kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[zh] resync page admission-controllers.

This commit is contained in:
zhuzhenghao 2023-02-27 22:07:35 +08:00
parent 88299991bd
commit 43d3ffa532
7 changed files with 61 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
content/zh-cn/docs/reference/access-authn-authz/_index.md
View File

@ -1,12 +1,12 @@
---
title: API 访问控制
weight: 15
weight: 30
no_list: true
---
<!--
title: API Access Control
weight: 15
weight: 30
no_list: true
-->
@ -40,21 +40,21 @@ Reference documentation:
- [Kubelet Authentication & Authorization](/docs/reference/access-authn-authz/kubelet-authn-authz/)
- including kubelet [TLS bootstrapping](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/)
-->
- [身份认证](/zh-cn/docs/reference/access-authn-authz/authentication/)
- [使用启动引导令牌来执行身份认证](/zh-cn/docs/reference/access-authn-authz/bootstrap-tokens/)
- [使用启动引导令牌来执行身份认证](/zh-cn/docs/reference/access-authn-authz/bootstrap-tokens/)
- [准入控制器](/zh-cn/docs/reference/access-authn-authz/admission-controllers/)
- [动态准入控制](/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/)
- [动态准入控制](/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/)
- [鉴权与授权](/zh-cn/docs/reference/access-authn-authz/authorization/)
- [基于角色的访问控制](/zh-cn/docs/reference/access-authn-authz/rbac/)
- [基于属性的访问控制](/zh-cn/docs/reference/access-authn-authz/abac/)
- [节点鉴权](/zh-cn/docs/reference/access-authn-authz/node/)
- [Webhook 鉴权](/zh-cn/docs/reference/access-authn-authz/webhook/)
- [基于角色的访问控制](/zh-cn/docs/reference/access-authn-authz/rbac/)
- [基于属性的访问控制](/zh-cn/docs/reference/access-authn-authz/abac/)
- [节点鉴权](/zh-cn/docs/reference/access-authn-authz/node/)
- [Webhook 鉴权](/zh-cn/docs/reference/access-authn-authz/webhook/)
- [证书签名请求](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/)
- 包含 [CSR 的批复](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/#approval-rejection)
和[证书签名](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/#signing)
- 包含 [CSR 的批复](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/#approval-rejection)
和[证书签名](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/#signing)
- 服务账号
- [开发者指南](/zh-cn/docs/tasks/configure-pod-container/configure-service-account/)
- [管理文档](/zh-cn/docs/reference/access-authn-authz/service-accounts-admin/)
- [Kubelet 认证和鉴权](/zh-cn/docs/reference/access-authn-authz/kubelet-authn-authz/)
- 包括 kubelet [TLS 启动引导](/zh-cn/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/)

44
content/zh-cn/docs/reference/access-authn-authz/admission-controllers.md
View File

@ -1041,9 +1041,9 @@ This file may be json or yaml and has the following format:
```yaml
podNodeSelectorPluginConfig:
clusterDefaultNodeSelector: name-of-node-selector
namespace1: name-of-node-selector
namespace2: name-of-node-selector
clusterDefaultNodeSelector: name-of-node-selector
namespace1: name-of-node-selector
namespace2: name-of-node-selector
```
<!--
@ -1123,36 +1123,26 @@ PodNodeSelector 允许 Pod 强制在特定标签的节点上运行。
{{< feature-state for_k8s_version="v1.25" state="stable" >}}
<!--
This is the replacement for the deprecated [PodSecurityPolicy](#podsecuritypolicy) admission controller
defined in the next section. This admission controller acts on creation and modification of the pod and
determines if it should be admitted based on the requested security context and the
[Pod Security Standards](/docs/concepts/security/pod-security-standards/).
See the [Pod Security Admission documentation](/docs/concepts/security/pod-security-admission/)
for more information.
The PodSecurity admission controller checks new Pods before they are
admitted, determines if it should be admitted based on the requested security context and the restrictions on permitted
[Pod Security Standards](/docs/concepts/security/pod-security-standards/)
for the namespace that the Pod would be in.
-->
这是下节所讨论的已被废弃的 [PodSecurityPolicy](#podsecuritypolicy) 准入控制器的替代品。
此准入控制器负责在创建和修改 Pod 时,根据请求的安全上下文和
[Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards/)来确定是否可以执行请求。
更多信息请参阅 [Pod 安全性准入控制器](/zh-cn/docs/concepts/security/pod-security-admission/)。
### PodSecurityPolicy {#podsecuritypolicy}
{{< feature-state for_k8s_version="v1.21" state="deprecated" >}}
PodSecurity 准入控制器在新 Pod 被准入之前对其进行检查,
根据请求的安全上下文和 Pod 所在命名空间允许的
[Pod 安全性标准](/zh/docs/concepts/security/pod-security-standards/)的限制来确定新 Pod
是否应该被准入。
<!--
This admission controller acts on creation and modification of the pod and determines if it should be admitted
based on the requested security context and the available Pod Security Policies.
See the [Pod Security Admission](/docs/concepts/security/pod-security-admission/)
documentation for more information.
-->
此准入控制器负责在创建和修改 Pod 时根据请求的安全上下文和可用的 Pod
安全策略确定是否可以执行请求。
更多信息请参阅 [Pod 安全性准入](/zh-cn/docs/concepts/security/pod-security-admission/)。
<!--
See also the [PodSecurityPolicy](/docs/concepts/security/pod-security-policy/) documentation
for more information.
PodSecurity replaced an older admission controller named PodSecurityPolicy.
-->
查看 [Pod 安全策略文档](/zh-cn/docs/concepts/security/pod-security-policy/)进一步了解其间细节
PodSecurity 取代了一个名为 PodSecurityPolicy 的旧准入控制器
### PodTolerationRestriction {#podtolerationrestriction}
@ -1364,7 +1354,7 @@ conditions.
### ValidatingAdmissionPolicy {#validatingadmissionpolicy}
<!--
[This admission controller](/docs/reference/access-authn-authz/validating-admission-policy/) implements the CEL validation for incoming matched requests.
[This admission controller](/docs/reference/access-authn-authz/validating-admission-policy/) implements the CEL validation for incoming matched requests.
It is enabled when both feature gate `validatingadmissionpolicy` and `admissionregistration.k8s.io/v1alpha1` group/version are enabled.
If any of the ValidatingAdmissionPolicy fails, the request fails.
-->

14
content/zh-cn/docs/reference/access-authn-authz/kubelet-tls-bootstrapping.md
View File

@ -140,8 +140,8 @@ In the bootstrap initialization process, the following occurs:
6. kubelet 现在拥有受限制的凭据来创建和取回证书签名请求CSR
7. kubelet 为自己创建一个 CSR并将其 signerName 设置为 `kubernetes.io/kube-apiserver-client-kubelet`
8. CSR 被以如下两种方式之一批复:
* 如果配置了kube-controller-manager 会自动批复该 CSR
* 如果配置了,一个外部进程,或者是人,使用 Kubernetes API 或者使用 `kubectl`
* 如果配置了kube-controller-manager 会自动批复该 CSR
* 如果配置了,一个外部进程,或者是人,使用 Kubernetes API 或者使用 `kubectl`
来批复该 CSR
9. kubelet 所需要的证书被创建
<!--
@ -271,7 +271,7 @@ of provisioning.
2. [令牌认证文件](#token-authentication-file)
<!--
Using Bootstrap tokens are a simpler and more easily managed method to authenticate kubelets, and do not require any additional flags when starting kube-apiserver.
Using bootstrap tokens is a simpler and more easily managed method to authenticate kubelets, and does not require any additional flags when starting kube-apiserver.
-->
启动引导令牌是一种对 kubelet 进行身份认证的方法,相对简单且容易管理,
且不需要在启动 kube-apiserver 时设置额外的标志。
@ -589,7 +589,7 @@ roleRef:
<!--
The `csrapproving` controller that ships as part of
[kube-controller-manager](/docs/admin/kube-controller-manager/) and is enabled
[kube-controller-manager](/docs/reference/command-line-tools-reference/kube-controller-manager/) and is enabled
by default. The controller uses the
[`SubjectAccessReview` API](/docs/reference/access-authn-authz/authorization/#checking-api-access) to
determine if a given user is authorized to request a CSR, then approves based on
@ -787,7 +787,7 @@ or pass the following command line argument to the kubelet (deprecated):
<!--
Enabling `RotateKubeletServerCertificate` causes the kubelet **both** to request a serving
certificate after bootstrapping its client credentials **and** to rotate that
certificate. To enable this behavior, use the field `serverTLSBootstrap` of
certificate. To enable this behavior, use the field `serverTLSBootstrap` of
the [kubelet configuration file](/docs/tasks/administer-cluster/kubelet-config-file/)
or pass the following command line argument to the kubelet (deprecated):
-->
@ -869,12 +869,12 @@ You have several options for generating these credentials:
<!--
## kubectl approval
CSRs can be approved outside of the approval flows builtin into the controller
CSRs can be approved outside of the approval flows built into the controller
manager.
-->
## kubectl 批复 {#kubectl-approval}
CSRs 可以在控制器管理其内置的批复工作流之外被批复。
CSR 可以在编译进控制器内部的批复工作流之外被批复。
<!--
The signing controller does not immediately sign all certificate requests.

22
content/zh-cn/docs/reference/glossary/service.md
View File

@ -28,18 +28,32 @@ tags:
---
-->
<!--
An abstract way to expose an application running on a set of {{< glossary_tooltip text="Pods" term_id="pod" >}} as a network service.
A method for exposing a network application that is running as one or more
{{< glossary_tooltip text="Pods" term_id="pod" >}} in your cluster.
-->
将运行在一组 {{< glossary_tooltip text="Pods" term_id="pod" >}} 上的应用程序公开为网络服务的抽象方法。
将运行在一个或一组 {{< glossary_tooltip text="Pod" term_id="pod" >}} 上的网络应用程序公开为网络服务的方法。
<!--more-->
<!--
The set of Pods targeted by a Service is (usually) determined by a {{< glossary_tooltip text="selector" term_id="selector" >}}. If more Pods are added or removed, the set of Pods matching the selector will change. The Service makes sure that network traffic can be directed to the current set of Pods for the workload.
The set of Pods targeted by a Service is (usually) determined by a
{{< glossary_tooltip text="selector" term_id="selector" >}}. If more Pods are added or removed,
the set of Pods matching the selector will change. The Service makes sure that network traffic
can be directed to the current set of Pods for the workload.
-->
服务所针对的 Pod 集(通常)由{{< glossary_tooltip text="选择算符" term_id="selector" >}}确定。
如果有 Pod 被添加或被删除,则与选择算符匹配的 Pod 集合将发生变化。
服务确保可以将网络流量定向到该工作负载的当前 Pod 集合。
<!--
Kubernetes Services either use IP networking (IPv4, IPv6, or both), or reference an external name in
the Domain Name System (DNS).
The Service abstraction enables other mechanisms, such as Ingress and Gateway.
-->
Kubernetes Service 要么使用 IP 网络IPv4、IPv6 或两者),要么引用位于域名系统 (DNS) 中的外部名称。
Service 的抽象可以实现其他机制,如 Ingress 和 Gateway。

5
content/zh-cn/docs/reference/kubectl/cheatsheet.md
View File

@ -72,12 +72,12 @@ echo '[[ $commands[kubectl] ]] && source <(kubectl completion zsh)' >> ~/.zshrc
```
<!--
### A Note on `--all-namespaces`
### A note on `--all-namespaces`
-->
### 关于 `--all-namespaces` 的一点说明 {#a-note-on-all-namespaces}
<!--
Appending `--all-namespaces` happens frequently enough where you should be aware of the shorthand for `--all-namespaces`:
Appending `--all-namespaces` happens frequently enough that you should be aware of the shorthand for `--all-namespaces`:
-->
我们经常用到 `--all-namespaces` 参数,你应该要知道它的简写:
@ -178,6 +178,7 @@ alias kn='f() { [ "$1" ] && kubectl config set-context --current --namespace $1
<!--
## Kubectl apply
`apply` manages applications through files defining Kubernetes resources. It creates and updates resources in a cluster through running `kubectl apply`. This is the recommended way of managing Kubernetes applications on production. See [Kubectl Book](https://kubectl.docs.kubernetes.io).
-->
## Kubectl apply

2
content/zh-cn/docs/reference/kubectl/docker-cli-to-kubectl.md
View File

@ -1,6 +1,7 @@
---
title: 适用于 Docker 用户的 kubectl
content_type: concept
weight: 50
---
<!--
title: kubectl for Docker Users
@ -8,6 +9,7 @@ content_type: concept
reviewers:
- brendandburns
- thockin
weight: 50
-->
<!-- overview -->

6
content/zh-cn/docs/reference/using-api/_index.md
View File

@ -1,7 +1,7 @@
---
title: API 概述
content_type: concept
weight: 10
weight: 20
no_list: true
card:
name: reference
@ -16,7 +16,7 @@ reviewers:
- lavalamp
- jbeda
content_type: concept
weight: 10
weight: 20
no_list: true
card:
name: reference
@ -218,7 +218,7 @@ part is omitted, it is treated as if `=true` is specified. For example:
- to disable `batch/v1`, set `--runtime-config=batch/v1=false`
- to enable `batch/v2alpha1`, set `--runtime-config=batch/v2alpha1`
- to enable a specific version of an API, such as `storage.k8s.io/v1beta1/csistoragecapacities`, set `--runtime-config=storage.k8s.io/v1beta1/csistoragecapacities`
- to enable a specific version of an API, such as `storage.k8s.io/v1beta1/csistoragecapacities`, set `--runtime-config=storage.k8s.io/v1beta1/csistoragecapacities`
-->
## 启用或禁用 API 组 {#enabling-or-disabling}