Prune a few things that shouldn't have been in the dictionary. (#3622)

2019-03-11 11:35:52 -07:00 · 2019-03-11 11:35:52 -07:00 · fbd2b162fb
parent 13078d97cd
commit fbd2b162fb
12 changed files with 28 additions and 34 deletions
--- a/.spelling
+++ b/.spelling
@ -81,7 +81,6 @@ base64
 BigQuery
 bitpipe
 BluePerf
-BluePerf
 boilerplates
 Bookinfo
 boolean
@ -206,7 +205,6 @@ HTTP2
 http2
 httpbin
 httpbin.org
-httpReqTimeout
 https
 hyperkube
 Hystrix
@ -276,9 +274,7 @@ macOS
 Mandar
 Manolache
 memcached
-memcached
 memcached-2's
-memquota
 MeshPolicy
 Mesos
 mesos-dns
@ -293,14 +289,11 @@ misconfigured
 misordered
 MongoDB
 mongodb
-MSG_PEEK
 Multicloud
 multicloud
 Multicluster
 multicluster
-mutatingwebhookconfiguration
 mutual-tls
-mTLS
 myapp
 MySQL
 mysql
@ -425,7 +418,8 @@ SLOs
 Snell-Feikema
 SNI
 SolarWinds
-spiffe
+SPIFFE
+SPIFFE-compliant
 SREs
 Stackdriver
 Statsd
--- a/content/docs/concepts/security/index.md
+++ b/content/docs/concepts/security/index.md
@ -92,7 +92,7 @@ across heterogeneous environments.

 Istio and SPIFFE share the same identity document: [SVID](https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md) (SPIFFE Verifiable Identity Document).
 For example, in Kubernetes, the X.509 certificate has the URI field in the format of
-"spiffe://\<domain\>/ns/\<namespace\>/sa/\<serviceaccount\>".
+`spiffe://\<domain\>/ns/\<namespace\>/sa/\<serviceaccount\>`.
 This enables Istio services to establish and accept connections with other SPIFFE-compliant systems.

 Istio security and [SPIRE](https://spiffe.io/spire/), which is the implementation of SPIFFE, differ in the PKI implementation details.
--- a/content/docs/examples/multicluster/gateways/index.md
+++ b/content/docs/examples/multicluster/gateways/index.md
@ -117,7 +117,7 @@ running in a second cluster.

    The configurations above will result in all traffic in `cluster1` for
    `httpbin.bar.global` on *any port* to be routed to the endpoint
-    `<IPofCluster2IngressGateway>:15443` over an mTLS connection.
+    `<IPofCluster2IngressGateway>:15443` over a mutual TLS connection.

    The gateway for port 15443 is a special SNI-aware Envoy
    preconfigured and installed as part of the multicluster Istio installation step
--- a/content/docs/setup/kubernetes/additional-setup/sidecar-injection/index.md
+++ b/content/docs/setup/kubernetes/additional-setup/sidecar-injection/index.md
@ -169,7 +169,7 @@ with `kubectl edit mutatingwebhookconfiguration
 istio-sidecar-injector`.

 {{< warning >}}
-The sidecar injector pod(s) should be restarted after modifying the mutatingwebhookconfiguration.
+The sidecar injector pod(s) should be restarted after modifying the `mutatingwebhookconfiguration`.
 {{< /warning >}}

 The `istio-sidecar-injector` ConfigMap in the `istio-system` namespace has the default
--- a/content/docs/setup/kubernetes/install/kubernetes/index.md
+++ b/content/docs/setup/kubernetes/install/kubernetes/index.md
@ -55,7 +55,7 @@ This permits customization of Istio to operator specific requirements.
 {{< tabset cookie-name="profile" >}}

 {{% tab name="permissive mTLS" cookie-value="permissive" %}}
-When using the mTLS permissive mode, all services accept both plain text and
+When using the permissive mutual TLS mode, all services accept both plain text and
 mutual TLS traffic. Clients send plain text traffic unless configured for
 [mutual migration](/docs/tasks/security/mtls-migration/#configure-clients-to-send-mutual-tls-traffic).
 Visit our [mutual TLS permissive mode page](/docs/concepts/security/#permissive-mode)
@ -188,7 +188,7 @@ The uninstall deletes the RBAC permissions, the `istio-system` namespace, and
 all resources hierarchically under it. It is safe to ignore errors for
 non-existent resources because they may have been deleted hierarchically.

-* Uninstall the `demo profile` corresponding to the mTLS mode you enabled:
+* Uninstall the `demo profile` corresponding to the mutual TLS mode you enabled:

 {{< tabset cookie-name="profile" >}}

--- a/content/docs/tasks/policy-enforcement/rate-limiting/index.md
+++ b/content/docs/tasks/policy-enforcement/rate-limiting/index.md
@ -52,10 +52,10 @@ so the configuration to enable rate limiting on both adapters is the same.
        * `QuotaSpecBinding` conditionally associates `QuotaSpec` with one or more services.
    * Mixer Side
        * `quota instance` defines how quota is dimensioned by Mixer.
-        * `memquota adapter` defines memquota adapter configuration.
-        * `quota rule` defines when quota instance is dispatched to the memquota adapter.
+        * `memquota adapter` defines `memquota` adapter configuration.
+        * `quota rule` defines when quota instance is dispatched to the `memquota` adapter.

-    Run the following command to enable rate limits using memquota:
+    Run the following command to enable rate limits using `memquota`:

    {{< text bash >}}
    $ kubectl apply -f @samples/bookinfo/policy/mixer-rule-productpage-ratelimit.yaml@
--- a/content/docs/tasks/security/plugin-ca-cert/index.md
+++ b/content/docs/tasks/security/plugin-ca-cert/index.md
@ -16,14 +16,14 @@ operator-specified root certificate. This task demonstrates an example to plug c
 * Set up Istio by following the instructions in the
 [quick start](/docs/setup/kubernetes/install/kubernetes/) with global mutual TLS enabled:

-  Follow the [installation instructions](/docs/setup/kubernetes/install/kubernetes/#installation-steps) install Istio with the **strict mTLS mode** enabled.
+  Follow the [installation instructions](/docs/setup/kubernetes/install/kubernetes/#installation-steps) install Istio with the **strict mutual TLS mode** enabled.

  _**OR**_

  Using [Helm](/docs/setup/kubernetes/install/helm/) with mutual TLS enabled.

 {{< tip >}}
-Starting with Istio 0.7, you can use [authentication policy](/docs/concepts/security/#authentication-policies) to configure mutual TLS for all/selected services in a namespace (repeated for all namespaces to get global setting). See [authentication policy task](/docs/tasks/security/authn-policy/)
+You can use [authentication policy](/docs/concepts/security/#authentication-policies) to configure mutual TLS for all/selected services in a namespace (repeated for all namespaces to get global setting). See [authentication policy task](/docs/tasks/security/authn-policy/)
 {{< /tip >}}

 ## Plugging in the existing certificate and key
--- a/content/help/ops/setup/injection/index.md
+++ b/content/help/ops/setup/injection/index.md
@ -167,7 +167,7 @@ Warning  FailedCreate  3m (x17 over 8m)  replicaset-controller  Error creating:
 `x509: certificate signed by unknown authority` errors are typically
 caused by an empty `caBundle` in the webhook configuration.

-Verify the `caBundle` in the mutatingwebhookconfiguration matches the
+Verify the `caBundle` in the `mutatingwebhookconfiguration` matches the
   root certificate mounted in the `istio-sidecar-injector` pod.

 {{< text bash >}}
--- a/content_zh/docs/reference/commands/sidecar-injector/index.md
+++ b/content_zh/docs/reference/commands/sidecar-injector/index.md
@ -32,7 +32,7 @@ $ sidecar-injector [选项]
 | `--port <int>`                     | Webhook 端口（默认为 `443`）                                 |
 | `--tlsCertFile <string>`           | HTTPS x509 证书文件（默认为 `/etc/istio/certs/cert-chain.pem`） |
 | `--tlsKeyFile <string>`            | 和 `--tlsCertFile` 匹配的 x509 私钥文件（默认为 `/etc/istio/certs/key.pem`） |
-| `--webhookConfigName <string>`     | Kubernetes mutatingwebhookconfiguration 资源名（默认为 `istio-sidecar-injector`） |
+| `--webhookConfigName <string>`     | Kubernetes `mutatingwebhookconfiguration` 资源名（默认为 `istio-sidecar-injector`） |
 | `--webhookName <string>`           | webhook 配置中 webhook 项名（默认为 `sidecar-injector.istio.io`） |

 ## sidecar-injector probe
@ -65,7 +65,7 @@ $ sidecar-injector probe [选项]
 | `--probe-path <string>`            | 检查可用性的文件路径（默认为 `''`）                          |
 | `--tlsCertFile <string>`           | HTTPS x509 证书文件（默认为 `/etc/istio/certs/cert-chain.pem`） |
 | `--tlsKeyFile <string>`            | 和 `--tlsCertFile` 匹配的 x509 私钥文件（默认为 `/etc/istio/certs/key.pem`） |
-| `--webhookConfigName <string>`     | Kubernetes mutatingwebhookconfiguration 资源名（默认为 `istio-sidecar-injector`） |
+| `--webhookConfigName <string>`     | Kubernetes `mutatingwebhookconfiguration` 资源名（默认为 `istio-sidecar-injector`） |
 | `--webhookName <string>`           | webhook 配置中 webhook 项名（默认为 `sidecar-injector.istio.io`） |

 ## sidecar-injector version
@ -97,5 +97,5 @@ $ sidecar-injector version [选项]
 | `--short`                          | `-s` | 显示版本信息的短格式                                         |
 | `--tlsCertFile <string>`           |      | HTTPS x509 证书文件（默认为 `/etc/istio/certs/cert-chain.pem`） |
 | `--tlsKeyFile <string>`            |      | 和 `--tlsCertFile` 匹配的 x509 私钥文件（默认为 `/etc/istio/certs/key.pem`） |
-| `--webhookConfigName <string>`     |      | Kubernetes mutatingwebhookconfiguration 资源名（默认为 `istio-sidecar-injector`） |
+| `--webhookConfigName <string>`     |      | Kubernetes `mutatingwebhookconfiguration` 资源名（默认为 `istio-sidecar-injector`） |
 | `--webhookName <string>`           |      | webhook 配置中，webhook 项的名字（默认为 `sidecar-injector.istio.io`） |
--- a/content_zh/docs/setup/kubernetes/additional-setup/sidecar-injection/index.md
+++ b/content_zh/docs/setup/kubernetes/additional-setup/sidecar-injection/index.md
@ -142,7 +142,7 @@ sleep-776b7bcdcd-gmvnr   1/1       Running       0          2s
 被 Kubernetes 调用 Webhook 时，[admissionregistration.k8s.io/v1beta1#MutatingWebhookConfiguration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#mutatingwebhookconfiguration-v1beta1-admissionregistration-k8s-io) 会进行配置。Istio 提供的缺省配置，会在带有 `istio-injection=enabled` 标签的命名空间中选择 Pod。使用 `kubectl edit mutatingwebhookconfiguration istio-sidecar-injector` 命令可以编辑目标命名空间的范围。

 {{< warning >}}
-修改 mutatingwebhookconfiguration 之后，应该重新启动已经被注入 Sidecar 的 Pod。
+修改 `mutatingwebhookconfiguration` 之后，应该重新启动已经被注入 Sidecar 的 Pod。
 {{< /warning >}}

 `istio-system` 命名空间中的 ConfigMap `istio-sidecar-injector` 中包含了缺省的注入策略以及 Sidecar 的注入模板。
--- a/content_zh/docs/setup/kubernetes/install/kubernetes/index.md
+++ b/content_zh/docs/setup/kubernetes/install/kubernetes/index.md
@ -44,9 +44,9 @@ keywords: [kubernetes]

 {{< tabset cookie-name="profile" >}}

-{{% tab name="宽容模式的 mTLS" cookie-value="permissive" %}}
+{{% tab name="宽容模式的 mutual TLS" cookie-value="permissive" %}}

-如果使用 mTLS 的宽容模式，所有的服务会同时允许明文和双向 TLS 的流量。在没有明确[配置客户端进行双向 TLS 通信](/zh/docs/tasks/security/mtls-migration/#配置客户端进行双向-tls-通信)的情况下，客户端会发送明文流量。可以进一步阅读了解[双向 TLS 中的宽容模式](/docs/concepts/security/#permissive-mode)的相关内容。
+如果使用 mutual TLS 的宽容模式，所有的服务会同时允许明文和双向 TLS 的流量。在没有明确[配置客户端进行双向 TLS 通信](/zh/docs/tasks/security/mtls-migration/#配置客户端进行双向-tls-通信)的情况下，客户端会发送明文流量。可以进一步阅读了解[双向 TLS 中的宽容模式](/docs/concepts/security/#permissive-mode)的相关内容。

 这种方式的适用场景：

@ -64,7 +64,7 @@ $ kubectl apply -f install/kubernetes/istio-demo.yaml

 {{% /tab %}}

-{{% tab name="严格模式的 mTLS" cookie-value="strict" %}}
+{{% tab name="严格模式的 mutual TLS" cookie-value="strict" %}}
 这种方案会在所有的客户端和服务器之间使用
 [双向 TLS](/zh/docs/concepts/security/#双向-tls-认证)。

@ -146,11 +146,11 @@ $ istioctl kube-inject -f <your-app-spec>.yaml | kubectl apply -f -

 删除 RBAC 权限、`istio-system` 命名空间及其所有资源。因为有些资源会被级联删除，因此会出现一些无法找到资源的提示，可以忽略。

-* 根据启用的 mTLS 模式进行删除：
+* 根据启用的 mutual TLS 模式进行删除：

 {{< tabset cookie-name="profile" >}}

-{{% tab name="宽容模式的 mTLS" cookie-value="permissive" %}}
+{{% tab name="宽容模式的 mutual TLS" cookie-value="permissive" %}}

 {{< text bash >}}
 $ kubectl delete -f install/kubernetes/istio-demo.yaml
@ -158,7 +158,7 @@ $ kubectl delete -f install/kubernetes/istio-demo.yaml

 {{% /tab %}}

-{{% tab name="严格模式的 mTLS" cookie-value="strict" %}}
+{{% tab name="严格模式的 mutual TLS" cookie-value="strict" %}}

 {{< text bash >}}
 $ kubectl delete -f install/kubernetes/istio-demo-auth.yaml
--- a/content_zh/docs/tasks/policy-enforcement/rate-limiting/index.md
+++ b/content_zh/docs/tasks/policy-enforcement/rate-limiting/index.md
@ -31,7 +31,7 @@ keywords: [policies,quotas]

 在此任务中，您将 Istio 配置为根据 IP 地址将流量限制到访问 `productpage` 的用户。您将使用 `X-Forwarded-For` 请求 http header 作为客户端 IP 地址。您还将使用免除登录用户的条件速率限制。

-为方便起见，您可以配置 [memquota](/zh/docs/reference/config/policy-and-telemetry/adapters/memquota/) 适配器启用速率限制。但是，在生产系统上，你需要 [`Redis`](http://redis.io/) ，然后配置 [`redisquota`](/zh/docs/reference/config/policy-and-telemetry/adapters/redisquota/) 适配器。 `memquota` 和 `redisquota` 适配器都支持 [quota template](/zh/docs/reference/config/policy-and-telemetry/templates/quota/)，因此，在两个适配器上启用速率限制的配置是相同的。
+为方便起见，您可以配置 [`memquota`](/zh/docs/reference/config/policy-and-telemetry/adapters/memquota/) 适配器启用速率限制。但是，在生产系统上，你需要 [`Redis`](http://redis.io/) ，然后配置 [`redisquota`](/zh/docs/reference/config/policy-and-telemetry/adapters/redisquota/) 适配器。 `memquota` 和 `redisquota` 适配器都支持 [quota template](/zh/docs/reference/config/policy-and-telemetry/templates/quota/)，因此，在两个适配器上启用速率限制的配置是相同的。

 1. 速率限制配置分为两部分。
    * 客户端
@ -39,10 +39,10 @@ keywords: [policies,quotas]
        * `QuotaSpecBinding` 有条件地将 `QuotaSpec` 与一个或多个服务相关联。
    * Mixer 端
        * `quota instance` 定义了 Mixer 如何确定配额的大小。
-        * `memquota adapter` 定义了 memquota 适配器配置。
-        * `quota rule` 定义何时将配额实例分派给 memquota 适配器。
+        * `memquota adapter` 定义了 `memquota` 适配器配置。
+        * `quota rule` 定义何时将配额实例分派给 `memquota` 适配器。

-    运行以下命令以使用 memquota 启用速率限制：
+    运行以下命令以使用 `memquota` 启用速率限制：

    {{< text bash >}}
    $ kubectl apply -f @samples/bookinfo/policy/mixer-rule-productpage-ratelimit.yaml@
@ -338,7 +338,7 @@ spec:

 `memquota` 适配器使用一个为亚秒级分辨率的滑动窗口来实现速率限制。

-适配器配置中的 `maxAmount` 设置了关联到 Quota 实例中的所有计数器的缺省限制。如果所有 `overrides` 条目都无法匹配到一个请求，就只能使用 `maxAmount` 限制了。Memquota 会选择适合请求的第一条 `override`。`override` 条目无需定义所有 quota dimension， 例如例子中的 `0.2 qps` 条目在 4 条 quota dimensions 中只选用了三条。
+适配器配置中的 `maxAmount` 设置了关联到 Quota 实例中的所有计数器的缺省限制。如果所有 `overrides` 条目都无法匹配到一个请求，就只能使用 `maxAmount` 限制了。`memquota` 会选择适合请求的第一条 `override`。`override` 条目无需定义所有 quota dimension， 例如例子中的 `0.2 qps` 条目在 4 条 quota dimensions 中只选用了三条。

 如果要把上面的策略应用到某个命名空间而非整个 Istio 网格，可以把所有 `istio-system` 替换成为给定的命名空间。