Merge pull request #47999 from mengjiao-liu/sync-example-access-zh-cn

[zh-cn] Resync access and admin related examples files

Author: k8s-ci-robot

content/zh-cn/examples/access/deployment-replicas-policy.yaml

@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1alpha1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
   name: "deploy-replica-policy.example.com"

content/zh-cn/examples/access/image-matches-namespace-environment.policy.yaml

@@ -3,7 +3,7 @@
 # 例如，如果命名空间的标签为 {"environment": "staging"}，则所有容器镜像必须是
 # staging.example.com/* 或根本不包含 “example.com”，除非 Deployment 有
 # {"exempt": "true"} 标签。
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
   name: "image-matches-namespace-environment.policy.example.com"

content/zh-cn/examples/access/validating-admission-policy-audit-annotation.yaml

@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1alpha1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
   name: "demo-policy.example.com"
@@ -11,6 +11,8 @@ spec:
       operations:  ["CREATE", "UPDATE"]
       resources:   ["deployments"]
   validations:
-    - key: "high-replica-count"
-      expression: "object.spec.replicas > 50"
+    - expression: "object.spec.replicas > 50"
       messageExpression: "'Deployment spec.replicas set to ' + string(object.spec.replicas)"
+  auditAnnotations:
+    - key: "high-replica-count"
+      valueExpression: "'Deployment spec.replicas set to ' + string(object.spec.replicas)"

content/zh-cn/examples/access/validating-admission-policy-match-conditions.yaml

@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1alpha1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
   name: "demo-policy.example.com"

content/zh-cn/examples/admin/resource/limit-range-pod-3.yaml

@@ -6,6 +6,7 @@ spec:
   containers:
   - name: busybox-cnt01
     image: busybox:1.28
+    command: ["sleep", "3600"]
     resources:
       limits:
         memory: "300Mi"

content/zh-cn/examples/admin/sched/my-scheduler.yaml

@@ -17,6 +17,33 @@ roleRef:
   name: system:kube-scheduler
   apiGroup: rbac.authorization.k8s.io
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: my-scheduler-as-volume-scheduler
+subjects:
+- kind: ServiceAccount
+  name: my-scheduler
+  namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: system:volume-scheduler
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: my-scheduler-extension-apiserver-authentication-reader
+  namespace: kube-system
+roleRef:
+  kind: Role
+  name: extension-apiserver-authentication-reader
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+  name: my-scheduler
+  namespace: kube-system
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -31,19 +58,6 @@ data:
     leaderElection:
       leaderElect: false
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: my-scheduler-as-volume-scheduler
-subjects:
-- kind: ServiceAccount
-  name: my-scheduler
-  namespace: kube-system
-roleRef:
-  kind: ClusterRole
-  name: system:volume-scheduler
-  apiGroup: rbac.authorization.k8s.io
----
 apiVersion: apps/v1
 kind: Deployment
 metadata: