Merge pull request #29368 from howieyuen/tutorial

[zh]sync tutorials files for 1.22
2021-08-16 20:16:00 -07:00 · 2021-08-16 20:16:00 -07:00 · bb3e36d473
parent 2429254d6b 9075aa237f
commit bb3e36d473
9 changed files with 156 additions and 34 deletions
--- a/content/zh/docs/tutorials/_index.md
+++ b/content/zh/docs/tutorials/_index.md
@ -99,11 +99,11 @@ Kubernetes 文档的这一部分包含教程。每个教程展示了如何完成
 <!--
 ## Clusters

-* [AppArmor](/docs/tutorials/clusters/apparmor/)
+* [seccomp](/docs/tutorials/clusters/seccomp/)
 -->
 ## 集群

-* [AppArmor](/zh/docs/tutorials/clusters/apparmor/)
+* [seccomp](/zh/docs/tutorials/clusters/seccomp/)

 <!--
 ## Services
--- a/content/zh/docs/tutorials/clusters/apparmor.md
+++ b/content/zh/docs/tutorials/clusters/apparmor.md
@ -447,6 +447,15 @@ node with the required profile. -->
 <!-- ### Restricting profiles with the PodSecurityPolicy -->
 ### 使用 PodSecurityPolicy 限制配置文件

+{{< note >}}
+<!-- 
+PodSecurityPolicy is deprecated in Kubernetes v1.21, and will be removed in v1.25.
+See [PodSecurityPolicy documentation](/docs/concepts/policy/pod-security-policy/) for more information.
+-->
+PodSecurityPolicy 在 Kubernetes v1.21 版本中已被废弃，将在 v1.25 版本移除。
+查看 [PodSecurityPolicy 文档](/zh/docs/concepts/policy/pod-security-policy/)获取更多信息。
+{{< /note >}}
+
 <!-- If the PodSecurityPolicy extension is enabled, cluster-wide AppArmor restrictions can be applied. To
 enable the PodSecurityPolicy, the following flag must be set on the `apiserver`: -->
 如果启用了 PodSecurityPolicy 扩展，则可以应用群集范围的 AppArmor 限制。要启用 PodSecurityPolicy，必须在“apiserver”上设置以下标志：
--- a/content/zh/docs/tutorials/clusters/seccomp.md
+++ b/content/zh/docs/tutorials/clusters/seccomp.md
@ -2,6 +2,7 @@
 title: 使用 Seccomp 限制容器的系统调用
 content_type: tutorial
 weight: 20
+min-kubernetes-server-version: v1.22
 ---

 <!-- overview -->
@ -10,7 +11,7 @@ weight: 20

 <!--
 Seccomp stands for secure computing mode and has been a feature of the Linux
-kernel since version 2.6.12.  It can be used to sandbox the privileges of a
+kernel since version 2.6.12. It can be used to sandbox the privileges of a
 process, restricting the calls it is able to make from userspace into the
 kernel. Kubernetes lets you automatically apply seccomp profiles loaded onto a
 Node to your Pods and containers.
@ -49,20 +50,118 @@ Kubernetes 允许你将加载到节点上的 seccomp 配置文件自动应用于

 ## {{% heading "prerequisites" %}}

+{{< version-check >}}
+
 <!--
 In order to complete all steps in this tutorial, you must install
 [kind](https://kind.sigs.k8s.io/docs/user/quick-start/) and
 [kubectl](/docs/tasks/tools/). This tutorial will show examples
-with both alpha (pre-v1.19) and generally available seccomp functionality, so
+both alpha (new in v1.22) and generally available seccomp functionality. You should
 make sure that your cluster is [configured
 correctly](https://kind.sigs.k8s.io/docs/user/quick-start/#setting-kubernetes-version)
 for the version you are using.
 -->
 为了完成本教程中的所有步骤，你必须安装 [kind](https://kind.sigs.k8s.io/docs/user/quick-start/) 
-和 [kubectl](/zh/docs/tasks/tools/)。本教程将显示同时具有 alpha（v1.19 之前的版本）
-和通常可用的 seccomp 功能的示例，因此请确保为所使用的版本[正确配置](https://kind.sigs.k8s.io/docs/user/quick-start/#setting-kubernetes-version)了集群。
+和 [kubectl](/zh/docs/tasks/tools/)。本教程将显示同时具有 alpha（v1.22 新版本）
+和通常可用的 seccomp 功能的示例。
+你应该确保为所使用的版本[正确配置](https://kind.sigs.k8s.io/docs/user/quick-start/#setting-kubernetes-version)了集群。

 <!-- steps -->
+
+<!-- 
+## Enable the use of `RuntimeDefault` as the default seccomp profile for all workloads
+
+{{< feature-state state="alpha" for_k8s_version="v1.22" >}}
+
+`SeccompDefault` is an optional kubelet
+[feature gate](/docs/reference/command-line-tools-reference/feature-gates) as
+well as corresponding `--seccomp-default`
+[command line flag](/docs/reference/command-line-tools-reference/kubelet).
+Both have to be enabled simultaneously to use the feature.
+-->
+## 启用 `RuntimeDefault` 作为所有工作负载的默认 seccomp 配置文件
+
+{{< feature-state state="alpha" for_k8s_version="v1.22" >}}
+
+`SeccompDefault` 是一个可选的 kubelet
+[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates)，
+相应地，`--seccomp-default` 是此特性门控的
+[命令行标志](/zh/docs/reference/command-line-tools-reference/kubelet)。
+必须同时启用两者才能使用该功能。
+
+<!-- 
+If enabled, the kubelet will use the `RuntimeDefault` seccomp profile by default, which is 
+defined by the container runtime, instead of using the `Unconfined` (seccomp disabled) mode. 
+The default profiles aim to provide a strong set
+of security defaults while preserving the functionality of the workload. It is
+possible that the default profiles differ between container runtimes and their
+release versions, for example when comparing those from CRI-O and containerd.
+-->
+如果启用，kubelet 将默认使用 `RuntimeDefault` seccomp 配置，
+而不是使用 `Unconfined`（禁用 seccomp）模式，该配置由容器运行时定义。
+默认配置旨在提供一组强大的安全默认值设置，同时避免影响工作负载的功能。
+不同的容器运行时之间及其不同的发布版本之间的默认配置可能不同，
+例如在比较 CRI-O 和 containerd 的配置文件时（就会发现这点）。
+
+<!-- 
+Some workloads may require a lower amount of syscall restrictions than others.
+This means that they can fail during runtime even with the `RuntimeDefault`
+profile. To mitigate such a failure, you can:
+
+- Run the workload explicitly as `Unconfined`.
+- Disable the `SeccompDefault` feature for the nodes. Also making sure that
+  workloads get scheduled on nodes where the feature is disabled.
+- Create a custom seccomp profile for the workload.
+-->
+某些工作负载可能相比其他工作负载需要更少的系统调用限制。
+这意味着即使使用 `RuntimeDefault` 配置文件，它们也可能在运行时失败。
+要处理此类失效，你可以：
+
+- 将工作负载显式运行为 `Unconfined`。
+- 禁用节点的 `SeccompDefault` 功能。
+  还要确保工作负载被安排在禁用该功能的节点上。
+- 为工作负载创建自定义 seccomp 配置文件。
+
+<!-- 
+If you were introducing this feature into production-like cluster, the Kubernetes project
+recommends that you enable this feature gate on a subset of your nodes and then
+test workload execution before rolling the change out cluster-wide.
+
+More detailed information about a possible upgrade and downgrade strategy can be
+found in the [related Kubernetes Enhancement Proposal (KEP)](https://github.com/kubernetes/enhancements/tree/a70cc18/keps/sig-node/2413-seccomp-by-default#upgrade--downgrade-strategy).
+-->
+如果你将此功能引入到类似生产的集群中，
+Kubernetes 项目建议你在节点的子集上启用此特性门控，
+然后在集群范围内推出更改之前测试工作负载的执行情况。
+
+有关可能的升级和降级策略的更多详细信息，
+请参见[相关 Kubernetes 增强提案 (KEP)](https://github.com/kubernetes/enhancements/tree/a70cc18/keps/sig-node/2413-seccomp-by-default#upgrade--downgrade-strategy)。
+
+<!-- 
+Since the feature is in alpha state it is disabled per default. To enable it,
+pass the flags `--feature-gates=SeccompDefault=true --seccomp-default` to the
+`kubelet` CLI or enable it via the [kubelet configuration
+file](/docs/tasks/administer-cluster/kubelet-config-file/). To enable the
+feature gate in [kind](https://kind.sigs.k8s.io), ensure that `kind` provides
+the minimum required Kubernetes version and enables the `SeccompDefault` feature
+[in the kind configuration](https://kind.sigs.k8s.io/docs/user/quick-start/#enable-feature-gates-in-your-cluster):
+-->
+由于该功能处于 alpha 状态，因此默认情况下是被禁用的。要启用它，
+请将标志 `--feature-gates=SeccompDefault=true --seccomp-default` 
+传递给 `kubelet` CLI 或通过
+[kubelet 配置文件](/zh/docs/tasks/administer-cluster/kubelet-config-file/)启用它。
+要在 [kind](https://kind.sigs.k8s.io) 中启用特性门控，
+请确保 `kind` 提供所需的最低 Kubernetes 版本并
+[在 kind 配置中](https://kind.sigs.k8s.io/docs/user/quick-start/#enable-feature-gates-in-your-cluster)
+启用 `SeccompDefault` 功能：
+
+```yaml
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+featureGates:
+  SeccompDefault: true
+```
+
 <!--
 ## Create Seccomp Profiles

@ -151,14 +250,14 @@ audit.json  fine-grained.json  violation.json
 ```

 <!--
-## Create a Pod with a Seccomp profile for syscall auditing
+## Create a Pod with a seccomp profile for syscall auditing

 To start off, apply the `audit.json` profile, which will log all syscalls of the
 process, to a new Pod.

 Download the correct manifest for your Kubernetes version:
 -->
-## 使用 Seccomp 配置文件创建 Pod 以进行系统调用审核
+## 使用 seccomp 配置文件创建 Pod 以进行系统调用审核

 首先，将 `audit.json` 配置文件应用到新的 Pod 中，该配置文件将记录该进程的所有系统调用。

@ -297,14 +396,14 @@ kubectl delete svc/audit-pod
 ```

 <!--
-## Create Pod with Seccomp Profile that Causes Violation
+## Create Pod with seccomp Profile that Causes Violation

 For demonstration, apply a profile to the Pod that does not allow for any
 syscalls.

 Download the correct manifest for your Kubernetes version:
 -->
-## 使用导致违规的 Seccomp 配置文件创建 Pod
+## 使用导致违规的 seccomp 配置文件创建 Pod

 为了进行演示，请将不允许任何系统调用的配置文件应用于 Pod。

@ -364,7 +463,7 @@ kubectl delete svc/violation-pod
 ```

 <!--
-## Create Pod with Seccomp Profile that Only Allows Necessary Syscalls
+## Create Pod with seccomp Profile that Only Allows Necessary Syscalls

 If you take a look at the `fine-pod.json`, you will notice some of the syscalls
 seen in the first example where the profile set `"defaultAction":
@ -375,7 +474,7 @@ sent to `syslog`.

 Download the correct manifest for your Kubernetes version:
 -->
-## 使用设置仅允许需要的系统调用的配置文件来创建 Pod
+## 使用设置仅允许需要的系统调用的 seccomp 配置文件来创建 Pod

 如果你看一下 `fine-pod.json` 文件，你会注意到在第一个示例中配置文件设置为 `"defaultAction": "SCMP_ACT_LOG"` 的一些系统调用。
 现在，配置文件设置为 `"defaultAction": "SCMP_ACT_ERRNO"`，但是在 `"action": "SCMP_ACT_ALLOW"` 块中明确允许一组系统调用。
@ -482,7 +581,7 @@ kubectl delete svc/fine-pod
 ```

 <!--
-## Create Pod that uses the Container Runtime Default Seccomp Profile
+## Create Pod that uses the Container Runtime Default seccomp Profile

 Most container runtimes provide a sane set of default syscalls that are allowed
 or not. The defaults can easily be applied in Kubernetes by using the
@ -491,7 +590,7 @@ of a pod or container to `RuntimeDefault`.

 Download the correct manifest for your Kubernetes version:
 -->
-## 使用容器运行时默认的 Seccomp 配置文件创建 Pod
+## 使用容器运行时默认的 seccomp 配置文件创建 Pod

 大多数容器运行时都提供一组允许或不允许的默认系统调用。通过使用 `runtime/default` 注释
 或将 Pod 或容器的安全上下文中的 seccomp 类型设置为 `RuntimeDefault`，可以轻松地在 Kubernetes 中应用默认值。
@ -518,10 +617,10 @@ The default seccomp profile should provide adequate access for most workloads.
 <!--
 Additional resources:

-* [A Seccomp Overview](https://lwn.net/Articles/656307/)
+* [A seccomp Overview](https://lwn.net/Articles/656307/)
 * [Seccomp Security Profiles for Docker](https://docs.docker.com/engine/security/seccomp/)
 -->
 额外的资源：

-* [Seccomp 概要](https://lwn.net/Articles/656307/)
+* [seccomp 概要](https://lwn.net/Articles/656307/)
 * [Seccomp 在 Docker 中的安全配置](https://docs.docker.com/engine/security/seccomp/)
--- a/content/zh/docs/tutorials/configuration/configure-redis-using-configmap.md
+++ b/content/zh/docs/tutorials/configuration/configure-redis-using-configmap.md
@ -79,7 +79,7 @@ Apply the ConfigMap created above, along with a Redis pod manifest:

 ```shell
 kubectl apply -f example-redis-config.yaml
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/website/master/content/en/examples/pods/config/redis-pod.yaml
+kubectl apply -f https://k8s.io/examples/pods/config/redis-pod.yaml
 ```

 <!--
@ -298,7 +298,7 @@ values from associated ConfigMaps. Let's delete and recreate the Pod:

 ```shell
 kubectl delete pod redis
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/website/master/content/en/examples/pods/config/redis-pod.yaml
+kubectl apply -f https://k8s.io/examples/pods/config/redis-pod.yaml
 ```

 <!--
--- a/content/zh/docs/tutorials/hello-minikube.md
+++ b/content/zh/docs/tutorials/hello-minikube.md
@ -110,19 +110,32 @@ This tutorial provides a container image that uses NGINX to echo back all the re
 4. 仅限 Katacoda 环境：输入“30000”，然后单击 **显示端口**。

 <!--
-The `dashboard` command enables the dashboard add-on and opens the proxy in the default web browser. You can create Kubernetes resources on the dashboard such as Deployment and Service.
+The `dashboard` command enables the dashboard add-on and opens the proxy in the default web browser. 
+You can create Kubernetes resources on the dashboard such as Deployment and Service.

 If you are running in an environment as root, see [Open Dashboard with URL](#open-dashboard-with-url).

-To stop the proxy, run `Ctrl+C` to exit the process. The dashboard remains running.
+By default, the dashboard is only accessible from within the internal Kubernetes virtual network.
+The `dashboard` command creates a temporary proxy to make the dashboard accessible from outside the Kubernetes virtual network.
+
+To stop the proxy, run `Ctrl+C` to exit the process.
+After the command exits, the dashboard remains running in Kubernetes cluster.
+You can run the `dashboard` command again to create another proxy to access the dashboard.
 -->
 {{< note >}}
-`dashboard` 命令启用仪表板插件，并在默认的 Web 浏览器中打开代理。你可以在仪表板上创建 Kubernetes 资源，例如 Deployment 和 Service。
+`dashboard` 命令启用仪表板插件，并在默认的 Web 浏览器中打开代理。
+你可以在仪表板上创建 Kubernetes 资源，例如 Deployment 和 Service。

 如果你以 root 用户身份在环境中运行，
 请参见[使用 URL 打开仪表板](#open-dashboard-with-url)。

+默认情况下，仪表板只能从内部 Kubernetes 虚拟网络中访问。
+`dashboard` 命令创建一个临时代理，使仪表板可以从 Kubernetes 虚拟网络外部访问。
+
 要停止代理，请运行 `Ctrl+C` 退出该进程。仪表板仍在运行中。
+命令退出后，仪表板仍然在 Kubernetes 集群中运行。
+你可以再次运行 `dashboard` 命令创建另一个代理来访问仪表板。
+
 {{< /note >}}

 <!--
@ -387,7 +400,7 @@ Minikube 有一组内置的 {{< glossary_tooltip text="插件" term_id="addons"
   输出结果类似于这样：

   ```
-   metrics-server was successfully enabled
+   The 'metrics-server' addon is enabled
   ```

 <!--
--- a/content/zh/docs/tutorials/stateful-application/basic-stateful-set.md
+++ b/content/zh/docs/tutorials/stateful-application/basic-stateful-set.md
@ -1239,16 +1239,16 @@ kubectl get pods -w -l app=nginx

 <!--
 Use [`kubectl delete`](/docs/reference/generated/kubectl/kubectl-commands/#delete) to delete the
-StatefulSet. Make sure to supply the `--cascade=false` parameter to the
+StatefulSet. Make sure to supply the `--cascade=orphan` parameter to the
 command. This parameter tells Kubernetes to only delete the StatefulSet, and to
 not delete any of its Pods.
 -->

 使用 [`kubectl delete`](/zh/docs/reference/generated/kubectl/kubectl-commands/#delete) 删除 StatefulSet。
-请确保提供了 `--cascade=false` 参数给命令。这个参数告诉 Kubernetes 只删除 StatefulSet 而不要删除它的任何 Pod。
+请确保提供了 `--cascade=orphan` 参数给命令。这个参数告诉 Kubernetes 只删除 StatefulSet 而不要删除它的任何 Pod。

 ```shell
-kubectl delete statefulset web --cascade=false
+kubectl delete statefulset web --cascade=orphan
 ```
 ```
 statefulset.apps "web" deleted
@ -1416,9 +1416,10 @@ kubectl get pods -w -l app=nginx

 <!--
 In another terminal, delete the StatefulSet again. This time, omit the
+`--cascade=orphan` parameter.
 -->

-在另一个窗口中再次删除这个 StatefulSet。这次省略 `--cascade=false` 参数。
+在另一个窗口中再次删除这个 StatefulSet。这次省略 `--cascade=orphan` 参数。

 ```shell
 kubectl delete statefulset web
--- a/content/zh/docs/tutorials/stateful-application/cassandra.md
+++ b/content/zh/docs/tutorials/stateful-application/cassandra.md
@ -87,14 +87,14 @@ To complete this tutorial, you should already have a basic familiarity with
 ### Additional Minikube setup instructions

 {{< caution >}}
-[Minikube](https://minikube.sigs.k8s.io/docs/) defaults to 1024MiB of memory and 1 CPU.
+[Minikube](https://minikube.sigs.k8s.io/docs/) defaults to 2048MB of memory and 2 CPU.
 Running Minikube with the default resource configuration results in insufficient resource
 errors during this tutorial. To avoid these errors, start Minikube with the following settings:
 -->
 ### 额外的 Minikube 设置说明

 {{< caution >}}
-[Minikube](https://minikube.sigs.k8s.io/docs/)默认为 1024MiB 内存和 1 个 CPU。
+[Minikube](https://minikube.sigs.k8s.io/docs/)默认为 2048MB 内存和 2 个 CPU。
 在本教程中，使用默认资源配置运行 Minikube 会导致资源不足的错误。为避免这些错误，请使用以下设置启动 Minikube：

 ```shell
--- a/content/zh/docs/tutorials/stateful-application/zookeeper.md
+++ b/content/zh/docs/tutorials/stateful-application/zookeeper.md
@ -1412,7 +1412,7 @@ drain the node on which the `zk-0` Pod is scheduled.
 来隔离和腾空 `zk-0` Pod 调度所在的节点。

 ```shell
-kubectl drain $(kubectl get pod zk-0 --template {{.spec.nodeName}}) --ignore-daemonsets --force --delete-local-data
+kubectl drain $(kubectl get pod zk-0 --template {{.spec.nodeName}}) --ignore-daemonsets --force --delete-emptydir-data
 ```

 ```
@ -1453,7 +1453,7 @@ Keep watching the `StatefulSet`'s Pods in the first terminal and drain the node
 在第一个终端中持续观察 StatefulSet 的 Pods 并腾空 `zk-1` 调度所在的节点。

 ```shell
-kubectl drain $(kubectl get pod zk-1 --template {{.spec.nodeName}}) --ignore-daemonsets --force --delete-local-data "kubernetes-node-ixsl" cordoned
+kubectl drain $(kubectl get pod zk-1 --template {{.spec.nodeName}}) --ignore-daemonsets --force -delete-emptydir-data "kubernetes-node-ixsl" cordoned
 ```

 ```
@ -1504,7 +1504,7 @@ Continue to watch the Pods of the stateful set, and drain the node on which
 继续观察 StatefulSet 中的 Pods 并腾空 `zk-2` 调度所在的节点。

 ```shell
-kubectl drain $(kubectl get pod zk-2 --template {{.spec.nodeName}}) --ignore-daemonsets --force --delete-local-data
+kubectl drain $(kubectl get pod zk-2 --template {{.spec.nodeName}}) --ignore-daemonsets --force --delete-emptydir-data
 ```
 ```
 node "kubernetes-node-i4c4" cordoned
@ -1610,7 +1610,7 @@ Attempt to drain the node on which `zk-2` is scheduled.
 尝试腾空 `zk-2` 调度所在的节点。

 ```shell
-kubectl drain $(kubectl get pod zk-2 --template {{.spec.nodeName}}) --ignore-daemonsets --force --delete-local-data
+kubectl drain $(kubectl get pod zk-2 --template {{.spec.nodeName}}) --ignore-daemonsets --force --delete-emptydir-data
 ```

 <!--
--- a/content/zh/docs/tutorials/stateless-application/guestbook.md
+++ b/content/zh/docs/tutorials/stateless-application/guestbook.md
@ -32,11 +32,11 @@ This tutorial shows you how to build and deploy a simple _(not production ready)
 一个简单的_(非面向生产)的_多层 web 应用程序。本例由以下组件组成：

 <!--
-* A single-instance [Redis](https://www.redis.com/) to store guestbook entries
+* A single-instance [Redis](https://www.redis.io/) to store guestbook entries
 * Multiple web frontend instances
 -->

-* 单实例 [Redis](https://www.redis.com/) 以保存留言板条目
+* 单实例 [Redis](https://www.redis.io/) 以保存留言板条目
 * 多个 web 前端实例

 ## {{% heading "objectives" %}}