Merge pull request #27796 from tengqm/zh-sync-concepts-14

k8s-ci-robot · web-flow · commit ac63e4c22a4b · 2021-05-27T08:36:23.000-07:00
[zh] Resync concepts section (14)
diff --git a/content/zh/docs/concepts/policy/pod-security-policy.md b/content/zh/docs/concepts/policy/pod-security-policy.md
@@ -12,7 +12,12 @@ content_type: concept
 weight: 30
 -->
 
-{{< feature-state state="beta" >}}
+{{< feature-state for_k8s_version="v1.21" state="deprecated" >}}
+
+<!--
+PodSecurityPolicy is deprecated as of Kubernetes v1.21, and will be removed in v1.25.
+-->
+PodSecurityPolicy 在 Kubernetes v1.21 版本中被启用，将在 v1.25 中删除。
 
 <!--
 Pod Security Policies enable fine-grained authorization of pod creation and
diff --git a/content/zh/docs/concepts/policy/resource-quotas.md b/content/zh/docs/concepts/policy/resource-quotas.md
@@ -103,13 +103,15 @@ Neither contention nor changes to quota will affect already created resources.
 ## Enabling Resource Quota
 
 Resource Quota support is enabled by default for many Kubernetes distributions.  It is
-enabled when the API server `--enable-admission-plugins=` flag has `ResourceQuota` as
+enabled when the {{< glossary_tooltip text="API server" term_id="kube-apiserver" >}} `--enable-admission-plugins=` flag has `ResourceQuota` as
 one of its arguments.
 -->
 ## 启用资源配额
 
-资源配额的支持在很多 Kubernetes 版本中是默认开启的。当 API 服务器的 `--enable-admission-plugins=`
-参数中包含 `ResourceQuota` 时，资源配额会被启用。
+资源配额的支持在很多 Kubernetes 版本中是默认启用的。
+当 {{< glossary_tooltip text="API 服务器" term_id="kube-apiserver" >}}
+的命令行标志 `--enable-admission-plugins=` 中包含 `ResourceQuota` 时，
+资源配额会被启用。
 
 <!--
 A resource quota is enforced in a particular namespace when there is a
@@ -245,6 +247,16 @@ In release 1.8, quota support for local ephemeral storage is added as an alpha f
 | `limits.ephemeral-storage` | 在命名空间的所有 Pod 中，本地临时存储限制值的总和不能超过此值。 |
 | `ephemeral-storage` | 与 `requests.ephemeral-storage` 相同。 |
 
+{{< note >}}
+<!--
+When using a CRI container runtime, container logs will count against the ephemeral storage quota. This can result in the unexpected eviction of pods that have exhausted their storage quotas. Refer to [Logging Architecture](/docs/concepts/cluster-administration/logging/) for details.
+-->
+如果所使用的是 CRI 容器运行时，容器日志会被计入临时存储配额。
+这可能会导致存储配额耗尽的 Pods 被意外地驱逐出节点。
+参考[日志架构](/zh/docs/concepts/cluster-administration/logging/)
+了解详细信息。
+{{< /note >}}
+
 <!--
 ## Object Count Quota
 
@@ -371,6 +383,7 @@ Resources specified on the quota outside of the allowed set results in a validat
 | `BestEffort` | Match pods that have best effort quality of service. |
 | `NotBestEffort` | Match pods that do not have best effort quality of service. |
 | `PriorityClass` | Match pods that references the specified [priority class](/docs/concepts/configuration/pod-priority-preemption). |
+| `CrossNamespacePodAffinity` | Match pods that have cross-namespace pod [(anti)affinity terms](/docs/concepts/scheduling-eviction/assign-pod-node). |
 -->
 | 作用域 | 描述 |
 | ----- | ----------- |
@@ -379,6 +392,7 @@ Resources specified on the quota outside of the allowed set results in a validat
 | `BestEffort` | 匹配所有 Qos 是 BestEffort 的 Pod。 |
 | `NotBestEffort` | 匹配所有 Qos 不是 BestEffort 的 Pod。 |
 | `PriorityClass` | 匹配所有引用了所指定的[优先级类](/zh/docs/concepts/configuration/pod-priority-preemption)的 Pods。 |
+| `CrossNamespacePodAffinity` | 匹配那些设置了跨名字空间 [（反）亲和性条件](/zh/docs/concepts/scheduling-eviction/assign-pod-node)的 Pod。 |
 
 <!--
 The `BestEffort` scope restricts a quota to tracking the following resource:
@@ -684,12 +698,105 @@ pods        0     10
 ```
 
 <!--
-## Requests vs Limits
+### Cross-namespace Pod Affinity Quota
+-->
+### 跨名字空间的 Pod 亲和性配额   {#cross-namespace-pod-affinity-quota}
+
+{{< feature-state for_k8s_version="v1.21" state="alpha" >}}
+
+<!--
+Operators can use `CrossNamespacePodAffinity` quota scope to limit which namespaces are allowed to
+have pods with affinity terms that cross namespaces. Specifically, it controls which pods are allowed
+to set `namespaces` or `namespaceSelector` fields in pod affinity terms.
+-->
+集群运维人员可以使用 `CrossNamespacePodAffinity` 配额作用域来
+限制哪个名字空间中可以存在包含跨名字空间亲和性规则的 Pod。
+更为具体一点，此作用域用来配置哪些 Pod 可以在其 Pod 亲和性规则
+中设置 `namespaces` 或 `namespaceSelector` 字段。
+
+<!--
+Preventing users from using cross-namespace affinity terms might be desired since a pod
+with anti-affinity constraints can block pods from all other namespaces 
+from getting scheduled in a failure domain. 
+-->
+禁止用户使用跨名字空间的亲和性规则可能是一种被需要的能力，因为带有
+反亲和性约束的 Pod 可能会阻止所有其他名字空间的 Pod 被调度到某失效域中。
+
+<!--
+Using this scope operators can prevent certain namespaces (`foo-ns` in the example below) 
+from having pods that use cross-namespace pod affinity by creating a resource quota object in
+that namespace with `CrossNamespaceAffinity` scope and hard limit of 0:
+-->
+使用此作用域操作符可以避免某些名字空间（例如下面例子中的 `foo-ns`）运行
+特别的 Pod，这类 Pod 使用跨名字空间的 Pod 亲和性约束，在该名字空间中创建
+了作用域为 `CrossNamespaceAffinity` 的、硬性约束为 0 的资源配额对象。
+
+```yaml
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: disable-cross-namespace-affinity
+  namespace: foo-ns
+spec:
+  hard:
+    pods: "0"
+  scopeSelector:
+    matchExpressions:
+    - scopeName: CrossNamespaceAffinity
+```
+
+<!--
+If operators want to disallow using `namespaces` and `namespaceSelector` by default, and 
+only allow it for specific namespaces, they could configure `CrossNamespaceAffinity` 
+as a limited resource by setting the kube-apiserver flag -admission-control-config-file
+to the path of the following configuration file:
+-->
+如果集群运维人员希望默认禁止使用 `namespaces` 和 `namespaceSelector`，而
+仅仅允许在特定名字空间中这样做，他们可以将 `CrossNamespaceAffinity` 作为一个
+被约束的资源。方法是为 `kube-apiserver` 设置标志
+`--admission-control-config-file`，使之指向如下的配置文件：
+
+```yaml
+apiVersion: apiserver.config.k8s.io/v1
+kind: AdmissionConfiguration
+plugins:
+- name: "ResourceQuota"
+  configuration:
+    apiVersion: apiserver.config.k8s.io/v1
+    kind: ResourceQuotaConfiguration
+    limitedResources:
+    - resource: pods
+      matchScopes:
+      - scopeName: CrossNamespaceAffinity
+```
+
+<!--
+With the above configuration, pods can use `namespaces` and `namespaceSelector` in pod affinity only
+if the namespace where they are created have a resource quota object with 
+`CrossNamespaceAffinity` scope and a hard limit greater than or equal to the number of pods using those fields.
+-->
+基于上面的配置，只有名字空间中包含作用域为 `CrossNamespaceAffinity` 且
+硬性约束大于或等于使用 `namespaces` 和 `namespaceSelector` 字段的 Pods
+个数时，才可以在该名字空间中继续创建在其 Pod 亲和性规则中设置 `namespaces`
+或 `namespaceSelector` 的新 Pod。
+
+<!--
+This feature is alpha and disabled by default. You can enable it by setting the
+[feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
+`PodAffinityNamespaceSelector` in both kube-apiserver and kube-scheduler.
+-->
+此功能特性处于 Alpha 阶段，默认被禁用。你可以通过为 kube-apiserver 和
+kube-scheduler 设置
+[特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)
+`PodAffinityNamespaceSelector` 来启用此特性。
+
+<!--
+## Requests compared to Limits {#requests-vs-limits}
 
 When allocating compute resources, each container may specify a request and a limit value for either CPU or memory.
 The quota can be configured to quota either value.
 -->
-## 请求与限制   {#requests-vs-limits}
+## 请求与限制的比较   {#requests-vs-limits}
 
 分配计算资源时，每个容器可以为 CPU 或内存指定请求和约束。
 配额可以针对二者之一进行设置。
@@ -917,22 +1024,42 @@ plugins:
 ```
 
 <!--
-Now, "cluster-services" pods will be allowed in only those namespaces where a quota object with a matching `scopeSelector` is present.
-
-For example:
+Then, create a resource quota object in the `kube-system` namespace:
 -->
-现在，仅当命名空间中存在匹配的 `scopeSelector` 的配额对象时，才允许使用 "cluster-services" Pod。
+现在在 `kube-system` 名字空间中创建一个资源配额对象：
 
-示例：
+{{< codenew file="policy/priority-class-resourcequota.yaml" >}}
 
-```yaml
-    scopeSelector:
-      matchExpressions:
-      - scopeName: PriorityClass
-        operator: In
-        values: ["cluster-services"]
+```shell
+kubectl apply -f https://k8s.io/examples/policy/priority-class-resourcequota.yaml -n kube-system
+```
+
+```
+resourcequota/pods-cluster-services created
 ```
 
+<!--
+In this case, a pod creation will be allowed if:
+
+1.  the Pod's `priorityClassName` is not specified.
+1.  the Pod's `priorityClassName` is specified to a value other than `cluster-services`.
+1.  the Pod's `priorityClassName` is set to `cluster-services`, it is to be created
+   in the `kube-system` namespace, and it has passed the resource quota check.
+-->
+在这里，当以下条件满足时可以创建 Pod：
+
+1. Pod 未设置 `priorityClassName`
+1. Pod 的 `priorityClassName` 设置值不是 `cluster-services`
+1. Pod 的 `priorityClassName` 设置值为 `cluster-services`，它将被创建于
+   `kube-system` 名字空间中，并且它已经通过了资源配额检查。
+
+<!--
+A Pod creation request is rejected if its `priorityClassName` is set to `cluster-services`
+and it is to be created in a namespace other than `kube-system`.
+-->
+如果 Pod 的 `priorityClassName` 设置为 `cluster-services`，但要被创建到
+`kube-system` 之外的别的名字空间，则 Pod 创建请求也被拒绝。
+
 ## {{% heading "whatsnext" %}}
 
 <!--
diff --git a/content/zh/examples/policy/priority-class-resourcequota.yaml b/content/zh/examples/policy/priority-class-resourcequota.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: pods-cluster-services
+spec:
+  scopeSelector:
+    matchExpressions:
+      - operator : In
+        scopeName: PriorityClass
+        values: ["cluster-services"]
