From 4e25e0c0339f95f596e1f9d61714ee9a56200070 Mon Sep 17 00:00:00 2001
From: shaohq <shaohq@foxmail.com>
Date: Thu, 31 Mar 2022 22:39:38 +0800
Subject: [PATCH] 4C Security Model

---
 .vuepress/config-sidebar.js                   |  73 +++++++------
 .../k8s-advanced/sec/overview.assets/4c.png   | Bin 0 -> 21381 bytes
 learning/k8s-advanced/sec/overview.md         | 103 ++++++++++++++++++
 learning/k8s-advanced/sec/psa.md              |  11 ++
 learning/k8s-advanced/sec/pss.md              |  11 ++
 learning/k8s-advanced/sec/secure-a-cluster.md |  15 +++
 6 files changed, 181 insertions(+), 32 deletions(-)
 create mode 100644 learning/k8s-advanced/sec/overview.assets/4c.png
 create mode 100644 learning/k8s-advanced/sec/overview.md
 create mode 100644 learning/k8s-advanced/sec/psa.md
 create mode 100644 learning/k8s-advanced/sec/pss.md
 create mode 100644 learning/k8s-advanced/sec/secure-a-cluster.md

diff --git a/.vuepress/config-sidebar.js b/.vuepress/config-sidebar.js
index 918a9fe..f137a54 100644
--- a/.vuepress/config-sidebar.js
+++ b/.vuepress/config-sidebar.js
@@ -372,36 +372,45 @@ let sidebar = {
       collapsable: true,
       children: [
         {
-          title: '认证及授权',
+          title: '安全',
           collapsable: true,
           children: [
+            'k8s-advanced/sec/overview',
+            'k8s-advanced/sec/pss',
+            'k8s-advanced/sec/psa',
             {
-              title: '用户认证',
+              title: '认证及授权',
               collapsable: true,
               children: [
-                'k8s-advanced/sec/authenticate/',
-                'k8s-advanced/sec/sa-admin',
-                // 'k8s-advanced/sec/authenticate/install',
-                // 'k8s-advanced/sec/authenticate/ldap',
-              ]
-            }, {
-              title: '用户授权',
-              collapsable: true,
-              children: [
-                // 'k8s-advanced/sec/kuboard',
-                'k8s-advanced/sec/rbac/auth-namespace.html',
-                // 'k8s-advanced/sec/rbac/list-namespace.html',
-                // 'k8s-advanced/sec/rbac/logs.html',
-                'k8s-advanced/sec/rbac/api',
-                'k8s-advanced/sec/rbac/default',
-                'k8s-advanced/sec/rbac/escalation',
-                'k8s-advanced/sec/rbac/cmd',
-                'k8s-advanced/sec/rbac/sa',
-                'k8s-advanced/sec/rbac/permissive',
-                'k8s-advanced/sec/rbac/example',
+                {
+                  title: '用户认证',
+                  collapsable: true,
+                  children: [
+                    'k8s-advanced/sec/authenticate/',
+                    'k8s-advanced/sec/sa-admin',
+                    // 'k8s-advanced/sec/authenticate/install',
+                    // 'k8s-advanced/sec/authenticate/ldap',
+                  ]
+                }, {
+                  title: '用户授权',
+                  collapsable: true,
+                  children: [
+                    // 'k8s-advanced/sec/kuboard',
+                    'k8s-advanced/sec/rbac/auth-namespace.html',
+                    // 'k8s-advanced/sec/rbac/list-namespace.html',
+                    // 'k8s-advanced/sec/rbac/logs.html',
+                    'k8s-advanced/sec/rbac/api',
+                    'k8s-advanced/sec/rbac/default',
+                    'k8s-advanced/sec/rbac/escalation',
+                    'k8s-advanced/sec/rbac/cmd',
+                    'k8s-advanced/sec/rbac/sa',
+                    'k8s-advanced/sec/rbac/permissive',
+                    'k8s-advanced/sec/rbac/example',
+                  ]
+                },
               ]
             },
-          ]
+          ],
         },
         {
           title: '问题诊断',
@@ -431,19 +440,19 @@ let sidebar = {
             'k8s-advanced/logs/loki-addon'
           ]
         },
-        {
-          title: '调度',
-          collapsable: true,
-          children: [
-            'k8s-advanced/schedule/',
-            'k8s-advanced/schedule/tuning',
-            'k8s-advanced/schedule/framework',
-          ]
-        },
         {
           title: '策略',
           collapsable: true,
           children: [
+            {
+              title: '调度',
+              collapsable: true,
+              children: [
+                'k8s-advanced/schedule/',
+                'k8s-advanced/schedule/tuning',
+                'k8s-advanced/schedule/framework',
+              ]
+            },
             {
               title: 'Limit Range',
               collapsable: true,
diff --git a/learning/k8s-advanced/sec/overview.assets/4c.png b/learning/k8s-advanced/sec/overview.assets/4c.png
new file mode 100644
index 0000000000000000000000000000000000000000..100a1567420fdb9b63aae09a8aaae22ff8730784
GIT binary patch
literal 21381
zcmeFZcT`i|(=d7vk={jm69EMY0wTQ#N)=EPA`n2j^w6aUC;_A+i1eZ~X+e7E8bCTo
z4ILv*x|GmEzQgnU-uvBu@4EM{``-0^u7xCf&z_kxZO@)Phlt0z>eLi$6aWBFYic~u
z2Y@Rm03iNFMhuRaIY(E3zb@O|*SQY>6>*ej79`+z9xDxf9RTnX0Dxcw0GxnB!G8e2
z>ka^{y#N5&6aZj`XEZ#K2LPhp$B&*pBoGK7%vrniN|i)qlwgn*2lN3WGXu%sCy3KC
z77;#*qi<5Vfj3yLQn<XhlOM0yUSc@kW@)4&`2C~s139jmtjBA8c7%Di#Nhjon^)h!
zW%kFMW=ig;-lcgD=Q*8rWw}Ocq%WJF;#^bcGe3~nUh@Vb#FhBYVr?Rwuu(KzXX;|3
zF^rCS<74nZQDh(c>GV$l3-eVM2h;rQsP^W9c}$a$f%b#@GBwE5HS7<<!9-$A0OYp7
zn*iti^?}pf(aoiwd7rC1y>o=b-&)$HobHZ)Z*En55IH&0_1NHj)z|u@q_Y05cHHLZ
z;%t9tSmAI_MO$?+B_*Y?v9X+-91jmqK|#Ug%a@s$nD+PgYiep178U{n1M~CqPft%>
zTwD?p6X)mWSy)(xhK5#FR-BxihKGkC5XhT1Z?v?uL_|d1zklD@*hpA-OIXV#{7EBV
z0|*;sguQ;k=?-D%J7M0VuJ6DvXX{<@->!)x!Y?1~pjC0_WsBJLsl^k*R$X$<E@AmS
z;b2nMW5qCRjc~lQzH_GH`$y7s**ST$;M+c7F><F-Qka+ARO4!x9jB3zQG0v)g9i`R
z*46|B1SrWbB_$<&{P;0GK7Pa}`7x+VB1>)c2f#ZLP7Ux2Ib6fY0{~dkFMfzLy+S^K
zgQT9CIuA(~NSNu!$oI)BuK>W~&zcYJKYKN`IU5mlwe!;-|D=zsB7Btg06Po$CRxby
zK3k_d_i7hd%B5l#G^7&Z-LJ1MXWbUm{YLXE{u|Lo?rGMIxyD0$eR+vr_Uh{D&?7w`
zFG5SU2glFbY<c&UiW`d?N+?0f|L^{r(gFZFVKfQwQ){|yj2cjOB4Y-Wg%OlM4%5Xb
z1@;o~G89e(RI7lFWXuZ#fHFD=5N!Cr7?>=gq_D1>2LKvwT|4pf-(^Ogzp)%P_XWOv
zr#`5uH(jN{Jk~UDJW6`6nhOB^9Bi!YhMPhw0x%(y@HmdwOh8UiZaHV->e}E#R8Po{
zY}`>qUh6UtJRTj(sx&~E)EDmfGQ){TS?!A_&PE=l@R0Y1TH?7rF)+38Q;hdVcqIq2
za;QvIGboh^*z|zC`(E28`p6C?fMBuJx&m1D(DO!arkJJlz*%Qy`zA$zu9P7Q-l;o{
zcVe(Ylw#iEtL36V&a5uSwT|()YXx^e0&XcTM9Nn<Ij?nmw0oH+3R8V3*5{@Ibma}*
z>l1loj`|V$!VJVb`e_{Fkq?2{EPp3f4&!A0+@Ww+pBZ^y?BhO^382evv;0~U5^7Hg
z)g(LU1%j#AnLdBWhf_0k?Bul;0Kw9nu5Pv#J!l&$RLT=FAl3VG2QRb--4RR)h;O4<
z`gBnztZ*XbWlm>jON$1yBoB=s9(NgN-+Zp^SU=2!{4AZYpUeo*)zLrc(?a=8+$9Fw
ze|@17*{De`hT|f!d97(c@DX*?Tr{FYuPI@l8H8=EFw}L=7lM(9{pUOVlP(R^ggG<d
zj(sd#C82)}a&YT%Fb9is853yeKaKvec0L&Cyj?PA>9U*F!s&|i5J0&T{O^ASOUK4?
z`8qp22Y@N-R~tv~a}mNwcnp`)$9*3bpz_be&b6tBs5RNo#ga0T3KEpS%f$NCBF!<R
zDx#zxD|@3#GROgY7s%<qrrY1^*{qA2N+}x>TX6IXb0AWFWLp@`U1ddj@?8gYDMQ{R
zK%vk!@x1nu^2Z`iPC?k_>bM2(@}K}-ge15$J)QaYUrqE_LvEYOZ2|n|<zV^eSARbr
z*`p+f)~Kr0Ehn6tT~b!;BNLn1*jGUt%!=>|q<$a*IK|~|JxHvgBu}0nvT)l97@k)L
zy5ja$+TkAR;NW1lRdgMYlY32|1O8OvE?M%R1#b!oEx;)`y*Q(SUc#~Mi32$c%V{Q{
zZ_4Z5q2&S?zD|tB!O=@%0s^8p@SDWJ9I}G350##4pkTQiH!lZ2=%Wx*LDAg(m8N&%
zPYN7YPqg=en51u9X1{t#`TBsA*y43q77^yz@VpGrRr1g+8ZNnh*$xHph*1s&MKVIB
z=?g$W_hr8FrR%U-v2oA^+zUGHU>z9LDTsLPQ>r|eaZH9AsfE6Pz5+A`@}yNzY3_)J
zFd#m!=!;-IS@M#kKpU}gLO}-$)}bdwI%!{u8rXG$tZh)Cmk^G!tFCOo;$$fuqU2UM
zIWur00xlU917d!nhWfl&rH#rEZFd@;zYBC#Q9cQZWrTpCzDOAb#&j^&gGLXA{p+xc
z9pEAAVl#+>6J59gxD|l09|Q%r0nlZ@9pV3r1xZe*Yqr-4F9VC6i=)5$E@6iyVRnO$
z1n@MMf^YPR*8YT`lb)d<k4hX&0~Ustgn@YWWKq-RFH@50sJoQOJ>xY}<*g(@y$61i
zUEI`;JXsB!mM+y|CpE8m(o76!*1L}#iAj6qaDPDvzk!=dtJeaHSz4Iu*x~Ci%0v}d
zbHcvK6(GU;IE-!uLWkTBcO3XLzLYl)0phPng{HXr1@dCoJW;yjZtrig0y#~$+O4Zb
zKno6Uv+-PKv#SHXxi5XD(;0x=fMrr+GU%YL{CGv8;Qd!CX(>)yFTuqxQJ|?xHjn^Z
z7}3b?0^65#NZqh?bRMb;jL(1ThcB#ltQ(%m_|}&dc)aB9v0hIGC2f=Jlz#<~!K;e6
z%Mc|Y*feHnVxSM8%x22CH$;1l0XY!rX#7u%2B3%(0oW=fCREc+V)gI}kT=pVU<*RT
zhW4_+#d7I@OU)zg@lkNE+b}8=kb_LO%!22O!0av}wJ9c-;K>imq`<JciL4%y0C||0
zE=Q1oLbT+qxko3?M8K+-<|78AXQ<;F9SMM^-HZ47R*g1F_9~LqO>ET%Trv4jOckZi
zgnYQ8Htb3PXjGLv(Q~Iq(u6u{!L&|vhyZ(U%}4aeXQ5GeFCw1Nr7u+yWYA7@hhiu|
z_dAmAAA3~%*B)80k+p-63u}$PQup~hfd9fW_22w=H{$<>e)Ydu`tK3n{<j|ff2xOk
zC~EHY_Q9z$?t8dqD+y7K3_`mQj^D^VFpP31`bmc!7KAAgQ25EuFrZo$RZWh`d|vsm
z9{3XmUu8h*{a(AabSZ}!ov(?Siz+wyKnZTS$z0fzy8|vyAb>0{%owp=#Ztg{60q+w
zybYdK-@)zakt}*}a5jw>CJW9^G=k_}hQL?pAlrS>adW3lI)ZsFPr=pKFXoA*MC+6s
zrw`BXS^YD_hUoRk`@3*Ym(bWhq;dhohFJHg6UnaI@i%WY6$RNLLg(K{%{+v0*X;Ro
ze;t%xx)dLX&<=suH(s4{SvgevbLrLxO64_r2>OEZMefi;@=wBGkX(|<s0`$6f?>LN
z$9{NQ3n04><_jRsi>%@%^FOJ?e-<H?mGn+B$pJ4gyI}gGJG}h}_!0u*LjQ{kOh~|t
zBb63omyMaE41p8<WWe@3M=72jXUb*IoL8R=aR<2-3Ya4(gFli%KcaD4g4|=aoxb~>
zK4;KR0f&2R+~AS5NF7zlh#Yhwwe5Vpf66VDwiuWWC(=+rC#AyiXSs*$q3ifVCCVT<
z5Ox)WWk6<Q<W!d^G0a$3QZxw<o(!sn#$napqj7;plG<d<!TWqLR`O&eJ)gBX2E}HO
zFAXJh(tEh?6&Uwx_f8+7_1VGJcYYti?CD}62Hw0b6N9tZ?9XnL3g0@_MFDx-*d8^M
zqE}%P>D;+y^>y$;FDTO^<*3!3ajVI7gR$UWm^qKFU5me*Akk7D*d$r9Nrsva4-B}g
zjuO9yq-C3Z0}6%XLMSfW`!whNAflp&C^G2JW^l#mbr?eUj~Rke*#Q(Olcy;7Fg2iB
zC>p?wF5Vd2O-W`icoYHk@^<Tj<TY%MCMu(!VqIi^SBd%`AYpdw32I1TW`)fEzXU`N
zS>ZAtttSTOnGnK^*ppHV_{@6Nnf&6W^1pmPK+W_zk2UHphEsQ1Gk|b`2w_U>E{t&0
z<~MI&r@1};U(yz*LuS9eY9Wo2kaAHf@fZ9@-pL2plV7jnP6WRyo=tev(XK@|{44dT
z@ZRaNLzR}XZNKd!-@mW_9W|oB_<x#T*HZ$M0r6nCjUbFWVD48sezFrZjB_%mH+t;m
zJ?@syca+Lk=#W&Q!U5bW^I*PAqHKZ?*2Yrw_cK2l0OH9J+NbblT)ka{A-<zyD@$*C
z{(N%9Yy1}DKib)+#hAD@ulF&RDwY2Yxv2vZ8;*n9@WQqf6p@E9=U=fN8lb38=#h^Q
zy|bL>RkDZhxT|40X@dU(UWd6#_Ay`<{t+5Gwt-UyW}!|2=IGRP$PC0fCHUlgWKdnS
z7igSaWdA3XT!-C11c~WK!Re7X|JO7uY=u3k9^zcv<|bUjUdkc9FvizIH>J5B2>nMZ
z>{tgBlf{2oAZSx@Z_AxG%nldrEdI;*@1b$NA-@BD&v1FmTzDoi0<;NtQTW+;X0TZD
zDb=Us1(3bF%Aoy1e7t|0ZU>!pb8dUZ&o}SQb#BFQBU&!Z_aC3Z*l{;+y9xdsvKU#?
z`Bzxch~D`^Ih@PU&9ncq9xc?|iL@3<rO+1iNLe0ODml3BE)DePjS5Jf6d^2u^;>V7
zrbgp-8e`^Y{>8I_STC!a!{4|8Ge2wEnFjsh!uRswtaJGNflN^se_HZDztbo=A4Pl<
zmX9ADY77mf(`>!+EedXP8&<{(WA$F&?Jto+p!{&l$^8oPa9(H7S9U@2xPksCwA;?6
zPui=SSd}R-RxRB}Rj%n^eJUcJF#pey)p7P>L#a8G=Tfis_|NtJt~ddh20N%pc{1p|
zA{WytTH3jWydE$9wOn%M;V>}H(V~+yg`T<kE9TH}n8lpH(V^Ag39B~*ZZniL#TVj0
z<~?~nTPEz<@_KJL8B@aLy&6*|+U=981jDp`;BE~NUR7e+js6$WL#d@z5kk0&DWmJe
zX1&)~YK7ZmbEnO^l@#(6?KPR2e&qc@kGlQsztH#VAb#r5k3JdnBgt9zyT1$Y*t*%{
zaLg=xwqdn?+u(|+#>G*P3n3f=!O)=ON8Q@lrRL9ehYbcJL?!1M4i1uC=bCsSb8vM2
zmiuOmb~3U^U9yUW>LuU54}7J&h}Ctp*`W4MnvA!8jkum?x8dxw)`omGn=tK%180BJ
z-7~yzttzqYM*fE*XdA;`{<Mfk<)^iT+oO`}A!{1B@T}DW9M;DL5wj5d91LPhShMKL
zp`^x~m=cSUnDXO+pl-G9g&?VB?q>V&-gF6%0PkZF9?+9R;IG#f7xAy=sks}nZ%(=F
z{`@xfwd04l*4B-v^l?+y=R{9is@uG}l{_gGE|IrK!0qXfgR@x=Pz8pRfodr6o3~-m
zGs^e#)mQA?#Xp@sk%LL$^*n1LB>R+2=pmr#rA{ZtDMs(~|D9CNWSjaFf(+vrDWSkH
zIX+q<eBp#h#w`>td_Mff`&09RnP%J@_7AjkF`LbQ>;1#l@uCTVR-c{cXi_tF@(H!V
z%NtR`-?0t64ma?2s=D+LPV~~iz@4T;dydVMvk|?fY(zclq+7QH^Vg~L8f=5H6znaW
zm!B+|279uBr-{P7yCK`F#QOE1c8VS&_Z^!cLD$;!J8?goTIM0jlMG{$T|M`?U`F%g
zb;Lc2rm$`sNyoo_RVyeBCjDR6E{?Zz_Kci=#fXu&>sjH{jC@a|Y#Pp_Ox^968q|sA
zizG_uG$MBnnw3$*+>mX3B+Uy*Kmn|X)4eDrWAS{8`Sm(#?(5d8vB}d_k@erEyUYgb
zsNg&n*VQjddgRaq?Ao92=xly`?F0XA8q@uj@@I7}T`!Igx={S`a(2?`&P~`^nKsio
zuXTo8(HjVOz9`J=<BTT~w#|=6K1er(N&vIphvgiS4@JjBOAdve9X9+v{$t~F@@uR(
z%k)fqRf%<XwKC-ftcU{hY&Jy9$5>DQMjv93OF|JUYWiNRVYl{BC0=S)t=q-)Zjf(V
zYQ(EaiEVu3ikoZI0waURzb8(|igUe??4TLHB(_MmHxdaR9cJ<YZ7oiD3SV0Thn%MJ
z(=qaGmD+}@b9Y=`w>8J-Y0bq*L7L09{9}YQud_lsu4A<fP_|9!?FNmEhl}VqRu`Mm
zGN}N{a90%R@m&3K;L&G~j1!#|D~wA$R$R2rW<GUY<2o;M2i3*GYw{!Ymjce`Hplm_
zZsbn;usGXHBtvJf9S`Kr`As8-4D=!)CfrR2v21pe+$}Cjy&dVEl;ri0_DdJ5b@j$u
zy%RR82B+haOeTHSd(x93rYE~voAfO{Eq4_I6@G=d_RzL0%wJzPu~}GvN<Vtn4vUnP
z3b{Dx+fBH$18a@+xU0<Awdbe-KM0l-_}j>ZFBHbEJ-fg?+rtjHZx^J*os4|ASTRCX
z59Gx9Toe<EC@~~qFyL{gju@+RxamcCqMMhw@f(qHu&@pln2C_KdHJ<0U%v_j*Dc~6
zt?<!;V}fmxP@h6mun3i|gMY~n<D|l@dSIvR0A+~jwf7ispVJLrN8e!oPNbY9tdbEG
zm=h28x(6#{7MS#72Lh1hPL^t5x#SgU(H>dyffC@@hA}46`(XHC5s3BuTQ#CmfO5V2
zlXq49cn%OdP4aEbL)(`?@NNNJqKD2o3s}XV!K~J6+IA2JyFYz*yd2BOfV_d`w|n`n
zWaASN&mm;~rMn_8R!az0D4M~j0{>(L9D6@Bd)1hV15<|Y@JvMoDZK_@F|B8O^i5z6
z1M&gd>tugFZ%3i=Kw#u9u=o>K=gOjVX(c^FM+3zG5~CC{{r#Ig8Dd`V9$I4xma;$Y
zENt!OmoP8swI16Fg7n+lY^43wYAAtS+rWy|dIUn41e>OH5<?7-r(_ss*ncuc2%BP0
zT&sY1`~Jb#g0NKzjA+a5k&PU!$|YrQdgSFcT+JaZ?&418$^RqOx(*iP-iXCAEgNzi
zNeTdId@!*v$J*}(_ASR#3z#R_zPf!k@JOQI%NMi_M201L1x>*^5HZlr3)>0nJ#1(_
zARN31r&u8YPY;d=?JBrVdWb|12~QnavKdy^mD?~627uvzl?nNDfLsjJP}eOqc$iwA
zE#l~lB#qZYXqUh<5Bu(Cw8rnJlL86KsA>vKw9kQjVLh<OfE^ZsMYVXDuOtQ@0?L=j
zk`1wG44`E$a$d~rz2#*NZsLO(hn6_ReOb+$R|J0gBD7cFI{f$pqTm5Om~6QAjsJXf
zriS*1ZJYbz(FBtn%I)pITi2hhDxY=}D;LlqU$u=zk_`qqY>mn|%Iv1v3ti!1CWEGf
z()PKE^LomMEDpaC>L^t0x#!_jK*V$U&s@@BXyDkW%s+GMAIPL+bQ%Ebe;D(ijuRd5
z_(rGvgC0_buK9V?$Ku!sSaV!3O>Z0YHT_C(G#|__)Uo18oi0B<_EK;PJ){}!)pEZM
zrNJEBcQIEo6u<5??0OS;$BrGo4a2HJAfA^%%E`9a1~??o#4aIFj!60JLd<EYRIB4x
z1yR5vfE~UGThR-(i6RdLcHhA58IXG(QF|6+410aOKs+s?WDMS~<6kWa8>oWl>V&Fm
zyXdFv%aO~<D#^+9CV0IJhu5$nJ+AxOEhhwW-`D%0R5Njd>Vy|o7A8DtotZ8x(N^2Q
z>Sf{L&~qj**e)q_9R{A)hVQ}lG+TY>O7^1WilkS5%Y<s8a`@5t&Zr~bM0<}h2@Tr2
z_WMpDhvX~&bKGWm-0W$TL{*htVgKG2QlkQ?ekFMPLxeU4UeWmUW0AILw#nBZxf0tX
zE}r{O5tK#`P@dGxPsPPIN>2(S><~3Pv>dwkl)AERz`CxZ^X*Xu34tp-ip&CzVWS=`
zPY%$Ns}fJ6MzThpR#jEG2i$WEIP0sfk+rliRCE|Zb!+_!WnEY<dOEUYG9lAh^Wse9
zJkZw7!NKo`&tv`9l|}YG-d!Yn_p9s*BCaRgN8P1n7OoR_QVR?(34<24r^+-c*=5wd
zkq~-H_$cElDs)#bTt~*|>GmY$7Qb7;hE#<_$>TYUtcrcgeqO)P7is%KM?(dT=689m
z`WFshhf1N$wy9*2T)C6^<Y%dCT9X&oqp`IN0v=17OlY`dh&Tg}QXBn&$=SF-amV0%
zw4^W@GlMG1m>T-0rLMx_TapFkt{m(z;A6w}>9eAGBag!#O^KJ{u$A`3)YQq<Tc_0G
zg@NFej)F+`qjSIAzWt4jYQL1@GhNi;^WLNW`qe54hY1_6r%U$wTXF?+D}@=fJ%Tdo
zsCYW`m;<WdGp6A606)Ive)M8$(TS>q%xzh_aV?$6JK^`&oW<&Y&9ntH*}dNJJ)D<w
z*zoEJ3b!9@4Y!?z>&gr|aJ`gwomUiHPUS+h(?LYqItHU}C(;+m9jje=Ij87!v(q+l
z4T_HGU!~l|3`iJZ({@JT<HwiJ;gcRBi>oD72b_YNn#XpV{(XK*tnt7FKiAT=bxrQ%
z-x;xfum%}P+?MiTq)ug#e8e!<`Dl_*yMu7VZdA*q!{@d#MPZ5Fv@08NvLsd6h6)bj
z>@qw=7iO;`NQVp!d0q7>{3rG0!Q&Q!t|dZBtnd<giLZB=@N8s`t4BPuB75xhsL{H;
zoiFWmi+`NOyTt^yCOxei8rnP0U~ZWa;?u(MkQP&YXjE8gr?5h>)<q?pU+2Y;K})b}
zX8}ju#2ZGWF$gZ9tLG8yS?y%=jF%DXXMIJtd>EWI6*7HlIU!z=jy-Mz4ORY;R2o;X
z4l*##)&y&LW|Xo+Uns)j)7rg8tCor<a8xmk17@yD0A}YnAAq2=S4J7rKnv~cGBi&V
zLQ?u8Pe!mMxfX(5hu9pr$aBIsaW!4LQ7z<@|2V=i49=TL2JOYBtvl68KTdhQdm8ZR
z+}Qvt3*7^ui||X#Wg{=14x#x8hcl&v$0G>JZa$bu__~T+TgMypMmhtLhtP80*!RSP
zN8U?K@IklZHUr6$$DBA1+e?uzvBioIBQJ^gtLQOzlx}u}VTSoxCFiWAngz|5`vGH@
z=JygU%?f&1Z{Moqb>IsB%VkPMhN=FWbvcR!xt7Xvpv?=@0I#+bVDDp@&QGA)y###8
z$HopbJzqMw5hHFew`gR{@vR-gjx%|0C>Y*->p<dQ(}N!E)e|@#%qdRBoZ$5aF3E|k
zA~J9P5m<G--2qc>vN28s;U}X$zV|}^+UE9oM!EgU#@qw)<UPb%0ET3q(*Z5%9AxMd
ztt7QM8L7A`O26CpDjW<R{n8v?b0p9eXjj7+Lg_4CCkkuX_%`G5Q=l+|oNZ+g#h-rY
z#QjG%Bb$mUx$*udyAqZ41{i3aVF+!mtDcIfa+B}jyhcC##nzNV;J2)Zu#sPVe_+;k
zTiIKk%S>Q>H$+EUwk>x@`%0U%D(Wxwvf1_5i#-WH>zjE*66W~b7xU%ti>x7vr##Ry
zE)Oi*ar{Z;hC-Lcl|->Bm1Lm8C{nn@#!xbZT8pz47e~Q*+cd%z)u+r3VLJmm_a)iV
zl_V7MV~>n_Pu{lKn2Wef`NipG$?_?=ACw+nU11MfKWoBwHxb;g!!*V-SOj1?z9N6h
zH;jgUZr`hGKNuD@ULCjGn>YXC_`@e+*mv;d>9cQ2wrhy>4~)pYt&#prMOUO+mNN_F
z6!m%UE(OTbzxR^wzbQ}`uo<qT6LzM@<^y!<=q7!=LamlE2s}F(xWIJzg^c}DMu=m!
zpb>}M{inOvJd~NiLW&^c(}5@+kd+V8x~Md9Hfg1!fDgL?BU-h847oD17335o*zfY&
zVK?@js&5rkc^q(x_6@wsy8XMYOwYSEqLElE{i-?{)Z=ZTMth(E1iVNaeoLoL4)yr)
zmR&z6?#MNe;13Qui*tIpT*10?kk2i9TZr>WwVt1p5RSJ^O$p<}8B`JLdBnl?ifgyP
z<EHczJDIU)y4JI?^1#ES-9~f#8kDfr^6MIgQ?D|R5_t6Qt#0S@Ojd&^m9v65VHf)@
z$?iZ_;DyoE&d=x70<c(B97Mz&8CY-3>Yll92?o575p5^K%67#IAMI8%tMqvNWrAhQ
zT>?5kv&7c6L9n~5Wp(yBw=vM~qQ`Zluy)Bo3l#v~cTeosb=WyC#`-T-&IoCKZt}}f
zapF7rDTlyi03+jedp9@=?wk3g5vlcY9n(r3Fhp1Y?CNaOPh&4B*NWW3@nyh$n+*>s
z_}o=du7S))#X*zSwE~k=TtL(EgGEUgqU49gU~HbjBGYLL4Tq;B6cWpDDR{7yE<Bg}
z<_(yEE>}rwgM-B!i|1=5&w`Q&cah5cTfounNB6{X<KbhnvbP7u9D7OX7q+DCk5KZN
zsk^(UIS~cVAA49z|K4gq2v2<a$|-WKAo}d=cgYlS7(oJEdUVW6!*EGCX;PEd%ynz!
zF1Gj<20qKmwyRx=Bsw}x!*#VfS2Os&PelNat<>IORdvq6Glyg>O}Lq}wYOI2pTpKu
zA3_vCrz>Z@k0V3`_)>GTz2cvAURjWqQY@(UoY~J}sA;rYsujvCRe_&|zFAF!$!pgD
zJl|#l68Ff-p?G&rskahL-cH*apFL8Mt}W*$hs%<BEyby((!RE7d<cL}gR|Aa7Jm&(
zAt@_B`!{q;5Ov4HR)16q+(J78LDs^1#wXqc!WogWG@OZyM0%lhD`y+~MMbyFzk&^O
z1%-p+1DAqNuIYA1xOApnoCw%t-TT;N`uhe3?#b(P_}&IyF23Da@O1Ih;zY`hZ&<6K
znL7ULSPdCoBL>pkHeQW*fQ&v<k88SjFXNxy46BQFjcdgZQP<f?fa=oY`t6HW7P<dB
zja%Q(|8^?jWmdPT0UiKbj0-0mMfu6hpX2m`v`<cnfiEhkVmwwf3%b9_t;r1Jf%V)y
zn<!5r<r6xHsFca!R?uN{BC=HwZ+Z!kCQI(^9&aY4O;T5S&V59>dMUV?2UeTr^d16e
z@S$xe`mTXP`@Asy*?)%E(PKO&d6d9#C|qXJ4<`7}=NsGDla<yDCk0=YwN-^-62Lxw
z8;;*o;<MHEQ*HowNOn1p1(grMPn^5#$bzbiPt?0?NaBCE+TCSE65CzyH@wRNkuw==
zkyEbCTZsc%zri1bb+7aybbPPmSKu`T;^Uh_g&k_Ql>EK3L3oNKVc2_hlfk8CHVzHX
z5!^~%YZMUA=SzW^KW7p%`4Ox=w;h=4FSB}LH$1NfHk@#Tt`E+u^&5`D>sL?I|7k*r
zIYX>x&#MiLw}tC1y$*_Y9~3;y?mj(Vchw9MB;pZtXGAJ}8Km<Pu=wBst7Uc=#U<yp
zCIaz{_2kJ-uez%WhxD!EMFn>=4eHP1_v;vdU0zYFJ~49T{nJqxitD^9o)VDd7sVzJ
zBRhw*N3Fr3Zx=&11hFSo0VlTiUWso7mPa%yiEj}wd9BGnJf#ddCOeG-USt$XoA&Bk
z6%y&1c+ph@S-b%Y+KiNLoc(++*wwa+pZnVtHsB|b40-a*+O6NC(SmVX1Zy+Y;$-t_
z+~?Sa#YmfjK_Hl>OC5C%$yU$`$_hGsJ?7|lAU(`+LTc)i4YuXHkAvf()x<$@fn)(j
zgV$j$yP<BaLHziBu(9W2U2ci(%6CB}g+RJnCR$z%W-|n&11*h=zSXoK@XlNj%@1`u
zmcTs-Y*C*JLClA@-ZTHgr6BRc;vBB9Wy#MBc&dOf*)vKiexpmG7<`!M7O9VWCo%2~
zsifXfXI^VM5Kj!Y%FJx9o=$aN{qdzcawy9GiP_w1^ZjBpf8CM|=7J7*B~pEMlvM~5
zZ3-vPRtP+4?=!|kksb!^wzPE4xftjjydW0`JRd;N{K?!(#cR=C@V}FMgw-;Cz1f|V
zDZaIixGWj=IE7h1hQ}%&d5D!az*dG|OPzY93n7PD^^=t}1pLeM@sn9%Dbu(h@gPq4
zo2wUK>WjQE_v4+aaH3*cYm{WeHf8e8solB%93_g2Upt;Chi{h-dD0ul{VHUCBq|(-
z#{G@hzWw|cGW_=aE5Wf{s;EmJxu>%lvS;M{a|K{6$LwAQqShCzs&Juk<tG)sfA;@0
z23x(Gdp|~L7l=Ld%37;%n+D~NzZ~4xtBP8D+WO@wyB!gxinN9sM>7)W87nl-+Ej6w
z6}$>0#Zo*E+(>^yPnVYlZ~lv1DXv<ATyVwcPKQ+T9&0_RaP5rV&K{-25YL}C;<6sa
zb|;(%UQ%9O;(@*CjdLW0nPwgTHAHRfnT@ftj<dS|gO`UCds17nH5TVsdo#c(i?Zs<
z^JR_`!J0#gz<ZN*O8j_gun(*^5VZzTszo|qU$H^;*0&@__zx|SW1eoujEk<t%|Cxj
z1&Dz#=aUA9Yn|f*x`(gVqk{H1*aG&?I()W74$b7NmtV?L2gpt~5+0qfQvgQEczEb-
zrCRTIL0EJ1fbs!;e(pxWjx`S93wgDRo??qz&yGSBe)&E3vPo>1tz^E9k=Z{&Me%om
zorfFY+KO&}cdZ;-3s+pcROH<SUwDqCZ+vI42CZkgjj8f%;?WrG`Fxm9uc9GKz{dNF
zRjqyD+7P94h%{{Z7Ub~9sh4@m%C5;WM_cyW>?d;{_I<7b;t()zGYWLdD&Os+3wTy;
zlEoKdySeu0=|4<?lL@_X>l>aHf%@C4LOy+7+gWz*7T-+YX8%K=u{2!R`gkX5>as$G
zdG~9d2Zp#;j?WB(8c0Dc@faG>Cc^?@D~QpMDWOSBQuTpf<ze3|{k<>o<Odh_^V~)O
zM)*_Qcy{!r@JY|!cB#ICKQ`(arb<1F$nZI8R3JPEY;B_eQa|G0p)mXeH?lBpRy$eV
z{|{|4_LMtYogA|OxiI4<aV}(Qcj4=an=m~t{9+KVVcyx^LeQ(TY75ljRyg7P{vr6N
zA`4iG#*+#e#)Y}P)0##F{L8uAWj_H^B?UhQwtw)<fOz7UIu9mpbsZLK$Elb(On3<3
z6-a^~^}a%#4;%O#yS+?q*iv}4uR5{m^)amI{uFn@c>&l+2)4`ef^JfGU>rmhXn4U>
zUnM6}$%o{&QsDWoA-um*^@(v~3t{zqgj8}peo5<Vs{meyB=~l(_k{~7mHT5wj6SOm
zIw+n0=?LNGo-f(Uv70}h?zm8}QEeO3*E8uaCWBkA54+L?j+$(5+UjWqoZo$waS%c{
zHUf=tr{^C;jo&MT7r7<IsLHs;JT(<gcB+2K$!}R+SlF#;Y=Yj&Ukhd5Q8gA(E(}eo
z*(ir_z((`rl(y<7Iqs~*54nv`R9a-PMqVK7HbrF-_BTK|ABit=ijNJv4_fAopWW-+
z7}8UER?grLUa;~Q)>A^i{q6NP&{(-TaX28>rhYD@NxP=RkG&N9YDo^Jl$MQYCfoHm
z&6juc5!!cRwdvRhk1xCd1L(>(!q+u5Y)U1Jw}!rTjtl#4D9kRwfJw#JqnnGjw!xdu
zcLud>xN>B1H`D#pRd<YE^Iy~W-mMRKs=+do?NEi>CfX{noltR-29wQ3UB9uq8F!{y
zeA>cZMl?xzdIs%ch2W^>{|_;rZ*l69_)RT|U=CaK4LI2XW|p|K#uN^Y;__OHfOwlp
zn&gI3&1O7YXPo~=b~mHZ!6?-V(YQ60q{2cYBxvkXH)+6W-M_G`wBQE(RMB;!Lg5tn
zRaH2U(vx}jrCw0b`QK2Fn8iX~y@KCAmj42Dh0)>Ko3z}D8kL1G&)K>{+gAeAQ<SmU
z((8>al)ge<Gw++R|9Z+4&s^ixl5=|`L|AuDGvwf!-hkR;3y-S?mk1qiR6toQx8-}k
zqs?YCujx<R{`T97;A}zijFht#?=d|81n5G6;&gQvgZ@dwhPRZ!kD>MoJI&wxEjl?2
z7S2=mrLM9{2p}|0B!OFrczE;4p=)EQQAo_72W#NbkOxNauvv$av#w|}_ndEaThR01
zq-&?5qT>B~i~=_wOgV-Fu|7u7SD;|Otq}0Lv1PH!Uum{Ah_KUK9Hl!)>wiTu>D*j1
zNbXa4ZfAJt=7gjACM_c*M~w?@gIuOC4c~x_6tAED6iZKg-$eo8m~cdIORg`Fl4I7b
ztklzAQ{}vefdpFba@>&-e!or;RGlV82nRRMpJNeiw#Xl`V76%++w?=X*o1}wiBTck
z1EzY_QEcU^-uDDbh4&xx3C9gZCKel%KX1!R4390EFP`VP0kc9-PJWDo8?DEy)=e8&
z6@2r<|GWb$l~>cY&TOYYJQRG^rM8)#_FDEnD&AR!9J=7u<>1~?wIa%;5V-8GGd~~X
z!u60!X1J@zs@nR2ZI6$k!!yp?A6g?Bkcqjux$1aYF5JALxVW+Z_<H-Fn}z6{{3b*R
zR@PeP*U5K|1cg_Agmb+^s<@!)SjZeLXL-dgi^vmFinvoH+iItc__I(>h*2*6iml#&
zE{Bv}95uI6-ausio?Krmy`VX3ZK04~7Ocr{7d5M<ELBeq4FTD6Eo_+XY9%Y1v+@-d
zj&pk)Zf&UhEa>M6c%;vi-vY0bo+}mz!E(25`1`knvm)v5qjE}S5WTSQ83R|{M%gw4
z!rk$O_|D2*mNM2o$y>kFj#~vo+Pof6*ZxrJvl#pOq@Y4fre@)9iVXkxJEOaMA-0o!
z@YKQ~GUn<J+3--L>UqWYH|>Qu?p{zPT?(bl-!z}WQHyu|JaS`l+YT<r(H|a<KIy{d
z9;lZQC+sF$Sssyr#nd8>P>_cJ(VL3Pu?P$3l)l8hw-9?Yh(qX)#wR{`m|%we-tzZ$
zt6k<Sc#QOH<#=RfwUSV5=A)BAYK~`FXoDcmO4&Bt?L3oZm9m^a7n0PMAX}ef3ygJa
zmy0>aVftH%T~MRJ>t7BTV<vp)!V}Ith)F+|z*E=bv&YGyf37tQt|Ow7I$tJjbYmOp
z!ot^aIhX6PY`E+nvKy=k)PnfVD>M)&wz!ezxLYDu>r-#ySoG19Oay2zy=tn0nuzfA
zJhGd~>`2ut9a`#6g@wBXHp*7V6v;I-_1*~`A=xUT6ZyXno^IY(Gvvzk%KfyEePsmO
zKlwM@e6Qtn7T#^%EdKj1*NalQ7<!G?j8I`TE<XJmC<0Z=6_lBR?}S+%F4BWZR0=lt
z(ClMwIRoUSs4G?+!%LX(tIq4(t$*$teQnI?XmJd_5{)r;L;jYu)V=E2CTYlye6mhc
z-b(RO*cI#Wm8Sj{$g)Xvs8^l^D*6eAUhZ*t=H%A${FTY-1wKW=03V?GL*qYkX@1#k
z0>b)V9!&cB;{`q1M*8@~(Lpd8v$5ha=*CHYjzCbd^_rtp#(AYeLD41V-Z!y}ekV3>
zqoekkedkKXwWqz`i?8u;lPjh^MCC{=l=tb*fiACljvRx7I@%OBlv|W_$UfQ)>#ZM*
z$T{Xv-{6!!TSvuW0u|9D%`vs(6bfwyKAi3n;KS8EnQl9!S>^OXdj6i>?KUcqw+vrj
z{PV8SV<g3HEA+SyiwKe`$`zammyjVo>Cs1hCg_}1ommeWr{#PH<v5gb_?a(^v9q*n
zP5~>sd{1L@@rIILSCzr1<0r={^gbD0GybJNQHK_G%w`2`s^;Z(0<eYtGo8{p8X0j=
zWtn{p)ZF5N*3Xl}?h^QyO&pw-|9q+U);@QiNX&t5c)%P0JHx*S39B}aj(YYEM#vw>
z2Uo=zkZ*FVj=hS!x|BFk|41|Qt6+6pOiU^?kfWC7wH#KTT2_Ad<UKU3!(y9@Wp}DG
zx4gtztZyMkuv8n)S-Jf}zNcX}niu<a&WxUzl^lA@I(yhy1gRQ$o4fzwvFHi1SgV6b
zYoFhZjnqFX63ZvJId>F#PCBQ>_I&sx2OXUqG*CHpR-Zq-hvULw!#9KLX^y{tZ|DFQ
z&p#Qw#~eQE?4clBYvz%A?{~mHuFYj|Lp@V^BW!&vw{s>_vUHl9x!U`4k_~u`2lYv0
zW&v$ZYQ|XV-OSA_Q0a|{;cBsQF`V2oi?f8)KYzYRn0t?+@JaN?(~MbhSuDOb8-FJz
zy4G9l*!(x+@uKy)<#AnwUarY;F3Z`z%EcTGVodfF(C?XMOcBQ69IuSJudLJsCd64S
zi2*k(OOu|$Zc#!fvox5J(sG7y8*_NlA%&AIf7};WBVQ^&Q=0dIj0Bd=;p8ixoAykF
zkO<xw#lNF};`He%xXvfL#!{kzaB}dXd{2}^5PT~lgX7w3Rtk*no<#on8773PE=7+F
zAZN9=37_2$)uyRW%ND|gE1ly+b&fif2wD4e)PVc?gD7I;XsF|tiP0@q@Xe{F>yaYV
zDDVxVE&VR0pF}`|+>HmWj+q*!sAyhj)t&_S29~r?`zyy(4Rch3KSKIZJ;0NwOI7EW
z1HS5%P!ccGPXZWu?tZ0HC^Nhsie1ZsBNZ<LT?tU*X$ih&>>A|G@}=O7_X}ka<LvKy
z;M6f5S(HGfni;yWh6#3yCK(pKVHQdY#1n;wO}k~>0at7>SsrN&o7(`&=^4_H2Nj_u
z>JD_sEv+Z-+H%W+$^aljPR5d|?uSVxY4!o!Yx^pK&I&AIRQt4d8CKjKEs)QXg3Zq2
zL)02#!L}=R;OE59f?DkZ^Tx`gEx4CYvQ0yK#X`7RsudY9B_rdv$YdlU_Ol=t!G<Vl
zY#fGO{n%y&0L~n>L4LHl)e<K5w9x#z@;ealCRT`MzqY9(Q4z}~M0@!){W*q!3rYrn
zRcKMQ-AN+^J0(_9Q_)yiS?^+8-`Hq#rAaiaoCHuN)(ms}Vp){xSUDm{TvJ>348Kv5
z?sK@LLjqP;WRf1C{CXJAJ)j|>5taTd&mf9(&&|sASU-MT`sUcQsSdX1%l-*KdHYd%
z4PukVCQ6*F9c?5x5;r#44qbMp1_40COByEEJg%&r*;u(y-O^H7xt`IoCe?te94efg
zc{wQ12I|@KE=*x<bnM5J*^6W|NP1y;q-9Xe&Wh1&KG@2y&PfH0lYfA!XlC7gvA1uq
zu=BBUI*d}881NjafK%(RXigd1OMjf2X7C?U99c7zL*|hKKeY?dV|;=XYQn>|dH$?h
zk>LAzihy#V*G-s>70OEromx`RboFx`Y)zO&Kx;|s)SC-@^#N*!9%DXkH+Xu0A6X?m
z^^0HztWDL?lDyY-t~yOs&M-PScYJMZwD{3$OmPM1D%M4m+-^6fnp|5m#>M_N#Prv^
z*lg?)0C+-W>5y8F7RquGHp_}U`SAuMKzji(mhGwu=i0~W>VCB_Fwxx!FM+<p4R~o6
zXva3NfK?{74ld-U&l8(3>l!Ay=zz-G2k@lO=MH$I^t^lG*0JCVcuzL4Z13#VEQqI7
zsBYkEK&(7laO#LJCbYG!u#A;U!BmlQFuW$mt!Lwin}YZ;un=fEgB6OvTQ`i=G>ArK
zEUTobeEPYe>PJCxnszx!<&#ovvTXp@`7FsOeGtmK(Q+dH&deP0?1QMxbF%DD?)Ev4
zZ{oHlxaqK%bsBwobnGmG?m%L5|06}{8~r@|4{xn}GR-w6H1hZ3@|{XPMVWX?x9}3Z
zGbMM`?>{iu;)BXizG&g)o{GjT+G{Vql)rTCly{N*R0F4uyuWTmJfJp69FyGQpT&#V
z`C$8{uQx1R&nyD(_{?He(UZ;<<*h|1Z}MA2(oO3q4Qlmbjc0#pC4M#Nb28cyPd=`>
zisU>s(n9a`b%f;>y~I{-KRamNm`iEZ$iFE{tpUrx7GGVQuOZClLkt6;`R%i+3;D9a
zf6fAH)?WSA7KW9q4|F+pv(y++x0xZ!$K}5_FhZ=lBvbY=%(tExraxy>{rKs;<$fbf
zB(%hdvoDeF^G>Ch{^}}c{A+v9IbnU2(74-Hg2ShsN}rxJo6dm0jmoH;&?9t>71!@O
zjJxiq`DcS+6R1=DFdJX(cQN_Njh0qMUbeof8?qf@=Z%(%&lFWmyB#00a2uH?Ot)^&
z)hLZsHht)xO7QzO7d9cDRqW`h?X)?G^_x5@B-_1j_Qrok5iWn@^g3;0%~i<y3$yaS
zx4pNMlS8A<sCWese=4%dUntd|Nwmw)e*w3m&<XUI<C)0xiPD@*sJ5EtJ)b2(7(IKV
zzoVt2m5q&RY0tb%xAUxd1J>C1+Vpx!iOTKrc_#KX$mz7UPYkWgR+P@^aqT^+x~0c1
z51lq$*bXHc_}hEt#>1NBeqZaP_!NEmcG!x#J_Amj^g2;ki{Ib+>8+%`8EV`C(-l8|
z`N><6J1$<|ex3>>^5s?Hg2|6R)DYY$C@`^29@#4c3!f*PuZ?@mS9*MX+&uSo1;@sX
z+-D2Qs|;xV@w5ES6YqiT6Z42PcJXJoQp06Vmq^-4`zXJ%)v=iK`>$!lHPyZ<%C2hH
z$W1{@KD(o)C2Z=`Y*+luDw@`r?UR^aZLylwfNPBTW<7SzI5}>Hv3D)Zh83~^ZB(0X
zFoc$dyj`EJe6f3Fk9@JLvDjgtw#Da|^hO>R)_e?_^*E7k1CFDbs=C)#Prjv5YE9GM
z;Qyn{!%ElNuW!LSzxc^dgrr@?d=|O589rBu2iAO$Nm^RSCN33t%Y;ugU4d8p7mkLy
znA!QPx#ZFFm6=lCYX;@*H=XZ~8@|deoN#Qp^RT6X*I!FR?0}qCdG9wlCVmGK;9~%}
zbl{X;QQ}_dvgr7b|IzC;CcekQ4r@OO8oo0loh#~FT3o1FO4T<aVidNGkYhMpKedHo
z#PJ=O;3}o3$xRR3#a2b{4Cja*k!3O6^i@VazsVGNFu0lqFA9lT<67|cE;YFlGAP$g
z{I26of_$$@sSwl|Wo>_jRA4cawBH?<o+)zK6?SdkPa92>ykp17&El!()-Nok_&VEn
zh4Z+OE&DO9xGUdkVb^y_R`Qtnc{KB)-3wMF{hJ@*-61>frPlo2mTESd8*JPk6`r=;
zkbw0Tzib@CPJKNet8>iP+*-JCuz9Um!VE3H|5B;%Y@u`#Yh1T-m2aNnyKluMo3ll(
z<n2V>MlDIKkP$Hpj=1@SLcVMYR8pX_>t~Ub+b)p-v(OiEOsoR*!FjWoxoviRLhgV(
zItOFIQT{yW@m^BTN*Y-JzZ&Pm`!PSPM-~g;SAF^MTC~i%IWJRXqi`&k_#Gc?xBQ(^
zvW^!*Z^}fHcHii=@lLqo!`ZLSOn;D^NRf&<NON@?7%%HKIY?noNA8_rrx>;-klOtN
zzcfhKVx#($lQQ4Lp55BcuExfe^gVqb=Zz{2@nxb%J^yN*^erHmKqHA=^OzcUrKKw4
zxBPBE70^7+X@m0H@Mr3W>i=zJz&3q;i;p-hQ~HV@4$FAkbL%EmeY~t2!tvYWb04p^
zG|dXTXAVYqKO;~)?zBuuuT;V6z6#7oPNeCI#zLfjpWEb|i<!>%=ZE2rIvs9p62G-h
zD5LL^L4ujS5c&8$%swV=l!Ym5k#5}AZIxjuzO47?HcDx$vqW7-61)58Q=Lk+Rm{f>
zisQ>IbN5#mO**Q7ysasJ@G4emD}`vLLh(I*SZM40Smho<*$?c=SSSm`ltoX>ZWtSX
z49QKlB-mh1TGB$EFd<`_k@>H4@1=`t`KyFFLeCw1iX2}%T8#v>Crp?p<w~#rU1-^f
zN_KFrVu$29XqO1Tg?|^k3nMxFQF*M|EDOsTpWsU&Ur~Sk)1>qdS1!bW_TVkrhEVz9
zUf<NV=E03$(wQr`1G)0L#Tmoh*|LMA%bB&6Z|z&F&FY-xNS}k{G?6ekwV$YOlVxT>
zLP(i2@4*-sn<TcOvBJg$S;2d+*1OKer?!173-?a)lwLffalm`;$98Rd%g(%w6inO1
z(n@uM5ps0(E$ypRr4LaqWPRB)3S-!{a_VHSJLLm|UW4k|Yp-DS)@w-WWV=^Zbsclt
zw@`H<W91kRr65!fQF(jatFoZaF9v1y!?bmyM4yu}>)#B6%Pep%E%i)onK~|wt@UhG
zX5>`V3Dcf!ZW*`UjjU>@ED)$Khp@Lo{TEwcMn=%q`8kss?x7lApCF%(Nh>Q4=l)l+
z3xUf84F^GWQvK#$Mc++^&0pl*H=mG!493|?Tu)kqC(Y2m8@prIT4?#$M1CnT1ohT;
zt2-@(iw?4KXo!j&xE!Cuw4ddc!lYo1+ED)zHrB#0$nDcLYc<4;eEV1Pq>=Pl6d$Zn
zN71?i+Td-;$^1dTe@3x`JX!E^=r6cI465gV4)Rq*?%Ykc3S0b2fceV)xWsI(W!9VB
z&|WU%VmOFU4>fwV`@APs;$4-wR(8hewk5szus|$a(!YBF+zERJSmPZ82)@ibaZql*
zlB2*{QZ6CSd#>4EdVcEKe`!1cOpj!coLJ<&yV?eoE7tq6d!#z5jB@wOF^QFF9<ZA7
z_T#SD>BcG5(6f&FX&v-PTTu%Jb5u$X<w#CYmn2qUc7gS-ky1sbSc;@%`ET8_b%~%_
z=1tmXXDgq=evF;}UD)#c7I8CCVna5yg0)V&_UXRTD`ouno}Yh-o(a>;V#;gwQeXao
z%-(_Sn#^K&5})%6+8Y94@XdRt@wlXG$Yv(nI7;{Li}UhD=C6Xn^iWSc?4qGfw0pOI
z2u+Ph$x93?G|J*qY5(>;=Pp(J_?!`We`OxJe0Iot7;W4=TVFIiNhbCeXUu(5T8vHH
z++$PNZEJ%|X|sd^8h7~8dU#$o$B+%plrDKbOQ!ujQydBDm;A#uH0`$b(`u8^f*YP_
z;!@0guy7DZF!LaC@9xiuHXhO)LDVd{bjbXGA}5`S1z<Lgd{np%61#{LKca_&Of98@
zo23oz=H;R=LlXZ?reSdJsjsS<skhwTcvf-Pee+eC;iBwsjZ7Bw7@CP^+A)GJ^eYbh
z<1aWvq2_^Fjf26zioy!`hlfJXJ6f_bTRwlSoq2p(+3SpXIF#jxmG>}meq^#%zMs5^
z3?exdY@G?Q|5E2Y_UxhacbBSzrTE6Bt^G9OY{kJhZv*#il7*RYi?+W;*Ex5a%z{u4
zw&PbAF-;7I1G}_#XP>lwaF5T-L!G_M#o}TjTR7_<%9|+i##oYJX7fU9Oe_jjq{Es#
zn(&R^N;t{-qo~p+Su2^Pa7K)5VLvjRM-5N`>GOtH6b7BBpY_cyk}7b!ZEvMJK(b9A
z);zBclKazmsTXx<V`4W~d?60^lH<>(5sqdN{ww6`_K^x}v@rc!60Q)L>`yFTeMsZK
zQgI8xX2~)x#Wbzeu-|zZ_a-A7JD#MRq3XGeQ;Z}Y$WV6d9(j?k9#%5n8Z+_}k%@fk
zq1I)_XHc4Y+ngOz7!@)esMm7n-0karSX69QF4wF&u=PiZ`_7Y<q*vo^xMF{r{q#>l
zM&wLe&~GpKlPw=obkHI3WQWE^Vuf7y<V15*$=^*s>Q_$6axbd;O~Wh1BzQN;y=Y#d
zmZf<A<D#pN5YxKO-BELWjBP1PT={6JbHbr0^o;wi;wbkW7;EvXO;lW6VDnQU1Eu2Y
z<_EgC@EJj=tWHMA!mS?uc`)Q_dCU781l%u1de%R6%Njqj`L#}(ko?p0mBr=<6Q<9b
zYTDn@$T0eUZON6xm{44oc6mOLbfKr1i-jIg3wqzBM>-D(@%fN3yYt4vA4(hE9B&^l
zX8b(XJe$;yMB<z)8h5wXeqkeTPb8fETANFwz@GFBFZU!g5Y{5yvh$OY`f*<uq8-ne
z)VAm#iz>I%H(Hzm%99!$Jo8mNeN>%Np@L#(LGIsbi?XbYzJRZwwEu`~NU0RldU`l7
zx#c)x71SGT&RJq|zUdyk!3XOKWkDN6-&tf3R)d-uCtrWUygpTj<T}<jn`_sYtmKdo
z*^I#Bkj)|$LM648$gNh9?Fs?PS`JxU;H;D#YZnnZ6!wl6hNmCrVLzPsu(#YFrPNcB
zwZST*pR6!9v9>m4K5Z@$SmR2CTyz#zG1GE4$2*vM^^#${+mb8M=9Y_n4?cZ+ploeU
zg<a!{SN#%(6`!gqMb`)%`1tr7#>5uEoukGKDgu1kSo~)<r}UvQFlZ-zziQO<vaFbu
zbWKp*klmzZuOQHsAq^(7PR}7mpYmg33|NuW6(uv0Z8d`Tq&l=02p`9sZS%b|;pFS}
zQgu?%-l2m{^HyCXKq{j;YVqXs%91{l@ij+rSmVG|A10)Mn~#6n(f00C7)Mg~%H%%6
z(SNdg?8GqFD#0XU=~8fM1V7ASCFN&9O5IkJspO=}x$SG$F*1zl@esaD(l^b~N+&k;
z;2F}eG-B^yF?wvNAL4Q2n!{xC18#ta{Wp2C5GJroNLT_UIwrfw&s&SZ^qD)CigvfX
z>2<Kg{*Pj=J)G%>i}O>IOY)nDO+r-D+$9Somz0XM8CfQpRc^)BV!8aPbzzI2uzt0c
zOUY%(gs;me<T6@H6Jp*qRK_%7n9IBOzxSW_@Ao|CdCp&-^PKaX^T&D4b3TVLv=%x(
zUbA(!faDMOOW(01>m+Z>FZyMKVAc9^xWZwaHMx6uFs?x?ITGP?4HcDJ*#u**?yn&~
z-fEey8Lb)@-2V6mW8UJsZ=R%^2LAR!vTodx)Fhj#Qd7_ap#Y}&=4tUp%?75krT>>N
zyrmM}I6)?D*AR&&EXz*!G3vWB6FTKB=e;DNkw{dBALq^o8!22kaYJ4sn~IKC)oj+K
z`Qo_+C*2h#g$u3}flby(n$)8ia_nFk$f6C~QE#&uoTg}?69cGc`{iYzft-LYGLS`2
z&faGBNNEG!cS^uI^gi5J5ZXo_00fy|bj4+)=HuYe+s=)7e?1_V_Fk9CnQ83p0%(?b
zw%?`U#?D0c$v;S67tQv~-BI48d&SrEyZ%=<Y~6AJABkTcS~QFN9;Y}o=?g6DTh^t%
zOWl5A*_^_RZRM4v8n;i6A~-MnnhCMhetO#Ze#O_Li}fFC#QU_05y#ovqz;!Sj=n(b
z$E6^kLdJLflHUt(TQ^FBc>8)^EB{yLtu5rzeeTAfZ^Xb93b5Gnf`iq0hgJ^7pIGg8
z*<2XC_v}MQy4`$Hy0*7}GIYV<&eR8AJt&}J%>KX&+mWk%%bA-tXf5W{dyKi>ZL!bl
znWFGCK7O4-ZMfHNSRQSHn#3GSgnB@sEFZ?e_2^1vPpqupMW#n~INClV>zGbod{&Ca
z7m|N}we*ya21c6l_YY#pCf%gSW@n>onQN*hr6uwu%jX>KK^r&ck%O_r*c~rx?s&y|
z=I+s}J)u2akP5mSP}3K2BP2iQ<RL_>-IB~zWLqQ%Xm%p|FSva1J*^W_6tv?mV&<yj
z8F%%Z<Kxepp@&uQP&779^mdDoWp>X82|&XU3Do=|r9@|cKl;Fl0n;k+-gUo6Ao$pu
z2(MG;{}fJ2-Gme3UK_O1q={#pa^nZ=upi<UE6-&P+1a2Is7j^(Kme3vqiac>)jhLe
zZ7-o{XSq+PX@os1@l&_n)p=S^tuTX-rUeywErjIt7BJo%_o;~QsThMG_66Rulhvhi
z37QE#e=#Tm_fHtDTsQbOizSDOz9+bSQCHdwCB>?!TGAv3@hV!^K6$tD(>@H}WN=li
zS7I<{ZF(N#%iZxjaJ@<x&&^+cojv(s%Y}fB7JIurHE^fOD=2NpR`S4xbfBI`m)^_^
z09#0NQl*OAIVx@6DS#PRi4@o*9lSWoV}`u51sitOKOlRry+13uSX;C4jH*__P#hX+
zu;4`KGA!rhlDywh|BgDcs2+dF4GAQy678Q+TGcwKTsa0dCFj^gz16p9D~6)k6D#*w
zb)s@d?OAf^7~3?YjfXl@P%nTk%?x=18I}g>w3W2M%2?QRAFQnuiWW}9P}lXW(tT0S
zg!;evem~0{myjj#-TfM<sKQOUv(Fz2GRKEzdY&(`HR{Qacw%~G7<c<?F7tt`b^IT@
zizm6;i7vTW5knxI^2u%$EsHU)qphavu`zbTt_AmD`-A(t`g68=_=g$?H(kjt`}qTl
z%XEJ+2|-mn%t^I3NP2S?8R>+~^UX0VKYM>%jTQsH@g8!dh3xb*68P+C-;me$jrwEC
zV-;;48WvRt4;B$?$BH);Dw~8eu4v2;iIPcly{U~pz!+?GVL6PDMt2x%3-6ff%>}X6
zLNUoiB%s<KS1cJ$iF40;dEj3pi=8TPh(#QS7d_&d4Keo!{#A`*{KFp@2_8hFa!}VC
zR-Qci<7#CUtM6bg|6VwrxvajeEf@SGlaR*z$ORfbrf*qCPvCHGBF_%G`0lLb!-y*6
z(u*4-I+8vaiBfh6jxg|Wbo=Nj$KBV3(TC~%wOE3xN2OLVngkAQB<AiZ(KwX>!>1%)
zewJv^6+Ew#bu3f1S?BoW6eL7<oBc@QFwwgi@=}BHRVLwN+?O;pxkk9_Y%Nz5)qQ@b
zvCxIH_4WiZc0bjm{cRDK*DdBS42pR3?Cf*rso7(P9BAO={Du}ZX1Fg1sy#(zsU@-@
zChoZFt@c0Y(?iyGF|(Xqrg60kYx#kNPj6O%8VP9xBuGkO&Si0<B}f75S$CClV;$Q_
zp2sdN3*n6DHg0dBG^QDzG#WMxjE3}9*I`$vSd99vqR^Rhrx!FO!~``Z>^z@|;IO=$
zLFAhW5#ZY2#X)zNLG?sVdz2EJOQ$gSO*aX+IokjqcG!$e>_l7YZE>GBNP&2np+{yb
z&SBnyVWODV`Q=Y*!8S+3VlZn3S?pJeJMaFfMhjhO?L&<0tajw~U+dlVfOnDrjiiGD
z6*9cL?wGp|Lei)CBSA#7#%45z&v)p+tsYAjC@6G!MFC?USFUPZY@|I5QpgChmS10{
z9FUXmQ~ZY@@&*0>Remk5E1q7-c$~1NB9#YXiuVY>UpSA)!oy;*a-(2lW$g&FvWMB&
zBCPkrtq#c5+{y}WWu@A5TmI_rzW`A&7cPaz|8D?E=(OQKsUGt<<z9Xy<mSHt;TA2U

literal 0
HcmV?d00001

diff --git a/learning/k8s-advanced/sec/overview.md b/learning/k8s-advanced/sec/overview.md
new file mode 100644
index 0000000..810be9f
--- /dev/null
+++ b/learning/k8s-advanced/sec/overview.md
@@ -0,0 +1,103 @@
+---
+layout: LearningLayout
+description: Kubernetes教程_本文面向集群管理员，概述了云原生安全的相关概念。
+meta:
+  - name: keywords
+    content: Kubernetes 教程,Cloud Native Security
+---
+
+# 云原生安全概述
+
+本文档主要参考了 Kubernetes 官方文档：[Overview of Cloud Native Security](https://kubernetes.io/docs/concepts/security/overview/)
+
+<AdSenseTitle/>
+
+本文概述了云原生环境中 Kubernetes 的安全需要考量的主要方面。
+
+## 云原生 4C 安全模型
+
+云原生 4C 安全模型，是指在四个层面上考虑云原生的安全：
+* Cloud（云或基础设施层）
+* Cluster（Kubernetes 集群层）
+* Container（容器层）
+* Code（代码层）
+
+如下图所示，云原生的每一层安全防护都是基于其外层防护之上的。没有Cloud层、Cluster层、Container层的安全防护，Code层的防护将形同虚设。因为，您在代码层所做的任何安全防护，都不能保护其外层（Cloud层、Cluster层、Container层）经受住安全入侵的攻击。
+
+![云原生 4C 安全模型](./overview.assets/4c.png)
+
+下面我们将逐个介绍每一层安全防护需要考量的内容。
+
+## Cloud 云或基础设施层安全
+
+通常，Kubernetes 集群都认为其所依赖的基础设施（云、服务器、或者企业的数据中心）是安全和可信的。如果基础本身不安全（或者没有进行合理的安全防护配置），将无法保证构建在其上的组件是安全的。每一个云供应商都给出了相关的安全建议。
+
+### 云安全
+
+如果您的 Kubernetes 集群运行在您自己的硬件上，您需要自行考虑基础设施层面的安全防护。下表给出了部分云供应商提供的安全文档：
+
+| IaaS 供应商  |  链接   |
+| ----------- | ----------- |
+| 阿里云       | [https://www.alibabacloud.com/trust-center](https://www.alibabacloud.com/trust-center)       |
+| 亚马逊云     | [https://aws.amazon.com/security/](https://aws.amazon.com/security/)        |
+| 微软 Azure   | [https://docs.microsoft.com/en-us/azure/security/azure-security](https://docs.microsoft.com/en-us/azure/security/azure-security)        |
+
+### 基础设施安全
+
+与 Kubernetes 相关的基础设施安全建议：
+
+| 关注点       |  建议        |
+| ----------- | ----------- |
+| APIServer的网络（控制节点） | 空直接点上所有端口都不应该暴露在互联网上 |
+| 节点的网络 | 工作节点的端口应该只允许接受来自控制节点的网络访问，同时可以暴露一些 Service 的节点端口。工作节点应该尽可能不暴露在公网上 |
+| ETCD的网络 | ETCD（Kubernetes的数据存储）应该只允许控制节点访问。尽可能使用 ETCD 的 TLS 连接（基于 kuboard-spray安装的集群已经确保了这一点）。更多信息请参考 [ETCD 文档](https://github.com/etcd-io/etcd/tree/master/Documentation) |
+| ETCD 加密 | 如果可能，尽量加密存储 etcd 数据所使用的磁盘 |
+
+## Cluster 集群层安全
+
+Kubernetes 集群的安全主要考虑如下两方面因素：
+* 集群组件的安全防护
+* 集群中运行的应用程序的安全防护
+
+### 集群的组件
+
+如果您希望保护您的集群组件以避免非法访问，请参考文档 [集群的安全防护](./secure-a-cluster)
+
+### 集群中应用的安全（您的应用程序）
+
+不同类型的应用程序可能会暴露不同的易受安全攻击的点，因此，您最好是有针对性地进行安全防护。例如：如果您在集群上运行了应用A和应用B，其中应用A是一个关键应用，而应用B很容易受到攻击而导致资源（CPU/内存）耗尽，在这种情况下，如果您不限制应用B的最大资源（CPU/内存）使用量，应用A也会被应用B所牵连。
+
+下表罗列了在 Kubernetes 集群中运行应用程序时应该主要关注的安全因素以及相关建议：
+
+| 关注点       |  建议       |
+| ----------- | ----------- |
+| 用户认证（API Server） | [用户认证概述](./authenticate/) |
+| RBAC授权（API Server） | [授权用户访问名称空间](./rbac/auth-namespace) |
+| 密文管理（以及存储加密） | [Secret概述](/learning/k8s-intermediate/config/secrets/)<br> [Encrypting Secret Data at Rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/) |
+| Pod Security Standards | [Pod Security Standards](./pss) |
+| Quality Of Service（集群资源管理） | [Configure Quality of Service for Pods](https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/) <br> [管理容器的计算资源](/learning/k8s-intermediate/config/computing-resource.html) |
+| Network Policies | [网络策略 Network Policies](/learning/k8s-intermediate/service/np.html) |
+| Ingress TLS | [为 Ingress 配置 HTTPS 证书](/learning/k8s-intermediate/service/ingress.html#实战-使用-ingress-访问-web-应用) |
+
+## Container 容器层安全
+
+本文档将不会展开容器安全的话题，下面是一些建议以及可以参考的链接：
+
+| 关注点       |  建议       |
+| ----------- | ----------- |
+| 容器安全扫描以及操作系统相关的安全性 | 在容器镜像的构建阶段，您应该对容器执行安全扫描，以便发现和修复已知的安全漏洞 |
+| 镜像签名 | 使用已签名的第三方容器镜像，以确保您使用的镜像来源是可靠的。 |
+| 避免使用 root 用户 | 在容器中使用非 root 用户，并避免过度授权 |
+<!-- | 使用安全隔离性更强的容器运行时配置 | 选择隔离性更好的 [container runtime class](https://kubernetes.io/docs/concepts/containers/runtime-class/) | -->
+
+## Code 代码层安全
+
+应用程序的代码是最容易受到攻击，同时也是您掌控面最大的地方。以下是一些建议：
+
+| 关注点       |  建议       |
+| ----------- | ----------- |
+| 使用 TLS    | 如果您的代码需要 TCP 通信，请使用 TLS 传输协议。 |
+| 减少通信端口 | 只暴露必须的服务通信端口或者性能信息采集端口 |
+| 第三方依赖安全性 | 定期扫描应用程序的第三方依赖库，以排除潜在的安全漏洞 |
+| 静态代码分析 | 执行代码安全扫描，以排除潜在的安全漏洞 |
+| 动态漏洞扫描 | 使用漏洞扫描工具发现可能的安全漏洞，例如 SQL注入、CSRF、XSS 等 |
\ No newline at end of file
diff --git a/learning/k8s-advanced/sec/psa.md b/learning/k8s-advanced/sec/psa.md
new file mode 100644
index 0000000..ec7c3ee
--- /dev/null
+++ b/learning/k8s-advanced/sec/psa.md
@@ -0,0 +1,11 @@
+---
+layout: LearningLayout
+description: Kubernetes教程_本文面向集群管理员，阐述 Pod Security Admission 的相关概念。
+meta:
+  - name: keywords
+    content: Kubernetes 教程,Pod Security Admission
+---
+
+# Pod Security Admission
+
+<AdSenseTitle/>
\ No newline at end of file
diff --git a/learning/k8s-advanced/sec/pss.md b/learning/k8s-advanced/sec/pss.md
new file mode 100644
index 0000000..5f6343a
--- /dev/null
+++ b/learning/k8s-advanced/sec/pss.md
@@ -0,0 +1,11 @@
+---
+layout: LearningLayout
+description: Kubernetes教程_本文面向集群管理员，阐述Pod Security Standards 的概念。
+meta:
+  - name: keywords
+    content: Kubernetes 教程,Pod Security Standards
+---
+
+# Pod Security Standards
+
+<AdSenseTitle/>
\ No newline at end of file
diff --git a/learning/k8s-advanced/sec/secure-a-cluster.md b/learning/k8s-advanced/sec/secure-a-cluster.md
new file mode 100644
index 0000000..005233f
--- /dev/null
+++ b/learning/k8s-advanced/sec/secure-a-cluster.md
@@ -0,0 +1,15 @@
+---
+layout: LearningLayout
+description: Kubernetes教程_本文面向集群管理员，概述了云原生安全的相关概念。
+meta:
+  - name: keywords
+    content: Kubernetes 教程,Secure a Cluster
+---
+
+# 集群的安全防护
+
+本文档主要参考了 Kubernetes 官方文档：[Securing a Cluster](https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/)
+
+<AdSenseTitle/>
+
+...文档待完善
\ No newline at end of file