diff --git a/content/zh/docs/reference/access-authn-authz/admission-controllers.md b/content/zh/docs/reference/access-authn-authz/admission-controllers.md
index e1fedb1033..893d1891d5 100644
--- a/content/zh/docs/reference/access-authn-authz/admission-controllers.md
+++ b/content/zh/docs/reference/access-authn-authz/admission-controllers.md
@@ -207,6 +207,55 @@ Rejects all requests. AlwaysDeny is DEPRECATED as no real meaning.
 -->
 拒绝所有的请求。由于没有实际意义，已废弃。
 
+### CertificateApproval
+
+<!--
+This admission controller observes requests to 'approve' CertificateSigningRequest resources
+and performs additional authorization checks to ensure the approving user has permission 
+to approve certificate requests with the spec.signerName requested on the CertificateSigningRequest resource.
+-->
+
+此准入控制器获取“审批” CertificateSigningRequest 资源的请求并执行额外的授权检查，
+以确保审批请求的用户有权限审批 `spec.signerName` 请求 CertificateSigningRequest 资源的证书请求。
+
+<!--
+See Certificate Signing Requests for more information on the permissions required 
+to perform different actions on CertificateSigningRequest resources.
+-->
+
+有关对证书签名请求资源执行不同操作所需权限的详细信息，
+请参阅[证书签名请求](/docs/reference/access-authn-authz/certificate-signing-requests/)
+
+### CertificateSigning
+
+<!--
+This admission controller observes updates to the status.certificate field of CertificateSigningRequest resources 
+and performs an additional authorization checks to ensure the signing user has permission 
+to sign certificate requests with the spec.signerName requested on the CertificateSigningRequest resource.
+-->
+
+此准入控制器获取 CertificateSigningRequest 资源的 `status.certificate` 字段更新请求并执行额外的授权检查，
+以确保签发证书的用户有权限为 `spec.signerName` 请求 CertificateSigningRequest 资源的证书请求`签发`证书。
+
+<!--
+See Certificate Signing Requests for more information on the permissions required 
+to perform different actions on CertificateSigningRequest resources.
+-->
+
+有关对证书签名请求资源执行不同操作所需权限的详细信息，
+请参阅[证书签名请求](/docs/reference/access-authn-authz/certificate-signing-requests/)
+
+### CertificateSubjectRestrictions 
+
+<!--
+This admission controller observes creation of CertificateSigningRequest resources 
+that have a spec.signerName of kubernetes.io/kube-apiserver-client. It rejects any request 
+that specifies a 'group' (or 'organization attribute') of system:masters.
+-->
+
+此准入控制器获取具有 `kubernetes.io/kube-apiserver-client` 的 `spec.signerName` 的 CertificateSigningRequest 资源创建请求，
+它拒绝任何包含了 `system:masters` 一个“组”（或者“组织”）的请求。
+
 ### DefaultStorageClass {#defaultstorageclass}
 
 <!--