[zh] sync /containers/images.md

windsonsea · windsonsea · commit 91774e874395 · 2022-12-18T08:29:29.000+08:00
diff --git a/content/zh-cn/docs/concepts/containers/images.md b/content/zh-cn/docs/concepts/containers/images.md
@@ -321,12 +321,15 @@ Credentials can be provided in several ways:
 ## 使用私有仓库   {#using-a-private-registry}
 
 从私有仓库读取镜像时可能需要密钥。
-凭证可以用以下方式提供:
+凭据可以用以下方式提供:
 
 <!--
   - Configuring Nodes to Authenticate to a Private Registry
     - all pods can read any configured private registries
     - requires node configuration by cluster administrator
+  - Kubelet Credential Provider to dynamically fetch credentials for private registries
+    - kubelet can be configured to use credential provider exec plugin 
+      for the respective private registry.
   - Pre-pulled Images
     - all pods can use any images cached on a node
     - requires root access to all nodes to set up
@@ -340,6 +343,8 @@ Credentials can be provided in several ways:
 - 配置节点向私有仓库进行身份验证
   - 所有 Pod 均可读取任何已配置的私有仓库
   - 需要集群管理员配置节点
+- kubelet 凭据提供程序，动态获取私有仓库的凭据
+ - kubelet 可以被配置为使用凭据提供程序 exec 插件来访问对应的私有镜像库
 - 预拉镜像
   - 所有 Pod 都可以使用节点上缓存的所有镜像
   - 需要所有节点的 root 访问权限才能进行设置
@@ -370,7 +375,27 @@ task. That example uses a private registry in Docker Hub.
 -->
 有关配置私有容器镜像仓库的示例，
 请参阅任务[从私有镜像库中拉取镜像](/zh-cn/docs/tasks/configure-pod-container/pull-image-private-registry)。
-该示例使用 Docker Hub 中的私有注册表。
+该示例使用 Docker Hub 中的私有镜像仓库。
+
+{{< note >}}
+<!--
+This approach is especially suitable when kubelet needs to fetch registry credentials dynamically.
+Most commonly used for registries provided by cloud providers where auth tokens are short-lived.
+-->
+此方法尤其适合 kubelet 需要动态获取仓库凭据时。
+最常用于由云提供商提供的仓库，其中身份认证令牌的生命期是短暂的。
+{{< /note >}}
+
+<!--
+You can configure the kubelet to invoke a plugin binary to dynamically fetch registry credentials for a container image.
+This is the most robust and versatile way to fetch credentials for private registries, but also requires kubelet-level configuration to enable.
+
+See [Configure a kubelet image credential provider](/docs/tasks/administer-cluster/kubelet-credential-provider/) for more details.
+-->
+你可以配置 kubelet，以调用插件可执行文件的方式来动态获取容器镜像的仓库凭据。
+这是为私有仓库获取凭据最稳健和最通用的方法，但也需要 kubelet 级别的配置才能启用。
+
+有关更多细节请参见[配置 kubelet 镜像凭据提供程序](/docs/tasks/administer-cluster/kubelet-credential-provider/)。
 
 <!--
 ### Interpretation of config.json {#config-json}
@@ -459,7 +484,7 @@ would match successfully:
 The kubelet performs image pulls sequentially for every found credential. This
 means, that multiple entries in `config.json` are possible, too:
 -->
-kubelet 为每个找到的凭证的镜像按顺序拉取。这意味着在 `config.json` 中可能有多项：
+kubelet 为每个找到的凭据的镜像按顺序拉取。这意味着在 `config.json` 中可能有多项：
 
 ```json
 {
