Commit 2b6b632

[zh] Update CSR v1 API reference
The misplaced `<!--` and `-->` are disrupting the structure of the document page. This PR fixes the indentation of these marks.
1 parent 5036a1e commit 2b6b632

1 file changed

+52
-65
lines changed

content/zh-cn/docs/reference/kubernetes-api/authentication-resources/certificate-signing-request-v1.md

Lines changed: 52 additions & 65 deletions
@@ -5,13 +5,11 @@ api_metadata:
55
kind: "CertificateSigningRequest"
66
content_type: "api_reference"
77
description: "CertificateSigningRequest 对象提供了一种通过提交证书签名请求并异步批准和颁发 x509 证书的机制。"
8-
title: "证书签名请求"
8+
title: CertificateSigningRequest
99
weight: 4
10-
auto_generated: true
1110
---
1211

1312
<!--
14-
---
1513
api_metadata:
1614
apiVersion: "certificates.k8s.io/v1"
1715
import: "k8s.io/api/certificates/v1"
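
Review bot: The front-matter edits at new line 8 and old line 10 go beyond what the commit message describes: `title: "证书签名请求"` becomes `title: CertificateSigningRequest` and `auto_generated: true` is dropped, and neither is a comment-marker fix. Please mention both in the commit message or split them into their own change, and quote the new title the same way as the neighbouring `kind: "CertificateSigningRequest"` value so the front matter stays consistent.
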
@@ -21,18 +19,6 @@ description: "CertificateSigningRequest objects provide a mechanism to obtain x5
2119
title: "CertificateSigningRequest"
2220
weight: 4
2321
auto_generated: true
24-
---
25-
-->
26-
27-
<!--
28-
The file is auto-generated from the Go source code of the component using a generic
29-
[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
30-
to generate the reference documentation, please read
31-
[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
32-
To update the reference content, please follow the
33-
[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
34-
guide. You can file document formatting bugs against the
35-
[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
3622
-->
3723

3824
<!--
@@ -59,8 +45,9 @@ Kubelets use this API to obtain:
5945
CertificateSigningRequest 对象提供了一种通过提交证书签名请求并异步批准和颁发 x509 证书的机制。
6046

6147
Kubelets 使用 CertificateSigningRequest API 来获取:
62-
1. 向 kube-apiserver 进行身份认证的客户端证书(使用 “kubernetes.io/kube-apiserver-client-kubelet” signerName)。
63-
2. kube-apiserver 可以安全连接到 TLS 端点的服务证书(使用 “kubernetes.io/kubelet-serving” signerName)。
48+
49+
1. 向 kube-apiserver 进行身份认证的客户端证书(使用 “kubernetes.io/kube-apiserver-client-kubelet” signerName)。
50+
2. kube-apiserver 可以安全连接到 TLS 端点的服务证书(使用 “kubernetes.io/kubelet-serving” signerName)。
6451

6552
<!--
6653
This API can be used to request client certificates to authenticate to kube-apiserver (with the "kubernetes.io/kube-apiserver-client" signerName),
@@ -117,21 +104,19 @@ or to obtain certificates from custom non-Kubernetes signers.
117104
118105
CertificateSigningRequestSpec contains the certificate request.
119106
-->
120-
## 证书签名请求规范 CertificateSigningRequestSpec {#CertificateSigningRequestSpec}
107+
## CertificateSigningRequestSpec {#CertificateSigningRequestSpec}
121108

122109
CertificateSigningRequestSpec 包含证书请求。
123110

124-
<!--
125111
<hr>
126-
112+
<!--
127113
- **request** ([]byte), required
128114
129115
*Atomic: will be replaced during a merge*
130116
131117
request contains an x509 certificate signing request encoded in a "CERTIFICATE REQUEST" PEM block.
132118
When serialized as JSON or YAML, the data is additionally base64-encoded.
133119
-->
134-
<hr>
135120

136121
- **request** ([]byte),必需
137122

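
Review bot: The heading at new line 107 drops the localized text `证书签名请求规范` and keeps only the type name, which is a wording change rather than a marker fix. The explicit `{#CertificateSigningRequestSpec}` id is kept, so existing links should still resolve, but the rename deserves a line in the commit message. The marker move itself reads correctly: `<hr>` now sits outside the comment at new line 111 and the second `<hr>` at old line 134 is removed, leaving a single live rule.
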
@@ -153,7 +138,7 @@ CertificateSigningRequestSpec 包含证书请求。
153138

154139
CertificateSigningRequests 的 list/watch 请求可以使用 “spec.signerName=NAME” 字段选择器进行过滤。
155140

156-
<!--
141+
<!--
157142
Well-known Kubernetes signers are:
158143
1. "kubernetes.io/kube-apiserver-client": issues client certificates that can be used to authenticate to kube-apiserver.
159144
Requests for this signer are never auto-approved by kube-controller-manager,
@@ -166,8 +151,9 @@ CertificateSigningRequestSpec 包含证书请求。
166151
and can be issued by the "csrsigning" controller in kube-controller-manager.
167152
168153
More details are available at https://k8s.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers
169-
-->
154+
-->
170155
众所周知的 Kubernetes 签名者有:
156+
171157
1. “kubernetes.io/kube-apiserver-client”:颁发客户端证书,用于向 kube-apiserver 进行身份验证。
172158
对此签名者的请求永远不会被 kube-controller-manager 自动批准,
173159
可以由 kube-controller-manager 中的 “csrsigning” 控制器颁发。
@@ -180,7 +166,7 @@ CertificateSigningRequestSpec 包含证书请求。
180166

181167
更多详细信息,请访问 https://kubernetes.io/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers
182168

183-
<!--
169+
<!--
184170
Custom signerNames can also be specified. The signer defines:
185171
1. Trust distribution: how trust (CA bundles) are distributed.
186172
2. Permitted subjects: and behavior when a disallowed subject is requested.
@@ -190,8 +176,9 @@ CertificateSigningRequestSpec 包含证书请求。
190176
4. Required, permitted, or forbidden key usages / extended key usages.
191177
5. Expiration/certificate lifetime: whether it is fixed by the signer, configurable by the admin.
192178
6. Whether or not requests for CA certificates are allowed.
193-
-->
179+
-->
194180
也可以指定自定义 signerName。签名者定义如下:
181+
195182
1. 信任分发:信任(CA 证书包)是如何分发的。
196183
2. 许可的主体:当请求不允许的主体时的行为。
197184
3. 请求中必需、许可或禁止的 x509 扩展(包括是否允许 subjectAltNames、哪些类型、对允许值的限制)
@@ -214,16 +201,16 @@ CertificateSigningRequestSpec 包含证书请求。
214201
证书签署者可以颁发具有不同有效期的证书,
215202
因此客户端必须检查颁发证书中 notBefore 和 notAfter 字段之间的增量以确定实际持续时间。
216203

217-
<!--
204+
<!--
218205
The v1.22+ in-tree implementations of the well-known Kubernetes signers will honor this field
219206
as long as the requested duration is not greater than the maximum duration they will honor per the
220207
--cluster-signing-duration CLI flag to the Kubernetes controller manager.
221-
-->
208+
-->
222209
众所周知的 Kubernetes 签名者在 v1.22+ 版本内实现将遵守此字段,
223210
只要请求的持续时间不大于最大持续时间,它们将遵守 Kubernetes 控制管理器的
224211
--cluster-signing-duration CLI 标志。
225212

226-
<!--
213+
<!--
227214
Certificate signers may not honor this field for various reasons:
228215
229216
1. Old signer that is unaware of the field (such as the in-tree
@@ -232,7 +219,7 @@ CertificateSigningRequestSpec 包含证书请求。
232219
3. Signer whose configured minimum is longer than the requested duration
233220
234221
The minimum valid value for expirationSeconds is 600, i.e. 10 minutes.
235-
-->
222+
-->
236223
由于各种原因,证书签名者可能忽略此字段:
237224

238225
1. 不认识此字段的旧签名者(如 v1.22 版本之前的实现)
@@ -299,7 +286,7 @@ CertificateSigningRequestSpec 包含证书请求。
299286

300287
TLS 服务证书的请求通常要求:"key encipherment"、"digital signature"、"server auth"。
301288

302-
<!--
289+
<!--
303290
Valid values are:
304291
"signing", "digital signature", "content commitment",
305292
"key encipherment", "key agreement", "data encipherment",
@@ -308,15 +295,15 @@ CertificateSigningRequestSpec 包含证书请求。
308295
"code signing", "email protection", "s/mime",
309296
"ipsec end system", "ipsec tunnel", "ipsec user",
310297
"timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"
311-
-->
298+
-->
312299
有效值:
313-
"signing"、"digital signature"、"content commitment"、
314-
"key encipherment"、"key agreement"、"data encipherment"、
315-
"cert sign"、"crl sign"、"encipher only"、"decipher only"、"any"、
316-
"server auth"、"client auth"、
317-
"code signing"、"email protection"、"s/mime"、
318-
"ipsec end system"、"ipsec tunnel"、"ipsec user"、
319-
"timestamping"、"ocsp signing"、"microsoft sgc"、"netscape sgc"。
300+
"signing"、"digital signature"、"content commitment"、
301+
"key encipherment"、"key agreement"、"data encipherment"、
302+
"cert sign"、"crl sign"、"encipher only"、"decipher only"、"any"、
303+
"server auth"、"client auth"、
304+
"code signing"、"email protection"、"s/mime"、
305+
"ipsec end system"、"ipsec tunnel"、"ipsec user"、
306+
"timestamping"、"ocsp signing"、"microsoft sgc"、"netscape sgc"。
320307

321308
<!--
322309
- **username** (string)
@@ -337,7 +324,7 @@ and the issued certificate.
337324
338325
<hr>
339326
-->
340-
## 证书签名请求状态 CertificateSigningRequestStatus {#CertificateSigningRequestStatus}
327+
## CertificateSigningRequestStatus {#CertificateSigningRequestStatus}
341328

342329
CertificateSigningRequestStatus 包含用于指示请求的批准/拒绝/失败状态和颁发证书的状况。
343330

@@ -363,30 +350,31 @@ CertificateSigningRequestStatus 包含用于指示请求的批准/拒绝/失败
363350
如果证书签名请求被拒绝,则添加类型为 “Denied” 的状况,并且保持该字段为空。
364351
如果签名者不能颁发证书,则添加类型为 “Failed” 的状况,并且保持该字段为空。
365352

366-
<!--
353+
<!--
367354
Validation requirements:
368355
1. certificate must contain one or more PEM blocks.
369356
2. All PEM blocks must have the "CERTIFICATE" label, contain no headers, and the encoded data
370357
must be a BER-encoded ASN.1 Certificate structure as described in section 4 of RFC5280.
371358
3. Non-PEM content may appear before or after the "CERTIFICATE" PEM blocks and is unvalidated,
372359
to allow for explanatory text as described in section 5.2 of RFC7468.
373-
-->
360+
-->
374361
验证要求:
362+
375363
1. 证书必须包含一个或多个 PEM 块。
376364
2. 所有的 PEM 块必须有 “CERTIFICATE” 标签,不包含头和编码的数据,
377365
必须是由 BER 编码的 ASN.1 证书结构,如 RFC5280 第 4 节所述。
378366
3. 非 PEM 内容可能出现在 “CERTIFICATE”PEM 块之前或之后,并且是未验证的,
379367
允许如 RFC7468 5.2 节中描述的解释性文本。
380368

381-
<!--
369+
<!--
382370
If more than one PEM block is present, and the definition of the requested spec.signerName does not indicate otherwise,
383371
the first block is the issued certificate, and subsequent blocks should be treated as
384372
intermediate certificates and presented in TLS handshakes.
385-
-->
373+
-->
386374
如果存在多个 PEM 块,并且所请求的 spec.signerName 的定义没有另外说明,
387375
那么第一个块是颁发的证书,后续的块应该被视为中间证书并在 TLS 握手中呈现。
388376

389-
<!--
377+
<!--
390378
The certificate is encoded in PEM format.
391379
392380
When serialized as JSON or YAML, the data is additionally base64-encoded, so it consists of:
@@ -396,17 +384,19 @@ CertificateSigningRequestStatus 包含用于指示请求的批准/拒绝/失败
396384
...
397385
-----END CERTIFICATE-----
398386
)
399-
-->
387+
-->
400388
证书编码为 PEM 格式。
401389

402390
当序列化为 JSON 或 YAML 时,数据额外采用 base64 编码,它包括:
391+
403392
```
404393
base64(
405394
-----BEGIN CERTIFICATE-----
406395
...
407396
-----END CERTIFICATE-----
408397
)
409398
```
399+
410400
<!--
411401
- **conditions** ([]CertificateSigningRequestCondition)
412402
*Map: unique values on key type will be kept during a merge*
@@ -420,21 +410,21 @@ CertificateSigningRequestStatus 包含用于指示请求的批准/拒绝/失败
420410

421411
**Map:键类型的唯一值将在合并期间保留**
422412

423-
应用于请求的状况。已知的状况有 "Approved"、"Denied" 与 "Failed"。
413+
应用于请求的状况。已知的状况有 "Approved"、"Denied" 与 "Failed"。
424414

425-
<a name="CertificateSigningRequestCondition"></a>
426-
**CertificateSigningRequestCondition 描述 CertificateSigningRequest 对象的状况。**
415+
<a name="CertificateSigningRequestCondition"></a>
416+
**CertificateSigningRequestCondition 描述 CertificateSigningRequest 对象的状况。**
427417

428-
<!--
418+
<!--
429419
- **conditions.status** (string), required
430420
431421
status of the condition, one of True, False, Unknown. Approved, Denied, and Failed conditions may not be "False" or "Unknown".
432-
-->
422+
-->
433423
- **conditions.status** (string),必需
434424

435425
状况的状态,True、False、Unknown 之一。Approved、Denied 与 Failed 的状况不可以是 "False" 或 "Unknown"。
436426

437-
<!--
427+
<!--
438428
- **conditions.type** (string), required
439429
type of the condition. Known conditions are "Approved", "Denied", and "Failed".
440430
@@ -447,7 +437,7 @@ CertificateSigningRequestStatus 包含用于指示请求的批准/拒绝/失败
447437
Approved and Denied conditions are mutually exclusive. Approved, Denied, and Failed conditions cannot be removed once added.
448438
449439
Only one condition of a given type is allowed.
450-
-->
440+
-->
451441
- **conditions.type** (string),必需
452442

453443
状况的类型。已知的状况是 "Approved"、"Denied" 与 "Failed"。
@@ -462,7 +452,7 @@ CertificateSigningRequestStatus 包含用于指示请求的批准/拒绝/失败
462452

463453
给定类型只允许设置一种状况。
464454

465-
<!--
455+
<!--
466456
- **conditions.lastTransitionTime** (Time)
467457
468458
lastTransitionTime is the time the condition last transitioned from one status to another.
@@ -472,7 +462,7 @@ CertificateSigningRequestStatus 包含用于指示请求的批准/拒绝/失败
472462
<a name="Time"></a>
473463
*Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.
474464
Wrappers are provided for many of the factory methods that the time package offers.*
475-
-->
465+
-->
476466

477467
- **conditions.lastTransitionTime** (Time)
478468

@@ -482,36 +472,36 @@ CertificateSigningRequestStatus 包含用于指示请求的批准/拒绝/失败
482472
<a name="Time"></a>
483473
**Time 是 time.Time 的包装器,支持正确编码为 YAML 和 JSON。为 time 包提供的许多工厂方法提供了包装器。**
484474

485-
<!--
475+
<!--
486476
- **conditions.lastUpdateTime** (Time)
487477
488478
lastUpdateTime is the time of the last update to this condition
489479
490480
<a name="Time"></a>
491481
*Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON.
492482
Wrappers are provided for many of the factory methods that the time package offers.*
493-
-->
483+
-->
494484
- **conditions.lastUpdateTime** (Time)
495485

496486
lastUpdateTime 是该状况最后一次更新的时间。
497487

498488
<a name="Time"></a>
499489
**Time 是 time.Time 的包装器,支持正确编组为 YAML 和 JSON。为 time 包提供的许多工厂方法提供了包装器。**
500490

501-
<!--
491+
<!--
502492
- **conditions.message** (string)
503493
504494
message contains a human readable message with details about the request state
505-
-->
495+
-->
506496
- **conditions.message** (string)
507497

508498
message 包含一个人类可读的消息,包含关于请求状态的详细信息。
509499

510-
<!--
500+
<!--
511501
- **conditions.reason** (string)
512502
513503
reason indicates a brief reason for the request state
514-
-->
504+
-->
515505
- **conditions.reason** (string)
516506

517507
reason 表示请求状态的简短原因。
@@ -523,7 +513,7 @@ CertificateSigningRequestList is a collection of CertificateSigningRequest objec
523513
524514
<hr>
525515
-->
526-
## 证书签名请求列表 CertificateSigningRequestList {#CertificateSigningRequestList}
516+
## CertificateSigningRequestList {#CertificateSigningRequestList}
527517

528518
CertificateSigningRequestList 是 CertificateSigningRequest 对象的集合。
529519

@@ -550,11 +540,8 @@ CertificateSigningRequestList 是 CertificateSigningRequest 对象的集合。
550540

551541
items 是 CertificateSigningRequest 对象的集合。
552542

553-
554543
<!--
555544
## Operations {#Operations}
556-
557-
<hr>
558545
-->
559546
## 操作 {#Operations}
560547

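
Review bot: At old line 557 the `<hr>` is deleted from inside the commented English block, while the CertificateSigningRequestSpec section moves its `<hr>` outside the comment and the CertificateSigningRequestStatus section leaves it inside the comment. Please apply one treatment to every section, and check the rendered 操作 section against the English page so that no rule is lost or duplicated.
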
@@ -1597,4 +1584,4 @@ DELETE /apis/certificates.k8s.io/v1/certificatesigningrequests
15971584

15981585
200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
15991586

1600-
401: Unauthorized
1587+
401: Unauthorized
