Merge pull request #52065 from my-git9/npa-25341

k8s-ci-robot · web-flow · commit 996e7f0b31ba · 2025-09-09T18:13:56.000-07:00
[zh-cn]sync certificate-signing-requests.md
diff --git a/content/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests.md b/content/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests.md
@@ -684,6 +684,171 @@ you like. If you want to add a note for human consumption, use the
 这是一个命名约定，但你也可以随你的个人喜好设置。
 如果你想添加一个供人类使用的注释，那就用 `status.conditions.message` 字段。
 
+## PodCertificateRequests {#pod-certificate-requests}
+
+{{< feature-state feature_gate_name="PodCertificateRequest" >}}
+
+{{< note >}}
+<!--
+In Kubernetes {{< skew currentVersion >}}, you must enable support for Pod
+Certificates using the `PodCertificateRequest` [feature
+gate](/docs/reference/command-line-tools-reference/feature-gates/) and the
+`--runtime-config=certificates.k8s.io/v1alpha1/podcertificaterequests=true`
+kube-apiserver flag.
+-->
+在 Kubernetes {{< skew currentVersion >}} 中，你必须使用 `PodCertificateRequest`
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)和 
+`--runtime-config=certificates.k8s.io/v1alpha1/podcertificaterequests=true` kube-apiserver
+标志来启用对 Pod 证书的支持。
+{{< /note >}}
+
+<!--
+PodCertificateRequests are API objects tailored to provisioning certificates to
+workloads running as Pods within a cluster.  The user typically does not
+interact with PodCertificateRequests directly, but uses [podCertificate
+projected volume sources](
+/docs/concepts/storage/projected-volumes#podcertificate), which are a `kubelet`
+feature that handles secure key provisioning and automatic certificate refresh.
+The application inside the pod only needs to know how to read the certificates
+from the filesystem.
+
+PodCertificateRequests are similar to CertificateSigningRequests, but have a
+simpler format enabled by their narrower use case.
+-->
+PodCertificateRequest 是专门为集群内以 Pod 形式运行的工作负载提供证书的 API 对象。
+用户通常不直接与 PodCertificateRequests 交互，而是使用
+[podCertificate 投射卷源](/zh-cn/docs/concepts/storage/projected-volumes#podcertificate)，
+这是 `kubelet` 的一个特性，处理安全密钥配置和自动证书刷新。
+Pod 内的应用程序只需要知道如何从文件系统读取证书。
+
+PodCertificateRequest 类似于 CertificateSigningRequest，但由于其使用场景更窄，因此格式更简单。
+
+<!--
+A PodCertificateRequest has the following spec fields:
+* `signerName`: The signer to which this request is addressed.
+* `podName` and `podUID`: The Pod that Kubelet is requesting a certificate for.
+* `serviceAccountName` and `serviceAccountUID`: The ServiceAccount corresponding to the Pod.
+* `nodeName` and `nodeUID`: The Node corresponding to the Pod.
+* `maxExpirationSeconds`: The maximum lifetime that the workload author will
+  accept for this certificate.  Defaults to 24 hours if not specified.
+* `pkixPublicKey`: The public key for which the certificate should be issued.
+* `proofOfPossession`: A signature demonstrating that the requester controls the
+  private key corresponding to `pkixPublicKey`.
+-->
+PodCertificateRequest 包含以下 spec 字段：
+
+* `signerName`：此请求所指向的签名者。
+* `podName` 和 `podUID`：kubelet 为其请求证书的 Pod。
+* `serviceAccountName` 和 `serviceAccountUID`：与 Pod 对应的 ServiceAccount。
+* `nodeName` 和 `nodeUID`：与 Pod 对应的 Node。
+* `maxExpirationSeconds`：工作负载作者将接受的此证书的最长生命周期。如果未指定，默认为 24 小时。
+* `pkixPublicKey`：应为其颁发证书的公钥。
+* `proofOfPossession`：一个签名，证明请求者控制着与 `pkixPublicKey` 对应的私钥。
+
+<!--
+Nodes automatically receive permissions to create PodCertificateRequests and
+read PodCertificateRequests related to them (as determined by the
+`spec.nodeName` field).  The `NodeRestriction` admission plugin, if enabled,
+ensures that nodes can only create PodCertificateRequests that correspond to a
+real pod that is currently running on the node.
+
+After creation, the `spec` of a PodCertificateRequest is immutable.
+-->
+节点自动获得创建与其相关的 PodCertificateRequests 以及读取与其相关的
+PodCertificateRequest（由 `spec.nodeName` 字段决定）的权限。
+如果启用了 `NodeRestriction` 准入插件，它会确保节点只能创建对应于当前正在该节点上运行的真实
+Pod 的 PodCertificateRequest。
+
+创建后，PodCertificateRequest 的 `spec` 是不可变的。
+
+<!--
+Unlike CSRs, PodCertificateRequests do not have an
+approval phase.  Once the PodCertificateRequest is created, the signer's
+controller directly decides to issue or deny the request.  It also has the
+option to mark the request as failed, if it encountered a permanent error when
+attempting to issue the request.
+
+To take any of these actions, the signing controller needs to have the
+appropriate permissions on both the PodCertificateRequest type, as well as on
+the signer name:
+* Verbs: **update**, group: `certificates.k8s.io`, resource:
+  `podcertificaterequests/status`
+* Verbs: **sign**, group: `certificates.k8s.io`, resource: `signers`,
+  resourceName: `<signerNameDomain>/<signerNamePath>` or `<signerNameDomain>/*`
+-->
+与 CSR 不同，PodCertificateRequests 没有批准阶段。一旦创建了 PodCertificateRequest，
+签名者的控制器会直接决定是发放还是拒绝请求。它还有权在尝试发放请求时遇到永久性错误的情况下，将请求标记为失败。
+
+要执行这些操作之一，签名控制器需要具有针对给定 PodCertificateRequest 类型以及签名者的适当权限：
+
+* 动词：**update**，组：`certificates.k8s.io`，资源：`podcertificaterequests/status`
+* 动词：**sign**，组：`certificates.k8s.io`，资源：`signers`，
+  资源名称：`<signerNameDomain>/<signerNamePath>` 或 `<signerNameDomain>/*`
+
+<!--
+The signing controller is free to consider other information beyond what's
+contained in the request, but it can rely on the information in the request to
+be accurate.  For example, the signing controller might load the Pod and read
+annotations set on it, or perform a SubjectAccessReview on the ServiceAccount.  
+-->
+签名控制器可以考察除请求中包含的信息之外的其他信息，但它可以相信请求中的信息是准确的。
+例如，签名控制器可能会加载 Pod 并读取 Pod 上设置的注解，或者对 ServiceAccount
+执行 SubjectAccessReview。
+
+<!--
+To issue a certificate in response to a request, the signing controller:
+* Adds an `Issued` condition to `status.conditions`.
+* Puts the issued certificate in `status.certificateChain`
+* Puts the `NotBefore` and `NotAfter` fields of the certificate in the
+  `status.notBefore` and `status.notAfter` fields &mdash; these fields are
+  denormalized into the Kubernetes API in order to aid debugging
+* Suggests a time to begin attempting to refresh the certificate using
+  `status.beginRefreshAt`.
+-->
+为了响应请求颁发证书，签署控制器会：
+
+* 在 `status.conditions` 中添加一个 `Issued` 状况。
+* 将颁发的证书放入 `status.certificateChain`。
+* 将证书的 `NotBefore` 和 `NotAfter` 字段分别放入 `status.notBefore` 和
+  `status.notAfter` 字段 — 这些字段被反规范化到 Kubernetes API 中，以帮助调试。
+* 建议使用 `status.beginRefreshAt` 开始尝试刷新证书的时间。
+
+<!--
+To deny a request, the signing controller adds a "Denied" condition to
+`status.conditions[]`.
+
+To mark a request failed, the signing controller adds a "Failed" condition to
+`status.conditions[]`.
+
+All of these conditions are mutually-exclusive, and must have status "True".  No
+other condition types are permitted on PodCertificateRequests.  In addition,
+once any of these conditions are set, the `status` field becomes immutable.
+-->
+为了拒绝请求，签署控制器会在 `status.conditions[]` 中添加一个 "Denied" 状况。
+
+为了标记请求失败，签署控制器会在 `status.conditions[]` 中添加一个 "Failed" 状况。
+
+所有这些状况都是互斥的，且必须具有 “True” 状态。不允许在 PodCertificateRequest
+上设置其他类型的状况信息。此外，一旦设置了所列的任一状况，`status` 字段将变为不可变。
+
+<!--
+Like all conditions, the `status.conditions[].reason` field is meant to contain
+a machine-readable code describing the condition in TitleCase.  The
+`status.conditions[].message` field is meant for a free-form explanation for
+human consumption.
+
+To ensure that terminal PodCertificateRequests do not build up in the cluster, a
+`kube-controller-manager` controller deletes all PodCertificateRequests older
+than 15 minutes.  All certificate issuance flows are expected to complete within
+this 15-minute limit.
+-->
+像所有其他状况一样，`status.conditions[].reason` 字段用于包含描述状况的机器可读代码，
+使用 TitleCase 表示。`status.conditions[].message` 字段用于包含供人阅读的自由格式解释。
+
+为了确保终端 PodCertificateRequests 不会在集群中积累，`kube-controller-manager`
+控制器会删除所有超过 15 分钟的 PodCertificateRequests。
+所有证书颁发流程都应在这一 15 分钟限制内完成。
+
 <!--
 ## Cluster trust bundles {#cluster-trust-bundles}
 -->
