[zh-cn] sync node-labels namepaces security-context assign-cpu-resource

Signed-off-by: xin.li <xin.li@daocloud.io>
2023-08-03 08:37:31 +08:00 · 2023-08-03 08:37:31 +08:00 · a9e4bfbf10
parent a652804415
commit a9e4bfbf10
4 changed files with 91 additions and 16 deletions
--- a/content/zh-cn/docs/reference/node/node-labels.md
+++ b/content/zh-cn/docs/reference/node/node-labels.md
@ -0,0 +1,71 @@
+content_type: "reference"
+title: 由 kubelet 填充的节点标签
+weight: 40
+
+<!--
+content_type: "reference"
+title: Node Labels Populated By The Kubelet
+weight: 40
+-->
+
+<!--
+Kubernetes {{< glossary_tooltip text="nodes" term_id="node" >}} come pre-populated
+with a standard set of {{< glossary_tooltip text="labels" term_id="label" >}}.
+
+You can also set your own labels on nodes, either through the kubelet configuration or
+using the Kubernetes API.
+-->
+Kubernetes {{< glossary_tooltip text="节点" term_id="node" >}}预先填充了一组标准
+{{< glossary_tooltip text="标签" term_id="label" >}}。
+
+你还可以通过 kubelet 配置或使用 Kubernetes API 在节点上设置自己的标签。
+
+<!--
+## Preset labels
+
+The preset labels that Kubernetes sets on nodes are:
+-->
+## 预设标签
+
+Kubernetes 在节点上设置的预设标签有：
+
+<!--
+* [`kubernetes.io/arch`](/docs/reference/labels-annotations-taints/#kubernetes-io-arch)
+* [`kubernetes.io/hostname`](/docs/reference/labels-annotations-taints/#kubernetes-io-hostname)
+* [`kubernetes.io/os`](/docs/reference/labels-annotations-taints/#kubernetes-io-os)
+* [`node.kubernetes.io/instance-type`](/docs/reference/labels-annotations-taints/#nodekubernetesioinstance-type)
+  (if known to the kubelet &ndash; Kubernetes may not have this information to set the label)
+* [`topology.kubernetes.io/region`](/docs/reference/labels-annotations-taints/#topologykubernetesioregion)
+  (if known to the kubelet &ndash; Kubernetes may not have this information to set the label)
+* [`topology.kubernetes.io/zone`](/docs/reference/labels-annotations-taints/#topologykubernetesiozone)
+  (if known to the kubelet &ndash; Kubernetes may not have this information to set the label)
+-->
+* [`kubernetes.io/arch`](/zh-cn/docs/reference/labels-annotations-taints/#kubernetes-io-arch)
+* [`kubernetes.io/hostname`](/zh-cn/docs/reference/labels-annotations-taints/#kubernetes-io-hostname)
+* [`kubernetes.io/os`](/zh-cn/docs/reference/labels-annotations-taints/#kubernetes-io-os)
+* [`node.kubernetes.io/instance-type`](/zh-cn/docs/reference/labels-annotations-taints/#nodekubernetesioinstance-type)
+  （如果 kubelet 知道此信息 &ndash; Kubernetes 可能没有这些信息来设置标签）
+* [`topology.kubernetes.io/region`](/zh-cn/docs/reference/labels-annotations-taints/#topologykubernetesioregion)
+  （如果 kubelet 知道此信息 &ndash; Kubernetes 可能没有这些信息来设置标签）
+* [`topology.kubernetes.io/zone`](/zh-cn/docs/reference/labels-annotations-taints/#topologykubernetesiozone)
+  （如果 kubelet 知道此信息 &ndash; Kubernetes 可能没有这些信息来设置标签）
+
+{{<note>}}
+<!--
+The value of these labels is cloud provider specific and is not guaranteed to be reliable.
+For example, the value of `kubernetes.io/hostname` may be the same as the node name in some environments
+and a different value in other environments.
+-->
+这些标签的值是特定于云提供商的，并且不保证其可靠性。
+例如，`kubernetes.io/hostname` 的值在某些环境中可能与节点名称相同，
+而在其他环境中可能与节点名称不同。
+{{</note>}}
+
+## {{% heading "whatsnext" %}}
+
+<!--
+- See [Well-Known Labels, Annotations and Taints](/docs/reference/labels-annotations-taints/) for a list of common labels.
+- Learn how to [add a label to a node](/docs/tasks/configure-pod-container/assign-pods-nodes/#add-a-label-to-a-node).
+-->
+- 有关常见标签的列表，请参阅[众所周知的标签、注释和污点](/zh-cn/docs/reference/labels-annotations-taints/)。
+- 了解如何[向节点添加标签](/zh-cn/docs/tasks/configure-pod-container/assign-pods-nodes/#add-a-label-to-a-node)。
--- a/content/zh-cn/docs/tasks/administer-cluster/namespaces.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/namespaces.md
@ -49,30 +49,35 @@ List the current namespaces in a cluster using:
 kubectl get namespaces
 ```
 ```console
-NAME          STATUS    AGE
-default       Active    11d
-kube-system   Active    11d
-kube-public   Active    11d
+NAME              STATUS   AGE
+default           Active   11d
+kube-node-lease   Active   11d
+kube-public       Active   11d
+kube-system       Active   11d
 ```

 <!--
-Kubernetes starts with three initial namespaces:
+Kubernetes starts with four initial namespaces:
 -->
-初始状态下，Kubernetes 具有三个名字空间：
+初始状态下，Kubernetes 具有四个名字空间：

 <!--
 * `default` The default namespace for objects with no other namespace
-* `kube-system` The namespace for objects created by the Kubernetes system
+* `kube-node-lease` This namespace holds [Lease](/docs/concepts/architecture/leases/) objects associated with each node. Node leases allow the kubelet to send [heartbeats](/docs/concepts/architecture/nodes/#heartbeats) so that the control plane can detect node failure.
 * `kube-public` This namespace is created automatically and is readable by all users
  (including those not authenticated). This namespace is mostly reserved for cluster usage,
  in case that some resources should be visible and readable publicly throughout the whole cluster.
  The public aspect of this namespace is only a convention, not a requirement.
+* `kube-system` The namespace for objects created by the Kubernetes system
 -->
 * `default` 无名字空间对象的默认名字空间
-* `kube-system` 由 Kubernetes 系统创建的对象的名字空间
+* `kube-node-lease` 此名字空间保存与每个节点关联的[租约（Lease）](/zh-cn/docs/concepts/architecture/leases/)对象。
+  节点租约允许 kubelet 发送[心跳](/zh-cn/docs/concepts/architecture/nodes/#heartbeats），
+  以便控制平面可以检测节点故障。
 * `kube-public` 自动创建且被所有用户可读的名字空间（包括未经身份认证的）。
  此名字空间通常在某些资源在整个集群中可见且可公开读取时被集群使用。
  此名字空间的公共方面只是一个约定，而不是一个必要条件。
+* `kube-system` 由 Kubernetes 系统创建的对象的名字空间

 <!--
 You can also get the summary of a specific namespace using:
--- a/content/zh-cn/docs/tasks/configure-pod-container/assign-cpu-resource.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/assign-cpu-resource.md
@ -97,7 +97,7 @@ in the Container resource manifest. To specify a CPU limit, include `resources:l
 In this exercise, you create a Pod that has one container. The container has a request
 of 0.5 CPU and a limit of 1 CPU. Here is the configuration file for the Pod:

-{{< codenew file="pods/resource/cpu-request-limit.yaml" >}}
+{{% code file="pods/resource/cpu-request-limit.yaml" %}}

 The `args` section of the configuration file provides arguments for the container when it starts.
 The `-cpus "2"` argument tells the Container to attempt to use 2 CPUs.
@ -112,7 +112,7 @@ Create the Pod:
 在本练习中，你将创建一个具有一个容器的 Pod。容器将会请求 0.5 个 CPU，而且最多限制使用 1 个 CPU。
 这是 Pod 的配置文件：

-{{< codenew file="pods/resource/cpu-request-limit.yaml" >}}
+{{% code file="pods/resource/cpu-request-limit.yaml" %}}

 配置文件的 `args` 部分提供了容器启动时的参数。
 `-cpus "2"` 参数告诉容器尝试使用 2 个 CPU。
@ -250,7 +250,7 @@ the capacity of any Node in your cluster. Here is the configuration file for a P
 that has one Container. The Container requests 100 CPU, which is likely to exceed the
 capacity of any Node in your cluster.

-{{< codenew file="pods/resource/cpu-request-limit-2.yaml" >}}
+{{% code file="pods/resource/cpu-request-limit-2.yaml" %}}

 Create the Pod:
 -->
--- a/content/zh-cn/docs/tasks/configure-pod-container/security-context.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/security-context.md
@ -108,7 +108,7 @@ Here is a configuration file for a Pod that has a `securityContext` and an `empt
 对象。你为 Pod 所设置的安全性配置会应用到 Pod 中所有 Container 上。
 下面是一个 Pod 的配置文件，该 Pod 定义了 `securityContext` 和一个 `emptyDir` 卷：

-{{% codenew file="pods/security/security-context.yaml" %}}
+{{% code file="pods/security/security-context.yaml" %}}

 <!--
 In the configuration file, the `runAsUser` field specifies that for any Containers in
@ -371,7 +371,7 @@ Pod 层面设置的内容发生重叠时，会重写 Pod 层面的设置。Conta
 下面是一个 Pod 的配置文件，其中包含一个 Container。Pod 和 Container 都有
 `securityContext` 字段：

-{{% codenew file="pods/security/security-context-2.yaml" %}}
+{{% code file="pods/security/security-context-2.yaml" %}}

 <!--
 Create the Pod:
@ -454,7 +454,7 @@ Here is configuration file that does not add or remove any Container capabilitie
 首先，看一下不包含 `capabilities` 字段时候会发生什么。
 下面是一个配置文件，其中没有添加或移除容器的权能：

-{{% codenew file="pods/security/security-context-3.yaml" %}}
+{{% code file="pods/security/security-context-3.yaml" %}}

 <!--
 Create the Pod:
@ -546,7 +546,7 @@ adds the `CAP_NET_ADMIN` and `CAP_SYS_TIME` capabilities:
 下面是一个 Pod 的配置，其中运行一个容器。配置为容器添加 `CAP_NET_ADMIN` 和
 `CAP_SYS_TIME` 权能：

-{{% codenew file="pods/security/security-context-4.yaml" %}}
+{{% code file="pods/security/security-context-4.yaml" %}}

 <!--
 Create the Pod:
@ -872,4 +872,3 @@ kubectl delete pod security-context-demo-4
 * [AllowPrivilegeEscalation 的设计文档（英文）](https://github.com/kubernetes/design-proposals-archive/blob/main/auth/no-new-privs.md)
 * 关于在 Linux 系统中的安全机制的更多信息，可参阅
  [Linux 内核安全性能力概述](https://www.linux.com/learn/overview-linux-kernel-security-features)（注意：部分信息已过时）。
-