Update admission-controllers.md

Vickey-Wu · web-flow · commit 772684dc4562 · 2020-08-20T11:15:06.000+08:00
fix: add missing content about CertificateApproval, CertificateSigning and CertificateSubjectRestrictions
diff --git a/content/zh/docs/reference/access-authn-authz/admission-controllers.md b/content/zh/docs/reference/access-authn-authz/admission-controllers.md
@@ -205,6 +205,42 @@ Rejects all requests. AlwaysDeny is DEPRECATED as no real meaning.
 -->
 拒绝所有的请求。由于没有实际意义，已废弃。
 
+### CertificateApproval
+
+<!--
+This admission controller observes requests to 'approve' CertificateSigningRequest resources and performs additional authorization checks to ensure the approving user has permission to approve certificate requests with the spec.signerName requested on the CertificateSigningRequest resource.
+-->
+
+此准入控制器获取“审批”CertificateSigningRequest资源的请求并执行额外的授权检查，以确保审批请求的用户有权限审批`spec.signerName`请求CertificateSigningRequest资源的证书请求。
+
+<!--
+See Certificate Signing Requests for more information on the permissions required to perform different actions on CertificateSigningRequest resources.
+-->
+
+有关对证书签名请求资源执行不同操作所需权限的详细信息，请参阅[证书签名请求](/docs/reference/access-authn-authz/certificate-signing-requests/)
+
+### CertificateSigning
+
+<!--
+This admission controller observes updates to the status.certificate field of CertificateSigningRequest resources and performs an additional authorization checks to ensure the signing user has permission to sign certificate requests with the spec.signerName requested on the CertificateSigningRequest resource.
+-->
+
+此准入控制器获取CertificateSigningRequest资源的`status.certificate`字段更新请求并执行额外的授权检查，以确保签发证书的用户有权限为`spec.signerName`请求CertificateSigningRequest资源的证书请求`签发`证书。
+
+<!--
+See Certificate Signing Requests for more information on the permissions required to perform different actions on CertificateSigningRequest resources.
+-->
+
+有关对证书签名请求资源执行不同操作所需权限的详细信息，请参阅[证书签名请求](/docs/reference/access-authn-authz/certificate-signing-requests/)
+
+### CertificateSubjectRestrictions 
+
+<!--
+This admission controller observes creation of CertificateSigningRequest resources that have a spec.signerName of kubernetes.io/kube-apiserver-client. It rejects any request that specifies a 'group' (or 'organization attribute') of system:masters.
+-->
+
+此准入控制器获取具有`kubernetes.io/kube-apiserver-client`的`spec.signerName`的CertificateSigningRequest资源创建请求，它拒绝任何包含了`system:masters`一个“组”（或者“组织”）的请求。
+
 ### DefaultStorageClass {#defaultstorageclass}
 
 <!--
