Merge branch 'kubernetes:main' into patch-1

Author: Ananya2001-an

content/en/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md

@@ -274,16 +274,11 @@ After 15 seconds, view Pod events to verify that the liveness check has not fail
 kubectl describe pod etcd-with-grpc
 ```
 
-Before Kubernetes 1.23, gRPC health probes were often implemented using
-[grpc-health-probe](https://github.com/grpc-ecosystem/grpc-health-probe/),
-as described in the blog post
-[Health checking gRPC servers on Kubernetes](/blog/2018/10/01/health-checking-grpc-servers-on-kubernetes/).
-The built-in gRPC probe's behavior is similar to the one implemented by grpc-health-probe.
-When migrating from grpc-health-probe to built-in probes, remember the following differences:
-
-- Built-in probes run against the pod IP address, unlike grpc-health-probe that often runs against
-  `127.0.0.1`. Be sure to configure your gRPC endpoint to listen on the Pod's IP address.
-- Built-in probes do not support any authentication parameters (like `-tls`).
+When using a gRPC probe, there are some technical details to be aware of:
+
+- The probes run against the pod IP address or its hostname.
+  Be sure to configure your gRPC endpoint to listen on the Pod's IP address.
+- The probes do not support any authentication parameters (like `-tls`).
 - There are no error codes for built-in probes. All errors are considered as probe failures.
 - If `ExecProbeTimeout` feature gate is set to `false`, grpc-health-probe does **not**
   respect the `timeoutSeconds` setting (which defaults to 1s), while built-in probe would fail on timeout.
@@ -425,23 +420,6 @@ liveness and readiness checks:
   See [probe-level `terminationGracePeriodSeconds`](#probe-level-terminationgraceperiodseconds)
   for more detail.
 
-{{< note >}}
-Before Kubernetes 1.20, the field `timeoutSeconds` was not respected for exec probes:
-probes continued running indefinitely, even past their configured deadline,
-until a result was returned.
-
-This defect was corrected in Kubernetes v1.20. You may have been relying on the previous behavior,
-even without realizing it, as the default timeout is 1 second.
-As a cluster administrator, you can disable the [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
-`ExecProbeTimeout` (set it to `false`) on each kubelet to restore the behavior from older versions,
-then remove that override once all the exec probes in the cluster have a `timeoutSeconds` value set.
-If you have pods that are impacted from the default 1 second timeout, you should update their
-probe timeout so that you're ready for the eventual removal of that feature gate.
-
-With the fix of the defect, for exec probes, on Kubernetes `1.20+` with the `dockershim` container runtime,
-the process inside the container may keep running even after probe returned failure because of the timeout.
-{{< /note >}}
-
 {{< caution >}}
 Incorrect implementation of readiness probes may result in an ever growing number
 of processes in the container, and resource starvation if this is left unchecked.
@@ -518,34 +496,19 @@ to resolve it.
 
 {{< feature-state for_k8s_version="v1.28" state="stable" >}}
 
-Prior to release 1.21, the Pod-level `terminationGracePeriodSeconds` was used
-for terminating a container that failed its liveness or startup probe. This
-coupling was unintended and may have resulted in failed containers taking an
-unusually long time to restart when a Pod-level `terminationGracePeriodSeconds`
-was set.
-
 In 1.25 and above, users can specify a probe-level `terminationGracePeriodSeconds`
 as part of the probe specification. When both a pod- and probe-level
 `terminationGracePeriodSeconds` are set, the kubelet will use the probe-level value.
 
-{{< note >}}
-Beginning in Kubernetes 1.25, the `ProbeTerminationGracePeriod` feature is enabled
-by default. For users choosing to disable this feature, please note the following:
+When setting the `terminationGracePeriodSeconds`, please note the following:
 
-* The `ProbeTerminationGracePeriod` feature gate is only available on the API Server.
-  The kubelet always honors the probe-level `terminationGracePeriodSeconds` field if
+* The kubelet always honors the probe-level `terminationGracePeriodSeconds` field if 
   it is present on a Pod.
 
 * If you have existing Pods where the `terminationGracePeriodSeconds` field is set and
   you no longer wish to use per-probe termination grace periods, you must delete
   those existing Pods.
 
-* When you or the control plane, or some other components create replacement
-  Pods, and the feature gate `ProbeTerminationGracePeriod` is disabled, then the
-  API server ignores the Probe-level `terminationGracePeriodSeconds` field, even if
-  a Pod or pod template specifies it.
-{{< /note >}}
-
 For example:
 
 ```yaml

content/en/docs/tasks/tools/install-kubectl-macos.md

@@ -280,7 +280,7 @@ Depending on how you installed `kubectl`, use one of the following methods.
 1.  Locate the `kubectl` binary on your system:
 
     ```bash
-    where kubectl
+    which kubectl
     ```
 
 1.  Remove the `kubectl` binary:

content/en/examples/admin/resource/limit-range-pod-3.yaml

@@ -6,6 +6,7 @@ spec:
   containers:
   - name: busybox-cnt01
     image: busybox:1.28
+    command: ["sleep", "3600"]
     resources:
       limits:
         memory: "300Mi"

content/en/examples/pods/share-process-namespace.yaml

@@ -9,6 +9,7 @@ spec:
     image: nginx
   - name: shell
     image: busybox:1.28
+    command: ["sleep", "3600"]
     securityContext:
       capabilities:
         add:

content/en/examples/pods/storage/projected-secret-downwardapi-configmap.yaml

@@ -6,6 +6,7 @@ spec:
   containers:
   - name: container-test
     image: busybox:1.28
+    command: ["sleep", "3600"]
     volumeMounts:
     - name: all-in-one
       mountPath: "/projected-volume"

content/en/examples/pods/storage/projected-secrets-nondefault-permission-mode.yaml

@@ -6,6 +6,7 @@ spec:
   containers:
   - name: container-test
     image: busybox:1.28
+    command: ["sleep", "3600"]
     volumeMounts:
     - name: all-in-one
       mountPath: "/projected-volume"

content/en/examples/pods/storage/projected-service-account-token.yaml

@@ -6,6 +6,7 @@ spec:
   containers:
   - name: container-test
     image: busybox:1.28
+    command: ["sleep", "3600"]
     volumeMounts:
     - name: token-vol
       mountPath: "/service-account"

content/zh-cn/docs/reference/config-api/apiserver-audit.v1.md

@@ -497,9 +497,9 @@ Resources is a list of resources this rule applies to.
 <p>For example:
 'pods' matches pods.
 'pods/log' matches the log subresource of pods.
-'<em>' matches all resources and their subresources.
-'pods/</em>' matches all subresources of pods.
-'*/scale' matches all scale subresources.</p>
+'&ast;' matches all resources and their subresources.
+'pods/&ast;' matches all subresources of pods.
+'&ast;/scale' matches all scale subresources.</p>
 -->
   <p>例如：</p>
   <ul>
@@ -767,10 +767,10 @@ PolicyRule 包含一个映射，基于元数据将请求映射到某审计级别
 <td>
    <!--
    NonResourceURLs is a set of URL paths that should be audited.
-   <em>s are allowed, but only as the full, final step in the path.
+   &ast;s are allowed, but only as the full, final step in the path.
    Examples:
    &quot;/metrics&quot; - Log requests for apiserver metrics
-   &quot;/healthz</em>&quot; - Log all health checks</p>
+   &quot;/healthz&ast;&quot; - Log all health checks</p>
    -->
 
    <p>

content/zh-cn/docs/reference/config-api/kubeadm-config.v1beta3.md

@@ -145,7 +145,7 @@ kubeadm 所提供的默认值在必要时也会保证其在多个组件之间是
 
 <!--
 <p>Users are always allowed to override default values, with the only exception of a small subset of setting with
-relevance for security (e.g. enforce authorization-mode Node and RBAC on api server)</p>
+relevance for security (e.g. enforce authorization-mode Node and RBAC on api server).</p>
 <p>If the user provides a configuration types that is not expected for the action you are performing, kubeadm will
 ignore those types and print a warning.</p>
 -->
@@ -1409,7 +1409,7 @@ HostPathMount contains elements describing volumes that are mounted from the hos
 </td>
 </tr>
 <tr><td><code>pathType</code><br/>
-<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#hostpathtype-v1-core"><code>core/v1.HostPathType</code></a>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#hostpathtype-v1-core"><code>core/v1.HostPathType</code></a>
 </td>
 <td>
    <!--
@@ -1700,14 +1700,14 @@ Defaults to the hostname of the node if not provided.
 <td>
    <!--
    <code>criSocket</code> is used to retrieve container runtime info.
-This information will be annotated to the Node API object, for later re-use
+This information will be annotated to the Node API object, for later re-use.
    -->
    <p><code>criSocket</code> 用来读取容器运行时的信息。
 此信息会被以注解的方式添加到 Node API 对象至上，用于后续用途。</p>
 </td>
 </tr>
 <tr><td><code>taints</code> <B><!--[Required]-->[必需]</B><br/>
-<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#taint-v1-core"><code>[]core/v1.Taint</code></a>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#taint-v1-core"><code>[]core/v1.Taint</code></a>
 </td>
 <td>
    <!--
@@ -1750,14 +1750,19 @@ command line except without leading dash(es).
 <td>
    <!--
    <code>ignorePreflightErrors</code> provides a list of pre-flight errors to be ignored when
-the current node is registered.
+the current node is registered, e.g.
+  <code>IsPrevilegedUser,Swap</code>.
+  Value <code>all</code> ignores errors from all checks.
    -->
-   <p><code>ignorePreflightErrors</code> 提供一组在当前节点被注册时可以
-忽略掉的预检错误。</p>
+   <p>
+      <code>ignorePreflightErrors</code> 提供一组在当前节点被注册时可以忽略掉的预检错误。
+      例如：<code>IsPrevilegedUser,Swap</code>。
+      取值 <code>all</code> 忽略所有检查的错误。
+   </p>
 </td>
 </tr>
 <tr><td><code>imagePullPolicy</code><br/>
-<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#pullpolicy-v1-core"><code>core/v1.PullPolicy</code></a>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#pullpolicy-v1-core"><code>core/v1.PullPolicy</code></a>
 </td>
 <td>
    <!--
@@ -1881,7 +1886,7 @@ for, so other administrators can know its purpose.
 </td>
 </tr>
 <tr><td><code>expires</code><br/>
-<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#time-v1-meta"><code>meta/v1.Time</code></a>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#time-v1-meta"><code>meta/v1.Time</code></a>
 </td>
 <td>
    <!--

content/zh-cn/docs/reference/config-api/kubelet-credentialprovider.v1.md

@@ -132,9 +132,9 @@ auth 是一个映射，包含传递给 kubelet 的身份验证信息。
 <!--
 Each key in the map is a pattern which can optionally contain a port and a path.
 Globs can be used in the domain, but not in the port or the path. Globs are supported
-as subdomains like <code>&ast;.k8s.io</code> or <code>k8s.&ast;.io</code>, and top-level-domains such as <code>k8s.&ast;</code>.
-Matching partial subdomains like <code>app&ast;.k8s.io</code> is also supported. Each glob can only match
-a single subdomain segment, so <code>&ast;.io</code> does not match <code>&ast;.k8s.io</code>.</p>
+as subdomains like '&ast;.k8s.io' or 'k8s.&ast;.io', and top-level-domains such as 'k8s.&ast;'.
+Matching partial subdomains like 'app&ast;.k8s.io' is also supported. Each glob can only match
+a single subdomain segment, so &ast;.io does not match &ast;.k8s.io.</p>
 -->
 <p>
 映射中的每个主键都可以包含端口和路径。