[zh]Resync Tutorials (1)

Author: CaoDonghui123

content/zh/docs/tutorials/_index.md

@@ -51,10 +51,14 @@ Kubernetes 文档的这一部分包含教程。每个教程展示了如何完成
 <!--
 ## Configuration
 
+* [Example: Configuring a Java Microservice](/docs/tutorials/configuration/configure-java-microservice/)
+
 * [Configuring Redis Using a ConfigMap](/docs/tutorials/configuration/configure-redis-using-configmap/)
 -->
 ## 配置
 
+* [示例：配置 Java 微服务](/zh/docs/tutorials/configuration/configure-java-microservice/)
+
 * [使用一个 ConfigMap 配置 Redis](/zh/docs/tutorials/configuration/configure-redis-using-configmap/)
 
 <!--

content/zh/docs/tutorials/clusters/apparmor.md

@@ -1,12 +1,14 @@
 ---
-title: AppArmor
+title: 使用 AppArmor 限制容器对资源的访问
 content_type: tutorial
+weight: 10
 ---
 <!-- ---
 reviewers:
 - stclair
-title: AppArmor
+title: Restrict a Container's Access to Resources with AppArmor
 content_type: tutorial
+weight: 10
 --- -->
 
 <!-- overview -->
@@ -17,11 +19,15 @@ content_type: tutorial
 <!-- AppArmor is a Linux kernel security module that supplements the standard Linux user and group based
 permissions to confine programs to a limited set of resources. AppArmor can be configured for any
 application to reduce its potential attack surface and provide greater in-depth defense. It is
-configured through profiles tuned to whitelist the access needed by a specific program or container,
+configured through profiles tuned to allow the access needed by a specific program or container,
 such as Linux capabilities, network access, file permissions, etc. Each profile can be run in either
 *enforcing* mode, which blocks access to disallowed resources, or *complain* mode, which only reports
 violations. -->
-Apparmor 是一个 Linux 内核安全模块，它补充了标准的基于 Linux 用户和组的安全模块将程序限制为有限资源集的权限。AppArmor 可以配置为任何应用程序减少潜在的攻击面，并且提供更加深入的防御。AppArmor 是通过配置文件进行配置的，这些配置文件被调整为报名单，列出了特定程序或者容器所需要的访问权限，如 Linux 功能、网络访问、文件权限等。每个配置文件都可以在*强制*模式(阻止访问不允许的资源)或*投诉*模式(仅报告冲突)下运行。
+Apparmor 是一个 Linux 内核安全模块，它补充了标准的基于 Linux 用户和组的安全模块将程序限制为有限资源集的权限。
+AppArmor 可以配置为任何应用程序减少潜在的攻击面，并且提供更加深入的防御。
+AppArmor 是通过配置文件进行配置的，这些配置文件被调整为允许特定程序或者容器访问，如 Linux 功能、网络访问、文件权限等。
+每个配置文件都可以在*强制（enforcing）*模式（阻止访问不允许的资源）或*投诉（complain）*模式
+（仅报告冲突）下运行。
 
 
 
@@ -244,9 +250,8 @@ k8s-apparmor-example-deny-write (enforce)
 <!-- *This example assumes you have already set up a cluster with AppArmor support.* -->
 *本例假设您已经使用 AppArmor 支持设置了一个集群。*
 
-<!-- First, we need to load the profile we want to use onto our nodes. The profile we'll use simply
-denies all file writes: -->
-首先，我们需要将要使用的配置文件加载到节点上。我们将使用的配置文件仅拒绝所有文件写入：
+<!-- First, we need to load the profile we want to use onto our nodes. This profile denies all file writes: -->
+首先，我们需要将要使用的配置文件加载到节点上。配置文件拒绝所有文件写入：
 
 ```shell
 #include <tunables/global>
@@ -259,9 +264,12 @@ profile k8s-apparmor-example-deny-write flags=(attach_disconnected) {
 ```
 
 <!-- Since we don't know where the Pod will be scheduled, we'll need to load the profile on all our
-nodes. For this example we'll just use SSH to install the profiles, but other approaches are
-discussed in [Setting up nodes with profiles](#setting-up-nodes-with-profiles). -->
-由于我们不知道 Pod 将被安排在那里，我们需要在所有节点上加载配置文件。在本例中，我们将只使用 SSH 来安装概要文件，但是在[使用配置文件设置节点](#setting-up-nodes-with-profiles)中讨论了其他方法。
+nodes. For this example we'll use SSH to install the profiles, but other approaches are
+discussed in [Setting up nodes with profiles](#setting-up-nodes-with-profiles). 
+-->
+由于我们不知道 Pod 将被调度到哪里，我们需要在所有节点上加载配置文件。
+在本例中，我们将使用 SSH 来安装概要文件，但是在[使用配置文件设置节点](#setting-up-nodes-with-profiles)
+中讨论了其他方法。
 
 ```shell
 NODES=(
@@ -403,9 +411,9 @@ Events:
   23s          23s         1        {kubelet e2e-test-stclair-node-pool-t1f5}             Warning        AppArmor    Cannot enforce AppArmor: profile "k8s-apparmor-example-allow-write" is not loaded
 ```
 
-<!-- Note the pod status is Failed, with a helpful error message: `Pod Cannot enforce AppArmor: profile
+<!-- Note the pod status is Pending, with a helpful error message: `Pod Cannot enforce AppArmor: profile
 "k8s-apparmor-example-allow-write" is not loaded`. An event was also recorded with the same message. -->
-注意 pod 呈现失败状态，并且显示一条有用的错误信息：`Pod Cannot enforce AppArmor: profile
+注意 pod 呈现 Pending 状态，并且显示一条有用的错误信息：`Pod Cannot enforce AppArmor: profile
 "k8s-apparmor-example-allow-write" 未加载`。还用相同的消息记录了一个事件。
 
 <!-- ## Administration -->

content/zh/docs/tutorials/clusters/seccomp.md

@@ -52,14 +52,14 @@ Kubernetes 允许你将加载到节点上的 seccomp 配置文件自动应用于
 <!--
 In order to complete all steps in this tutorial, you must install
 [kind](https://kind.sigs.k8s.io/docs/user/quick-start/) and
-[kubectl](/docs/tasks/tools/install-kubectl/). This tutorial will show examples
+[kubectl](/docs/tasks/tools/). This tutorial will show examples
 with both alpha (pre-v1.19) and generally available seccomp functionality, so
 make sure that your cluster is [configured
 correctly](https://kind.sigs.k8s.io/docs/user/quick-start/#setting-kubernetes-version)
 for the version you are using.
 -->
 为了完成本教程中的所有步骤，你必须安装 [kind](https://kind.sigs.k8s.io/docs/user/quick-start/) 
-和 [kubectl](/zh/docs/tasks/tools/install-kubectl/)。本教程将显示同时具有 alpha（v1.19 之前的版本）
+和 [kubectl](/zh/docs/tasks/tools/)。本教程将显示同时具有 alpha（v1.19 之前的版本）
 和通常可用的 seccomp 功能的示例，因此请确保为所使用的版本[正确配置](https://kind.sigs.k8s.io/docs/user/quick-start/#setting-kubernetes-version)了集群。
 
 <!-- steps -->
@@ -91,8 +91,8 @@ into the cluster.
 
 For simplicity, [kind](https://kind.sigs.k8s.io/) can be used to create a single
 node cluster with the seccomp profiles loaded. Kind runs Kubernetes in Docker,
-so each node of the cluster is actually just a container. This allows for files
-to be mounted in the filesystem of each container just as one might load files
+so each node of the cluster is a container. This allows for files
+to be mounted in the filesystem of each container similar to loading files
 onto a node.
 
 Download the example above, and save it to a file named `kind.yaml`. Then create
@@ -101,8 +101,8 @@ the cluster with the configuration.
 ## 使用 Kind 创建一个本地 Kubernetes 集群
 
 为简单起见，可以使用 [kind](https://kind.sigs.k8s.io/) 创建一个已经加载 seccomp 配置文件的单节点集群。
-Kind 在 Docker 中运行 Kubernetes，因此集群的每个节点实际上只是一个容器。这允许将文件挂载到每个容器的文件系统中，
-就像将文件挂载到节点上一样。
+Kind 在 Docker 中运行 Kubernetes，因此集群的每个节点都是一个容器。这允许将文件挂载到每个容器的文件系统中，
+类似于将文件挂载到节点上。
 
 {{< codenew file="pods/security/seccomp/kind.yaml" >}}
 <br>

content/zh/docs/tutorials/hello-minikube.md

@@ -112,15 +112,15 @@ This tutorial provides a container image that uses NGINX to echo back all the re
 <!--
 The `dashboard` command enables the dashboard add-on and opens the proxy in the default web browser. You can create Kubernetes resources on the dashboard such as Deployment and Service.
 
-If you are running in an environment as root, see [Open Dashboard with URL](/docs/tutorials/hello-minikube#open-dashboard-with-url).
+If you are running in an environment as root, see [Open Dashboard with URL](#open-dashboard-with-url).
 
 To stop the proxy, run `Ctrl+C` to exit the process. The dashboard remains running.
 -->
 {{< note >}}
 `dashboard` 命令启用仪表板插件，并在默认的 Web 浏览器中打开代理。你可以在仪表板上创建 Kubernetes 资源，例如 Deployment 和 Service。
 
 如果你以 root 用户身份在环境中运行，
-请参见[使用 URL 打开仪表板](/zh/docs/tutorials/hello-minikube#open-dashboard-with-url)。
+请参见[使用 URL 打开仪表板](#open-dashboard-with-url)。
 
 要停止代理，请运行 `Ctrl+C` 退出该进程。仪表板仍在运行中。
 {{< /note >}}
@@ -273,9 +273,9 @@ Kubernetes [*Service*](/docs/concepts/services-networking/service/).
    如果你用 `kubectl expose` 暴露了其它的端口，客户端将不能访问其它端口。
 
 <!--
-2. View the Service you just created:
+2. View the Service you created:
 -->
-2. 查看你刚刚创建的 Service：
+2. 查看你创建的 Service：
 
    ```shell
    kubectl get services
@@ -391,9 +391,9 @@ Minikube 有一组内置的 {{< glossary_tooltip text="插件" term_id="addons"
    ```
 
 <!--
-3. View the Pod and Service you just created:
+3. View the Pod and Service you created:
 -->
-3. 查看刚才创建的 Pod 和 Service：
+3. 查看创建的 Pod 和 Service：
 
    ```shell
    kubectl get pod,svc -n kube-system