[zh-cn] sync ingress.md controlling-access.md

my-git9 · my-git9 · commit 6f04c6a8f310 · 2023-06-03T11:10:23.000+08:00
Signed-off-by: xin.li &lt;xin.li@daocloud.io&gt;
diff --git a/content/zh-cn/docs/concepts/security/controlling-access.md b/content/zh-cn/docs/concepts/security/controlling-access.md
@@ -4,14 +4,12 @@ content_type: concept
 weight: 50
 ---
 <!--
----
 reviewers:
 - erictune
 - lavalamp
 title: Controlling Access to the Kubernetes API
 content_type: concept
 weight: 50
----
 -->
 
 <!-- overview -->
@@ -40,11 +38,15 @@ following diagram:
 ## 传输安全 {#transport-security}
 
 <!--
-By default, the Kubernetes API server listens on port 6443 on the first non-localhost network interface, protected by TLS. In a typical production Kubernetes cluster, the API serves on port 443. The port can be changed with the `--secure-port`, and the listening IP address with the `--bind-address` flag.
+By default, the Kubernetes API server listens on port 6443 on the first non-localhost
+network interface, protected by TLS. In a typical production Kubernetes cluster, the
+API serves on port 443. The port can be changed with the `--secure-port`, and the
+listening IP address with the `--bind-address` flag.
 
 The API server presents a certificate. This certificate may be signed using
 a private certificate authority (CA), or based on a public key infrastructure linked
-to a generally recognized CA. The certificate and corresponding private key can be set by using the `--tls-cert-file` and `--tls-private-key-file` flags.
+to a generally recognized CA. The certificate and corresponding private key can be set
+by using the `--tls-cert-file` and `--tls-private-key-file` flags.
 -->
 默认情况下，Kubernetes API 服务器在第一个非 localhost 网络接口的 6443 端口上进行监听，
 受 TLS 保护。在一个典型的 Kubernetes 生产集群中，API 使用 443 端口。
@@ -65,17 +67,18 @@ Your client can present a TLS client certificate at this stage.
 
 你的客户端可以在此阶段出示 TLS 客户端证书。
 
-<!-- ## Authentication -->
-## 认证 {#authentication}
-
 <!--
+## Authentication
+
 Once TLS is established, the HTTP request moves to the Authentication step.
 This is shown as step **1** in the diagram.
 The cluster creation script or cluster admin configures the API server to run
 one or more Authenticator modules.
 Authenticators are described in more detail in
 [Authentication](/docs/reference/access-authn-authz/authentication/).
 -->
+## 认证 {#authentication}
+
 如上图步骤 **1** 所示，建立 TLS 后， HTTP 请求将进入认证（Authentication）步骤。
 集群创建脚本或者集群管理员配置 API 服务器，使之运行一个或多个身份认证组件。
 身份认证组件在[认证](/zh-cn/docs/reference/access-authn-authz/authentication/)节中有更详细的描述。
@@ -111,16 +114,20 @@ users in its API.
 反之，该用户被认证为特定的 `username`，并且该用户名可用于后续步骤以在其决策中使用。
 部分验证器还提供用户的组成员身份，其他则不提供。
 
-<!-- ## Authorization -->
-## 鉴权 {#authorization}
-
 <!--
-After the request is authenticated as coming from a specific user, the request must be authorized. This is shown as step **2** in the diagram.
+## Authorization
 
-A request must include the username of the requester, the requested action, and the object affected by the action. The request is authorized if an existing policy declares that the user has permissions to complete the requested action.
+After the request is authenticated as coming from a specific user, the request must
+be authorized. This is shown as step **2** in the diagram.
+
+A request must include the username of the requester, the requested action, and
+the object affected by the action. The request is authorized if an existing policy
+declares that the user has permissions to complete the requested action.
 
 For example, if Bob has the policy below, then he can read pods only in the namespace `projectCaribou`:
 -->
+## 鉴权 {#authorization}
+
 如上图的步骤 **2** 所示，将请求验证为来自特定的用户后，请求必须被鉴权。
 
 请求必须包含请求者的用户名、请求的行为以及受该操作影响的对象。
@@ -141,7 +148,8 @@ For example, if Bob has the policy below, then he can read pods only in the name
 }
 ```
 <!--
-If Bob makes the following request, the request is authorized because he is allowed to read objects in the `projectCaribou` namespace:
+If Bob makes the following request, the request is authorized because he is
+allowed to read objects in the `projectCaribou` namespace:
 -->
 如果 Bob 执行以下请求，那么请求会被鉴权，因为允许他读取 `projectCaribou` 名称空间中的对象。
 
@@ -160,11 +168,14 @@ If Bob makes the following request, the request is authorized because he is allo
 }
 ```
 <!--
-If Bob makes a request to write (`create` or `update`) to the objects in the `projectCaribou` namespace, his authorization is denied.
-If Bob makes a request to read (`get`) objects in a different namespace such as `projectFish`, then his authorization is denied.
-
-Kubernetes authorization requires that you use common REST attributes to interact with existing organization-wide or cloud-provider-wide access control systems.
-It is important to use REST formatting because these control systems might interact with other APIs besides the Kubernetes API.
+If Bob makes a request to write (`create` or `update`) to the objects in the
+`projectCaribou` namespace, his authorization is denied. If Bob makes a request
+to read (`get`) objects in a different namespace such as `projectFish`, then his authorization is denied.
+
+Kubernetes authorization requires that you use common REST attributes to interact
+with existing organization-wide or cloud-provider-wide access control systems.
+It is important to use REST formatting because these control systems might
+interact with other APIs besides the Kubernetes API.
 -->
 如果 Bob 在 `projectCaribou` 名字空间中请求写（`create` 或 `update`）对象，其鉴权请求将被拒绝。
 如果 Bob 在诸如 `projectFish` 这类其它名字空间中请求读取（`get`）对象，其鉴权也会被拒绝。
@@ -179,8 +190,8 @@ If more than one authorization modules are configured, Kubernetes checks each mo
 and if any module authorizes the request, then the request can proceed.
 If all of the modules deny the request, then the request is denied (HTTP status code 403).
 
-To learn more about Kubernetes authorization, including details about creating policies using the supported authorization modules,
-see [Authorization](/docs/reference/access-authn-authz/authorization/).
+To learn more about Kubernetes authorization, including details about creating
+policies using the supported authorization modules, see [Authorization](/docs/reference/access-authn-authz/authorization/).
 -->
 Kubernetes 支持多种鉴权模块，例如 ABAC 模式、RBAC 模式和 Webhook 模式等。
 管理员创建集群时，他们配置应在 API 服务器中使用的鉴权模块。
@@ -190,10 +201,9 @@ Kubernetes 支持多种鉴权模块，例如 ABAC 模式、RBAC 模式和 Webhoo
 要了解更多有关 Kubernetes 鉴权的更多信息，包括有关使用支持鉴权模块创建策略的详细信息，
 请参阅[鉴权](/zh-cn/docs/reference/access-authn-authz/authorization/)。
 
-<!-- ## Admission control -->
-## 准入控制 {#admission-control}
-
 <!--
+## Admission control 
+
 Admission Control modules are software modules that can modify or reject requests.
 In addition to the attributes available to Authorization modules, Admission
 Control modules can access the contents of the object that is being created or modified.
@@ -202,6 +212,8 @@ Admission controllers act on requests that create, modify, delete, or connect to
 Admission controllers do not act on requests that merely read objects.
 When multiple admission controllers are configured, they are called in order.
 -->
+## 准入控制 {#admission-control}
+
 准入控制模块是可以修改或拒绝请求的软件模块。
 除鉴权模块可用的属性外，准入控制模块还可以访问正在创建或修改的对象的内容。
 
@@ -295,5 +307,5 @@ You can learn about:
 
 你可以了解
 - Pod 如何使用
-  [Secrets](/zh-cn/docs/concepts/configuration/secret/#service-accounts-automatically-create-and-attach-secrets-with-api-credentials)
+  [Secret](/zh-cn/docs/concepts/configuration/secret/#service-accounts-automatically-create-and-attach-secrets-with-api-credentials)
   获取 API 凭证。
diff --git a/content/zh-cn/docs/concepts/services-networking/ingress.md b/content/zh-cn/docs/concepts/services-networking/ingress.md
@@ -8,7 +8,7 @@ weight: 30
 ---
 <!--
 reviewers:
-- bprashanth
+- bprashanthluster: A set of Nodes that run containerized app
 title: Ingress
 content_type: concept
 description: >-
@@ -36,10 +36,16 @@ For clarity, this guide defines the following terms:
 
 <!-- 
 * Node: A worker machine in Kubernetes, part of a cluster.
-* Cluster: A set of Nodes that run containerized applications managed by Kubernetes. For this example, and in most common Kubernetes deployments, nodes in the cluster are not part of the public internet.
-* Edge router: A router that enforces the firewall policy for your cluster. This could be a gateway managed by a cloud provider or a physical piece of hardware.
-* Cluster network: A set of links, logical or physical, that facilitate communication within a cluster according to the Kubernetes [networking model](/docs/concepts/cluster-administration/networking/).
-* Service: A Kubernetes {{< glossary_tooltip term_id="service" >}} that identifies a set of Pods using {{< glossary_tooltip text="label" term_id="label" >}} selectors. Unless mentioned otherwise, Services are assumed to have virtual IPs only routable within the cluster network.
+* Cluster: A set of Nodes that run containerized applications managed by Kubernetes.
+  For this example, and in most common Kubernetes deployments, nodes in the cluster
+  are not part of the public internet.
+* Edge router: A router that enforces the firewall policy for your cluster. This
+  could be a gateway managed by a cloud provider or a physical piece of hardware.
+* Cluster network: A set of links, logical or physical, that facilitate communication
+  within a cluster according to the Kubernetes [networking model](/docs/concepts/cluster-administration/networking/).
+* Service: A Kubernetes {{< glossary_tooltip term_id="service" >}} that identifies
+  a set of Pods using {{< glossary_tooltip text="label" term_id="label" >}} selectors.
+  Unless mentioned otherwise, Services are assumed to have virtual IPs only routable within the cluster network.
  -->
 * 节点（Node）: Kubernetes 集群中的一台工作机器，是集群的一部分。
 * 集群（Cluster）: 一组运行由 Kubernetes 管理的容器化应用程序的节点。
@@ -54,7 +60,8 @@ For clarity, this guide defines the following terms:
 <!--
 ## What is Ingress?
 
-[Ingress](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#ingress-v1-networking-k8s-io) exposes HTTP and HTTPS routes from outside the cluster to
+[Ingress](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#ingress-v1-networking-k8s-io)
+exposes HTTP and HTTPS routes from outside the cluster to
 {{< link text="services" url="/docs/concepts/services-networking/service/" >}} within the cluster.
 Traffic routing is controlled by rules defined on the Ingress resource.
 -->
@@ -73,7 +80,11 @@ Here is a simple example where an Ingress sends all its traffic to one Service:
 {{< figure src="/zh-cn/docs/images/ingress.svg" alt="ingress-diagram" class="diagram-large" caption="图. Ingress" link="https://mermaid.live/edit#pako:eNqNkktLAzEQgP9KSC8Ku6XWBxKlJz0IHsQeuz1kN7M2uC-SrA9sb6X26MFLFZGKoCC0CIIn_Td1139halZq8eJlE2a--TI7yRn2YgaYYCc6EDRpod39DSdCyAs4RGqhMRndffRfs6dxc9Euox0NgZR2NhpmF73sqos2XVFD-ctt_vY2uTnPh8PJ4BGV7Ro3ZKOoaH5Li6Bt19r56zi7fM4fupP-oC1BHHEPGnWzGlimruno87qXvd__qjdpw2pXErOlxl7Mmn_j1VkcImb-i0q5BT5KAsoj5PMgICXGmCWViA-BlHzfL_b2MWeqRVaSE8uLg1iQUqVS2ZiTHK7LQrFcXfNg9V8WnZu3eEEqFYjCNCslJdd15zXVmcacODP9TMcqJmBN5zL9VKdt_uLM1ZoBzIVNF8WqM06ELRyCCCln-oWcTVkHqxaE4GCitwx8mgbK0Y-no9E0YVTBNuMqFpj4NJBgYZqquH4aeZgokcIPtMWpvtywoDpfU3_yww" >}}
 
 <!-- 
-An Ingress may be configured to give Services externally-reachable URLs, load balance traffic, terminate SSL / TLS, and offer name-based virtual hosting. An [Ingress controller](/docs/concepts/services-networking/ingress-controllers) is responsible for fulfilling the Ingress, usually with a load balancer, though it may also configure your edge router or additional frontends to help handle the traffic.
+An Ingress may be configured to give Services externally-reachable URLs,
+load balance traffic, terminate SSL / TLS, and offer name-based virtual hosting.
+An [Ingress controller](/docs/concepts/services-networking/ingress-controllers)
+is responsible for fulfilling the Ingress, usually with a load balancer, though
+it may also configure your edge router or additional frontends to help handle the traffic.
 -->
 Ingress 可为 Service 提供外部可访问的 URL、负载均衡流量、终止 SSL/TLS，以及基于名称的虚拟托管。
 [Ingress 控制器](/zh-cn/docs/concepts/services-networking/ingress-controllers)
@@ -93,16 +104,17 @@ Ingress 不会公开任意端口或协议。
 <!--
 ## Prerequisites
 
-You must have an [Ingress controller](/docs/concepts/services-networking/ingress-controllers) to satisfy an Ingress. Only creating an Ingress resource has no effect.
+You must have an [Ingress controller](/docs/concepts/services-networking/ingress-controllers)
+to satisfy an Ingress. Only creating an Ingress resource has no effect.
 -->
 ## 环境准备
 
 你必须拥有一个 [Ingress 控制器](/zh-cn/docs/concepts/services-networking/ingress-controllers) 才能满足 Ingress 的要求。
 仅创建 Ingress 资源本身没有任何效果。
 
 <!-- 
-You may need to deploy an Ingress controller such as [ingress-nginx](https://kubernetes.github.io/ingress-nginx/deploy/). You can choose from a number of
-[Ingress controllers](/docs/concepts/services-networking/ingress-controllers).
+You may need to deploy an Ingress controller such as [ingress-nginx](https://kubernetes.github.io/ingress-nginx/deploy/).
+You can choose from a number of [Ingress controllers](/docs/concepts/services-networking/ingress-controllers).
 -->
 你可能需要部署 Ingress 控制器，例如 [ingress-nginx](https://kubernetes.github.io/ingress-nginx/deploy/)。
 你可以从许多 [Ingress 控制器](/zh-cn/docs/concepts/services-networking/ingress-controllers) 中进行选择。
@@ -137,10 +149,10 @@ An Ingress needs `apiVersion`, `kind`, `metadata` and `spec` fields.
 The name of an Ingress object must be a valid
 [DNS subdomain name](/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
 For general information about working with config files, see [deploying applications](/docs/tasks/run-application/run-stateless-application-deployment/), [configuring containers](/docs/tasks/configure-pod-container/configure-pod-configmap/), [managing resources](/docs/concepts/cluster-administration/manage-deployment/).
- Ingress frequently uses annotations to configure some options depending on the Ingress controller, an example of which
- is the [rewrite-target annotation](https://github.com/kubernetes/ingress-nginx/blob/main/docs/examples/rewrite/README.md).
-Different [Ingress controllers](/docs/concepts/services-networking/ingress-controllers) support different annotations. Review the documentation for
- your choice of Ingress controller to learn which annotations are supported.
+Ingress frequently uses annotations to configure some options depending on the Ingress controller, an example of which
+is the [rewrite-target annotation](https://github.com/kubernetes/ingress-nginx/blob/main/docs/examples/rewrite/README.md).
+Different [Ingress controllers](/docs/concepts/services-networking/ingress-controllers) support different annotations.
+Review the documentation for your choice of Ingress controller to learn which annotations are supported.
 -->
 Ingress 需要指定 `apiVersion`、`kind`、 `metadata`和 `spec` 字段。
 Ingress 对象的命名必须是合法的 [DNS 子域名名称](/zh-cn/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)。
@@ -200,7 +212,8 @@ Each HTTP rule contains the following information:
   incoming request before the load balancer directs traffic to the referenced
   Service.
 * A backend is a combination of Service and port names as described in the
-  [Service doc](/docs/concepts/services-networking/service/) or a [custom resource backend](#resource-backend) by way of a {{< glossary_tooltip term_id="CustomResourceDefinition" text="CRD" >}}. HTTP (and HTTPS) requests to the
+  [Service doc](/docs/concepts/services-networking/service/) or a [custom resource backend](#resource-backend)
+  by way of a {{< glossary_tooltip term_id="CustomResourceDefinition" text="CRD" >}}. HTTP (and HTTPS) requests to the
   Ingress that match the host and path of the rule are sent to the listed backend.
 -->
 * 可选的 `host`。在此示例中，未指定 `host`，因此该规则适用于通过指定 IP 地址的所有入站 HTTP 通信。
@@ -379,6 +392,7 @@ Ingress 中的每个路径都需要有对应的路径类型（Path Type）。未
 
 <!-- 
 #### Multiple matches
+
 In some cases, multiple paths within an Ingress will match a request. In those
 cases precedence will be given first to the longest matching path. If two paths
 are still equally matched, precedence will be given to paths with an exact path
@@ -482,6 +496,7 @@ API（可能是一个定制资源（Custom Resource）），而它的
 `name` 则为此 API 确定了一个具体的集群作用域的资源。
 
 示例：
+
 ```yaml
 ---
 apiVersion: networking.k8s.io/v1
@@ -499,6 +514,7 @@ spec:
     kind: ClusterIngressParameter
     name: external-config-1
 ```
+
 {{% /tab %}}
 {{% tab name="命名空间作用域" %}}
 {{< feature-state for_k8s_version="v1.23" state="stable" >}}
@@ -702,9 +718,9 @@ Ingress 允许你将负载均衡器的数量降至最低。例如，这样的设
 {{< figure src="/zh-cn/docs/images/ingressFanOut.svg" alt="ingress-fanout-diagram" class="diagram-large" caption="图. Ingress 扇出" link="https://mermaid.live/edit#pako:eNqNUk1v0zAY_iuWewEpyRKnjM5FPY0DEgfEjk0PTvxmtZbGke3woW03NDjuChNCRRyQkMYFidP4NyXlX5DMjroykLg4j_x8vM6j9xhnkgOm-FCxao4ePx0nJUJZIaA0d6ary48_33xvvnyd3fUD9Kg8VKC131wum_Oz5t0r9CBVE7T-9mF9dbV6_3q9XK7efkaBPxFWOXUOD0X3R8FeFEQkDqKYzK6HOJHvT052cilPNKhnIoNoemAB6i_okIThbU_KVO8hf3oIHYUj59F1an_u18VZ8-PTjRhLuyltZiV5NH0i-ewvBLlFEEvE_yKGGwJKbmtlWu9DjqqCiRLloijogHPuaaPkEdBBnucO-88FN3M6rF54mSykooMwDMdbIUcj7SJispvBvf9KabntlKyotQHlkjZWOkjTdDuGbGLsxE1S36jXl9YD4nWldsc1irtj2D39htdumy1l69q-zH3H2MMLUAsmeLuux50uwWYOC0gwbSGHnNWFSXBSnrbSuuLMwEMujFSY5qzQ4GFWG3nwsswwNaqGXrQvWLsgC6c6_Q0zxBrK" >}}
 
 <!--
-would require an Ingress such as:
+It would require an Ingress such as:
 -->
-将需要一个如下所示的 Ingress：
+这将需要一个如下所示的 Ingress：
 
 {{< codenew file="service/networking/simple-fanout-example.yaml" >}}
 
@@ -786,7 +802,9 @@ Ingress 控制器 IP 地址的任何网络流量，而无需基于名称的虚
 
 <!-- 
 For example, the following Ingress routes traffic
-requested for `first.bar.com` to `service1`, `second.bar.com` to `service2`, and any traffic whose request host header doesn't match `first.bar.com` and `second.bar.com` to `service3`.
+requested for `first.bar.com` to `service1`, `second.bar.com` to `service2`,
+and any traffic whose request host header doesn't match `first.bar.com`
+and `second.bar.com` to `service3`.
 -->
 例如，以下 Ingress 会将请求 `first.bar.com` 的流量路由到 `service1`，将请求
 `second.bar.com` 的流量路由到 `service2`，而所有其他流量都会被路由到 `service3`。
