Merge pull request #47051 from salaxander/merged-main-dev-1.31

Merged main dev 1.31

Author: k8s-ci-robot

content/en/docs/tasks/debug/debug-application/debug-running-pod.md

@@ -632,10 +632,89 @@ When creating a debugging session on a node, keep in mind that:
 * The container runs in the host IPC, Network, and PID namespaces, although
   the pod isn't privileged, so reading some process information may fail,
   and `chroot /host` may fail.
-* If you need a privileged pod, create it manually.
+* If you need a privileged pod, create it manually or use the `--profile=sysadmin` flag.
 
 Don't forget to clean up the debugging Pod when you're finished with it:
 
 ```shell
 kubectl delete pod node-debugger-mynode-pdx84
 ```
+
+## Debugging Profiles {#debugging-profiles}
+
+When using `kubectl debug` to debug a node via a debugging Pod, a Pod via an ephemeral container, 
+or a copied Pod, you can apply a debugging profile to them using the `--profile` flag.
+By applying a profile, specific properties such as [securityContext](/docs/tasks/configure-pod-container/security-context/)
+are set, allowing for adaptation to various scenarios.
+
+
+The available profiles are as follows:
+
+| Profile      | Description                                                     |
+| ------------ | --------------------------------------------------------------- |
+| legacy       | A set of properties backwards compatibility with 1.22 behavior |
+| general      | A reasonable set of generic properties for each debugging journey |
+| baseline     | A set of properties compatible with [PodSecurityStandard baseline policy](/docs/concepts/security/pod-security-standards/#baseline) |
+| restricted   | A set of properties compatible with [PodSecurityStandard restricted policy](/docs/concepts/security/pod-security-standards/#restricted) |
+| netadmin     | A set of properties including Network Administrator privileges |
+| sysadmin     | A set of properties including System Administrator (root) privileges |
+
+
+{{< note >}}
+If you don't specify `--profile`, the `legacy` profile is used by default, but it is planned to be deprecated in the near future.
+So it is recommended to use other profiles such as `general`.
+{{< /note >}}
+
+
+Assume that you create a Pod and debug it.
+First, create a Pod named `myapp` as an example:
+
+```shell
+kubectl run myapp --image=busybox:1.28 --restart=Never -- sleep 1d
+```
+
+Then, debug the Pod using an ephemeral container.
+If the ephemeral container needs to have privilege, you can use the `sysadmin` profile:
+
+```shell
+kubectl debug -it myapp --image=busybox:1.28 --target=myapp --profile=sysadmin
+```
+
+```
+Targeting container "myapp". If you don't see processes from this container it may be because the container runtime doesn't support this feature.
+Defaulting debug container name to debugger-6kg4x.
+If you don't see a command prompt, try pressing enter.
+/ #
+```
+
+Check the capabilities of the ephemeral container process by running the following command inside the container:
+
+```shell
+/ # grep Cap /proc/$$/status
+```
+
+```
+...
+CapPrm:	000001ffffffffff
+CapEff:	000001ffffffffff
+...
+```
+
+This means the container process is granted full capabilities as a privileged container by applying `sysadmin` profile.
+See more details about [capabilities](/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container).
+
+You can also check that the ephemeral container was created as a privileged container:
+
+```shell
+kubectl get pod myapp -o jsonpath='{.spec.ephemeralContainers[0].securityContext}'
+```
+
+```
+{"privileged":true}
+```
+
+Clean up the Pod when you're finished with it:
+
+```shell
+kubectl delete pod myapp
+```

content/en/docs/tasks/debug/debug-cluster/kubectl-node-debug.md

@@ -75,7 +75,8 @@ When creating a debugging session on a Node, keep in mind that:
 * Although the container runs in the host IPC, Network, and PID namespaces,
   the pod isn't privileged. This means that reading some process information might fail
   because access to that information is restricted to superusers. For example, `chroot /host` will fail.
-  If you need a privileged pod, create it manually.
+  If you need a privileged pod, create it manually or use the `--profile=sysadmin` flag.
+* By applying [Debugging Profiles](/docs/tasks/debug/debug-application/debug-running-pod/#debugging-profiles), you can set specific properties such as [securityContext](/docs/tasks/configure-pod-container/security-context/) to a debugging Pod.
 
 ## {{% heading "cleanup" %}}
 

content/en/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions.md

@@ -1645,7 +1645,6 @@ may also be used with field selectors when included in the `spec.versions[*].sel
 
 #### Selectable fields for custom resources {#crd-selectable-fields}
 
-{{< feature-state state="alpha" for_k8s_version="v1.30" >}}
 {{< feature-state feature_gate_name="CustomResourceFieldSelectors" >}}
 
 You need to enable the `CustomResourceFieldSelectors`

content/id/docs/concepts/extend-kubernetes/operator.md

@@ -130,7 +130,6 @@ menggunakan bahasa / _runtime_ yang dapat bertindak sebagai
 * Temukan "ready-made" _operators_ dalam [OperatorHub.io](https://operatorhub.io/) 
   untuk memenuhi use case kamu
 * Menggunakan perangkat yang ada untuk menulis Operator kamu sendiri, misalnya:
-  * menggunakan [KUDO](https://kudo.dev/) (Kubernetes Universal Declarative Operator)
   * menggunakan [Mast](https://docs.ansi.services/mast/user_guide/operator/)
   * menggunakan [kubebuilder](https://book.kubebuilder.io/)
   * menggunakan [Metacontroller](https://metacontroller.github.io/metacontroller/intro.html) bersama dengan

content/id/docs/concepts/scheduling-eviction/scheduler-perf-tuning.md

@@ -103,9 +103,9 @@ percentageOfNodesToScore: 50
 
 `percentageOfNodesToScore` merupakan angka 1 sampai 100 dengan
 nilai bawaan yang dihitung berdasarkan ukuran klaster. Di sini juga terdapat
-batas bawah yang telah ditetapkan, yaitu 50 Node.
+batas bawah yang telah ditetapkan, yaitu 100 Node.
 
-{{< note >}}Pada klaster dengan kurang dari 50 Node layak, penjadwal masih
+{{< note >}}Pada klaster dengan kurang dari 100 Node layak, penjadwal masih
 terus memeriksa seluruh Node karena Node-Node layak belum mencukupi supaya
 penjadwal dapat menghentikan proses pencarian lebih awal.
 

content/ja/docs/concepts/architecture/leases.md

@@ -18,7 +18,7 @@ Kubernetesでは、kubeletのノードハートビートをKubernetes APIサー
 内部的には、kubeletのハートビートはこの`Lease`オブジェクトに対するUPDATEリクエストであり、Leaseの`spec.renewTime`フィールドを更新しています。
 Kubernetesのコントロールプレーンはこのフィールドのタイムスタンプを見て、`Node`が利用可能かを判断しています。
 
-詳しくは[Node Leaseオブジェクト](/ja/docs/concepts/architecture/nodes/#heartbeats)をご覧ください。
+詳しくは[Node Leaseオブジェクト](/ja/docs/concepts/architecture/nodes/#node-heartbeats)をご覧ください。
 
 ## リーダー選出
 

content/ja/docs/concepts/scheduling-eviction/scheduler-perf-tuning.md

@@ -69,10 +69,10 @@ percentageOfNodesToScore: 50
 
 ## percentageOfNodesToScoreのチューニング
 
-`percentageOfNodesToScore`は1から100の間の範囲である必要があり、デフォルト値はクラスターのサイズに基づいて計算されます。また、クラスターのサイズの最小値は50ノードとハードコードされています。
+`percentageOfNodesToScore`は1から100の間の範囲である必要があり、デフォルト値はクラスターのサイズに基づいて計算されます。また、クラスターのサイズの最小値は100ノードとハードコードされています。
 
 {{< note >}}
-割り当て可能なノードが50以下のクラスターでは、スケジューラの検索を早期に停止するのに十分な割り当て可能なノードがないため、スケジューラはすべてのノードをチェックします。
+割り当て可能なノードが100以下のクラスターでは、スケジューラの検索を早期に停止するのに十分な割り当て可能なノードがないため、スケジューラはすべてのノードをチェックします。
 
 小規模クラスターでは、`percentageOfNodesToScore`に低い値を設定したとしても、同様の理由で変更による影響は全くないか、ほとんどありません。
 

content/ja/docs/reference/command-line-tools-reference/feature-gates/in-place-pod-vertical-scaling.md

@@ -0,0 +1,13 @@
+---
+title: InPlacePodVerticalScaling
+content_type: feature_gate
+_build:
+  list: never
+  render: false
+
+stages:
+  - stage: alpha
+    defaultValue: false
+    fromVersion: "1.27"
+---
+Podリソースの再作成なしで垂直オートスケーリングができる機能を有効にします。

content/ko/docs/concepts/scheduling-eviction/scheduler-perf-tuning.md

@@ -102,10 +102,10 @@ percentageOfNodesToScore: 50
 ### percentageOfNodesToScore 튜닝
 
 `percentageOfNodesToScore`는 1과 100 사이의 값이어야 하며
-기본값은 클러스터 크기에 따라 계산된다. 또한 50 노드로 하드 코딩된
+기본값은 클러스터 크기에 따라 계산된다. 또한 100 노드로 하드 코딩된
 최솟값도 있다.
 
-{{< note >}} 클러스터에서 적합한 노드가 50 미만인 경우, 스케줄러는 여전히
+{{< note >}} 클러스터에서 적합한 노드가 100 미만인 경우, 스케줄러는 여전히
 모든 노드를 확인한다. 그 이유는 스케줄러가 탐색을 조기 중단하기에는 적합한
 노드의 수가 충분하지 않기 때문이다.
 

content/zh-cn/blog/_posts/2024-04-25-structured-authentication-configuration-beta.md

@@ -283,7 +283,7 @@ jwt:
     url: https://issuer.example.com
     audiences:
     - example-client-id
-  certificateAuthority: <取值是 /path/to/ca.pem 文件的内容>
+    certificateAuthority: <取值是 /path/to/ca.pem 文件的内容>
   claimMappings:
     username:
       claim: username