Merge pull request #33598 from TinySong/zh-update-windows-nodes

k8s-ci-robot · web-flow · commit c965d048e968 · 2022-05-17T18:06:53.000-07:00
[zh] sync tasks/administer-cluster/kubeadm/*.md
diff --git a/content/zh/docs/tasks/administer-cluster/kubeadm/adding-windows-nodes.md b/content/zh/docs/tasks/administer-cluster/kubeadm/adding-windows-nodes.md
@@ -25,7 +25,6 @@ You can use Kubernetes to run a mixture of Linux and Windows nodes, so you can m
 混合使用运行于 Linux 上的 Pod 和运行于 Windows 上的 Pod。
 本页面展示如何将 Windows 节点注册到你的集群。
 
-
 ## {{% heading "prerequisites" %}}
  {{< version-check >}}
 
@@ -36,6 +35,7 @@ If you are using VXLAN/Overlay networking you must have also have [KB4489899](ht
 
 * A Linux-based Kubernetes kubeadm cluster in which you have access to the control plane (see [Creating a single control-plane cluster with kubeadm](/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/)).
 -->
+
 * 获取 [Windows Server 2019 或更高版本的授权](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing)
   以便配置托管 Windows 容器的 Windows 节点。
   如果你在使用 VXLAN/覆盖（Overlay）联网设施，则你还必须安装 [KB4489899](https://support.microsoft.com/help/4489899)。
@@ -275,55 +275,12 @@ Windows 工作节点上具有提升的权限（Administrator）。
 {{< /note >}}
 
 {{< tabs name="tab-windows-kubeadm-runtime-installation" >}}
-{{% tab name="Docker EE" %}}
-
-<!--
-#### Install Docker EE
-
-Install the `Containers` feature
--->
-#### 安装 Docker EE
-
-```powershell
-Install-WindowsFeature -Name containers
-```
-<!--
-Install Docker
-Instructions to do so are available at [Install Docker Engine - Enterprise on Windows Servers](https://docs.microsoft.com/en-us/virtualization/windowscontainers/quick-start/set-up-environment?tabs=Windows-Server#install-docker).
--->
-安装 Docker
-操作指南在 [Install Docker Engine - Enterprise on Windows Servers](https://docs.microsoft.com/en-us/virtualization/windowscontainers/quick-start/set-up-environment?tabs=Windows-Server#install-docker)。
-
-<!--
-#### Install wins, kubelet, and kubeadm.
--->
-#### 安装 wins、kubelet 和 kubeadm
-
-   ```PowerShell
-   curl.exe -LO https://raw.githubusercontent.com/kubernetes-sigs/sig-windows-tools/master/kubeadm/scripts/PrepareNode.ps1
-   .\PrepareNode.ps1 -KubernetesVersion {{< param "fullversion" >}}
-   ```
-
-<!--
-#### Run `kubeadm` to join the node
 
-    Use the command that was given to you when you ran `kubeadm init` on a control plane host.
-    If you no longer have this command, or the token has expired, you can run `kubeadm token create -print-join-command`
-    (on a control plane host) to generate a new token and join command.
--->
-#### 运行 `kubeadm` 添加节点
-
-   当你在控制面主机上运行 `kubeadm init` 时，输出了一个命令。现在运行这个命令。
-   如果你找不到这个命令，或者命令中对应的令牌已经过期，你可以（在一个控制面主机上）运行
-   `kubeadm token create --print-join-command` 来生成新的令牌和 join 命令。
-
-{{% /tab %}}
 {{% tab name="CRI-containerD" %}}
 
 <!--
 #### Install containerD
 -->
-
 #### 安装 containerD
 
 ```powershell
@@ -335,16 +292,12 @@ curl.exe -LO https://github.com/kubernetes-sigs/sig-windows-tools/releases/lates
 <!--
 To install a specific version of containerD specify the version with -ContainerDVersion.
 -->
-要安装特定版本的 containerD，使用参数 -ContainerDVersion指定版本。
+要安装特定版本的 containerD，使用参数 -ContainerDVersion 指定版本。
 
 ```powershell
 # Example
 .\Install-Containerd.ps1 -ContainerDVersion 1.4.1
 ```
-
-{{< /note >}}
-
-{{< note >}}
 <!--
 If you're using a different interface rather than Ethernet (i.e. "Ethernet0 2") on the Windows nodes, specify the name with `-netAdapterName`.
 -->
@@ -360,12 +313,18 @@ If you're using a different interface rather than Ethernet (i.e. "Ethernet0 2")
 <!--
 #### Install wins, kubelet, and kubeadm
 -->
-#### 安装 wins，kubelet 和 kubeadm
+#### 安装 wins、kubelet 和 kubeadm
 
 ```PowerShell
 curl.exe -LO https://raw.githubusercontent.com/kubernetes-sigs/sig-windows-tools/master/kubeadm/scripts/PrepareNode.ps1
 .\PrepareNode.ps1 -KubernetesVersion {{< param "fullversion" >}} -ContainerRuntime containerD
 ```
+<!--
+Install `crictl` from the [cri-tools project](https://github.com/kubernetes-sigs/cri-tools)
+which is required so that kubeadm can talk to the CRI endpoint.
+-->
+从 [cri-tools](https://github.com/kubernetes-sigs/cri-tools) 项目安装 `crtctl`。
+`crictl` 是必需的，kubeadm 使用它与 CRI 端点通信。
 
 <!--
 #### Run `kubeadm` to join the node
@@ -376,14 +335,92 @@ If you no longer have this command, or the token has expired, you can run `kubea
 -->
 #### 运行 `kubeadm` 添加节点
 
-   使用当你在控制面主机上运行 `kubeadm init` 时得到的命令。
-   如果你找不到这个命令，或者命令中对应的令牌已经过期，你可以（在一个控制面主机上）运行
-   `kubeadm token create --print-join-command` 来生成新的令牌和 join 命令。
+ 使用当你在控制面主机上运行 `kubeadm init` 时得到的命令。
+ 如果你找不到这个命令，或者命令中对应的令牌已经过期，你可以（在一个控制面主机上）运行
+ `kubeadm token create --print-join-command` 来生成新的令牌和 join 命令。
+
+
+{{% /tab %}}
+
+
+{{% tab name="Docker Engine" %}}
 
+<!--
+#### Install Docker Engine
+
+Install the `Containers` feature
+-->
+
+#### 安装 Docker Engine
+
+安装 `Containers` 功能特性
+
+```powershell
+Install-WindowsFeature -Name containers
+```
+
+<!--
+Install Docker
+Instructions to do so are available at [Install Docker Engine - Enterprise on Windows Servers](https://docs.microsoft.com/en-us/virtualization/windowscontainers/quick-start/set-up-environment?tabs=Windows-Server#install-docker).
+-->
+
+安装 Docker
+
+操作指南在
+[Install Docker Engine - Enterprise on Windows Servers](https://docs.microsoft.com/en-us/virtualization/windowscontainers/quick-start/set-up-environment?tabs=Windows-Server#install-docker)。
+
+<!--
+[Install cri-dockerd](https://github.com/Mirantis/cri-dockerd) which is required so that the kubelet
+can communicate with Docker on a CRI compatible endpoint.
+-->
+
+[安装 cri-dockerd](https://github.com/Mirantis/cri-dockerd)。kubelet 可以通过 cri-dockerd
+在 CRI 兼容的节点上与 Docker 通信。
+ 
 {{< note >}}
-If using **CRI-containerD** add `--cri-socket "npipe:////./pipe/containerd-containerd"` to the kubeadm call
+<!--
+Docker Engine does not implement the [CRI](/docs/concepts/architecture/cri/)
+which is a requirement for a container runtime to work with Kubernetes.
+For that reason, an additional service [cri-dockerd](https://github.com/Mirantis/cri-dockerd)
+has to be installed. cri-dockerd is a project based on the legacy built-in
+Docker Engine support that was [removed](/dockershim) from the kubelet in version 1.24.
+-->
+Docker Engine 没有实现 [CRI](/zh/docs/concepts/architecture/cri/)，
+而 CRI 是容器运行时能够与 Kubernetes 一起工作的要求。
+出于这个原因，必须安装一个额外的服务 [cri-dockerd](https://github.com/Mirantis/cri-dockerd)。
+cri-dockerd 是一个基于原来的内置 Docker Engine 支持的项目，
+而这一支持在 1.24 版本的 kubelet 中[已被移除](/zh/dockershim)。
 {{< /note >}}
 
+<!--
+Install `crictl` from the [cri-tools project](https://github.com/kubernetes-sigs/cri-tools)
+which is required so that kubeadm can talk to the CRI endpoint.
+-->
+从 [cri-tools](https://github.com/kubernetes-sigs/cri-tools) 项目安装 `crictl`。
+kubeadm 需要 `crictl` 才能与 CRI 端点通信。
+
+<!--
+#### Install wins, kubelet, and kubeadm.
+-->
+#### 安装 wins、kubelet 和 kubeadm
+
+```PowerShell
+curl.exe -LO https://raw.githubusercontent.com/kubernetes-sigs/sig-windows-tools/master/kubeadm/scripts/PrepareNode.ps1
+.\PrepareNode.ps1 -KubernetesVersion {{< param "fullversion" >}}
+```
+<!--
+# ### Run `kubeadm` to join the node
+
+Use the command that was given to you when you ran `kubeadm init` on a control plane host.
+If you no longer have this command, or the token has expired, you can run `kubeadm token create -print-join-command`
+(on a control plane host) to generate a new token and join command.
+-->
+#### 运行 `kubeadm` 添加节点
+
+当你在控制面主机上运行 `kubeadm init` 时，输出了一个命令。现在运行这个命令。
+如果你找不到这个命令，或者命令中对应的令牌已经过期，你可以（在一个控制面主机上）运行
+`kubeadm token create --print-join-command` 来生成新的令牌和 join 命令。
+
 {{% /tab %}}
 {{< /tabs >}}
 
diff --git a/content/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md b/content/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
@@ -16,10 +16,13 @@ weight: 10
 {{< feature-state for_k8s_version="v1.15" state="stable" >}}
 
 <!-- 
-Client certificates generated by [kubeadm](/docs/reference/setup-tools/kubeadm/) expire after 1 year. This page explains how to manage certificate renewals with kubeadm. 
+Client certificates generated by [kubeadm](/docs/reference/setup-tools/kubeadm/) expire after 1 year. 
+This page explains how to manage certificate renewals with kubeadm. It also covers other tasks related
+to kubeadm certificate management.
+
 -->
 由 [kubeadm](/zh/docs/reference/setup-tools/kubeadm/) 生成的客户端证书在 1 年后到期。
-本页说明如何使用 kubeadm 管理证书续订。
+本页说明如何使用 kubeadm 管理证书续订，同时也涵盖其他与 kubeadm 证书管理相关的说明。
 
 ## {{% heading "prerequisites" %}}
 
@@ -253,7 +256,7 @@ the Pod and the certificate renewal for the component can complete.
 所以 kubectl 不能用来删除或重启他们。
 要重启静态 Pod 你可以临时将清单文件从 `/etc/kubernetes/manifests/` 移除并等待 20 秒
 （参考 [KubeletConfiguration 结构](/docs/reference/config-api/kubelet-config.v1beta1/) 中的`fileCheckFrequency` 值）。
-如果 Pod 不在清单目录里，kubelet将会终止它。
+如果 Pod 不在清单目录里，kubelet 将会终止它。
 在另一个 `fileCheckFrequency` 周期之后你可以将文件移回去，为了组件可以完成 kubelet 将重新创建 Pod 和证书更新。
 
 <!-- 
@@ -312,27 +315,24 @@ These are advanced topics for users who need to integrate their organization's c
 ### Set up a signer
 
 The Kubernetes Certificate Authority does not work out of the box.
-You can configure an external signer such as [cert-manager](https://cert-manager.io/docs/configuration/ca/), or you can use the build-in signer.
+You can configure an external signer such as [cert-manager](https://cert-manager.io/docs/configuration/ca/), or you can use the built-in signer.
 The built-in signer is part of [`kube-controller-manager`](/docs/reference/command-line-tools-reference/kube-controller-manager/).
 To activate the build-in signer, you must pass the `--cluster-signing-cert-file` and `--cluster-signing-key-file` flags.
 -->
 
 ### 设置一个签名者（Signer）
 
-Kubernetes 证书颁发机构不是开箱即用。
-你可以配置外部签名者，例如
-[cert-manager](https://cert-manager.io/docs/configuration/ca/)，
+Kubernetes 证书颁发机构不是开箱即用。你可以配置外部签名者，例如 [cert-manager](https://cert-manager.io/docs/configuration/ca/)，
 也可以使用内置签名者。
 内置签名者是
-[`kube-controller-manager`](/zh/docs/reference/command-line-tools-reference/kube-controller-manager/)
-的一部分。
+[`kube-controller-manager`](/zh/docs/reference/command-line-tools-reference/kube-controller-manager/) 的一部分。
 要激活内置签名者，请传递 `--cluster-signing-cert-file` 和 `--cluster-signing-key-file` 参数。
 
 <!--
-If you're creating a new cluster, you can use a kubeadm [configuration file](https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3): 
+If you're creating a new cluster, you can use a kubeadm [configuration file](https://pkg.go.dev/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3):
 -->
 如果你正在创建一个新的集群，你可以使用 kubeadm 的
-[配置文件](/docs/reference/config-api/kubeadm-config.v1beta3/)。
+[配置文件](/zh/docs/reference/config-api/kubeadm-config.v1beta3/)。
 
 ```yaml
 apiVersion: kubeadm.k8s.io/v1beta3
@@ -570,3 +570,80 @@ CSRs requesting serving certificates for any IP or domain name.
 只有完成彻底的检查，才有可能避免有恶意的、能够访问 kubelet 客户端证书的第三方
 为任何 IP 或域名请求服务证书。
 
+<!--
+## Generating kubeconfig files for additional users {#kubeconfig-additional-users}
+-->
+##  为其他用户生成 kubeconfig 文件 {#kubeconfig-additional-users}
+
+<!--
+During cluster creation, kubeadm signs the certificate in the `admin.conf` to have
+`Subject: O = system:masters, CN = kubernetes-admin`.
+[`system:masters`](/docs/reference/access-authn-authz/rbac/#user-facing-roles)
+is a break-glass, super user group that bypasses the authorization layer (e.g. RBAC).
+Sharing the `admin.conf` with additional users is **not recommended**!
+-->
+在集群创建过程中，kubeadm 对 `admin.conf` 中的证书进行签名时，将其配置为
+`Subject: O = system:masters, CN = kubernetes-admin`。
+[`system:masters`](/zh/docs/reference/access-authn-authz/rbac/#user-facing-roles)
+是一个例外的超级用户组，可以绕过鉴权层（例如 RBAC）。
+强烈建议不要将 `admin.conf` 文件与任何人共享。
+
+<!--
+Instead, you can use the [`kubeadm kubeconfig user`](/docs/reference/setup-tools/kubeadm/kubeadm-kubeconfig)
+command to generate kubeconfig files for additional users.
+The command accepts a mixture of command line flags and
+[kubeadm configuration](/docs/reference/config-api/kubeadm-config.v1beta3/) options.
+The generated kubeconfig will be written to stdout and can be piped to a file
+using `kubeadm kubeconfig user ... > somefile.conf`.
+-->
+你要使用 [`kubeadm kubeconfig user`](/zh/docs/reference/setup-tools/kubeadm/kubeadm-kubeconfig)
+命令为其他用户生成 kubeconfig 文件，这个命令支持命令行参数和 
+[kubeadm 配置结构](/zh/docs/reference/config-api/kubeadm-config.v1beta3/)。
+以上命令会将 kubeconfig 打印到终端上，也可以使用 `kubeadm kubeconfig user ... > somefile.conf`
+输出到一个文件中。
+
+<!--
+Example configuration file that can be used with `--config`:
+-->
+如下 kubeadm 可以 在`--config` 后加的配置文件示例：
+
+```yaml
+# example.yaml
+apiVersion: kubeadm.k8s.io/v1beta3
+kind: ClusterConfiguration
+# kubernetes 将作为 kubeconfig 中集群名称
+clusterName: "kubernetes"
+# some-dns-address:6443 将作为集群 kubeconfig 文件中服务地址（IP 或者 DNS 名称）
+controlPlaneEndpoint: "some-dns-address:6443"
+# 从本地挂载集群的 CA 秘钥和 CA 证书
+certificatesDir: "/etc/kubernetes/pki"
+```
+
+<!--
+Make sure that these settings match the desired target cluster settings.
+To see the settings of an existing cluster use:
+-->
+确保这些设置与所需的目标集群设置相匹配。可以使用以下命令查看现有集群的设置：
+
+```shell
+kubectl get cm kubeadm-config -n kube-system -o=jsonpath="{.data.ClusterConfiguration}"
+```
+
+<!--
+The following example will generate a kubeconfig file with credentials valid for 24 hours
+for a new user `johndoe` that is part of the `appdevs` group:
+-->
+以下示例将为在 `appdevs` 组的 `johndoe` 用户创建一个有效期为 24 小时的 kubeconfig 文件：
+
+```shell
+kubeadm kubeconfig user --config example.yaml --org appdevs --client-name johndoe --validity-period 24h
+```
+
+<!--
+The following example will generate a kubeconfig file with administrator credentials valid for 1 week:
+-->
+以下示例将为管理员创建一个有效期有一周的 kubeconfig 文件：
+
+```shell
+kubeadm kubeconfig user --config example.yaml --client-name admin --validity-period 168h
+```
