[zh] resync page admission-controllers.

2023-02-27 22:07:35 +08:00 · 2023-02-27 22:07:35 +08:00 · 43d3ffa532
parent 88299991bd
commit 43d3ffa532
7 changed files with 61 additions and 54 deletions
--- a/content/zh-cn/docs/reference/access-authn-authz/_index.md
+++ b/content/zh-cn/docs/reference/access-authn-authz/_index.md
@ -1,12 +1,12 @@
 ---
 title: API 访问控制
-weight: 15
+weight: 30
 no_list: true
 ---
 <!--
 title: API Access Control
-weight: 15
+weight: 30
 no_list: true
 -->
@ -40,6 +40,7 @@ Reference documentation:
 - [Kubelet Authentication & Authorization](/docs/reference/access-authn-authz/kubelet-authn-authz/)
  - including kubelet [TLS bootstrapping](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/)
 -->
 - [身份认证](/zh-cn/docs/reference/access-authn-authz/authentication/)
  - [使用启动引导令牌来执行身份认证](/zh-cn/docs/reference/access-authn-authz/bootstrap-tokens/)
 - [准入控制器](/zh-cn/docs/reference/access-authn-authz/admission-controllers/)
@ -57,4 +58,3 @@ Reference documentation:
  - [管理文档](/zh-cn/docs/reference/access-authn-authz/service-accounts-admin/)
 - [Kubelet 认证和鉴权](/zh-cn/docs/reference/access-authn-authz/kubelet-authn-authz/)
  - 包括 kubelet [TLS 启动引导](/zh-cn/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/)
--- a/content/zh-cn/docs/reference/access-authn-authz/admission-controllers.md
+++ b/content/zh-cn/docs/reference/access-authn-authz/admission-controllers.md
@ -1123,36 +1123,26 @@ PodNodeSelector 允许 Pod 强制在特定标签的节点上运行。
 {{< feature-state for_k8s_version="v1.25" state="stable" >}}
 <!--
-This is the replacement for the deprecated [PodSecurityPolicy](#podsecuritypolicy) admission controller
+The PodSecurity admission controller checks new Pods before they are
-defined in the next section. This admission controller acts on creation and modification of the pod and
+admitted, determines if it should be admitted based on the requested security context and the restrictions on permitted
-determines if it should be admitted based on the requested security context and the 
+[Pod Security Standards](/docs/concepts/security/pod-security-standards/)
-[Pod Security Standards](/docs/concepts/security/pod-security-standards/).
+for the namespace that the Pod would be in.
 See the [Pod Security Admission documentation](/docs/concepts/security/pod-security-admission/)
 for more information.
 -->
-这是下节所讨论的已被废弃的 [PodSecurityPolicy](#podsecuritypolicy) 准入控制器的替代品。
+PodSecurity 准入控制器在新 Pod 被准入之前对其进行检查，
-此准入控制器负责在创建和修改 Pod 时，根据请求的安全上下文和
+根据请求的安全上下文和 Pod 所在命名空间允许的
-[Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards/)来确定是否可以执行请求。
+[Pod 安全性标准](/zh/docs/concepts/security/pod-security-standards/)的限制来确定新 Pod
-
+是否应该被准入。
 更多信息请参阅 [Pod 安全性准入控制器](/zh-cn/docs/concepts/security/pod-security-admission/)。
 ### PodSecurityPolicy {#podsecuritypolicy}
 {{< feature-state for_k8s_version="v1.21" state="deprecated" >}}
 <!--
-This admission controller acts on creation and modification of the pod and determines if it should be admitted
+See the [Pod Security Admission](/docs/concepts/security/pod-security-admission/)
-based on the requested security context and the available Pod Security Policies.
+documentation for more information.
 -->
-此准入控制器负责在创建和修改 Pod 时根据请求的安全上下文和可用的 Pod
+更多信息请参阅 [Pod 安全性准入](/zh-cn/docs/concepts/security/pod-security-admission/)。
 安全策略确定是否可以执行请求。
 <!--
-See also the [PodSecurityPolicy](/docs/concepts/security/pod-security-policy/) documentation
+PodSecurity replaced an older admission controller named PodSecurityPolicy.
 for more information.
 -->
-查看 [Pod 安全策略文档](/zh-cn/docs/concepts/security/pod-security-policy/)进一步了解其间细节。
+PodSecurity 取代了一个名为 PodSecurityPolicy 的旧准入控制器。
 ### PodTolerationRestriction {#podtolerationrestriction}
--- a/content/zh-cn/docs/reference/access-authn-authz/kubelet-tls-bootstrapping.md
+++ b/content/zh-cn/docs/reference/access-authn-authz/kubelet-tls-bootstrapping.md
@ -271,7 +271,7 @@ of provisioning.
 2. [令牌认证文件](#token-authentication-file)
 <!--
-Using Bootstrap tokens are a simpler and more easily managed method to authenticate kubelets, and do not require any additional flags when starting kube-apiserver.
+Using bootstrap tokens is a simpler and more easily managed method to authenticate kubelets, and does not require any additional flags when starting kube-apiserver.
 -->
 启动引导令牌是一种对 kubelet 进行身份认证的方法，相对简单且容易管理，
 且不需要在启动 kube-apiserver 时设置额外的标志。
@ -589,7 +589,7 @@ roleRef:
 <!--
 The `csrapproving` controller that ships as part of
-[kube-controller-manager](/docs/admin/kube-controller-manager/) and is enabled
+[kube-controller-manager](/docs/reference/command-line-tools-reference/kube-controller-manager/) and is enabled
 by default. The controller uses the
 [`SubjectAccessReview` API](/docs/reference/access-authn-authz/authorization/#checking-api-access) to
 determine if a given user is authorized to request a CSR, then approves based on
@ -869,12 +869,12 @@ You have several options for generating these credentials:
 <!--
 ## kubectl approval
-CSRs can be approved outside of the approval flows builtin into the controller
+CSRs can be approved outside of the approval flows built into the controller
 manager.
 -->
 ## kubectl 批复    {#kubectl-approval}
-CSRs 可以在控制器管理其内置的批复工作流之外被批复。
+CSR 可以在编译进控制器内部的批复工作流之外被批复。
 <!--
 The signing controller does not immediately sign all certificate requests.
--- a/content/zh-cn/docs/reference/glossary/service.md
+++ b/content/zh-cn/docs/reference/glossary/service.md
@ -28,18 +28,32 @@ tags:
 ---
 -->
 <!--
-An abstract way to expose an application running on a set of {{< glossary_tooltip text="Pods" term_id="pod" >}} as a network service.
+A method for exposing a network application that is running as one or more
 {{< glossary_tooltip text="Pods" term_id="pod" >}} in your cluster.
 -->
-将运行在一组 {{< glossary_tooltip text="Pods" term_id="pod" >}} 上的应用程序公开为网络服务的抽象方法。
+将运行在一个或一组 {{< glossary_tooltip text="Pod" term_id="pod" >}} 上的网络应用程序公开为网络服务的方法。
 <!--more-->
 <!--
- The set of Pods targeted by a Service is (usually) determined by a {{< glossary_tooltip text="selector" term_id="selector" >}}. If more Pods are added or removed, the set of Pods matching the selector will change. The Service makes sure that network traffic can be directed to the current set of Pods for the workload.
+The set of Pods targeted by a Service is (usually) determined by a
 {{< glossary_tooltip text="selector" term_id="selector" >}}. If more Pods are added or removed,
 the set of Pods matching the selector will change. The Service makes sure that network traffic
 can be directed to the current set of Pods for the workload.
 -->
 服务所针对的 Pod 集（通常）由{{< glossary_tooltip text="选择算符" term_id="selector" >}}确定。
 如果有 Pod 被添加或被删除，则与选择算符匹配的 Pod 集合将发生变化。
 服务确保可以将网络流量定向到该工作负载的当前 Pod 集合。
 <!--
 Kubernetes Services either use IP networking (IPv4, IPv6, or both), or reference an external name in
 the Domain Name System (DNS).
 The Service abstraction enables other mechanisms, such as Ingress and Gateway.
 -->
 Kubernetes Service 要么使用 IP 网络（IPv4、IPv6 或两者），要么引用位于域名系统 (DNS) 中的外部名称。
 Service 的抽象可以实现其他机制，如 Ingress 和 Gateway。
--- a/content/zh-cn/docs/reference/kubectl/cheatsheet.md
+++ b/content/zh-cn/docs/reference/kubectl/cheatsheet.md
@ -72,12 +72,12 @@ echo '[[ $commands[kubectl] ]] && source <(kubectl completion zsh)' >> ~/.zshrc
 ```
 <!--
-### A Note on `--all-namespaces`
+### A note on `--all-namespaces`
 -->
 ### 关于 `--all-namespaces` 的一点说明    {#a-note-on-all-namespaces}
 <!--
-Appending `--all-namespaces` happens frequently enough where you should be aware of the shorthand for `--all-namespaces`:
+Appending `--all-namespaces` happens frequently enough that you should be aware of the shorthand for `--all-namespaces`:
 -->
 我们经常用到 `--all-namespaces` 参数，你应该要知道它的简写：
@ -178,6 +178,7 @@ alias kn='f() { [ "$1" ] && kubectl config set-context --current --namespace $1
 <!--
 ## Kubectl apply
 `apply` manages applications through files defining Kubernetes resources. It creates and updates resources in a cluster through running `kubectl apply`. This is the recommended way of managing Kubernetes applications on production. See [Kubectl Book](https://kubectl.docs.kubernetes.io).
 -->
 ## Kubectl apply
--- a/content/zh-cn/docs/reference/kubectl/docker-cli-to-kubectl.md
+++ b/content/zh-cn/docs/reference/kubectl/docker-cli-to-kubectl.md
@ -1,6 +1,7 @@
 ---
 title: 适用于 Docker 用户的 kubectl
 content_type: concept
 weight: 50
 ---
 <!--
 title: kubectl for Docker Users
@ -8,6 +9,7 @@ content_type: concept
 reviewers:
 - brendandburns
 - thockin
 weight: 50
 -->
 <!-- overview -->
--- a/content/zh-cn/docs/reference/using-api/_index.md
+++ b/content/zh-cn/docs/reference/using-api/_index.md
@ -1,7 +1,7 @@
 ---
 title: API 概述
 content_type: concept
-weight: 10
+weight: 20
 no_list: true
 card:
  name: reference
@ -16,7 +16,7 @@ reviewers:
 - lavalamp
 - jbeda
 content_type: concept
-weight: 10
+weight: 20
 no_list: true
 card:
  name: reference