Merge pull request #50926 from my-git9/npa-1809

k8s-ci-robot · web-flow · commit 574d6059dc42 · 2025-05-18T05:03:14.000-07:00
[zh-cn]sync kubelet-config.v1alpha1.md
diff --git a/content/zh-cn/docs/reference/config-api/kubelet-config.v1alpha1.md b/content/zh-cn/docs/reference/config-api/kubelet-config.v1alpha1.md
@@ -43,12 +43,130 @@ providers is a list of credential provider plugins that will be enabled by the k
 Multiple providers may match against a single image, in which case credentials
 from all providers will be returned to the kubelet. If multiple providers are called
 for a single image, the results are combined. If providers return overlapping
-auth keys, the value from the provider earlier in this list is used.
+auth keys, the value from the provider earlier in this list is attempted first.
 -->
   <code>providers</code> 是一组凭据提供者插件，这些插件会被 kubelet 启用。
 多个提供者可以匹配到同一镜像上，这时，来自所有提供者的凭据信息都会返回给 kubelet。
 如果针对同一镜像调用了多个提供者，则结果会被组合起来。如果提供者返回的认证主键有重复，
-列表中先出现的提供者所返回的值将被使用。
+列表中先出现的提供者所返回的值将第一个被尝试使用。
+</td>
+</tr>
+</tbody>
+</table>
+
+## `ImagePullIntent`     {#kubelet-config-k8s-io-v1alpha1-ImagePullIntent}
+
+<p>
+<!--
+ImagePullIntent is a record of the kubelet attempting to pull an image.
+-->
+ImagePullIntent 是 kubelet 尝试拉取镜像的记录。
+</p>
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+    
+<tr><td><code>apiVersion</code><br/>string</td><td><code>kubelet.config.k8s.io/v1alpha1</code></td></tr>
+<tr><td><code>kind</code><br/>string</td><td><code>ImagePullIntent</code></td></tr>
+  
+<tr><td><code>image</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+<p>
+<!--
+Image is the image spec from a Container's <code>image</code> field.
+The filename is a SHA-256 hash of this value. This is to avoid filename-unsafe
+characters like ':' and '/'.
+-->
+image 是容器 <code>image</code> 字段中的镜像规约。
+文件名是此值的 SHA-256 哈希，这样做是为了避免文件名中不安全的字符，如 ':' 和 '/'。
+</p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `ImagePulledRecord`     {#kubelet-config-k8s-io-v1alpha1-ImagePulledRecord}
+
+<p>
+<!--
+ImagePullRecord is a record of an image that was pulled by the kubelet.
+-->
+ImagePullRecord 是 kubelet 拉取的镜像的记录。
+</p>
+<p>
+<!--
+If there are no records in the <code>kubernetesSecrets</code> field and both <code>nodeWideCredentials</code>
+and <code>anonymous</code> are <code>false</code>, credentials must be re-checked the next time an
+image represented by this record is being requested.
+-->
+如果 <code>kubernetesSecrets</code> 字段中没有记录，且 <code>nodeWideCredentials</code>
+和 <code>anonymous</code> 均为 <code>false</code>，则当请求此记录表示的镜像时，必须重新检查凭据。
+</p>
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr>
+<tbody>
+    
+<tr><td><code>apiVersion</code><br/>string</td><td><code>kubelet.config.k8s.io/v1alpha1</code></td></tr>
+<tr><td><code>kind</code><br/>string</td><td><code>ImagePulledRecord</code></td></tr>
+
+<tr><td><code>lastUpdatedTime</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#time-v1-meta"><code>meta/v1.Time</code></a>
+</td>
+<td>
+<p>
+<!--
+LastUpdatedTime is the time of the last update to this record
+-->
+lastUpdatedTime 是此记录上次更新的时间
+</p>
+</td>
+</tr>
+<tr><td><code>imageRef</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+<p>
+<!--
+ImageRef is a reference to the image represented by this file as received
+from the CRI.
+The filename is a SHA-256 hash of this value. This is to avoid filename-unsafe
+characters like ':' and '/'.
+-->
+imageRef 是从 CRI 接收到的此文件所代表的镜像的引用。
+文件名是此值的 SHA-256 哈希。这是为了避免文件名中不安全的字符，如 ':' 和 '/'。
+</p>
+</td>
+</tr>
+<tr><td><code>credentialMapping</code> <B><!--[Required]-->[必需]</B><br/>
+<a href="#kubelet-config-k8s-io-v1alpha1-ImagePullCredentials"><code>map[string]ImagePullCredentials</code></a>
+</td>
+<td>
+<p>
+<!--
+CredentialMapping maps <code>image</code> to the set of credentials that it was
+previously pulled with.
+<code>image</code> in this case is the content of a pod's container <code>image</code> field that's
+got its tag/digest removed.
+-->
+credentialMapping 将 <code>image</code> 映射到之前拉取它时使用的凭据集。
+这里的 <code>image</code> 是 Pod 的容器中 <code>image</code> 字段的内容，
+已去除其标签/摘要。
+</p>
+<p>
+<!--
+Example:
+Container requests the <code>hello-world:latest@sha256:91fb4b041da273d5a3273b6d587d62d518300a6ad268b28628f74997b93171b2</code> image:
+-->
+示例：
+容器请求 <code>hello-world:latest@sha256:91fb4b041da273d5a3273b6d587d62d518300a6ad268b28628f74997b93171b2</code> 镜像：
+&quot;credentialMapping&quot;: {
+&quot;hello-world&quot;: { &quot;nodePodsAccessible&quot;: true }
+}
+</p>
 </td>
 </tr>
 </tbody>
@@ -62,6 +180,8 @@ auth keys, the value from the provider earlier in this list is used.
 **出现在：**
 
 - [CredentialProviderConfig](#kubelet-config-k8s-io-v1alpha1-CredentialProviderConfig)
+- [ImagePullIntent](#kubelet-config-k8s-io-v1alpha1-ImagePullIntent)
+- [ImagePulledRecord](#kubelet-config-k8s-io-v1alpha1-ImagePulledRecord)
 
 <!--
 CredentialProvider represents an exec plugin to be invoked by the kubelet. The plugin is only
@@ -78,13 +198,18 @@ CredentialProvider 代表的是要被 kubelet 调用的一个 exec 插件。
 <code>string</code>
 </td>
 <td>
-   <!--name is the required name of the credential provider. It must match the name of the
+<p>
+<!--
+name is the required name of the credential provider. It must match the name of the
 provider executable as seen by the kubelet. The executable must be in the kubelet's
-bin directory (set by the --image-credential-provider-bin-dir flag).</td>
+bin directory (set by the --image-credential-provider-bin-dir flag).
+Required to be unique across all providers.
 -->
   <code>name</code> 是凭据提供者的名称（必需）。此名称必须与 kubelet
   所看到的提供者可执行文件的名称匹配。可执行文件必须位于 kubelet 的
   <code>bin</code> 目录（通过 <code>--image-credential-provider-bin-dir</code> 设置）下。
+  必须在所有提供商之间保持唯一。
+<p>
 </td>
 </tr>
 
@@ -229,3 +354,120 @@ ExecEnvVar 用来在执行基于 exec 的凭据插件时设置环境变量。
 </tbody>
 </table>
 
+## `ImagePullCredentials`     {#kubelet-config-k8s-io-v1alpha1-ImagePullCredentials}
+    
+<!--
+**Appears in:**
+-->
+**出现在：**
+
+- [ImagePulledRecord](#kubelet-config-k8s-io-v1alpha1-ImagePulledRecord)
+
+
+<p>
+<!--
+ImagePullCredentials describe credentials that can be used to pull an image.
+-->
+ImagePullCredentials 描述了可以用于拉取镜像的凭据。
+</p>
+
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+    
+  
+<tr><td><code>kubernetesSecrets</code><br/>
+<a href="#kubelet-config-k8s-io-v1alpha1-ImagePullSecret"><code>[]ImagePullSecret</code></a>
+</td>
+<td>
+<p>
+<!--
+KuberneteSecretCoordinates is an index of coordinates of all the kubernetes
+secrets that were used to pull the image.
+-->
+kuberneteSecretCoordinates 是用于拉取镜像的所有 Kubernetes
+Secret 的坐标索引。
+</p>
+</td>
+</tr>
+<tr><td><code>nodePodsAccessible</code><br/>
+<code>bool</code>
+</td>
+<td>
+<p>
+<!--
+NodePodsAccessible is a flag denoting the pull credentials are accessible
+by all the pods on the node, or that no credentials are needed for the pull.
+-->
+nodePodsAccessible 是一个标志，表示节点上的所有 Pod 都可以访问拉取凭据，
+或者拉取不需要凭据。
+</p>
+<p>
+<!--
+If true, it is mutually exclusive with the <code>kubernetesSecrets</code> field.
+-->
+如果为 true，则与 <code>kubernetesSecrets</code> 字段互斥。
+</p>
+</td>
+</tr>
+</tbody>
+</table>
+
+## `ImagePullSecret`     {#kubelet-config-k8s-io-v1alpha1-ImagePullSecret}
+    
+<!--
+**Appears in:**
+-->
+**出现在：**
+
+- [ImagePullCredentials](#kubelet-config-k8s-io-v1alpha1-ImagePullCredentials)
+
+<p>
+<!--
+ImagePullSecret is a representation of a Kubernetes secret object coordinates along
+with a credential hash of the pull secret credentials this object contains.
+-->
+ImagePullSecret 是 Kubernetes Secret 对象坐标的表示，
+以及此对象包含的拉取 Secret 凭据的哈希值。
+</p>
+
+<table class="table">
+<thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead>
+<tbody>
+
+<tr><td><code>uid</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+   <span class="text-muted"><!--No description provided.-->没有提供描述。</span></td>
+</tr>
+<tr><td><code>namespace</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+   <span class="text-muted"><!--No description provided.-->没有提供描述。</span></td>
+</tr>
+<tr><td><code>name</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+   <span class="text-muted"><!--No description provided.-->没有提供描述。</span></td>
+</tr>
+<tr><td><code>credentialHash</code> <B><!--[Required]-->[必需]</B><br/>
+<code>string</code>
+</td>
+<td>
+<p>
+<!--
+CredentialHash is a SHA-256 retrieved by hashing the image pull credentials
+content of the secret specified by the UID/Namespace/Name coordinates.
+-->
+credentialHash 是通过对镜像拉取凭据的内容进行哈希计算获得的 SHA-256 值，
+这些凭据由 UID/命名空间/名称坐标指定的 Secret 提供。
+</p>
+</td>
+</tr>
+</tbody>
+</table>
+
