[zh] Sync extend-service-ip-ranges.md

windsonsea · windsonsea · commit 962628227918 · 2025-05-06T09:47:03.000+08:00
diff --git a/content/zh-cn/docs/tasks/network/extend-service-ip-ranges.md b/content/zh-cn/docs/tasks/network/extend-service-ip-ranges.md
@@ -30,9 +30,19 @@ This document shares how to extend the existing Service IP range assigned to a c
 
 {{< version-check >}}
 
+{{< note >}}
+<!--
+While you can use this feature with an earlier version, the feature is only GA and officially supported since v1.33.
+-->
+虽然你可以在更早的版本中使用此特性，但此特性只有从 v1.33 版本开始才进阶至 GA（正式发布）并获得官方支持。
+{{< /note >}}
+
 <!-- steps -->
 
-## API
+<!--
+## Extend Service IP Ranges
+-->
+## 扩展 Service IP 范围   {#extend-service-ip-ranges}
 
 <!--
 Kubernetes clusters with kube-apiservers that have enabled the `MultiCIDRServiceAllocator`
@@ -260,3 +270,108 @@ kubectl get servicecidr newcidr1
 ```
 Error from server (NotFound): servicecidrs.networking.k8s.io "newcidr1" not found
 ```
+
+## Kubernetes Service CIDR Policies
+
+Cluster administrators can implement policies to control the creation and
+modification of ServiceCIDR resources within the cluster. This allows for
+centralized management of the IP address ranges used for Services and helps
+prevent unintended or conflicting configurations. Kubernetes provides mechanisms
+like Validating Admission Policies to enforce these rules.
+
+### Preventing Unauthorized ServiceCIDR Creation/Update using Validating Admission Policy
+
+There can be situations that the cluster administrators want to restrict the
+ranges that can be allowed or to completely deny any changes to the cluster
+Service IP ranges.
+
+{{< note >}}
+The default "kubernetes" ServiceCIDR is created by the kube-apiserver
+to provide consistency in the cluster and is required for the cluster to work,
+so it always must be allowed. You can ensure your `ValidatingAdmissionPolicy`
+doesn't restrict the default ServiceCIDR by adding the clause:
+
+```yaml
+  matchConditions:
+  - name: 'exclude-default-servicecidr'
+    expression: "object.metadata.name != 'kubernetes'"
+```
+
+as in the examples below.
+{{</ note >}}
+
+#### Restrict Service CIDR ranges to some specific ranges
+
+The following is an example of a `ValidatingAdmissionPolicy` that only allows
+ServiceCIDRs to be created if they are subranges of the given `allowed` ranges.
+(So the example policy would allow a ServiceCIDR with `cidrs: ['10.96.1.0/24']`
+or `cidrs: ['2001:db8:0:0:ffff::/80', '10.96.0.0/20']` but would not allow a
+ServiceCIDR with `cidrs: ['172.20.0.0/16']`.) You can copy this policy and change
+the value of `allowed` to something appropriate for you cluster.
+
+```yaml
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "servicecidrs.default"
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["networking.k8s.io"]
+      apiVersions: ["v1","v1beta1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["servicecidrs"]
+  matchConditions:
+  - name: 'exclude-default-servicecidr'
+    expression: "object.metadata.name != 'kubernetes'"
+  variables:
+  - name: allowed
+    expression: "['10.96.0.0/16','2001:db8::/64']"
+  validations:
+  - expression: "object.spec.cidrs.all(newCIDR, variables.allowed.exists(allowedCIDR, cidr(allowedCIDR).containsCIDR(newCIDR)))"
+  # For all CIDRs (newCIDR) listed in the spec.cidrs of the submitted ServiceCIDR
+  # object, check if there exists at least one CIDR (allowedCIDR) in the `allowed`
+  # list of the VAP such that the allowedCIDR fully contains the newCIDR.
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "servicecidrs-binding"
+spec:
+  policyName: "servicecidrs.default"
+  validationActions: [Deny,Audit]
+```
+
+Consult the [CEL documentation](https://kubernetes.io/docs/reference/using-api/cel/)
+to learn more about CEL if you want to write your own validation `expression`.
+
+#### Restrict any usage of the ServiceCIDR API
+
+The following example demonstrates how to use a `ValidatingAdmissionPolicy` and
+its binding to restrict the creation of any new Service CIDR ranges, excluding the default "kubernetes" ServiceCIDR:
+
+```yaml
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "servicecidrs.deny"
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["networking.k8s.io"]
+      apiVersions: ["v1","v1beta1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["servicecidrs"]
+  validations:
+  - expression: "object.metadata.name == 'kubernetes'"
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "servicecidrs-deny-binding"
+spec:
+  policyName: "servicecidrs.deny"
+  validationActions: [Deny,Audit]
+```
