diff --git a/content/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md b/content/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
index e1a04e859e..7e22bc1b34 100644
--- a/content/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
@@ -1,14 +1,14 @@
 ---
 title: 使用 kubeadm 进行证书管理
 content_type: task
-weight: 10
+weight: 80
 ---
 <!--
 reviewers:
 - sig-cluster-lifecycle
 title: Certificate Management with kubeadm
 content_type: task
-weight: 10
+weight: 80
 -->
 
 <!-- overview -->
@@ -23,13 +23,30 @@ to kubeadm certificate management.
 由 [kubeadm](/zh-cn/docs/reference/setup-tools/kubeadm/) 生成的客户端证书在 1 年后到期。
 本页说明如何使用 kubeadm 管理证书续订，同时也涵盖其他与 kubeadm 证书管理相关的说明。
 
+<!--
+The Kubernetes project recommends upgrading to the latest patch releases promptly, and
+to ensure that you are running a supported minor release of Kubernetes.
+Following this recommendation helps you to to stay secure.
+-->
+Kubernetes 项目建议及时升级到最新的补丁版本，并确保你正在运行受支持的 Kubernetes 次要版本。
+遵循这一建议有助于你确保安全。
+
 ## {{% heading "prerequisites" %}}
 
 <!--
 You should be familiar with [PKI certificates and requirements in Kubernetes](/docs/setup/best-practices/certificates/).
+
+This guide covers the usage of the `openssl` command (used for manual certificate signing,
+if you choose that approach), but you can use your preferred tools.
+
+Some of the steps here use `sudo` for administrator access. You can use any equivalent tool.
 -->
 你应该熟悉 [Kubernetes 中的 PKI 证书和要求](/zh-cn/docs/setup/best-practices/certificates/)。
 
+本指南将介绍如何使用 `openssl` 命令（用于手动证书签名），但你可以使用你喜欢的工具。
+
+这里的一些步骤使用 `sudo` 来获取管理员访问权限。你可以使用任何等效的工具。
+
 <!-- steps -->
 
 <!--
@@ -38,7 +55,6 @@ You should be familiar with [PKI certificates and requirements in Kubernetes](/d
 By default, kubeadm generates all the certificates needed for a cluster to run.
 You can override this behavior by providing your own certificates.
 -->
-
 ## 使用自定义的证书   {#custom-certificates}
 
 默认情况下，kubeadm 会生成运行一个集群所需的全部证书。
@@ -71,7 +87,6 @@ If all other certificates and kubeconfig files are in place, kubeadm recognizes
 this condition and activates the "External CA" mode. kubeadm will proceed without the
 CA key on disk.
 -->
-
 ## 外部 CA 模式   {#external-ca-mode}
 
 只提供了 `ca.crt` 文件但是不提供 `ca.key` 文件也是可以的
@@ -95,12 +110,17 @@ There are various ways to prepare the component credentials when using external
 
 [PKI certificates and requirements](/docs/setup/best-practices/certificates/) includes information
 on how to prepare all the required by kubeadm component credentials manually.
+
+This guide covers the usage of the `openssl` command (used for manual certificate signing,
+if you choose that approach), but you can use your preferred tools.
 -->
-### 手动准备组件证书
+### 手动准备组件证书   {#manual-preparation-of-component-credentials}
 
 [PKI 证书和要求](/zh-cn/docs/setup/best-practices/certificates/)包含有关如何手动准备
 kubeadm 组件证书所需的所有信息。
 
+本指南将介绍如何使用 `openssl` 命令（用于手动证书签名），但你可以使用你喜欢的工具。
+
 <!--
 ### Preparation of credentials by signing CSRs generated by kubeadm
 
@@ -108,7 +128,7 @@ kubeadm can [generate CSR files](#signing-csr) that you can sign manually with t
 `openssl` and your external CA. These CSR files will include all the specification for credentials
 that components deployed by kubeadm require.
 -->
-### 通过签署 kubeadm 生成的 CSR 来准备证书
+### 通过签署 kubeadm 生成的 CSR 来准备证书   {#preparation-of-credentials-by-signing-csrs-generated-by-kubeadm}
 
 kubeadm 可以[生成 CSR 文件](#signing-csr)，你可以使用 `openssl` 和外部 CA 等工具手动签署这些文件。
 这些 CSR 文件将包含 kubeadm 部署的组件所需的所有证书规范。
@@ -118,7 +138,7 @@ kubeadm 可以[生成 CSR 文件](#signing-csr)，你可以使用 `openssl` 和
 
 Alternatively, it is possible to use kubeadm phase commands to automate this process.
 -->
-### 使用 kubeadm 阶段自动准备组件证书
+### 使用 kubeadm 阶段自动准备组件证书   {#automated-preparation-of-component-credentials-by-using-kubeadm-phases}
 
 或者，可以使用 kubeadm 阶段命令来自动化此过程。
 
@@ -170,13 +190,21 @@ and its `pki` sub directory.
 kubeadm 将使用 `/etc/kubernetes/` 及其 `pki` 子目录下现有的 kubeconfig 和证书文件。
 
 <!--
-## Check certificate expiration
+## Certificate expiry and management {#check-certificate-expiration}
+-->
+## 证书过期和管理   {#check-certificate-expiration}
 
+{{< note >}}
+<!--
+`kubeadm` cannot manage certificates signed by an external CA.
+-->
+`kubeadm` 不能管理由外部 CA 签名的证书。
+{{< /note >}}
+
+<!--
 You can use the `check-expiration` subcommand to check when certificates expire:
 -->
-## 检查证书是否过期  {#check-certificate-expiration}
-
-你可以使用 `check-expiration` 子命令来检查证书何时过期
+你可以使用 `check-expiration` 子命令来检查证书何时过期：
 
 ```shell
 kubeadm certs check-expiration
@@ -222,38 +250,30 @@ user should take care of managing certificate renewal manually/using other tools
 另外，kubeadm 会通知用户证书是否由外部管理；
 在这种情况下，用户应该小心的手动/使用其他工具来管理证书更新。
 
-{{< warning >}}
 <!--
-`kubeadm` cannot manage certificates signed by an external CA.
--->
-`kubeadm` 不能管理由外部 CA 签名的证书。
-{{< /warning >}}
-
-{{< note >}}
-<!--
-`kubelet.conf` is not included in the list above because kubeadm configures kubelet
+The `kubelet.conf` configuration file is not included in the list above because kubeadm
+configures kubelet
 for [automatic certificate renewal](/docs/tasks/tls/certificate-rotation/)
 with rotatable certificates under `/var/lib/kubelet/pki`.
 To repair an expired kubelet client certificate see
 [Kubelet client certificate rotation fails](/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/#kubelet-client-cert).
 -->
-上面的列表中没有包含 `kubelet.conf`，因为 kubeadm 将 kubelet
+上面的列表中没有包含 `kubelet.conf` 配置文件，因为 kubeadm 将 kubelet
 配置为[自动更新证书](/zh-cn/docs/tasks/tls/certificate-rotation/)。
 轮换的证书位于目录 `/var/lib/kubelet/pki`。
 要修复过期的 kubelet 客户端证书，请参阅
 [kubelet 客户端证书轮换失败](/zh-cn/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/#kubelet-client-cert)。
-{{< /note >}}
 
-{{< warning >}}
+{{< note >}}
 <!--
-On nodes created with `kubeadm init`, prior to kubeadm version 1.17, there is a
+On nodes created with `kubeadm init` from versions prior to kubeadm version 1.17, there is a
 [bug](https://github.com/kubernetes/kubeadm/issues/1753) where you manually have to modify the
 contents of `kubelet.conf`. After `kubeadm init` finishes, you should update `kubelet.conf` to
 point to the rotated kubelet client certificates, by replacing `client-certificate-data` and
 `client-key-data` with:
 -->
-在通过 `kubeadm init` 创建的节点上，在 kubeadm 1.17
-版本之前有一个[缺陷](https://github.com/kubernetes/kubeadm/issues/1753)，
+在通过 kubeadm 1.17 之前的版本以 `kubeadm init` 创建的节点上，
+有一个[缺陷](https://github.com/kubernetes/kubeadm/issues/1753)，
 该缺陷使得你必须手动修改 `kubelet.conf` 文件的内容。
 `kubeadm init` 操作结束之后，你必须更新 `kubelet.conf` 文件将 `client-certificate-data`
 和 `client-key-data` 改为如下所示的内容以便使用轮换后的 kubelet 客户端证书：
@@ -262,7 +282,7 @@ point to the rotated kubelet client certificates, by replacing `client-certifica
 client-certificate: /var/lib/kubelet/pki/kubelet-client-current.pem
 client-key: /var/lib/kubelet/pki/kubelet-client-current.pem
 ```
-{{< /warning >}}
+{{< /note >}}
 
 <!--
 ## Automatic certificate renewal
@@ -285,13 +305,6 @@ your cluster up to date and reasonably secure.
 并且定期执行 Kubernetes 版本升级（每次升级之间的间隔时间少于 1 年），
 则 kubeadm 将确保你的集群保持最新状态并保持合理的安全性。
 
-{{< note >}}
-<!--
-It is a best practice to upgrade your cluster frequently in order to stay secure.
--->
-最佳的做法是经常升级集群以确保安全。
-{{< /note >}}
-
 <!--
 If you have more complex requirements for certificate renewal, you can opt out from the default
 behavior by passing `--certificate-renewal=false` to `kubeadm upgrade apply` or to `kubeadm
@@ -300,29 +313,27 @@ upgrade node`.
 如果你对证书更新有更复杂的需求，则可通过将 `--certificate-renewal=false` 传递给
 `kubeadm upgrade apply` 或者 `kubeadm upgrade node`，从而选择不采用默认行为。
 
-{{< warning >}}
-<!--
-Prior to kubeadm version 1.17 there is a [bug](https://github.com/kubernetes/kubeadm/issues/1818)
-where the default value for `--certificate-renewal` is `false` for the `kubeadm upgrade node`
-command. In that case, you should explicitly set `--certificate-renewal=true`.
--->
-kubeadm 在 1.17 版本之前有一个[缺陷](https://github.com/kubernetes/kubeadm/issues/1818)，
-该缺陷导致 `kubeadm update node` 执行时 `--certificate-renewal` 的默认值被设置为 `false`。
-在这种情况下，你需要显式地设置 `--certificate-renewal=true`。
-{{< /warning >}}
-
 <!--
 ## Manual certificate renewal
 
-You can renew your certificates manually at any time with the `kubeadm certs renew` command, with the appropriate command line options.
+You can renew your certificates manually at any time with the `kubeadm certs renew` command,
+with the appropriate command line options. If you are running cluster with a replicated control
+plane, this command needs to be executed on all the control-plane nodes.
 -->
 ## 手动更新证书 {#manual-certificate-renewal}
 
 你能随时通过 `kubeadm certs renew` 命令手动更新你的证书，只需带上合适的命令行选项。
+如果你正在运行的集群具有多副本的控制平面，则需要在所有控制平面节点上执行此命令。
 
 <!--
 This command performs the renewal using CA (or front-proxy-CA) certificate and key stored in `/etc/kubernetes/pki`.
 
+`kubeadm certs renew` uses the existing certificates as the authoritative source for attributes
+(Common Name, Organization, subject alternative name) and does not rely on the `kubeadm-config`
+ConfigMap.
+Even so, the Kubernetes project recommends keeping the served certificate and the associated
+values in that ConfigMap synchronized, to avoid any risk of confusion.
+
 After running the command you should restart the control plane Pods. This is required since
 dynamic certificate reload is currently not supported for all components and certificates.
 [Static Pods](/docs/tasks/configure-pod-container/static-pod/) are managed by the local kubelet
@@ -335,6 +346,10 @@ the Pod and the certificate renewal for the component can complete.
 -->
 此命令用 CA（或者 front-proxy-CA ）证书和存储在 `/etc/kubernetes/pki` 中的密钥执行更新。
 
+`kubeadm certs renew` 使用现有的证书作为属性（Common Name、Organization、SAN 等）的权威来源，
+而不依赖于 `kubeadm-config` ConfigMap。强烈建议使它们保持同步。
+即便如此，Kubernetes 项目仍然建议使用的证书与 ConfigMap 中的关联值保持同步，以避免任何混淆的风险。
+
 执行完此命令之后你需要重启控制面 Pod。因为动态证书重载目前还不被所有组件和证书支持，所有这项操作是必须的。
 [静态 Pod](/zh-cn/docs/tasks/configure-pod-container/static-pod/) 是被本地 kubelet
 而不是 API 服务器管理，所以 kubectl 不能用来删除或重启他们。
@@ -344,50 +359,41 @@ the Pod and the certificate renewal for the component can complete.
 在另一个 `fileCheckFrequency` 周期之后你可以将文件移回去，kubelet 可以完成 Pod
 的重建，而组件的证书更新操作也得以完成。
 
-{{< warning >}}
 <!--
-If you are running an HA cluster, this command needs to be executed on all the control-plane nodes.
+`kubeadm certs renew` can renew any specific certificate or, with the subcommand `all`, it can renew all of them:
 -->
-如果你运行了一个 HA 集群，这个命令需要在所有控制面板节点上执行。
-{{< /warning >}}
-
-{{< note >}}
-<!--
-`certs renew` uses the existing certificates as the authoritative source for attributes (Common
-Name, Organization, SAN, etc.) instead of the `kubeadm-config` ConfigMap. It is strongly recommended
-to keep them both in sync.
--->
-`certs renew` 使用现有的证书作为属性（Common Name、Organization、SAN 等）的权威来源，
-而不是 `kubeadm-config` ConfigMap。强烈建议使它们保持同步。
-{{< /note >}}
+`kubeadm certs renew` 可以更新任何特定的证书，或者使用子命令 `all` 更新所有的证书：
 
 <!--
-`kubeadm certs renew` can renew any specific certificate or, with the subcommand `all`, it can renew all of them, as shown below:
--->
-`kubeadm certs renew` 可以更新任何特定的证书，或者使用子命令 `all`
-更新所有的证书，如下所示：
-
 ```shell
+# If you are running cluster with a replicated control plane, this command
+# needs to be executed on all the control-plane nodes.
+kubeadm certs renew all
+```
+-->
+```shell
+# 如果你运行的集群具有多副本的控制平面，则需要在所有控制平面节点上执行这条命令
 kubeadm certs renew all
 ```
 
-{{< note >}}
 <!--
+### Copying the administrator certificate (optional) {#admin-certificate-copy}
+
 Clusters built with kubeadm often copy the `admin.conf` certificate into
 `$HOME/.kube/config`, as instructed in [Creating a cluster with kubeadm](/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/).
 On such a system, to update the contents of `$HOME/.kube/config`
-after renewing the `admin.conf`, you must run the following commands:
+after renewing the `admin.conf`, you could run the following commands:
 -->
-使用 kubeadm 构建的集群通常会将 `admin.conf` 证书复制到 `$HOME/.kube/config` 中，
-如[使用 kubeadm 创建集群](/zh-cn/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/)中所指示的那样。
-在这样的系统中，为了在更新 `admin.conf` 后更新 `$HOME/.kube/config` 的内容，
-你必须运行以下命令：
+### 复制管理员证书（可选） {#admin-certificate-copy}
+
+使用 kubeadm 构建的集群通常会将 `admin.conf` 证书复制到 `$HOME/.kube/config`，
+参阅[使用 kubeadm 创建集群](/zh-cn/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/)。
+在这样的系统上，若要在更新 `admin.conf` 后更新 `$HOME/.kube/config` 的内容，你可以运行以下命令：
 
 ```shell
 sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
 sudo chown $(id -u):$(id -g) $HOME/.kube/config
 ```
-{{< /note >}}
 
 <!--
 ## Renew certificates with the Kubernetes certificates API
@@ -420,7 +426,6 @@ The built-in signer is part of [`kube-controller-manager`](/docs/reference/comma
 To activate the built-in signer, you must pass the `--cluster-signing-cert-file` and
 `--cluster-signing-key-file` flags.
 -->
-
 ### 设置一个签名者（Signer） {#set-up-a-signer}
 
 Kubernetes 证书颁发机构不是开箱即用。你可以配置外部签名者，例如
@@ -489,7 +494,7 @@ Renewal of ceritficates is possible by generating new CSRs and signing them with
 For more details about working with CSRs generated by kubeadm see the section
 [Signing certificate signing requests (CSR) generated by kubeadm](#signing-csr).
 -->
-### 使用证书签名请求（CSR）续订
+### 使用证书签名请求（CSR）续订   {#renewal-by-using-certificate-signing-requests-csr}
 
 可以通过生成新的 CSR 并使用外部 CA 对其进行签名来对证书进行续约。
 有关使用 kubeadm 生成的 CSR 的更多详细信息，请参阅[对 kubeadm 生成的证书签名请求（CSR）进行签名](#signing-csr)部分。
@@ -643,28 +648,47 @@ IP 或域名请求服务证书。
 ## 为其他用户生成 kubeconfig 文件 {#kubeconfig-additional-users}
 
 <!--
-During cluster creation, kubeadm signs the certificate in the `admin.conf` to have
-`Subject: O = system:masters, CN = kubernetes-admin`.
+During cluster creation, `kubeadm init` signs the certificate in the `super-admin.conf`
+to have `Subject: O = system:masters, CN = kubernetes-super-admin`.
 [`system:masters`](/docs/reference/access-authn-authz/rbac/#user-facing-roles)
 is a break-glass, super user group that bypasses the authorization layer (for example,
-[RBAC](/docs/reference/access-authn-authz/rbac/)).
-Sharing the `admin.conf` with additional users is **not recommended**!
+[RBAC](/docs/reference/access-authn-authz/rbac/)). The file `admin.conf` is also created
+by kubeadm on control plane nodes and it contains a certificate with
+`Subject: O = kubeadm:cluster-admins, CN = kubernetes-admin`. `kubeadm:cluster-admins`
+is a group logically belonging to kubeadm. If your cluster uses RBAC
+(the kubeadm default), the `kubeadm:cluster-admins` group is bound to the
+[`cluster-admin`](/docs/reference/access-authn-authz/rbac/#user-facing-roles) ClusterRole.
 -->
-在集群创建过程中，kubeadm 对 `admin.conf` 中的证书进行签名时，将其配置为
-`Subject: O = system:masters, CN = kubernetes-admin`。
+在集群创建过程中，`kubeadm init` 对 `super-admin.conf` 中的证书进行签名时，将其配置为
+`Subject: O = system:masters, CN = kubernetes-super-admin`。
 [`system:masters`](/zh-cn/docs/reference/access-authn-authz/rbac/#user-facing-roles)
 是一个例外的超级用户组，可以绕过鉴权层（例如 [RBAC](/zh-cn/docs/reference/access-authn-authz/rbac/)）。
-强烈建议不要将 `admin.conf` 文件与任何人共享。
+文件 `admin.conf` 也由 kubeadm 在控制平面节点上创建，此文件包含设为
+`Subject: O = kubeadm:cluster-admins, CN = kubernetes-admin` 的证书。
+`kubeadm:cluster-admins` 是一个逻辑上属于 kubeadm 的组。
+如果你的集群使用 RBAC（kubeadm 的默认设置），则 `kubeadm:cluster-admins`
+组被绑定到 [`cluster-admin`](/zh-cn/docs/reference/access-authn-authz/rbac/#user-facing-roles) ClusterRole。
+
+{{< warning >}}
+<!--
+Avoid sharing the `super-admin.conf` or `admin.conf` files. Instead, create least
+privileged access even for people who work as administrators and use that least
+privilege alternative for anything other than break-glass (emergency) access.
+-->
+避免共享 `super-admin.conf` 或 `admin.conf` 文件。
+实际上，即使是管理员等工作人员，也只为其创建最小访问权限，
+这种最小权限的方案适用于除例外（应急）访问之外的所有场景。
+{{< /warning >}}
 
 <!--
-Instead, you can use the [`kubeadm kubeconfig user`](/docs/reference/setup-tools/kubeadm/kubeadm-kubeconfig)
+You can use the [`kubeadm kubeconfig user`](/docs/reference/setup-tools/kubeadm/kubeadm-kubeconfig)
 command to generate kubeconfig files for additional users.
 The command accepts a mixture of command line flags and
 [kubeadm configuration](/docs/reference/config-api/kubeadm-config.v1beta4/) options.
 The generated kubeconfig will be written to stdout and can be piped to a file using
 `kubeadm kubeconfig user ... > somefile.conf`.
 -->
-你要使用 [`kubeadm kubeconfig user`](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-kubeconfig)
+你可以使用 [`kubeadm kubeconfig user`](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-kubeconfig)
 命令为其他用户生成 kubeconfig 文件，这个命令支持命令行参数和
 [kubeadm 配置结构](/zh-cn/docs/reference/config-api/kubeadm-config.v1beta4/)。
 以上命令会将 kubeconfig 打印到终端上，也可以使用 `kubeadm kubeconfig user ... > somefile.conf`
@@ -768,31 +792,27 @@ file, similarly to commands such as `kubeadm init`. Any specification such
 as extra SANs and custom IP addresses must be stored in the same configuration
 file and used for all relevant kubeadm commands by passing it as `--config`.
 -->
-`kubeadm certs generate-csr` 命令为 kubeadm 所了解并管理的所有证书生成 CSR。
-该标志接受 [kubeadm 配置](/zh-cn/docs/reference/config-api/kubeadm-config.v1beta3/)文件，
+要将自定义选项传递给 `kubeadm certs generate-csr`，可以使用 `--config` 标志，
+此标志接受 [kubeadm 配置](/zh-cn/docs/reference/config-api/kubeadm-config.v1beta3/)文件，
 与诸如 `kubeadm init` 这类命令相似。
 所有规约（例如额外的 SAN 和自定义 IP 地址）都必须存储在同一配置文件中，
 并通过将其作为 `--config` 传递来用于所有相关的 kubeadm 命令。
 
 {{< note >}}
 <!--
-This guide will cover the usage of the `openssl` command for singing the CSRs,
-but you can use your preferred tools.
--->
-本指南将介绍如何使用 `openssl` 命令来执行 CSR，但你可以使用你喜欢的工具。
-{{< /note >}}
+This guide uses the default Kubernetes directory `/etc/kubernetes`, which requires
+a super user. If you are following this guide and are using directories that you can
+write to (typically, this means running `kubeadm` with `--cert-dir` and `--kubeconfig-dir`)
+then you can omit the `sudo` command).
 
-{{< note >}}
-<!--
-This guide will use the default Kubernetes directory `/etc/kubernetes`, which requires
-a super user. If you are following this guide with permissive directories
-(by passing `--cert-dir` and `--kubeconfig-dir`) you can omit the `sudo` command.
-But note that the resulted files must be copied to the `/etc/kubernetes` tree,
-so that `kubeadm init` or `kubeadm join` will find them.
+You must then copy the files that you produced over to within the `/etc/kubernetes`
+directory so that `kubeadm init` or `kubeadm join` will find them.
 -->
-本指南将使用默认的 Kubernetes 目录 `/etc/kubernetes`，需要超级用户权限。
-如果你按照本指南使用访问权限较低的目录（通过指定 `--cert-dir` 和 `--kubeconfig-dir`），可以省略 `sudo` 命令。
-但请注意，生成的文件必须被复制到 `/etc/kubernetes` 目录下，以便 `kubeadm init`
+本指南使用默认的 Kubernetes 目录 `/etc/kubernetes`，需要超级用户权限。
+如果你按照本指南使用你可以写入的目录
+（通常这意味着使用 `--cert-dir` 和 `--kubeconfig-dir` 运行 `kubeadm`），你可以省略 `sudo` 命令。
+
+然后，你必须将生成的文件复制到 `/etc/kubernetes` 目录下，以便 `kubeadm init`
 或 `kubeadm join` 能够找到它们。
 {{< /note >}}
 
@@ -802,7 +822,7 @@ so that `kubeadm init` or `kubeadm join` will find them.
 On the primary control plane node, where `kubeadm init` will be executed, call the following
 commands:
 -->
-### 准备 CA 和服务帐户文件
+### 准备 CA 和服务帐户文件   {#preparing-ca-and-service-account-files}
 
 在将执行` kubeadm init` 的主控制平面节点上，执行以下命令：
 
@@ -825,12 +845,13 @@ private keys) that kubeadm needs for a control plane node.
 {{< note >}}
 <!--
 If you are using an external CA, you must generate the same files out of band and manually
-copy them to the primary control plane node in `/etc/kubernetes`. Once all CSRs
-are signed, you can delete the root CA key (`ca.key`) as noted in the
+copy them to the primary control plane node in `/etc/kubernetes`.
+
+Once all CSRs are signed, you can delete the root CA key (`ca.key`) as noted in the
 [External CA mode](#external-ca-mode) section.
 -->
-如果你使用外部 CA，则必须在带外生成相同的文件，并手动将它们复制到
-主控制平面节点上的 `/etc/kubernetes`。
+如果你使用外部 CA，则你必须在带外生成相同的文件，并手动将它们复制到主控制平面节点上的 `/etc/kubernetes`。
+
 所有 CSR 被签名后，你可以删除根 CA 密钥（`ca.key`），如[外部 CA 模式](#external-ca-mode)部分中所述。
 {{< /note >}}
 
@@ -903,9 +924,14 @@ for signing new kubelet client certificates.
 Processing the `kubelet.conf.csr` on the primary control plane node
 (`kubeadm init`) is required, because that is considered the node that
 bootstraps the cluster and a pre-populated `kubelet.conf` is needed.
+
+You must process the `kubelet.conf.csr` file on the primary control plane node
+(the host where you originally ran `kubeadm init`). This is because `kubeadm`
+considers that as the node that bootstraps the cluster, and a pre-populated
+`kubelet.conf` is needed.
 -->
-你仍需要在主控制平面节点（`kubeadm init`）上处理 `kubelet.conf.csr`，
-因为该节点被视为引导集群的节点，并且需要预先填充的 `kubelet.conf`。
+你必须在主控制平面节点（你最初运行 `kubeadm init` 的主机）上处理 `kubelet.conf.csr`，
+这是因为 `kubeadm` 将该节点视为引导集群的节点，并且需要预先填充的 `kubelet.conf`。
 {{< /note >}}
 
 <!--
@@ -964,13 +990,13 @@ the steps for worker nodes entirely.
 <!--
 ### Signing CSRs for all certificates
 -->
-### 签署所有证书的 CSR
+### 签署所有证书的 CSR   {#signing-csrs-for-all-certificates}
 
 {{< note >}}
 <!--
 If you are using external CA and already have CA serial number files (`.srl`) for
-`openssl` you can copy such files to a kubeadm node where CSRs will be processed.
-`.srl` files to copy are `/etc/kubernetes/pki/ca.srl`,
+`openssl`, you can copy such files to a kubeadm node where CSRs will be processed.
+The `.srl` files to copy are `/etc/kubernetes/pki/ca.srl`,
 `/etc/kubernetes/pki/front-proxy-ca.srl` and `/etc/kubernetes/pki/etcd/ca.srl`.
 The files can be then moved to a new node where CSR files will be processed.
 
@@ -989,8 +1015,9 @@ documentation for the `--CAserial` flag.
 
 如果节点上的 CA 缺少 `.srl` 文件，下面的脚本将生成一个具有随机起始序列号的新 SRL 文件。
 
-要了解有关 `.srl` 文件的更多信息，请参阅 `--CAserial` 标志的
-[`openssl`](https://www.openssl.org/docs/man3.0/man1/openssl-x509.html) 文档。
+要了解有关 `.srl` 文件的更多信息，请参阅
+[`openssl`](https://www.openssl.org/docs/man3.0/man1/openssl-x509.html)
+关于 `--CAserial` 标志的文档。
 {{< /note >}}
 
 <!--
@@ -1006,6 +1033,7 @@ present in the `/etc/kubernetes` tree.
 该脚本将为 `/etc/kubernetes` 目录下存在的所有 CSR 文件生成证书。
 
 <!--
+```bash
 # Set certificate expiration time in days
 # Process all CSR files except those for front-proxy and etcd
 # Trim the extension
@@ -1063,7 +1091,7 @@ Write the following script in the `/etc/kubernetes` directory, navigate to the d
 and execute the script. The script will take the `.crt` files that were signed for
 kubeconfig files from CSRs in the previous step and will embed them in the kubeconfig files.
 -->
-### 在 kubeconfig 文件中嵌入证书
+### 在 kubeconfig 文件中嵌入证书   {#embedding-certificates-in-kubeconfig-files}
 
 对具有 CSR 文件的所有节点重复此步骤。
 
@@ -1099,9 +1127,15 @@ and execute the script.
 在 `/etc/kubernetes` 目录中编写以下脚本，进入该目录并执行脚本。
 
 <!--
+```bash
+#!/bin/bash
+
 # Cleanup CSR files
-# Clean all CSR files
+rm -f ./*.csr ./pki/*.csr ./pki/etcd/*.csr # Clean all CSR files
+
 # Cleanup CRT files that were already embedded in kubeconfig files
+rm -f ./*.crt
+```
 -->
 ```bash
 #!/bin/bash
@@ -1133,7 +1167,7 @@ to create a Kubernetes cluster from these nodes. During `init` and `join`, kubea
 uses existing certificates, encryption keys and kubeconfig files that it finds in the
 `/etc/kubernetes` tree on the host's local filesystem.
 -->
-### kubeadm 节点初始化
+### kubeadm 节点初始化   {#kubeadm-node-initialization}
 
 一旦 CSR 文件被签名并且所需的证书在要用作节点的主机上就位，你就可以使用命令
 `kubeadm init` 和 `kubeadm join` 使用这些节点创建 Kubernetes 集群。