[zh] resync page admission-controllers.
This commit is contained in:
zhuzhenghao
parent
88299991bd
commit
43d3ffa532
|
|
@ -1,12 +1,12 @@
|
|||
---
|
||||
title: API 访问控制
|
||||
weight: 15
|
||||
weight: 30
|
||||
no_list: true
|
||||
---
|
||||
|
||||
<!--
|
||||
title: API Access Control
|
||||
weight: 15
|
||||
weight: 30
|
||||
no_list: true
|
||||
-->
|
||||
|
||||
|
|
@ -40,6 +40,7 @@ Reference documentation:
|
|||
- [Kubelet Authentication & Authorization](/docs/reference/access-authn-authz/kubelet-authn-authz/)
|
||||
- including kubelet [TLS bootstrapping](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/)
|
||||
-->
|
||||
|
||||
- [身份认证](/zh-cn/docs/reference/access-authn-authz/authentication/)
|
||||
- [使用启动引导令牌来执行身份认证](/zh-cn/docs/reference/access-authn-authz/bootstrap-tokens/)
|
||||
- [准入控制器](/zh-cn/docs/reference/access-authn-authz/admission-controllers/)
|
||||
|
|
@ -57,4 +58,3 @@ Reference documentation:
|
|||
- [管理文档](/zh-cn/docs/reference/access-authn-authz/service-accounts-admin/)
|
||||
- [Kubelet 认证和鉴权](/zh-cn/docs/reference/access-authn-authz/kubelet-authn-authz/)
|
||||
- 包括 kubelet [TLS 启动引导](/zh-cn/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/)
|
||||
|
||||
|
|
|
|||
|
|
@ -1123,36 +1123,26 @@ PodNodeSelector 允许 Pod 强制在特定标签的节点上运行。
|
|||
{{< feature-state for_k8s_version="v1.25" state="stable" >}}
|
||||
|
||||
<!--
|
||||
This is the replacement for the deprecated [PodSecurityPolicy](#podsecuritypolicy) admission controller
|
||||
defined in the next section. This admission controller acts on creation and modification of the pod and
|
||||
determines if it should be admitted based on the requested security context and the
|
||||
[Pod Security Standards](/docs/concepts/security/pod-security-standards/).
|
||||
|
||||
See the [Pod Security Admission documentation](/docs/concepts/security/pod-security-admission/)
|
||||
for more information.
|
||||
The PodSecurity admission controller checks new Pods before they are
|
||||
admitted, determines if it should be admitted based on the requested security context and the restrictions on permitted
|
||||
[Pod Security Standards](/docs/concepts/security/pod-security-standards/)
|
||||
for the namespace that the Pod would be in.
|
||||
-->
|
||||
这是下节所讨论的已被废弃的 [PodSecurityPolicy](#podsecuritypolicy) 准入控制器的替代品。
|
||||
此准入控制器负责在创建和修改 Pod 时,根据请求的安全上下文和
|
||||
[Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards/)来确定是否可以执行请求。
|
||||
|
||||
更多信息请参阅 [Pod 安全性准入控制器](/zh-cn/docs/concepts/security/pod-security-admission/)。
|
||||
|
||||
### PodSecurityPolicy {#podsecuritypolicy}
|
||||
|
||||
{{< feature-state for_k8s_version="v1.21" state="deprecated" >}}
|
||||
PodSecurity 准入控制器在新 Pod 被准入之前对其进行检查,
|
||||
根据请求的安全上下文和 Pod 所在命名空间允许的
|
||||
[Pod 安全性标准](/zh/docs/concepts/security/pod-security-standards/)的限制来确定新 Pod
|
||||
是否应该被准入。
|
||||
|
||||
<!--
|
||||
This admission controller acts on creation and modification of the pod and determines if it should be admitted
|
||||
based on the requested security context and the available Pod Security Policies.
|
||||
See the [Pod Security Admission](/docs/concepts/security/pod-security-admission/)
|
||||
documentation for more information.
|
||||
-->
|
||||
此准入控制器负责在创建和修改 Pod 时根据请求的安全上下文和可用的 Pod
|
||||
安全策略确定是否可以执行请求。
|
||||
更多信息请参阅 [Pod 安全性准入](/zh-cn/docs/concepts/security/pod-security-admission/)。
|
||||
|
||||
<!--
|
||||
See also the [PodSecurityPolicy](/docs/concepts/security/pod-security-policy/) documentation
|
||||
for more information.
|
||||
PodSecurity replaced an older admission controller named PodSecurityPolicy.
|
||||
-->
|
||||
查看 [Pod 安全策略文档](/zh-cn/docs/concepts/security/pod-security-policy/)进一步了解其间细节。
|
||||
PodSecurity 取代了一个名为 PodSecurityPolicy 的旧准入控制器。
|
||||
|
||||
### PodTolerationRestriction {#podtolerationrestriction}
|
||||
|
||||
|
|
|
|||
|
|
@ -271,7 +271,7 @@ of provisioning.
|
|||
2. [令牌认证文件](#token-authentication-file)
|
||||
|
||||
<!--
|
||||
Using Bootstrap tokens are a simpler and more easily managed method to authenticate kubelets, and do not require any additional flags when starting kube-apiserver.
|
||||
Using bootstrap tokens is a simpler and more easily managed method to authenticate kubelets, and does not require any additional flags when starting kube-apiserver.
|
||||
-->
|
||||
启动引导令牌是一种对 kubelet 进行身份认证的方法,相对简单且容易管理,
|
||||
且不需要在启动 kube-apiserver 时设置额外的标志。
|
||||
|
|
@ -589,7 +589,7 @@ roleRef:
|
|||
|
||||
<!--
|
||||
The `csrapproving` controller that ships as part of
|
||||
[kube-controller-manager](/docs/admin/kube-controller-manager/) and is enabled
|
||||
[kube-controller-manager](/docs/reference/command-line-tools-reference/kube-controller-manager/) and is enabled
|
||||
by default. The controller uses the
|
||||
[`SubjectAccessReview` API](/docs/reference/access-authn-authz/authorization/#checking-api-access) to
|
||||
determine if a given user is authorized to request a CSR, then approves based on
|
||||
|
|
@ -869,12 +869,12 @@ You have several options for generating these credentials:
|
|||
<!--
|
||||
## kubectl approval
|
||||
|
||||
CSRs can be approved outside of the approval flows builtin into the controller
|
||||
CSRs can be approved outside of the approval flows built into the controller
|
||||
manager.
|
||||
-->
|
||||
## kubectl 批复 {#kubectl-approval}
|
||||
|
||||
CSRs 可以在控制器管理其内置的批复工作流之外被批复。
|
||||
CSR 可以在编译进控制器内部的批复工作流之外被批复。
|
||||
|
||||
<!--
|
||||
The signing controller does not immediately sign all certificate requests.
|
||||
|
|
|
|||
|
|
@ -28,18 +28,32 @@ tags:
|
|||
---
|
||||
-->
|
||||
|
||||
|
||||
<!--
|
||||
An abstract way to expose an application running on a set of {{< glossary_tooltip text="Pods" term_id="pod" >}} as a network service.
|
||||
A method for exposing a network application that is running as one or more
|
||||
{{< glossary_tooltip text="Pods" term_id="pod" >}} in your cluster.
|
||||
-->
|
||||
|
||||
将运行在一组 {{< glossary_tooltip text="Pods" term_id="pod" >}} 上的应用程序公开为网络服务的抽象方法。
|
||||
将运行在一个或一组 {{< glossary_tooltip text="Pod" term_id="pod" >}} 上的网络应用程序公开为网络服务的方法。
|
||||
|
||||
<!--more-->
|
||||
|
||||
<!--
|
||||
The set of Pods targeted by a Service is (usually) determined by a {{< glossary_tooltip text="selector" term_id="selector" >}}. If more Pods are added or removed, the set of Pods matching the selector will change. The Service makes sure that network traffic can be directed to the current set of Pods for the workload.
|
||||
The set of Pods targeted by a Service is (usually) determined by a
|
||||
{{< glossary_tooltip text="selector" term_id="selector" >}}. If more Pods are added or removed,
|
||||
the set of Pods matching the selector will change. The Service makes sure that network traffic
|
||||
can be directed to the current set of Pods for the workload.
|
||||
-->
|
||||
服务所针对的 Pod 集(通常)由{{< glossary_tooltip text="选择算符" term_id="selector" >}}确定。
|
||||
如果有 Pod 被添加或被删除,则与选择算符匹配的 Pod 集合将发生变化。
|
||||
服务确保可以将网络流量定向到该工作负载的当前 Pod 集合。
|
||||
|
||||
<!--
|
||||
Kubernetes Services either use IP networking (IPv4, IPv6, or both), or reference an external name in
|
||||
the Domain Name System (DNS).
|
||||
|
||||
The Service abstraction enables other mechanisms, such as Ingress and Gateway.
|
||||
-->
|
||||
|
||||
Kubernetes Service 要么使用 IP 网络(IPv4、IPv6 或两者),要么引用位于域名系统 (DNS) 中的外部名称。
|
||||
|
||||
Service 的抽象可以实现其他机制,如 Ingress 和 Gateway。
|
||||
|
|
|
|||
|
|
@ -72,12 +72,12 @@ echo '[[ $commands[kubectl] ]] && source <(kubectl completion zsh)' >> ~/.zshrc
|
|||
```
|
||||
|
||||
<!--
|
||||
### A Note on `--all-namespaces`
|
||||
### A note on `--all-namespaces`
|
||||
-->
|
||||
### 关于 `--all-namespaces` 的一点说明 {#a-note-on-all-namespaces}
|
||||
|
||||
<!--
|
||||
Appending `--all-namespaces` happens frequently enough where you should be aware of the shorthand for `--all-namespaces`:
|
||||
Appending `--all-namespaces` happens frequently enough that you should be aware of the shorthand for `--all-namespaces`:
|
||||
-->
|
||||
我们经常用到 `--all-namespaces` 参数,你应该要知道它的简写:
|
||||
|
||||
|
|
@ -178,6 +178,7 @@ alias kn='f() { [ "$1" ] && kubectl config set-context --current --namespace $1
|
|||
|
||||
<!--
|
||||
## Kubectl apply
|
||||
|
||||
`apply` manages applications through files defining Kubernetes resources. It creates and updates resources in a cluster through running `kubectl apply`. This is the recommended way of managing Kubernetes applications on production. See [Kubectl Book](https://kubectl.docs.kubernetes.io).
|
||||
-->
|
||||
## Kubectl apply
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
---
|
||||
title: 适用于 Docker 用户的 kubectl
|
||||
content_type: concept
|
||||
weight: 50
|
||||
---
|
||||
<!--
|
||||
title: kubectl for Docker Users
|
||||
|
|
@ -8,6 +9,7 @@ content_type: concept
|
|||
reviewers:
|
||||
- brendandburns
|
||||
- thockin
|
||||
weight: 50
|
||||
-->
|
||||
|
||||
<!-- overview -->
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
title: API 概述
|
||||
content_type: concept
|
||||
weight: 10
|
||||
weight: 20
|
||||
no_list: true
|
||||
card:
|
||||
name: reference
|
||||
|
|
@ -16,7 +16,7 @@ reviewers:
|
|||
- lavalamp
|
||||
- jbeda
|
||||
content_type: concept
|
||||
weight: 10
|
||||
weight: 20
|
||||
no_list: true
|
||||
card:
|
||||
name: reference
|
||||
|
|
|
|||
Loading…
Reference in New Issue