Merge pull request #41596 from windsonsea/ipmasq

k8s-ci-robot · web-flow · commit 515cd45a4a50 · 2023-06-12T17:39:57.000-07:00
[zh] sync developing-cloud-controller-manager, ip-masq-agent, and guaranteed-scheduling-pods
diff --git a/content/zh-cn/docs/tasks/administer-cluster/developing-cloud-controller-manager.md b/content/zh-cn/docs/tasks/administer-cluster/developing-cloud-controller-manager.md
@@ -3,7 +3,6 @@ title: 开发云控制器管理器
 content_type: task
 weight: 190
 ---
-
 <!--
 reviewers:
 - luxas
@@ -27,7 +26,7 @@ weight: 190
 
 Since cloud providers develop and release at a different pace compared to the Kubernetes project, abstracting the provider-specific code to the `cloud-controller-manager` binary allows cloud vendors to evolve independently from the core Kubernetes code.
 -->
-## 背景
+## 背景   {#background}
 
 由于云驱动的开发和发布与 Kubernetes 项目本身步调不同，将特定于云环境的代码抽象到
 `cloud-controller-manager` 二进制组件有助于云厂商独立于 Kubernetes
@@ -45,7 +44,7 @@ Kubernetes 核心代码导入软件包来实现一个 cloud-controller-manager
 <!--
 ## Developing
 -->
-## 开发
+## 开发   {#developing}
 
 ### 树外（Out of Tree）
 
@@ -84,4 +83,3 @@ For in-tree cloud providers, you can run the in-tree cloud controller manager as
 对于树内（In-Tree）驱动，你可以将树内云控制器管理器作为集群中的
 {{< glossary_tooltip term_id="daemonset" text="DaemonSet" >}} 来运行。
 有关详细信息，请参阅[云控制器管理器管理](/zh-cn/docs/tasks/administer-cluster/running-cloud-controller/)。
-
diff --git a/content/zh-cn/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods.md b/content/zh-cn/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods.md
@@ -3,12 +3,20 @@ title: 关键插件 Pod 的调度保证
 content_type: concept
 weight: 220
 ---
+<!--
+reviewers:
+- davidopp
+- filipg
+- piosz
+title: Guaranteed Scheduling For Critical Add-On Pods
+content_type: concept
+weight: 220
+-->
 
 <!-- overview -->
 
 <!-- 
-Kubernetes core components such as the API server, scheduler, and controller-manager run on a control plane node. 
-However, add-ons must run on a regular cluster node.
+Kubernetes core components such as the API server, scheduler, and controller-manager run on a control plane node. However, add-ons must run on a regular cluster node.
 Some of these add-ons are critical to a fully functional cluster, such as metrics-server, DNS, and UI.
 A cluster may stop working properly if a critical add-on is evicted (either manually or as a side effect of another operation like upgrade)
 and becomes pending (for example when the cluster is highly utilized and either there are other pending pods that schedule into the space
@@ -18,7 +26,8 @@ Kubernetes 核心组件（如 API 服务器、调度器、控制器管理器）
 但是插件必须在常规集群节点上运行。
 其中一些插件对于功能完备的集群至关重要，例如 Heapster、DNS 和 UI。
 如果关键插件被逐出（手动或作为升级等其他操作的副作用）或者变成挂起状态，集群可能会停止正常工作。
-关键插件进入挂起状态的例子有：集群利用率过高；被逐出的关键插件 Pod 释放了空间，但该空间被之前悬决的 Pod 占用；由于其它原因导致节点上可用资源的总量发生变化。
+关键插件进入挂起状态的例子有：集群利用率过高；被逐出的关键插件 Pod 释放了空间，但该空间被之前悬决的
+Pod 占用；由于其它原因导致节点上可用资源的总量发生变化。
 
 <!--
 Note that marking a pod as critical is not meant to prevent evictions entirely; it only prevents the pod from becoming permanently unavailable.
@@ -35,9 +44,7 @@ A static pod marked as critical, can't be evicted. However, a non-static pods ma
 ### 标记关键 Pod
 
 <!--
-To mark a Pod as critical, set priorityClassName for that Pod to `system-cluster-critical` or `system-node-critical`. `system-node-critical` is the highest available priority, even higher than `system-cluster-critical`
+To mark a Pod as critical, set priorityClassName for that Pod to `system-cluster-critical` or `system-node-critical`. `system-node-critical` is the highest available priority, even higher than `system-cluster-critical`.
 -->
 要将 Pod 标记为关键性（critical），设置 Pod 的 priorityClassName 为 `system-cluster-critical` 或者 `system-node-critical`。
 `system-node-critical` 是最高级别的可用性优先级，甚至比 `system-cluster-critical` 更高。
-
-
diff --git a/content/zh-cn/docs/tasks/administer-cluster/ip-masq-agent.md b/content/zh-cn/docs/tasks/administer-cluster/ip-masq-agent.md
@@ -23,10 +23,12 @@ This page shows how to configure and enable the `ip-masq-agent`.
 <!--
 ## IP Masquerade Agent User Guide
 -->
-## IP Masquerade Agent 用户指南
+## IP Masquerade Agent 用户指南   {#ip-masquerade-agent-user-guide}
 
 <!--
-The `ip-masq-agent` configures iptables rules to hide a pod's IP address behind the cluster node's IP address. This is typically done when sending traffic to destinations outside the cluster's pod [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) range.
+The `ip-masq-agent` configures iptables rules to hide a pod's IP address behind the cluster
+node's IP address. This is typically done when sending traffic to destinations outside the
+cluster's pod [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) range.
 -->
 `ip-masq-agent` 配置 iptables 规则以隐藏位于集群节点 IP 地址后面的 Pod 的 IP 地址。
 这通常在将流量发送到集群的 Pod
@@ -36,19 +38,22 @@ The `ip-masq-agent` configures iptables rules to hide a pod's IP address behind
 <!--
 ### **Key Terms**
 -->
-### **关键术语**
+### **关键术语**   {#key-terms}
 
 <!--
 * **NAT (Network Address Translation)**
-  Is a method of remapping one IP address to another by modifying either the source and/or destination address information in the IP header.  Typically performed by a device doing IP routing.
+  Is a method of remapping one IP address to another by modifying either the source and/or
+  destination address information in the IP header. Typically performed by a device doing IP routing.
 -->
-* **NAT (网络地址转译)**
+* **NAT (网络地址转换)**
   是一种通过修改 IP 地址头中的源和/或目标地址信息将一个 IP 地址重新映射
   到另一个 IP 地址的方法。通常由执行 IP 路由的设备执行。
 
 <!--
 * **Masquerading**
-  A form of NAT that is typically used to perform a many to one address translation, where multiple source IP addresses are masked behind a single address, which is typically the device doing the IP routing. In Kubernetes this is the Node's IP address.
+  A form of NAT that is typically used to perform a many to one address translation, where
+  multiple source IP addresses are masked behind a single address, which is typically the
+  device doing the IP routing. In Kubernetes this is the Node's IP address.
 -->    
 * **伪装**
   NAT 的一种形式，通常用于执行多对一地址转换，其中多个源 IP 地址被隐藏在
@@ -57,7 +62,10 @@ The `ip-masq-agent` configures iptables rules to hide a pod's IP address behind
 
 <!--
 * **CIDR (Classless Inter-Domain Routing)**
-  Based on the variable-length subnet masking, allows specifying arbitrary-length prefixes. CIDR introduced a new method of representation for IP addresses, now commonly known as **CIDR notation**, in which an address or routing prefix is written with a suffix indicating the number of bits of the prefix, such as 192.168.2.0/24.
+  Based on the variable-length subnet masking, allows specifying arbitrary-length prefixes.
+  CIDR introduced a new method of representation for IP addresses, now commonly known as
+  **CIDR notation**, in which an address or routing prefix is written with a suffix indicating
+  the number of bits of the prefix, such as 192.168.2.0/24.
 -->
 * **CIDR (无类别域间路由)**
   基于可变长度子网掩码，允许指定任意长度的前缀。
@@ -66,14 +74,29 @@ The `ip-masq-agent` configures iptables rules to hide a pod's IP address behind
 
 <!--
 * **Link Local**
-  A link-local address is a network address that is valid only for communications within the network segment or the broadcast domain that the host is connected to. Link-local addresses for IPv4 are defined in the address block 169.254.0.0/16 in CIDR notation.
+  A link-local address is a network address that is valid only for communications within the
+  network segment or the broadcast domain that the host is connected to. Link-local addresses
+  for IPv4 are defined in the address block 169.254.0.0/16 in CIDR notation.
 -->
 * **本地链路**
   本地链路是仅对网段或主机所连接的广播域内的通信有效的网络地址。
   IPv4 的本地链路地址在 CIDR 表示法的地址块 169.254.0.0/16 中定义。
 
 <!--
-The ip-masq-agent configures iptables rules to handle masquerading node/pod IP addresses when sending traffic to destinations outside the cluster node's IP and the Cluster IP range.  This essentially hides pod IP addresses behind the cluster node's IP address.  In some environments, traffic to "external" addresses must come from a known machine address. For example, in Google Cloud, any traffic to the internet must come from a VM's IP.  When containers are used, as in Google Kubernetes Engine, the Pod IP will be rejected for egress. To avoid this, we must hide the Pod IP behind the VM's own IP address - generally known as "masquerade". By default, the agent is configured to treat the three private IP ranges specified by [RFC 1918](https://tools.ietf.org/html/rfc1918) as non-masquerade [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing).  These ranges are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The agent will also treat link-local (169.254.0.0/16) as a non-masquerade CIDR by default.  The agent is configured to reload its configuration from the location */etc/config/ip-masq-agent* every 60 seconds, which is also configurable.
+The ip-masq-agent configures iptables rules to handle masquerading node/pod IP addresses when
+sending traffic to destinations outside the cluster node's IP and the Cluster IP range. This
+essentially hides pod IP addresses behind the cluster node's IP address. In some environments,
+traffic to "external" addresses must come from a known machine address. For example, in Google
+Cloud, any traffic to the internet must come from a VM's IP. When containers are used, as in
+Google Kubernetes Engine, the Pod IP will be rejected for egress. To avoid this, we must hide
+the Pod IP behind the VM's own IP address - generally known as "masquerade". By default, the
+agent is configured to treat the three private IP ranges specified by
+[RFC 1918](https://tools.ietf.org/html/rfc1918) as non-masquerade
+[CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing).
+These ranges are `10.0.0.0/8`, `172.16.0.0/12`, and `192.168.0.0 16`.
+The agent will also treat link-local (169.254.0.0/16) as a non-masquerade CIDR by default.
+The agent is configured to reload its configuration from the location
+*/etc/config/ip-masq-agent* every 60 seconds, which is also configurable.
 -->
 ip-masq-agent 配置 iptables 规则，以便在将流量发送到集群节点的 IP 和集群 IP 范围之外的目标时
 处理伪装节点或 Pod 的 IP 地址。这本质上隐藏了集群节点 IP 地址后面的 Pod IP 地址。
@@ -93,13 +116,15 @@ ip-masq-agent 配置 iptables 规则，以便在将流量发送到集群节点
 ![masq/non-masq example](/images/docs/ip-masq.png)
 
 <!--
-The agent configuration file must be written in YAML or JSON syntax, and may contain three optional keys:
+The agent configuration file must be written in YAML or JSON syntax, and may contain three
+optional keys:
 -->
 代理配置文件必须使用 YAML 或 JSON 语法编写，并且可能包含三个可选值：
 
 <!--
 * `nonMasqueradeCIDRs`: A list of strings in
-  [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) notation that specify the non-masquerade ranges.
+  [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) notation that specify
+  the non-masquerade ranges.
 -->
 * `nonMasqueradeCIDRs`：
   [CIDR](https://zh.wikipedia.org/wiki/%E6%97%A0%E7%B1%BB%E5%88%AB%E5%9F%9F%E9%97%B4%E8%B7%AF%E7%94%B1)
@@ -120,7 +145,11 @@ The agent configuration file must be written in YAML or JSON syntax, and may con
   例如 '30s'，其中 's' 是秒，'ms' 是毫秒。
 
 <!--
-Traffic to 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) ranges will NOT be masqueraded. Any other traffic (assumed to be internet) will be masqueraded.  An example of a local destination from a pod could be its Node's IP address as well as another node's address or one of the IP addresses in Cluster's IP range.   Any other traffic will be masqueraded by default.  The below entries show the default set of rules that are applied by the ip-masq-agent:
+Traffic to 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 ranges will NOT be masqueraded. Any
+other traffic (assumed to be internet) will be masqueraded.  An example of a local destination
+from a pod could be its Node's IP address as well as another node's address or one of the IP
+addresses in Cluster's IP range. Any other traffic will be masqueraded by default. The
+below entries show the default set of rules that are applied by the ip-masq-agent:
 -->
 10.0.0.0/8、172.16.0.0/12 和 192.168.0.0/16 范围内的流量不会被伪装。
 任何其他流量（假设是互联网）将被伪装。
@@ -132,12 +161,12 @@ iptables -t nat -L IP-MASQ-AGENT
 ```
 
 ```none
+target     prot opt source               destination
 RETURN     all  --  anywhere             169.254.0.0/16       /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
 RETURN     all  --  anywhere             10.0.0.0/8           /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
 RETURN     all  --  anywhere             172.16.0.0/12        /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
 RETURN     all  --  anywhere             192.168.0.0/16       /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
 MASQUERADE  all  --  anywhere             anywhere             /* ip-masq-agent: outbound traffic should be subject to MASQUERADE (this match must come after cluster-local CIDR matches) */ ADDRTYPE match dst-type !LOCAL
-
 ```
 
 <!--
@@ -159,7 +188,7 @@ to your cluster.
 ## Create an ip-masq-agent
 To create an ip-masq-agent, run the following kubectl command:
 -->
-## 创建 ip-masq-agent
+## 创建 ip-masq-agent   {#create-ip-masq-agent}
 
 通过运行以下 kubectl 指令创建 ip-masq-agent:
 
@@ -168,7 +197,8 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/ip-masq-agent
 ```
 
 <!--
-You must also apply the appropriate node label to any nodes in your cluster that you want the agent to run on.
+You must also apply the appropriate node label to any nodes in your cluster that you want the
+agent to run on.
 -->
 你必须同时将适当的节点标签应用于集群中希望代理运行的任何节点。
 
@@ -179,10 +209,16 @@ kubectl label nodes my-node node.kubernetes.io/masq-agent-ds-ready=true
 <!--
 More information can be found in the ip-masq-agent documentation [here](https://github.com/kubernetes-sigs/ip-masq-agent)
 -->
-更多信息可以通过 ip-masq-agent 文档 [这里](https://github.com/kubernetes-sigs/ip-masq-agent) 找到。
+更多信息可以通过 ip-masq-agent 文档[这里](https://github.com/kubernetes-sigs/ip-masq-agent)找到。
 
 <!--
-In most cases, the default set of rules should be sufficient; however, if this is not the case for your cluster, you can create and apply a [ConfigMap](/docs/tasks/configure-pod-container/configure-pod-configmap/) to customize the IP ranges that are affected.  For example, to allow only 10.0.0.0/8 to be considered by the ip-masq-agent, you can create the following [ConfigMap](/docs/tasks/configure-pod-container/configure-pod-configmap/) in a file called "config".
+In most cases, the default set of rules should be sufficient; however, if this is not the case
+for your cluster, you can create and apply a
+[ConfigMap](/docs/tasks/configure-pod-container/configure-pod-configmap/) to customize the IP
+ranges that are affected.  For example, to allow
+only 10.0.0.0/8 to be considered by the ip-masq-agent, you can create the following
+[ConfigMap](/docs/tasks/configure-pod-container/configure-pod-configmap/) in a file called
+"config".
 -->
 在大多数情况下，默认的规则集应该足够；但是，如果你的集群不是这种情况，则可以创建并应用
 [ConfigMap](/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/)
@@ -192,7 +228,8 @@ In most cases, the default set of rules should be sufficient; however, if this i
 
 {{< note >}}
 <!--
-It is important that the file is called config since, by default, that will be used as the key for lookup by the `ip-masq-agent`:
+It is important that the file is called config since, by default, that will be used as the key
+for lookup by the `ip-masq-agent`:
 -->
 重要的是，该文件之所以被称为 config，因为默认情况下，该文件将被用作
 `ip-masq-agent` 查找的主键：
@@ -214,7 +251,8 @@ kubectl create configmap ip-masq-agent --from-file=config --namespace=kube-syste
 ```
 
 <!--
-This will update a file located at `/etc/config/ip-masq-agent` which is periodically checked every `resyncInterval` and applied to the cluster node.
+This will update a file located at `/etc/config/ip-masq-agent` which is periodically checked
+every `resyncInterval` and applied to the cluster node.
 After the resync interval has expired, you should see the iptables rules reflect your changes:
 -->
 这将更新位于 `/etc/config/ip-masq-agent` 的一个文件，该文件以 `resyncInterval`
@@ -234,7 +272,9 @@ MASQUERADE  all  --  anywhere             anywhere             /* ip-masq-agent:
 ```
 
 <!--
-By default, the link local range (169.254.0.0/16) is also handled by the ip-masq agent, which sets up the appropriate iptables rules.  To have the ip-masq-agent ignore link local, you can set `masqLinkLocal` to true in the ConfigMap.
+By default, the link local range (169.254.0.0/16) is also handled by the ip-masq agent, which
+sets up the appropriate iptables rules. To have the ip-masq-agent ignore link local, you can
+set `masqLinkLocal` to true in the ConfigMap.
 -->
 默认情况下，本地链路范围 (169.254.0.0/16) 也由 ip-masq agent 处理，
 该代理设置适当的 iptables 规则。 要使 ip-masq-agent 忽略本地链路，
@@ -246,4 +286,3 @@ nonMasqueradeCIDRs:
 resyncInterval: 60s
 masqLinkLocal: true
 ```
-
