[zh] resync page admission-controllers.

Author: Zhuzhenghao

content/zh-cn/docs/reference/access-authn-authz/_index.md

@@ -1,12 +1,12 @@
 ---
 title: API 访问控制
-weight: 15
+weight: 30
 no_list: true
 ---
 
 <!--
 title: API Access Control
-weight: 15
+weight: 30
 no_list: true
 -->
 
@@ -40,21 +40,21 @@ Reference documentation:
 - [Kubelet Authentication & Authorization](/docs/reference/access-authn-authz/kubelet-authn-authz/)
   - including kubelet [TLS bootstrapping](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/)
 -->
+
 - [身份认证](/zh-cn/docs/reference/access-authn-authz/authentication/)
-   - [使用启动引导令牌来执行身份认证](/zh-cn/docs/reference/access-authn-authz/bootstrap-tokens/)
+  - [使用启动引导令牌来执行身份认证](/zh-cn/docs/reference/access-authn-authz/bootstrap-tokens/)
 - [准入控制器](/zh-cn/docs/reference/access-authn-authz/admission-controllers/)
-   - [动态准入控制](/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/)
+  - [动态准入控制](/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/)
 - [鉴权与授权](/zh-cn/docs/reference/access-authn-authz/authorization/)
-   - [基于角色的访问控制](/zh-cn/docs/reference/access-authn-authz/rbac/)
-   - [基于属性的访问控制](/zh-cn/docs/reference/access-authn-authz/abac/)
-   - [节点鉴权](/zh-cn/docs/reference/access-authn-authz/node/)
-   - [Webhook 鉴权](/zh-cn/docs/reference/access-authn-authz/webhook/)
+  - [基于角色的访问控制](/zh-cn/docs/reference/access-authn-authz/rbac/)
+  - [基于属性的访问控制](/zh-cn/docs/reference/access-authn-authz/abac/)
+  - [节点鉴权](/zh-cn/docs/reference/access-authn-authz/node/)
+  - [Webhook 鉴权](/zh-cn/docs/reference/access-authn-authz/webhook/)
 - [证书签名请求](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/)
-   - 包含 [CSR 的批复](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/#approval-rejection)
-     和[证书签名](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/#signing)
+  - 包含 [CSR 的批复](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/#approval-rejection)
+    和[证书签名](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/#signing)
 - 服务账号
   - [开发者指南](/zh-cn/docs/tasks/configure-pod-container/configure-service-account/)
   - [管理文档](/zh-cn/docs/reference/access-authn-authz/service-accounts-admin/)
 - [Kubelet 认证和鉴权](/zh-cn/docs/reference/access-authn-authz/kubelet-authn-authz/)
   - 包括 kubelet [TLS 启动引导](/zh-cn/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/)
-

content/zh-cn/docs/reference/access-authn-authz/admission-controllers.md

@@ -1041,9 +1041,9 @@ This file may be json or yaml and has the following format:
 
 ```yaml
 podNodeSelectorPluginConfig:
- clusterDefaultNodeSelector: name-of-node-selector
- namespace1: name-of-node-selector
- namespace2: name-of-node-selector
+  clusterDefaultNodeSelector: name-of-node-selector
+  namespace1: name-of-node-selector
+  namespace2: name-of-node-selector
 ```
 
 <!--
@@ -1123,36 +1123,26 @@ PodNodeSelector 允许 Pod 强制在特定标签的节点上运行。
 {{< feature-state for_k8s_version="v1.25" state="stable" >}}
 
 <!--
-This is the replacement for the deprecated [PodSecurityPolicy](#podsecuritypolicy) admission controller
-defined in the next section. This admission controller acts on creation and modification of the pod and
-determines if it should be admitted based on the requested security context and the 
-[Pod Security Standards](/docs/concepts/security/pod-security-standards/).
-
-See the [Pod Security Admission documentation](/docs/concepts/security/pod-security-admission/)
-for more information.
+The PodSecurity admission controller checks new Pods before they are
+admitted, determines if it should be admitted based on the requested security context and the restrictions on permitted
+[Pod Security Standards](/docs/concepts/security/pod-security-standards/)
+for the namespace that the Pod would be in.
 -->
-这是下节所讨论的已被废弃的 [PodSecurityPolicy](#podsecuritypolicy) 准入控制器的替代品。
-此准入控制器负责在创建和修改 Pod 时，根据请求的安全上下文和
-[Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards/)来确定是否可以执行请求。
-
-更多信息请参阅 [Pod 安全性准入控制器](/zh-cn/docs/concepts/security/pod-security-admission/)。
-
-### PodSecurityPolicy {#podsecuritypolicy}
-
-{{< feature-state for_k8s_version="v1.21" state="deprecated" >}}
+PodSecurity 准入控制器在新 Pod 被准入之前对其进行检查，
+根据请求的安全上下文和 Pod 所在命名空间允许的
+[Pod 安全性标准](/zh/docs/concepts/security/pod-security-standards/)的限制来确定新 Pod
+是否应该被准入。
 
 <!--
-This admission controller acts on creation and modification of the pod and determines if it should be admitted
-based on the requested security context and the available Pod Security Policies.
+See the [Pod Security Admission](/docs/concepts/security/pod-security-admission/)
+documentation for more information.
 -->
-此准入控制器负责在创建和修改 Pod 时根据请求的安全上下文和可用的 Pod
-安全策略确定是否可以执行请求。
+更多信息请参阅 [Pod 安全性准入](/zh-cn/docs/concepts/security/pod-security-admission/)。
 
 <!--
-See also the [PodSecurityPolicy](/docs/concepts/security/pod-security-policy/) documentation
-for more information.
+PodSecurity replaced an older admission controller named PodSecurityPolicy.
 -->
-查看 [Pod 安全策略文档](/zh-cn/docs/concepts/security/pod-security-policy/)进一步了解其间细节。
+PodSecurity 取代了一个名为 PodSecurityPolicy 的旧准入控制器。
 
 ### PodTolerationRestriction {#podtolerationrestriction}
 
@@ -1364,7 +1354,7 @@ conditions.
 ### ValidatingAdmissionPolicy {#validatingadmissionpolicy}
 
 <!--
-[This admission controller](/docs/reference/access-authn-authz/validating-admission-policy/) implements the CEL validation for incoming matched requests. 
+[This admission controller](/docs/reference/access-authn-authz/validating-admission-policy/) implements the CEL validation for incoming matched requests.
 It is enabled when both feature gate `validatingadmissionpolicy` and `admissionregistration.k8s.io/v1alpha1` group/version are enabled.
 If any of the ValidatingAdmissionPolicy fails, the request fails.
 -->

content/zh-cn/docs/reference/access-authn-authz/kubelet-tls-bootstrapping.md

@@ -140,8 +140,8 @@ In the bootstrap initialization process, the following occurs:
 6. kubelet 现在拥有受限制的凭据来创建和取回证书签名请求（CSR）
 7. kubelet 为自己创建一个 CSR，并将其 signerName 设置为 `kubernetes.io/kube-apiserver-client-kubelet`
 8. CSR 被以如下两种方式之一批复：
-  * 如果配置了，kube-controller-manager 会自动批复该 CSR
-  * 如果配置了，一个外部进程，或者是人，使用 Kubernetes API 或者使用 `kubectl`
+   * 如果配置了，kube-controller-manager 会自动批复该 CSR
+   * 如果配置了，一个外部进程，或者是人，使用 Kubernetes API 或者使用 `kubectl`
     来批复该 CSR
 9. kubelet 所需要的证书被创建
 <!--
@@ -271,7 +271,7 @@ of provisioning.
 2. [令牌认证文件](#token-authentication-file)
 
 <!--
-Using Bootstrap tokens are a simpler and more easily managed method to authenticate kubelets, and do not require any additional flags when starting kube-apiserver.
+Using bootstrap tokens is a simpler and more easily managed method to authenticate kubelets, and does not require any additional flags when starting kube-apiserver.
 -->
 启动引导令牌是一种对 kubelet 进行身份认证的方法，相对简单且容易管理，
 且不需要在启动 kube-apiserver 时设置额外的标志。
@@ -589,7 +589,7 @@ roleRef:
 
 <!--
 The `csrapproving` controller that ships as part of
-[kube-controller-manager](/docs/admin/kube-controller-manager/) and is enabled
+[kube-controller-manager](/docs/reference/command-line-tools-reference/kube-controller-manager/) and is enabled
 by default. The controller uses the
 [`SubjectAccessReview` API](/docs/reference/access-authn-authz/authorization/#checking-api-access) to
 determine if a given user is authorized to request a CSR, then approves based on
@@ -787,7 +787,7 @@ or pass the following command line argument to the kubelet (deprecated):
 <!--
 Enabling `RotateKubeletServerCertificate` causes the kubelet **both** to request a serving
 certificate after bootstrapping its client credentials **and** to rotate that
-certificate. To enable this behavior, use the field `serverTLSBootstrap`  of 
+certificate. To enable this behavior, use the field `serverTLSBootstrap` of
 the [kubelet configuration file](/docs/tasks/administer-cluster/kubelet-config-file/)
 or pass the following command line argument to the kubelet (deprecated):
 -->
@@ -869,12 +869,12 @@ You have several options for generating these credentials:
 <!--
 ## kubectl approval
 
-CSRs can be approved outside of the approval flows builtin into the controller
+CSRs can be approved outside of the approval flows built into the controller
 manager.
 -->
 ## kubectl 批复    {#kubectl-approval}
 
-CSRs 可以在控制器管理其内置的批复工作流之外被批复。
+CSR 可以在编译进控制器内部的批复工作流之外被批复。
 
 <!--
 The signing controller does not immediately sign all certificate requests.

content/zh-cn/docs/reference/glossary/service.md

@@ -28,18 +28,32 @@ tags:
 ---
 -->
 
-
 <!--
-An abstract way to expose an application running on a set of {{< glossary_tooltip text="Pods" term_id="pod" >}} as a network service.
+A method for exposing a network application that is running as one or more
+{{< glossary_tooltip text="Pods" term_id="pod" >}} in your cluster.
 -->
 
-将运行在一组 {{< glossary_tooltip text="Pods" term_id="pod" >}} 上的应用程序公开为网络服务的抽象方法。
+将运行在一个或一组 {{< glossary_tooltip text="Pod" term_id="pod" >}} 上的网络应用程序公开为网络服务的方法。
 
 <!--more-->
 
 <!--
- The set of Pods targeted by a Service is (usually) determined by a {{< glossary_tooltip text="selector" term_id="selector" >}}. If more Pods are added or removed, the set of Pods matching the selector will change. The Service makes sure that network traffic can be directed to the current set of Pods for the workload.
+The set of Pods targeted by a Service is (usually) determined by a
+{{< glossary_tooltip text="selector" term_id="selector" >}}. If more Pods are added or removed,
+the set of Pods matching the selector will change. The Service makes sure that network traffic
+can be directed to the current set of Pods for the workload.
 -->
 服务所针对的 Pod 集（通常）由{{< glossary_tooltip text="选择算符" term_id="selector" >}}确定。
 如果有 Pod 被添加或被删除，则与选择算符匹配的 Pod 集合将发生变化。
 服务确保可以将网络流量定向到该工作负载的当前 Pod 集合。
+
+<!--
+Kubernetes Services either use IP networking (IPv4, IPv6, or both), or reference an external name in
+the Domain Name System (DNS).
+
+The Service abstraction enables other mechanisms, such as Ingress and Gateway.
+-->
+
+Kubernetes Service 要么使用 IP 网络（IPv4、IPv6 或两者），要么引用位于域名系统 (DNS) 中的外部名称。
+
+Service 的抽象可以实现其他机制，如 Ingress 和 Gateway。

content/zh-cn/docs/reference/kubectl/cheatsheet.md

@@ -72,12 +72,12 @@ echo '[[ $commands[kubectl] ]] && source <(kubectl completion zsh)' >> ~/.zshrc
 ```
 
 <!--
-### A Note on `--all-namespaces`
+### A note on `--all-namespaces`
 -->
 ### 关于 `--all-namespaces` 的一点说明    {#a-note-on-all-namespaces}
 
 <!--
-Appending `--all-namespaces` happens frequently enough where you should be aware of the shorthand for `--all-namespaces`:
+Appending `--all-namespaces` happens frequently enough that you should be aware of the shorthand for `--all-namespaces`:
 -->
 我们经常用到 `--all-namespaces` 参数，你应该要知道它的简写：
 
@@ -178,6 +178,7 @@ alias kn='f() { [ "$1" ] && kubectl config set-context --current --namespace $1
 
 <!--
 ## Kubectl apply
+
 `apply` manages applications through files defining Kubernetes resources. It creates and updates resources in a cluster through running `kubectl apply`. This is the recommended way of managing Kubernetes applications on production. See [Kubectl Book](http://kubectl.docs.kubernetes.io).
 -->
 ## Kubectl apply

content/zh-cn/docs/reference/kubectl/docker-cli-to-kubectl.md

@@ -1,13 +1,15 @@
 ---
 title: 适用于 Docker 用户的 kubectl
 content_type: concept
+weight: 50
 ---
 <!--
 title: kubectl for Docker Users
 content_type: concept
 reviewers:
 - brendandburns
 - thockin
+weight: 50
 -->
 
 <!-- overview -->

content/zh-cn/docs/reference/using-api/_index.md

@@ -1,7 +1,7 @@
 ---
 title: API 概述
 content_type: concept
-weight: 10
+weight: 20
 no_list: true
 card:
   name: reference
@@ -16,7 +16,7 @@ reviewers:
 - lavalamp
 - jbeda
 content_type: concept
-weight: 10
+weight: 20
 no_list: true
 card:
   name: reference
@@ -218,7 +218,7 @@ part is omitted, it is treated as if `=true` is specified. For example:
 
  - to disable `batch/v1`, set `--runtime-config=batch/v1=false`
  - to enable `batch/v2alpha1`, set `--runtime-config=batch/v2alpha1`
- - to enable a specific version of an API, such as `storage.k8s.io/v1beta1/csistoragecapacities`, set `--runtime-config=storage.k8s.io/v1beta1/csistoragecapacities` 
+ - to enable a specific version of an API, such as `storage.k8s.io/v1beta1/csistoragecapacities`, set `--runtime-config=storage.k8s.io/v1beta1/csistoragecapacities`
 -->
 ## 启用或禁用 API 组   {#enabling-or-disabling}