Merge pull request #40203 from Zhuzhenghao/socks5-proxy-access-api

k8s-ci-robot · web-flow · commit a045f626f597 · 2023-03-22T08:40:36.000-07:00
[zh] resync page socks5-proxy-access-api
diff --git a/content/zh-cn/docs/tasks/extend-kubernetes/socks5-proxy-access-api.md b/content/zh-cn/docs/tasks/extend-kubernetes/socks5-proxy-access-api.md
@@ -67,7 +67,7 @@ graph LR;
   client([client])-- local <br> traffic .->  local_ssh[Local SSH <br> SOCKS5 proxy];
   end
   local_ssh[SSH <br>SOCKS5 <br> proxy]-- SSH Tunnel --\>sshd
-  
+
   subgraph remote[Remote server]
   sshd[SSH <br> server]-- local traffic --\>service1;
   end
@@ -110,86 +110,62 @@ Figure 1. SOCKS5 tutorial components
 <!--
 ## Using ssh to create a SOCKS5 proxy
 
-This command starts a SOCKS5 proxy between your client machine and the remote server.
-The SOCKS5 proxy lets you connect to your cluster's API server.
+The following command starts a SOCKS5 proxy between your client machine and the remote SOCKS server:
 -->
 ## 使用 SSH 创建 SOCKS5 代理
 
-此命令在你的客户端计算机和远程服务器之间启动一个 SOCKS5 代理。
-SOCKS5 代理允许你连接到集群的 API 服务器。
+下面的命令在你的客户端计算机和远程 SOCKS 服务器之间启动一个 SOCKS5 代理：
 
 ```shell
 # 运行此命令后，SSH 隧道继续在前台运行
 ssh -D 1080 -q -N username@kubernetes-remote-server.example
 ```
 
 <!--
+The SOCKS5 proxy lets you connect to your cluster's API server based on the following configuration:
 * `-D 1080`: opens a SOCKS proxy on local port :1080.
 * `-q`: quiet mode. Causes most warning and diagnostic messages to be suppressed.
 * `-N`: Do not execute a remote command. Useful for just forwarding ports.
-* `username@kubernetes-remote-server.example`: the remote SSH server where the Kubernetes cluster is running.
+* `username@kubernetes-remote-server.example`: the remote SSH server behind which the Kubernetes cluster
+  is running (eg: a bastion host).
 -->
 * `-D 1080`: 在本地端口 1080 上打开一个 SOCKS 代理。
 * `-q`: 静音模式。导致大多数警告和诊断消息被抑制。
 * `-N`: 不执行远程命令。仅用于转发端口。
-* `username@kubernetes-remote-server.example`：运行 Kubernetes 集群的远程 SSH 服务器。
+* `username@kubernetes-remote-server.example`：运行 Kubernetes 集群的远程 SSH 服务器（例如：堡垒主机）。
 
 <!--
 ## Client configuration
 
-To explore the Kubernetes API you'll first need to instruct your clients to send their queries through
-the SOCKS5 proxy we created earlier.
-
-For command-line tools, set the `https_proxy` environment variable and pass it to commands that you run.
+To access the Kubernetes API server through the proxy you must instruct `kubectl` to send queries through
+the `SOCKS` proxy we created earlier. Do this by either setting the appropriate environment variable,
+or via the `proxy-url` attribute in the kubeconfig file. Using an environment variable:
 -->
 ## 客户端配置
 
-要探索 Kubernetes API，你首先需要指示你的客户端通过我们之前创建的 SOCKS5
-代理发送他们的查询。
-对于命令行工具，设置 `https_proxy` 环境变量并将其传递给你运行的命令。
+要通过代理访问 Kubernetes API 服务器，你必须指示 `kubectl` 通过我们之前创建的 SOCKS5
+代理发送查询。
+这可以通过设置适当的环境变量或通过 kubeconfig 文件中的 `proxy-url` 属性来实现。
+使用环境变量：
 
 ```shell
-export https_proxy=socks5h://localhost:1080
+export HTTPS_PROXY=socks5://localhost:1080
 ```
 
 <!--
-When you set the `https_proxy` variable, tools such as `curl` route HTTPS traffic through the proxy
-you configured. For this to work, the tool must support SOCKS5 proxying.
--->
-当你设置 `https_proxy` 变量时，`curl` 等工具会通过你配置的代理路由 HTTPS 流量。
-为此，该工具必须支持 SOCKS5 代理。
-
-{{< note >}}
-<!--
-In the URL https://localhost:6443/api, `localhost` does not refer to your local client computer.
-Instead, it refers to the endpoint on the remote server known as `localhost`.
-The `curl` tool sends the hostname from the HTTPS URL over SOCKS, and the remote server
-resolves that locally (to an address that belongs to its loopback interface).
+To always use this setting on a specific `kubectl` context, specify the `proxy-url` attribute in the relevant
+`cluster` entry within the `~/.kube/config` file. For example:
 -->
-在 URL https://localhost:6443/api 中，`localhost` 不是指你的本地客户端计算机。
-它指的是远程服务器上称为 `localhost` 的端点。
-`curl` 工具通过 SOCKS 从 HTTPS URL 发送主机名，远程服务器在本地解析（到属于其环回接口的地址）。
-{{< /note >}}
-
-```shell
-curl -k -v https://localhost:6443/api
-```
-
-<!--
-To use the official Kubernetes client `kubectl` with a proxy, set the `proxy-url` element
-for the relevant `cluster` entry within  your `~/.kube/config` file. For example:
--->
-要将 Kubernetes 官方客户端 `kubectl` 与代理一起使用，
-请在 `~/.kube/config` 文件中为相关的
-`cluster` 条目设置 `proxy-url` 元素。例如：
+要始终在特定的 `kubectl` 上下文中使用此设置，请在 `~/.kube/config` 文件中为相关的
+`cluster` 条目设置 `proxy-url` 属性。例如：
 
 ```yaml
 apiVersion: v1
 clusters:
 - cluster:
     certificate-authority-data: LRMEMMW2 # 简化以便阅读
     # “Kubernetes API”服务器，换言之，kubernetes-remote-server.example 的 IP 地址
-    server: https://<API_SERVER_IP_ADRESS>:6443  
+    server: https://<API_SERVER_IP_ADRESS>:6443
     # 上图中的“SSH SOCKS5代理”（内置 DNS 解析）
     proxy-url: socks5://localhost:1080
   name: default
@@ -209,10 +185,11 @@ users:
 ```
 
 <!--
-If the tunnel is operating and you use `kubectl` with a context that uses this cluster, you can interact with your cluster through that proxy. For example:
+Once you have created the tunnel via the ssh command mentioned earlier, and defined either the environment variable or
+the `proxy-url` attribute, you can interact with your cluster through that proxy. For example:
 -->
-如果隧道能够正常工作，并且你调用 `kubectl` 时使用此集群的上下文，
-则可以通过该代理与你的集群交互。例如：
+一旦你通过前面提到的 SSH 命令创建了隧道，并定义了环境变量或 `proxy-url` 属性，
+你就可以通过该代理与你的集群交互。例如：
 
 ```shell
 kubectl get pods
@@ -223,6 +200,39 @@ NAMESPACE     NAME                                     READY   STATUS      RESTA
 kube-system   coredns-85cb69466-klwq8                  1/1     Running     0          5m46s
 ```
 
+{{< note >}}
+<!--
+- Before `kubectl` 1.24, most `kubectl` commands worked when using a socks proxy, except `kubectl exec`.
+- `kubectl` supports both `HTTPS_PROXY` and `https_proxy` environment variables. These are used by other
+  programs that support SOCKS, such as `curl`. Therefore in some cases it
+  will be better to define the environment variable on the command line:
+-->
+- 在 `kubectl` 1.24 之前，大多数 `kubectl` 命令在使用 socks 代理时都有效，除了 `kubectl exec`。
+- `kubectl` 支持读取 `HTTPS_PROXY` 和 `https_proxy` 环境变量。 这些被其他支持 SOCKS 的程序使用，例如 `curl`。
+  因此在某些情况下，在命令行上定义环境变量会更好：
+  ```shell
+  HTTPS_PROXY=socks5://localhost:1080 kubectl get pods
+  ```
+<!--
+- When using `proxy-url`, the proxy is used only for the relevant `kubectl` context,
+  whereas the environment variable will affect all contexts.
+-->
+- 使用 `proxy-url` 时，代理仅用于相关的 `kubectl` 上下文，而环境变量将影响所有上下文。
+<!--
+- The k8s API server hostname can be further protected from DNS leakage by using the `socks5h` protocol name
+  instead of the more commonly known `socks5` protocol shown above. In this case, `kubectl` will ask the proxy server
+  (such as an ssh bastion) to resolve the k8s API server domain name, instead of resolving it on the system running
+  `kubectl`. Note also that with `socks5h`, a k8s API server URL like `https://localhost:6443/api` does not refer
+  to your local client computer. Instead, it refers to `localhost` as known on the proxy server (eg the ssh bastion).
+-->
+- 通过使用 `socks5h` 协议名称而不是上面显示的更广为人知的 `socks5` 协议，
+  可以进一步保护 k8s API 服务器主机名免受 DNS 泄漏影响。
+  这种情况下，`kubectl` 将要求代理服务器（例如 SSH 堡垒机）解析 k8s API 服务器域名，
+  而不是在运行 `kubectl` 的系统上进行解析。
+  另外还要注意，使用 `socks5h` 时，像 `https://localhost:6443/api` 这样的 k8s API 服务器 URL 并不是指你的本地客户端计算机。
+  相反，它指向的是代理服务器（例如 SSH 堡垒机）上已知的 `localhost`。
+{{</ note >}}
+
 <!--
 ## Clean up
 
@@ -244,4 +254,3 @@ Type `unset https_proxy` in a terminal to stop forwarding http traffic through t
 ## 进一步阅读
 
 * [OpenSSH 远程登录客户端](https://man.openbsd.org/ssh)
-
