sync volume-pvc-datasource volume-snapshot-classes topology-spread-constraints security-checklist

Author: asa3311

content/zh-cn/docs/concepts/scheduling-eviction/topology-spread-constraints.md

@@ -415,7 +415,7 @@ confusing and troubleshooting is less straightforward.
 You need a mechanism to ensure that all the nodes in a topology domain (such as a
 cloud provider region) are labelled consistently.
 To avoid you needing to manually label nodes, most clusters automatically
-populate well-known labels such as `topology.kubernetes.io/hostname`. Check whether
+populate well-known labels such as `kubernetes.io/hostname`. Check whether
 your cluster supports this.
 -->
 ## 一致性 {#Consistency}
@@ -428,7 +428,7 @@ your cluster supports this.
 
 你需要一种机制来确保拓扑域（例如云提供商区域）中的所有节点具有一致的标签。
 为了避免你需要手动为节点打标签，大多数集群会自动填充知名的标签，
-例如 `topology.kubernetes.io/hostname`。检查你的集群是否支持此功能。
+例如 `kubernetes.io/hostname`。检查你的集群是否支持此功能。
 
 <!--
 ## Topology spread constraint examples

content/zh-cn/docs/concepts/security/security-checklist.md

@@ -775,6 +775,8 @@ has permissions to use the image.
 
 - [RBAC Good Practices](/docs/concepts/security/rbac-good-practices/) for
   further information on authorization.
+- [Securing a Cluster](/docs/tasks/administer-cluster/securing-a-cluster/) for
+  information on protecting a cluster from accidental or malicious access.
 - [Cluster Multi-tenancy guide](/docs/concepts/security/multi-tenancy/) for
   configuration options recommendations and best practices on multi-tenancy.
 - [Blog post "A Closer Look at NSA/CISA Kubernetes Hardening Guidance"](/blog/2021/10/05/nsa-cisa-kubernetes-hardening-guidance/#building-secure-container-images)
@@ -783,6 +785,7 @@ has permissions to use the image.
 ## 接下来  {#what-is-next}
 
 - [RBAC 良好实践](/zh-cn/docs/concepts/security/rbac-good-practices/)提供有关授权的更多信息。
+- [保护集群](/zh-cn/docs/tasks/administer-cluster/securing-a-cluster/)提供如何保护集群免受意外或恶意访问的信息。
 - [集群多租户指南](/zh-cn/docs/concepts/security/multi-tenancy/)提供有关多租户的配置选项建议和最佳实践。
 - [博文“深入了解 NSA/CISA Kubernetes 强化指南”](/blog/2021/10/05/nsa-cisa-kubernetes-hardening-guidance/#building-secure-container-images)为强化
   Kubernetes 集群提供补充资源。

content/zh-cn/docs/concepts/storage/volume-pvc-datasource.md

@@ -18,7 +18,8 @@ weight: 60
 <!-- overview -->
 
 <!--
-This document describes the concept of cloning existing CSI Volumes in Kubernetes.  Familiarity with [Volumes](/docs/concepts/storage/volumes) is suggested.
+This document describes the concept of cloning existing CSI Volumes in Kubernetes.  
+Familiarity with [Volumes](/docs/concepts/storage/volumes) is suggested.
 -->
 本文档介绍 Kubernetes 中克隆现有 CSI 卷的概念。阅读前建议先熟悉
 [卷](/zh-cn/docs/concepts/storage/volumes)。
@@ -28,7 +29,9 @@ This document describes the concept of cloning existing CSI Volumes in Kubernete
 <!--
 ## Introduction
 
-The {{< glossary_tooltip text="CSI" term_id="csi" >}} Volume Cloning feature adds support for specifying existing {{< glossary_tooltip text="PVC" term_id="persistent-volume-claim" >}}s in the `dataSource` field to indicate a user would like to clone a {{< glossary_tooltip term_id="volume" >}}.
+The {{< glossary_tooltip text="CSI" term_id="csi" >}} Volume Cloning feature adds 
+support for specifying existing {{< glossary_tooltip text="PVC" term_id="persistent-volume-claim" >}}s 
+in the `dataSource` field to indicate a user would like to clone a {{< glossary_tooltip term_id="volume" >}}.
 -->
 ## 介绍
 
@@ -38,13 +41,18 @@ The {{< glossary_tooltip text="CSI" term_id="csi" >}} Volume Cloning feature add
 来表示用户想要克隆的 {{< glossary_tooltip term_id="volume" >}}。
 
 <!--
-A Clone is defined as a duplicate of an existing Kubernetes Volume that can be consumed as any standard Volume would be.  The only difference is that upon provisioning, rather than creating a "new" empty Volume, the back end device creates an exact duplicate of the specified Volume.
+A Clone is defined as a duplicate of an existing Kubernetes Volume that can be 
+consumed as any standard Volume would be.  The only difference is that upon 
+provisioning, rather than creating a "new" empty Volume, the back end device 
+creates an exact duplicate of the specified Volume.
 -->
 克隆（Clone），意思是为已有的 Kubernetes 卷创建副本，它可以像任何其它标准卷一样被使用。
 唯一的区别就是配置后，后端设备将创建指定完全相同的副本，而不是创建一个“新的”空卷。
 
 <!--
-The implementation of cloning, from the perspective of the Kubernetes API, adds the ability to specify an existing PVC as a dataSource during new PVC creation. The source PVC must be bound and available (not in use).
+The implementation of cloning, from the perspective of the Kubernetes API, adds 
+the ability to specify an existing PVC as a dataSource during new PVC creation. 
+The source PVC must be bound and available (not in use).
 
 Users need to be aware of the following when using this feature:
 -->
@@ -58,11 +66,13 @@ Users need to be aware of the following when using this feature:
 * Cloning support (`VolumePVCDataSource`) is only available for CSI drivers.
 * Cloning support is only available for dynamic provisioners.
 * CSI drivers may or may not have implemented the volume cloning functionality.
-* You can only clone a PVC when it exists in the same namespace as the destination PVC (source and destination must be in the same namespace).
+* You can only clone a PVC when it exists in the same namespace as the destination PVC 
+  (source and destination must be in the same namespace).
 * Cloning is supported with a different Storage Class.
     - Destination volume can be the same or a different storage class as the source.
     - Default storage class can be used and storageClassName omitted in the spec.
-* Cloning can only be performed between two volumes that use the same VolumeMode setting (if you request a block mode volume, the source MUST also be block mode)
+* Cloning can only be performed between two volumes that use the same VolumeMode setting 
+  (if you request a block mode volume, the source MUST also be block mode)
 -->
 * 克隆支持（`VolumePVCDataSource`）仅适用于 CSI 驱动。
 * 克隆支持仅适用于 动态供应器。
@@ -103,21 +113,27 @@ spec:
 
 {{< note >}}
 <!--
-You must specify a capacity value for `spec.resources.requests.storage`, 
-and the value you specify must be the same or larger than the capacity of the source volume.
+You must specify a capacity value for `spec.resources.requests.storage`, and the 
+value you specify must be the same or larger than the capacity of the source volume.
 -->
 你必须为 `spec.resources.requests.storage` 指定一个值，并且你指定的值必须大于或等于源卷的值。
 {{< /note >}}
 
 <!--
-The result is a new PVC with the name `clone-of-pvc-1` that has the exact same content as the specified source `pvc-1`.
+The result is a new PVC with the name `clone-of-pvc-1` that has the exact same 
+content as the specified source `pvc-1`.
 -->
 结果是一个名称为 `clone-of-pvc-1` 的新 PVC 与指定的源 `pvc-1` 拥有相同的内容。
 
 <!--
 ## Usage
 
-Upon availability of the new PVC, the cloned PVC is consumed the same as other PVC.  It's also expected at this point that the newly created PVC is an independent object.  It can be consumed, cloned, snapshotted, or deleted independently and without consideration for it's original dataSource PVC.  This also implies that the source is not linked in any way to the newly created clone, it may also be modified or deleted without affecting the newly created clone.
+Upon availability of the new PVC, the cloned PVC is consumed the same as other PVC.  
+It's also expected at this point that the newly created PVC is an independent object.  
+It can be consumed, cloned, snapshotted, or deleted independently and without 
+consideration for it's original dataSource PVC.  This also implies that the source 
+is not linked in any way to the newly created clone, it may also be modified or 
+deleted without affecting the newly created clone.
 -->
 ## 使用
 

content/zh-cn/docs/concepts/storage/volume-snapshot-classes.md

@@ -43,7 +43,8 @@ of a class when first creating VolumeSnapshotClass objects, and the objects cann
 be updated once they are created.
 
 {{< note >}}
-Installation of the CRDs is the responsibility of the Kubernetes distribution. Without the required CRDs present, the creation of a VolumeSnapshotClass fails.  
+Installation of the CRDs is the responsibility of the Kubernetes distribution. 
+Without the required CRDs present, the creation of a VolumeSnapshotClass fails.
 {{< /note >}}
 
 -->
@@ -104,9 +105,14 @@ used for provisioning VolumeSnapshots. This field must be specified.
 <!--
 ### DeletionPolicy
 
-Volume snapshot classes have a deletionPolicy. It enables you to configure what happens to a VolumeSnapshotContent when the VolumeSnapshot object it is bound to is to be deleted. The deletionPolicy of a volume snapshot class can either be `Retain` or `Delete`. This field must be specified.
+Volume snapshot classes have a deletionPolicy. It enables you to configure what 
+happens to a VolumeSnapshotContent when the VolumeSnapshot object it is bound to 
+is to be deleted. The deletionPolicy of a volume snapshot class can either be 
+`Retain` or `Delete`. This field must be specified.
 
-If the deletionPolicy is `Delete`, then the underlying storage snapshot will be deleted along with the VolumeSnapshotContent object. If the deletionPolicy is `Retain`, then both the underlying snapshot and VolumeSnapshotContent remain.
+If the deletionPolicy is `Delete`, then the underlying storage snapshot will be 
+deleted along with the VolumeSnapshotContent object. If the deletionPolicy is `Retain`, 
+then both the underlying snapshot and VolumeSnapshotContent remain.
 -->
 ### 删除策略 {#deletion-policy}