":196,"description":197},"\u002Fgolang\u002Fdistributed\u002Fredis","Go - Redis","使用 go-redis 操作 Redis，实现缓存、分布式锁等功能。",{"path":199,"title":200,"description":201},"\u002Fgolang\u002Fengineering\u002Fconfig","Go - 配置管理","使用 viper 进行配置管理，支持多种配置格式和配置中心。",{"path":203,"title":204,"description":205},"\u002Fgolang\u002Fengineering\u002Fdocker","Go - Docker 部署","使用 Docker 容器化部署 Go 应用。",{"path":207,"title":208,"description":209},"\u002Fgolang\u002Fengineering\u002Fkubernetes","Go - Kubernetes 部署","在 Kubernetes 上部署和管理 Go 应用。",{"path":211,"title":212,"description":213},"\u002Fgolang\u002Fengineering\u002Flogging","Go - 日志系统","使用 zap 和 logrus 
构建高性能结构化日志系统。",{"path":215,"title":216,"description":217},"\u002Fgolang\u002Fengineering\u002Ftesting","Go - 单元测试","Go 内置了强大的测试框架，掌握测试是编写高质量代码的基础。",{"path":219,"title":220,"description":221},"\u002Fgolang\u002Fstdlib\u002Fbufio","bufio","在 Go 语言中，bufio 包提供了带缓冲的 I\u002FO 操作，能够提高读写性能。以下是一些常用的 bufio 包 API 及其详细说明：",{"path":223,"title":224,"description":225},"\u002Fgolang\u002Fstdlib\u002Fcontainer","container","在Go语言标准库中，container 包提供了几种常用的数据结构实现，这些数据结构对于高效地管理和操作数据非常有用。以下是 container 包中主要的数据结构：",{"path":227,"title":228,"description":229},"\u002Fgolang\u002Fstdlib\u002Fcrypto","crypto","在 Go 语言中，crypto 包提供了一组用于加密和解密的功能。以下是一些常用的 crypto 包及其子包的 API 及其详细说明：",{"path":231,"title":232,"description":233},"\u002Fgolang\u002Fstdlib\u002Fencoding-csv","encoding\u002Fcsv","在 Go 语言中，encoding\u002Fcsv 包提供了对 CSV（逗号分隔值）文件进行读写的功能。以下是一些常用的 encoding\u002Fcsv 包的 API 及其详细说明：",{"path":235,"title":236,"description":237},"\u002Fgolang\u002Fstdlib\u002Fencoding-json","encoding\u002Fjson","在 Go 语言中，encoding\u002Fjson 包提供了对 JSON 数据进行编码和解码的功能。以下是一些常用的 encoding\u002Fjson 包的 API 及其详细说明：",{"path":239,"title":240,"description":241},"\u002Fgolang\u002Fstdlib\u002Fencoding-xml","encoding\u002Fxml","在 Go 语言中，encoding\u002Fxml 包提供了对 XML 数据进行编码和解码的功能。以下是一些常用的 encoding\u002Fxml 包的 API 及其详细说明：",{"path":243,"title":244,"description":245},"\u002Fgolang\u002Fstdlib\u002Fflag","flag","在Go语言中，flag 包是用于处理命令行参数的标准库，它提供了一种简单而直接的方式来解析和使用命令行参数。下面是关于 flag 包的一些基本介绍和常用功能：",{"path":247,"title":248,"description":249},"\u002Fgolang\u002Fstdlib\u002Ffmt","fmt","在 Go 语言的标准库中，fmt 包是非常重要的，它提供了处理格式化输入和输出的基本工具。以下是一些 fmt 包内常用的API：",{"path":251,"title":252,"description":253},"\u002Fgolang\u002Fstdlib\u002Fhttp","net\u002Fhttp","在 Go 语言中，net\u002Fhttp 包提供了用于构建 HTTP 客户端和服务器的强大工具。以下是一些常用的 net\u002Fhttp 包的 API 及其详细说明：",{"path":255,"title":256,"description":257},"\u002Fgolang\u002Fstdlib\u002Fio","io","在 Go 语言中，io 包提供了基本的输入输出功能。以下是一些常用的 io 包的 API 
及其详细说明：",{"path":259,"title":260,"description":261},"\u002Fgolang\u002Fstdlib\u002Flog","log","在 Go 语言中，log 包提供了简单的日志记录功能。以下是一些常用的 log 包的 API 及其详细说明：",{"path":263,"title":264,"description":265},"\u002Fgolang\u002Fstdlib\u002Fmath","math","在 Go 语言中，math 包提供了基本的数学函数和常量。以下是一些常用的 math 包的 API 及其详细说明：",{"path":267,"title":268,"description":11},"\u002Fgolang\u002Fstdlib\u002Fnet","net",{"path":270,"title":271,"description":272},"\u002Fgolang\u002Fstdlib\u002Fos","os","在Go语言中，os 包是一个非常重要且常用的标准库，它提供了与操作系统交互的功能，包括文件操作、环境变量管理、进程管理等。下面是一些 os 包中常用的功能和API：",{"path":274,"title":275,"description":276},"\u002Fgolang\u002Fstdlib\u002Fsort","order","在 Go 语言中，sort 包提供了对切片和用户定义的集合进行排序的函数。它实现了常见的排序算法，如快速排序（Quicksort）和堆排序（Heapsort），并且为自定义集合提供了接口，使得用户可以根据特定的需求进行排序。",{"path":278,"title":279,"description":280},"\u002Fgolang\u002Fstdlib\u002Fstrconv","strconv","在 Go 语言中，strconv 包提供了字符串和基本数据类型之间的转换函数，例如将整数转换为字符串、字符串转换为整数，以及其他类型之间的转换。这些功能非常有用，特别是在处理用户输入或从外部数据源读取数据时。",{"path":282,"title":283,"description":284},"\u002Fgolang\u002Fstdlib\u002Ftime","time","在 Go 语言中，time 包提供了处理时间和日期的功能。以下是一些常用的 time 包的 API 及其详细说明：",{"path":286,"title":287,"description":11},"\u002Fgolang\u002Fweb\u002Fgin\u002Ferror","Gin - 错误处理",{"path":289,"title":290,"description":11},"\u002Fgolang\u002Fweb\u002Fgin\u002Ffile","Gin - 文件处理",{"path":292,"title":293,"description":11},"\u002Fgolang\u002Fweb\u002Fgin\u002Fmiddleware","Gin - 中间件",{"path":295,"title":296,"description":297},"\u002Fgolang\u002Fweb\u002Fgin\u002Fquickstart","Gin - 快速开始","Gin 是目前最流行的 Go Web 框架，以高性能和简洁 API 著称。",{"path":299,"title":300,"description":11},"\u002Fgolang\u002Fweb\u002Fgin\u002Frequest","Gin - 请求处理",{"path":302,"title":303,"description":11},"\u002Fgolang\u002Fweb\u002Fgin\u002Fresponse","Gin - 响应处理",{"path":305,"title":306,"description":11},"\u002Fgolang\u002Fweb\u002Fgin\u002Frouter","Gin - 路由",{"path":308,"title":309,"description":11},"\u002Fgolang\u002Fweb\u002Fgin\u002Fvalidation","Gin - 
参数校验",{"path":311,"title":312,"description":11},"\u002Fgolang\u002Fweb\u002Fgorm\u002Fassociation","GORM - 关联关系",{"path":314,"title":315,"description":11},"\u002Fgolang\u002Fweb\u002Fgorm\u002Fcrud","GORM - CRUD 操作",{"path":317,"title":318,"description":11},"\u002Fgolang\u002Fweb\u002Fgorm\u002Fmodel","GORM - 模型定义",{"path":320,"title":321,"description":11},"\u002Fgolang\u002Fweb\u002Fgorm\u002Fperformance","GORM - 日志与性能",{"path":323,"title":324,"description":11},"\u002Fgolang\u002Fweb\u002Fgorm\u002Fquery","GORM - 高级查询",{"path":326,"title":327,"description":328},"\u002Fgolang\u002Fweb\u002Fgorm\u002Fquickstart","GORM - 快速开始","GORM 是 Go 语言最流行的 ORM 库，功能强大，使用简单。",{"path":330,"title":331,"description":11},"\u002Fgolang\u002Fweb\u002Fgorm\u002Ftransaction","GORM - 事务与 Hook",{"path":333,"title":334,"description":335},"\u002Finterview\u002Fbasic","计算机基础面经","本章节汇总了面试中常见的通用技术概念，不局限于特定语言或数据库，是考察技术内功的关键考点。",{"path":337,"title":338,"description":339},"\u002Finterview\u002Fgolang","Golang 面试题","Go 语言面试高频考点，覆盖基础语法、数据结构、并发编程、内存管理、GC、调度器等核心知识。",{"path":341,"title":342,"description":343},"\u002Finterview\u002Fk8s","Kubernetes 面试题","Kubernetes（K8s）面试高频考点，覆盖架构原理、核心资源、网络存储、调度策略、运维监控等核心知识。",{"path":345,"title":346,"description":347},"\u002Finterview\u002Fmysql","MySQL 面试题","MySQL 数据库面试高频考点，覆盖索引、事务、锁、优化、主从复制等核心知识。",{"path":349,"title":350,"description":351},"\u002Finterview\u002Fredis","Redis 面试题","Redis 面试高频考点，覆盖数据结构、持久化、集群、缓存一致性、性能优化等核心知识。",{"path":353,"title":354,"description":355},"\u002Finterview\u002Frocketmq","RocketMQ 面试题","RocketMQ 面试高频考点，覆盖消息模型、可靠性、顺序消息、事务消息、存储与高可用等核心知识。",{"path":357,"title":358,"description":11},"\u002Fother\u002Fjava\u002Fcollection\u002Flist-arraylist","List - ArrayList 源码解析",{"path":360,"title":361,"description":11},"\u002Fother\u002Fjava\u002Fcollection\u002Flist-linkedlist","List - LinkedList 源码解析",{"path":363,"title":364,"description":11},"\u002Fother\u002Fjava\u002Fcollection\u002Flist-stack","List - 
Stack源码解析",{"path":366,"title":367,"description":11},"\u002Fother\u002Fjava\u002Fcollection\u002Flist-vectore","List - Vector 源码解析",{"path":369,"title":370,"description":11},"\u002Fother\u002Fjava\u002Fcollection\u002Fmap-hashmap","Map - HashMap 源码解析",{"path":372,"title":373,"description":11},"\u002Fother\u002Fjava\u002Fcollection\u002Fmap-linkedhashmap","Map - LinkedHashMap 源码解析",{"path":375,"title":376,"description":11},"\u002Fother\u002Fjava\u002Fcollection\u002Fmap-treemap","Map - TreeMap 源码解析",{"path":378,"title":379,"description":11},"\u002Fother\u002Fjava\u002Fcollection\u002Fqueue-deque","Queue - Deque 接口解析",{"path":381,"title":382,"description":11},"\u002Fother\u002Fjava\u002Fcollection\u002Fqueue-queue","Queue - Queue 接口解析",{"path":384,"title":385,"description":11},"\u002Fother\u002Fjava\u002Fcollection\u002Fset-hashset","Set - HashSet源码解析",{"path":387,"title":388,"description":11},"\u002Fother\u002Fjava\u002Fcollection\u002Fset-linkedhashset","Set - LinkedHashSet 源码解析",{"path":390,"title":391,"description":392},"\u002Fother\u002Fjava\u002Fcollection\u002Fset-treeset","Set - TreeSet源码解析","TreeSet 是一个 Set 集合接口的实现类，与 HashSet 类似，其底层也是通过维护了一个 TreeMap 对象来封装了一些实现方法，故本篇不再对 TreeSet 的底层原理进行详细说明，仅对常用 API 做简单介绍，如需了解 TreeMap 的底层实现原理，请移步 Map - TreeMap 源码解析",{"path":394,"title":395,"description":11},"\u002Fother\u002Fjava\u002Fcore\u002Fannotation","Java核心 - 注解",{"path":397,"title":398,"description":11},"\u002Fother\u002Fjava\u002Fcore\u002Fbasic-grammar","Java核心 - 基础语法",{"path":400,"title":401,"description":11},"\u002Fother\u002Fjava\u002Fcore\u002Fclass-and-object","Java核心 - 面向对象",{"path":403,"title":404,"description":11},"\u002Fother\u002Fjava\u002Fcore\u002Fcommon-classes","Java核心 - 常用类",{"path":406,"title":407,"description":11},"\u002Fother\u002Fjava\u002Fcore\u002Fexception","Java核心 - 异常处理",{"path":409,"title":410,"description":11},"\u002Fother\u002Fjava\u002Fcore\u002Fgenerics","Java核心 - 
泛型",{"path":412,"title":413,"description":11},"\u002Fother\u002Fjava\u002Fcore\u002Fjdk-env-path","Java核心 - 环境搭建",{"path":415,"title":416,"description":11},"\u002Fother\u002Fjava\u002Fcore\u002Freflection","Java核心 - 反射",{"path":418,"title":419,"description":11},"\u002Fother\u002Fjava\u002Fcore\u002Fstring","Java核心 - String 字符串",{"path":421,"title":422,"description":423},"\u002Fother\u002Fjava\u002Fio\u002Fbuffer-stream","Java IO - 缓冲流","缓冲流是对基本流的包装，通过内置缓冲区减少系统调用次数，大幅提升读写效率。",{"path":425,"title":426,"description":427},"\u002Fother\u002Fjava\u002Fio\u002Fbyte-stream","Java IO - 字节流","字节流是 Java IO 中最基本的流类型，以字节（byte）为单位进行数据读写，可以处理任意类型的文件。",{"path":429,"title":430,"description":431},"\u002Fother\u002Fjava\u002Fio\u002Fchar-stream","Java IO - 字符流","字符流以字符为单位进行读写，专门用于处理文本文件。相比字节流，字符流能够正确处理字符编码，避免中文乱码问题。",{"path":433,"title":434,"description":11},"\u002Fother\u002Fjava\u002Fio\u002Ffile","Java IO - File 类",{"path":436,"title":437,"description":11},"\u002Fother\u002Fjava\u002Fio\u002Fio-stream-system","Java IO - IO流概述",{"path":439,"title":440,"description":441},"\u002Fother\u002Fjava\u002Fio\u002Fnio","Java IO - NIO","NIO（New IO）是 JDK 1.4 引入的新 IO 模型，提供了更高效的 IO 操作方式，支持非阻塞 IO 和多路复用。",{"path":443,"title":444,"description":445},"\u002Fother\u002Fjava\u002Fjvm\u002Fclass-loading","类加载机制","类加载机制是 JVM 将 .class 文件加载到内存，并对数据进行校验、转换解析和初始化，最终形成可被 JVM 直接使用的 Java 类型的过程。",{"path":447,"title":448,"description":449},"\u002Fother\u002Fjava\u002Fjvm\u002Fgarbage-collection","垃圾回收","垃圾回收（Garbage Collection，GC）是 JVM 自动管理内存的机制，负责回收不再使用的对象所占用的内存。",{"path":451,"title":452,"description":453},"\u002Fother\u002Fjava\u002Fjvm\u002Fjvm-memory","JVM 内存结构","JVM 在执行 Java 程序时，会把它管理的内存划分为若干个不同的数据区域。这些区域有各自的用途、创建和销毁时间。",{"path":455,"title":456,"description":457},"\u002Fother\u002Fjava\u002Fjvm\u002Fjvm-tuning","JVM 调优","JVM 调优是优化 Java 应用性能的重要手段，主要包括参数配置、性能监控和问题排查。",{"path":459,"title":460,"description":461},"\u002Fother\u002Fjava\u002Fthread\u002Fatomic","原子类","Java 原子类（Atomic Classes）提供了一种无锁的线程安全方式，基于 
CAS（Compare-And-Swap）操作实现。",{"path":463,"title":464,"description":465},"\u002Fother\u002Fjava\u002Fthread\u002Fcompletable-future","CompletableFuture","CompletableFuture 是 JDK 8 引入的异步编程工具，实现了 Future 和 CompletionStage 接口，支持函数式编程和链式调用。",{"path":467,"title":468,"description":469},"\u002Fother\u002Fjava\u002Fthread\u002Fconcurrent-collections","并发集合","Java 并发包提供了多种线程安全的集合类，用于替代传统的同步集合（如 Collections.synchronizedList）。",{"path":471,"title":472,"description":473},"\u002Fother\u002Fjava\u002Fthread\u002Fconcurrent-utils","并发工具类","Java 并发包提供了多种实用的并发工具类，用于控制线程之间的协调与同步。",{"path":475,"title":476,"description":11},"\u002Fother\u002Fjava\u002Fthread\u002Fsynchronized-lock","同步机制",{"path":478,"title":479,"description":11},"\u002Fother\u002Fjava\u002Fthread\u002Fthread-basic","线程基础",{"path":481,"title":482,"description":11},"\u002Fother\u002Fjava\u002Fthread\u002Fthread-pool","线程池",{"path":484,"title":485,"description":486},"\u002Fother\u002Fspring-series\u002Fspring\u002Fannotations-beans","Spring - 基于注解管理Bean","从 Java 5 开始，Java 增加了对注解（Annotation）的支持，它是代码中的一种特殊标记，可以在编译、类加载和运行时被读取，执行相应的处理。开发人员可以通过注解在不改变原有代码和逻辑的情况下，在源代码中嵌入补充信息。",{"path":488,"title":489,"description":490},"\u002Fother\u002Fspring-series\u002Fspring\u002Fimplement-ioc","Spring - 原理手写IoC","Spring 框架的 IOC 是基于 Java 反射机制实现的，在学习手写 IoC 之前，你需要具备一定的 Java 反射相关的知识，参考本站内的 Java 教程。",{"path":492,"title":493,"description":11},"\u002Fother\u002Fspring-series\u002Fspring\u002Fintroduction-case","Spring - 入门案例",{"path":495,"title":496,"description":11},"\u002Fother\u002Fspring-series\u002Fspring\u002Fspring-aop","Spring - 面向切面AOP",{"path":498,"title":499,"description":11},"\u002Fother\u002Fspring-series\u002Fspring\u002Fspring-aot","Spring - AOT提前编译",{"path":501,"title":502,"description":503},"\u002Fother\u002Fspring-series\u002Fspring\u002Fspring-data-validation","Spring - 数据校验","在开发中，我们经常遇到参数校验的需求，比如用户注册的时候，要校验用户名不能为空、用户名长度不超过20个字符、手机号是合法的手机号格式等等。如果使用普通方式，我们会把校验的代码和真正的业务处理逻辑耦合在一起，而且如果未来要新增一种校验逻辑也需要在修改多个地方。而spring 
validation允许通过注解的方式来定义对象校验规则，把校验和业务逻辑分离开，让代码编写更加方便。Spring Validation其实就是对Hibernate Validator进一步的封装，方便在Spring中使用。",{"path":505,"title":506,"description":11},"\u002Fother\u002Fspring-series\u002Fspring\u002Fspring-i18n","Spring - 国际化i18n",{"path":508,"title":509,"description":510},"\u002Fother\u002Fspring-series\u002Fspring\u002Fspring-ioc","Spring - IOC容器","IoC 是 Inversion of Control 的简写，译为“控制反转”，它不是一门技术，而是一种设计思想，是一个重要的面向对象编程法则，能够指导我们如何设计出松耦合、更优良的程序。",{"path":512,"title":513,"description":514},"\u002Fother\u002Fspring-series\u002Fspring\u002Fspring-junit","Spring - 单元测试JUnit","在之前的测试方法中，几乎都能看到以下的两行代码：",{"path":516,"title":517,"description":11},"\u002Fother\u002Fspring-series\u002Fspring\u002Fspring-resources","Spring - 资源操作",{"path":519,"title":520,"description":11},"\u002Fother\u002Fspring-series\u002Fspring\u002Fspring-summarize","Spring - Spring概述",{"path":522,"title":523,"description":11},"\u002Fother\u002Fspring-series\u002Fspring\u002Fspring-transaction","Spring - 事务",{"path":525,"title":526,"description":11},"\u002Fother\u002Fspring-series\u002Fspring\u002Fxml-beans","Spring - 基于XML管理Bean",{"path":528,"title":529,"description":11},"\u002Fother\u002Fspring-series\u002Fspringboot\u002Fspringboot-config","SpringBoot - 配置详解",{"path":531,"title":532,"description":11},"\u002Fother\u002Fspring-series\u002Fspringboot\u002Fspringboot-data","SpringBoot - 数据访问",{"path":534,"title":535,"description":11},"\u002Fother\u002Fspring-series\u002Fspringboot\u002Fspringboot-quickstart","SpringBoot - 快速入门",{"path":537,"title":538,"description":11},"\u002Fother\u002Fspring-series\u002Fspringboot\u002Fspringboot-web","SpringBoot - Web 开发",{"path":540,"title":541,"description":11},"\u002Fother\u002Fspring-series\u002Fspringcloud\u002Fspringcloud-config","SpringCloud - 配置中心",{"path":543,"title":544,"description":11},"\u002Fother\u002Fspring-series\u002Fspringcloud\u002Fspringcloud-discovery","SpringCloud - 
服务注册与发现",{"path":546,"title":547,"description":11},"\u002Fother\u002Fspring-series\u002Fspringcloud\u002Fspringcloud-feign","SpringCloud - 服务调用",{"path":549,"title":550,"description":11},"\u002Fother\u002Fspring-series\u002Fspringcloud\u002Fspringcloud-gateway","SpringCloud - 服务网关",{"path":552,"title":553,"description":11},"\u002Fother\u002Fspring-series\u002Fspringcloud\u002Fspringcloud-introduction","SpringCloud - 微服务概述",{"path":555,"title":556,"description":11},"\u002Fother\u002Fspring-series\u002Fspringcloud\u002Fspringcloud-sentinel","SpringCloud - 服务保护",{"path":558,"title":559,"description":11},"\u002Fother\u002Fspring-series\u002Fspringmvc\u002Fspringmvc-databind","SpringMVC - 数据绑定与转换",{"path":561,"title":562,"description":11},"\u002Fother\u002Fspring-series\u002Fspringmvc\u002Fspringmvc-exception","SpringMVC - 异常处理",{"path":564,"title":565,"description":11},"\u002Fother\u002Fspring-series\u002Fspringmvc\u002Fspringmvc-interceptor","SpringMVC - 拦截器",{"path":567,"title":568,"description":11},"\u002Fother\u002Fspring-series\u002Fspringmvc\u002Fspringmvc-introduction","SpringMVC - 简介与环境搭建",{"path":570,"title":571,"description":11},"\u002Fother\u002Fspring-series\u002Fspringmvc\u002Fspringmvc-request","SpringMVC - 请求处理",{"path":573,"title":574,"description":11},"\u002Fother\u002Fspring-series\u002Fspringmvc\u002Fspringmvc-response","SpringMVC - 响应处理",{"path":576,"title":577,"description":578},"\u002Fproject\u002Frocket-leaf\u002Farchitecture","项目架构","Rocket-Leaf 的目录结构、模块划分、数据流向，以及各层之间的依赖关系。",{"path":580,"title":581,"description":582},"\u002Fproject\u002Frocket-leaf\u002Fbackend-layers","后端分层设计","Rocket-Leaf 的 model \u002F rocketmq \u002F service 三层结构，以及服务之间的依赖关系与设计取舍。",{"path":584,"title":585,"description":586},"\u002Fproject\u002Frocket-leaf\u002Fclient-manager","RocketMQ 客户端管理器","AdminClientManager 的多客户端池、默认连接懒加载、自动重连重试的设计与实现。",{"path":588,"title":589,"description":590},"\u002Fproject\u002Frocket-leaf\u002Fencryption","连接信息加密存储","AES-256-GCM + SHA-256 
字段级派生密钥的实现，以及如何在不破坏兼容性的前提下为历史明文数据做透明迁移。",{"path":592,"title":593,"description":594},"\u002Fproject\u002Frocket-leaf\u002Ffrontend","前端结构与类型绑定","React + Vite 目录组织、自动生成的 Wails 绑定、api 薄封装与自定义 hooks 的职责划分。",{"path":596,"title":597,"description":598},"\u002Fproject\u002Frocket-leaf","项目简介","Rocket-Leaf 是一款基于 Wails v3 构建的跨平台 RocketMQ 桌面管理客户端，Go 后端 + React 前端。本文档系列拆解它的架构与关键实现。",{"path":600,"title":601,"description":602},"\u002Fproject\u002Frocket-leaf\u002Fwails-v3","Wails v3 入门","Wails v3 的核心概念、Service 绑定机制，以及 Rocket-Leaf 是如何用它把 Go 后端和 React 前端打通的。",{"path":604,"title":605,"description":11},"\u002Ftutorials\u002Fcloud\u002Fdocker\u002Fdocker-basic","Docker - 入门基础",{"path":607,"title":608,"description":609},"\u002Ftutorials\u002Fcloud\u002Fdocker\u002Fdocker-compose","Docker - Compose","在部署应用时，常常使用到不止一个容器，那么在部署容器的时候就需要一个一个进行部署，这样的部署过程也相对来说比较繁琐复杂，也容易出问题，那么有没有一种更为简单的方法呢？",{"path":611,"title":612,"description":613},"\u002Ftutorials\u002Fcloud\u002Fdocker\u002Fdocker-container-connection","Docker - 容器互联","在上一个章节中我们学习了 Docker 容器的端口映射，可以将 Docker 容器和本地以及网络中的端口进行连接起来。",{"path":615,"title":616,"description":11},"\u002Ftutorials\u002Fcloud\u002Fdocker\u002Fdocker-dockerfile","Docker - Dockerfile",{"path":618,"title":619,"description":11},"\u002Ftutorials\u002Fcloud\u002Fdocker\u002Fdocker-helloworld","Docker - HelloWorld",{"path":621,"title":622,"description":11},"\u002Ftutorials\u002Fcloud\u002Fdocker\u002Fdocker-install","Docker - 安装",{"path":624,"title":625,"description":11},"\u002Ftutorials\u002Fcloud\u002Fdocker\u002Fdocker-introduce","Docker - 简介",{"path":627,"title":628,"description":11},"\u002Ftutorials\u002Fcloud\u002Fdocker\u002Fdocker-object","Docker - 镜像、容器、仓库",{"path":630,"title":631,"description":632},"\u002Ftutorials\u002Fcloud\u002Fdocker\u002Fdocker-warehouse","Docker - 仓库管理","仓库是集中存放资源的地方，代码仓库是存放代码的，那么Docker 中的仓库就是存放 Docker 镜像的。",{"path":634,"title":635,"description":636},"\u002Ftutorials\u002Fcloud\u002Fdocker\u002Fdocker-web-containers","Docker - 
WEB应用实例","在之前的章节中，仅对普通容器进行了演示，但在实际中常常使用到 Docker 容器中的 WEB 应用程序。",{"path":638,"title":639,"description":11},"\u002Ftutorials\u002Fcloud\u002Fkubernetes\u002Fk8s-config","Kubernetes - ConfigMap 与 Secret",{"path":641,"title":642,"description":11},"\u002Ftutorials\u002Fcloud\u002Fkubernetes\u002Fk8s-helm","Kubernetes - Helm 包管理",{"path":644,"title":645,"description":11},"\u002Ftutorials\u002Fcloud\u002Fkubernetes\u002Fk8s-install","Kubernetes - 集群安装",{"path":647,"title":648,"description":11},"\u002Ftutorials\u002Fcloud\u002Fkubernetes\u002Fk8s-introduction","Kubernetes - 简介与架构",{"path":650,"title":651,"description":11},"\u002Ftutorials\u002Fcloud\u002Fkubernetes\u002Fk8s-kubectl","Kubernetes - kubectl 命令行工具",{"path":653,"title":654,"description":11},"\u002Ftutorials\u002Fcloud\u002Fkubernetes\u002Fk8s-monitoring","Kubernetes - 监控与日志",{"path":656,"title":657,"description":11},"\u002Ftutorials\u002Fcloud\u002Fkubernetes\u002Fk8s-network-security","Kubernetes - 网络与安全",{"path":659,"title":660,"description":11},"\u002Ftutorials\u002Fcloud\u002Fkubernetes\u002Fk8s-service","Kubernetes - Service 与 Ingress",{"path":662,"title":663,"description":11},"\u002Ftutorials\u002Fcloud\u002Fkubernetes\u002Fk8s-storage","Kubernetes - 持久化存储",{"path":665,"title":666,"description":11},"\u002Ftutorials\u002Fcloud\u002Fkubernetes\u002Fk8s-workload","Kubernetes - 工作负载资源",{"path":668,"title":669,"description":11},"\u002Ftutorials\u002Fcloud\u002Flinux\u002Flinux-bash","Linux - Bash 基础语法",{"path":671,"title":672,"description":11},"\u002Ftutorials\u002Fcloud\u002Flinux\u002Flinux-file-directory","Linux - 文件与目录操作",{"path":674,"title":675,"description":11},"\u002Ftutorials\u002Fcloud\u002Flinux\u002Flinux-network","Linux - 网络配置",{"path":677,"title":678,"description":11},"\u002Ftutorials\u002Fcloud\u002Flinux\u002Flinux-package","Linux - 软件包管理",{"path":680,"title":681,"description":11},"\u002Ftutorials\u002Fcloud\u002Flinux\u002Flinux-process","Linux - 
进程管理",{"path":683,"title":684,"description":11},"\u002Ftutorials\u002Fcloud\u002Flinux\u002Flinux-scripts","Linux - 常用脚本示例",{"path":686,"title":687,"description":11},"\u002Ftutorials\u002Fcloud\u002Flinux\u002Flinux-service","Linux - 服务管理",{"path":689,"title":690,"description":11},"\u002Ftutorials\u002Fcloud\u002Flinux\u002Flinux-user-permission","Linux - 用户与权限管理",{"path":692,"title":693,"description":11},"\u002Ftutorials\u002Fcloud\u002Fnginx\u002Fnginx-https","Nginx - HTTPS 配置",{"path":695,"title":696,"description":11},"\u002Ftutorials\u002Fcloud\u002Fnginx\u002Fnginx-install","Nginx - 安装与配置",{"path":698,"title":699,"description":11},"\u002Ftutorials\u002Fcloud\u002Fnginx\u002Fnginx-loadbalance","Nginx - 负载均衡",{"path":701,"title":702,"description":11},"\u002Ftutorials\u002Fcloud\u002Fnginx\u002Fnginx-optimization","Nginx - 性能优化",{"path":704,"title":705,"description":11},"\u002Ftutorials\u002Fcloud\u002Fnginx\u002Fnginx-proxy","Nginx - 反向代理",{"path":707,"title":708,"description":11},"\u002Ftutorials\u002Fcloud\u002Fnginx\u002Fnginx-static","Nginx - 静态资源服务",{"path":710,"title":711,"description":11},"\u002Ftutorials\u002Fcloud\u002Fnginx\u002Fnginx-vhost","Nginx - 虚拟主机配置",{"path":713,"title":714,"description":715},"\u002Ftutorials\u002Fdatabase\u002Fmysql\u002Fmysql-architecture","MySQL 高可用架构","主从复制、读写分离、分库分表。",{"path":717,"title":718,"description":719},"\u002Ftutorials\u002Fdatabase\u002Fmysql\u002Fmysql-index","MySQL 索引","索引是帮助 MySQL 高效获取数据的有序数据结构。",{"path":721,"title":722,"description":723},"\u002Ftutorials\u002Fdatabase\u002Fmysql\u002Fmysql-lock","MySQL 锁","锁用于解决并发访问时的数据一致性问题。",{"path":725,"title":726,"description":727},"\u002Ftutorials\u002Fdatabase\u002Fmysql\u002Fmysql-optimize","MySQL 性能优化","SQL 优化是后端开发必备技能。",{"path":729,"title":730,"description":731},"\u002Ftutorials\u002Fdatabase\u002Fmysql\u002Fmysql-transaction","MySQL 
事务","事务是一组不可分割的操作，要么全部成功，要么全部失败。",{"path":733,"title":734,"description":735},"\u002Ftutorials\u002Fdatabase\u002Fmysql\u002Fsql-advanced","SQL 进阶","多表查询、子查询、函数、视图、存储过程。",{"path":737,"title":738,"description":739},"\u002Ftutorials\u002Fdatabase\u002Fmysql\u002Fsql-basic","SQL 基础","SQL（Structured Query Language）是操作关系型数据库的标准语言。",{"path":741,"title":742,"description":743},"\u002Ftutorials\u002Fdatabase\u002Fredis\u002Fredis-advanced","Redis 进阶功能","事务、发布订阅、Lua 脚本、Pipeline。",{"path":745,"title":746,"description":747},"\u002Ftutorials\u002Fdatabase\u002Fredis\u002Fredis-basic","Redis 基础","Redis 安装配置与基本命令。",{"path":749,"title":750,"description":751},"\u002Ftutorials\u002Fdatabase\u002Fredis\u002Fredis-cluster","Redis 高可用","主从复制、哨兵、Cluster 集群。",{"path":753,"title":754,"description":755},"\u002Ftutorials\u002Fdatabase\u002Fredis\u002Fredis-datatype","Redis 数据类型","Redis 5 种基本数据类型 + 4 种特殊类型。",{"path":757,"title":758,"description":759},"\u002Ftutorials\u002Fdatabase\u002Fredis\u002Fredis-optimize","Redis 性能优化","内存优化、缓存问题、最佳实践。",{"path":761,"title":762,"description":763},"\u002Ftutorials\u002Fdatabase\u002Fredis\u002Fredis-persistence","Redis 持久化","Redis 提供 RDB 和 AOF 两种持久化方式。",{"path":765,"title":766,"description":767},"\u002Ftutorials\u002Fdatabase\u002Fredis\u002Fredis-principle","Redis 
底层原理","数据结构、线程模型、网络模型。",{"path":769,"title":770,"description":771},"\u002Ftutorials\u002Fdev-idea\u002Fdesign-patterns\u002Fbehaiver-patterns\u002Fobserver-pattern","观察者模式","观察者模式属于行为型模式，定义了对象之间的一对多的依赖关系，在这种模式中，当一个对象的状态发生变化时，所有依赖于它的对象都会得到通知，并且执行相关操作。观察者模式又被称为“发布—订阅模式”，即发布者发生改变后，会通知所有订阅者。",{"path":773,"title":774,"description":11},"\u002Ftutorials\u002Fdev-idea\u002Fdesign-patterns\u002Fcreate-patterns\u002Ffactory-pattern","工厂模式",{"path":776,"title":777,"description":778},"\u002Ftutorials\u002Fdev-idea\u002Fdesign-patterns\u002Fcreate-patterns\u002Fsingleton-pattern","单例模式","单例模式是最常用的设计模式之一，它可以保证在整个应用中，某个类只存在一个实例化对象，即全局使用到该类的只有一个对象，这种模式在需要限制某些类的实例数量时非常有用，通常全局只需要一个该对象即可，如一些配置文件映射对象、数据库连接对象等。",{"path":780,"title":781,"description":782},"\u002Ftutorials\u002Fdev-idea\u002Fdesign-patterns\u002Fstructural-patterns\u002Fadapter-pattern","适配器模式","适配器模式是一种结构型模式，可以将一个类的接口转换成客户端所期望的另一种接口，适配器模式可以帮助开发人员在不修改现有代码的情况下，将不兼容的类组合在一起。",{"path":784,"title":785,"description":786},"\u002Ftutorials\u002Fdev-tools\u002Fgit\u002Fgit-basic-operations","Git 创建版本库","在 Git 上创建版本库有两种方式，一种是直接拷贝远程 Git 仓库到本地，另外一种是我们自己创建本地的版本库。",{"path":788,"title":789,"description":11},"\u002Ftutorials\u002Fdev-tools\u002Fgit\u002Fgit-branch-manage","Git 分支管理",{"path":791,"title":792,"description":11},"\u002Ftutorials\u002Fdev-tools\u002Fgit\u002Fgit-content-operations","Git 仓库内容操作",{"path":794,"title":795,"description":11},"\u002Ftutorials\u002Fdev-tools\u002Fgit\u002Fgit-introduce-install","Git 介绍和安装",{"path":797,"title":798,"description":11},"\u002Ftutorials\u002Fdev-tools\u002Fgit\u002Fgit-remote-manage","Git 远程管理",{"path":800,"title":801,"description":11},"\u002Ftutorials\u002Fdev-tools\u002Fgit\u002Fgit-workspace-index-repo","Git 工作原理",{"path":803,"title":804,"description":11},"\u002Ftutorials\u002Fdev-tools\u002Fhomebrew","HomeBrew 
教程",{"path":806,"title":807,"description":11},"\u002Ftutorials\u002Fdev-tools\u002Fidea\u002Fshortcuts","快捷键",{"path":809,"title":810,"description":11},"\u002Ftutorials\u002Fdev-tools\u002Fmaven\u002Fintroduce-install-config","Maven - 介绍、安装、配置",{"path":812,"title":813,"description":11},"\u002Ftutorials\u002Ffront-end\u002Fvue3\u002Fbasic-knowledge","2. 基础知识",{"path":815,"title":816,"description":817},"\u002Ftutorials\u002Ffront-end\u002Fvue3\u002Fcomponent-communication","9. 组件通信","在前面的章节内，介绍了 Vue 中最核心的内容——组件的介绍和使用，和 Java 等编程语言相反，组件并不近似于这些变成语言中的类，类可以通过类或者其实例化的对象来相互交互，但 Vue 组件之间的作用域是相互独立的，这就意味着不同组件之间的数据无法相互引用。",{"path":819,"title":820,"description":821},"\u002Ftutorials\u002Ffront-end\u002Fvue3\u002Fcomputed","4. 计算属性","虽然直接在模板中使用表达式方便，但是如果在模板中添加很多逻辑，会让模板变的臃肿且难维护，耦合度较高。有没有一种简单的方式来实现呢？答案是有的。",{"path":823,"title":824,"description":11},"\u002Ftutorials\u002Ffront-end\u002Fvue3\u002Fcreate-vue-project","1. 环境搭建及安装",{"path":826,"title":827,"description":828},"\u002Ftutorials\u002Ffront-end\u002Fvue3\u002Flife-cycle","6. 生命周期","生命周期是指组件从创建、挂载、更新到销毁的整个过程中所经历的一系列阶段。在 Vue 中，每个组件都有自己的生命周期，可以通过生命周期钩子函数来监听和处理组件在不同阶段的行为和状态。",{"path":830,"title":831,"description":11},"\u002Ftutorials\u002Ffront-end\u002Fvue3\u002Fother-api","10. 其他 API",{"path":833,"title":834,"description":11},"\u002Ftutorials\u002Ffront-end\u002Fvue3\u002Fpinia","8. Pinia",{"path":836,"title":837,"description":11},"\u002Ftutorials\u002Ffront-end\u002Fvue3\u002Frouter","7. 路由",{"path":839,"title":840,"description":11},"\u002Ftutorials\u002Ffront-end\u002Fvue3\u002Ftemplate-grammar","3. 指令及模板语法",{"path":842,"title":843,"description":11},"\u002Ftutorials\u002Ffront-end\u002Fvue3\u002Fvue3-new-component","11. Vue3 新组件",{"path":845,"title":846,"description":847},"\u002Ftutorials\u002Ffront-end\u002Fvue3\u002Fwatch","5. 
监视","Watch 是 Vue 提供的一个用于监视响应式数据变化并执行相应操作的 API，能够对响应式数据的变化做出一些操作的功能。Vue3 中的 Watch 支持多种用法，包括监视响应式对象、ref 对象、数组、函数等。",{"path":849,"title":850,"description":11},"\u002Ftutorials\u002Fmq\u002Fkafka\u002Fkafka-introduction","Kafka 简介与安装",{"path":852,"title":853,"description":11},"\u002Ftutorials\u002Fmq\u002Fkafka\u002Fkafka-producer-consumer","Kafka 生产者与消费者",{"path":855,"title":856,"description":857},"\u002Ftutorials\u002Fmq\u002Fkafka\u002Fkafka-springboot","Spring Boot 整合 Kafka","Spring Kafka 提供了对 Apache Kafka 的便捷集成。",{"path":859,"title":860,"description":861},"\u002Ftutorials\u002Fmq\u002Frabbitmq\u002Frabbitmq-exchange","RabbitMQ Exchange 详解","Exchange（交换机）是 RabbitMQ 的核心组件，负责接收生产者发送的消息，并根据规则将消息路由到一个或多个队列。",{"path":863,"title":864,"description":11},"\u002Ftutorials\u002Fmq\u002Frabbitmq\u002Frabbitmq-introduction","RabbitMQ 简介与安装",{"path":866,"title":867,"description":868},"\u002Ftutorials\u002Fmq\u002Frabbitmq\u002Frabbitmq-reliability","RabbitMQ 消息可靠性","消息可靠性是消息队列的核心要求，RabbitMQ 提供了多种机制来保证消息不丢失。",{"path":870,"title":871,"description":872},"\u002Ftutorials\u002Fmq\u002Frabbitmq\u002Frabbitmq-springboot","Spring Boot 整合 RabbitMQ","Spring AMQP 提供了对 RabbitMQ 的便捷集成，大大简化了开发工作。",{"path":874,"title":875,"description":11},"\u002Ftutorials\u002Fmq\u002Frocketmq\u002Frocketmq-client","RocketMQ 客户端使用",{"path":877,"title":878,"description":11},"\u002Ftutorials\u002Fmq\u002Frocketmq\u002Frocketmq-concepts","RocketMQ 核心概念",{"path":880,"title":881,"description":11},"\u002Ftutorials\u002Fmq\u002Frocketmq\u002Frocketmq-installation","RocketMQ 安装部署",{"path":883,"title":884,"description":885},"\u002Ftutorials\u002Fmq\u002Frocketmq\u002Frocketmq-message-type","RocketMQ 消息类型","RocketMQ 
支持多种消息类型，满足不同业务场景需求。",{"id":887,"title":657,"body":888,"description":11,"extension":4626,"meta":4627,"navigation":1088,"path":656,"seo":4628,"stem":4629,"__hash__":4630},"docs\u002Ftutorials\u002Fcloud\u002Fkubernetes\u002Fk8s-network-security.md",{"type":889,"value":890,"toc":4573},"minimark",[891,895,899,903,906,919,923,976,980,983,989,1043,1047,1137,1141,1144,1147,1156,1159,1449,1453,1531,1535,1605,1609,1912,1916,2083,2087,2242,2246,2249,2252,2297,2301,2439,2443,2527,2531,2645,2649,2750,2754,2894,2898,2902,3062,3066,3069,3145,3150,3187,3191,3195,3198,3302,3305,3308,3450,3453,3457,3693,3697,3795,3799,3990,3993,3996,4048,4051,4136,4139,4142,4193,4196,4199,4378,4381,4425,4428,4431,4468,4471,4504,4507,4534,4537,4564,4569],[892,893,894],"h2",{"id":894},"概述",[896,897,898],"p",{},"Kubernetes 网络和安全是生产环境中的重要主题。本文介绍 Kubernetes 的网络模型、网络策略以及安全最佳实践。",[892,900,902],{"id":901},"kubernetes-网络模型","Kubernetes 网络模型",[896,904,905],{},"Kubernetes 网络遵循以下基本原则：",[907,908,909,913,916],"ol",{},[910,911,912],"li",{},"所有 Pod 可以相互通信，无需 NAT",[910,914,915],{},"所有节点可以与所有 Pod 通信，无需 NAT",[910,917,918],{},"Pod 看到的自己的 IP 与其他 Pod 看到的一致",[920,921,922],"h3",{"id":922},"网络通信类型",[924,925,926,940],"table",{},[927,928,929],"thead",{},[930,931,932,937],"tr",{},[933,934,936],"th",{"align":935},"left","类型",[933,938,939],{"align":935},"说明",[941,942,943,952,960,968],"tbody",{},[930,944,945,949],{},[946,947,948],"td",{"align":935},"Pod 内部通信",[946,950,951],{"align":935},"同一 Pod 内容器通过 localhost 通信",[930,953,954,957],{},[946,955,956],{"align":935},"Pod 间通信",[946,958,959],{"align":935},"不同 Pod 通过 Pod IP 直接通信",[930,961,962,965],{},[946,963,964],{"align":935},"Pod 到 Service",[946,966,967],{"align":935},"通过 Service ClusterIP 和 DNS",[930,969,970,973],{},[946,971,972],{"align":935},"外部到集群",[946,974,975],{"align":935},"通过 NodePort、LoadBalancer、Ingress",[920,977,979],{"id":978},"cni-网络插件","CNI 网络插件",[896,981,982],{},"Kubernetes 使用 CNI（Container Network Interface）插件来实现网络功能。",[896,984,985],{},[986,987,988],"strong",{},"常见 
CNI 插件：",[924,990,991,1001],{},[927,992,993],{},[930,994,995,998],{},[933,996,997],{"align":935},"插件",[933,999,1000],{"align":935},"特点",[941,1002,1003,1011,1019,1027,1035],{},[930,1004,1005,1008],{},[946,1006,1007],{"align":935},"Calico",[946,1009,1010],{"align":935},"功能全面，支持 NetworkPolicy",[930,1012,1013,1016],{},[946,1014,1015],{"align":935},"Flannel",[946,1017,1018],{"align":935},"简单易用，适合入门；自身不执行 NetworkPolicy，创建的策略会被静默忽略（需配合 Calico\u002FCanal）",[930,1020,1021,1024],{},[946,1022,1023],{"align":935},"Cilium",[946,1025,1026],{"align":935},"基于 eBPF，高性能，支持 NetworkPolicy 并可扩展到 L7 策略",[930,1028,1029,1032],{},[946,1030,1031],{"align":935},"Weave",[946,1033,1034],{"align":935},"简单，支持加密；上游项目已归档、停止维护，新集群不建议选用",[930,1036,1037,1040],{},[946,1038,1039],{"align":935},"Canal",[946,1041,1042],{"align":935},"Flannel + Calico 的结合",[920,1044,1046],{"id":1045},"安装-calico","安装 Calico",[1048,1049,1053],"pre",{"className":1050,"code":1051,"language":1052,"meta":11,"style":11},"language-bash shiki shiki-themes github-light github-light github-dark","# 使用 kubectl 安装（生产环境应先下载清单审阅、纳入版本控制并固定版本，避免直接 apply 远程 URL）\nkubectl apply -f https:\u002F\u002Fraw.githubusercontent.com\u002Fprojectcalico\u002Fcalico\u002Fv3.26.0\u002Fmanifests\u002Fcalico.yaml\n\n# 或使用 Helm\nhelm repo add projectcalico https:\u002F\u002Fdocs.tigera.io\u002Fcalico\u002Fcharts\nhelm install calico projectcalico\u002Ftigera-operator -n tigera-operator --create-namespace\n","bash",[1054,1055,1056,1065,1083,1090,1096,1114],"code",{"__ignoreMap":11},[1057,1058,1061],"span",{"class":1059,"line":1060},"line",1,[1057,1062,1064],{"class":1063},"sCsY4","# 使用 kubectl 安装（生产环境应先下载清单审阅、纳入版本控制并固定版本，避免直接 apply 远程 URL）\n",[1057,1066,1068,1072,1076,1080],{"class":1059,"line":1067},2,[1057,1069,1071],{"class":1070},"snPdu","kubectl",[1057,1073,1075],{"class":1074},"sIIMD"," apply",[1057,1077,1079],{"class":1078},"sBjJW"," -f",[1057,1081,1082],{"class":1074}," 
https:\u002F\u002Fraw.githubusercontent.com\u002Fprojectcalico\u002Fcalico\u002Fv3.26.0\u002Fmanifests\u002Fcalico.yaml\n",[1057,1084,1086],{"class":1059,"line":1085},3,[1057,1087,1089],{"emptyLinePlaceholder":1088},true,"\n",[1057,1091,1093],{"class":1059,"line":1092},4,[1057,1094,1095],{"class":1063},"# 或使用 Helm\n",[1057,1097,1099,1102,1105,1108,1111],{"class":1059,"line":1098},5,[1057,1100,1101],{"class":1070},"helm",[1057,1103,1104],{"class":1074}," repo",[1057,1106,1107],{"class":1074}," add",[1057,1109,1110],{"class":1074}," projectcalico",[1057,1112,1113],{"class":1074}," https:\u002F\u002Fdocs.tigera.io\u002Fcalico\u002Fcharts\n",[1057,1115,1117,1119,1122,1125,1128,1131,1134],{"class":1059,"line":1116},6,[1057,1118,1101],{"class":1070},[1057,1120,1121],{"class":1074}," install",[1057,1123,1124],{"class":1074}," calico",[1057,1126,1127],{"class":1074}," projectcalico\u002Ftigera-operator",[1057,1129,1130],{"class":1078}," -n",[1057,1132,1133],{"class":1074}," tigera-operator",[1057,1135,1136],{"class":1078}," --create-namespace\n",[892,1138,1140],{"id":1139},"networkpolicy","NetworkPolicy",[896,1142,1143],{},"NetworkPolicy 是 Kubernetes 原生的网络安全策略，用于在 L3\u002FL4（IP、协议、端口）层面控制 Pod 的入站与出站流量，不涉及 L7。",[920,1145,1146],{"id":1146},"默认行为",[1148,1149,1150,1153],"ul",{},[910,1151,1152],{},"默认情况下，Pod 之间没有任何网络隔离：集群内任意 Pod 都可以访问任意其他 Pod 的任意端口，跨命名空间也不例外",[910,1154,1155],{},"NetworkPolicy 只作用于被其 podSelector 选中的 Pod，且只在 policyTypes 列出的方向上生效：被选中的 Pod 在该方向上未被任何策略显式允许的流量会被拒绝，而未被任何策略选中的 Pod 仍然完全开放。多个策略之间是叠加（并集）关系，只能放行、不能相互撤销。NetworkPolicy 是命名空间级资源，下文的默认拒绝策略需要在每个命名空间分别创建。另外，策略由 CNI 插件负责执行：Calico、Cilium 等会强制执行，而单独使用 Flannel 时策略对象虽能创建成功却不会生效（静默失效），上线前务必实际验证隔离效果",[920,1157,1158],{"id":1158},"基本结构",[1048,1160,1164],{"className":1161,"code":1162,"language":1163,"meta":11,"style":11},"language-yaml shiki shiki-themes github-light github-light github-dark","apiVersion: networking.k8s.io\u002Fv1\nkind: NetworkPolicy\nmetadata:\n  name: example-policy\n  namespace: default\nspec:\n  podSelector:          # 选择策略应用的 Pod\n    matchLabels:\n      app: web\n  policyTypes:          # 策略类型\n  - Ingress             # 入站规则\n  - Egress              # 出站规则\n  ingress:              # 入站规则列表\n  - from:\n    - podSelector:\n        matchLabels:\n          role: frontend\n    ports:\n    - protocol: TCP\n      port: 80\n  
egress:               # 出站规则列表\n  - to:\n    - podSelector:\n        matchLabels:\n          role: database\n    ports:\n    - protocol: TCP\n      port: 5432\n","yaml",[1054,1165,1166,1179,1189,1197,1207,1217,1224,1236,1244,1255,1266,1278,1289,1301,1311,1322,1330,1341,1349,1362,1373,1385,1395,1404,1411,1421,1428,1439],{"__ignoreMap":11},[1057,1167,1168,1172,1176],{"class":1059,"line":1060},[1057,1169,1171],{"class":1170},"sovSZ","apiVersion",[1057,1173,1175],{"class":1174},"sxrX7",": ",[1057,1177,1178],{"class":1074},"networking.k8s.io\u002Fv1\n",[1057,1180,1181,1184,1186],{"class":1059,"line":1067},[1057,1182,1183],{"class":1170},"kind",[1057,1185,1175],{"class":1174},[1057,1187,1188],{"class":1074},"NetworkPolicy\n",[1057,1190,1191,1194],{"class":1059,"line":1085},[1057,1192,1193],{"class":1170},"metadata",[1057,1195,1196],{"class":1174},":\n",[1057,1198,1199,1202,1204],{"class":1059,"line":1092},[1057,1200,1201],{"class":1170},"  name",[1057,1203,1175],{"class":1174},[1057,1205,1206],{"class":1074},"example-policy\n",[1057,1208,1209,1212,1214],{"class":1059,"line":1098},[1057,1210,1211],{"class":1170},"  namespace",[1057,1213,1175],{"class":1174},[1057,1215,1216],{"class":1074},"default\n",[1057,1218,1219,1222],{"class":1059,"line":1116},[1057,1220,1221],{"class":1170},"spec",[1057,1223,1196],{"class":1174},[1057,1225,1227,1230,1233],{"class":1059,"line":1226},7,[1057,1228,1229],{"class":1170},"  podSelector",[1057,1231,1232],{"class":1174},":          ",[1057,1234,1235],{"class":1063},"# 选择策略应用的 Pod\n",[1057,1237,1239,1242],{"class":1059,"line":1238},8,[1057,1240,1241],{"class":1170},"    matchLabels",[1057,1243,1196],{"class":1174},[1057,1245,1247,1250,1252],{"class":1059,"line":1246},9,[1057,1248,1249],{"class":1170},"      app",[1057,1251,1175],{"class":1174},[1057,1253,1254],{"class":1074},"web\n",[1057,1256,1258,1261,1263],{"class":1059,"line":1257},10,[1057,1259,1260],{"class":1170},"  
policyTypes",[1057,1262,1232],{"class":1174},[1057,1264,1265],{"class":1063},"# 策略类型\n",[1057,1267,1269,1272,1275],{"class":1059,"line":1268},11,[1057,1270,1271],{"class":1174},"  - ",[1057,1273,1274],{"class":1074},"Ingress",[1057,1276,1277],{"class":1063},"             # 入站规则\n",[1057,1279,1281,1283,1286],{"class":1059,"line":1280},12,[1057,1282,1271],{"class":1174},[1057,1284,1285],{"class":1074},"Egress",[1057,1287,1288],{"class":1063},"              # 出站规则\n",[1057,1290,1292,1295,1298],{"class":1059,"line":1291},13,[1057,1293,1294],{"class":1170},"  ingress",[1057,1296,1297],{"class":1174},":              ",[1057,1299,1300],{"class":1063},"# 入站规则列表\n",[1057,1302,1304,1306,1309],{"class":1059,"line":1303},14,[1057,1305,1271],{"class":1174},[1057,1307,1308],{"class":1170},"from",[1057,1310,1196],{"class":1174},[1057,1312,1314,1317,1320],{"class":1059,"line":1313},15,[1057,1315,1316],{"class":1174},"    - ",[1057,1318,1319],{"class":1170},"podSelector",[1057,1321,1196],{"class":1174},[1057,1323,1325,1328],{"class":1059,"line":1324},16,[1057,1326,1327],{"class":1170},"        matchLabels",[1057,1329,1196],{"class":1174},[1057,1331,1333,1336,1338],{"class":1059,"line":1332},17,[1057,1334,1335],{"class":1170},"          role",[1057,1337,1175],{"class":1174},[1057,1339,1340],{"class":1074},"frontend\n",[1057,1342,1344,1347],{"class":1059,"line":1343},18,[1057,1345,1346],{"class":1170},"    ports",[1057,1348,1196],{"class":1174},[1057,1350,1352,1354,1357,1359],{"class":1059,"line":1351},19,[1057,1353,1316],{"class":1174},[1057,1355,1356],{"class":1170},"protocol",[1057,1358,1175],{"class":1174},[1057,1360,1361],{"class":1074},"TCP\n",[1057,1363,1365,1368,1370],{"class":1059,"line":1364},20,[1057,1366,1367],{"class":1170},"      port",[1057,1369,1175],{"class":1174},[1057,1371,1372],{"class":1078},"80\n",[1057,1374,1376,1379,1382],{"class":1059,"line":1375},21,[1057,1377,1378],{"class":1170},"  egress",[1057,1380,1381],{"class":1174},":               
",[1057,1383,1384],{"class":1063},"# 出站规则列表\n",[1057,1386,1388,1390,1393],{"class":1059,"line":1387},22,[1057,1389,1271],{"class":1174},[1057,1391,1392],{"class":1170},"to",[1057,1394,1196],{"class":1174},[1057,1396,1398,1400,1402],{"class":1059,"line":1397},23,[1057,1399,1316],{"class":1174},[1057,1401,1319],{"class":1170},[1057,1403,1196],{"class":1174},[1057,1405,1407,1409],{"class":1059,"line":1406},24,[1057,1408,1327],{"class":1170},[1057,1410,1196],{"class":1174},[1057,1412,1414,1416,1418],{"class":1059,"line":1413},25,[1057,1415,1335],{"class":1170},[1057,1417,1175],{"class":1174},[1057,1419,1420],{"class":1074},"database\n",[1057,1422,1424,1426],{"class":1059,"line":1423},26,[1057,1425,1346],{"class":1170},[1057,1427,1196],{"class":1174},[1057,1429,1431,1433,1435,1437],{"class":1059,"line":1430},27,[1057,1432,1316],{"class":1174},[1057,1434,1356],{"class":1170},[1057,1436,1175],{"class":1174},[1057,1438,1361],{"class":1074},[1057,1440,1442,1444,1446],{"class":1059,"line":1441},28,[1057,1443,1367],{"class":1170},[1057,1445,1175],{"class":1174},[1057,1447,1448],{"class":1078},"5432\n",[920,1450,1452],{"id":1451},"示例默认拒绝所有入站流量","示例：默认拒绝所有入站流量",[1048,1454,1456],{"className":1161,"code":1455,"language":1163,"meta":11,"style":11},"apiVersion: networking.k8s.io\u002Fv1\nkind: NetworkPolicy\nmetadata:\n  name: default-deny-ingress\n  namespace: default\nspec:\n  podSelector: {}  # 选择所有 Pod\n  policyTypes:\n  - Ingress\n  # 没有定义 ingress 
规则，表示拒绝所有\n",[1054,1457,1458,1466,1474,1480,1489,1497,1503,1513,1519,1526],{"__ignoreMap":11},[1057,1459,1460,1462,1464],{"class":1059,"line":1060},[1057,1461,1171],{"class":1170},[1057,1463,1175],{"class":1174},[1057,1465,1178],{"class":1074},[1057,1467,1468,1470,1472],{"class":1059,"line":1067},[1057,1469,1183],{"class":1170},[1057,1471,1175],{"class":1174},[1057,1473,1188],{"class":1074},[1057,1475,1476,1478],{"class":1059,"line":1085},[1057,1477,1193],{"class":1170},[1057,1479,1196],{"class":1174},[1057,1481,1482,1484,1486],{"class":1059,"line":1092},[1057,1483,1201],{"class":1170},[1057,1485,1175],{"class":1174},[1057,1487,1488],{"class":1074},"default-deny-ingress\n",[1057,1490,1491,1493,1495],{"class":1059,"line":1098},[1057,1492,1211],{"class":1170},[1057,1494,1175],{"class":1174},[1057,1496,1216],{"class":1074},[1057,1498,1499,1501],{"class":1059,"line":1116},[1057,1500,1221],{"class":1170},[1057,1502,1196],{"class":1174},[1057,1504,1505,1507,1510],{"class":1059,"line":1226},[1057,1506,1229],{"class":1170},[1057,1508,1509],{"class":1174},": {}  ",[1057,1511,1512],{"class":1063},"# 选择所有 Pod\n",[1057,1514,1515,1517],{"class":1059,"line":1238},[1057,1516,1260],{"class":1170},[1057,1518,1196],{"class":1174},[1057,1520,1521,1523],{"class":1059,"line":1246},[1057,1522,1271],{"class":1174},[1057,1524,1525],{"class":1074},"Ingress\n",[1057,1527,1528],{"class":1059,"line":1257},[1057,1529,1530],{"class":1063},"  # 没有定义 ingress 规则，表示拒绝所有\n",[920,1532,1534],{"id":1533},"示例默认拒绝所有出站流量","示例：默认拒绝所有出站流量",[1048,1536,1538],{"className":1161,"code":1537,"language":1163,"meta":11,"style":11},"apiVersion: networking.k8s.io\u002Fv1\nkind: NetworkPolicy\nmetadata:\n  name: default-deny-egress\n  namespace: default\nspec:\n  podSelector: {}\n  policyTypes:\n  - 
Egress\n",[1054,1539,1540,1548,1556,1562,1571,1579,1585,1592,1598],{"__ignoreMap":11},[1057,1541,1542,1544,1546],{"class":1059,"line":1060},[1057,1543,1171],{"class":1170},[1057,1545,1175],{"class":1174},[1057,1547,1178],{"class":1074},[1057,1549,1550,1552,1554],{"class":1059,"line":1067},[1057,1551,1183],{"class":1170},[1057,1553,1175],{"class":1174},[1057,1555,1188],{"class":1074},[1057,1557,1558,1560],{"class":1059,"line":1085},[1057,1559,1193],{"class":1170},[1057,1561,1196],{"class":1174},[1057,1563,1564,1566,1568],{"class":1059,"line":1092},[1057,1565,1201],{"class":1170},[1057,1567,1175],{"class":1174},[1057,1569,1570],{"class":1074},"default-deny-egress\n",[1057,1572,1573,1575,1577],{"class":1059,"line":1098},[1057,1574,1211],{"class":1170},[1057,1576,1175],{"class":1174},[1057,1578,1216],{"class":1074},[1057,1580,1581,1583],{"class":1059,"line":1116},[1057,1582,1221],{"class":1170},[1057,1584,1196],{"class":1174},[1057,1586,1587,1589],{"class":1059,"line":1226},[1057,1588,1229],{"class":1170},[1057,1590,1591],{"class":1174},": {}\n",[1057,1593,1594,1596],{"class":1059,"line":1238},[1057,1595,1260],{"class":1170},[1057,1597,1196],{"class":1174},[1057,1599,1600,1602],{"class":1059,"line":1246},[1057,1601,1271],{"class":1174},[1057,1603,1604],{"class":1074},"Egress\n",[920,1606,1608],{"id":1607},"示例允许特定-pod-访问","示例：允许特定 Pod 访问",[1048,1610,1612],{"className":1161,"code":1611,"language":1163,"meta":11,"style":11},"apiVersion: networking.k8s.io\u002Fv1\nkind: NetworkPolicy\nmetadata:\n  name: api-policy\n  namespace: default\nspec:\n  podSelector:\n    matchLabels:\n      app: api\n  policyTypes:\n  - Ingress\n  - Egress\n  ingress:\n  # 允许来自 frontend 的流量\n  - from:\n    - podSelector:\n        matchLabels:\n          app: frontend\n    ports:\n    - protocol: TCP\n      port: 8080\n  egress:\n  # 允许访问 database\n  - to:\n    - podSelector:\n        matchLabels:\n          app: database\n    ports:\n    - protocol: TCP\n      port: 5432\n  # 允许 DNS 查询\n  - to:\n  
  - namespaceSelector: {}\n      podSelector:\n        matchLabels:\n          k8s-app: kube-dns\n    ports:\n    - protocol: UDP\n      port: 53\n",[1054,1613,1614,1622,1630,1636,1645,1653,1659,1665,1671,1680,1686,1692,1698,1704,1709,1717,1725,1731,1740,1746,1756,1765,1771,1776,1784,1792,1798,1806,1812,1823,1832,1838,1847,1857,1865,1872,1883,1890,1902],{"__ignoreMap":11},[1057,1615,1616,1618,1620],{"class":1059,"line":1060},[1057,1617,1171],{"class":1170},[1057,1619,1175],{"class":1174},[1057,1621,1178],{"class":1074},[1057,1623,1624,1626,1628],{"class":1059,"line":1067},[1057,1625,1183],{"class":1170},[1057,1627,1175],{"class":1174},[1057,1629,1188],{"class":1074},[1057,1631,1632,1634],{"class":1059,"line":1085},[1057,1633,1193],{"class":1170},[1057,1635,1196],{"class":1174},[1057,1637,1638,1640,1642],{"class":1059,"line":1092},[1057,1639,1201],{"class":1170},[1057,1641,1175],{"class":1174},[1057,1643,1644],{"class":1074},"api-policy\n",[1057,1646,1647,1649,1651],{"class":1059,"line":1098},[1057,1648,1211],{"class":1170},[1057,1650,1175],{"class":1174},[1057,1652,1216],{"class":1074},[1057,1654,1655,1657],{"class":1059,"line":1116},[1057,1656,1221],{"class":1170},[1057,1658,1196],{"class":1174},[1057,1660,1661,1663],{"class":1059,"line":1226},[1057,1662,1229],{"class":1170},[1057,1664,1196],{"class":1174},[1057,1666,1667,1669],{"class":1059,"line":1238},[1057,1668,1241],{"class":1170},[1057,1670,1196],{"class":1174},[1057,1672,1673,1675,1677],{"class":1059,"line":1246},[1057,1674,1249],{"class":1170},[1057,1676,1175],{"class":1174},[1057,1678,1679],{"class":1074},"api\n",[1057,1681,1682,1684],{"class":1059,"line":1257},[1057,1683,1260],{"class":1170},[1057,1685,1196],{"class":1174},[1057,1687,1688,1690],{"class":1059,"line":1268},[1057,1689,1271],{"class":1174},[1057,1691,1525],{"class":1074},[1057,1693,1694,1696],{"class":1059,"line":1280},[1057,1695,1271],{"class":1174},[1057,1697,1604],{"class":1074},[1057,1699,1700,1702],{"class":1059,"line":1291},[1057,1701,1
294],{"class":1170},[1057,1703,1196],{"class":1174},[1057,1705,1706],{"class":1059,"line":1303},[1057,1707,1708],{"class":1063},"  # 允许来自 frontend 的流量\n",[1057,1710,1711,1713,1715],{"class":1059,"line":1313},[1057,1712,1271],{"class":1174},[1057,1714,1308],{"class":1170},[1057,1716,1196],{"class":1174},[1057,1718,1719,1721,1723],{"class":1059,"line":1324},[1057,1720,1316],{"class":1174},[1057,1722,1319],{"class":1170},[1057,1724,1196],{"class":1174},[1057,1726,1727,1729],{"class":1059,"line":1332},[1057,1728,1327],{"class":1170},[1057,1730,1196],{"class":1174},[1057,1732,1733,1736,1738],{"class":1059,"line":1343},[1057,1734,1735],{"class":1170},"          app",[1057,1737,1175],{"class":1174},[1057,1739,1340],{"class":1074},[1057,1741,1742,1744],{"class":1059,"line":1351},[1057,1743,1346],{"class":1170},[1057,1745,1196],{"class":1174},[1057,1747,1748,1750,1752,1754],{"class":1059,"line":1364},[1057,1749,1316],{"class":1174},[1057,1751,1356],{"class":1170},[1057,1753,1175],{"class":1174},[1057,1755,1361],{"class":1074},[1057,1757,1758,1760,1762],{"class":1059,"line":1375},[1057,1759,1367],{"class":1170},[1057,1761,1175],{"class":1174},[1057,1763,1764],{"class":1078},"8080\n",[1057,1766,1767,1769],{"class":1059,"line":1387},[1057,1768,1378],{"class":1170},[1057,1770,1196],{"class":1174},[1057,1772,1773],{"class":1059,"line":1397},[1057,1774,1775],{"class":1063},"  # 允许访问 
database\n",[1057,1777,1778,1780,1782],{"class":1059,"line":1406},[1057,1779,1271],{"class":1174},[1057,1781,1392],{"class":1170},[1057,1783,1196],{"class":1174},[1057,1785,1786,1788,1790],{"class":1059,"line":1413},[1057,1787,1316],{"class":1174},[1057,1789,1319],{"class":1170},[1057,1791,1196],{"class":1174},[1057,1793,1794,1796],{"class":1059,"line":1423},[1057,1795,1327],{"class":1170},[1057,1797,1196],{"class":1174},[1057,1799,1800,1802,1804],{"class":1059,"line":1430},[1057,1801,1735],{"class":1170},[1057,1803,1175],{"class":1174},[1057,1805,1420],{"class":1074},[1057,1807,1808,1810],{"class":1059,"line":1441},[1057,1809,1346],{"class":1170},[1057,1811,1196],{"class":1174},[1057,1813,1815,1817,1819,1821],{"class":1059,"line":1814},29,[1057,1816,1316],{"class":1174},[1057,1818,1356],{"class":1170},[1057,1820,1175],{"class":1174},[1057,1822,1361],{"class":1074},[1057,1824,1826,1828,1830],{"class":1059,"line":1825},30,[1057,1827,1367],{"class":1170},[1057,1829,1175],{"class":1174},[1057,1831,1448],{"class":1078},[1057,1833,1835],{"class":1059,"line":1834},31,[1057,1836,1837],{"class":1063},"  # 允许 DNS 查询\n",[1057,1839,1841,1843,1845],{"class":1059,"line":1840},32,[1057,1842,1271],{"class":1174},[1057,1844,1392],{"class":1170},[1057,1846,1196],{"class":1174},[1057,1848,1850,1852,1855],{"class":1059,"line":1849},33,[1057,1851,1316],{"class":1174},[1057,1853,1854],{"class":1170},"namespaceSelector",[1057,1856,1591],{"class":1174},[1057,1858,1860,1863],{"class":1059,"line":1859},34,[1057,1861,1862],{"class":1170},"      podSelector",[1057,1864,1196],{"class":1174},[1057,1866,1868,1870],{"class":1059,"line":1867},35,[1057,1869,1327],{"class":1170},[1057,1871,1196],{"class":1174},[1057,1873,1875,1878,1880],{"class":1059,"line":1874},36,[1057,1876,1877],{"class":1170},"          
k8s-app",[1057,1879,1175],{"class":1174},[1057,1881,1882],{"class":1074},"kube-dns\n",[1057,1884,1886,1888],{"class":1059,"line":1885},37,[1057,1887,1346],{"class":1170},[1057,1889,1196],{"class":1174},[1057,1891,1893,1895,1897,1899],{"class":1059,"line":1892},38,[1057,1894,1316],{"class":1174},[1057,1896,1356],{"class":1170},[1057,1898,1175],{"class":1174},[1057,1900,1901],{"class":1074},"UDP\n",[1057,1903,1905,1907,1909],{"class":1059,"line":1904},39,[1057,1906,1367],{"class":1170},[1057,1908,1175],{"class":1174},[1057,1910,1911],{"class":1078},"53\n",[920,1913,1915],{"id":1914},"示例跨命名空间访问","示例：跨命名空间访问",[1048,1917,1919],{"className":1161,"code":1918,"language":1163,"meta":11,"style":11},"apiVersion: networking.k8s.io\u002Fv1\nkind: NetworkPolicy\nmetadata:\n  name: allow-from-monitoring\n  namespace: production\nspec:\n  podSelector:\n    matchLabels:\n      app: api\n  policyTypes:\n  - Ingress\n  ingress:\n  - from:\n    - namespaceSelector:\n        matchLabels:\n          name: monitoring\n      podSelector:\n        matchLabels:\n          app: prometheus\n    ports:\n    - protocol: TCP\n      port: 
9090\n",[1054,1920,1921,1929,1937,1943,1952,1961,1967,1973,1979,1987,1993,1999,2005,2013,2021,2027,2037,2043,2049,2058,2064,2074],{"__ignoreMap":11},[1057,1922,1923,1925,1927],{"class":1059,"line":1060},[1057,1924,1171],{"class":1170},[1057,1926,1175],{"class":1174},[1057,1928,1178],{"class":1074},[1057,1930,1931,1933,1935],{"class":1059,"line":1067},[1057,1932,1183],{"class":1170},[1057,1934,1175],{"class":1174},[1057,1936,1188],{"class":1074},[1057,1938,1939,1941],{"class":1059,"line":1085},[1057,1940,1193],{"class":1170},[1057,1942,1196],{"class":1174},[1057,1944,1945,1947,1949],{"class":1059,"line":1092},[1057,1946,1201],{"class":1170},[1057,1948,1175],{"class":1174},[1057,1950,1951],{"class":1074},"allow-from-monitoring\n",[1057,1953,1954,1956,1958],{"class":1059,"line":1098},[1057,1955,1211],{"class":1170},[1057,1957,1175],{"class":1174},[1057,1959,1960],{"class":1074},"production\n",[1057,1962,1963,1965],{"class":1059,"line":1116},[1057,1964,1221],{"class":1170},[1057,1966,1196],{"class":1174},[1057,1968,1969,1971],{"class":1059,"line":1226},[1057,1970,1229],{"class":1170},[1057,1972,1196],{"class":1174},[1057,1974,1975,1977],{"class":1059,"line":1238},[1057,1976,1241],{"class":1170},[1057,1978,1196],{"class":1174},[1057,1980,1981,1983,1985],{"class":1059,"line":1246},[1057,1982,1249],{"class":1170},[1057,1984,1175],{"class":1174},[1057,1986,1679],{"class":1074},[1057,1988,1989,1991],{"class":1059,"line":1257},[1057,1990,1260],{"class":1170},[1057,1992,1196],{"class":1174},[1057,1994,1995,1997],{"class":1059,"line":1268},[1057,1996,1271],{"class":1174},[1057,1998,1525],{"class":1074},[1057,2000,2001,2003],{"class":1059,"line":1280},[1057,2002,1294],{"class":1170},[1057,2004,1196],{"class":1174},[1057,2006,2007,2009,2011],{"class":1059,"line":1291},[1057,2008,1271],{"class":1174},[1057,2010,1308],{"class":1170},[1057,2012,1196],{"class":1174},[1057,2014,2015,2017,2019],{"class":1059,"line":1303},[1057,2016,1316],{"class":1174},[1057,2018,1854],{"class":1170},[
1057,2020,1196],{"class":1174},[1057,2022,2023,2025],{"class":1059,"line":1313},[1057,2024,1327],{"class":1170},[1057,2026,1196],{"class":1174},[1057,2028,2029,2032,2034],{"class":1059,"line":1324},[1057,2030,2031],{"class":1170},"          name",[1057,2033,1175],{"class":1174},[1057,2035,2036],{"class":1074},"monitoring\n",[1057,2038,2039,2041],{"class":1059,"line":1332},[1057,2040,1862],{"class":1170},[1057,2042,1196],{"class":1174},[1057,2044,2045,2047],{"class":1059,"line":1343},[1057,2046,1327],{"class":1170},[1057,2048,1196],{"class":1174},[1057,2050,2051,2053,2055],{"class":1059,"line":1351},[1057,2052,1735],{"class":1170},[1057,2054,1175],{"class":1174},[1057,2056,2057],{"class":1074},"prometheus\n",[1057,2059,2060,2062],{"class":1059,"line":1364},[1057,2061,1346],{"class":1170},[1057,2063,1196],{"class":1174},[1057,2065,2066,2068,2070,2072],{"class":1059,"line":1375},[1057,2067,1316],{"class":1174},[1057,2069,1356],{"class":1170},[1057,2071,1175],{"class":1174},[1057,2073,1361],{"class":1074},[1057,2075,2076,2078,2080],{"class":1059,"line":1387},[1057,2077,1367],{"class":1170},[1057,2079,1175],{"class":1174},[1057,2081,2082],{"class":1078},"9090\n",[920,2084,2086],{"id":2085},"示例允许外部-ip-访问","示例：允许外部 IP 访问",[1048,2088,2090],{"className":1161,"code":2089,"language":1163,"meta":11,"style":11},"apiVersion: networking.k8s.io\u002Fv1\nkind: NetworkPolicy\nmetadata:\n  name: allow-external\n  namespace: default\nspec:\n  podSelector:\n    matchLabels:\n      app: web\n  policyTypes:\n  - Ingress\n  ingress:\n  - from:\n    - ipBlock:\n        cidr: 10.0.0.0\u002F8\n        except:\n        - 10.0.0.0\u002F24\n    ports:\n    - protocol: TCP\n      port: 
443\n",[1054,2091,2092,2100,2108,2114,2123,2131,2137,2143,2149,2157,2163,2169,2175,2183,2192,2202,2209,2217,2223,2233],{"__ignoreMap":11},[1057,2093,2094,2096,2098],{"class":1059,"line":1060},[1057,2095,1171],{"class":1170},[1057,2097,1175],{"class":1174},[1057,2099,1178],{"class":1074},[1057,2101,2102,2104,2106],{"class":1059,"line":1067},[1057,2103,1183],{"class":1170},[1057,2105,1175],{"class":1174},[1057,2107,1188],{"class":1074},[1057,2109,2110,2112],{"class":1059,"line":1085},[1057,2111,1193],{"class":1170},[1057,2113,1196],{"class":1174},[1057,2115,2116,2118,2120],{"class":1059,"line":1092},[1057,2117,1201],{"class":1170},[1057,2119,1175],{"class":1174},[1057,2121,2122],{"class":1074},"allow-external\n",[1057,2124,2125,2127,2129],{"class":1059,"line":1098},[1057,2126,1211],{"class":1170},[1057,2128,1175],{"class":1174},[1057,2130,1216],{"class":1074},[1057,2132,2133,2135],{"class":1059,"line":1116},[1057,2134,1221],{"class":1170},[1057,2136,1196],{"class":1174},[1057,2138,2139,2141],{"class":1059,"line":1226},[1057,2140,1229],{"class":1170},[1057,2142,1196],{"class":1174},[1057,2144,2145,2147],{"class":1059,"line":1238},[1057,2146,1241],{"class":1170},[1057,2148,1196],{"class":1174},[1057,2150,2151,2153,2155],{"class":1059,"line":1246},[1057,2152,1249],{"class":1170},[1057,2154,1175],{"class":1174},[1057,2156,1254],{"class":1074},[1057,2158,2159,2161],{"class":1059,"line":1257},[1057,2160,1260],{"class":1170},[1057,2162,1196],{"class":1174},[1057,2164,2165,2167],{"class":1059,"line":1268},[1057,2166,1271],{"class":1174},[1057,2168,1525],{"class":1074},[1057,2170,2171,2173],{"class":1059,"line":1280},[1057,2172,1294],{"class":1170},[1057,2174,1196],{"class":1174},[1057,2176,2177,2179,2181],{"class":1059,"line":1291},[1057,2178,1271],{"class":1174},[1057,2180,1308],{"class":1170},[1057,2182,1196],{"class":1174},[1057,2184,2185,2187,2190],{"class":1059,"line":1303},[1057,2186,1316],{"class":1174},[1057,2188,2189],{"class":1170},"ipBlock",[1057,2191,1196],{"class
":1174},[1057,2193,2194,2197,2199],{"class":1059,"line":1313},[1057,2195,2196],{"class":1170},"        cidr",[1057,2198,1175],{"class":1174},[1057,2200,2201],{"class":1074},"10.0.0.0\u002F8\n",[1057,2203,2204,2207],{"class":1059,"line":1324},[1057,2205,2206],{"class":1170},"        except",[1057,2208,1196],{"class":1174},[1057,2210,2211,2214],{"class":1059,"line":1332},[1057,2212,2213],{"class":1174},"        - ",[1057,2215,2216],{"class":1074},"10.0.0.0\u002F24\n",[1057,2218,2219,2221],{"class":1059,"line":1343},[1057,2220,1346],{"class":1170},[1057,2222,1196],{"class":1174},[1057,2224,2225,2227,2229,2231],{"class":1059,"line":1351},[1057,2226,1316],{"class":1174},[1057,2228,1356],{"class":1170},[1057,2230,1175],{"class":1174},[1057,2232,1361],{"class":1074},[1057,2234,2235,2237,2239],{"class":1059,"line":1364},[1057,2236,1367],{"class":1170},[1057,2238,1175],{"class":1174},[1057,2240,2241],{"class":1078},"443\n",[892,2243,2245],{"id":2244},"rbac-权限控制","RBAC 权限控制",[896,2247,2248],{},"RBAC（Role-Based Access Control）是 Kubernetes 的授权机制。",[920,2250,2251],{"id":2251},"核心概念",[924,2253,2254,2263],{},[927,2255,2256],{},[930,2257,2258,2261],{},[933,2259,2260],{"align":935},"资源",[933,2262,939],{"align":935},[941,2264,2265,2273,2281,2289],{},[930,2266,2267,2270],{},[946,2268,2269],{"align":935},"Role",[946,2271,2272],{"align":935},"命名空间级别的权限定义",[930,2274,2275,2278],{},[946,2276,2277],{"align":935},"ClusterRole",[946,2279,2280],{"align":935},"集群级别的权限定义",[930,2282,2283,2286],{},[946,2284,2285],{"align":935},"RoleBinding",[946,2287,2288],{"align":935},"将 Role 绑定到用户\u002F组\u002FServiceAccount",[930,2290,2291,2294],{},[946,2292,2293],{"align":935},"ClusterRoleBinding",[946,2295,2296],{"align":935},"将 ClusterRole 绑定到用户\u002F组\u002FServiceAccount",[920,2298,2300],{"id":2299},"创建-role","创建 Role",[1048,2302,2304],{"className":1161,"code":2303,"language":1163,"meta":11,"style":11},"apiVersion: rbac.authorization.k8s.io\u002Fv1\nkind: Role\nmetadata:\n  name: pod-reader\n  namespace: 
default\nrules:\n- apiGroups: [\"\"]\n  resources: [\"pods\"]\n  verbs: [\"get\", \"list\", \"watch\"]\n- apiGroups: [\"\"]\n  resources: [\"pods\u002Flog\"]\n  verbs: [\"get\"]\n",[1054,2305,2306,2315,2324,2330,2339,2347,2354,2371,2383,2406,2418,2429],{"__ignoreMap":11},[1057,2307,2308,2310,2312],{"class":1059,"line":1060},[1057,2309,1171],{"class":1170},[1057,2311,1175],{"class":1174},[1057,2313,2314],{"class":1074},"rbac.authorization.k8s.io\u002Fv1\n",[1057,2316,2317,2319,2321],{"class":1059,"line":1067},[1057,2318,1183],{"class":1170},[1057,2320,1175],{"class":1174},[1057,2322,2323],{"class":1074},"Role\n",[1057,2325,2326,2328],{"class":1059,"line":1085},[1057,2327,1193],{"class":1170},[1057,2329,1196],{"class":1174},[1057,2331,2332,2334,2336],{"class":1059,"line":1092},[1057,2333,1201],{"class":1170},[1057,2335,1175],{"class":1174},[1057,2337,2338],{"class":1074},"pod-reader\n",[1057,2340,2341,2343,2345],{"class":1059,"line":1098},[1057,2342,1211],{"class":1170},[1057,2344,1175],{"class":1174},[1057,2346,1216],{"class":1074},[1057,2348,2349,2352],{"class":1059,"line":1116},[1057,2350,2351],{"class":1170},"rules",[1057,2353,1196],{"class":1174},[1057,2355,2356,2359,2362,2365,2368],{"class":1059,"line":1226},[1057,2357,2358],{"class":1174},"- ",[1057,2360,2361],{"class":1170},"apiGroups",[1057,2363,2364],{"class":1174},": [",[1057,2366,2367],{"class":1074},"\"\"",[1057,2369,2370],{"class":1174},"]\n",[1057,2372,2373,2376,2378,2381],{"class":1059,"line":1238},[1057,2374,2375],{"class":1170},"  resources",[1057,2377,2364],{"class":1174},[1057,2379,2380],{"class":1074},"\"pods\"",[1057,2382,2370],{"class":1174},[1057,2384,2385,2388,2390,2393,2396,2399,2401,2404],{"class":1059,"line":1246},[1057,2386,2387],{"class":1170},"  verbs",[1057,2389,2364],{"class":1174},[1057,2391,2392],{"class":1074},"\"get\"",[1057,2394,2395],{"class":1174},", 
",[1057,2397,2398],{"class":1074},"\"list\"",[1057,2400,2395],{"class":1174},[1057,2402,2403],{"class":1074},"\"watch\"",[1057,2405,2370],{"class":1174},[1057,2407,2408,2410,2412,2414,2416],{"class":1059,"line":1257},[1057,2409,2358],{"class":1174},[1057,2411,2361],{"class":1170},[1057,2413,2364],{"class":1174},[1057,2415,2367],{"class":1074},[1057,2417,2370],{"class":1174},[1057,2419,2420,2422,2424,2427],{"class":1059,"line":1268},[1057,2421,2375],{"class":1170},[1057,2423,2364],{"class":1174},[1057,2425,2426],{"class":1074},"\"pods\u002Flog\"",[1057,2428,2370],{"class":1174},[1057,2430,2431,2433,2435,2437],{"class":1059,"line":1280},[1057,2432,2387],{"class":1170},[1057,2434,2364],{"class":1174},[1057,2436,2392],{"class":1074},[1057,2438,2370],{"class":1174},[920,2440,2442],{"id":2441},"创建-clusterrole","创建 ClusterRole",[1048,2444,2446],{"className":1161,"code":2445,"language":1163,"meta":11,"style":11},"apiVersion: rbac.authorization.k8s.io\u002Fv1\nkind: ClusterRole\nmetadata:\n  name: secret-reader\nrules:\n- apiGroups: [\"\"]\n  resources: [\"secrets\"]\n  verbs: [\"get\", \"list\", 
\"watch\"]\n",[1054,2447,2448,2456,2465,2471,2480,2486,2498,2509],{"__ignoreMap":11},[1057,2449,2450,2452,2454],{"class":1059,"line":1060},[1057,2451,1171],{"class":1170},[1057,2453,1175],{"class":1174},[1057,2455,2314],{"class":1074},[1057,2457,2458,2460,2462],{"class":1059,"line":1067},[1057,2459,1183],{"class":1170},[1057,2461,1175],{"class":1174},[1057,2463,2464],{"class":1074},"ClusterRole\n",[1057,2466,2467,2469],{"class":1059,"line":1085},[1057,2468,1193],{"class":1170},[1057,2470,1196],{"class":1174},[1057,2472,2473,2475,2477],{"class":1059,"line":1092},[1057,2474,1201],{"class":1170},[1057,2476,1175],{"class":1174},[1057,2478,2479],{"class":1074},"secret-reader\n",[1057,2481,2482,2484],{"class":1059,"line":1098},[1057,2483,2351],{"class":1170},[1057,2485,1196],{"class":1174},[1057,2487,2488,2490,2492,2494,2496],{"class":1059,"line":1116},[1057,2489,2358],{"class":1174},[1057,2491,2361],{"class":1170},[1057,2493,2364],{"class":1174},[1057,2495,2367],{"class":1074},[1057,2497,2370],{"class":1174},[1057,2499,2500,2502,2504,2507],{"class":1059,"line":1226},[1057,2501,2375],{"class":1170},[1057,2503,2364],{"class":1174},[1057,2505,2506],{"class":1074},"\"secrets\"",[1057,2508,2370],{"class":1174},[1057,2510,2511,2513,2515,2517,2519,2521,2523,2525],{"class":1059,"line":1238},[1057,2512,2387],{"class":1170},[1057,2514,2364],{"class":1174},[1057,2516,2392],{"class":1074},[1057,2518,2395],{"class":1174},[1057,2520,2398],{"class":1074},[1057,2522,2395],{"class":1174},[1057,2524,2403],{"class":1074},[1057,2526,2370],{"class":1174},[920,2528,2530],{"id":2529},"创建-rolebinding","创建 RoleBinding",[1048,2532,2534],{"className":1161,"code":2533,"language":1163,"meta":11,"style":11},"apiVersion: rbac.authorization.k8s.io\u002Fv1\nkind: RoleBinding\nmetadata:\n  name: read-pods\n  namespace: default\nsubjects:\n- kind: ServiceAccount\n  name: my-service-account\n  namespace: default\nroleRef:\n  kind: Role\n  name: pod-reader\n  apiGroup: 
rbac.authorization.k8s.io\n",[1054,2535,2536,2544,2553,2559,2568,2576,2583,2594,2603,2611,2618,2627,2635],{"__ignoreMap":11},[1057,2537,2538,2540,2542],{"class":1059,"line":1060},[1057,2539,1171],{"class":1170},[1057,2541,1175],{"class":1174},[1057,2543,2314],{"class":1074},[1057,2545,2546,2548,2550],{"class":1059,"line":1067},[1057,2547,1183],{"class":1170},[1057,2549,1175],{"class":1174},[1057,2551,2552],{"class":1074},"RoleBinding\n",[1057,2554,2555,2557],{"class":1059,"line":1085},[1057,2556,1193],{"class":1170},[1057,2558,1196],{"class":1174},[1057,2560,2561,2563,2565],{"class":1059,"line":1092},[1057,2562,1201],{"class":1170},[1057,2564,1175],{"class":1174},[1057,2566,2567],{"class":1074},"read-pods\n",[1057,2569,2570,2572,2574],{"class":1059,"line":1098},[1057,2571,1211],{"class":1170},[1057,2573,1175],{"class":1174},[1057,2575,1216],{"class":1074},[1057,2577,2578,2581],{"class":1059,"line":1116},[1057,2579,2580],{"class":1170},"subjects",[1057,2582,1196],{"class":1174},[1057,2584,2585,2587,2589,2591],{"class":1059,"line":1226},[1057,2586,2358],{"class":1174},[1057,2588,1183],{"class":1170},[1057,2590,1175],{"class":1174},[1057,2592,2593],{"class":1074},"ServiceAccount\n",[1057,2595,2596,2598,2600],{"class":1059,"line":1238},[1057,2597,1201],{"class":1170},[1057,2599,1175],{"class":1174},[1057,2601,2602],{"class":1074},"my-service-account\n",[1057,2604,2605,2607,2609],{"class":1059,"line":1246},[1057,2606,1211],{"class":1170},[1057,2608,1175],{"class":1174},[1057,2610,1216],{"class":1074},[1057,2612,2613,2616],{"class":1059,"line":1257},[1057,2614,2615],{"class":1170},"roleRef",[1057,2617,1196],{"class":1174},[1057,2619,2620,2623,2625],{"class":1059,"line":1268},[1057,2621,2622],{"class":1170},"  
kind",[1057,2624,1175],{"class":1174},[1057,2626,2323],{"class":1074},[1057,2628,2629,2631,2633],{"class":1059,"line":1280},[1057,2630,1201],{"class":1170},[1057,2632,1175],{"class":1174},[1057,2634,2338],{"class":1074},[1057,2636,2637,2640,2642],{"class":1059,"line":1291},[1057,2638,2639],{"class":1170},"  apiGroup",[1057,2641,1175],{"class":1174},[1057,2643,2644],{"class":1074},"rbac.authorization.k8s.io\n",[920,2646,2648],{"id":2647},"创建-clusterrolebinding","创建 ClusterRoleBinding",[1048,2650,2652],{"className":1161,"code":2651,"language":1163,"meta":11,"style":11},"apiVersion: rbac.authorization.k8s.io\u002Fv1\nkind: ClusterRoleBinding\nmetadata:\n  name: read-secrets-global\nsubjects:\n- kind: Group\n  name: developers\n  apiGroup: rbac.authorization.k8s.io\nroleRef:\n  kind: ClusterRole\n  name: secret-reader\n  apiGroup: rbac.authorization.k8s.io\n",[1054,2653,2654,2662,2671,2677,2686,2692,2703,2712,2720,2726,2734,2742],{"__ignoreMap":11},[1057,2655,2656,2658,2660],{"class":1059,"line":1060},[1057,2657,1171],{"class":1170},[1057,2659,1175],{"class":1174},[1057,2661,2314],{"class":1074},[1057,2663,2664,2666,2668],{"class":1059,"line":1067},[1057,2665,1183],{"class":1170},[1057,2667,1175],{"class":1174},[1057,2669,2670],{"class":1074},"ClusterRoleBinding\n",[1057,2672,2673,2675],{"class":1059,"line":1085},[1057,2674,1193],{"class":1170},[1057,2676,1196],{"class":1174},[1057,2678,2679,2681,2683],{"class":1059,"line":1092},[1057,2680,1201],{"class":1170},[1057,2682,1175],{"class":1174},[1057,2684,2685],{"class":1074},"read-secrets-global\n",[1057,2687,2688,2690],{"class":1059,"line":1098},[1057,2689,2580],{"class":1170},[1057,2691,1196],{"class":1174},[1057,2693,2694,2696,2698,2700],{"class":1059,"line":1116},[1057,2695,2358],{"class":1174},[1057,2697,1183],{"class":1170},[1057,2699,1175],{"class":1174},[1057,2701,2702],{"class":1074},"Group\n",[1057,2704,2705,2707,2709],{"class":1059,"line":1226},[1057,2706,1201],{"class":1170},[1057,2708,1175],{"class":1174},[10
57,2710,2711],{"class":1074},"developers\n",[1057,2713,2714,2716,2718],{"class":1059,"line":1238},[1057,2715,2639],{"class":1170},[1057,2717,1175],{"class":1174},[1057,2719,2644],{"class":1074},[1057,2721,2722,2724],{"class":1059,"line":1246},[1057,2723,2615],{"class":1170},[1057,2725,1196],{"class":1174},[1057,2727,2728,2730,2732],{"class":1059,"line":1257},[1057,2729,2622],{"class":1170},[1057,2731,1175],{"class":1174},[1057,2733,2464],{"class":1074},[1057,2735,2736,2738,2740],{"class":1059,"line":1268},[1057,2737,1201],{"class":1170},[1057,2739,1175],{"class":1174},[1057,2741,2479],{"class":1074},[1057,2743,2744,2746,2748],{"class":1059,"line":1280},[1057,2745,2639],{"class":1170},[1057,2747,1175],{"class":1174},[1057,2749,2644],{"class":1074},[920,2751,2753],{"id":2752},"serviceaccount","ServiceAccount",[1048,2755,2757],{"className":1161,"code":2756,"language":1163,"meta":11,"style":11},"# 创建 ServiceAccount\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: app-service-account\n  namespace: default\n\n---\n# 在 Pod 中使用\napiVersion: v1\nkind: Pod\nmetadata:\n  name: app-pod\nspec:\n  serviceAccountName: app-service-account\n  containers:\n  - name: app\n    image: myapp:1.0\n",[1054,2758,2759,2764,2773,2781,2787,2796,2804,2808,2813,2818,2826,2835,2841,2850,2856,2865,2872,2884],{"__ignoreMap":11},[1057,2760,2761],{"class":1059,"line":1060},[1057,2762,2763],{"class":1063},"# 创建 
ServiceAccount\n",[1057,2765,2766,2768,2770],{"class":1059,"line":1067},[1057,2767,1171],{"class":1170},[1057,2769,1175],{"class":1174},[1057,2771,2772],{"class":1074},"v1\n",[1057,2774,2775,2777,2779],{"class":1059,"line":1085},[1057,2776,1183],{"class":1170},[1057,2778,1175],{"class":1174},[1057,2780,2593],{"class":1074},[1057,2782,2783,2785],{"class":1059,"line":1092},[1057,2784,1193],{"class":1170},[1057,2786,1196],{"class":1174},[1057,2788,2789,2791,2793],{"class":1059,"line":1098},[1057,2790,1201],{"class":1170},[1057,2792,1175],{"class":1174},[1057,2794,2795],{"class":1074},"app-service-account\n",[1057,2797,2798,2800,2802],{"class":1059,"line":1116},[1057,2799,1211],{"class":1170},[1057,2801,1175],{"class":1174},[1057,2803,1216],{"class":1074},[1057,2805,2806],{"class":1059,"line":1226},[1057,2807,1089],{"emptyLinePlaceholder":1088},[1057,2809,2810],{"class":1059,"line":1238},[1057,2811,2812],{"class":1070},"---\n",[1057,2814,2815],{"class":1059,"line":1246},[1057,2816,2817],{"class":1063},"# 在 Pod 中使用\n",[1057,2819,2820,2822,2824],{"class":1059,"line":1257},[1057,2821,1171],{"class":1170},[1057,2823,1175],{"class":1174},[1057,2825,2772],{"class":1074},[1057,2827,2828,2830,2832],{"class":1059,"line":1268},[1057,2829,1183],{"class":1170},[1057,2831,1175],{"class":1174},[1057,2833,2834],{"class":1074},"Pod\n",[1057,2836,2837,2839],{"class":1059,"line":1280},[1057,2838,1193],{"class":1170},[1057,2840,1196],{"class":1174},[1057,2842,2843,2845,2847],{"class":1059,"line":1291},[1057,2844,1201],{"class":1170},[1057,2846,1175],{"class":1174},[1057,2848,2849],{"class":1074},"app-pod\n",[1057,2851,2852,2854],{"class":1059,"line":1303},[1057,2853,1221],{"class":1170},[1057,2855,1196],{"class":1174},[1057,2857,2858,2861,2863],{"class":1059,"line":1313},[1057,2859,2860],{"class":1170},"  serviceAccountName",[1057,2862,1175],{"class":1174},[1057,2864,2795],{"class":1074},[1057,2866,2867,2870],{"class":1059,"line":1324},[1057,2868,2869],{"class":1170},"  
containers",[1057,2871,1196],{"class":1174},[1057,2873,2874,2876,2879,2881],{"class":1059,"line":1332},[1057,2875,1271],{"class":1174},[1057,2877,2878],{"class":1170},"name",[1057,2880,1175],{"class":1174},[1057,2882,2883],{"class":1074},"app\n",[1057,2885,2886,2889,2891],{"class":1059,"line":1343},[1057,2887,2888],{"class":1170},"    image",[1057,2890,1175],{"class":1174},[1057,2892,2893],{"class":1074},"myapp:1.0\n",[892,2895,2897],{"id":2896},"pod-安全标准","Pod 安全标准",[920,2899,2901],{"id":2900},"podsecuritycontext","PodSecurityContext",[1048,2903,2905],{"className":1161,"code":2904,"language":1163,"meta":11,"style":11},"apiVersion: v1\nkind: Pod\nmetadata:\n  name: secure-pod\nspec:\n  securityContext:\n    runAsUser: 1000\n    runAsGroup: 3000\n    fsGroup: 2000\n    runAsNonRoot: true\n  containers:\n  - name: app\n    image: myapp:1.0\n    securityContext:\n      allowPrivilegeEscalation: false\n      readOnlyRootFilesystem: true\n      capabilities:\n        drop:\n        - ALL\n",[1054,2906,2907,2915,2923,2929,2938,2944,2951,2961,2971,2981,2991,2997,3007,3015,3022,3032,3041,3048,3055],{"__ignoreMap":11},[1057,2908,2909,2911,2913],{"class":1059,"line":1060},[1057,2910,1171],{"class":1170},[1057,2912,1175],{"class":1174},[1057,2914,2772],{"class":1074},[1057,2916,2917,2919,2921],{"class":1059,"line":1067},[1057,2918,1183],{"class":1170},[1057,2920,1175],{"class":1174},[1057,2922,2834],{"class":1074},[1057,2924,2925,2927],{"class":1059,"line":1085},[1057,2926,1193],{"class":1170},[1057,2928,1196],{"class":1174},[1057,2930,2931,2933,2935],{"class":1059,"line":1092},[1057,2932,1201],{"class":1170},[1057,2934,1175],{"class":1174},[1057,2936,2937],{"class":1074},"secure-pod\n",[1057,2939,2940,2942],{"class":1059,"line":1098},[1057,2941,1221],{"class":1170},[1057,2943,1196],{"class":1174},[1057,2945,2946,2949],{"class":1059,"line":1116},[1057,2947,2948],{"class":1170},"  
securityContext",[1057,2950,1196],{"class":1174},[1057,2952,2953,2956,2958],{"class":1059,"line":1226},[1057,2954,2955],{"class":1170},"    runAsUser",[1057,2957,1175],{"class":1174},[1057,2959,2960],{"class":1078},"1000\n",[1057,2962,2963,2966,2968],{"class":1059,"line":1238},[1057,2964,2965],{"class":1170},"    runAsGroup",[1057,2967,1175],{"class":1174},[1057,2969,2970],{"class":1078},"3000\n",[1057,2972,2973,2976,2978],{"class":1059,"line":1246},[1057,2974,2975],{"class":1170},"    fsGroup",[1057,2977,1175],{"class":1174},[1057,2979,2980],{"class":1078},"2000\n",[1057,2982,2983,2986,2988],{"class":1059,"line":1257},[1057,2984,2985],{"class":1170},"    runAsNonRoot",[1057,2987,1175],{"class":1174},[1057,2989,2990],{"class":1078},"true\n",[1057,2992,2993,2995],{"class":1059,"line":1268},[1057,2994,2869],{"class":1170},[1057,2996,1196],{"class":1174},[1057,2998,2999,3001,3003,3005],{"class":1059,"line":1280},[1057,3000,1271],{"class":1174},[1057,3002,2878],{"class":1170},[1057,3004,1175],{"class":1174},[1057,3006,2883],{"class":1074},[1057,3008,3009,3011,3013],{"class":1059,"line":1291},[1057,3010,2888],{"class":1170},[1057,3012,1175],{"class":1174},[1057,3014,2893],{"class":1074},[1057,3016,3017,3020],{"class":1059,"line":1303},[1057,3018,3019],{"class":1170},"    securityContext",[1057,3021,1196],{"class":1174},[1057,3023,3024,3027,3029],{"class":1059,"line":1313},[1057,3025,3026],{"class":1170},"      allowPrivilegeEscalation",[1057,3028,1175],{"class":1174},[1057,3030,3031],{"class":1078},"false\n",[1057,3033,3034,3037,3039],{"class":1059,"line":1324},[1057,3035,3036],{"class":1170},"      readOnlyRootFilesystem",[1057,3038,1175],{"class":1174},[1057,3040,2990],{"class":1078},[1057,3042,3043,3046],{"class":1059,"line":1332},[1057,3044,3045],{"class":1170},"      capabilities",[1057,3047,1196],{"class":1174},[1057,3049,3050,3053],{"class":1059,"line":1343},[1057,3051,3052],{"class":1170},"        
drop",[1057,3054,1196],{"class":1174},[1057,3056,3057,3059],{"class":1059,"line":1351},[1057,3058,2213],{"class":1174},[1057,3060,3061],{"class":1074},"ALL\n",[920,3063,3065],{"id":3064},"pod-security-standards","Pod Security Standards",[896,3067,3068],{},"Pod Security Standards 由内置的 Pod Security Admission 控制器按命名空间标签强制执行（1.23 起 beta，1.25 正式 GA，并取代了 1.25 中移除的 PodSecurityPolicy）。三个标签含义不同：enforce 会直接拒绝违规 Pod，audit 只在审计日志中记录，warn 只向提交者返回警告；建议先用 warn 与 audit 观察现有工作负载，再开启 enforce：",[1048,3070,3072],{"className":1161,"code":3071,"language":1163,"meta":11,"style":11},"# 在命名空间上设置安全策略\napiVersion: v1\nkind: Namespace\nmetadata:\n  name: production\n  labels:\n    pod-security.kubernetes.io\u002Fenforce: restricted\n    pod-security.kubernetes.io\u002Faudit: restricted\n    pod-security.kubernetes.io\u002Fwarn: restricted\n",[1054,3073,3074,3079,3087,3096,3102,3110,3117,3127,3136],{"__ignoreMap":11},[1057,3075,3076],{"class":1059,"line":1060},[1057,3077,3078],{"class":1063},"# 在命名空间上设置安全策略\n",[1057,3080,3081,3083,3085],{"class":1059,"line":1067},[1057,3082,1171],{"class":1170},[1057,3084,1175],{"class":1174},[1057,3086,2772],{"class":1074},[1057,3088,3089,3091,3093],{"class":1059,"line":1085},[1057,3090,1183],{"class":1170},[1057,3092,1175],{"class":1174},[1057,3094,3095],{"class":1074},"Namespace\n",[1057,3097,3098,3100],{"class":1059,"line":1092},[1057,3099,1193],{"class":1170},[1057,3101,1196],{"class":1174},[1057,3103,3104,3106,3108],{"class":1059,"line":1098},[1057,3105,1201],{"class":1170},[1057,3107,1175],{"class":1174},[1057,3109,1960],{"class":1074},[1057,3111,3112,3115],{"class":1059,"line":1116},[1057,3113,3114],{"class":1170},"  labels",[1057,3116,1196],{"class":1174},[1057,3118,3119,3122,3124],{"class":1059,"line":1226},[1057,3120,3121],{"class":1170},"    pod-security.kubernetes.io\u002Fenforce",[1057,3123,1175],{"class":1174},[1057,3125,3126],{"class":1074},"restricted\n",[1057,3128,3129,3132,3134],{"class":1059,"line":1238},[1057,3130,3131],{"class":1170},"    
pod-security.kubernetes.io\u002Faudit",[1057,3133,1175],{"class":1174},[1057,3135,3126],{"class":1074},[1057,3137,3138,3141,3143],{"class":1059,"line":1246},[1057,3139,3140],{"class":1170},"    pod-security.kubernetes.io\u002Fwarn",[1057,3142,1175],{"class":1174},[1057,3144,3126],{"class":1074},[896,3146,3147],{},[986,3148,3149],{},"安全级别：",[924,3151,3152,3161],{},[927,3153,3154],{},[930,3155,3156,3159],{},[933,3157,3158],{"align":935},"级别",[933,3160,939],{"align":935},[941,3162,3163,3171,3179],{},[930,3164,3165,3168],{},[946,3166,3167],{"align":935},"privileged",[946,3169,3170],{"align":935},"无限制，用于系统级工作负载",[930,3172,3173,3176],{},[946,3174,3175],{"align":935},"baseline",[946,3177,3178],{"align":935},"最小限制，防止已知的权限提升",[930,3180,3181,3184],{},[946,3182,3183],{"align":935},"restricted",[946,3185,3186],{"align":935},"最严格，遵循当前 Pod 加固最佳实践：必须 runAsNonRoot、allowPrivilegeEscalation: false、capabilities 只能 drop ALL（至多加回 NET_BIND_SERVICE），并要求显式设置 seccompProfile 为 RuntimeDefault 或 Localhost——上文 secure-pod 示例缺少 seccompProfile，在 restricted 命名空间中会被拒绝",[892,3188,3190],{"id":3189},"secret-安全","Secret 安全",[920,3192,3194],{"id":3193},"加密-secret","加密 Secret",[896,3196,3197],{},"配置 etcd 静态加密。Kubernetes 默认把 Secret 以未加密（仅 base64）形式存入 etcd，EncryptionConfiguration 需通过 kube-apiserver 的 --encryption-provider-config 参数加载。注意：示例中的 aescbc 因 CBC 模式存在填充预言（padding oracle）风险，官方已不推荐，生产环境应优先使用 kms v2，其次 secretbox 或 aesgcm；providers 列表的第一项用于写入，其余仅用于读取时解密，末尾的 identity: {} 只是为了仍能读出尚未加密的旧数据，启用后需重写所有现有 Secret 才会真正以密文落盘；本地密钥文件与 etcd 同在控制平面主机上，必须严格限制其访问：",[1048,3199,3201],{"className":1161,"code":3200,"language":1163,"meta":11,"style":11},"# encryption-config.yaml\napiVersion: apiserver.config.k8s.io\u002Fv1\nkind: EncryptionConfiguration\nresources:\n- resources:\n  - secrets\n  providers:\n  - aescbc:\n      keys:\n      - name: key1\n        secret: \u003Cbase64-encoded-key>\n  - identity: {}\n",[1054,3202,3203,3208,3217,3226,3233,3241,3248,3255,3264,3271,3283,3293],{"__ignoreMap":11},[1057,3204,3205],{"class":1059,"line":1060},[1057,3206,3207],{"class":1063},"# 
encryption-config.yaml\n",[1057,3209,3210,3212,3214],{"class":1059,"line":1067},[1057,3211,1171],{"class":1170},[1057,3213,1175],{"class":1174},[1057,3215,3216],{"class":1074},"apiserver.config.k8s.io\u002Fv1\n",[1057,3218,3219,3221,3223],{"class":1059,"line":1085},[1057,3220,1183],{"class":1170},[1057,3222,1175],{"class":1174},[1057,3224,3225],{"class":1074},"EncryptionConfiguration\n",[1057,3227,3228,3231],{"class":1059,"line":1092},[1057,3229,3230],{"class":1170},"resources",[1057,3232,1196],{"class":1174},[1057,3234,3235,3237,3239],{"class":1059,"line":1098},[1057,3236,2358],{"class":1174},[1057,3238,3230],{"class":1170},[1057,3240,1196],{"class":1174},[1057,3242,3243,3245],{"class":1059,"line":1116},[1057,3244,1271],{"class":1174},[1057,3246,3247],{"class":1074},"secrets\n",[1057,3249,3250,3253],{"class":1059,"line":1226},[1057,3251,3252],{"class":1170},"  providers",[1057,3254,1196],{"class":1174},[1057,3256,3257,3259,3262],{"class":1059,"line":1238},[1057,3258,1271],{"class":1174},[1057,3260,3261],{"class":1170},"aescbc",[1057,3263,1196],{"class":1174},[1057,3265,3266,3269],{"class":1059,"line":1246},[1057,3267,3268],{"class":1170},"      keys",[1057,3270,1196],{"class":1174},[1057,3272,3273,3276,3278,3280],{"class":1059,"line":1257},[1057,3274,3275],{"class":1174},"      - ",[1057,3277,2878],{"class":1170},[1057,3279,1175],{"class":1174},[1057,3281,3282],{"class":1074},"key1\n",[1057,3284,3285,3288,3290],{"class":1059,"line":1268},[1057,3286,3287],{"class":1170},"        secret",[1057,3289,1175],{"class":1174},[1057,3291,3292],{"class":1074},"\u003Cbase64-encoded-key>\n",[1057,3294,3295,3297,3300],{"class":1059,"line":1280},[1057,3296,1271],{"class":1174},[1057,3298,3299],{"class":1170},"identity",[1057,3301,1591],{"class":1174},[920,3303,3304],{"id":3304},"外部密钥管理",[896,3306,3307],{},"使用 External Secrets Operator（ESO）从 Vault、云 KMS 等外部系统同步密钥，让凭据的真源与轮换留在集群之外。注意 ESO 最终仍会把取回的值写成普通的 Kubernetes Secret（下例中的 db-credentials），因此 etcd 静态加密与对 secrets 资源的 RBAC 收紧依旧必要；SecretStore 所用的后端凭据也应按最小权限授予（下例仅需读取 secret\u002Fdata\u002Fdb）：",[1048,3309,3311],{"className":1161,"code":3310,"language":1163,"meta":11,"style":11},"apiVersion: 
external-secrets.io\u002Fv1beta1\nkind: ExternalSecret\nmetadata:\n  name: db-secret\nspec:\n  refreshInterval: 1h\n  secretStoreRef:\n    name: vault-backend\n    kind: ClusterSecretStore\n  target:\n    name: db-credentials\n  data:\n  - secretKey: password\n    remoteRef:\n      key: secret\u002Fdata\u002Fdb\n      property: password\n",[1054,3312,3313,3322,3331,3337,3346,3352,3362,3369,3379,3389,3396,3405,3412,3424,3431,3441],{"__ignoreMap":11},[1057,3314,3315,3317,3319],{"class":1059,"line":1060},[1057,3316,1171],{"class":1170},[1057,3318,1175],{"class":1174},[1057,3320,3321],{"class":1074},"external-secrets.io\u002Fv1beta1\n",[1057,3323,3324,3326,3328],{"class":1059,"line":1067},[1057,3325,1183],{"class":1170},[1057,3327,1175],{"class":1174},[1057,3329,3330],{"class":1074},"ExternalSecret\n",[1057,3332,3333,3335],{"class":1059,"line":1085},[1057,3334,1193],{"class":1170},[1057,3336,1196],{"class":1174},[1057,3338,3339,3341,3343],{"class":1059,"line":1092},[1057,3340,1201],{"class":1170},[1057,3342,1175],{"class":1174},[1057,3344,3345],{"class":1074},"db-secret\n",[1057,3347,3348,3350],{"class":1059,"line":1098},[1057,3349,1221],{"class":1170},[1057,3351,1196],{"class":1174},[1057,3353,3354,3357,3359],{"class":1059,"line":1116},[1057,3355,3356],{"class":1170},"  refreshInterval",[1057,3358,1175],{"class":1174},[1057,3360,3361],{"class":1074},"1h\n",[1057,3363,3364,3367],{"class":1059,"line":1226},[1057,3365,3366],{"class":1170},"  secretStoreRef",[1057,3368,1196],{"class":1174},[1057,3370,3371,3374,3376],{"class":1059,"line":1238},[1057,3372,3373],{"class":1170},"    name",[1057,3375,1175],{"class":1174},[1057,3377,3378],{"class":1074},"vault-backend\n",[1057,3380,3381,3384,3386],{"class":1059,"line":1246},[1057,3382,3383],{"class":1170},"    kind",[1057,3385,1175],{"class":1174},[1057,3387,3388],{"class":1074},"ClusterSecretStore\n",[1057,3390,3391,3394],{"class":1059,"line":1257},[1057,3392,3393],{"class":1170},"  
target",[1057,3395,1196],{"class":1174},[1057,3397,3398,3400,3402],{"class":1059,"line":1268},[1057,3399,3373],{"class":1170},[1057,3401,1175],{"class":1174},[1057,3403,3404],{"class":1074},"db-credentials\n",[1057,3406,3407,3410],{"class":1059,"line":1280},[1057,3408,3409],{"class":1170},"  data",[1057,3411,1196],{"class":1174},[1057,3413,3414,3416,3419,3421],{"class":1059,"line":1291},[1057,3415,1271],{"class":1174},[1057,3417,3418],{"class":1170},"secretKey",[1057,3420,1175],{"class":1174},[1057,3422,3423],{"class":1074},"password\n",[1057,3425,3426,3429],{"class":1059,"line":1303},[1057,3427,3428],{"class":1170},"    remoteRef",[1057,3430,1196],{"class":1174},[1057,3432,3433,3436,3438],{"class":1059,"line":1313},[1057,3434,3435],{"class":1170},"      key",[1057,3437,1175],{"class":1174},[1057,3439,3440],{"class":1074},"secret\u002Fdata\u002Fdb\n",[1057,3442,3443,3446,3448],{"class":1059,"line":1324},[1057,3444,3445],{"class":1170},"      property",[1057,3447,1175],{"class":1174},[1057,3449,3423],{"class":1074},[892,3451,3452],{"id":3452},"网络安全最佳实践",[920,3454,3456],{"id":3455},"_1-最小权限原则","1. 
最小权限原则",[1048,3458,3460],{"className":1161,"code":3459,"language":1163,"meta":11,"style":11},"# 仅允许必要的网络访问\napiVersion: networking.k8s.io\u002Fv1\nkind: NetworkPolicy\nmetadata:\n  name: minimal-access\nspec:\n  podSelector:\n    matchLabels:\n      app: backend\n  policyTypes:\n  - Ingress\n  - Egress\n  ingress:\n  - from:\n    - podSelector:\n        matchLabels:\n          app: frontend\n    ports:\n    - port: 8080\n  egress:\n  - to:\n    - podSelector:\n        matchLabels:\n          app: database\n    ports:\n    - port: 5432\n  - to:  # DNS\n    - namespaceSelector: {}\n    ports:\n    - port: 53\n      protocol: UDP\n",[1054,3461,3462,3467,3475,3483,3489,3498,3504,3510,3516,3525,3531,3537,3543,3549,3557,3565,3571,3579,3585,3596,3602,3610,3618,3624,3632,3638,3648,3660,3668,3674,3684],{"__ignoreMap":11},[1057,3463,3464],{"class":1059,"line":1060},[1057,3465,3466],{"class":1063},"# 仅允许必要的网络访问\n",[1057,3468,3469,3471,3473],{"class":1059,"line":1067},[1057,3470,1171],{"class":1170},[1057,3472,1175],{"class":1174},[1057,3474,1178],{"class":1074},[1057,3476,3477,3479,3481],{"class":1059,"line":1085},[1057,3478,1183],{"class":1170},[1057,3480,1175],{"class":1174},[1057,3482,1188],{"class":1074},[1057,3484,3485,3487],{"class":1059,"line":1092},[1057,3486,1193],{"class":1170},[1057,3488,1196],{"class":1174},[1057,3490,3491,3493,3495],{"class":1059,"line":1098},[1057,3492,1201],{"class":1170},[1057,3494,1175],{"class":1174},[1057,3496,3497],{"class":1074},"minimal-access\n",[1057,3499,3500,3502],{"class":1059,"line":1116},[1057,3501,1221],{"class":1170},[1057,3503,1196],{"class":1174},[1057,3505,3506,3508],{"class":1059,"line":1226},[1057,3507,1229],{"class":1170},[1057,3509,1196],{"class":1174},[1057,3511,3512,3514],{"class":1059,"line":1238},[1057,3513,1241],{"class":1170},[1057,3515,1196],{"class":1174},[1057,3517,3518,3520,3522],{"class":1059,"line":1246},[1057,3519,1249],{"class":1170},[1057,3521,1175],{"class":1174},[1057,3523,3524],{"class":1074},"backend\n",
[1057,3526,3527,3529],{"class":1059,"line":1257},[1057,3528,1260],{"class":1170},[1057,3530,1196],{"class":1174},[1057,3532,3533,3535],{"class":1059,"line":1268},[1057,3534,1271],{"class":1174},[1057,3536,1525],{"class":1074},[1057,3538,3539,3541],{"class":1059,"line":1280},[1057,3540,1271],{"class":1174},[1057,3542,1604],{"class":1074},[1057,3544,3545,3547],{"class":1059,"line":1291},[1057,3546,1294],{"class":1170},[1057,3548,1196],{"class":1174},[1057,3550,3551,3553,3555],{"class":1059,"line":1303},[1057,3552,1271],{"class":1174},[1057,3554,1308],{"class":1170},[1057,3556,1196],{"class":1174},[1057,3558,3559,3561,3563],{"class":1059,"line":1313},[1057,3560,1316],{"class":1174},[1057,3562,1319],{"class":1170},[1057,3564,1196],{"class":1174},[1057,3566,3567,3569],{"class":1059,"line":1324},[1057,3568,1327],{"class":1170},[1057,3570,1196],{"class":1174},[1057,3572,3573,3575,3577],{"class":1059,"line":1332},[1057,3574,1735],{"class":1170},[1057,3576,1175],{"class":1174},[1057,3578,1340],{"class":1074},[1057,3580,3581,3583],{"class":1059,"line":1343},[1057,3582,1346],{"class":1170},[1057,3584,1196],{"class":1174},[1057,3586,3587,3589,3592,3594],{"class":1059,"line":1351},[1057,3588,1316],{"class":1174},[1057,3590,3591],{"class":1170},"port",[1057,3593,1175],{"class":1174},[1057,3595,1764],{"class":1078},[1057,3597,3598,3600],{"class":1059,"line":1364},[1057,3599,1378],{"class":1170},[1057,3601,1196],{"class":1174},[1057,3603,3604,3606,3608],{"class":1059,"line":1375},[1057,3605,1271],{"class":1174},[1057,3607,1392],{"class":1170},[1057,3609,1196],{"class":1174},[1057,3611,3612,3614,3616],{"class":1059,"line":1387},[1057,3613,1316],{"class":1174},[1057,3615,1319],{"class":1170},[1057,3617,1196],{"class":1174},[1057,3619,3620,3622],{"class":1059,"line":1397},[1057,3621,1327],{"class":1170},[1057,3623,1196],{"class":1174},[1057,3625,3626,3628,3630],{"class":1059,"line":1406},[1057,3627,1735],{"class":1170},[1057,3629,1175],{"class":1174},[1057,3631,1420],{"class":1074},[1
057,3633,3634,3636],{"class":1059,"line":1413},[1057,3635,1346],{"class":1170},[1057,3637,1196],{"class":1174},[1057,3639,3640,3642,3644,3646],{"class":1059,"line":1423},[1057,3641,1316],{"class":1174},[1057,3643,3591],{"class":1170},[1057,3645,1175],{"class":1174},[1057,3647,1448],{"class":1078},[1057,3649,3650,3652,3654,3657],{"class":1059,"line":1430},[1057,3651,1271],{"class":1174},[1057,3653,1392],{"class":1170},[1057,3655,3656],{"class":1174},":  ",[1057,3658,3659],{"class":1063},"# DNS\n",[1057,3661,3662,3664,3666],{"class":1059,"line":1441},[1057,3663,1316],{"class":1174},[1057,3665,1854],{"class":1170},[1057,3667,1591],{"class":1174},[1057,3669,3670,3672],{"class":1059,"line":1814},[1057,3671,1346],{"class":1170},[1057,3673,1196],{"class":1174},[1057,3675,3676,3678,3680,3682],{"class":1059,"line":1825},[1057,3677,1316],{"class":1174},[1057,3679,3591],{"class":1170},[1057,3681,1175],{"class":1174},[1057,3683,1911],{"class":1078},[1057,3685,3686,3689,3691],{"class":1059,"line":1834},[1057,3687,3688],{"class":1170},"      protocol",[1057,3690,1175],{"class":1174},[1057,3692,1901],{"class":1074},[920,3694,3696],{"id":3695},"_2-命名空间隔离","2. 
命名空间隔离",[1048,3698,3700],{"className":1161,"code":3699,"language":1163,"meta":11,"style":11},"# 禁止跨命名空间访问\napiVersion: networking.k8s.io\u002Fv1\nkind: NetworkPolicy\nmetadata:\n  name: deny-from-other-namespaces\n  namespace: production\nspec:\n  podSelector: {}\n  policyTypes:\n  - Ingress\n  ingress:\n  - from:\n    - podSelector: {}  # 只允许同命名空间\n",[1054,3701,3702,3707,3715,3723,3729,3738,3746,3752,3758,3764,3770,3776,3784],{"__ignoreMap":11},[1057,3703,3704],{"class":1059,"line":1060},[1057,3705,3706],{"class":1063},"# 禁止跨命名空间访问\n",[1057,3708,3709,3711,3713],{"class":1059,"line":1067},[1057,3710,1171],{"class":1170},[1057,3712,1175],{"class":1174},[1057,3714,1178],{"class":1074},[1057,3716,3717,3719,3721],{"class":1059,"line":1085},[1057,3718,1183],{"class":1170},[1057,3720,1175],{"class":1174},[1057,3722,1188],{"class":1074},[1057,3724,3725,3727],{"class":1059,"line":1092},[1057,3726,1193],{"class":1170},[1057,3728,1196],{"class":1174},[1057,3730,3731,3733,3735],{"class":1059,"line":1098},[1057,3732,1201],{"class":1170},[1057,3734,1175],{"class":1174},[1057,3736,3737],{"class":1074},"deny-from-other-namespaces\n",[1057,3739,3740,3742,3744],{"class":1059,"line":1116},[1057,3741,1211],{"class":1170},[1057,3743,1175],{"class":1174},[1057,3745,1960],{"class":1074},[1057,3747,3748,3750],{"class":1059,"line":1226},[1057,3749,1221],{"class":1170},[1057,3751,1196],{"class":1174},[1057,3753,3754,3756],{"class":1059,"line":1238},[1057,3755,1229],{"class":1170},[1057,3757,1591],{"class":1174},[1057,3759,3760,3762],{"class":1059,"line":1246},[1057,3761,1260],{"class":1170},[1057,3763,1196],{"class":1174},[1057,3765,3766,3768],{"class":1059,"line":1257},[1057,3767,1271],{"class":1174},[1057,3769,1525],{"class":1074},[1057,3771,3772,3774],{"class":1059,"line":1268},[1057,3773,1294],{"class":1170},[1057,3775,1196],{"class":1174},[1057,3777,3778,3780,3782],{"class":1059,"line":1280},[1057,3779,1271],{"class":1174},[1057,3781,1308],{"class":1170},[1057,3783,1196],{"class":1174}
,[1057,3785,3786,3788,3790,3792],{"class":1059,"line":1291},[1057,3787,1316],{"class":1174},[1057,3789,1319],{"class":1170},[1057,3791,1509],{"class":1174},[1057,3793,3794],{"class":1063},"# 只允许同命名空间\n",[920,3796,3798],{"id":3797},"_3-限制出站流量","3. 限制出站流量",[1048,3800,3802],{"className":1161,"code":3801,"language":1163,"meta":11,"style":11},"# 限制只能访问特定外部服务\napiVersion: networking.k8s.io\u002Fv1\nkind: NetworkPolicy\nmetadata:\n  name: restrict-egress\nspec:\n  podSelector:\n    matchLabels:\n      app: backend\n  policyTypes:\n  - Egress\n  egress:\n  - to:\n    - ipBlock:\n        cidr: 10.0.0.0\u002F8  # 内部网络\n  - to:\n    - ipBlock:\n        cidr: 0.0.0.0\u002F0\n        except:\n        - 0.0.0.0\u002F8\n        - 10.0.0.0\u002F8\n        - 172.16.0.0\u002F12\n        - 192.168.0.0\u002F16\n    ports:\n    - port: 443  # 只允许 HTTPS 出站\n",[1054,3803,3804,3809,3817,3825,3831,3840,3846,3852,3858,3866,3872,3878,3884,3892,3900,3912,3920,3928,3937,3943,3950,3956,3963,3970,3976],{"__ignoreMap":11},[1057,3805,3806],{"class":1059,"line":1060},[1057,3807,3808],{"class":1063},"# 
限制只能访问特定外部服务\n",[1057,3810,3811,3813,3815],{"class":1059,"line":1067},[1057,3812,1171],{"class":1170},[1057,3814,1175],{"class":1174},[1057,3816,1178],{"class":1074},[1057,3818,3819,3821,3823],{"class":1059,"line":1085},[1057,3820,1183],{"class":1170},[1057,3822,1175],{"class":1174},[1057,3824,1188],{"class":1074},[1057,3826,3827,3829],{"class":1059,"line":1092},[1057,3828,1193],{"class":1170},[1057,3830,1196],{"class":1174},[1057,3832,3833,3835,3837],{"class":1059,"line":1098},[1057,3834,1201],{"class":1170},[1057,3836,1175],{"class":1174},[1057,3838,3839],{"class":1074},"restrict-egress\n",[1057,3841,3842,3844],{"class":1059,"line":1116},[1057,3843,1221],{"class":1170},[1057,3845,1196],{"class":1174},[1057,3847,3848,3850],{"class":1059,"line":1226},[1057,3849,1229],{"class":1170},[1057,3851,1196],{"class":1174},[1057,3853,3854,3856],{"class":1059,"line":1238},[1057,3855,1241],{"class":1170},[1057,3857,1196],{"class":1174},[1057,3859,3860,3862,3864],{"class":1059,"line":1246},[1057,3861,1249],{"class":1170},[1057,3863,1175],{"class":1174},[1057,3865,3524],{"class":1074},[1057,3867,3868,3870],{"class":1059,"line":1257},[1057,3869,1260],{"class":1170},[1057,3871,1196],{"class":1174},[1057,3873,3874,3876],{"class":1059,"line":1268},[1057,3875,1271],{"class":1174},[1057,3877,1604],{"class":1074},[1057,3879,3880,3882],{"class":1059,"line":1280},[1057,3881,1378],{"class":1170},[1057,3883,1196],{"class":1174},[1057,3885,3886,3888,3890],{"class":1059,"line":1291},[1057,3887,1271],{"class":1174},[1057,3889,1392],{"class":1170},[1057,3891,1196],{"class":1174},[1057,3893,3894,3896,3898],{"class":1059,"line":1303},[1057,3895,1316],{"class":1174},[1057,3897,2189],{"class":1170},[1057,3899,1196],{"class":1174},[1057,3901,3902,3904,3906,3909],{"class":1059,"line":1313},[1057,3903,2196],{"class":1170},[1057,3905,1175],{"class":1174},[1057,3907,3908],{"class":1074},"10.0.0.0\u002F8",[1057,3910,3911],{"class":1063},"  # 
内部网络\n",[1057,3913,3914,3916,3918],{"class":1059,"line":1324},[1057,3915,1271],{"class":1174},[1057,3917,1392],{"class":1170},[1057,3919,1196],{"class":1174},[1057,3921,3922,3924,3926],{"class":1059,"line":1332},[1057,3923,1316],{"class":1174},[1057,3925,2189],{"class":1170},[1057,3927,1196],{"class":1174},[1057,3929,3930,3932,3934],{"class":1059,"line":1343},[1057,3931,2196],{"class":1170},[1057,3933,1175],{"class":1174},[1057,3935,3936],{"class":1074},"0.0.0.0\u002F0\n",[1057,3938,3939,3941],{"class":1059,"line":1351},[1057,3940,2206],{"class":1170},[1057,3942,1196],{"class":1174},[1057,3944,3945,3947],{"class":1059,"line":1364},[1057,3946,2213],{"class":1174},[1057,3948,3949],{"class":1074},"0.0.0.0\u002F8\n",[1057,3951,3952,3954],{"class":1059,"line":1375},[1057,3953,2213],{"class":1174},[1057,3955,2201],{"class":1074},[1057,3957,3958,3960],{"class":1059,"line":1387},[1057,3959,2213],{"class":1174},[1057,3961,3962],{"class":1074},"172.16.0.0\u002F12\n",[1057,3964,3965,3967],{"class":1059,"line":1397},[1057,3966,2213],{"class":1174},[1057,3968,3969],{"class":1074},"192.168.0.0\u002F16\n",[1057,3971,3972,3974],{"class":1059,"line":1406},[1057,3973,1346],{"class":1170},[1057,3975,1196],{"class":1174},[1057,3977,3978,3980,3982,3984,3987],{"class":1059,"line":1413},[1057,3979,1316],{"class":1174},[1057,3981,3591],{"class":1170},[1057,3983,1175],{"class":1174},[1057,3985,3986],{"class":1078},"443",[1057,3988,3989],{"class":1063},"  # 只允许 HTTPS 出站\n",[892,3991,3992],{"id":3992},"镜像安全",[920,3994,3995],{"id":3995},"镜像拉取策略",[1048,3997,3999],{"className":1161,"code":3998,"language":1163,"meta":11,"style":11},"spec:\n  containers:\n  - name: app\n    image: myapp:v1.2.3  # 使用固定版本，避免 latest\n    imagePullPolicy: Always  # 
始终拉取\n",[1054,4000,4001,4007,4013,4023,4035],{"__ignoreMap":11},[1057,4002,4003,4005],{"class":1059,"line":1060},[1057,4004,1221],{"class":1170},[1057,4006,1196],{"class":1174},[1057,4008,4009,4011],{"class":1059,"line":1067},[1057,4010,2869],{"class":1170},[1057,4012,1196],{"class":1174},[1057,4014,4015,4017,4019,4021],{"class":1059,"line":1085},[1057,4016,1271],{"class":1174},[1057,4018,2878],{"class":1170},[1057,4020,1175],{"class":1174},[1057,4022,2883],{"class":1074},[1057,4024,4025,4027,4029,4032],{"class":1059,"line":1092},[1057,4026,2888],{"class":1170},[1057,4028,1175],{"class":1174},[1057,4030,4031],{"class":1074},"myapp:v1.2.3",[1057,4033,4034],{"class":1063},"  # 使用固定版本，避免 latest\n",[1057,4036,4037,4040,4042,4045],{"class":1059,"line":1098},[1057,4038,4039],{"class":1170},"    imagePullPolicy",[1057,4041,1175],{"class":1174},[1057,4043,4044],{"class":1074},"Always",[1057,4046,4047],{"class":1063},"  # 始终拉取\n",[920,4049,4050],{"id":4050},"私有仓库认证",[1048,4052,4054],{"className":1161,"code":4053,"language":1163,"meta":11,"style":11},"apiVersion: v1\nkind: Pod\nmetadata:\n  name: private-image-pod\nspec:\n  containers:\n  - name: app\n    image: registry.example.com\u002Fmyapp:1.0\n  imagePullSecrets:\n  - name: 
regcred\n",[1054,4055,4056,4064,4072,4078,4087,4093,4099,4109,4118,4125],{"__ignoreMap":11},[1057,4057,4058,4060,4062],{"class":1059,"line":1060},[1057,4059,1171],{"class":1170},[1057,4061,1175],{"class":1174},[1057,4063,2772],{"class":1074},[1057,4065,4066,4068,4070],{"class":1059,"line":1067},[1057,4067,1183],{"class":1170},[1057,4069,1175],{"class":1174},[1057,4071,2834],{"class":1074},[1057,4073,4074,4076],{"class":1059,"line":1085},[1057,4075,1193],{"class":1170},[1057,4077,1196],{"class":1174},[1057,4079,4080,4082,4084],{"class":1059,"line":1092},[1057,4081,1201],{"class":1170},[1057,4083,1175],{"class":1174},[1057,4085,4086],{"class":1074},"private-image-pod\n",[1057,4088,4089,4091],{"class":1059,"line":1098},[1057,4090,1221],{"class":1170},[1057,4092,1196],{"class":1174},[1057,4094,4095,4097],{"class":1059,"line":1116},[1057,4096,2869],{"class":1170},[1057,4098,1196],{"class":1174},[1057,4100,4101,4103,4105,4107],{"class":1059,"line":1226},[1057,4102,1271],{"class":1174},[1057,4104,2878],{"class":1170},[1057,4106,1175],{"class":1174},[1057,4108,2883],{"class":1074},[1057,4110,4111,4113,4115],{"class":1059,"line":1238},[1057,4112,2888],{"class":1170},[1057,4114,1175],{"class":1174},[1057,4116,4117],{"class":1074},"registry.example.com\u002Fmyapp:1.0\n",[1057,4119,4120,4123],{"class":1059,"line":1246},[1057,4121,4122],{"class":1170},"  imagePullSecrets",[1057,4124,1196],{"class":1174},[1057,4126,4127,4129,4131,4133],{"class":1059,"line":1257},[1057,4128,1271],{"class":1174},[1057,4130,2878],{"class":1170},[1057,4132,1175],{"class":1174},[1057,4134,4135],{"class":1074},"regcred\n",[920,4137,4138],{"id":4138},"镜像扫描",[896,4140,4141],{},"使用 Trivy 扫描镜像：",[1048,4143,4145],{"className":1050,"code":4144,"language":1052,"meta":11,"style":11},"# 扫描镜像漏洞\ntrivy image nginx:1.21\n\n# 在 CI\u002FCD 中集成\ntrivy image --exit-code 1 --severity HIGH,CRITICAL 
myapp:latest\n",[1054,4146,4147,4152,4163,4167,4172],{"__ignoreMap":11},[1057,4148,4149],{"class":1059,"line":1060},[1057,4150,4151],{"class":1063},"# 扫描镜像漏洞\n",[1057,4153,4154,4157,4160],{"class":1059,"line":1067},[1057,4155,4156],{"class":1070},"trivy",[1057,4158,4159],{"class":1074}," image",[1057,4161,4162],{"class":1074}," nginx:1.21\n",[1057,4164,4165],{"class":1059,"line":1085},[1057,4166,1089],{"emptyLinePlaceholder":1088},[1057,4168,4169],{"class":1059,"line":1092},[1057,4170,4171],{"class":1063},"# 在 CI\u002FCD 中集成\n",[1057,4173,4174,4176,4178,4181,4184,4187,4190],{"class":1059,"line":1098},[1057,4175,4156],{"class":1070},[1057,4177,4159],{"class":1074},[1057,4179,4180],{"class":1078}," --exit-code",[1057,4182,4183],{"class":1078}," 1",[1057,4185,4186],{"class":1078}," --severity",[1057,4188,4189],{"class":1074}," HIGH,CRITICAL",[1057,4191,4192],{"class":1074}," myapp:latest\n",[892,4194,4195],{"id":4195},"审计日志",[920,4197,4198],{"id":4198},"配置审计策略",[1048,4200,4202],{"className":1161,"code":4201,"language":1163,"meta":11,"style":11},"apiVersion: audit.k8s.io\u002Fv1\nkind: Policy\nrules:\n- level: Metadata\n  resources:\n  - group: \"\"\n    resources: [\"secrets\", \"configmaps\"]\n- level: Request\n  resources:\n  - group: \"\"\n    resources: [\"pods\"]\n  verbs: [\"create\", \"update\", \"delete\"]\n- level: RequestResponse\n  resources:\n  - group: \"rbac.authorization.k8s.io\"\n  verbs: [\"create\", \"update\", 
\"delete\"]\n",[1054,4203,4204,4213,4222,4228,4240,4246,4258,4274,4285,4291,4301,4311,4332,4343,4349,4360],{"__ignoreMap":11},[1057,4205,4206,4208,4210],{"class":1059,"line":1060},[1057,4207,1171],{"class":1170},[1057,4209,1175],{"class":1174},[1057,4211,4212],{"class":1074},"audit.k8s.io\u002Fv1\n",[1057,4214,4215,4217,4219],{"class":1059,"line":1067},[1057,4216,1183],{"class":1170},[1057,4218,1175],{"class":1174},[1057,4220,4221],{"class":1074},"Policy\n",[1057,4223,4224,4226],{"class":1059,"line":1085},[1057,4225,2351],{"class":1170},[1057,4227,1196],{"class":1174},[1057,4229,4230,4232,4235,4237],{"class":1059,"line":1092},[1057,4231,2358],{"class":1174},[1057,4233,4234],{"class":1170},"level",[1057,4236,1175],{"class":1174},[1057,4238,4239],{"class":1074},"Metadata\n",[1057,4241,4242,4244],{"class":1059,"line":1098},[1057,4243,2375],{"class":1170},[1057,4245,1196],{"class":1174},[1057,4247,4248,4250,4253,4255],{"class":1059,"line":1116},[1057,4249,1271],{"class":1174},[1057,4251,4252],{"class":1170},"group",[1057,4254,1175],{"class":1174},[1057,4256,4257],{"class":1074},"\"\"\n",[1057,4259,4260,4263,4265,4267,4269,4272],{"class":1059,"line":1226},[1057,4261,4262],{"class":1170},"    
resources",[1057,4264,2364],{"class":1174},[1057,4266,2506],{"class":1074},[1057,4268,2395],{"class":1174},[1057,4270,4271],{"class":1074},"\"configmaps\"",[1057,4273,2370],{"class":1174},[1057,4275,4276,4278,4280,4282],{"class":1059,"line":1238},[1057,4277,2358],{"class":1174},[1057,4279,4234],{"class":1170},[1057,4281,1175],{"class":1174},[1057,4283,4284],{"class":1074},"Request\n",[1057,4286,4287,4289],{"class":1059,"line":1246},[1057,4288,2375],{"class":1170},[1057,4290,1196],{"class":1174},[1057,4292,4293,4295,4297,4299],{"class":1059,"line":1257},[1057,4294,1271],{"class":1174},[1057,4296,4252],{"class":1170},[1057,4298,1175],{"class":1174},[1057,4300,4257],{"class":1074},[1057,4302,4303,4305,4307,4309],{"class":1059,"line":1268},[1057,4304,4262],{"class":1170},[1057,4306,2364],{"class":1174},[1057,4308,2380],{"class":1074},[1057,4310,2370],{"class":1174},[1057,4312,4313,4315,4317,4320,4322,4325,4327,4330],{"class":1059,"line":1280},[1057,4314,2387],{"class":1170},[1057,4316,2364],{"class":1174},[1057,4318,4319],{"class":1074},"\"create\"",[1057,4321,2395],{"class":1174},[1057,4323,4324],{"class":1074},"\"update\"",[1057,4326,2395],{"class":1174},[1057,4328,4329],{"class":1074},"\"delete\"",[1057,4331,2370],{"class":1174},[1057,4333,4334,4336,4338,4340],{"class":1059,"line":1291},[1057,4335,2358],{"class":1174},[1057,4337,4234],{"class":1170},[1057,4339,1175],{"class":1174},[1057,4341,4342],{"class":1074},"RequestResponse\n",[1057,4344,4345,4347],{"class":1059,"line":1303},[1057,4346,2375],{"class":1170},[1057,4348,1196],{"class":1174},[1057,4350,4351,4353,4355,4357],{"class":1059,"line":1313},[1057,4352,1271],{"class":1174},[1057,4354,4252],{"class":1170},[1057,4356,1175],{"class":1174},[1057,4358,4359],{"class":1074},"\"rbac.authorization.k8s.io\"\n",[1057,4361,4362,4364,4366,4368,4370,4372,4374,4376],{"class":1059,"line":1324},[1057,4363,2387],{"class":1170},[1057,4365,2364],{"class":1174},[1057,4367,4319],{"class":1074},[1057,4369,2395],{"class":1174},[105
7,4371,4324],{"class":1074},[1057,4373,2395],{"class":1174},[1057,4375,4329],{"class":1074},[1057,4377,2370],{"class":1174},[920,4379,4380],{"id":4380},"审计日志级别",[924,4382,4383,4391],{},[927,4384,4385],{},[930,4386,4387,4389],{},[933,4388,3158],{"align":935},[933,4390,939],{"align":935},[941,4392,4393,4401,4409,4417],{},[930,4394,4395,4398],{},[946,4396,4397],{"align":935},"None",[946,4399,4400],{"align":935},"不记录",[930,4402,4403,4406],{},[946,4404,4405],{"align":935},"Metadata",[946,4407,4408],{"align":935},"只记录请求元数据",[930,4410,4411,4414],{},[946,4412,4413],{"align":935},"Request",[946,4415,4416],{"align":935},"记录元数据和请求体",[930,4418,4419,4422],{},[946,4420,4421],{"align":935},"RequestResponse",[946,4423,4424],{"align":935},"记录元数据、请求体和响应体",[892,4426,4427],{"id":4427},"安全检查清单",[920,4429,4430],{"id":4430},"集群安全",[1148,4432,4435,4444,4450,4456,4462],{"className":4433},[4434],"contains-task-list",[910,4436,4439,4443],{"className":4437},[4438],"task-list-item",[4440,4441],"input",{"disabled":1088,"type":4442},"checkbox"," 启用 RBAC",[910,4445,4447,4449],{"className":4446},[4438],[4440,4448],{"disabled":1088,"type":4442}," 配置 API Server 认证",[910,4451,4453,4455],{"className":4452},[4438],[4440,4454],{"disabled":1088,"type":4442}," 启用审计日志",[910,4457,4459,4461],{"className":4458},[4438],[4440,4460],{"disabled":1088,"type":4442}," 定期轮换证书",[910,4463,4465,4467],{"className":4464},[4438],[4440,4466],{"disabled":1088,"type":4442}," 限制 kubelet 权限",[920,4469,4470],{"id":4470},"工作负载安全",[1148,4472,4474,4480,4486,4492,4498],{"className":4473},[4434],[910,4475,4477,4479],{"className":4476},[4438],[4440,4478],{"disabled":1088,"type":4442}," 使用非 root 用户运行容器",[910,4481,4483,4485],{"className":4482},[4438],[4440,4484],{"disabled":1088,"type":4442}," 设置只读根文件系统",[910,4487,4489,4491],{"className":4488},[4438],[4440,4490],{"disabled":1088,"type":4442}," 禁用特权容器",[910,4493,4495,4497],{"className":4494},[4438],[4440,4496],{"disabled":1088,"type":4442}," 
配置资源限制",[910,4499,4501,4503],{"className":4500},[4438],[4440,4502],{"disabled":1088,"type":4442}," 使用 NetworkPolicy",[920,4505,4506],{"id":4506},"数据安全",[1148,4508,4510,4516,4522,4528],{"className":4509},[4434],[910,4511,4513,4515],{"className":4512},[4438],[4440,4514],{"disabled":1088,"type":4442}," 启用 etcd 加密",[910,4517,4519,4521],{"className":4518},[4438],[4440,4520],{"disabled":1088,"type":4442}," 使用 Secret 存储敏感数据",[910,4523,4525,4527],{"className":4524},[4438],[4440,4526],{"disabled":1088,"type":4442}," 考虑使用外部密钥管理",[910,4529,4531,4533],{"className":4530},[4438],[4440,4532],{"disabled":1088,"type":4442}," 定期备份",[920,4535,3992],{"id":4536},"镜像安全-1",[1148,4538,4540,4546,4552,4558],{"className":4539},[4434],[910,4541,4543,4545],{"className":4542},[4438],[4440,4544],{"disabled":1088,"type":4442}," 使用可信基础镜像",[910,4547,4549,4551],{"className":4548},[4438],[4440,4550],{"disabled":1088,"type":4442}," 定期扫描漏洞",[910,4553,4555,4557],{"className":4554},[4438],[4440,4556],{"disabled":1088,"type":4442}," 使用固定版本标签",[910,4559,4561,4563],{"className":4560},[4438],[4440,4562],{"disabled":1088,"type":4442}," 配置镜像拉取策略",[4565,4566,4568],"note",{"title":4567},"总结","\n1. 使用 NetworkPolicy 实现网络隔离\n2. 使用 RBAC 控制访问权限\n3. 配置 Pod 安全上下文\n4. 保护敏感数据（Secret 加密）\n5. 
定期进行安全审计\n",[4570,4571,4572],"style",{},"html pre.shiki code .sCsY4, html code.shiki .sCsY4{--shiki-light:#6A737D;--shiki-default:#6A737D;--shiki-dark:#6A737D}html pre.shiki code .snPdu, html code.shiki .snPdu{--shiki-light:#6F42C1;--shiki-default:#6F42C1;--shiki-dark:#B392F0}html pre.shiki code .sIIMD, html code.shiki .sIIMD{--shiki-light:#032F62;--shiki-default:#032F62;--shiki-dark:#9ECBFF}html pre.shiki code .sBjJW, html code.shiki .sBjJW{--shiki-light:#005CC5;--shiki-default:#005CC5;--shiki-dark:#79B8FF}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sovSZ, html code.shiki .sovSZ{--shiki-light:#22863A;--shiki-default:#22863A;--shiki-dark:#85E89D}html pre.shiki code 
.sxrX7, html code.shiki .sxrX7{--shiki-light:#24292E;--shiki-default:#24292E;--shiki-dark:#E1E4E8}",{"title":11,"searchDepth":1067,"depth":1067,"links":4574},[4575,4576,4581,4590,4598,4602,4606,4611,4616,4620],{"id":894,"depth":1067,"text":894},{"id":901,"depth":1067,"text":902,"children":4577},[4578,4579,4580],{"id":922,"depth":1085,"text":922},{"id":978,"depth":1085,"text":979},{"id":1045,"depth":1085,"text":1046},{"id":1139,"depth":1067,"text":1140,"children":4582},[4583,4584,4585,4586,4587,4588,4589],{"id":1146,"depth":1085,"text":1146},{"id":1158,"depth":1085,"text":1158},{"id":1451,"depth":1085,"text":1452},{"id":1533,"depth":1085,"text":1534},{"id":1607,"depth":1085,"text":1608},{"id":1914,"depth":1085,"text":1915},{"id":2085,"depth":1085,"text":2086},{"id":2244,"depth":1067,"text":2245,"children":4591},[4592,4593,4594,4595,4596,4597],{"id":2251,"depth":1085,"text":2251},{"id":2299,"depth":1085,"text":2300},{"id":2441,"depth":1085,"text":2442},{"id":2529,"depth":1085,"text":2530},{"id":2647,"depth":1085,"text":2648},{"id":2752,"depth":1085,"text":2753},{"id":2896,"depth":1067,"text":2897,"children":4599},[4600,4601],{"id":2900,"depth":1085,"text":2901},{"id":3064,"depth":1085,"text":3065},{"id":3189,"depth":1067,"text":3190,"children":4603},[4604,4605],{"id":3193,"depth":1085,"text":3194},{"id":3304,"depth":1085,"text":3304},{"id":3452,"depth":1067,"text":3452,"children":4607},[4608,4609,4610],{"id":3455,"depth":1085,"text":3456},{"id":3695,"depth":1085,"text":3696},{"id":3797,"depth":1085,"text":3798},{"id":3992,"depth":1067,"text":3992,"children":4612},[4613,4614,4615],{"id":3995,"depth":1085,"text":3995},{"id":4050,"depth":1085,"text":4050},{"id":4138,"depth":1085,"text":4138},{"id":4195,"depth":1067,"text":4195,"children":4617},[4618,4619],{"id":4198,"depth":1085,"text":4198},{"id":4380,"depth":1085,"text":4380},{"id":4427,"depth":1067,"text":4427,"children":4621},[4622,4623,4624,4625],{"id":4430,"depth":1085,"text":4430},{"id":4470,"depth":1085,"text":44
70},{"id":4506,"depth":1085,"text":4506},{"id":4536,"depth":1085,"text":3992},"md",{},{"title":657,"description":11},"tutorials\u002Fcloud\u002Fkubernetes\u002Fk8s-network-security","goHo980QNAwc1677UsNqUJ5DQP_E3CQfODstNu3pFes",1775496415881]