Merge pull request #33010 from my-git9/ingress-minikube2
[zh] Update access-cluster.md
commit
bb45e8a2ed
|
|
@ -316,82 +316,32 @@ Python 客户端可以像 kubectl CLI 一样使用相同的
|
|||
## Accessing the API from a Pod
|
||||
|
||||
When accessing the API from a pod, locating and authenticating
|
||||
to the apiserver are somewhat different.
|
||||
|
||||
The recommended way to locate the apiserver within the pod is with
|
||||
the `kubernetes.default.svc` DNS name, which resolves to a Service IP which in turn
|
||||
will be routed to an apiserver.
|
||||
|
||||
The recommended way to authenticate to the apiserver is with a
|
||||
[service account](/docs/tasks/configure-pod-container/configure-service-account/) credential. By kube-system, a pod
|
||||
is associated with a service account, and a credential (token) for that
|
||||
service account is placed into the filesystem tree of each container in that pod,
|
||||
at `/var/run/secrets/kubernetes.io/serviceaccount/token`.
|
||||
to the API server are somewhat different.
|
||||
-->
|
||||
### 从 Pod 中访问 API {#accessing-the-api-from-a-pod}
|
||||
|
||||
当你从 Pod 中访问 API 时,定位和验证 apiserver 会有些许不同。
|
||||
|
||||
在 Pod 中定位 apiserver 的推荐方式是通过 `kubernetes.default.svc`
|
||||
这个 DNS 名称,该名称将会解析为服务 IP,然后服务 IP 将会路由到 apiserver。
|
||||
|
||||
向 apiserver 进行身份验证的推荐方法是使用
|
||||
[服务帐户](/zh/docs/tasks/configure-pod-container/configure-service-account/) 凭据。
|
||||
通过 kube-system,Pod 与服务帐户相关联,并且该服务帐户的凭证(token)
|
||||
被放置在该 Pod 中每个容器的文件系统中,位于
|
||||
`/var/run/secrets/kubernetes.io/serviceaccount/token`。
|
||||
当你从 Pod 中访问 API 时,定位和验证 API 服务器会有些许不同。
|
||||
|
||||
<!--
|
||||
If available, a certificate bundle is placed into the filesystem tree of each
|
||||
container at `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`, and should be
|
||||
used to verify the serving certificate of the apiserver.
|
||||
|
||||
Finally, the default namespace to be used for namespaced API operations is placed in a file
|
||||
at `/var/run/secrets/kubernetes.io/serviceaccount/namespace` in each container.
|
||||
Please check [Accessing the API from within a Pod](/docs/tasks/run-application/access-api-from-pod/)
|
||||
for more details.
|
||||
-->
|
||||
如果可用,则将证书放入每个容器的文件系统中的
|
||||
`/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`,
|
||||
并且应该用于验证 apiserver 的服务证书。
|
||||
|
||||
最后,名字空间作用域的 API 操作所使用的 default 名字空间将被放置在
|
||||
每个容器的 `/var/run/secrets/kubernetes.io/serviceaccount/namespace`
|
||||
文件中。
|
||||
|
||||
<!--
|
||||
From within a pod the recommended ways to connect to API are:
|
||||
|
||||
- run `kubectl proxy` in a sidecar container in the pod, or as a background
|
||||
process within the container. This proxies the
|
||||
Kubernetes API to the localhost interface of the pod, so that other processes
|
||||
in any container of the pod can access it.
|
||||
- use the Go client library, and create a client using the `rest.InClusterConfig()` and `kubernetes.NewForConfig()` functions.
|
||||
They handle locating and authenticating to the apiserver. [example](https://git.k8s.io/client-go/examples/in-cluster-client-configuration/main.go)
|
||||
|
||||
In each case, the credentials of the pod are used to communicate securely with the apiserver.
|
||||
-->
|
||||
在 Pod 中,建议连接 API 的方法是:
|
||||
|
||||
- 在 Pod 的边车容器中运行 `kubectl proxy`,或者以后台进程的形式运行。
|
||||
这将把 Kubernetes API 代理到当前 Pod 的 localhost 接口,
|
||||
所以 Pod 中的所有容器中的进程都能访问它。
|
||||
- 使用 Go 客户端库,并使用 `rest.InClusterConfig()` 和
|
||||
`kubernetes.NewForConfig()` 函数创建一个客户端。
|
||||
他们处理 apiserver 的定位和身份验证。
|
||||
[示例](https://git.k8s.io/client-go/examples/in-cluster-client-configuration/main.go)
|
||||
|
||||
在每种情况下,Pod 的凭证都是为了与 apiserver 安全地通信。
|
||||
请参阅[从 Pod 中访问 API](/zh/docs/tasks/run-application/access-api-from-pod/)
|
||||
了解更多详情。
|
||||
|
||||
<!--
|
||||
## Accessing services running on the cluster
|
||||
|
||||
The previous section describes how to connect to the Kubernetes API server. For information about connecting to other services running on a Kubernetes cluster, see [Access Cluster Services.](/docs/tasks/administer-cluster/access-cluster-services/)
|
||||
The previous section describes how to connect to the Kubernetes API server.
|
||||
For information about connecting to other services running on a Kubernetes cluster, see
|
||||
[Access Cluster Services](/docs/tasks/administer-cluster/access-cluster-services/).
|
||||
-->
|
||||
|
||||
## 访问集群上运行的服务 {#accessing-services-running-on-the-cluster}
|
||||
|
||||
上一节介绍了如何连接到 Kubernetes API 服务器。
|
||||
有关连接到 Kubernetes 集群上运行的其他服务的信息,请参阅[访问集群服务](/zh/docs/tasks/administer-cluster/access-cluster-services/)。
|
||||
|
||||
有关连接到 Kubernetes 集群上运行的其他服务的信息,请参阅
|
||||
[访问集群服务](/zh/docs/tasks/administer-cluster/access-cluster-services/)。
|
||||
|
||||
<!--
|
||||
## Requesting redirects
|
||||
|
|
|
|||
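Review bot: In the intro line `当你从 Pod 中访问 API 时,定位和验证 API 服务器会有些许不同。`, "验证 API 服务器" reads as verifying the server, while the English source it translates says "locating and authenticating to the API server", meaning the pod proving its identity to the server. The paragraph further down in this hunk already uses the unambiguous form `向 apiserver 进行身份验证`; suggest wording such as "定位 API 服务器和向其进行身份验证" here, so that client authentication with the service account token and server verification with `ca.crt` are not conflated. Separately, `### 从 Pod 中访问 API` sits one level below the `## Accessing the API from a Pod` heading in the English comment, whereas `## 访问集群上运行的服务` matches its source level; worth confirming the deeper level is intended.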