From abd888438033adc95056b11228bba6c26d4666ba Mon Sep 17 00:00:00 2001
From: Ana Carolina Rodrigues <anacarolinarodrigues480@gmail.com>
Date: Mon, 30 Jan 2023 14:48:27 -0300
Subject: [PATCH 001/215] Add
 content/pt-br/docs/reference/issues-security/issues.md

---
 .../docs/reference/issues-security/issues.md     | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 content/pt-br/docs/reference/issues-security/issues.md

diff --git a/content/pt-br/docs/reference/issues-security/issues.md b/content/pt-br/docs/reference/issues-security/issues.md
new file mode 100644
index 0000000000000..319ca3a586c8e
--- /dev/null
+++ b/content/pt-br/docs/reference/issues-security/issues.md
@@ -0,0 +1,16 @@
+---
+title: Rastreador de Issue Kubernetes
+weight: 10
+aliases: [/cve/,/cves/]
+---
+
+Para reportar um problema de segurança, siga [processo de divulgação de issues do Kubernetes](/docs/reference/issues-security/security/#report-a-vulnerability).
+
+O trabalho no código do Kubernetes e os problemas de segurança podem ser encontrados usando [ GitHub Issues ](https://github.com/kubernetes/kubernetes/issues/).
+
+* Oficial [lista de CVEs conhecidos](/docs/reference/issues-security/official-cve-feed/)
+  (vulnerabilidades de segurança) que foram anunciados pelo
+  [comitê de resposta de segurança](https://github.com/kubernetes/committee-security-response)
+* [Problemas do gitHub relacionados ao CVE](https://github.com/kubernetes/kubernetes/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Aarea%2Fsecurity+in%3Atitle+CVE)
+
+Anúncios relacionados à segurança são enviados para a lista de discussão [kubernetes-security-announce@googlegroups.com](https://groups.google.com/forum/#!forum/kubernetes-security-announce).
\ No newline at end of file

From b15ead71f5423e27cc76793f5392dbae24e976ca Mon Sep 17 00:00:00 2001
From: Wesley Hartford <github@cutterslade.ca>
Date: Wed, 1 Feb 2023 07:55:10 -0800
Subject: [PATCH 002/215] Fix reference to file name in generated configMap

Documentation prose refers to the file named `.properties`, the correct file name is `application.properties`.
---
 .../en/docs/tasks/manage-kubernetes-objects/kustomization.md    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/docs/tasks/manage-kubernetes-objects/kustomization.md b/content/en/docs/tasks/manage-kubernetes-objects/kustomization.md
index 525c404ef744e..f53eae1d88296 100644
--- a/content/en/docs/tasks/manage-kubernetes-objects/kustomization.md
+++ b/content/en/docs/tasks/manage-kubernetes-objects/kustomization.md
@@ -120,7 +120,7 @@ metadata:
 ```
 
 {{< note >}}
-Each variable in the `.env` file becomes a separate key in the ConfigMap that you generate. This is different from the previous example which embeds a file named `.properties` (and all its entries) as the value for a single key.
+Each variable in the `.env` file becomes a separate key in the ConfigMap that you generate. This is different from the previous example which embeds a file named `application.properties` (and all its entries) as the value for a single key.
 {{< /note >}}
 
 ConfigMaps can also be generated from literal key-value pairs. To generate a ConfigMap from a literal key-value pair, add an entry to the `literals` list in configMapGenerator. Here is an example of generating a ConfigMap with a data item from a key-value pair:

From f55090070743d9cea3cc8c33b1493ff476af40e0 Mon Sep 17 00:00:00 2001
From: Aayush Sharma <aayushsharma47163@gmail.com>
Date: Thu, 2 Feb 2023 19:02:12 +0530
Subject: [PATCH 003/215] Kubecon 2023 dates updated

---
 content/hi/_index.html | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/content/hi/_index.html b/content/hi/_index.html
index 640f3f104b74e..77bdcabb4798f 100644
--- a/content/hi/_index.html
+++ b/content/hi/_index.html
@@ -43,12 +43,11 @@ <h2>150+ माइक्रोसर्विसेज को कुबेरन
         <button id="desktopShowVideoButton" onclick="kub.showVideo()">वीडियो देखें</button>
         <br>
         <br>
-        <a href="https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/?utm_source=kubernetes.io&utm_medium=nav&utm_campaign=kccncna21" button id="desktopKCButton">अक्टूबर 11-15, 2021 को KubeCon North America में भाग लें</a>
+        <a href="https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/" button id="desktopKCButton">अप्रैल 18-21, 2023 KubeCon + CloudNativeCon Europe में भाग लें</a>
         <br>
         <br>
         <br>
-        <br>
-        <a href="https://events.linuxfoundation.org/kubecon-cloudnativecon-europe-2022/?utm_source=kubernetes.io&utm_medium=nav&utm_campaign=kccnceu22" button id="desktopKCButton">मई 17-20, 2022 को KubeCon Europe में भाग लें</a>
+        <a href="https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/" button id="desktopKCButton">6-9 नवंबर, 2023 को KubeCon + CloudNativeCon North America में भाग लें</a>
 </div>
 <div id="videoPlayer">
     <iframe data-url="https://www.youtube.com/embed/H06qrNmGqyE?autoplay=1" frameborder="0" allowfullscreen></iframe>

From 33c430b09313ee387ec70f98f700d7a4d2b02386 Mon Sep 17 00:00:00 2001
From: Aayush Sharma <aayushsharma47163@gmail.com>
Date: Thu, 2 Feb 2023 19:03:27 +0530
Subject: [PATCH 004/215] Kubecon 2023 dates updated

---
 content/hi/_index.html | 1 +
 1 file changed, 1 insertion(+)

diff --git a/content/hi/_index.html b/content/hi/_index.html
index 77bdcabb4798f..2009559be3bab 100644
--- a/content/hi/_index.html
+++ b/content/hi/_index.html
@@ -47,6 +47,7 @@ <h2>150+ माइक्रोसर्विसेज को कुबेरन
         <br>
         <br>
         <br>
+        <br>
         <a href="https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/" button id="desktopKCButton">6-9 नवंबर, 2023 को KubeCon + CloudNativeCon North America में भाग लें</a>
 </div>
 <div id="videoPlayer">

From 9daccce6a9a00335d5b0dc90eb2ff1b5b900d1b6 Mon Sep 17 00:00:00 2001
From: Ana Carolina Rodrigues <anacarolinarodrigues480@gmail.com>
Date: Thu, 2 Feb 2023 18:10:30 -0300
Subject: [PATCH 005/215] Update
 content/pt-br/docs/reference/issues-security/issues.md

---
 content/pt-br/docs/reference/issues-security/issues.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/pt-br/docs/reference/issues-security/issues.md b/content/pt-br/docs/reference/issues-security/issues.md
index 319ca3a586c8e..706a69f5fd0c8 100644
--- a/content/pt-br/docs/reference/issues-security/issues.md
+++ b/content/pt-br/docs/reference/issues-security/issues.md
@@ -1,7 +1,7 @@
 ---
 title: Rastreador de Issue Kubernetes
 weight: 10
-aliases: [/cve/,/cves/]
+aliases: [/pt-br/cve/,/pt-br/cves/]
 ---
 
 Para reportar um problema de segurança, siga [processo de divulgação de issues do Kubernetes](/docs/reference/issues-security/security/#report-a-vulnerability).

From 96b174da80f59912b64690a0a6c6e5dd4e716c75 Mon Sep 17 00:00:00 2001
From: Yuiko Mouri <yuiko-mori@nec.com>
Date: Mon, 6 Feb 2023 09:16:37 +0900
Subject: [PATCH 006/215] [ja]Fix invalid Japanese words

---
 content/ja/case-studies/sos/index.html                        | 2 +-
 .../concepts/configuration/manage-resources-containers.md     | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/content/ja/case-studies/sos/index.html b/content/ja/case-studies/sos/index.html
index c63fa4ab516e6..07ab28aad6dcc 100644
--- a/content/ja/case-studies/sos/index.html
+++ b/content/ja/case-studies/sos/index.html
@@ -37,7 +37,7 @@ <h2>影響</h2>
 SOS Internationalは60年にわたり、北欧諸国の顧客に信頼性の高い緊急医療および旅行支援を提供してきました。
 {{< /case-studies/lead >}}
 
-<p>SOSのオペレータは年間100万件の案件を扱い、100万件以上の電話を処理しています。しかし、過去4年間で同社のビジネス戦略にデジタル空間でのますます激しい開発が必要になりました。</p>
+<p>SOSのオペレーターは年間100万件の案件を扱い、100万件以上の電話を処理しています。しかし、過去4年間で同社のビジネス戦略にデジタル空間でのますます激しい開発が必要になりました。</p>
 
 <p>ITシステムに関していえば、会社のデータセンターで稼働する3つの伝統的なモノリスとウォーターフォールアプローチにおいて「SOSは非常に断片化された資産があります。」とエンタープライズアーキテクチャ責任者のMartin Ahrentsen氏は言います。「市場投入までの時間を短縮し、効率を高めるために新しい技術と新しい働き方の両方を導入する必要がありました。それははるかに機敏なアプローチであり、それをビジネスに提供するために役立つプラットフォームが必要でした。」</p>
 
diff --git a/content/ja/docs/concepts/configuration/manage-resources-containers.md b/content/ja/docs/concepts/configuration/manage-resources-containers.md
index 499e2a7214976..8dc1b36f636b6 100644
--- a/content/ja/docs/concepts/configuration/manage-resources-containers.md
+++ b/content/ja/docs/concepts/configuration/manage-resources-containers.md
@@ -378,7 +378,7 @@ Kubernetesが使用しないようにする必要があります。
 ## 拡張リソース {#extended-resources}
 
 拡張リソースは`kubernetes.io`ドメインの外で完全に修飾されたリソース名です。
-これにより、クラスタオペレータはKubernetesに組み込まれていないリソースをアドバタイズし、ユーザはそれを利用することができるようになります。
+これにより、クラスタオペレーターはKubernetesに組み込まれていないリソースをアドバタイズし、ユーザはそれを利用することができるようになります。
 
 拡張リソースを使用するためには、2つのステップが必要です。
 第一に、クラスタオペレーターは拡張リソースをアドバタイズする必要があります。
@@ -394,7 +394,7 @@ Nodeレベルの拡張リソースはNodeに関連付けられています。
 各Nodeにデバイスプラグインで管理されているリソースをアドバタイズする方法については、[デバイスプラグイン](/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/)を参照してください。
 
 ##### その他のリソース {#other-resources}
-新しいNodeレベルの拡張リソースをアドバタイズするには、クラスタオペレータはAPIサーバに`PATCH`HTTPリクエストを送信し、クラスタ内のNodeの`status.capacity`に利用可能な量を指定します。
+新しいNodeレベルの拡張リソースをアドバタイズするには、クラスタオペレーターはAPIサーバに`PATCH`HTTPリクエストを送信し、クラスタ内のNodeの`status.capacity`に利用可能な量を指定します。
 この操作の後、ノードの`status.capacity`には新しいリソースが含まれます。
 `status.allocatable`フィールドは、kubeletによって非同期的に新しいリソースで自動的に更新されます。
 スケジューラはPodの適合性を評価する際にNodeの`status.allocatable`値を使用するため、Nodeの容量に新しいリソースを追加してから、そのNodeでリソースのスケジューリングを要求する最初のPodが現れるまでには、短い遅延が生じる可能性があることに注意してください。

From e14d2871c3369d326532926509a96a95214c8e4e Mon Sep 17 00:00:00 2001
From: Toshiaki Inukai <t_inukai@nec.com>
Date: Thu, 16 Feb 2023 02:05:09 +0000
Subject: [PATCH 007/215] [ja] Set heading IDs in daemonset.md and
 assign-pods-nodes.md

---
 .../workloads/controllers/daemonset.md        | 32 +++++++++----------
 .../assign-pods-nodes.md                      |  8 ++---
 2 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/content/ja/docs/concepts/workloads/controllers/daemonset.md b/content/ja/docs/concepts/workloads/controllers/daemonset.md
index 42647228e6180..32e62fb74b6c9 100644
--- a/content/ja/docs/concepts/workloads/controllers/daemonset.md
+++ b/content/ja/docs/concepts/workloads/controllers/daemonset.md
@@ -22,9 +22,9 @@ DaemonSetのいくつかの典型的な使用例は以下の通りです。
 
 <!-- body -->
 
-## DaemonSet Specの記述
+## DaemonSet Specの記述 {#writing-a-daemonset-spec}
 
-### DaemonSetの作成
+### DaemonSetの作成 {#create-a-daemonset}
 
 ユーザーはYAMLファイル内でDaemonSetの設定を記述することができます。例えば、下記の`daemonset.yaml`ファイルでは`fluentd-elasticsearch`というDockerイメージを稼働させるDaemonSetの設定を記述します。
 
@@ -36,7 +36,7 @@ YAMLファイルに基づいてDaemonSetを作成します。
 kubectl apply -f https://k8s.io/examples/controllers/daemonset.yaml
 ```
 
-### 必須のフィールド
+### 必須のフィールド {#required-fields}
 
 他の全てのKubernetesの設定と同様に、DaemonSetは`apiVersion`、`kind`と`metadata`フィールドが必須となります。設定ファイルの活用法に関する一般的な情報は、[ステートレスアプリケーションの稼働](/ja/docs/tasks/run-application/run-stateless-application-deployment/)、[コンテナの設定](/ja/docs/tasks/)、[kubectlを用いたオブジェクトの管理](/ja/docs/concepts/overview/working-with-objects/object-management/)といったドキュメントを参照ください。
 
@@ -45,7 +45,7 @@ DaemonSetオブジェクトの名前は、有効な
 
 また、DaemonSetにおいて[`.spec`](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status)セクションも必須となります。
 
-### Podテンプレート
+### Podテンプレート {#pod-template}
 
 `.spec.template`は`.spec`内での必須のフィールドの1つです。
 
@@ -55,7 +55,7 @@ Podに対する必須のフィールドに加えて、DaemonSet内のPodテン
 
 DaemonSet内のPodテンプレートでは、[`RestartPolicy`](/ja/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy)フィールドを指定せずにデフォルトの`Always`を使用するか、明示的に`Always`を設定するかのどちらかである必要があります。
 
-### Podセレクター
+### Podセレクター {#pod-selector}
 
 `.spec.selector`フィールドはPodセレクターとなります。これは[Job](/docs/concepts/workloads/controllers/job/)の`.spec.selector`と同じものです。
 
@@ -70,14 +70,14 @@ Kubernetes1.8のように、ユーザーは`.spec.template`のラベルにマッ
 
 もし`spec.selector`が指定されたとき、`.spec.template.metadata.labels`とマッチしなければなりません。この2つの値がマッチしない設定をした場合、APIによってリジェクトされます。
 
-### 選択したNode上でPodを稼働させる
+### 選択したNode上でPodを稼働させる {#running-pods-on-select-nodes}
 
 もしユーザーが`.spec.template.spec.nodeSelector`を指定したとき、DaemonSetコントローラーは、その[node selector](/ja/docs/concepts/scheduling-eviction/assign-pod-node/)にマッチするNode上にPodを作成します。同様に、もし`.spec.template.spec.affinity`を指定したとき、DaemonSetコントローラーは[node affinity](/ja/docs/concepts/scheduling-eviction/assign-pod-node/)にマッチするNode上にPodを作成します。
 もしユーザーがどちらも指定しないとき、DaemonSetコントローラーは全てのNode上にPodを作成します。
 
-## Daemon Podがどのようにスケジューリングされるか
+## Daemon Podがどのようにスケジューリングされるか {#how-daemon-pods-are-scheduled}
 
-### デフォルトスケジューラーによってスケジューリングされる場合
+### デフォルトスケジューラーによってスケジューリングされる場合 {#scheduled-by-default-scheduler}
 
 {{< feature-state for_k8s_version="1.17" state="stable" >}}
 
@@ -102,7 +102,7 @@ nodeAffinity:
 
 さらに、`node.kubernetes.io/unschedulable:NoSchedule`というtolarationがDaemonSetのPodに自動的に追加されます。デフォルトスケジューラーは、DaemonSetのPodのスケジューリングのときに、`unschedulable`なNodeを無視します。
 
-### TaintsとTolerations
+### TaintsとTolerations {#taints-and-tolerations}
 
 DaemonSetのPodは[TaintsとTolerations](/ja/docs/concepts/scheduling-eviction/taint-and-toleration/)の設定を尊重します。下記のTolerationsは、関連する機能によって自動的にDaemonSetのPodに追加されます。
 
@@ -115,7 +115,7 @@ DaemonSetのPodは[TaintsとTolerations](/ja/docs/concepts/scheduling-eviction/t
 | `node.kubernetes.io/unschedulable`       | NoSchedule | 1.12+   | DaemonSetのPodはデフォルトスケジューラーによってスケジュール不可能な属性を許容(tolerate)します。 |
 | `node.kubernetes.io/network-unavailable` | NoSchedule | 1.12+   | ホストネットワークを使うDaemonSetのPodはデフォルトスケジューラーによってネットワーク利用不可能な属性を許容(tolerate)します。 |
 
-## Daemon Podとのコミュニケーション
+## Daemon Podとのコミュニケーション {#communicating-with-daemon-pods}
 
 DaemonSet内のPodとのコミュニケーションをする際に考えられるパターンは以下の通りです。:
 
@@ -124,7 +124,7 @@ DaemonSet内のPodとのコミュニケーションをする際に考えられ
 - **DNS**: 同じPodセレクターを持つ[HeadlessService](/ja/docs/concepts/services-networking/service/#headless-service)を作成し、`endpoints`リソースを使ってDaemonSetを探すか、DNSから複数のAレコードを取得します。
 - **Service**: 同じPodセレクターを持つServiceを作成し、複数のうちのいずれかのNode上のDaemonに疎通させるためにそのServiceを使います。
 
-## DaemonSetの更新
+## DaemonSetの更新 {#updating-a-daemonset}
 
 もしNodeラベルが変更されたとき、そのDaemonSetは直ちに新しくマッチしたNodeにPodを追加し、マッチしなくなったNodeからPodを削除します。
 
@@ -134,9 +134,9 @@ DaemonSet内のPodとのコミュニケーションをする際に考えられ
 
 ユーザーはDaemonSet上で[ローリングアップデートの実施](/docs/tasks/manage-daemon/update-daemon-set/)が可能です。
 
-## DaemonSetの代替案
+## DaemonSetの代替案 {#alternatives-to-daemonset}
 
-### Initスクリプト
+### Initスクリプト {#init-scripts}
 
 Node上で直接起動することにより(例: `init`、`upstartd`、`systemd`を使用する)、デーモンプロセスを稼働することが可能です。この方法は非常に良いですが、このようなプロセスをDaemonSetを介して起動することはいくつかの利点があります。
 
@@ -144,15 +144,15 @@ Node上で直接起動することにより(例: `init`、`upstartd`、`systemd`
 - デーモンとアプリケーションで同じ設定用の言語とツール(例: Podテンプレート、`kubectl`)を使える。
 - リソースリミットを使ったコンテナ内でデーモンを稼働させることにより、デーモンとアプリケーションコンテナの分離を促進します。しかし、これはPod内でなく、コンテナ内でデーモンを稼働させることにより可能です(Dockerを介して直接起動する)。
 
-### ベアPod
+### ベアPod {#bare-pods}
 
 特定のNode上で稼働するように指定したPodを直接作成することは可能です。しかし、DaemonSetはNodeの故障やNodeの破壊的なメンテナンスやカーネルのアップグレードなど、どのような理由に限らず、削除されたもしくは停止されたPodを置き換えます。このような理由で、ユーザーはPod単体を作成するよりもむしろDaemonSetを使うべきです。
 
-### 静的Pod Pods
+### 静的Pod Pods {#static-pods}
 
 Kubeletによって監視されているディレクトリに対してファイルを書き込むことによって、Podを作成することが可能です。これは[静的Pod](/ja/docs/tasks/configure-pod-container/static-pod/)と呼ばれます。DaemonSetと違い、静的Podはkubectlや他のKubernetes APIクライアントで管理できません。静的PodはApiServerに依存しておらず、クラスターの自立起動時に最適です。また、静的Podは将来的には廃止される予定です。
 
-### Deployment
+### Deployment {#deployments}
 
 DaemonSetは、Podの作成し、そのPodが停止されることのないプロセスを持つことにおいて[Deployment](/ja/docs/concepts/workloads/controllers/deployment/)と同様です(例: webサーバー、ストレージサーバー)。
 
diff --git a/content/ja/docs/tasks/configure-pod-container/assign-pods-nodes.md b/content/ja/docs/tasks/configure-pod-container/assign-pods-nodes.md
index e2e4e1d647ca4..4e09dbaf9325a 100644
--- a/content/ja/docs/tasks/configure-pod-container/assign-pods-nodes.md
+++ b/content/ja/docs/tasks/configure-pod-container/assign-pods-nodes.md
@@ -7,13 +7,13 @@ weight: 120
 <!-- overview -->
 このページでは、KubernetesのPodをKubernetesクラスター上の特定のノードに割り当てる方法を説明します。
 
-## {{% heading "prerequisites" %}}
+## {{% heading "prerequisites" %}} {#before-you-begin}
 
 {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
 
 <!-- steps -->
 
-## ラベルをノードに追加する
+## ラベルをノードに追加する {#add-a-label-to-a-node}
 
 1. クラスター内の{{< glossary_tooltip term_id="node" text="ノード" >}}のリストをラベル付きで表示します。
 
@@ -54,7 +54,7 @@ weight: 120
 
     上の出力を見ると、`worker0`に`disktype=ssd`というラベルがあることがわかります。
 
-## 選択したノードにスケジューリングされるPodを作成する
+## 選択したノードにスケジューリングされるPodを作成する {#create-a-pod-that-gets-scheduled-to-your-chosen-node}
 
 以下のPodの構成ファイルには、nodeSelectorに`disktype: ssd`を持つPodが書かれています。これにより、Podは`disktype: ssd`というラベルを持っているノードにスケジューリングされるようになります。
 
@@ -79,7 +79,7 @@ weight: 120
     nginx    1/1       Running   0          13s    10.200.0.4   worker0
     ```
 
-## 特定のノードにスケジューリングされるPodを作成する
+## 特定のノードにスケジューリングされるPodを作成する {#create-a-pod-that-gets-scheduled-to-specific-node}
 
 `nodeName`という設定を使用して、Podを特定のノードにスケジューリングすることもできます。
 

From 260d241ddc0d3e6b347cbeb74eddcb62060e5bf6 Mon Sep 17 00:00:00 2001
From: Kirill Kononovich <41591254+kirkonru@users.noreply.github.com>
Date: Wed, 11 May 2022 11:28:31 +0300
Subject: [PATCH 008/215] [ru] Add RU localization for
 docs/concepts/containers/*

Apply suggestions from code review

Co-authored-by: Dmitry Shurupov <dmitry.shurupov@palark.com>
---
 content/ru/docs/concepts/architecture/cri.md  |  31 ++
 content/ru/docs/concepts/containers/_index.md |  33 ++
 .../containers/container-environment.md       |  51 +++
 .../containers/container-lifecycle-hooks.md   |  87 ++++++
 content/ru/docs/concepts/containers/images.md | 294 ++++++++++++++++++
 .../docs/concepts/containers/runtime-class.md | 131 ++++++++
 .../glossary/container-runtime-interface.md   |  18 ++
 .../reference/glossary/container-runtime.md   |  10 +-
 .../ru/docs/reference/glossary/namespace.md   |  17 +
 content/ru/docs/reference/glossary/secret.md  |  18 ++
 .../reference/glossary/service-account.md     |  18 ++
 11 files changed, 703 insertions(+), 5 deletions(-)
 create mode 100644 content/ru/docs/concepts/architecture/cri.md
 create mode 100644 content/ru/docs/concepts/containers/_index.md
 create mode 100644 content/ru/docs/concepts/containers/container-environment.md
 create mode 100644 content/ru/docs/concepts/containers/container-lifecycle-hooks.md
 create mode 100644 content/ru/docs/concepts/containers/images.md
 create mode 100644 content/ru/docs/concepts/containers/runtime-class.md
 create mode 100644 content/ru/docs/reference/glossary/container-runtime-interface.md
 create mode 100644 content/ru/docs/reference/glossary/namespace.md
 create mode 100644 content/ru/docs/reference/glossary/secret.md
 create mode 100644 content/ru/docs/reference/glossary/service-account.md

diff --git a/content/ru/docs/concepts/architecture/cri.md b/content/ru/docs/concepts/architecture/cri.md
new file mode 100644
index 0000000000000..efa0708d75e17
--- /dev/null
+++ b/content/ru/docs/concepts/architecture/cri.md
@@ -0,0 +1,31 @@
+---
+title: Container Runtime Interface (CRI)
+content_type: concept
+weight: 50
+---
+
+<!-- overview -->
+
+Интерфейс CRI позволяет kubelet работать с различными исполняемыми средами контейнеров без необходимости перекомпиляции компонентов кластера.
+
+{{<glossary_tooltip text="Исполняемая среда контейнеров" term_id="container-runtime">}} должна работать на всех узлах кластера, чтобы {{< glossary_tooltip text="kubelet" term_id="kubelet" >}} мог запускать {{< glossary_tooltip text="Pod'ы" term_id="pod" >}} и их контейнеры.
+
+{{< glossary_definition prepend="Интерфейс Kubernetes Container Runtime Interface (CRI)" term_id="container-runtime-interface" length="all" >}}
+
+<!-- body -->
+
+## API {#api}
+
+{{< feature-state for_k8s_version="v1.23" state="stable" >}}
+
+Kubelet выступает в роли клиента при подключении к исполняемой среде через gRPC. Конечные точки ImageService и RuntimeService должны быть доступны в исполняемой среде контейнеров; в kubelet их можно настроить независимо с помощью [флагов командной строки](/docs/reference/command-line-tools-reference/kubelet) `--image-service-endpoint` и `--container-runtime-endpoint`.
+
+В Kubernetes v{{< skew currentVersion >}} kubelet предпочитает использовать CRI `v1`. Если исполняемая среда контейнера не поддерживает `v1` CRI, kubelet пытается перейти на более старую поддерживаемую версию. В версии v{{< skew currentVersion >}} kubelet также может работать с CRI `v1alpha2`, но эта версия считается устаревшей. Если согласовать поддерживаемую версию CRI не удается, узел не регистрируется.
+
+## Обновление
+
+При обновлении Kubernetes kubelet автоматически выбирает последнюю версию CRI при перезапуске компонента. Если это не удается, происходит откат, как описано выше. Если повторный вызов gRPC произошел из-за обновления исполняемой среды контейнера, последняя также должна поддерживать первоначально выбранную версию, иначе повторный вызов будет неудачным. Для этого требуется перезапуск kubelet'а.
+
+## {{% heading "whatsnext" %}}
+
+- Дополнительная информация о [протоколе CRI](https://github.com/kubernetes/cri-api/blob/c75ef5b/pkg/apis/runtime/v1/api.proto)
diff --git a/content/ru/docs/concepts/containers/_index.md b/content/ru/docs/concepts/containers/_index.md
new file mode 100644
index 0000000000000..e04cb3cdb1898
--- /dev/null
+++ b/content/ru/docs/concepts/containers/_index.md
@@ -0,0 +1,33 @@
+---
+title: Контейнеры
+weight: 40
+description: Технология упаковки приложения вместе с его runtime-зависимостями.
+reviewers:
+content_type: concept
+no_list: true
+---
+
+<!-- overview -->
+
+Каждый запускаемый контейнер воспроизводим; стандартизация благодаря включению зависимостей позволяет каждый раз получать одинаковое поведение при запуске.
+
+Контейнеры абстрагируют приложения от базовой инфраструктуры хоста, упрощая развертывание в различных облачных средах или ОС.
+
+
+
+
+<!-- body -->
+
+## Образы контейнеров
+[Образ контейнера](/docs/concepts/containers/images/) – это готовый к запуску пакет программного обеспечения, содержащий все необходимое для запуска приложения: код, среду исполнения, прикладные и системные библиотеки, а также значения по умолчанию всех важных параметров.
+
+Контейнер по определению неизменяем (immutable): код работающего контейнера невозможно поменять. Чтобы внести правки в контейнеризованное приложение, необходимо собрать новый образ, содержащий эти правки, а затем запустить контейнер на базе обновленного образа.
+
+## Исполняемые среды контейнеров
+
+{{< glossary_definition term_id="container-runtime" length="all" >}}
+
+## {{% heading "whatsnext" %}}
+
+* Раздел об [образах контейнеров](/docs/concepts/containers/images/).
+* Раздел о [Pod'ах](/docs/concepts/workloads/pods/).
diff --git a/content/ru/docs/concepts/containers/container-environment.md b/content/ru/docs/concepts/containers/container-environment.md
new file mode 100644
index 0000000000000..465f841615453
--- /dev/null
+++ b/content/ru/docs/concepts/containers/container-environment.md
@@ -0,0 +1,51 @@
+---
+reviewers:
+title: Контейнерное окружение
+content_type: concept
+weight: 20
+---
+
+<!-- overview -->
+
+На этой странице описаны ресурсы, доступные для контейнеров в соответствующем окружении. 
+
+
+
+
+<!-- body -->
+
+## Контейнерное окружение
+
+Контейнерное окружение Kubernetes предоставляет контейнерам несколько важных ресурсов:
+
+* Файловую систему, сочетающую в себе [образ](/docs/concepts/containers/images/) и один или несколько [томов](/docs/concepts/storage/volumes/).
+* Информацию о самом контейнере.
+* Информацию о других объектах в кластере.
+
+### Информация о контейнере
+
+*Hostname* контейнера — имя Pod'а, в котором запущен контейнер. Его можно получить с помощью команды `hostname` или функции [`gethostname`](https://man7.org/linux/man-pages/man2/gethostname.2.html) в libc.
+
+Имя Pod'а и его пространство имен можно получить из переменных окружения в [Downward API](/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/).
+
+Контейнеру также доступны переменные окружения из определения Pod'а, заданные пользователем, а также любые переменные окружения, указанные статически в образе контейнера.
+
+### Информация о кластере
+
+Список всех сервисов, активных на момент создания контейнера, доступен этому контейнеру в виде переменных окружения. Этот список ограничен сервисами в пространстве имен, которому принадлежит Pod с данным контейнером, а также сервисами управляющего слоя Kubernetes.
+
+Для сервиса *foo*, связанного с контейнером *bar*, определены следующие переменные:
+
+```shell
+FOO_SERVICE_HOST=<хост, на котором запущен сервис>
+FOO_SERVICE_PORT=<порт, на котором запущен сервис>
+```
+
+Сервисы получают выделенные IP-адреса и доступны для контейнера через DNS, если включен [аддон DNS](https://releases.k8s.io/{{< param "fullversion" >}}/cluster/addons/dns/). 
+
+
+## {{% heading "whatsnext" %}}
+
+
+* [Хуки жизненного цикла контейнера](/docs/concepts/containers/container-lifecycle-hooks/).
+* Упражнение: [Подключаем обработчики к событиям жизненного цикла контейнера](/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/).
diff --git a/content/ru/docs/concepts/containers/container-lifecycle-hooks.md b/content/ru/docs/concepts/containers/container-lifecycle-hooks.md
new file mode 100644
index 0000000000000..78f6bce799595
--- /dev/null
+++ b/content/ru/docs/concepts/containers/container-lifecycle-hooks.md
@@ -0,0 +1,87 @@
+---
+reviewers:
+- TBD
+- TBD
+title: Хуки жизненного цикла контейнеров
+content_type: concept
+weight: 30
+---
+
+<!-- overview -->
+
+На этой странице описывается, как контейнеры под управлением kubelet могут использовать механизм хуков для запуска кода, инициированного событиями во время своего жизненного цикла.
+
+
+
+
+<!-- body -->
+
+## Общая информация
+
+Многие платформы для разработки предлагают хуки жизненного цикла компонентов (например, Angular). Kubernetes имеет аналогичный механизм. Хуки позволяют контейнерам оставаться в курсе событий своего жизненного цикла и запускать запакованный в обработчик код при наступлении определенных событий, приводящих к вызову хука.
+
+## Хуки контейнеров
+
+В распоряжении контейнеров имеются два хука:
+
+`PostStart`
+
+Выполняется сразу после создания контейнера. Однако нет гарантии, что хук закончит работу до ENTRYPOINT контейнера. Параметры обработчику не передаются.
+
+`PreStop`
+
+Вызывается непосредственно перед завершением работы контейнера в результате запроса API или иного события (например, неудачное завершение теста liveness/startup, вытеснение, борьба за ресурсы и т.п.). Вызов хука `PreStop` завершается неудачно, если контейнер уже находится в прерванном (terminated) или завершенном (completed) состоянии. Кроме того, работа хука должна закончиться до того, как будет отправлен сигнал TERM для остановки контейнера. Отсчет задержки перед принудительной остановкой Pod'а (grace-период) начинается до вызова хука `PreStop`. Таким образом, независимо от результата выполнения обработчика, контейнер будет остановлен в течение этого grace-периода. Параметры обработчику не передаются.
+
+Более подробное описание поведения при прекращении работы можно найти в разделе [Прекращение работы Pod'ов](/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination).
+
+### Реализации обработчиков хуков
+
+Чтобы контейнер имел доступ к хуку, необходимо реализовать и зарегистрировать обработчик для этого хука. Существует два типа обработчиков хуков, доступных для контейнеров:
+
+* Exec — Выполняет определенную команду, например, `pre-stop.sh`, внутри cgroups и пространств имен контейнера. Ресурсы, потребляемые командой, прибавляются к ресурсам, потребляемым контейнером.
+* HTTP — Выполняет HTTP-запрос к определенной конечной точке контейнера.
+
+### Выполнение обработчиков хуков
+
+При вызове хука, привязанного к жизненному циклу контейнера, система управления Kubernetes выполняет обработчик в соответствии с типом хука: kubelet отвечает за `httpGet` и `tcpSocket`, а `exec` выполняется в контейнере.
+
+Вызовы обработчиков хуков синхронны в контексте Pod'а, содержащего контейнер. Это означает, что в случае `PostStart`-хука ENTRYPOINT контейнера и хук запускаются асинхронно. При этом если хук выполняется слишком долго или зависает, контейнер не может достичь состояния `Running`.
+
+Хуки `PreStop` не запускаются асинхронно с сигналом на остановку контейнера; хук должен завершить свою работу до отправки сигнала TERM. Если хук `PreStop` зависнет во время выполнения, Pod будет пребывать в состоянии `Terminating` до истечения периода `terminationGracePeriodSeconds`, после чего Kubernetes "убьет" его. Этот grace-период включает как время, которое требуется для выполнения хука `PreStop`, так и время, необходимое для нормальной остановки контейнера. Например, если `terminationGracePeriodSeconds` равен 60, работа хука занимает 55 секунд, а контейнеру требуется 10 секунд для нормальной остановки после получения сигнала, то контейнер будет "убит" до того, как сможет нормально завершить свою работу, поскольку `terminationGracePeriodSeconds` меньше, чем суммарное время (55+10), необходимое для работы хука и остановки контейнера.
+
+Если любой из хуков `postStart` / `preStop` завершается неудачей, Kubernetes "убивает" контейнер.
+
+Поэтому обработчики для хуков должны быть максимально простыми. Однако бывают случаи, когда применение "тяжелых" команд оправдано – например, при сохранении состояния перед остановкой контейнера.
+
+### Гарантии поставки хука
+
+Хук должен выполниться *хотя бы один раз*. Это означает, что он может вызываться неоднократно для любого события вроде `PostStart` или `PreStop`. Задача по правильной обработке подобных вызовов возложена на сам хук.
+
+Как правило, поставка хука выполняется однократно. Если, например, приемник HTTP-хука не работает и не может принимать трафик, повторная попытка отправки не предпринимается. В редких случаях может происходить двойная поставка. Например, если kubelet перезапустится в процессе доставки хука, тот может быть отправлен повторно.
+
+### Отладка обработчиков хуков
+
+Логи обработчиков хуков не отображаются в событиях Pod'а. В случае сбоя обработчика тот транслирует событие. Для `PostStart` это событие `FailedPostStartHook`, для `PreStop` — событие `FailedPreStopHook`. Чтобы самостоятельно сгенерировать событие `FailedPreStopHook`, в манифесте [lifecycle-events.yaml](https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/pods/lifecycle-events.yaml) замените команду для postStart на что-то заведомо невыполнимое (`badcommand`) и примените его. Если теперь выполнить команду `kubectl describe pod lifecycle-demo`, вы увидите следующее:
+
+```
+Events:
+  Type     Reason               Age              From               Message
+  ----     ------               ----             ----               -------
+  Normal   Scheduled            7s               default-scheduler  Successfully assigned default/lifecycle-demo to ip-XXX-XXX-XX-XX.us-east-2...
+  Normal   Pulled               6s               kubelet            Successfully pulled image "nginx" in 229.604315ms
+  Normal   Pulling              4s (x2 over 6s)  kubelet            Pulling image "nginx"
+  Normal   Created              4s (x2 over 5s)  kubelet            Created container lifecycle-demo-container
+  Normal   Started              4s (x2 over 5s)  kubelet            Started container lifecycle-demo-container
+  Warning  FailedPostStartHook  4s (x2 over 5s)  kubelet            Exec lifecycle hook ([badcommand]) for Container "lifecycle-demo-container" in Pod "lifecycle-demo_default(30229739-9651-4e5a-9a32-a8f1688862db)" failed - error: command 'badcommand' exited with 126: , message: "OCI runtime exec failed: exec failed: container_linux.go:380: starting container process caused: exec: \"badcommand\": executable file not found in $PATH: unknown\r\n"
+  Normal   Killing              4s (x2 over 5s)  kubelet            FailedPostStartHook
+  Normal   Pulled               4s               kubelet            Successfully pulled image "nginx" in 215.66395ms
+  Warning  BackOff              2s (x2 over 3s)  kubelet            Back-off restarting failed container
+```
+
+
+
+## {{% heading "whatsnext" %}}
+
+
+* Дополнительная информация о [контейнерном окружении](/docs/concepts/containers/container-environment/).
+* Упражнение: [Подключаем обработчики к событиям жизненного цикла контейнера](/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/).
diff --git a/content/ru/docs/concepts/containers/images.md b/content/ru/docs/concepts/containers/images.md
new file mode 100644
index 0000000000000..3b78e08ed0512
--- /dev/null
+++ b/content/ru/docs/concepts/containers/images.md
@@ -0,0 +1,294 @@
+---
+reviewers:
+title: Образы
+content_type: concept
+weight: 10
+---
+
+<!-- overview -->
+
+Образ контейнера содержит исполняемые данные приложения и всех его программных зависимостей. Образы контейнеров — это исполняемые пакеты программного обеспечения, способные автономно работать и дополненные конкретными предположениями о соответствующей среде исполнения.
+
+Как правило, образ контейнера с приложением предварительно собирается и размещается в реестре, после чего его можно использовать в {{< glossary_tooltip text="Pod'е" term_id="pod" >}}.
+
+На этой странице представлено общее описание концепции контейнерных образов.
+
+<!-- body -->
+
+## Названия образов
+
+Образам контейнеров обычно присваивается имя, намекающее на их функционал и цели, например, `pause`, `example/mycontainer` или `kube-apiserver`. Образы также могут включать имя хоста реестра, например, `fictional.registry.example/imagename`, и (в некоторых случаях) номер порта, например, `fictional.registry.example:10443/imagename`.
+
+Если имя хоста реестра не указано, Kubernetes по умолчанию будет использовать публичный реестр Docker.
+
+После имени образа можно добавить _тег_ (как, например, в командах `docker` и `podman`). Теги помогают идентифицировать различные версии одной и той же линейки образов.
+
+Теги образов могут состоять из строчных и прописных букв, цифр, знаков подчеркивания (`_`), точек (`.`) и дефисов (`-`).
+Кроме того, существуют дополнительные правила размещения символов-разделителей (`_`, `-` и `.`) внутри тега.
+Если тег не указан, Kubernetes по умолчанию использует тег `latest`.
+
+## Обновление образов
+
+При первоначальном создании объекта типа {{< glossary_tooltip text="Deployment" term_id="deployment" >}}, {{< glossary_tooltip text="StatefulSet" term_id="statefulset" >}}, Pod или другого объекта, включающего шаблон Pod'а, политика извлечения всех контейнеров в этом Pod'е будет по умолчанию установлена на `IfNotPresent`, если иное не указано явно. В рамках этой политики {{< glossary_tooltip text="kubelet" term_id="kubelet" >}} не извлекает образ, если тот уже присутствует в кэше.
+
+### Политика извлечения образов
+
+Политика `imagePullPolicy` контейнера и тег образа определяют поведение [kubelet'а](/docs/reference/command-line-tools-reference/kubelet/) при извлечении (загрузке) данного образа.
+
+Вот список возможных значений `imagePullPolicy` и их влияние:
+
+`IfNotPresent`
+: образ извлекается только в том случае, если он еще не доступен локально.
+
+`Always`
+: каждый раз при запуске контейнера kubelet запрашивает [дайджест](https://docs.docker.com/engine/reference/commandline/pull/#pull-an-image-by-digest-immutable-identifier) образа в реестре образов контейнеров. Если полученный дайджест полностью совпадает с дайджестом кэшированного образа, kubelet использует кэшированный образ; иначе извлекается и используется образ с полученным дайждестом.
+
+`Never`
+: kubelet не пытается скачать образ. Если образ уже присутствует локально, kubelet пытается запустить контейнер; в противном случае запуск завершается неудачей. Для получения более подробной информации обратитесь к разделу о [предварительно извлеченных](#предварительно-извлеченные-образы) (pre-pulled) образах.
+
+Благодаря семантике кэширования, лежащей в основе механизма поставки образов, даже `imagePullPolicy: Always` может быть вполне эффективной (при условии, что реестр надежно доступен). Исполняемая среда для контейнера может обнаружить, что слои образов уже имеются на узле и их не нужно скачивать еще раз.
+
+{{< note >}}
+Избегайте использования тега `:latest` при развертывании контейнеров в production, поскольку в этом случае не понятно, какая именно версия образа используется и на какую ее нужно откатить при необходимости.
+
+Всегда указывайте содержательный тег, например `v1.42.0`.
+{{< /note >}}
+
+Чтобы убедиться, что Pod всегда использует одну и ту же версию образа контейнера, можно указать дайджест образа вместо тега; для этого замените `<image-name>:<tag>` на `<image-name>@<digest>`
+(например, `image@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2`).
+
+Изменение кода, к которому привязан некий тег, может привести к тому, что в Pod'ах окажется две версии кода — старая и новая. Дайджест образа однозначно идентифицирует конкретную версию образа, что гарантирует идентичность кода при запуске контейнера с заданным именем образа и дайджестом. Таким образом, изменение кода в реестре уже не может привести к смешению версий.
+
+Существуют сторонние [admission-контроллеры](/docs/reference/access-authn-authz/admission-controllers/), которые модифицируют Pod'ы (и их шаблоны) при создании, из-за чего рабочая нагрузка определяется на основе дайджеста образа, а не тега. Это может быть полезно в случаях, когда необходимо убедиться, что вся рабочая нагрузка использует идентичный код независимо от изменений тегов в реестре.
+
+#### Политика извлечения образов по умолчанию {#imagepullpolicy-defaulting}
+
+Когда информация о новом Pod'е поступает на сервер API, кластер устанавливает поле `imagePullPolicy` в соответствии со следующими условиями:
+
+
+- `imagePullPolicy` автоматически присваивается значение `Always`, если поле `imagePullPolicy` не задано, а тег для образа контейнера имеет значение `:latest`;
+- `imagePullPolicy` автоматически присваивается значение `Always`, если поле `imagePullPolicy` не задано, а тег для образа контейнера не указан;
+- `imagePullPolicy` автоматически присваивается значение `IfNotPresent`, если поле `imagePullPolicy` не задано, а тег для образа контейнера имеет значение, отличное от `:latest`.
+
+{{< note >}}
+Значение `imagePullPolicy` контейнера всегда устанавливается при первом _создании_ объекта и не обновляется при последующем изменении тега образа.
+
+Например, если в Deployment'е используется образ с тегом, _отличным_ от `:latest`, а потом он меняется на `:latest`, поле `imagePullPolicy` останется прежним (т.е. _не_ будет изменено на `Always`). После первоначального создания любого объекта его политику извлечения можно изменить вручную.
+{{< /note >}}
+
+#### Обязательное извлечение образов
+
+Для принудительного извлечения образов можно сделать следующее:
+
+- Установить `imagePullPolicy` контейнера в `Always`;
+- Не устанавливать `imagePullPolicy` и использовать тег `:latest` для образа; Kubernetes автоматически поменяет политику на `Always`, получив информацию о Pod'е;
+- Не устанавливать `imagePullPolicy` и тег образа; Kubernetes автоматически применит политику `Always`, получив информацию о Pod'е;
+- Включить admission-контроллер [AlwaysPullImages](/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages).
+
+
+### ImagePullBackOff
+
+При создании kubelet'ом контейнеров для Pod'а может возникнуть ситуация, когда контейнер пребывает в состоянии [Waiting](/docs/concepts/workloads/pods/pod-lifecycle/#container-state-waiting) из-за `ImagePullBackOff`.
+
+Статус `ImagePullBackOff` означает, что контейнер не может запуститься, поскольку у Kubernetes не получается извлечь его образ (например, из-за ошибки в имени или попытки извлечь образ из приватного репозитория без `imagePullSecret`). `BackOff` в названии статуса указывает на то, что Kubernetes будет продолжать попытки извлечь образ, постепенно увеличивая интервал между ними.
+
+Так, интервал между попытками будет расти до тех пор, пока не достигнет установленного предела в 300 секунд (5 минут).
+
+## Мультиархитектурные образы с индексами
+
+Помимо обычных исполняемых образов реестр контейнеров также может хранить так называемые [индексы образов](https://github.com/opencontainers/image-spec/blob/master/image-index.md). Индекс образа содержит ссылки на различные [манифесты образов](https://github.com/opencontainers/image-spec/blob/master/manifest.md), каждый из которых предназначен для определенной архитектуры. Идея здесь в том, чтобы любой пользователь мог получить образ, оптимизированный под конкретную архитектуру, используя его унифицированное, общее для всех архитектур имя (например, `pause`, `example/mycontainer`, `kube-apiserver`).
+
+Сам Kubernetes обычно добавляет суффикс `-$(ARCH)` к имени образа. Для обратной совместимости также рекомендуется генерировать образы с суффиксами в названиях. Например, универсальный образ `pause`, содержащий манифест для всех архитектур, рекомендуется дополнить образом `pause-amd64` для обратной совместимости со старыми конфигурациями или YAML-файлами, в которых могут быть жестко прописаны образы с суффиксами.
+
+## Работа с приватным реестром
+
+Для чтения образов из приватных реестров могут потребоваться соответствующие ключи.
+Доступ к таким реестрам можно получить следующими способами:
+  - Аутентификация на уровне узлов:
+    - все Pod'ы имеют доступ ко всем настроенным приватным реестрам;
+    - требуется конфигурация узлов администратором кластера;
+  - Предварительно извлеченные образы:
+    - все Pod'ы могут использовать любые образы, кэшированные на узле;
+    - для настройки требуется root-доступ ко всем узлам;
+  - imagePullSecrets на уровне Pod'а:
+    - доступ к реестру получают только Pod'ы с ключами;
+  - Специализированные расширения от вендора/пользователя:
+    - в кастомных конфигурациях могут существовать специализированные механизмы аутентификации узлов в реестре контейнеров, реализованные самим пользователем или поставщиком облачных услуг.
+
+Ниже мы подробнее остановимся на каждом из вариантов.
+
+### Аутентификация на уровне узлов
+
+Конкретные инструкции по настройке учетных данных зависят от среды исполнения контейнера и реестра. Для получения наиболее подробной информации следует обратиться к документации используемого решения.
+
+Пример настройки частного реестра образов контейнеров приводится в упражнении [Извлекаем образ из частного реестра](/docs/tasks/configure-pod-container/pull-image-private-registry). В нем используется частный реестр в Docker Hub.
+
+### Интерпретация config.json {#config-json}
+
+Интерпретация `config.json` отличается в оригинальной Docker-реализации и в Kubernetes. В Docker ключи `auths` могут указывать только корневые URL, в то время как Kubernetes позволяет использовать URL с подстановками (globbing) и пути с префиксами. То есть `config.json`, подобный этому, вполне допустим:
+
+```json
+{
+    "auths": {
+        "*my-registry.io/images": {
+            "auth": "…"
+        }
+    }
+}
+```
+
+Корневой URL (`*my-registry.io`) сопоставляется с помощью следующего синтаксиса:
+
+```
+pattern:
+    { term }
+
+term:
+    '*'         соответствует любой последовательности символов, не являющихся разделителями
+    '?'         соответствует любому одиночному символу, не являющемуся разделителем
+    '[' [ '^' ] { диапазон символов } ']'
+                класс символов (не может быть пустым)
+    c           соответствует символу c (c != '*', '?', '\\', '[')
+    '\\' c      соответствует символу c
+
+диапазон символов:
+    c           соответствует символу c (c != '\\', '-', ']')
+    '\\' c      соответствует символу c
+    lo '-' hi   соответствует символу c при lo <= c <= hi
+```
+
+Учетные данные теперь будут передаваться в CRI-совместимую исполняемую среду для контейнеров для каждого действительного шаблона. Ниже приведены примеры имен образов, удовлетворяющие требованиям к паттерну:
+
+- `my-registry.io/images`
+- `my-registry.io/images/my-image`
+- `my-registry.io/images/another-image`
+- `sub.my-registry.io/images/my-image`
+- `a.sub.my-registry.io/images/my-image`
+
+kubelet последовательно извлекает образы для каждой обнаруженной учетной записи. Это означает, что `config.json` может содержать сразу несколько записей:
+
+```json
+{
+    "auths": {
+        "my-registry.io/images": {
+            "auth": "…"
+        },
+        "my-registry.io/images/subpath": {
+            "auth": "…"
+        }
+    }
+}
+```
+
+К примеру, если необходимо извлечь образ `my-registry.io/images/subpath/my-image`, kubelet будет пытаться загрузить его из второго источника, если первый не работает.
+
+### Предварительно извлеченные образы
+
+{{< note >}}
+Этот подход применим, если имеется доступ к конфигурации узлов. Он не будет надежно работать, если поставщик облачных услуг управляет узлами и автоматически заменяет их.
+{{< /note >}}
+
+По умолчанию kubelet пытается извлечь каждый образ из указанного реестра. Однако если параметр `imagePullPolicy` контейнера установлен на `IfNotPresent` или `Never`, используется локальный образ (преимущественно или исключительно, соответственно).
+
+Чтобы использовать предварительно извлеченные образы (и не связываться с аутентификацией для доступа к реестру), необходимо убедиться, что они идентичны на всех узлах кластера.
+
+Предварительная загрузка образов позволяет увеличить скорость работы и является альтернативой аутентификации в приватном реестре.
+
+При этом у всех Pod'ов будет доступ на чтение всех предварительно извлеченных образов.
+
+### Задаем imagePullSecrets на уровне Pod'а
+
+{{< note >}}
+Это рекомендуемый подход для запуска контейнеров на основе образов в приватных реестрах.
+{{< /note >}}
+
+Kubernetes поддерживает указание ключей реестра образов на уровне Pod'а.
+
+#### Создаем Secret с помощью конфигурационного файла Docker
+
+Для аутентификации в реестре необходимо знать имя пользователя, пароль, имя хоста реестра и адрес электронной почты клиента.
+
+Выполните следующую команду, подставив соответствующие значения вместо параметров, выделенных заглавными буквами:
+
+```shell
+kubectl create secret docker-registry <name> --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
+```
+
+При наличии файла учетных данных Docker можно импортировать их как {{< glossary_tooltip text="Secret'ы" term_id="secret" >}} Kubernetes вместо команды, приведенной выше.
+ 
+В разделе [Создание Secret'а на основе существующих учетных данных Docker](/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials) рассказывается, как это можно сделать.
+
+Это особенно удобно в случае нескольких приватных реестров контейнеров, так как `kubectl create secret docker-registry` создает Secret, который работает только с одним приватным реестром.
+
+{{< note >}}
+Pod'ы могут работать только с Secret'ами в собственном пространстве имен, поэтому данный процесс необходимо повторить для каждого пространства имен.
+{{< /note >}}
+
+#### Ссылаемся на imagePullSecrets в Pod'е
+
+Теперь можно создавать Pod'ы, ссылающиеся на данный Secret, добавив раздел `imagePullSecrets` в манифест Pod'а.
+
+Например:
+
+```shell
+cat <<EOF > pod.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: foo
+  namespace: awesomeapps
+spec:
+  containers:
+    - name: foo
+      image: janedoe/awesomeapp:v1
+  imagePullSecrets:
+    - name: myregistrykey
+EOF
+
+cat <<EOF >> ./kustomization.yaml
+resources:
+- pod.yaml
+EOF
+```
+
+Это необходимо проделать для каждого Pod'а, работающего с приватным репозиторием.
+
+Процесс можно автоматизировать, задав imagePullSecrets в ресурсе [ServiceAccount](/docs/tasks/configure-pod-container/configure-service-account/).
+
+Подробные инструкции см. в разделе [Добавить ImagePullSecrets в Service Account](/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account).
+
+Этот подход можно использовать совместно с файлами `.docker/config.json`, определяемыми для каждого узла. Учетные данные будут объединены.
+
+## Примеры использования
+
+Существует ряд решений для настройки приватных реестров. Вот некоторые распространенные случаи использования и рекомендуемые решения:
+
+1. Кластер, работающий только со свободными (например, Open Source) образами.  Необходимость скрывать образы отсутствует.
+   - Используйте общедоступные образы из Docker Hub;
+     - Настройка не требуется;
+     - Некоторые облачные провайдеры автоматически кэшируют или зеркалируют публичные образы, что повышает доступность и сокращает время их извлечения.
+1. В кластере используются закрытые образы. Они должны быть скрыты для всех за пределами компании, но доступны для всех пользователей кластера.
+   - Используйте приватный репозиторий;
+     - Может потребоваться ручная настройка на узлах, которым необходим доступ к частному репозиторию;
+   - В качестве альтернативы можно завести внутренний приватный реестр с доступом на чтение, скрыв его за сетевым экраном;
+     - Настройка Kubernetes не требуется;
+   - Используйте сервис для работы с образами, контролирующий доступ к ним;
+     - Этот подход лучше работает с автомасштабированием кластера, нежели ручная настройка узлов;
+   - Если изменение конфигурации узлов в кластере затруднено, можно использовать imagePullSecrets.
+1. Кластер с несвободными образами, некоторые из которых требуют более строгого контроля доступа.
+   - Убедитесь, что [AlwaysPullImages admission-контроллер](/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages) включен. В противном случае у всех Pod'ов потенциально будет доступ ко всем образам;
+   - Переместите конфиденциальные данные в Secret вместо того, чтобы упаковывать их в образ.
+1. Кластер категории multi-tenant (многопользовательский), где каждому пользователю требуется собственный приватный репозиторий.
+   - Убедитесь, что [admission-контроллер AlwaysPullImages](/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages) включен. В противном случае у всех Pod'ов всех пользователей потенциально будет доступ ко всем образам;
+   - Создайте приватный реестр с обязательной авторизацией;
+   - Сгенерируйте учетные данные для доступа к реестру для каждого пользователя, поместите их в Secret и добавьте его в пространство имен каждого пользователя;
+   - Каждый пользователь должен добавить свой Secret в imagePullSecrets каждого пространства имен.
+
+
+Если нужен доступ к нескольким реестрам, можно создать по Secret'у для каждого реестра.
+
+## {{% heading "whatsnext" %}}
+
+* [Спецификация манифестов образов OCI](https://github.com/opencontainers/image-spec/blob/master/manifest.md).
+* Сборка "мусора" в Kubernetes — [неиспользуемые контейнеры и образы](/docs/concepts/architecture/garbage-collection/#container-image-garbage-collection).
+* [Извлечение образов из приватных репозиториев](/docs/tasks/configure-pod-container/pull-image-private-registry).
diff --git a/content/ru/docs/concepts/containers/runtime-class.md b/content/ru/docs/concepts/containers/runtime-class.md
new file mode 100644
index 0000000000000..7169da2868f73
--- /dev/null
+++ b/content/ru/docs/concepts/containers/runtime-class.md
@@ -0,0 +1,131 @@
+---
+reviewers:
+title: RuntimeClass
+content_type: concept
+weight: 20
+---
+
+<!-- overview -->
+
+{{< feature-state for_k8s_version="v1.20" state="stable" >}}
+
+На этой странице описывается ресурс RuntimeClass и механизм выбора исполняемой среды.
+
+RuntimeClass позволяет выбрать конфигурацию исполняемой среды для контейнеров. Используется для настройки исполняемой среды в Pod'е.
+
+<!-- body -->
+
+## Мотивация
+
+Разным Pod'ам можно назначать различные RuntimeClass'ы, соблюдая баланс между производительностью и безопасностью. Например, если часть рабочей нагрузки требует высокого уровня информационной безопасности, связанные с ней Pod'ы можно запланировать так, чтобы они использовали исполняемую среду для контейнеров на основе аппаратной виртуализации. Это обеспечит повышенную изоляцию, но потребует дополнительных издержек.
+
+Также можно использовать RuntimeClass для запуска различных Pod'ов с одинаковой исполняемой средой, но с разными настройками.
+
+## Подготовка
+
+1. Настройте реализацию CRI на узлах (зависит от используемой исполняемой среды);
+2. Создайте соответствующие ресурсы RuntimeClass.
+
+### 1. Настройте реализацию CRI на узлах
+
+Конфигурации, доступные с помощью RuntimeClass, зависят от реализации Container Runtime Interface (CRI). Для настройки определенной реализации CRI обратитесь к соответствующему разделу документации ([ниже](#cri-configuration)).
+
+{{< note >}}
+По умолчанию RuntimeClass предполагает однородную конфигурацию узлов в кластере (то есть все узлы настроены одинаково в плане исполняемой среды для контейнеров). Для гетерогенных конфигураций узлов см. раздел [Scheduling](#scheduling) ниже.
+{{< /note >}}
+
+Каждой конфигурации соответствует обработчик, на который ссылается RuntimeClass. Имя обработчика должно соответствовать [синтаксису для меток DNS](/docs/concepts/overview/working-with-objects/names/#dns-label-names).
+
+### 2. Создайте соответствующие ресурсы RuntimeClass
+
+К каждой конфигурации, настроенной на шаге 1, должно быть привязано имя обработчика (`handler`), которое ее идентифицирует. Для каждого обработчика создайте соответствующий объект RuntimeClass.
+
+На данный момент у ресурса RuntimeClass есть только 2 значимых поля: имя RuntimeClass (`metadata.name`) и обработчик (`handler`). Определение объекта выглядит следующим образом:
+
+```yaml
+# RuntimeClass определен в API-группе node.k8s.io
+apiVersion: node.k8s.io/v1
+kind: RuntimeClass
+metadata:
+  # Имя, которое ссылается на RuntimeClass
+  # ресурс RuntimeClass не включается в пространство имен
+  name: myclass 
+# Имя соответствующей конфигурации CRI
+handler: myconfiguration 
+```
+
+Имя объекта RuntimeClass должно удовлетворять [синтаксису для поддоменных имен DNS](/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
+
+{{< note >}}
+Рекомендуется ограничить доступ к операциям записи RuntimeClass (create/update/patch/delete) администратором кластера. Обычно это сделано по умолчанию. Более подробную информацию см. в разделе [Общая информация об авторизации](/docs/reference/access-authn-authz/authorization/).
+{{< /note >}}
+
+## Использование
+
+После того как RuntimeClasses настроены для кластера, использовать их очень просто. Достаточно указать `runtimeClassName` в спецификации Pod'а. Например:
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: mypod
+spec:
+  runtimeClassName: myclass
+  # ...
+```
+
+kubelet будет использовать указанный RuntimeClass для запуска этого Pod'а. Если указанный RuntimeClass не существует или CRI не может запустить соответствующий обработчик, Pod войдет в [фазу завершения работы](/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase) `Failed`. Полное сообщение об ошибке можно получить, обратившись к соответствующему [событию](/docs/tasks/debug/debug-application/debug-running-pod/) (event).
+
+Если имя `runtimeClassName` не указано, будет использоваться RuntimeHandler по умолчанию (что эквивалентно поведению, когда функция RuntimeClass отключена).
+
+### Настройка CRI
+
+Для получения более подробной информации о настройке исполняемых сред CRI обратитесь к разделу [Установка CRI](/docs/setup/production-environment/container-runtimes/).
+
+#### {{< glossary_tooltip term_id="containerd" >}}
+
+Обработчики исполняемой среды настраиваются в конфигурации containerd в файле `/etc/containerd/config.toml`. Допустимые обработчики прописываются в разделе runtimes:
+
+```
+[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.${HANDLER_NAME}]
+```
+
+Дополнительная информация доступна в [документации по конфигурации containerd](https://github.com/containerd/cri/blob/master/docs/config.md).
+
+#### {{< glossary_tooltip term_id="cri-o" >}}
+
+Обработчики исполняемой среды настраиваются в файле конфигурации CRI-O (`/etc/crio/crio.conf`). Допустимые обработчики прописываются в [таблице crio.runtime](https://github.com/cri-o/cri-o/blob/master/docs/crio.conf.5.md#crioruntime-table):
+
+```
+[crio.runtime.runtimes.${HANDLER_NAME}]
+  runtime_path = "${PATH_TO_BINARY}"
+```
+
+Более подробную информацию см. в [документации по конфигурации CRI-O](https://github.com/cri-o/cri-o/blob/master/docs/crio.conf.5.md).
+
+## Scheduling
+
+{{< feature-state for_k8s_version="v1.16" state="beta" >}}
+
+Поле `scheduling` в RuntimeClass позволяет наложить определенные ограничения, гарантировав, что Pod'ы с определенным RuntimeClass'ом будут планироваться на узлы, которые его поддерживают. Если параметр `scheduling` не установлен, предполагается, что данный RuntimeClass поддерживается всеми узлами.
+
+Чтобы гарантировать, что Pod'ы попадают на узлы, поддерживающие определенный RuntimeClass, эти узлы должны быть связаны общей меткой, которая затем выбирается полем `runtimeclass.scheduling.nodeSelector`. nodeSelector RuntimeClass'а объединяется с nodeSelector'ом admission-контроллера, на выходе образуя пересечение подмножеств узлов, выбранных каждым из селекторов. Если возникает конфликт, Pod отклоняется.
+
+Если поддерживаемые узлы объединены неким taint'ом, чтобы предотвратить запуск на них Pod'ов с другими RuntimeClass'ами, можно к нужному RuntimeClass'у добавить `tolerations`. Как и в случае с `nodeSelector`, tolerations объединяются с tolerations Pod'а admission-контроллера, фактически образуя объединение двух подмножеств узлов с соответствующими tolerations.
+
+Чтобы узнать больше о настройке селектора узлов и tolerations, см. раздел [Назначаем Pod'ы на узлы](/docs/concepts/scheduling-eviction/assign-pod-node/).
+
+### Pod Overhead
+
+{{< feature-state for_k8s_version="v1.24" state="stable" >}}
+
+Можно указать _overhead_-ресурсы, необходимые для работы Pod'а. Это позволит кластеру (и планировщику) учитывать их при принятии решений о Pod'ах и управлении ресурсами.
+
+В RuntimeClass дополнительные ресурсы, потребляемые Pod'ом, указываются в поле `overhead`. С помощью этого поля можно указать ресурсы, необходимые Pod'ам с данным RuntimeClass'ом, и гарантировать их учет в Kubernetes.
+
+## {{% heading "whatsnext" %}}
+
+- Описание [RuntimeClass](https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/585-runtime-class/README.md);
+- Описание [RuntimeClass Scheduling](https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/585-runtime-class/README.md#runtimeclass-scheduling);
+- Концепция [Pod Overhead](/docs/concepts/scheduling-eviction/pod-overhead/);
+- Описание функции [PodOverhead](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/688-pod-overhead).
diff --git a/content/ru/docs/reference/glossary/container-runtime-interface.md b/content/ru/docs/reference/glossary/container-runtime-interface.md
new file mode 100644
index 0000000000000..8bb24114a029f
--- /dev/null
+++ b/content/ru/docs/reference/glossary/container-runtime-interface.md
@@ -0,0 +1,18 @@
+---
+title: Container Runtime Interface
+id: container-runtime-interface
+date: 2021-11-24
+full_link: /docs/concepts/architecture/cri
+short_description: >
+  Основной протокол для связи между kubelet'ом и исполняемой средой контейнеров.
+
+aka:
+tags:
+  - cri
+---
+
+Container Runtime Interface (CRI) — это основной протокол для связи между kubelet'ом и исполняемой средой контейнеров.
+
+<!--more-->
+
+Интерфейс Kubernetes Container Runtime Interface (CRI) задает основной [gRPC-протокол](https://grpc.io), на базе которого осуществляется коммуникация между [компонентами кластера](/docs/concepts/overview/components/#node-components): {{< glossary_tooltip text="kubelet'ом" term_id="kubelet" >}} и {{< glossary_tooltip text="исполняемой средой" term_id="container-runtime" >}}.
diff --git a/content/ru/docs/reference/glossary/container-runtime.md b/content/ru/docs/reference/glossary/container-runtime.md
index 25916582e51ef..0ff3f1c47d574 100644
--- a/content/ru/docs/reference/glossary/container-runtime.md
+++ b/content/ru/docs/reference/glossary/container-runtime.md
@@ -1,21 +1,21 @@
 ---
-title: Среда выполнения контейнера
+title: Иполняемая среда контейнеров
 id: container-runtime
 date: 2019-06-05
 full_link: /docs/setup/production-environment/container-runtimes
 short_description: >
-  Среда выполнения контейнера — это программа, предназначенная для выполнения контейнеров.
+  Иполняемая среда контейнеров — это программа, предназначенная для запуска контейнеров.
 
 aka:
 tags:
 - fundamental
 - workload
 ---
- Среда выполнения контейнера — это программа, предназначенная для выполнения контейнеров.
+ Иполняемая среда контейнера — это программа, предназначенная для запуска контейнера в Kubernetes.
 
 <!--more-->
 
-Kubernetes поддерживает несколько сред для запуска контейнеров: {{< glossary_tooltip term_id="docker">}},
+Kubernetes поддерживает различные среды для запуска контейнеров: {{< glossary_tooltip term_id="docker">}},
 {{< glossary_tooltip term_id="containerd" >}}, {{< glossary_tooltip term_id="cri-o" >}},
-и любая реализация [Kubernetes CRI (Container Runtime
+и любые реализации [Kubernetes CRI (Container Runtime
 Interface)](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-node/container-runtime-interface.md).
diff --git a/content/ru/docs/reference/glossary/namespace.md b/content/ru/docs/reference/glossary/namespace.md
new file mode 100644
index 0000000000000..9e876227cdfe6
--- /dev/null
+++ b/content/ru/docs/reference/glossary/namespace.md
@@ -0,0 +1,17 @@
+---
+title: Пространство имен
+id: namespace
+date: 2018-04-12
+full_link: /docs/concepts/overview/working-with-objects/namespaces
+short_description: >
+  Абстракция, которую Kubernetes использует для изоляции групп ресурсов в рамках одного кластера.
+
+aka: 
+tags:
+- fundamental
+---
+ Абстракция, которую Kubernetes использует для изоляции групп ресурсов в рамках одного {{< glossary_tooltip text="кластера" term_id="cluster" >}}.
+
+<!--more--> 
+
+Пространства имен используются для организации объектов в кластере и разграничивают ресурсы кластера. Имена ресурсов должны быть уникальными в пределах одного пространства имен, но не в разных пространствах имен. Ограничения на основе пространства имен применимы только к объектам на уровне пространств имен _(например, Deployments, Services и т.д.)_, но не для объектов на уровне кластера _(таких как StorageClass, Nodes, PersistentVolumes и т.д.)_.
diff --git a/content/ru/docs/reference/glossary/secret.md b/content/ru/docs/reference/glossary/secret.md
new file mode 100644
index 0000000000000..4abf91292d024
--- /dev/null
+++ b/content/ru/docs/reference/glossary/secret.md
@@ -0,0 +1,18 @@
+---
+title: Secret
+id: secret
+date: 2018-04-12
+full_link: /docs/concepts/configuration/secret/
+short_description: >
+  Хранит конфиденциальную информацию, такую как пароли, токены OAuth и ключи ssh.
+
+aka: 
+tags:
+- core-object
+- security
+---
+ Хранит конфиденциальную информацию, такую как пароли, токены OAuth и ключи ssh.
+
+<!--more--> 
+
+Позволяет повысить контроль над использованием конфиденциальной информации и снизить риск ее случайного раскрытия. Секретные значения кодируются в формат base64 и по умолчанию хранятся в незашифрованном виде, но могут быть настроены на шифрование "at rest" (при записи в хранилище). {{< glossary_tooltip text="Pod" term_id="pod" >}} ссылается на Secret как на файл при монтировании тома. Secret также используется kubelet'ом при извлечении образов для Pod'а. Secret'ы отлично подходят для хранения конфиденциальных данных, [ConfigMaps](/docs/tasks/configure-pod-container/configure-pod-configmap/) – для неконфиденциальных.
diff --git a/content/ru/docs/reference/glossary/service-account.md b/content/ru/docs/reference/glossary/service-account.md
new file mode 100644
index 0000000000000..87abd6a1935da
--- /dev/null
+++ b/content/ru/docs/reference/glossary/service-account.md
@@ -0,0 +1,18 @@
+---
+title: ServiceAccount
+id: service-account
+date: 2018-04-12
+full_link: /docs/tasks/configure-pod-container/configure-service-account/
+short_description: >
+  Отвечает за идентификацию процессов, выполняющихся в Pod'е.
+
+aka: 
+tags:
+- fundamental
+- core-object
+---
+ Отвечает за идентификацию процессов, выполняющихся в {{< glossary_tooltip text="Pod'е" term_id="pod" >}}.
+
+<!--more--> 
+
+Процессы внутри Pod'а аутентифицируются сервером API и относятся к определенной учетной записи (service account) (например, к `default`) для доступа к кластеру. Если при создании Pod'а служебная учетная запись не указана, ему автоматически присваивается service account по умолчанию в том же {{< glossary_tooltip text="пространстве имен" term_id="namespace" >}}.

From 4f3f22403002b1a31d0dc927fcfb64349be55690 Mon Sep 17 00:00:00 2001
From: Kirill Kononovich <41591254+kirkonru@users.noreply.github.com>
Date: Tue, 13 Sep 2022 18:00:27 +0300
Subject: [PATCH 009/215] Add RU localization for system-logs.md

Apply suggestions from code review

Co-authored-by: Tim Bannister <tim@scalefactory.com>
Co-authored-by: Dmitry Shurupov <dmitry.shurupov@palark.com>
---
 .../cluster-administration/system-logs.md     | 185 ++++++++++++++++++
 1 file changed, 185 insertions(+)
 create mode 100644 content/ru/docs/concepts/cluster-administration/system-logs.md

diff --git a/content/ru/docs/concepts/cluster-administration/system-logs.md b/content/ru/docs/concepts/cluster-administration/system-logs.md
new file mode 100644
index 0000000000000..3c108e0461b58
--- /dev/null
+++ b/content/ru/docs/concepts/cluster-administration/system-logs.md
@@ -0,0 +1,185 @@
+---
+title: Логи системных компонентов
+content_type: concept
+weight: 60
+---
+
+<!-- overview -->
+
+Логи системных компонентов регистрируют события, происходящие в кластере, что может быть очень полезно при отладке. Степень детализации логов настраивается. Так, в логах низкой детализации будет содержаться только информация об ошибках внутри компонента, в то время как логи высокой детализации будут содержать пошаговую трассировку событий (доступ по HTTP, изменения состояния Pod'а, действия контроллера, решения планировщика).
+
+<!-- body -->
+
+## Klog
+
+[klog](https://github.com/kubernetes/klog) — библиотека Kubernetes для сбора логов. Отвечает за генерацию соответствующих сообщений для системных компонентов оркестратора.
+
+Дополнительные сведения о настройке klog можно получить в [Справке по CLI](/docs/reference/command-line-tools-reference/).
+
+В настоящее время ведется работа по упрощению процесса сбора логов в компонентах Kubernetes. Приведенные ниже флаги командной строки klog [устарели](https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components), начиная с версии Kubernetes 1.23, и будут удалены в одном из будущих релизов:
+
+- `--add-dir-header`
+- `--alsologtostderr`
+- `--log-backtrace-at`
+- `--log-dir`
+- `--log-file`
+- `--log-file-max-size`
+- `--logtostderr`
+- `--one-output`
+- `--skip-headers`
+- `--skip-log-headers`
+- `--stderrthreshold`
+
+Вывод всегда будет записываться в stderr независимо от его формата. Перенаправление вывода должно осуществляться компонентом, который вызывает компонент Kubernetes, например, POSIX-совместимой командной оболочкой или инструментом вроде systemd.
+
+Иногда эти опции недоступны — например, в случае контейнера без дистрибутива (distroless) или системной службы Windows. Тогда [`kube-log-runner`](https://github.com/kubernetes/kubernetes/blob/d2a8a81639fcff8d1221b900f66d28361a170654/staging/src/k8s.io/component-base/logs/kube-log-runner/README.md) можно использовать в качестве обертки вокруг компонента Kubernetes для перенаправления вывода. Его предварительно собранный исполняемый файл включен в некоторые базовые образы Kubernetes под старым именем `/go-runner`, а в актуальных бинарных релизах архивов с kubernetes-server и kubernetes-node он называется `kube-log-runner`.
+
+В таблице ниже показаны соответствия между вызовами `kube-log-runner` и логикой перенаправления командной оболочки:
+
+| Использование                                | Оболочка POSIX (например, Bash) | `kube-log-runner <options> <cmd>`                             |
+| ---------------------------------------------|---------------------------------|---------------------------------------------------------------|
+| Объединить stderr и stdout, вывести в stdout | `2>&1`                          | `kube-log-runner` (default behavior)                           |
+| Перенаправить оба потока в файл лога         | `1>>/tmp/log 2>&1`              | `kube-log-runner -log-file=/tmp/log`                           |
+| Скопировать в файл лога и в stdout           | `2>&1 \| tee -a /tmp/log`       | `kube-log-runner -log-file=/tmp/log -also-stdout`       |
+| Перенаправить только stdout в файл лога      | `>/tmp/log`                     | `kube-log-runner -log-file=/tmp/log -redirect-stderr=false` |
+
+### Вывод klog
+
+Пример оригинального "родного" формата klog:
+```
+I1025 00:15:15.525108       1 httplog.go:79] GET /api/v1/namespaces/kube-system/pods/metrics-server-v0.3.1-57c75779f-9p8wg: (1.512ms) 200 [pod_nanny/v0.0.0 (linux/amd64) kubernetes/$Format 10.56.1.19:51756]
+```
+
+Сообщение может содержать переносы строк:
+```
+I1025 00:15:15.525108       1 example.go:79] This is a message
+which has a line break.
+```
+
+
+### Структурированное логирование
+
+{{< feature-state for_k8s_version="v1.23" state="beta" >}}
+
+{{< warning >}}
+Переход на структурированное логирование — продолжающийся процесс. Не все сообщения структурированы в текущей версии Kubernetes. При парсинге файлов логов необходимо также обрабатывать неструктурированные сообщения.
+
+Формат логов и сериализация значений могут измениться в будущем. 
+{{< /warning>}}
+
+Структурированное логирование придает определенную структуру сообщениям логов, упрощая программное извлечение информации и сокращая затраты и усилия на их обработку. Код, который генерирует сообщение лога, определяет, используется ли обычный неструктурированный вывод klog или структурированное логирование.
+
+По умолчанию структурированные сообщения форматируются как текст, при этом его формат обратно совместим с традиционным форматом klog:
+
+```ini
+<klog header> "<message>" <key1>="<value1>" <key2>="<value2>" ...
+```
+
+Пример:
+
+```ini
+I1025 00:15:15.525108       1 controller_utils.go:116] "Pod status updated" pod="kube-system/kubedns" status="ready"
+```
+
+Строки заключаются в кавычки. Другие значения форматируются с помощью [`%+v`](https://pkg.go.dev/fmt#hdr-Printing). В результате сообщение может продолжиться на следующей строке в [зависимости от типа данных](https://github.com/kubernetes/kubernetes/issues/106428).
+
+```
+I1025 00:15:15.525108       1 example.go:116] "Example" data="This is text with a line break\nand \"quotation marks\"." someInt=1 someFloat=0.1 someStruct={StringField: First line,
+second line.}
+```
+
+### Контекстное логирование
+
+{{< feature-state for_k8s_version="v1.24" state="alpha" >}}
+
+Контекстное логирование базируется на структурированном логировании. Речь идет в первую очередь о том, как разработчики используют лог-вызовы: код, основанный на этой концепции, более гибок и поддерживает дополнительные сценарии использования (см. [Contextual Logging KEP](https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/3077-contextual-logging)).
+
+При использовании в компонентах дополнительных функций, таких как `WithValues` или `WithName`, записи лога содержат дополнительную информацию, которая передается в функции вызывающей стороной.
+
+В настоящее время за включение контекстного логирования отвечает переключатель функционала `StructuredLogging`. По умолчанию оно отключено. Соответствующая инфраструктура появилась в версии 1.24 и она не потребовала изменений в компонентах. Команда [`component-base/logs/example`](https://github.com/kubernetes/kubernetes/blob/v1.24.0-beta.0/staging/src/k8s.io/component-base/logs/example/cmd/logger.go) показывает, как использовать новые лог-вызовы и как ведет себя компонент, поддерживающий контекстное логирование.
+
+```console
+$ cd $GOPATH/src/k8s.io/kubernetes/staging/src/k8s.io/component-base/logs/example/cmd/
+$ go run . --help
+...
+      --feature-gates mapStringBool  A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
+                                     AllAlpha=true|false (ALPHA - default=false)
+                                     AllBeta=true|false (BETA - default=false)
+                                     ContextualLogging=true|false (ALPHA - default=false)
+$ go run . --feature-gates ContextualLogging=true
+...
+I0404 18:00:02.916429  451895 logger.go:94] "example/myname: runtime" foo="bar" duration="1m0s"
+I0404 18:00:02.916447  451895 logger.go:95] "example: another runtime" foo="bar" duration="1m0s"
+```
+
+Префикс `example` и `foo="bar"` были добавлены вызовом функции, которая пишет в лог сообщение `runtime` и значение `duration="1m0s"`, при этом вносить изменения в эту функцию не потребовалось.
+
+При отключенном контекстном логировании `WithValues` и `WithName` ничего не делают, а вызовы журнала проходят через глобальный логгер klog. Соответственно, эта дополнительная информация более не отображается в логе:
+
+```console
+$ go run . --feature-gates ContextualLogging=false
+...
+I0404 18:03:31.171945  452150 logger.go:94] "runtime" duration="1m0s"
+I0404 18:03:31.171962  452150 logger.go:95] "another runtime" duration="1m0s"
+```
+
+### Логи в формате JSON
+
+{{< feature-state for_k8s_version="v1.19" state="alpha" >}}
+
+{{<warning >}}
+Вывод в формате JSON не поддерживает многие стандартные флаги klog. Список неподдерживаемых флагов klog см. в [Справочнике по CLI](/docs/reference/command-line-tools-reference/).
+
+Кроме того, запись в формате JSON не гарантируется (например, во время запуска процесса). Таким образом, если планируется дальнейший парсинг логов, убедитесь, что ваш парсер способен обрабатывать строки лога, которые не являются JSON.
+
+Имена полей и сериализация JSON могут измениться в будущем.
+{{< /warning >}}
+
+Флаг `--logging-format=json` переключает формат логов с родного формата klog на JSON. Пример лога в формате JSON (стилистически отформатированном):
+```json
+{
+   "ts": 1580306777.04728,
+   "v": 4,
+   "msg": "Pod status updated",
+   "pod":{
+      "name": "nginx-1",
+      "namespace": "default"
+   },
+   "status": "ready"
+}
+```
+
+Специальные ключи:
+* `ts` — временная метка в формате времени Unix (обязательный параметр, float);
+* `v` — детализация (для общей информации — не для сообщений об ошибках, int);
+* `err` — ошибка (опциональный параметр, string);
+* `msg` — сообщение (обязательный параметр, string).
+
+
+Список компонентов, поддерживающих формат JSON:
+* {{< glossary_tooltip term_id="kube-controller-manager" text="kube-controller-manager" >}}
+* {{< glossary_tooltip term_id="kube-apiserver" text="kube-apiserver" >}}
+* {{< glossary_tooltip term_id="kube-scheduler" text="kube-scheduler" >}}
+* {{< glossary_tooltip term_id="kubelet" text="kubelet" >}}
+
+### Уровень детализации лога
+
+Флаг `-v` задает степень детализации лога. Увеличение значения увеличивает количество регистрируемых событий. Уменьшение значения уменьшает количество регистрируемых событий. Увеличение детализации приводит к тому, что регистрируются все менее значимые события. При уровне детализации, равном 0, регистрируются только критические события.
+
+### Местоположение лога
+
+Существует два типа системных компонентов: те, которые работают в контейнере, и те, которые работают за пределами контейнера. Например:
+
+* Планировщик Kubernetes и kube-proxy работают в контейнере.
+* kubelet и {{<glossary_tooltip term_id="container-runtime" text="среда исполнения для контейнеров">}}
+  работают за пределами контейнеров.
+
+На машинах с systemd среда исполнения и kubelet пишут в journald. В противном случае ведется запись в файлы `.log` в директории `/var/log`. Системные компоненты внутри контейнеров всегда пишут в файлы `.log` в директории `/var/log`, обходя механизм логирования по умолчанию. Как и логи контейнеров, логи системных компонентов в `/var/log` нуждаются в ротации. В кластерах Kubernetes, созданных с использованием скрипта `kube-up.sh`, ротация логов настраивается с помощью инструмента `logrotate`. `logrotate` ротирует логи ежедневно или при достижении ими размера в 100 МБ.
+
+## {{% heading "whatsnext" %}}
+
+* [Архитектура логирования в Kubernetes](/docs/concepts/cluster-administration/logging/)
+* [Структурированное логирование (EN)](https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/1602-structured-logging)
+* [Контекстное логирование (EN)](https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/3077-contextual-logging)
+* [Вывод флагов klog из эксплуатации (EN)](https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
+* [Соглашения и правила для определения критичности логов (EN)](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-instrumentation/logging.md)

From 9f485e7fa6247067b492e15f955325367a6750f9 Mon Sep 17 00:00:00 2001
From: Kinzhi <wei.wang@daocloud.io>
Date: Tue, 21 Feb 2023 00:48:54 +0800
Subject: [PATCH 010/215] [zh-cn]SYNC generate-ref-docs/_index.md

---
 content/zh-cn/docs/contribute/generate-ref-docs/_index.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/zh-cn/docs/contribute/generate-ref-docs/_index.md b/content/zh-cn/docs/contribute/generate-ref-docs/_index.md
index 87f08c5f6d75a..9a4d18bcbc5ca 100644
--- a/content/zh-cn/docs/contribute/generate-ref-docs/_index.md
+++ b/content/zh-cn/docs/contribute/generate-ref-docs/_index.md
@@ -1,11 +1,11 @@
 ---
-title: 参考文档概述
+title: 更新参考文档
 main_menu: true
 weight: 80
 ---
 
 <!--
-title: Reference docs overview
+title: Updating Reference Documentation
 main_menu: true
 weight: 80
 -->

From d1be50d94e2c7e3655c4ff71bbe7a4c0d0dca343 Mon Sep 17 00:00:00 2001
From: Ana Carolina Rodrigues <anacarolinarodrigues480@gmail.com>
Date: Tue, 21 Feb 2023 14:10:25 -0300
Subject: [PATCH 011/215] Update
 content/pt-br/docs/reference/issues-security.md

---
 content/pt-br/docs/reference/issues-security/issues.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/pt-br/docs/reference/issues-security/issues.md b/content/pt-br/docs/reference/issues-security/issues.md
index 706a69f5fd0c8..c1c8584739491 100644
--- a/content/pt-br/docs/reference/issues-security/issues.md
+++ b/content/pt-br/docs/reference/issues-security/issues.md
@@ -8,9 +8,9 @@ Para reportar um problema de segurança, siga [processo de divulgação de issue
 
 O trabalho no código do Kubernetes e os problemas de segurança podem ser encontrados usando [ GitHub Issues ](https://github.com/kubernetes/kubernetes/issues/).
 
-* Oficial [lista de CVEs conhecidos](/docs/reference/issues-security/official-cve-feed/)
+* Lista [oficial de CVEs conhecidos](/docs/reference/issues-security/official-cve-feed/)
   (vulnerabilidades de segurança) que foram anunciados pelo
   [comitê de resposta de segurança](https://github.com/kubernetes/committee-security-response)
-* [Problemas do gitHub relacionados ao CVE](https://github.com/kubernetes/kubernetes/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Aarea%2Fsecurity+in%3Atitle+CVE)
+* [Questões relacionadas ao CVE](https://github.com/kubernetes/kubernetes/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Aarea%2Fsecurity+in%3Atitle+CVE)
 
 Anúncios relacionados à segurança são enviados para a lista de discussão [kubernetes-security-announce@googlegroups.com](https://groups.google.com/forum/#!forum/kubernetes-security-announce).
\ No newline at end of file

From 6f330b23df05b446c0115aa23618f378336dd5c0 Mon Sep 17 00:00:00 2001
From: Mauren Berti <stormqueen1990@gmail.com>
Date: Wed, 22 Feb 2023 10:20:20 -0500
Subject: [PATCH 012/215] [pt-br] Update
 enforce-standards-admission-controller.md.

* Update the contents in the Brazilian Portuguese version of docs/tasks/configure-pod-container/enforce-standards-admission-controller.md
to reflect the latest English content.
---
 .../enforce-standards-admission-controller.md | 90 +++++++------------
 1 file changed, 31 insertions(+), 59 deletions(-)

diff --git a/content/pt-br/docs/tasks/configure-pod-container/enforce-standards-admission-controller.md b/content/pt-br/docs/tasks/configure-pod-container/enforce-standards-admission-controller.md
index 7762fc1cf5581..d3eb331c5d91c 100644
--- a/content/pt-br/docs/tasks/configure-pod-container/enforce-standards-admission-controller.md
+++ b/content/pt-br/docs/tasks/configure-pod-container/enforce-standards-admission-controller.md
@@ -1,43 +1,53 @@
 ---
 title: Aplicando os Padrões de Segurança do Pod Através da Configuração do Controlador de Admissão Embutido
 content_type: task
-min-kubernetes-server-version: v1.22
 ---
 
-Desde a versão v1.22, o Kubernetes fornece um [controlador de admissão](/docs/reference/access-authn-authz/admission-controllers/#podsecurity)
-embutido para fazer cumprir os [padrões de segurança do Pod](/docs/concepts/security/pod-security-standards).
-Você pode configurar esse controlador de admissão para definir padrões em todo 
-o cluster e [exceções](/docs/concepts/security/pod-security-admission/#exemptions).
+O Kubernetes force um [controlador de admissão](/docs/reference/access-authn-authz/admission-controllers/#podsecurity)
+embutido para garantir os [padrões de segurança do Pod](/docs/concepts/security/pod-security-standards).
+Você pode configurar esse controlador de admissão para definir padrões e
+[isenções](/docs/concepts/security/pod-security-admission/#exemptions) em todo
+o cluster.
 
 ## {{% heading "prerequisites" %}}
 
+Após uma release alfa no Kubernetes v1.22, o controlador de admissão
+_Pod Security Admission_ tornou-se disponível por padrão no Kubernetes v1.23,
+no estado beta. Da versão 1.25 em diante o controlador de admissão _Pod Security
+Admission_ está publicamente disponível.
+
 {{% version-check %}}
 
-- Garanta que a `PodSecurity` do [`feature gate`](/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features) 
-está ativada.
+Se você não estiver utilizando o Kubernetes {{< skew currentVersion >}}, você
+pode verificar a documentação da versão do Kubernetes que você está utilizando.
 
 ## Configure o Controlador de Admissão
 
-{{< tabs name="PodSecurityConfiguration_example_1" >}}
-{{% tab name="pod-security.admission.config.k8s.io/v1beta1" %}}
+{{< note >}}
+A configuração `pod-security.admission.config.k8s.io/v1` requer o Kubernetes v1.25
+ou superior.
+Para as versões v1.23 e v1.24, utilize [v1beta1](https://v1-24.docs.kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/).
+Para a versão v1.22, utilize [v1alpha1](https://v1-22.docs.kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/).
+{{< /note >}}
+
 ```yaml
-apiVersion: apiserver.config.k8s.io/v1
+apiVersion: apiserver.config.k8s.io/v1 # veja a nota de compatibilidade
 kind: AdmissionConfiguration
 plugins:
 - name: PodSecurity
   configuration:
     apiVersion: pod-security.admission.config.k8s.io/v1beta1
     kind: PodSecurityConfiguration
-    # Defaults applied when a mode label is not set.
+    # Padrões aplicados quando o label de modo não é especificado.
     #
-    # Level label values must be one of:
-    # - "privileged" (default)
+    # O valor para o label Level deve ser uma das opções abaixo:
+    # - "privileged" (padrão)
     # - "baseline"
     # - "restricted"
     #
-    # Version label values must be one of:
-    # - "latest" (default) 
-    # - specific version like "v{{< skew currentVersion >}}"
+    # O valor para o label Version deve ser uma das opções abaixo:
+    # - "latest" (padrão)
+    # - versão específica no formato "v{{< skew currentVersion >}}"
     defaults:
       enforce: "privileged"
       enforce-version: "latest"
@@ -46,53 +56,15 @@ plugins:
       warn: "privileged"
       warn-version: "latest"
     exemptions:
-      # Array of authenticated usernames to exempt.
+      # Lista de usuários autenticados a eximir.
       usernames: []
-      # Array of runtime class names to exempt.
+      # Lista de RuntimeClasses a eximir.
       runtimeClasses: []
-      # Array of namespaces to exempt.
+      # Lista de namespaces a eximir.
       namespaces: []
 ```
 
 {{< note >}}
-A versão da configuração v1beta1 requer a versão v1.23 ou superior do Kubernetes. Para a versão v1.22 do Kubernetes, utilize v1alpha1.
+O manifesto acima precisa ser especificado através da opção de linha de comando
+`--admission-control-config-file` do kube-apiserver.
 {{< /note >}}
-
-{{% /tab %}}
-{{% tab name="pod-security.admission.config.k8s.io/v1alpha1" %}}
-
-```yaml
-apiVersion: apiserver.config.k8s.io/v1
-kind: AdmissionConfiguration
-plugins:
-- name: PodSecurity
-  configuration:
-    apiVersion: pod-security.admission.config.k8s.io/v1alpha1
-    kind: PodSecurityConfiguration
-    # Defaults applied when a mode label is not set.
-    #
-    # Level label values must be one of:
-    # - "privileged" (default)
-    # - "baseline"
-    # - "restricted"
-    #
-    # Version label values must be one of:
-    # - "latest" (default) 
-    # - specific version like "v{{< skew currentVersion >}}"
-    defaults:
-      enforce: "privileged"
-      enforce-version: "latest"
-      audit: "privileged"
-      audit-version: "latest"
-      warn: "privileged"
-      warn-version: "latest"
-    exemptions:
-      # Array of authenticated usernames to exempt.
-      usernames: []
-      # Array of runtime class names to exempt.
-      runtimeClasses: []
-      # Array of namespaces to exempt.
-      namespaces: [] 
-```
-{{% /tab %}}
-{{< /tabs >}}

From a1be4f42d4f56607b07a4b363c91d02700d5cb66 Mon Sep 17 00:00:00 2001
From: Mauren Berti <stormqueen1990@gmail.com>
Date: Wed, 22 Feb 2023 10:23:29 -0500
Subject: [PATCH 013/215] Fix typo.

---
 .../enforce-standards-admission-controller.md                   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/pt-br/docs/tasks/configure-pod-container/enforce-standards-admission-controller.md b/content/pt-br/docs/tasks/configure-pod-container/enforce-standards-admission-controller.md
index d3eb331c5d91c..ce2788a8dd977 100644
--- a/content/pt-br/docs/tasks/configure-pod-container/enforce-standards-admission-controller.md
+++ b/content/pt-br/docs/tasks/configure-pod-container/enforce-standards-admission-controller.md
@@ -3,7 +3,7 @@ title: Aplicando os Padrões de Segurança do Pod Através da Configuração do
 content_type: task
 ---
 
-O Kubernetes force um [controlador de admissão](/docs/reference/access-authn-authz/admission-controllers/#podsecurity)
+O Kubernetes fornece um [controlador de admissão](/docs/reference/access-authn-authz/admission-controllers/#podsecurity)
 embutido para garantir os [padrões de segurança do Pod](/docs/concepts/security/pod-security-standards).
 Você pode configurar esse controlador de admissão para definir padrões e
 [isenções](/docs/concepts/security/pod-security-admission/#exemptions) em todo

From 1179ec8b11a8328cd12f77498d83c656b791172d Mon Sep 17 00:00:00 2001
From: Ana Carolina Rodrigues <anacarolinarodrigues480@gmail.com>
Date: Wed, 22 Feb 2023 13:53:38 -0300
Subject: [PATCH 014/215] Update content/pt-br/docs/issues-security/issues.md

---
 content/pt-br/docs/reference/issues-security/issues.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/pt-br/docs/reference/issues-security/issues.md b/content/pt-br/docs/reference/issues-security/issues.md
index c1c8584739491..d0480ed558b3a 100644
--- a/content/pt-br/docs/reference/issues-security/issues.md
+++ b/content/pt-br/docs/reference/issues-security/issues.md
@@ -4,9 +4,9 @@ weight: 10
 aliases: [/pt-br/cve/,/pt-br/cves/]
 ---
 
-Para reportar um problema de segurança, siga [processo de divulgação de issues do Kubernetes](/docs/reference/issues-security/security/#report-a-vulnerability).
+Para reportar um problema de segurança, siga [processo de divulgação de segurança do Kubernetes](/docs/reference/issues-security/security/#report-a-vulnerability).
 
-O trabalho no código do Kubernetes e os problemas de segurança podem ser encontrados usando [ GitHub Issues ](https://github.com/kubernetes/kubernetes/issues/).
+O trabalho no código do Kubernetes e os problemas de segurança podem ser encontrados usando [issues do GitHub](https://github.com/kubernetes/kubernetes/issues/).
 
 * Lista [oficial de CVEs conhecidos](/docs/reference/issues-security/official-cve-feed/)
   (vulnerabilidades de segurança) que foram anunciados pelo

From 351c4789df25beeb21449cf247e9e770b9047ec7 Mon Sep 17 00:00:00 2001
From: Arhell <arhell333@gmail.com>
Date: Thu, 23 Feb 2023 00:05:43 +0200
Subject: [PATCH 015/215] rename config.toml to hugo.toml

---
 config.toml => hugo.toml | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename config.toml => hugo.toml (100%)

diff --git a/config.toml b/hugo.toml
similarity index 100%
rename from config.toml
rename to hugo.toml

From 6b801158094a491924a36dcf493e2274b98f4779 Mon Sep 17 00:00:00 2001
From: Arhell <arhell333@gmail.com>
Date: Fri, 24 Feb 2023 07:58:05 +0200
Subject: [PATCH 016/215] [hi] improvement: kubectl install on windows verify
 command

---
 content/hi/docs/tasks/tools/install-kubectl-windows.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/hi/docs/tasks/tools/install-kubectl-windows.md b/content/hi/docs/tasks/tools/install-kubectl-windows.md
index fc7d1e1870ad0..5af06aaf32792 100644
--- a/content/hi/docs/tasks/tools/install-kubectl-windows.md
+++ b/content/hi/docs/tasks/tools/install-kubectl-windows.md
@@ -54,7 +54,7 @@ Windows पर kubectl संस्थापित करने के लिए
    - `True` या `False` परिणाम प्राप्त करने के लिए `-eq` ऑपरेटर का उपयोग करके सत्यापन को ऑटोमेट करने के लिए powershell का उपयोग करें:
 
      ```powershell
-     $($(CertUtil -hashfile .\kubectl.exe SHA256)[1] -replace " ", "") -eq $(type .\kubectl.exe.sha256)
+      $(Get-FileHash -Algorithm SHA256 .\kubectl.exe).Hash -eq $(Get-Content .\kubectl.exe.sha256)
      ```
 
 1. अपने `PATH` में बाइनरी जोड़ें।

From 2afb7d7d7e17c41d740d8fc9c6af552c3123cba0 Mon Sep 17 00:00:00 2001
From: Dipesh Rawat <Dipesh.rawat@ibm.com>
Date: Fri, 24 Feb 2023 16:23:15 +0000
Subject: [PATCH 017/215] Changed the occurrence of scratch to test

---
 .../configure-access-multiple-clusters.md     | 36 +++++++++----------
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/content/en/docs/tasks/access-application-cluster/configure-access-multiple-clusters.md b/content/en/docs/tasks/access-application-cluster/configure-access-multiple-clusters.md
index 03dc6b4dc031f..ca7f6897d32c8 100644
--- a/content/en/docs/tasks/access-application-cluster/configure-access-multiple-clusters.md
+++ b/content/en/docs/tasks/access-application-cluster/configure-access-multiple-clusters.md
@@ -41,12 +41,12 @@ cluster's API server.
 
 ## Define clusters, users, and contexts
 
-Suppose you have two clusters, one for development work and one for scratch work.
+Suppose you have two clusters, one for development work and one for test work.
 In the `development` cluster, your frontend developers work in a namespace called `frontend`,
-and your storage developers work in a namespace called `storage`. In your `scratch` cluster,
+and your storage developers work in a namespace called `storage`. In your `test` cluster,
 developers work in the default namespace, or they create auxiliary namespaces as they
 see fit. Access to the development cluster requires authentication by certificate. Access
-to the scratch cluster requires authentication by username and password.
+to the test cluster requires authentication by username and password.
 
 Create a directory named `config-exercise`. In your
 `config-exercise` directory, create a file named `config-demo` with this content:
@@ -60,7 +60,7 @@ clusters:
 - cluster:
   name: development
 - cluster:
-  name: scratch
+  name: test
 
 users:
 - name: developer
@@ -72,7 +72,7 @@ contexts:
 - context:
   name: dev-storage
 - context:
-  name: exp-scratch
+  name: exp-test
 ```
 
 A configuration file describes clusters, users, and contexts. Your `config-demo` file
@@ -83,7 +83,7 @@ your configuration file:
 
 ```shell
 kubectl config --kubeconfig=config-demo set-cluster development --server=https://1.2.3.4 --certificate-authority=fake-ca-file
-kubectl config --kubeconfig=config-demo set-cluster scratch --server=https://5.6.7.8 --insecure-skip-tls-verify
+kubectl config --kubeconfig=config-demo set-cluster test --server=https://5.6.7.8 --insecure-skip-tls-verify
 ```
 
 Add user details to your configuration file:
@@ -108,7 +108,7 @@ Add context details to your configuration file:
 ```shell
 kubectl config --kubeconfig=config-demo set-context dev-frontend --cluster=development --namespace=frontend --user=developer
 kubectl config --kubeconfig=config-demo set-context dev-storage --cluster=development --namespace=storage --user=developer
-kubectl config --kubeconfig=config-demo set-context exp-scratch --cluster=scratch --namespace=default --user=experimenter
+kubectl config --kubeconfig=config-demo set-context exp-test --cluster=test --namespace=default --user=experimenter
 ```
 
 Open your `config-demo` file to see the added details. As an alternative to opening the
@@ -130,7 +130,7 @@ clusters:
 - cluster:
     insecure-skip-tls-verify: true
     server: https://5.6.7.8
-  name: scratch
+  name: test
 contexts:
 - context:
     cluster: development
@@ -143,10 +143,10 @@ contexts:
     user: developer
   name: dev-storage
 - context:
-    cluster: scratch
+    cluster: test
     namespace: default
     user: experimenter
-  name: exp-scratch
+  name: exp-test
 current-context: ""
 kind: Config
 preferences: {}
@@ -220,19 +220,19 @@ users:
     client-key: fake-key-file
 ```
 
-Now suppose you want to work for a while in the scratch cluster.
+Now suppose you want to work for a while in the test cluster.
 
-Change the current context to `exp-scratch`:
+Change the current context to `exp-test`:
 
 ```shell
-kubectl config --kubeconfig=config-demo use-context exp-scratch
+kubectl config --kubeconfig=config-demo use-context exp-test
 ```
 
 Now any `kubectl` command you give will apply to the default namespace of
-the `scratch` cluster. And the command will use the credentials of the user
-listed in the `exp-scratch` context.
+the `test` cluster. And the command will use the credentials of the user
+listed in the `exp-test` context.
 
-View configuration associated with the new current context, `exp-scratch`.
+View configuration associated with the new current context, `exp-test`.
 
 ```shell
 kubectl config --kubeconfig=config-demo view --minify
@@ -338,10 +338,10 @@ contexts:
     user: developer
   name: dev-storage
 - context:
-    cluster: scratch
+    cluster: test
     namespace: default
     user: experimenter
-  name: exp-scratch
+  name: exp-test
 ```
 
 For more information about how kubeconfig files are merged, see

From 307c08071b420453edeabd612a9b3999cc7828da Mon Sep 17 00:00:00 2001
From: ziyi-xie <kai-shii@nec.com>
Date: Mon, 27 Feb 2023 10:05:33 +0000
Subject: [PATCH 018/215] Update
 /content/ja/docs/concepts/workloads/controllers/daemonset.md

---
 .../workloads/controllers/daemonset.md        | 85 ++++++++++++-------
 1 file changed, 53 insertions(+), 32 deletions(-)

diff --git a/content/ja/docs/concepts/workloads/controllers/daemonset.md b/content/ja/docs/concepts/workloads/controllers/daemonset.md
index 42647228e6180..da2671ca776e3 100644
--- a/content/ja/docs/concepts/workloads/controllers/daemonset.md
+++ b/content/ja/docs/concepts/workloads/controllers/daemonset.md
@@ -33,12 +33,12 @@ DaemonSetのいくつかの典型的な使用例は以下の通りです。
 YAMLファイルに基づいてDaemonSetを作成します。
 
 ```
-kubectl apply -f https://k8s.io/examples/controllers/daemonset.yaml
+kubectl apply -f https://k8s.io/examples/controllers/daemonset.yal
 ```
 
 ### 必須のフィールド
 
-他の全てのKubernetesの設定と同様に、DaemonSetは`apiVersion`、`kind`と`metadata`フィールドが必須となります。設定ファイルの活用法に関する一般的な情報は、[ステートレスアプリケーションの稼働](/ja/docs/tasks/run-application/run-stateless-application-deployment/)、[コンテナの設定](/ja/docs/tasks/)、[kubectlを用いたオブジェクトの管理](/ja/docs/concepts/overview/working-with-objects/object-management/)といったドキュメントを参照ください。
+他の全てのKubernetesの設定と同様に、DaemonSetは`apiVersion`、`kind`と`metadata`フィールドが必須となります。設定ファイルの活用法に関する一般的な情報は、[ステートレスアプリケーションの稼働](/ja/docs/tasks/run-application/run-stateless-application-deployment/)、[kubectlを用いたオブジェクトの管理](/ja/docs/concepts/overview/working-with-objects/object-management/)といったドキュメントを参照ください。
 
 DaemonSetオブジェクトの名前は、有効な
 [DNSサブドメイン名](/ja/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)である必要があります。
@@ -49,17 +49,18 @@ DaemonSetオブジェクトの名前は、有効な
 
 `.spec.template`は`.spec`内での必須のフィールドの1つです。
 
-`.spec.template`は[Podテンプレート](/docs/concepts/workloads/pods/#pod-templates)となります。これはフィールドがネストされていて、`apiVersion`や`kind`をもたないことを除いては、{{< glossary_tooltip text="Pod" term_id="pod" >}}のテンプレートと同じスキーマとなります。
+`.spec.template`は[Podテンプレート](/ja/docs/concepts/workloads/pods/#pod-template)となります。これはフィールドがネストされていて、`apiVersion`や`kind`をもたないことを除いては、{{< glossary_tooltip text="Pod" term_id="pod" >}}のテンプレートと同じスキーマとなります。
 
 Podに対する必須のフィールドに加えて、DaemonSet内のPodテンプレートは適切なラベルを指定しなくてはなりません([Podセレクター](#pod-selector)の項目を参照ください)。
 
 DaemonSet内のPodテンプレートでは、[`RestartPolicy`](/ja/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy)フィールドを指定せずにデフォルトの`Always`を使用するか、明示的に`Always`を設定するかのどちらかである必要があります。
 
-### Podセレクター
+### Podセレクター 
 
-`.spec.selector`フィールドはPodセレクターとなります。これは[Job](/docs/concepts/workloads/controllers/job/)の`.spec.selector`と同じものです。
+`.spec.selector`フィールドはPodセレクターとなります。これは[Job](/ja/docs/concepts/workloads/controllers/job/)の`.spec.selector`と同じものです。
 
-Kubernetes1.8のように、ユーザーは`.spec.template`のラベルにマッチするPodセレクターを指定しなくてはいけません。Podセレクターは、値を空のままにしてもデフォルト設定にならなくなりました。セレクターのデフォルト化は`kubectl apply`と互換性はありません。また、一度DaemonSetが作成されると、その`.spec.selector`は変更不可能になります。Podセレクターの変更は、意図しないPodの孤立を引き起こし、ユーザーにとってやっかいなものとなります。
+ユーザーは`.spec.template`のラベルにマッチするPodセレクターを指定しなくてはいけません。
+また、一度DaemonSetが作成されると、その`.spec.selector`は変更不可能になります。Podセレクターの変更は、意図しないPodの孤立を引き起こし、ユーザーにとってやっかいなものとなります。
 
 `.spec.selector`は2つのフィールドからなるオブジェクトです。
 
@@ -77,17 +78,11 @@ Kubernetes1.8のように、ユーザーは`.spec.template`のラベルにマッ
 
 ## Daemon Podがどのようにスケジューリングされるか
 
-### デフォルトスケジューラーによってスケジューリングされる場合
+DaemonSetは全ての利用可能なNodeが単一のPodのコピーを稼働させることを保証します。DaemonSetコントローラーは対象となる各Nodeに対してPodを作成し、ターゲットホストに一致するようにPodの`spec.affinity.nodeAffinity`フィールドを追加します。Podが作成されると、デフォルトのスケジューラーが慣例的に引き継ぎ、`.spec.nodeName`を設定することでPodをターゲットホストにバインドします。新しいNodeに適合できない場合、デフォルトスケジューラーは新しいPodの[優先度](/ja/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority)に基づいて既存Podのいくつかを先取り（退避）させることがあります。
 
-{{< feature-state for_k8s_version="1.17" state="stable" >}}
+ユーザーは、DaemonSetの`.spec.template.spec.schedulerName`フィールドを設定することにより、DaemonSetのPodsに対して異なるスケジューラーを指定することができます。
 
-DaemonSetは全ての利用可能なNodeが単一のPodのコピーを稼働させることを保証します。通常、Podが稼働するNodeはKubernetesスケジューラーによって選択されます。しかし、DaemonSetのPodは代わりにDaemonSetコントローラーによって作成され、スケジューリングされます。   
-下記の問題について説明します:
-
- * 矛盾するPodのふるまい: スケジューリングされるのを待っている通常のPodは、作成されているが`Pending`状態となりますが、DaemonSetのPodは`Pending`状態で作成されません。これはユーザーにとって困惑するものです。
- * [Podプリエンプション(Pod preemption)](/docs/concepts/configuration/pod-priority-preemption/)はデフォルトスケジューラーによってハンドルされます。もしプリエンプションが有効な場合、そのDaemonSetコントローラーはPodの優先順位とプリエンプションを考慮することなくスケジューリングの判断を行います。
-
-`ScheduleDaemonSetPods`は、DaemonSetのPodに対して`NodeAffinity`項目を追加することにより、DaemonSetコントローラーの代わりにデフォルトスケジューラーを使ってDaemonSetのスケジュールを可能にします。その際に、デフォルトスケジューラーはPodをターゲットのホストにバインドします。もしDaemonSetのNodeAffinityが存在するとき、それは新しいものに置き換えられます(ターゲットホストを選択する前に、元のNodeAffinityが考慮されます)。DaemonSetコントローラーはDaemonSetのPodの作成や修正を行うときのみそれらの操作を実施します。そしてDaemonSetの`.spec.template`フィールドに対しては何も変更が加えられません。
+`.spec.template.spec.affinity.nodeAffinity`フィールド(指定された場合)で指定された元のNodeアフィニティは、DaemonSetコントローラーが対象Nodeを評価する際に考慮されますが、作成されたPod上では対象Nodeの名前と一致するNodeアフィニティに置き換わります。
 
 ```yaml
 nodeAffinity:
@@ -100,29 +95,41 @@ nodeAffinity:
         - target-host-name
 ```
 
-さらに、`node.kubernetes.io/unschedulable:NoSchedule`というtolarationがDaemonSetのPodに自動的に追加されます。デフォルトスケジューラーは、DaemonSetのPodのスケジューリングのときに、`unschedulable`なNodeを無視します。
 
-### TaintsとTolerations
+### TaintとToleration
+
+DaemonSetコントローラーはDaemonSet Podに一連の{{< glossary_tooltip
+text="Toleration" term_id="toleration" >}}を自動的に追加します:
+
+{{< table caption="Tolerations for DaemonSet pods" >}}
+
+| Toleration key                                                                                                        | Effect       | Details                                                                                                                                       |
+| --------------------------------------------------------------------------------------------------------------------- | ------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| [`node.kubernetes.io/not-ready`](/docs/reference/labels-annotations-taints/#node-kubernetes-io-not-ready)             | `NoExecute`  | 健康でないNodeや、Podを受け入れる準備ができていないNodeにDaemonSet Podをスケジュールできるように設定します。そのようなNode上で動作しているDaemonSet Podは退避されることがありません。 |
+| [`node.kubernetes.io/unreachable`](/docs/reference/labels-annotations-taints/#node-kubernetes-io-unreachable)         | `NoExecute`  | Nodeコントローラーから到達できないNodeにDaemonSet Podをスケジュールできるように設定します。このようなNode上で動作しているDaemonSet Podは、退避されません。 |
+| [`node.kubernetes.io/disk-pressure`](/docs/reference/labels-annotations-taints/#node-kubernetes-io-disk-pressure)     | `NoSchedule` | ディスク不足問題のあるNodeにDaemonSet Podをスケジュールできるように設定します。                                                                         |
+| [`node.kubernetes.io/memory-pressure`](/docs/reference/labels-annotations-taints/#node-kubernetes-io-memory-pressure) | `NoSchedule` | メモリ不足問題のあるNodeにDaemonSet Podをスケジュールできるように設定します。                                                                        |
+| [`node.kubernetes.io/pid-pressure`](/docs/reference/labels-annotations-taints/#node-kubernetes-io-pid-pressure) | `NoSchedule` | 処理プレッシャー問題のあるNodeにDaemonSet Podをスケジュールできるように設定します。                                                                        |
+| [`node.kubernetes.io/unschedulable`](/docs/reference/labels-annotations-taints/#node-kubernetes-io-unschedulable)   | `NoSchedule` | スケジューリング不可能なNodeにDaemonSet Podをスケジュールできるように設定します。                                                                            |
+| [`node.kubernetes.io/network-unavailable`](/docs/reference/labels-annotations-taints/#node-kubernetes-io-network-unavailable) | `NoSchedule` | **ホストネットワークを要求するDaemonSet Podにのみ追加できます**、つまり`spec.hostNetwork: true`と設定されているPodです。このようなDaemonSet Podは、ネットワークが利用できないNodeにスケジュールできるように設定できます。|
 
-DaemonSetのPodは[TaintsとTolerations](/ja/docs/concepts/scheduling-eviction/taint-and-toleration/)の設定を尊重します。下記のTolerationsは、関連する機能によって自動的にDaemonSetのPodに追加されます。
+{{< /table >}}
 
-| Toleration Key                           | Effect     | Version | Description |
-| ---------------------------------------- | ---------- | ------- | ----------- |
-| `node.kubernetes.io/not-ready`           | NoExecute  | 1.13+   | DaemonSetのPodはネットワーク分割のようなNodeの問題が発生したときに除外されません。|
-| `node.kubernetes.io/unreachable`         | NoExecute  | 1.13+   | DaemonSetのPodはネットワーク分割のようなNodeの問題が発生したときに除外されません。|
-| `node.kubernetes.io/disk-pressure`       | NoSchedule | 1.8+    | |
-| `node.kubernetes.io/memory-pressure`     | NoSchedule | 1.8+    | |
-| `node.kubernetes.io/unschedulable`       | NoSchedule | 1.12+   | DaemonSetのPodはデフォルトスケジューラーによってスケジュール不可能な属性を許容(tolerate)します。 |
-| `node.kubernetes.io/network-unavailable` | NoSchedule | 1.12+   | ホストネットワークを使うDaemonSetのPodはデフォルトスケジューラーによってネットワーク利用不可能な属性を許容(tolerate)します。 |
+DaemonSetのPodテンプレートで定義すれば、DaemonSetのPodに独自のTolerationを追加することも可能です。
+
+DaemonSetコントローラーは`node.kubernetes.io/unschedulable:NoSchedule`Tolerationを自動的に設定するため、Kubernetesは _スケジューリング不可能_ としてマークされているNodeでDaemonSet Podを実行することが可能です。
+
+[クラスターのネットワーク](/ja/docs/concepts/cluster-administration/networking/)のような重要なNodeレベル機能をDaemonSetで提供する場合、KubernetesがDaemonSet PodをNodeが準備完了になる前に配置することは有用です。
+例えば、その特別なTolerationがなければ、ネットワークプラグインがそこで実行されていないためにNodeが準備完了としてマークされず、同時にNodeがまだ準備完了でないためにそのNode上でネットワークプラグインが実行されていないというデッドロック状態に陥ってしまう可能性があるのです。
 
 ## Daemon Podとのコミュニケーション
 
 DaemonSet内のPodとのコミュニケーションをする際に考えられるパターンは以下の通りです。:
 
-- **Push**: DaemonSet内のPodは他のサービスに対して更新情報を送信するように設定されます。
+- **Push**: DaemonSet内のPodは統計データベースなどの他のサービスに対して更新情報を送信するように設定されます。クライアントは持っていません。
 - **NodeIPとKnown Port**: PodがNodeIPを介して疎通できるようにするため、DaemonSet内のPodは`hostPort`を使用できます。慣例により、クライアントはNodeIPのリストとポートを知っています。
 - **DNS**: 同じPodセレクターを持つ[HeadlessService](/ja/docs/concepts/services-networking/service/#headless-service)を作成し、`endpoints`リソースを使ってDaemonSetを探すか、DNSから複数のAレコードを取得します。
-- **Service**: 同じPodセレクターを持つServiceを作成し、複数のうちのいずれかのNode上のDaemonに疎通させるためにそのServiceを使います。
+- **Service**: 同じPodセレクターを持つServiceを作成し、複数のうちのいずれかのNode上のDaemonに疎通させるためにそのServiceを使います。(特定のNodeにアクセスする方法がありません。)
 
 ## DaemonSetの更新
 
@@ -130,7 +137,7 @@ DaemonSet内のPodとのコミュニケーションをする際に考えられ
 
 ユーザーはDaemonSetが作成したPodを修正可能です。しかし、Podは全てのフィールドの更新を許可していません。また、DaemonSetコントローラーは次のNode(同じ名前でも)が作成されたときにオリジナルのテンプレートを使ってPodを作成します。
 
-ユーザーはDaemonSetを削除可能です。`kubectl`コマンドで`--cascade=false`を指定するとDaemonSetのPodはNode上に残り続けます。その後、同じセレクターで新しいDaemonSetを作成すると、新しいDaemonSetは既存のPodを再利用します。PodでDaemonSetを置き換える必要がある場合は、`updateStrategy`に従ってそれらを置き換えます。
+ユーザーはDaemonSetを削除可能です。`kubectl`コマンドで`--cascade=orphan`を指定するとDaemonSetのPodはNode上に残り続けます。その後、同じセレクターで新しいDaemonSetを作成すると、新しいDaemonSetは既存のPodを再利用します。PodでDaemonSetを置き換える必要がある場合は、`updateStrategy`に従ってそれらを置き換えます。
 
 ユーザーはDaemonSet上で[ローリングアップデートの実施](/docs/tasks/manage-daemon/update-daemon-set/)が可能です。
 
@@ -142,13 +149,13 @@ Node上で直接起動することにより(例: `init`、`upstartd`、`systemd`
 
 - アプリケーションと同じ方法でデーモンの監視とログの管理ができる。
 - デーモンとアプリケーションで同じ設定用の言語とツール(例: Podテンプレート、`kubectl`)を使える。
-- リソースリミットを使ったコンテナ内でデーモンを稼働させることにより、デーモンとアプリケーションコンテナの分離を促進します。しかし、これはPod内でなく、コンテナ内でデーモンを稼働させることにより可能です(Dockerを介して直接起動する)。
+- リソースリミットを使ったコンテナ内でデーモンを稼働させることにより、デーモンとアプリケーションコンテナの分離を促進します。しかし、これはPod内でなく、コンテナ内でデーモンを稼働させることにより可能です。
 
 ### ベアPod
 
 特定のNode上で稼働するように指定したPodを直接作成することは可能です。しかし、DaemonSetはNodeの故障やNodeの破壊的なメンテナンスやカーネルのアップグレードなど、どのような理由に限らず、削除されたもしくは停止されたPodを置き換えます。このような理由で、ユーザーはPod単体を作成するよりもむしろDaemonSetを使うべきです。
 
-### 静的Pod Pods
+### 静的Pod
 
 Kubeletによって監視されているディレクトリに対してファイルを書き込むことによって、Podを作成することが可能です。これは[静的Pod](/ja/docs/tasks/configure-pod-container/static-pod/)と呼ばれます。DaemonSetと違い、静的Podはkubectlや他のKubernetes APIクライアントで管理できません。静的PodはApiServerに依存しておらず、クラスターの自立起動時に最適です。また、静的Podは将来的には廃止される予定です。
 
@@ -157,5 +164,19 @@ Kubeletによって監視されているディレクトリに対してファイ
 DaemonSetは、Podの作成し、そのPodが停止されることのないプロセスを持つことにおいて[Deployment](/ja/docs/concepts/workloads/controllers/deployment/)と同様です(例: webサーバー、ストレージサーバー)。
 
 フロントエンドのようなServiceのように、どのホスト上にPodが稼働するか制御するよりも、レプリカ数をスケールアップまたはスケールダウンしたりローリングアップデートする方が重要であるような、状態をもたないServiceに対してDeploymentを使ってください。
-Podのコピーが全てまたは特定のホスト上で常に稼働していることが重要な場合や、他のPodの前に起動させる必要があるときにDaemonSetを使ってください。
+DaemonSetがNodeレベルの機能を提供し、他のPodがその特定のNodeで正しく動作するようにする場合、Podのコピーが全てまたは特定のホスト上で常に稼働していることが重要な場合や、他のPodの前に起動させる必要があるときにDaemonSetを使ってください。
+
+例えば、[ネットワークプラグイン](/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/)には、DaemonSetとして動作するコンポーネントが含まれていることがよくあります。DaemonSetコンポーネントは、それが動作しているNodeでクラスターネットワークが動作していることを確認します。
+
+
+## {{% heading "whatsnext" %}}
 
+* [Pod](/ja/docs/concepts/workloads/pods/)について学ぶ。
+  * Kubernetesの{{< glossary_tooltip text="コントロールプレーン" term_id="control-plane" >}}コンポーネントを実行するのに便利な[静的Pod](#static-pods)について学ぶ。
+* DaemonSetの使用方法を確認する
+  * [DaemonSetでローリングアップデートを実施する](/docs/tasks/manage-daemon/update-daemon-set/)
+  * [DaemonSetでロールバックを実行する](/docs/tasks/manage-daemon/rollback-daemon-set/)
+    (例えば、ロールアウトが期待通りに動作しなかった場合)。
+* [Node上へのPodのスケジューリング](/ja/docs/concepts/scheduling-eviction/assign-pod-node/)の仕組みを理解する
+* よくDaemonSetとして実行される[デバイスプラグイン](/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/)と[アドオン](/ja/docs/concepts/cluster-administration/addons/)について学ぶ。
+* `DaemonSet`は、Kubernetes REST APIのトップレベルのリソースです。デーモンセットのAPIを理解するため{{< api-reference page="workload-resources/daemon-set-v1" >}}オブジェクトの定義を読む。

From 8a7476c1579b276ad28ff877f379cae4ad7218da Mon Sep 17 00:00:00 2001
From: lakshmi <thummala.prasuna@india.nec.com>
Date: Tue, 28 Feb 2023 12:51:20 +0530
Subject: [PATCH 019/215] corrected reference link for ComponentConfig.

---
 content/en/blog/_posts/2018-12-04-kubeadm-ga-release.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/blog/_posts/2018-12-04-kubeadm-ga-release.md b/content/en/blog/_posts/2018-12-04-kubeadm-ga-release.md
index 7ce410607622a..9fc3f4702df88 100644
--- a/content/en/blog/_posts/2018-12-04-kubeadm-ga-release.md
+++ b/content/en/blog/_posts/2018-12-04-kubeadm-ga-release.md
@@ -33,7 +33,7 @@ General Availability means different things for different projects. For kubeadm,
 We now consider kubeadm to have achieved GA-level maturity in each of these important domains:
 
  * **Stable command-line UX** --- The kubeadm CLI conforms to [#5a GA rule of the Kubernetes Deprecation Policy](/docs/reference/using-api/deprecation-policy/#deprecating-a-flag-or-cli), which states that a command or flag that exists in a GA version must be kept for at least 12 months after deprecation.
- * **Stable underlying implementation** --- kubeadm now creates a new Kubernetes cluster using methods that shouldn't change any time soon. The control plane, for example, is run as a set of static Pods, bootstrap tokens are used for the [`kubeadm join`](/docs/reference/setup-tools/kubeadm/kubeadm-join/) flow, and [ComponentConfig](https://github.com/kubernetes/enhancements/blob/master/keps/sig-cluster-lifecycle/wgs/0014-20180707-componentconfig-api-types-to-staging.md) is used for configuring the [kubelet](/docs/reference/command-line-tools-reference/kubelet/).
+ * **Stable underlying implementation** --- kubeadm now creates a new Kubernetes cluster using methods that shouldn't change any time soon. The control plane, for example, is run as a set of static Pods, bootstrap tokens are used for the [`kubeadm join`](/docs/reference/setup-tools/kubeadm/kubeadm-join/) flow, and [ComponentConfig](https://github.com/kubernetes/enhancements/blob/master/keps/sig-cluster-lifecycle/wgs/115-componentconfig) is used for configuring the [kubelet](/docs/reference/command-line-tools-reference/kubelet/).
  * **Configuration file schema** --- With the new **v1beta1** API version, you can now tune almost every part of the cluster declaratively and thus build a "GitOps" flow around kubeadm-built clusters. In future versions, we plan to graduate the API to version **v1** with minimal changes (and perhaps none).
  * **The "toolbox" interface of kubeadm** --- Also known as **phases**. If you don't want to perform all [`kubeadm init`](/docs/reference/setup-tools/kubeadm/kubeadm-init/) tasks, you can instead apply more fine-grained actions using the `kubeadm init phase` command (for example generating certificates or control plane [Static Pod](/docs/tasks/administer-cluster/static-pod/) manifests).
  * **Upgrades between minor versions** --- The [`kubeadm upgrade`](/docs/reference/setup-tools/kubeadm/kubeadm-upgrade/) command is now fully GA. It handles control plane upgrades for you, which includes upgrades to [etcd](https://etcd.io), the [API Server](/docs/reference/using-api/api-overview/), the [Controller Manager](/docs/reference/command-line-tools-reference/kube-controller-manager/), and the [Scheduler](/docs/reference/command-line-tools-reference/kube-scheduler/). You can seamlessly upgrade your cluster between minor or patch versions (e.g. v1.12.2 -> v1.13.1 or v1.13.1 -> v1.13.3).

From c6c09236c7b49ef8926204c83dffa6abe5cfc89c Mon Sep 17 00:00:00 2001
From: ziyi-xie <kai-shii@nec.com>
Date: Wed, 1 Mar 2023 08:29:13 +0000
Subject: [PATCH 020/215] Update
 /content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md

Co-authored-by: nasa9084 <nasa9084@users.noreply.github.com>
Co-authored-by: Toshiaki Inukai <82919057+t-inu@users.noreply.github.com>
Co-authored-by: atoato88 <akihito-inou@nec.com>
---
 .../scheduling-eviction/assign-pod-node.md    | 355 +++++++++---------
 1 file changed, 175 insertions(+), 180 deletions(-)

diff --git a/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md b/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md
index 7256b988f1b13..a8cf9e0129b23 100644
--- a/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md
+++ b/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md
@@ -7,212 +7,230 @@ weight: 20
 
 <!-- overview -->
 
-{{< glossary_tooltip text="Pod" term_id="pod" >}}が稼働する{{< glossary_tooltip text="Node" term_id="node" >}}を特定のものに指定したり、優先条件を指定して制限することができます。
-これを実現するためにはいくつかの方法がありますが、推奨されている方法は[ラベルでの選択](/ja/docs/concepts/overview/working-with-objects/labels/)です。
-スケジューラーが最適な配置を選択するため、一般的にはこのような制限は不要です(例えば、複数のPodを別々のNodeへデプロイしたり、Podを配置する際にリソースが不十分なNodeにはデプロイされないことが挙げられます)が、
-SSDが搭載されているNodeにPodをデプロイしたり、同じアベイラビリティーゾーン内で通信する異なるサービスのPodを同じNodeにデプロイする等、柔軟な制御が必要なこともあります。
+{{< glossary_tooltip text="Pod" term_id="pod" >}}を特定の{{< glossary_tooltip text="Node" term_id="node" >}}で実行するように _制限_ したり、特定のNodeで実行することを _優先_ させたりといった制約をかけることができます。
+これを実現するためにはいくつかの方法がありますが、推奨されている方法は、すべて[ラベルセレクター](/ja/docs/concepts/overview/working-with-objects/labels/)を使用して選択を容易にすることです。
+多くの場合、このような制約を設定する必要はなく、{{< glossary_tooltip text="スケジューラー" term_id="kube-scheduler" >}}が自動的に妥当な配置を行います(例えば、Podを複数のNodeに分散させ、空きリソースが十分でないNodeにPodを配置しないようにすることができます)。
+しかし、例えばSSDが接続されているNodeにPodが配置されるようにしたり、多くの通信を行う2つの異なるサービスのPodを同じアベイラビリティーゾーンに配置したりする等、どのNodeに配置するかを制御したい状況もあります。
 
+<!-- body -->
 
+Kubernetesが特定のPodの配置場所を選択するために、以下の方法があります:
 
-<!-- body -->
+  * [nodeラベル](#built-in-node-labels)に対してマッチングを行う[nodeSelector](#nodeselector)フィールド
+  * [アフィニティとアンチアフィニティ](#affinity-and-anti-affinity)
+  * [nodeName](#nodename)フィールド
+  * [Podのトポロジー分散制約](#pod-topology-spread-constraints)
 
-## nodeSelector
+## Nodeラベル {#built-in-node-labels}
 
-`nodeSelector`は、Nodeを選択するための、最も簡単で推奨されている手法です。
-`nodeSelector`はPodSpecのフィールドです。これはkey-valueペアのマップを特定します。
-あるノードでPodを稼働させるためには、そのノードがラベルとして指定されたkey-valueペアを保持している必要があります(複数のラベルを保持することも可能です)。
-最も一般的な使用方法は、1つのkey-valueペアを付与する方法です。
+他の多くのKubernetesオブジェクトと同様に、Nodeにも[ラベル](/ja/docs/concepts/overview/working-with-objects/labels/)があります。[手動でラベルを付ける](/ja/docs/tasks/configure-pod-container/assign-pods-nodes/#ラベルをNodeに追加する)ことができます。
+また、Kubernetesはクラスター内のすべてのNodeに対し、いくつかの標準ラベルを付けます。Nodeラベルの一覧については[よく使われるラベル、アノテーションとtaint](/docs/reference/labels-annotations-taints/)を参照してください。
 
-以下に、`nodeSelector`の使用例を紹介します。
+{{<note>}}
+これらのラベルの値はクラウドプロバイダー固有のもので、信頼性を保証できません。
+例えば、`kubernetes.io/hostname`の値はある環境ではNode名と同じになり、他の環境では異なる値になることがあります。
+{{</note>}}
 
-### ステップ0: 前提条件
+### Nodeの分離/制限
 
-この例では、KubernetesのPodに関して基本的な知識を有していることと、[Kubernetesクラスターのセットアップ](/ja/docs/setup/)がされていることが前提となっています。
+Nodeにラベルを追加することで、Podを特定のNodeまたはNodeグループ上でのスケジューリングの対象にすることができます。この機能を使用すると、特定のPodが一定の独立性、安全性、または規制といった属性を持ったNode上でのみ実行されるようにすることができます。
 
-### ステップ1: Nodeへのラベルの付与
+Node分離するのにラベルを使用する場合、{{<glossary_tooltip text="kubelet" term_id="kubelet">}}が修正できないラベルキーを選択してください。
+これにより、侵害されたNodeが自身でそれらのラベルを設定することで、スケジューラーがそのNodeにワークロードをスケジュールしてしまうのを防ぐことができます。
 
-`kubectl get nodes`で、クラスターのノードの名前を取得してください。
-そして、ラベルを付与するNodeを選び、`kubectl label nodes <node-name> <label-key>=<label-value>`で選択したNodeにラベルを付与します。
-例えば、Nodeの名前が'kubernetes-foo-node-1.c.a-robinson.internal'、付与するラベルが'disktype=ssd'の場合、`kubectl label nodes kubernetes-foo-node-1.c.a-robinson.internal disktype=ssd`によってラベルが付与されます。
+[`NodeRestriction`アドミッションプラグイン](/docs/reference/access-authn-authz/admission-controllers/#noderestriction)は、kubeletが`node-restriction.kubernetes.io/`というプレフィックスを持つラベルを設定または変更するのを防ぎます。
 
-`kubectl get nodes --show-labels`によって、ノードにラベルが付与されたかを確認することができます。
-また、`kubectl describe node "nodename"`から、そのNodeの全てのラベルを表示することもできます。
+ラベルプレフィックスをNode分離に利用するには:
 
-### ステップ2: PodへのnodeSelectorフィールドの追加
+1. [Node認可](/docs/reference/access-authn-authz/node/)を使用していることと、`NodeRestriction` アドミッションプラグインが _有効_ になっていることを確認します。
+2. `node-restriction.kubernetes.io/`プレフィックスを持つラベルをNodeに追加し、 [nodeSelector](#nodeselector)でそれらのラベルを使用します。
+    例えば、`example.com.node-restriction.kubernetes.io/fips=true`や`example.com.node-restriction.kubernetes.io/pci-dss=true`などです。
 
-該当のPodのconfigファイルに、nodeSelectorのセクションを追加します:
-例として以下のconfigファイルを扱います:
+## nodeSelector {#nodeselector}
 
-```yaml
-apiVersion: v1
-kind: Pod
-metadata:
-  name: nginx
-  labels:
-    env: test
-spec:
-  containers:
-  - name: nginx
-    image: nginx
-```
+`nodeSelector`は、Node選択制約の中で最もシンプルな推奨形式です。
+Podのspec(仕様)に`nodeSelector`フィールドを追加することで、ターゲットNodeが持つべき[Nodeラベル](#built-in-node-labels)を指定できます。
+Kubernetesは指定された各ラベルを持つNodeにのみ、Podをスケジューリングします。
 
-nodeSelectorを以下のように追加します:
+詳しい情報については[PodをNodeに割り当てる](/ja/docs/tasks/configure-pod-container/assign-pods-nodes/)を参照してください。
 
-{{< codenew file="pods/pod-nginx.yaml" >}}
+## アフィニティとアンチアフィニティ {#affinity-and-anti-affinity}
 
-`kubectl apply -f https://k8s.io/examples/pods/pod-nginx.yaml`により、Podは先ほどラベルを付与したNodeへスケジュールされます。
-`kubectl get pods -o wide`で表示される"NODE"の列から、PodがデプロイされているNodeを確認することができます。
+`nodeSelector`はPodを特定のラベルが付与されたNodeに制限する最も簡単な方法です。
+アフィニティとアンチアフィニティでは、定義できる制約の種類が拡張されています。
+アフィニティとアンチアフィニティのメリットは以下の通りです。
 
-## 補足: ビルトインNodeラベル {#built-in-node-labels}
+* アフィニティとアンチアフィニティで使われる言語は、より表現力が豊かです。`nodeSelector`は指定されたラベルを全て持つNodeを選択するだけです。アフィニティとアンチアフィニティは選択ロジックをより細かく制御することができます。
+* ルールが*柔軟*であったり*優先*での指定ができたりするため、一致するNodeが見つからない場合でも、スケジューラーはPodをスケジュールします。
+* Node自体のラベルではなく、Node(または他のトポロジカルドメイン)上で稼働している他のPodのラベルを使ってPodを制約することができます。これにより、Node上にどのPodを共存させるかのルールを定義することができます。
 
-明示的に[付与](#step-one-attach-label-to-the-node)するラベルの他に、事前にNodeへ付与されているものもあります。
-これらのラベルのリストは、[Well-Known Labels, Annotations and Taints](/docs/reference/kubernetes-api/labels-annotations-taints/)を参照してください。
+アフィニティ機能は、2種類のアフィニティで構成されています:
 
-{{< note >}}
-これらのラベルは、クラウドプロバイダー固有であり、確実なものではありません。
-例えば、`kubernetes.io/hostname`の値はNodeの名前と同じである環境もあれば、異なる環境もあります。
-{{< /note >}}
+* *Nodeアフィニティ*は`nodeSelector`フィールドと同様に機能しますが、より表現力が豊かで、より柔軟にルールを指定することができます。
+* *Pod間アフィニティとアンチアフィニティ*は、他のPodのラベルを元に、Podを制約することができます。
 
+### Nodeアフィニティ {#node-affinity}
 
-## Nodeの隔離や制限
-Nodeにラベルを付与することで、Podは特定のNodeやNodeグループにスケジュールされます。
-これにより、特定のPodを、確かな隔離性や安全性、特性を持ったNodeで稼働させることができます。
-この目的でラベルを使用する際に、Node上のkubeletプロセスに上書きされないラベルキーを選択することが強く推奨されています。
-これは、安全性が損なわれたNodeがkubeletの認証情報をNodeのオブジェクトに設定したり、スケジューラーがそのようなNodeにデプロイすることを防ぎます。
+Nodeアフィニティは概念的には、NodeのラベルによってPodがどのNodeにスケジュールされるかを制限する`nodeSelector`と同様です。
 
-`NodeRestriction`プラグインは、kubeletが`node-restriction.kubernetes.io/`プレフィックスを有するラベルの設定や上書きを防ぎます。
-Nodeの隔離にラベルのプレフィックスを使用するためには、以下のようにします。
+Nodeアフィニティには2種類あります:
 
-1. [Node authorizer](/docs/reference/access-authn-authz/node/)を使用していることと、[NodeRestriction admission plugin](/docs/reference/access-authn-authz/admission-controllers/#noderestriction)が _有効_ になっていること。
-2. Nodeに`node-restriction.kubernetes.io/` プレフィックスのラベルを付与し、そのラベルがnode selectorに指定されていること。
-例えば、`example.com.node-restriction.kubernetes.io/fips=true` または `example.com.node-restriction.kubernetes.io/pci-dss=true`のようなラベルです。
+  * `requiredDuringSchedulingIgnoredDuringExecution`: 
+    スケジューラーは、ルールが満たされない限り、Podをスケジュールすることができません。これは`nodeSelector`と同じように機能しますが、より表現力豊かな構文になっています。
+  * `preferredDuringSchedulingIgnoredDuringExecution`: 
+    スケジューラーは、対応するルールを満たすNodeを探そうとします。 一致するNodeが見つからなくても、スケジューラーはPodをスケジュールします。
 
-## アフィニティとアンチアフィニティ {#affinity-and-anti-affinity}
+{{<note>}}
+上記の2種類にある`IgnoredDuringExecution`は、KubernetesがPodをスケジュールした後にNodeラベルが変更されても、Podは実行し続けることを意味します。
+{{</note>}}
 
-`nodeSelector`はPodの稼働を特定のラベルが付与されたNodeに制限する最も簡単な方法です。
-アフィニティ/アンチアフィニティでは、より柔軟な指定方法が提供されています。
-拡張機能は以下の通りです。
+Podのspec(仕様)にある`.spec.affinity.nodeAffinity`フィールドを使用して、Nodeアフィニティを指定することができます。
 
-1. アフィニティ/アンチアフィニティという用語はとても表現豊かです。この用語は論理AND演算で作成された完全一致だけではなく、より多くのマッチングルールを提供します。
-2. 必須条件ではなく優先条件を指定でき、条件を満たさない場合でもPodをスケジュールさせることができます。
-3. Node自体のラベルではなく、Node(または他のトポロジカルドメイン)上で稼働している他のPodのラベルに対して条件を指定することができ、そのPodと同じ、または異なるドメインで稼働させることができます。
+例えば、次のようなPodのspec(仕様)を考えてみましょう:
 
-アフィニティは"Nodeアフィニティ"と"Pod間アフィニティ/アンチアフィニティ"の2種類から成ります。
-Nodeアフィニティは`nodeSelector`(前述の2つのメリットがあります)に似ていますが、Pod間アフィニティ/アンチアフィニティは、上記の3番目の機能に記載している通り、NodeのラベルではなくPodのラベルに対して制限をかけます。
+{{< codenew file="pods/pod-with-node-affinity.yaml" >}}
 
-### Nodeアフィニティ
+この例では、以下のルールが適用されます:
 
-Nodeアフィニティは概念的には、NodeのラベルによってPodがどのNodeにスケジュールされるかを制限する`nodeSelector`と同様です。
+  * Nodeには`topology.kubernetes.io/zone`をキーとするラベルが*必要*で、そのラベルの値は`antarctica-east1`または`antarctica-west1`のいずれかでなければなりません。
+  * Nodeにはキー名が`another-node-label-key`で、値が`another-node-label-value`のラベルを持つことが*望ましい*です。
 
-現在は2種類のNodeアフィニティがあり、`requiredDuringSchedulingIgnoredDuringExecution`と`preferredDuringSchedulingIgnoredDuringExecution`です。
-前者はNodeにスケジュールされるPodが条件を満たすことが必須(`nodeSelector`に似ていますが、より柔軟に条件を指定できます)であり、後者は条件を指定できますが保証されるわけではなく、優先的に考慮されます。
-"IgnoredDuringExecution"の意味するところは、`nodeSelector`の機能と同様であり、Nodeのラベルが変更され、Podがその条件を満たさなくなった場合でも
-PodはそのNodeで稼働し続けるということです。
-将来的には、`requiredDuringSchedulingIgnoredDuringExecution`に、PodのNodeアフィニティに記された必須要件を満たさなくなったNodeからそのPodを退避させることができる機能を備えた`requiredDuringSchedulingRequiredDuringExecution`が提供される予定です。
+`operator`フィールドを使用して、Kubernetesがルールを解釈する際に使用できる論理演算子を指定することができます。`In`、`NotIn`、`Exists`、`DoesNotExist`、`Gt`、`Lt`が使用できます。
 
-それぞれの使用例として、
-`requiredDuringSchedulingIgnoredDuringExecution` は、"インテルCPUを供えたNode上でPodを稼働させる"、
-`preferredDuringSchedulingIgnoredDuringExecution`は、"ゾーンXYZでPodの稼働を試みますが、実現不可能な場合には他の場所で稼働させる"
-といった方法が挙げられます。
+`NotIn`と`DoesNotExist`を使って、Nodeのアンチアフィニティ動作を定義することができます。また、[NodeのTaint](/ja/docs/concepts/scheduling-eviction/taint-and-toleration/)を使用して、特定のNodeからPodをはじくこともできます。
 
-Nodeアフィニティは、PodSpecの`affinity`フィールドにある`nodeAffinity`フィールドで特定します。
+{{<note>}}
+`nodeSelector`と`nodeAffinity`の両方を指定した場合、*両方の*条件を満たさないとPodはNodeにスケジュールされません。
 
-Nodeアフィニティを使用したPodの例を以下に示します:
+`nodeAffinity`タイプに関連付けられた`nodeSelectorTerms`内に、複数の条件を指定した場合、Podは指定した条件のいずれかを満たしたNodeへスケジュールされます(条件はORされます)。
 
-{{< codenew file="pods/pod-with-node-affinity.yaml" >}}
+`nodeSelectorTerms`内の条件に関連付けられた1つの`matchExpressions`フィールド内に、複数の条件を指定した場合、Podは全ての条件を満たしたNodeへスケジュールされます(条件はANDされます)。
+{{</note>}}
+
+詳細については[Nodeアフィニティを利用してPodをNodeに割り当てる](/ja/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/)を参照してください。
+
+#### Nodeアフィニティの重み
+
+`preferredDuringSchedulingIgnoredDuringExecution`アフィニティタイプの各インスタンスに、1から100の範囲の`weight`を指定できます。
+Podの他のスケジューリング要件をすべて満たすNodeを見つけると、スケジューラーはそのNodeが満たすすべての優先ルールを繰り返し実行し、対応する式の`weight`値を合計に加算します。
+
+最終的な合計は、そのNodeの他の優先度関数のスコアに加算されます。合計スコアが最も高いNodeが、スケジューラーがPodのスケジューリングを決定する際に優先されます。
+
+例えば、次のようなPodのspec(仕様)を考えてみましょう: 
 
-このNodeアフィニティでは、Podはキーが`kubernetes.io/e2e-az-name`、値が`e2e-az1`または`e2e-az2`のラベルが付与されたNodeにしか配置されません。
-加えて、キーが`another-node-label-key`、値が`another-node-label-value`のラベルが付与されたNodeが優先されます。
+{{< codenew file="pods/pod-with-affinity-anti-affinity.yaml" >}}
 
-この例ではオペレーター`In`が使われています。
-Nodeアフィニティでは、`In`、`NotIn`、`Exists`、`DoesNotExist`、`Gt`、`Lt`のオペレーターが使用できます。
-`NotIn`と`DoesNotExist`はNodeアンチアフィニティ、またはPodを特定のNodeにスケジュールさせない場合に使われる[Taints](/ja/docs/concepts/scheduling-eviction/taint-and-toleration/)に使用します。
+`preferredDuringSchedulingIgnoredDuringExecution`ルールにマッチするNodeとして、一つは`label-1:key-1`ラベル、もう一つは`label-2:key-2`ラベルの2つの候補がある場合、スケジューラーは各Nodeの`weight`を考慮し、その重みとNodeの他のスコアを加え、最終スコアが最も高いNodeにPodをスケジューリングします。
 
-`nodeSelector`と`nodeAffinity`の両方を指定した場合、Podは**両方の**条件を満たすNodeにスケジュールされます。
+{{<note>}}
+この例でKubernetesにPodを正常にスケジュールさせるには、`kubernetes.io/os=linux`ラベルを持つ既存のNodeが必要です。
+{{</note>}}
 
-`nodeAffinity`内で複数の`nodeSelectorTerms`を指定した場合、Podは**いずれかの**`nodeSelectorTerms`を満たしたNodeへスケジュールされます。
+#### スケジューリングプロファイルごとのNodeアフィニティ {#node-affinity-per-scheduling-profile}
 
-`nodeSelectorTerms`内で複数の`matchExpressions`を指定した場合にはPodは**全ての**`matchExpressions`を満たしたNodeへスケジュールされます。
+{{< feature-state for_k8s_version="v1.20" state="beta" >}}
 
-PodがスケジュールされたNodeのラベルを削除したり変更しても、Podは削除されません。
-言い換えると、アフィニティはPodをスケジュールする際にのみ考慮されます。
+複数の[スケジューリングプロファイル](/ja/docs/reference/scheduling/config/#multiple-profiles)を設定する場合、プロファイルにNodeアフィニティを関連付けることができます。これは、プロファイルが特定のNode群にのみ適用される場合に便利です。[スケジューラーの設定](/ja/docs/reference/scheduling/config/)にある[`NodeAffinity`プラグイン](/ja/docs/reference/scheduling/config/#scheduling-plugins)の`args`フィールドに`addedAffinity`を追加すると実現できます。例えば:
 
-`preferredDuringSchedulingIgnoredDuringExecution`内の`weight`フィールドは、1から100の範囲で指定します。
-全ての必要条件(リソースやRequiredDuringSchedulingアフィニティ等)を満たしたNodeに対して、スケジューラーはそのNodeがMatchExpressionsを満たした場合に、このフィルードの"weight"を加算して合計を計算します。
-このスコアがNodeの他の優先機能のスコアと組み合わせれ、最も高いスコアを有したNodeが優先されます。
+```yaml
+apiVersion: kubescheduler.config.k8s.io/v1beta3
+kind: KubeSchedulerConfiguration
+
+profiles:
+  - schedulerName: default-scheduler
+  - schedulerName: foo-scheduler
+    pluginConfig:
+      - name: NodeAffinity
+        args:
+          addedAffinity:
+            requiredDuringSchedulingIgnoredDuringExecution:
+              nodeSelectorTerms:
+              - matchExpressions:
+                - key: scheduler-profile
+                  operator: In
+                  values:
+                  - foo
+```
+
+`addedAffinity`は、Podの仕様(spec)で指定されたNodeアフィニティに加え、`.spec.schedulerName`を`foo-scheduler`に設定したすべてのPodに適用されます。つまり、Podにマッチするためには、Nodeは`addedAffinity`とPodの`.spec.NodeAffinity`を満たす必要があるのです。
+
+`addedAffinity`はエンドユーザーには見えないので、その動作はエンドユーザーにとって予期しないものになる可能性があります。スケジューラープロファイル名と明確な相関関係のあるNodeラベルを使用すべきです。
+
+{{< note >}}
+[DaemonSetのPodを作成する](/ja/docs/concepts/workloads/controllers/daemonset/#how-daemon-pods-are-scheduled)DaemonSetコントローラーは、スケジューリングプロファイルをサポートしていません。DaemonSetコントローラーがPodを作成すると、デフォルトのKubernetesスケジューラーがそれらのPodを配置し、DaemonSetコントローラーの`nodeAffinity`ルールに優先して従います。
+{{< /note >}}
 
-### Pod間アフィニティとアンチアフィニティ
+### Pod間のアフィニティとアンチアフィニティ
 
-Pod間アフィニティとアンチアフィニティは、Nodeのラベルではなく、すでにNodeで稼働しているPodのラベルに従ってPodがスケジュールされるNodeを制限します。
-このポリシーは、"XにてルールYを満たすPodがすでに稼働している場合、このPodもXで稼働させる(アンチアフィニティの場合は稼働させない)"という形式です。
-Yはnamespaceのリストで指定したLabelSelectorで表されます。
-Nodeと異なり、Podはnamespaceで区切られているため(それゆえPodのラベルも暗黙的にnamespaceで区切られます)、Podのラベルを指定するlabel selectorは、どのnamespaceにselectorを適用するかを指定する必要があります。
-概念的に、XはNodeや、ラック、クラウドプロバイダゾーン、クラウドプロバイダのリージョン等を表すトポロジードメインです。
-これらを表すためにシステムが使用するNodeラベルのキーである`topologyKey`を使うことで、トポロジードメインを指定することができます。
-先述のセクション[補足: ビルトインNodeラベル](#interlude-built-in-node-labels)にてラベルの例が紹介されています。
+Pod間のアフィニティとアンチアフィニティは、Nodeのラベルではなく、すでにNode上で稼働している**Pod**のラベルに従って、PodがどのNodeにスケジュールされるかを制限できます。
 
+XはNodeや、ラック、クラウドプロバイダーのゾーンやリージョン等を表すトポロジードメインで、YはKubernetesが満たそうとするルールである場合、Pod間のアフィニティとアンチアフィニティのルールは、"XにてルールYを満たすPodがすでに稼働している場合、このPodもXで実行すべき(アンチアフィニティの場合はすべきではない)"という形式です。
+
+これらのルール(Y)は、オプションの関連する名前空間のリストを持つ[ラベルセレクター](/ja/docs/concepts/overview/working-with-objects/labels/#label-selectors)で表現されます。PodはKubernetesの名前空間オブジェクトであるため、Podラベルも暗黙的に名前空間を持ちます。Kubernetesが指定された名前空間でラベルを探すため、Podラベルのラベルセレクターは、名前空間を指定する必要があります。
+
+トポロジードメイン(X)は`topologyKey`で表現され、システムがドメインを示すために使用するNodeラベルのキーになります。具体例は[よく知られたラベル、アノテーションとTaint](/docs/reference/labels-annotations-taints/)を参照してください。
 
 {{< note >}}
-Pod間アフィニティとアンチアフィニティは、大規模なクラスター上で使用する際にスケジューリングを非常に遅くする恐れのある多くの処理を要します。
-そのため、数百台以上のNodeから成るクラスターでは使用することを推奨されません。
+Pod間アフィニティとアンチアフィニティはかなりの処理量を必要とするため、大規模クラスターでのスケジューリングが大幅に遅くなる可能性があります
+そのため、数百台以上のNodeから成るクラスターでの使用は推奨されません。
 {{< /note >}}
 
 {{< note >}}
-Podのアンチアフィニティは、Nodeに必ずラベルが付与されている必要があります。
-言い換えると、クラスターの全てのNodeが、`topologyKey`で指定されたものに合致する適切なラベルが必要になります。
-それらが付与されていないNodeが存在する場合、意図しない挙動を示すことがあります。
+Podのアンチアフィニティは、Nodeに必ず一貫性の持つラベルが付与されている必要があります。
+言い換えると、クラスターの全てのNodeが、`topologyKey`に合致する適切なラベルが必要になります。
+一部、または全部のNodeに`topologyKey`ラベルが指定されていない場合、意図しない挙動に繋がる可能性があります。
 {{< /note >}}
 
-Nodeアフィニティと同様に、PodアフィニティとPodアンチアフィニティにも必須条件と優先条件を示す`requiredDuringSchedulingIgnoredDuringExecution`と`preferredDuringSchedulingIgnoredDuringExecution`があります。
-前述のNodeアフィニティのセクションを参照してください。
-`requiredDuringSchedulingIgnoredDuringExecution`を指定するアフィニティの使用例は、"Service AのPodとService BのPodが密に通信する際、それらを同じゾーンで稼働させる場合"です。
-また、`preferredDuringSchedulingIgnoredDuringExecution`を指定するアンチアフィニティの使用例は、"ゾーンをまたいでPodのサービスを稼働させる場合"(Podの数はゾーンの数よりも多いため、必須条件を指定すると合理的ではありません)です。
+#### Pod間のアフィニティとアンチアフィニティの種類
+
+[Nodeアフィニティ](#node-affinity)と同様に、Podアフィニティとアンチアフィニティにも下記の2種類があります:
+
+  * `requiredDuringSchedulingIgnoredDuringExecution`
+  * `preferredDuringSchedulingIgnoredDuringExecution`
+
+例えば、`requiredDuringSchedulingIgnoredDuringExecution`アフィニティを使用して、2つのサービスのPodはお互いのやり取りが多いため、同じクラウドプロバイダーゾーンに併置するようにスケジューラーに指示することができます。
+同様に、`preferredDuringSchedulingIgnoredDuringExecution`アンチアフィニティを使用して、あるサービスのPodを複数のクラウドプロバイダーゾーンに分散させることができます。
+
+Pod間アフィニティを使用するには、Pod仕様(spec)の`affinity.podAffinity`フィールドで指定します。Pod間アンチアフィニティを使用するには、Pod仕様(spec)の`affinity.podAntiAffinity`フィールドで指定します。
 
-Pod間アフィニティは、PodSpecの`affinity`フィールド内に`podAffinity`で指定し、Pod間アンチアフィニティは、`podAntiAffinity`で指定します。
+#### Podアフィニティ使用例 {#an-example-of-a-pod-that-uses-pod-affinity}
 
-#### Podアフィニティを使用したPodの例
+次のようなPod仕様(spec)を考えてみましょう:
 
 {{< codenew file="pods/pod-with-pod-affinity.yaml" >}}
 
-このPodのアフィニティは、PodアフィニティとPodアンチアフィニティを1つずつ定義しています。
-この例では、`podAffinity`に`requiredDuringSchedulingIgnoredDuringExecution`、`podAntiAffinity`に`preferredDuringSchedulingIgnoredDuringExecution`が設定されています。
-Podアフィニティは、「キーが"security"、値が"S1"のラベルが付与されたPodが少なくとも1つは稼働しているNodeが同じゾーンにあれば、PodはそのNodeにスケジュールされる」という条件を指定しています(より正確には、キーが"security"、値が"S1"のラベルが付与されたPodが稼働しており、キーが`topology.kubernetes.io/zone`、値がVであるNodeが少なくとも1つはある状態で、
-Node Nがキー`topology.kubernetes.io/zone`、値Vのラベルを持つ場合に、PodはNode Nで稼働させることができます)。
-Podアンチアフィニティは、「すでにあるNode上で、キーが"security"、値が"S2"であるPodが稼働している場合に、Podを可能な限りそのNode上で稼働させない」という条件を指定しています
-(`topologyKey`が`topology.kubernetes.io/zone`であった場合、キーが"security"、値が"S2"であるであるPodが稼働しているゾーンと同じゾーン内のNodeにはスケジュールされなくなります)。
-PodアフィニティとPodアンチアフィニティや、`requiredDuringSchedulingIgnoredDuringExecution`と`preferredDuringSchedulingIgnoredDuringExecution`に関する他の使用例は[デザインドック](https://git.k8s.io/community/contributors/design-proposals/scheduling/podaffinity.md)を参照してください。
+この例では、PodアフィニティルールとPodアンチアフィニティルールを1つずつ定義しています。
+Podアフィニティルールは"ハード"な`requiredDuringSchedulingIgnoredDuringExecution`を使用し、アンチアフィニティルールは"ソフト"な`preferredDuringSchedulingIgnoredDuringExecution`を使用しています。
 
-PodアフィニティとPodアンチアフィニティで使用できるオペレーターは、`In`、`NotIn`、 `Exists`、 `DoesNotExist`です。
+アフィニティルールは、スケジューラーがNodeにPodをスケジュールできるのは、そのNodeが、`security=S1`ラベルを持つ1つ以上の既存のPodと同じゾーンにある場合のみであることを示しています。より正確には、現在Podラベル`security=S1`を持つPodが1つ以上あるNodeが、そのゾーン内に少なくとも1つ存在する限り、スケジューラーは`topology.kubernetes.io/zone=V`ラベルを持つNodeにPodを配置しなければなりません。
 
-原則として、`topologyKey`には任意のラベルとキーが使用できます。
-しかし、パフォーマンスやセキュリティの観点から、以下の制約があります:
+アンチアフィニティルールは、`security=S2`ラベルを持つ1つ以上のPodと同じゾーンにあるNodeには、スケジューラーがPodをスケジュールしないようにすることを示しています。より正確には、Podラベル`Security=S2`を持つPodが稼働している他のNodeが、同じゾーン内に存在する場合、スケジューラーは`topology.kubernetes.io/zone=R`ラベルを持つNodeにはPodを配置しないようにしなければなりません。
 
-1. アフィニティと、`requiredDuringSchedulingIgnoredDuringExecution`を指定したPodアンチアフィニティは、`topologyKey`を指定しないことは許可されていません。
-2. `requiredDuringSchedulingIgnoredDuringExecution`を指定したPodアンチアフィニティでは、`kubernetes.io/hostname`の`topologyKey`を制限するため、アドミッションコントローラー`LimitPodHardAntiAffinityTopology`が導入されました。
-トポロジーをカスタマイズする場合には、アドミッションコントローラーを修正または無効化する必要があります。
-3. `preferredDuringSchedulingIgnoredDuringExecution`を指定したPodアンチアフィニティでは、`topologyKey`を省略することはできません。
-4. 上記の場合を除き、`topologyKey` は任意のラベルとキーを指定することができます。
+Podアフィニティとアンチアフィニティの使用例についてもっと知りたい方は[デザイン案](https://git.k8s.io/design-proposals-archive/scheduling/podaffinity.md)を参照してください。
 
-`labelSelector`と`topologyKey`に加え、`labelSelector`が合致すべき`namespaces`のリストを特定することも可能です(これは`labelSelector`と`topologyKey`を定義することと同等です)。
-省略した場合や空の場合は、アフィニティとアンチアフィニティが定義されたPodのnamespaceがデフォルトで設定されます。
+Podアフィニティとアンチアフィニティの`operator`フィールドで使用できるのは、`In`、`NotIn`、 `Exists`、 `DoesNotExist`です。
 
-`requiredDuringSchedulingIgnoredDuringExecution`が指定されたアフィニティとアンチアフィニティでは、`matchExpressions`に記載された全ての条件が満たされるNodeにPodがスケジュールされます。
+原則として、`topologyKey`には任意のラベルキーが指定できますが、パフォーマンスやセキュリティの観点から、以下の例外があります:
 
+* Podアフィニティとアンチアフィニティでは、`requiredDuringSchedulingIgnoredDuringExecution`と`preferredDuringSchedulingIgnoredDuringExecution`内のどちらも、`topologyKey`フィールドが空であることは許可されていません。
+* Podアンチアフィニティルールの`requiredDuringSchedulingIgnoredDuringExecution`では、アドミッションコントローラー`LimitPodHardAntiAffinityTopology`が`topologyKey`を`kubernetes.io/hostname`に制限しています。アドミッションコントローラーを修正または無効化すると、トポロジーのカスタマイズができるようになります。
 
-#### 実際的なユースケース
+`labelSelector`と`topologyKey`に加え、`labelSelector`と`topologyKey`と同じレベルの`namespaces`フィールドを使用して、`labelSelector`が合致すべき名前空間のリストを任意に指定することができます。省略または空の場合、`namespaces`がデフォルトで、アフィニティとアンチアフィニティが定義されたPodの名前空間に設定されます。
 
-Pod間アフィニティとアンチアフィニティは、ReplicaSet、StatefulSet、Deploymentなどのより高レベルなコレクションと併せて使用するとさらに有用です。
-Workloadが、Node等の定義された同じトポロジーに共存させるよう、簡単に設定できます。
+#### 名前空間セレクター
+{{< feature-state for_k8s_version="v1.24" state="stable" >}}
 
+`namespaceSelector`を使用し、ラベルで名前空間の集合に対して検索することによって、名前空間を選択することができます。
+アフィニティ項は`namespaceSelector`と`namespaces`フィールドによって選択された名前空間に適用されます。
+要注意なのは、空の`namespaceSelector`({})はすべての名前空間にマッチし、nullまたは空の`namespaces`リストとnullの`namespaceSelector`は、ルールが定義されているPodの名前空間にマッチします。
 
-##### 常に同じNodeで稼働させる場合
+#### 実践的なユースケース
 
-３つのノードから成るクラスターでは、ウェブアプリケーションはredisのようにインメモリキャッシュを保持しています。
-このような場合、ウェブサーバーは可能な限りキャッシュと共存させることが望ましいです。
+Pod間アフィニティとアンチアフィニティは、ReplicaSet、StatefulSet、Deploymentなどのより高レベルなコレクションと併せて使用するとさらに有用です。これらのルールにより、ワークロードのセットが同じ定義されたトポロジーに併置されるように設定できます。たとえば、2つの関連するPodを同じNodeに配置することが好ましい場合です。
 
-ラベル`app=store`を付与した3つのレプリカから成るredisのdeploymentを記述したyamlファイルを示します。
-Deploymentには、1つのNodeにレプリカを共存させないために`PodAntiAffinity`を付与しています。
+例えば、3つのNodeで構成されるクラスターを想像してください。クラスターを使用してウェブアプリケーションを実行し、さらにインメモリキャッシュ（Redisなど）を使用します。この例では、ウェブアプリケーションとメモリキャッシュの間のレイテンシーは実用的な範囲の低さも想定しています。Pod間アフィニティやアンチアフィニティを使って、ウェブサーバーとキャッシュをなるべく同じ場所に配置することができます。
 
+以下のRedisキャッシュのDeploymentの例では、各レプリカはラベル`app=store`が付与されています。`podAntiAffinity`ルールは、`app=store`ラベルを持つ複数のレプリカを単一Nodeに配置しないよう、スケジューラーに指示します。これにより、各キャッシュが別々のNodeに作成されます。
 
 ```yaml
 apiVersion: apps/v1
@@ -244,10 +262,7 @@ spec:
         image: redis:3.2-alpine
 ```
 
-ウェブサーバーのDeploymentを記載した以下のyamlファイルには、`podAntiAffinity` と`podAffinity`が設定されています。
-全てのレプリカが`app=store`のラベルが付与されたPodと同じゾーンで稼働するよう、スケジューラーに設定されます。
-また、それぞれのウェブサーバーは1つのノードで稼働されないことも保証されます。
-
+次の Web サーバーのDeployment例では、`app=web-store`ラベルが付与されたレプリカを作成します。Podアフィニティルールは、各レプリカを、`app=store`ラベルが付与されたPodを持つNodeに配置するようスケジューラーに指示します。Podアンチアフィニティルールは、1つのNodeに複数の`app=web-store`サーバーを配置しないようにスケジューラーに指示します。
 
 ```yaml
 apiVersion: apps/v1
@@ -288,49 +303,29 @@ spec:
         image: nginx:1.16-alpine
 ```
 
-上記2つのDeploymentが生成されると、3つのノードは以下のようになります。
+上記2つのDeploymentが生成されると、以下のようなクラスター構成になり、各Webサーバーはキャッシュと同位置に、3つの別々のNodeに配置されます。
 
 |       node-1         |       node-2        |       node-3       |
 |:--------------------:|:-------------------:|:------------------:|
 | *webserver-1*        |   *webserver-2*     |    *webserver-3*   |
 |  *cache-1*           |     *cache-2*       |     *cache-3*      |
 
-このように、3つの`web-server`は期待通り自動的にキャッシュと共存しています。
-
-```
-kubectl get pods -o wide
-```
-出力は以下のようになります:
-```
-NAME                           READY     STATUS    RESTARTS   AGE       IP           NODE
-redis-cache-1450370735-6dzlj   1/1       Running   0          8m        10.192.4.2   kube-node-3
-redis-cache-1450370735-j2j96   1/1       Running   0          8m        10.192.2.2   kube-node-1
-redis-cache-1450370735-z73mh   1/1       Running   0          8m        10.192.3.1   kube-node-2
-web-server-1287567482-5d4dz    1/1       Running   0          7m        10.192.2.3   kube-node-1
-web-server-1287567482-6f7v5    1/1       Running   0          7m        10.192.4.3   kube-node-3
-web-server-1287567482-s330j    1/1       Running   0          7m        10.192.3.2   kube-node-2
-```
-
-##### 同じNodeに共存させない場合
-
-上記の例では `PodAntiAffinity`を`topologyKey: "kubernetes.io/hostname"`と合わせて指定することで、redisクラスター内の2つのインスタンスが同じホストにデプロイされない場合を扱いました。
-同様の方法で、アンチアフィニティを用いて高可用性を実現したStatefulSetの使用例は[ZooKeeper tutorial](/docs/tutorials/stateful-application/zookeeper/#tolerating-node-failure)を参照してください。
+全体的な効果として、各キャッシュインスタンスは、同じNode上で実行している単一のクライアントによってアクセスされる可能性が高いです。この方法は、スキュー(負荷の偏り)とレイテンシーの両方を最小化することを目的としています。
 
+Podアンチアフィニティを使用する理由は他にもあります。
+この例と同様の方法で、アンチアフィニティを用いて高可用性を実現したStatefulSetの使用例は[ZooKeeperチュートリアル](/docs/tutorials/stateful-application/zookeeper/#tolerating-node-failure)を参照してください。
 
 ## nodeName
 
-`nodeName`はNodeの選択を制限する最も簡単な方法ですが、制約があることからあまり使用されません。
-`nodeName`はPodSpecのフィールドです。
-ここに値が設定されると、schedulerはそのPodを考慮しなくなり、その名前が付与されているNodeのkubeletはPodを稼働させようとします。
-そのため、PodSpecに`nodeName`が指定されると、上述のNodeの選択方法よりも優先されます。
+`nodeName`はアフィニティや`nodeSelector`よりも直接的なNode選択形式になります。`nodeName`はPod仕様(spec)のフィールドです。`nodeName`フィールドが空でない場合、スケジューラーはPodを考慮せずに、指定されたNodeにあるkubeletはそのNodeにPodを配置しようとします。`nodeName`を使用すると、`nodeSelector`やアフィニティおよびアンチアフィニティルールを使用するよりも優先されます。
 
- `nodeName`を使用することによる制約は以下の通りです:
+ `nodeName`を使ってNodeを選択する場合の制約は以下の通りです:
 
--   その名前のNodeが存在しない場合、Podは起動されす、自動的に削除される場合があります。
--   その名前のNodeにPodを稼働させるためのリソースがない場合、Podの起動は失敗し、理由は例えばOutOfmemoryやOutOfcpuになります。
--   クラウド上のNodeの名前は予期できず、変更される可能性があります。
+-   指定されたNodeが存在しない場合、Podは実行されず、場合によっては自動的に削除されることがあります。
+-   指定されたNodeがPodを収容するためのリソースを持っていない場合、Podの起動は失敗し、OutOfmemoryやOutOfcpuなどの理由が表示されます。
+-   クラウド環境におけるNode名は、常に予測可能で安定したものではありません。
 
-`nodeName`を指定したPodの設定ファイルの例を示します:
+以下は、`nodeName`フィールドを使用したPod仕様(spec)の例になります:
 
 ```yaml
 apiVersion: v1
@@ -344,18 +339,18 @@ spec:
   nodeName: kube-01
 ```
 
-上記のPodはkube-01という名前のNodeで稼働します。
-
+上記のPodは`kube-01`というNodeでのみ実行されます。
 
+## Podトポロジー分散制約 {#pod-topology-spread-constraints}
 
-## {{% heading "whatsnext" %}}
-
+_トポロジー分散制約_ を使って、リージョン、ゾーン、Nodeなどの障害ドメイン間、または定義したその他のトポロジードメイン間で、クラスター全体にどのように{{< glossary_tooltip text="Pod" term_id="Pod" >}}を分散させるかを制御することができます。これにより、パフォーマンス、予想される可用性、または全体的な使用率を向上させることができます。
 
-[Taints](/ja/docs/concepts/scheduling-eviction/taint-and-toleration/)を使うことで、NodeはPodを追い出すことができます。
+詳しい仕組みについては、[トポロジー分散制約](/docs/concepts/scheduling-eviction/topology-spread-constraints/)を参照してください。
 
-[Nodeアフィニティ](https://git.k8s.io/community/contributors/design-proposals/scheduling/nodeaffinity.md)と
-[Pod間アフィニティ/アンチアフィニティ](https://git.k8s.io/community/contributors/design-proposals/scheduling/podaffinity.md)
-のデザインドキュメントには、これらの機能の追加のバックグラウンドの情報が記載されています。
+## {{% heading "whatsnext" %}}
 
-一度PodがNodeに割り当たると、kubeletはPodを起動してノード内のリソースを確保します。
-[トポロジーマネージャー](/docs/tasks/administer-cluster/topology-manager/)はNodeレベルのリソース割り当てを決定する際に関与します。
+* [TaintとToleration](/ja/docs/concepts/scheduling-eviction/taint-and-toleration/)についてもっと読む。
+* [Nodeアフィニティ](https://git.k8s.io/design-proposals-archive/scheduling/nodeaffinity.md)と[Pod間アフィニティ/アンチアフィニティ](https://git.k8s.io/design-proposals-archive/scheduling/podaffinity.md)のデザインドキュメントを読む。
+* [トポロジーマネージャー](/ja/docs/tasks/administer-cluster/topology-manager/)がNodeレベルリソースの割り当て決定に参加する方法について学ぶ。
+* [nodeSelector](/ja/docs/tasks/configure-pod-container/assign-pods-nodes/)の使用方法について学ぶ。
+* [アフィニティとアンチアフィニティ](/ja/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/)の使用方法について学ぶ。

From 9781390c523ab1a11e01a977f932daf8dce24fd3 Mon Sep 17 00:00:00 2001
From: ziyi-xie <kai-shii@nec.com>
Date: Wed, 1 Mar 2023 09:06:03 +0000
Subject: [PATCH 021/215] add
 content/ja/examples/pods/pod-with-affinity-anti-affinity.yaml file

---
 .../pods/pod-with-affinity-anti-affinity.yaml | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 content/ja/examples/pods/pod-with-affinity-anti-affinity.yaml

diff --git a/content/ja/examples/pods/pod-with-affinity-anti-affinity.yaml b/content/ja/examples/pods/pod-with-affinity-anti-affinity.yaml
new file mode 100644
index 0000000000000..f5f698d1f9b57
--- /dev/null
+++ b/content/ja/examples/pods/pod-with-affinity-anti-affinity.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: with-affinity-anti-affinity
+spec:
+  affinity:
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+        - matchExpressions:
+          - key: kubernetes.io/os
+            operator: In
+            values:
+            - linux
+      preferredDuringSchedulingIgnoredDuringExecution:
+      - weight: 1
+        preference:
+          matchExpressions:
+          - key: label-1
+            operator: In
+            values:
+            - key-1
+      - weight: 50
+        preference:
+          matchExpressions:
+          - key: label-2
+            operator: In
+            values:
+            - key-2
+  containers:
+  - name: with-node-affinity
+    image: registry.k8s.io/pause:2.0
+    
\ No newline at end of file

From dbd72395cd23148315f03a9f7934a052b665a1c0 Mon Sep 17 00:00:00 2001
From: Peter Arboleda <skypeter1@gmail.com>
Date: Wed, 1 Mar 2023 14:29:10 +0100
Subject: [PATCH 022/215] Update endpoint-slices.md

---
 content/en/docs/concepts/services-networking/endpoint-slices.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/docs/concepts/services-networking/endpoint-slices.md b/content/en/docs/concepts/services-networking/endpoint-slices.md
index 5d83300032771..30fbb4ae5bf1d 100644
--- a/content/en/docs/concepts/services-networking/endpoint-slices.md
+++ b/content/en/docs/concepts/services-networking/endpoint-slices.md
@@ -235,7 +235,7 @@ at different times.
 {{< note >}}
 Clients of the EndpointSlice API must iterate through all the existing EndpointSlices
 associated to a Service and build a complete list of unique network endpoints. It is
-important to mention that endpoints may be duplicated in different EndointSlices.
+important to mention that endpoints may be duplicated in different EndpointSlices.
 
 You can find a reference implementation for how to perform this endpoint aggregation
 and deduplication as part of the `EndpointSliceCache` code within `kube-proxy`.

From dda415932020c49aede37201e3cbca7d235fcc12 Mon Sep 17 00:00:00 2001
From: hxysayhi <51870525+hxysayhi@users.noreply.github.com>
Date: Thu, 2 Mar 2023 09:39:30 +0800
Subject: [PATCH 023/215] Update topology-spread-constraints.md

Fixed translation errors.
---
 .../concepts/scheduling-eviction/topology-spread-constraints.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/zh-cn/docs/concepts/scheduling-eviction/topology-spread-constraints.md b/content/zh-cn/docs/concepts/scheduling-eviction/topology-spread-constraints.md
index 37a2fd0b20937..afb4aefbc3985 100644
--- a/content/zh-cn/docs/concepts/scheduling-eviction/topology-spread-constraints.md
+++ b/content/zh-cn/docs/concepts/scheduling-eviction/topology-spread-constraints.md
@@ -958,7 +958,7 @@ section of the enhancement proposal about Pod topology spread constraints.
 - 该调度器不会预先知道集群拥有的所有可用区和其他拓扑域。
   拓扑域由集群中存在的节点确定。在自动扩缩的集群中，如果一个节点池（或节点组）的节点数量缩减为零，
   而用户正期望其扩容时，可能会导致调度出现问题。
-  因为在这种情况下，调度器不会考虑这些拓扑域，因为其中至少有一个节点。
+  因为在这种情况下，调度器不会考虑这些拓扑域，直至这些拓扑域中至少包含有一个节点。
 
   你可以通过使用感知 Pod 拓扑分布约束并感知整个拓扑域集的集群自动扩缩工具来解决此问题。
 

From ee3ba4e39504c40d860bfccd3afb0eb6a62e19ad Mon Sep 17 00:00:00 2001
From: s-kawamura-w664 <s-kawamura_p@nec.com>
Date: Thu, 2 Mar 2023 08:35:18 +0000
Subject: [PATCH 024/215] [ja] update some roles and links

---
 content/ja/docs/contribute/review/for-approvers.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/content/ja/docs/contribute/review/for-approvers.md b/content/ja/docs/contribute/review/for-approvers.md
index ea17bba99ecf1..822396fbf67ea 100644
--- a/content/ja/docs/contribute/review/for-approvers.md
+++ b/content/ja/docs/contribute/review/for-approvers.md
@@ -61,13 +61,13 @@ Prowコマンド | Roleの制限 | 説明
 :------------|:------------------|:-----------
 `/lgtm` | Organizationメンバー | PRのレビューが完了し、変更に納得したことを知らせる。
 `/approve` | Approver | PRをマージすることを承認する。
-`/assign` | ReviewerまたはApprover | PRのレビューまたは承認するひとを割り当てる。
-`/close` | ReviewerまたはApprover | issueまたはPRをcloseする。
+`/assign` | 誰でも | PRのレビューまたは承認するひとを割り当てる。
+`/close` | Organizationメンバー | issueまたはPRをcloseする。
 `/hold` | 誰でも | `do-not-merge/hold`ラベルを追加して、自動的にマージできないPRであることを示す。
 `/hold cancel` | 誰でも | `do-not-merge/hold`ラベルを削除する。
 {{< /table >}}
 
-PRで利用できるすべてのコマンド一覧を確認するには、[Prowコマンドリファレンス](https://prow.k8s.io/command-help)を参照してください。
+PRで利用できるすべてのコマンドを確認するには、[Prowコマンドリファレンス](https://prow.k8s.io/command-help?repo=kubernetes%2Fwebsite)を参照してください。
 
 ## issueのトリアージとカテゴリー分類
 
@@ -141,7 +141,7 @@ SIG Docsでは、対処方法をドキュメントに書いても良いくらい
 
 ### Blogに関するissue
 
-[Kubernetes Blog](https://kubernetes.io/blog/)のエントリーは時間が経つと情報が古くなるものだと考えています。そのため、ブログのエントリーは1年以内のものだけをメンテナンスします。1年以上前のブログエントリーに関するissueは修正せずにcloseします。
+[Kubernetes Blog](/blog/)のエントリーは時間が経つと情報が古くなるものだと考えています。そのため、ブログのエントリーは1年以内のものだけをメンテナンスします。1年以上前のブログエントリーに関するissueは修正せずにcloseします。
 
 ### サポートリクエストまたはコードのバグレポート {#support-requests-or-code-bug-reports}
 

From d6445848fc32d9cb832f020a9fd5845f4d346ccf Mon Sep 17 00:00:00 2001
From: ClimberJ <98227175+ClimberJ@users.noreply.github.com>
Date: Thu, 2 Mar 2023 12:14:13 +0100
Subject: [PATCH 025/215] Removed duplicate word

---
 content/en/docs/concepts/workloads/pods/pod-qos.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/docs/concepts/workloads/pods/pod-qos.md b/content/en/docs/concepts/workloads/pods/pod-qos.md
index b2035c520f404..9b0b10dedadbe 100644
--- a/content/en/docs/concepts/workloads/pods/pod-qos.md
+++ b/content/en/docs/concepts/workloads/pods/pod-qos.md
@@ -71,7 +71,7 @@ A Pod is given a QoS class of `Burstable` if:
 
 Pods in the `BestEffort` QoS class can use node resources that aren't specifically assigned
 to Pods in other QoS classes. For example, if you have a node with 16 CPU cores available to the
-kubelet, and you assign assign 4 CPU cores to a `Guaranteed` Pod, then a Pod in the `BestEffort`
+kubelet, and you assign 4 CPU cores to a `Guaranteed` Pod, then a Pod in the `BestEffort`
 QoS class can try to use any amount of the remaining 12 CPU cores.
 
 The kubelet prefers to evict `BestEffort` Pods if the node comes under resource pressure.

From c90fd0f340ae93e91d1a319e4b3770655319c013 Mon Sep 17 00:00:00 2001
From: s-kawamura-w664 <s-kawamura_p@nec.com>
Date: Fri, 3 Mar 2023 09:08:17 +0000
Subject: [PATCH 026/215] [ja] Update page weights under
 content/ja/docs/reference.

---
 .../ja/docs/reference/command-line-tools-reference/_index.md    | 2 +-
 content/ja/docs/reference/kubectl/_index.md                     | 2 +-
 content/ja/docs/reference/kubectl/cheatsheet.md                 | 1 +
 content/ja/docs/reference/kubectl/conventions.md                | 1 +
 content/ja/docs/reference/kubectl/jsonpath.md                   | 2 +-
 content/ja/docs/reference/scheduling/_index.md                  | 2 +-
 content/ja/docs/reference/scheduling/policies.md                | 1 +
 content/ja/docs/reference/setup-tools/_index.md                 | 2 +-
 content/ja/docs/reference/using-api/_index.md                   | 2 +-
 9 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/content/ja/docs/reference/command-line-tools-reference/_index.md b/content/ja/docs/reference/command-line-tools-reference/_index.md
index 89d64ce646db7..2e4806da13d42 100644
--- a/content/ja/docs/reference/command-line-tools-reference/_index.md
+++ b/content/ja/docs/reference/command-line-tools-reference/_index.md
@@ -1,5 +1,5 @@
 ---
 title: コマンドラインツールのリファレンス
-weight: 60
+weight: 120
 toc-hide: true
 ---
diff --git a/content/ja/docs/reference/kubectl/_index.md b/content/ja/docs/reference/kubectl/_index.md
index 7b6c2d720b12a..6738659218c18 100644
--- a/content/ja/docs/reference/kubectl/_index.md
+++ b/content/ja/docs/reference/kubectl/_index.md
@@ -1,5 +1,5 @@
 ---
 title: "kubectl CLI"
-weight: 60
+weight: 110
 ---
 
diff --git a/content/ja/docs/reference/kubectl/cheatsheet.md b/content/ja/docs/reference/kubectl/cheatsheet.md
index 7b2d782882cfd..31a56103ccf92 100644
--- a/content/ja/docs/reference/kubectl/cheatsheet.md
+++ b/content/ja/docs/reference/kubectl/cheatsheet.md
@@ -1,6 +1,7 @@
 ---
 title: kubectlチートシート
 content_type: concept
+weight: 10 # highlight it
 card:
   name: reference
   weight: 30
diff --git a/content/ja/docs/reference/kubectl/conventions.md b/content/ja/docs/reference/kubectl/conventions.md
index 338c97152adac..a1ee10d6e1e87 100644
--- a/content/ja/docs/reference/kubectl/conventions.md
+++ b/content/ja/docs/reference/kubectl/conventions.md
@@ -1,6 +1,7 @@
 ---
 title: kubectlの使用規則
 content_type: concept
+weight: 60
 ---
 
 <!-- overview -->
diff --git a/content/ja/docs/reference/kubectl/jsonpath.md b/content/ja/docs/reference/kubectl/jsonpath.md
index 9b9caca4bb3b0..fc382444ddc11 100644
--- a/content/ja/docs/reference/kubectl/jsonpath.md
+++ b/content/ja/docs/reference/kubectl/jsonpath.md
@@ -1,7 +1,7 @@
 ---
 title: JSONPathのサポート
 content_type: concept
-weight: 25
+weight: 40
 ---
 
 <!-- overview -->
diff --git a/content/ja/docs/reference/scheduling/_index.md b/content/ja/docs/reference/scheduling/_index.md
index 316b774081953..6a44b52845201 100644
--- a/content/ja/docs/reference/scheduling/_index.md
+++ b/content/ja/docs/reference/scheduling/_index.md
@@ -1,5 +1,5 @@
 ---
 title: Scheduling
-weight: 70
+weight: 140
 toc-hide: true
 ---
diff --git a/content/ja/docs/reference/scheduling/policies.md b/content/ja/docs/reference/scheduling/policies.md
index dd236d3c3db20..620adbc1a2603 100644
--- a/content/ja/docs/reference/scheduling/policies.md
+++ b/content/ja/docs/reference/scheduling/policies.md
@@ -3,6 +3,7 @@ title: スケジューリングポリシー
 content_type: concept
 sitemap:
   priority: 0.2 # スケジューリングポリシーは廃止されました。
+weight: 30
 ---
 
 <!-- overview -->
diff --git a/content/ja/docs/reference/setup-tools/_index.md b/content/ja/docs/reference/setup-tools/_index.md
index 8341a25236359..0ccc1ece2f0e3 100644
--- a/content/ja/docs/reference/setup-tools/_index.md
+++ b/content/ja/docs/reference/setup-tools/_index.md
@@ -1,4 +1,4 @@
 ---
 title: セットアップツールのリファレンス
-weight: 50
+weight: 100
 ---
diff --git a/content/ja/docs/reference/using-api/_index.md b/content/ja/docs/reference/using-api/_index.md
index 543b78b2c84a9..5df9a0391835d 100644
--- a/content/ja/docs/reference/using-api/_index.md
+++ b/content/ja/docs/reference/using-api/_index.md
@@ -1,7 +1,7 @@
 ---
 title: API概要
 content_type: concept
-weight: 10
+weight: 20
 no_list: true
 card:
   name: reference

From 4a885ceca8839245502881a9834b5c05253b1b79 Mon Sep 17 00:00:00 2001
From: Shogo Hida <shogo.hida@gmail.com>
Date: Sun, 19 Feb 2023 11:54:43 +0900
Subject: [PATCH 027/215] Fix paths

Signed-off-by: Shogo Hida <shogo.hida@gmail.com>
---
 .../cluster-administration-overview.md                      | 6 +-----
 .../concepts/cluster-administration/manage-deployment.md    | 5 ++---
 .../concepts/configuration/manage-resources-containers.md   | 2 +-
 .../reference/command-line-tools-reference/feature-gates.md | 4 ++--
 .../ja/docs/tasks/debug/debug-cluster/local-debugging.md    | 2 +-
 .../guestbook-logs-metrics-with-elk.md                      | 4 ++--
 6 files changed, 9 insertions(+), 14 deletions(-)

diff --git a/content/ja/docs/concepts/cluster-administration/cluster-administration-overview.md b/content/ja/docs/concepts/cluster-administration/cluster-administration-overview.md
index 9f27d7779df53..11c7285609b80 100644
--- a/content/ja/docs/concepts/cluster-administration/cluster-administration-overview.md
+++ b/content/ja/docs/concepts/cluster-administration/cluster-administration-overview.md
@@ -49,7 +49,7 @@ Kubernetesクラスターの計画、セットアップ、設定の例を知る
 
 * [Kubernetesクラスターでのsysctlの使用](/docs/concepts/cluster-administration/sysctl-cluster/)では、管理者向けにカーネルパラメーターを設定するため`sysctl`コマンドラインツールの使用方法について解説します。
 
-* [クラスターの監査](/docs/tasks/debug-application-cluster/audit/)では、Kubernetesの監査ログの扱い方について解説します。
+* [クラスターの監査](/ja/docs/tasks/debug/debug-cluster/audit/)では、Kubernetesの監査ログの扱い方について解説します。
 
 ### kubeletをセキュアにする
   * [マスターとノードのコミュニケーション](/ja/docs/concepts/architecture/master-node-communication/)
@@ -61,7 +61,3 @@ Kubernetesクラスターの計画、セットアップ、設定の例を知る
 * [DNSのインテグレーション](/ja/docs/concepts/services-networking/dns-pod-service/)では、DNS名をKubernetes Serviceに直接名前解決する方法を解説します。
 
 * [クラスターアクティビィのロギングと監視](/docs/concepts/cluster-administration/logging/)では、Kubernetesにおけるロギングがどのように行われ、どう実装されているかについて解説します。
-
-
-
-
diff --git a/content/ja/docs/concepts/cluster-administration/manage-deployment.md b/content/ja/docs/concepts/cluster-administration/manage-deployment.md
index 084ff304b5c6a..35def1de1269e 100644
--- a/content/ja/docs/concepts/cluster-administration/manage-deployment.md
+++ b/content/ja/docs/concepts/cluster-administration/manage-deployment.md
@@ -1,6 +1,6 @@
 ---
 reviewers:
-- 
+-
 title: リソースの管理
 content_type: concept
 weight: 40
@@ -449,6 +449,5 @@ kubectl edit deployment/my-nginx
 
 ## {{% heading "whatsnext" %}}
 
-- [アプリケーションの調査とデバッグのための`kubectl`の使用方法](/docs/tasks/debug-application-cluster/debug-application-introspection/)について学んでください。
+- [アプリケーションの調査とデバッグのための`kubectl`の使用方法](/ja/docs/tasks/debug/debug-application/debug-running-pod/)について学んでください。
 - [設定のベストプラクティスとTIPS](/ja/docs/concepts/configuration/overview/)を参照してください。
-
diff --git a/content/ja/docs/concepts/configuration/manage-resources-containers.md b/content/ja/docs/concepts/configuration/manage-resources-containers.md
index 62b01aa0dfe88..7004d7348dc8e 100644
--- a/content/ja/docs/concepts/configuration/manage-resources-containers.md
+++ b/content/ja/docs/concepts/configuration/manage-resources-containers.md
@@ -170,7 +170,7 @@ Dockerを使用する場合:
 
 Podのリソース使用量は、Podのステータスの一部として報告されます。
 
-オプションの[監視ツール](/docs/tasks/debug-application-cluster/resource-usage-monitoring/)がクラスターにおいて利用可能な場合、Podのリソース使用量は[メトリクスAPI](/docs/tasks/debug-application-cluster/resource-metrics-pipeline/#the-metrics-api)から直接、もしくは監視ツールから取得できます。
+オプションの[監視ツール](/ja/docs/tasks/debug/debug-cluster/resource-usage-monitoring/)がクラスターにおいて利用可能な場合、Podのリソース使用量は[メトリクスAPI](/ja/docs/tasks/debug/debug-cluster/resource-metrics-pipeline/#the-metrics-api)から直接、もしくは監視ツールから取得できます。
 
 ## ローカルのエフェメラルストレージ {#local-ephemeral-storage}
 
diff --git a/content/ja/docs/reference/command-line-tools-reference/feature-gates.md b/content/ja/docs/reference/command-line-tools-reference/feature-gates.md
index 76ee414f7bbb8..a014c7c608593 100644
--- a/content/ja/docs/reference/command-line-tools-reference/feature-gates.md
+++ b/content/ja/docs/reference/command-line-tools-reference/feature-gates.md
@@ -346,7 +346,7 @@ GAになってからさらなる変更を加えることは現実的ではない
 各フィーチャーゲートは特定の機能を有効/無効にするように設計されています。
 
 - `Accelerators`: DockerでのNvidia GPUのサポートを有効にします。
-- `AdvancedAuditing`: [高度な監査機能](/docs/tasks/debug-application-cluster/audit/#advanced-audit)を有効にします。
+- `AdvancedAuditing`: [高度な監査機能](/ja/docs/tasks/debug/debug-cluster/audit/#advanced-audit)を有効にします。
 - `AffinityInAnnotations`(*非推奨*): [Podのアフィニティまたはアンチアフィニティ](/ja/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)を有効にします。
 - `AnyVolumeDataSource`: {{< glossary_tooltip text="PVC" term_id="persistent-volume-claim" >}}の`DataSource`としてカスタムリソースの使用を有効にします。
 - `AllowExtTrafficLocalEndpoints`: サービスが外部へのリクエストをノードのローカルエンドポイントにルーティングできるようにします。
@@ -387,7 +387,7 @@ GAになってからさらなる変更を加えることは現実的ではない
 - `CustomResourceWebhookConversion`: [CustomResourceDefinition](/docs/concepts/extend-kubernetes/api-extension/custom-resources/)から作成されたリソースのWebhookベースの変換を有効にします。
 - `DevicePlugins`: [device-plugins](/docs/concepts/cluster-administration/device-plugins/)によるノードでのリソースプロビジョニングを有効にします。
 - `DryRun`: サーバーサイドでの[dry run](/docs/reference/using-api/api-concepts/#dry-run)リクエストを有効にします。
-- `DynamicAuditing`: [動的監査](/docs/tasks/debug-application-cluster/audit/#dynamic-backend)を有効にします。
+- `DynamicAuditing`: [動的監査](/docs/tasks/debug/debug-cluster/audit/#dynamic-backend)を有効にします。
 - `DynamicKubeletConfig`: kubeletの動的構成を有効にします。[kubeletの再設定](/docs/tasks/administer-cluster/reconfigure-kubelet/)を参照してください。
 - `DynamicProvisioningScheduling`: デフォルトのスケジューラーを拡張してボリュームトポロジーを認識しPVプロビジョニングを処理します。この機能は、v1.12の`VolumeScheduling`機能に完全に置き換えられました。
 - `DynamicVolumeProvisioning`(*非推奨*): Podへの永続ボリュームの[動的プロビジョニング](/ja/docs/concepts/storage/dynamic-provisioning/)を有効にします。
diff --git a/content/ja/docs/tasks/debug/debug-cluster/local-debugging.md b/content/ja/docs/tasks/debug/debug-cluster/local-debugging.md
index 3272582fb367c..a0ef6f361115b 100644
--- a/content/ja/docs/tasks/debug/debug-cluster/local-debugging.md
+++ b/content/ja/docs/tasks/debug/debug-cluster/local-debugging.md
@@ -5,7 +5,7 @@ content_type: task
 
 <!-- overview -->
 
-Kubernetesアプリケーションは通常、複数の独立したサービスから構成され、それぞれが独自のコンテナで動作しています。これらのサービスをリモートのKubernetesクラスター上で開発・デバッグするには、[get a shell on a running container](/docs/task/debug-application-cluster/get-shell-running-container/)してリモートシェル内でツールを実行しなければならず面倒な場合があります。
+Kubernetesアプリケーションは通常、複数の独立したサービスから構成され、それぞれが独自のコンテナで動作しています。これらのサービスをリモートのKubernetesクラスター上で開発・デバッグするには、[get a shell on a running container](/ja/docs/task/debug/debug-application/get-shell-running-container/)してリモートシェル内でツールを実行しなければならず面倒な場合があります。
 
 `telepresence`は、リモートKubernetesクラスターにサービスをプロキシーしながら、ローカルでサービスを開発・デバッグするプロセスを容易にするためのツールです。
 `telepresence` を使用すると、デバッガーやIDEなどのカスタムツールをローカルサービスで使用でき、ConfigMapやsecret、リモートクラスター上で動作しているサービスへのフルアクセスをサービスに提供します。
diff --git a/content/ja/docs/tutorials/stateless-application/guestbook-logs-metrics-with-elk.md b/content/ja/docs/tutorials/stateless-application/guestbook-logs-metrics-with-elk.md
index 2e771a13b40c0..4eac56f950514 100644
--- a/content/ja/docs/tutorials/stateless-application/guestbook-logs-metrics-with-elk.md
+++ b/content/ja/docs/tutorials/stateless-application/guestbook-logs-metrics-with-elk.md
@@ -456,7 +456,7 @@ DeploymentとServiceを削除すると、実行中のすべてのPodも削除さ
 
 ## {{% heading "whatsnext" %}}
 
-* [リソースを監視するためのツール](/docs/tasks/debug-application-cluster/resource-usage-monitoring/)について学ぶ。
+* [リソースを監視するためのツール](/ja/docs/tasks/debug/debug-cluster/resource-usage-monitoring/)について学ぶ。
 * [ロギングのアーキテクチャ](/docs/concepts/cluster-administration/logging/)についてもっと読む。
 * [アプリケーションのイントロスペクションとデバッグ](/ja/docs/tasks/debug/debug-application/)についてもっと読む。
-* [アプリケーションのトラブルシューティング](/docs/tasks/debug-application-cluster/resource-usage-monitoring/)についてもっと読む。
+* [アプリケーションのトラブルシューティング](/ja/docs/tasks/debug/debug-cluster/resource-usage-monitoring/)についてもっと読む。

From fceca934ffbd6d3b508762fa36d1437e9a962b6f Mon Sep 17 00:00:00 2001
From: Shogo Hida <shogo.hida@gmail.com>
Date: Mon, 20 Feb 2023 18:25:22 +0900
Subject: [PATCH 028/215] Fix troubleshooting

Signed-off-by: Shogo Hida <shogo.hida@gmail.com>
---
 .../windows/intro-windows-in-kubernetes.md                      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ja/docs/setup/production-environment/windows/intro-windows-in-kubernetes.md b/content/ja/docs/setup/production-environment/windows/intro-windows-in-kubernetes.md
index 2fa71ad2fc77b..ea9e947f6ae99 100644
--- a/content/ja/docs/setup/production-environment/windows/intro-windows-in-kubernetes.md
+++ b/content/ja/docs/setup/production-environment/windows/intro-windows-in-kubernetes.md
@@ -365,7 +365,7 @@ Windowsでは、PodSecurityContextフィールドはどれも機能しません
 
 ## ヘルプとトラブルシューティングを学ぶ {#troubleshooting}
 
-Kubernetesクラスターのトラブルシューティングの主なヘルプソースは、この[セクション](/docs/tasks/debug-application-cluster/troubleshooting/)から始める必要があります。このセクションには、いくつか追加的な、Windows固有のトラブルシューティングヘルプが含まれています。ログは、Kubernetesにおけるトラブルシューティング問題の重要な要素です。他のコントリビューターからトラブルシューティングの支援を求めるときは、必ずそれらを含めてください。SIG-Windows[ログ収集に関するコントリビュートガイド](https://github.com/kubernetes/community/blob/master/sig-windows/CONTRIBUTING.md#gathering-logs)の指示に従ってください。
+Kubernetesクラスターのトラブルシューティングの主なヘルプソースは、[トラブルシューティング](/ja/docs/tasks/debug/)ページから始める必要があります。このページには、いくつか追加的な、Windows固有のトラブルシューティングヘルプが含まれています。ログは、Kubernetesにおけるトラブルシューティング問題の重要な要素です。他のコントリビューターからトラブルシューティングの支援を求めるときは、必ずそれらを含めてください。SIG-Windows[ログ収集に関するコントリビュートガイド](https://github.com/kubernetes/community/blob/master/sig-windows/CONTRIBUTING.md#gathering-logs)の指示に従ってください。
 
 1. start.ps1が正常に完了したことをどのように確認できますか？
 

From 580a3a9eaf6e4a6656f5f97c6acfb72cd1543add Mon Sep 17 00:00:00 2001
From: Shogo Hida <shogo.hida@gmail.com>
Date: Mon, 20 Feb 2023 18:28:53 +0900
Subject: [PATCH 029/215] Fix translation

Signed-off-by: Shogo Hida <shogo.hida@gmail.com>
---
 .../windows/intro-windows-in-kubernetes.md                      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ja/docs/setup/production-environment/windows/intro-windows-in-kubernetes.md b/content/ja/docs/setup/production-environment/windows/intro-windows-in-kubernetes.md
index ea9e947f6ae99..aa30f5ceaa0b4 100644
--- a/content/ja/docs/setup/production-environment/windows/intro-windows-in-kubernetes.md
+++ b/content/ja/docs/setup/production-environment/windows/intro-windows-in-kubernetes.md
@@ -365,7 +365,7 @@ Windowsでは、PodSecurityContextフィールドはどれも機能しません
 
 ## ヘルプとトラブルシューティングを学ぶ {#troubleshooting}
 
-Kubernetesクラスターのトラブルシューティングの主なヘルプソースは、[トラブルシューティング](/ja/docs/tasks/debug/)ページから始める必要があります。このページには、いくつか追加的な、Windows固有のトラブルシューティングヘルプが含まれています。ログは、Kubernetesにおけるトラブルシューティング問題の重要な要素です。他のコントリビューターからトラブルシューティングの支援を求めるときは、必ずそれらを含めてください。SIG-Windows[ログ収集に関するコントリビュートガイド](https://github.com/kubernetes/community/blob/master/sig-windows/CONTRIBUTING.md#gathering-logs)の指示に従ってください。
+Kubernetesクラスターのトラブルシューティングの主なヘルプソースは、[トラブルシューティング](/ja/docs/tasks/debug/)ページから始める必要があります。このセクションには、いくつか追加的な、Windows固有のトラブルシューティングヘルプが含まれています。ログは、Kubernetesにおけるトラブルシューティング問題の重要な要素です。他のコントリビューターからトラブルシューティングの支援を求めるときは、必ずそれらを含めてください。SIG-Windows[ログ収集に関するコントリビュートガイド](https://github.com/kubernetes/community/blob/master/sig-windows/CONTRIBUTING.md#gathering-logs)の指示に従ってください。
 
 1. start.ps1が正常に完了したことをどのように確認できますか？
 

From 1ae0421446e15e0ff69ef9cab91fd951624f84fa Mon Sep 17 00:00:00 2001
From: Shogo Hida <shogo.hida@gmail.com>
Date: Sun, 26 Feb 2023 18:28:01 +0900
Subject: [PATCH 030/215] Fix path and add translation

---
 content/ja/docs/tasks/debug/debug-cluster/local-debugging.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ja/docs/tasks/debug/debug-cluster/local-debugging.md b/content/ja/docs/tasks/debug/debug-cluster/local-debugging.md
index a0ef6f361115b..8fe2c4a5f4999 100644
--- a/content/ja/docs/tasks/debug/debug-cluster/local-debugging.md
+++ b/content/ja/docs/tasks/debug/debug-cluster/local-debugging.md
@@ -5,7 +5,7 @@ content_type: task
 
 <!-- overview -->
 
-Kubernetesアプリケーションは通常、複数の独立したサービスから構成され、それぞれが独自のコンテナで動作しています。これらのサービスをリモートのKubernetesクラスター上で開発・デバッグするには、[get a shell on a running container](/ja/docs/task/debug/debug-application/get-shell-running-container/)してリモートシェル内でツールを実行しなければならず面倒な場合があります。
+Kubernetesアプリケーションは通常、複数の独立したサービスから構成され、それぞれが独自のコンテナで動作しています。これらのサービスをリモートのKubernetesクラスター上で開発・デバッグするには、[実行中のコンテナへのシェルを取得](/ja/docs/tasks/debug/debug-application/get-shell-running-container/)してリモートシェル内でツールを実行しなければならず面倒な場合があります。
 
 `telepresence`は、リモートKubernetesクラスターにサービスをプロキシーしながら、ローカルでサービスを開発・デバッグするプロセスを容易にするためのツールです。
 `telepresence` を使用すると、デバッガーやIDEなどのカスタムツールをローカルサービスで使用でき、ConfigMapやsecret、リモートクラスター上で動作しているサービスへのフルアクセスをサービスに提供します。

From b3f8293850911fefb2bc614899e7bc0025f15e4e Mon Sep 17 00:00:00 2001
From: Madhumita Kundo <madhumita.kundo@ibm.com>
Date: Sun, 26 Feb 2023 12:20:18 +0000
Subject: [PATCH 031/215] [en] Update outdated update-readme-doc

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index cbc8617dff809..7aa81971cf126 100644
--- a/README.md
+++ b/README.md
@@ -70,7 +70,7 @@ This will start the local Hugo server on port 1313. Open up your browser to <htt
 
 ## Building the API reference pages
 
-The API reference pages located in `content/en/docs/reference/kubernetes-api` are built from the Swagger specification, using <https://github.com/kubernetes-sigs/reference-docs/tree/master/gen-resourcesdocs>.
+The API reference pages located in `content/en/docs/reference/kubernetes-api` are built from the Swagger specification, also known as OpenAPI specification, using <https://github.com/kubernetes-sigs/reference-docs/tree/master/gen-resourcesdocs>.
 
 To update the reference pages for a new Kubernetes release follow these steps:
 

From 76694cd68c8b4414bba59cca63f5d03574c940f7 Mon Sep 17 00:00:00 2001
From: "xin.li" <xin.li@daocloud.io>
Date: Tue, 28 Feb 2023 12:02:18 +0800
Subject: [PATCH 032/215] [zh-cn]sync blog 2022-09-07-iptables-chains.md

Signed-off-by: xin.li <xin.li@daocloud.io>
---
 .../blog/_posts/2022-09-07-iptables-chains.md | 343 ++++++++++++++++++
 1 file changed, 343 insertions(+)
 create mode 100644 content/zh-cn/blog/_posts/2022-09-07-iptables-chains.md

diff --git a/content/zh-cn/blog/_posts/2022-09-07-iptables-chains.md b/content/zh-cn/blog/_posts/2022-09-07-iptables-chains.md
new file mode 100644
index 0000000000000..2f6da8a69f043
--- /dev/null
+++ b/content/zh-cn/blog/_posts/2022-09-07-iptables-chains.md
@@ -0,0 +1,343 @@
+---
+layout: blog
+title: "Kubernetes 的 iptables 链不是 API"
+date: 2022-09-07
+slug: iptables-chains-not-api
+---
+
+<!--
+layout: blog
+title: "Kubernetes’s IPTables Chains Are Not API"
+date: 2022-09-07
+slug: iptables-chains-not-api
+-->
+
+<!--
+**Author:** Dan Winship (Red Hat)
+-->
+**作者：** Dan Winship (Red Hat)
+
+**译者：** Xin Li (DaoCloud)
+
+<!--
+Some Kubernetes components (such as kubelet and kube-proxy) create
+iptables chains and rules as part of their operation. These chains
+were never intended to be part of any Kubernetes API/ABI guarantees,
+but some external components nonetheless make use of some of them (in
+particular, using `KUBE-MARK-MASQ` to mark packets as needing to be
+masqueraded).
+-->
+一些 Kubernetes 组件（例如 kubelet 和 kube-proxy）在执行操作时，会创建特定的 iptables 链和规则。
+这些链从未被计划使其成为任何 Kubernetes API/ABI 保证的一部分，
+但一些外部组件仍然使用其中的一些链（特别是使用 `KUBE-MARK-MASQ` 将数据包标记为需要伪装）。
+
+<!--
+As a part of the v1.25 release, SIG Network made this declaration
+explicit: that (with one exception), the iptables chains that
+Kubernetes creates are intended only for Kubernetes’s own internal
+use, and third-party components should not assume that Kubernetes will
+create any specific iptables chains, or that those chains will contain
+any specific rules if they do exist.
+-->
+作为 v1.25 版本的一部分，SIG Network 明确声明：
+Kubernetes 创建的 iptables 链仅供 Kubernetes 内部使用（有一个例外），
+第三方组件不应假定 Kubernetes 会创建任何特定的 iptables 链，
+或者这些链将包含任何特定的规则（即使它们确实存在）。
+
+<!--
+Then, in future releases, as part of [KEP-3178], we will begin phasing
+out certain chains that Kubernetes itself no longer needs. Components
+outside of Kubernetes itself that make use of `KUBE-MARK-MASQ`,
+`KUBE-MARK-DROP`, or other Kubernetes-generated iptables chains should
+start migrating away from them now.
+-->
+然后，在未来的版本中，作为 [KEP-3178] 的一部分，我们将开始逐步淘汰 Kubernetes
+本身不再需要的某些链。Kubernetes 自身之外且使用了 `KUBE-MARK-MASQ`、`KUBE-MARK-DROP`
+或 Kubernetes 所生成的其它 iptables 链的组件应当开始迁移。
+
+[KEP-3178]: https://github.com/kubernetes/enhancements/issues/3178
+
+<!--
+## Background
+
+In addition to various service-specific iptables chains, kube-proxy
+creates certain general-purpose iptables chains that it uses as part
+of service proxying. In the past, kubelet also used iptables for a few
+features (such as setting up `hostPort` mapping for pods) and so it
+also redundantly created some of the same chains.
+-->
+## 背景   {#background}
+
+除了各种为 Service 创建的 iptables 链之外，kube-proxy 还创建了某些通用 iptables 链，
+用作服务代理的一部分。 过去，kubelet 还使用 iptables
+来实现一些功能（例如为 Pod 设置 `hostPort` 映射），因此它也冗余地创建了一些重复的链。
+
+<!--
+However, with [the removal of dockershim] in Kubernetes in 1.24,
+kubelet now no longer ever uses any iptables rules for its own
+purposes; the things that it used to use iptables for are now always
+the responsibility of the container runtime or the network plugin, and
+there is no reason for kubelet to be creating any iptables rules.
+
+Meanwhile, although `iptables` is still the default kube-proxy backend
+on Linux, it is unlikely to remain the default forever, since the
+associated command-line tools and kernel APIs are essentially
+deprecated, and no longer receiving improvements. (RHEL 9
+[logs a warning] if you use the iptables API, even via
+`iptables-nft`.)
+-->
+然而，随着 1.24 版本 Kubernetes 中 [dockershim 的移除]，
+kubelet 现在不再为某种目的使用任何 iptables 规则；
+过去使用 iptables 来完成的事情现在总是由容器运行时或网络插件负责，
+现在 kubelet 没有理由创建任何 iptables 规则。
+
+同时，虽然 iptables 仍然是 Linux 上默认的 kube-proxy 后端，
+但它不会永远是默认选项，因为相关的命令行工具和内核 API 基本上已被弃用，
+并且不再得到改进。（RHEL 9 [记录警告] 如果你使用 iptables API，即使是通过 `iptables-nft`。）
+
+<!--
+Although as of Kubernetes 1.25 iptables kube-proxy remains popular,
+and kubelet continues to create the iptables rules that it
+historically created (despite no longer _using_ them), third party
+software cannot assume that core Kubernetes components will keep
+creating these rules in the future.
+
+[the removal of dockershim]: https://kubernetes.io/blog/2022/02/17/dockershim-faq/
+[logs a warning]: https://access.redhat.com/solutions/6739041
+-->
+尽管在 Kubernetes 1.25，iptables kube-proxy 仍然很流行，
+并且 kubelet 继续创建它过去创建的 iptables 规则（尽管不再**使用**它们），
+第三方软件不能假设核心 Kubernetes 组件将来会继续创建这些规则。
+
+[移除 dockershim]: https://kubernetes.io/zh-cn/blog/2022/02/17/dockershim-faq/
+[记录警告]: https://access.redhat.com/solutions/6739041
+
+<!--
+## Upcoming changes
+
+Starting a few releases from now, kubelet will no longer create the
+following iptables chains in the `nat` table:
+
+  - `KUBE-MARK-DROP`
+  - `KUBE-MARK-MASQ`
+  - `KUBE-POSTROUTING`
+
+Additionally, the `KUBE-FIREWALL` chain in the `filter` table will no
+longer have the functionality currently associated with
+`KUBE-MARK-DROP` (and it may eventually go away entirely).
+-->
+## 即将发生的变化
+
+从现在开始的几个版本中，kubelet 将不再在 `nat` 表中创建以下 iptables 链：
+
+  - `KUBE-MARK-DROP`
+  - `KUBE-MARK-MASQ`
+  - `KUBE-POSTROUTING`
+
+此外，`filter` 表中的 `KUBE-FIREWALL` 链将不再具有当前与
+`KUBE-MARK-DROP` 关联的功能（并且它最终可能会完全消失）。
+
+<!--
+This change will be phased in via the `IPTablesOwnershipCleanup`
+feature gate.  That feature gate is available and can be manually
+enabled for testing in Kubernetes 1.25. The current plan is that it
+will become enabled-by-default in Kubernetes 1.27, though this may be
+delayed to a later release. (It will not happen sooner than Kubernetes
+1.27.)
+-->
+此更改将通过 `IPTablesOwnershipCleanup` 特性门控逐步实施。
+你可以手动在 Kubernetes 1.25 中开启此特性进行测试。
+目前的计划是将其在 Kubernetes 1.27 中默认启用，
+尽管这可能会延迟到以后的版本。（不会在 Kubernetes 1.27 版本之前调整。）
+
+<!--
+## What to do if you use Kubernetes’s iptables chains
+
+(Although the discussion below focuses on short-term fixes that are
+still based on iptables, you should probably also start thinking about
+eventually migrating to nftables or another API).
+-->
+## 如果你使用 Kubernetes 的 iptables 链怎么办
+
+（尽管下面的讨论侧重于仍然基于 iptables 的短期修复，
+但你可能也应该开始考虑最终迁移到 nftables 或其他 API。）
+
+<!--
+### If you use `KUBE-MARK-MASQ`... {#use-case-kube-mark-masq}
+
+If you are making use of the `KUBE-MARK-MASQ` chain to cause packets
+to be masqueraded, you have two options: (1) rewrite your rules to use
+`-j MASQUERADE` directly, (2) create your own alternative “mark for
+masquerade” chain.
+-->
+### 如果你使用 `KUBE-MARK-MASQ` 链...  {#use-case-kube-mark-drop}
+
+如果你正在使用 `KUBE-MARK-MASQ` 链来伪装数据包，
+你有两个选择：（1）重写你的规则以直接使用 `-j MASQUERADE`，
+（2）创建你自己的替代链，完成“为伪装而设标记”的任务。
+
+<!--
+The reason kube-proxy uses `KUBE-MARK-MASQ` is because there are lots
+of cases where it needs to call both `-j DNAT` and `-j MASQUERADE` on
+a packet, but it’s not possible to do both of those at the same time
+in iptables; `DNAT` must be called from the `PREROUTING` (or `OUTPUT`)
+chain (because it potentially changes where the packet will be routed
+to) while `MASQUERADE` must be called from `POSTROUTING` (because the
+masqueraded source IP that it picks depends on what the final routing
+decision was).
+-->
+kube-proxy 使用 `KUBE-MARK-MASQ` 的原因是因为在很多情况下它需要在数据包上同时调用 
+`-j DNAT` 和 `-j MASQUERADE`，但不可能同时在 iptables 中调用这两种方法；
+`DNAT` 必须从 `PREROUTING`（或 `OUTPUT`）链中调用（因为它可能会改变数据包将被路由到的位置）而
+`MASQUERADE` 必须从 `POSTROUTING` 中调用（因为它伪装的源 IP 地址取决于最终的路由）。
+
+<!--
+In theory, kube-proxy could have one set of rules to match packets in
+`PREROUTING`/`OUTPUT` and call `-j DNAT`, and then have a second set
+of rules to match the same packets in `POSTROUTING` and call `-j
+MASQUERADE`. But instead, for efficiency, it only matches them once,
+during `PREROUTING`/`OUTPUT`, at which point it calls `-j DNAT` and
+then calls `-j KUBE-MARK-MASQ` to set a bit on the kernel packet mark
+as a reminder to itself. Then later, during `POSTROUTING`, it has a
+single rule that matches all previously-marked packets, and calls `-j
+MASQUERADE` on them.
+-->
+理论上，kube-proxy 可以有一组规则来匹配 `PREROUTING`/`OUTPUT`
+中的数据包并调用 `-j DNAT`，然后有第二组规则来匹配 `POSTROUTING`
+中的相同数据包并调用 `-j MASQUERADE`。
+但是，为了提高效率，kube-proxy 只匹配了一次，在 `PREROUTING`/`OUTPUT` 期间调用 `-j DNAT`，
+然后调用 `-j KUBE-MARK-MASQ` 在内核数据包标记属性上设置一个比特，作为对自身的提醒。
+然后，在 `POSTROUTING` 期间，通过一条规则来匹配所有先前标记的数据包，并对它们调用 `-j MASQUERADE`。
+
+<!--
+If you have _a lot_ of rules where you need to apply both DNAT and
+masquerading to the same packets like kube-proxy does, then you may
+want a similar arrangement. But in many cases, components that use
+`KUBE-MARK-MASQ` are only doing it because they copied kube-proxy’s
+behavior without understanding why kube-proxy was doing it that way.
+Many of these components could easily be rewritten to just use
+separate DNAT and masquerade rules. (In cases where no DNAT is
+occurring then there is even less point to using `KUBE-MARK-MASQ`;
+just move your rules from `PREROUTING` to `POSTROUTING` and call `-j
+MASQUERADE` directly.)
+-->
+如果你有**很多**规则需要像 kube-proxy 一样对同一个数据包同时执行 DNAT 和伪装操作，
+那么你可能需要类似的安排。但在许多情况下，使用 `KUBE-MARK-MASQ` 的组件之所以这样做，
+只是因为它们复制了 kube-proxy 的行为，而不理解 kube-proxy 为何这样做。
+许多这些组件可以很容易地重写为仅使用单独的 DNAT 和伪装规则。
+（在没有发生 DNAT 的情况下，使用 `KUBE-MARK-MASQ` 的意义就更小了；
+只需将你的规则从 `PREROUTING` 移至 `POSTROUTING` 并直接调用 `-j MASQUERADE`。）
+
+<!--
+### If you use `KUBE-MARK-DROP`... {#use-case-kube-mark-drop}
+
+The rationale for `KUBE-MARK-DROP` is similar to the rationale for
+`KUBE-MARK-MASQ`: kube-proxy wanted to make packet-dropping decisions
+alongside other decisions in the `nat` `KUBE-SERVICES` chain, but you
+can only call `-j DROP` from the `filter` table. So instead, it uses
+`KUBE-MARK-DROP` to mark packets to be dropped later on.
+-->
+### 如果你使用 `KUBE-MARK-DROP`... {#use-case-kube-mark-drop}
+
+`KUBE-MARK-DROP` 的基本原理与 `KUBE-MARK-MASQ` 类似：
+kube-proxy 想要在 `nat` `KUBE-SERVICES` 链中做出丢包决定以及其他决定，
+但你只能从 `filter` 表中调用 `-j DROP`。
+
+<!--
+In general, the approach for removing a dependency on `KUBE-MARK-DROP`
+is the same as for removing a dependency on `KUBE-MARK-MASQ`. In
+kube-proxy’s case, it is actually quite easy to replace the usage of
+`KUBE-MARK-DROP` in the `nat` table with direct calls to `DROP` in the
+`filter` table, because there are no complicated interactions between
+DNAT rules and drop rules, and so the drop rules can simply be moved
+from `nat` to `filter`.
+
+In more complicated cases, it might be necessary to “re-match” the
+same packets in both `nat` and `filter`.
+-->
+通常，删除对 `KUBE-MARK-DROP` 的依赖的方法与删除对 `KUBE-MARK-MASQ` 的依赖的方法相同。
+在 kube-proxy 的场景中，很容易将 `nat` 表中的 `KUBE-MARK-DROP`
+的用法替换为直接调用 `filter` 表中的 `DROP`，因为 DNAT 规则和 DROP 规则之间没有复杂的交互关系，
+因此 DROP 规则可以简单地从 `nat` 移动到 `filter`。
+更复杂的场景中，可能需要在 `nat` 和 `filter` 表中“重新匹配”相同的数据包。
+
+<!--
+### If you use Kubelet’s iptables rules to figure out `iptables-legacy` vs `iptables-nft`... {#use-case-iptables-mode}
+
+Components that manipulate host-network-namespace iptables rules from
+inside a container need some way to figure out whether the host is
+using the old `iptables-legacy` binaries or the newer `iptables-nft`
+binaries (which talk to a different kernel API underneath).
+-->
+### 如果你使用 Kubelet 的 iptables 规则来确定 `iptables-legacy` 与 `iptables-nft`... {#use-case-iptables-mode}
+
+对于从容器内部操纵主机网络命名空间 iptables 规则的组件而言，需要一些方法来确定主机是使用旧的
+`iptables-legacy` 二进制文件还是新的 `iptables-nft` 二进制文件（与不同的内核 API 交互）下。
+
+<!--
+The [`iptables-wrappers`] module provides a way for such components to
+autodetect the system iptables mode, but in the past it did this by
+assuming that Kubelet will have created “a bunch” of iptables rules
+before any containers start, and so it can guess which mode the
+iptables binaries in the host filesystem are using by seeing which
+mode has more rules defined.
+
+In future releases, Kubelet will no longer create many iptables rules,
+so heuristics based on counting the number of rules present may fail.
+-->
+[`iptables-wrappers`] 模块为此类组件提供了一种自动检测系统 iptables 模式的方法，
+但在过去，它通过假设 kubelet 将在任何容器启动之前创建“一堆” iptables
+规则来实现这一点，因此它可以通过查看哪种模式定义了更多规则来猜测主机文件系统中的
+iptables 二进制文件正在使用哪种模式。
+
+在未来的版本中，kubelet 将不再创建许多 iptables 规则，
+因此基于计算存在的规则数量的启发式方法可能会失败。
+
+<!--
+However, as of 1.24, Kubelet always creates a chain named
+`KUBE-IPTABLES-HINT` in the `mangle` table of whichever iptables
+subsystem it is using. Components can now look for this specific chain
+to know which iptables subsystem Kubelet (and thus, presumably, the
+rest of the system) is using.
+
+(Additionally, since Kubernetes 1.17, kubelet has created a chain
+called `KUBE-KUBELET-CANARY` in the `mangle` table. While this chain
+may go away in the future, it will of course still be there in older
+releases, so in any recent version of Kubernetes, at least one of
+`KUBE-IPTABLES-HINT` or `KUBE-KUBELET-CANARY` will be present.)
+-->
+然而，从 1.24 开始，kubelet 总是在它使用的任何 iptables 子系统的
+`mangle` 表中创建一个名为 `KUBE-IPTABLES-HINT` 的链。
+组件现在可以查找这个特定的链，以了解 kubelet（以及系统的其余部分）正在使用哪个 iptables 子系统。
+
+（此外，从 Kubernetes 1.17 开始，kubelet 在 `mangle` 表中创建了一个名为 `KUBE-KUBELET-CANARY` 的链。
+虽然这条链在未来可能会消失，但它仍然会在旧版本中存在，因此在任何最新版本的 Kubernetes 中，
+至少会包含 `KUBE-IPTABLES-HINT` 或 `KUBE-KUBELET-CANARY` 两条链的其中一个。）
+
+<!--
+The `iptables-wrappers` package has [already been updated] with this new
+heuristic, so if you were previously using that, you can rebuild your
+container images with an updated version of that.
+
+[`iptables-wrappers`]: https://github.com/kubernetes-sigs/iptables-wrappers/
+[already been updated]: https://github.com/kubernetes-sigs/iptables-wrappers/pull/3
+-->
+`iptables-wrappers` 包[已经被更新]，以提供这个新的启发式逻辑，
+所以如果你以前使用过它，你可以用它的更新版本重建你的容器镜像。
+
+[`iptables-wrappers`]: https://github.com/kubernetes-sigs/iptables-wrappers/
+[已经更新]: https://github.com/kubernetes-sigs/iptables-wrappers/pull/3
+
+<!--
+## Further reading
+
+The project to clean up iptables chain ownership and deprecate the old
+chains is tracked by [KEP-3178].
+
+[KEP-3178]: https://github.com/kubernetes/enhancements/issues/3178
+-->
+## 延伸阅读
+
+[KEP-3178] 跟踪了清理 iptables 链所有权和弃用旧链的项目。
+
+[KEP-3178]: https://github.com/kubernetes/enhancements/issues/3178
\ No newline at end of file

From 0dba6571d5bc7c524db95524f684cea3b201855e Mon Sep 17 00:00:00 2001
From: Arhell <arhell333@gmail.com>
Date: Sat, 4 Mar 2023 10:56:17 +0200
Subject: [PATCH 033/215] [es] Change shell to console for code snippet

---
 .../configure-pod-container/configure-volume-storage.md     | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/content/es/docs/tasks/configure-pod-container/configure-volume-storage.md b/content/es/docs/tasks/configure-pod-container/configure-volume-storage.md
index c4f08f29690e8..f5f8b17d97a77 100644
--- a/content/es/docs/tasks/configure-pod-container/configure-volume-storage.md
+++ b/content/es/docs/tasks/configure-pod-container/configure-volume-storage.md
@@ -41,7 +41,7 @@ En este ejercicio crearás un Pod que ejecuta un único Contenedor. Este Pod tie
 
     La salida debería ser similar a:
 
-    ```shell
+    ```console
     NAME      READY     STATUS    RESTARTS   AGE
     redis     1/1       Running   0          13s
     ```
@@ -69,7 +69,7 @@ En este ejercicio crearás un Pod que ejecuta un único Contenedor. Este Pod tie
 
     La salida debería ser similar a:
 
-    ```shell
+    ```console
     USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
     redis        1  0.1  0.1  33308  3828 ?        Ssl  00:46   0:00 redis-server *:6379
     root        12  0.0  0.0  20228  3020 ?        Ss   00:47   0:00 /bin/bash
@@ -86,7 +86,7 @@ En este ejercicio crearás un Pod que ejecuta un único Contenedor. Este Pod tie
 
 1. En el terminal original, observa los cambios en el Pod de Redis. Eventualmente verás algo como lo siguiente:
 
-    ```shell
+    ```console
     NAME      READY     STATUS     RESTARTS   AGE
     redis     1/1       Running    0          13s
     redis     0/1       Completed  0         6m

From 1318d4085311fa31566f16623c799035323682b3 Mon Sep 17 00:00:00 2001
From: David Xia <davidxia@users.noreply.github.com>
Date: Sat, 4 Mar 2023 07:12:56 -0500
Subject: [PATCH 034/215] fix docs: update user-namespaces.md for English usage

Make it grammatically correct and more concise.
---
 content/en/docs/concepts/workloads/pods/user-namespaces.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/docs/concepts/workloads/pods/user-namespaces.md b/content/en/docs/concepts/workloads/pods/user-namespaces.md
index 4241104ad4b61..0217490aa875d 100644
--- a/content/en/docs/concepts/workloads/pods/user-namespaces.md
+++ b/content/en/docs/concepts/workloads/pods/user-namespaces.md
@@ -10,7 +10,7 @@ min-kubernetes-server-version: v1.25
 {{< feature-state for_k8s_version="v1.25" state="alpha" >}}
 
 This page explains how user namespaces are used in Kubernetes pods. A user
-namespace allows to isolate the user running inside the container from the one
+namespace isolates the user running inside the container from the one
 in the host.
 
 A process running as root in a container can run as a different (non-root) user

From 6ceae5e94320cdc4b7d53e180bd94a15f7bb280e Mon Sep 17 00:00:00 2001
From: marianogg9 <gonzalez.mariano.gabriel@gmail.com>
Date: Sat, 4 Mar 2023 15:06:16 +0100
Subject: [PATCH 035/215] added [ES] translated finalizer glossary item +
 concept page

---
 .../working-with-objects/finalizers.md        | 87 +++++++++++++++++++
 .../es/docs/reference/glossary/finalizer.md   | 36 ++++++++
 2 files changed, 123 insertions(+)
 create mode 100644 content/es/docs/concepts/overview/working-with-objects/finalizers.md
 create mode 100644 content/es/docs/reference/glossary/finalizer.md

diff --git a/content/es/docs/concepts/overview/working-with-objects/finalizers.md b/content/es/docs/concepts/overview/working-with-objects/finalizers.md
new file mode 100644
index 0000000000000..04404f1e70cac
--- /dev/null
+++ b/content/es/docs/concepts/overview/working-with-objects/finalizers.md
@@ -0,0 +1,87 @@
+---
+title: Finalizadores
+content_type: concept
+weight: 80
+---
+
+<!-- overview -->
+
+{{<glossary_definition term_id="finalizer" length="long">}}
+
+Puedes usar finalizadores para controlar {{<glossary_tooltip text="garbage collection" term_id="garbage-collection">}}
+de los recursos alertando a los controladores para que ejecuten tareas de limpieza especificas antes de eliminar el recurso.
+
+Los finalizadores usualmente no especifican codigo a ejecutar, sino que son generalmente listas de parametros referidos a
+un recurso especifico, similares a las anotaciones. Kubernetes especifica algunos finalizadores automaticamente,
+pero podrías especificar tus propios.
+
+## Cómo funcionan los finalizadores
+
+Cuando creas un recurso utilizando un archivo de manifiesto, puedes especificar 
+finalizadores mediante el campo `metadata.finalizers`. Cuando intentas eliminar el
+recurso, el servidor API que maneja el pedido de eliminación ve los valores en el
+campo `finalizadores` y hace lo siguiente:
+
+  * Modifica el objecto para agregar un campo `metadata.deletionTimestamp` con
+    el momento en que comenzaste la eliminación.
+  * Previene que el objeto sea eliminado hasta que su campo `metadata.finalizers`
+    este vacío.
+  * Retorna un codigo de estado `202` (HTTP "Aceptado")
+
+El controlador que meneja ese finalizador recibe la actualización del objecto
+configurando el campo `metadata.deletionTimestamp`, indicando que la eliminación
+del objeto ha sido solicitada.
+El controlador luego intenta satisfacer los requerimientos de los finalizadores
+especificados para ese recurso. Cada vez que una condición del finalizador es
+satisfecha, el controlador remueve ese parametro del campo `finalizadores`. Cuando
+el campo `finalizadores` esta vacío, un objeto con un campo `deletionTimestamp`
+configurado es automaticamente borrado. Puedes tambien utilizar finalizadores para
+prevenir el borrado de recursos no manejados.
+
+Un ejemplo usual de un finalizador es `kubernetes.io/pv-protection`, el cual
+previene el borrado accidental de objetos `PersistentVolume`. Cuando un objeto
+`PersistentVolume` está en uso por un Pod, Kubernetes agrega el finalizador
+`pv-protection`. Si intentas elimiar el `PersistentVolume`, este pasa a un estado
+`Terminating`, pero el controlador no puede eliminarlo ya que existe el finalizador.
+Cuando el Pod deja de utilizar el `PersistentVolume`, Kubernetes borra el finalizador
+`pv-protection` y el controlador borra el volumen.
+
+## Referencias de dueño, etiquetas y finalizadores (#dueños-etiquetas-finalizadores)
+
+Al igual que las {{<glossary_tooltip text="etiquetas" term_id="label">}}, las
+[referencias de dueño](/docs/concepts/overview/working-with-objects/owners-dependents/)
+describen las relaciones entre objetos en Kubernetes, pero son utilizadas para un
+propósito diferente. Cuando un
+{{<glossary_tooltip text="controlador" term_id="controller">}} maneja objetos como
+Pods, utiliza etiquetas para identificar cambios a grupos de objetos relacionados.
+Por ejemplo, cuando un {{<glossary_tooltip text="Job" term_id="job">}} crea uno
+o más Pods, el controlador del Job agrega etiquetas a esos pods para identificar cambios
+a cualquier Pod en el cluster con la misma etiqueta.
+
+El controlador del Job tambien agrega *referencias de dueño* a esos Pods, referidas
+al Job que creo a los Pods. Si borras el Job mientras estos Pods estan corriendo,
+Kubernetes utiliza las referencias de dueño (no las etiquetas) para determinar
+cuáles Pods en el cluster deberían ser borrados.
+
+Kubernetes también procesa finalizadores cuando identifica referencias de dueño en
+un recurso que ha sido marcado para eliminación.
+
+En algunas situaciones, los finalizadores pueden bloquear el borrado de objetos
+dependientes, causando que el objeto inicial a borrar permanezca más de lo
+esperado sin ser completamente eliminado. En esas situaciones, deberías chequear
+finalizadores y referencias de dueños en los objetos y sus dependencias para
+intentar solucionarlo.
+
+{{<note>}}
+En casos donde los objetos queden bloqueados en un estado de eliminación, evita
+borrarlos manualmente para que el proceso continue. Los finalizadores usualmente
+son agregados a los recursos por una razón, por lo cual eliminarlos forzosamente
+puede causar problemas en tu cluster. Borrados manuales sólo deberían ejecutados
+cuando el propósito del finalizador es entendido y satisfecho de alguna otra manera (por
+ejemplo, borrando manualmente un objeto dependiente).
+{{</note>}}
+
+## {{% heading "whatsnext" %}}
+
+* Lea [Using Finalizers to Control Deletion](/blog/2021/05/14/using-finalizers-to-control-deletion/)
+  en el blog de Kubernetes.
\ No newline at end of file
diff --git a/content/es/docs/reference/glossary/finalizer.md b/content/es/docs/reference/glossary/finalizer.md
new file mode 100644
index 0000000000000..765ab36a83ad0
--- /dev/null
+++ b/content/es/docs/reference/glossary/finalizer.md
@@ -0,0 +1,36 @@
+---
+title: Finalizador
+id: finalizer
+date: 2021-07-07
+full_link: /docs/concepts/overview/working-with-objects/finalizers/
+short_description: >
+  Un atributo de un namespace que dicta a Kubernetes a esperar hasta que condiciones
+  especificas son satisfechas antes que pueda borrar un objeto marcado para eliminacion.
+aka: 
+tags:
+- fundamental
+- operation
+---
+Los finalizadores son atributos de un namespace que dictan a Kubernetes a
+esperar a que ciertas condiciones sean satisfechas antes que pueda borrar
+definitivamente un objeto que ha sido marcado para eliminarse.
+Los finalizadores alertan a los {{<glossary_tooltip text="controladores" term_id="controller">}}
+para borrar recursos que poseian esos objetos eliminados.
+
+<!--more-->
+
+Cuando instruyes a Kubernetes a borrar un objeto que tiene finalizadores
+especificados, la API de Kubernetes marca ese objeto para eliminacion
+configurando el campo `metadata.deletionTimestamp`, y retorna un codigo de
+estado `202` (HTTP "Aceptado"). 
+El objeto a borrar permanece en un estado
+de terminacion mientras el plano de contol, u otros componentes, ejecutan
+las acciones definidas en los finalizadores.
+Luego de que esas acciones son completadas, el controlador borra los 
+finalizadores relevantes del objeto. Cuando el campo `metadata.finalizers`
+esta vacio, Kubernetes considera el proceso de eliminacion completo y borra
+el objeto.
+
+Puedes utilizar finalizadores para controlar {{<glossary_tooltip text="garbage collection" term_id="garbage-collection">}}
+de recursos. Por ejemplo, puedes definir un finalizador para borrar recursos
+relacionados o infraestructura antes que el controlador elimine el objeto.
\ No newline at end of file

From e342648b91f3bda1b7f35cd39feb8acca957d2ef Mon Sep 17 00:00:00 2001
From: Mengjiao Liu <mengjiao.liu@daocloud.io>
Date: Fri, 3 Mar 2023 15:26:02 +0800
Subject: [PATCH 036/215] Fix the description of Service External IPs to match
 the YAML example

---
 content/en/docs/concepts/services-networking/service.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/docs/concepts/services-networking/service.md b/content/en/docs/concepts/services-networking/service.md
index bb6b1d3750029..09690eb71ece4 100644
--- a/content/en/docs/concepts/services-networking/service.md
+++ b/content/en/docs/concepts/services-networking/service.md
@@ -1165,7 +1165,7 @@ will be routed to one of the Service endpoints. `externalIPs` are not managed by
 of the cluster administrator.
 
 In the Service spec, `externalIPs` can be specified along with any of the `ServiceTypes`.
-In the example below, "`my-service`" can be accessed by clients on "`80.11.12.10:80`" (`externalIP:port`)
+In the example below, "`my-service`" can be accessed by clients on "`198.51.100.32:80`" (`externalIP:port`)
 
 ```yaml
 apiVersion: v1

From f9ccb1412d298eef83d739c1b13ea3c98a696c32 Mon Sep 17 00:00:00 2001
From: s-kawamura-w664 <s-kawamura_p@nec.com>
Date: Mon, 6 Mar 2023 04:23:41 +0000
Subject: [PATCH 037/215] [ja] Update page weights under security, storage and
 workloads.

---
 content/ja/docs/concepts/security/_index.md                 | 2 +-
 content/ja/docs/concepts/security/controlling-access.md     | 1 +
 content/ja/docs/concepts/security/overview.md               | 2 +-
 content/ja/docs/concepts/storage/dynamic-provisioning.md    | 2 +-
 content/ja/docs/concepts/storage/storage-capacity.md        | 2 +-
 content/ja/docs/concepts/storage/storage-limits.md          | 1 +
 content/ja/docs/concepts/storage/volume-pvc-datasource.md   | 2 +-
 content/ja/docs/concepts/storage/volume-snapshot-classes.md | 2 +-
 content/ja/docs/concepts/workloads/_index.md                | 2 +-
 9 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/content/ja/docs/concepts/security/_index.md b/content/ja/docs/concepts/security/_index.md
index 0088a3ea95d7e..b0912322b0263 100644
--- a/content/ja/docs/concepts/security/_index.md
+++ b/content/ja/docs/concepts/security/_index.md
@@ -1,6 +1,6 @@
 ---
 title: "セキュリティ"
-weight: 81
+weight: 85
 description: >
   クラウドネイティブなワークロードをセキュアに維持するための概念
 ---
diff --git a/content/ja/docs/concepts/security/controlling-access.md b/content/ja/docs/concepts/security/controlling-access.md
index b9ec55417f5e6..576613895ee4c 100644
--- a/content/ja/docs/concepts/security/controlling-access.md
+++ b/content/ja/docs/concepts/security/controlling-access.md
@@ -1,6 +1,7 @@
 ---
 title: Kubernetes APIへのアクセスコントロール
 content_type: concept
+weight: 50
 ---
 
 <!-- overview -->
diff --git a/content/ja/docs/concepts/security/overview.md b/content/ja/docs/concepts/security/overview.md
index c9d656a423268..ca4410b775196 100644
--- a/content/ja/docs/concepts/security/overview.md
+++ b/content/ja/docs/concepts/security/overview.md
@@ -2,7 +2,7 @@
 reviewers:
 title: クラウドネイティブセキュリティの概要
 content_type: concept
-weight: 10
+weight: 1
 ---
 
 <!-- overview -->
diff --git a/content/ja/docs/concepts/storage/dynamic-provisioning.md b/content/ja/docs/concepts/storage/dynamic-provisioning.md
index 94bee64ed101a..07206c09830c3 100644
--- a/content/ja/docs/concepts/storage/dynamic-provisioning.md
+++ b/content/ja/docs/concepts/storage/dynamic-provisioning.md
@@ -2,7 +2,7 @@
 reviewers:
 title: ボリュームの動的プロビジョニング(Dynamic Volume Provisioning)
 content_type: concept
-weight: 40
+weight: 50
 ---
 
 <!-- overview -->
diff --git a/content/ja/docs/concepts/storage/storage-capacity.md b/content/ja/docs/concepts/storage/storage-capacity.md
index cff887a125a81..1151706a4f9c7 100644
--- a/content/ja/docs/concepts/storage/storage-capacity.md
+++ b/content/ja/docs/concepts/storage/storage-capacity.md
@@ -1,7 +1,7 @@
 ---
 title: ストレージ容量
 content_type: concept
-weight: 45
+weight: 80
 ---
 
 <!-- overview -->
diff --git a/content/ja/docs/concepts/storage/storage-limits.md b/content/ja/docs/concepts/storage/storage-limits.md
index 4f38361f0848a..e3df1f3bc9732 100644
--- a/content/ja/docs/concepts/storage/storage-limits.md
+++ b/content/ja/docs/concepts/storage/storage-limits.md
@@ -1,6 +1,7 @@
 ---
 title: ノード固有のボリューム制限
 content_type: concept
+weight: 90
 ---
 
 <!-- overview -->
diff --git a/content/ja/docs/concepts/storage/volume-pvc-datasource.md b/content/ja/docs/concepts/storage/volume-pvc-datasource.md
index fc1b7ae4b9d7d..8e0a9f7c7b86b 100644
--- a/content/ja/docs/concepts/storage/volume-pvc-datasource.md
+++ b/content/ja/docs/concepts/storage/volume-pvc-datasource.md
@@ -1,7 +1,7 @@
 ---
 title: CSI Volume Cloning
 content_type: concept
-weight: 30
+weight: 70
 ---
 
 <!-- overview -->
diff --git a/content/ja/docs/concepts/storage/volume-snapshot-classes.md b/content/ja/docs/concepts/storage/volume-snapshot-classes.md
index ca381652d22b7..5c4c999625873 100644
--- a/content/ja/docs/concepts/storage/volume-snapshot-classes.md
+++ b/content/ja/docs/concepts/storage/volume-snapshot-classes.md
@@ -2,7 +2,7 @@
 reviewers:
 title: VolumeSnapshotClass
 content_type: concept
-weight: 30
+weight: 61 # just after volume snapshots
 ---
 
 <!-- overview -->
diff --git a/content/ja/docs/concepts/workloads/_index.md b/content/ja/docs/concepts/workloads/_index.md
index ca846cd0e7e99..94631dc878d64 100644
--- a/content/ja/docs/concepts/workloads/_index.md
+++ b/content/ja/docs/concepts/workloads/_index.md
@@ -1,6 +1,6 @@
 ---
 title: "ワークロード"
-weight: 50
+weight: 55
 description: >
   Kubernetesにおけるデプロイ可能な最小のオブジェクトであるPodと、高レベルな抽象化がPodの実行を助けることを理解します。
 no_list: true

From 18107b55ae31f1b5739bbb166144da06e1ce8eb4 Mon Sep 17 00:00:00 2001
From: zhuzhenghao <zhenghao.zhu@daocloud.io>
Date: Mon, 6 Mar 2023 13:43:44 +0800
Subject: [PATCH 038/215] [zh] sync page ns-level-pss

---
 .../docs/tutorials/security/ns-level-pss.md   | 108 +++++++++---------
 1 file changed, 52 insertions(+), 56 deletions(-)

diff --git a/content/zh-cn/docs/tutorials/security/ns-level-pss.md b/content/zh-cn/docs/tutorials/security/ns-level-pss.md
index faf20f35993bf..1f793a4e375b6 100644
--- a/content/zh-cn/docs/tutorials/security/ns-level-pss.md
+++ b/content/zh-cn/docs/tutorials/security/ns-level-pss.md
@@ -11,7 +11,9 @@ weight: 20
 -->
 
 {{% alert title="Note" %}}
-<!-- This tutorial applies only for new clusters. -->
+<!--
+This tutorial applies only for new clusters.
+-->
 本教程仅适用于新集群。
 {{% /alert %}}
 
@@ -24,7 +26,7 @@ when pods are created. In this tutorial, you will enforce the `baseline` Pod Sec
 one namespace at a time.
 
 You can also apply Pod Security Standards to multiple namespaces at once at the cluster
-level. For instructions, refer to 
+level. For instructions, refer to
 [Apply Pod Security Standards at the cluster level](/docs/tutorials/security/cluster-level-pss/).
 -->
 Pod 安全准入（PSA）在 v1.23 及更高版本默认启用，
@@ -59,15 +61,17 @@ Install the following on your workstation:
 2. 按照如下方式创建一个 `KinD` 集群：
 
    ```shell
-   kind create cluster --name psa-ns-level --image kindest/node:v1.23.0
+   kind create cluster --name psa-ns-level
    ```
 
-   <!-- The output is similar to this: -->
+   <!--
+   The output is similar to this:
+   -->
    输出类似于：
 
    ```
    Creating cluster "psa-ns-level" ...
-    ✓ Ensuring node image (kindest/node:v1.23.0) 🖼 
+    ✓ Ensuring node image (kindest/node:v{{< skew currentVersion >}}.0) 🖼 
     ✓ Preparing nodes 📦  
     ✓ Writing configuration 📜 
     ✓ Starting control-plane 🕹️ 
@@ -75,26 +79,30 @@ Install the following on your workstation:
     ✓ Installing StorageClass 💾 
    Set kubectl context to "kind-psa-ns-level"
    You can now use your cluster with:
-   
+
    kubectl cluster-info --context kind-psa-ns-level
-   
+
    Not sure what to do next? 😅  Check out https://kind.sigs.k8s.io/docs/user/quick-start/
    ```
 
-<!-- 1. Set the kubectl context to the new cluster: -->
+<!--
+1. Set the kubectl context to the new cluster:
+-->
 1. 将 kubectl 上下文设置为新集群：
 
    ```shell
    kubectl cluster-info --context kind-psa-ns-level
    ```
 
-   <!-- The output is similar to this: -->
+   <!--
+   The output is similar to this:
+   -->
    输出类似于：
 
    ```
    Kubernetes control plane is running at https://127.0.0.1:50996
    CoreDNS is running at https://127.0.0.1:50996/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
-   
+
    To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
    ```
 
@@ -111,7 +119,9 @@ Create a new namespace called `example`:
 kubectl create ns example
 ```
 
-<!-- The output is similar to this: -->
+<!--
+The output is similar to this:
+-->
 输出类似于：
 
 ```
@@ -119,34 +129,35 @@ namespace/example created
 ```
 
 <!-- 
-## Apply Pod Security Standards
+## Enable Pod Security Standards checking for that namespace
 
 1. Enable Pod Security Standards on this namespace using labels supported by
-   built-in Pod Security Admission. In this step we will warn on baseline pod
-   security standard as per the latest version (default value)
+   built-in Pod Security Admission. In this step you will configure a check to
+   warn on Pods that don't meet the latest version of the _baseline_ pod
+   security standard.
 -->
-## 应用 Pod 安全标准  {#apply-pod-security-standards}
+## 为该命名空间启用 Pod 安全标准检查  {#enable-pod-security-standards-checking-for-that-namespace}
 
 1. 使用内置 Pod 安全准入所支持的标签在此名字空间上启用 Pod 安全标准。
    在这一步中，我们将根据最新版本（默认值）对基线 Pod 安全标准发出警告。
 
    ```shell
    kubectl label --overwrite ns example \
-     pod-security.kubernetes.io/warn=baseline \
-     pod-security.kubernetes.io/warn-version=latest
+      pod-security.kubernetes.io/warn=baseline \
+      pod-security.kubernetes.io/warn-version=latest
    ```
 
 <!-- 
-2. Multiple pod security standards can be enabled on any namespace, using labels.
-   Following command will `enforce` the `baseline` Pod Security Standard, but
+2. You can configure multiple pod security standard checks on any namespace, using labels.
+   The following command will `enforce` the `baseline` Pod Security Standard, but
    `warn` and `audit` for `restricted` Pod Security Standards as per the latest
    version (default value)
 -->
-2. 可以使用标签在任何名字空间上启用多个 Pod 安全标准。
+1. 你可以使用标签在任何名字空间上配置多个 Pod 安全标准检查。
    以下命令将强制（`enforce`） 执行基线（`baseline`）Pod 安全标准，
    但根据最新版本（默认值）对受限（`restricted`）Pod 安全标准执行警告（`warn`）和审核（`audit`）。
 
-   ```
+   ```shell
    kubectl label --overwrite ns example \
      pod-security.kubernetes.io/enforce=baseline \
      pod-security.kubernetes.io/enforce-version=latest \
@@ -157,56 +168,39 @@ namespace/example created
    ```
 
 <!-- 
-## Verify the Pod Security Standards
+## Verify the Pod Security Standard enforcement
 
-1. Create a minimal pod in `example` namespace:
+1. Create a baseline Pod in the `example` namespace:
 -->
 ## 验证 Pod 安全标准  {#verify-the-pod-security-standards}
 
-1. 在 `example` 名字空间中创建一个最小的 Pod：
-
-   ```shell
-   cat <<EOF > /tmp/pss/nginx-pod.yaml
-   apiVersion: v1
-   kind: Pod
-   metadata:
-     name: nginx
-   spec:
-     containers:
-       - image: nginx
-         name: nginx
-         ports:
-           - containerPort: 80
-   EOF
-   ```
-
-<!-- 
-2. Apply the pod spec to the cluster in `example` namespace: 
--->
-1. 将 Pod 规约应用到集群中的 `example` 名字空间中：
+1. 在 `example` 名字空间中创建一个基线 Pod：
 
    ```shell
-   kubectl apply -n example -f /tmp/pss/nginx-pod.yaml
+   kubectl apply -n example -f https://k8s.io/examples/security/example-baseline-pod.yaml
    ```
-
-   <!-- The output is similar to this: -->
-   输出类似于：
+   <!--
+   The Pod does start OK; the output includes a warning. For example:
+   -->
+   Pod 确实启动正常；输出包括一条警告信息。例如：
 
    ```
-   Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "nginx" must set securityContext allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx" must set securityContext seccompProfile.type to "RuntimeDefault" or "Localhost")
+   Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "nginx" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
    pod/nginx created
    ```
 
 <!-- 
-1. Apply the pod spec to the cluster in `default` namespace:
+1. Create a baseline Pod in the `default` namespace:
 -->
-3. 将 Pod 规约应用到集群中的 `default` 名字空间中：
+1. 在 `default` 名字空间中创建一个基线 Pod：
 
    ```shell
-   kubectl apply -n default -f /tmp/pss/nginx-pod.yaml
+   kubectl apply -n default -f https://k8s.io/examples/security/example-baseline-pod.yaml
    ```
 
-   <!-- Output is similar to this: -->
+   <!--
+   Output is similar to this:
+   -->
    输出类似于：
 
    ```
@@ -214,10 +208,11 @@ namespace/example created
    ```
 
 <!-- 
-The Pod Security Standards were applied only to the `example`
-namespace. You could create the same Pod in the `default` namespace
-with no warnings.
+The Pod Security Standards enforcement and warning settings were applied only
+to the `example` namespace. You could create the same Pod in the `default`
+namespace with no warnings.
 -->
+Pod 安全标准实施和警告设置仅被应用到 `example` 名字空间。
 以上 Pod 安全标准仅被应用到 `example` 名字空间。
 你可以在没有警告的情况下在 `default` 名字空间中创建相同的 Pod。
 
@@ -246,6 +241,7 @@ kind delete cluster --name psa-ns-level
   3. Apply `baseline` Pod Security Standard in `enforce` mode while applying
      `restricted` Pod Security Standard also in `warn` and `audit` mode.
   4. Create a new pod with the following pod security standards applied
+
 - [Pod Security Admission](/docs/concepts/security/pod-security-admission/)
 - [Pod Security Standards](/docs/concepts/security/pod-security-standards/)
 - [Apply Pod Security Standards at the cluster level](/docs/tutorials/security/cluster-level-pss/)

From 02c313169af7dfb04013c84594cf9e077bd84bd7 Mon Sep 17 00:00:00 2001
From: ziyi-xie <92832323+ziyi-xie@users.noreply.github.com>
Date: Mon, 6 Mar 2023 16:39:18 +0900
Subject: [PATCH 039/215] Update
 content/ja/examples/pods/pod-with-affinity-anti-affinity.yaml

Co-authored-by: atoato88 <akihito-inou@nec.com>
---
 content/ja/examples/pods/pod-with-affinity-anti-affinity.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/content/ja/examples/pods/pod-with-affinity-anti-affinity.yaml b/content/ja/examples/pods/pod-with-affinity-anti-affinity.yaml
index f5f698d1f9b57..ba21557f2d6a4 100644
--- a/content/ja/examples/pods/pod-with-affinity-anti-affinity.yaml
+++ b/content/ja/examples/pods/pod-with-affinity-anti-affinity.yaml
@@ -29,5 +29,4 @@ spec:
             - key-2
   containers:
   - name: with-node-affinity
-    image: registry.k8s.io/pause:2.0
-    
\ No newline at end of file
+    image: registry.k8s.io/pause:2.0
\ No newline at end of file

From 4813cb9484d02ac054730abe32c9fc3d65f3866e Mon Sep 17 00:00:00 2001
From: saliha <a.mohamedsaliha1@gmail.com>
Date: Fri, 24 Feb 2023 14:35:10 +0900
Subject: [PATCH 040/215] [jp]Japanese localization for main page

---
 content/ja/blog/_index.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 content/ja/blog/_index.md

diff --git a/content/ja/blog/_index.md b/content/ja/blog/_index.md
new file mode 100644
index 0000000000000..673c4aeef29ed
--- /dev/null
+++ b/content/ja/blog/_index.md
@@ -0,0 +1,4 @@
+---
+linktitle: Kubernetesブログ
+title: ドキュメント
+---

From 0e57c72a23e4293140174cfeb3afc873e78777cc Mon Sep 17 00:00:00 2001
From: saliha <a.mohamedsaliha1@gmail.com>
Date: Fri, 24 Feb 2023 14:38:54 +0900
Subject: [PATCH 041/215] changed to blog[jp]

---
 content/ja/blog/_index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ja/blog/_index.md b/content/ja/blog/_index.md
index 673c4aeef29ed..e66f28220ac76 100644
--- a/content/ja/blog/_index.md
+++ b/content/ja/blog/_index.md
@@ -1,4 +1,4 @@
 ---
 linktitle: Kubernetesブログ
-title: ドキュメント
+title: ブログ
 ---

From 2a8d459f079f8870be1f463b415eaf8eea15efd3 Mon Sep 17 00:00:00 2001
From: saliha <a.mohamedsaliha1@gmail.com>
Date: Fri, 24 Feb 2023 14:45:06 +0900
Subject: [PATCH 042/215] changing title to match with linktitle

---
 content/ja/blog/_index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ja/blog/_index.md b/content/ja/blog/_index.md
index e66f28220ac76..113c7f5a6d502 100644
--- a/content/ja/blog/_index.md
+++ b/content/ja/blog/_index.md
@@ -1,4 +1,4 @@
 ---
 linktitle: Kubernetesブログ
-title: ブログ
+title: Kubernetesブログ
 ---

From ca59f533e514a74014c9a48a41c2c1d47ac17777 Mon Sep 17 00:00:00 2001
From: Saliha <49085460+Saliha067@users.noreply.github.com>
Date: Fri, 3 Mar 2023 19:49:15 +0900
Subject: [PATCH 043/215] Update content/ja/blog/_index.md

Co-authored-by: Toshiaki Inukai <82919057+t-inu@users.noreply.github.com>
---
 content/ja/blog/_index.md | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/content/ja/blog/_index.md b/content/ja/blog/_index.md
index 113c7f5a6d502..f4f2c571cae07 100644
--- a/content/ja/blog/_index.md
+++ b/content/ja/blog/_index.md
@@ -1,4 +1,16 @@
 ---
-linktitle: Kubernetesブログ
 title: Kubernetesブログ
+linkTitle: ブログ
+menu:
+  main:
+    title: "ブログ"
+    weight: 40
+    post: >
+       <p>Kubernetesやコンテナ全般に関する最新ニュースを読んで、技術的なハウツーをいち早く入手しましょう。</p>
 ---
+{{< comment >}}
+
+ブログへの寄稿についての情報は、以下を参照してください
+https://kubernetes.io/docs/contribute/new-content/blogs-case-studies/#write-a-blog-post
+
+{{< /comment >}}

From 48c6be119ceb367dc1f6b4a25434323113d25a55 Mon Sep 17 00:00:00 2001
From: zhuzhenghao <zhenghao.zhu@daocloud.io>
Date: Mon, 6 Mar 2023 12:57:40 +0800
Subject: [PATCH 044/215] [zh] sync page deployment

---
 .../workloads/controllers/deployment.md       | 98 ++++++++++---------
 .../workloads/controllers/replicaset.md       |  5 +-
 2 files changed, 54 insertions(+), 49 deletions(-)

diff --git a/content/zh-cn/docs/concepts/workloads/controllers/deployment.md b/content/zh-cn/docs/concepts/workloads/controllers/deployment.md
index 8f64bfeb3a5fa..657fba81ddfbf 100644
--- a/content/zh-cn/docs/concepts/workloads/controllers/deployment.md
+++ b/content/zh-cn/docs/concepts/workloads/controllers/deployment.md
@@ -8,6 +8,8 @@ content_type: concept
 weight: 10
 ---
 <!--
+reviewers:
+- janetkuo
 title: Deployments
 feature:
   title: Automated rollouts and rollbacks
@@ -80,7 +82,7 @@ The following are typical use cases for Deployments:
 * [清理较旧的不再需要的 ReplicaSet](#clean-up-policy) 。
 
 <!--
- ## Creating a Deployment
+## Creating a Deployment
 
 The following is an example of a Deployment. It creates a ReplicaSet to bring up three `nginx` Pods:
 -->
@@ -97,8 +99,8 @@ In this example:
 
 <!--
 * A Deployment named `nginx-deployment` is created, indicated by the
-  `.metadata.name` field.  This name will become the basis for the ReplicaSets
-  and Pods which are created later.  See [Writing a Deployment Spec](#writing-a-deployment-spec)
+  `.metadata.name` field. This name will become the basis for the ReplicaSets
+  and Pods which are created later. See [Writing a Deployment Spec](#writing-a-deployment-spec)
   for more details.
 * The Deployment creates a ReplicaSet that creates three replicated Pods, indicated by the `.spec.replicas` field.
 * The `.spec.selector` field defines how the created ReplicaSet finds which Pods to manage.
@@ -116,12 +118,12 @@ In this example:
 
   {{< note >}}
   <!--
-  The `spec.selector.matchLabels` field is a map of {key,value} pairs.
+  The `.spec.selector.matchLabels` field is a map of {key,value} pairs.
   A single {key,value} in the `matchLabels` map is equivalent to an element of `matchExpressions`,
   whose `key` field is "key", the `operator` is "In", and the `values` array contains only "value".
   All of the requirements, from both `matchLabels` and `matchExpressions`, must be satisfied in order to match.
   -->
-  `spec.selector.matchLabels` 字段是 `{key,value}` 键值对映射。
+  `.spec.selector.matchLabels` 字段是 `{key,value}` 键值对映射。
   在 `matchLabels` 映射中的每个 `{key,value}` 映射等效于 `matchExpressions` 中的一个元素，
   即其 `key` 字段是 “key”，`operator` 为 “In”，`values` 数组仅包含 “value”。
   在 `matchLabels` 和 `matchExpressions` 中给出的所有条件都必须满足才能匹配。
@@ -158,9 +160,9 @@ Follow the steps given below to create the above Deployment:
    ```
 
 <!--
- 2. Run `kubectl get deployments` to check if the Deployment was created.
+2. Run `kubectl get deployments` to check if the Deployment was created.
 
-    If the Deployment is still being created, the output is similar to the following:
+   If the Deployment is still being created, the output is similar to the following:
 -->
 2. 运行 `kubectl get deployments` 检查 Deployment 是否已创建。
    如果仍在创建 Deployment，则输出类似于：
@@ -208,7 +210,7 @@ Follow the steps given below to create the above Deployment:
    ```
 
 <!--
-4. Run the `kubectl get deployments` again a few seconds later. 
+4. Run the `kubectl get deployments` again a few seconds later.
    The output is similar to this:
 -->
 4. 几秒钟后再次运行 `kubectl get deployments`。输出类似于：
@@ -255,7 +257,7 @@ Follow the steps given below to create the above Deployment:
 
    <!--
    Notice that the name of the ReplicaSet is always formatted as
-   `[DEPLOYMENT-NAME]-[HASH]`.  This name will become the basis for the Pods
+   `[DEPLOYMENT-NAME]-[HASH]`. This name will become the basis for the Pods
    which are created.
    The `HASH` string is the same as the `pod-template-hash` label on the ReplicaSet.
    -->
@@ -296,7 +298,7 @@ Kubernetes 不会阻止你这样做，但是如果多个控制器具有重叠的
 {{< /note >}}
 
 <!--
- ### Pod-template-hash label
+### Pod-template-hash label
 -->
 ### Pod-template-hash 标签
 
@@ -323,13 +325,13 @@ and in any existing Pods that the ReplicaSet might have.
 可能拥有的任何现有 Pod 中。
 
 <!--
- ## Updating a Deployment
+## Updating a Deployment
 -->
 ## 更新 Deployment   {#updating-a-deployment}
 
 {{< note >}}
 <!--
- A Deployment's rollout is triggered if and only if the Deployment's Pod template (that is, `.spec.template`)
+A Deployment's rollout is triggered if and only if the Deployment's Pod template (that is, `.spec.template`)
 is changed, for example if the labels or container images of the template are updated. Other updates, such as scaling the Deployment, do not trigger a rollout.
 -->
 仅当 Deployment Pod 模板（即 `.spec.template`）发生改变时，例如模板的标签或容器镜像被更新，
@@ -353,7 +355,7 @@ Follow the steps given below to update your Deployment:
    or use the following command:
    -->
    或者使用下面的命令：
-    
+
    ```shell
    kubectl set image deployment/nginx-deployment nginx=nginx:1.16.1
    ```
@@ -492,7 +494,7 @@ up to 3 replicas, as well as scaling down the old ReplicaSet to 0 replicas.
   then deletes an old Pod, and creates another new one. It does not kill old Pods until a sufficient number of
   new Pods have come up, and does not create new Pods until a sufficient number of old Pods have been killed.
   It makes sure that at least 3 Pods are available and that at max 4 Pods in total are available. In case of
-    a Deployment with 4 replicas, the number of Pods would be between 3 and 5.
+  a Deployment with 4 replicas, the number of Pods would be between 3 and 5.
   -->
   例如，如果仔细查看上述 Deployment ，将看到它首先创建了一个新的 Pod，然后删除旧的 Pod，
   并创建了新的 Pod。它不会杀死旧 Pod，直到有足够数量的新 Pod 已经出现。
@@ -559,8 +561,7 @@ up to 3 replicas, as well as scaling down the old ReplicaSet to 0 replicas.
   (nginx-deployment-1564180365) and scaled it up to 1 and waited for it to come up. Then it scaled down the old ReplicaSet
   to 2 and scaled up the new ReplicaSet to 2 so that at least 3 Pods were available and at most 4 Pods were created at all times.
   It then continued scaling up and down the new and the old ReplicaSet, with the same rolling update strategy.
-  Finally, you'll have 3 available replicas
-  in the new ReplicaSet, and the old ReplicaSet is scaled down to 0.
+  Finally, you'll have 3 available replicas in the new ReplicaSet, and the old ReplicaSet is scaled down to 0.
   -->
   可以看到，当第一次创建 Deployment 时，它创建了一个 ReplicaSet（`nginx-deployment-2035384211`）
   并将其直接扩容至 3 个副本。更新 Deployment 时，它创建了一个新的 ReplicaSet
@@ -624,7 +625,7 @@ before changing course.
 <!--
 ### Label selector updates
 
- It is generally discouraged to make label selector updates and it is suggested to plan your selectors up front.
+It is generally discouraged to make label selector updates and it is suggested to plan your selectors up front.
 In any case, if you need to perform a label selector update, exercise great caution and make sure you have grasped
 all of the implications.
 -->
@@ -665,7 +666,7 @@ removed label still exists in any existing Pods and ReplicaSets.
 ## 回滚 Deployment {#rolling-back-a-deployment}
 
 <!--
- Sometimes, you may want to rollback a Deployment; for example, when the Deployment is not stable, such as crash looping.
+Sometimes, you may want to rollback a Deployment; for example, when the Deployment is not stable, such as crash looping.
 By default, all of the Deployment's rollout history is kept in the system so that you can rollback anytime you want
 (you can change that by modifying revision history limit).
 -->
@@ -697,7 +698,7 @@ Deployment 被触发上线时，系统就会创建 Deployment 的新的修订版
   `nginx:1.161` 而不是 `nginx:1.16.1`：
 
   ```shell
-  kubectl set image deployment/nginx-deployment nginx=nginx:1.161 
+  kubectl set image deployment/nginx-deployment nginx=nginx:1.161
   ```
 
   <!--
@@ -734,7 +735,7 @@ Deployment 被触发上线时，系统就会创建 Deployment 的新的修订版
 * 按 Ctrl-C 停止上述上线状态观测。有关上线停滞的详细信息，[参考这里](#deployment-status)。
 
 <!--
- * You see that the number of old replicas (`nginx-deployment-1564180365` and `nginx-deployment-2035384211`) is 2, and new replicas (nginx-deployment-3066724191) is 1.
+* You see that the number of old replicas (`nginx-deployment-1564180365` and `nginx-deployment-2035384211`) is 2, and new replicas (nginx-deployment-3066724191) is 1.
 -->
 * 你可以看到旧的副本有两个（`nginx-deployment-1564180365` 和 `nginx-deployment-2035384211`），
   新的副本有 1 个（`nginx-deployment-3066724191`）：
@@ -748,7 +749,7 @@ Deployment 被触发上线时，系统就会创建 Deployment 的新的修订版
   -->
   输出类似于：
 
-  ```shell
+  ```
   NAME                          DESIRED   CURRENT   READY   AGE
   nginx-deployment-1564180365   3         3         3       25s
   nginx-deployment-2035384211   0         0         0       36s
@@ -769,7 +770,7 @@ Deployment 被触发上线时，系统就会创建 Deployment 的新的修订版
   -->
   输出类似于：
 
-  ```shell
+  ```
   NAME                                READY     STATUS             RESTARTS   AGE
   nginx-deployment-1564180365-70iae   1/1       Running            0          25s
   nginx-deployment-1564180365-jbqqo   1/1       Running            0          25s
@@ -828,7 +829,7 @@ Deployment 被触发上线时，系统就会创建 Deployment 的新的修订版
   OldReplicaSets:     nginx-deployment-1564180365 (3/3 replicas created)
   NewReplicaSet:      nginx-deployment-3066724191 (1/1 replicas created)
   Events:
-    FirstSeen LastSeen    Count   From                    SubobjectPath   Type        Reason              Message
+    FirstSeen LastSeen    Count   From                    SubObjectPath   Type        Reason              Message
     --------- --------    -----   ----                    -------------   --------    ------              -------
     1m        1m          1       {deployment-controller }                Normal      ScalingReplicaSet   Scaled up replica set nginx-deployment-2035384211 to 3
     22s       22s         1       {deployment-controller }                Normal      ScalingReplicaSet   Scaled up replica set nginx-deployment-1564180365 to 1
@@ -855,7 +856,7 @@ Follow the steps given below to check the rollout history:
 按照如下步骤检查回滚历史：
 
 <!--
- 1. First, check the revisions of this Deployment:
+1. First, check the revisions of this Deployment:
 -->
 1. 首先，检查 Deployment 修订历史：
 
@@ -929,7 +930,7 @@ Follow the steps given below to rollback the Deployment from the current version
 按照下面给出的步骤将 Deployment 从当前版本回滚到以前的版本（即版本 2）。
 
 <!--
- 1. Now you've decided to undo the current rollout and rollback to the previous revision:
+1. Now you've decided to undo the current rollout and rollback to the previous revision:
 -->
 1. 假定现在你已决定撤消当前上线并回滚到以前的修订版本：
 
@@ -1229,7 +1230,7 @@ The output is similar to this:
 -->
 输出类似于：
 
-```shell
+```
 NAME                          DESIRED   CURRENT   READY     AGE
 nginx-deployment-1989198191   7         7         0         7m
 nginx-deployment-618515232    11        11        11        7m
@@ -1307,7 +1308,7 @@ apply multiple fixes in between pausing and resuming without triggering unnecess
   -->
   输出类似于：
 
-  ```shell
+  ```
   deployment.apps/nginx-deployment paused
   ```
 
@@ -1363,7 +1364,7 @@ apply multiple fixes in between pausing and resuming without triggering unnecess
   -->
   输出类似于：
 
-  ```shell
+  ```
   NAME               DESIRED   CURRENT   READY     AGE
   nginx-2142116321   3         3         3         2m
   ```
@@ -1388,7 +1389,8 @@ apply multiple fixes in between pausing and resuming without triggering unnecess
 
   <!--
   The initial state of the Deployment prior to pausing its rollout will continue its function, but new updates to
-  the Deployment will not have any effect as long as the Deployment is paused.
+  the Deployment will not have any effect as long as the Deployment rollout is paused.
+
   -->
   暂停 Deployment 上线之前的初始状态将继续发挥作用，但新的更新在 Deployment
   上线被暂停期间不会产生任何效果。
@@ -1573,7 +1575,7 @@ The output is similar to this:
 -->
 输出类似于：
 
-```shell
+```
 Waiting for rollout to finish: 2 of 3 updated replicas are available...
 deployment "nginx-deployment" successfully rolled out
 ```
@@ -1584,7 +1586,7 @@ and the exit status from `kubectl rollout` is 0 (success):
 从 `kubectl rollout` 命令获得的返回状态为 0（成功）：
 
 ```shell
-$ echo $?
+echo $?
 ```
 ```
 0
@@ -1603,7 +1605,7 @@ due to some of the following factors:
 造成此情况一些可能因素如下：
 
 <!--
- * Insufficient quota
+* Insufficient quota
 * Readiness probe failures
 * Image pull errors
 * Insufficient permissions
@@ -1676,7 +1678,7 @@ See the [Kubernetes API conventions](https://git.k8s.io/community/contributors/d
 
 {{< note >}}
 <!--
- Kubernetes takes no action on a stalled Deployment other than to report a status condition with
+Kubernetes takes no action on a stalled Deployment other than to report a status condition with
 `reason: ProgressDeadlineExceeded`. Higher level orchestrators can take advantage of it and act accordingly, for
 example, rollback the Deployment to its previous version.
 -->
@@ -1687,8 +1689,8 @@ Deployment 不执行任何操作。更高级别的编排器可以利用这一设
 
 {{< note >}}
 <!--
-If you pause a Deployment rollout, Kubernetes does not check progress against your specified deadline. 
-You can safely pause a Deployment rollout in the middle of a rollout and resume without triggering 
+If you pause a Deployment rollout, Kubernetes does not check progress against your specified deadline.
+You can safely pause a Deployment rollout in the middle of a rollout and resume without triggering
 the condition for exceeding the deadline.
 -->
 如果你暂停了某个 Deployment 上线，Kubernetes 不再根据指定的截止时间检查 Deployment 上线的进展。
@@ -1831,7 +1833,7 @@ and the exit status from `kubectl rollout` is 1 (indicating an error):
 `kubectl rollout` 命令的退出状态为 1（表明发生了错误）：
 
 ```shell
-$ echo $?
+echo $?
 ```
 ```
 1
@@ -1899,9 +1901,9 @@ configuring containers, and [using kubectl to manage resources](/docs/concepts/o
 
 <!--
 When the control plane creates new Pods for a Deployment, the `.metadata.name` of the
-Deployment is part of the basis for naming those Pods.  The name of a Deployment must be a valid
+Deployment is part of the basis for naming those Pods. The name of a Deployment must be a valid
 [DNS subdomain](/docs/concepts/overview/working-with-objects/names#dns-subdomain-names)
-value, but this can produce unexpected results for the Pod hostnames.  For best compatibility,
+value, but this can produce unexpected results for the Pod hostnames. For best compatibility,
 the name should follow the more restrictive rules for a
 [DNS label](/docs/concepts/overview/working-with-objects/names#dns-label-names).
 
@@ -2056,11 +2058,11 @@ All existing Pods are killed before new ones are created when `.spec.strategy.ty
 
 {{< note >}}
 <!--
-This will only guarantee Pod termination previous to creation for upgrades. If you upgrade a Deployment, all Pods 
-of the old revision will be terminated immediately. Successful removal is awaited before any Pod of the new 
-revision is created. If you manually delete a Pod, the lifecycle is controlled by the ReplicaSet and the 
-replacement will be created immediately (even if the old Pod is still in a Terminating state). If you need an 
-"at most" guarantee for your Pods, you should consider using a 
+This will only guarantee Pod termination previous to creation for upgrades. If you upgrade a Deployment, all Pods
+of the old revision will be terminated immediately. Successful removal is awaited before any Pod of the new
+revision is created. If you manually delete a Pod, the lifecycle is controlled by the ReplicaSet and the
+replacement will be created immediately (even if the old Pod is still in a Terminating state). If you need an
+"at most" guarantee for your Pods, you should consider using a
 [StatefulSet](/docs/concepts/workloads/controllers/statefulset/).
 -->
 这只会确保为了升级而创建新 Pod 之前其他 Pod 都已终止。如果你升级一个 Deployment，
@@ -2114,7 +2116,7 @@ at all times during the update is at least 70% of the desired Pods.
 <!--
 ##### Max Surge
 
- `.spec.strategy.rollingUpdate.maxSurge` is an optional field that specifies the maximum number of Pods
+`.spec.strategy.rollingUpdate.maxSurge` is an optional field that specifies the maximum number of Pods
 that can be created over the desired number of Pods. The value can be an absolute number (for example, 5) or a
 percentage of desired Pods (for example, 10%). The value cannot be 0 if `MaxUnavailable` is 0. The absolute number
 is calculated from the percentage by rounding up. The default value is 25%.
@@ -2137,11 +2139,11 @@ total number of Pods running at any time during the update is at most 130% of de
 同时确保更新期间的任何时候运行中的 Pod 总数最多为所需 Pod 总数的 130%。
 
 <!--
- ### Progress Deadline Seconds
+### Progress Deadline Seconds
 
- `.spec.progressDeadlineSeconds` is an optional field that specifies the number of seconds you want
+`.spec.progressDeadlineSeconds` is an optional field that specifies the number of seconds you want
 to wait for your Deployment to progress before the system reports back that the Deployment has
-[failed progressing](#failed-deployment) - surfaced as a condition with `type: Progressing`, `status: False`.
+[failed progressing](#failed-deployment) - surfaced as a condition with `type: Progressing`, `status: "False"`.
 and `reason: ProgressDeadlineExceeded` in the status of the resource. The Deployment controller will keep
 retrying the Deployment. This defaults to 600. In the future, once automatic rollback will be implemented, the Deployment
 controller will roll back a Deployment as soon as it observes such a condition.
@@ -2162,7 +2164,7 @@ If specified, this field needs to be greater than `.spec.minReadySeconds`.
 <!--
 ### Min Ready Seconds
 
- `.spec.minReadySeconds` is an optional field that specifies the minimum number of seconds for which a newly
+`.spec.minReadySeconds` is an optional field that specifies the minimum number of seconds for which a newly
 created Pod should be ready without any of its containers crashing, for it to be considered available.
 This defaults to 0 (the Pod will be considered available as soon as it is ready). To learn more about when
 a Pod is considered ready, see [Container Probes](/docs/concepts/workloads/pods/pod-lifecycle/#container-probes).
diff --git a/content/zh-cn/docs/concepts/workloads/controllers/replicaset.md b/content/zh-cn/docs/concepts/workloads/controllers/replicaset.md
index 5fef6703a111f..cc1bbc53d1b33 100644
--- a/content/zh-cn/docs/concepts/workloads/controllers/replicaset.md
+++ b/content/zh-cn/docs/concepts/workloads/controllers/replicaset.md
@@ -574,6 +574,9 @@ prioritize scaling down pods based on the following general algorithm:
    （当 `LogarithmicScaleDown` 这一[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)
    被启用时，创建时间是按整数幂级来分组的）。
 
+<!--
+If all of the above match, then selection is random.
+-->
 如果以上比较结果都相同，则随机选择。
 
 <!--
@@ -688,7 +691,7 @@ kubectl autoscale rs frontend --max=10 --min=3 --cpu-percent=50
 
 [`Deployment`](/docs/concepts/workloads/controllers/deployment/) is an object which can own ReplicaSets and update
 them and their Pods via declarative, server-side rolling updates.
-While ReplicaSets can be used independently, today they're  mainly used by Deployments as a mechanism to orchestrate Pod
+While ReplicaSets can be used independently, today they're mainly used by Deployments as a mechanism to orchestrate Pod
 creation, deletion and updates. When you use Deployments you don't have to worry about managing the ReplicaSets that
 they create. Deployments own and manage their ReplicaSets.
 As such, it is recommended to use Deployments when you want ReplicaSets.

From 5ddcf5f8e66be8f2c0d0635797b95f21c91d33aa Mon Sep 17 00:00:00 2001
From: windsonsea <haifeng.yao@daocloud.io>
Date: Mon, 6 Mar 2023 18:30:37 +0800
Subject: [PATCH 045/215] [zh] sync control-plane-node-communication.md

---
 .../control-plane-node-communication.md       | 64 +++++++++++++------
 1 file changed, 46 insertions(+), 18 deletions(-)

diff --git a/content/zh-cn/docs/concepts/architecture/control-plane-node-communication.md b/content/zh-cn/docs/concepts/architecture/control-plane-node-communication.md
index fd8e4368d8839..ec4dee4e34998 100644
--- a/content/zh-cn/docs/concepts/architecture/control-plane-node-communication.md
+++ b/content/zh-cn/docs/concepts/architecture/control-plane-node-communication.md
@@ -3,8 +3,10 @@ title: 节点与控制面之间的通信
 content_type: concept
 weight: 20
 ---
-
 <!--
+reviewers:
+- dchen1107
+- liggitt
 title: Communication between Nodes and the Control Plane
 content_type: concept
 weight: 20
@@ -15,12 +17,14 @@ aliases:
 <!-- overview -->
 
 <!--
-This document catalogs the communication paths between the API server and the Kubernetes cluster.
+This document catalogs the communication paths between the {{< glossary_tooltip term_id="kube-apiserver" text="API server" >}}
+and the Kubernetes {{< glossary_tooltip text="cluster" term_id="cluster" length="all" >}}.
 The intent is to allow users to customize their installation to harden the network configuration
 such that the cluster can be run on an untrusted network (or on fully public IPs on a cloud
 provider).
 -->
-本文列举控制面节点（确切说是 API 服务器）和 Kubernetes 集群之间的通信路径。
+本文列举控制面节点（确切地说是 {{< glossary_tooltip term_id="kube-apiserver" text="API 服务器" >}}）和
+Kubernetes {{< glossary_tooltip text="集群" term_id="cluster" length="all" >}}之间的通信路径。
 目的是为了让用户能够自定义他们的安装，以实现对网络配置的加固，
 使得集群能够在不可信的网络上（或者在一个云服务商完全公开的 IP 上）运行。
 
@@ -51,35 +55,38 @@ API 服务器被配置为在一个安全的 HTTPS 端口（通常为 443）上
 或[服务账户令牌](/zh-cn/docs/reference/access-authn-authz/authentication/#service-account-tokens)的时候。
 
 <!--
-Nodes should be provisioned with the public root certificate for the cluster such that they can
+Nodes should be provisioned with the public root {{< glossary_tooltip text="certificate" term_id="certificate" >}} for the cluster such that they can
 connect securely to the API server along with valid client credentials. A good approach is that the
 client credentials provided to the kubelet are in the form of a client certificate. See
 [kubelet TLS bootstrapping](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/)
 for automated provisioning of kubelet client certificates.
 -->
-应该使用集群的公共根证书开通节点，这样它们就能够基于有效的客户端凭据安全地连接 API 服务器。
+应该使用集群的公共根{{< glossary_tooltip text="证书" term_id="certificate" >}}开通节点，
+这样它们就能够基于有效的客户端凭据安全地连接 API 服务器。
 一种好的方法是以客户端证书的形式将客户端凭据提供给 kubelet。
 请查看 [kubelet TLS 启动引导](/zh-cn/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/)
 以了解如何自动提供 kubelet 客户端证书。
 
 <!--
-Pods that wish to connect to the API server can do so securely by leveraging a service account so
+{{< glossary_tooltip text="Pods" term_id="pod" >}} that wish to connect to the API server can do so securely by leveraging a service account so
 that Kubernetes will automatically inject the public root certificate and a valid bearer token
 into the pod when it is instantiated.
 The `kubernetes` service (in `default` namespace) is configured with a virtual IP address that is
-redirected (via `kube-proxy`) to the HTTPS endpoint on the API server.
+redirected (via `{{< glossary_tooltip text="kube-proxy" term_id="kube-proxy" >}}`) to the HTTPS endpoint on the API server.
 
 The control plane components also communicate with the API server over the secure port.
 -->
-想要连接到 API 服务器的 Pod 可以使用服务账号安全地进行连接。
+想要连接到 API 服务器的 {{< glossary_tooltip text="Pod" term_id="pod" >}}
+可以使用服务账号安全地进行连接。
 当 Pod 被实例化时，Kubernetes 自动把公共根证书和一个有效的持有者令牌注入到 Pod 里。
 `kubernetes` 服务（位于 `default` 名字空间中）配置了一个虚拟 IP 地址，
-用于（通过 kube-proxy）转发请求到 API 服务器的 HTTPS 末端。
+用于（通过 `{{< glossary_tooltip text="kube-proxy" term_id="kube-proxy" >}}`）转发请求到
+API 服务器的 HTTPS 末端。
 
 控制面组件也通过安全端口与集群的 API 服务器通信。
 
 <!--
-As a result, the default operating mode for connections from the nodes and pods running on the
+As a result, the default operating mode for connections from the nodes and pod running on the
 nodes to the control plane is secured by default and can run over untrusted and/or public
 networks.
 -->
@@ -90,15 +97,16 @@ networks.
 ## Control plane to node
 
 There are two primary communication paths from the control plane (the API server) to the nodes.
-The first is from the API server to the kubelet process which runs on each node in the cluster.
+The first is from the API server to the {{< glossary_tooltip text="kubelet" term_id="kubelet" >}} process which runs on each node in the cluster.
 The second is from the API server to any node, pod, or service through the API server's _proxy_
 functionality.
 -->
 ## 控制面到节点  {#control-plane-to-node}
 
 从控制面（API 服务器）到节点有两种主要的通信路径。
-第一种是从 API 服务器到集群中每个节点上运行的 kubelet 进程。
-第二种是从 API 服务器通过它的代理功能连接到任何节点、Pod 或者服务。
+第一种是从 API 服务器到集群中每个节点上运行的
+{{< glossary_tooltip text="kubelet" term_id="kubelet" >}} 进程。
+第二种是从 API 服务器通过它的**代理**功能连接到任何节点、Pod 或者服务。
 
 <!--
 ### API server to kubelet
@@ -117,8 +125,8 @@ attacks and **unsafe** to run over untrusted and/or public networks.
 
 从 API 服务器到 kubelet 的连接用于：
 
-* 获取 Pod 日志
-* 挂接（通过 kubectl）到运行中的 Pod
+* 获取 Pod 日志。
+* 挂接（通过 kubectl）到运行中的 Pod。
 * 提供 kubelet 的端口转发功能。
 
 这些连接终止于 kubelet 的 HTTPS 末端。
@@ -167,7 +175,7 @@ connections **are not currently safe** to run over untrusted or public networks.
 <!--
 ### SSH tunnels
 
-Kubernetes supports SSH tunnels to protect the control plane to nodes communication paths. In this
+Kubernetes supports [SSH tunnels](https://www.ssh.com/academy/ssh/tunneling) to protect the control plane to nodes communication paths. In this
 configuration, the API server initiates an SSH tunnel to each node in the cluster (connecting to
 the SSH server listening on port 22) and passes all traffic destined for a kubelet, node, pod, or
 service through the tunnel.
@@ -176,8 +184,9 @@ running.
 -->
 ### SSH 隧道 {#ssh-tunnels}
 
-Kubernetes 支持使用 SSH 隧道来保护从控制面到节点的通信路径。在这种配置下，
-API 服务器建立一个到集群中各节点的 SSH 隧道（连接到在 22 端口监听的 SSH 服务器）
+Kubernetes 支持使用
+[SSH 隧道](https://www.ssh.com/academy/ssh/tunneling)来保护从控制面到节点的通信路径。
+在这种配置下，API 服务器建立一个到集群中各节点的 SSH 隧道（连接到在 22 端口监听的 SSH 服务器）
 并通过这个隧道传输所有到 kubelet、节点、Pod 或服务的请求。
 这一隧道保证通信不会被暴露到集群节点所运行的网络之外。
 
@@ -219,3 +228,22 @@ Konnectivity 代理建立并维持到 Konnectivity 服务器的网络连接。
 请浏览 [Konnectivity 服务任务](/zh-cn/docs/tasks/extend-kubernetes/setup-konnectivity/)
 在你的集群中配置 Konnectivity 服务。
 
+## {{% heading "whatsnext" %}}
+
+<!--
+* Read about the [Kubernetes control plane components](/docs/concepts/overview/components/#control-plane-components)
+* Learn more about [Hubs and Spoke model](https://book.kubebuilder.io/multiversion-tutorial/conversion-concepts.html#hubs-spokes-and-other-wheel-metaphors)
+* Learn how to [Secure a Cluster](/docs/tasks/administer-cluster/securing-a-cluster/) 
+* Learn more about the [Kubernetes API](/docs/concepts/overview/kubernetes-api/)
+* [Set up Konnectivity service](/docs/tasks/extend-kubernetes/setup-konnectivity/)
+* [Use Port Forwarding to Access Applications in a Cluster](/docs/tasks/access-application-cluster/port-forward-access-application-cluster/)
+* Learn how to [Fetch logs for Pods](/docs/tasks/debug/debug-application/debug-running-pod/#examine-pod-logs), [use kubectl port-forward](/docs/tasks/access-application-cluster/port-forward-access-application-cluster/#forward-a-local-port-to-a-port-on-the-pod)
+-->
+* 阅读 [Kubernetes 控制面组件](/zh-cn/docs/concepts/overview/components/#control-plane-components)
+* 进一步了解 [Hubs and Spoke model](https://book.kubebuilder.io/multiversion-tutorial/conversion-concepts.html#hubs-spokes-and-other-wheel-metaphors)
+* 进一步了解如何[保护集群](/zh-cn/docs/tasks/administer-cluster/securing-a-cluster/)
+* 进一步了解 [Kubernetes API](/zh-cn/docs/concepts/overview/kubernetes-api/)
+* [设置 Konnectivity 服务](/zh-cn/docs/tasks/extend-kubernetes/setup-konnectivity/)
+* [使用端口转发来访问集群中的应用](/zh-cn/docs/tasks/access-application-cluster/port-forward-access-application-cluster/)
+* 学习如何[检查 Pod 的日志](/zh-cn/docs/tasks/debug/debug-application/debug-running-pod/#examine-pod-logs)
+  以及如何[使用 kubectl 端口转发](/zh-cn/docs/tasks/access-application-cluster/port-forward-access-application-cluster/#forward-a-local-port-to-a-port-on-the-pod)

From fb3b32507191c57396f864eb7ec433ec0a934d46 Mon Sep 17 00:00:00 2001
From: Shogo Hida <shogo.hida@gmail.com>
Date: Tue, 28 Feb 2023 19:08:44 +0900
Subject: [PATCH 046/215] Delete DynamicAuditing

Signed-off-by: Shogo Hida <shogo.hida@gmail.com>
---
 .../docs/reference/command-line-tools-reference/feature-gates.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/content/ja/docs/reference/command-line-tools-reference/feature-gates.md b/content/ja/docs/reference/command-line-tools-reference/feature-gates.md
index a014c7c608593..5667cbee61b8b 100644
--- a/content/ja/docs/reference/command-line-tools-reference/feature-gates.md
+++ b/content/ja/docs/reference/command-line-tools-reference/feature-gates.md
@@ -387,7 +387,6 @@ GAになってからさらなる変更を加えることは現実的ではない
 - `CustomResourceWebhookConversion`: [CustomResourceDefinition](/docs/concepts/extend-kubernetes/api-extension/custom-resources/)から作成されたリソースのWebhookベースの変換を有効にします。
 - `DevicePlugins`: [device-plugins](/docs/concepts/cluster-administration/device-plugins/)によるノードでのリソースプロビジョニングを有効にします。
 - `DryRun`: サーバーサイドでの[dry run](/docs/reference/using-api/api-concepts/#dry-run)リクエストを有効にします。
-- `DynamicAuditing`: [動的監査](/docs/tasks/debug/debug-cluster/audit/#dynamic-backend)を有効にします。
 - `DynamicKubeletConfig`: kubeletの動的構成を有効にします。[kubeletの再設定](/docs/tasks/administer-cluster/reconfigure-kubelet/)を参照してください。
 - `DynamicProvisioningScheduling`: デフォルトのスケジューラーを拡張してボリュームトポロジーを認識しPVプロビジョニングを処理します。この機能は、v1.12の`VolumeScheduling`機能に完全に置き換えられました。
 - `DynamicVolumeProvisioning`(*非推奨*): Podへの永続ボリュームの[動的プロビジョニング](/ja/docs/concepts/storage/dynamic-provisioning/)を有効にします。

From 5038eba0ac5205b61974f5e0cbefb85a3f462d98 Mon Sep 17 00:00:00 2001
From: windsonsea <haifeng.yao@daocloud.io>
Date: Mon, 6 Mar 2023 17:58:58 +0800
Subject: [PATCH 047/215] [zh] sync configure-persistent-volume-storage.md

---
 .../configure-persistent-volume-storage.md    | 36 +++++++++----------
 1 file changed, 17 insertions(+), 19 deletions(-)

diff --git a/content/zh-cn/docs/tasks/configure-pod-container/configure-persistent-volume-storage.md b/content/zh-cn/docs/tasks/configure-pod-container/configure-persistent-volume-storage.md
index 57c4f13a30b21..d2fc135403649 100644
--- a/content/zh-cn/docs/tasks/configure-pod-container/configure-persistent-volume-storage.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/configure-persistent-volume-storage.md
@@ -1,13 +1,12 @@
 ---
 title: 配置 Pod 以使用 PersistentVolume 作为存储
 content_type: task
-weight: 60
+weight: 90
 ---
-
 <!--
 title: Configure a Pod to Use a PersistentVolume for Storage
 content_type: task
-weight: 60
+weight: 90
 -->
 
 <!-- overview -->
@@ -19,11 +18,11 @@ for storage.
 Here is a summary of the process:
 
 1. You, as cluster administrator, create a PersistentVolume backed by physical
-storage. You do not associate the volume with any Pod.
+   storage. You do not associate the volume with any Pod.
 
 1. You, now taking the role of a developer / cluster user, create a
-PersistentVolumeClaim that is automatically bound to a suitable
-PersistentVolume.
+   PersistentVolumeClaim that is automatically bound to a suitable
+   PersistentVolume.
 
 1. You create a Pod that uses the above PersistentVolumeClaim for storage.
 -->
@@ -43,15 +42,14 @@ PersistentVolume.
 
 <!--
 * You need to have a Kubernetes cluster that has only one Node, and the
-{{< glossary_tooltip text="kubectl" term_id="kubectl" >}}
-command-line tool must be configured to communicate with your cluster. If you
-do not already have a single-node cluster, you can create one by using
-[Minikube](https://minikube.sigs.k8s.io/docs/).
+  {{< glossary_tooltip text="kubectl" term_id="kubectl" >}}
+  command-line tool must be configured to communicate with your cluster. If you
+  do not already have a single-node cluster, you can create one by using
+  [Minikube](https://minikube.sigs.k8s.io/docs/).
 
 * Familiarize yourself with the material in
-[Persistent Volumes](/docs/concepts/storage/persistent-volumes/).
+  [Persistent Volumes](/docs/concepts/storage/persistent-volumes/).
 -->
-
 * 你需要一个包含单个节点的 Kubernetes 集群，并且必须配置
   {{< glossary_tooltip text="kubectl" term_id="kubectl" >}} 命令行工具以便与集群交互。
   如果还没有单节点集群，可以使用
@@ -101,11 +99,11 @@ In the `/mnt/data` directory, create an `index.html` file:
 sudo sh -c "echo 'Hello from Kubernetes storage' > /mnt/data/index.html"
 ```
 
+{{< note >}}
 <!--
 If your Node uses a tool for superuser access other than `sudo`, you can
 usually make this work if you replace `sudo` with the name of the other tool.
 -->
-{{< note >}}
 如果你的节点使用某工具而不是 `sudo` 来完成超级用户访问，你可以将上述命令中的 `sudo` 替换为该工具的名称。
 {{< /note >}}
 
@@ -374,7 +372,7 @@ use storage from a PersistentVolumeClaim.
 <!--
 ## Clean up
 
-Delete the Pod,  the PersistentVolumeClaim and the PersistentVolume:
+Delete the Pod, the PersistentVolumeClaim and the PersistentVolume:
 -->
 ## 清理    {#clean-up}
 
@@ -395,11 +393,11 @@ In the shell on your Node, remove the file and directory that you created:
 如果你还没有连接到集群中节点的 Shell，可以按之前所做操作，打开一个新的 Shell。
 
 在节点的 Shell 上，删除你所创建的目录和文件：
+
 <!--
 # This assumes that your Node uses "sudo" to run commands
 # as the superuser
 -->
-
 ```shell
 # 这里假定你使用 "sudo" 来以超级用户的角色执行命令
 sudo rm /mnt/data/index.html
@@ -426,8 +424,8 @@ You can perform 2 volume mounts on your nginx container:
 -->
 你可以在 nginx 容器上执行两个卷挂载:
 
-`/usr/share/nginx/html` 用于静态网站
-`/etc/nginx/nginx.conf` 作为默认配置
+- `/usr/share/nginx/html` 用于静态网站
+- `/etc/nginx/nginx.conf` 作为默认配置
 
 <!-- discussion -->
 
@@ -472,11 +470,11 @@ each container.
 应用的方法与 Pod 的安全上下文中指定的 GID 相同。
 每个 GID，无论是来自 PersistentVolume 注解还是来自 Pod 规约，都会被应用于每个容器中运行的第一个进程。
 
+{{< note >}}
 <!--
 When a Pod consumes a PersistentVolume, the GIDs associated with the
 PersistentVolume are not present on the Pod resource itself.
 -->
-{{< note >}}
 当 Pod 使用 PersistentVolume 时，与 PersistentVolume 关联的 GID 不会在 Pod
 资源本身的对象上出现。
 {{< /note >}}
@@ -493,7 +491,7 @@ PersistentVolume are not present on the Pod resource itself.
 <!--
 ### Reference
 -->
-### 参考
+### 参考   {#reference}
 
 * [PersistentVolume](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#persistentvolume-v1-core)
 * [PersistentVolumeSpec](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#persistentvolumespec-v1-core)

From 3ea1d6790a2ddcbd420310cc0649e7ac26892d86 Mon Sep 17 00:00:00 2001
From: ziyi-xie <92832323+ziyi-xie@users.noreply.github.com>
Date: Tue, 7 Mar 2023 09:04:30 +0900
Subject: [PATCH 048/215] Update
 content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md

Co-authored-by: Toshiaki Inukai <82919057+t-inu@users.noreply.github.com>
---
 content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md b/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md
index a8cf9e0129b23..d548e5e836e44 100644
--- a/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md
+++ b/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md
@@ -228,7 +228,7 @@ Podアフィニティとアンチアフィニティの`operator`フィールド
 
 Pod間アフィニティとアンチアフィニティは、ReplicaSet、StatefulSet、Deploymentなどのより高レベルなコレクションと併せて使用するとさらに有用です。これらのルールにより、ワークロードのセットが同じ定義されたトポロジーに併置されるように設定できます。たとえば、2つの関連するPodを同じNodeに配置することが好ましい場合です。
 
-例えば、3つのNodeで構成されるクラスターを想像してください。クラスターを使用してウェブアプリケーションを実行し、さらにインメモリキャッシュ（Redisなど）を使用します。この例では、ウェブアプリケーションとメモリキャッシュの間のレイテンシーは実用的な範囲の低さも想定しています。Pod間アフィニティやアンチアフィニティを使って、ウェブサーバーとキャッシュをなるべく同じ場所に配置することができます。
+例えば、3つのNodeで構成されるクラスターを想像してください。そのクラスターを使用してウェブアプリケーションを実行し、さらにインメモリーキャッシュ(Redisなど)を使用します。この例では、ウェブアプリケーションとメモリーキャッシュの間のレイテンシーは実用的な範囲の低さも想定しています。Pod間アフィニティやアンチアフィニティを使って、ウェブサーバーとキャッシュをなるべく同じ場所に配置することができます。
 
 以下のRedisキャッシュのDeploymentの例では、各レプリカはラベル`app=store`が付与されています。`podAntiAffinity`ルールは、`app=store`ラベルを持つ複数のレプリカを単一Nodeに配置しないよう、スケジューラーに指示します。これにより、各キャッシュが別々のNodeに作成されます。
 

From 3db17caaa305b7b0f0f20a59a83206b5f073e83a Mon Sep 17 00:00:00 2001
From: ziyi-xie <92832323+ziyi-xie@users.noreply.github.com>
Date: Tue, 7 Mar 2023 09:04:43 +0900
Subject: [PATCH 049/215] Update
 content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md

Co-authored-by: Toshiaki Inukai <82919057+t-inu@users.noreply.github.com>
---
 content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md b/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md
index d548e5e836e44..534356dc89d53 100644
--- a/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md
+++ b/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md
@@ -303,7 +303,7 @@ spec:
         image: nginx:1.16-alpine
 ```
 
-上記2つのDeploymentが生成されると、以下のようなクラスター構成になり、各Webサーバーはキャッシュと同位置に、3つの別々のNodeに配置されます。
+上記2つのDeploymentが生成されると、以下のようなクラスター構成になり、各ウェブサーバーはキャッシュと同位置に、3つの別々のNodeに配置されます。
 
 |       node-1         |       node-2        |       node-3       |
 |:--------------------:|:-------------------:|:------------------:|

From e761735da67f5185eaae7fceac9e4ff1a8d92f21 Mon Sep 17 00:00:00 2001
From: ziyi-xie <92832323+ziyi-xie@users.noreply.github.com>
Date: Tue, 7 Mar 2023 09:05:12 +0900
Subject: [PATCH 050/215] Update
 content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md

Co-authored-by: Toshiaki Inukai <82919057+t-inu@users.noreply.github.com>
---
 content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md b/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md
index 534356dc89d53..c1d848d928ed0 100644
--- a/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md
+++ b/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md
@@ -351,6 +351,6 @@ _トポロジー分散制約_ を使って、リージョン、ゾーン、Node
 
 * [TaintとToleration](/ja/docs/concepts/scheduling-eviction/taint-and-toleration/)についてもっと読む。
 * [Nodeアフィニティ](https://git.k8s.io/design-proposals-archive/scheduling/nodeaffinity.md)と[Pod間アフィニティ/アンチアフィニティ](https://git.k8s.io/design-proposals-archive/scheduling/podaffinity.md)のデザインドキュメントを読む。
-* [トポロジーマネージャー](/ja/docs/tasks/administer-cluster/topology-manager/)がNodeレベルリソースの割り当て決定に参加する方法について学ぶ。
+* [トポロジーマネージャー](/ja/docs/tasks/administer-cluster/topology-manager/)がNodeレベルのリソース割り当ての決定にどのように関与しているかについて学ぶ。
 * [nodeSelector](/ja/docs/tasks/configure-pod-container/assign-pods-nodes/)の使用方法について学ぶ。
 * [アフィニティとアンチアフィニティ](/ja/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/)の使用方法について学ぶ。

From fc6c72fab683c648d6f7b06fd15918fda1fe03da Mon Sep 17 00:00:00 2001
From: ziyi-xie <92832323+ziyi-xie@users.noreply.github.com>
Date: Tue, 7 Mar 2023 09:05:42 +0900
Subject: [PATCH 051/215] Update
 content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md

Co-authored-by: Toshiaki Inukai <82919057+t-inu@users.noreply.github.com>
---
 content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md b/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md
index c1d848d928ed0..a213ba723b487 100644
--- a/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md
+++ b/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md
@@ -262,7 +262,7 @@ spec:
         image: redis:3.2-alpine
 ```
 
-次の Web サーバーのDeployment例では、`app=web-store`ラベルが付与されたレプリカを作成します。Podアフィニティルールは、各レプリカを、`app=store`ラベルが付与されたPodを持つNodeに配置するようスケジューラーに指示します。Podアンチアフィニティルールは、1つのNodeに複数の`app=web-store`サーバーを配置しないようにスケジューラーに指示します。
+次のウェブサーバーのDeployment例では、`app=web-store`ラベルが付与されたレプリカを作成します。Podアフィニティルールは、各レプリカを、`app=store`ラベルが付与されたPodを持つNodeに配置するようスケジューラーに指示します。Podアンチアフィニティルールは、1つのNodeに複数の`app=web-store`サーバーを配置しないようにスケジューラーに指示します。
 
 ```yaml
 apiVersion: apps/v1

From 7824b8d5e08eb462a652f9239a6c9e92c479dd06 Mon Sep 17 00:00:00 2001
From: ziyi-xie <92832323+ziyi-xie@users.noreply.github.com>
Date: Tue, 7 Mar 2023 09:06:12 +0900
Subject: [PATCH 052/215] Update
 content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md

Co-authored-by: Toshiaki Inukai <82919057+t-inu@users.noreply.github.com>
---
 content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md b/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md
index a213ba723b487..79852409f909d 100644
--- a/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md
+++ b/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md
@@ -317,7 +317,7 @@ Podアンチアフィニティを使用する理由は他にもあります。
 
 ## nodeName
 
-`nodeName`はアフィニティや`nodeSelector`よりも直接的なNode選択形式になります。`nodeName`はPod仕様(spec)のフィールドです。`nodeName`フィールドが空でない場合、スケジューラーはPodを考慮せずに、指定されたNodeにあるkubeletはそのNodeにPodを配置しようとします。`nodeName`を使用すると、`nodeSelector`やアフィニティおよびアンチアフィニティルールを使用するよりも優先されます。
+`nodeName`はアフィニティや`nodeSelector`よりも直接的なNode選択形式になります。`nodeName`はPod仕様(spec)内のフィールドです。`nodeName`フィールドが空でない場合、スケジューラーはPodを考慮せずに、指定されたNodeにあるkubeletがそのNodeにPodを配置しようとします。`nodeName`を使用すると、`nodeSelector`やアフィニティおよびアンチアフィニティルールを使用するよりも優先されます。
 
  `nodeName`を使ってNodeを選択する場合の制約は以下の通りです:
 

From 17971a75e1b9d0515d0416b0e3e229c05f5058da Mon Sep 17 00:00:00 2001
From: ziyi-xie <92832323+ziyi-xie@users.noreply.github.com>
Date: Tue, 7 Mar 2023 13:38:40 +0900
Subject: [PATCH 053/215] Update
 content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md

---
 content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md b/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md
index 79852409f909d..4404abd8762ae 100644
--- a/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md
+++ b/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md
@@ -157,7 +157,7 @@ profiles:
 `addedAffinity`はエンドユーザーには見えないので、その動作はエンドユーザーにとって予期しないものになる可能性があります。スケジューラープロファイル名と明確な相関関係のあるNodeラベルを使用すべきです。
 
 {{< note >}}
-[DaemonSetのPodを作成する](/ja/docs/concepts/workloads/controllers/daemonset/#how-daemon-pods-are-scheduled)DaemonSetコントローラーは、スケジューリングプロファイルをサポートしていません。DaemonSetコントローラーがPodを作成すると、デフォルトのKubernetesスケジューラーがそれらのPodを配置し、DaemonSetコントローラーの`nodeAffinity`ルールに優先して従います。
+[DaemonSetのPodを作成する](/ja/docs/concepts/workloads/controllers/daemonset/#scheduled-by-default-scheduler)DaemonSetコントローラーは、スケジューリングプロファイルをサポートしていません。DaemonSetコントローラーがPodを作成すると、デフォルトのKubernetesスケジューラーがそれらのPodを配置し、DaemonSetコントローラーの`nodeAffinity`ルールに優先して従います。
 {{< /note >}}
 
 ### Pod間のアフィニティとアンチアフィニティ

From 8e42d86aa682d30e378b5e4a2eaa5cb5dbe5c72b Mon Sep 17 00:00:00 2001
From: utkarsh-singh1 <utkarsh.singh1@india.nec.com>
Date: Tue, 7 Mar 2023 11:29:35 +0530
Subject: [PATCH 054/215] Updated french documrnt web-ui-dashboard.md

Signed-off-by: utkarsh-singh1 <utkarsh.singh1@india.nec.com>
---
 .../docs/tasks/access-application-cluster/web-ui-dashboard.md   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/fr/docs/tasks/access-application-cluster/web-ui-dashboard.md b/content/fr/docs/tasks/access-application-cluster/web-ui-dashboard.md
index ba5d296adb5f8..539bec39f9ea3 100644
--- a/content/fr/docs/tasks/access-application-cluster/web-ui-dashboard.md
+++ b/content/fr/docs/tasks/access-application-cluster/web-ui-dashboard.md
@@ -29,7 +29,7 @@ L'interface utilisateur du tableau de bord n'est pas déployée par défaut.
 Pour le déployer, exécutez la commande suivante:
 
 ```text
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/aio/deploy/recommended.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/charts/recommended.yaml
 ```
 
 ## Accès à l'interface utilisateur du tableau de bord

From 20a3712cc78d0bad40a0a217aec33be7b09114a9 Mon Sep 17 00:00:00 2001
From: ziyi-xie <92832323+ziyi-xie@users.noreply.github.com>
Date: Tue, 7 Mar 2023 17:53:50 +0900
Subject: [PATCH 055/215] Update
 content/ja/docs/concepts/workloads/controllers/daemonset.md

Co-authored-by: Toshiaki Inukai <82919057+t-inu@users.noreply.github.com>
---
 content/ja/docs/concepts/workloads/controllers/daemonset.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ja/docs/concepts/workloads/controllers/daemonset.md b/content/ja/docs/concepts/workloads/controllers/daemonset.md
index da2671ca776e3..876c1276536be 100644
--- a/content/ja/docs/concepts/workloads/controllers/daemonset.md
+++ b/content/ja/docs/concepts/workloads/controllers/daemonset.md
@@ -33,7 +33,7 @@ DaemonSetのいくつかの典型的な使用例は以下の通りです。
 YAMLファイルに基づいてDaemonSetを作成します。
 
 ```
-kubectl apply -f https://k8s.io/examples/controllers/daemonset.yal
+kubectl apply -f https://k8s.io/examples/controllers/daemonset.yaml
 ```
 
 ### 必須のフィールド

From d47ec5d44992594ceb068cac40ba5706644980ac Mon Sep 17 00:00:00 2001
From: ziyi-xie <92832323+ziyi-xie@users.noreply.github.com>
Date: Tue, 7 Mar 2023 17:54:00 +0900
Subject: [PATCH 056/215] Update
 content/ja/docs/concepts/workloads/controllers/daemonset.md

Co-authored-by: Toshiaki Inukai <82919057+t-inu@users.noreply.github.com>
---
 content/ja/docs/concepts/workloads/controllers/daemonset.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ja/docs/concepts/workloads/controllers/daemonset.md b/content/ja/docs/concepts/workloads/controllers/daemonset.md
index 876c1276536be..6f9dab1607d5c 100644
--- a/content/ja/docs/concepts/workloads/controllers/daemonset.md
+++ b/content/ja/docs/concepts/workloads/controllers/daemonset.md
@@ -55,7 +55,7 @@ Podに対する必須のフィールドに加えて、DaemonSet内のPodテン
 
 DaemonSet内のPodテンプレートでは、[`RestartPolicy`](/ja/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy)フィールドを指定せずにデフォルトの`Always`を使用するか、明示的に`Always`を設定するかのどちらかである必要があります。
 
-### Podセレクター 
+### Podセレクター
 
 `.spec.selector`フィールドはPodセレクターとなります。これは[Job](/ja/docs/concepts/workloads/controllers/job/)の`.spec.selector`と同じものです。
 

From 5ef089cdca11f4407991db1102d6c7255b960913 Mon Sep 17 00:00:00 2001
From: ziyi-xie <92832323+ziyi-xie@users.noreply.github.com>
Date: Tue, 7 Mar 2023 17:54:31 +0900
Subject: [PATCH 057/215] Update
 content/ja/docs/concepts/workloads/controllers/daemonset.md

Co-authored-by: Toshiaki Inukai <82919057+t-inu@users.noreply.github.com>
---
 content/ja/docs/concepts/workloads/controllers/daemonset.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ja/docs/concepts/workloads/controllers/daemonset.md b/content/ja/docs/concepts/workloads/controllers/daemonset.md
index 6f9dab1607d5c..d0f775db2f5a5 100644
--- a/content/ja/docs/concepts/workloads/controllers/daemonset.md
+++ b/content/ja/docs/concepts/workloads/controllers/daemonset.md
@@ -78,7 +78,7 @@ DaemonSet内のPodテンプレートでは、[`RestartPolicy`](/ja/docs/concepts
 
 ## Daemon Podがどのようにスケジューリングされるか
 
-DaemonSetは全ての利用可能なNodeが単一のPodのコピーを稼働させることを保証します。DaemonSetコントローラーは対象となる各Nodeに対してPodを作成し、ターゲットホストに一致するようにPodの`spec.affinity.nodeAffinity`フィールドを追加します。Podが作成されると、デフォルトのスケジューラーが慣例的に引き継ぎ、`.spec.nodeName`を設定することでPodをターゲットホストにバインドします。新しいNodeに適合できない場合、デフォルトスケジューラーは新しいPodの[優先度](/ja/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority)に基づいて既存Podのいくつかを先取り（退避）させることがあります。
+DaemonSetは、全ての利用可能なNodeがPodのコピーを稼働させることを保証します。DaemonSetコントローラーは対象となる各Nodeに対してPodを作成し、ターゲットホストに一致するようにPodの`spec.affinity.nodeAffinity`フィールドを追加します。Podが作成されると、通常はデフォルトのスケジューラーが引き継ぎ、`.spec.nodeName`を設定することでPodをターゲットホストにバインドします。新しいNodeに適合できない場合、デフォルトスケジューラーは新しいPodの[優先度](/ja/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority)に基づいて、既存Podのいくつかを先取り(退避)させることがあります。
 
 ユーザーは、DaemonSetの`.spec.template.spec.schedulerName`フィールドを設定することにより、DaemonSetのPodsに対して異なるスケジューラーを指定することができます。
 

From 74982a315514a707fb5531b2264af8c786b537cb Mon Sep 17 00:00:00 2001
From: ziyi-xie <92832323+ziyi-xie@users.noreply.github.com>
Date: Tue, 7 Mar 2023 17:54:50 +0900
Subject: [PATCH 058/215] Update
 content/ja/docs/concepts/workloads/controllers/daemonset.md

Co-authored-by: Toshiaki Inukai <82919057+t-inu@users.noreply.github.com>
---
 content/ja/docs/concepts/workloads/controllers/daemonset.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ja/docs/concepts/workloads/controllers/daemonset.md b/content/ja/docs/concepts/workloads/controllers/daemonset.md
index d0f775db2f5a5..1707ee10d73df 100644
--- a/content/ja/docs/concepts/workloads/controllers/daemonset.md
+++ b/content/ja/docs/concepts/workloads/controllers/daemonset.md
@@ -80,7 +80,7 @@ DaemonSet内のPodテンプレートでは、[`RestartPolicy`](/ja/docs/concepts
 
 DaemonSetは、全ての利用可能なNodeがPodのコピーを稼働させることを保証します。DaemonSetコントローラーは対象となる各Nodeに対してPodを作成し、ターゲットホストに一致するようにPodの`spec.affinity.nodeAffinity`フィールドを追加します。Podが作成されると、通常はデフォルトのスケジューラーが引き継ぎ、`.spec.nodeName`を設定することでPodをターゲットホストにバインドします。新しいNodeに適合できない場合、デフォルトスケジューラーは新しいPodの[優先度](/ja/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority)に基づいて、既存Podのいくつかを先取り(退避)させることがあります。
 
-ユーザーは、DaemonSetの`.spec.template.spec.schedulerName`フィールドを設定することにより、DaemonSetのPodsに対して異なるスケジューラーを指定することができます。
+ユーザーは、DaemonSetの`.spec.template.spec.schedulerName`フィールドを設定することにより、DaemonSetのPodに対して異なるスケジューラーを指定することができます。
 
 `.spec.template.spec.affinity.nodeAffinity`フィールド(指定された場合)で指定された元のNodeアフィニティは、DaemonSetコントローラーが対象Nodeを評価する際に考慮されますが、作成されたPod上では対象Nodeの名前と一致するNodeアフィニティに置き換わります。
 

From 93ffc31f3cf49e63e1d7b3fd97efaa4854f8e248 Mon Sep 17 00:00:00 2001
From: ziyi-xie <92832323+ziyi-xie@users.noreply.github.com>
Date: Tue, 7 Mar 2023 17:55:05 +0900
Subject: [PATCH 059/215] Update
 content/ja/docs/concepts/workloads/controllers/daemonset.md

Co-authored-by: Toshiaki Inukai <82919057+t-inu@users.noreply.github.com>
---
 content/ja/docs/concepts/workloads/controllers/daemonset.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ja/docs/concepts/workloads/controllers/daemonset.md b/content/ja/docs/concepts/workloads/controllers/daemonset.md
index 1707ee10d73df..45eb01b951853 100644
--- a/content/ja/docs/concepts/workloads/controllers/daemonset.md
+++ b/content/ja/docs/concepts/workloads/controllers/daemonset.md
@@ -108,7 +108,7 @@ text="Toleration" term_id="toleration" >}}を自動的に追加します:
 | [`node.kubernetes.io/not-ready`](/docs/reference/labels-annotations-taints/#node-kubernetes-io-not-ready)             | `NoExecute`  | 健康でないNodeや、Podを受け入れる準備ができていないNodeにDaemonSet Podをスケジュールできるように設定します。そのようなNode上で動作しているDaemonSet Podは退避されることがありません。 |
 | [`node.kubernetes.io/unreachable`](/docs/reference/labels-annotations-taints/#node-kubernetes-io-unreachable)         | `NoExecute`  | Nodeコントローラーから到達できないNodeにDaemonSet Podをスケジュールできるように設定します。このようなNode上で動作しているDaemonSet Podは、退避されません。 |
 | [`node.kubernetes.io/disk-pressure`](/docs/reference/labels-annotations-taints/#node-kubernetes-io-disk-pressure)     | `NoSchedule` | ディスク不足問題のあるNodeにDaemonSet Podをスケジュールできるように設定します。                                                                         |
-| [`node.kubernetes.io/memory-pressure`](/docs/reference/labels-annotations-taints/#node-kubernetes-io-memory-pressure) | `NoSchedule` | メモリ不足問題のあるNodeにDaemonSet Podをスケジュールできるように設定します。                                                                        |
+| [`node.kubernetes.io/memory-pressure`](/docs/reference/labels-annotations-taints/#node-kubernetes-io-memory-pressure) | `NoSchedule` | メモリー不足問題のあるNodeにDaemonSet Podをスケジュールできるように設定します。                                                                        |
 | [`node.kubernetes.io/pid-pressure`](/docs/reference/labels-annotations-taints/#node-kubernetes-io-pid-pressure) | `NoSchedule` | 処理プレッシャー問題のあるNodeにDaemonSet Podをスケジュールできるように設定します。                                                                        |
 | [`node.kubernetes.io/unschedulable`](/docs/reference/labels-annotations-taints/#node-kubernetes-io-unschedulable)   | `NoSchedule` | スケジューリング不可能なNodeにDaemonSet Podをスケジュールできるように設定します。                                                                            |
 | [`node.kubernetes.io/network-unavailable`](/docs/reference/labels-annotations-taints/#node-kubernetes-io-network-unavailable) | `NoSchedule` | **ホストネットワークを要求するDaemonSet Podにのみ追加できます**、つまり`spec.hostNetwork: true`と設定されているPodです。このようなDaemonSet Podは、ネットワークが利用できないNodeにスケジュールできるように設定できます。|

From b942bf663538a55870137e2c91231778dca3bc66 Mon Sep 17 00:00:00 2001
From: ziyi-xie <92832323+ziyi-xie@users.noreply.github.com>
Date: Tue, 7 Mar 2023 17:55:22 +0900
Subject: [PATCH 060/215] Update
 content/ja/docs/concepts/workloads/controllers/daemonset.md

Co-authored-by: Toshiaki Inukai <82919057+t-inu@users.noreply.github.com>
---
 content/ja/docs/concepts/workloads/controllers/daemonset.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ja/docs/concepts/workloads/controllers/daemonset.md b/content/ja/docs/concepts/workloads/controllers/daemonset.md
index 45eb01b951853..fb3196dbd1267 100644
--- a/content/ja/docs/concepts/workloads/controllers/daemonset.md
+++ b/content/ja/docs/concepts/workloads/controllers/daemonset.md
@@ -109,7 +109,7 @@ text="Toleration" term_id="toleration" >}}を自動的に追加します:
 | [`node.kubernetes.io/unreachable`](/docs/reference/labels-annotations-taints/#node-kubernetes-io-unreachable)         | `NoExecute`  | Nodeコントローラーから到達できないNodeにDaemonSet Podをスケジュールできるように設定します。このようなNode上で動作しているDaemonSet Podは、退避されません。 |
 | [`node.kubernetes.io/disk-pressure`](/docs/reference/labels-annotations-taints/#node-kubernetes-io-disk-pressure)     | `NoSchedule` | ディスク不足問題のあるNodeにDaemonSet Podをスケジュールできるように設定します。                                                                         |
 | [`node.kubernetes.io/memory-pressure`](/docs/reference/labels-annotations-taints/#node-kubernetes-io-memory-pressure) | `NoSchedule` | メモリー不足問題のあるNodeにDaemonSet Podをスケジュールできるように設定します。                                                                        |
-| [`node.kubernetes.io/pid-pressure`](/docs/reference/labels-annotations-taints/#node-kubernetes-io-pid-pressure) | `NoSchedule` | 処理プレッシャー問題のあるNodeにDaemonSet Podをスケジュールできるように設定します。                                                                        |
+| [`node.kubernetes.io/pid-pressure`](/docs/reference/labels-annotations-taints/#node-kubernetes-io-pid-pressure) | `NoSchedule` | 処理負荷に問題のあるNodeにDaemonSet Podをスケジュールできるように設定します。                                                                        |
 | [`node.kubernetes.io/unschedulable`](/docs/reference/labels-annotations-taints/#node-kubernetes-io-unschedulable)   | `NoSchedule` | スケジューリング不可能なNodeにDaemonSet Podをスケジュールできるように設定します。                                                                            |
 | [`node.kubernetes.io/network-unavailable`](/docs/reference/labels-annotations-taints/#node-kubernetes-io-network-unavailable) | `NoSchedule` | **ホストネットワークを要求するDaemonSet Podにのみ追加できます**、つまり`spec.hostNetwork: true`と設定されているPodです。このようなDaemonSet Podは、ネットワークが利用できないNodeにスケジュールできるように設定できます。|
 

From b3db57752e6034f1dc255615bc3c396d79da9ce0 Mon Sep 17 00:00:00 2001
From: ziyi-xie <92832323+ziyi-xie@users.noreply.github.com>
Date: Tue, 7 Mar 2023 17:55:51 +0900
Subject: [PATCH 061/215] Update
 content/ja/docs/concepts/workloads/controllers/daemonset.md

Co-authored-by: Toshiaki Inukai <82919057+t-inu@users.noreply.github.com>
---
 content/ja/docs/concepts/workloads/controllers/daemonset.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ja/docs/concepts/workloads/controllers/daemonset.md b/content/ja/docs/concepts/workloads/controllers/daemonset.md
index fb3196dbd1267..a9f7fdf1b1956 100644
--- a/content/ja/docs/concepts/workloads/controllers/daemonset.md
+++ b/content/ja/docs/concepts/workloads/controllers/daemonset.md
@@ -117,7 +117,7 @@ text="Toleration" term_id="toleration" >}}を自動的に追加します:
 
 DaemonSetのPodテンプレートで定義すれば、DaemonSetのPodに独自のTolerationを追加することも可能です。
 
-DaemonSetコントローラーは`node.kubernetes.io/unschedulable:NoSchedule`Tolerationを自動的に設定するため、Kubernetesは _スケジューリング不可能_ としてマークされているNodeでDaemonSet Podを実行することが可能です。
+DaemonSetコントローラーは`node.kubernetes.io/unschedulable:NoSchedule`のTolerationを自動的に設定するため、Kubernetesは _スケジューリング不可能_ としてマークされているNodeでDaemonSet Podを実行することが可能です。
 
 [クラスターのネットワーク](/ja/docs/concepts/cluster-administration/networking/)のような重要なNodeレベル機能をDaemonSetで提供する場合、KubernetesがDaemonSet PodをNodeが準備完了になる前に配置することは有用です。
 例えば、その特別なTolerationがなければ、ネットワークプラグインがそこで実行されていないためにNodeが準備完了としてマークされず、同時にNodeがまだ準備完了でないためにそのNode上でネットワークプラグインが実行されていないというデッドロック状態に陥ってしまう可能性があるのです。

From d68da8ec5d5e8048b765ee4df872de66905eaad3 Mon Sep 17 00:00:00 2001
From: ziyi-xie <92832323+ziyi-xie@users.noreply.github.com>
Date: Tue, 7 Mar 2023 17:56:11 +0900
Subject: [PATCH 062/215] Update
 content/ja/docs/concepts/workloads/controllers/daemonset.md

Co-authored-by: Toshiaki Inukai <82919057+t-inu@users.noreply.github.com>
---
 content/ja/docs/concepts/workloads/controllers/daemonset.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ja/docs/concepts/workloads/controllers/daemonset.md b/content/ja/docs/concepts/workloads/controllers/daemonset.md
index a9f7fdf1b1956..f5222384b148f 100644
--- a/content/ja/docs/concepts/workloads/controllers/daemonset.md
+++ b/content/ja/docs/concepts/workloads/controllers/daemonset.md
@@ -119,7 +119,7 @@ DaemonSetのPodテンプレートで定義すれば、DaemonSetのPodに独自
 
 DaemonSetコントローラーは`node.kubernetes.io/unschedulable:NoSchedule`のTolerationを自動的に設定するため、Kubernetesは _スケジューリング不可能_ としてマークされているNodeでDaemonSet Podを実行することが可能です。
 
-[クラスターのネットワーク](/ja/docs/concepts/cluster-administration/networking/)のような重要なNodeレベル機能をDaemonSetで提供する場合、KubernetesがDaemonSet PodをNodeが準備完了になる前に配置することは有用です。
+[クラスターのネットワーク](/ja/docs/concepts/cluster-administration/networking/)のような重要なNodeレベルの機能をDaemonSetで提供する場合、KubernetesがDaemonSet PodをNodeが準備完了になる前に配置することは有用です。
 例えば、その特別なTolerationがなければ、ネットワークプラグインがそこで実行されていないためにNodeが準備完了としてマークされず、同時にNodeがまだ準備完了でないためにそのNode上でネットワークプラグインが実行されていないというデッドロック状態に陥ってしまう可能性があるのです。
 
 ## Daemon Podとのコミュニケーション

From 60ab92635e8495c53b6bf6ddcd727364fc3f5a29 Mon Sep 17 00:00:00 2001
From: ziyi-xie <92832323+ziyi-xie@users.noreply.github.com>
Date: Tue, 7 Mar 2023 17:56:27 +0900
Subject: [PATCH 063/215] Update
 content/ja/docs/concepts/workloads/controllers/daemonset.md

Co-authored-by: Toshiaki Inukai <82919057+t-inu@users.noreply.github.com>
---
 content/ja/docs/concepts/workloads/controllers/daemonset.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ja/docs/concepts/workloads/controllers/daemonset.md b/content/ja/docs/concepts/workloads/controllers/daemonset.md
index f5222384b148f..09e361c6a9977 100644
--- a/content/ja/docs/concepts/workloads/controllers/daemonset.md
+++ b/content/ja/docs/concepts/workloads/controllers/daemonset.md
@@ -129,7 +129,7 @@ DaemonSet内のPodとのコミュニケーションをする際に考えられ
 - **Push**: DaemonSet内のPodは統計データベースなどの他のサービスに対して更新情報を送信するように設定されます。クライアントは持っていません。
 - **NodeIPとKnown Port**: PodがNodeIPを介して疎通できるようにするため、DaemonSet内のPodは`hostPort`を使用できます。慣例により、クライアントはNodeIPのリストとポートを知っています。
 - **DNS**: 同じPodセレクターを持つ[HeadlessService](/ja/docs/concepts/services-networking/service/#headless-service)を作成し、`endpoints`リソースを使ってDaemonSetを探すか、DNSから複数のAレコードを取得します。
-- **Service**: 同じPodセレクターを持つServiceを作成し、複数のうちのいずれかのNode上のDaemonに疎通させるためにそのServiceを使います。(特定のNodeにアクセスする方法がありません。)
+- **Service**: 同じPodセレクターを持つServiceを作成し、複数のうちのいずれかのNode上のDaemonに疎通させるためにそのServiceを使います。(特定のNodeにアクセスする方法はありません。)
 
 ## DaemonSetの更新
 

From 78f342cc82e1c1345b31a41a14a28d025fff9232 Mon Sep 17 00:00:00 2001
From: ziyi-xie <92832323+ziyi-xie@users.noreply.github.com>
Date: Tue, 7 Mar 2023 17:56:47 +0900
Subject: [PATCH 064/215] Update
 content/ja/docs/concepts/workloads/controllers/daemonset.md

Co-authored-by: Toshiaki Inukai <82919057+t-inu@users.noreply.github.com>
---
 content/ja/docs/concepts/workloads/controllers/daemonset.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ja/docs/concepts/workloads/controllers/daemonset.md b/content/ja/docs/concepts/workloads/controllers/daemonset.md
index 09e361c6a9977..8a1a3090418e4 100644
--- a/content/ja/docs/concepts/workloads/controllers/daemonset.md
+++ b/content/ja/docs/concepts/workloads/controllers/daemonset.md
@@ -111,7 +111,7 @@ text="Toleration" term_id="toleration" >}}を自動的に追加します:
 | [`node.kubernetes.io/memory-pressure`](/docs/reference/labels-annotations-taints/#node-kubernetes-io-memory-pressure) | `NoSchedule` | メモリー不足問題のあるNodeにDaemonSet Podをスケジュールできるように設定します。                                                                        |
 | [`node.kubernetes.io/pid-pressure`](/docs/reference/labels-annotations-taints/#node-kubernetes-io-pid-pressure) | `NoSchedule` | 処理負荷に問題のあるNodeにDaemonSet Podをスケジュールできるように設定します。                                                                        |
 | [`node.kubernetes.io/unschedulable`](/docs/reference/labels-annotations-taints/#node-kubernetes-io-unschedulable)   | `NoSchedule` | スケジューリング不可能なNodeにDaemonSet Podをスケジュールできるように設定します。                                                                            |
-| [`node.kubernetes.io/network-unavailable`](/docs/reference/labels-annotations-taints/#node-kubernetes-io-network-unavailable) | `NoSchedule` | **ホストネットワークを要求するDaemonSet Podにのみ追加できます**、つまり`spec.hostNetwork: true`と設定されているPodです。このようなDaemonSet Podは、ネットワークが利用できないNodeにスケジュールできるように設定できます。|
+| [`node.kubernetes.io/network-unavailable`](/docs/reference/labels-annotations-taints/#node-kubernetes-io-network-unavailable) | `NoSchedule` | **ホストネットワークを要求するDaemonSet Podにのみ追加できます**、つまり`spec.hostNetwork: true`と設定されているPodです。このようなDaemonSet Podは、ネットワークが利用できないNodeにスケジュールできるように設定します。|
 
 {{< /table >}}
 

From 947170af0bada3cf9800547f7a64ac2b20841de6 Mon Sep 17 00:00:00 2001
From: ziyi-xie <92832323+ziyi-xie@users.noreply.github.com>
Date: Tue, 7 Mar 2023 17:57:00 +0900
Subject: [PATCH 065/215] Update
 content/ja/docs/concepts/workloads/controllers/daemonset.md

Co-authored-by: Toshiaki Inukai <82919057+t-inu@users.noreply.github.com>
---
 content/ja/docs/concepts/workloads/controllers/daemonset.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ja/docs/concepts/workloads/controllers/daemonset.md b/content/ja/docs/concepts/workloads/controllers/daemonset.md
index 8a1a3090418e4..d813d45b032d6 100644
--- a/content/ja/docs/concepts/workloads/controllers/daemonset.md
+++ b/content/ja/docs/concepts/workloads/controllers/daemonset.md
@@ -124,7 +124,7 @@ DaemonSetコントローラーは`node.kubernetes.io/unschedulable:NoSchedule`
 
 ## Daemon Podとのコミュニケーション
 
-DaemonSet内のPodとのコミュニケーションをする際に考えられるパターンは以下の通りです。:
+DaemonSet内のPodとのコミュニケーションをする際に考えられるパターンは以下の通りです:
 
 - **Push**: DaemonSet内のPodは統計データベースなどの他のサービスに対して更新情報を送信するように設定されます。クライアントは持っていません。
 - **NodeIPとKnown Port**: PodがNodeIPを介して疎通できるようにするため、DaemonSet内のPodは`hostPort`を使用できます。慣例により、クライアントはNodeIPのリストとポートを知っています。

From a37532c0b85e93687e6804379f6e98510fe280cc Mon Sep 17 00:00:00 2001
From: ziyi-xie <92832323+ziyi-xie@users.noreply.github.com>
Date: Tue, 7 Mar 2023 17:58:02 +0900
Subject: [PATCH 066/215] Update
 content/ja/docs/concepts/workloads/controllers/daemonset.md

Co-authored-by: Toshiaki Inukai <82919057+t-inu@users.noreply.github.com>
---
 content/ja/docs/concepts/workloads/controllers/daemonset.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ja/docs/concepts/workloads/controllers/daemonset.md b/content/ja/docs/concepts/workloads/controllers/daemonset.md
index d813d45b032d6..c5b129442e56a 100644
--- a/content/ja/docs/concepts/workloads/controllers/daemonset.md
+++ b/content/ja/docs/concepts/workloads/controllers/daemonset.md
@@ -149,7 +149,7 @@ Node上で直接起動することにより(例: `init`、`upstartd`、`systemd`
 
 - アプリケーションと同じ方法でデーモンの監視とログの管理ができる。
 - デーモンとアプリケーションで同じ設定用の言語とツール(例: Podテンプレート、`kubectl`)を使える。
-- リソースリミットを使ったコンテナ内でデーモンを稼働させることにより、デーモンとアプリケーションコンテナの分離を促進します。しかし、これはPod内でなく、コンテナ内でデーモンを稼働させることにより可能です。
+- リソースリミットを使ったコンテナ内でデーモンを稼働させることにより、デーモンとアプリケーションコンテナの分離性が高まります。ただし、これはPod内ではなく、コンテナ内でデーモンを稼働させることでも可能です。
 
 ### ベアPod
 

From 646bc62495d1847c221e440562820e22265fda3c Mon Sep 17 00:00:00 2001
From: ziyi-xie <92832323+ziyi-xie@users.noreply.github.com>
Date: Tue, 7 Mar 2023 17:59:27 +0900
Subject: [PATCH 067/215] Update
 content/ja/docs/concepts/workloads/controllers/daemonset.md

Co-authored-by: Toshiaki Inukai <82919057+t-inu@users.noreply.github.com>
---
 content/ja/docs/concepts/workloads/controllers/daemonset.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ja/docs/concepts/workloads/controllers/daemonset.md b/content/ja/docs/concepts/workloads/controllers/daemonset.md
index c5b129442e56a..f0f9379993e22 100644
--- a/content/ja/docs/concepts/workloads/controllers/daemonset.md
+++ b/content/ja/docs/concepts/workloads/controllers/daemonset.md
@@ -164,7 +164,7 @@ Kubeletによって監視されているディレクトリに対してファイ
 DaemonSetは、Podの作成し、そのPodが停止されることのないプロセスを持つことにおいて[Deployment](/ja/docs/concepts/workloads/controllers/deployment/)と同様です(例: webサーバー、ストレージサーバー)。
 
 フロントエンドのようなServiceのように、どのホスト上にPodが稼働するか制御するよりも、レプリカ数をスケールアップまたはスケールダウンしたりローリングアップデートする方が重要であるような、状態をもたないServiceに対してDeploymentを使ってください。
-DaemonSetがNodeレベルの機能を提供し、他のPodがその特定のNodeで正しく動作するようにする場合、Podのコピーが全てまたは特定のホスト上で常に稼働していることが重要な場合や、他のPodの前に起動させる必要があるときにDaemonSetを使ってください。
+DaemonSetがNodeレベルの機能を提供し、他のPodがその特定のNodeで正しく動作するようにする場合、Podのコピーが全てまたは特定のホスト上で常に稼働していることが重要な場合にDaemonSetを使ってください。
 
 例えば、[ネットワークプラグイン](/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/)には、DaemonSetとして動作するコンポーネントが含まれていることがよくあります。DaemonSetコンポーネントは、それが動作しているNodeでクラスターネットワークが動作していることを確認します。
 

From bccd515e3ea8ecc79a06cb7ae71204085225baca Mon Sep 17 00:00:00 2001
From: windsonsea <haifeng.yao@daocloud.io>
Date: Tue, 7 Mar 2023 18:06:23 +0800
Subject: [PATCH 068/215] [zh] sync organize-cluster-access-kubeconfig.md

---
 .../organize-cluster-access-kubeconfig.md     | 108 +++++++++---------
 1 file changed, 54 insertions(+), 54 deletions(-)

diff --git a/content/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig.md b/content/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig.md
index c181e32fcef7b..d89e7c7f1f3f8 100644
--- a/content/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig.md
+++ b/content/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig.md
@@ -20,27 +20,23 @@ of a cluster.
 使用 kubeconfig 文件来组织有关集群、用户、命名空间和身份认证机制的信息。
 `kubectl` 命令行工具使用 kubeconfig 文件来查找选择集群所需的信息，并与集群的 API 服务器进行通信。
 
-<!--
 {{< note >}}
+<!--
 A file that is used to configure access to clusters is called
 a *kubeconfig file*. This is a generic way of referring to configuration files.
 It does not mean that there is a file named `kubeconfig`.
-{{< /note >}}
 -->
-{{< note >}}
-用于配置集群访问的文件称为“kubeconfig 文件”。
-这是引用配置文件的通用方法，并不意味着有一个名为 `kubeconfig` 的文件
+用于配置集群访问的文件称为 **kubeconfig 文件**。
+这是引用到配置文件的通用方法，并不意味着有一个名为 `kubeconfig` 的文件。
 {{< /note >}}
 
-<!--
 {{< warning >}}
+<!--
 Only use kubeconfig files from trusted sources. Using a specially-crafted kubeconfig file could result in malicious code execution or file exposure.
 If you must use an untrusted kubeconfig file, inspect it carefully first, much as you would a shell script.
-{{< /warning>}}
 -->
-{{< warning >}}
-只使用来源可靠的 kubeconfig 文件。使用特制的 kubeconfig 文件可能会导致恶意代码执行或文件暴露。
-如果必须使用不受信任的 kubeconfig 文件，请首先像检查 shell 脚本一样仔细检查它。
+请务必仅使用来源可靠的 kubeconfig 文件。使用特制的 kubeconfig 文件可能会导致恶意代码执行或文件暴露。
+如果必须使用不受信任的 kubeconfig 文件，请首先像检查 Shell 脚本一样仔细检查此文件。
 {{< /warning>}}
 
 <!--
@@ -57,15 +53,15 @@ variable or by setting the
 For step-by-step instructions on creating and specifying kubeconfig files, see
 [Configure Access to Multiple Clusters](/docs/tasks/access-application-cluster/configure-access-multiple-clusters).
 -->
-有关创建和指定 kubeconfig 文件的分步说明，请参阅
-[配置对多集群的访问](/zh-cn/docs/tasks/access-application-cluster/configure-access-multiple-clusters)。
+有关创建和指定 kubeconfig 文件的分步说明，
+请参阅[配置对多集群的访问](/zh-cn/docs/tasks/access-application-cluster/configure-access-multiple-clusters)。
 
 <!-- body -->
 
 <!--
 ## Supporting multiple clusters, users, and authentication mechanisms
 -->
-## 支持多集群、用户和身份认证机制
+## 支持多集群、用户和身份认证机制   {#support-clusters-users-and-authn}
 
 <!--
 Suppose you have several clusters, and your users and components authenticate
@@ -92,7 +88,7 @@ clusters and namespaces.
 <!--
 ## Context
 -->
-## 上下文（Context）
+## 上下文（Context）   {#context}
 
 <!--
 A *context* element in a kubeconfig file is used to group access parameters
@@ -107,7 +103,7 @@ the *current context* to communicate with the cluster.
 <!--
 To choose the current context:
 -->
-选择当前上下文
+选择当前上下文：
 
 ```shell
 kubectl config use-context
@@ -116,7 +112,7 @@ kubectl config use-context
 <!--
 ## The KUBECONFIG environment variable
 -->
-## KUBECONFIG 环境变量
+## KUBECONFIG 环境变量   {#kubeconfig-env-var}
 
 <!--
 The `KUBECONFIG` environment variable holds a list of kubeconfig files.
@@ -126,21 +122,21 @@ required. If the `KUBECONFIG` environment variable doesn't exist,
 `kubectl` uses the default kubeconfig file, `$HOME/.kube/config`.
 -->
 `KUBECONFIG` 环境变量包含一个 kubeconfig 文件列表。
-对于 Linux 和 Mac，列表以冒号分隔。对于 Windows，列表以分号分隔。
-`KUBECONFIG` 环境变量不是必要的。
-如果 `KUBECONFIG` 环境变量不存在，`kubectl` 使用默认的 kubeconfig 文件，`$HOME/.kube/config`。
+对于 Linux 和 Mac，此列表以英文冒号分隔。对于 Windows，此列表以英文分号分隔。
+`KUBECONFIG` 环境变量不是必需的。
+如果 `KUBECONFIG` 环境变量不存在，`kubectl` 将使用默认的 kubeconfig 文件：`$HOME/.kube/config`。
 
 <!--
 If the `KUBECONFIG` environment variable does exist, `kubectl` uses
 an effective configuration that is the result of merging the files
 listed in the `KUBECONFIG` environment variable.
 -->
-如果 `KUBECONFIG` 环境变量存在，`kubectl` 使用 `KUBECONFIG` 环境变量中列举的文件合并后的有效配置。
+如果 `KUBECONFIG` 环境变量存在，`kubectl` 将使用 `KUBECONFIG` 环境变量中列举的文件合并后的有效配置。
 
 <!--
 ## Merging kubeconfig files
 -->
-## 合并 kubeconfig 文件
+## 合并 kubeconfig 文件   {#merge-kubeconfig-files}
 
 <!--
 To see your configuration, enter this command:
@@ -155,7 +151,7 @@ kubectl config view
 As described previously, the output might be from a single kubeconfig file,
 or it might be the result of merging several kubeconfig files.
 -->
-如前所述，输出可能来自 kubeconfig 文件，也可能是合并多个 kubeconfig 文件的结果。
+如前所述，输出可能来自单个 kubeconfig 文件，也可能是合并多个 kubeconfig 文件的结果。
 
 <!--
 Here are the rules that `kubectl` uses when it merges kubeconfig files:
@@ -186,34 +182,36 @@ Here are the rules that `kubectl` uses when it merges kubeconfig files:
    * 忽略空文件名。
    * 对于内容无法反序列化的文件，产生错误信息。
    * 第一个设置特定值或者映射键的文件将生效。
-   * 永远不会更改值或者映射键。示例：保留第一个文件的上下文以设置 `current-context`。示例：如果两个文件都指定了 `red-user`，则仅使用第一个文件的 `red-user` 中的值。即使第二个文件在 `red-user` 下有非冲突条目，也要丢弃它们。
+   * 永远不会更改值或者映射键。示例：保留第一个文件的上下文以设置 `current-context`。
+     示例：如果两个文件都指定了 `red-user`，则仅使用第一个文件的 `red-user` 中的值。
+     即使第二个文件在 `red-user` 下有非冲突条目，也要丢弃它们。
 
-<!--
+   <!--
    For an example of setting the `KUBECONFIG` environment variable, see
    [Setting the KUBECONFIG environment variable](/docs/tasks/access-application-cluster/configure-access-multiple-clusters/#set-the-kubeconfig-environment-variable).
--->
-   有关设置 `KUBECONFIG` 环境变量的示例，请参阅
-   [设置 KUBECONFIG 环境变量](/zh-cn/docs/tasks/access-application-cluster/configure-access-multiple-clusters/#set-the-kubeconfig-environment-variable)。
+   -->
+   有关设置 `KUBECONFIG` 环境变量的示例，
+   请参阅[设置 KUBECONFIG 环境变量](/zh-cn/docs/tasks/access-application-cluster/configure-access-multiple-clusters/#set-the-kubeconfig-environment-variable)。
 
-<!--
+   <!--
    Otherwise, use the default kubeconfig file, `$HOME/.kube/config`, with no merging.
--->
-   否则，使用默认的 kubeconfig 文件， `$HOME/.kube/config`，不进行合并。
+   -->
+   否则，使用默认的 kubeconfig 文件（`$HOME/.kube/config`），不进行合并。
 
 <!--
 1. Determine the context to use based on the first hit in this chain:
 
     1. Use the `--context` command-line flag if it exists.
-    2. Use the `current-context` from the merged kubeconfig files.
+    1. Use the `current-context` from the merged kubeconfig files.
 -->
 2. 根据此链中的第一个匹配确定要使用的上下文。
 
-    1. 如果存在，使用 `--context` 命令行参数。
+    1. 如果存在上下文，则使用 `--context` 命令行参数。
     2. 使用合并的 kubeconfig 文件中的 `current-context`。
 
-<!--
+   <!--
    An empty context is allowed at this point.
--->
+   -->
    这种场景下允许空上下文。
 
 <!--
@@ -222,16 +220,17 @@ Here are the rules that `kubectl` uses when it merges kubeconfig files:
    which is run twice: once for user and once for cluster:
 
    1. Use a command-line flag if it exists: `--user` or `--cluster`.
-   2. If the context is non-empty, take the user or cluster from the context.
+   1. If the context is non-empty, take the user or cluster from the context.
 -->
-3. 确定集群和用户。此时，可能有也可能没有上下文。根据此链中的第一个匹配确定集群和用户，这将运行两次：一次用于用户，一次用于集群。
+3. 确定集群和用户。此时，可能有也可能没有上下文。根据此链中的第一个匹配确定集群和用户，
+   这将运行两次：一次用于用户，一次用于集群。
 
-   1. 如果存在，使用命令行参数：`--user` 或者 `--cluster`。
-   2. 如果上下文非空，从上下文中获取用户或集群。
+   1. 如果存在用户或集群，则使用命令行参数：`--user` 或者 `--cluster`。
+   2. 如果上下文非空，则从上下文中获取用户或集群。
 
-<!--
+   <!--
    The user and cluster can be empty at this point.
--->
+   -->
    这种场景下用户和集群可以为空。
 
 <!--
@@ -240,32 +239,33 @@ Here are the rules that `kubectl` uses when it merges kubeconfig files:
    Build each piece of the cluster information based on this chain; the first hit wins:
 
    1. Use command line flags if they exist: `--server`, `--certificate-authority`, `--insecure-skip-tls-verify`.
-   2. If any cluster information attributes exist from the merged kubeconfig files, use them.
-   3. If there is no server location, fail.
+   1. If any cluster information attributes exist from the merged kubeconfig files, use them.
+   1. If there is no server location, fail.
 -->
-4. 确定要使用的实际集群信息。此时，可能有也可能没有集群信息。基于此链构建每个集群信息；第一个匹配项会被采用：
+4. 确定要使用的实际集群信息。此时，可能有也可能没有集群信息。
+   基于此链构建每个集群信息；第一个匹配项会被采用：
 
-   1. 如果存在：`--server`、`--certificate-authority` 和 `--insecure-skip-tls-verify`，使用命令行参数。
-   2. 如果合并的 kubeconfig 文件中存在集群信息属性，则使用它们。
+   1. 如果存在集群信息，则使用命令行参数：`--server`、`--certificate-authority` 和 `--insecure-skip-tls-verify`。
+   2. 如果合并的 kubeconfig 文件中存在集群信息属性，则使用这些属性。
    3. 如果没有 server 配置，则配置无效。
 
 <!--
-2. Determine the actual user information to use. Build user information using the same
+1. Determine the actual user information to use. Build user information using the same
    rules as cluster information, except allow only one authentication
    technique per user:
 
    1. Use command line flags if they exist: `--client-certificate`, `--client-key`, `--username`, `--password`, `--token`.
-   2. Use the `user` fields from the merged kubeconfig files.
-   3. If there are two conflicting techniques, fail.
+   1. Use the `user` fields from the merged kubeconfig files.
+   1. If there are two conflicting techniques, fail.
 -->
-5. 确定要使用的实际用户信息。使用与集群信息相同的规则构建用户信息，但每个用户只允许一种身份认证技术：
+5. 确定要使用的实际用户信息。使用与集群信息相同的规则构建用户信息，但对于每个用户只允许使用一种身份认证技术：
 
-   1. 如果存在：`--client-certificate`、`--client-key`、`--username`、`--password` 和 `--token`，使用命令行参数。
+   1. 如果存在用户信息，则使用命令行参数：`--client-certificate`、`--client-key`、`--username`、`--password` 和 `--token`。
    2. 使用合并的 kubeconfig 文件中的 `user` 字段。
    3. 如果存在两种冲突技术，则配置无效。
 
 <!--
-3. For any information still missing, use default values and potentially
+1. For any information still missing, use default values and potentially
    prompt for authentication information.
 -->
 6. 对于仍然缺失的任何信息，使用其对应的默认值，并可能提示输入身份认证信息。
@@ -273,7 +273,7 @@ Here are the rules that `kubectl` uses when it merges kubeconfig files:
 <!--
 ## File references
 -->
-## 文件引用
+## 文件引用   {#file-reference}
 
 <!--
 File and path references in a kubeconfig file are relative to the location of the kubeconfig file.
@@ -283,14 +283,14 @@ are stored absolutely.
 -->
 kubeconfig 文件中的文件和路径引用是相对于 kubeconfig 文件的位置。
 命令行上的文件引用是相对于当前工作目录的。
-在 `$HOME/.kube/config` 中，相对路径按相对路径存储，绝对路径按绝对路径存储。
+在 `$HOME/.kube/config` 中，相对路径按相对路径存储，而绝对路径按绝对路径存储。
 
 <!--
 ## Proxy
 
 You can configure `kubectl` to use a proxy per cluster using `proxy-url` in your kubeconfig file, like this:
 -->
-## 代理
+## 代理   {#proxy}
 
 你可以在 `kubeconfig` 文件中，为每个集群配置 `proxy-url` 来让 `kubectl` 使用代理，例如：
 

From f5bb98716ec08b77242b05d996cb4daf357e103c Mon Sep 17 00:00:00 2001
From: marianogg9 <gonzalez.mariano.gabriel@gmail.com>
Date: Tue, 7 Mar 2023 13:01:17 +0100
Subject: [PATCH 069/215] rephrased finalizers.md

---
 content/es/docs/reference/glossary/finalizer.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/content/es/docs/reference/glossary/finalizer.md b/content/es/docs/reference/glossary/finalizer.md
index 765ab36a83ad0..af8367da7b62d 100644
--- a/content/es/docs/reference/glossary/finalizer.md
+++ b/content/es/docs/reference/glossary/finalizer.md
@@ -9,9 +9,8 @@ short_description: >
 aka: 
 tags:
 - fundamental
-- operation
 ---
-Los finalizadores son atributos de un namespace que dictan a Kubernetes a
+Los finalizadores son atributos de un namespace que instruyen a Kubernetes a
 esperar a que ciertas condiciones sean satisfechas antes que pueda borrar
 definitivamente un objeto que ha sido marcado para eliminarse.
 Los finalizadores alertan a los {{<glossary_tooltip text="controladores" term_id="controller">}}

From a45d7fe2d30a1e2ca63b7c4cd9ba111701667d2e Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Thu, 2 Mar 2023 17:14:27 +0100
Subject: [PATCH 070/215] Add blog post about forensic container analysis

Co-authored-by: Tim Bannister <tim@scalefactory.com>
Signed-off-by: Adrian Reber <areber@redhat.com>
---
 .../index.md                                  | 373 ++++++++++++++++++
 1 file changed, 373 insertions(+)
 create mode 100644 content/en/blog/_posts/2023-03-10-forensic-container-analysis/index.md

diff --git a/content/en/blog/_posts/2023-03-10-forensic-container-analysis/index.md b/content/en/blog/_posts/2023-03-10-forensic-container-analysis/index.md
new file mode 100644
index 0000000000000..7edff1196a2f7
--- /dev/null
+++ b/content/en/blog/_posts/2023-03-10-forensic-container-analysis/index.md
@@ -0,0 +1,373 @@
+---
+layout: blog
+title: "Forensic container analysis"
+date: 2023-03-10
+slug: forensic-container-analysis
+---
+
+**Authors:** Adrian Reber (Red Hat)
+
+In my previous article, [Forensic container checkpointing in
+Kubernetes][forensic-blog], I introduced checkpointing in Kubernetes
+and how it has to be setup and how it can be used. The name of the
+feature is Forensic container checkpointing, but I did not go into
+any details how to do the actual analysis of the checkpoint created by
+Kubernetes. In this article I want to provide details how the
+checkpoint can be analyzed.
+
+Checkpointing is still an alpha feature in Kubernetes and this article
+wants to provide a preview how the feature might work in the future.
+
+## Preparation
+
+Details about how to configure Kubernetes and the underlying CRI implementation
+to enable checkpointing support can be found in my [Forensic container
+checkpointing in Kubernetes][forensic-blog] article.
+
+As an example I prepared a container image (`quay.io/adrianreber/counter:blog`)
+which I want to checkpoint and then analyze in this article. This container allows
+me to create files in the container and also store information in memory which
+I later want to find in the checkpoint.
+
+To run that container I need a pod, and for this example I am using the following Pod manifest:
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: counters
+spec:
+  containers:
+  - name: counter
+    image: quay.io/adrianreber/counter:blog
+```
+
+This results in a container called `counter` running in a pod called `counters`.
+
+Once the container is running I am performing following actions with that
+container:
+
+```console
+$ kubectl get pod counters --template '{{.status.podIP}}'
+10.88.0.25
+$ curl 10.88.0.25:8088/create?test-file
+$ curl 10.88.0.25:8088/secret?RANDOM_1432_KEY
+$ curl 10.88.0.25:8088
+```
+
+The first access creates a file called `test-file` with the content `test-file`
+in the container and the second access stores my secret information
+(`RANDOM_1432_KEY`) somewhere in the container's memory. The last access just
+adds an additional line to the internal log file.
+
+The last step before I can analyze the checkpoint it to tell Kubernetes to create
+the checkpoint. As described in the previous article this requires access to the
+*kubelet* only `checkpoint` API endpoint.
+
+For a container named *counter* in a pod named *counters* in a namespace named
+*default* the *kubelet* API endpoint is reachable at:
+
+```shell
+# run this on the node where that Pod is executing
+curl -X POST "https://localhost:10250/checkpoint/default/counters/counter"
+```
+
+For completeness the following `curl` command-line options are necessary to
+have `curl` accept the *kubelet*'s self signed certificate and authorize the
+use of the *kubelet* `checkpoint` API:
+
+```shell
+--insecure --cert /var/run/kubernetes/client-admin.crt --key /var/run/kubernetes/client-admin.key
+```
+
+Once the checkpointing has finished the checkpoint should be available at
+`/var/lib/kubelet/checkpoints/checkpoint-<pod-name>_<namespace-name>-<container-name>-<timestamp>.tar`
+
+In the following steps of this article I will use the name `checkpoint.tar`
+when analyzing the checkpoint archive.
+
+## Checkpoint archive analysis using `checkpointctl`
+
+To get some initial information about the checkpointed container I am using the
+tool [checkpointctl][checkpointctl] like this:
+
+```console
+$ checkpointctl show checkpoint.tar --print-stats
++-----------+----------------------------------+--------------+---------+---------------------+--------+------------+------------+-------------------+
+| CONTAINER |              IMAGE               |      ID      | RUNTIME |       CREATED       | ENGINE |     IP     | CHKPT SIZE | ROOT FS DIFF SIZE |
++-----------+----------------------------------+--------------+---------+---------------------+--------+------------+------------+-------------------+
+| counter   | quay.io/adrianreber/counter:blog | 059a219a22e5 | runc    | 2023-03-02T06:06:49 | CRI-O  | 10.88.0.23 | 8.6 MiB    | 3.0 KiB           |
++-----------+----------------------------------+--------------+---------+---------------------+--------+------------+------------+-------------------+
+CRIU dump statistics
++---------------+-------------+--------------+---------------+---------------+---------------+
+| FREEZING TIME | FROZEN TIME | MEMDUMP TIME | MEMWRITE TIME | PAGES SCANNED | PAGES WRITTEN |
++---------------+-------------+--------------+---------------+---------------+---------------+
+| 100809 us     | 119627 us   | 11602 us     | 7379 us       |          7800 |          2198 |
++---------------+-------------+--------------+---------------+---------------+---------------+
+```
+
+This gives me already some information about the checkpoint in that checkpoint
+archive.  I can see the name of the container, information about the container
+runtime and container engine.  It also lists the size of the checkpoint (`CHKPT
+SIZE`). This is mainly the size of the memory pages included in the checkpoint,
+but there is also information about the size of all changed files in the
+container (`ROOT FS DIFF SIZE`).
+
+The additional parameter `--print-stats` decodes information in the checkpoint
+archive and displays them in the second table (*CRIU dump statistics*). This
+information is collected during checkpoint creation and gives an overview how much
+time CRIU needed to checkpoint the processes in the container and how many
+memory pages were analyzed and written during checkpoint creation.
+
+## Digging deeper
+
+With the help of `checkpointctl` I am able to get some high level information
+about the checkpoint archive. To be able to analyze the checkpoint archive
+further I have to extract it. The checkpoint archive is a *tar* archive and can
+be extracted with the help of `tar xf checkpoint.tar`.
+
+Extracting the checkpoint archive will result in following files and directories:
+
+* `bind.mounts` - this file contains information about bind mounts and is needed
+  during restore to mount all external files and directories at the right location
+* `checkpoint/` - this directory contains the actual checkpoint as created by
+  CRIU
+* `config.dump` and `spec.dump` - these files contain metadata about the container
+  which is needed during restore
+* `dump.log` - this file contains the debug output of CRIU created during
+  checkpointing
+* `stats-dump` - this file contains the data which is used by `checkpointctl`
+  to display dump statistics (`--print-stats`)
+* `rootfs-diff.tar` - this file contains all changed files on the container's
+  file-system
+
+### File-system changes - `rootfs-diff.tar`
+
+The first step to analyze the container's checkpoint further is to look at
+the files that have changed in my container. This can be done by looking at the
+file `rootfs-diff.tar`:
+
+```console
+$ tar xvf rootfs-diff.tar
+home/counter/logfile
+home/counter/test-file
+```
+
+Now the files that changed in the container can be studied:
+
+```console
+$ cat home/counter/logfile
+10.88.0.1 - - [02/Mar/2023 06:07:29] "GET /create?test-file HTTP/1.1" 200 -
+10.88.0.1 - - [02/Mar/2023 06:07:40] "GET /secret?RANDOM_1432_KEY HTTP/1.1" 200 -
+10.88.0.1 - - [02/Mar/2023 06:07:43] "GET / HTTP/1.1" 200 -
+$ cat home/counter/test-file
+test-file 
+```
+
+Compared to the container image (`quay.io/adrianreber/counter:blog`) this
+container is based on, I can see that the file `logfile` contains information
+about all access to the service the container provides and the file `test-file`
+was created just as expected.
+
+With the help of `rootfs-diff.tar` it is possible to inspect all files that
+were created or changed compared to the base image of the container.
+
+### Analyzing the checkpointed processes - `checkpoint/`
+
+The directory `checkpoint/` contains data created by CRIU while checkpointing
+the processes in the container. The content in the directory `checkpoint/`
+consists of different [image files][image-files] which can be analyzed with the
+help of the tool [CRIT][crit] which is distributed as part of CRIU.
+
+First lets get an overview of the processes inside of the container:
+
+```console
+$ crit show checkpoint/pstree.img | jq .entries[].pid
+1
+7
+8
+```
+
+This output means that I have three processes inside of the container's PID
+namespace with the PIDs: 1, 7, 8
+
+This is only the view from the inside of the container's PID namespace. During
+restore exactly these PIDs will be recreated. From the outside of the
+container's PID namespace the PIDs will change after restore.
+
+The next step is to get some additional information about these three processes:
+
+```console
+$ crit show checkpoint/core-1.img | jq .entries[0].tc.comm
+"bash"
+$ crit show checkpoint/core-7.img | jq .entries[0].tc.comm
+"counter.py"
+$ crit show checkpoint/core-8.img | jq .entries[0].tc.comm
+"tee"
+```
+
+This means the three processes in my container are `bash`, `counter.py` (a Python
+interpreter) and `tee`. For details about the parent child relations of these processes there
+is more data to be analyzed in `checkpoint/pstree.img`.
+
+Let's compare the so far collected information to the still running container:
+
+```console
+$ crictl inspect --output go-template --template "{{(index .info.pid)}}" 059a219a22e56
+722520
+$ ps auxf | grep -A 2 722520
+fedora    722520  \_ bash -c /home/counter/counter.py 2>&1 | tee /home/counter/logfile
+fedora    722541      \_ /usr/bin/python3 /home/counter/counter.py
+fedora    722542      \_ /usr/bin/coreutils --coreutils-prog-shebang=tee /usr/bin/tee /home/counter/logfile
+$ cat /proc/722520/comm
+bash
+$ cat /proc/722541/comm
+counter.py
+$ cat /proc/722542/comm
+tee
+```
+
+In this output I am first retrieving the PID of the first process in the
+container and then I am looking for that PID and child processes on the system
+where the container is running. I am seeing three processes and the first one is
+"bash" which is PID 1 inside of the containers PID namespace.  Then I am looking
+at `/proc/<PID>/comm` and I can find the exact same value
+as in the checkpoint image.
+
+Important to remember is that the checkpoint will contain the view from within the
+container's PID namespace because that information is important to restore the
+processes.
+
+One last example of what `crit` can tell us about the container is the information
+about the UTS namespace:
+
+```console
+$ crit show checkpoint/utsns-12.img
+{
+    "magic": "UTSNS",
+    "entries": [
+        {
+            "nodename": "counters",
+            "domainname": "(none)"
+        }
+    ]
+}
+```
+
+This tells me that the hostname inside of the UTS namespace is `counters`.
+
+For every resource CRIU collected during checkpointing the `checkpoint/`
+directory contains corresponding image files which can be analyzed with the help
+of `crit`.
+
+#### Looking at the memory pages
+
+In addition to the information from CRIU that can be decoded with the help
+of CRIT, there are also files containing the raw memory pages written by
+CRIU to disk:
+
+```console
+$ ls  checkpoint/pages-*
+checkpoint/pages-1.img  checkpoint/pages-2.img  checkpoint/pages-3.img
+```
+
+When I initially used the container I stored a random key (`RANDOM_1432_KEY`)
+somewhere in the memory. Let see if I can find it:
+
+```console
+$ grep -ao RANDOM_1432_KEY checkpoint/pages-*
+checkpoint/pages-2.img:RANDOM_1432_KEY
+```
+
+And indeed, there is my data. This way I can easily look at the content
+of all memory pages of the processes in the container, but it is also
+important to remember that anyone that can access the checkpoint
+archive has access to all information that was stored in the memory of the
+container's processes.
+
+#### Using gdb for further analysis
+
+Another possibility to look at the checkpoint images is `gdb`. The CRIU repository
+contains the script [coredump][criu-coredump] which can convert a checkpoint
+into a coredump file:
+
+```console
+$ /home/criu/coredump/coredump-python3
+$ ls -al core*
+core.1  core.7  core.8
+```
+
+Running the `coredump-python3` script will convert the checkpoint images into
+one coredump file for each process in the container. Using `gdb` I can also look
+at the details of the processes:
+
+```console
+$ echo info registers | gdb --core checkpoint/core.1 -q
+
+[New LWP 1]
+
+Core was generated by `bash -c /home/counter/counter.py 2>&1 | tee /home/counter/logfile'.
+
+#0  0x00007fefba110198 in ?? ()
+(gdb)
+rax            0x3d                61
+rbx            0x8                 8
+rcx            0x7fefba11019a      140667595587994
+rdx            0x0                 0
+rsi            0x7fffed9c1110      140737179816208
+rdi            0xffffffff          4294967295
+rbp            0x1                 0x1
+rsp            0x7fffed9c10e8      0x7fffed9c10e8
+r8             0x1                 1
+r9             0x0                 0
+r10            0x0                 0
+r11            0x246               582
+r12            0x0                 0
+r13            0x7fffed9c1170      140737179816304
+r14            0x0                 0
+r15            0x0                 0
+rip            0x7fefba110198      0x7fefba110198
+eflags         0x246               [ PF ZF IF ]
+cs             0x33                51
+ss             0x2b                43
+ds             0x0                 0
+es             0x0                 0
+fs             0x0                 0
+gs             0x0                 0
+```
+
+In this example I can see the value of all registers as they were during
+checkpointing and I can also see the complete command-line of my container's PID
+1 process: `bash -c /home/counter/counter.py 2>&1 | tee /home/counter/logfile`
+
+## Summary
+
+With the help of container checkpointing, it is possible to create a
+checkpoint of a running container without stopping the container and without the
+container knowing that it was checkpointed. The result of checkpointing a
+container in Kubernetes is a checkpoint archive; using different tools like
+`checkpointctl`, `tar`, `crit` and `gdb` the checkpoint can be analyzed. Even
+with simple tools like `grep` it is possible to find information in the
+checkpoint archive.
+
+The different examples I have shown in this article how to analyze a checkpoint
+are just the starting point. Depending on your requirements it is possible to
+look at certain things in much more detail, but this article should give you an
+introduction how to start the analysis of your checkpoint.
+
+## How do I get involved?
+
+You can reach SIG Node by several means:
+
+* Slack: [#sig-node][slack-sig-node]
+* Slack: [#sig-security][slack-sig-security]
+* [Mailing list][sig-node-ml]
+
+[forensic-blog]: https://kubernetes.io/blog/2022/12/05/forensic-container-checkpointing-alpha/
+[checkpointctl]: https://github.com/checkpoint-restore/checkpointctl
+[image-files]: https://criu.org/Images
+[crit]: https://criu.org/CRIT
+[slack-sig-node]: https://kubernetes.slack.com/messages/sig-node
+[slack-sig-security]: https://kubernetes.slack.com/messages/sig-security
+[sig-node-ml]: https://groups.google.com/forum/#!forum/kubernetes-sig-node
+[criu-coredump]: https://github.com/checkpoint-restore/criu/tree/criu-dev/coredump

From 4db706cff7ebe43fe550454352796727ec860a48 Mon Sep 17 00:00:00 2001
From: Arhell <arhell333@gmail.com>
Date: Wed, 8 Mar 2023 00:41:57 +0200
Subject: [PATCH 071/215] [pt] Change shell to console for code snippet

---
 .../configure-pod-container/configure-volume-storage.md     | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/content/pt-br/docs/tasks/configure-pod-container/configure-volume-storage.md b/content/pt-br/docs/tasks/configure-pod-container/configure-volume-storage.md
index 8687c19ab7485..e0cbfa57a2bce 100644
--- a/content/pt-br/docs/tasks/configure-pod-container/configure-volume-storage.md
+++ b/content/pt-br/docs/tasks/configure-pod-container/configure-volume-storage.md
@@ -49,7 +49,7 @@ reinicie. Aqui está o arquivo de configuração para o pod:
     
     A saída se parece com isso:
 
-    ```shell
+    ```console
     NAME      READY     STATUS    RESTARTS   AGE
     redis     1/1       Running   0          13s
     ```
@@ -77,7 +77,7 @@ reinicie. Aqui está o arquivo de configuração para o pod:
 
     A saída é semelhante a esta:
 
-    ```shell
+    ```console
     USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
     redis        1  0.1  0.1  33308  3828 ?        Ssl  00:46   0:00 redis-server *:6379
     root        12  0.0  0.0  20228  3020 ?        Ss   00:47   0:00 /bin/bash
@@ -95,7 +95,7 @@ reinicie. Aqui está o arquivo de configuração para o pod:
 1. No seu terminal original, preste atenção nas mudanças no Pod do Redis. 
 Eventualmente, você vai ver algo assim:
 
-    ```shell
+    ```console
     NAME      READY     STATUS     RESTARTS   AGE
     redis     1/1       Running    0          13s
     redis     0/1       Completed  0         6m

From 6798680f99bbe2d9b4b779e567fbb4242a65a423 Mon Sep 17 00:00:00 2001
From: Adrian Reber <areber@redhat.com>
Date: Tue, 7 Mar 2023 19:30:02 +0100
Subject: [PATCH 072/215] Add link to checkpointing follow-up article

Co-authored-by: Tim Bannister <tim@scalefactory.com>
Signed-off-by: Adrian Reber <areber@redhat.com>
---
 .../2022-12-05-forensic-container-checkpointing/index.md  | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/content/en/blog/_posts/2022-12-05-forensic-container-checkpointing/index.md b/content/en/blog/_posts/2022-12-05-forensic-container-checkpointing/index.md
index 14293556a43ba..9cd3832e5f44d 100644
--- a/content/en/blog/_posts/2022-12-05-forensic-container-checkpointing/index.md
+++ b/content/en/blog/_posts/2022-12-05-forensic-container-checkpointing/index.md
@@ -207,3 +207,11 @@ and without losing the state of the containers in that Pod.
 You can reach SIG Node by several means:
 - Slack: [#sig-node](https://kubernetes.slack.com/messages/sig-node)
 - [Mailing list](https://groups.google.com/forum/#!forum/kubernetes-sig-node)
+
+## Further reading
+
+Please see the follow-up article [Forensic container
+analysis][forensic-container-analysis] for details on how a container checkpoint
+can be analyzed.
+
+[forensic-container-analysis]: /blog/2023/03/10/forensic-container-analysis/

From e7e4de3a0fdb154ee446999040b6fc31085ac533 Mon Sep 17 00:00:00 2001
From: Dipesh Rawat <rawat.dipesh@gmail.com>
Date: Wed, 8 Mar 2023 13:37:12 +0000
Subject: [PATCH 073/215] Added info for <codenew> shortcode in style guide
 (#39764)

* Add info for codenew shortcode in style guide

Signed-off-by: Dipesh Rawat <Dipesh.rawat@ibm.com>

* Update content/en/docs/contribute/style/style-guide.md

Co-authored-by: Tim Bannister <tim@scalefactory.com>

* Addressed feedback comments

Signed-off-by: Dipesh Rawat <Dipesh.rawat@ibm.com>

* Update content/en/docs/contribute/style/hugo-shortcodes/index.md

Co-authored-by: Brad Topol <btopol@us.ibm.com>

* Update content/en/docs/contribute/style/hugo-shortcodes/index.md

Co-authored-by: Brad Topol <btopol@us.ibm.com>

---------

Signed-off-by: Dipesh Rawat <Dipesh.rawat@ibm.com>
Co-authored-by: Tim Bannister <tim@scalefactory.com>
Co-authored-by: Brad Topol <btopol@us.ibm.com>
---
 .../contribute/style/hugo-shortcodes/index.md | 27 +++++++++++++++++++
 .../en/docs/contribute/style/style-guide.md   |  1 +
 2 files changed, 28 insertions(+)

diff --git a/content/en/docs/contribute/style/hugo-shortcodes/index.md b/content/en/docs/contribute/style/hugo-shortcodes/index.md
index 2d751f73f30c0..a6ba992ee785b 100644
--- a/content/en/docs/contribute/style/hugo-shortcodes/index.md
+++ b/content/en/docs/contribute/style/hugo-shortcodes/index.md
@@ -271,6 +271,33 @@ Renders to:
 {{< tab name="JSON File" include="podtemplate.json" />}}
 {{< /tabs >}}
 
+### Source code files
+
+You can use the `{{</* codenew */>}}` shortcode to embed the contents of file in a code block to allow users to download or copy its content to their clipboard. This shortcode is used when the contents of the sample file is generic and reusable, and you want the users to try it out themselves.
+
+This shortcode takes in two named parameters: `language` and `file`. The mandatory parameter `file` is used to specify the path to the file being displayed. The optional parameter `language` is used to specify the programming language of the file. If the `language` parameter is not provided, the shortcode will attempt to guess the language based on the file extension.
+
+For example:
+
+```none
+{{</* codenew language="yaml" file="application/deployment-scale.yaml" */>}}
+```
+
+The output is:
+
+{{< codenew language="yaml" file="application/deployment-scale.yaml" >}}
+
+When adding a new sample file, such as a YAML file, create the file in one of the `<LANG>/examples/` subdirectories where `<LANG>` is the language for the page. In the markdown of your page, use the `codenew` shortcode:
+
+```none
+{{</* codenew file="<RELATIVE-PATH>/example-yaml>" */>}}
+```
+where `<RELATIVE-PATH>` is the path to the sample file to include, relative to the `examples` directory. The following shortcode references a YAML file located at `/content/en/examples/configmap/configmaps.yaml`.
+
+```none
+{{</* codenew file="configmap/configmaps.yaml" */>}}
+```
+
 ## Third party content marker
 
 Running Kubernetes requires third-party software. For example: you
diff --git a/content/en/docs/contribute/style/style-guide.md b/content/en/docs/contribute/style/style-guide.md
index dce6eb291ff30..c7f020a5fc1a2 100644
--- a/content/en/docs/contribute/style/style-guide.md
+++ b/content/en/docs/contribute/style/style-guide.md
@@ -631,4 +631,5 @@ These steps ... | These simple steps ...
 
 * Learn about [writing a new topic](/docs/contribute/style/write-new-topic/).
 * Learn about [using page templates](/docs/contribute/style/page-content-types/).
+* Learn about [custom hugo shortcodes](/docs/contribute/style/hugo-shortcodes/).
 * Learn about [creating a pull request](/docs/contribute/new-content/open-a-pr/).

From 08aaa3fce587ae988af7c8912ddfd98509e6d269 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Mudrini=C4=87?= <mudrinic.mare@gmail.com>
Date: Wed, 8 Mar 2023 14:51:08 +0100
Subject: [PATCH 074/215] Add February patch releases to the calendar
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Marko Mudrinić <mudrinic.mare@gmail.com>
---
 data/releases/schedule.yaml | 33 ++++++++++++++++++++++++---------
 1 file changed, 24 insertions(+), 9 deletions(-)

diff --git a/data/releases/schedule.yaml b/data/releases/schedule.yaml
index 61d186ef8f0e8..df51c5a73af92 100644
--- a/data/releases/schedule.yaml
+++ b/data/releases/schedule.yaml
@@ -4,10 +4,15 @@ schedules:
   maintenanceModeStartDate: 2023-12-28
   endOfLifeDate: 2024-02-28
   next:
-    release: 1.26.2
-    cherryPickDeadline: 2023-02-10
-    targetDate: 2023-02-15
+    release: 1.26.3
+    cherryPickDeadline: 2023-03-10
+    targetDate: 2023-03-15
   previousPatches:
+    - release: 1.26.2
+      cherryPickDeadline: 2023-02-10
+      targetDate: 2023-02-15
+      note: >-
+        [Some container images might be **unsigned** due to a temporary issue with the promotion process](https://groups.google.com/a/kubernetes.io/g/dev/c/MwSx761slM0/m/4ajkeUl0AQAJ)
     - release: 1.26.1
       cherryPickDeadline: 2023-01-13
       targetDate: 2023-01-18
@@ -19,10 +24,15 @@ schedules:
   maintenanceModeStartDate: 2023-08-28
   endOfLifeDate: 2023-10-28
   next:
-    release: 1.25.7
-    cherryPickDeadline: 2023-02-10
-    targetDate: 2023-02-15
+    release: 1.25.8
+    cherryPickDeadline: 2023-03-10
+    targetDate: 2023-03-15
   previousPatches:
+    - release: 1.25.7
+      cherryPickDeadline: 2023-02-10
+      targetDate: 2023-02-15
+      note: >-
+        [Some container images might be **unsigned** due to a temporary issue with the promotion process](https://groups.google.com/a/kubernetes.io/g/dev/c/MwSx761slM0/m/4ajkeUl0AQAJ)
     - release: 1.25.6
       cherryPickDeadline: 2023-01-13
       targetDate: 2023-01-18
@@ -53,10 +63,15 @@ schedules:
   maintenanceModeStartDate: 2023-05-28
   endOfLifeDate: 2023-07-28
   next:
-    release: 1.24.11
-    cherryPickDeadline: 2023-02-10
-    targetDate: 2023-02-15
+    release: 1.24.12
+    cherryPickDeadline: 2023-03-10
+    targetDate: 2023-03-15
   previousPatches:
+    - release: 1.24.11
+      cherryPickDeadline: 2023-02-10
+      targetDate: 2023-02-15
+      note: >-
+        [Some container images might be **unsigned** due to a temporary issue with the promotion process](https://groups.google.com/a/kubernetes.io/g/dev/c/MwSx761slM0/m/4ajkeUl0AQAJ)
     - release: 1.24.10
       cherryPickDeadline: 2023-01-13
       targetDate: 2023-01-18

From d86e129d6aae75df945ea55246208d49735a9338 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Mudrini=C4=87?= <mudrinic.mare@gmail.com>
Date: Wed, 8 Mar 2023 14:51:47 +0100
Subject: [PATCH 075/215] Mark 1.23 as EOL
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Marko Mudrinić <mudrinic.mare@gmail.com>
---
 data/releases/eol.yaml      |  3 ++
 data/releases/schedule.yaml | 66 -------------------------------------
 2 files changed, 3 insertions(+), 66 deletions(-)

diff --git a/data/releases/eol.yaml b/data/releases/eol.yaml
index 64e6306a26ff9..401c871946651 100644
--- a/data/releases/eol.yaml
+++ b/data/releases/eol.yaml
@@ -1,4 +1,7 @@
 branches:
+  - release: "1.23"
+    finalPatchRelease: "1.23.17"
+    endOfLifeDate: 2023-02-28
   - release: "1.22"
     finalPatchRelease: "1.22.17"
     endOfLifeDate: 2022-12-08
diff --git a/data/releases/schedule.yaml b/data/releases/schedule.yaml
index df51c5a73af92..c1cc1a8af052d 100644
--- a/data/releases/schedule.yaml
+++ b/data/releases/schedule.yaml
@@ -109,69 +109,3 @@ schedules:
     - release: 1.24.0
       cherryPickDeadline: ""
       targetDate: 2022-05-03
-- release: 1.23
-  releaseDate: 2021-12-07
-  maintenanceModeStartDate: 2022-12-28
-  endOfLifeDate: 2023-02-28
-  next:
-    release: 1.23.17
-    cherryPickDeadline: 2023-02-10
-    targetDate: 2023-02-15
-  previousPatches:
-    - release: 1.23.16
-      cherryPickDeadline: 2023-01-13
-      targetDate: 2023-01-18
-    - release: 1.23.15
-      cherryPickDeadline: 2022-12-02
-      targetDate: 2022-12-08
-    - release: 1.23.14
-      cherryPickDeadline: 2022-11-04
-      targetDate: 2022-11-09
-    - release: 1.23.13
-      cherryPickDeadline: 2022-10-07
-      targetDate: 2022-10-12
-    - release: 1.23.12
-      cherryPickDeadline: 2022-09-20
-      targetDate: 2022-09-21
-      note: >-
-        [Out-of-Band release to fix the regression introduced in 1.23.11](https://groups.google.com/a/kubernetes.io/g/dev/c/tA6LNOQTR4Q/m/zL73maPTAQAJ)
-    - release: 1.23.11
-      cherryPickDeadline: 2022-09-09
-      targetDate: 2022-09-14
-      note: >-
-        [Regression](https://groups.google.com/a/kubernetes.io/g/dev/c/tA6LNOQTR4Q/m/zL73maPTAQAJ)
-    - release: 1.23.10
-      cherryPickDeadline: 2022-08-12
-      targetDate: 2022-08-17
-    - release: 1.23.9
-      cherryPickDeadline: 2022-07-08
-      targetDate: 2022-07-13
-    - release: 1.23.8
-      cherryPickDeadline: 2022-06-10
-      targetDate: 2022-06-15
-    - release: 1.23.7
-      cherryPickDeadline: 2022-05-20
-      targetDate: 2022-05-24
-    - release: 1.23.6
-      cherryPickDeadline: 2022-04-08
-      targetDate: 2022-04-13
-    - release: 1.23.5
-      cherryPickDeadline: 2022-03-11
-      targetDate: 2022-03-16
-    - release: 1.23.4
-      cherryPickDeadline: 2022-02-11
-      targetDate: 2022-02-16
-    - release: 1.23.3
-      cherryPickDeadline: 2022-01-24
-      targetDate: 2022-01-25
-      note: >-
-        [Out-of-Band Release](https://groups.google.com/a/kubernetes.io/g/dev/c/Xl1sm-CItaY)
-    - release: 1.23.2
-      cherryPickDeadline: 2022-01-14
-      targetDate: 2022-01-19
-    - release: 1.23.1
-      cherryPickDeadline: 2021-12-14
-      targetDate: 2021-12-16
-    - release: 1.23.0
-      cherryPickDeadline: ""
-      targetDate: 2021-12-07

From 5cf475c0b7fc879ac9ce80bd1f21a408befb0784 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Mudrini=C4=87?= <mudrinic.mare@gmail.com>
Date: Wed, 8 Mar 2023 14:53:54 +0100
Subject: [PATCH 076/215] Add release dates for May and June
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Marko Mudrinić <mudrinic.mare@gmail.com>
---
 content/en/releases/patch-releases.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/content/en/releases/patch-releases.md b/content/en/releases/patch-releases.md
index dc80e19baf225..874193f3283e9 100644
--- a/content/en/releases/patch-releases.md
+++ b/content/en/releases/patch-releases.md
@@ -78,9 +78,10 @@ releases may also occur in between these.
 
 | Monthly Patch Release | Cherry Pick Deadline | Target date |
 | --------------------- | -------------------- | ----------- |
-| February 2023         | 2023-02-10           | 2023-02-15  |
 | March 2023            | 2023-03-10           | 2023-03-15  |
 | April 2023            | 2023-04-07           | 2023-04-12  |
+| May 2023              | 2023-05-12           | 2023-05-17  |
+| June 2023             | 2023-06-09           | 2023-06-14  |
 
 ## Detailed Release History for Active Branches
 

From dc201c53807cc9d61932d150d85376f84cb9e939 Mon Sep 17 00:00:00 2001
From: marianogg9 <gonzalez.mariano.gabriel@gmail.com>
Date: Wed, 8 Mar 2023 17:16:46 +0100
Subject: [PATCH 077/215] fixed translation typo in finalizers.md

Signed-off-by: marianogg9 <gonzalez.mariano.gabriel@gmail.com>
---
 .../docs/concepts/overview/working-with-objects/finalizers.md   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/es/docs/concepts/overview/working-with-objects/finalizers.md b/content/es/docs/concepts/overview/working-with-objects/finalizers.md
index 04404f1e70cac..95a68f7852b57 100644
--- a/content/es/docs/concepts/overview/working-with-objects/finalizers.md
+++ b/content/es/docs/concepts/overview/working-with-objects/finalizers.md
@@ -46,7 +46,7 @@ previene el borrado accidental de objetos `PersistentVolume`. Cuando un objeto
 Cuando el Pod deja de utilizar el `PersistentVolume`, Kubernetes borra el finalizador
 `pv-protection` y el controlador borra el volumen.
 
-## Referencias de dueño, etiquetas y finalizadores (#dueños-etiquetas-finalizadores)
+## Referencias de dueño, etiquetas y finalizadores (#owners-labels-finalizers)
 
 Al igual que las {{<glossary_tooltip text="etiquetas" term_id="label">}}, las
 [referencias de dueño](/docs/concepts/overview/working-with-objects/owners-dependents/)

From 4b883eb10078304cf97eee18001b53323ddb94b7 Mon Sep 17 00:00:00 2001
From: ystkfujii <ystk.fujii0731@gmail.com>
Date: Wed, 8 Mar 2023 02:52:38 +0900
Subject: [PATCH 078/215] Clarify API version stability and guidelines

---
 .../docs/concepts/overview/kubernetes-api.md  | 16 ++++++++++---
 content/ja/docs/reference/using-api/_index.md | 23 ++++++++++---------
 2 files changed, 25 insertions(+), 14 deletions(-)

diff --git a/content/ja/docs/concepts/overview/kubernetes-api.md b/content/ja/docs/concepts/overview/kubernetes-api.md
index 5b6388a306adf..4fb0b6ec5a3da 100644
--- a/content/ja/docs/concepts/overview/kubernetes-api.md
+++ b/content/ja/docs/concepts/overview/kubernetes-api.md
@@ -145,7 +145,9 @@ APIの発展や拡張を簡易に行えるようにするため、Kubernetesは[
 
 APIリソースは、APIグループ、リソースタイプ、ネームスペース（namespacedリソースのための）、名前によって区別されます。APIサーバーは、APIバージョン間の変換を透過的に処理します。すべてのバージョンの違いは、実際のところ同じ永続データとして表現されます。APIサーバーは、同じ基本的なデータを複数のAPIバージョンで提供することができます。
 
-例えば、同じリソースで`v1`と`v1beta1`の2つのバージョンが有ることを考えてみます。`v1beta1`バージョンのAPIを利用しオブジェクトを最初に作成したとして、`v1beta1`もしくは`v1`どちらのAPIバージョンを利用してもオブジェクトのread、update、deleteができます。
+例えば、同じリソースで`v1`と`v1beta1`の2つのバージョンが有ることを考えてみます。
+`v1beta1`バージョンのAPIを利用しオブジェクトを最初に作成したとして、`v1beta1`バージョンが非推奨となり削除されるまで、`v1beta1`もしくは`v1`どちらのAPIバージョンを利用してもオブジェクトのread、update、deleteができます。
+その時点では `v1` APIを使用してオブジェクトの修正やアクセスを継続することが可能です。
 
 ## APIの変更
 
@@ -156,10 +158,18 @@ Kubernetesプロジェクトは、既存のクライアントとの互換性を
 基本的に、新しいAPIリソースと新しいリソースフィールドは追加することができます。
 リソースまたはフィールドを削除するには、[API非推奨ポリシー](/docs/reference/using-api/deprecation-policy/)に従ってください。
 
-Kubernetesは、公式のKubernetes APIが一度一般提供（GA）に達した場合、通常は`v1`APIバージョンです、互換性を維持することを強い責任があります。さらに、Kubernetesは _beta_ についても可能な限り互換性を維持し続けます。ベータAPIを採用した場合、その機能が安定版になったあとでも、APIを利用してクラスタを操作し続けることができます。
+Kubernetesは、公式のKubernetes APIが一度一般提供（GA）に達した場合、通常は`v1`APIバージョンです、互換性を維持することを強い責任があります。
+さらに、Kubernetesは、公式Kubernetes APIの _beta_ APIバージョン経由で永続化されたデータとの互換性を維持します。
+そして、機能が安定したときにGA APIバージョン経由でデータを変換してアクセスできることを保証します。
+
+beta APIを採用した場合、APIが卒業(Graduate)したら、後続のbetaまたはstable APIに移行する必要があります。
+これを行うのに最適な時期は、オブジェクトが両方のAPIバージョンから同時にアクセスできるbeta APIが非推奨期間です。
+beta APIが非推奨期間を終えて提供されなくなったら、代替APIバージョンを使用する必要があります。
 
 {{< note >}}
-Kubernetesは、 _alpha_ APIバージョンについても互換性の維持に注力しますが、いくつかの事情により不可である場合もあります。アルファAPIバージョンを使っている場合、クラスタのアップグレードやAPIが変更された場合に備えて、Kubernetesのリリースノートを確認してください。
+Kubernetesは、 _alpha_ APIバージョンについても互換性の維持に注力しますが、いくつかの事情により不可である場合もあります。
+alpha APIバージョンを使っている場合、クラスターをアップグレードする時にKubernetesのリリースノートを確認してください。
+アップグレードのために既存のalphaオブジェクトをすべて削除する必要がある互換性の無い方法でAPIが変更される場合があります。
 {{< /note >}}
 
 APIバージョンレベルの定義に関する詳細は[APIバージョンのリファレンス](/docs/reference/using-api/#api-versioning)を参照してください。
diff --git a/content/ja/docs/reference/using-api/_index.md b/content/ja/docs/reference/using-api/_index.md
index 543b78b2c84a9..caad234abbd01 100644
--- a/content/ja/docs/reference/using-api/_index.md
+++ b/content/ja/docs/reference/using-api/_index.md
@@ -14,7 +14,7 @@ card:
 このセクションでは、Kubernetes APIのリファレンス情報を提供します。
 
 REST APIはKubernetesの基本的な構造です。
-すべての操作とコンポーネント間のと通信、および外部ユーザーのコマンドは、REST API呼び出しでありAPIサーバーが処理します。
+すべての操作とコンポーネント間の通信、および外部ユーザーのコマンドは、REST API呼び出しでありAPIサーバーが処理します。
 
 その結果、Kubernetesプラットフォーム内のすべてのものは、APIオブジェクトとして扱われ、[API](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/)に対応するエントリーがあります。
 
@@ -38,30 +38,31 @@ APIのバージョンが異なると、安定性やサポートのレベルも
 各レベルの概要は以下の通りです:
 
 - Alpha:
-  - バージョン名に「alpha」が含まれています（例：「v1alpha1」）。
+  - バージョン名に`alpha`が含まれています（例：`v1alpha1`）。
+  - 組み込みのalpha APIバージョンはデフォルトで無効化されており、使用するためには`kube-apiserver`の設定で明示的に有効にする必要があります。
   - バグが含まれている可能性があります。
     機能を有効にするとバグが露呈する可能性があります。
-    機能がデフォルトで無効になっている可能性があります。
-  - ある機能のサポートは、予告なしにいつでも中止される可能性があります。
+  - alpha APIのサポートは、予告なしにいつでも中止される可能性があります。
   - 後にリリースされるソフトウェアで、互換性のない方法で予告なく変更される可能性があります。
   - バグのリスクが高く、長期的なサポートが得られないため、短期間のテストクラスターのみでの使用を推奨します。
 
 - Beta:
   - バージョン名には `beta` が含まれています(例：`v2beta3`)。
+  - 組み込みのbeta APIバージョンはデフォルトで無効化されており、使用するためには`kube-apiserver`の設定で明示的に有効にする必要があります。
+    (**例外として**Kubernetes 1.22以前に導入されたAPIのbetaバージョンはデフォルトで有効化されています)
+  - 組み込みのbeta APIバージョンは、導入から非推奨となるまでが9ヶ月または3マイナーリリース（どちらかの長い期間）、そして非推奨から削除まで9ヶ月または3マイナーリリース（どちらかの長い期間）の最大存続期間を持ちます。
   - ソフトウェアは十分にテストされています。
     機能を有効にすることは安全であると考えられています。
-    機能はデフォルトで有効になっています。
   - 機能のサポートが打ち切られることはありませんが、詳細は変更される可能性があります。
 
-  - オブジェクトのスキーマやセマンティクスは、その後のベータ版や安定版のリリースで互換性のない方法で変更される可能性があります。
+  - オブジェクトのスキーマやセマンティクスは、その後のベータ版や安定版のAPIバージョンで互換性のない方法で変更される可能性があります。
     このような場合には、移行手順が提供されます。
-    スキーマの変更に伴い、APIオブジェクトの削除、編集、再作成が必要になる場合があります。
-    編集作業は単純ではないかもしれません。
+    後続のbetaまたはstable APIバージョンに適応することはAPIオブジェクトの編集や再作成が必要になる場合があり、単純ではないかもしれません。
     移行に伴い、その機能に依存しているアプリケーションのダウンタイムが必要になる場合があります。
 
   - 本番環境での使用は推奨しません。
-    後続のリリース は、互換性のない変更を導入する可能性があります。
-    独立してアップグレード可能な複数のクラスターがある場合、この制限を緩和できる可能性があります。
+    後続のリリースは、互換性のない変更を導入する可能性があります。
+    beta APIが非推奨となり提供されなくなった際には、後続のbetaまたはstable APIバージョンに移行するためにbeta APIバージョンを使用する必要があります。
 
   {{< note >}}
 ベータ版の機能をお試しいただき、ご意見をお寄せください。
@@ -70,7 +71,7 @@ APIのバージョンが異なると、安定性やサポートのレベルも
 
 - Stable:
   - バージョン名は `vX` であり、`X` は整数である。
-  - 安定版の機能は、リリースされたソフトウェアの中で、その後の多くのバージョンに登場します。
+  - stable APIバージョンはKubernetesのメジャーバージョン内の全てのリリースで利用可能であり、stable APIを削除したKubernetesのメジャーバージョンリビジョンの計画は現在ありません。
 
 ## APIグループ
 

From 8a55837f796dcbfa69b7d8b40eff71ce56202e29 Mon Sep 17 00:00:00 2001
From: Arhell <arhell333@gmail.com>
Date: Thu, 9 Mar 2023 00:21:44 +0200
Subject: [PATCH 079/215] [id] Change shell to console for code snippet

---
 .../configure-pod-container/configure-volume-storage.md     | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/content/id/docs/tasks/configure-pod-container/configure-volume-storage.md b/content/id/docs/tasks/configure-pod-container/configure-volume-storage.md
index 2da9cebcdabe3..02d664d530457 100644
--- a/content/id/docs/tasks/configure-pod-container/configure-volume-storage.md
+++ b/content/id/docs/tasks/configure-pod-container/configure-volume-storage.md
@@ -41,7 +41,7 @@ yang tetap bertahan, meski Container berakhir dan dimulai ulang. Berikut berkas
     
     Hasil keluaran seperti ini:
 
-    ```shell
+    ```console
     NAME      READY     STATUS    RESTARTS   AGE
     redis     1/1       Running   0          13s
     ```
@@ -69,7 +69,7 @@ yang tetap bertahan, meski Container berakhir dan dimulai ulang. Berikut berkas
 
     Keluarannya mirip seperti ini:
 
-    ```shell
+    ```console
     USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
     redis        1  0.1  0.1  33308  3828 ?        Ssl  00:46   0:00 redis-server *:6379
     root        12  0.0  0.0  20228  3020 ?        Ss   00:47   0:00 /bin/bash
@@ -86,7 +86,7 @@ yang tetap bertahan, meski Container berakhir dan dimulai ulang. Berikut berkas
 
 2. Di dalam terminal awal, amati perubahan terhadap Pod Redis. Sampai akhirnya kamu akan melihat hal seperti ini:
 
-    ```shell
+    ```console
     NAME      READY     STATUS     RESTARTS   AGE
     redis     1/1       Running    0          13s
     redis     0/1       Completed  0         6m

From 0064a0b3f9da167654735492ca28b4c888d523bd Mon Sep 17 00:00:00 2001
From: ziyi-xie <92832323+ziyi-xie@users.noreply.github.com>
Date: Thu, 9 Mar 2023 09:47:04 +0900
Subject: [PATCH 080/215] Update
 content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md

Co-authored-by: Toshiaki Inukai <82919057+t-inu@users.noreply.github.com>
---
 .../ja/docs/concepts/scheduling-eviction/assign-pod-node.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md b/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md
index 4404abd8762ae..6377b8540836a 100644
--- a/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md
+++ b/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md
@@ -325,6 +325,12 @@ Podアンチアフィニティを使用する理由は他にもあります。
 -   指定されたNodeがPodを収容するためのリソースを持っていない場合、Podの起動は失敗し、OutOfmemoryやOutOfcpuなどの理由が表示されます。
 -   クラウド環境におけるNode名は、常に予測可能で安定したものではありません。
 
+{{< note >}}
+`nodeName`は、カスタムスケジューラーや、設定済みのスケジューラーをバイパスする必要がある高度なユースケースで使用することを目的としています。
+スケジューラーをバイパスすると、割り当てられたNodeに過剰なPodの配置をしようとした場合には、Podの起動に失敗することがあります。
+[Nodeアフィニティ](#node-affinity)または[`nodeSelector`フィールド](#nodeselector)を使用すれば、スケジューラーをバイパスせずに、特定のNodeにPodを割り当てることができます。
+{{</ note >}}
+
 以下は、`nodeName`フィールドを使用したPod仕様(spec)の例になります:
 
 ```yaml

From 05d117d5340d2d580cd4aeb5f423aee808f1e78b Mon Sep 17 00:00:00 2001
From: s-kawamura-w664 <s-kawamura_p@nec.com>
Date: Wed, 8 Mar 2023 01:07:15 +0000
Subject: [PATCH 081/215] [ja] Remove
 content/ja/docs/reference/kubectl/overview.md

---
 .../manage-deployment.md                      |   2 +-
 .../api-extension/custom-resources.md         |   2 +-
 .../docs/concepts/overview/kubernetes-api.md  |   2 +-
 content/ja/docs/reference/_index.md           |   2 +-
 content/ja/docs/reference/glossary/kubectl.md |  19 +
 content/ja/docs/reference/kubectl/_index.md   | 492 +++++++++++++++++-
 .../ja/docs/reference/kubectl/cheatsheet.md   |   4 +-
 content/ja/docs/reference/kubectl/overview.md | 485 -----------------
 .../setup/learning-environment/minikube.md    |   2 +-
 .../production-environment/tools/kops.md      |   2 +-
 .../tools/kubeadm/create-cluster-kubeadm.md   |   2 +-
 .../windows/user-guide-windows-containers.md  |   2 +-
 .../ja/docs/tasks/tools/install-kubectl.md    |   2 +-
 content/ja/docs/tutorials/hello-minikube.md   |   2 +-
 14 files changed, 522 insertions(+), 498 deletions(-)
 create mode 100644 content/ja/docs/reference/glossary/kubectl.md
 delete mode 100644 content/ja/docs/reference/kubectl/overview.md

diff --git a/content/ja/docs/concepts/cluster-administration/manage-deployment.md b/content/ja/docs/concepts/cluster-administration/manage-deployment.md
index 35def1de1269e..280dda204660a 100644
--- a/content/ja/docs/concepts/cluster-administration/manage-deployment.md
+++ b/content/ja/docs/concepts/cluster-administration/manage-deployment.md
@@ -157,7 +157,7 @@ deployment.apps/my-deployment created
 persistentvolumeclaim/my-pvc created
 ```
 
-`kubectl`についてさらに知りたい場合は、[kubectlの概要](/ja/docs/reference/kubectl/overview/)を参照してください。
+`kubectl`についてさらに知りたい場合は、[コマンドラインツール(kubectl)](/ja/docs/reference/kubectl/)を参照してください。
 
 ## ラベルを有効に使う
 
diff --git a/content/ja/docs/concepts/extend-kubernetes/api-extension/custom-resources.md b/content/ja/docs/concepts/extend-kubernetes/api-extension/custom-resources.md
index 9fea0905c6ec9..1679d2929f0d0 100644
--- a/content/ja/docs/concepts/extend-kubernetes/api-extension/custom-resources.md
+++ b/content/ja/docs/concepts/extend-kubernetes/api-extension/custom-resources.md
@@ -18,7 +18,7 @@ weight: 10
 
 *カスタムリソース* は、Kubernetes APIの拡張で、デフォルトのKubernetesインストールでは、必ずしも利用できるとは限りません。つまりそれは、特定のKubernetesインストールのカスタマイズを表します。しかし、今現在、多数のKubernetesのコア機能は、カスタムリソースを用いて作られており、Kubernetesをモジュール化しています。
 
-カスタムリソースは、稼働しているクラスターに動的に登録され、現れたり、消えたりし、クラスター管理者はクラスター自体とは無関係にカスタムリソースを更新できます。一度、カスタムリソースがインストールされると、ユーザーは[kubectl](/ja/docs/reference/kubectl/overview/)を使い、ビルトインのリソースである *Pods* と同じように、オブジェクトを作成、アクセスすることが可能です。
+カスタムリソースは、稼働しているクラスターに動的に登録され、現れたり、消えたりし、クラスター管理者はクラスター自体とは無関係にカスタムリソースを更新できます。一度、カスタムリソースがインストールされると、ユーザーは[kubectl](/ja/docs/reference/kubectl/)を使い、ビルトインのリソースである *Pods* と同じように、オブジェクトを作成、アクセスすることが可能です。
 
 ## カスタムコントローラー
 
diff --git a/content/ja/docs/concepts/overview/kubernetes-api.md b/content/ja/docs/concepts/overview/kubernetes-api.md
index 5b6388a306adf..5f9f03bcdf30d 100644
--- a/content/ja/docs/concepts/overview/kubernetes-api.md
+++ b/content/ja/docs/concepts/overview/kubernetes-api.md
@@ -18,7 +18,7 @@ APIサーバーは、エンドユーザー、クラスターのさまざまな
 
 Kubernetes APIを使用すると、Kubernetes API内のオブジェクトの状態をクエリで操作できます（例：Pod、Namespace、ConfigMap、Events）。
 
-ほとんどの操作は、APIを使用している[kubectl](/docs/reference/kubectl/overview/)コマンドラインインターフェースもしくは[kubeadm](/docs/reference/setup-tools/kubeadm/)のような別のコマンドラインツールを通して実行できます。
+ほとんどの操作は、APIを使用している[kubectl](/ja/docs/reference/kubectl/)コマンドラインインターフェースもしくは[kubeadm](/docs/reference/setup-tools/kubeadm/)のような別のコマンドラインツールを通して実行できます。
 RESTコールを利用して直接APIにアクセスすることも可能です。
 
 Kubernetes APIを利用してアプリケーションを書いているのであれば、[client libraries](/docs/reference/using-api/client-libraries/)の利用を考えてみてください。
diff --git a/content/ja/docs/reference/_index.md b/content/ja/docs/reference/_index.md
index cafca8fe448a6..3940d23f429eb 100644
--- a/content/ja/docs/reference/_index.md
+++ b/content/ja/docs/reference/_index.md
@@ -30,7 +30,7 @@ content_type: concept
 
 ## CLIリファレンス
 
-* [kubectl](/ja/docs/reference/kubectl/overview/) - コマンドの実行やKubernetesクラスターの管理に使う主要なCLIツールです。
+* [kubectl](/ja/docs/reference/kubectl/) - コマンドの実行やKubernetesクラスターの管理に使う主要なCLIツールです。
     * [JSONPath](/ja/docs/reference/kubectl/jsonpath/) - kubectlで[JSONPath記法](https://goessner.net/articles/JsonPath/)を使うための構文ガイドです。
 * [kubeadm](/ja/docs/reference/setup-tools/kubeadm/) - セキュアなKubernetesクラスターを簡単にプロビジョニングするためのCLIツールです。
 
diff --git a/content/ja/docs/reference/glossary/kubectl.md b/content/ja/docs/reference/glossary/kubectl.md
new file mode 100644
index 0000000000000..ff7796060bd61
--- /dev/null
+++ b/content/ja/docs/reference/glossary/kubectl.md
@@ -0,0 +1,19 @@
+---
+title: Kubectl
+id: kubectl
+date: 2018-04-12
+full_link: /docs/reference/kubectl/
+short_description: >
+  Kubernetesクラスターと通信するためのコマンドラインツールです。
+
+aka:
+- kubectl
+tags:
+- tool
+- fundamental
+---
+Kubernetes APIを使用してKubernetesクラスターの{{< glossary_tooltip text="コントロールプレーン" term_id="control-plane" >}}と通信するためのコマンドラインツールです。
+
+<!--more--> 
+
+Kubernetesオブジェクトの作成、検査、更新、削除には `kubectl` を使用することができます。
diff --git a/content/ja/docs/reference/kubectl/_index.md b/content/ja/docs/reference/kubectl/_index.md
index 6738659218c18..bceb521c2fa9f 100644
--- a/content/ja/docs/reference/kubectl/_index.md
+++ b/content/ja/docs/reference/kubectl/_index.md
@@ -1,5 +1,495 @@
 ---
-title: "kubectl CLI"
+title: コマンドラインツール(kubectl)
+content_type: reference
 weight: 110
+no_list: true
+card:
+  name: reference
+  weight: 20
 ---
 
+<!-- overview -->
+{{< glossary_definition prepend="Kubernetesが提供する、" term_id="kubectl" length="short" >}}
+
+このツールの名前は、`kubectl` です。
+
+`kubectl`コマンドラインツールを使うと、Kubernetesクラスターを制御できます。環境設定のために、`kubectl`は、`$HOME/.kube`ディレクトリにある`config`という名前のファイルを探します。他の[kubeconfig](/ja/docs/concepts/configuration/organize-cluster-access-kubeconfig/)ファイルは、`KUBECONFIG`環境変数を設定するか、[`--kubeconfig`](/docs/concepts/configuration/organize-cluster-access-kubeconfig/)フラグを設定することで指定できます。
+
+この概要では、`kubectl`の構文を扱い、コマンド操作を説明し、一般的な例を示します。サポートされているすべてのフラグやサブコマンドを含め、各コマンドの詳細については、[kubectl](/docs/reference/generated/kubectl/kubectl-commands/)リファレンスドキュメントを参照してください。
+
+インストール方法については、[kubectlのインストールおよびセットアップ](/ja/docs/tasks/tools/install-kubectl/)をご覧ください。クイックガイドは、[cheat sheet](/docs/reference/kubectl/cheatsheet/) をご覧ください。`docker`コマンドラインツールに慣れている方は、[`kubectl` for Docker Users](/docs/reference/kubectl/docker-cli-to-kubectl/) でKubernetesの同等のコマンドを説明しています。
+
+<!-- body -->
+
+## 構文
+
+ターミナルウィンドウから`kubectl`コマンドを実行するには、以下の構文を使用します。
+
+```shell
+kubectl [command] [TYPE] [NAME] [flags]
+```
+
+ここで、`command`、`TYPE`、`NAME`、`flags`は、以下を表します。
+
+* `command`: 1つ以上のリソースに対して実行したい操作を指定します。例えば、`create`、`get`、`describe`、`delete`です。
+
+* `TYPE`: [リソースタイプ](#resource-types)を指定します。リソースタイプは大文字と小文字を区別せず、単数形や複数形、省略形を指定できます。例えば、以下のコマンドは同じ出力を生成します。
+
+   ```shell
+   kubectl get pod pod1
+   kubectl get pods pod1
+   kubectl get po pod1
+   ```
+
+* `NAME`: リソースの名前を指定します。名前は大文字と小文字を区別します。`kubectl get pods`のように名前が省略された場合は、すべてのリソースの詳細が表示されます。
+
+   複数のリソースに対して操作を行う場合は、各リソースをタイプと名前で指定するか、1つまたは複数のファイルを指定することができます。
+
+   * リソースをタイプと名前で指定する場合
+
+      * タイプがすべて同じとき、リソースをグループ化するには`TYPE1 name1 name2 name<#>`とします。<br/>
+      例: `kubectl get pod example-pod1 example-pod2`
+
+      * 複数のリソースタイプを個別に指定するには、`TYPE1/name1 TYPE1/name2 TYPE2/name3 TYPE<#>/name<#>`とします。<br/>
+      例: `kubectl get pod/example-pod1 replicationcontroller/example-rc1`
+
+   * リソースを1つ以上のファイルで指定する場合は、`-f file1 -f file2 -f file<#>`とします。
+
+      * 特に設定ファイルについては、YAMLの方がより使いやすいため、[JSONではなくYAMLを使用してください](/ja/docs/concepts/configuration/overview/#一般的な設定のtips)。<br/>
+     例: `kubectl get pod -f ./pod.yaml`
+
+* `flags`: オプションのフラグを指定します。例えば、`-s`または`--server`フラグを使って、Kubernetes APIサーバーのアドレスやポートを指定できます。<br/>
+
+{{< caution >}}
+コマンドラインから指定したフラグは、デフォルト値および対応する任意の環境変数を上書きします。
+{{< /caution >}}
+
+ヘルプが必要な場合は、ターミナルウィンドウから`kubectl help`を実行してください。
+
+## 操作
+
+以下の表に、`kubectl`のすべての操作の簡単な説明と一般的な構文を示します。
+
+操作&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;       | 構文    |       説明
+-------------------- | -------------------- | --------------------
+`alpha`| `kubectl alpha SUBCOMMAND [flags]` | アルファ機能に該当する利用可能なコマンドを一覧表示します。これらの機能は、デフォルトではKubernetesクラスターで有効になっていません。
+`annotate`    | <code>kubectl annotate (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) KEY_1=VAL_1 ... KEY_N=VAL_N [--overwrite] [--all] [--resource-version=version] [flags]</code> | 1つ以上のリソースのアノテーションを、追加または更新します。
+`api-resources`    | `kubectl api-resources [flags]` | 利用可能なAPIリソースを一覧表示します。
+`api-versions`    | `kubectl api-versions [flags]` | 利用可能なAPIバージョンを一覧表示します。
+`apply`            | `kubectl apply -f FILENAME [flags]`| ファイルまたは標準出力から、リソースの設定変更を適用します。
+`attach`        | `kubectl attach POD -c CONTAINER [-i] [-t] [flags]` | 実行中のコンテナにアタッチして、出力ストリームを表示するか、コンテナ(標準入力)と対話します。
+`auth`    | `kubectl auth [flags] [options]` | 認可を検査します。
+`autoscale`    | <code>kubectl autoscale (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) [--min=MINPODS] --max=MAXPODS [--cpu-percent=CPU] [flags]</code> | ReplicationControllerで管理されているPodのセットを、自動的にスケールします。
+`certificate`    | `kubectl certificate SUBCOMMAND [options]` | 証明書のリソースを変更します。
+`cluster-info`    | `kubectl cluster-info [flags]` | クラスター内のマスターとサービスに関するエンドポイント情報を表示します。
+`completion`    | `kubectl completion SHELL [options]` | 指定されたシェル(bashまたはzsh)のシェル補完コードを出力します。
+`config`        | `kubectl config SUBCOMMAND [flags]` | kubeconfigファイルを変更します。詳細は、個々のサブコマンドを参照してください。
+`convert`    | `kubectl convert -f FILENAME [options]` | 異なるAPIバージョン間で設定ファイルを変換します。YAMLとJSONに対応しています。
+`cordon`    | `kubectl cordon NODE [options]` | Nodeをスケジュール不可に設定します。
+`cp`    | `kubectl cp <file-spec-src> <file-spec-dest> [options]` | コンテナとの間でファイルやディレクトリをコピーします。
+`create`        | `kubectl create -f FILENAME [flags]` | ファイルまたは標準出力から、1つ以上のリソースを作成します。
+`delete`        | <code>kubectl delete (-f FILENAME &#124; TYPE [NAME &#124; /NAME &#124; -l label &#124; --all]) [flags]</code> | ファイル、標準出力、またはラベルセレクター、リソースセレクター、リソースを指定して、リソースを削除します。
+`describe`    | <code>kubectl describe (-f FILENAME &#124; TYPE [NAME_PREFIX &#124; /NAME &#124; -l label]) [flags]</code> | 1つ以上のリソースの詳細な状態を表示します。
+`diff`        | `kubectl diff -f FILENAME [flags]`| ファイルまたは標準出力と、現在の設定との差分を表示します。
+`drain`    | `kubectl drain NODE [options]` | メンテナンスの準備のためにNodeをdrainします。
+`edit`        | <code>kubectl edit (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) [flags]</code> | デファルトのエディタを使い、サーバー上の1つ以上のリソースリソースの定義を編集し、更新します。
+`exec`        | `kubectl exec POD [-c CONTAINER] [-i] [-t] [flags] [-- COMMAND [args...]]` | Pod内のコンテナに対して、コマンドを実行します。
+`explain`    | `kubectl explain  [--recursive=false] [flags]` | 様々なリソースのドキュメントを取得します。例えば、Pod、Node、Serviceなどです。
+`expose`        | <code>kubectl expose (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) [--port=port] [--protocol=TCP&#124;UDP] [--target-port=number-or-name] [--name=name] [--external-ip=external-ip-of-service] [--type=type] [flags]</code> | ReplicationController、Service、Podを、新しいKubernetesサービスとして公開します。
+`get`        | <code>kubectl get (-f FILENAME &#124; TYPE [NAME &#124; /NAME &#124; -l label]) [--watch] [--sort-by=FIELD] [[-o &#124; --output]=OUTPUT_FORMAT] [flags]</code> | 1つ以上のリソースを表示します。
+`kustomize`    | `kubectl kustomize <dir> [flags] [options]` | kustomization.yamlファイル内の指示から生成されたAPIリソースのセットを一覧表示します。引数はファイルを含むディレクトリのPath，またはリポジトリルートに対して同じ場所を示すパスサフィックス付きのgitリポジトリのURLを指定しなければなりません。
+`label`        | <code>kubectl label (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) KEY_1=VAL_1 ... KEY_N=VAL_N [--overwrite] [--all] [--resource-version=version] [flags]</code> | 1つ以上のリソースのラベルを、追加または更新します。
+`logs`        | `kubectl logs POD [-c CONTAINER] [--follow] [flags]` | Pod内のコンテナのログを表示します。
+`options`    | `kubectl options` | すべてのコマンドに適用されるグローバルコマンドラインオプションを一覧表示します。
+`patch`        | <code>kubectl patch (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) --patch PATCH [flags]</code> | Strategic Merge Patchの処理を使用して、リソースの1つ以上のフィールドを更新します。
+`plugin`    | `kubectl plugin [flags] [options]` | プラグインと対話するためのユーティリティを提供します。
+`port-forward`    | `kubectl port-forward POD [LOCAL_PORT:]REMOTE_PORT [...[LOCAL_PORT_N:]REMOTE_PORT_N] [flags]` | 1つ以上のローカルポートを、Podに転送します。
+`proxy`        | `kubectl proxy [--port=PORT] [--www=static-dir] [--www-prefix=prefix] [--api-prefix=prefix] [flags]` | Kubernetes APIサーバーへのプロキシーを実行します。
+`replace`        | `kubectl replace -f FILENAME` | ファイルや標準出力から、リソースを置き換えます。
+`rollout`    | `kubectl rollout SUBCOMMAND [options]` | リソースのロールアウトを管理します。有効なリソースには、Deployment、DaemonSetとStatefulSetが含まれます。
+`run`        | <code>kubectl run NAME --image=image [--env="key=value"] [--port=port] [--dry-run=server&#124;client&#124;none] [--overrides=inline-json] [flags]</code> | 指定したイメージを、クラスタ上で実行します。
+`scale`        | <code>kubectl scale (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) --replicas=COUNT [--resource-version=version] [--current-replicas=count] [flags]</code> | 指定したReplicationControllerのサイズを更新します。
+`set`    | `kubectl set SUBCOMMAND [options]` | アプリケーションリソースを設定します。
+`taint`    | `kubectl taint NODE NAME KEY_1=VAL_1:TAINT_EFFECT_1 ... KEY_N=VAL_N:TAINT_EFFECT_N [options]` | 1つ以上のNodeのtaintを更新します。
+`top`    | `kubectl top [flags] [options]` | リソース(CPU/メモリー/ストレージ)の使用量を表示します。
+`uncordon`    | `kubectl uncordon NODE [options]` | Nodeをスケジュール可に設定します。
+`version`        | `kubectl version [--client] [flags]` | クライアントとサーバーで実行中のKubernetesのバージョンを表示します。
+`wait`    | <code>kubectl wait ([-f FILENAME] &#124; resource.group/resource.name &#124; resource.group [(-l label &#124; --all)]) [--for=delete&#124;--for condition=available] [options]</code> | 実験中の機能: 1つ以上のリソースが特定の状態になるまで待ちます。
+
+コマンド操作について詳しく知りたい場合は、[kubectl](/docs/reference/kubectl/kubectl/)リファレンスドキュメントを参照してください。
+
+## リソースタイプ {#resource-types}
+
+以下の表に、サポートされているすべてのリソースと、省略されたエイリアスの一覧を示します。
+
+(この出力は`kubectl api-resources`から取得でき、Kubernetes 1.13.3時点で正確でした。)
+
+| リソース名 | 短縮名 | APIグループ | 名前空間に属するか | リソースの種類 |
+|---|---|---|---|---|
+| `bindings` | | | true | Binding|
+| `componentstatuses` | `cs` | | false | ComponentStatus |
+| `configmaps` | `cm` | | true | ConfigMap |
+| `endpoints` | `ep` | | true | Endpoints |
+| `limitranges` | `limits` | | true | LimitRange |
+| `namespaces` | `ns` | | false | Namespace |
+| `nodes` | `no` | | false | Node |
+| `persistentvolumeclaims` | `pvc` | | true | PersistentVolumeClaim |
+| `persistentvolumes` | `pv` | | false | PersistentVolume |
+| `pods` | `po` | | true | Pod |
+| `podtemplates` | | | true | PodTemplate |
+| `replicationcontrollers` | `rc` | | true| ReplicationController |
+| `resourcequotas` | `quota` | | true | ResourceQuota |
+| `secrets` | | | true | Secret |
+| `serviceaccounts` | `sa` | | true | ServiceAccount |
+| `services` | `svc` | | true | Service |
+| `mutatingwebhookconfigurations` | | admissionregistration.k8s.io | false | MutatingWebhookConfiguration |
+| `validatingwebhookconfigurations` | | admissionregistration.k8s.io | false | ValidatingWebhookConfiguration |
+| `customresourcedefinitions` | `crd`, `crds` | apiextensions.k8s.io | false |  CustomResourceDefinition |
+| `apiservices` | | apiregistration.k8s.io | false | APIService |
+| `controllerrevisions` | | apps | true | ControllerRevision |
+| `daemonsets` | `ds` | apps | true | DaemonSet |
+| `deployments` | `deploy` | apps | true | Deployment |
+| `replicasets` | `rs` | apps | true | ReplicaSet |
+| `statefulsets` | `sts` | apps | true | StatefulSet |
+| `tokenreviews` | | authentication.k8s.io | false | TokenReview |
+| `localsubjectaccessreviews` | | authorization.k8s.io | true | LocalSubjectAccessReview |
+| `selfsubjectaccessreviews` | | authorization.k8s.io | false | SelfSubjectAccessReview |
+| `selfsubjectrulesreviews` | | authorization.k8s.io | false | SelfSubjectRulesReview |
+| `subjectaccessreviews` | | authorization.k8s.io | false | SubjectAccessReview |
+| `horizontalpodautoscalers` | `hpa` | autoscaling | true | HorizontalPodAutoscaler |
+| `cronjobs` | `cj` | batch | true | CronJob |
+| `jobs` | | batch | true | Job |
+| `certificatesigningrequests` | `csr` | certificates.k8s.io | false | CertificateSigningRequest |
+| `leases` | | coordination.k8s.io | true | Lease |
+| `events` | `ev` | events.k8s.io | true | Event |
+| `ingresses` | `ing` | extensions | true | Ingress |
+| `networkpolicies` | `netpol` | networking.k8s.io | true | NetworkPolicy |
+| `poddisruptionbudgets` | `pdb` | policy | true | PodDisruptionBudget |
+| `podsecuritypolicies` | `psp` | policy | false | PodSecurityPolicy |
+| `clusterrolebindings` | | rbac.authorization.k8s.io | false | ClusterRoleBinding |
+| `clusterroles` | | rbac.authorization.k8s.io | false | ClusterRole |
+| `rolebindings` | | rbac.authorization.k8s.io | true | RoleBinding |
+| `roles` | | rbac.authorization.k8s.io | true | Role |
+| `priorityclasses` | `pc` | scheduling.k8s.io | false | PriorityClass |
+| `csidrivers` | | storage.k8s.io | false | CSIDriver |
+| `csinodes` | | storage.k8s.io | false | CSINode |
+| `storageclasses` | `sc` | storage.k8s.io |  false | StorageClass |
+| `volumeattachments` | | storage.k8s.io | false | VolumeAttachment |
+
+## 出力オプション
+
+ある特定のコマンドの出力に対してフォーマットやソートを行う方法については、以下の節を参照してください。どのコマンドが様々な出力オプションをサポートしているかについては、[kubectl](/docs/reference/kubectl/kubectl/)リファレンスドキュメントをご覧ください。
+
+### 出力のフォーマット
+
+すべての`kubectl`コマンドのデフォルトの出力フォーマットは、人間が読みやすいプレーンテキスト形式です。特定のフォーマットで、詳細をターミナルウィンドウに出力するには、サポートされている`kubectl`コマンドに`-o`または`--output`フラグのいずれかを追加します。
+
+#### 構文
+
+```shell
+kubectl [command] [TYPE] [NAME] -o <output_format>
+```
+
+`kubectl`の操作に応じて、以下の出力フォーマットがサポートされています。
+
+出力フォーマット | 説明
+--------------| -----------
+`-o custom-columns=<spec>` | [カスタムカラム](#custom-columns)のコンマ区切りのリストを使用して、テーブルを表示します。
+`-o custom-columns-file=<filename>` | `<filename>`ファイル内の[カスタムカラム](#custom-columns)のテンプレートを使用して、テーブルを表示します。
+`-o json`     | JSON形式のAPIオブジェクトを出力します。
+`-o jsonpath=<template>` | [jsonpath](/ja/docs/reference/kubectl/jsonpath/)式で定義されたフィールドを表示します。
+`-o jsonpath-file=<filename>` | `<filename>`ファイル内の[jsonpath](/ja/docs/reference/kubectl/jsonpath/)式で定義されたフィールドを表示します。
+`-o name`     | リソース名のみを表示します。
+`-o wide`     | 追加情報を含めて、プレーンテキスト形式で出力します。Podの場合は、Node名が含まれます。
+`-o yaml`     | YAML形式のAPIオブジェクトを出力します。
+
+##### 例
+
+この例において、以下のコマンドは1つのPodの詳細を、YAML形式のオブジェクトとして出力します。
+
+```shell
+kubectl get pod web-pod-13je7 -o yaml
+```
+
+各コマンドでサポートされている出力フォーマットの詳細については、[kubectl](/docs/reference/kubectl/kubectl/)リファレンスドキュメントを参照してください。
+
+#### カスタムカラム {#custom-columns}
+
+カスタムカラムを定義して、必要な詳細のみをテーブルに出力するには、`custom-columns`オプションを使います。カスタムカラムをインラインで定義するか、`-o custom-columns=<spec>`または`-o custom-columns-file=<filename>`のようにテンプレートファイルを使用するかを選択できます。
+
+##### 例
+
+インラインで定義する例は、以下の通りです。
+
+```shell
+kubectl get pods <pod-name> -o custom-columns=NAME:.metadata.name,RSRC:.metadata.resourceVersion
+```
+
+テンプレートファイルを使用して定義する例は、以下の通りです。
+
+```shell
+kubectl get pods <pod-name> -o custom-columns-file=template.txt
+```
+
+ここで、`template.txt`には以下の内容が含まれます。
+
+```
+NAME          RSRC
+metadata.name metadata.resourceVersion
+```
+どちらのコマンドを実行した場合でも、以下の結果を得ます。
+
+```
+NAME           RSRC
+submit-queue   610995
+```
+
+#### サーバーサイドカラム
+
+`kubectl`は、サーバーからオブジェクトに関する特定のカラム情報を受け取ることをサポートしています。
+つまり、与えられた任意のリソースについて、サーバーはそのリソースに関連する列や行を返し、クライアントが表示できるようにします。
+これにより、サーバーが表示の詳細をカプセル化することで、同一クラスターに対して使用されているクライアント間で、一貫した人間が読みやすい出力が可能です。
+
+この機能は、デフォルトで有効になっています。無効にするには、`kubectl get`コマンドに`--server-print=false`フラグを追加します。
+
+##### 例
+
+Podの状態に関する情報を表示するには、以下のようなコマンドを使用します。
+
+```shell
+kubectl get pods <pod-name> --server-print=false
+```
+
+以下のように出力されます。
+
+```
+NAME       AGE
+pod-name   1m
+```
+
+### オブジェクトリストのソート
+
+ターミナルウィンドウで、オブジェクトをソートされたリストに出力するには、サポートされている`kubectl`コマンドに`--sort-by`フラグを追加します。`--sort-by`フラグで任意の数値フィールドや文字列フィールドを指定することで、オブジェクトをソートします。フィールドの指定には、[jsonpath](/ja/docs/reference/kubectl/jsonpath/)式を使用します。
+
+#### 構文
+
+```shell
+kubectl [command] [TYPE] [NAME] --sort-by=<jsonpath_exp>
+```
+
+##### 例
+
+名前でソートしたPodのリストを表示するには、以下のように実行します。
+
+```shell
+kubectl get pods --sort-by=.metadata.name
+```
+
+## 例: 一般的な操作
+
+よく使われる`kubectl`の操作に慣れるために、以下の例を使用してください。
+
+`kubectl apply` - ファイルや標準出力から、リソースの適用や更新を行います。
+
+```shell
+# example-service.yaml内の定義を使用して、Serviceを作成します。
+kubectl apply -f example-service.yaml
+
+# example-controller.yaml内の定義を使用して、ReplicationControllerを作成します。
+kubectl apply -f example-controller.yaml
+
+# <directory>ディレクトリ内の、任意の.yaml、.yml、.jsonファイルで定義されているオブジェクトを作成します。
+kubectl apply -f <directory>
+```
+
+`kubectl get` - 1つ以上のリソースの一覧を表示します。
+
+```shell
+# すべてのPodの一覧をプレーンテキスト形式で表示します。
+kubectl get pods
+
+# すべてのPodの一覧を、ノード名などの追加情報を含めて、プレーンテキスト形式で表示します。
+kubectl get pods -o wide
+
+# 指定した名前のReplicationControllerの一覧をプレーンテキスト形式で表示します。'replicationcontroller'リソースタイプを短縮して、エイリアス'rc'で置き換えることもできます。
+kubectl get replicationcontroller <rc-name>
+
+# すべてのReplicationControllerとServiceの一覧をまとめてプレーンテキスト形式で表示します。
+kubectl get rc,services
+
+# すべてのDaemonSetの一覧をプレーンテキスト形式で表示します。
+kubectl get ds
+
+# server01ノードで実行中のPodの一覧をプレーンテキスト形式で表示します。
+kubectl get pods --field-selector=spec.nodeName=server01
+```
+
+`kubectl describe` - 1つ以上のリソースの詳細な状態を、デフォルトでは初期化されないものも含めて表示します。
+
+```shell
+# Node <node-name>の詳細を表示します。
+kubectl describe nodes <node-name>
+
+# Pod <pod-name>の詳細を表示します。
+kubectl describe pods/<pod-name>
+
+# ReplicationController <rc-name>が管理しているすべてのPodの詳細を表示します。
+# ReplicationControllerによって作成された任意のPodには、ReplicationControllerの名前がプレフィックスとして付与されます。
+kubectl describe pods <rc-name>
+
+# すべてのPodの詳細を表示します。
+kubectl describe pods
+```
+
+{{< note >}}
+`kubectl get`コマンドは通常、同じリソースタイプの1つ以上のリソースを取得するために使用します。豊富なフラグが用意されており、例えば`-o`や`--output`フラグを使って、出力フォーマットをカスタマイズできます。`-w`や`--watch`フラグを指定することで、特定のオブジェクトの更新を監視できます。`kubectl describe`コマンドは、指定されたリソースに関する多くの側面を説明することに重点を置いています。ユーザーに対してビューを構築するために、APIサーバーへ複数のAPIコールを呼び出すことができます。例えば、`kubectl describe node`コマンドは、Nodeに関する情報だけでなく、その上で動いているPodやNodeで生成されたイベントなどをまとめて表示します。
+{{< /note >}}
+
+`kubectl delete` - ファイル、標準出力、または指定したラベルセレクター、名前、リソースセレクター、リソースを指定して、リソースを削除します。
+
+```shell
+# pod.yamlファイルで指定されたタイプと名前を用いて、Podを削除します。
+kubectl delete -f pod.yaml
+
+# '<label-key>=<label-value>'というラベルを持つPodとServiceをすべて削除します。
+kubectl delete pods,services -l <label-key>=<label-value>
+
+# 初期化されていないPodを含む、すべてのPodを削除します。
+kubectl delete pods --all
+```
+
+`kubectl exec` - Pod内のコンテナに対してコマンドを実行します。
+
+```shell
+# Pod <pod-name>から、'date'を実行している時の出力を取得します。デフォルトでは、最初のコンテナから出力されます。
+kubectl exec <pod-name> -- date
+
+# Pod <pod-name>のコンテナ <container-name>から、'date'を実行している時の出力を取得します。
+kubectl exec <pod-name> -c <container-name> -- date
+
+# インタラクティブな TTY を取得し、Pod <pod-name>から/bin/bashを実行します。デフォルトでは、最初のコンテナから出力されます。
+kubectl exec -ti <pod-name> -- /bin/bash
+```
+
+`kubectl logs` - Pod内のコンテナのログを表示します。
+
+```shell
+# Pod <pod-name>のログのスナップショットを返します。
+kubectl logs <pod-name>
+
+# Pod <pod-name>から、ログのストリーミングを開始します。Linuxの'tail -f'コマンドと似ています。
+kubectl logs -f <pod-name>
+```
+
+`kubectl diff` - 提案されたクラスタに対する更新の差分を表示します。
+
+```shell
+# pod.jsonに含まれるリソースの差分を表示します。
+kubectl diff -f pod.json
+
+# 標準出力から読み込んだファイルの差分を表示します。
+cat service.yaml | kubectl diff -f -
+```
+
+## 例: プラグインの作成と使用
+
+`kubectl`プラグインの書き方や使い方に慣れるために、以下の例を使用してください。
+
+```shell
+# 任意の言語でシンプルなプラグインを作成し、生成される実行可能なファイルに
+# プレフィックス"kubectl-"で始まる名前を付けます。
+cat ./kubectl-hello
+```
+```shell
+#!/bin/sh
+
+# このプラグインは、"hello world"という単語を表示します。
+echo "hello world"
+```
+プラグインを書いたら、実行可能にします。
+```bash
+chmod a+x ./kubectl-hello
+
+# さらに、PATH内の場所に移動させます。
+sudo mv ./kubectl-hello /usr/local/bin
+sudo chown root:root /usr/local/bin
+
+# これでkubectlプラグインを作成し、"インストール"できました。
+# 通常のコマンドのようにkubectlから呼び出すことで、プラグインを使用できます。
+kubectl hello
+```
+```
+hello world
+```
+
+```shell
+# 配置したPATHのフォルダから削除することで、プラグインを"アンインストール"できます。
+sudo rm /usr/local/bin/kubectl-hello
+```
+
+`kubectl`で利用可能なプラグインをすべて表示するには、`kubectl plugin list`サブコマンドを使用してください。
+
+```shell
+kubectl plugin list
+```
+出力は以下のようになります。
+```
+The following kubectl-compatible plugins are available:
+
+/usr/local/bin/kubectl-hello
+/usr/local/bin/kubectl-foo
+/usr/local/bin/kubectl-bar
+```
+
+`kubectl plugin list`コマンドは、実行不可能なプラグインや、他のプラグインの影に隠れてしまっているプラグインなどについて、警告することもできます。例えば、以下のようになります。
+```shell
+sudo chmod -x /usr/local/bin/kubectl-foo # 実行権限を削除します。
+kubectl plugin list
+```
+```
+The following kubectl-compatible plugins are available:
+
+/usr/local/bin/kubectl-hello
+/usr/local/bin/kubectl-foo
+  - warning: /usr/local/bin/kubectl-foo identified as a plugin, but it is not executable
+/usr/local/bin/kubectl-bar
+
+error: one plugin warning was found
+```
+
+プラグインは、既存の`kubectl`コマンドの上に、より複雑な機能を構築するための手段であると考えることができます。
+
+```shell
+cat ./kubectl-whoami
+```
+次の例では、下記の内容を含んだ`kubectl-whoami`が既に作成済であることを前提としています。
+```shell
+#!/bin/bash
+
+# このプラグインは、`kubectl config`コマンドを使って
+# 現在選択されているコンテキストに基づいて、現在のユーザーに関する情報を提供します。
+kubectl config view --template='{{ range .contexts }}{{ if eq .name "'$(kubectl config current-context)'" }}Current user: {{ printf "%s\n" .context.user }}{{ end }}{{ end }}'
+```
+
+上記のコマンドを実行すると、KUBECONFIGファイル内のカレントコンテキストのユーザーを含んだ出力を得られます。
+
+```shell
+# ファイルを実行可能にします。
+sudo chmod +x ./kubectl-whoami
+
+# さらに、ファイルをPATHに移動します。
+sudo mv ./kubectl-whoami /usr/local/bin
+
+kubectl whoami
+Current user: plugins-user
+```
+
+## {{% heading "whatsnext" %}}
+
+* `kubectl`リファレンスドキュメントをお読みください。
+  * kubectl[コマンドリファレンス](/docs/reference/kubectl/kubectl/)
+  * [コマンドライン引数](/docs/reference/generated/kubectl/kubectl-commands/)リファレンス
+* [`kubectl`の使用規則](/ja/docs/reference/kubectl/conventions/)について学習してください。
+* kubectlの[JSONPathのサポート](/ja/docs/reference/kubectl/jsonpath/)についてお読みください。
+* [プラグインを使用して kubectl を拡張する](/docs/tasks/extend-kubectl/kubectl-plugins)方法についてお読みください。
+  * プラグインについてより詳しく知りたい場合は、[example CLI plugin](https://github.com/kubernetes/sample-cli-plugin)をご覧ください。
diff --git a/content/ja/docs/reference/kubectl/cheatsheet.md b/content/ja/docs/reference/kubectl/cheatsheet.md
index 31a56103ccf92..c9bbb56ba4de2 100644
--- a/content/ja/docs/reference/kubectl/cheatsheet.md
+++ b/content/ja/docs/reference/kubectl/cheatsheet.md
@@ -367,7 +367,7 @@ kubectl get pods -A -o=custom-columns='DATA:spec.containers[?(@.image!="registry
 kubectl get pods -A -o=custom-columns='DATA:metadata.*'
 ```
 
-kubectlに関するより多くのサンプルは[カスタムカラムのリファレンス](/ja/docs/reference/kubectl/overview/#custom-columns)を参照してください。
+kubectlに関するより多くのサンプルは[カスタムカラムのリファレンス](/ja/docs/reference/kubectl/#custom-columns)を参照してください。
 
 ### Kubectlのログレベルとデバッグ
 kubectlのログレベルは、レベルを表す整数が後に続く`-v`または`--v`フラグで制御されます。一般的なKubernetesのログ記録規則と関連するログレベルについて、[こちら](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-instrumentation/logging.md)で説明します。
@@ -388,7 +388,7 @@ kubectlのログレベルは、レベルを表す整数が後に続く`-v`また
 
 ## {{% heading "whatsnext" %}}
 
-* kubectlについてより深く学びたい方は[kubectl概要](/ja/docs/reference/kubectl/overview/)や[JsonPath](/docs/reference/kubectl/jsonpath)をご覧ください。
+* kubectlについてより深く学びたい方は[コマンドラインツール(kubectl)](/ja/docs/reference/kubectl/)や[JsonPath](/docs/reference/kubectl/jsonpath)をご覧ください。
 
 * オプションについては[kubectl](/docs/reference/kubectl/kubectl/) optionsをご覧ください。
  
diff --git a/content/ja/docs/reference/kubectl/overview.md b/content/ja/docs/reference/kubectl/overview.md
deleted file mode 100644
index 5b9b8fb016e05..0000000000000
--- a/content/ja/docs/reference/kubectl/overview.md
+++ /dev/null
@@ -1,485 +0,0 @@
----
-title: kubectlの概要
-content_type: concept
-weight: 20
-card:
-  name: reference
-  weight: 20
----
-
-<!-- overview -->
-`kubectl`コマンドラインツールを使うと、Kubernetesクラスターを制御できます。環境設定のために、`kubectl`は、`$HOME/.kube`ディレクトリにある`config`という名前のファイルを探します。他の[kubeconfig](/ja/docs/concepts/configuration/organize-cluster-access-kubeconfig/)ファイルは、`KUBECONFIG`環境変数を設定するか、[`--kubeconfig`](/docs/concepts/configuration/organize-cluster-access-kubeconfig/)フラグを設定することで指定できます。
-この概要では、`kubectl`の構文を扱い、コマンド操作を説明し、一般的な例を示します。サポートされているすべてのフラグやサブコマンドを含め、各コマンドの詳細については、[kubectl](/docs/reference/generated/kubectl/kubectl-commands/)リファレンスドキュメントを参照してください。インストール方法については、[kubectlのインストールおよびセットアップ](/ja/docs/tasks/tools/install-kubectl/)をご覧ください。
-
-
-
-<!-- body -->
-
-## 構文
-
-ターミナルウィンドウから`kubectl`コマンドを実行するには、以下の構文を使用します。
-
-```shell
-kubectl [command] [TYPE] [NAME] [flags]
-```
-
-ここで、`command`、`TYPE`、`NAME`、`flags`は、以下を表します。
-
-* `command`: 1つ以上のリソースに対して実行したい操作を指定します。例えば、`create`、`get`、`describe`、`delete`です。
-
-* `TYPE`: [リソースタイプ](#resource-types)を指定します。リソースタイプは大文字と小文字を区別せず、単数形や複数形、省略形を指定できます。例えば、以下のコマンドは同じ出力を生成します。
-
-   ```shell
-   kubectl get pod pod1
-   kubectl get pods pod1
-   kubectl get po pod1
-   ```
-
-* `NAME`: リソースの名前を指定します。名前は大文字と小文字を区別します。`kubectl get pods`のように名前が省略された場合は、すべてのリソースの詳細が表示されます。
-
-   複数のリソースに対して操作を行う場合は、各リソースをタイプと名前で指定するか、1つまたは複数のファイルを指定することができます。
-
-   * リソースをタイプと名前で指定する場合
-
-      * タイプがすべて同じとき、リソースをグループ化するには`TYPE1 name1 name2 name<#>`とします。<br/>
-      例: `kubectl get pod example-pod1 example-pod2`
-
-      * 複数のリソースタイプを個別に指定するには、`TYPE1/name1 TYPE1/name2 TYPE2/name3 TYPE<#>/name<#>`とします。<br/>
-      例: `kubectl get pod/example-pod1 replicationcontroller/example-rc1`
-
-   * リソースを1つ以上のファイルで指定する場合は、`-f file1 -f file2 -f file<#>`とします。
-
-      * 特に設定ファイルについては、YAMLの方がより使いやすいため、[JSONではなくYAMLを使用してください](/ja/docs/concepts/configuration/overview/#一般的な設定のtips)。<br/>
-     例: `kubectl get pod -f ./pod.yaml`
-
-* `flags`: オプションのフラグを指定します。例えば、`-s`または`--server`フラグを使って、Kubernetes APIサーバーのアドレスやポートを指定できます。<br/>
-
-{{< caution >}}
-コマンドラインから指定したフラグは、デフォルト値および対応する任意の環境変数を上書きします。
-{{< /caution >}}
-
-ヘルプが必要な場合は、ターミナルウィンドウから`kubectl help`を実行してください。
-
-## 操作
-
-以下の表に、`kubectl`のすべての操作の簡単な説明と一般的な構文を示します。
-
-操作&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;       | 構文    |       説明
--------------------- | -------------------- | --------------------
-`alpha`| `kubectl alpha SUBCOMMAND [flags]` | アルファ機能に該当する利用可能なコマンドを一覧表示します。これらの機能は、デフォルトではKubernetesクラスターで有効になっていません。
-`annotate`    | <code>kubectl annotate (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) KEY_1=VAL_1 ... KEY_N=VAL_N [--overwrite] [--all] [--resource-version=version] [flags]</code> | 1つ以上のリソースのアノテーションを、追加または更新します。
-`api-resources`    | `kubectl api-resources [flags]` | 利用可能なAPIリソースを一覧表示します。
-`api-versions`    | `kubectl api-versions [flags]` | 利用可能なAPIバージョンを一覧表示します。
-`apply`            | `kubectl apply -f FILENAME [flags]`| ファイルまたは標準出力から、リソースの設定変更を適用します。
-`attach`        | `kubectl attach POD -c CONTAINER [-i] [-t] [flags]` | 実行中のコンテナにアタッチして、出力ストリームを表示するか、コンテナ(標準入力)と対話します。
-`auth`    | `kubectl auth [flags] [options]` | 認可を検査します。
-`autoscale`    | <code>kubectl autoscale (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) [--min=MINPODS] --max=MAXPODS [--cpu-percent=CPU] [flags]</code> | ReplicationControllerで管理されているPodのセットを、自動的にスケールします。
-`certificate`    | `kubectl certificate SUBCOMMAND [options]` | 証明書のリソースを変更します。
-`cluster-info`    | `kubectl cluster-info [flags]` | クラスター内のマスターとサービスに関するエンドポイント情報を表示します。
-`completion`    | `kubectl completion SHELL [options]` | 指定されたシェル(bashまたはzsh)のシェル補完コードを出力します。
-`config`        | `kubectl config SUBCOMMAND [flags]` | kubeconfigファイルを変更します。詳細は、個々のサブコマンドを参照してください。
-`convert`    | `kubectl convert -f FILENAME [options]` | 異なるAPIバージョン間で設定ファイルを変換します。YAMLとJSONに対応しています。
-`cordon`    | `kubectl cordon NODE [options]` | Nodeをスケジュール不可に設定します。
-`cp`    | `kubectl cp <file-spec-src> <file-spec-dest> [options]` | コンテナとの間でファイルやディレクトリをコピーします。
-`create`        | `kubectl create -f FILENAME [flags]` | ファイルまたは標準出力から、1つ以上のリソースを作成します。
-`delete`        | <code>kubectl delete (-f FILENAME &#124; TYPE [NAME &#124; /NAME &#124; -l label &#124; --all]) [flags]</code> | ファイル、標準出力、またはラベルセレクター、リソースセレクター、リソースを指定して、リソースを削除します。
-`describe`    | <code>kubectl describe (-f FILENAME &#124; TYPE [NAME_PREFIX &#124; /NAME &#124; -l label]) [flags]</code> | 1つ以上のリソースの詳細な状態を表示します。
-`diff`        | `kubectl diff -f FILENAME [flags]`| ファイルまたは標準出力と、現在の設定との差分を表示します。
-`drain`    | `kubectl drain NODE [options]` | メンテナンスの準備のためにNodeをdrainします。
-`edit`        | <code>kubectl edit (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) [flags]</code> | デファルトのエディタを使い、サーバー上の1つ以上のリソースリソースの定義を編集し、更新します。
-`exec`        | `kubectl exec POD [-c CONTAINER] [-i] [-t] [flags] [-- COMMAND [args...]]` | Pod内のコンテナに対して、コマンドを実行します。
-`explain`    | `kubectl explain  [--recursive=false] [flags]` | 様々なリソースのドキュメントを取得します。例えば、Pod、Node、Serviceなどです。
-`expose`        | <code>kubectl expose (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) [--port=port] [--protocol=TCP&#124;UDP] [--target-port=number-or-name] [--name=name] [--external-ip=external-ip-of-service] [--type=type] [flags]</code> | ReplicationController、Service、Podを、新しいKubernetesサービスとして公開します。
-`get`        | <code>kubectl get (-f FILENAME &#124; TYPE [NAME &#124; /NAME &#124; -l label]) [--watch] [--sort-by=FIELD] [[-o &#124; --output]=OUTPUT_FORMAT] [flags]</code> | 1つ以上のリソースを表示します。
-`kustomize`    | `kubectl kustomize <dir> [flags] [options]` | kustomization.yamlファイル内の指示から生成されたAPIリソースのセットを一覧表示します。引数はファイルを含むディレクトリのPath，またはリポジトリルートに対して同じ場所を示すパスサフィックス付きのgitリポジトリのURLを指定しなければなりません。
-`label`        | <code>kubectl label (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) KEY_1=VAL_1 ... KEY_N=VAL_N [--overwrite] [--all] [--resource-version=version] [flags]</code> | 1つ以上のリソースのラベルを、追加または更新します。
-`logs`        | `kubectl logs POD [-c CONTAINER] [--follow] [flags]` | Pod内のコンテナのログを表示します。
-`options`    | `kubectl options` | すべてのコマンドに適用されるグローバルコマンドラインオプションを一覧表示します。
-`patch`        | <code>kubectl patch (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) --patch PATCH [flags]</code> | Strategic Merge Patchの処理を使用して、リソースの1つ以上のフィールドを更新します。
-`plugin`    | `kubectl plugin [flags] [options]` | プラグインと対話するためのユーティリティを提供します。
-`port-forward`    | `kubectl port-forward POD [LOCAL_PORT:]REMOTE_PORT [...[LOCAL_PORT_N:]REMOTE_PORT_N] [flags]` | 1つ以上のローカルポートを、Podに転送します。
-`proxy`        | `kubectl proxy [--port=PORT] [--www=static-dir] [--www-prefix=prefix] [--api-prefix=prefix] [flags]` | Kubernetes APIサーバーへのプロキシーを実行します。
-`replace`        | `kubectl replace -f FILENAME` | ファイルや標準出力から、リソースを置き換えます。
-`rollout`    | `kubectl rollout SUBCOMMAND [options]` | リソースのロールアウトを管理します。有効なリソースには、Deployment、DaemonSetとStatefulSetが含まれます。
-`run`        | <code>kubectl run NAME --image=image [--env="key=value"] [--port=port] [--dry-run=server&#124;client&#124;none] [--overrides=inline-json] [flags]</code> | 指定したイメージを、クラスタ上で実行します。
-`scale`        | <code>kubectl scale (-f FILENAME &#124; TYPE NAME &#124; TYPE/NAME) --replicas=COUNT [--resource-version=version] [--current-replicas=count] [flags]</code> | 指定したReplicationControllerのサイズを更新します。
-`set`    | `kubectl set SUBCOMMAND [options]` | アプリケーションリソースを設定します。
-`taint`    | `kubectl taint NODE NAME KEY_1=VAL_1:TAINT_EFFECT_1 ... KEY_N=VAL_N:TAINT_EFFECT_N [options]` | 1つ以上のNodeのtaintを更新します。
-`top`    | `kubectl top [flags] [options]` | リソース(CPU/メモリー/ストレージ)の使用量を表示します。
-`uncordon`    | `kubectl uncordon NODE [options]` | Nodeをスケジュール可に設定します。
-`version`        | `kubectl version [--client] [flags]` | クライアントとサーバーで実行中のKubernetesのバージョンを表示します。
-`wait`    | <code>kubectl wait ([-f FILENAME] &#124; resource.group/resource.name &#124; resource.group [(-l label &#124; --all)]) [--for=delete&#124;--for condition=available] [options]</code> | 実験中の機能: 1つ以上のリソースが特定の状態になるまで待ちます。
-
-コマンド操作について詳しく知りたい場合は、[kubectl](/docs/reference/kubectl/kubectl/)リファレンスドキュメントを参照してください。
-
-## リソースタイプ {#resource-types}
-
-以下の表に、サポートされているすべてのリソースと、省略されたエイリアスの一覧を示します。
-
-(この出力は`kubectl api-resources`から取得でき、Kubernetes 1.13.3時点で正確でした。)
-
-| リソース名 | 短縮名 | APIグループ | 名前空間に属するか | リソースの種類 |
-|---|---|---|---|---|
-| `bindings` | | | true | Binding|
-| `componentstatuses` | `cs` | | false | ComponentStatus |
-| `configmaps` | `cm` | | true | ConfigMap |
-| `endpoints` | `ep` | | true | Endpoints |
-| `limitranges` | `limits` | | true | LimitRange |
-| `namespaces` | `ns` | | false | Namespace |
-| `nodes` | `no` | | false | Node |
-| `persistentvolumeclaims` | `pvc` | | true | PersistentVolumeClaim |
-| `persistentvolumes` | `pv` | | false | PersistentVolume |
-| `pods` | `po` | | true | Pod |
-| `podtemplates` | | | true | PodTemplate |
-| `replicationcontrollers` | `rc` | | true| ReplicationController |
-| `resourcequotas` | `quota` | | true | ResourceQuota |
-| `secrets` | | | true | Secret |
-| `serviceaccounts` | `sa` | | true | ServiceAccount |
-| `services` | `svc` | | true | Service |
-| `mutatingwebhookconfigurations` | | admissionregistration.k8s.io | false | MutatingWebhookConfiguration |
-| `validatingwebhookconfigurations` | | admissionregistration.k8s.io | false | ValidatingWebhookConfiguration |
-| `customresourcedefinitions` | `crd`, `crds` | apiextensions.k8s.io | false |  CustomResourceDefinition |
-| `apiservices` | | apiregistration.k8s.io | false | APIService |
-| `controllerrevisions` | | apps | true | ControllerRevision |
-| `daemonsets` | `ds` | apps | true | DaemonSet |
-| `deployments` | `deploy` | apps | true | Deployment |
-| `replicasets` | `rs` | apps | true | ReplicaSet |
-| `statefulsets` | `sts` | apps | true | StatefulSet |
-| `tokenreviews` | | authentication.k8s.io | false | TokenReview |
-| `localsubjectaccessreviews` | | authorization.k8s.io | true | LocalSubjectAccessReview |
-| `selfsubjectaccessreviews` | | authorization.k8s.io | false | SelfSubjectAccessReview |
-| `selfsubjectrulesreviews` | | authorization.k8s.io | false | SelfSubjectRulesReview |
-| `subjectaccessreviews` | | authorization.k8s.io | false | SubjectAccessReview |
-| `horizontalpodautoscalers` | `hpa` | autoscaling | true | HorizontalPodAutoscaler |
-| `cronjobs` | `cj` | batch | true | CronJob |
-| `jobs` | | batch | true | Job |
-| `certificatesigningrequests` | `csr` | certificates.k8s.io | false | CertificateSigningRequest |
-| `leases` | | coordination.k8s.io | true | Lease |
-| `events` | `ev` | events.k8s.io | true | Event |
-| `ingresses` | `ing` | extensions | true | Ingress |
-| `networkpolicies` | `netpol` | networking.k8s.io | true | NetworkPolicy |
-| `poddisruptionbudgets` | `pdb` | policy | true | PodDisruptionBudget |
-| `podsecuritypolicies` | `psp` | policy | false | PodSecurityPolicy |
-| `clusterrolebindings` | | rbac.authorization.k8s.io | false | ClusterRoleBinding |
-| `clusterroles` | | rbac.authorization.k8s.io | false | ClusterRole |
-| `rolebindings` | | rbac.authorization.k8s.io | true | RoleBinding |
-| `roles` | | rbac.authorization.k8s.io | true | Role |
-| `priorityclasses` | `pc` | scheduling.k8s.io | false | PriorityClass |
-| `csidrivers` | | storage.k8s.io | false | CSIDriver |
-| `csinodes` | | storage.k8s.io | false | CSINode |
-| `storageclasses` | `sc` | storage.k8s.io |  false | StorageClass |
-| `volumeattachments` | | storage.k8s.io | false | VolumeAttachment |
-
-## 出力オプション
-
-ある特定のコマンドの出力に対してフォーマットやソートを行う方法については、以下の節を参照してください。どのコマンドが様々な出力オプションをサポートしているかについては、[kubectl](/docs/reference/kubectl/kubectl/)リファレンスドキュメントをご覧ください。
-
-### 出力のフォーマット
-
-すべての`kubectl`コマンドのデフォルトの出力フォーマットは、人間が読みやすいプレーンテキスト形式です。特定のフォーマットで、詳細をターミナルウィンドウに出力するには、サポートされている`kubectl`コマンドに`-o`または`--output`フラグのいずれかを追加します。
-
-#### 構文
-
-```shell
-kubectl [command] [TYPE] [NAME] -o <output_format>
-```
-
-`kubectl`の操作に応じて、以下の出力フォーマットがサポートされています。
-
-出力フォーマット | 説明
---------------| -----------
-`-o custom-columns=<spec>` | [カスタムカラム](#custom-columns)のコンマ区切りのリストを使用して、テーブルを表示します。
-`-o custom-columns-file=<filename>` | `<filename>`ファイル内の[カスタムカラム](#custom-columns)のテンプレートを使用して、テーブルを表示します。
-`-o json`     | JSON形式のAPIオブジェクトを出力します。
-`-o jsonpath=<template>` | [jsonpath](/ja/docs/reference/kubectl/jsonpath/)式で定義されたフィールドを表示します。
-`-o jsonpath-file=<filename>` | `<filename>`ファイル内の[jsonpath](/ja/docs/reference/kubectl/jsonpath/)式で定義されたフィールドを表示します。
-`-o name`     | リソース名のみを表示します。
-`-o wide`     | 追加情報を含めて、プレーンテキスト形式で出力します。Podの場合は、Node名が含まれます。
-`-o yaml`     | YAML形式のAPIオブジェクトを出力します。
-
-##### 例
-
-この例において、以下のコマンドは1つのPodの詳細を、YAML形式のオブジェクトとして出力します。
-
-```shell
-kubectl get pod web-pod-13je7 -o yaml
-```
-
-各コマンドでサポートされている出力フォーマットの詳細については、[kubectl](/docs/reference/kubectl/kubectl/)リファレンスドキュメントを参照してください。
-
-#### カスタムカラム {#custom-columns}
-
-カスタムカラムを定義して、必要な詳細のみをテーブルに出力するには、`custom-columns`オプションを使います。カスタムカラムをインラインで定義するか、`-o custom-columns=<spec>`または`-o custom-columns-file=<filename>`のようにテンプレートファイルを使用するかを選択できます。
-
-##### 例
-
-インラインで定義する例は、以下の通りです。
-
-```shell
-kubectl get pods <pod-name> -o custom-columns=NAME:.metadata.name,RSRC:.metadata.resourceVersion
-```
-
-テンプレートファイルを使用して定義する例は、以下の通りです。
-
-```shell
-kubectl get pods <pod-name> -o custom-columns-file=template.txt
-```
-
-ここで、`template.txt`には以下の内容が含まれます。
-
-```
-NAME          RSRC
-metadata.name metadata.resourceVersion
-```
-どちらのコマンドを実行した場合でも、以下の結果を得ます。
-
-```
-NAME           RSRC
-submit-queue   610995
-```
-
-#### サーバーサイドカラム
-
-`kubectl`は、サーバーからオブジェクトに関する特定のカラム情報を受け取ることをサポートしています。
-つまり、与えられた任意のリソースについて、サーバーはそのリソースに関連する列や行を返し、クライアントが表示できるようにします。
-これにより、サーバーが表示の詳細をカプセル化することで、同一クラスターに対して使用されているクライアント間で、一貫した人間が読みやすい出力が可能です。
-
-この機能は、デフォルトで有効になっています。無効にするには、`kubectl get`コマンドに`--server-print=false`フラグを追加します。
-
-##### 例
-
-Podの状態に関する情報を表示するには、以下のようなコマンドを使用します。
-
-```shell
-kubectl get pods <pod-name> --server-print=false
-```
-
-以下のように出力されます。
-
-```
-NAME       AGE
-pod-name   1m
-```
-
-### オブジェクトリストのソート
-
-ターミナルウィンドウで、オブジェクトをソートされたリストに出力するには、サポートされている`kubectl`コマンドに`--sort-by`フラグを追加します。`--sort-by`フラグで任意の数値フィールドや文字列フィールドを指定することで、オブジェクトをソートします。フィールドの指定には、[jsonpath](/ja/docs/reference/kubectl/jsonpath/)式を使用します。
-
-#### 構文
-
-```shell
-kubectl [command] [TYPE] [NAME] --sort-by=<jsonpath_exp>
-```
-
-##### 例
-
-名前でソートしたPodのリストを表示するには、以下のように実行します。
-
-```shell
-kubectl get pods --sort-by=.metadata.name
-```
-
-## 例: 一般的な操作
-
-よく使われる`kubectl`の操作に慣れるために、以下の例を使用してください。
-
-`kubectl apply` - ファイルや標準出力から、リソースの適用や更新を行います。
-
-```shell
-# example-service.yaml内の定義を使用して、Serviceを作成します。
-kubectl apply -f example-service.yaml
-
-# example-controller.yaml内の定義を使用して、ReplicationControllerを作成します。
-kubectl apply -f example-controller.yaml
-
-# <directory>ディレクトリ内の、任意の.yaml、.yml、.jsonファイルで定義されているオブジェクトを作成します。
-kubectl apply -f <directory>
-```
-
-`kubectl get` - 1つ以上のリソースの一覧を表示します。
-
-```shell
-# すべてのPodの一覧をプレーンテキスト形式で表示します。
-kubectl get pods
-
-# すべてのPodの一覧を、ノード名などの追加情報を含めて、プレーンテキスト形式で表示します。
-kubectl get pods -o wide
-
-# 指定した名前のReplicationControllerの一覧をプレーンテキスト形式で表示します。'replicationcontroller'リソースタイプを短縮して、エイリアス'rc'で置き換えることもできます。
-kubectl get replicationcontroller <rc-name>
-
-# すべてのReplicationControllerとServiceの一覧をまとめてプレーンテキスト形式で表示します。
-kubectl get rc,services
-
-# すべてのDaemonSetの一覧をプレーンテキスト形式で表示します。
-kubectl get ds
-
-# server01ノードで実行中のPodの一覧をプレーンテキスト形式で表示します。
-kubectl get pods --field-selector=spec.nodeName=server01
-```
-
-`kubectl describe` - 1つ以上のリソースの詳細な状態を、デフォルトでは初期化されないものも含めて表示します。
-
-```shell
-# Node <node-name>の詳細を表示します。
-kubectl describe nodes <node-name>
-
-# Pod <pod-name>の詳細を表示します。
-kubectl describe pods/<pod-name>
-
-# ReplicationController <rc-name>が管理しているすべてのPodの詳細を表示します。
-# ReplicationControllerによって作成された任意のPodには、ReplicationControllerの名前がプレフィックスとして付与されます。
-kubectl describe pods <rc-name>
-
-# すべてのPodの詳細を表示します。
-kubectl describe pods
-```
-
-{{< note >}}
-`kubectl get`コマンドは通常、同じリソースタイプの1つ以上のリソースを取得するために使用します。豊富なフラグが用意されており、例えば`-o`や`--output`フラグを使って、出力フォーマットをカスタマイズできます。`-w`や`--watch`フラグを指定することで、特定のオブジェクトの更新を監視できます。`kubectl describe`コマンドは、指定されたリソースに関する多くの側面を説明することに重点を置いています。ユーザーに対してビューを構築するために、APIサーバーへ複数のAPIコールを呼び出すことができます。例えば、`kubectl describe node`コマンドは、Nodeに関する情報だけでなく、その上で動いているPodやNodeで生成されたイベントなどをまとめて表示します。
-{{< /note >}}
-
-`kubectl delete` - ファイル、標準出力、または指定したラベルセレクター、名前、リソースセレクター、リソースを指定して、リソースを削除します。
-
-```shell
-# pod.yamlファイルで指定されたタイプと名前を用いて、Podを削除します。
-kubectl delete -f pod.yaml
-
-# '<label-key>=<label-value>'というラベルを持つPodとServiceをすべて削除します。
-kubectl delete pods,services -l <label-key>=<label-value>
-
-# 初期化されていないPodを含む、すべてのPodを削除します。
-kubectl delete pods --all
-```
-
-`kubectl exec` - Pod内のコンテナに対してコマンドを実行します。
-
-```shell
-# Pod <pod-name>から、'date'を実行している時の出力を取得します。デフォルトでは、最初のコンテナから出力されます。
-kubectl exec <pod-name> -- date
-
-# Pod <pod-name>のコンテナ <container-name>から、'date'を実行している時の出力を取得します。
-kubectl exec <pod-name> -c <container-name> -- date
-
-# インタラクティブな TTY を取得し、Pod <pod-name>から/bin/bashを実行します。デフォルトでは、最初のコンテナから出力されます。
-kubectl exec -ti <pod-name> -- /bin/bash
-```
-
-`kubectl logs` - Pod内のコンテナのログを表示します。
-
-```shell
-# Pod <pod-name>のログのスナップショットを返します。
-kubectl logs <pod-name>
-
-# Pod <pod-name>から、ログのストリーミングを開始します。Linuxの'tail -f'コマンドと似ています。
-kubectl logs -f <pod-name>
-```
-
-`kubectl diff` - 提案されたクラスタに対する更新の差分を表示します。
-
-```shell
-# pod.jsonに含まれるリソースの差分を表示します。
-kubectl diff -f pod.json
-
-# 標準出力から読み込んだファイルの差分を表示します。
-cat service.yaml | kubectl diff -f -
-```
-
-## 例: プラグインの作成と使用
-
-`kubectl`プラグインの書き方や使い方に慣れるために、以下の例を使用してください。
-
-```shell
-# 任意の言語でシンプルなプラグインを作成し、生成される実行可能なファイルに
-# プレフィックス"kubectl-"で始まる名前を付けます。
-cat ./kubectl-hello
-```
-```shell
-#!/bin/sh
-
-# このプラグインは、"hello world"という単語を表示します。
-echo "hello world"
-```
-プラグインを書いたら、実行可能にします。
-```bash
-chmod a+x ./kubectl-hello
-
-# さらに、PATH内の場所に移動させます。
-sudo mv ./kubectl-hello /usr/local/bin
-sudo chown root:root /usr/local/bin
-
-# これでkubectlプラグインを作成し、"インストール"できました。
-# 通常のコマンドのようにkubectlから呼び出すことで、プラグインを使用できます。
-kubectl hello
-```
-```
-hello world
-```
-
-```shell
-# 配置したPATHのフォルダから削除することで、プラグインを"アンインストール"できます。
-sudo rm /usr/local/bin/kubectl-hello
-```
-
-`kubectl`で利用可能なプラグインをすべて表示するには、`kubectl plugin list`サブコマンドを使用してください。
-
-```shell
-kubectl plugin list
-```
-出力は以下のようになります。
-```
-The following kubectl-compatible plugins are available:
-
-/usr/local/bin/kubectl-hello
-/usr/local/bin/kubectl-foo
-/usr/local/bin/kubectl-bar
-```
-
-`kubectl plugin list`コマンドは、実行不可能なプラグインや、他のプラグインの影に隠れてしまっているプラグインなどについて、警告することもできます。例えば、以下のようになります。
-```shell
-sudo chmod -x /usr/local/bin/kubectl-foo # 実行権限を削除します。
-kubectl plugin list
-```
-```
-The following kubectl-compatible plugins are available:
-
-/usr/local/bin/kubectl-hello
-/usr/local/bin/kubectl-foo
-  - warning: /usr/local/bin/kubectl-foo identified as a plugin, but it is not executable
-/usr/local/bin/kubectl-bar
-
-error: one plugin warning was found
-```
-
-プラグインは、既存の`kubectl`コマンドの上に、より複雑な機能を構築するための手段であると考えることができます。
-
-```shell
-cat ./kubectl-whoami
-```
-次の例では、下記の内容を含んだ`kubectl-whoami`が既に作成済であることを前提としています。
-```shell
-#!/bin/bash
-
-# このプラグインは、`kubectl config`コマンドを使って
-# 現在選択されているコンテキストに基づいて、現在のユーザーに関する情報を提供します。
-kubectl config view --template='{{ range .contexts }}{{ if eq .name "'$(kubectl config current-context)'" }}Current user: {{ printf "%s\n" .context.user }}{{ end }}{{ end }}'
-```
-
-上記のコマンドを実行すると、KUBECONFIGファイル内のカレントコンテキストのユーザーを含んだ出力を得られます。
-
-```shell
-# ファイルを実行可能にします。
-sudo chmod +x ./kubectl-whoami
-
-# さらに、ファイルをPATHに移動します。
-sudo mv ./kubectl-whoami /usr/local/bin
-
-kubectl whoami
-Current user: plugins-user
-```
-
-## {{% heading "whatsnext" %}}
-
-* [kubectl](/docs/reference/generated/kubectl/kubectl-commands/)を使い始めてください。
-
-* プラグインについてより詳しく知りたい場合は, [example cli plugin](https://github.com/kubernetes/sample-cli-plugin)を御覧ください。
diff --git a/content/ja/docs/setup/learning-environment/minikube.md b/content/ja/docs/setup/learning-environment/minikube.md
index f394897fcfdde..65054b66fb95b 100644
--- a/content/ja/docs/setup/learning-environment/minikube.md
+++ b/content/ja/docs/setup/learning-environment/minikube.md
@@ -198,7 +198,7 @@ MinikubeのサポートするKubernetesの機能:
 
 `minikube start`コマンドを使用してクラスターを起動することができます。
 このコマンドはシングルノードのKubernetesクラスターを実行する仮想マシンを作成・設定します。
-また、このクラスターと通信する[kubectl](/ja/docs/reference/kubectl/overview/)のインストールも設定します。
+また、このクラスターと通信する[kubectl](/ja/docs/reference/kubectl/)のインストールも設定します。
 
 {{< note >}}
 もしWebプロキシーを通している場合、そのプロキシー情報を`minikube start`コマンドに渡す必要があります:
diff --git a/content/ja/docs/setup/production-environment/tools/kops.md b/content/ja/docs/setup/production-environment/tools/kops.md
index 9d490751dbcf5..78b51d29913c5 100644
--- a/content/ja/docs/setup/production-environment/tools/kops.md
+++ b/content/ja/docs/setup/production-environment/tools/kops.md
@@ -231,7 +231,7 @@ See the [list of add-ons](/ja/docs/concepts/cluster-administration/addons/) to e
 ## {{% heading "whatsnext" %}}
 
 
-* Learn more about Kubernetes [concepts](/docs/concepts/) and [`kubectl`](/docs/reference/kubectl/overview/).
+* Learn more about Kubernetes [concepts](/docs/concepts/) and [`kubectl`](/ja/docs/reference/kubectl/).
 * Learn more about `kops` [advanced usage](https://kops.sigs.k8s.io/) for tutorials, best practices and advanced configuration options.
 * Follow `kops` community discussions on Slack: [community discussions](https://github.com/kubernetes/kops#other-ways-to-communicate-with-the-contributors)
 * Contribute to `kops` by addressing or raising an issue [GitHub Issues](https://github.com/kubernetes/kops/issues)
diff --git a/content/ja/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm.md b/content/ja/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm.md
index d1ab5ef49b6bf..36b197a629c9b 100644
--- a/content/ja/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm.md
+++ b/content/ja/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm.md
@@ -394,7 +394,7 @@ kubectl delete node <node name>
 * [Sonobuoy](https://github.com/heptio/sonobuoy)を使用してクラスターが適切に動作しているか検証する。
 * <a id="lifecycle" />`kubeadm`を使用したクラスターをアップグレードする方法について、[kubeadmクラスターをアップグレードする](/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/)を読む。
 * `kubeadm`の高度な利用方法について[kubeadmリファレンスドキュメント](/docs/reference/setup-tools/kubeadm/kubeadm)で学ぶ。
-* Kubernetesの[コンセプト](/ja/docs/concepts/)や[`kubectl`](/ja/docs/reference/kubectl/overview/)についてもっと学ぶ。
+* Kubernetesの[コンセプト](/ja/docs/concepts/)や[`kubectl`](/ja/docs/reference/kubectl/)についてもっと学ぶ。
 * Podネットワークアドオンのより完全なリストを[クラスターのネットワーク](/ja/docs/concepts/cluster-administration/networking/)で確認する。
 * <a id="other-addons" />ロギング、モニタリング、ネットワークポリシー、仮想化、Kubernetesクラスターの制御のためのツールなど、その他のアドオンについて、[アドオンのリスト](/ja/docs/concepts/cluster-administration/addons/)で確認する。
 * クラスターイベントやPod内で実行中のアプリケーションから送られるログをクラスターがハンドリングする方法を設定する。関係する要素の概要を理解するために、[ロギングのアーキテクチャ](/docs/concepts/cluster-administration/logging/)を読んでください。
diff --git a/content/ja/docs/setup/production-environment/windows/user-guide-windows-containers.md b/content/ja/docs/setup/production-environment/windows/user-guide-windows-containers.md
index ebd4d5e8b3143..5ea749f98a381 100644
--- a/content/ja/docs/setup/production-environment/windows/user-guide-windows-containers.md
+++ b/content/ja/docs/setup/production-environment/windows/user-guide-windows-containers.md
@@ -20,7 +20,7 @@ Windowsアプリケーションは、多くの組織で実行されるサービ
 ## 始める前に
 
 * [Windows Serverを実行するマスターノードとワーカーノード](/ja/docs/tasks/administer-cluster/kubeadm/adding-windows-nodes)を含むKubernetesクラスターを作成します
-* Kubernetes上にServiceとワークロードを作成してデプロイすることは、LinuxコンテナとWindowsコンテナ共に、ほぼ同じように動作することに注意してください。クラスターとのインタフェースとなる[Kubectlコマンド](/docs/reference/kubectl/overview/)も同じです。Windowsコンテナをすぐに体験できる例を以下セクションに用意しています。
+* Kubernetes上にServiceとワークロードを作成してデプロイすることは、LinuxコンテナとWindowsコンテナ共に、ほぼ同じように動作することに注意してください。クラスターとのインタフェースとなる[Kubectlコマンド](/ja/docs/reference/kubectl/)も同じです。Windowsコンテナをすぐに体験できる例を以下セクションに用意しています。
 
 ## はじめに:Windowsコンテナのデプロイ
 
diff --git a/content/ja/docs/tasks/tools/install-kubectl.md b/content/ja/docs/tasks/tools/install-kubectl.md
index 8a904b78d837d..779bd82045694 100644
--- a/content/ja/docs/tasks/tools/install-kubectl.md
+++ b/content/ja/docs/tasks/tools/install-kubectl.md
@@ -9,7 +9,7 @@ card:
 ---
 
 <!-- overview -->
-Kubernetesのコマンドラインツールである[kubectl](/ja/docs/reference/kubectl/overview/)を使用して、Kubernetesクラスターに対してコマンドを実行することができます。kubectlによってアプリケーションのデプロイや、クラスターのリソース管理、検査およびログの表示を行うことができます。kubectlの操作に関する完全なリストは、[kubectlの概要](/ja/docs/reference/kubectl/overview/)を参照してください。
+Kubernetesのコマンドラインツールである[kubectl](/ja/docs/reference/kubectl/kubectl)を使用して、Kubernetesクラスターに対してコマンドを実行することができます。kubectlによってアプリケーションのデプロイや、クラスターのリソース管理、検査およびログの表示を行うことができます。kubectlの操作に関する完全なリストは、[kubectlリファレンスドキュメント](/ja/docs/reference/kubectl/)を参照してください。
 
 
 ## {{% heading "prerequisites" %}}
diff --git a/content/ja/docs/tutorials/hello-minikube.md b/content/ja/docs/tutorials/hello-minikube.md
index b2c2ba0e4c9d2..b144c8d64eba9 100644
--- a/content/ja/docs/tutorials/hello-minikube.md
+++ b/content/ja/docs/tutorials/hello-minikube.md
@@ -112,7 +112,7 @@ Kubernetesの[*Pod*](/ja/docs/concepts/workloads/pods/) は、コンテナの管
     ```
 
 {{< note >}}
-`kubectl`コマンドの詳細な情報は[kubectl overview](/ja/docs/reference/kubectl/overview/)を参照してください。
+`kubectl`コマンドの詳細な情報は[コマンドラインツール(kubectl)](/ja/docs/reference/kubectl/)を参照してください。
 {{< /note >}}
 
 ## Serviceの作成

From b6a0d1c29ddd30e914c595092c6d6629eb861576 Mon Sep 17 00:00:00 2001
From: Santosh Kaluskar <dtshbl@gmail.com>
Date: Sun, 19 Feb 2023 17:55:04 +0530
Subject: [PATCH 082/215] update calico link

Signed-off-by: Santosh Kaluskar <dtshbl@gmail.com>
---
 content/en/docs/concepts/cluster-administration/addons.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/docs/concepts/cluster-administration/addons.md b/content/en/docs/concepts/cluster-administration/addons.md
index 0e691a248654e..e149e4b0d0e3a 100644
--- a/content/en/docs/concepts/cluster-administration/addons.md
+++ b/content/en/docs/concepts/cluster-administration/addons.md
@@ -18,7 +18,7 @@ This page lists some of the available add-ons and links to their respective inst
 
 * [ACI](https://www.github.com/noironetworks/aci-containers) provides integrated container networking and network security with Cisco ACI.
 * [Antrea](https://antrea.io/) operates at Layer 3/4 to provide networking and security services for Kubernetes, leveraging Open vSwitch as the networking data plane. Antrea is a [CNCF project at the Sandbox level](https://www.cncf.io/projects/antrea/). 
-* [Calico](https://docs.projectcalico.org/latest/introduction/) is a networking and network policy provider. Calico supports a flexible set of networking options so you can choose the most efficient option for your situation, including non-overlay and overlay networks, with or without BGP. Calico uses the same engine to enforce network policy for hosts, pods, and (if using Istio & Envoy) applications at the service mesh layer.
+* [Calico](https://www.tigera.io/project-calico/) is a networking and network policy provider. Calico supports a flexible set of networking options so you can choose the most efficient option for your situation, including non-overlay and overlay networks, with or without BGP. Calico uses the same engine to enforce network policy for hosts, pods, and (if using Istio & Envoy) applications at the service mesh layer.
 * [Canal](https://projectcalico.docs.tigera.io/getting-started/kubernetes/flannel/flannel) unites Flannel and Calico, providing networking and network policy.
 * [Cilium](https://github.com/cilium/cilium) is a networking, observability, and security solution with an eBPF-based data plane. Cilium provides a simple flat Layer 3 network with the ability to span multiple clusters in either a native routing or overlay/encapsulation mode, and can enforce network policies on L3-L7 using an identity-based security model that is decoupled from network addressing. Cilium can act as a replacement for kube-proxy; it also offers additional, opt-in observability and security features. Cilium is a [CNCF project at the Incubation level](https://www.cncf.io/projects/cilium/).
 * [CNI-Genie](https://github.com/cni-genie/CNI-Genie) enables Kubernetes to seamlessly connect to a choice of CNI plugins, such as Calico, Canal, Flannel, or Weave. CNI-Genie is a [CNCF project at the Sandbox level](https://www.cncf.io/projects/cni-genie/).

From a5dacd219fc76743340c8303c7365f2426fc6301 Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Thu, 9 Mar 2023 14:56:23 +0800
Subject: [PATCH 083/215] Replace k8s.gcr.io references with registry.k8s.io
 for de

---
 content/de/docs/setup/minikube.md           | 2 +-
 content/de/docs/tutorials/hello-minikube.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/de/docs/setup/minikube.md b/content/de/docs/setup/minikube.md
index 35de917a6572e..ec078c60042c4 100644
--- a/content/de/docs/setup/minikube.md
+++ b/content/de/docs/setup/minikube.md
@@ -52,7 +52,7 @@ Creating machine...
 Starting local Kubernetes cluster...
 ```
 ```shell
-kubectl create deployment hello-minikube --image=k8s.gcr.io/echoserver:1.10
+kubectl create deployment hello-minikube --image=registry.k8s.io/echoserver:1.10
 ```
 ```
 deployment.apps/hello-minikube created
diff --git a/content/de/docs/tutorials/hello-minikube.md b/content/de/docs/tutorials/hello-minikube.md
index 2137c5fdd9f37..ba54846cb649b 100644
--- a/content/de/docs/tutorials/hello-minikube.md
+++ b/content/de/docs/tutorials/hello-minikube.md
@@ -77,7 +77,7 @@ Deployments sind die empfohlene Methode zum Verwalten der Erstellung und Skalier
 Der Pod führt einen Container basierend auf dem bereitgestellten Docker-Image aus.
 
     ```shell
-    kubectl create deployment hello-node --image=k8s.gcr.io/echoserver:1.4
+    kubectl create deployment hello-node --image=registry.k8s.io/echoserver:1.4
     ```
 
 2. Anzeigen des Deployments:

From 4217aeb23664e8b08b2a696e9e17921cfc6afdf0 Mon Sep 17 00:00:00 2001
From: adi-wan-askui <105295410+adi-wan-askui@users.noreply.github.com>
Date: Thu, 9 Mar 2023 08:25:27 +0100
Subject: [PATCH 084/215] Update cron-jobs.md (#39813)

fix typo
---
 content/en/docs/concepts/workloads/controllers/cron-jobs.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/docs/concepts/workloads/controllers/cron-jobs.md b/content/en/docs/concepts/workloads/controllers/cron-jobs.md
index dd327758e332b..4428822b7102c 100644
--- a/content/en/docs/concepts/workloads/controllers/cron-jobs.md
+++ b/content/en/docs/concepts/workloads/controllers/cron-jobs.md
@@ -202,7 +202,7 @@ That is, the CronJob does _not_ update existing Jobs, even if those remain runni
 A CronJob creates a Job object approximately once per execution time of its schedule.
 The scheduling is approximate because there
 are certain circumstances where two Jobs might be created, or no Job might be created.
-Kubernetes tries to avoid those situations, but do not completely prevent them. Therefore,
+Kubernetes tries to avoid those situations, but does not completely prevent them. Therefore,
 the Jobs that you define should be _idempotent_.
 
 If `startingDeadlineSeconds` is set to a large value or left unset (the default)

From 1290b02fd365ff0e28685c5d5ec7466d7c93332b Mon Sep 17 00:00:00 2001
From: EliSzBr <elizszb@gmail.com>
Date: Thu, 9 Mar 2023 09:39:42 +0200
Subject: [PATCH 085/215] adjust docs for feature maturity (#39791)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

as per the [docs](https://github.com/kubernetes/website/blob/main/content/en/docs/concepts/services-networking/service.md?plain=1#L697) this is no longer an alpha feature, but stable.

Either that or I don't understand it well as a k8s noobie and it should be clarified 😄
---
 content/en/docs/concepts/services-networking/service.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/docs/concepts/services-networking/service.md b/content/en/docs/concepts/services-networking/service.md
index 09690eb71ece4..d096096ec2ae1 100644
--- a/content/en/docs/concepts/services-networking/service.md
+++ b/content/en/docs/concepts/services-networking/service.md
@@ -656,7 +656,7 @@ by making the changes that are equivalent to you requesting a Service of
 `type: NodePort`. The cloud-controller-manager component then configures the external load balancer to
 forward traffic to that assigned node port.
 
-_As an alpha feature_, you can configure a load balanced Service to
+You can configure a load balanced Service to
 [omit](#load-balancer-nodeport-allocation) assigning a node port, provided that the
 cloud provider implementation supports this.
 

From 5c1d1009f26407aa9b8e451cf06dcea23492873b Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Thu, 9 Mar 2023 15:45:44 +0800
Subject: [PATCH 086/215] Replace k8s.gcr.io references with registry.k8s.io
 for es

---
 .../manage-resources-containers.md             |  2 +-
 .../es/docs/concepts/configuration/secret.md   |  2 +-
 .../overview/working-with-objects/labels.md    |  2 +-
 content/es/docs/concepts/storage/volumes.md    | 18 +++++++++---------
 .../workloads/controllers/statefulset.md       |  2 +-
 content/es/docs/tutorials/hello-minikube.md    |  2 +-
 6 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/content/es/docs/concepts/configuration/manage-resources-containers.md b/content/es/docs/concepts/configuration/manage-resources-containers.md
index 4cdc6c4a26ab2..5b27b6ca7cd32 100644
--- a/content/es/docs/concepts/configuration/manage-resources-containers.md
+++ b/content/es/docs/concepts/configuration/manage-resources-containers.md
@@ -722,7 +722,7 @@ Conditions:
 Events:
   FirstSeen                         LastSeen                         Count  From                              SubobjectPath                       Reason      Message
   Tue, 07 Jul 2015 12:53:51 -0700   Tue, 07 Jul 2015 12:53:51 -0700  1      {scheduler }                                                          scheduled   Successfully assigned simmemleak-hra99 to kubernetes-node-tf0f
-  Tue, 07 Jul 2015 12:53:51 -0700   Tue, 07 Jul 2015 12:53:51 -0700  1      {kubelet kubernetes-node-tf0f}    implicitly required container POD   pulled      Pod container image "k8s.gcr.io/pause:0.8.0" already present on machine
+  Tue, 07 Jul 2015 12:53:51 -0700   Tue, 07 Jul 2015 12:53:51 -0700  1      {kubelet kubernetes-node-tf0f}    implicitly required container POD   pulled      Pod container image "registry.k8s.io/pause:0.8.0" already present on machine
   Tue, 07 Jul 2015 12:53:51 -0700   Tue, 07 Jul 2015 12:53:51 -0700  1      {kubelet kubernetes-node-tf0f}    implicitly required container POD   created     Created with docker id 6a41280f516d
   Tue, 07 Jul 2015 12:53:51 -0700   Tue, 07 Jul 2015 12:53:51 -0700  1      {kubelet kubernetes-node-tf0f}    implicitly required container POD   started     Started with docker id 6a41280f516d
   Tue, 07 Jul 2015 12:53:51 -0700   Tue, 07 Jul 2015 12:53:51 -0700  1      {kubelet kubernetes-node-tf0f}    spec.containers{simmemleak}         created     Created with docker id 87348f12526a
diff --git a/content/es/docs/concepts/configuration/secret.md b/content/es/docs/concepts/configuration/secret.md
index 1025ebd78519d..42c63f81b66ba 100644
--- a/content/es/docs/concepts/configuration/secret.md
+++ b/content/es/docs/concepts/configuration/secret.md
@@ -840,7 +840,7 @@ spec:
       secretName: dotfile-secret
   containers:
   - name: dotfile-test-container
-    image: k8s.gcr.io/busybox
+    image: registry.k8s.io/busybox
     command:
     - ls
     - "-l"
diff --git a/content/es/docs/concepts/overview/working-with-objects/labels.md b/content/es/docs/concepts/overview/working-with-objects/labels.md
index 18815c01a4ee2..7420aac5c6dc7 100644
--- a/content/es/docs/concepts/overview/working-with-objects/labels.md
+++ b/content/es/docs/concepts/overview/working-with-objects/labels.md
@@ -95,7 +95,7 @@ metadata:
 spec:
   containers:
     - name: cuda-test
-      image: "k8s.gcr.io/cuda-vector-add:v0.1"
+      image: "registry.k8s.io/cuda-vector-add:v0.1"
       resources:
         limits:
           nvidia.com/gpu: 1
diff --git a/content/es/docs/concepts/storage/volumes.md b/content/es/docs/concepts/storage/volumes.md
index ff079512bd4df..ac462bec7b130 100644
--- a/content/es/docs/concepts/storage/volumes.md
+++ b/content/es/docs/concepts/storage/volumes.md
@@ -72,7 +72,7 @@ metadata:
   name: test-ebs
 spec:
   containers:
-    - image: k8s.gcr.io/test-webserver
+    - image: registry.k8s.io/test-webserver
       name: test-container
       volumeMounts:
         - mountPath: /test-ebs
@@ -160,7 +160,7 @@ metadata:
   name: test-cinder
 spec:
   containers:
-    - image: k8s.gcr.io/test-webserver
+    - image: registry.k8s.io/test-webserver
       name: test-cinder-container
       volumeMounts:
         - mountPath: /test-cinder
@@ -271,7 +271,7 @@ metadata:
   name: test-pd
 spec:
   containers:
-    - image: k8s.gcr.io/test-webserver
+    - image: registry.k8s.io/test-webserver
       name: test-container
       volumeMounts:
         - mountPath: /cache
@@ -349,7 +349,7 @@ metadata:
   name: test-pd
 spec:
   containers:
-    - image: k8s.gcr.io/test-webserver
+    - image: registry.k8s.io/test-webserver
       name: test-container
       volumeMounts:
         - mountPath: /test-pd
@@ -496,7 +496,7 @@ metadata:
   name: test-pd
 spec:
   containers:
-    - image: k8s.gcr.io/test-webserver
+    - image: registry.k8s.io/test-webserver
       name: test-container
       volumeMounts:
         - mountPath: /test-pd
@@ -526,7 +526,7 @@ metadata:
 spec:
   containers:
     - name: test-webserver
-      image: k8s.gcr.io/test-webserver:latest
+      image: registry.k8s.io/test-webserver:latest
       volumeMounts:
         - mountPath: /var/local/aaa
           name: mydir
@@ -657,7 +657,7 @@ metadata:
   name: test-portworx-volume-pod
 spec:
   containers:
-    - image: k8s.gcr.io/test-webserver
+    - image: registry.k8s.io/test-webserver
       name: test-container
       volumeMounts:
         - mountPath: /mnt
@@ -847,7 +847,7 @@ metadata:
   name: pod-0
 spec:
   containers:
-    - image: k8s.gcr.io/test-webserver
+    - image: registry.k8s.io/test-webserver
       name: pod-0
       volumeMounts:
         - mountPath: /test-pd
@@ -976,7 +976,7 @@ metadata:
   name: test-vmdk
 spec:
   containers:
-    - image: k8s.gcr.io/test-webserver
+    - image: registry.k8s.io/test-webserver
       name: test-container
       volumeMounts:
         - mountPath: /test-vmdk
diff --git a/content/es/docs/concepts/workloads/controllers/statefulset.md b/content/es/docs/concepts/workloads/controllers/statefulset.md
index 4ff09f2148c8d..95e86a7a3f674 100644
--- a/content/es/docs/concepts/workloads/controllers/statefulset.md
+++ b/content/es/docs/concepts/workloads/controllers/statefulset.md
@@ -85,7 +85,7 @@ spec:
       terminationGracePeriodSeconds: 10
       containers:
       - name: nginx
-        image: k8s.gcr.io/nginx-slim:0.8
+        image: registry.k8s.io/nginx-slim:0.8
         ports:
         - containerPort: 80
           name: web
diff --git a/content/es/docs/tutorials/hello-minikube.md b/content/es/docs/tutorials/hello-minikube.md
index fb40f2fdb0bf1..ed78c76a16c4f 100644
--- a/content/es/docs/tutorials/hello-minikube.md
+++ b/content/es/docs/tutorials/hello-minikube.md
@@ -76,7 +76,7 @@ Un [*Deployment*](/docs/concepts/workloads/controllers/deployment/) en Kubernete
 1. Ejecutar el comando `kubectl create` para crear un Deployment que maneje un Pod. El Pod ejecuta un contenedor basado en la imagen proveida por Docker.
 
     ```shell
-    kubectl create deployment hello-node --image=k8s.gcr.io/echoserver:1.4
+    kubectl create deployment hello-node --image=registry.k8s.io/echoserver:1.4
     ```
 
 2. Ver el Deployment:

From d54fd93f73cb1f0633c7c2da1b93c31ff97cb064 Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Thu, 9 Mar 2023 20:08:50 +0800
Subject: [PATCH 087/215] Replace k8s.gcr.io references with registry.k8s.io
 for fr

---
 content/fr/docs/concepts/configuration/secret.md |  2 +-
 .../docs/concepts/storage/persistent-volumes.md  |  2 +-
 content/fr/docs/concepts/storage/volumes.md      | 16 ++++++++--------
 .../workloads/controllers/statefulset.md         |  2 +-
 .../concepts/workloads/pods/pod-lifecycle.md     |  2 +-
 .../generate-ref-docs/federation-api.md          |  2 +-
 content/fr/docs/reference/kubectl/cheatsheet.md  |  4 ++--
 .../kubeadm/generated/kubeadm_init.md            |  2 +-
 .../setup-tools/kubeadm/kubeadm-init.md          |  6 +++---
 .../docs/setup/learning-environment/minikube.md  |  2 +-
 ...onfigure-liveness-readiness-startup-probes.md | 12 ++++++------
 .../translate-compose-kubernetes.md              |  2 +-
 content/fr/docs/tutorials/hello-minikube.md      |  2 +-
 content/fr/examples/admin/cloud/ccm-example.yaml |  4 ++--
 .../two-files-counter-pod-agent-sidecar.yaml     |  2 +-
 .../guestbook/redis-master-deployment.yaml       |  2 +-
 .../pods/pod-configmap-env-var-valueFrom.yaml    |  2 +-
 .../fr/examples/pods/pod-configmap-envFrom.yaml  |  2 +-
 .../pods/pod-configmap-volume-specific-key.yaml  |  2 +-
 .../fr/examples/pods/pod-configmap-volume.yaml   |  2 +-
 .../pod-multiple-configmap-env-variable.yaml     |  2 +-
 .../pods/pod-single-configmap-env-variable.yaml  |  2 +-
 .../fr/examples/pods/probe/exec-liveness.yaml    |  2 +-
 .../fr/examples/pods/probe/http-liveness.yaml    |  2 +-
 .../pods/probe/tcp-liveness-readiness.yaml       |  2 +-
 .../one-constraint-with-nodeaffinity.yaml        |  2 +-
 .../one-constraint.yaml                          |  2 +-
 .../two-constraints.yaml                         |  2 +-
 28 files changed, 44 insertions(+), 44 deletions(-)

diff --git a/content/fr/docs/concepts/configuration/secret.md b/content/fr/docs/concepts/configuration/secret.md
index bad71e79d7c47..eecabde7807f9 100644
--- a/content/fr/docs/concepts/configuration/secret.md
+++ b/content/fr/docs/concepts/configuration/secret.md
@@ -889,7 +889,7 @@ spec:
       secretName: dotfile-secret
   containers:
   - name: dotfile-test-container
-    image: k8s.gcr.io/busybox
+    image: registry.k8s.io/busybox
     command:
     - ls
     - "-l"
diff --git a/content/fr/docs/concepts/storage/persistent-volumes.md b/content/fr/docs/concepts/storage/persistent-volumes.md
index ad88ec14caadb..230ce5f7024c7 100644
--- a/content/fr/docs/concepts/storage/persistent-volumes.md
+++ b/content/fr/docs/concepts/storage/persistent-volumes.md
@@ -192,7 +192,7 @@ spec:
       path: /any/path/it/will/be/replaced
   containers:
   - name: pv-recycler
-    image: "k8s.gcr.io/busybox"
+    image: "registry.k8s.io/busybox"
     command: ["/bin/sh", "-c", "test -e /scrub && rm -rf /scrub/..?* /scrub/.[!.]* /scrub/*  && test -z \"$(ls -A /scrub)\" || exit 1"]
     volumeMounts:
     - name: vol
diff --git a/content/fr/docs/concepts/storage/volumes.md b/content/fr/docs/concepts/storage/volumes.md
index e694a96661ee8..e78e7ce76b348 100644
--- a/content/fr/docs/concepts/storage/volumes.md
+++ b/content/fr/docs/concepts/storage/volumes.md
@@ -113,7 +113,7 @@ metadata:
   name: test-ebs
 spec:
   containers:
-  - image: k8s.gcr.io/test-webserver
+  - image: registry.k8s.io/test-webserver
     name: test-container
     volumeMounts:
     - mountPath: /test-ebs
@@ -190,7 +190,7 @@ metadata:
   name: test-cinder
 spec:
   containers:
-  - image: k8s.gcr.io/test-webserver
+  - image: registry.k8s.io/test-webserver
     name: test-cinder-container
     volumeMounts:
     - mountPath: /test-cinder
@@ -294,7 +294,7 @@ metadata:
   name: test-pd
 spec:
   containers:
-  - image: k8s.gcr.io/test-webserver
+  - image: registry.k8s.io/test-webserver
     name: test-container
     volumeMounts:
     - mountPath: /cache
@@ -369,7 +369,7 @@ metadata:
   name: test-pd
 spec:
   containers:
-  - image: k8s.gcr.io/test-webserver
+  - image: registry.k8s.io/test-webserver
     name: test-container
     volumeMounts:
     - mountPath: /test-pd
@@ -509,7 +509,7 @@ metadata:
   name: test-pd
 spec:
   containers:
-  - image: k8s.gcr.io/test-webserver
+  - image: registry.k8s.io/test-webserver
     name: test-container
     volumeMounts:
     - mountPath: /test-pd
@@ -759,7 +759,7 @@ metadata:
   name: test-portworx-volume-pod
 spec:
   containers:
-  - image: k8s.gcr.io/test-webserver
+  - image: registry.k8s.io/test-webserver
     name: test-container
     volumeMounts:
     - mountPath: /mnt
@@ -824,7 +824,7 @@ metadata:
   name: pod-0
 spec:
   containers:
-  - image: k8s.gcr.io/test-webserver
+  - image: registry.k8s.io/test-webserver
     name: pod-0
     volumeMounts:
     - mountPath: /test-pd
@@ -953,7 +953,7 @@ metadata:
   name: test-vmdk
 spec:
   containers:
-  - image: k8s.gcr.io/test-webserver
+  - image: registry.k8s.io/test-webserver
     name: test-container
     volumeMounts:
     - mountPath: /test-vmdk
diff --git a/content/fr/docs/concepts/workloads/controllers/statefulset.md b/content/fr/docs/concepts/workloads/controllers/statefulset.md
index 14221ba82af30..b89e0416b8135 100644
--- a/content/fr/docs/concepts/workloads/controllers/statefulset.md
+++ b/content/fr/docs/concepts/workloads/controllers/statefulset.md
@@ -78,7 +78,7 @@ spec:
       terminationGracePeriodSeconds: 10
       containers:
       - name: nginx
-        image: k8s.gcr.io/nginx-slim:0.8
+        image: registry.k8s.io/nginx-slim:0.8
         ports:
         - containerPort: 80
           name: web
diff --git a/content/fr/docs/concepts/workloads/pods/pod-lifecycle.md b/content/fr/docs/concepts/workloads/pods/pod-lifecycle.md
index aece7de62cf76..833b60fbf52e2 100644
--- a/content/fr/docs/concepts/workloads/pods/pod-lifecycle.md
+++ b/content/fr/docs/concepts/workloads/pods/pod-lifecycle.md
@@ -329,7 +329,7 @@ spec:
   containers:
   - args:
     - /server
-    image: k8s.gcr.io/liveness
+    image: registry.k8s.io/liveness
     livenessProbe:
       httpGet:
         # lorsque "host" n'est pas défini, "PodIP" sera utilisé
diff --git a/content/fr/docs/contribute/generate-ref-docs/federation-api.md b/content/fr/docs/contribute/generate-ref-docs/federation-api.md
index aa25853d64aa0..30bb6c525d807 100644
--- a/content/fr/docs/contribute/generate-ref-docs/federation-api.md
+++ b/content/fr/docs/contribute/generate-ref-docs/federation-api.md
@@ -48,7 +48,7 @@ cd <fed-base>
 hack/update-federation-api-reference-docs.sh
 ```
 
-Le script exécute le [k8s.gcr.io/gen-swagger-docs](https://console.cloud.google.com/gcr/images/google-containers/GLOBAL/gen-swagger-docs?gcrImageListquery=%255B%255D&gcrImageListpage=%257B%2522t%2522%253A%2522%2522%252C%2522i%2522%253A0%257D&gcrImageListsize=50&gcrImageListsort=%255B%257B%2522p%2522%253A%2522uploaded%2522%252C%2522s%2522%253Afalse%257D%255D) image pour générer cet ensemble de documents de référence:
+Le script exécute le [registry.k8s.io/gen-swagger-docs](https://console.cloud.google.com/gcr/images/google-containers/GLOBAL/gen-swagger-docs?gcrImageListquery=%255B%255D&gcrImageListpage=%257B%2522t%2522%253A%2522%2522%252C%2522i%2522%253A0%257D&gcrImageListsize=50&gcrImageListsort=%255B%257B%2522p%2522%253A%2522uploaded%2522%252C%2522s%2522%253Afalse%257D%255D) image pour générer cet ensemble de documents de référence:
 
 * /docs/api-reference/extensions/v1beta1/operations.html
 * /docs/api-reference/extensions/v1beta1/definitions.html
diff --git a/content/fr/docs/reference/kubectl/cheatsheet.md b/content/fr/docs/reference/kubectl/cheatsheet.md
index e1d86f7dac9fb..9d2f018bb8cb7 100644
--- a/content/fr/docs/reference/kubectl/cheatsheet.md
+++ b/content/fr/docs/reference/kubectl/cheatsheet.md
@@ -359,8 +359,8 @@ Exemples utilisant `-o=custom-columns` :
 # Toutes les images s'exécutant dans un cluster
 kubectl get pods -A -o=custom-columns='DATA:spec.containers[*].image'
 
- # Toutes les images excepté "k8s.gcr.io/coredns:1.6.2"
-kubectl get pods -A -o=custom-columns='DATA:spec.containers[?(@.image!="k8s.gcr.io/coredns:1.6.2")].image'
+ # Toutes les images excepté "registry.k8s.io/coredns:1.6.2"
+kubectl get pods -A -o=custom-columns='DATA:spec.containers[?(@.image!="registry.k8s.io/coredns:1.6.2")].image'
 
 # Tous les champs dans metadata quel que soit leur nom
 kubectl get pods -A -o=custom-columns='DATA:metadata.*'
diff --git a/content/fr/docs/reference/setup-tools/kubeadm/generated/kubeadm_init.md b/content/fr/docs/reference/setup-tools/kubeadm/generated/kubeadm_init.md
index 1e8d0971f90dd..88ccdd8c6f630 100644
--- a/content/fr/docs/reference/setup-tools/kubeadm/generated/kubeadm_init.md
+++ b/content/fr/docs/reference/setup-tools/kubeadm/generated/kubeadm_init.md
@@ -62,7 +62,7 @@ kubeadm init [flags]
       --feature-gates string                 Un ensemble de paires clef=valeur qui décrivent l'entrée de configuration pour des fonctionnalités diverses. Il n'y en a aucune dans cette version.
   -h, --help                                 aide pour l'initialisation (init)
       --ignore-preflight-errors strings      Une liste de contrôles dont les erreurs seront catégorisées comme "warnings" (avertissements). Par exemple : 'IsPrivilegedUser,Swap'. La valeur 'all' ignore les erreurs de tous les contrôles.
-      --image-repository string              Choisis un container registry d'où télécharger les images du control plane. (par défaut "k8s.gcr.io")
+      --image-repository string              Choisis un container registry d'où télécharger les images du control plane. (par défaut "registry.k8s.io")
       --kubernetes-version string            Choisis une version Kubernetes spécifique pour le control plane. (par défaut "stable-1")
       --node-name string                     Spécifie le nom du noeud.
       --pod-network-cidr string              Spécifie l'intervalle des adresses IP pour le réseau des pods. Si fournie, le control plane allouera automatiquement les CIDRs pour chacun des noeuds.
diff --git a/content/fr/docs/reference/setup-tools/kubeadm/kubeadm-init.md b/content/fr/docs/reference/setup-tools/kubeadm/kubeadm-init.md
index 0df7c1a65b51d..0f7db594856b3 100644
--- a/content/fr/docs/reference/setup-tools/kubeadm/kubeadm-init.md
+++ b/content/fr/docs/reference/setup-tools/kubeadm/kubeadm-init.md
@@ -131,12 +131,12 @@ Pour de l'information sur comment passer des options aux composants du control p
 
 ### Utiliser des images personnalisées {#custom-images}
 
-Par défaut, kubeadm télécharge les images depuis `k8s.gcr.io`, à moins que la version demandée de Kubernetes soit une version Intégration Continue (CI). Dans ce cas, `gcr.io/k8s-staging-ci-images` est utilisé.
+Par défaut, kubeadm télécharge les images depuis `registry.k8s.io`, à moins que la version demandée de Kubernetes soit une version Intégration Continue (CI). Dans ce cas, `gcr.io/k8s-staging-ci-images` est utilisé.
 
 Vous pouvez outrepasser ce comportement en utilisant [kubeadm avec un fichier de configuration](#config-file).
 Les personnalisations permises sont :
 
-* fournir un `imageRepository` à utiliser à la place de `k8s.gcr.io`.
+* fournir un `imageRepository` à utiliser à la place de `registry.k8s.io`.
 * régler `useHyperKubeImage` à `true` pour utiliser l'image HyperKube.
 * fournir un `imageRepository` et un `imageTag` pour etcd et l'extension (add-on) DNS.
 
@@ -264,7 +264,7 @@ kubeadm config images list
 kubeadm config images pull
 ```
 
-A partir de Kubernetes 1.12, les images prefixées par `k8s.gcr.io/kube-*`, `k8s.gcr.io/etcd` et `k8s.gcr.io/pause`
+A partir de Kubernetes 1.12, les images prefixées par `registry.k8s.io/kube-*`, `registry.k8s.io/etcd` et `registry.k8s.io/pause`
 ne nécessitent pas un suffix `-${ARCH}`.
 
 ### Automatiser kubeadm
diff --git a/content/fr/docs/setup/learning-environment/minikube.md b/content/fr/docs/setup/learning-environment/minikube.md
index 94bd0744f56e1..5c843f4b3fd1f 100644
--- a/content/fr/docs/setup/learning-environment/minikube.md
+++ b/content/fr/docs/setup/learning-environment/minikube.md
@@ -56,7 +56,7 @@ Suivez les étapes ci-dessous pour commencer et explorer Minikube.
     Créons un déploiement Kubernetes en utilisant une image existante nommée `echoserver`, qui est un serveur HTTP, et exposez-la sur le port 8080 à l’aide de `--port`.
 
     ```shell
-    kubectl create deployment hello-minikube --image=k8s.gcr.io/echoserver:1.10
+    kubectl create deployment hello-minikube --image=registry.k8s.io/echoserver:1.10
     ```
 
     Le résultat est similaire à ceci:
diff --git a/content/fr/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md b/content/fr/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
index 2aa904144f2e7..39cf2ecbd42ba 100644
--- a/content/fr/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
+++ b/content/fr/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
@@ -27,7 +27,7 @@ Cela peut être utilisé dans le cas des liveness checks sur les conteneurs à d
 
 De nombreuses applications fonctionnant pour des longues périodes finissent par passer à des états de rupture et ne peuvent pas se rétablir, sauf en étant redémarrées. Kubernetes fournit des liveness probes pour détecter et remédier à ces situations.
 
-Dans cet exercice, vous allez créer un Pod qui exécute un conteneur basé sur l'image  `k8s.gcr.io/busybox`. Voici le fichier de configuration pour le Pod :
+Dans cet exercice, vous allez créer un Pod qui exécute un conteneur basé sur l'image  `registry.k8s.io/busybox`. Voici le fichier de configuration pour le Pod :
 
 {{< codenew file="pods/probe/exec-liveness.yaml" >}}
 
@@ -61,8 +61,8 @@ La sortie indique qu'aucune liveness probe n'a encore échoué :
 FirstSeen    LastSeen    Count   From            SubobjectPath           Type        Reason      Message
 --------- --------    -----   ----            -------------           --------    ------      -------
 24s       24s     1   {default-scheduler }                    Normal      Scheduled   Successfully assigned liveness-exec to worker0
-23s       23s     1   {kubelet worker0}   spec.containers{liveness}   Normal      Pulling     pulling image "k8s.gcr.io/busybox"
-23s       23s     1   {kubelet worker0}   spec.containers{liveness}   Normal      Pulled      Successfully pulled image "k8s.gcr.io/busybox"
+23s       23s     1   {kubelet worker0}   spec.containers{liveness}   Normal      Pulling     pulling image "registry.k8s.io/busybox"
+23s       23s     1   {kubelet worker0}   spec.containers{liveness}   Normal      Pulled      Successfully pulled image "registry.k8s.io/busybox"
 23s       23s     1   {kubelet worker0}   spec.containers{liveness}   Normal      Created     Created container with docker id 86849c15382e; Security:[seccomp=unconfined]
 23s       23s     1   {kubelet worker0}   spec.containers{liveness}   Normal      Started     Started container with docker id 86849c15382e
 ```
@@ -79,8 +79,8 @@ Au bas de la sortie, il y a des messages indiquant que les liveness probes ont 
 FirstSeen LastSeen    Count   From            SubobjectPath           Type        Reason      Message
 --------- --------    -----   ----            -------------           --------    ------      -------
 37s       37s     1   {default-scheduler }                    Normal      Scheduled   Successfully assigned liveness-exec to worker0
-36s       36s     1   {kubelet worker0}   spec.containers{liveness}   Normal      Pulling     pulling image "k8s.gcr.io/busybox"
-36s       36s     1   {kubelet worker0}   spec.containers{liveness}   Normal      Pulled      Successfully pulled image "k8s.gcr.io/busybox"
+36s       36s     1   {kubelet worker0}   spec.containers{liveness}   Normal      Pulling     pulling image "registry.k8s.io/busybox"
+36s       36s     1   {kubelet worker0}   spec.containers{liveness}   Normal      Pulled      Successfully pulled image "registry.k8s.io/busybox"
 36s       36s     1   {kubelet worker0}   spec.containers{liveness}   Normal      Created     Created container with docker id 86849c15382e; Security:[seccomp=unconfined]
 36s       36s     1   {kubelet worker0}   spec.containers{liveness}   Normal      Started     Started container with docker id 86849c15382e
 2s        2s      1   {kubelet worker0}   spec.containers{liveness}   Warning     Unhealthy   Liveness probe failed: cat: can't open '/tmp/healthy': No such file or directory
@@ -102,7 +102,7 @@ liveness-exec   1/1       Running   1          1m
 ## Définir une requête HTTP de liveness
 
 Un autre type de liveness probe utilise une requête GET HTTP. Voici la configuration
-d'un Pod qui fait fonctionner un conteneur basé sur l'image `k8s.gcr.io/liveness`.
+d'un Pod qui fait fonctionner un conteneur basé sur l'image `registry.k8s.io/liveness`.
 
 {{< codenew file="pods/probe/http-liveness.yaml" >}}
 
diff --git a/content/fr/docs/tasks/configure-pod-container/translate-compose-kubernetes.md b/content/fr/docs/tasks/configure-pod-container/translate-compose-kubernetes.md
index 0ade44801bd82..aec742396662b 100644
--- a/content/fr/docs/tasks/configure-pod-container/translate-compose-kubernetes.md
+++ b/content/fr/docs/tasks/configure-pod-container/translate-compose-kubernetes.md
@@ -100,7 +100,7 @@ En quelques étapes, nous vous emmenons de Docker Compose à Kubernetes. Tous do
       services:
 
         redis-master:
-          image: k8s.gcr.io/redis:e2e
+          image: registry.k8s.io/redis:e2e
           ports:
             - "6379"
 
diff --git a/content/fr/docs/tutorials/hello-minikube.md b/content/fr/docs/tutorials/hello-minikube.md
index a934464b7772d..f097b375a47ed 100644
--- a/content/fr/docs/tutorials/hello-minikube.md
+++ b/content/fr/docs/tutorials/hello-minikube.md
@@ -78,7 +78,7 @@ Les déploiements sont le moyen recommandé pour gérer la création et la mise
 Pod utilise un conteneur basé sur l'image Docker fournie.
 
     ```shell
-    kubectl create deployment hello-node --image=k8s.gcr.io/echoserver:1.4
+    kubectl create deployment hello-node --image=registry.k8s.io/echoserver:1.4
     ```
 
 2. Affichez le déploiement :
diff --git a/content/fr/examples/admin/cloud/ccm-example.yaml b/content/fr/examples/admin/cloud/ccm-example.yaml
index e3bc52e53c0d9..2f789446a2369 100644
--- a/content/fr/examples/admin/cloud/ccm-example.yaml
+++ b/content/fr/examples/admin/cloud/ccm-example.yaml
@@ -41,9 +41,9 @@ spec:
       serviceAccountName: cloud-controller-manager
       containers:
       - name: cloud-controller-manager
-        # pour les fournisseurs in-tree, nous utilisons k8s.gcr.io/cloud-controller-manager
+        # pour les fournisseurs in-tree, nous utilisons registry.k8s.io/cloud-controller-manager
         # cela peut être remplacé par n'importe quelle autre image pour les fournisseurs out-of-tree
-        image: k8s.gcr.io/cloud-controller-manager:v1.8.0
+        image: registry.k8s.io/cloud-controller-manager:v1.8.0
         command:
         - /usr/local/bin/cloud-controller-manager
         - --cloud-provider=<YOUR_CLOUD_PROVIDER>   # Ajoutez votre propre fournisseur de cloud ici!
diff --git a/content/fr/examples/admin/logging/two-files-counter-pod-agent-sidecar.yaml b/content/fr/examples/admin/logging/two-files-counter-pod-agent-sidecar.yaml
index b37b616e6f7c7..1053cac577292 100644
--- a/content/fr/examples/admin/logging/two-files-counter-pod-agent-sidecar.yaml
+++ b/content/fr/examples/admin/logging/two-files-counter-pod-agent-sidecar.yaml
@@ -22,7 +22,7 @@ spec:
     - name: varlog
       mountPath: /var/log
   - name: count-agent
-    image: k8s.gcr.io/fluentd-gcp:1.30
+    image: registry.k8s.io/fluentd-gcp:1.30
     env:
     - name: FLUENTD_ARGS
       value: -c /etc/fluentd-config/fluentd.conf
diff --git a/content/fr/examples/application/guestbook/redis-master-deployment.yaml b/content/fr/examples/application/guestbook/redis-master-deployment.yaml
index 478216d1accfa..d96f9d6d76b8b 100644
--- a/content/fr/examples/application/guestbook/redis-master-deployment.yaml
+++ b/content/fr/examples/application/guestbook/redis-master-deployment.yaml
@@ -20,7 +20,7 @@ spec:
     spec:
       containers:
       - name: master
-        image: k8s.gcr.io/redis:e2e  # or just image: redis
+        image: registry.k8s.io/redis:e2e  # or just image: redis
         resources:
           requests:
             cpu: 100m
diff --git a/content/fr/examples/pods/pod-configmap-env-var-valueFrom.yaml b/content/fr/examples/pods/pod-configmap-env-var-valueFrom.yaml
index 00827ec98aaa3..fa172abd37135 100644
--- a/content/fr/examples/pods/pod-configmap-env-var-valueFrom.yaml
+++ b/content/fr/examples/pods/pod-configmap-env-var-valueFrom.yaml
@@ -5,7 +5,7 @@ metadata:
 spec:
   containers:
     - name: test-container
-      image: k8s.gcr.io/busybox
+      image: registry.k8s.io/busybox
       command: [ "/bin/echo", "$(SPECIAL_LEVEL_KEY) $(SPECIAL_TYPE_KEY)" ]
       env:
         - name: SPECIAL_LEVEL_KEY
diff --git a/content/fr/examples/pods/pod-configmap-envFrom.yaml b/content/fr/examples/pods/pod-configmap-envFrom.yaml
index 70ae7e5bcfaf9..e7b5b60841edc 100644
--- a/content/fr/examples/pods/pod-configmap-envFrom.yaml
+++ b/content/fr/examples/pods/pod-configmap-envFrom.yaml
@@ -5,7 +5,7 @@ metadata:
 spec:
   containers:
     - name: test-container
-      image: k8s.gcr.io/busybox
+      image: registry.k8s.io/busybox
       command: [ "/bin/sh", "-c", "env" ]
       envFrom:
       - configMapRef:
diff --git a/content/fr/examples/pods/pod-configmap-volume-specific-key.yaml b/content/fr/examples/pods/pod-configmap-volume-specific-key.yaml
index 72e38fd83635c..ec7a8fb541cf0 100644
--- a/content/fr/examples/pods/pod-configmap-volume-specific-key.yaml
+++ b/content/fr/examples/pods/pod-configmap-volume-specific-key.yaml
@@ -5,7 +5,7 @@ metadata:
 spec:
   containers:
     - name: test-container
-      image: k8s.gcr.io/busybox
+      image: registry.k8s.io/busybox
       command: [ "/bin/sh","-c","cat /etc/config/keys" ]
       volumeMounts:
       - name: config-volume
diff --git a/content/fr/examples/pods/pod-configmap-volume.yaml b/content/fr/examples/pods/pod-configmap-volume.yaml
index 478c2e8d2b7ab..1724ae5c04943 100644
--- a/content/fr/examples/pods/pod-configmap-volume.yaml
+++ b/content/fr/examples/pods/pod-configmap-volume.yaml
@@ -5,7 +5,7 @@ metadata:
 spec:
   containers:
     - name: test-container
-      image: k8s.gcr.io/busybox
+      image: registry.k8s.io/busybox
       command: [ "/bin/sh", "-c", "ls /etc/config/" ]
       volumeMounts:
       - name: config-volume
diff --git a/content/fr/examples/pods/pod-multiple-configmap-env-variable.yaml b/content/fr/examples/pods/pod-multiple-configmap-env-variable.yaml
index 4790a9c661c84..c7b2b7abb8217 100644
--- a/content/fr/examples/pods/pod-multiple-configmap-env-variable.yaml
+++ b/content/fr/examples/pods/pod-multiple-configmap-env-variable.yaml
@@ -5,7 +5,7 @@ metadata:
 spec:
   containers:
     - name: test-container
-      image: k8s.gcr.io/busybox
+      image: registry.k8s.io/busybox
       command: [ "/bin/sh", "-c", "env" ]
       env:
         - name: SPECIAL_LEVEL_KEY
diff --git a/content/fr/examples/pods/pod-single-configmap-env-variable.yaml b/content/fr/examples/pods/pod-single-configmap-env-variable.yaml
index 09d6f4a696fdd..e8061133504f7 100644
--- a/content/fr/examples/pods/pod-single-configmap-env-variable.yaml
+++ b/content/fr/examples/pods/pod-single-configmap-env-variable.yaml
@@ -5,7 +5,7 @@ metadata:
 spec:
   containers:
     - name: test-container
-      image: k8s.gcr.io/busybox
+      image: registry.k8s.io/busybox
       command: [ "/bin/sh", "-c", "env" ]
       env:
         # Définie la variable d'environnement
diff --git a/content/fr/examples/pods/probe/exec-liveness.yaml b/content/fr/examples/pods/probe/exec-liveness.yaml
index 6a9c9b3213718..7d6ca96b3d611 100644
--- a/content/fr/examples/pods/probe/exec-liveness.yaml
+++ b/content/fr/examples/pods/probe/exec-liveness.yaml
@@ -7,7 +7,7 @@ metadata:
 spec:
   containers:
   - name: liveness
-    image: k8s.gcr.io/busybox
+    image: registry.k8s.io/busybox
     args:
     - /bin/sh
     - -c
diff --git a/content/fr/examples/pods/probe/http-liveness.yaml b/content/fr/examples/pods/probe/http-liveness.yaml
index 670af18399e20..48ca861c14271 100644
--- a/content/fr/examples/pods/probe/http-liveness.yaml
+++ b/content/fr/examples/pods/probe/http-liveness.yaml
@@ -7,7 +7,7 @@ metadata:
 spec:
   containers:
   - name: liveness
-    image: k8s.gcr.io/liveness
+    image: registry.k8s.io/liveness
     args:
     - /server
     livenessProbe:
diff --git a/content/fr/examples/pods/probe/tcp-liveness-readiness.yaml b/content/fr/examples/pods/probe/tcp-liveness-readiness.yaml
index 08fb77ff0f58c..ef8a2f9500b00 100644
--- a/content/fr/examples/pods/probe/tcp-liveness-readiness.yaml
+++ b/content/fr/examples/pods/probe/tcp-liveness-readiness.yaml
@@ -7,7 +7,7 @@ metadata:
 spec:
   containers:
   - name: goproxy
-    image: k8s.gcr.io/goproxy:0.1
+    image: registry.k8s.io/goproxy:0.1
     ports:
     - containerPort: 8080
     readinessProbe:
diff --git a/content/fr/examples/pods/topology-spread-constraints/one-constraint-with-nodeaffinity.yaml b/content/fr/examples/pods/topology-spread-constraints/one-constraint-with-nodeaffinity.yaml
index 858ecd1b9bbc6..ed6c7ffbcae16 100644
--- a/content/fr/examples/pods/topology-spread-constraints/one-constraint-with-nodeaffinity.yaml
+++ b/content/fr/examples/pods/topology-spread-constraints/one-constraint-with-nodeaffinity.yaml
@@ -23,4 +23,4 @@ spec:
             - zoneC
   containers:
   - name: pause
-    image: k8s.gcr.io/pause:3.1
+    image: registry.k8s.io/pause:3.1
diff --git a/content/fr/examples/pods/topology-spread-constraints/one-constraint.yaml b/content/fr/examples/pods/topology-spread-constraints/one-constraint.yaml
index 1062e8a489e4f..cc1d503c5d950 100644
--- a/content/fr/examples/pods/topology-spread-constraints/one-constraint.yaml
+++ b/content/fr/examples/pods/topology-spread-constraints/one-constraint.yaml
@@ -14,4 +14,4 @@ spec:
         foo: bar
   containers:
   - name: pause
-    image: k8s.gcr.io/pause:3.1
+    image: registry.k8s.io/pause:3.1
diff --git a/content/fr/examples/pods/topology-spread-constraints/two-constraints.yaml b/content/fr/examples/pods/topology-spread-constraints/two-constraints.yaml
index 6c0ab0009bea3..a75749b28413f 100644
--- a/content/fr/examples/pods/topology-spread-constraints/two-constraints.yaml
+++ b/content/fr/examples/pods/topology-spread-constraints/two-constraints.yaml
@@ -20,4 +20,4 @@ spec:
         foo: bar
   containers:
   - name: pause
-    image: k8s.gcr.io/pause:3.1
+    image: registry.k8s.io/pause:3.1

From 8dca32fedb12a956bcf03107abe281d498e46da0 Mon Sep 17 00:00:00 2001
From: "Mr. Erlison" <sisal.cordame_0a@icloud.com>
Date: Thu, 9 Mar 2023 08:42:10 -0300
Subject: [PATCH 088/215] Add
 pt-br/blog/_posts/2023-02-06-k8s-gcr-io-freeze-announcement.md

---
 ...23-02-06-k8s-gcr-io-freeze-announcement.md | 52 +++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 content/pt-br/blog/_posts/2023-02-06-k8s-gcr-io-freeze-announcement.md

diff --git a/content/pt-br/blog/_posts/2023-02-06-k8s-gcr-io-freeze-announcement.md b/content/pt-br/blog/_posts/2023-02-06-k8s-gcr-io-freeze-announcement.md
new file mode 100644
index 0000000000000..1e841dbc2f4c4
--- /dev/null
+++ b/content/pt-br/blog/_posts/2023-02-06-k8s-gcr-io-freeze-announcement.md
@@ -0,0 +1,52 @@
+---
+layout: blog
+title: "k8s.gcr.io O registro de imagens será congelado a partir de 3 de abril de 2023"
+date: 2023-02-06
+slug: k8s-gcr-io-freeze-announcement
+---
+
+**Autor**: Mahamed Ali (Rackspace Technology)
+
+O projeto Kubernetes executa um registro de imagens de propriedade da comunidade chamado `registry.k8s.io` para hospedar suas imagens de contêiner. 
+No dia 3 de abril de 2023, o antigo registro k8s.gcr.io será congelado e nenhuma nova imagem para o Kubernetes e subprojetos relacionados será enviada para o registro antigo.
+
+Este registro `registry.k8s.io` substituiu o antigo e está disponível há vários meses. Publicamos uma [postagem no blog](/pt-br/blog/2022/11/28/registry-k8s-io-faster-cheaper-ga/) sobre seus benefícios para a comunidade e o projeto Kubernetes. 
+Este post também anunciou que versões futuras do Kubernetes não estarão disponíveis no registro antigo. Agora chegou essa hora.
+
+O que essa mudança significa para os colaboradores:
+- Se você é um mantenedor de um subprojeto, precisará atualizar seus manifestos e Helm charts para usar o novo registro.
+
+O que essa mudança significa para os usuários finais:
+- A versão 1.27 do Kubernetes não será publicada no registro antigo.
+- As versões de patch para 1.24, 1.25 e 1.26 não serão mais publicadas no registro antigo a partir de abril. Leia a linha do tempo abaixo para obter detalhes sobre os lançamentos finais de patches no registro antigo.
+- A partir da versão 1.25, o registro de imagem padrão foi definido como `registry.k8s.io`. Este valor é substituível nos programas `kubeadm` e `kubelet`, mas defini-lo como `k8s.gcr.io` falhará para novas versões após abril, pois as imagens dessas novas versões não estarão disponíveis no registro antigo.
+- Se você quiser aumentar a confiabilidade do seu cluster e remover a dependência do registro de propriedade da comunidade ou se estiver executando o Kubernetes em redes onde o tráfego externo é restrito, considere hospedar uma cópia local do registro de imagens. Alguns fornecedores de nuvem podem oferecer soluções para isso.
+
+## Linha do tempo das mudanças
+
+- `k8s.gcr.io` será congelado no dia 3 de abril de 2023
+- Espera-se que a versão 1.27 seja lançada em 12 de abril de 2023
+- A última versão da 1.23 no `k8s.gcr.io` será 1.23.18 (a versão 1.23 deixará de ser suportada antes do congelamento do k8s.gcr.io)
+- A última versão 1.24 no `k8s.gcr.io` será 1.24.12
+- A última versão 1.25 no `k8s.gcr.io` será 1.25.8
+- A última versão 1.26 no `k8s.gcr.io` será 1.26.3
+
+## Próximos passos
+
+Certifique-se de que o seu cluster não tenha dependências no registro de imagens antigo. Por exemplo, você pode executar este comando para listar as imagens usadas pelos Pods:
+
+```shell
+kubectl get pods --all-namespaces -o jsonpath="{.items[*].spec.containers[*].image}" |\
+tr -s '[[:space:]]' '\n' |\
+sort |\
+uniq -c
+```
+
+Pode haver outras dependências no antigo registro de imagens. 
+Certifique-se de revisar quaisquer dependências potenciais para manter seu cluster saudável e atualizado.
+
+## Agradecimentos
+
+__A mudança é difícil__, e a evolução de nossa plataforma de serviço de imagem é necessária para garantir um futuro sustentável para o projeto. Nós nos esforçamos para melhorar as coisas para todos que utilizam o Kubernetes. Muitos colaboradores de todos os cantos da nossa comunidade têm trabalhado muito e com dedicação para garantir que estamos tomando as melhores decisões possíveis, executando planos e fazendo o nosso melhor para comunicar esses planos.
+
+Obrigado a Aaron Crickenberger, Arnaud Meukam, Benjamin Elder, Caleb Woodbine, Davanum Srinivas, Mahamed Ali, e Tim Hockin do grupo de interesse especial (SIG) K8s Infra, Brian McQueen, e Sergey Kanzhelev do SIG Node, Lubomir Ivanov do SIG Cluster Lifecycle, Adolfo García Veytia, Jeremy Rickard, Sascha Grunert, e Stephen Augustus do SIG Release, Bob Killen and Kaslin Fields do SIG Contribex, Tim Allclair do Comitê de Resposta de Segurança. Um grande obrigado também aos nossos amigos que atuam como pontos de contato com nossos provedores de nuvem parceiros: Jay Pipes da Amazon e Jon Johnson Jr. do Google.
\ No newline at end of file

From bc812e00d663b27e6bb0010a0c3f560e4da9f4f7 Mon Sep 17 00:00:00 2001
From: "Diego W. Antunes" <devlware@gmail.com>
Date: Thu, 9 Mar 2023 09:40:38 -0300
Subject: [PATCH 089/215] Update and standardize pt-br cheatsheet

---
 .../docs/reference/kubectl/cheatsheet.md      | 298 +++++++++---------
 1 file changed, 151 insertions(+), 147 deletions(-)

diff --git a/content/pt-br/docs/reference/kubectl/cheatsheet.md b/content/pt-br/docs/reference/kubectl/cheatsheet.md
index 3a272c35fb624..3b2bcd684657a 100644
--- a/content/pt-br/docs/reference/kubectl/cheatsheet.md
+++ b/content/pt-br/docs/reference/kubectl/cheatsheet.md
@@ -8,12 +8,10 @@ card:
 
 <!-- overview -->
 
-Esta página contém uma lista de comandos e sinalizadores `kubectl` comumente usados.
+Esta página contém uma lista de comandos `kubectl` e flags frequentemente usados.
 
 <!-- body -->
 
-# kubectl - Cheat Sheet
-
 ## Kubectl Autocomplete
 
 ### BASH
@@ -27,7 +25,7 @@ Você também pode usar uma abreviação para o atalho para `kubectl` que també
 
 ```bash
 alias k=kubectl
-complete -F __start_kubectl k
+complete -o default -F __start_kubectl k
 ```
 
 ### ZSH
@@ -45,12 +43,12 @@ Acrescentar `--all-namespaces` acontece com bastante frequência, onde você dev
 
 ##  Contexto e Configuração do Kubectl
 
-Defina com qual cluster Kubernetes o `kubectl` se comunica e modifique os detalhes da configuração.
+Define com qual cluster Kubernetes o `kubectl` se comunica e modifica os detalhes da configuração.
 Veja a documentação [Autenticando entre clusters com o kubeconfig](/docs/tasks/access-application-cluster/configure-access-multiple-clusters/) para
 informações detalhadas do arquivo de configuração.
 
 ```bash
-kubectl config view # Mostrar configurações do kubeconfig mergeadas.
+kubectl config view # Mostra configurações do kubeconfig mergeadas
 
 # use vários arquivos kubeconfig ao mesmo tempo e visualize a configuração mergeada
 KUBECONFIG=~/.kube/config:~/.kube/kubconfig2 
@@ -60,59 +58,60 @@ kubectl config view
 # obtenha a senha para o usuário e2e
 kubectl config view -o jsonpath='{.users[?(@.name == "e2e")].user.password}'
 
-kubectl config view -o jsonpath='{.users[].name}'    # exibir o primeiro usuário
-kubectl config view -o jsonpath='{.users[*].name}'   # obtenha uma lista de usuários
-kubectl config get-contexts                          # exibir lista de contextos
-kubectl config current-context                       # exibir o contexto atual
-kubectl config use-context my-cluster-name           # defina o contexto padrão como my-cluster-name
+kubectl config view -o jsonpath='{.users[].name}'    # exibe o primeiro usuário
+kubectl config view -o jsonpath='{.users[*].name}'   # obtém uma lista de usuários
+kubectl config get-contexts                          # exibe lista de contextos
+kubectl config current-context                       # exibe o contexto atual
+kubectl config use-context my-cluster-name           # define o contexto padrão como my-cluster-name
 
-kubectl config set-cluster my-cluster-name           # defina uma entrada de cluster no kubeconfig
+kubectl config set-cluster my-cluster-name           # define uma entrada de cluster no kubeconfig
 
-# configurar a URL para um servidor proxy a ser usado para solicitações feitas por este cliente no kubeconfig
+# configura a URL para um servidor proxy a ser usado para solicitações feitas por este cliente no kubeconfig
 kubectl config set-cluster my-cluster-name --proxy-url=my-proxy-url
 
-# adicione um novo cluster ao seu kubeconfig que suporte autenticação básica
+# adiciona um novo cluster ao seu kubeconfig que suporte autenticação básica
 kubectl config set-credentials kubeuser/foo.kubernetes.com --username=kubeuser --password=kubepassword
 
-# salve o namespace permanentemente para todos os comandos subsequentes do kubectl nesse contexto.
+# salva o namespace permanentemente para todos os comandos subsequentes do kubectl nesse contexto
 kubectl config set-context --current --namespace=ggckad-s2
 
-# defina um contexto utilizando um nome de usuário e o namespace.
+# define um contexto utilizando um nome de usuário e o namespace
 kubectl config set-context gce --user=cluster-admin --namespace=foo \
   && kubectl config use-context gce
  
-kubectl config unset users.foo                       # excluir usuário foo
+kubectl config unset users.foo                       # exclui usuário foo
 
 # alias curto para definir/mostrar contexto/namespace (funciona apenas para bash e shells compatíveis com bash, contexto atual a ser definido antes de usar kn para definir namespace)
 alias kx='f() { [ "$1" ] && kubectl config use-context $1 || kubectl config current-context ; } ; f'
 alias kn='f() { [ "$1" ] && kubectl config set-context --current --namespace $1 || kubectl config view --minify | grep namespace | cut -d" " -f6 ; } ; f'
 ```
 
-## Aplicar
+## Kubectl apply
+
 `apply` gerencia aplicações através de arquivos que definem os recursos do Kubernetes. Ele cria e atualiza recursos em um cluster através da execução `kubectl apply`.
-Esta é a maneira recomendada de gerenciar aplicações Kubernetes em ambiente de produção. Veja a [documentação do Kubectl](https://kubectl.docs.kubernetes.io).
+Esta é a maneira recomendada para gerenciar aplicações Kubernetes em ambiente de produção. Veja a [documentação do Kubectl](https://kubectl.docs.kubernetes.io).
 
 ## Criando objetos
 
-Manifestos Kubernetes podem ser definidos em YAML ou JSON. A extensão de arquivo `.yaml`,
-`.yml`, e `.json` pode ser usado.
+Manifestos Kubernetes podem ser definidos em YAML ou JSON. As extensões de arquivo `.yaml`,
+`.yml`, e `.json` podem ser usadas.
 
 ```bash
-kubectl apply -f ./my-manifest.yaml            # criar recurso(s)
-kubectl apply -f ./my1.yaml -f ./my2.yaml      # criar a partir de vários arquivos
-kubectl apply -f ./dir                         # criar recurso(s) em todos os arquivos de manifesto no diretório
-kubectl apply -f https://git.io/vPieo          # criar recurso(s) a partir de URL
-kubectl create deployment nginx --image=nginx  # iniciar uma única instância do nginx
+kubectl apply -f ./my-manifest.yaml            # cria recurso(s)
+kubectl apply -f ./my1.yaml -f ./my2.yaml      # cria a partir de vários arquivos
+kubectl apply -f ./dir                         # cria recurso(s) em todos os arquivos de manifesto no diretório
+kubectl apply -f https://git.io/vPieo          # cria recurso(s) a partir de URL
+kubectl create deployment nginx --image=nginx  # inicia uma única instância do nginx
 
-# crie um Job que imprime "Hello World"
+# cria um Job que exibe "Hello World"
 kubectl create job hello --image=busybox:1.28 -- echo "Hello World"
 
-# crie um CronJob que imprime "Hello World" a cada minuto
+# cria um CronJob que exibe "Hello World" a cada minuto
 kubectl create cronjob hello --image=busybox:1.28   --schedule="*/1 * * * *" -- echo "Hello World"
 
-kubectl explain pods                           # obtenha a documentação de manifesto do pod
+kubectl explain pods                           # obtém a documentação de manifesto do pod
 
-# Crie vários objetos YAML a partir de stdin
+# Cria vários objetos YAML a partir de stdin
 cat <<EOF | kubectl apply -f -
 apiVersion: v1
 kind: Pod
@@ -139,7 +138,7 @@ spec:
     - "1000"
 EOF
 
-# Crie um segredo com várias chaves
+# Cria um segredo com várias chaves
 cat <<EOF | kubectl apply -f -
 apiVersion: v1
 kind: Secret
@@ -153,199 +152,208 @@ EOF
 
 ```
 
-## Visualizando e Localizando Recursos
+## Visualizando e localizando recursos
 
 ```bash
-# Obter comandos com saída simples
-kubectl get services                          # Listar todos os serviços do namespace
-kubectl get pods --all-namespaces             # Listar todos os pods em todos namespaces
-kubectl get pods -o wide                      # Listar todos os pods no namespace atual, com mais detalhes
-kubectl get deployment my-dep                 # Listar um deployment específico
-kubectl get pods                              # Listar todos os pods no namespace
-kubectl get pod my-pod -o yaml                # Obter o YAML de um pod
-
-# Descrever comandos com saída detalhada
+# Comandos get com saída simples
+kubectl get services                          # Lista todos os serviços do namespace
+kubectl get pods --all-namespaces             # Lista todos os Pods em todos namespaces
+kubectl get pods -o wide                      # Lista todos os Pods no namespace atual, com mais detalhes
+kubectl get deployment my-dep                 # Lista um deployment específico
+kubectl get pods                              # Lista todos os Pods no namespace
+kubectl get pod my-pod -o yaml                # Obtém o YAML de um pod
+
+# Comandos describe com saída detalhada
 kubectl describe nodes my-node
 kubectl describe pods my-pod
 
-# Listar serviços classificados por nome
+# Lista serviços classificados por nome
 kubectl get services --sort-by=.metadata.name
 
-# Listar pods classificados por contagem de reinicializações
+# Lista Pods classificados por contagem de reinicializações
 kubectl get pods --sort-by='.status.containerStatuses[0].restartCount'
 
-# Listar PersistentVolumes classificado por capacidade
+# Lista PersistentVolumes classificados por capacidade
 kubectl get pv --sort-by=.spec.capacity.storage
 
-# Obtenha a versão da label de todos os pods com a label app=cassandra
+# Obtém a versão da label de todos os Pods com a label app=cassandra
 kubectl get pods --selector=app=cassandra -o \
   jsonpath='{.items[*].metadata.labels.version}'
 
-# Recupere o valor de uma chave com pontos, por exemplo 'ca.crt'
+# Recupera o valor de uma chave com pontos, por exemplo 'ca.crt'
 kubectl get configmap myconfig \
   -o jsonpath='{.data.ca\.crt}'
 
-# Recupere um valor codificado em base64 com traços em vez de sublinhados
+# Recupera um valor codificado em base64 com traços em vez de sublinhados
 kubectl get secret my-secret --template='{{index .data "key-name-with-dashes"}}'
 
-# Obter todos os nós workers (use um seletor para excluir resultados que possuem uma label
+# Obtém todos os nós workers (use um seletor para excluir resultados que possuem uma label
 # nomeado 'node-role.kubernetes.io/control-plane')
 kubectl get node --selector='!node-role.kubernetes.io/control-plane'
 
-# Obter todos os pods em execução no namespace
+# Obtém todos os Pods em execução no namespace
 kubectl get pods --field-selector=status.phase=Running
 
-# Obter ExternalIPs de todos os nós
+# Obtém ExternalIPs de todos os nós
 kubectl get nodes -o jsonpath='{.items[*].status.addresses[?(@.type=="ExternalIP")].address}'
 
-# Listar nomes de pods pertencentes a um RC particular 
+# Lista nomes de Pods pertencentes a um RC particular
 # O comando "jq" é útil para transformações que são muito complexas para jsonpath, pode ser encontrado em https://stedolan.github.io/jq/
 sel=${$(kubectl get rc my-rc --output=json | jq -j '.spec.selector | to_entries | .[] | "\(.key)=\(.value),"')%?}
 echo $(kubectl get pods --selector=$sel --output=jsonpath={.items..metadata.name})
 
-# Mostrar marcadores para todos os pods(ou qualquer outro objeto Kubernetes que suporte rotulagem)
+# Exibe marcadores para todos os Pods (ou qualquer outro objeto Kubernetes que suporte rotulagem)
 kubectl get pods --show-labels
 
-# Verifique quais nós estão prontos
+# Verifica quais nós estão prontos
 JSONPATH='{range .items[*]}{@.metadata.name}:{range @.status.conditions[*]}{@.type}={@.status};{end}{end}' \
  && kubectl get nodes -o jsonpath="$JSONPATH" | grep "Ready=True"
 
-# Listar todos os segredos atualmente em uso por um pod
+# Exibe o segredo decodificado sem utilizar ferramentas externas
+kubectl get secret my-secret -o go-template='{{range $k,$v := .data}}{{"### "}}{{$k}}{{"\n"}}{{$v|base64decode}}{{"\n\n"}}{{end}}'
+
+# Lista todos os segredos atualmente em uso por um pod
 kubectl get pods -o json | jq '.items[].spec.containers[].env[]?.valueFrom.secretKeyRef.name' | grep -v null | sort | uniq
 
-# Listar todos os containerIDs de initContainer de todos os pods
+# Lista todos os containerIDs de initContainer de todos os Pods
 # Útil ao limpar contêineres parados, evitando a remoção de initContainers.
 kubectl get pods --all-namespaces -o jsonpath='{range .items[*].status.initContainerStatuses[*]}{.containerID}{"\n"}{end}' | cut -d/ -f3
 
-# Listar eventos classificados por timestamp
+# Lista eventos classificados por timestamp
 kubectl get events --sort-by=.metadata.creationTimestamp
 
+# Lista todos eventos do tipo Warning
+kubectl events --types=Warning
+
 # Compara o estado atual do cluster com o estado em que o cluster estaria se o manifesto fosse aplicado.
 kubectl diff -f ./my-manifest.yaml
 
-# Produzir uma árvore delimitada por ponto de todas as chaves retornadas para nós
+# Produz uma árvore delimitada por ponto de todas as chaves retornadas para nós
 # Útil ao localizar uma chave em uma estrutura JSON aninhada complexa
 kubectl get nodes -o json | jq -c 'paths|join(".")'
 
-# Produzir uma árvore delimitada por ponto de todas as chaves retornadas para pods, etc.
+# Produz uma árvore delimitada por ponto de todas as chaves retornadas para Pods, etc.
 kubectl get pods -o json | jq -c 'paths|join(".")'
 
-# Produza ENV para todos os pods, supondo que você tenha um contêiner padrão para os pods, namespace padrão e o comando `env` é compatível.
-# Útil ao executar qualquer comando suportado em todos os pods, não apenas `env`
+# Produz ENV para todos os Pods, supondo que você tenha um contêiner padrão para os Pods, namespace padrão e o comando `env` é compatível.
+# Útil ao executar qualquer comando suportado em todos os Pods, não apenas `env`
 for pod in $(kubectl get po --output=jsonpath={.items..metadata.name}); do echo $pod && kubectl exec -it $pod -- env; done
 
-# Obtenha o sub-recurso de status de uma implantação
+# Obtém o status de um sub-recurso de uma implantação
 kubectl get deployment nginx-deployment --subresource=status
 ```
 
-## Atualizando Recursos
+## Atualizando recursos
 
 ```bash
 kubectl set image deployment/frontend www=image:v2               # Aplica o rollout nos containers "www" do deployment "frontend", atualizando a imagem
 kubectl rollout history deployment/frontend                      # Verifica o histórico do deployment, incluindo a revisão
 kubectl rollout undo deployment/frontend                         # Rollback para o deployment anterior
 kubectl rollout undo deployment/frontend --to-revision=2         # Rollback para uma revisão específica
-kubectl rollout status -w deployment/frontend                    # Acompanhe o status de atualização do "frontend" até sua conclusão sem interrupção 
-kubectl rollout restart deployment/frontend                      # Reinício contínuo do deployment "frontend"
+kubectl rollout status -w deployment/frontend                    # Acompanha o status de atualização do "frontend" até sua conclusão sem interrupção 
+kubectl rollout restart deployment/frontend                      # Reinicia contínuo do deployment "frontend"
 
-cat pod.json | kubectl replace -f -                              # Substitua um pod com base no JSON passado para std
+cat pod.json | kubectl replace -f -                              # Substitue um pod com base no JSON passado para stdin
 
 # Força a substituição, exclui e recria o recurso. Causará uma interrupção do serviço.
 kubectl replace --force -f ./pod.json
 
-# Crie um serviço para um nginx replicado, que serve na porta 80 e se conecta aos contêineres na porta 8000
+# Cria um serviço para um nginx replicado, que serve na porta 80 e se conecta aos contêineres na porta 8000
 kubectl expose rc nginx --port=80 --target-port=8000
 
-# Atualizar a versão da imagem (tag) de um pod de contêiner único para a v4
+# Atualiza a versão da imagem (tag) de um pod de contêiner único para a v4
 kubectl get pod mypod -o yaml | sed 's/\(image: myimage\):.*$/\1:v4/' | kubectl replace -f -
 
-kubectl label pods my-pod new-label=awesome                      # Adicionar uma label
-kubectl annotate pods my-pod icon-url=http://goo.gl/XXBTWq       # Adicionar uma anotação
-kubectl autoscale deployment foo --min=2 --max=10                # Escalar automaticamente um deployment "foo"
+kubectl label pods my-pod new-label=awesome                      # Adiciona uma label
+kubectl label pods my-pod new-label-                             # Remove a label new-label
+kubectl annotate pods my-pod icon-url=http://goo.gl/XXBTWq       # Adiciona uma anotação
+kubectl autoscale deployment foo --min=2 --max=10                # Escala automaticamente um deployment "foo"
 ```
 
-## Recursos de Correção
+## Recursos de correção
 
 ```bash
-# Atualizar parcialmente um nó
+# Atualiza parcialmente um nó
 kubectl patch node k8s-node-1 -p '{"spec":{"unschedulable":true}}'
 
-# Atualizar a imagem de um contêiner; spec.containers[*].name é obrigatório porque é uma chave de mesclagem
+# Atualiza a imagem de um contêiner; spec.containers[*].name é obrigatório porque é uma chave de mesclagem
 kubectl patch pod valid-pod -p '{"spec":{"containers":[{"name":"kubernetes-serve-hostname","image":"new image"}]}}'
 
-# Atualizar a imagem de um contêiner usando um patch json com matrizes posicionais
+# Atualiza a imagem de um contêiner usando um patch json com matrizes posicionais
 kubectl patch pod valid-pod --type='json' -p='[{"op": "replace", "path": "/spec/containers/0/image", "value":"new image"}]'
 
-# Desative um livenessProbe de deployment usando um patch json com matrizes posicionais
+# Desativa um livenessProbe de deployment usando um patch json com matrizes posicionais
 kubectl patch deployment valid-deployment  --type json   -p='[{"op": "remove", "path": "/spec/template/spec/containers/0/livenessProbe"}]'
 
-# Adicionar um novo elemento a uma matriz posicional
+# Adiciona um novo elemento a uma matriz posicional
 kubectl patch sa default --type='json' -p='[{"op": "add", "path": "/secrets/1", "value": {"name": "whatever" } }]'
 
-# Atualize a contagem de réplicas de uma implantação corrigindo seu sub-recurso de escala
+# Atualiza a contagem de réplicas de uma implantação corrigindo seu sub-recurso de escala
 kubectl patch deployment nginx-deployment --subresource='scale' --type='merge' -p '{"spec":{"replicas":2}}'
 ```
 
-## Editando Recursos
-Edite qualquer recurso da API no seu editor preferido.
+## Editando recursos
+
+Edita qualquer recurso da API no seu editor preferido.
 
 ```bash
-kubectl edit svc/docker-registry                      # Edite o serviço chamado docker-registry
-KUBE_EDITOR="nano" kubectl edit svc/docker-registry   # Use um editor alternativo
+kubectl edit svc/docker-registry                      # Edita o serviço chamado docker-registry
+KUBE_EDITOR="nano" kubectl edit svc/docker-registry   # Usa um editor alternativo
 ```
 
-## Escalando Recursos
+## Escalando recursos
 
 ```bash
-kubectl scale --replicas=3 rs/foo                                 # Escale um replicaset chamado 'foo' para 3
-kubectl scale --replicas=3 -f foo.yaml                            # Escale um recurso especificado em "foo.yaml" para 3
-kubectl scale --current-replicas=2 --replicas=3 deployment/mysql  # Se o tamanho atual do deployment chamado mysql for dois, assim escale para 3
-kubectl scale --replicas=5 rc/foo rc/bar rc/baz                   # Escalar vários replicaset
+kubectl scale --replicas=3 rs/foo                                 # Escala um replicaset chamado 'foo' para 3
+kubectl scale --replicas=3 -f foo.yaml                            # Escala um recurso especificado em "foo.yaml" para 3
+kubectl scale --current-replicas=2 --replicas=3 deployment/mysql  # Se o tamanho atual do deployment chamado mysql for 2, escala para 3
+kubectl scale --replicas=5 rc/foo rc/bar rc/baz                   # Escala vários controladores de replicaset
 ```
 
-## Deleting resources
+## Deletando resources
 
 ```bash
-kubectl delete -f ./pod.json                                              # Exclua um pod usando o tipo e o nome especificados em pod.json
-kubectl delete pod,service baz foo                                        # Excluir pods e serviços com os mesmos nomes "baz" e "foo"
-kubectl delete pods,services -l name=myLabel                              # Excluir pods e serviços com o nome da label = myLabel
-kubectl -n my-ns delete pod,svc --all                                     # Exclua todos os pods e serviços no namespace my-ns,
-# Excluir todos os pods que correspondem ao awk pattern1 ou pattern2
+kubectl delete -f ./pod.json                                              # Exclui um Pod usando o tipo e o nome especificados em pod.json
+kubectl delete pod unwanted --now                          ........       # Exclui um Pod imediatamente sem esperar pelo tempo configurado
+kubectl delete pod,service baz foo                                        # Exclui Pods e serviços com os mesmos nomes "baz" e "foo"
+kubectl delete pods,services -l name=myLabel                              # Exclui Pods e serviços com o nome da label = myLabel
+kubectl -n my-ns delete pod,svc --all                                     # Exclui todos os Pods e serviços no namespace my-ns,
+# Exclui todos os Pods que correspondem ao awk pattern1 ou pattern2
 kubectl get pods  -n mynamespace --no-headers=true | awk '/pattern1|pattern2/{print $1}' | xargs  kubectl delete -n mynamespace pod
 ```
 
 ## Interagindo com Pods em execução
 
 ```bash
-kubectl logs my-pod                                 # despejar logs de pod (stdout)
-kubectl logs -l name=myLabel                        # despejar logs de pod, com a label de name=myLabel (stdout)
-kubectl logs my-pod --previous                      # despejar logs de pod (stdout) para a instância anterior de um contêiner
-kubectl logs my-pod -c my-container                 # despejar logs de um específico contêiner em um pod (stdout, no caso de vários contêineres)
-kubectl logs -l name=myLabel -c my-container        # despejar logs de pod, com nome da label = myLabel (stdout)
-kubectl logs my-pod -c my-container --previous      # despejar logs de um contêiner específico em um pod (stdout, no caso de vários contêineres) para uma instanciação anterior de um contêiner
+kubectl logs my-pod                                 # despeja logs de pod (stdout)
+kubectl logs -l name=myLabel                        # despeja logs de pod, com a label de name=myLabel (stdout)
+kubectl logs my-pod --previous                      # despeja logs de pod (stdout) para a instância anterior de um contêiner
+kubectl logs my-pod -c my-container                 # despeja logs de um específico contêiner em um pod (stdout, no caso de vários contêineres)
+kubectl logs -l name=myLabel -c my-container        # despeja logs de pod, com nome da label = myLabel (stdout)
+kubectl logs my-pod -c my-container --previous      # despeja logs de um contêiner específico em um pod (stdout, no caso de vários contêineres) para uma instanciação anterior de um contêiner
 kubectl logs -f my-pod                              # Fluxo de logs de pod (stdout)
 kubectl logs -f my-pod -c my-container              # Fluxo de logs para um específico contêiner em um pod (stdout, caixa com vários contêineres)
-kubectl logs -f -l name=myLabel --all-containers    # transmitir todos os logs de pods com a label name=myLabel (stdout)
-kubectl run -i --tty busybox --image=busybox:1.28 -- sh  # Executar pod como shell interativo
-kubectl run nginx --image=nginx -n mynamespace      # Inicie uma única instância do pod nginx no namespace de mynamespace
+kubectl logs -f -l name=myLabel --all-containers    # transmite todos os logs de Pods com a label name=myLabel (stdout)
+kubectl run -i --tty busybox --image=busybox:1.28 -- sh  # Executa pod como shell interativo
+kubectl run nginx --image=nginx -n mynamespace      # Inicia uma única instância do pod nginx no namespace de mynamespace
 kubectl run nginx --image=nginx --dry-run=client -o yaml > pod.yaml
-                                                    # Gere a especificação para executar o pod nginx e grave-a em um arquivo chamado pod.yaml 
-kubectl attach my-pod -i                            # Anexar ao contêiner em execução
+                                                    # Gera a especificação para executar o pod nginx e grave-a em um arquivo chamado pod.yaml 
+kubectl attach my-pod -i                            # Anexa ao contêiner em execução
 kubectl port-forward my-pod 5000:6000               # Ouça na porta 5000 na máquina local e encaminhe para a porta 6000 no my-pod
-kubectl exec my-pod -- ls /                         # Executar comando no pod existente (1 contêiner)
+kubectl exec my-pod -- ls /                         # Executa comando no pod existente (1 contêiner)
 kubectl exec --stdin --tty my-pod -- /bin/sh        # Acesso de shell interativo a um pod em execução (apenas 1 contêiner)
-kubectl exec my-pod -c my-container -- ls /         # Executar comando no pod existente (pod com vários contêineres)
-kubectl top pod POD_NAME --containers               # Mostrar métricas para um determinado pod e seus contêineres
-kubectl top pod POD_NAME --sort-by=cpu              # Mostrar métricas para um determinado pod e classificá-lo por 'cpu' ou 'memória'
+kubectl exec my-pod -c my-container -- ls /         # Executa comando no pod existente (pod com vários contêineres)
+kubectl top pod POD_NAME --containers               # Mostra métricas para um determinado pod e seus contêineres
+kubectl top pod POD_NAME --sort-by=cpu              # Mostra métricas para um determinado pod e classificá-lo por 'cpu' ou 'memória'
 ```
 
-## Copiar arquivos e diretórios de e para contêineres
+## Copiando arquivos e diretórios de e para contêineres
 
 ```bash
-kubectl cp /tmp/foo_dir my-pod:/tmp/bar_dir            # Copie o diretório local /tmp/foo_dir para /tmp/bar_dir em um pod remoto no namespace atual
-kubectl cp /tmp/foo my-pod:/tmp/bar -c my-container    # Copie o arquivo local /tmp/foo para /tmp/bar em um pod remoto em um contêiner específico
-kubectl cp /tmp/foo my-namespace/my-pod:/tmp/bar       # Copie o arquivo local /tmp/foo para /tmp/bar em um pod remoto no namespace my-namespace
-kubectl cp my-namespace/my-pod:/tmp/foo /tmp/bar       # Copie /tmp/foo de um pod remoto para /tmp/bar localmente
+kubectl cp /tmp/foo_dir my-pod:/tmp/bar_dir            # Copia o diretório local /tmp/foo_dir para /tmp/bar_dir em um pod remoto no namespace atual
+kubectl cp /tmp/foo my-pod:/tmp/bar -c my-container    # Copia o arquivo local /tmp/foo para /tmp/bar em um pod remoto em um contêiner específico
+kubectl cp /tmp/foo my-namespace/my-pod:/tmp/bar       # Copia o arquivo local /tmp/foo para /tmp/bar em um pod remoto no namespace my-namespace
+kubectl cp my-namespace/my-pod:/tmp/foo /tmp/bar       # Copia /tmp/foo de um pod remoto para /tmp/bar localmente
 ```
 {{< note >}}
 `kubectl cp` requer que o binário 'tar' esteja presente em sua imagem de contêiner. Se 'tar' não estiver presente, `kubectl cp` falhará.
@@ -353,32 +361,33 @@ Para casos de uso avançado, como links simbólicos, expansão curinga ou preser
 {{< /note >}}
 
 ```bash
-tar cf - /tmp/foo | kubectl exec -i -n my-namespace my-pod -- tar xf - -C /tmp/bar           # Copie o arquivo local /tmp/foo para /tmp/bar em um pod remoto no namespace my-namespace
-kubectl exec -n my-namespace my-pod -- tar cf - /tmp/foo | tar xf - -C /tmp/bar    # Copie /tmp/foo de um pod remoto para /tmp/bar localmente
+tar cf - /tmp/foo | kubectl exec -i -n my-namespace my-pod -- tar xf - -C /tmp/bar           # Copia o arquivo local /tmp/foo para /tmp/bar em um pod remoto no namespace my-namespace
+kubectl exec -n my-namespace my-pod -- tar cf - /tmp/foo | tar xf - -C /tmp/bar    # Copia /tmp/foo de um pod remoto para /tmp/bar localmente
 ```
 
 ## Interagindo com implantações e serviços
+
 ```bash
-kubectl logs deploy/my-deployment                         # despejar logs de pod para uma implantação (caso de contêiner único)
-kubectl logs deploy/my-deployment -c my-container         # despejar logs de pod para uma implantação (caso de vários contêineres)
+kubectl logs deploy/my-deployment                         # despeja logs de pod para uma implantação (caso de contêiner único)
+kubectl logs deploy/my-deployment -c my-container         # despeja logs de pod para uma implantação (caso de vários contêineres)
 
-kubectl port-forward svc/my-service 5000                  # escute na porta local 5000 e encaminhe para a porta 5000 no back-end do serviço
-kubectl port-forward svc/my-service 5000:my-service-port  # escute na porta local 5000 e encaminhe para a porta de destino do serviço com o nome <my-service-port>
+kubectl port-forward svc/my-service 5000                  # escuta na porta local 5000 e encaminhe para a porta 5000 no back-end do serviço
+kubectl port-forward svc/my-service 5000:my-service-port  # escuta na porta local 5000 e encaminhe para a porta de destino do serviço com o nome <my-service-port>
 
-kubectl port-forward deploy/my-deployment 5000:6000       # escute na porta local 5000 e encaminhe para a porta 6000 em um pod criado por <my-deployment>
-kubectl exec deploy/my-deployment -- ls                   # execute o comando no primeiro pod e primeiro contêiner na implantação (casos de um ou vários contêineres)
+kubectl port-forward deploy/my-deployment 5000:6000       # escuta na porta local 5000 e encaminhe para a porta 6000 em um pod criado por <my-deployment>
+kubectl exec deploy/my-deployment -- ls                   # executa o comando no primeiro pod e primeiro contêiner na implantação (casos de um ou vários contêineres)
 ```
 
 ## Interagindo com Nós e Cluster
 
 ```bash
-kubectl cordon my-node                                                # Marcar o nó my-node como não agendável
-kubectl drain my-node                                                 # Drene o nó my-node na preparação para manutenção
-kubectl uncordon my-node                                              # Marcar nó my-node como agendável
-kubectl top node my-node                                              # Mostrar métricas para um determinado nó
-kubectl cluster-info                                                  # Exibir endereços da master e serviços
-kubectl cluster-info dump                                             # Despejar o estado atual do cluster no stdout
-kubectl cluster-info dump --output-directory=/path/to/cluster-state   # Despejar o estado atual do cluster em /path/to/cluster-state
+kubectl cordon my-node                                                # Marca o nó my-node como não agendável
+kubectl drain my-node                                                 # Drena o nó my-node na preparação para manutenção
+kubectl uncordon my-node                                              # Marca nó my-node como agendável
+kubectl top node my-node                                              # Mostra métricas para um determinado nó
+kubectl cluster-info                                                  # Exibe endereços da master e serviços
+kubectl cluster-info dump                                             # Despeja o estado atual do cluster no stdout
+kubectl cluster-info dump --output-directory=/path/to/cluster-state   # Despeja o estado atual do cluster em /path/to/cluster-state
 
 # Veja os taints existentes nos nós atuais.
 kubectl get nodes -o='custom-columns=NodeName:.metadata.name,TaintKey:.spec.taints[*].key,TaintValue:.spec.taints[*].value,TaintEffect:.spec.taints[*].effect'
@@ -389,7 +398,7 @@ kubectl taint nodes foo dedicated=special-user:NoSchedule
 
 ### Tipos de Recursos
 
-Liste todos os tipos de recursos suportados junto com seus nomes abreviados, [grupo de API](/docs/concepts/overview/kubernetes-api/#api-groups-and-versioning), sejam eles [namespaced](/docs/concepts/overview/working-with-objects/namespaces) e [Kind](/docs/concepts/overview/working-with-objects/kubernetes-objects):
+Lista todos os tipos de recursos suportados junto com seus nomes abreviados, [grupo de API](/docs/concepts/overview/kubernetes-api/#api-groups-and-versioning), sejam eles [namespaced](/docs/concepts/overview/working-with-objects/namespaces) e [Kind](/docs/concepts/overview/working-with-objects/kubernetes-objects):
 
 ```bash
 kubectl api-resources
@@ -406,19 +415,19 @@ kubectl api-resources --verbs=list,get       # Todos os recursos que suportam os
 kubectl api-resources --api-group=extensions # Todos os recursos no grupo de API "extensions"
 ```
 
-### Formatação de Saída
+### Formatação de saída
 
 Para enviar detalhes para a janela do terminal em um formato específico, adicione a flag `-o` (ou `--output`) para um comando `kubectl` suportado.
 
 Formato de saída | Descrição
 --------------| -----------
-`-o=custom-columns=<spec>` | Imprimir uma tabela usando uma lista separada por vírgula de colunas personalizadas
-`-o=custom-columns-file=<filename>` | Imprima uma tabela usando o modelo de colunas personalizadas no arquivo `<nome do arquivo>`
+`-o=custom-columns=<spec>` | Exibe uma tabela usando uma lista separada por vírgula de colunas personalizadas
+`-o=custom-columns-file=<filename>` | Exibe uma tabela usando o modelo de colunas personalizadas no arquivo `<nome do arquivo>`
 `-o=json`     | Saída de um objeto de API formatado em JSON
-`-o=jsonpath=<template>` | Imprima os campos definidos em uma expressão [jsonpath](/docs/reference/kubectl/jsonpath) 
-`-o=jsonpath-file=<filename>` | Imprima os campos definidos pela expressão [jsonpath](/docs/reference/kubectl/jsonpath) no arquivo `<nome do arquivo>`
-`-o=name`     | Imprima apenas o nome do recurso e nada mais
-`-o=wide`     | Saída no formato de texto sem formatação com qualquer informação adicional e, para pods, o nome do nó está incluído
+`-o=jsonpath=<template>` | Exibe os campos definidos em uma expressão [jsonpath](/docs/reference/kubectl/jsonpath) 
+`-o=jsonpath-file=<filename>` | Exibe os campos definidos pela expressão [jsonpath](/docs/reference/kubectl/jsonpath) no arquivo `<nome do arquivo>`
+`-o=name`     | Exibe apenas o nome do recurso e nada mais
+`-o=wide`     | Saída no formato de texto sem formatação com qualquer informação adicional e, para Pods, o nome do nó está incluído
 `-o=yaml`     | Saída de um objeto de API formatado em YAML
 
 Exemplos usando `-o=custom-columns`:
@@ -437,9 +446,9 @@ kubectl get pods -A -o=custom-columns='DATA:spec.containers[?(@.image!="registry
 kubectl get pods -A -o=custom-columns='DATA:metadata.*'
 ```
 
-Mais exemplos no kubectl [documentação de referência](/docs/reference/kubectl/#custom-columns).
+Mais exemplos na [documentação de referência](/docs/reference/kubectl/#custom-columns) do kubectl.
 
-### Verbosidade da Saída do Kubectl e Debugging
+### Verbosidade de saída do Kubectl e depuração
 
 A verbosidade do Kubectl é controlado com as flags `-v` ou` --v` seguidos por um número inteiro representando o nível do log. As convenções gerais de log do Kubernetes e os níveis de log associados são descritos [aqui](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-instrumentation/logging.md).
 
@@ -451,22 +460,17 @@ Verbosidade | Descrição
 `--v=3` | Informações estendidas sobre alterações.
 `--v=4` | Detalhamento no nível de debugging.
 `--v=5` | Verbosidade do nível de rastreamento.
-`--v=6` | Exibir os recursos solicitados.
-`--v=7` | Exibir cabeçalhos de solicitação HTTP.
-`--v=8` | Exibir conteúdo da solicitação HTTP.
-`--v=9` | Exiba o conteúdo da solicitação HTTP sem o truncamento do conteúdo.
-
-
+`--v=6` | Exibe os recursos solicitados.
+`--v=7` | Exibe cabeçalhos de solicitação HTTP.
+`--v=8` | Exibe conteúdo da solicitação HTTP.
+`--v=9` | Exibe o conteúdo da solicitação HTTP sem o truncamento do conteúdo.
 
 ## {{% heading "whatsnext" %}}
 
-
 * Leia a [visão geral do kubectl](/docs/reference/kubectl/) e aprenda sobre [JsonPath](/docs/reference/kubectl/jsonpath).
 
 * Veja as opções do [kubectl](/docs/reference/kubectl/kubectl/).
 
-* Veja as [Convenções de uso do kubectl](/docs/reference/kubectl/conventions/) para entender como usá-lo em scripts reutilizáveis.
+* Leia as [Convenções de uso do kubectl](/docs/reference/kubectl/conventions/) para entender como usá-lo em scripts reutilizáveis.
 
 * Ver mais comunidade [kubectl cheatsheets](https://github.com/dennyzhang/cheatsheet-kubernetes-A4).
-
-

From 16a725f798e2ff55a4209a8823ac92bdeae67ae6 Mon Sep 17 00:00:00 2001
From: "xin.li" <xin.li@daocloud.io>
Date: Thu, 9 Mar 2023 21:30:46 +0800
Subject: [PATCH 090/215] [zh-cn]sync services-networking/service.md

Signed-off-by: xin.li <xin.li@daocloud.io>
---
 .../docs/concepts/services-networking/service.md      | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/content/zh-cn/docs/concepts/services-networking/service.md b/content/zh-cn/docs/concepts/services-networking/service.md
index 1ab32ec16ba46..d283efb234f00 100644
--- a/content/zh-cn/docs/concepts/services-networking/service.md
+++ b/content/zh-cn/docs/concepts/services-networking/service.md
@@ -26,7 +26,10 @@ weight: 10
 
 <!-- overview -->
 
+<!--
 {{< glossary_definition term_id="service" length="short" >}}
+-->
+{{< glossary_definition term_id="service" length="short" prepend="Kubernetes 中 Service 是" >}}
 
 <!--
 A key aim of Services in Kubernetes is that you don't need to modify your existing
@@ -1091,14 +1094,14 @@ by making the changes that are equivalent to you requesting a Service of
 `type: NodePort`. The cloud-controller-manager component then configures the external load balancer to
 forward traffic to that assigned node port.
 
-_As an alpha feature_, you can configure a load balanced Service to
+You can configure a load balanced Service to
 [omit](#load-balancer-nodeport-allocation) assigning a node port, provided that the
 cloud provider implementation supports this.
 -->
 要实现 `type: LoadBalancer` 的服务，Kubernetes 通常首先进行与请求 `type: NodePort` 服务等效的更改。
 cloud-controller-manager 组件然后配置外部负载均衡器以将流量转发到已分配的节点端口。
 
-**作为 Alpha 特性**，你可以将负载均衡服务配置为[忽略](#load-balancer-nodeport-allocation)分配节点端口，
+你可以将负载均衡服务配置为[忽略](#load-balancer-nodeport-allocation)分配节点端口，
 前提是云提供商实现支持这点。
 
 {{< note >}}
@@ -1810,7 +1813,7 @@ will be routed to one of the Service endpoints. `externalIPs` are not managed by
 of the cluster administrator.
 
 In the Service spec, `externalIPs` can be specified along with any of the `ServiceTypes`.
-In the example below, "`my-service`" can be accessed by clients on "`80.11.12.10:80`" (`externalIP:port`)
+In the example below, "`my-service`" can be accessed by clients on "198.51.100.32:80`" (`externalIP:port`)
 -->
 ### 外部 IP  {#external-ips}
 
@@ -1820,7 +1823,7 @@ In the example below, "`my-service`" can be accessed by clients on "`80.11.12.10
 `externalIPs` 不会被 Kubernetes 管理，它属于集群管理员的职责范畴。
 
 根据 Service 的规定，`externalIPs` 可以同任意的 `ServiceType` 来一起指定。
-在上面的例子中，`my-service` 可以在 "`80.11.12.10:80`" (`externalIP:port`) 上被客户端访问。
+在上面的例子中，`my-service` 可以在 "`198.51.100.32:80`" (`externalIP:port`) 上被客户端访问。
 
 ```yaml
 apiVersion: v1

From acbdb1f3d803c3e847b49c802f3da66eca80e972 Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Thu, 9 Mar 2023 21:57:19 +0800
Subject: [PATCH 091/215] Replace k8s.gcr.io references with registry.k8s.io
 for it

---
 content/it/docs/tutorials/hello-minikube.md                     | 2 +-
 .../admin/logging/two-files-counter-pod-agent-sidecar.yaml      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/it/docs/tutorials/hello-minikube.md b/content/it/docs/tutorials/hello-minikube.md
index 3dadc7a0cca93..566ed41918562 100644
--- a/content/it/docs/tutorials/hello-minikube.md
+++ b/content/it/docs/tutorials/hello-minikube.md
@@ -76,7 +76,7 @@ modalità raccomandata per gestire la creazione e lo scaling dei Pods.
 eseguirà un Container basato sulla Docker image specificata.
 
     ```shell
-    kubectl create deployment hello-node --image=k8s.gcr.io/echoserver:1.4
+    kubectl create deployment hello-node --image=registry.k8s.io/echoserver:1.4
     ```
 
 2. Visualizza il Deployment:
diff --git a/content/it/examples/admin/logging/two-files-counter-pod-agent-sidecar.yaml b/content/it/examples/admin/logging/two-files-counter-pod-agent-sidecar.yaml
index b37b616e6f7c7..1053cac577292 100644
--- a/content/it/examples/admin/logging/two-files-counter-pod-agent-sidecar.yaml
+++ b/content/it/examples/admin/logging/two-files-counter-pod-agent-sidecar.yaml
@@ -22,7 +22,7 @@ spec:
     - name: varlog
       mountPath: /var/log
   - name: count-agent
-    image: k8s.gcr.io/fluentd-gcp:1.30
+    image: registry.k8s.io/fluentd-gcp:1.30
     env:
     - name: FLUENTD_ARGS
       value: -c /etc/fluentd-config/fluentd.conf

From 832dbb5f1b9de09eab0715974d3b78c9927b753a Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Thu, 9 Mar 2023 22:10:52 +0800
Subject: [PATCH 092/215] Replace k8s.gcr.io references with registry.k8s.io
 for pt-br

---
 .../pt-br/docs/concepts/configuration/secret.md  |  4 ++--
 .../docs/concepts/storage/persistent-volumes.md  |  2 +-
 content/pt-br/docs/concepts/storage/volumes.md   | 16 ++++++++--------
 .../generated/kubeadm_config_images_list.md      |  2 +-
 .../kubeadm/generated/kubeadm_init.md            |  2 +-
 .../setup-tools/kubeadm/kubeadm-init.md          | 12 ++++++------
 content/pt-br/docs/tutorials/hello-minikube.md   |  4 ++--
 .../two-files-counter-pod-agent-sidecar.yaml     |  2 +-
 8 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/content/pt-br/docs/concepts/configuration/secret.md b/content/pt-br/docs/concepts/configuration/secret.md
index 7cc174e88c32e..8e964be37d8e0 100644
--- a/content/pt-br/docs/concepts/configuration/secret.md
+++ b/content/pt-br/docs/concepts/configuration/secret.md
@@ -617,7 +617,7 @@ metadata:
 spec:
   containers:
     - name: test-container
-      image: k8s.gcr.io/busybox
+      image: registry.k8s.io/busybox
       command: [ "/bin/sh", "-c", "env" ]
       envFrom:
       - secretRef:
@@ -855,7 +855,7 @@ spec:
       secretName: dotfile-secret
   containers:
   - name: dotfile-test-container
-    image: k8s.gcr.io/busybox
+    image: registry.k8s.io/busybox
     command:
     - ls
     - "-l"
diff --git a/content/pt-br/docs/concepts/storage/persistent-volumes.md b/content/pt-br/docs/concepts/storage/persistent-volumes.md
index b4848ab32f44e..ec27b23a44b49 100644
--- a/content/pt-br/docs/concepts/storage/persistent-volumes.md
+++ b/content/pt-br/docs/concepts/storage/persistent-volumes.md
@@ -148,7 +148,7 @@ spec:
       path: /any/path/it/will/be/replaced
   containers:
   - name: pv-recycler
-    image: "k8s.gcr.io/busybox"
+    image: "registry.k8s.io/busybox"
     command: ["/bin/sh", "-c", "test -e /scrub && rm -rf /scrub/..?* /scrub/.[!.]* /scrub/*  && test -z \"$(ls -A /scrub)\" || exit 1"]
     volumeMounts:
     - name: vol
diff --git a/content/pt-br/docs/concepts/storage/volumes.md b/content/pt-br/docs/concepts/storage/volumes.md
index 10c38ee5dbece..768be2a1eedc3 100644
--- a/content/pt-br/docs/concepts/storage/volumes.md
+++ b/content/pt-br/docs/concepts/storage/volumes.md
@@ -70,7 +70,7 @@ metadata:
   name: test-ebs
 spec:
   containers:
-  - image: k8s.gcr.io/test-webserver
+  - image: registry.k8s.io/test-webserver
     name: test-container
     volumeMounts:
     - mountPath: /test-ebs
@@ -158,7 +158,7 @@ metadata:
   name: test-cinder
 spec:
   containers:
-  - image: k8s.gcr.io/test-webserver
+  - image: registry.k8s.io/test-webserver
     name: test-cinder-container
     volumeMounts:
     - mountPath: /test-cinder
@@ -247,7 +247,7 @@ metadata:
   name: test-pd
 spec:
   containers:
-  - image: k8s.gcr.io/test-webserver
+  - image: registry.k8s.io/test-webserver
     name: test-container
     volumeMounts:
     - mountPath: /cache
@@ -307,7 +307,7 @@ metadata:
   name: test-pd
 spec:
   containers:
-  - image: k8s.gcr.io/test-webserver
+  - image: registry.k8s.io/test-webserver
     name: test-container
     volumeMounts:
     - mountPath: /test-pd
@@ -452,7 +452,7 @@ metadata:
   name: test-pd
 spec:
   containers:
-  - image: k8s.gcr.io/test-webserver
+  - image: registry.k8s.io/test-webserver
     name: test-container
     volumeMounts:
     - mountPath: /test-pd
@@ -478,7 +478,7 @@ metadata:
 spec:
   containers:
   - name: test-webserver
-    image: k8s.gcr.io/test-webserver:latest
+    image: registry.k8s.io/test-webserver:latest
     volumeMounts:
     - mountPath: /var/local/aaa
       name: mydir
@@ -580,7 +580,7 @@ metadata:
   name: test-portworx-volume-pod
 spec:
   containers:
-  - image: k8s.gcr.io/test-webserver
+  - image: registry.k8s.io/test-webserver
     name: test-container
     volumeMounts:
     - mountPath: /mnt
@@ -728,7 +728,7 @@ metadata:
   name: test-vmdk
 spec:
   containers:
-  - image: k8s.gcr.io/test-webserver
+  - image: registry.k8s.io/test-webserver
     name: test-container
     volumeMounts:
     - mountPath: /test-vmdk
diff --git a/content/pt-br/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_list.md b/content/pt-br/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_list.md
index bebe22b240c55..0f3a855a3034f 100644
--- a/content/pt-br/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_list.md
+++ b/content/pt-br/docs/reference/setup-tools/kubeadm/generated/kubeadm_config_images_list.md
@@ -65,7 +65,7 @@ kubeadm config images list [flags]
 </tr>
 
 <tr>
-<td colspan="2">--image-repository string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Padrão: "k8s.gcr.io"</td>
+<td colspan="2">--image-repository string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Padrão: "registry.k8s.io"</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>Escolha um registro de contêineres para baixar imagens da camada de gerenciamento</p></td>
diff --git a/content/pt-br/docs/reference/setup-tools/kubeadm/generated/kubeadm_init.md b/content/pt-br/docs/reference/setup-tools/kubeadm/generated/kubeadm_init.md
index 7c6a0f16b2306..bc8b63a888699 100644
--- a/content/pt-br/docs/reference/setup-tools/kubeadm/generated/kubeadm_init.md
+++ b/content/pt-br/docs/reference/setup-tools/kubeadm/generated/kubeadm_init.md
@@ -144,7 +144,7 @@ kubeadm init [flags]
 </tr>
 
 <tr>
-<td colspan="2">--image-repository string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Padrão: "k8s.gcr.io"</td>
+<td colspan="2">--image-repository string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Padrão: "registry.k8s.io"</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;"><p>Seleciona um registro de contêineres de onde baixar imagens.</p></td>
diff --git a/content/pt-br/docs/reference/setup-tools/kubeadm/kubeadm-init.md b/content/pt-br/docs/reference/setup-tools/kubeadm/kubeadm-init.md
index 969425de72ecf..b11cbef569c70 100644
--- a/content/pt-br/docs/reference/setup-tools/kubeadm/kubeadm-init.md
+++ b/content/pt-br/docs/reference/setup-tools/kubeadm/kubeadm-init.md
@@ -266,13 +266,13 @@ Você pode passar a opção `--config` para os comandos acima através de um
 [arquivo de configuração do kubeadm](#config-file) para controlar os campos
 `kubernetesVersion` e `imageRepository`.
 
-Todas as imagens padrão hospedadas em `k8s.gcr.io` que o kubeadm requer suportam
+Todas as imagens padrão hospedadas em `registry.k8s.io` que o kubeadm requer suportam
 múltiplas arquiteturas.
 
 ### Utilizando imagens personalizadas {#custom-images}
 
 Por padrão, o kubeadm baixa imagens hospedadas no repositório de contêineres
-`k8s.gcr.io`. Se a versão requisitada do Kubernetes é um rótulo de integração
+`registry.k8s.io`. Se a versão requisitada do Kubernetes é um rótulo de integração
 contínua (por exemplo, `ci/latest`), o repositório de contêineres
 `gcr.io/k8s-staging-ci-images` é utilizado.
 
@@ -283,22 +283,22 @@ são:
 * Fornecer um valor para o campo `kubernetesVersion` que afeta a versão das
   imagens.
 * Fornecer um repositório de contêineres alternativo através do campo
-  `imageRepository` para ser utilizado no lugar de `k8s.gcr.io`.
+  `imageRepository` para ser utilizado no lugar de `registry.k8s.io`.
 * Fornecer um valor específico para os campos `imageRepository` e `imageTag`,
   correspondendo ao repositório de contêineres e tag a ser utilizada, para as imagens
   dos componentes etcd ou CoreDNS.
 
-Caminhos de imagens do repositório de contêineres padrão `k8s.gcr.io` podem diferir
+Caminhos de imagens do repositório de contêineres padrão `registry.k8s.io` podem diferir
 dos utilizados em repositórios de contêineres personalizados através do campo
 `imageRepository` devido a razões de retrocompatibilidade. Por exemplo, uma
-imagem pode ter um subcaminho em `k8s.gcr.io/subcaminho/imagem`, mas quando
+imagem pode ter um subcaminho em `registry.k8s.io/subcaminho/imagem`, mas quando
 utilizado um repositório de contêineres personalizado, o valor padrão será
 `meu.repositoriopersonalizado.io/imagem`.
 
 Para garantir que você terá as imagens no seu repositório personalizado em
 caminhos que o kubeadm consiga consumir, você deve:
 
-* Baixar as imagens dos caminhos padrão `k8s.gcr.io` utilizando o comando
+* Baixar as imagens dos caminhos padrão `registry.k8s.io` utilizando o comando
   `kubeadm config images {list|pull}`.
 * Subir as imagens para os caminhos listados no resultado do comando
   `kubeadm config images list --config=config.yaml`, onde `config.yaml` contém
diff --git a/content/pt-br/docs/tutorials/hello-minikube.md b/content/pt-br/docs/tutorials/hello-minikube.md
index 55d8fc6c5c283..ee3a68b8dae25 100644
--- a/content/pt-br/docs/tutorials/hello-minikube.md
+++ b/content/pt-br/docs/tutorials/hello-minikube.md
@@ -83,7 +83,7 @@ Um [*Pod*](/docs/concepts/workloads/pods/) Kubernetes consiste em um ou mais con
 1. Usando o comando `kubectl create` para criar um Deployment que gerencia um Pod. O Pod executa um contêiner baseado na imagem docker disponibilizada.
 
     ```shell
-    kubectl create deployment hello-node --image=k8s.gcr.io/echoserver:1.4
+    kubectl create deployment hello-node --image=registry.k8s.io/echoserver:1.4
     ```
 
 2. Visualizando o Deployment:
@@ -140,7 +140,7 @@ Por padrão, um Pod só é acessível utilizando o seu endereço IP interno no c
 
     O parâmetro `--type=LoadBalancer` indica que você deseja expor o seu serviço fora do cluster Kubernetes.
     
-    A aplicação dentro da imagem `k8s.gcr.io/echoserver` "escuta" apenas na porta TCP 8080. Se você usou
+    A aplicação dentro da imagem `registry.k8s.io/echoserver` "escuta" apenas na porta TCP 8080. Se você usou
      `kubectl expose` para expor uma porta diferente, os clientes não conseguirão se conectar a essa outra porta.
 
 2. Visualizando o serviço que você acabou de criar:
diff --git a/content/pt-br/examples/admin/logging/two-files-counter-pod-agent-sidecar.yaml b/content/pt-br/examples/admin/logging/two-files-counter-pod-agent-sidecar.yaml
index b37b616e6f7c7..1053cac577292 100644
--- a/content/pt-br/examples/admin/logging/two-files-counter-pod-agent-sidecar.yaml
+++ b/content/pt-br/examples/admin/logging/two-files-counter-pod-agent-sidecar.yaml
@@ -22,7 +22,7 @@ spec:
     - name: varlog
       mountPath: /var/log
   - name: count-agent
-    image: k8s.gcr.io/fluentd-gcp:1.30
+    image: registry.k8s.io/fluentd-gcp:1.30
     env:
     - name: FLUENTD_ARGS
       value: -c /etc/fluentd-config/fluentd.conf

From be7d5813e68195b3343846392eb73fee327516fc Mon Sep 17 00:00:00 2001
From: Manikandan Muruganandam <manikandan.muruganandam@ibm.com>
Date: Thu, 9 Mar 2023 15:16:46 +0000
Subject: [PATCH 093/215] update-hugo-hyper-link

* Updating the Hugo-Hyperlink in ##using this repository
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 7aa81971cf126..2c70f76b8c53f 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@ This repository contains the assets required to build the [Kubernetes website an
 
 ## Using this repository
 
-You can run the website locally using Hugo (Extended version), or you can run it in a container runtime. We strongly recommend using the container runtime, as it gives deployment consistency with the live website.
+You can run the website locally using [Hugo (Extended version)](https://gohugo.io/), or you can run it in a container runtime. We strongly recommend using the container runtime, as it gives deployment consistency with the live website.
 
 ## Prerequisites
 

From e28b74f5c598ad493dfbb34c6d92642c5b9dab08 Mon Sep 17 00:00:00 2001
From: Joe Betz <jpbetz@google.com>
Date: Thu, 23 Feb 2023 16:18:04 -0500
Subject: [PATCH 094/215] Add reference page for CEL in Kubernetes

---
 content/en/docs/reference/using-api/cel.md | 293 +++++++++++++++++++++
 1 file changed, 293 insertions(+)
 create mode 100644 content/en/docs/reference/using-api/cel.md

diff --git a/content/en/docs/reference/using-api/cel.md b/content/en/docs/reference/using-api/cel.md
new file mode 100644
index 0000000000000..23ba98af4062a
--- /dev/null
+++ b/content/en/docs/reference/using-api/cel.md
@@ -0,0 +1,293 @@
+---
+title: Common Expression Language in Kubernetes
+reviewers:
+- jpbetz
+- cici37
+content_type: concept
+weight: 35
+min-kubernetes-server-version: 1.25
+---
+
+<!-- overview -->
+
+The [Common Expression Language (CEL)](https://github.com/google/cel-go) is used
+in the Kubernetes API to declare validation rules, policy rules, and other
+constraints or conditions.
+
+CEL expressions are evaluated directly in the
+{{< glossary_tooltip text="API server" term_id="kube-apiserver" >}}, making CEL a
+convenient alternative to out-of-process mechanisms, such as webhooks, for many
+extensibility use cases. Your CEL expressions continue to execute so long as the
+control plane's API server component remains available.
+
+<!-- body -->
+
+## Language overview
+
+The [CEL
+language](https://github.com/google/cel-spec/blob/master/doc/langdef.md) has a
+straightforward syntax that is similar to the expressions in C, C++, Java,
+JavaScript and Go.
+
+CEL was designed to be embedded into applications. Each CEL "program" is a
+single expression that evaluates to a single value. CEL expressions are
+typically short "one-liners" that inline well into the string fields of Kubernetes
+API resources.
+
+Inputs to a CEL program are "variables". Each Kubernetes API field that contains
+CEL declares in the API documentation which variables are available to use for
+that field. For example, in the `x-kubernetes-validations[i].rules` field of
+CustomResourceDefinitions, the `self` and `oldSelf` variables are available and
+refer to the previous and current state of the custom resource data to be
+validated by the CEL expression. Other Kubernetes API fields may declare
+different variables. See the API documentation of the API fields to learn which
+variables are available for that field.
+
+Example CEL expressions:
+
+{{< table caption="Examples of CEL expressions and the purpose of each" >}}
+| Rule                                                                               | Purpose                                                                           |
+|------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------|
+| `self.minReplicas <= self.replicas && self.replicas <= self.maxReplicas`           | Validate that the three fields defining replicas are ordered appropriately        |
+| `'Available' in self.stateCounts`                                                  | Validate that an entry with the 'Available' key exists in a map                   |
+| `(self.list1.size() == 0) != (self.list2.size() == 0)`                             | Validate that one of two lists is non-empty, but not both                         |
+| `self.envars.filter(e, e.name = 'MY_ENV').all(e, e.value.matches('^[a-zA-Z]*$')`   | Validate the 'value' field of a listMap entry where key field 'name' is 'MY_ENV'  |
+| `has(self.expired) && self.created + self.ttl < self.expired`                      | Validate that 'expired' date is after a 'create' date plus a 'ttl' duration       |
+| `self.health.startsWith('ok')`                                                     | Validate a 'health' string field has the prefix 'ok'                              |
+| `self.widgets.exists(w, w.key == 'x' && w.foo < 10)`                               | Validate that the 'foo' property of a listMap item with a key 'x' is less than 10 |
+| `type(self) == string ? self == '99%' : self == 42`                                | Validate an int-or-string field for both the the int and string cases             |
+| `self.metadata.name == 'singleton'`                                                | Validate that an object's name matches a specific value (making it a singleton)   |
+| `self.set1.all(e, !(e in self.set2))`                                              | Validate that two listSets are disjoint                                           |
+| `self.names.size() == self.details.size() && self.names.all(n, n in self.details)` | Validate the 'details' map is keyed by the items in the 'names' listSet           |
+
+## CEL community libraries
+
+Kubernetes CEL expressions have access to the following CEL community libraries:
+
+- CEL standard functions, defined in the [list of standard definitions](https://github.com/google/cel-spec/blob/master/doc/langdef.md#list-of-standard-definitions)
+- CEL standard [macros](https://github.com/google/cel-spec/blob/v0.7.0/doc/langdef.md#macros)
+- CEL [extended string function library](https://pkg.go.dev/github.com/google/cel-go/ext#Strings)
+
+## Kubernetes CEL libraries
+
+In additional to the CEL community libraries, Kubernetes includes CEL libraries
+that are available everywhere CEL is used in Kubernetes.
+
+### Kubernetes list library
+
+The list library includes `indexOf` and `lastIndexOf`, which work similar to the
+strings functions of the same names. These functions either the first or last
+positional index of the provided element in the list.
+
+The list library also includes `min`, `max` and `sum`. Sum is supported on all
+number types as well as the duration type. Min and max are supported on all
+comparable types.
+
+`isSorted` is also provided as a convenience function and is supported on all
+comparable types.
+
+Examples:
+
+{{< table caption="Examples of CEL expressions using list library functions" >}}
+| CEL Expression                                                                     | Purpose                                                   |
+|------------------------------------------------------------------------------------|-----------------------------------------------------------|
+| `names.isSorted()`                                                                 | Verify that a list of names is kept in alphabetical order |
+| `items.map(x, x.weight).sum() == 1.0`                                              | Verify that the "weights" of a list of objects sum to 1.0 |
+| `lowPriorities.map(x, x.priority).max() < highPriorities.map(x, x.priority).min()` | Verify that two sets of priorities do not overlap         |
+| `names.indexOf('should-be-first') == 1`                                            | Require that the first name in a list if a specific value | 
+
+See the [Kubernetes List Library](https://pkg.go.dev/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/library#Lists)
+godoc for more information.
+
+### Kubernetes regex library
+
+In addition to the `matches` function provided by the CEL standard library, the
+regex library provides `find` and `findAll`, enabling a much wider range of
+regex operations.
+
+Examples:
+
+{{< table caption="Examples of CEL expressions using regex library functions" >}}
+| CEL Expression                                              | Purpose                                                  |
+|-------------------------------------------------------------|----------------------------------------------------------|
+| `"abc 123".find('[0-9]*')`                                  | Find the first number in a string                        |
+| `"1, 2, 3, 4".findAll('[0-9]*').map(x, int(x)).sum() < 100` | Verify that the numbers in a string sum to less than 100 |
+
+See the [Kubernetes regex library](https://pkg.go.dev/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/library#Regex)
+godoc for more information.
+
+### Kubernetes URL library
+
+To make it easier and safer to process URLs, the following functions have been added:
+
+- `isURL(string)` checks if a string is a valid URL according to the [Go's
+  net/url](https://pkg.go.dev/net/url#URL) package. The string must be an
+  absolute URL.
+- `url(string) URL` converts a string to a URL or results in an error if the
+  string is not a valid URL.
+
+Once parsed via the `url` function, the resulting URL object has `getScheme`,
+`getHost`, `getHostname`, `getPort`, `getEscapedPath` and `getQuery` accessors.
+
+Examples:
+
+{{< table caption="Examples of CEL expressions using URL library functions" >}}
+| CEL Expression                                                  | Purpose                                        |
+|-----------------------------------------------------------------|------------------------------------------------|
+| `url('https://example.com:80/').getHost()`                      | Get the 'example.com:80' host part of the URL. |
+| `url('https://example.com/path with spaces/').getEscapedPath()` | Returns '/path%20with%20spaces/'               |
+
+See the [Kubernetes URL library](https://pkg.go.dev/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/library#URLs)
+godoc for more information.
+
+## Type checking
+
+CEL is a [gradually typed language](https://github.com/google/cel-spec/blob/master/doc/langdef.md#gradual-type-checking).
+
+Some Kubernetes API fields contain fully type checked CEL expressions. For
+example, [CustomResourceDefinitions Validation
+Rules](/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#validation-rules)
+are fully type checked.
+
+Some Kubernetes API fields contain partially type checked CEL expressions. A
+partially type checked expression is an experessions where some of the variables
+are statically typed but others are dynamically typed. For example, in the CEL
+expressions of
+[ValidatingAdmissionPolicies](/docs/reference/access-authn-authz/validating-admission-policy/)
+the `request` variable is typed, but the `object` variable is dynamically typed.
+As a result, an expression containing `request.namex` would fail type checking
+because the `namex` field is not defined. However, `object.namex` would pass
+type checking even when the `namex` field is not defined for the resource kinds
+that `object` refers to, because `object` is dynamically typed.
+
+The `has()` macro in CEL may be used in CEL expressions to check if a field of a
+dynamically typed variable is accessable before attempting to access the field's
+value. For example:
+
+```cel
+has(object.namex) ? object.namex == 'special' : request.name == 'special'
+```
+
+## Type system integration
+
+{{< table caption="Table showing the relationship between OpenAPIv3 types and CEL types" >}}
+| OpenAPIv3 type                                     | CEL type                                                                                                                     |
+|----------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|
+| 'object' with Properties                           | object / "message type" (`type(<object>)` evaluates to `selfType<uniqueNumber>.path.to.object.from.self`                     |
+| 'object' with AdditionalProperties                 | map                                                                                                                          |
+| 'object' with x-kubernetes-embedded-type           | object / "message type", 'apiVersion', 'kind', 'metadata.name' and 'metadata.generateName' are implicitly included in schema |
+| 'object' with x-kubernetes-preserve-unknown-fields | object / "message type", unknown fields are NOT accessible in CEL expression                                                 |
+| x-kubernetes-int-or-string                         | union of int or string,  `self.intOrString < 100 \|\| self.intOrString == '50%'` evaluates to true for both `50` and `"50%"` |
+| 'array                                             | list                                                                                                                         |
+| 'array' with x-kubernetes-list-type=map            | list with map based Equality & unique key guarantees                                                                         |
+| 'array' with x-kubernetes-list-type=set            | list with set based Equality & unique entry guarantees                                                                       |
+| 'boolean'                                          | boolean                                                                                                                      |
+| 'number' (all formats)                             | double                                                                                                                       |
+| 'integer' (all formats)                            | int (64)                                                                                                                     |
+| _no equivalent_                                    | uint (64)                                                                                                                    |
+| 'null'                                             | null_type                                                                                                                    |
+| 'string'                                           | string                                                                                                                       |
+| 'string' with format=byte (base64 encoded)         | bytes                                                                                                                        |
+| 'string' with format=date                          | timestamp (google.protobuf.Timestamp)                                                                                        |
+| 'string' with format=datetime                      | timestamp (google.protobuf.Timestamp)                                                                                        |
+| 'string' with format=duration                      | duration (google.protobuf.Duration)                                                                                          |
+
+Also see: [CEL types](https://github.com/google/cel-spec/blob/v0.6.0/doc/langdef.md#values),
+[OpenAPI types](https://swagger.io/specification/#data-types),
+[Kubernetes Structural Schemas](/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#specifying-a-structural-schema).
+
+Equality comparison for arrays with `x-kubernetes-list-type` of `set` or `map` ignores element
+order. For example `[1, 2] == [2, 1]` if the arrays represent Kubernetes `set` values.
+
+Concatenation on arrays with `x-kubernetes-list-type` use the semantics of the
+list type:
+
+- `set`: `X + Y` performs a union where the array positions of all elements in
+  `X` are preserved and non-intersecting elements in `Y` are appended, retaining
+  their partial order.
+- `map`: `X + Y` performs a merge where the array positions of all keys in `X`
+  are preserved but the values are overwritten by values in `Y` when the key
+  sets of `X` and `Y` intersect. Elements in `Y` with non-intersecting keys are
+  appended, retaining their partial order.
+
+## Escaping
+
+Only Kubernetes resource property names of the form
+`[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible from CEL. Accessible property
+names are escaped according to the following rules when accessed in the
+expression:
+
+{{< table caption="Table of CEL identifier escaping rules" >}}
+| escape sequence   | property name equivalent                                                                     |
+|-------------------|----------------------------------------------------------------------------------------------|
+| `__underscores__` | `__`                                                                                         |
+| `__dot__`         | `.`                                                                                          |
+| `__dash__`        | `-`                                                                                          |
+| `__slash__`       | `/`                                                                                          |
+| `__{keyword}__`   | [CEL **RESERVED** keyword](https://github.com/google/cel-spec/blob/v0.6.0/doc/langdef.md#syntax) |
+
+When you escape any of CEL's **RESERVED** keywords you need to match the exact property name
+use the underscore escaping
+(for example, `int` in the word `sprint` would not be escaped and nor would it need to be).
+
+Examples on escaping:
+
+{{< table caption="Examples escaped CEL identifiers" >}}
+| property name | rule with escaped property name   |
+|---------------|-----------------------------------|
+| `namespace`   | `self.__namespace__ > 0`          |
+| `x-prop`      | `self.x__dash__prop > 0`          |
+| `redact__d`   | `self.redact__underscores__d > 0` |
+| `string`      | `self.startsWith('kube')`         |
+
+## Resource constraints
+
+CEL is non-Turing complete and offers a variety of production safety controls to
+limit execution time. CEL's _resource constraint_ features provide feedback to
+developers about expression complexity and help protect the API server from
+excessive resource consumption during evaluation. CEL's resource constraint
+features are used to prevent CEL evaluation from consuming excessive API server
+resources.
+
+A key element of the resource constraint features is a _cost unit_ that CEL
+defines as a way of tracking CPU utilization. Cost units are independant of
+system load and hardware. Cost units are also deterministic; for any given CEL
+expression and input data, evaluation of the expression by the CEL interpreter
+will always result in the same cost.
+
+Many of CEL's core operations have fixed costs. The simplest operations, such as
+comparisons (e.g. `<`) have a cost of 1. Some have a higher fixed cost, for
+example list literal declarations have a fixed base cost of 40 cost units.
+
+Calls to functions implemented in native code approximate cost based on the time
+complexity of the operation. For example: operations that use regular
+expressions, such as `match` and `find`, are estimated using an approximated
+cost of `length(regexString)*length(inputString)`. The approximated cost
+reflects the worst case time complexity of Go's RE2 implementation.
+
+### Runtime cost budget
+
+All CEL expressions evaluated by Kubernetes are constrained by a runtime cost
+budget. The runtime cost budget is an estimate of actual CPU utilization
+computed by incrementing a cost unit counter while interpreting a CEL
+expression. If the CEL interpreter executes too many instructions, the runtime
+cost budget will be exceeded, execution of the expressions will be halted, and
+an error will result.
+
+Some Kubernetes resources define an additional runtime cost budget that bounds
+the execution of multiple expressions. If the sum total of the cost of
+expressions exceed the budget, execution of the expressions will be halted, and
+an error will result. For example the validation of a custom resource has a
+_per-validation_ runtime cost budget for all [Validation
+Rules](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#validation-rules)
+evaluated to validate the custom resource.
+
+### Estimated cost limits
+
+For some Kubernetes resources, the API server may also check if worst case
+estimated running time of CEL expressions would be prohibitively expensive to
+execute. If so, the API server prevent the CEL expression from being written to
+API resources by rejecting create or update operations containing the CEL
+expression to the API resources. This feature offers a stronger assurance that
+CEL expressions written to the API resource will be evaluate at runtime without
+exceeding the runtime cost budget.
\ No newline at end of file

From c33ef3e54f752f91183be625a72e55207f4c6e3e Mon Sep 17 00:00:00 2001
From: s-kawamura-w664 <s-kawamura_p@nec.com>
Date: Thu, 9 Mar 2023 06:23:22 +0000
Subject: [PATCH 095/215] [ja] Update page weights under 5 sections of concepts

---
 content/ja/docs/concepts/architecture/cri.md                    | 2 +-
 content/ja/docs/concepts/architecture/garbage-collection.md     | 2 +-
 content/ja/docs/concepts/cluster-administration/addons.md       | 1 +
 content/ja/docs/concepts/cluster-administration/proxies.md      | 2 +-
 content/ja/docs/concepts/cluster-administration/system-logs.md  | 2 +-
 .../ja/docs/concepts/containers/container-lifecycle-hooks.md    | 2 +-
 content/ja/docs/concepts/containers/runtime-class.md            | 2 +-
 .../ja/docs/concepts/extend-kubernetes/api-extension/_index.md  | 2 +-
 content/ja/docs/concepts/policy/resource-quotas.md              | 2 +-
 9 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/content/ja/docs/concepts/architecture/cri.md b/content/ja/docs/concepts/architecture/cri.md
index 9ca24e41f068c..fa1ba57750445 100644
--- a/content/ja/docs/concepts/architecture/cri.md
+++ b/content/ja/docs/concepts/architecture/cri.md
@@ -1,7 +1,7 @@
 ---
 title: コンテナランタイムインターフェイス(CRI)
 content_type: concept
-weight: 50
+weight: 60
 ---
 
 <!-- overview -->
diff --git a/content/ja/docs/concepts/architecture/garbage-collection.md b/content/ja/docs/concepts/architecture/garbage-collection.md
index 2ac48608b911a..108c6a0c4508c 100644
--- a/content/ja/docs/concepts/architecture/garbage-collection.md
+++ b/content/ja/docs/concepts/architecture/garbage-collection.md
@@ -1,7 +1,7 @@
 ---
 title: ガベージコレクション
 content_type: concept
-weight: 50
+weight: 70
 ---
 
 <!-- overview -->
diff --git a/content/ja/docs/concepts/cluster-administration/addons.md b/content/ja/docs/concepts/cluster-administration/addons.md
index 4e8adfd7bfdbf..aea14c681a6da 100644
--- a/content/ja/docs/concepts/cluster-administration/addons.md
+++ b/content/ja/docs/concepts/cluster-administration/addons.md
@@ -1,6 +1,7 @@
 ---
 title: アドオンのインストール
 content_type: concept
+weight: 120
 ---
 
 <!-- overview -->
diff --git a/content/ja/docs/concepts/cluster-administration/proxies.md b/content/ja/docs/concepts/cluster-administration/proxies.md
index 4738993ab053e..5f815ed401b88 100644
--- a/content/ja/docs/concepts/cluster-administration/proxies.md
+++ b/content/ja/docs/concepts/cluster-administration/proxies.md
@@ -1,7 +1,7 @@
 ---
 title: Kubernetesのプロキシー
 content_type: concept
-weight: 90
+weight: 100
 ---
 
 <!-- overview -->
diff --git a/content/ja/docs/concepts/cluster-administration/system-logs.md b/content/ja/docs/concepts/cluster-administration/system-logs.md
index cae76d7e34bbf..a83c4c0c29604 100644
--- a/content/ja/docs/concepts/cluster-administration/system-logs.md
+++ b/content/ja/docs/concepts/cluster-administration/system-logs.md
@@ -1,7 +1,7 @@
 ---
 title: システムログ
 content_type: concept
-weight: 60
+weight: 80
 ---
 
 <!-- overview -->
diff --git a/content/ja/docs/concepts/containers/container-lifecycle-hooks.md b/content/ja/docs/concepts/containers/container-lifecycle-hooks.md
index 908025a175031..b59fe65300234 100644
--- a/content/ja/docs/concepts/containers/container-lifecycle-hooks.md
+++ b/content/ja/docs/concepts/containers/container-lifecycle-hooks.md
@@ -1,7 +1,7 @@
 ---
 title: コンテナライフサイクルフック
 content_type: concept
-weight: 30
+weight: 40
 ---
 
 <!-- overview -->
diff --git a/content/ja/docs/concepts/containers/runtime-class.md b/content/ja/docs/concepts/containers/runtime-class.md
index 2c663bf7c13d9..87110cf13f3ca 100644
--- a/content/ja/docs/concepts/containers/runtime-class.md
+++ b/content/ja/docs/concepts/containers/runtime-class.md
@@ -2,7 +2,7 @@
 reviewers:
 title: ランタイムクラス(Runtime Class)
 content_type: concept
-weight: 20
+weight: 30
 ---
 
 <!-- overview -->
diff --git a/content/ja/docs/concepts/extend-kubernetes/api-extension/_index.md b/content/ja/docs/concepts/extend-kubernetes/api-extension/_index.md
index fc1a95ddfffc8..b00bd839eb29d 100644
--- a/content/ja/docs/concepts/extend-kubernetes/api-extension/_index.md
+++ b/content/ja/docs/concepts/extend-kubernetes/api-extension/_index.md
@@ -1,4 +1,4 @@
 ---
 title: Kubernetes APIの拡張
-weight: 20
+weight: 30
 ---
diff --git a/content/ja/docs/concepts/policy/resource-quotas.md b/content/ja/docs/concepts/policy/resource-quotas.md
index 86fe7194ae41a..89e8b3f7b884b 100644
--- a/content/ja/docs/concepts/policy/resource-quotas.md
+++ b/content/ja/docs/concepts/policy/resource-quotas.md
@@ -2,7 +2,7 @@
 reviewers:
 title: リソースクォータ
 content_type: concept
-weight: 10
+weight: 20
 ---
 
 <!-- overview -->

From 4beceb16beefef4c38b7c393da43fc42553b1196 Mon Sep 17 00:00:00 2001
From: Gary Miguel <garymm@garymm.org>
Date: Thu, 9 Mar 2023 16:13:58 -0800
Subject: [PATCH 096/215] Reference nvidia gpu feature discovery

And remove excessive detail about how to use AMD Node Labeler.
---
 .../docs/tasks/manage-gpus/scheduling-gpus.md | 64 +------------------
 1 file changed, 2 insertions(+), 62 deletions(-)

diff --git a/content/en/docs/tasks/manage-gpus/scheduling-gpus.md b/content/en/docs/tasks/manage-gpus/scheduling-gpus.md
index 40e7bf547b167..7549ebb46af25 100644
--- a/content/en/docs/tasks/manage-gpus/scheduling-gpus.md
+++ b/content/en/docs/tasks/manage-gpus/scheduling-gpus.md
@@ -88,65 +88,5 @@ If you're using AMD GPU devices, you can deploy
 Node Labeller is a {{< glossary_tooltip text="controller" term_id="controller" >}} that automatically
 labels your nodes with GPU device properties.
 
-At the moment, that controller can add labels for:
-
-* Device ID (-device-id)
-* VRAM Size (-vram)
-* Number of SIMD (-simd-count)
-* Number of Compute Unit (-cu-count)
-* Firmware and Feature Versions (-firmware)
-* GPU Family, in two letters acronym (-family)
-  * SI - Southern Islands
-  * CI - Sea Islands
-  * KV - Kaveri
-  * VI - Volcanic Islands
-  * CZ - Carrizo
-  * AI - Arctic Islands
-  * RV - Raven
-
-```shell
-kubectl describe node cluster-node-23
-```
-
-```
-Name:               cluster-node-23
-Roles:              <none>
-Labels:             beta.amd.com/gpu.cu-count.64=1
-                    beta.amd.com/gpu.device-id.6860=1
-                    beta.amd.com/gpu.family.AI=1
-                    beta.amd.com/gpu.simd-count.256=1
-                    beta.amd.com/gpu.vram.16G=1
-                    kubernetes.io/arch=amd64
-                    kubernetes.io/os=linux
-                    kubernetes.io/hostname=cluster-node-23
-Annotations:        node.alpha.kubernetes.io/ttl: 0
-…
-```
-
-With the Node Labeller in use, you can specify the GPU type in the Pod spec:
-
-```yaml
-apiVersion: v1
-kind: Pod
-metadata:
-  name: cuda-vector-add
-spec:
-  restartPolicy: OnFailure
-  containers:
-    - name: cuda-vector-add
-      # https://github.com/kubernetes/kubernetes/blob/v1.7.11/test/images/nvidia-cuda/Dockerfile
-      image: "registry.k8s.io/cuda-vector-add:v0.1"
-      resources:
-        limits:
-          nvidia.com/gpu: 1
-  affinity:
-    nodeAffinity:
-      requiredDuringSchedulingIgnoredDuringExecution:
-        nodeSelectorTerms:
-        – matchExpressions:
-          – key: beta.amd.com/gpu.family.AI # Arctic Islands GPU family
-            operator: Exist
-```
-
-This ensures that the Pod will be scheduled to a node that has the GPU type
-you specified.
+Similar functionality for NVIDIA is provied by
+[GPU feature discovery](https://github.com/NVIDIA/gpu-feature-discovery/blob/main/README.md).

From b5fdc997c7ecb548bc2261422b62be993e3f997c Mon Sep 17 00:00:00 2001
From: "paul.zhang" <javadoors@126.com>
Date: Tue, 7 Mar 2023 09:32:58 +0800
Subject: [PATCH 097/215] =?UTF-8?q?[zh-cn]Fix=20=E4=BF=AE=E5=A4=8D?=
 =?UTF-8?q?=E4=B8=8D=E9=80=9A=E9=A1=BA=E7=9A=84=E8=AF=AD=E5=8F=A5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

修改“会添被加到”-》“会被添加到”

Update content/zh-cn/docs/concepts/workloads/pods/disruptions.md

Co-authored-by: Qiming Teng <tengqm@outlook.com>
---
 content/zh-cn/docs/concepts/workloads/pods/disruptions.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/zh-cn/docs/concepts/workloads/pods/disruptions.md b/content/zh-cn/docs/concepts/workloads/pods/disruptions.md
index b671c782cdeaa..be0a46dc1977e 100644
--- a/content/zh-cn/docs/concepts/workloads/pods/disruptions.md
+++ b/content/zh-cn/docs/concepts/workloads/pods/disruptions.md
@@ -514,7 +514,7 @@ deleted. In such a situation, after some time, the
 Pod disruption condition will be cleared.
 -->
 Pod 的干扰可能会被中断。控制平面可能会重新尝试继续干扰同一个 Pod，但这没办法保证。
-因此，`DisruptionTarget` 条件可能会添被加到 Pod 上，
+因此，`DisruptionTarget` 状况可能会被添加到 Pod 上，
 但该 Pod 实际上可能不会被删除。
 在这种情况下，一段时间后，Pod 干扰状况将被清除。
 {{< /note >}}

From 7827b67ba2f3bfb343842b139617402a44e5ff21 Mon Sep 17 00:00:00 2001
From: s-kawamura-w664 <s-kawamura_p@nec.com>
Date: Fri, 10 Mar 2023 02:38:20 +0000
Subject: [PATCH 098/215] [ja] Update page weights under
 content/ja/docs/contribute

---
 content/ja/docs/contribute/localization.md                | 1 +
 content/ja/docs/contribute/style/hugo-shortcodes/index.md | 1 +
 2 files changed, 2 insertions(+)

diff --git a/content/ja/docs/contribute/localization.md b/content/ja/docs/contribute/localization.md
index f151b850e94d4..f75e25bcba97e 100644
--- a/content/ja/docs/contribute/localization.md
+++ b/content/ja/docs/contribute/localization.md
@@ -1,6 +1,7 @@
 ---
 title: Kubernetesのドキュメントを翻訳する
 content_type: concept
+weight: 50
 card:
   name: contribute
   weight: 30
diff --git a/content/ja/docs/contribute/style/hugo-shortcodes/index.md b/content/ja/docs/contribute/style/hugo-shortcodes/index.md
index a5596e027bb17..1aedca628bee3 100644
--- a/content/ja/docs/contribute/style/hugo-shortcodes/index.md
+++ b/content/ja/docs/contribute/style/hugo-shortcodes/index.md
@@ -1,6 +1,7 @@
 ---
 title: カスタムHugoショートコード
 content_type: concept
+weight: 120
 ---
 
 <!-- overview -->

From 6e33512bbc257f5be2e4e4f837d45c0c36d9ab64 Mon Sep 17 00:00:00 2001
From: ziyi-xie <kai-shii@nec.com>
Date: Fri, 10 Mar 2023 07:12:23 +0000
Subject: [PATCH 099/215] add heading IDs

---
 .../scheduling-eviction/assign-pod-node.md         | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md b/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md
index 6377b8540836a..e01cef7d0f301 100644
--- a/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md
+++ b/content/ja/docs/concepts/scheduling-eviction/assign-pod-node.md
@@ -31,7 +31,7 @@ Kubernetesが特定のPodの配置場所を選択するために、以下の方
 例えば、`kubernetes.io/hostname`の値はある環境ではNode名と同じになり、他の環境では異なる値になることがあります。
 {{</note>}}
 
-### Nodeの分離/制限
+### Nodeの分離/制限 {#node-isolation-restriction}
 
 Nodeにラベルを追加することで、Podを特定のNodeまたはNodeグループ上でのスケジューリングの対象にすることができます。この機能を使用すると、特定のPodが一定の独立性、安全性、または規制といった属性を持ったNode上でのみ実行されるようにすることができます。
 
@@ -109,7 +109,7 @@ Podのspec(仕様)にある`.spec.affinity.nodeAffinity`フィールドを使用
 
 詳細については[Nodeアフィニティを利用してPodをNodeに割り当てる](/ja/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/)を参照してください。
 
-#### Nodeアフィニティの重み
+#### Nodeアフィニティの重み {#node-affinity-weight}
 
 `preferredDuringSchedulingIgnoredDuringExecution`アフィニティタイプの各インスタンスに、1から100の範囲の`weight`を指定できます。
 Podの他のスケジューリング要件をすべて満たすNodeを見つけると、スケジューラーはそのNodeが満たすすべての優先ルールを繰り返し実行し、対応する式の`weight`値を合計に加算します。
@@ -160,7 +160,7 @@ profiles:
 [DaemonSetのPodを作成する](/ja/docs/concepts/workloads/controllers/daemonset/#scheduled-by-default-scheduler)DaemonSetコントローラーは、スケジューリングプロファイルをサポートしていません。DaemonSetコントローラーがPodを作成すると、デフォルトのKubernetesスケジューラーがそれらのPodを配置し、DaemonSetコントローラーの`nodeAffinity`ルールに優先して従います。
 {{< /note >}}
 
-### Pod間のアフィニティとアンチアフィニティ
+### Pod間のアフィニティとアンチアフィニティ {#inter-pod-affinity-and-anti-affinity}
 
 Pod間のアフィニティとアンチアフィニティは、Nodeのラベルではなく、すでにNode上で稼働している**Pod**のラベルに従って、PodがどのNodeにスケジュールされるかを制限できます。
 
@@ -181,7 +181,7 @@ Podのアンチアフィニティは、Nodeに必ず一貫性の持つラベル
 一部、または全部のNodeに`topologyKey`ラベルが指定されていない場合、意図しない挙動に繋がる可能性があります。
 {{< /note >}}
 
-#### Pod間のアフィニティとアンチアフィニティの種類
+#### Pod間のアフィニティとアンチアフィニティの種類 {#types-of-inter-pod-affinity-and-anti-affinity}
 
 [Nodeアフィニティ](#node-affinity)と同様に、Podアフィニティとアンチアフィニティにも下記の2種類があります:
 
@@ -217,14 +217,14 @@ Podアフィニティとアンチアフィニティの`operator`フィールド
 
 `labelSelector`と`topologyKey`に加え、`labelSelector`と`topologyKey`と同じレベルの`namespaces`フィールドを使用して、`labelSelector`が合致すべき名前空間のリストを任意に指定することができます。省略または空の場合、`namespaces`がデフォルトで、アフィニティとアンチアフィニティが定義されたPodの名前空間に設定されます。
 
-#### 名前空間セレクター
+#### 名前空間セレクター {#namespace-selector}
 {{< feature-state for_k8s_version="v1.24" state="stable" >}}
 
 `namespaceSelector`を使用し、ラベルで名前空間の集合に対して検索することによって、名前空間を選択することができます。
 アフィニティ項は`namespaceSelector`と`namespaces`フィールドによって選択された名前空間に適用されます。
 要注意なのは、空の`namespaceSelector`({})はすべての名前空間にマッチし、nullまたは空の`namespaces`リストとnullの`namespaceSelector`は、ルールが定義されているPodの名前空間にマッチします。
 
-#### 実践的なユースケース
+#### 実践的なユースケース {#more-practical-use-cases}
 
 Pod間アフィニティとアンチアフィニティは、ReplicaSet、StatefulSet、Deploymentなどのより高レベルなコレクションと併せて使用するとさらに有用です。これらのルールにより、ワークロードのセットが同じ定義されたトポロジーに併置されるように設定できます。たとえば、2つの関連するPodを同じNodeに配置することが好ましい場合です。
 
@@ -315,7 +315,7 @@ spec:
 Podアンチアフィニティを使用する理由は他にもあります。
 この例と同様の方法で、アンチアフィニティを用いて高可用性を実現したStatefulSetの使用例は[ZooKeeperチュートリアル](/docs/tutorials/stateful-application/zookeeper/#tolerating-node-failure)を参照してください。
 
-## nodeName
+## nodeName {#nodename}
 
 `nodeName`はアフィニティや`nodeSelector`よりも直接的なNode選択形式になります。`nodeName`はPod仕様(spec)内のフィールドです。`nodeName`フィールドが空でない場合、スケジューラーはPodを考慮せずに、指定されたNodeにあるkubeletがそのNodeにPodを配置しようとします。`nodeName`を使用すると、`nodeSelector`やアフィニティおよびアンチアフィニティルールを使用するよりも優先されます。
 

From 890a00b5de48d170798208e23fecc193fd80ac0b Mon Sep 17 00:00:00 2001
From: muemich <michaelmuellerrw@gmail.com>
Date: Fri, 10 Mar 2023 09:09:31 +0100
Subject: [PATCH 100/215] adding German translation

---
 ...23-02-06-k8s-gcr-io-freeze-announcement.md | 48 +++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 content/de/blog/_posts/2023-02-06-k8s-gcr-io-freeze-announcement.md

diff --git a/content/de/blog/_posts/2023-02-06-k8s-gcr-io-freeze-announcement.md b/content/de/blog/_posts/2023-02-06-k8s-gcr-io-freeze-announcement.md
new file mode 100644
index 0000000000000..615d00a4f12b8
--- /dev/null
+++ b/content/de/blog/_posts/2023-02-06-k8s-gcr-io-freeze-announcement.md
@@ -0,0 +1,48 @@
+---
+layout: blog
+title: "k8s.gcr.io Image Registry Will Be Frozen From the 3rd of April 2023"
+date: 2023-02-06
+slug: k8s-gcr-io-freeze-announcement
+---
+
+**Authors**: Michael Mueller (Giant Swarm)
+
+Das Kubernetes-Projekt betreibt eine zur Community gehörende Container-Image-Registry namens `registry.k8s.io`, um die zum Projekt gehörenden Container-Images hosten. Am 3. April 2023 wird dies Registry `k8s.gcr.io` eingefroren und es werden keine weiteren Container-Images für Kubernetes und der Teilprojekte in die alte Registry gepusht.
+
+Die Registry `registry.k8s.io` ist bereits seit einigen Monaten verfügbar und wird die alte Registry ersetzten. Wir haben einen [Blogbeitrag](/blog/2022/11/28/registry-k8s-io-faster-cheaper-ga/) über die Vorteile für die Community und das Kubernetes-Projekt veröffentlicht. In diesem Beitrag wurde auch angekündigt, dass zukünftige Versionen von Kubernetes nicht mehr in der alten Registry verfügbar sein werden. Jetzt ist diese Zeit gekommen.
+
+Was bedeutet dies für die Contributors:
+- Wenn Du ein maintainer eines Teilprojekts bist, musst Du die Manifeste und Helm-Charts entsprechend anpassen, um die neue Container-Registry zu verwenden.
+
+Was bedeutet dies Änderung für Endnutzer:
+- 1.27 Kubernetes release wird nicht auf der alten Registry veröffentlicht.
+- Patchreleases für 1.24, 1.25 und 1.26 werden ab April nicht mehr in der alten Container-Registry veröffentlicht. Bitte beachte den untenstehenden Zeitplan für Details zu Patchreleases in der alten Container-Registry.
+- Beginnend mit 1.25, die Standardeinstellung der Container-Registry wurde auf `registry.k8s.io` geändert. Dieser Wert wird von `kubeadm` und dem `kubelet` überschrieben, sollte der Wert jedoch auf `k8s.gcr.io` geändert werden, wird dies für neue Releases ab April fehlschlagen, die diese nicht in die alte Image-Registry gepusht werden.
+- Solltest Du die Zuverlässigkeit der Cluster erhöhen wollen und Abhänigkeiten zu dem zur Community gehörende Container-Image-Registry auflösen wollen, oder betreibst Cluster in einer Umgebung mit eingeschränktem Zugriff auf externe Ressourcen, solltest Du überlgen eine lokale Image-Registry als Mirror zu betreiben. Einige Cloud-Anbieter haben hierfür entsprechende Angebote.
+
+## Zeitplan der Änderungen
+
+- `k8s.gcr.io` wird zum 3.April 2023 eingefroren
+- Der 1.27 Release wird zum 12.April 2023 erwartet
+- Das letzte 1.23 Release auf `k8s.gcr.io` wird 1.23.18 sein (1.23 wird end-of-life vor dem einfrieren erreichen)
+- Das letzte 1.24 Release auf `k8s.gcr.io` wird 1.24.12 sein
+- Das letzte 1.25 Release auf `k8s.gcr.io` wird 1.25.8 sein
+- Das letzte 1.26 Release auf `k8s.gcr.io` wird 1.26.3 sein
+
+## Was geschieht nun?
+
+Bitte stelle sicher das deine Cluster keine Abhängigkeiten zu der Alten Image-Registry hat. Zum Beispiel, kannst Du dieses Kommando ausführen eine Liste zu erhalten welche Images ein Pod verwendet:
+
+```shell
+kubectl get pods --all-namespaces -o jsonpath="{.items[*].spec.containers[*].image}" |\
+tr -s '[[:space:]]' '\n' |\
+sort |\
+uniq -c
+```
+
+Es können noch weitere Abhängigkeiten zu der alten Image-Registry bestehen, stelle sicher das du alle möglichen Abhängigkeiten überprüfst um die Cluster funktional und auf dem neuesten Stand zu halten.
+## Acknowledgments
+
+__Change is hard__, die Weiterentwicklung unserer Image-Registry ist notwendig, um eine nachhaltige Zukunft für das Projekt zu gewährleisten. Wir bemühen uns, Dinge für alle, die Kubernetes nutzen, zu verbessern. Viele Mitwirkende aus allen Ecken unserer Community haben lange und hart daran gearbeitet, sicherzustellen, dass wir die bestmöglichen Entscheidungen treffen, Pläne umsetzen und unser Bestes tun, um diese Pläne zu kommunizieren. 
+
+Dank geht an Aaron Crickenberger, Arnaud Meukam, Benjamin Elder, Caleb Woodbine, Davanum Srinivas, Mahamed Ali, und Tim Hockin von SIG K8s Infra, Brian McQueen, und Sergey Kanzhelev von SIG Node, Lubomir Ivanov von SIG Cluster Lifecycle, Adolfo García Veytia, Jeremy Rickard, Sascha Grunert, und Stephen Augustus von SIG Release, Bob Killen und Kaslin Fields von SIG Contribex, Tim Allclair von the Security Response Committee. Also a big thank you to our friends acting as liaisons with our cloud provider partners: Jay Pipes von Amazon und Jon Johnson Jr. von Google.
\ No newline at end of file

From 424ca659314ece7aa7c0dbd73806e7864118c221 Mon Sep 17 00:00:00 2001
From: muemich <michaelmuellerrw@gmail.com>
Date: Fri, 10 Mar 2023 10:08:23 +0100
Subject: [PATCH 101/215] fix wording, grammer and small corrections

---
 ...23-02-06-k8s-gcr-io-freeze-announcement.md | 28 +++++++++----------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/content/de/blog/_posts/2023-02-06-k8s-gcr-io-freeze-announcement.md b/content/de/blog/_posts/2023-02-06-k8s-gcr-io-freeze-announcement.md
index 615d00a4f12b8..298809c1276f1 100644
--- a/content/de/blog/_posts/2023-02-06-k8s-gcr-io-freeze-announcement.md
+++ b/content/de/blog/_posts/2023-02-06-k8s-gcr-io-freeze-announcement.md
@@ -1,24 +1,24 @@
 ---
 layout: blog
 title: "k8s.gcr.io Image Registry Will Be Frozen From the 3rd of April 2023"
-date: 2023-02-06
+date: 2023-03-10
 slug: k8s-gcr-io-freeze-announcement
 ---
 
 **Authors**: Michael Mueller (Giant Swarm)
 
-Das Kubernetes-Projekt betreibt eine zur Community gehörende Container-Image-Registry namens `registry.k8s.io`, um die zum Projekt gehörenden Container-Images hosten. Am 3. April 2023 wird dies Registry `k8s.gcr.io` eingefroren und es werden keine weiteren Container-Images für Kubernetes und der Teilprojekte in die alte Registry gepusht.
+Das Kubernetes-Projekt betreibt eine zur Community gehörende Container-Image-Registry namens `registry.k8s.io`, um die zum Projekt gehörenden Container-Images zu hosten. Am 3. April 2023 wird diese Container-Image-Registry `k8s.gcr.io` eingefroren und es werden keine weiteren Container-Images für Kubernetes und Teilprojekte in die alte Registry gepusht.
 
-Die Registry `registry.k8s.io` ist bereits seit einigen Monaten verfügbar und wird die alte Registry ersetzten. Wir haben einen [Blogbeitrag](/blog/2022/11/28/registry-k8s-io-faster-cheaper-ga/) über die Vorteile für die Community und das Kubernetes-Projekt veröffentlicht. In diesem Beitrag wurde auch angekündigt, dass zukünftige Versionen von Kubernetes nicht mehr in der alten Registry verfügbar sein werden. Jetzt ist diese Zeit gekommen.
+Die Container-Image-Registry `registry.k8s.io` ist bereits seit einigen Monaten verfügbar und wird die alte Registry ersetzen. Wir haben einen [Blogbeitrag](/blog/2022/11/28/registry-k8s-io-faster-cheaper-ga/) über die Vorteile für die Community und das Kubernetes-Projekt veröffentlicht. In diesem Beitrag wurde auch angekündigt, dass zukünftige Versionen von Kubernetes nicht mehr in der alten Registry Released sein werden.
 
-Was bedeutet dies für die Contributors:
-- Wenn Du ein maintainer eines Teilprojekts bist, musst Du die Manifeste und Helm-Charts entsprechend anpassen, um die neue Container-Registry zu verwenden.
+Was bedeutet dies für Contributors:
+- Wenn Du ein Maintainer eines Teilprojekts bist, musst du die Manifeste und Helm-Charts entsprechend anpassen, um die neue Container-Registry zu verwenden.
 
-Was bedeutet dies Änderung für Endnutzer:
-- 1.27 Kubernetes release wird nicht auf der alten Registry veröffentlicht.
-- Patchreleases für 1.24, 1.25 und 1.26 werden ab April nicht mehr in der alten Container-Registry veröffentlicht. Bitte beachte den untenstehenden Zeitplan für Details zu Patchreleases in der alten Container-Registry.
-- Beginnend mit 1.25, die Standardeinstellung der Container-Registry wurde auf `registry.k8s.io` geändert. Dieser Wert wird von `kubeadm` und dem `kubelet` überschrieben, sollte der Wert jedoch auf `k8s.gcr.io` geändert werden, wird dies für neue Releases ab April fehlschlagen, die diese nicht in die alte Image-Registry gepusht werden.
-- Solltest Du die Zuverlässigkeit der Cluster erhöhen wollen und Abhänigkeiten zu dem zur Community gehörende Container-Image-Registry auflösen wollen, oder betreibst Cluster in einer Umgebung mit eingeschränktem Zugriff auf externe Ressourcen, solltest Du überlgen eine lokale Image-Registry als Mirror zu betreiben. Einige Cloud-Anbieter haben hierfür entsprechende Angebote.
+Was bedeutet dies Änderung für Endanwender:
+- Das Kubernetes Release 1.27 wird nicht auf der alten Registry veröffentlicht.
+- Patchreleases für 1.24, 1.25 und 1.26 werden ab April nicht mehr in der alten Container-Image-Registry veröffentlicht. Bitte beachte den untenstehenden Zeitplan für die Details zu Patchreleases in der alten Container-Registry.
+- Beginnend mit dem Release 1.25, wurde die Standardeinstellung der Container-Image-Registry auf `registry.k8s.io` geändert. Diese Einstellung kann in `kubeadm` und dem `kubelet` abgeändert werden, sollte der Wert jedoch auf `k8s.gcr.io` gesetzt werden, wird dies für neue Releases ab April fehlschlagen, da diese nicht in die alte Container-Image-Registry gepusht werden.
+- Solltest Du die Zuverlässigkeit der Cluster erhöhen wollen und Abhängigkeiten zu dem zur Community gehörenden Container-Image-Registry auflösen wollen, oder betreibst Cluster in einer Umgebung mit eingeschränktem externen Netzwerkzugriff, solltest Du in Betracht ziehen eine lokale Container-Image-Registry als Mirror zu betreiben. Einige Cloud-Anbieter haben hierfür entsprechende Angebote.
 
 ## Zeitplan der Änderungen
 
@@ -29,9 +29,9 @@ Was bedeutet dies Änderung für Endnutzer:
 - Das letzte 1.25 Release auf `k8s.gcr.io` wird 1.25.8 sein
 - Das letzte 1.26 Release auf `k8s.gcr.io` wird 1.26.3 sein
 
-## Was geschieht nun?
+## Was geschieht nun
 
-Bitte stelle sicher das deine Cluster keine Abhängigkeiten zu der Alten Image-Registry hat. Zum Beispiel, kannst Du dieses Kommando ausführen eine Liste zu erhalten welche Images ein Pod verwendet:
+Bitte stelle sicher, dass die Cluster keine Abhängigkeiten zu der Alten Container-Image-Registry haben. Dies kann zum Beispiel folgendermaßen überprüft werden, durch Ausführung des fogenden Kommandos erhält man eine Liste der Container-Images die ein Pod verwendet:
 
 ```shell
 kubectl get pods --all-namespaces -o jsonpath="{.items[*].spec.containers[*].image}" |\
@@ -40,9 +40,9 @@ sort |\
 uniq -c
 ```
 
-Es können noch weitere Abhängigkeiten zu der alten Image-Registry bestehen, stelle sicher das du alle möglichen Abhängigkeiten überprüfst um die Cluster funktional und auf dem neuesten Stand zu halten.
+Es können durchaus weitere Abhängigkeiten zu der alten Container-Image-Registry bestehen, stelle also sicher, dass du alle möglichen Abhängigkeiten überprüfst, um die Cluster funktional und auf dem neuesten Stand zu halten.
 ## Acknowledgments
 
-__Change is hard__, die Weiterentwicklung unserer Image-Registry ist notwendig, um eine nachhaltige Zukunft für das Projekt zu gewährleisten. Wir bemühen uns, Dinge für alle, die Kubernetes nutzen, zu verbessern. Viele Mitwirkende aus allen Ecken unserer Community haben lange und hart daran gearbeitet, sicherzustellen, dass wir die bestmöglichen Entscheidungen treffen, Pläne umsetzen und unser Bestes tun, um diese Pläne zu kommunizieren. 
+__Change is hard__, die Weiterentwicklung unserer Container-Image-Registry ist notwendig, um eine nachhaltige Zukunft für das Projekt zu gewährleisten. Wir bemühen uns, Dinge für alle, die Kubernetes nutzen, zu verbessern. Viele Mitwirkende aus allen Ecken unserer Community haben lange und hart daran gearbeitet, sicherzustellen, dass wir die bestmöglichen Entscheidungen treffen, Pläne umsetzen und unser Bestes tun, um diese Pläne zu kommunizieren. 
 
 Dank geht an Aaron Crickenberger, Arnaud Meukam, Benjamin Elder, Caleb Woodbine, Davanum Srinivas, Mahamed Ali, und Tim Hockin von SIG K8s Infra, Brian McQueen, und Sergey Kanzhelev von SIG Node, Lubomir Ivanov von SIG Cluster Lifecycle, Adolfo García Veytia, Jeremy Rickard, Sascha Grunert, und Stephen Augustus von SIG Release, Bob Killen und Kaslin Fields von SIG Contribex, Tim Allclair von the Security Response Committee. Also a big thank you to our friends acting as liaisons with our cloud provider partners: Jay Pipes von Amazon und Jon Johnson Jr. von Google.
\ No newline at end of file

From 6ee697735dd94440ad3631dd1144784e442f8a7b Mon Sep 17 00:00:00 2001
From: Paco Xu <paco.xu@daocloud.io>
Date: Fri, 10 Mar 2023 10:15:56 +0800
Subject: [PATCH 102/215] add kubectl.kubernetes.io/default-logs-container
 deprecated information

Signed-off-by: Paco Xu <paco.xu@daocloud.io>
---
 .../labels-annotations-taints/_index.md        | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/content/en/docs/reference/labels-annotations-taints/_index.md b/content/en/docs/reference/labels-annotations-taints/_index.md
index ed27e3dcdd34c..03397f462f5bb 100644
--- a/content/en/docs/reference/labels-annotations-taints/_index.md
+++ b/content/en/docs/reference/labels-annotations-taints/_index.md
@@ -168,6 +168,7 @@ Automanaged APIService objects are deleted by kube-apiserver when it has no buil
 {{< /note >}}
 
 There are two possible values:
+
 - `onstart`: The APIService should be reconciled when an API server starts up, but not otherwise.
 - `true`: The API server should reconcile this APIService continuously.
 
@@ -191,7 +192,6 @@ The Kubelet populates this label with the hostname. Note that the hostname can b
 
 This label is also used as part of the topology hierarchy.  See [topology.kubernetes.io/zone](#topologykubernetesiozone) for more information.
 
-
 ### kubernetes.io/change-cause {#change-cause}
 
 Example: `kubernetes.io/change-cause: "kubectl edit --record deployment foo"`
@@ -409,6 +409,7 @@ A zone represents a logical failure domain.  It is common for Kubernetes cluster
 A region represents a larger domain, made up of one or more zones.  It is uncommon for Kubernetes clusters to span multiple regions,  While the exact definition of a zone or region is left to infrastructure implementations, common properties of a region include higher network latency between them than within them, non-zero cost for network traffic between them, and failure independence from other zones or regions.  For example, nodes within a region might share power infrastructure (e.g. a UPS or generator), but nodes in different regions typically would not.
 
 Kubernetes makes a few assumptions about the structure of zones and regions:
+
 1) regions and zones are hierarchical: zones are strict subsets of regions and no zone can be in 2 regions
 2) zone names are unique across regions; for example region "africa-east-1" might be comprised of zones "africa-east-1a" and "africa-east-1b"
 
@@ -539,7 +540,6 @@ a request where the client authenticated using the service account token.
 If a legacy token was last used before the cluster gained the feature (added in Kubernetes v1.26), then
 the label isn't set.
 
-
 ### endpointslice.kubernetes.io/managed-by {#endpointslicekubernetesiomanaged-by}
 
 Example: `endpointslice.kubernetes.io/managed-by: "controller"`
@@ -625,6 +625,17 @@ Example: `kubectl.kubernetes.io/default-container: "front-end-app"`
 
 The value of the annotation is the container name that is default for this Pod. For example, `kubectl logs` or `kubectl exec` without `-c` or `--container` flag will use this default container.
 
+### kubectl.kubernetes.io/default-logs-container (deprecated)
+
+Example: `kubectl.kubernetes.io/default-logs-container: "front-end-app"`
+
+The value of the annotation is the container name that is the default logging container for this Pod. For example, `kubectl logs` without `-c` or `--container` flag will use this default container.
+
+{{< note >}}
+This annotation is deprecated. You should use the [`kubectl.kubernetes.io/default-container`](#kubectl-kubernetes-io-default-container) annotation instead.
+Kubernetes versions 1.25 and newer ignore this annotation.
+{{< /note >}}
+
 ### endpoints.kubernetes.io/over-capacity
 
 Example: `endpoints.kubernetes.io/over-capacity:truncated`
@@ -645,7 +656,7 @@ The presence of this annotation on a Job indicates that the control plane is
 [tracking the Job status using finalizers](/docs/concepts/workloads/controllers/job/#job-tracking-with-finalizers).
 The control plane uses this annotation to safely transition to tracking Jobs
 using finalizers, while the feature is in development.
-You should **not** manually add or remove this annotation. 
+You should **not** manually add or remove this annotation.
 
 {{< note >}}
 Starting from Kubernetes 1.26, this annotation is deprecated.
@@ -727,7 +738,6 @@ Refer to
 for further details about when and how to use this taint.
 {{< /caution >}}
 
-
 ### node.cloudprovider.kubernetes.io/uninitialized
 
 Example: `node.cloudprovider.kubernetes.io/uninitialized: "NoSchedule"`

From ad7b108bc85aa32c98124a96b93f1a987f8a8feb Mon Sep 17 00:00:00 2001
From: mtardy <mahe5397@hotmail.fr>
Date: Fri, 17 Feb 2023 13:33:35 +0100
Subject: [PATCH 103/215] CVE feed: add RSS feed format

Add tabs to display the various feeds thanks to sftim!
---
 .../issues-security/official-cve-feed.md      | 28 ++++++++++++-------
 layouts/_default/cve-feed.rss.xml             | 25 +++++++++++++++++
 2 files changed, 43 insertions(+), 10 deletions(-)
 create mode 100644 layouts/_default/cve-feed.rss.xml

diff --git a/content/en/docs/reference/issues-security/official-cve-feed.md b/content/en/docs/reference/issues-security/official-cve-feed.md
index ea0a9bffc74e5..11eb4edee1de7 100644
--- a/content/en/docs/reference/issues-security/official-cve-feed.md
+++ b/content/en/docs/reference/issues-security/official-cve-feed.md
@@ -1,9 +1,11 @@
 ---
 title: Official CVE Feed
+linkTitle: CVE feed
 weight: 25
 outputs:
   - json
-  - html 
+  - html
+  - rss
 layout: cve-feed
 ---
 
@@ -14,19 +16,25 @@ the Kubernetes Security Response Committee. See
 [Kubernetes Security and Disclosure Information](/docs/reference/issues-security/security/)
 for more details.
 
-The Kubernetes project publishes a programmatically accessible
-[JSON Feed](/docs/reference/issues-security/official-cve-feed/index.json) of 
-published security issues. You can access it by executing the following command:
-
-{{< comment >}}
-`replace` is used to bypass known issue with rendering ">"
-: https://github.com/gohugoio/hugo/issues/7229 in JSON layouts template
-`layouts/_default/cve-feed.json`
-{{< /comment >}}
+The Kubernetes project publishes a programmatically accessible feed of published
+security issues in [JSON feed](/docs/reference/issues-security/official-cve-feed/index.json)
+and [RSS feed](/docs/reference/issues-security/official-cve-feed/feed.xml)
+formats. You can access it by executing the following commands:
 
+{{< tabs name="CVE feeds" >}}
+{{% tab name="JSON feed" %}}
+[Link to JSON format](/docs/reference/issues-security/official-cve-feed/index.json)
 ```shell
 curl -Lv https://k8s.io/docs/reference/issues-security/official-cve-feed/index.json
 ```
+{{% /tab %}}
+{{% tab name="RSS feed" %}}
+[Link to RSS format](/docs/reference/issues-security/official-cve-feed/feed.xml)
+```shell
+curl -Lv https://k8s.io/docs/reference/issues-security/official-cve-feed/feed.xml
+```
+{{% /tab %}}
+{{< /tabs >}}
 
 {{< cve-feed >}}
 
diff --git a/layouts/_default/cve-feed.rss.xml b/layouts/_default/cve-feed.rss.xml
new file mode 100644
index 0000000000000..811469c924e98
--- /dev/null
+++ b/layouts/_default/cve-feed.rss.xml
@@ -0,0 +1,25 @@
+{{ $feed := getJSON .Site.Params.cveFeedBucket -}}
+<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
+  <channel>
+    <title>{{ $feed.title }}</title>
+    <link>{{ .Site.BaseURL }}docs/reference/issues-security/official-cve-feed/</link>
+    <description>{{ $feed.description }}</description>
+    <generator>Hugo -- gohugo.io</generator>
+    <language>en-US</language>
+	<copyright>{{ .Site.Params.Copyright_k8s }}</copyright>
+    <lastBuildDate>{{ time.Format "Mon, 02 Jan 2006 15:04:05 -0700" $feed._kubernetes_io.updated_at | safeHTML }}</lastBuildDate>
+    {{ with .OutputFormats.Get "RSS" -}}
+	{{ printf "<atom:link href=%q rel=\"self\" type=%q />" .Permalink .MediaType | safeHTML }}
+    {{ end -}}
+    {{ range $feed.items -}}
+    <item>
+      <title>{{ .id }}</title>
+      <link>{{ .url }}</link>
+      <pubDate>{{ time.Format "Mon, 02 Jan 2006 15:04:05 -0700" .date_published | safeHTML }}</pubDate>
+      <guid>{{ .external_url }}</guid>
+      <description>{{ htmlEscape .summary }}</description>
+    </item>
+    {{ end -}}
+  </channel>
+</rss>
+

From 15f730c13806929216e257c83f63677283b75676 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Frederico=20Mu=C3=B1oz?= <frederico.munoz@sas.com>
Date: Thu, 9 Mar 2023 21:07:01 +0000
Subject: [PATCH 104/215] Registry redirect blog article.

Co-authored-by: Tim Bannister <tim@scalefactory.com>
Co-authored-by: Rey Lejano <rlejano@gmail.com>
---
 .../2023-03-10-image-registry-change.md       | 190 ++++++++++++++++++
 static/_redirects                             |   3 +
 2 files changed, 193 insertions(+)
 create mode 100644 content/en/blog/_posts/2023-03-10-image-registry-change.md

diff --git a/content/en/blog/_posts/2023-03-10-image-registry-change.md b/content/en/blog/_posts/2023-03-10-image-registry-change.md
new file mode 100644
index 0000000000000..9622c96d76cd8
--- /dev/null
+++ b/content/en/blog/_posts/2023-03-10-image-registry-change.md
@@ -0,0 +1,190 @@
+---
+layout: blog
+title: "k8s.gcr.io Redirect to registry.k8s.io - What You Need to Know"
+date: 2023-03-10T17:00:00.000Z
+slug: image-registry-redirect
+---
+
+**Authors**: Bob Killen (Google), Davanum Srinivas (AWS), Chris Short (AWS), Frederico Muñoz (SAS
+Institute), Tim Bannister (The Scale Factory), Ricky Sadowski (AWS), Grace Nguyen (Expo), Mahamed
+Ali (Rackspace Technology), Mars Toktonaliev (independent), Laura Santamaria (Dell), Kat Cosgrove
+(Dell)
+
+
+On Monday, March 20th, the k8s.gcr.io registry [will be redirected to the community owned
+registry](https://kubernetes.io/blog/2022/11/28/registry-k8s-io-faster-cheaper-ga/),
+**registry.k8s.io** .
+
+
+## TL;DR: What you need to know about this change
+
+- On Monday, March 20th, traffic from the older k8s.gcr.io registry will be redirected to
+  registry.k8s.io with the eventual goal of sunsetting k8s.gcr.io.
+- If you run in a restricted environment, and apply strict domain name or IP address access policies
+  limited to k8s.gcr.io, **the image pulls will not function** after k8s.gcr.io starts redirecting
+  to the new registry. 
+- A small subset of non-standard clients do not handle HTTP redirects by image registries, and will
+  need to be pointed directly at registry.k8s.io.
+- The redirect is a stopgap to assist users in making the switch. The deprecated k8s.gcr.io registry
+  will be phased out at some point. **Please update your manifests as soon as possible to point to
+  registry.k8s.io**.
+- If you host your own image registry, you can copy images you need there as well to reduce traffic
+  to community owned registries.
+
+If you think you may be impacted, or would like to know more about this change, please keep reading.
+
+## Why did Kubernetes change to a different image registry?
+
+k8s.gcr.io is hosted on a custom [Google Container Registry
+(GCR)](https://cloud.google.com/container-registry) domain that was set up solely for the Kubernetes
+project. This has worked well since the inception of the project, and we thank Google for providing
+these resources, but today, there are other cloud providers and vendors that would like to host
+images to provide a better experience for the people on their platforms. In addition to Google’s
+[renewed commitment to donate $3
+million](https://www.cncf.io/google-cloud-recommits-3m-to-kubernetes/) to support the project's
+infrastructure last year, Amazon Web Services announced a matching donation [during their Kubecon NA
+2022 keynote in Detroit](https://youtu.be/PPdimejomWo?t=236). This will provide a better experience
+for users (closer servers = faster downloads) and will reduce the egress bandwidth and costs from
+GCR at the same time.
+
+For more details on this change, check out [registry.k8s.io: faster, cheaper and Generally Available
+(GA)](/blog/2022/11/28/registry-k8s-io-faster-cheaper-ga/).
+
+## Why is a redirect being put in place?
+
+The project switched to [registry.k8s.io last year with the 1.25
+release](https://kubernetes.io/blog/2022/11/28/registry-k8s-io-faster-cheaper-ga/); however, most of
+the image pull traffic is still directed at the old endpoint k8s.gcr.io. This has not been
+sustainable for us as a project, as it is not utilizing the resources that have been donated to the
+project from other providers, and we are in the danger of running out of funds due to the cost of
+serving this traffic.
+
+A redirect will enable the project to take advantage of these new resources, significantly reducing
+our egress bandwidth costs. We only expect this change to impact a small subset of users running in
+restricted environments or using very old clients that do not respect redirects properly.
+
+## What images will be impacted?
+
+**ALL** images on k8s.gcr.io will be impacted by this change. k8s.gcr.io hosts many images beyond
+Kubernetes releases. A large number of Kubernetes subprojects host their images there as well. Some
+examples include the `dns/k8s-dns-node-cache`, `ingress-nginx/controller`, and
+`node-problem-detector/node-problem-detector` images.
+
+## What will happen to k8s.gcr.io?
+
+Separate from the the redirect, k8s.gcr.io will be frozen [and will not be updated with new images
+after April 3rd, 2023](https://kubernetes.io/blog/2023/02/06/k8s-gcr-io-freeze-announcement/). `k8s.gcr.io` 
+will not get any new releases, patches, or security updates. It will continue to remain available to
+help people migrate, but it **WILL** be phased out entirely in the future.
+
+## I run in a restricted environment. What should I do?
+
+For impacted users that run in a restricted environment, the best option is to copy over the
+required images to a private registry or configure a pull-through cache in their registry.
+
+There are several tools to copy images between registries;
+[crane](https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane_copy.md) is one
+of those tools, and images can be copied to a private registry by using `crane copy SRC DST`. There
+are also vendor-specific tools, like e.g. Google’s
+[gcrane](https://cloud.google.com/container-registry/docs/migrate-external-containers#copy), that
+perform a similar function but are streamlined for their platform.
+
+## How can I check registry.k8s.io is accessible from my cluster?
+
+To test connectivity to registry.k8s.io and being able to pull images from there, here is a sample
+command that can be executed in the namespace of your choosing:
+
+```
+kubectl run hello-world --tty --rm -i --image=registry.k8s.io/busybox:latest sh
+```
+
+When you run the command above, here’s what to expect when things work correctly:
+
+```
+$ kubectl run hello-world --tty --rm -i --image=registry.k8s.io/busybox:latest sh
+If you don't see a command prompt, try pressing enter.
+/ # exit
+Session ended, resume using 'kubectl attach hello-world -c hello-world -i -t' command when the pod is running
+pod "hello-world" deleted
+```
+
+
+## What kind of errors will I see if I’m impacted? 
+
+Errors may depend on what kind of container runtime you are using, and what endpoint you are routed
+to, but it should present such as `ErrImagePull`, `ImagePullBackOff`, or a container failing to be
+created with the warning `FailedCreatePodSandBox`.
+
+Below is an example error message showing a proxied deployment failing to pull due to an unknown
+certificate:
+
+```
+FailedCreatePodSandBox: Failed to create pod sandbox: rpc error: code = Unknown desc = Error response from daemon: Head “https://us-west1-docker.pkg.dev/v2/k8s-artifacts-prod/images/pause/manifests/3.8”: x509: certificate signed by unknown authority
+```
+
+## How can I find which images are using the legacy registry, and fix them?
+
+**Option 1**: See the one line kubectl command in our [earlier blog
+post](https://kubernetes.io/blog/2023/02/06/k8s-gcr-io-freeze-announcement/#what-s-next):
+
+```
+kubectl get pods --all-namespaces -o jsonpath="{.items[*].spec.containers[*].image}" |\
+tr -s '[[:space:]]' '\n' |\
+sort |\
+uniq -c
+```
+
+**Option 2**: A `kubectl` [krew](https://krew.sigs.k8s.io/) plugin has been developed called
+[`community-images`](https://github.com/kubernetes-sigs/community-images#kubectl-community-images),
+that will scan and report any images using the k8s.gcr.io endpoint.
+
+If you have krew installed, you can install it with:
+
+```
+kubectl krew install community-images
+```
+
+and generate a report with:
+
+```
+kubectl community-images
+```
+
+For alternate methods of install and example output, check out the repo:
+[kubernetes-sigs/community-images](https://github.com/kubernetes-sigs/community-image).
+
+**Option 3**: If you do not have access to a cluster directly, or manage many clusters - the best
+way is to run a search over your manifests and charts for _"k8s.gcr.io"_.
+
+**Option 4**: If you wish to prevent k8s.gcr.io based images from running in your cluster, example
+policies for [Gatekeeper](https://open-policy-agent.github.io/gatekeeper-library/website/) and
+[Kyverno](https://kyverno.io/) are available in the [AWS EKS Best Practices
+repository](https://github.com/aws/aws-eks-best-practices/tree/master/policies/k8s-registry-deprecation)
+that will block them from being pulled. You can use these third-party policies with any Kubernetes
+cluster.
+
+**Option 5**: As a **LAST** possible option, you can use a [Mutating
+Admission Webhook](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#what-are-admission-webhooks)
+to change the image address dynamically. This should only be
+considered a stopgap till your manifests have been updated. You can
+find a (third party) Mutating Webhook and Kyverno policy in
+[k8s-gcr-quickfix](https://github.com/abstractinfrastructure/k8s-gcr-quickfix).
+
+## I still have questions, where should I go?
+
+For more information on registry.k8s.io and why it was developed, see [registry.k8s.io: faster,
+cheaper and Generally Available](/blog/2022/11/28/registry-k8s-io-faster-cheaper-ga/).
+
+If you would like to know more about the image freeze and the last images that will be available
+there, see the blog post: [k8s.gcr.io Image Registry Will Be Frozen From the 3rd of April
+2023](/blog/2023/02/06/k8s-gcr-io-freeze-announcement/).
+
+Information on the architecture of registry.k8s.io and its [request handling decision
+tree](https://github.com/kubernetes/registry.k8s.io/blob/8408d0501a88b3d2531ff54b14eeb0e3c900a4f3/cmd/archeio/docs/request-handling.md)
+can be found in the [kubernetes/registry.k8s.io
+repo](https://github.com/kubernetes/registry.k8s.io).
+
+If you believe you have encountered a bug with the new registry or the redirect, please open an
+issue in the [kubernetes/registry.k8s.io
+repo](https://github.com/kubernetes/registry.k8s.io/issues/new/choose). **Please check if there is an issue already
+open similar to what you are seeing before you create a new issue**.
diff --git a/static/_redirects b/static/_redirects
index f4bd3250907d1..65f0758f31376 100644
--- a/static/_redirects
+++ b/static/_redirects
@@ -369,6 +369,9 @@
 /dockershim /blog/2022/02/17/dockershim-faq/ 302
 /dockershim/ /blog/2022/02/17/dockershim-faq/ 302
 
+/image-registry-redirect  /blog/2023/03/10/image-registry-redirect/ 302
+/image-registry-redirect/ /blog/2022/02/10/image-registry-redirect/ 302
+
 /docs/setup/release/notes/     /releases/notes/   302
 /docs/setup/release/                 /releases/   301
 /docs/setup/version-skew-policy/     /releases/version-skew-policy/   301

From 4195de416967b97ebd0e855e640cef5baa2cd21c Mon Sep 17 00:00:00 2001
From: Tim Hockin <thockin@google.com>
Date: Fri, 10 Mar 2023 10:39:15 -0800
Subject: [PATCH 105/215] Reorder registry blog sections

---
 .../2023-03-10-image-registry-change.md       | 125 +++++++++---------
 1 file changed, 61 insertions(+), 64 deletions(-)

diff --git a/content/en/blog/_posts/2023-03-10-image-registry-change.md b/content/en/blog/_posts/2023-03-10-image-registry-change.md
index 9622c96d76cd8..2d33b22db9931 100644
--- a/content/en/blog/_posts/2023-03-10-image-registry-change.md
+++ b/content/en/blog/_posts/2023-03-10-image-registry-change.md
@@ -33,83 +33,24 @@ registry](https://kubernetes.io/blog/2022/11/28/registry-k8s-io-faster-cheaper-g
 
 If you think you may be impacted, or would like to know more about this change, please keep reading.
 
-## Why did Kubernetes change to a different image registry?
-
-k8s.gcr.io is hosted on a custom [Google Container Registry
-(GCR)](https://cloud.google.com/container-registry) domain that was set up solely for the Kubernetes
-project. This has worked well since the inception of the project, and we thank Google for providing
-these resources, but today, there are other cloud providers and vendors that would like to host
-images to provide a better experience for the people on their platforms. In addition to Google’s
-[renewed commitment to donate $3
-million](https://www.cncf.io/google-cloud-recommits-3m-to-kubernetes/) to support the project's
-infrastructure last year, Amazon Web Services announced a matching donation [during their Kubecon NA
-2022 keynote in Detroit](https://youtu.be/PPdimejomWo?t=236). This will provide a better experience
-for users (closer servers = faster downloads) and will reduce the egress bandwidth and costs from
-GCR at the same time.
-
-For more details on this change, check out [registry.k8s.io: faster, cheaper and Generally Available
-(GA)](/blog/2022/11/28/registry-k8s-io-faster-cheaper-ga/).
-
-## Why is a redirect being put in place?
-
-The project switched to [registry.k8s.io last year with the 1.25
-release](https://kubernetes.io/blog/2022/11/28/registry-k8s-io-faster-cheaper-ga/); however, most of
-the image pull traffic is still directed at the old endpoint k8s.gcr.io. This has not been
-sustainable for us as a project, as it is not utilizing the resources that have been donated to the
-project from other providers, and we are in the danger of running out of funds due to the cost of
-serving this traffic.
-
-A redirect will enable the project to take advantage of these new resources, significantly reducing
-our egress bandwidth costs. We only expect this change to impact a small subset of users running in
-restricted environments or using very old clients that do not respect redirects properly.
-
-## What images will be impacted?
-
-**ALL** images on k8s.gcr.io will be impacted by this change. k8s.gcr.io hosts many images beyond
-Kubernetes releases. A large number of Kubernetes subprojects host their images there as well. Some
-examples include the `dns/k8s-dns-node-cache`, `ingress-nginx/controller`, and
-`node-problem-detector/node-problem-detector` images.
-
-## What will happen to k8s.gcr.io?
-
-Separate from the the redirect, k8s.gcr.io will be frozen [and will not be updated with new images
-after April 3rd, 2023](https://kubernetes.io/blog/2023/02/06/k8s-gcr-io-freeze-announcement/). `k8s.gcr.io` 
-will not get any new releases, patches, or security updates. It will continue to remain available to
-help people migrate, but it **WILL** be phased out entirely in the future.
-
-## I run in a restricted environment. What should I do?
-
-For impacted users that run in a restricted environment, the best option is to copy over the
-required images to a private registry or configure a pull-through cache in their registry.
-
-There are several tools to copy images between registries;
-[crane](https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane_copy.md) is one
-of those tools, and images can be copied to a private registry by using `crane copy SRC DST`. There
-are also vendor-specific tools, like e.g. Google’s
-[gcrane](https://cloud.google.com/container-registry/docs/migrate-external-containers#copy), that
-perform a similar function but are streamlined for their platform.
-
-## How can I check registry.k8s.io is accessible from my cluster?
+## How can I check if I am impacted?
 
 To test connectivity to registry.k8s.io and being able to pull images from there, here is a sample
 command that can be executed in the namespace of your choosing:
 
 ```
-kubectl run hello-world --tty --rm -i --image=registry.k8s.io/busybox:latest sh
+kubectl run hello-world -ti --rm --image=registry.k8s.io/busybox:latest --restart=Never -- date
 ```
 
 When you run the command above, here’s what to expect when things work correctly:
 
 ```
-$ kubectl run hello-world --tty --rm -i --image=registry.k8s.io/busybox:latest sh
-If you don't see a command prompt, try pressing enter.
-/ # exit
-Session ended, resume using 'kubectl attach hello-world -c hello-world -i -t' command when the pod is running
+$ kubectl run hello-world -ti --rm --image=registry.k8s.io/busybox:latest --restart=Never -- date
+Fri Feb 31 07:07:07 UTC 2023
 pod "hello-world" deleted
 ```
 
-
-## What kind of errors will I see if I’m impacted? 
+## What kind of errors will I see if I’m impacted?
 
 Errors may depend on what kind of container runtime you are using, and what endpoint you are routed
 to, but it should present such as `ErrImagePull`, `ImagePullBackOff`, or a container failing to be
@@ -122,6 +63,25 @@ certificate:
 FailedCreatePodSandBox: Failed to create pod sandbox: rpc error: code = Unknown desc = Error response from daemon: Head “https://us-west1-docker.pkg.dev/v2/k8s-artifacts-prod/images/pause/manifests/3.8”: x509: certificate signed by unknown authority
 ```
 
+## What images will be impacted?
+
+**ALL** images on k8s.gcr.io will be impacted by this change. k8s.gcr.io hosts many images beyond
+Kubernetes releases. A large number of Kubernetes subprojects host their images there as well. Some
+examples include the `dns/k8s-dns-node-cache`, `ingress-nginx/controller`, and
+`node-problem-detector/node-problem-detector` images.
+
+## I am impacted. What should I do?
+
+For impacted users that run in a restricted environment, the best option is to copy over the
+required images to a private registry or configure a pull-through cache in their registry.
+
+There are several tools to copy images between registries;
+[crane](https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane_copy.md) is one
+of those tools, and images can be copied to a private registry by using `crane copy SRC DST`. There
+are also vendor-specific tools, like e.g. Google’s
+[gcrane](https://cloud.google.com/container-registry/docs/migrate-external-containers#copy), that
+perform a similar function but are streamlined for their platform.
+
 ## How can I find which images are using the legacy registry, and fix them?
 
 **Option 1**: See the one line kubectl command in our [earlier blog
@@ -170,6 +130,43 @@ considered a stopgap till your manifests have been updated. You can
 find a (third party) Mutating Webhook and Kyverno policy in
 [k8s-gcr-quickfix](https://github.com/abstractinfrastructure/k8s-gcr-quickfix).
 
+## Why did Kubernetes change to a different image registry?
+
+k8s.gcr.io is hosted on a custom [Google Container Registry
+(GCR)](https://cloud.google.com/container-registry) domain that was set up solely for the Kubernetes
+project. This has worked well since the inception of the project, and we thank Google for providing
+these resources, but today, there are other cloud providers and vendors that would like to host
+images to provide a better experience for the people on their platforms. In addition to Google’s
+[renewed commitment to donate $3
+million](https://www.cncf.io/google-cloud-recommits-3m-to-kubernetes/) to support the project's
+infrastructure last year, Amazon Web Services announced a matching donation [during their Kubecon NA
+2022 keynote in Detroit](https://youtu.be/PPdimejomWo?t=236). This will provide a better experience
+for users (closer servers = faster downloads) and will reduce the egress bandwidth and costs from
+GCR at the same time.
+
+For more details on this change, check out [registry.k8s.io: faster, cheaper and Generally Available
+(GA)](/blog/2022/11/28/registry-k8s-io-faster-cheaper-ga/).
+
+## Why is a redirect being put in place?
+
+The project switched to [registry.k8s.io last year with the 1.25
+release](https://kubernetes.io/blog/2022/11/28/registry-k8s-io-faster-cheaper-ga/); however, most of
+the image pull traffic is still directed at the old endpoint k8s.gcr.io. This has not been
+sustainable for us as a project, as it is not utilizing the resources that have been donated to the
+project from other providers, and we are in the danger of running out of funds due to the cost of
+serving this traffic.
+
+A redirect will enable the project to take advantage of these new resources, significantly reducing
+our egress bandwidth costs. We only expect this change to impact a small subset of users running in
+restricted environments or using very old clients that do not respect redirects properly.
+
+## What will happen to k8s.gcr.io?
+
+Separate from the the redirect, k8s.gcr.io will be frozen [and will not be updated with new images
+after April 3rd, 2023](https://kubernetes.io/blog/2023/02/06/k8s-gcr-io-freeze-announcement/). `k8s.gcr.io`
+will not get any new releases, patches, or security updates. It will continue to remain available to
+help people migrate, but it **WILL** be phased out entirely in the future.
+
 ## I still have questions, where should I go?
 
 For more information on registry.k8s.io and why it was developed, see [registry.k8s.io: faster,

From 0e6a3b08c4b773cc2b3fe08411916b192b581c1d Mon Sep 17 00:00:00 2001
From: Benjamin Elder <bentheelder@google.com>
Date: Fri, 10 Mar 2023 11:19:18 -0800
Subject: [PATCH 106/215] preempt registry freeze announcement with redirect
 announcement

---
 data/announcements/scheduled.yaml | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/data/announcements/scheduled.yaml b/data/announcements/scheduled.yaml
index 31c135a9a2039..2696127cf112c 100644
--- a/data/announcements/scheduled.yaml
+++ b/data/announcements/scheduled.yaml
@@ -134,7 +134,7 @@ announcements:
 - name: Freezing k8s.gcr.io - Before
   startTime: 2023-02-20T00:00:00 # Added in https://github.com/kubernetes/website/pull/39575
                                  # This should run before and after Kubecon EU 2023
-  endTime: 2023-03-26T00:00:00
+  endTime: 2023-03-10T00:00:00
   style: "background: #c70202"
   title: "Legacy k8s.gcr.io container image registry will be frozen in early April 2023"
   message: |
@@ -142,13 +142,22 @@ announcements:
     Images for Kubernetes 1.27 will not be available in the k8s.gcr.io image registry.<br/>
     Please read our [announcement](/blog/2023/02/06/k8s-gcr-io-freeze-announcement/) for more details.
 
-- name: Freezing k8s.gcr.io - After
-  startTime: 2023-04-05T00:00:00 # Added in https://github.com/kubernetes/website/pull/39575
-                                 # This should run before and after Kubecon EU 2023
+- name: Redirecting k8s.gcr.io - Before
+  startTime: 2023-03-10T00:00:00 # This should run before and after Kubecon EU 2023
+  endTime: 2023-03-26T00:00:00
+  style: "background: #c70202"
+  title: Legacy k8s.gcr.io container image registry will be redirected to registry.k8s.io
+  message: |
+    k8s.gcr.io image registry will be redirected to registry.k8s.io on Monday March 20th.<br>
+    All images available in k8s.gcr.io are available at registry.k8s.io.</br>
+    Please read our [announcement](blog/2023/03/10/image-registry-redirect/) for more details.
+
+- name: Redirecting k8s.gcr.io - After
+  startTime: 2023-04-05T00:00:00 # This should run before and after Kubecon EU 2023
   endTime: 2023-05-31T00:00:00
   style: "background: #c70202"
-  title: Legacy k8s.gcr.io container image registry was frozen on the 3rd of April 2023
+  title: Legacy k8s.gcr.io container image registry will be redirected to registry.k8s.io
   message: |
-    k8s.gcr.io image registry has been frozen on the 3rd of April 2023.<br/>
-    Images for Kubernetes 1.27 are not available in the k8s.gcr.io image registry.<br/>
-    Please read our [announcement](/blog/2023/02/06/k8s-gcr-io-freeze-announcement/) for more details.
+    k8s.gcr.io image registry will be redirected to registry.k8s.io on Monday March 20th.<br>
+    All images available in k8s.gcr.io are available at registry.k8s.io.</br>
+    Please read our [announcement](blog/2023/03/10/image-registry-redirect/) for more details.

From 91b297c3e8e4214886bd2616a4fbef7008334e18 Mon Sep 17 00:00:00 2001
From: Benjamin Elder <bentheelder@google.com>
Date: Fri, 10 Mar 2023 15:02:57 -0800
Subject: [PATCH 107/215] add suggested fixes to registry redirect announcement

---
 data/announcements/scheduled.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/data/announcements/scheduled.yaml b/data/announcements/scheduled.yaml
index 2696127cf112c..9c797ec191716 100644
--- a/data/announcements/scheduled.yaml
+++ b/data/announcements/scheduled.yaml
@@ -150,7 +150,7 @@ announcements:
   message: |
     k8s.gcr.io image registry will be redirected to registry.k8s.io on Monday March 20th.<br>
     All images available in k8s.gcr.io are available at registry.k8s.io.</br>
-    Please read our [announcement](blog/2023/03/10/image-registry-redirect/) for more details.
+    Please read our [announcement](/blog/2023/03/10/image-registry-redirect/) for more details.
 
 - name: Redirecting k8s.gcr.io - After
   startTime: 2023-04-05T00:00:00 # This should run before and after Kubecon EU 2023
@@ -158,6 +158,6 @@ announcements:
   style: "background: #c70202"
   title: Legacy k8s.gcr.io container image registry will be redirected to registry.k8s.io
   message: |
-    k8s.gcr.io image registry will be redirected to registry.k8s.io on Monday March 20th.<br>
+    k8s.gcr.io image registry is being redirected to registry.k8s.io (since Monday March 20th).<br>
     All images available in k8s.gcr.io are available at registry.k8s.io.</br>
-    Please read our [announcement](blog/2023/03/10/image-registry-redirect/) for more details.
+    Please read our [announcement](/blog/2023/03/10/image-registry-redirect/) for more details.

From 1d0a0b77da9371e07f85293a4445c26e8a0091f3 Mon Sep 17 00:00:00 2001
From: Arhell <arhell333@gmail.com>
Date: Sat, 11 Mar 2023 14:27:32 +0200
Subject: [PATCH 108/215] [ja] Change shell to console for code snippet

---
 .../configure-pod-container/configure-volume-storage.md     | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/content/ja/docs/tasks/configure-pod-container/configure-volume-storage.md b/content/ja/docs/tasks/configure-pod-container/configure-volume-storage.md
index a7bb1a0d65ce3..5fb2769bdd31c 100644
--- a/content/ja/docs/tasks/configure-pod-container/configure-volume-storage.md
+++ b/content/ja/docs/tasks/configure-pod-container/configure-volume-storage.md
@@ -46,7 +46,7 @@ weight: 50
 
     出力は次のようになります:
 
-    ```shell
+    ```console
     NAME      READY     STATUS    RESTARTS   AGE
     redis     1/1       Running   0          13s
     ```
@@ -74,7 +74,7 @@ weight: 50
 
     出力はこのようになります:
 
-    ```shell
+    ```console
     USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
     redis        1  0.1  0.1  33308  3828 ?        Ssl  00:46   0:00 redis-server *:6379
     root        12  0.0  0.0  20228  3020 ?        Ss   00:47   0:00 /bin/bash
@@ -91,7 +91,7 @@ weight: 50
 
 1. 元の端末で、Redis Podへの変更を監視します。最終的には、このようなものが表示されます:
 
-    ```shell
+    ```console
     NAME      READY     STATUS     RESTARTS   AGE
     redis     1/1       Running    0          13s
     redis     0/1       Completed  0         6m

From 106f28ef0eb02a30e835de3ef59bc7706bc8dbcf Mon Sep 17 00:00:00 2001
From: Arhell <arhell333@gmail.com>
Date: Sun, 12 Mar 2023 00:22:29 +0200
Subject: [PATCH 109/215] [id] Removed spec.Replicas

---
 content/id/examples/application/php-apache.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/content/id/examples/application/php-apache.yaml b/content/id/examples/application/php-apache.yaml
index d29d2b91593f3..a194dce6f958a 100644
--- a/content/id/examples/application/php-apache.yaml
+++ b/content/id/examples/application/php-apache.yaml
@@ -6,7 +6,6 @@ spec:
   selector:
     matchLabels:
       run: php-apache
-  replicas: 1
   template:
     metadata:
       labels:

From 64af02f2817d5103fb3d2a35d032781af2548889 Mon Sep 17 00:00:00 2001
From: Dhairya-Arora01 <90555081+Dhairya-Arora01@users.noreply.github.com>
Date: Sun, 12 Mar 2023 13:40:03 +0000
Subject: [PATCH 110/215] fixed the outdated link

---
 content/en/docs/concepts/scheduling-eviction/assign-pod-node.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/docs/concepts/scheduling-eviction/assign-pod-node.md b/content/en/docs/concepts/scheduling-eviction/assign-pod-node.md
index 1ce5ea8e95337..67bcf7e4dd133 100644
--- a/content/en/docs/concepts/scheduling-eviction/assign-pod-node.md
+++ b/content/en/docs/concepts/scheduling-eviction/assign-pod-node.md
@@ -221,7 +221,7 @@ unexpected to them. Use node labels that have a clear correlation to the
 scheduler profile name.
 
 {{< note >}}
-The DaemonSet controller, which [creates Pods for DaemonSets](/docs/concepts/workloads/controllers/daemonset/#scheduled-by-default-scheduler),
+The DaemonSet controller, which [creates Pods for DaemonSets](/docs/concepts/workloads/controllers/daemonset/#how-daemon-pods-are-scheduled),
 does not support scheduling profiles. When the DaemonSet controller creates
 Pods, the default Kubernetes scheduler places those Pods and honors any
 `nodeAffinity` rules in the DaemonSet controller.

From fba2add4ccc58770c41324b37a0cac214cb88ebc Mon Sep 17 00:00:00 2001
From: Craig Box <craigb@armosec.io>
Date: Mon, 13 Mar 2023 10:46:56 +1300
Subject: [PATCH 111/215] Shortcode fixes for de

---
 content/de/docs/setup/_index.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/content/de/docs/setup/_index.md b/content/de/docs/setup/_index.md
index 2203fcc19cf59..b1c8bbb9b7803 100644
--- a/content/de/docs/setup/_index.md
+++ b/content/de/docs/setup/_index.md
@@ -34,7 +34,7 @@ Benutzen Sie eine Docker-basierende Lösung, wenn Sie Kubernetes erlernen wollen
 |                     | [IBM Cloud Private-CE (Community Edition)](https://github.com/IBM/deploy-ibm-cloud-private) |
 |                     | [IBM Cloud Private-CE (Community Edition) on Linux Containers](https://github.com/HSBawa/icp-ce-on-linux-containers)|
 |                     | [k3s](https://k3s.io)|
-
+{{< /table >}}
 
 ## Produktionsumgebung
 
@@ -98,5 +98,6 @@ Die folgende Tabelle für Produktionsumgebungs-Lösungen listet Anbieter und der
 | [VEXXHOST](https://vexxhost.com/)         | &#x2714;             | &#x2714;      |             |      |          |
 | [VMware](https://cloud.vmware.com/) | [VMware Cloud PKS](https://cloud.vmware.com/vmware-cloud-pks)              |[VMware Enterprise PKS](https://cloud.vmware.com/vmware-enterprise-pks)        |   [VMware Enterprise PKS](https://cloud.vmware.com/vmware-enterprise-pks)          | [VMware Essential PKS](https://cloud.vmware.com/vmware-essential-pks)      |          |[VMware Essential PKS](https://cloud.vmware.com/vmware-essential-pks)
 | [Z.A.R.V.I.S.](https://zarvis.ai/) | &#x2714; | | | | | |
+{{< /table >}}
 
 

From 46bf59d941b1b644a9239a1efcca99ff52d59f00 Mon Sep 17 00:00:00 2001
From: Craig Box <craigb@armosec.io>
Date: Mon, 13 Mar 2023 10:50:13 +1300
Subject: [PATCH 112/215] Shortcode fixes for en

---
 .../en/blog/_posts/2021-04-20-annotating-k8s-for-humans.md | 1 +
 .../command-line-tools-reference/feature-gates-removed.md  | 1 +
 content/en/docs/reference/using-api/cel.md                 | 7 +++++++
 content/en/docs/tasks/administer-cluster/encrypt-data.md   | 1 +
 4 files changed, 10 insertions(+)

diff --git a/content/en/blog/_posts/2021-04-20-annotating-k8s-for-humans.md b/content/en/blog/_posts/2021-04-20-annotating-k8s-for-humans.md
index 155ff5a3b31f5..f4820fced31e9 100644
--- a/content/en/blog/_posts/2021-04-20-annotating-k8s-for-humans.md
+++ b/content/en/blog/_posts/2021-04-20-annotating-k8s-for-humans.md
@@ -83,6 +83,7 @@ Adopting a common convention for annotations ensures consistency and understanda
 | `a8r.io/uptime`                            | Link to external uptime dashboard. |
 | `a8r.io/performance`                       | Link to external performance dashboard. |
 | `a8r.io/dependencies`                      | Unstructured text describing the service dependencies for humans. |
+{{< /table >}}
 
 
 ## Visualizing annotations: Service Catalogs
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates-removed.md b/content/en/docs/reference/command-line-tools-reference/feature-gates-removed.md
index a3b704d891e5b..0244c7703e1de 100644
--- a/content/en/docs/reference/command-line-tools-reference/feature-gates-removed.md
+++ b/content/en/docs/reference/command-line-tools-reference/feature-gates-removed.md
@@ -333,6 +333,7 @@ In the following table:
 | `WindowsRunAsUserName` | `false` | Alpha | 1.16 | 1.16 |
 | `WindowsRunAsUserName` | `true` | Beta | 1.17 | 1.17 |
 | `WindowsRunAsUserName` | `true` | GA | 1.18 | 1.20 |
+{{< /table >}}
 
 ## Descriptions for removed feature gates
 
diff --git a/content/en/docs/reference/using-api/cel.md b/content/en/docs/reference/using-api/cel.md
index 23ba98af4062a..532a214f009fc 100644
--- a/content/en/docs/reference/using-api/cel.md
+++ b/content/en/docs/reference/using-api/cel.md
@@ -59,6 +59,7 @@ Example CEL expressions:
 | `self.metadata.name == 'singleton'`                                                | Validate that an object's name matches a specific value (making it a singleton)   |
 | `self.set1.all(e, !(e in self.set2))`                                              | Validate that two listSets are disjoint                                           |
 | `self.names.size() == self.details.size() && self.names.all(n, n in self.details)` | Validate the 'details' map is keyed by the items in the 'names' listSet           |
+{{< /table >}}
 
 ## CEL community libraries
 
@@ -95,6 +96,7 @@ Examples:
 | `items.map(x, x.weight).sum() == 1.0`                                              | Verify that the "weights" of a list of objects sum to 1.0 |
 | `lowPriorities.map(x, x.priority).max() < highPriorities.map(x, x.priority).min()` | Verify that two sets of priorities do not overlap         |
 | `names.indexOf('should-be-first') == 1`                                            | Require that the first name in a list if a specific value | 
+{{< /table >}}
 
 See the [Kubernetes List Library](https://pkg.go.dev/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/library#Lists)
 godoc for more information.
@@ -112,6 +114,7 @@ Examples:
 |-------------------------------------------------------------|----------------------------------------------------------|
 | `"abc 123".find('[0-9]*')`                                  | Find the first number in a string                        |
 | `"1, 2, 3, 4".findAll('[0-9]*').map(x, int(x)).sum() < 100` | Verify that the numbers in a string sum to less than 100 |
+{{< /table >}}
 
 See the [Kubernetes regex library](https://pkg.go.dev/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/library#Regex)
 godoc for more information.
@@ -136,6 +139,7 @@ Examples:
 |-----------------------------------------------------------------|------------------------------------------------|
 | `url('https://example.com:80/').getHost()`                      | Get the 'example.com:80' host part of the URL. |
 | `url('https://example.com/path with spaces/').getEscapedPath()` | Returns '/path%20with%20spaces/'               |
+{{< /table >}}
 
 See the [Kubernetes URL library](https://pkg.go.dev/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/library#URLs)
 godoc for more information.
@@ -191,6 +195,7 @@ has(object.namex) ? object.namex == 'special' : request.name == 'special'
 | 'string' with format=date                          | timestamp (google.protobuf.Timestamp)                                                                                        |
 | 'string' with format=datetime                      | timestamp (google.protobuf.Timestamp)                                                                                        |
 | 'string' with format=duration                      | duration (google.protobuf.Duration)                                                                                          |
+{{< /table >}}
 
 Also see: [CEL types](https://github.com/google/cel-spec/blob/v0.6.0/doc/langdef.md#values),
 [OpenAPI types](https://swagger.io/specification/#data-types),
@@ -225,6 +230,7 @@ expression:
 | `__dash__`        | `-`                                                                                          |
 | `__slash__`       | `/`                                                                                          |
 | `__{keyword}__`   | [CEL **RESERVED** keyword](https://github.com/google/cel-spec/blob/v0.6.0/doc/langdef.md#syntax) |
+{{< /table >}}
 
 When you escape any of CEL's **RESERVED** keywords you need to match the exact property name
 use the underscore escaping
@@ -239,6 +245,7 @@ Examples on escaping:
 | `x-prop`      | `self.x__dash__prop > 0`          |
 | `redact__d`   | `self.redact__underscores__d > 0` |
 | `string`      | `self.startsWith('kube')`         |
+{{< /table >}}
 
 ## Resource constraints
 
diff --git a/content/en/docs/tasks/administer-cluster/encrypt-data.md b/content/en/docs/tasks/administer-cluster/encrypt-data.md
index c683c5aa9b2c3..656762c30f506 100644
--- a/content/en/docs/tasks/administer-cluster/encrypt-data.md
+++ b/content/en/docs/tasks/administer-cluster/encrypt-data.md
@@ -103,6 +103,7 @@ Name | Encryption | Strength | Speed | Key Length | Other Considerations
 `aesgcm` | AES-GCM with random nonce | Must be rotated every 200k writes | Fastest | 16, 24, or 32-byte | Is not recommended for use except when an automated key rotation scheme is implemented.
 `aescbc` | AES-CBC with [PKCS#7](https://datatracker.ietf.org/doc/html/rfc2315) padding | Weak | Fast | 32-byte | Not recommended due to CBC's vulnerability to padding oracle attacks.
 `kms` | Uses envelope encryption scheme: Data is encrypted by data encryption keys (DEKs) using AES-CBC with [PKCS#7](https://datatracker.ietf.org/doc/html/rfc2315) padding (prior to v1.25), using AES-GCM starting from v1.25, DEKs are encrypted by key encryption keys (KEKs) according to configuration in Key Management Service (KMS) | Strongest | Fast | 32-bytes |  The recommended choice for using a third party tool for key management. Simplifies key rotation, with a new DEK generated for each encryption, and KEK rotation controlled by the user. [Configure the KMS provider](/docs/tasks/administer-cluster/kms-provider/).
+{{< /table >}}
 
 Each provider supports multiple keys - the keys are tried in order for decryption, and if the provider
 is the first provider, the first key is used for encryption.

From a68a79bc15ea01f809ca6196d3f1e7bf03660e3f Mon Sep 17 00:00:00 2001
From: Craig Box <craigb@armosec.io>
Date: Mon, 13 Mar 2023 10:50:58 +1300
Subject: [PATCH 113/215] Shortcode fixes for id

---
 content/id/docs/concepts/cluster-administration/flow-control.md | 1 +
 content/id/docs/tasks/administer-cluster/sysctl-cluster.md      | 1 +
 2 files changed, 2 insertions(+)

diff --git a/content/id/docs/concepts/cluster-administration/flow-control.md b/content/id/docs/concepts/cluster-administration/flow-control.md
index 9cfe98e650f10..5aa02f4725f5d 100644
--- a/content/id/docs/concepts/cluster-administration/flow-control.md
+++ b/content/id/docs/concepts/cluster-administration/flow-control.md
@@ -243,6 +243,7 @@ https://play.golang.org/p/Gi0PLgVHiUg, yang digunakan untuk menghitung nilai-nil
 |       6|        256|	2.7134626662687968e-12|	2.9516464018476436e-07|	0.0008895654642000348|
 |       6|        512|	4.116062922897309e-14|	4.982983350480894e-09|	2.26025764343413e-05|
 |       6|       1024|	6.337324016514285e-16|	8.09060164312957e-11|	4.517408062903668e-07|
+{{< /table >}}
 
 ### FlowSchema
 
diff --git a/content/id/docs/tasks/administer-cluster/sysctl-cluster.md b/content/id/docs/tasks/administer-cluster/sysctl-cluster.md
index 42acb5d0f599e..667017180fe38 100644
--- a/content/id/docs/tasks/administer-cluster/sysctl-cluster.md
+++ b/content/id/docs/tasks/administer-cluster/sysctl-cluster.md
@@ -60,6 +60,7 @@ Sysctl berikut ini didukung dalam kelompok _safe_:
 
 {{< note >}}
 Contoh `net.ipv4.tcp_syncookies` bukan merupakan Namespace pada kernel Linux versi 4.4 atau lebih rendah.
+{{< /note >}}
 
 Daftar ini akan terus dikembangkan dalam versi Kubernetes berikutnya ketika kubelet
 mendukung mekanisme isolasi yang lebih baik.

From 1578937e2c1bd463dc90be239de637a79e30cbaa Mon Sep 17 00:00:00 2001
From: Craig Box <craigb@armosec.io>
Date: Mon, 13 Mar 2023 10:53:11 +1300
Subject: [PATCH 114/215] Shortcode fixes for ko

---
 .../concepts/architecture/control-plane-node-communication.md   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ko/docs/concepts/architecture/control-plane-node-communication.md b/content/ko/docs/concepts/architecture/control-plane-node-communication.md
index ed963638b18d3..ff1d9fb11959e 100644
--- a/content/ko/docs/concepts/architecture/control-plane-node-communication.md
+++ b/content/ko/docs/concepts/architecture/control-plane-node-communication.md
@@ -100,7 +100,7 @@ kubelet, 노드, 파드 또는 서비스로 향하는 모든 트래픽을 전달
 SSH 터널은 현재 더 이상 사용되지 않으므로, 수행 중인 작업이 어떤 것인지 모른다면 사용하면 안 된다. 
 [Konnectivity 서비스](#konnectivity-service)가 SSH 통신 채널을 
 대체한다.
-{{< note >}}
+{{< /note >}}
 
 ### Konnectivity 서비스 {#konnectivity-service}
 

From dc643c140f8e302d322b495307db1d18b6b5ae26 Mon Sep 17 00:00:00 2001
From: Craig Box <craigb@armosec.io>
Date: Mon, 13 Mar 2023 10:53:53 +1300
Subject: [PATCH 115/215] Shortcode fixes for uk

---
 content/uk/docs/setup/_index.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/content/uk/docs/setup/_index.md b/content/uk/docs/setup/_index.md
index 2168e1eb378f4..89bda3862d60f 100644
--- a/content/uk/docs/setup/_index.md
+++ b/content/uk/docs/setup/_index.md
@@ -60,6 +60,7 @@ card:
 |                     | [IBM Cloud Private-CE (Community Edition)](https://github.com/IBM/deploy-ibm-cloud-private) |
 |                     | [IBM Cloud Private-CE (Community Edition) on Linux Containers](https://github.com/HSBawa/icp-ce-on-linux-containers)|
 |                     | [k3s](https://k3s.io)|
+{{< /table >}}
 
 
 ## Прод оточення {#прод-оточення}
@@ -132,5 +133,6 @@ card:
 | [VEXXHOST](https://vexxhost.com/)         | &#x2714;             | &#x2714;      |             |      |          |
 | [VMware](https://cloud.vmware.com/) | [VMware Cloud PKS](https://cloud.vmware.com/vmware-cloud-pks)              |[VMware Enterprise PKS](https://cloud.vmware.com/vmware-enterprise-pks)        |   [VMware Enterprise PKS](https://cloud.vmware.com/vmware-enterprise-pks)          | [VMware Essential PKS](https://cloud.vmware.com/vmware-essential-pks)      |          |[VMware Essential PKS](https://cloud.vmware.com/vmware-essential-pks)
 | [Z.A.R.V.I.S.](https://zarvis.ai/) | &#x2714; | | | | | |
+{{< /table >}}
 
 

From 16abc209b807edd17658170196730ce78ad80bb1 Mon Sep 17 00:00:00 2001
From: Craig Box <craigb@armosec.io>
Date: Mon, 13 Mar 2023 10:54:52 +1300
Subject: [PATCH 116/215] Shortcode fixes for zh-cn

---
 .../docs/concepts/scheduling-eviction/scheduler-perf-tuning.md   | 1 +
 .../command-line-tools-reference/feature-gates-removed.md        | 1 +
 content/zh-cn/docs/tasks/administer-cluster/encrypt-data.md      | 1 +
 content/zh-cn/docs/tutorials/stateful-application/cassandra.md   | 1 +
 4 files changed, 4 insertions(+)

diff --git a/content/zh-cn/docs/concepts/scheduling-eviction/scheduler-perf-tuning.md b/content/zh-cn/docs/concepts/scheduling-eviction/scheduler-perf-tuning.md
index 01574c7e0775d..d0f99047bae88 100644
--- a/content/zh-cn/docs/concepts/scheduling-eviction/scheduler-perf-tuning.md
+++ b/content/zh-cn/docs/concepts/scheduling-eviction/scheduler-perf-tuning.md
@@ -207,6 +207,7 @@ change will have no or little effect, for a similar reason.
 If your cluster has several hundred Nodes or fewer, leave this configuration option
 at its default value. Making changes is unlikely to improve the
 scheduler's performance significantly.
+{{< /note >}}
 -->
 {{< note >}}
 当集群中的可调度节点少于 50 个时，调度器仍然会去检查所有的 Node，
diff --git a/content/zh-cn/docs/reference/command-line-tools-reference/feature-gates-removed.md b/content/zh-cn/docs/reference/command-line-tools-reference/feature-gates-removed.md
index 4c1f7f5344661..0917e56fd824f 100644
--- a/content/zh-cn/docs/reference/command-line-tools-reference/feature-gates-removed.md
+++ b/content/zh-cn/docs/reference/command-line-tools-reference/feature-gates-removed.md
@@ -360,6 +360,7 @@ In the following table:
 | `WindowsRunAsUserName` | `false` | Alpha | 1.16 | 1.16 |
 | `WindowsRunAsUserName` | `true` | Beta | 1.17 | 1.17 |
 | `WindowsRunAsUserName` | `true` | GA | 1.18 | 1.20 |
+{{< /table >}}
 
 <!--
 ## Descriptions for removed feature gates
diff --git a/content/zh-cn/docs/tasks/administer-cluster/encrypt-data.md b/content/zh-cn/docs/tasks/administer-cluster/encrypt-data.md
index 4a387565ebee8..5b92b689af8da 100644
--- a/content/zh-cn/docs/tasks/administer-cluster/encrypt-data.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/encrypt-data.md
@@ -169,6 +169,7 @@ is the first provider, the first key is used for encryption.
 `aesgcm` | 带有随机数的 AES-GCM | 必须每 200k 写入一次 | 最快 | 16、24 或者 32字节 | 建议不要使用，除非实施了自动密钥循环方案。
 `aescbc` | 填充 [PKCS#7](https://datatracker.ietf.org/doc/html/rfc2315) 的 AES-CBC | 弱 | 快 | 32 字节 | 由于 CBC 容易受到密文填塞攻击（Padding Oracle Attack），不推荐使用。
 `kms` | 使用信封加密方案：数据使用带有 [PKCS#7](https://datatracker.ietf.org/doc/html/rfc2315) 填充的 AES-CBC（v1.25 之前），从 v1.25 开始使用 AES-GCM 通过数据加密密钥（DEK）加密，DEK 根据 Key Management Service（KMS）中的配置通过密钥加密密钥（Key Encryption Keys，KEK）加密 | 最强 | 快 | 32 字节 | 建议使用第三方工具进行密钥管理。为每个加密生成新的 DEK，并由用户控制 KEK 轮换来简化密钥轮换。[配置 KMS 提供程序](/zh-cn/docs/tasks/administer-cluster/kms-provider/)
+{{< /table >}}
 
 每个 provider 都支持多个密钥 - 在解密时会按顺序使用密钥，如果是第一个 provider，则第一个密钥用于加密。
 
diff --git a/content/zh-cn/docs/tutorials/stateful-application/cassandra.md b/content/zh-cn/docs/tutorials/stateful-application/cassandra.md
index ee38e89338bf2..e1afdedbb841e 100644
--- a/content/zh-cn/docs/tutorials/stateful-application/cassandra.md
+++ b/content/zh-cn/docs/tutorials/stateful-application/cassandra.md
@@ -91,6 +91,7 @@ To complete this tutorial, you should already have a basic familiarity with
 [Minikube](https://minikube.sigs.k8s.io/docs/) defaults to 2048MB of memory and 2 CPU.
 Running Minikube with the default resource configuration results in insufficient resource
 errors during this tutorial. To avoid these errors, start Minikube with the following settings:
+{{< /caution >}}
 -->
 ### 额外的 Minikube 设置说明
 

From 99abcbf23b3d9762d99fce4158b3f25a7b57509d Mon Sep 17 00:00:00 2001
From: Craig Box <craigb@armosec.io>
Date: Mon, 13 Mar 2023 10:55:39 +1300
Subject: [PATCH 117/215] Shortcode fixes for es

---
 .../tasks/tools/included/install-kubectl-windows.md    | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/content/es/docs/tasks/tools/included/install-kubectl-windows.md b/content/es/docs/tasks/tools/included/install-kubectl-windows.md
index 46a43a35ca855..4665883943617 100644
--- a/content/es/docs/tasks/tools/included/install-kubectl-windows.md
+++ b/content/es/docs/tasks/tools/included/install-kubectl-windows.md
@@ -30,7 +30,7 @@ Existen los siguientes métodos para instalar kubectl en Windows:
    O si tiene `curl` instalado, use este comando:
 
    ```powershell
-   curl -LO https://dl.k8s.io/release/{{< param "fullversion" >}}/bin/windows/amd64/kubectl.exe
+   curl -LO https://dl.k8s.io/release/{{% param "fullversion" %}}/bin/windows/amd64/kubectl.exe
    ```
 
    {{< note >}}
@@ -42,7 +42,7 @@ Existen los siguientes métodos para instalar kubectl en Windows:
    Descargue el archivo de comprobación de kubectl:
 
    ```powershell
-   curl -LO https://dl.k8s.io/{{< param "fullversion" >}}/bin/windows/amd64/kubectl.exe.sha256
+   curl -LO https://dl.k8s.io/{{% param "fullversion" %}}/bin/windows/amd64/kubectl.exe.sha256
    ```
 
    Valide el binario kubectl con el archivo de comprobación:
@@ -148,7 +148,7 @@ A continuación se muestran los procedimientos para configurar el autocompletado
 1. Descargue la última versión con el comando:
 
    ```powershell
-   curl -LO https://dl.k8s.io/release/{{< param "fullversion" >}}/bin/windows/amd64/kubectl-convert.exe
+   curl -LO https://dl.k8s.io/release/{{% param "fullversion" %}}/bin/windows/amd64/kubectl-convert.exe
    ```
 
 1. Validar el binario (opcional)
@@ -156,7 +156,7 @@ A continuación se muestran los procedimientos para configurar el autocompletado
    Descargue el archivo de comprobación kubectl-convert:
 
    ```powershell
-   curl -LO https://dl.k8s.io/{{< param "fullversion" >}}/bin/windows/amd64/kubectl-convert.exe.sha256
+   curl -LO https://dl.k8s.io/{{% param "fullversion" %}}/bin/windows/amd64/kubectl-convert.exe.sha256
    ```
 
    Valide el binario kubectl-convert con el archivo de comprobación:
@@ -187,4 +187,4 @@ A continuación se muestran los procedimientos para configurar el autocompletado
 
 ## {{% heading "whatsnext" %}}
 
-{{< include "kubectl-whats-next.md" >}}
\ No newline at end of file
+{{< include "kubectl-whats-next.md" >}}

From 8850ccdf613933ca9a489c75f3fc95a307f0a708 Mon Sep 17 00:00:00 2001
From: Craig Box <craigb@armosec.io>
Date: Mon, 13 Mar 2023 10:56:17 +1300
Subject: [PATCH 118/215] Shortcode fixes for hi

---
 content/hi/docs/tasks/tools/install-kubectl-windows.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/content/hi/docs/tasks/tools/install-kubectl-windows.md b/content/hi/docs/tasks/tools/install-kubectl-windows.md
index 5af06aaf32792..7632d08486f80 100644
--- a/content/hi/docs/tasks/tools/install-kubectl-windows.md
+++ b/content/hi/docs/tasks/tools/install-kubectl-windows.md
@@ -27,7 +27,7 @@ Windows पर kubectl संस्थापित करने के लिए
    या यदि आपके पास `curl` है, तो इस कमांड का उपयोग करें:
 
    ```powershell
-   curl -LO https://dl.k8s.io/release/{{< param "fullversion" >}}/bin/windows/amd64/kubectl.exe
+   curl -LO https://dl.k8s.io/release/{{% param "fullversion" %}}/bin/windows/amd64/kubectl.exe
    ```
 
    {{< note >}}
@@ -39,7 +39,7 @@ Windows पर kubectl संस्थापित करने के लिए
    kubectl चेकसम फाइल डाउनलोड करें:
 
    ```powershell
-   curl -LO https://dl.k8s.io/{{< param "fullversion" >}}/bin/windows/amd64/kubectl.exe.sha256
+   curl -LO https://dl.k8s.io/{{% param "fullversion" %}}/bin/windows/amd64/kubectl.exe.sha256
    ```
 
    चेकसम फ़ाइल से kubectl बाइनरी को मान्य करें:
@@ -143,7 +143,7 @@ kubectl Bash और Zsh के लिए ऑटोकम्प्लेशन 
 1. इस कमांड से नवीनतम रिलीज डाउनलोड करें:
 
    ```powershell
-   curl -LO https://dl.k8s.io/release/{{< param "fullversion" >}}/bin/windows/amd64/kubectl-convert.exe
+   curl -LO https://dl.k8s.io/release/{{% param "fullversion" %}}/bin/windows/amd64/kubectl-convert.exe
    ```
 
 1. बाइनरी को मान्य करें (वैकल्पिक)
@@ -151,7 +151,7 @@ kubectl Bash और Zsh के लिए ऑटोकम्प्लेशन 
    kubectl-convert चेकसम फ़ाइल डाउनलोड करें:
 
    ```powershell
-   curl -LO https://dl.k8s.io/{{< param "fullversion" >}}/bin/windows/amd64/kubectl-convert.exe.sha256
+   curl -LO https://dl.k8s.io/{{% param "fullversion" %}}/bin/windows/amd64/kubectl-convert.exe.sha256
    ```
 
    चेकसम फ़ाइल से kubectl-convert बाइनरी को मान्य करें:

From a24742afbd8956d67d78ec3b2969915e9d101dfb Mon Sep 17 00:00:00 2001
From: Craig Box <craigb@armosec.io>
Date: Mon, 13 Mar 2023 13:15:59 +1300
Subject: [PATCH 119/215] Empty commit


From bf5dc69ee4795938592a553671062fa0bc1960fa Mon Sep 17 00:00:00 2001
From: windsonsea <haifeng.yao@daocloud.io>
Date: Mon, 13 Mar 2023 09:47:31 +0800
Subject: [PATCH 120/215] [zh] sync a link with en

---
 .../docs/concepts/scheduling-eviction/assign-pod-node.md      | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node.md b/content/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node.md
index 46967e8aa1605..b394f0de6fec3 100644
--- a/content/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node.md
+++ b/content/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node.md
@@ -411,12 +411,12 @@ scheduler profile name.
 
 {{< note >}}
 <!--
-The DaemonSet controller, which [creates Pods for DaemonSets](/docs/concepts/workloads/controllers/daemonset/#scheduled-by-default-scheduler),
+The DaemonSet controller, which [creates Pods for DaemonSets](/docs/concepts/workloads/controllers/daemonset/#how-daemon-pods-are-scheduled),
 does not support scheduling profiles. When the DaemonSet controller creates
 Pods, the default Kubernetes scheduler places those Pods and honors any
 `nodeAffinity` rules in the DaemonSet controller.
 -->
-DaemonSet 控制器[为 DaemonSet 创建 Pods](/zh-cn/docs/concepts/workloads/controllers/daemonset/#scheduled-by-default-scheduler)，
+DaemonSet 控制器[为 DaemonSet 创建 Pod](/zh-cn/docs/concepts/workloads/controllers/daemonset/#how-daemon-pods-are-scheduled)，
 但该控制器不理会调度方案。
 DaemonSet 控制器创建 Pod 时，默认的 Kubernetes 调度器负责放置 Pod，
 并遵从 DaemonSet 控制器中奢侈的 `nodeAffinity` 规则。

From 7a44d0223ff65f5a24f9f9277fd33c5cca6a1e3b Mon Sep 17 00:00:00 2001
From: windsonsea <haifeng.yao@daocloud.io>
Date: Mon, 13 Mar 2023 09:55:31 +0800
Subject: [PATCH 121/215] [zh] sync kustomization.md

---
 .../docs/tasks/manage-kubernetes-objects/kustomization.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/content/zh-cn/docs/tasks/manage-kubernetes-objects/kustomization.md b/content/zh-cn/docs/tasks/manage-kubernetes-objects/kustomization.md
index 1f58cb6dd5284..1878390be479e 100644
--- a/content/zh-cn/docs/tasks/manage-kubernetes-objects/kustomization.md
+++ b/content/zh-cn/docs/tasks/manage-kubernetes-objects/kustomization.md
@@ -172,12 +172,12 @@ metadata:
   name: example-configmap-1-42cfbf598f
 ```
 
+{{< note >}}
 <!--
-Each variable in the `.env` file becomes a separate key in the ConfigMap that you generate. This is different from the previous example which embeds a file named `.properties` (and all its entries) as the value for a single key.
+Each variable in the `.env` file becomes a separate key in the ConfigMap that you generate. This is different from the previous example which embeds a file named `application.properties` (and all its entries) as the value for a single key.
 -->
-{{< note >}}
-`.env` 文件中的每个变量在生成的 ConfigMap 中成为一个单独的键。
-这与之前的示例不同，前一个示例将一个名为 `.properties` 的文件（及其所有条目）嵌入到同一个键的值中。
+`.env` 文件中的每个变量在生成的 ConfigMap 中成为一个单独的键。这与之前的示例不同，
+前一个示例将一个名为 `application.properties` 的文件（及其所有条目）嵌入到同一个键的值中。
 {{< /note >}}
 
 <!--

From a4a5b15ee7b5143fee897fd17a9c283f3acd592e Mon Sep 17 00:00:00 2001
From: JenTing Hsiao <hsiaoairplane@gmail.com>
Date: Mon, 13 Mar 2023 10:14:24 +0800
Subject: [PATCH 122/215] Quota the variable

Signed-off-by: JenTing Hsiao <hsiaoairplane@gmail.com>
---
 content/en/docs/concepts/policy/resource-quotas.md    | 2 +-
 content/zh-cn/docs/concepts/policy/resource-quotas.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/en/docs/concepts/policy/resource-quotas.md b/content/en/docs/concepts/policy/resource-quotas.md
index 3adab67be31fc..c67880458a355 100644
--- a/content/en/docs/concepts/policy/resource-quotas.md
+++ b/content/en/docs/concepts/policy/resource-quotas.md
@@ -122,7 +122,7 @@ In addition, you can limit consumption of storage resources based on associated
 | `requests.storage` | Across all persistent volume claims, the sum of storage requests cannot exceed this value. |
 | `persistentvolumeclaims` | The total number of [PersistentVolumeClaims](/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) that can exist in the namespace. |
 | `<storage-class-name>.storageclass.storage.k8s.io/requests.storage` | Across all persistent volume claims associated with the `<storage-class-name>`, the sum of storage requests cannot exceed this value. |
-| `<storage-class-name>.storageclass.storage.k8s.io/persistentvolumeclaims` | Across all persistent volume claims associated with the storage-class-name, the total number of [persistent volume claims](/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) that can exist in the namespace. |
+| `<storage-class-name>.storageclass.storage.k8s.io/persistentvolumeclaims` | Across all persistent volume claims associated with the `<storage-class-name>`, the total number of [persistent volume claims](/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) that can exist in the namespace. |
 
 For example, if an operator wants to quota storage with `gold` storage class separate from `bronze` storage class, the operator can
 define a quota as follows:
diff --git a/content/zh-cn/docs/concepts/policy/resource-quotas.md b/content/zh-cn/docs/concepts/policy/resource-quotas.md
index 8441336738678..09b791f14c730 100644
--- a/content/zh-cn/docs/concepts/policy/resource-quotas.md
+++ b/content/zh-cn/docs/concepts/policy/resource-quotas.md
@@ -235,7 +235,7 @@ In addition, you can limit consumption of storage resources based on associated
 | `requests.storage` | Across all persistent volume claims, the sum of storage requests cannot exceed this value. |
 | `persistentvolumeclaims` | The total number of [PersistentVolumeClaims](/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) that can exist in the namespace. |
 | `<storage-class-name>.storageclass.storage.k8s.io/requests.storage` | Across all persistent volume claims associated with the `<storage-class-name>`, the sum of storage requests cannot exceed this value. |
-| `<storage-class-name>.storageclass.storage.k8s.io/persistentvolumeclaims` | Across all persistent volume claims associated with the storage-class-name, the total number of [persistent volume claims](/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) that can exist in the namespace. |
+| `<storage-class-name>.storageclass.storage.k8s.io/persistentvolumeclaims` | Across all persistent volume claims associated with the `<storage-class-name>`, the total number of [persistent volume claims](/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) that can exist in the namespace. |
 -->
 | 资源名称 | 描述 |
 | --------------------- | ----------------------------------------------------------- |

From 4c20add09eb84c4ef62b7f7c0a25f5951a18ad09 Mon Sep 17 00:00:00 2001
From: windsonsea <haifeng.yao@daocloud.io>
Date: Mon, 13 Mar 2023 10:15:47 +0800
Subject: [PATCH 123/215] Tweak line wrappings in blog:
 Security-Bahavior-Analysis

---
 .../index.md                                  | 144 ++++++++++++++----
 1 file changed, 118 insertions(+), 26 deletions(-)

diff --git a/content/en/blog/_posts/2023-01-20-Security-Bahavior-Analysis/index.md b/content/en/blog/_posts/2023-01-20-Security-Bahavior-Analysis/index.md
index 433fac80e40c9..8ffcd99cfdd23 100644
--- a/content/en/blog/_posts/2023-01-20-Security-Bahavior-Analysis/index.md
+++ b/content/en/blog/_posts/2023-01-20-Security-Bahavior-Analysis/index.md
@@ -8,39 +8,99 @@ slug: security-behavior-analysis
 **Author:**
 David Hadas (IBM Research Labs)
 
-_This post warns Devops from a false sense of security. Following security best practices when developing and configuring microservices do not result in non-vulnerable microservices. The post shows that although all deployed microservices are vulnerable, there is much that can be done to ensure microservices are not exploited. It explains how analyzing the behavior of clients and services from a security standpoint, named here **"Security-Behavior Analytics"**, can protect the deployed vulnerable microservices. It points to [Guard](http://knative.dev/security-guard), an open source project offering security-behavior monitoring and control of Kubernetes microservices presumed vulnerable._
-
-As cyber attacks continue to intensify in sophistication, organizations deploying cloud services continue to grow their cyber investments aiming to produce safe and non-vulnerable services. However, the year-by-year growth in cyber investments does not result in a parallel reduction in cyber incidents. Instead, the number of cyber incidents continues to grow annually. Evidently, organizations are doomed to fail in this struggle - no matter how much effort is made to detect and remove cyber weaknesses from deployed services, it seems offenders always have the upper hand.
-
-Considering the current spread of offensive tools, sophistication of offensive players, and ever-growing cyber financial gains to offenders, any cyber strategy that relies on constructing a non-vulnerable, weakness-free service in 2023 is clearly too naïve. It seems the only viable strategy is to:
+_This post warns Devops from a false sense of security. Following security
+best practices when developing and configuring microservices do not result
+in non-vulnerable microservices. The post shows that although all deployed
+microservices are vulnerable, there is much that can be done to ensure
+microservices are not exploited. It explains how analyzing the behavior of
+clients and services from a security standpoint, named here
+**"Security-Behavior Analytics"**, can protect the deployed vulnerable microservices.
+It points to [Guard](http://knative.dev/security-guard), an open source project offering
+security-behavior monitoring and control of Kubernetes microservices presumed vulnerable._
+
+As cyber attacks continue to intensify in sophistication, organizations deploying
+cloud services continue to grow their cyber investments aiming to produce safe and
+non-vulnerable services. However, the year-by-year growth in cyber investments does
+not result in a parallel reduction in cyber incidents. Instead, the number of cyber
+incidents continues to grow annually. Evidently, organizations are doomed to fail in
+this struggle - no matter how much effort is made to detect and remove cyber weaknesses
+from deployed services, it seems offenders always have the upper hand.
+
+Considering the current spread of offensive tools, sophistication of offensive players,
+and ever-growing cyber financial gains to offenders, any cyber strategy that relies on
+constructing a non-vulnerable, weakness-free service in 2023 is clearly too naïve.
+It seems the only viable strategy is to:
 
 &#x27A5; **Admit that your services are vulnerable!**
 
-In other words, consciously accept that you will never create completely invulnerable services. If your opponents find even a single weakness as an entry-point, you lose! Admitting that in spite of your best efforts, all your services are still vulnerable is an important first step. Next, this post discusses what you can do about it...
+In other words, consciously accept that you will never create completely invulnerable
+services. If your opponents find even a single weakness as an entry-point, you lose!
+Admitting that in spite of your best efforts, all your services are still vulnerable
+is an important first step. Next, this post discusses what you can do about it...
 
 ## How to protect microservices from being exploited
 
-Being vulnerable does not necessarily mean that your service will be exploited. Though your services are vulnerable in some ways unknown to you, offenders still need to identify these vulnerabilities and then exploit them. If offenders fail to exploit your service vulnerabilities, you win! In other words, having a vulnerability that can’t be exploited, represents a risk that can’t be realized.
+Being vulnerable does not necessarily mean that your service will be exploited.
+Though your services are vulnerable in some ways unknown to you, offenders still
+need to identify these vulnerabilities and then exploit them. If offenders fail
+to exploit your service vulnerabilities, you win! In other words, having a
+vulnerability that can’t be exploited, represents a risk that can’t be realized.
 
 {{< figure src="security_behavior_figure_1.svg" alt="Image of an example of offender gaining foothold in a service" class="diagram-large" caption="Figure 1. An Offender gaining foothold in a vulnerable service" >}}
 
-The above diagram shows an example in which the offender does not yet have a foothold in the service; that is, it is assumed that your service does not run code controlled by the offender on day 1. In our example the service has vulnerabilities in the API exposed to clients. To gain an initial foothold the offender uses a malicious client to try and exploit one of the service API vulnerabilities. The malicious client sends an exploit that triggers some unplanned behavior of the service.
-
-More specifically, let’s assume the service is vulnerable to an SQL injection. The developer failed to sanitize the user input properly, thereby allowing clients to send values that would change the intended behavior. In our example, if a client sends a query string with key “username” and value of _“tom or 1=1”_, the client will receive the data of all users. Exploiting this vulnerability requires the client to send an irregular string as the value. Note that benign users will not be sending a string with spaces or with the equal sign character as a username, instead they will normally send legal usernames which for example may be defined as a short sequence of characters a-z. No legal username can trigger service unplanned behavior.
-
-In this simple example, one can already identify several opportunities to detect and block an attempt to exploit the vulnerability (un)intentionally left behind by the developer, making the vulnerability unexploitable. First, the malicious client behavior differs from the behavior of benign clients, as it sends irregular requests. If such a change in behavior is detected and blocked, the exploit will never reach the service. Second, the service behavior in response to the exploit differs from the service behavior in response to a regular request. Such behavior may include making subsequent irregular calls to other services such as a data store, taking irregular time to respond, and/or responding to the malicious client with an irregular response (for example, containing much more data than normally sent in case of benign clients making regular requests). Service behavioral changes, if detected, will also allow blocking the exploit in different stages of the exploitation attempt.
+The above diagram shows an example in which the offender does not yet have a
+foothold in the service; that is, it is assumed that your service does not run
+code controlled by the offender on day 1. In our example the service has
+vulnerabilities in the API exposed to clients. To gain an initial foothold the
+offender uses a malicious client to try and exploit one of the service API
+vulnerabilities. The malicious client sends an exploit that triggers some
+unplanned behavior of the service.
+
+More specifically, let’s assume the service is vulnerable to an SQL injection.
+The developer failed to sanitize the user input properly, thereby allowing clients
+to send values that would change the intended behavior. In our example, if a client
+sends a query string with key “username” and value of _“tom or 1=1”_, the client will
+receive the data of all users. Exploiting this vulnerability requires the client to
+send an irregular string as the value. Note that benign users will not be sending a
+string with spaces or with the equal sign character as a username, instead they will
+normally send legal usernames which for example may be defined as a short sequence of
+characters a-z. No legal username can trigger service unplanned behavior.
+
+In this simple example, one can already identify several opportunities to detect and
+block an attempt to exploit the vulnerability (un)intentionally left behind by the
+developer, making the vulnerability unexploitable. First, the malicious client behavior
+differs from the behavior of benign clients, as it sends irregular requests. If such a
+change in behavior is detected and blocked, the exploit will never reach the service.
+Second, the service behavior in response to the exploit differs from the service behavior
+in response to a regular request. Such behavior may include making subsequent irregular
+calls to other services such as a data store, taking irregular time to respond, and/or
+responding to the malicious client with an irregular response (for example, containing
+much more data than normally sent in case of benign clients making regular requests).
+Service behavioral changes, if detected, will also allow blocking the exploit in
+different stages of the exploitation attempt.
 
 More generally:
 
-- Monitoring the behavior of clients can help detect and block exploits against service API vulnerabilities. In fact, deploying efficient client behavior monitoring makes many vulnerabilities unexploitable and others very hard to achieve. To succeed, the offender needs to create an exploit undetectable from regular requests.
+- Monitoring the behavior of clients can help detect and block exploits against
+  service API vulnerabilities. In fact, deploying efficient client behavior
+  monitoring makes many vulnerabilities unexploitable and others very hard to achieve.
+  To succeed, the offender needs to create an exploit undetectable from regular requests.
 
-- Monitoring the behavior of services can help detect services as they are being exploited regardless of the attack vector used. Efficient service behavior monitoring limits what an attacker may be able to achieve as the offender needs to ensure the service behavior is undetectable from regular service behavior.
+- Monitoring the behavior of services can help detect services as they are being
+  exploited regardless of the attack vector used. Efficient service behavior
+  monitoring limits what an attacker may be able to achieve as the offender needs
+  to ensure the service behavior is undetectable from regular service behavior.
 
-Combining both approaches may add a protection layer to the deployed vulnerable services, drastically decreasing the probability for anyone to successfully exploit any of the deployed vulnerable services. Next, let us identify four use cases where you need to use security-behavior monitoring.
+Combining both approaches may add a protection layer to the deployed vulnerable services,
+drastically decreasing the probability for anyone to successfully exploit any of the
+deployed vulnerable services. Next, let us identify four use cases where you need to
+use security-behavior monitoring.
 
 ## Use cases
 
-One can identify the following four different stages in the life of any service from a security standpoint. In each stage, security-behavior monitoring is required to meet different challenges:
+One can identify the following four different stages in the life of any service
+from a security standpoint. In each stage, security-behavior monitoring is required
+to meet different challenges:
 
 Service State | Use case | What do you need in order to cope with this use case?
 ------------- | ------------- | -----------------------------------------
@@ -53,25 +113,57 @@ Fortunately, microservice architecture is well suited to security-behavior monit
 
 ## Security-Behavior of microservices versus monoliths {#microservices-vs-monoliths}
 
-Kubernetes is often used to support workloads designed with microservice architecture. By design, microservices aim to follow the UNIX philosophy of "Do One Thing And Do It Well". Each microservice has a bounded context and a clear interface. In other words, you can expect the microservice clients to send relatively regular requests and the microservice to present a relatively regular behavior as a response to these requests. Consequently, a microservice architecture is an excellent candidate for security-behavior monitoring.
+Kubernetes is often used to support workloads designed with microservice architecture.
+By design, microservices aim to follow the UNIX philosophy of "Do One Thing And Do It Well".
+Each microservice has a bounded context and a clear interface. In other words, you can expect
+the microservice clients to send relatively regular requests and the microservice to present
+a relatively regular behavior as a response to these requests. Consequently, a microservice
+architecture is an excellent candidate for security-behavior monitoring.
 
 {{< figure src="security_behavior_figure_2.svg" alt="Image showing why microservices are well suited for security-behavior monitoring" class="diagram-large" caption="Figure 2. Microservices are well suited for security-behavior monitoring" >}}
 
-The diagram above clarifies how dividing a monolithic service to a set of microservices improves our ability to perform security-behavior monitoring and control. In a monolithic service approach, different client requests are intertwined, resulting in a diminished ability to identify irregular client behaviors. Without prior knowledge, an observer of the intertwined client requests will find it hard to distinguish between types of requests and their related characteristics. Further, internal client requests are not exposed to the observer. Lastly, the aggregated behavior of the monolithic service is a compound of the many different internal behaviors of its components, making it hard to identify irregular service behavior.
-
-In a microservice environment, each microservice is expected by design to offer a more well-defined service and serve better defined type of requests. This makes it easier for an observer to identify irregular client behavior and irregular service behavior. Further, a microservice design exposes the internal requests and internal services which offer more security-behavior data to identify irregularities by an observer. Overall, this makes the microservice design pattern better suited for security-behavior monitoring and control.
+The diagram above clarifies how dividing a monolithic service to a set of
+microservices improves our ability to perform security-behavior monitoring
+and control. In a monolithic service approach, different client requests are
+intertwined, resulting in a diminished ability to identify irregular client
+behaviors. Without prior knowledge, an observer of the intertwined client
+requests will find it hard to distinguish between types of requests and their
+related characteristics. Further, internal client requests are not exposed to
+the observer. Lastly, the aggregated behavior of the monolithic service is a
+compound of the many different internal behaviors of its components, making
+it hard to identify irregular service behavior.
+
+In a microservice environment, each microservice is expected by design to offer
+a more well-defined service and serve better defined type of requests. This makes
+it easier for an observer to identify irregular client behavior and irregular
+service behavior. Further, a microservice design exposes the internal requests
+and internal services which offer more security-behavior data to identify
+irregularities by an observer. Overall, this makes the microservice design
+pattern better suited for security-behavior monitoring and control.
 
 ## Security-Behavior monitoring on Kubernetes
 
-Kubernetes deployments seeking to add Security-Behavior may use [Guard](http://knative.dev/security-guard), developed under the CNCF project Knative. Guard is integrated into the full Knative automation suite that runs on top of Kubernetes. Alternatively, **you can deploy Guard as a standalone tool** to protect any HTTP-based workload on Kubernetes.
+Kubernetes deployments seeking to add Security-Behavior may use
+[Guard](http://knative.dev/security-guard), developed under the CNCF project Knative.
+Guard is integrated into the full Knative automation suite that runs on top of Kubernetes.
+Alternatively, **you can deploy Guard as a standalone tool** to protect any HTTP-based workload on Kubernetes.
 
 See:
 
-- [Guard](https://github.com/knative-sandbox/security-guard)  on Github, for using Guard as a standalone tool.
-- The Knative automation suite - Read about Knative, in the blog post [Opinionated Kubernetes](https://davidhadas.wordpress.com/2022/08/29/knative-an-opinionated-kubernetes) which describes how Knative simplifies and unifies the way web services are deployed on Kubernetes.
-- You may contact Guard maintainers on the [SIG Security](https://kubernetes.slack.com/archives/C019LFTGNQ3) Slack channel or on the Knative community [security](https://knative.slack.com/archives/CBYV1E0TG) Slack channel. The Knative community channel will move soon to the [CNCF Slack](https://communityinviter.com/apps/cloud-native/cncf) under the name `#knative-security`.
-
-The goal of this post is to invite the Kubernetes community to action and introduce Security-Behavior monitoring and control to help secure Kubernetes based deployments. Hopefully, the community as a follow up will:
+- [Guard](https://github.com/knative-sandbox/security-guard)  on Github,
+  for using Guard as a standalone tool.
+- The Knative automation suite - Read about Knative, in the blog post
+  [Opinionated Kubernetes](https://davidhadas.wordpress.com/2022/08/29/knative-an-opinionated-kubernetes)
+  which describes how Knative simplifies and unifies the way web services are deployed on Kubernetes.
+- You may contact Guard maintainers on the
+  [SIG Security](https://kubernetes.slack.com/archives/C019LFTGNQ3) Slack channel
+  or on the Knative community [security](https://knative.slack.com/archives/CBYV1E0TG)
+  Slack channel. The Knative community channel will move soon to the
+  [CNCF Slack](https://communityinviter.com/apps/cloud-native/cncf) under the name `#knative-security`.
+
+The goal of this post is to invite the Kubernetes community to action and introduce
+Security-Behavior monitoring and control to help secure Kubernetes based deployments.
+Hopefully, the community as a follow up will:
 
 1. Analyze the cyber challenges presented for different Kubernetes use cases
 1. Add appropriate security documentation for users on how to introduce Security-Behavior monitoring and control.

From 1548da1a123efb2f4a3436185e5f6d51b5ebb191 Mon Sep 17 00:00:00 2001
From: Edson C <edsoncelio@users.noreply.github.com>
Date: Mon, 13 Mar 2023 00:18:41 -0300
Subject: [PATCH 124/215] [PT-BR] Add
 content/pt-br/blog/_posts/2023-03-10-image-registry-change.md (#39927)

* feat: add ptbr blog post to image registry change

* Update content/pt-br/blog/_posts/2023-03-10-image-registry-change.md

Co-authored-by: Mauren Berti <698465+stormqueen1990@users.noreply.github.com>

* Update content/pt-br/blog/_posts/2023-03-10-image-registry-change.md

Co-authored-by: Mauren Berti <698465+stormqueen1990@users.noreply.github.com>

* Update content/pt-br/blog/_posts/2023-03-10-image-registry-change.md

Co-authored-by: Mauren Berti <698465+stormqueen1990@users.noreply.github.com>

* Update content/pt-br/blog/_posts/2023-03-10-image-registry-change.md

Co-authored-by: Mauren Berti <698465+stormqueen1990@users.noreply.github.com>

* Update content/pt-br/blog/_posts/2023-03-10-image-registry-change.md

Co-authored-by: Mauren Berti <698465+stormqueen1990@users.noreply.github.com>

* Update content/pt-br/blog/_posts/2023-03-10-image-registry-change.md

Co-authored-by: Mauren Berti <698465+stormqueen1990@users.noreply.github.com>

* Update content/pt-br/blog/_posts/2023-03-10-image-registry-change.md

Co-authored-by: Mauren Berti <698465+stormqueen1990@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Mauren Berti <698465+stormqueen1990@users.noreply.github.com>

* feat: add requested changes

* chore: empty commit

* feat: add requested changes

* feat: change registry to registro de imagem

---------

Co-authored-by: Mauren Berti <698465+stormqueen1990@users.noreply.github.com>
---
 .../2023-03-10-image-registry-change.md       | 155 ++++++++++++++++++
 1 file changed, 155 insertions(+)
 create mode 100644 content/pt-br/blog/_posts/2023-03-10-image-registry-change.md

diff --git a/content/pt-br/blog/_posts/2023-03-10-image-registry-change.md b/content/pt-br/blog/_posts/2023-03-10-image-registry-change.md
new file mode 100644
index 0000000000000..21146d51bffd4
--- /dev/null
+++ b/content/pt-br/blog/_posts/2023-03-10-image-registry-change.md
@@ -0,0 +1,155 @@
+---
+layout: blog
+title: "Redirecionamento do registro de imagens k8s.gcr.io para registry.k8s.io - O que você precisa saber"
+date: 2023-03-10T17:00:00.000Z
+slug: image-registry-redirect
+---
+
+**Autores**: Bob Killen (Google), Davanum Srinivas (AWS), Chris Short (AWS), Frederico Muñoz (SAS
+Institute), Tim Bannister (The Scale Factory), Ricky Sadowski (AWS), Grace Nguyen (Expo), Mahamed
+Ali (Rackspace Technology), Mars Toktonaliev (independent), Laura Santamaria (Dell), Kat Cosgrove
+(Dell)
+
+
+Na segunda-feira, dia 20 de março, o registro de imagens k8s.gcr.io [vai ser redirecionado para o registro de imagens da comunidade](https://kubernetes.io/blog/2022/11/28/registry-k8s-io-faster-cheaper-ga/), **registry.k8s.io**.
+
+
+## O que você precisa saber sobre essa mudança
+- Na segunda-feira, dia 20 de março, o tráfego do registro de imagens antigo k8s.gcr.io vai ser redirecionado para
+registry.k8s.io com o objetivo final de encerramento do k8s.gcr.io.
+- Se você está executando em um ambiente restrito, e aplica políticas rígidas de acesso a nomes de domínios
+ou endereços IPs limitado a k8s.gcr.io, **o pull de imagens não vai funcionar** depois que o k8s.gcr.io começar
+a redirecionar para o novo registro de imagens.
+- Um pequeno subconjunto de clientes que não seguem o padrão não lidam com redirecionamentos HTTP, e neste caso eles
+precisam ser apontados diretamente para registry.k8s.io.
+- O redirecionamento é um paliativo para ajudar os usuários a fazer essa troca. O registro obsoleto k8s.gcr.io será desativado em algum momento. **Por isso, atualize seus manifestos o mais rápido possível para apontar para registry.k8s.io**.
+- Se você mantém seu próprio registro de imagens, você pode copiar as imagens que você precisa para reduzir o tráfego
+ao registro de imagens da comunidade.
+
+Se você acha que vai ser impactado, ou gostaria de saber mais sobre essa mudança, leia mais abaixo.
+
+## Como eu posso checar se eu vou ser afetado?
+Para testar a conectividade ao registry.k8s.io (e saber se consegue baixar as imagens), pode executar o
+comando abaixo em um namespace da sua escolha:
+
+```
+kubectl run hello-world -ti --rm --image=registry.k8s.io/busybox:latest --restart=Never -- date
+```
+
+Quando executar o comando acima, é esperada a seguinte saída caso tudo esteja funcionando corretamente:
+
+```
+$ kubectl run hello-world -ti --rm --image=registry.k8s.io/busybox:latest --restart=Never -- date
+Fri Feb 31 07:07:07 UTC 2023
+pod "hello-world" deleted
+```
+
+## Quais erros são esperados caso eu seja afetado?
+Os erros podem depender do tipo de agente de execução de contêiner que você está usando, e para qual endpoint você está
+sendo direcionado, mas devem ser erros como `ErrImagePull`, `ImagePullBackOff`, ou falha na criação do
+container com o aviso `FailedCreatePodSandBox`.
+
+Abaixo um exemplo de uma mensagem de erro mostrando uma instalação por trás de um proxy falhando devido um certificado desconhecido:
+
+```
+FailedCreatePodSandBox: Failed to create pod sandbox: rpc error: code = Unknown desc = Error response from daemon: Head “https://us-west1-docker.pkg.dev/v2/k8s-artifacts-prod/images/pause/manifests/3.8”: x509: certificate signed by unknown authority
+```
+
+## Quais imagens serão afetadas?
+**TODAS** as imagens no k8s.gcr.io serão afetadas por essa mudança. O k8s.gcr.io hospeda muitas imagens além das releases do Kubernetes. Um grande número de subprojetos do Kubernetes hospedam seus projetos nele também. Alguns exemplos incluem 
+as imagens `dns/k8s-dns-node-cache`, `ingress-nginx/controller`, e
+`node-problem-detector/node-problem-detector`.
+
+## Eu fui afetado, o que devo fazer?
+Para usuários afetados que usam um ambiente restrito, a melhor opção é copiar as imagens necessárias
+para um registro privado ou configurar um cache de _pull-through_ nos seu registro de imagens.
+
+Existem várias ferramentas para copiar imagens entre registries. [Crane](https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane_copy.md) é uma dessas ferramentas, as imagens podem ser copiadas para um registro de imagens privado com `crane copy SRC DST`. Também existem ferramentas específicas de fornecedores, como o [gcrane](https://cloud.google.com/container-registry/docs/migrate-external-containers#copy) que faz uma função similar mas simplificada para a plataforma da Google.
+
+
+## Como eu posso encontrar quais imagens estão usando o registro de imagens antigo, e corrigir elas?
+
+**Opção 1**: Veja esse comando do kubectl no [blog post anterior](/pt-br/blog/2023/02/06/k8s-gcr-io-freeze-announcement/#próximos-passos):
+
+```
+kubectl get pods --all-namespaces -o jsonpath="{.items[*].spec.containers[*].image}" |\
+tr -s '[[:space:]]' '\n' |\
+sort |\
+uniq -c
+```
+
+**Opção 2**: Um plugin do `kubectl` [krew](https://krew.sigs.k8s.io/) chamado [`community-images`](https://github.com/kubernetes-sigs/community-images#kubectl-community-images) foi desenvolvido para escanear e reportar qualquer
+imagem usando o endpoint k8s.gcr.io.
+
+Se você tem o krew instalado, pode instalar o plugin com:
+
+```
+kubectl krew install community-images
+```
+
+E gerar um relatório com:
+
+```
+kubectl community-images
+```
+
+Para métodos alternativos de instalação ou exemplos de saída, veja o repositório [kubernetes-sigs/community-images](https://github.com/kubernetes-sigs/community-image).
+
+**Opção 3**: Se você não tem acesso diretamente ao cluster, ou gerencia muitos clusters - o melhor
+caminho é executar uma busca sobre seus manifestos e charts por _"k8s.gcr.io"_.
+
+**Opção 4**: Se você quer prevenir a execução de imagens a partir do k8s.gcr.io no seu cluster, existem políticas
+para [Gatekeeper](https://open-policy-agent.github.io/gatekeeper-library/website/) e
+[Kyverno](https://kyverno.io/) disponíveis no [repositório de melhores práticas para AWS EKS](https://github.com/aws/aws-eks-best-practices/tree/master/policies/k8s-registry-deprecation) que vão bloquear o pull das imagens. Você
+pode usar essas políticas de terceiros com qualquer cluster Kubernetes.
+
+**Opção 5**: Como a **ÚLTIMA** opção, você pode usar um [webhook de admissão](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#what-are-admission-webhooks) para alterar o
+endereço da imagem dinamicamente. Isso deve ser feito apenas como uma medida paliativa enquanto os
+seus manifestos são atualizados. Você pode encontrar um webhook de admissão e uma política do 
+Kyverno (de terceiros) em [k8s-gcr-quickfix](https://github.com/abstractinfrastructure/k8s-gcr-quickfix).
+
+
+## Por que o Kubernetes mudou para um registro de imagem diferente?
+
+O k8s.gcr.io é hospedado em um domínio customizado no [Google Cloud Registry (GCR)](https://cloud.google.com/container-registry?hl=pt-br)
+que foi configurado exclusivamente para o projeto do Kubernetes. Isso funcionou desde o nascimento do projeto,
+e nós agradecemos ao Google por prover esses recursos, mas atualmente, existem outros provedores de nuvem e fornecedores
+que gostariam de hospedar imagens para fornecer uma melhor experiência para as pessoas nas suas plataformas. 
+Além do Google ter [renovado o compromisso de doar $3 milhões](https://www.cncf.io/google-cloud-recommits-3m-to-kubernetes/) para manter a infraestrutura do projeto ano passado, a Amazon Web Services anunciou uma doação correspondente 
+[durante o seu keynote na Kubecon NA 2022 em Detroit](https://youtu.be/PPdimejomWo?t=236). Isso proporcionará
+uma melhor experiência para os usuários (servidores mais pertos = downloads mais rápidos) e vai reduzir 
+a largura de banda de saída e os custos do GCR ao mesmo tempo.
+
+Para mais detalhes sobre essa mudança, leia mais em [registry.k8s.io: rápido, barato e em disponibilidade geral (GA)](/pt-br/blog/2022/11/28/registry-k8s-io-faster-cheaper-ga/).
+
+
+## Por que está sendo feito um redirecionamento?
+
+O projeto mudou para o [registry.k8s.io ano passado na versão 1.25](/pt-br/blog/2022/11/28/registry-k8s-io-faster-cheaper-ga/); entretanto, a maioria do tráfego de pull de imagens ainda continua sendo
+feito para o antigo endpoint k8s.gcr.io. Isso não foi sustentável para nós como um projeto pois não estamos
+usando os recursos que foram doados para o projeto por outros provedores e estamos correndo o risco de ficar 
+sem recursos dado o custo de servir esse tráfego.
+
+O redirecionamento vai permitir que o projeto aproveite as vantagens desses novos recursos, reduzindo
+significantemente os cursos da largura de banda de saída. Nós esperamos que apenas um pequeno subconjunto
+de usuários executando em ambientes restritos ou clientes antigos que não consigam fazer o redirecionamento
+apropriadamente sejam impactados.
+
+## O que vai acontecer com o k8s.gcr.io?
+Para além do redirecionamento, o k8s.gcr.io vai ser congelado [e não vai ser atualizado com novas imagens
+depois do dia 03 de abril de 2023](https://kubernetes.io/blog/2023/02/06/k8s-gcr-io-freeze-announcement/).
+O `k8s.gcr.io` não vai receber nenhuma nova release, patch ou atualização de segurança. Ele continuará 
+disponível para ajudar as pessoas na migração, mas **SERÁ** removido totalmente no futuro.
+
+## Ainda tenho perguntas, onde devo ir?
+Para mais informações sobre o registry.k8s.io e porque foi desenvolvido, leia em [registry.k8s.io: rápido, barato e em disponibilidade geral (GA)](/pt-br/blog/2022/11/28/registry-k8s-io-faster-cheaper-ga/).
+
+Se você quer saber mais sobre o congelamento das imagens e as últimas imagens que vão ficar disponíveis lá, 
+leia o blog post: [kk8s.gcr.io O registro de imagens será congelado a partir de 3 de abril de 2023](/pt-br/blog/2023/02/06/k8s-gcr-io-freeze-announcement/).
+
+Informações sobre a arquitetura do registry.k8s.io e sobre sua [árvore de decisão de tratamento das requisições](https://github.com/kubernetes/registry.k8s.io/blob/8408d0501a88b3d2531ff54b14eeb0e3c900a4f3/cmd/archeio/docs/request-handling.md) 
+pode ser encontradas no repositório [kubernetes/registry.k8s.io](https://github.com/kubernetes/registry.k8s.io).
+
+Se você encontrar um bug no novo registro de imagens ou no redirecionamento, por favor abra uma issue no repositório [kubernetes/registry.k8s.io](https://github.com/kubernetes/registry.k8s.io/issues/new/choose).
+**Por favor verifique se já não existe uma issue aberta parecida antes de abrir uma nova**.
+

From abf022825ecc180784c52b4027a1e3c76807931b Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Mon, 13 Mar 2023 14:24:37 +0800
Subject: [PATCH 125/215] Replace k8s.gcr.io references with registry.k8s.io

---
 .../admin/logging/two-files-counter-pod-agent-sidecar.yaml      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ru/examples/admin/logging/two-files-counter-pod-agent-sidecar.yaml b/content/ru/examples/admin/logging/two-files-counter-pod-agent-sidecar.yaml
index ddfb8104cb946..a621a9fb2acce 100644
--- a/content/ru/examples/admin/logging/two-files-counter-pod-agent-sidecar.yaml
+++ b/content/ru/examples/admin/logging/two-files-counter-pod-agent-sidecar.yaml
@@ -22,7 +22,7 @@ spec:
     - name: varlog
       mountPath: /var/log
   - name: count-agent
-    image: k8s.gcr.io/fluentd-gcp:1.30
+    image: registry.k8s.io/fluentd-gcp:1.30
     env:
     - name: FLUENTD_ARGS
       value: -c /etc/fluentd-config/fluentd.conf

From 7f1d8a90af811d15aec1589b3c89d2e328c118ce Mon Sep 17 00:00:00 2001
From: windsonsea <haifeng.yao@daocloud.io>
Date: Mon, 13 Mar 2023 17:16:17 +0800
Subject: [PATCH 126/215] Add windonsea to sig-docs-zh-owners

---
 OWNERS_ALIASES | 1 +
 1 file changed, 1 insertion(+)

diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES
index 22c9332976326..7e7bbdef6b5f5 100644
--- a/OWNERS_ALIASES
+++ b/OWNERS_ALIASES
@@ -138,6 +138,7 @@ aliases:
     - Sea-n
     - tanjunchen
     - tengqm
+    - windsonsea
     - xichengliudui
   sig-docs-zh-reviews: # PR reviews for Chinese content
     - chenrui333

From 7306b6ab68d70dc694d30622e74c7a29d3eec00c Mon Sep 17 00:00:00 2001
From: "Chris \"Not So\" Short" <chris@chrisshort.net>
Date: Mon, 13 Mar 2023 08:35:42 -0400
Subject: [PATCH 127/215] Update _redirects

Adding an alias for https://k8s.io/image-registry-change because I hurriedly put this out to the k-dev mailing list overnight.
---
 static/_redirects | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/static/_redirects b/static/_redirects
index 65f0758f31376..1e7babdd208a6 100644
--- a/static/_redirects
+++ b/static/_redirects
@@ -371,6 +371,8 @@
 
 /image-registry-redirect  /blog/2023/03/10/image-registry-redirect/ 302
 /image-registry-redirect/ /blog/2022/02/10/image-registry-redirect/ 302
+/image-registry-change  /blog/2023/03/10/image-registry-redirect/ 302
+/image-registry-change/ /blog/2022/02/10/image-registry-redirect/ 302
 
 /docs/setup/release/notes/     /releases/notes/   302
 /docs/setup/release/                 /releases/   301

From 7d150e4f91182dd3fa547431ab6808a9afff776e Mon Sep 17 00:00:00 2001
From: Mauren Berti <stormqueen1990@gmail.com>
Date: Mon, 13 Mar 2023 09:19:45 -0400
Subject: [PATCH 128/215] [pt-br] Fix minor typos in image-registry-change.md
 blog post.

---
 .../blog/_posts/2023-03-10-image-registry-change.md    | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/content/pt-br/blog/_posts/2023-03-10-image-registry-change.md b/content/pt-br/blog/_posts/2023-03-10-image-registry-change.md
index 21146d51bffd4..5494eee2abf22 100644
--- a/content/pt-br/blog/_posts/2023-03-10-image-registry-change.md
+++ b/content/pt-br/blog/_posts/2023-03-10-image-registry-change.md
@@ -18,7 +18,7 @@ Na segunda-feira, dia 20 de março, o registro de imagens k8s.gcr.io [vai ser re
 - Na segunda-feira, dia 20 de março, o tráfego do registro de imagens antigo k8s.gcr.io vai ser redirecionado para
 registry.k8s.io com o objetivo final de encerramento do k8s.gcr.io.
 - Se você está executando em um ambiente restrito, e aplica políticas rígidas de acesso a nomes de domínios
-ou endereços IPs limitado a k8s.gcr.io, **o pull de imagens não vai funcionar** depois que o k8s.gcr.io começar
+ou endereços IPs limitado a k8s.gcr.io, **o _pull_ de imagens não vai funcionar** depois que o k8s.gcr.io começar
 a redirecionar para o novo registro de imagens.
 - Um pequeno subconjunto de clientes que não seguem o padrão não lidam com redirecionamentos HTTP, e neste caso eles
 precisam ser apontados diretamente para registry.k8s.io.
@@ -49,7 +49,7 @@ Os erros podem depender do tipo de agente de execução de contêiner que você
 sendo direcionado, mas devem ser erros como `ErrImagePull`, `ImagePullBackOff`, ou falha na criação do
 container com o aviso `FailedCreatePodSandBox`.
 
-Abaixo um exemplo de uma mensagem de erro mostrando uma instalação por trás de um proxy falhando devido um certificado desconhecido:
+Abaixo um exemplo de uma mensagem de erro mostrando uma instalação por trás de um proxy falhando devido a um certificado desconhecido:
 
 ```
 FailedCreatePodSandBox: Failed to create pod sandbox: rpc error: code = Unknown desc = Error response from daemon: Head “https://us-west1-docker.pkg.dev/v2/k8s-artifacts-prod/images/pause/manifests/3.8”: x509: certificate signed by unknown authority
@@ -62,9 +62,9 @@ as imagens `dns/k8s-dns-node-cache`, `ingress-nginx/controller`, e
 
 ## Eu fui afetado, o que devo fazer?
 Para usuários afetados que usam um ambiente restrito, a melhor opção é copiar as imagens necessárias
-para um registro privado ou configurar um cache de _pull-through_ nos seu registro de imagens.
+para um registro privado ou configurar um cache de _pull-through_ no seu registro de imagens.
 
-Existem várias ferramentas para copiar imagens entre registries. [Crane](https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane_copy.md) é uma dessas ferramentas, as imagens podem ser copiadas para um registro de imagens privado com `crane copy SRC DST`. Também existem ferramentas específicas de fornecedores, como o [gcrane](https://cloud.google.com/container-registry/docs/migrate-external-containers#copy) que faz uma função similar mas simplificada para a plataforma da Google.
+Existem várias ferramentas para copiar imagens entre registros de imagens. [Crane](https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane_copy.md) é uma dessas ferramentas, as imagens podem ser copiadas para um registro de imagens privado com `crane copy SRC DST`. Também existem ferramentas específicas de fornecedores, como o [gcrane](https://cloud.google.com/container-registry/docs/migrate-external-containers#copy) que faz uma função similar mas simplificada para a plataforma da Google.
 
 
 ## Como eu posso encontrar quais imagens estão usando o registro de imagens antigo, e corrigir elas?
@@ -145,7 +145,7 @@ disponível para ajudar as pessoas na migração, mas **SERÁ** removido totalme
 Para mais informações sobre o registry.k8s.io e porque foi desenvolvido, leia em [registry.k8s.io: rápido, barato e em disponibilidade geral (GA)](/pt-br/blog/2022/11/28/registry-k8s-io-faster-cheaper-ga/).
 
 Se você quer saber mais sobre o congelamento das imagens e as últimas imagens que vão ficar disponíveis lá, 
-leia o blog post: [kk8s.gcr.io O registro de imagens será congelado a partir de 3 de abril de 2023](/pt-br/blog/2023/02/06/k8s-gcr-io-freeze-announcement/).
+leia o blog post: [k8s.gcr.io O registro de imagens será congelado a partir de 3 de abril de 2023](/pt-br/blog/2023/02/06/k8s-gcr-io-freeze-announcement/).
 
 Informações sobre a arquitetura do registry.k8s.io e sobre sua [árvore de decisão de tratamento das requisições](https://github.com/kubernetes/registry.k8s.io/blob/8408d0501a88b3d2531ff54b14eeb0e3c900a4f3/cmd/archeio/docs/request-handling.md) 
 pode ser encontradas no repositório [kubernetes/registry.k8s.io](https://github.com/kubernetes/registry.k8s.io).

From f47e1d118b6eba199ea10ea25a2e38558853b67d Mon Sep 17 00:00:00 2001
From: ystkfujii <ystk.fujii0731@gmail.com>
Date: Tue, 14 Mar 2023 03:54:23 +0900
Subject: [PATCH 129/215] fix skew in kubeadm-cert.md

---
 .../ja/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/ja/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md b/content/ja/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
index 1bac7b00183fd..3b3da490e91ec 100644
--- a/content/ja/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
+++ b/content/ja/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
@@ -224,13 +224,13 @@ serverTLSBootstrap: true
 
 すでにクラスターを作成している場合は、以下の手順で適応させる必要があります。
 
- - kube-system` ネームスペースにある `kubelet-config-{{< skew latestVersion >}}` ConfigMapを見つけて編集します。
+ - `kube-system`ネームスペースにある`kubelet-config-{{< skew currentVersion >}}` ConfigMapを見つけて編集します。
 
 そのConfigMapの`kubelet`キーの値として[KubeletConfiguration](/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration)ドキュメントを指定します。KubeletConfigurationドキュメントを編集し、`serverTLSBootstrap: true`を設定します。
 
 - 各ノードで、`/var/lib/kubelet/config.yaml`に`serverTLSBootstrap: true`フィールドを追加し、`systemctl restart kubelet`でkubeletを再起動します。
 
-`serverTLSBootstrap: true`フィールドは、kubeleサービングのブートストラップを有効にします。
+`serverTLSBootstrap: true`フィールドは、kubeletサービングのブートストラップを有効にします。
 証明書を`certificates.k8s.io`APIにリクエストすることで、証明書を発行することができます。
 
 既知の制限事項として、これらの証明書のCSR(Certificate Signing Requests)はkube-controller-managerのデフォルトサイナーによって自動的に承認されないことがあります。

From 0db354b6a4ad4ece1e2df878213bdf7972193b6f Mon Sep 17 00:00:00 2001
From: s-kawamura-w664 <s-kawamura_p@nec.com>
Date: Mon, 13 Mar 2023 23:44:59 +0000
Subject: [PATCH 130/215] [ja] Translate
 tasks/administer-cluster/use-cascading-deletion/ into Japanese

---
 .../use-cascading-deletion.md                 | 194 ++++++++++++++++++
 .../run-stateless-application-deployment.md   |   2 +-
 2 files changed, 195 insertions(+), 1 deletion(-)
 create mode 100644 content/ja/docs/tasks/administer-cluster/use-cascading-deletion.md

diff --git a/content/ja/docs/tasks/administer-cluster/use-cascading-deletion.md b/content/ja/docs/tasks/administer-cluster/use-cascading-deletion.md
new file mode 100644
index 0000000000000..9c4394c120038
--- /dev/null
+++ b/content/ja/docs/tasks/administer-cluster/use-cascading-deletion.md
@@ -0,0 +1,194 @@
+---
+title: クラスターでカスケード削除を使用する
+content_type: task
+weight: 360
+---
+
+<!--overview-->
+
+このページでは、{{<glossary_tooltip text="ガベージコレクション" term_id="garbage-collection">}}中にクラスターで使用する[カスケード削除](/ja/docs/concepts/architecture/garbage-collection/#cascading-deletion)のタイプを指定する方法を示します。
+
+## {{% heading "prerequisites" %}}
+
+{{< include "task-tutorial-prereqs.md" >}}
+
+また、さまざまな種類のカスケード削除を試すために、[サンプルのDeploymentを作成する](/ja/docs/tasks/run-application/run-stateless-application-deployment/#creating-and-exploring-an-nginx-deployment)必要があります。 タイプごとにDeploymentを再作成する必要があります。
+
+## Podのオーナーリファレンスを確認する {#check-owner-references-on-your-pods}
+
+Podに`ownerReferences`フィールドが存在することを確認します:
+
+```shell
+kubectl get pods -l app=nginx --output=yaml
+```
+
+出力には、次のように`ownerReferences`フィールドがあります。
+
+```yaml
+apiVersion: v1
+    ...
+    ownerReferences:
+    - apiVersion: apps/v1
+      blockOwnerDeletion: true
+      controller: true
+      kind: ReplicaSet
+      name: nginx-deployment-6b474476c4
+      uid: 4fdcd81c-bd5d-41f7-97af-3a3b759af9a7
+    ...
+```
+
+## フォアグラウンドカスケード削除を使用する {#use-foreground-cascading-deletion}
+
+デフォルトでは、Kubernetesは[バックグラウンドカスケード削除](/ja/docs/concepts/architecture/garbage-collection/#background-deletion)を使用して、オブジェクトの依存関係を削除します。
+クラスターが動作しているKubernetesのバージョンに応じて、`kubectl`またはKubernetes APIのいずれかを使用して、フォアグラウンドカスケード削除に切り替えることができます。 {{<version-check>}}
+
+`kubectl`またはKubernetes APIを使用して、フォアグラウンドカスケード削除を使用してオブジェクトを削除することができます。
+
+**kubectlを使用する**
+
+以下のコマンドを実行してください:
+<!--TODO: verify release after which the --cascade flag is switched to a string in https://github.com/kubernetes/kubectl/commit/fd930e3995957b0093ecc4b9fd8b0525d94d3b4e-->
+
+
+```shell
+kubectl delete deployment nginx-deployment --cascade=foreground
+```
+
+**Kubernetes APIを使用する**
+
+1. ローカルプロキシーセッションを開始します:
+
+   ```shell
+   kubectl proxy --port=8080
+   ```
+
+1. 削除のトリガーとして`curl`を使用します:
+
+   ```shell
+   curl -X DELETE localhost:8080/apis/apps/v1/namespaces/default/deployments/nginx-deployment \
+       -d '{"kind":"DeleteOptions","apiVersion":"v1","propagationPolicy":"Foreground"}' \
+       -H "Content-Type: application/json"
+   ```
+
+   出力には、次のように`foregroundDeletion`{{<glossary_tooltip text="ファイナライザー" term_id="finalizer">}}が含まれています。
+
+   ```
+   "kind": "Deployment",
+   "apiVersion": "apps/v1",
+   "metadata": {
+       "name": "nginx-deployment",
+       "namespace": "default",
+       "uid": "d1ce1b02-cae8-4288-8a53-30e84d8fa505",
+       "resourceVersion": "1363097",
+       "creationTimestamp": "2021-07-08T20:24:37Z",
+       "deletionTimestamp": "2021-07-08T20:27:39Z",
+       "finalizers": [
+         "foregroundDeletion"
+       ]
+       ...
+   ```
+
+## バッググラウンドカスケード削除を使用する {#use-background-cascading-deletion}
+
+1. [サンプルのDeploymentを作成する](/ja/docs/tasks/run-application/run-stateless-application-deployment/#creating-and-exploring-an-nginx-deployment).
+1. クラスターが動作しているKubernetesのバージョンに応じて、`kubectl`またはKubernetes APIのいずれかを使用してDeploymentを削除します。{{<version-check>}}
+
+`kubectl`またはKubernetes APIを使用して、バックグラウンドカスケード削除を使用してオブジェクトを削除できます。
+
+Kubernetesはデフォルトでバックグラウンドカスケード削除を使用し、`--cascade`フラグまたは`propagationPolicy`引数なしで以下のコマンドを実行した場合も同様です。
+
+**kubectlを使用する**
+
+以下のコマンドを実行してください:
+
+```shell
+kubectl delete deployment nginx-deployment --cascade=background
+```
+
+**Kubernetes APIを使用する**
+
+1. ローカルプロキシーセッションを開始します:
+
+   ```shell
+   kubectl proxy --port=8080
+   ```
+
+1. 削除のトリガーとして`curl`を使用します:
+
+   ```shell
+   curl -X DELETE localhost:8080/apis/apps/v1/namespaces/default/deployments/nginx-deployment \
+       -d '{"kind":"DeleteOptions","apiVersion":"v1","propagationPolicy":"Background"}' \
+       -H "Content-Type: application/json"
+   ```
+
+   出力は、次のようになります。
+
+   ```
+   "kind": "Status",
+   "apiVersion": "v1",
+   ...
+   "status": "Success",
+   "details": {
+       "name": "nginx-deployment",
+       "group": "apps",
+       "kind": "deployments",
+       "uid": "cc9eefb9-2d49-4445-b1c1-d261c9396456"
+   }
+   ```
+
+
+## オーナーオブジェクトの削除と従属オブジェクトの孤立 {#set-orphan-deletion-policy}
+
+デフォルトでは、Kubernetesにオブジェクトの削除を指示すると、{{<glossary_tooltip text="コントローラー" term_id="controller">}}は従属オブジェクトも削除します。クラスタが動作しているKubernetesのバージョンに応じて、`kubectl`またはKubernetes APIを使用して、これらの従属オブジェクトをKubernetesで*orphan*にすることができます。{{<version-check>}}
+
+**kubectlを使用する**
+
+以下のコマンドを実行してください:
+
+```shell
+kubectl delete deployment nginx-deployment --cascade=orphan
+```
+
+**Kubernetes APIを使用する**
+
+1. ローカルプロキシーセッションを開始します:
+
+   ```shell
+   kubectl proxy --port=8080
+   ```
+
+1. 削除のトリガーとして`curl`を使用します:
+
+   ```shell
+   curl -X DELETE localhost:8080/apis/apps/v1/namespaces/default/deployments/nginx-deployment \
+       -d '{"kind":"DeleteOptions","apiVersion":"v1","propagationPolicy":"Orphan"}' \
+       -H "Content-Type: application/json"
+   ```
+
+   出力には、次のように`finalizers`フィールドに`orphan`が含まれます。
+
+   ```
+   "kind": "Deployment",
+   "apiVersion": "apps/v1",
+   "namespace": "default",
+   "uid": "6f577034-42a0-479d-be21-78018c466f1f",
+   "creationTimestamp": "2021-07-09T16:46:37Z",
+   "deletionTimestamp": "2021-07-09T16:47:08Z",
+   "deletionGracePeriodSeconds": 0,
+   "finalizers": [
+     "orphan"
+   ],
+   ...
+   ```
+
+Deploymentによって管理されているPodがまだ実行中であることを確認できます。
+
+```shell
+kubectl get pods -l app=nginx
+```
+
+## {{% heading "whatsnext" %}}
+
+* Kubernetesの[オーナーと従属](/ja/docs/concepts/overview/working-with-objects/owners-dependents/)について学ぶ。
+* Kubernetes [ファイナライザー(Finalizers)](/ja/docs/concepts/overview/working-with-objects/finalizers/)について学ぶ。
+* [ガベージコレクション](/ja/docs/concepts/architecture/garbage-collection/)について学ぶ。
diff --git a/content/ja/docs/tasks/run-application/run-stateless-application-deployment.md b/content/ja/docs/tasks/run-application/run-stateless-application-deployment.md
index da7c286f89b95..099e9e2a9161e 100644
--- a/content/ja/docs/tasks/run-application/run-stateless-application-deployment.md
+++ b/content/ja/docs/tasks/run-application/run-stateless-application-deployment.md
@@ -32,7 +32,7 @@ weight: 10
 
 <!-- lessoncontent -->
 
-## nginx deploymentの作成と探検
+## nginx deploymentの作成と探検 {#creating-and-exploring-an-nginx-deployment}
 
 Kubernetes Deploymentオブジェクトを作成することでアプリケーションを実行できます。また、YAMLファイルでDeploymentを記述できます。例えば、このYAMLファイルはnginx:1.14.2 Dockerイメージを実行するデプロイメントを記述しています:
 

From a72a97be72892ca067631745505ad872ed1123e2 Mon Sep 17 00:00:00 2001
From: s-kawamura-w664 <s-kawamura_p@nec.com>
Date: Mon, 13 Mar 2023 23:46:30 +0000
Subject: [PATCH 131/215] [ja] update link to use-cascading-deletion

---
 .../ja/docs/concepts/architecture/garbage-collection.md   | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/content/ja/docs/concepts/architecture/garbage-collection.md b/content/ja/docs/concepts/architecture/garbage-collection.md
index 2ac48608b911a..9b37e3c87cd44 100644
--- a/content/ja/docs/concepts/architecture/garbage-collection.md
+++ b/content/ja/docs/concepts/architecture/garbage-collection.md
@@ -70,19 +70,19 @@ Kubernetesは、ReplicaSetを削除したときに残されたPodなど、owner
 この時点で、オブジェクトはKubernetesAPIに表示されなくなります。
 
 フォアグラウンドカスケード削除中に、オーナーの削除をブロックする依存関係は、`ownerReference.blockOwnerDeletion=true`フィールドを持つ依存関係のみです。
-詳細については、[フォアグラウンドカスケード削除の使用](/docs/tasks/administer-cluster/use-cascading-deletion/#use-foreground-cascading-deletion)を参照してください。
+詳細については、[フォアグラウンドカスケード削除の使用](/ja/docs/tasks/administer-cluster/use-cascading-deletion/#use-foreground-cascading-deletion)を参照してください。
 
 ### バックグラウンドカスケード削除 {#background-deletion}
 
 バックグラウンドカスケード削除では、Kubernetes APIサーバーがオーナーオブジェクトをすぐに削除し、コントローラーがバックグラウンドで依存オブジェクトをクリーンアップします。
 デフォルトでは、フォアグラウンド削除を手動で使用するか、依存オブジェクトを孤立させることを選択しない限り、Kubernetesはバックグラウンドカスケード削除を使用します。
 
-詳細については、[バックグラウンドカスケード削除の使用](/docs/tasks/administer-cluster/use-cascading-deletion/#use-background-cascading-deletion)を参照してください。
+詳細については、[バックグラウンドカスケード削除の使用](/ja/docs/tasks/administer-cluster/use-cascading-deletion/#use-background-cascading-deletion)を参照してください。
 
 ### 孤立した依存関係
 
 Kubernetesがオーナーオブジェクトを削除すると、残された依存関係は*orphan*オブジェクトと呼ばれます。
-デフォルトでは、Kubernetesは依存関係オブジェクトを削除します。この動作をオーバーライドする方法については、[オーナーオブジェクトと孤立した依存関係の削除](/docs/tasks/administer-cluster/use-cascading-deletion/#set-orphan-deletion-policy)を参照してください。
+デフォルトでは、Kubernetesは依存関係オブジェクトを削除します。この動作をオーバーライドする方法については、[オーナーオブジェクトの削除と従属オブジェクトの孤立](/ja/docs/tasks/administer-cluster/use-cascading-deletion/#set-orphan-deletion-policy)を参照してください。
 
 ## 未使用のコンテナとイメージのガベージコレクション {#containers-images}
 
@@ -124,7 +124,7 @@ kubeletは、次の変数に基づいて未使用のコンテナをガベージ
 
 これらのリソースを管理するコントローラーに固有のオプションを設定することにより、リソースのガベージコレクションを調整できます。次のページは、ガベージコレクションを設定する方法を示しています。
 
-  * [Kubernetesオブジェクトのカスケード削除の設定](/docs/tasks/administer-cluster/use-cascading-deletion/)
+  * [Kubernetesオブジェクトのカスケード削除の設定](/ja/docs/tasks/administer-cluster/use-cascading-deletion/)
   * [完了したジョブのクリーンアップの設定](/ja/docs/concepts/workloads/controllers/ttlafterfinished/)
   
 <!-- * [Configuring unused container and image garbage collection](/docs/tasks/administer-cluster/reconfigure-kubelet/) -->

From 0812c9bbf42fbda71c4818ba268062044a4e6735 Mon Sep 17 00:00:00 2001
From: Craig Box <craigb@armosec.io>
Date: Tue, 14 Mar 2023 15:00:35 +1300
Subject: [PATCH 132/215] Empty commit


From c0739b585b2e97563c14cd4bde9935ce1145dd2d Mon Sep 17 00:00:00 2001
From: Craig Box <craigb@armosec.io>
Date: Tue, 14 Mar 2023 15:00:53 +1300
Subject: [PATCH 133/215] Empty commit


From cb2ab099e4df05a2e729bd551103c21d731a41b3 Mon Sep 17 00:00:00 2001
From: Craig Box <craigb@armosec.io>
Date: Tue, 14 Mar 2023 15:07:11 +1300
Subject: [PATCH 134/215] Don't add newline at end of file

---
 content/es/docs/tasks/tools/included/install-kubectl-windows.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/es/docs/tasks/tools/included/install-kubectl-windows.md b/content/es/docs/tasks/tools/included/install-kubectl-windows.md
index 4665883943617..64401d47b9b88 100644
--- a/content/es/docs/tasks/tools/included/install-kubectl-windows.md
+++ b/content/es/docs/tasks/tools/included/install-kubectl-windows.md
@@ -187,4 +187,4 @@ A continuación se muestran los procedimientos para configurar el autocompletado
 
 ## {{% heading "whatsnext" %}}
 
-{{< include "kubectl-whats-next.md" >}}
+{{< include "kubectl-whats-next.md" >}}
\ No newline at end of file

From 5dc0185920981bf0803e018c994f2a25c7a5cfa6 Mon Sep 17 00:00:00 2001
From: Oliver L Schoenborn <oliver.schoenborn@gmail.com>
Date: Thu, 9 Mar 2023 14:30:33 -0500
Subject: [PATCH 135/215] Simplify by focussing on kubectl ie no curl left
 except one mention; moved notes to the end where nuances are discussed such
 as upper/lower case env var, use of proxy-url, meaning of localhost vs
 socks5h, etc

---
 .../socks5-proxy-access-api.md                | 57 ++++++++++---------
 1 file changed, 31 insertions(+), 26 deletions(-)

diff --git a/content/en/docs/tasks/extend-kubernetes/socks5-proxy-access-api.md b/content/en/docs/tasks/extend-kubernetes/socks5-proxy-access-api.md
index 5dddd1119a580..0a1d401499990 100644
--- a/content/en/docs/tasks/extend-kubernetes/socks5-proxy-access-api.md
+++ b/content/en/docs/tasks/extend-kubernetes/socks5-proxy-access-api.md
@@ -59,46 +59,32 @@ Figure 1. SOCKS5 tutorial components
 
 ## Using ssh to create a SOCKS5 proxy
 
-This command starts a SOCKS5 proxy between your client machine and the remote server.
-The SOCKS5 proxy lets you connect to your cluster's API server.
+The following command starts a SOCKS5 proxy between your client machine and the remote SOCKS server:
 
 ```shell
 # The SSH tunnel continues running in the foreground after you run this
 ssh -D 1080 -q -N username@kubernetes-remote-server.example
 ```
 
+The SOCKS5 proxy lets you connect to your cluster's API server based on the following configuration: 
 * `-D 1080`: opens a SOCKS proxy on local port :1080.
 * `-q`: quiet mode. Causes most warning and diagnostic messages to be suppressed.
 * `-N`: Do not execute a remote command. Useful for just forwarding ports.
-* `username@kubernetes-remote-server.example`: the remote SSH server where the Kubernetes cluster is running.
+* `username@kubernetes-remote-server.example`: the remote SSH server behind which the Kubernetes cluster 
+  is running (eg: a bastion host).
 
 ## Client configuration
 
-To explore the Kubernetes API you'll first need to instruct your clients to send their queries through
-the SOCKS5 proxy we created earlier.
-
-For command-line tools, set the `https_proxy` environment variable and pass it to commands that you run.
+To access the Kubernetes API server through the proxy you must instruct `kubectl` to send queries through
+the `SOCKS` proxy we created earlier. Do this by either setting the appropriate environment variable, 
+or via the `proxy-url` attribute in the kubeconfig file. Using an environment variable: 
 
 ```shell
-export https_proxy=socks5h://localhost:1080
+export HTTPS_PROXY=socks5://localhost:1080
 ```
 
-When you set the `https_proxy` variable, tools such as `curl` route HTTPS traffic through the proxy
-you configured. For this to work, the tool must support SOCKS5 proxying.
-
-{{< note >}}
-In the URL https://localhost:6443/api, `localhost` does not refer to your local client computer.
-Instead, it refers to the endpoint on the remote server known as `localhost`.
-The `curl` tool sends the hostname from the HTTPS URL over SOCKS, and the remote server
-resolves that locally (to an address that belongs to its loopback interface).
-{{</ note >}}
-
-```shell
-curl -k -v https://localhost:6443/api
-```
-
-To use the official Kubernetes client `kubectl` with a proxy, set the `proxy-url` element
-for the relevant `cluster` entry within  your `~/.kube/config` file. For example:
+To always use this setting on a specific `kubectl` context, specify the `proxy-url` attribute in the relevant 
+`cluster` entry within the `~/.kube/config` file. For example:
 
 ```yaml
 apiVersion: v1
@@ -106,7 +92,7 @@ clusters:
 - cluster:
     certificate-authority-data: LRMEMMW2 # shortened for readability 
     server: https://<API_SERVER_IP_ADRESS>:6443  # the "Kubernetes API" server, in other words the IP address of kubernetes-remote-server.example
-    proxy-url: socks5://localhost:1080   # the "SSH SOCKS5 proxy" in the diagram above (DNS resolution over socks is built-in)
+    proxy-url: socks5://localhost:1080   # the "SSH SOCKS5 proxy" in the diagram above
   name: default
 contexts:
 - context:
@@ -123,7 +109,8 @@ users:
     client-key-data: LS0tLS1CRUdJT=      # shortened for readability
 ```
 
-If the tunnel is operating and you use `kubectl` with a context that uses this cluster, you can interact with your cluster through that proxy. For example:
+Once you have created the tunnel via the ssh command mentioned earlier, and defined either the environment variable or 
+the `proxy-url` attribute, you can interact with your cluster through that proxy. For example:
 
 ```shell
 kubectl get pods
@@ -134,6 +121,24 @@ NAMESPACE     NAME                                     READY   STATUS      RESTA
 kube-system   coredns-85cb69466-klwq8                  1/1     Running     0          5m46s
 ```
 
+{{< notes >}}
+- Before `kubectl` 1.24, most `kubectl` commands worked when using a socks proxy, except `kubectl exec`.
+- `kubectl` supports both `HTTPS_PROXY` and `https_proxy` environment variables. These are used by other 
+  programs that support SOCKS, such as `curl`. Therefore in some cases it 
+  will be better to define the environment variable on the command line:
+  ```shell
+  HTTPS_PROXY=socks5://localhost:1080 kubectl get pods
+  ```
+- When using `proxy-url`, the proxy is used only for the relevant `kubectl` context, 
+  whereas the environment variable will affect all contexts.
+- The k8s API server hostname can be further protected from DNS leakage by using the `socks5h` protocol name
+  instead of the more commonly known `socks5` protocol shown above. In this case, `kubectl` will ask the proxy server
+  (such as an ssh bastion) to resolve the k8s API server domain name, instead of resolving it on the system running
+  `kubectl`. Note also that with `socks5h`, a k8s API server URL like `https://localhost:6443/api` does not refer 
+  to your local client computer. Instead, it refers to `localhost` as known on the proxy server (eg the ssh bastion).
+{{</ note >}}
+
+
 ## Clean up
 
 Stop the ssh port-forwarding process by pressing `CTRL+C` on the terminal where it is running.

From 07ec542ee9df2a73dbf18d25229d45926a453e78 Mon Sep 17 00:00:00 2001
From: Oliver L Schoenborn <oliver.schoenborn@gmail.com>
Date: Mon, 13 Mar 2023 22:27:38 -0400
Subject: [PATCH 136/215] typo in notes section

Co-authored-by: Qiming Teng <tengqm@outlook.com>
---
 .../en/docs/tasks/extend-kubernetes/socks5-proxy-access-api.md  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/docs/tasks/extend-kubernetes/socks5-proxy-access-api.md b/content/en/docs/tasks/extend-kubernetes/socks5-proxy-access-api.md
index 0a1d401499990..2de5a39c522af 100644
--- a/content/en/docs/tasks/extend-kubernetes/socks5-proxy-access-api.md
+++ b/content/en/docs/tasks/extend-kubernetes/socks5-proxy-access-api.md
@@ -121,7 +121,7 @@ NAMESPACE     NAME                                     READY   STATUS      RESTA
 kube-system   coredns-85cb69466-klwq8                  1/1     Running     0          5m46s
 ```
 
-{{< notes >}}
+{{< note >}}
 - Before `kubectl` 1.24, most `kubectl` commands worked when using a socks proxy, except `kubectl exec`.
 - `kubectl` supports both `HTTPS_PROXY` and `https_proxy` environment variables. These are used by other 
   programs that support SOCKS, such as `curl`. Therefore in some cases it 

From d1f5453d8ffe98018021032bbb8a5f2006800bd8 Mon Sep 17 00:00:00 2001
From: zhuzhenghao <zhenghao.zhu@daocloud.io>
Date: Mon, 6 Mar 2023 16:29:43 +0800
Subject: [PATCH 137/215] [zh] sync cluster-level-pss

---
 .../tutorials/security/cluster-level-pss.md   | 85 +++++++++++++++----
 1 file changed, 67 insertions(+), 18 deletions(-)

diff --git a/content/zh-cn/docs/tutorials/security/cluster-level-pss.md b/content/zh-cn/docs/tutorials/security/cluster-level-pss.md
index 37872e561c58a..ec97783d6af51 100644
--- a/content/zh-cn/docs/tutorials/security/cluster-level-pss.md
+++ b/content/zh-cn/docs/tutorials/security/cluster-level-pss.md
@@ -57,6 +57,16 @@ Install the following on your workstation:
 - [KinD](https://kind.sigs.k8s.io/docs/user/quick-start/#installation)
 - [kubectl](/zh-cn/docs/tasks/tools/)
 
+<!--
+This tutorial demonstrates what you can configure for a Kubernetes cluster that you fully
+control. If you are learning how to configure Pod Security Admission for a managed cluster
+where you are not able to configure the control plane, read
+[Apply Pod Security Standards at the namespace level](/docs/tutorials/security/ns-level-pss).
+-->
+本教程演示了你可以对完全由你控制的 Kubernetes 集群所配置的内容。
+如果你正在学习如何为一个无法配置控制平面的托管集群配置 Pod 安全准入，
+请参阅[在名字空间级别应用 Pod 安全标准](/zh-cn/docs/tutorials/security/ns-level-pss)。
+
 <!--
 ## Choose the right Pod Security Standard to apply
 
@@ -82,13 +92,17 @@ that are most appropriate for your configuration, do the following:
 1. 创建一个没有应用 Pod 安全标准的集群：
 
    ```shell
-   kind create cluster --name psa-wo-cluster-pss --image kindest/node:v1.24.0
+   kind create cluster --name psa-wo-cluster-pss
    ```
-   <!-- The output is similar to this: -->
+   <!--
+   The output is similar to:
+   -->
+
    输出类似于：
+
    ```
    Creating cluster "psa-wo-cluster-pss" ...
-   ✓ Ensuring node image (kindest/node:v1.24.0) 🖼
+   ✓ Ensuring node image (kindest/node:v{{< skew currentVersion >}}.0) 🖼
    ✓ Preparing nodes 📦
    ✓ Writing configuration 📜
    ✓ Starting control-plane 🕹️
@@ -110,8 +124,12 @@ that are most appropriate for your configuration, do the following:
    ```shell
    kubectl cluster-info --context kind-psa-wo-cluster-pss
    ```
-   <!-- The output is similar to this: -->
+   <!--
+   The output is similar to this:
+   -->
+
    输出类似于：
+
    ```
    Kubernetes control plane is running at https://127.0.0.1:61350
 
@@ -128,8 +146,12 @@ that are most appropriate for your configuration, do the following:
    ```shell
    kubectl get ns
    ```
-   <!-- The output is similar to this: -->
+   <!--
+   The output is similar to this:
+   -->
+
    输出类似于：
+
    ```
    NAME                 STATUS   AGE
    default              Active   9m30s
@@ -150,8 +172,13 @@ that are most appropriate for your configuration, do the following:
       kubectl label --dry-run=server --overwrite ns --all \
       pod-security.kubernetes.io/enforce=privileged
       ```
-      <!-- The output is similar to this: -->
+
+      <!--
+      The output is similar to:
+      -->
+
       输出类似于：
+
       ```
       namespace/default labeled
       namespace/kube-node-lease labeled
@@ -164,8 +191,13 @@ that are most appropriate for your configuration, do the following:
       kubectl label --dry-run=server --overwrite ns --all \
       pod-security.kubernetes.io/enforce=baseline
       ```
-      <!-- The output is similar to this: -->
+
+      <!--
+      The output is similar to:
+      -->
+
       输出类似于：
+
       ```
       namespace/default labeled
       namespace/kube-node-lease labeled
@@ -183,8 +215,13 @@ that are most appropriate for your configuration, do the following:
       kubectl label --dry-run=server --overwrite ns --all \
       pod-security.kubernetes.io/enforce=restricted
       ```
-      <!-- The output is similar to this: -->
+
+      <!--
+      The output is similar to:
+      -->
+
       输出类似于：
+
       ```
       namespace/default labeled
       namespace/kube-node-lease labeled
@@ -351,13 +388,17 @@ following:
 5. 创建一个使用 Pod 安全准入的集群来应用这些 Pod 安全标准：
 
    ```shell
-   kind create cluster --name psa-with-cluster-pss --image kindest/node:v1.24.0 --config /tmp/pss/cluster-config.yaml
+   kind create cluster --name psa-with-cluster-pss --config /tmp/pss/cluster-config.yaml
    ```
-   <!-- The output is similar to this: -->
+   <!--
+   The output is similar to this:
+   -->
+
    输出类似于：
+
    ```
    Creating cluster "psa-with-cluster-pss" ...
-    ✓ Ensuring node image (kindest/node:v1.24.0) 🖼
+    ✓ Ensuring node image (kindest/node:v{{< skew currentVersion >}}.0) 🖼
     ✓ Preparing nodes 📦
     ✓ Writing configuration 📜
     ✓ Starting control-plane 🕹️
@@ -379,18 +420,23 @@ following:
    ```shell
    kubectl cluster-info --context kind-psa-with-cluster-pss
    ```
-   <!-- The output is similar to this: -->
+   <!--
+   The output is similar to this:
+   -->
+
    输出类似于：
+
    ```
    Kubernetes control plane is running at https://127.0.0.1:63855
    CoreDNS is running at https://127.0.0.1:63855/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
 
    To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
    ```
+
 <!--
-1. Create the following Pod specification for a minimal configuration in the default namespace:
+1. Create a Pod in the default namespace:
 -->
-7. 创建以下 Pod 规约作为在 default 名字空间中的一个最小配置：
+7. 在 default 名字空间下创建一个 Pod：
 
    ```
    cat <<EOF > /tmp/pss/nginx-pod.yaml
@@ -412,12 +458,15 @@ following:
 8. 在集群中创建 Pod：
 
    ```shell
-   kubectl apply -f /tmp/pss/nginx-pod.yaml
+   kubectl apply -f https://k8s.io/examples/security/example-baseline-pod.yaml
    ```
-   <!-- The output is similar to this: -->
-   输出类似于：
+
+   <!--
+   The pod is started normally, but the output includes a warning:
+   -->
+   这个 Pod 正常启动，但输出包含警告：
    ```
-   Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "nginx" must set securityContext allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx" must set securityContext seccompProfile.type to "RuntimeDefault" or "Localhost")
+   Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "nginx" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
    pod/nginx created
    ```
 

From b9cd673f5c6682d3787f4b8631b9306dd4f1867e Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Mon, 13 Mar 2023 14:24:37 +0800
Subject: [PATCH 138/215] Replace k8s.gcr.io references with registry.k8s.io
 rebuild

---
 .../admin/logging/two-files-counter-pod-agent-sidecar.yaml      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ru/examples/admin/logging/two-files-counter-pod-agent-sidecar.yaml b/content/ru/examples/admin/logging/two-files-counter-pod-agent-sidecar.yaml
index ddfb8104cb946..a621a9fb2acce 100644
--- a/content/ru/examples/admin/logging/two-files-counter-pod-agent-sidecar.yaml
+++ b/content/ru/examples/admin/logging/two-files-counter-pod-agent-sidecar.yaml
@@ -22,7 +22,7 @@ spec:
     - name: varlog
       mountPath: /var/log
   - name: count-agent
-    image: k8s.gcr.io/fluentd-gcp:1.30
+    image: registry.k8s.io/fluentd-gcp:1.30
     env:
     - name: FLUENTD_ARGS
       value: -c /etc/fluentd-config/fluentd.conf

From 70613a30a6edb59747f415889524138d90693685 Mon Sep 17 00:00:00 2001
From: s-kawamura-w664 <s-kawamura_p@nec.com>
Date: Tue, 14 Mar 2023 08:12:31 +0000
Subject: [PATCH 139/215] [ja] update the link from kubectl tooltip

---
 content/ja/docs/reference/glossary/kubectl.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ja/docs/reference/glossary/kubectl.md b/content/ja/docs/reference/glossary/kubectl.md
index ff7796060bd61..14bf028f9437d 100644
--- a/content/ja/docs/reference/glossary/kubectl.md
+++ b/content/ja/docs/reference/glossary/kubectl.md
@@ -2,7 +2,7 @@
 title: Kubectl
 id: kubectl
 date: 2018-04-12
-full_link: /docs/reference/kubectl/
+full_link: /ja/docs/reference/kubectl/
 short_description: >
   Kubernetesクラスターと通信するためのコマンドラインツールです。
 

From 079cb54c58ea43d8ef595a3f678b17db9060147e Mon Sep 17 00:00:00 2001
From: Michael <cloudyonspring@126.com>
Date: Tue, 14 Mar 2023 19:39:02 +0800
Subject: [PATCH 140/215] [zh] sync access-api-from-pod.md

---
 .../docs/tasks/run-application/_index.md      |  9 +++-
 .../run-application/access-api-from-pod.md    | 51 +++++++++++++------
 .../force-delete-stateful-set-pod.md          | 47 +++++++++--------
 3 files changed, 65 insertions(+), 42 deletions(-)

diff --git a/content/zh-cn/docs/tasks/run-application/_index.md b/content/zh-cn/docs/tasks/run-application/_index.md
index d4846746ae560..46cdf904233dc 100644
--- a/content/zh-cn/docs/tasks/run-application/_index.md
+++ b/content/zh-cn/docs/tasks/run-application/_index.md
@@ -1,5 +1,10 @@
 ---
 title: "运行应用"
-weight: 40
-description: 运行和管理无状态和有状态的应用程序。
+weight: 80
+description: 运行和管理无状态和有状态的应用。
 ---
+<!--
+title: "Run Applications"
+description: Run and manage both stateless and stateful applications.
+weight: 80
+-->
diff --git a/content/zh-cn/docs/tasks/run-application/access-api-from-pod.md b/content/zh-cn/docs/tasks/run-application/access-api-from-pod.md
index f80b4fc04516c..53217200e0df3 100644
--- a/content/zh-cn/docs/tasks/run-application/access-api-from-pod.md
+++ b/content/zh-cn/docs/tasks/run-application/access-api-from-pod.md
@@ -3,7 +3,6 @@ title: 从 Pod 中访问 Kubernetes API
 content_type: task
 weight: 120
 ---
-
 <!--
 title: Accessing the Kubernetes API from a Pod
 content_type: task
@@ -31,8 +30,7 @@ to the API server are slightly different to the external client case.
 -->
 ### 从 Pod 中访问 API   {#accessing-the-api-from-within-a-pod}
 
-从 Pod 内部访问 API 时，定位 API 服务器和向服务器认证身份的操作
-与外部客户端场景不同。
+从 Pod 内部访问 API 时，定位 API 服务器和向服务器认证身份的操作与外部客户端场景不同。
 
 <!--
 The easiest way to use the Kubernetes API from a Pod is to use
@@ -47,7 +45,12 @@ libraries can automatically discover the API server and authenticate.
 ### Using Official Client Libraries
 
 From within a Pod, the recommended ways to connect to the Kubernetes API are:
+-->
+#### 使用官方客户端库   {#using-official-client-libraries}
+
+从一个 Pod 内部连接到 Kubernetes API 的推荐方式为：
 
+<!--
 - For a Go client, use the official
   [Go client library](https://github.com/kubernetes/client-go/).
   The `rest.InClusterConfig()` function handles API host discovery and authentication automatically.
@@ -60,14 +63,7 @@ From within a Pod, the recommended ways to connect to the Kubernetes API are:
 
 - There are a number of other libraries available, please refer to the
   [Client Libraries](/docs/reference/using-api/client-libraries/) page.
-
-In each case, the service account credentials of the Pod are used to communicate
-securely with the API server.
 -->
-#### 使用官方客户端库   {#using-official-client-libraries}
-
-从一个 Pod 内部连接到 Kubernetes API 的推荐方式为：
-
 - 对于 Go 语言客户端，使用官方的 [Go 客户端库](https://github.com/kubernetes/client-go/)。
   函数 `rest.InClusterConfig()` 自动处理 API 主机发现和身份认证。
   参见[这里的一个例子](https://git.k8s.io/client-go/examples/in-cluster-client-configuration/main.go)。
@@ -78,6 +74,10 @@ securely with the API server.
 
 - 还有一些其他可用的客户端库，请参阅[客户端库](/zh-cn/docs/reference/using-api/client-libraries/)页面。
 
+<!--
+In each case, the service account credentials of the Pod are used to communicate
+securely with the API server.
+-->
 在以上场景中，客户端库都使用 Pod 的服务账号凭据来与 API 服务器安全地通信。
 
 <!--
@@ -118,15 +118,15 @@ at `/var/run/secrets/kubernetes.io/serviceaccount/token`.
 -->
 向 API 服务器进行身份认证的推荐做法是使用
 [服务账号](/zh-cn/docs/tasks/configure-pod-container/configure-service-account/)凭据。
-默认情况下，每个 Pod 与一个服务账号关联，该服务账户的凭证（令牌）放置在此 Pod 中
-每个容器的文件系统树中的 `/var/run/secrets/kubernetes.io/serviceaccount/token` 处。
+默认情况下，每个 Pod 与一个服务账号关联，该服务账号的凭据（令牌）放置在此 Pod
+中每个容器的文件系统树中的 `/var/run/secrets/kubernetes.io/serviceaccount/token` 处。
 
 <!--
 If available, a certificate bundle is placed into the filesystem tree of each
 container at `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`, and should be
 used to verify the serving certificate of the API server.
 -->
-如果证书包可用，则凭证包被放入每个容器的文件系统树中的
+如果证书包可用，则凭据包被放入每个容器的文件系统树中的
 `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` 处，
 且将被用于验证 API 服务器的服务证书。
 
@@ -151,8 +151,8 @@ in the Pod can use it directly.
 如果你希望不使用官方客户端库就完成 API 查询，可以将 `kubectl proxy` 作为
 [command](/zh-cn/docs/tasks/inject-data-application/define-command-argument-container/)
 在 Pod 中启动一个边车（Sidecar）容器。这样，`kubectl proxy` 自动完成对 API
-的身份认证，并将其暴露到 Pod 的 `localhost` 接口，从而 Pod 中的其他容器可以
-直接使用 API。
+的身份认证，并将其暴露到 Pod 的 `localhost` 接口，从而 Pod
+中的其他容器可以直接使用 API。
 
 <!--
 ### Without using a proxy
@@ -163,8 +163,27 @@ directly to the API server. The internal certificate secures the connection.
 ### 不使用代理   {#without-using-a-proxy}
 
 通过将认证令牌直接发送到 API 服务器，也可以避免运行 kubectl proxy 命令。
-内部的证书机制能够为链接提供保护。
+内部的证书机制能够为连接提供保护。
+
+<!--
+# Point to the internal API server hostname
+APISERVER=https://kubernetes.default.svc
+
+# Path to ServiceAccount token
+SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
 
+# Read this Pod's namespace
+NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
+
+# Read the ServiceAccount bearer token
+TOKEN=$(cat ${SERVICEACCOUNT}/token)
+
+# Reference the internal certificate authority (CA)
+CACERT=${SERVICEACCOUNT}/ca.crt
+
+# Explore the API with TOKEN
+curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api
+-->
 ```shell
 # 指向内部 API 服务器的主机名
 APISERVER=https://kubernetes.default.svc
diff --git a/content/zh-cn/docs/tasks/run-application/force-delete-stateful-set-pod.md b/content/zh-cn/docs/tasks/run-application/force-delete-stateful-set-pod.md
index f25453745adf2..f18be26d5bc64 100644
--- a/content/zh-cn/docs/tasks/run-application/force-delete-stateful-set-pod.md
+++ b/content/zh-cn/docs/tasks/run-application/force-delete-stateful-set-pod.md
@@ -3,7 +3,6 @@ title: 强制删除 StatefulSet 中的 Pod
 content_type: task
 weight: 70
 ---
-
 <!--
 reviewers:
 - bprashanth
@@ -16,23 +15,24 @@ weight: 70
 -->
 
 <!-- overview -->
+
 <!--
 This page shows how to delete Pods which are part of a
 {{< glossary_tooltip text="stateful set" term_id="StatefulSet" >}},
 and explains the considerations to keep in mind when doing so.
 -->
 本文介绍如何删除 {{< glossary_tooltip text="StatefulSet" term_id="StatefulSet" >}}
-管理的 Pod，并解释这样操作时需要记住的注意事项。
+管理的 Pod，并解释这样操作时需要记住的一些注意事项。
 
 ## {{% heading "prerequisites" %}}
 
 <!--
-* This is a fairly advanced task and has the potential to violate some of the properties
+- This is a fairly advanced task and has the potential to violate some of the properties
   inherent to StatefulSet.
-* Before proceeding, make yourself familiar with the considerations enumerated below.
+- Before proceeding, make yourself familiar with the considerations enumerated below.
 -->
-* 这是一项相当高级的任务，并且可能会违反 StatefulSet 固有的某些属性。
-* 继续任务之前，请熟悉下面列举的注意事项。
+- 这是一项相当高级的任务，并且可能会违反 StatefulSet 固有的某些属性。
+- 请先熟悉下面列举的注意事项再开始操作。
 
 <!-- steps -->
 
@@ -46,11 +46,11 @@ number of Pods from ordinal 0 through N-1 are alive and ready. StatefulSet ensur
 there is at most one Pod with a given identity running in a cluster. This is referred to as
 *at most one* semantics provided by a StatefulSet.
 -->
-## StatefulSet 注意事项
+## StatefulSet 注意事项   {#statefulset-considerations}
 
-在 StatefulSet 的正常操作中，**永远不**需要强制删除 StatefulSet 管理的 Pod。
+在正常操作 StatefulSet 时，**永远不**需要强制删除 StatefulSet 管理的 Pod。
 [StatefulSet 控制器](/zh-cn/docs/concepts/workloads/controllers/statefulset/)负责创建、
-扩缩和删除 StatefulSet 管理的 Pod。它尝试确保指定数量的从序数 0 到 N-1 的 Pod
+扩缩和删除 StatefulSet 管理的 Pod。此控制器尽力确保指定数量的从序数 0 到 N-1 的 Pod
 处于活跃状态并准备就绪。StatefulSet 确保在任何时候，集群中最多只有一个具有给定标识的 Pod。
 这就是所谓的由 StatefulSet 提供的**最多一个（At Most One）** Pod 的语义。
 
@@ -63,9 +63,9 @@ members with fixed identities. Having multiple members with the same identity ca
 and may lead to data loss (e.g. split brain scenario in quorum-based systems).
 -->
 应谨慎进行手动强制删除操作，因为它可能会违反 StatefulSet 固有的至多一个的语义。
-StatefulSets 可用于运行分布式和集群级的应用，这些应用需要稳定的网络标识和可靠的存储。
+StatefulSet 可用于运行分布式和集群级的应用，这些应用需要稳定的网络标识和可靠的存储。
 这些应用通常配置为具有固定标识固定数量的成员集合。
-具有相同身份的多个成员可能是灾难性的，并且可能导致数据丢失 (例如：票选系统中的脑裂场景)。
+具有相同身份的多个成员可能是灾难性的，并且可能导致数据丢失 (例如票选系统中的脑裂场景)。
 
 <!--
 ## Delete Pods
@@ -101,24 +101,23 @@ Pods may also enter these states when the user attempts graceful deletion of a P
 on an unreachable Node.
 The only ways in which a Pod in such a state can be removed from the apiserver are as follows:
 -->
-当某个节点不可达时，不会引发自动删除 Pod。
-在无法访问的节点上运行的 Pod 在
-[超时](/zh-cn/docs/concepts/architecture/nodes/#condition)
-后会进入 “Terminating” 或者 “Unknown” 状态。
+当某个节点不可达时，不会引发自动删除 Pod。在无法访问的节点上运行的 Pod
+在[超时](/zh-cn/docs/concepts/architecture/nodes/#condition)后会进入
+“Terminating” 或者 “Unknown” 状态。
 当用户尝试体面地删除无法访问的节点上的 Pod 时 Pod 也可能会进入这些状态。
 从 API 服务器上删除处于这些状态 Pod 的仅有可行方法如下：
 
 <!--
-* The Node object is deleted (either by you, or by the
+- The Node object is deleted (either by you, or by the
   [Node Controller](/docs/concepts/architecture/nodes/#node-controller)).
-* The kubelet on the unresponsive Node starts responding, kills the Pod and removes the entry
+- The kubelet on the unresponsive Node starts responding, kills the Pod and removes the entry
    from the apiserver.
-* Force deletion of the Pod by the user.
+- Force deletion of the Pod by the user.
 -->
-* 删除 Node 对象（要么你来删除, 要么[节点控制器](/zh-cn/docs/concepts/architecture/nodes/#node-controller)
+- 删除 Node 对象（要么你来删除, 要么[节点控制器](/zh-cn/docs/concepts/architecture/nodes/#node-controller)
   来删除）
-* 无响应节点上的 kubelet 开始响应，杀死 Pod 并从 API 服务器上移除 Pod 对象
-* 用户强制删除 pod
+- 无响应节点上的 kubelet 开始响应，杀死 Pod 并从 API 服务器上移除 Pod 对象
+- 用户强制删除 Pod
 
 <!--
 The recommended best practice is to use the first or second approach. If a Node is confirmed
@@ -155,8 +154,8 @@ will violate the at most one semantics that StatefulSet is designed to guarantee
 强制删除**不会**等待来自 kubelet 对 Pod 已终止的确认消息。
 无论强制删除是否成功杀死了 Pod，它都会立即从 API 服务器中释放该名字。
 这将让 StatefulSet 控制器创建一个具有相同标识的替身 Pod；因而可能导致正在运行 Pod 的重复，
-并且如果所述 Pod 仍然可以与 StatefulSet 的成员通信，则将违反 StatefulSet 所要保证的
-最多一个的语义。
+并且如果所述 Pod 仍然可以与 StatefulSet 的成员通信，则将违反 StatefulSet
+所要保证的最多一个的语义。
 
 <!--
 When you force delete a StatefulSet pod, you are asserting that the Pod in question will never
@@ -188,7 +187,7 @@ kubectl delete pods <pod> --grace-period=0
 If even after these commands the pod is stuck on `Unknown` state, use the following command to
 remove the pod from the cluster:
 -->
-如果在这些命令后 Pod 仍处于 `Unknown` 状态，请使用以下命令从集群中删除 Pod:
+如果在执行这些命令后 Pod 仍处于 `Unknown` 状态，请使用以下命令从集群中删除 Pod:
 
 ```shell
 kubectl patch pod <pod> -p '{"metadata":{"finalizers":null}}'

From 4b60ed9c191461bcef66f1df6f22b941abbf9b02 Mon Sep 17 00:00:00 2001
From: windsonsea <haifeng.yao@daocloud.io>
Date: Tue, 14 Mar 2023 15:53:27 +0800
Subject: [PATCH 141/215] [zh] sync /run-application/scale-stateful-set.md

---
 .../tasks/run-application/configure-pdb.md    | 109 +++++++++---------
 .../run-application/delete-stateful-set.md    |  34 +++---
 .../run-application/scale-stateful-set.md     |  54 +++++----
 3 files changed, 103 insertions(+), 94 deletions(-)

diff --git a/content/zh-cn/docs/tasks/run-application/configure-pdb.md b/content/zh-cn/docs/tasks/run-application/configure-pdb.md
index 8ed9f740354f0..5feb2d58ca6d0 100644
--- a/content/zh-cn/docs/tasks/run-application/configure-pdb.md
+++ b/content/zh-cn/docs/tasks/run-application/configure-pdb.md
@@ -28,19 +28,19 @@ nodes.
 {{< version-check >}}
 
 <!--
-* You are the owner of an application running on a Kubernetes cluster that requires
+- You are the owner of an application running on a Kubernetes cluster that requires
   high availability.
-* You should know how to deploy [Replicated Stateless Applications](/docs/tasks/run-application/run-stateless-application-deployment/)
+- You should know how to deploy [Replicated Stateless Applications](/docs/tasks/run-application/run-stateless-application-deployment/)
   and/or [Replicated Stateful Applications](/docs/tasks/run-application/run-replicated-stateful-application/).
-* You should have read about [Pod Disruptions](/docs/concepts/workloads/pods/disruptions/).
-* You should confirm with your cluster owner or service provider that they respect
+- You should have read about [Pod Disruptions](/docs/concepts/workloads/pods/disruptions/).
+- You should confirm with your cluster owner or service provider that they respect
   Pod Disruption Budgets.
 -->
-* 你是 Kubernetes 集群中某应用的所有者，该应用有高可用要求。
-* 你应了解如何部署[无状态应用](/zh-cn/docs/tasks/run-application/run-stateless-application-deployment/)
+- 你是 Kubernetes 集群中某应用的所有者，该应用有高可用要求。
+- 你应了解如何部署[无状态应用](/zh-cn/docs/tasks/run-application/run-stateless-application-deployment/)
   和/或[有状态应用](/zh-cn/docs/tasks/run-application/run-replicated-stateful-application/)。
-* 你应当已经阅读过关于 [Pod 干扰](/zh-cn/docs/concepts/workloads/pods/disruptions/) 的文档。
-* 用户应当与集群所有者或服务提供者确认其遵从 Pod 干扰预算（Pod Disruption Budgets）的规则。
+- 你应当已经阅读过关于 [Pod 干扰](/zh-cn/docs/concepts/workloads/pods/disruptions/) 的文档。
+- 用户应当与集群所有者或服务提供者确认其遵从 Pod 干扰预算（Pod Disruption Budgets）的规则。
 
 <!-- steps -->
 
@@ -52,11 +52,11 @@ nodes.
 1. Create a PDB definition as a YAML file.
 1. Create the PDB object from the YAML file.
 -->
-## 用 PodDisruptionBudget 来保护应用
+## 用 PodDisruptionBudget 来保护应用   {#protecting-app-with-pdb}
 
 1. 确定想要使用 PodDisruptionBudget (PDB) 来保护的应用。
 1. 考虑应用对干扰的反应。
-1. 以 YAML 文件形式定义 PDB 。
+1. 以 YAML 文件形式定义 PDB。
 1. 通过 YAML 文件创建 PDB 对象。
 
 <!-- discussion -->
@@ -67,7 +67,7 @@ nodes.
 The most common use case when you want to protect an application
 specified by one of the built-in Kubernetes controllers:
 -->
-## 确定要保护的应用
+## 确定要保护的应用   {#identify-app-to-protect}
 
 用户想要保护通过内置的 Kubernetes 控制器指定的应用，这是最常见的使用场景：
 
@@ -150,7 +150,7 @@ due to a voluntary disruption.
 
 Values for `minAvailable` or `maxUnavailable` can be expressed as integers or as a percentage.
 -->
-### 指定百分比时的舍入逻辑
+### 指定百分比时的舍入逻辑   {#rounding-logic-when-specifying-percentages}
 
 `minAvailable` 或 `maxUnavailable` 的值可以表示为整数或百分比。
 
@@ -158,52 +158,54 @@ Values for `minAvailable` or `maxUnavailable` can be expressed as integers or as
 - When you specify an integer, it represents a number of Pods. For instance, if you set `minAvailable` to 10, then 10
   Pods must always be available, even during a disruption.
 - When you specify a percentage by setting the value to a string representation of a percentage (eg. `"50%"`), it represents a percentage of
-  total Pods. For instance, if you set `maxUnavailable` to `"50%"`, then only 50% of the Pods can be unavailable during a
+  total Pods. For instance, if you set `minAvailable` to `"50%"`, then at least 50% of the Pods remain available during a
   disruption.
 -->
-- 指定整数值时，它表示 Pod 个数。例如，如果将 minAvailable 设置为 10，
-  那么即使在干扰期间，也必须始终有 10 个Pod可用。
-- 通过将值设置为百分比的字符串表示形式（例如 “50％”）来指定百分比时，它表示占总 Pod 数的百分比。
-  例如，如果将 "maxUnavailable" 设置为 “50％”，则干扰期间只允许 50％ 的 Pod 不可用。
+- 指定整数值时，它表示 Pod 个数。例如，如果将 `minAvailable` 设置为 10，
+  那么即使在干扰期间，也必须始终有 10 个 Pod 可用。
+- 通过将值设置为百分比的字符串表示形式（例如 `"50％"`）来指定百分比时，它表示占总 Pod 数的百分比。
+  例如，如果将 `minAvailable` 设置为 `"50％"`，则干扰期间至少 50％ 的 Pod 保持可用。
 
 <!--
 When you specify the value as a percentage, it may not map to an exact number of Pods. For example, if you have 7 Pods and
 you set `minAvailable` to `"50%"`, it's not immediately obvious whether that means 3 Pods or 4 Pods must be available.
-Kubernetes rounds up to the nearest integer, so in this case, 4 Pods must be available. You can examine the
+Kubernetes rounds up to the nearest integer, so in this case, 4 Pods must be available. When you specify the value 
+`maxUnavailable` as a percentage, Kubernetes rounds up the number of Pods that may be disrupted. Thereby a disruption 
+can exceed your defined `maxUnavailable` percentage. You can examine the
 [code](https://github.com/kubernetes/kubernetes/blob/23be9587a0f8677eb8091464098881df939c44a9/pkg/controller/disruption/disruption.go#L539)
 that controls this behavior.
 -->
 如果将值指定为百分比，则可能无法映射到确切数量的 Pod。例如，如果你有 7 个 Pod，
-并且你将 `minAvailable` 设置为 `"50％"`，具体是 3 个 Pod 或 4 个 Pod 必须可用
-并非显而易见。
+并且你将 `minAvailable` 设置为 `"50％"`，具体是 3 个 Pod 或 4 个 Pod 必须可用并非显而易见。
 Kubernetes 采用向上取整到最接近的整数的办法，因此在这种情况下，必须有 4 个 Pod。
-你可以检查控制此行为的
-[代码](https://github.com/kubernetes/kubernetes/blob/23be9587a0f8677eb8091464098881df939c44a9/pkg/controller/disruption/disruption.go#L539)。
+当你将 `maxUnavailable` 值指定为一个百分比时，Kubernetes 将可以干扰的 Pod 个数向上取整。
+因此干扰可以超过你定义的 `maxUnavailable` 百分比。
+你可以检查控制此行为的[代码](https://github.com/kubernetes/kubernetes/blob/23be9587a0f8677eb8091464098881df939c44a9/pkg/controller/disruption/disruption.go#L539)。
 
 <!--
 ## Specifying a PodDisruptionBudget
 
 A `PodDisruptionBudget` has three fields:
 -->
-## 指定 PodDisruptionBudget
+## 指定 PodDisruptionBudget   {#specifying-a-poddisruptionbudget}
 
 一个 `PodDisruptionBudget` 有 3 个字段：
 
 <!--
-* A label selector `.spec.selector` to specify the set of
-pods to which it applies. This field is required.
-* `.spec.minAvailable` which is a description of the number of pods from that
-set that must still be available after the eviction, even in the absence
-of the evicted pod. `minAvailable` can be either an absolute number or a percentage.
-* `.spec.maxUnavailable` (available in Kubernetes 1.7 and higher) which is a description
-of the number of pods from that set that can be unavailable after the eviction.
-It can be either an absolute number or a percentage.
+- A label selector `.spec.selector` to specify the set of
+  pods to which it applies. This field is required.
+- `.spec.minAvailable` which is a description of the number of pods from that
+  set that must still be available after the eviction, even in the absence
+  of the evicted pod. `minAvailable` can be either an absolute number or a percentage.
+- `.spec.maxUnavailable` (available in Kubernetes 1.7 and higher) which is a description
+  of the number of pods from that set that can be unavailable after the eviction.
+  It can be either an absolute number or a percentage.
 -->
-* 标签选择算符 `.spec.selector` 用于指定其所作用的 Pod 集合，该字段为必需字段。
-* `.spec.minAvailable` 表示驱逐后仍须保证可用的 Pod 数量。即使因此影响到 Pod 驱逐
+- 标签选择算符 `.spec.selector` 用于指定其所作用的 Pod 集合，该字段为必需字段。
+- `.spec.minAvailable` 表示驱逐后仍须保证可用的 Pod 数量。即使因此影响到 Pod 驱逐
   （即该条件在和 Pod 驱逐发生冲突时优先保证）。
   `minAvailable` 值可以是绝对值，也可以是百分比。
-* `.spec.maxUnavailable` （Kubernetes 1.7 及更高的版本中可用）表示驱逐后允许不可用的
+- `.spec.maxUnavailable` （Kubernetes 1.7 及更高的版本中可用）表示驱逐后允许不可用的
   Pod 的最大数量。其值可以是绝对值或是百分比。
 
 {{< note >}}
@@ -249,10 +251,14 @@ unhealthy replicas among the total number of desired replicas.
 示例 3：设置 `maxUnavailable` 值为 5 的情况下，驱逐时需保证所需副本中最多 5 个处于不可用状态。
 
 <!--
-Example 4: With a `maxUnavailable` of 30%, evictions are allowed as long as no more than 30%
-of the desired replicas are unhealthy.
+Example 4: With a `maxUnavailable` of 30%, evictions are allowed as long as the number of 
+unhealthy replicas does not exceed 30% of the total number of desired replica rounded up to 
+the nearest integer. If the total number of desired replicas is just one, that single replica
+is still allowed for disruption, leading to an effective unavailability of 100%.
 -->
-示例 4：设置 `maxUnavailable` 值为 30% 的情况下，驱逐时需保证所需副本中最多 30% 处于不可用状态。
+示例 4：设置 `maxUnavailable` 值为 30% 的情况下，只要不健康的副本数量不超过所需副本总数的 30%
+（取整到最接近的整数），就允许驱逐。如果所需副本的总数仅为一个，则仍允许该单个副本中断，
+从而导致不可用性实际达到 100%。
 
 <!--
 In typical usage, a single budget would be used for a collection of pods managed by
@@ -270,9 +276,9 @@ specified in the budget, thus bringing the number of available pods from the
 collection below the specified size. The budget can only protect against
 voluntary evictions, not all causes of unavailability.
 -->
-干扰预算并不能真正保证指定数量/百分比的 Pod 一直处于运行状态。例如： 当 Pod 集合的
-规模处于预算指定的最小值时，承载集合中某个 Pod 的节点发生了故障，这样就导致集合中可用 Pod 的
-数量低于预算指定值。预算只能够针对自发的驱逐提供保护，而不能针对所有 Pod 不可用的诱因。
+干扰预算并不能真正保证指定数量/百分比的 Pod 一直处于运行状态。例如：当 Pod
+集合的规模处于预算指定的最小值时，承载集合中某个 Pod 的节点发生了故障，这样就导致集合中可用
+Pod 的数量低于预算指定值。预算只能够针对自发的驱逐提供保护，而不能针对所有 Pod 不可用的诱因。
 {{< /note >}}
 
 <!--
@@ -292,12 +298,12 @@ semantics of `PodDisruptionBudget`.
 You can find examples of pod disruption budgets defined below. They match pods with the label
 `app: zookeeper`.
 -->
-用户可以在下面看到 pod 干扰预算定义的示例，它们与带有 `app: zookeeper` 标签的 pod 相匹配：
+用户可以在下面看到 Pod 干扰预算定义的示例，它们与带有 `app: zookeeper` 标签的 Pod 相匹配：
 
 <!--
 Example PDB Using minAvailable:
 -->
-使用 minAvailable 的PDB 示例：
+使用 minAvailable 的 PDB 示例：
 
 {{< codenew file="policy/zookeeper-pod-disruption-budget-minavailable.yaml" >}}
 
@@ -315,34 +321,27 @@ automatically responds to changes in the number of replicas of the corresponding
 -->
 例如，如果上述 `zk-pdb` 选择的是一个规格为 3 的 StatefulSet 对应的 Pod，
 那么上面两种规范的含义完全相同。
-推荐使用 `maxUnavailable` ，因为它自动响应控制器副本数量的变化。
+推荐使用 `maxUnavailable`，因为它自动响应控制器副本数量的变化。
 
 <!--
 ## Create the PDB object
 
 You can create or update the PDB object using kubectl.
-```shell
-kubectl apply -f mypdb.yaml
-```
 -->
-## 创建 PDB 对象
+## 创建 PDB 对象   {#create-pdb-object}
 
 你可以使用 kubectl 创建或更新 PDB 对象。
+
 ```shell
 kubectl apply -f mypdb.yaml
 ```
 
-<!--
-You cannot update PDB objects.  They must be deleted and re-created.
--->
-PDB 对象无法更新，必须删除后重新创建。
-
 <!--
 ## Check the status of the PDB
 
 Use kubectl to check that your PDB is created.
 -->
-## 检查 PDB 的状态
+## 检查 PDB 的状态   {#check-status-of-pdb}
 
 使用 kubectl 来确认 PDB 被创建。
 
@@ -531,5 +530,5 @@ so most users will want to avoid overlapping selectors. One reasonable use of ov
 PDBs is when pods are being transitioned from one PDB to another.
 -->
 你可以令选择算符选择一个内置控制器所控制 Pod 的子集或父集。
-驱逐 API 将不允许驱逐被多个 PDB 覆盖的任何 Pod，因此大多数用户都希望避免重叠的选择算符。重叠 PDB 的一种合理用途是当 Pod 从一个 PDB 过渡到另一个 PDB 时再使用。
-
+驱逐 API 将不允许驱逐被多个 PDB 覆盖的任何 Pod，因此大多数用户都希望避免重叠的选择算符。
+重叠 PDB 的一种合理用途是当 Pod 从一个 PDB 过渡到另一个 PDB 时再使用。
diff --git a/content/zh-cn/docs/tasks/run-application/delete-stateful-set.md b/content/zh-cn/docs/tasks/run-application/delete-stateful-set.md
index d331419eb5b62..8a61b54c7ae28 100644
--- a/content/zh-cn/docs/tasks/run-application/delete-stateful-set.md
+++ b/content/zh-cn/docs/tasks/run-application/delete-stateful-set.md
@@ -3,7 +3,6 @@ title: 删除 StatefulSet
 content_type: task
 weight: 60
 ---
-
 <!--
 reviewers:
 - bprashanth
@@ -26,18 +25,21 @@ This task shows you how to delete a {{< glossary_tooltip term_id="StatefulSet" >
 ## {{% heading "prerequisites" %}}
 
 <!--
-* This task assumes you have an application running on your cluster represented by a StatefulSet.
+- This task assumes you have an application running on your cluster represented by a StatefulSet.
 -->
-* 本任务假设在你的集群上已经运行了由 StatefulSet 创建的应用。
+- 本任务假设在你的集群上已经运行了由 StatefulSet 创建的应用。
 
 <!-- steps -->
 
-## 删除 StatefulSet   {#deleting-a-statefulset}
-
 <!--
+## Deleting a StatefulSet
+
 You can delete a StatefulSet in the same way you delete other resources in Kubernetes: use the `kubectl delete` command, and specify the StatefulSet either by file or by name.
 -->
-你可以像删除 Kubernetes 中的其他资源一样删除 StatefulSet：使用 `kubectl delete` 命令，并按文件或者名字指定 StatefulSet。
+## 删除 StatefulSet   {#deleting-a-statefulset}
+
+你可以像删除 Kubernetes 中的其他资源一样删除 StatefulSet：
+使用 `kubectl delete` 命令，并按文件或者名字指定 StatefulSet。
 
 ```shell
 kubectl delete -f <file.yaml>
@@ -81,14 +83,13 @@ kubectl delete -f <file.yaml> --cascade=orphan
 By passing `--cascade=orphan` to `kubectl delete`, the Pods managed by the StatefulSet are left behind even after the StatefulSet object itself is deleted. If the pods have a label `app.kubernetes.io/name=MyApp`, you can then delete them as follows:
 --->
 通过将 `--cascade=orphan` 传递给 `kubectl delete`，在删除 StatefulSet 对象之后，
-StatefulSet 管理的 Pod 会被保留下来。如果 Pod 具有标签 `app.kubernetes.io/name=MyApp`，则可以按照
-如下方式删除它们：
+StatefulSet 管理的 Pod 会被保留下来。如果 Pod 具有标签 `app.kubernetes.io/name=MyApp`，
+则可以按照如下方式删除它们：
 
 ```shell
 kubectl delete pods -l app.kubernetes.io/name=MyApp
 ```
 
-
 <!--
 ### Persistent Volumes
 
@@ -100,10 +101,10 @@ Deleting the Pods in a StatefulSet will not delete the associated volumes. This
 在 Pod 已经终止后删除 PVC 可能会触发删除背后的 PV 持久卷，具体取决于存储类和回收策略。
 永远不要假定在 PVC 删除后仍然能够访问卷。
 
+{{< note >}}
 <!--
 Use caution when deleting a PVC, as it may lead to data loss.
 -->
-{{< note >}}
 删除 PVC 时要谨慎，因为这可能会导致数据丢失。
 {{< /note >}}
 
@@ -114,8 +115,8 @@ To delete everything in a StatefulSet, including the associated pods, you can ru
 -->
 ### 完全删除 StatefulSet  {#complete-deletion-of-a-statefulset}
 
-要删除 StatefulSet 中的所有内容，包括关联的 Pod，你可以运行
-一系列如下所示的命令：
+要删除 StatefulSet 中的所有内容，包括关联的 Pod，
+你可以运行如下所示的一系列命令：
 
 ```shell
 grace=$(kubectl get pods <stateful-set-pod> --template '{{.spec.terminationGracePeriodSeconds}}')
@@ -134,12 +135,11 @@ In the example above, the Pods have the label `app.kubernetes.io/name=MyApp`; su
 
 If you find that some pods in your StatefulSet are stuck in the 'Terminating' or 'Unknown' states for an extended period of time, you may need to manually intervene to forcefully delete the pods from the apiserver. This is a potentially dangerous task. Refer to [Force Delete StatefulSet Pods](/docs/tasks/run-application/force-delete-stateful-set-pod/) for details.
 -->
-### 强制删除 StatefulSet 的 Pod
+### 强制删除 StatefulSet 的 Pod   {#force-deletion-of-statefulset-pods}
 
 如果你发现 StatefulSet 的某些 Pod 长时间处于 'Terminating' 或者 'Unknown' 状态，
-则可能需要手动干预以强制从 API 服务器中删除这些 Pod。
-这是一项有点危险的任务。详细信息请阅读
-[强制删除 StatefulSet 的 Pod](/zh-cn/docs/tasks/run-application/force-delete-stateful-set-pod/)。
+则可能需要手动干预以强制从 API 服务器中删除这些 Pod。这是一项有点危险的任务。
+详细信息请阅读[强制删除 StatefulSet 的 Pod](/zh-cn/docs/tasks/run-application/force-delete-stateful-set-pod/)。
 
 ## {{% heading "whatsnext" %}}
 
@@ -147,5 +147,3 @@ If you find that some pods in your StatefulSet are stuck in the 'Terminating' or
 Learn more about [force deleting StatefulSet Pods](/docs/tasks/run-application/force-delete-stateful-set-pod/).
 -->
 进一步了解[强制删除 StatefulSet 的 Pod](/zh-cn/docs/tasks/run-application/force-delete-stateful-set-pod/)。
-
-
diff --git a/content/zh-cn/docs/tasks/run-application/scale-stateful-set.md b/content/zh-cn/docs/tasks/run-application/scale-stateful-set.md
index c8ca657e8335c..4354689635980 100644
--- a/content/zh-cn/docs/tasks/run-application/scale-stateful-set.md
+++ b/content/zh-cn/docs/tasks/run-application/scale-stateful-set.md
@@ -3,32 +3,45 @@ title: 扩缩 StatefulSet
 content_type: task
 weight: 50
 ---
+<!--
+reviewers:
+- bprashanth
+- enisoc
+- erictune
+- foxish
+- janetkuo
+- kow3ns
+- smarterclayton
+title: Scale a StatefulSet
+content_type: task
+weight: 50
+-->
 
 <!-- overview -->
 <!--
 This task shows how to scale a StatefulSet. Scaling a StatefulSet refers to increasing or decreasing the number of replicas.
 -->
-本文介绍如何扩缩StatefulSet。StatefulSet 的扩缩指的是增加或者减少副本个数。
-
+本文介绍如何扩缩 StatefulSet。StatefulSet 的扩缩指的是增加或者减少副本个数。
 
 ## {{% heading "prerequisites" %}}
 
 <!--
-* StatefulSets are only available in Kubernetes version 1.5 or later.
+- StatefulSets are only available in Kubernetes version 1.5 or later.
   To check your version of Kubernetes, run `kubectl version`.
 
-* Not all stateful applications scale nicely. If you are unsure about whether to scale your StatefulSets, see [StatefulSet concepts](/docs/concepts/workloads/controllers/statefulset/) or [StatefulSet tutorial](/docs/tutorials/stateful-application/basic-stateful-set/) for further information.
+- Not all stateful applications scale nicely. If you are unsure about whether to scale your StatefulSets, see [StatefulSet concepts](/docs/concepts/workloads/controllers/statefulset/) or [StatefulSet tutorial](/docs/tutorials/stateful-application/basic-stateful-set/) for further information.
 
-* You should perform scaling only when you are confident that your stateful application
+- You should perform scaling only when you are confident that your stateful application
   cluster is completely healthy.
 -->
-* StatefulSets 仅适用于 Kubernetes 1.5 及以上版本。
-* 不是所有 Stateful 应用都能很好地执行扩缩操作。 
+- StatefulSets 仅适用于 Kubernetes 1.5 及以上版本。
+  要查看你的 Kubernetes 版本，运行 `kubectl version`。
+- 不是所有 Stateful 应用都能很好地执行扩缩操作。
   如果你不是很确定是否要扩缩你的 StatefulSet，可先参阅
   [StatefulSet 概念](/zh-cn/docs/concepts/workloads/controllers/statefulset/)
   或者 [StatefulSet 教程](/zh-cn/docs/tutorials/stateful-application/basic-stateful-set/)。
 
-* 仅当你确定你的有状态应用的集群是完全健康的，才可执行扩缩操作.
+- 仅当你确定你的有状态应用的集群是完全健康的，才可执行扩缩操作.
 
 <!-- steps -->
 
@@ -45,7 +58,7 @@ kubectl get statefulsets <stateful-set-name>
 -->
 ## 扩缩 StatefulSet   {#scaling-statefulset}
 
-## 使用 `kubectl` 扩缩 StatefulSet
+### 使用 `kubectl` 扩缩 StatefulSet    {#use-kubectl-to-scale-statefulsets}
 
 首先，找到你要扩缩的 StatefulSet。
 
@@ -74,12 +87,12 @@ Alternatively, you can do [in-place updates](/docs/concepts/cluster-administrati
 If your StatefulSet was initially created with `kubectl apply`,
 update `.spec.replicas` of the StatefulSet manifests, and then do a `kubectl apply`:
 -->
-### 对 StatefulSet 执行就地更新
+### 对 StatefulSet 执行就地更新    {#make-in-place-updates-on-statefulset}
 
 另外, 你可以[就地更新](/zh-cn/docs/concepts/cluster-administration/manage-deployment/#in-place-updates-of-resources) StatefulSet。
 
-如果你的 StatefulSet 最初通过 `kubectl apply` 或 `kubectl create --save-config` 创建,
-你可以更新 StatefulSet 清单中的 `.spec.replicas`, 然后执行命令 `kubectl apply`:
+如果你的 StatefulSet 最初通过 `kubectl apply` 或 `kubectl create --save-config` 创建，
+你可以更新 StatefulSet 清单中的 `.spec.replicas`，然后执行命令 `kubectl apply`：
 
 <!--
 ```shell
@@ -121,7 +134,7 @@ kubectl patch statefulsets <statefulset 名称> -p '{"spec":{"replicas":<new-rep
 -->
 ## 故障排查  {#troubleshooting}
 
-### 缩容操作无法正常工作
+### 缩容操作无法正常工作   {#scaling-down-does-not-work}
 
 <!--
 You cannot scale down a StatefulSet when any of the stateful Pods it manages is unhealthy. Scaling down only takes place
@@ -130,7 +143,7 @@ after those stateful Pods become running and ready.
 If spec.replicas > 1, Kubernetes cannot determine the reason for an unhealthy Pod. It might be the result of a permanent fault or of a transient fault. A transient fault can be caused by a restart required by upgrading or maintenance.
 -->
 当 Stateful 所管理的任何 Pod 不健康时，你不能对该 StatefulSet 执行缩容操作。
-仅当 StatefulSet 的所有 Pod 都处于运行状态和 Ready 状况后才可缩容.
+仅当 StatefulSet 的所有 Pod 都处于运行状态和 Ready 状况后才可缩容。
 
 如果 `spec.replicas` 大于 1，Kubernetes 无法判定 Pod 不健康的原因。
 Pod 不健康可能是由于永久性故障造成也可能是瞬态故障。
@@ -142,7 +155,7 @@ without correcting the fault may lead to a state where the StatefulSet membershi
 drops below a certain minimum number of replicas that are needed to function
 correctly. This may cause your StatefulSet to become unavailable.
 -->
-如果该 Pod 不健康是由于永久性故障导致, 则在不纠正该故障的情况下进行缩容可能会导致
+如果该 Pod 不健康是由于永久性故障导致，则在不纠正该故障的情况下进行缩容可能会导致
 StatefulSet 进入一种状态，其成员 Pod 数量低于应正常运行的副本数。
 这种状态也许会导致 StatefulSet 不可用。
 
@@ -154,15 +167,14 @@ to reason about scaling operations at the application level in these cases, and
 perform scaling only when you are sure that your stateful application cluster is
 completely healthy.
 -->
-如果由于瞬态故障而导致 Pod 不健康并且 Pod 可能再次变为可用，那么瞬态错误可能会干扰
-你对 StatefulSet 的扩容/缩容操作。 一些分布式数据库在同时有节点加入和离开时
-会遇到问题。在这些情况下，最好是在应用级别进行分析扩缩操作的状态, 并且只有在确保
+如果由于瞬态故障而导致 Pod 不健康并且 Pod 可能再次变为可用，那么瞬态错误可能会干扰你对
+StatefulSet 的扩容/缩容操作。一些分布式数据库在同时有节点加入和离开时会遇到问题。
+在这些情况下，最好是在应用级别进行分析扩缩操作的状态，并且只有在确保
 Stateful 应用的集群是完全健康时才执行扩缩操作。
 
 ## {{% heading "whatsnext" %}}
 
 <!--
-* Learn more about [deleting a StatefulSet](/docs/tasks/run-application/delete-stateful-set/).
+- Learn more about [deleting a StatefulSet](/docs/tasks/run-application/delete-stateful-set/).
 -->
-* 进一步了解[删除 StatefulSet](/zh-cn/docs/tasks/run-application/delete-stateful-set/)
-
+- 进一步了解[删除 StatefulSet](/zh-cn/docs/tasks/run-application/delete-stateful-set/)

From d96eb8e8701994f13f3191a68b2c5d2045b7f6ea Mon Sep 17 00:00:00 2001
From: windsonsea <haifeng.yao@daocloud.io>
Date: Tue, 14 Mar 2023 17:46:03 +0800
Subject: [PATCH 142/215] [zh] sync run-replicated-stateful-application.md

---
 .../run-replicated-stateful-application.md    | 136 +++++++++---------
 1 file changed, 67 insertions(+), 69 deletions(-)

diff --git a/content/zh-cn/docs/tasks/run-application/run-replicated-stateful-application.md b/content/zh-cn/docs/tasks/run-application/run-replicated-stateful-application.md
index 25a2e979e6907..111100c707d8c 100644
--- a/content/zh-cn/docs/tasks/run-application/run-replicated-stateful-application.md
+++ b/content/zh-cn/docs/tasks/run-application/run-replicated-stateful-application.md
@@ -30,11 +30,11 @@ replication.
 示例应用的拓扑结构有一个主服务器和多个副本，使用异步的基于行（Row-Based）
 的数据复制。
 
+{{< note >}}
 <!--
 **This is not a production configuration**. MySQL settings remain on insecure defaults to keep the focus
 on general patterns for running stateful applications in Kubernetes.
 -->
-{{< note >}}
 **这一配置不适合生产环境。**
 MySQL 设置都使用的是不安全的默认值，这是因为我们想把重点放在 Kubernetes
 中运行有状态应用程序的一般模式上。
@@ -42,41 +42,40 @@ MySQL 设置都使用的是不安全的默认值，这是因为我们想把重
 
 ## {{% heading "prerequisites" %}}
 
-* {{< include "task-tutorial-prereqs.md" >}}
-* {{< include "default-storage-class-prereqs.md" >}}
-
+- {{< include "task-tutorial-prereqs.md" >}}
+- {{< include "default-storage-class-prereqs.md" >}}
 <!--
-* This tutorial assumes you are familiar with
+- This tutorial assumes you are familiar with
   [PersistentVolumes](/docs/concepts/storage/persistent-volumes/)
   and [StatefulSets](/docs/concepts/workloads/controllers/statefulset/),
   as well as other core concepts like [Pods](/docs/concepts/workloads/pods/),
   [Services](/docs/concepts/services-networking/service/), and
   [ConfigMaps](/docs/tasks/configure-pod-container/configure-pod-configmap/).
-* Some familiarity with MySQL helps, but this tutorial aims to present
+- Some familiarity with MySQL helps, but this tutorial aims to present
   general patterns that should be useful for other systems.
-* You are using the default namespace or another namespace that does not contain any conflicting objects.
+- You are using the default namespace or another namespace that does not contain any conflicting objects.
 -->
-* 本教程假定你熟悉
+- 本教程假定你熟悉
   [PersistentVolumes](/zh-cn/docs/concepts/storage/persistent-volumes/)
-  与 [StatefulSet](/zh-cn/docs/concepts/workloads/controllers/statefulset/),
+  与 [StatefulSet](/zh-cn/docs/concepts/workloads/controllers/statefulset/)，
   以及其他核心概念，例如 [Pod](/zh-cn/docs/concepts/workloads/pods/)、
-  [服务](/zh-cn/docs/concepts/services-networking/service/) 与
-  [ConfigMap](/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/).
-* 熟悉 MySQL 会有所帮助，但是本教程旨在介绍对其他系统应该有用的常规模式。
-* 你正在使用默认命名空间或不包含任何冲突对象的另一个命名空间。
+  [服务](/zh-cn/docs/concepts/services-networking/service/)与
+  [ConfigMap](/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/)。
+- 熟悉 MySQL 会有所帮助，但是本教程旨在介绍对其他系统应该有用的常规模式。
+- 你正在使用默认命名空间或不包含任何冲突对象的另一个命名空间。
 
 ## {{% heading "objectives" %}}
 
 <!--
-* Deploy a replicated MySQL topology with a StatefulSet.
-* Send MySQL client traffic.
-* Observe resistance to downtime.
-* Scale the StatefulSet up and down.
+- Deploy a replicated MySQL topology with a StatefulSet.
+- Send MySQL client traffic.
+- Observe resistance to downtime.
+- Scale the StatefulSet up and down.
 -->
-* 使用 StatefulSet 部署多副本 MySQL 拓扑架构。
-* 发送 MySQL 客户端请求
-* 观察对宕机的抵抗力
-* 扩缩 StatefulSet 的规模
+- 使用 StatefulSet 部署多副本 MySQL 拓扑架构。
+- 发送 MySQL 客户端请求。
+- 观察对宕机的抵抗力。
+- 扩缩 StatefulSet 的规模。
 
 <!-- lessoncontent -->
 
@@ -119,7 +118,7 @@ and you want replicas to reject any writes that don't come via replication.
 There's nothing special about the ConfigMap itself that causes different
 portions to apply to different Pods.
 Each Pod decides which portion to look at as it's initializing,
-based on information provided by the StatefulSet controller. 
+based on information provided by the StatefulSet controller.
 -->
 ConfigMap 本身没有什么特别之处，因而也不会出现不同部分应用于不同的 Pod 的情况。
 每个 Pod 都会在初始化时基于 StatefulSet 控制器提供的信息决定要查看的部分。
@@ -145,7 +144,7 @@ The headless Service provides a home for the DNS entries that the StatefulSet
 Pod that's part of the set.
 Because the headless Service is named `mysql`, the Pods are accessible by
 resolving `<pod-name>.mysql` from within any other Pod in the same Kubernetes
-cluster and namespace. 
+cluster and namespace.
 -->
 这个无头 Service 给 StatefulSet {{< glossary_tooltip text="控制器" term_id="controller" >}}
 为集合中每个 Pod 创建的 DNS 条目提供了一个宿主。
@@ -156,7 +155,7 @@ cluster and namespace.
 The client Service, called `mysql-read`, is a normal Service with its own
 cluster IP that distributes connections across all MySQL Pods that report
 being Ready. The set of potential endpoints includes the primary MySQL server and all
-replicas. 
+replicas.
 -->
 客户端 Service 称为 `mysql-read`，是一种常规 Service，具有其自己的集群 IP。
 该集群 IP 在报告就绪的所有 MySQL Pod 之间分配连接。
@@ -166,7 +165,7 @@ replicas.
 Note that only read queries can use the load-balanced client Service.
 Because there is only one primary MySQL server, clients should connect directly to the
 primary MySQL Pod (through its DNS entry within the headless Service) to execute
-writes. 
+writes.
 -->
 请注意，只有读查询才能使用负载平衡的客户端 Service。
 因为只有一个 MySQL 主服务器，所以客户端应直接连接到 MySQL 主服务器 Pod
@@ -175,7 +174,7 @@ writes.
 <!--
 ### Create the StatefulSet {#statefulset}
 
-Finally, create the StatefulSet from the following YAML configuration file: 
+Finally, create the StatefulSet from the following YAML configuration file:
 -->
 ### 创建 StatefulSet {#statefulset}
 
@@ -218,8 +217,8 @@ Press **Ctrl+C** to cancel the watch.
 If you don't see any progress, make sure you have a dynamic PersistentVolume
 provisioner enabled, as mentioned in the [prerequisites](#before-you-begin).
 -->
-如果你看不到任何进度，确保已启用[前提条件](#准备开始)
-中提到的动态 PersistentVolume 制备程序。
+如果你看不到任何进度，确保已启用[前提条件](#准备开始)中提到的动态
+PersistentVolume 制备器。
 {{< /note >}}
 
 <!--
@@ -237,7 +236,7 @@ The StatefulSet controller starts Pods one at a time, in order by their
 ordinal index.
 It waits until each Pod reports being Ready before starting the next one. 
 -->
-## 了解有状态的 Pod 初始化
+## 了解有状态的 Pod 初始化   {#understanding-stateful-pod-init}
 
 StatefulSet 控制器按序数索引顺序地每次启动一个 Pod。
 它一直等到每个 Pod 报告就绪才再启动下一个 Pod。
@@ -263,16 +262,16 @@ Before starting any of the containers in the Pod spec, the Pod first runs any
 [init Containers](/docs/concepts/workloads/pods/init-containers/)
 in the order defined. 
 -->
-### 生成配置
+### 生成配置   {#generating-config}
 
 在启动 Pod 规约中的任何容器之前，Pod 首先按顺序运行所有的
-[初始化容器](/zh-cn/docs/concepts/workloads/pods/init-containers/)。
+[Init 容器](/zh-cn/docs/concepts/workloads/pods/init-containers/)。
 
 <!--
 The first init container, named `init-mysql`, generates special MySQL config
 files based on the ordinal index. 
 -->
-第一个名为 `init-mysql` 的初始化容器根据序号索引生成特殊的 MySQL 配置文件。
+第一个名为 `init-mysql` 的 Init 容器根据序号索引生成特殊的 MySQL 配置文件。
 
 <!--
 The script determines its own ordinal index by extracting it from the end of
@@ -304,9 +303,8 @@ replicating.
 由于示例部署结构由单个 MySQL 主节点和任意数量的副本节点组成，
 因此脚本仅将序数 `0` 指定为主节点，而将其他所有节点指定为副本节点。
 
-与 StatefulSet 控制器的
-[部署顺序保证](/zh-cn/docs/concepts/workloads/controllers/statefulset/#deployment-and-scaling-guarantees)
-相结合，
+与 StatefulSet
+控制器的[部署顺序保证](/zh-cn/docs/concepts/workloads/controllers/statefulset/#deployment-and-scaling-guarantees)相结合，
 可以确保 MySQL 主服务器在创建副本服务器之前已准备就绪，以便它们可以开始复制。
 
 <!--
@@ -316,7 +314,7 @@ In general, when a new Pod joins the set as a replica, it must assume the primar
 server might already have data on it. It also must assume that the replication
 logs might not go all the way back to the beginning of time. 
 -->
-### 克隆现有数据
+### 克隆现有数据   {#cloning-existing-data}
 
 通常，当新 Pod 作为副本节点加入集合时，必须假定 MySQL 主节点可能已经有数据。
 还必须假设复制日志可能不会一直追溯到时间的开始。
@@ -333,7 +331,7 @@ a replica Pod the first time it starts up on an empty PersistentVolume.
 That means it copies all existing data from another running Pod,
 so its local state is consistent enough to begin replicating from the primary server.
 -->
-第二个名为 `clone-mysql` 的初始化容器，第一次在带有空 PersistentVolume 的副本 Pod
+第二个名为 `clone-mysql` 的 Init 容器，第一次在带有空 PersistentVolume 的副本 Pod
 上启动时，会在从属 Pod 上执行克隆操作。
 这意味着它将从另一个运行中的 Pod 复制所有现有数据，使此其本地状态足够一致，
 从而可以开始从主服务器复制。
@@ -350,7 +348,7 @@ Ready before starting Pod `N+1`.
 MySQL 本身不提供执行此操作的机制，因此本示例使用了一种流行的开源工具 Percona XtraBackup。
 在克隆期间，源 MySQL 服务器性能可能会受到影响。
 为了最大程度地减少对 MySQL 主服务器的影响，该脚本指示每个 Pod 从序号较低的 Pod 中克隆。
-可以这样做的原因是 StatefulSet 控制器始终确保在启动 Pod `N + 1` 之前 Pod `N` 已准备就绪。
+可以这样做的原因是 StatefulSet 控制器始终确保在启动 Pod `N+1` 之前 Pod `N` 已准备就绪。
 
 <!--
 ### Starting replication 
@@ -360,9 +358,9 @@ The MySQL Pods consist of a `mysql` container that runs the actual `mysqld`
 server, and an `xtrabackup` container that acts as a
 [sidecar](/blog/2015/06/the-distributed-system-toolkit-patterns).
 -->
-### 开始复制
+### 开始复制   {#starting-replication}
 
-初始化容器成功完成后，应用容器将运行。MySQL Pod 由运行实际 `mysqld` 服务的 `mysql`
+Init 容器成功完成后，应用容器将运行。MySQL Pod 由运行实际 `mysqld` 服务的 `mysql`
 容器和充当[辅助工具](/blog/2015/06/the-distributed-system-toolkit-patterns)的
 xtrabackup 容器组成。
 
@@ -405,7 +403,7 @@ You can send test queries to the primary MySQL server (hostname `mysql-0.mysql`)
 by running a temporary container with the `mysql:5.7` image and running the
 `mysql` client binary. 
 -->
-## 发送客户端请求
+## 发送客户端请求   {#sending-client-traffic}
 
 你可以通过运行带有 `mysql:5.7` 镜像的临时容器并运行 `mysql` 客户端二进制文件，
 将测试查询发送到 MySQL 主服务器（主机名 `mysql-0.mysql`）。
@@ -504,9 +502,9 @@ running while you force a Pod out of the Ready state.
 
 The [readiness probe](/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes)
 for the `mysql` container runs the command `mysql -h 127.0.0.1 -e 'SELECT 1'`
-to make sure the server is up and able to execute queries. 
+to make sure the server is up and able to execute queries.
 -->
-### 破坏就绪态探测
+### 破坏就绪态探测   {#break-readiness-probe}
 
 `mysql` 容器的[就绪态探测](/zh-cn/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes)
 运行命令 `mysql -h 127.0.0.1 -e 'SELECT 1'`，以确保服务器已启动并能够执行查询。
@@ -567,9 +565,9 @@ kubectl exec mysql-2 -c mysql -- mv /usr/bin/mysql.off /usr/bin/mysql
 ### Delete Pods 
 
 The StatefulSet also recreates Pods if they're deleted, similar to what a
-ReplicaSet does for stateless Pods. 
+ReplicaSet does for stateless Pods.
 -->
-### 删除 Pods
+### 删除 Pod   {#delete-pods}
 
 如果删除了 Pod，则 StatefulSet 还会重新创建 Pod，类似于 ReplicaSet 对无状态 Pod 所做的操作。
 
@@ -582,7 +580,7 @@ The StatefulSet controller notices that no `mysql-2` Pod exists anymore,
 and creates a new one with the same name and linked to the same
 PersistentVolumeClaim.
 You should see server ID `102` disappear from the loop output for a while
-and then return on its own. 
+and then return on its own.
 -->
 StatefulSet 控制器注意到不再存在 `mysql-2` Pod，于是创建一个具有相同名称并链接到相同
 PersistentVolumeClaim 的新 Pod。
@@ -593,7 +591,7 @@ PersistentVolumeClaim 的新 Pod。
 
 If your Kubernetes cluster has multiple Nodes, you can simulate Node downtime
 (such as when Nodes are upgraded) by issuing a
-[drain](/docs/reference/generated/kubectl/kubectl-commands/#drain). 
+[drain](/docs/reference/generated/kubectl/kubectl-commands/#drain).
 -->
 ### 腾空节点   {#drain-a-node}
 
@@ -628,15 +626,14 @@ Replace `<node-name>` with the name of the Node you found in the last step.
 接下来，通过运行以下命令腾空节点，该命令将其保护起来，以使新的 Pod 不能调度到该节点，
 然后逐出所有现有的 Pod。将 `<节点名称>` 替换为在上一步中找到的节点名称。
 
-
 {{< caution >}}
 <!--
-Draining a Node can impact other workloads and applications 
+Draining a Node can impact other workloads and applications
 running on the same node. Only perform the following step in a test
 cluster.
 -->
 腾空一个 Node 可能影响到在该节点上运行的其他负载和应用。
-只应在测试集群上执行下列步骤
+只应在测试集群上执行下列步骤。
 {{< /caution >}}
 
 <!--
@@ -704,7 +701,7 @@ When you use MySQL replication, you can scale your read query capacity by
 adding replicas.
 For a StatefulSet, you can achieve this with a single command:
 -->
-## 扩展副本节点数量
+## 扩展副本节点数量    {#scaling-number-of-replicas}
 
 使用 MySQL 复制时，你可以通过添加副本节点来扩展读取查询的能力。
 对于 StatefulSet，你可以使用单个命令实现此目的：
@@ -729,7 +726,7 @@ the `SELECT @@server_id` loop output.
 You can also verify that these new servers have the data you added before they
 existed: 
 -->
-一旦 Pod 启动，你应该看到服务器 IDs `103` 和 `104` 开始出现在 `SELECT @@server_id`
+一旦 Pod 启动，你应该看到服务器 ID `103` 和 `104` 开始出现在 `SELECT @@server_id`
 循环输出中。
 
 你还可以验证这些新服务器在存在之前已添加了数据：
@@ -783,7 +780,7 @@ kubectl get pvc -l app=mysql
 Which shows that all 5 PVCs still exist, despite having scaled the
 StatefulSet down to 3: 
 -->
-这表明，尽管将 StatefulSet 缩小为3，所有5个 PVC 仍然存在：
+这表明，尽管将 StatefulSet 缩小为 3，所有 5 个 PVC 仍然存在：
 
 ```
 NAME           STATUS    VOLUME                                     CAPACITY   ACCESSMODES   AGE
@@ -829,13 +826,15 @@ kubectl delete pvc data-mysql-4
 1. Verify that the Pods disappear.
    They might take some time to finish terminating. 
 -->
-3. 验证 Pod 消失。他们可能需要一些时间才能完成终止。
+3. 验证 Pod 消失。它们可能需要一些时间才能完成终止。
 
    ```shell
    kubectl get pods -l app=mysql
    ```
 
-   <!-- You'll know the Pods have terminated when the above returns: -->
+   <!--
+   You'll know the Pods have terminated when the above returns:
+   -->
    当上述命令返回如下内容时，你就知道 Pod 已终止：
 
    ```
@@ -859,23 +858,22 @@ kubectl delete pvc data-mysql-4
    Some dynamic provisioners (such as those for EBS and PD) also release the
    underlying resources upon deleting the PersistentVolumes. 
 -->
-5. 如果你手动供应 PersistentVolume，则还需要手动删除它们，并释放下层资源。
-   如果你使用了动态预配器，当得知你删除 PersistentVolumeClaim 时，它将自动删除 PersistentVolume。
-   一些动态预配器（例如用于 EBS 和 PD 的预配器）也会在删除 PersistentVolume 时释放下层资源。
+5. 如果你手动制备 PersistentVolume，则还需要手动删除它们，并释放下层资源。
+   如果你使用了动态制备器，当得知你删除 PersistentVolumeClaim 时，它将自动删除 PersistentVolume。
+   一些动态制备器（例如用于 EBS 和 PD 的制备器）也会在删除 PersistentVolume 时释放下层资源。
 
 ## {{% heading "whatsnext" %}}
 
 <!--
-* Learn more about [scaling a StatefulSet](/docs/tasks/run-application/scale-stateful-set/).
-* Learn more about [debugging a StatefulSet](/docs/tasks/debug/debug-application/debug-statefulset/).
-* Learn more about [deleting a StatefulSet](/docs/tasks/run-application/delete-stateful-set/).
-* Learn more about [force deleting StatefulSet Pods](/docs/tasks/run-application/force-delete-stateful-set-pod/).
-* Look in the [Helm Charts repository](https://artifacthub.io/)
+- Learn more about [scaling a StatefulSet](/docs/tasks/run-application/scale-stateful-set/).
+- Learn more about [debugging a StatefulSet](/docs/tasks/debug/debug-application/debug-statefulset/).
+- Learn more about [deleting a StatefulSet](/docs/tasks/run-application/delete-stateful-set/).
+- Learn more about [force deleting StatefulSet Pods](/docs/tasks/run-application/force-delete-stateful-set-pod/).
+- Look in the [Helm Charts repository](https://artifacthub.io/)
   for other stateful application examples.
 -->
-* 进一步了解[为 StatefulSet 扩缩容](/zh-cn/docs/tasks/run-application/scale-stateful-set/)；
-* 进一步了解[调试 StatefulSet](/zh-cn/docs/tasks/debug/debug-application/debug-statefulset/)；
-* 进一步了解[删除 StatefulSet](/zh-cn/docs/tasks/run-application/delete-stateful-set/)；
-* 进一步了解[强制删除 StatefulSet Pod](/zh-cn/docs/tasks/run-application/force-delete-stateful-set-pod/)；
-* 在 [Helm Charts 仓库](https://artifacthub.io/)中查找其他有状态的应用程序示例。
-
+- 进一步了解[为 StatefulSet 扩缩容](/zh-cn/docs/tasks/run-application/scale-stateful-set/)；
+- 进一步了解[调试 StatefulSet](/zh-cn/docs/tasks/debug/debug-application/debug-statefulset/)；
+- 进一步了解[删除 StatefulSet](/zh-cn/docs/tasks/run-application/delete-stateful-set/)；
+- 进一步了解[强制删除 StatefulSet Pod](/zh-cn/docs/tasks/run-application/force-delete-stateful-set-pod/)；
+- 在 [Helm Charts 仓库](https://artifacthub.io/)中查找其他有状态的应用程序示例。

From 56377d3b84c5c2a07c63bd0be6a4d5ab2b0d2a35 Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Tue, 14 Mar 2023 22:44:17 +0800
Subject: [PATCH 143/215] [zh] sync assign-pod-node.md

---
 .../scheduling-eviction/assign-pod-node.md    | 90 +++++++++----------
 1 file changed, 45 insertions(+), 45 deletions(-)

diff --git a/content/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node.md b/content/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node.md
index b394f0de6fec3..5af2dfc044982 100644
--- a/content/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node.md
+++ b/content/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node.md
@@ -45,17 +45,17 @@ Pod 被部署到哪个节点。例如，确保 Pod 最终落在连接了 SSD 的
 You can use any of the following methods to choose where Kubernetes schedules
 specific Pods:
 
-* [nodeSelector](#nodeselector) field matching against [node labels](#built-in-node-labels)
-* [Affinity and anti-affinity](#affinity-and-anti-affinity)
-* [nodeName](#nodename) field
-* [Pod topology spread constraints](#pod-topology-spread-constraints)
+- [nodeSelector](#nodeselector) field matching against [node labels](#built-in-node-labels)
+- [Affinity and anti-affinity](#affinity-and-anti-affinity)
+- [nodeName](#nodename) field
+- [Pod topology spread constraints](#pod-topology-spread-constraints)
 -->
 你可以使用下列方法中的任何一种来选择 Kubernetes 对特定 Pod 的调度：
 
-* 与[节点标签](#built-in-node-labels)匹配的 [nodeSelector](#nodeSelector)
-* [亲和性与反亲和性](#affinity-and-anti-affinity)
-* [nodeName](#nodename) 字段
-* [Pod 拓扑分布约束](#pod-topology-spread-constraints)
+- 与[节点标签](#built-in-node-labels)匹配的 [nodeSelector](#nodeSelector)
+- [亲和性与反亲和性](#affinity-and-anti-affinity)
+- [nodeName](#nodename) 字段
+- [Pod 拓扑分布约束](#pod-topology-spread-constraints)
 
 <!--
 ## Node labels {#built-in-node-labels}
@@ -162,33 +162,33 @@ define. Some of the benefits of affinity and anti-affinity include:
 亲和性和反亲和性扩展了你可以定义的约束类型。使用亲和性与反亲和性的一些好处有：
 
 <!--
-* The affinity/anti-affinity language is more expressive. `nodeSelector` only
+- The affinity/anti-affinity language is more expressive. `nodeSelector` only
   selects nodes with all the specified labels. Affinity/anti-affinity gives you
   more control over the selection logic.
-* You can indicate that a rule is *soft* or *preferred*, so that the scheduler
+- You can indicate that a rule is *soft* or *preferred*, so that the scheduler
   still schedules the Pod even if it can't find a matching node.
-* You can constrain a Pod using labels on other Pods running on the node (or other topological domain),
+- You can constrain a Pod using labels on other Pods running on the node (or other topological domain),
   instead of just node labels, which allows you to define rules for which Pods
   can be co-located on a node.
 -->
-* 亲和性、反亲和性语言的表达能力更强。`nodeSelector` 只能选择拥有所有指定标签的节点。
+- 亲和性、反亲和性语言的表达能力更强。`nodeSelector` 只能选择拥有所有指定标签的节点。
   亲和性、反亲和性为你提供对选择逻辑的更强控制能力。
-* 你可以标明某规则是“软需求”或者“偏好”，这样调度器在无法找到匹配节点时仍然调度该 Pod。
-* 你可以使用节点上（或其他拓扑域中）运行的其他 Pod 的标签来实施调度约束，
+- 你可以标明某规则是“软需求”或者“偏好”，这样调度器在无法找到匹配节点时仍然调度该 Pod。
+- 你可以使用节点上（或其他拓扑域中）运行的其他 Pod 的标签来实施调度约束，
   而不是只能使用节点本身的标签。这个能力让你能够定义规则允许哪些 Pod 可以被放置在一起。
 
 <!--
 The affinity feature consists of two types of affinity:
 
-* *Node affinity* functions like the `nodeSelector` field but is more expressive and
+- *Node affinity* functions like the `nodeSelector` field but is more expressive and
   allows you to specify soft rules.
-* *Inter-pod affinity/anti-affinity* allows you to constrain Pods against labels
+- *Inter-pod affinity/anti-affinity* allows you to constrain Pods against labels
   on other Pods.
 -->
 亲和性功能由两种类型的亲和性组成：
 
-* **节点亲和性**功能类似于 `nodeSelector` 字段，但它的表达能力更强，并且允许你指定软规则。
-* Pod 间亲和性/反亲和性允许你根据其他 Pod 的标签来约束 Pod。
+- **节点亲和性**功能类似于 `nodeSelector` 字段，但它的表达能力更强，并且允许你指定软规则。
+- Pod 间亲和性/反亲和性允许你根据其他 Pod 的标签来约束 Pod。
 
 <!--
 ### Node affinity
@@ -204,17 +204,17 @@ affinity:
 节点亲和性有两种：
 
 <!--
-* `requiredDuringSchedulingIgnoredDuringExecution`: The scheduler can't
+- `requiredDuringSchedulingIgnoredDuringExecution`: The scheduler can't
   schedule the Pod unless the rule is met. This functions like `nodeSelector`,
   but with a more expressive syntax.
-* `preferredDuringSchedulingIgnoredDuringExecution`: The scheduler tries to
+- `preferredDuringSchedulingIgnoredDuringExecution`: The scheduler tries to
   find a node that meets the rule. If a matching node is not available, the
   scheduler still schedules the Pod.
 -->
-* `requiredDuringSchedulingIgnoredDuringExecution`：
+- `requiredDuringSchedulingIgnoredDuringExecution`：
   调度器只有在规则被满足的时候才能执行调度。此功能类似于 `nodeSelector`，
   但其语法表达能力更强。
-* `preferredDuringSchedulingIgnoredDuringExecution`：
+- `preferredDuringSchedulingIgnoredDuringExecution`：
   调度器会尝试寻找满足对应规则的节点。如果找不到匹配的节点，调度器仍然会调度该 Pod。
 
 {{<note>}}
@@ -240,16 +240,16 @@ For example, consider the following Pod spec:
 <!--
 In this example, the following rules apply:
 
-* The node *must* have a label with the key `topology.kubernetes.io/zone` and
+- The node *must* have a label with the key `topology.kubernetes.io/zone` and
   the value of that label *must* be either `antarctica-east1` or `antarctica-west1`.
-* The node *preferably* has a label with the key `another-node-label-key` and
+- The node *preferably* has a label with the key `another-node-label-key` and
   the value `another-node-label-value`.
 -->
 在这一示例中，所应用的规则如下：
 
-* 节点**必须**包含一个键名为 `topology.kubernetes.io/zone` 的标签，
+- 节点**必须**包含一个键名为 `topology.kubernetes.io/zone` 的标签，
   并且该标签的取值**必须**为 `antarctica-east1` 或 `antarctica-west1`。
-* 节点**最好**具有一个键名为 `another-node-label-key` 且取值为
+- 节点**最好**具有一个键名为 `another-node-label-key` 且取值为
   `another-node-label-value` 的标签。
 
 <!--
@@ -499,8 +499,8 @@ anti-affinity as follows:
 
 与[节点亲和性](#node-affinity)类似，Pod 的亲和性与反亲和性也有两种类型：
 
-* `requiredDuringSchedulingIgnoredDuringExecution`
-* `preferredDuringSchedulingIgnoredDuringExecution`
+- `requiredDuringSchedulingIgnoredDuringExecution`
+- `preferredDuringSchedulingIgnoredDuringExecution`
 
 <!--
 For example, you could use
@@ -590,17 +590,17 @@ exceptions for performance and security reasons:
 有一些限制：
 
 <!--
-* For Pod affinity and anti-affinity, an empty `topologyKey` field is not allowed in both `requiredDuringSchedulingIgnoredDuringExecution`
+- For Pod affinity and anti-affinity, an empty `topologyKey` field is not allowed in both `requiredDuringSchedulingIgnoredDuringExecution`
   and `preferredDuringSchedulingIgnoredDuringExecution`.
-* For `requiredDuringSchedulingIgnoredDuringExecution` Pod anti-affinity rules,
+- For `requiredDuringSchedulingIgnoredDuringExecution` Pod anti-affinity rules,
   the admission controller `LimitPodHardAntiAffinityTopology` limits
   `topologyKey` to `kubernetes.io/hostname`. You can modify or disable the
   admission controller if you want to allow custom topologies.
 -->
-* 对于 Pod 亲和性而言，在 `requiredDuringSchedulingIgnoredDuringExecution`
+- 对于 Pod 亲和性而言，在 `requiredDuringSchedulingIgnoredDuringExecution`
   和 `preferredDuringSchedulingIgnoredDuringExecution` 中，`topologyKey`
   不允许为空。
-* 对于 `requiredDuringSchedulingIgnoredDuringExecution` 要求的 Pod 反亲和性，
+- 对于 `requiredDuringSchedulingIgnoredDuringExecution` 要求的 Pod 反亲和性，
   准入控制器 `LimitPodHardAntiAffinityTopology` 要求 `topologyKey` 只能是
   `kubernetes.io/hostname`。如果你希望使用其他定制拓扑逻辑，
   你可以更改准入控制器或者禁用之。
@@ -758,10 +758,10 @@ where each web server is co-located with a cache, on three separate nodes.
 创建前面两个 Deployment 会产生如下的集群布局，每个 Web 服务器与一个缓存实例并置，
 并分别运行在三个独立的节点上。
 
-|       node-1         |       node-2        |       node-3       |
-|:--------------------:|:-------------------:|:------------------:|
-| *webserver-1*        |   *webserver-2*     |    *webserver-3*   |
-|  *cache-1*           |     *cache-2*       |     *cache-3*      |
+|    node-1     |    node-2     |    node-3     |
+|:-------------:|:-------------:|:-------------:|
+| *webserver-1* | *webserver-2* | *webserver-3* |
+|   *cache-1*   |   *cache-2*   |   *cache-3*   |
 
 <!--
 The overall effect is that each cache instance is likely to be accessed by a single client, that
@@ -872,18 +872,18 @@ to learn more about how these work.
 ## {{% heading "whatsnext" %}}
 
 <!--
-* Read more about [taints and tolerations](/docs/concepts/scheduling-eviction/taint-and-toleration/) .
-* Read the design docs for [node affinity](https://git.k8s.io/design-proposals-archive/scheduling/nodeaffinity.md)
+- Read more about [taints and tolerations](/docs/concepts/scheduling-eviction/taint-and-toleration/) .
+- Read the design docs for [node affinity](https://git.k8s.io/design-proposals-archive/scheduling/nodeaffinity.md)
   and for [inter-pod affinity/anti-affinity](https://git.k8s.io/design-proposals-archive/scheduling/podaffinity.md).
-* Learn about how the [topology manager](/docs/tasks/administer-cluster/topology-manager/) takes part in node-level
+- Learn about how the [topology manager](/docs/tasks/administer-cluster/topology-manager/) takes part in node-level
   resource allocation decisions.
-* Learn how to use [nodeSelector](/docs/tasks/configure-pod-container/assign-pods-nodes/).
-* Learn how to use [affinity and anti-affinity](/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/).
+- Learn how to use [nodeSelector](/docs/tasks/configure-pod-container/assign-pods-nodes/).
+- Learn how to use [affinity and anti-affinity](/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/).
 -->
-* 进一步阅读[污点与容忍度](/zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration/)文档。
-* 阅读[节点亲和性](https://git.k8s.io/design-proposals-archive/scheduling/nodeaffinity.md)
+- 进一步阅读[污点与容忍度](/zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration/)文档。
+- 阅读[节点亲和性](https://git.k8s.io/design-proposals-archive/scheduling/nodeaffinity.md)
   和[Pod 间亲和性与反亲和性](https://git.k8s.io/design-proposals-archive/scheduling/podaffinity.md)
   的设计文档。
-* 了解[拓扑管理器](/zh-cn/docs/tasks/administer-cluster/topology-manager/)如何参与节点层面资源分配决定。
-* 了解如何使用 [nodeSelector](/zh-cn/docs/tasks/configure-pod-container/assign-pods-nodes/)。
+- 了解[拓扑管理器](/zh-cn/docs/tasks/administer-cluster/topology-manager/)如何参与节点层面资源分配决定。
+- 了解如何使用 [nodeSelector](/zh-cn/docs/tasks/configure-pod-container/assign-pods-nodes/)。
 * 了解如何使用[亲和性和反亲和性](/zh-cn/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/)。

From ca92cccf7e0d835d9e3dfe47ee6f985a71548f1e Mon Sep 17 00:00:00 2001
From: ystkfujii <ystk.fujii0731@gmail.com>
Date: Wed, 15 Mar 2023 03:55:55 +0900
Subject: [PATCH 144/215] Remove on-premises-vm section for fr

---
 .../setup/production-environment/on-premises-vm/_index.md     | 4 ----
 1 file changed, 4 deletions(-)
 delete mode 100644 content/fr/docs/setup/production-environment/on-premises-vm/_index.md

diff --git a/content/fr/docs/setup/production-environment/on-premises-vm/_index.md b/content/fr/docs/setup/production-environment/on-premises-vm/_index.md
deleted file mode 100644
index 96054a37cd0d2..0000000000000
--- a/content/fr/docs/setup/production-environment/on-premises-vm/_index.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-title: On-Premises VMs
-weight: 60
----

From c9c4faa72e2b987264cec21e68f2392bc1963f69 Mon Sep 17 00:00:00 2001
From: Craig Box <craigb@armosec.io>
Date: Wed, 15 Mar 2023 10:06:47 +1300
Subject: [PATCH 145/215] Empty commit


From 669972e872bd39609eb2e88f957e41f7ea489199 Mon Sep 17 00:00:00 2001
From: Craig Box <craigb@armosec.io>
Date: Wed, 15 Mar 2023 11:34:36 +1300
Subject: [PATCH 146/215] Empty commit


From d171342339a8916ee5078c7e197241b352c78571 Mon Sep 17 00:00:00 2001
From: Arhell <arhell333@gmail.com>
Date: Wed, 15 Mar 2023 00:47:59 +0200
Subject: [PATCH 147/215] [zh] Removed spec.Replicas

---
 content/zh-cn/examples/application/php-apache.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/content/zh-cn/examples/application/php-apache.yaml b/content/zh-cn/examples/application/php-apache.yaml
index d29d2b91593f3..a194dce6f958a 100644
--- a/content/zh-cn/examples/application/php-apache.yaml
+++ b/content/zh-cn/examples/application/php-apache.yaml
@@ -6,7 +6,6 @@ spec:
   selector:
     matchLabels:
       run: php-apache
-  replicas: 1
   template:
     metadata:
       labels:

From 88c68b4811dbcc4313a6d7ddaaf58cb8bf0af91c Mon Sep 17 00:00:00 2001
From: s-kawamura-w664 <s-kawamura_p@nec.com>
Date: Tue, 14 Mar 2023 23:33:46 +0000
Subject: [PATCH 148/215] [ja] change punctuation mark

---
 .../ja/docs/tasks/administer-cluster/use-cascading-deletion.md  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/ja/docs/tasks/administer-cluster/use-cascading-deletion.md b/content/ja/docs/tasks/administer-cluster/use-cascading-deletion.md
index 9c4394c120038..e9af802f5a757 100644
--- a/content/ja/docs/tasks/administer-cluster/use-cascading-deletion.md
+++ b/content/ja/docs/tasks/administer-cluster/use-cascading-deletion.md
@@ -90,7 +90,7 @@ kubectl delete deployment nginx-deployment --cascade=foreground
 
 ## バッググラウンドカスケード削除を使用する {#use-background-cascading-deletion}
 
-1. [サンプルのDeploymentを作成する](/ja/docs/tasks/run-application/run-stateless-application-deployment/#creating-and-exploring-an-nginx-deployment).
+1. [サンプルのDeploymentを作成する](/ja/docs/tasks/run-application/run-stateless-application-deployment/#creating-and-exploring-an-nginx-deployment)。
 1. クラスターが動作しているKubernetesのバージョンに応じて、`kubectl`またはKubernetes APIのいずれかを使用してDeploymentを削除します。{{<version-check>}}
 
 `kubectl`またはKubernetes APIを使用して、バックグラウンドカスケード削除を使用してオブジェクトを削除できます。

From 8b527bab7e78782f4effd452ccaed31bd7617c65 Mon Sep 17 00:00:00 2001
From: Michael <cloudyonspring@126.com>
Date: Tue, 14 Mar 2023 20:12:58 +0800
Subject: [PATCH 149/215] Tweak line wrappings in run-application

---
 .../tasks/run-application/configure-pdb.md    | 69 +++++++++++--------
 .../run-application/delete-stateful-set.md    | 32 ++++++---
 .../run-application/scale-stateful-set.md     | 19 +++--
 3 files changed, 77 insertions(+), 43 deletions(-)

diff --git a/content/en/docs/tasks/run-application/configure-pdb.md b/content/en/docs/tasks/run-application/configure-pdb.md
index 99ab27ab5db84..ed3eebe62704e 100644
--- a/content/en/docs/tasks/run-application/configure-pdb.md
+++ b/content/en/docs/tasks/run-application/configure-pdb.md
@@ -50,7 +50,9 @@ specified by one of the built-in Kubernetes controllers:
 In this case, make a note of the controller's `.spec.selector`; the same
 selector goes into the PDBs `.spec.selector`.
 
-From version 1.15 PDBs support custom controllers where the [scale subresource](/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#scale-subresource) is enabled.
+From version 1.15 PDBs support custom controllers where the
+[scale subresource](/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#scale-subresource)
+is enabled.
 
 You can also use PDBs with pods which are not controlled by one of the above
 controllers, or arbitrary groups of pods, but there are some restrictions,
@@ -74,7 +76,8 @@ due to a voluntary disruption.
 - Multiple-instance Stateful application such as Consul, ZooKeeper, or etcd:
   - Concern: Do not reduce number of instances below quorum, otherwise writes fail.
     - Possible Solution 1: set maxUnavailable to 1 (works with varying scale of application).
-    - Possible Solution 2: set minAvailable to quorum-size (e.g. 3 when scale is 5). (Allows more disruptions at once).
+    - Possible Solution 2: set minAvailable to quorum-size (e.g. 3 when scale is 5).
+      (Allows more disruptions at once).
 - Restartable Batch Job:
   - Concern: Job needs to complete in case of voluntary disruption.
     - Possible solution: Do not create a PDB. The Job controller will create a replacement pod.
@@ -83,17 +86,20 @@ due to a voluntary disruption.
 
 Values for `minAvailable` or `maxUnavailable` can be expressed as integers or as a percentage.
 
-- When you specify an integer, it represents a number of Pods. For instance, if you set `minAvailable` to 10, then 10
-  Pods must always be available, even during a disruption.
-- When you specify a percentage by setting the value to a string representation of a percentage (eg. `"50%"`), it represents a percentage of
-  total Pods. For instance, if you set `minAvailable` to `"50%"`, then at least 50% of the Pods remain available during a
-  disruption.
-
-When you specify the value as a percentage, it may not map to an exact number of Pods. For example, if you have 7 Pods and
-you set `minAvailable` to `"50%"`, it's not immediately obvious whether that means 3 Pods or 4 Pods must be available.
-Kubernetes rounds up to the nearest integer, so in this case, 4 Pods must be available. When you specify the value 
-`maxUnavailable` as a percentage, Kubernetes rounds up the number of Pods that may be disrupted. Thereby a disruption 
-can exceed your defined `maxUnavailable` percentage. You can examine the
+- When you specify an integer, it represents a number of Pods. For instance, if you set
+  `minAvailable` to 10, then 10 Pods must always be available, even during a disruption.
+- When you specify a percentage by setting the value to a string representation of a
+  percentage (eg. `"50%"`), it represents a percentage of total Pods. For instance, if
+  you set `minAvailable` to `"50%"`, then at least 50% of the Pods remain available
+  during a disruption.
+
+When you specify the value as a percentage, it may not map to an exact number of Pods.
+For example, if you have 7 Pods and you set `minAvailable` to `"50%"`, it's not
+immediately obvious whether that means 3 Pods or 4 Pods must be available. Kubernetes
+rounds up to the nearest integer, so in this case, 4 Pods must be available. When you
+specify the value `maxUnavailable` as a percentage, Kubernetes rounds up the number of
+Pods that may be disrupted. Thereby a disruption can exceed your defined
+`maxUnavailable` percentage. You can examine the
 [code](https://github.com/kubernetes/kubernetes/blob/23be9587a0f8677eb8091464098881df939c44a9/pkg/controller/disruption/disruption.go#L539)
 that controls this behavior.
 
@@ -151,8 +157,8 @@ voluntary evictions, not all causes of unavailability.
 If you set `maxUnavailable` to 0% or 0, or you set `minAvailable` to 100% or the number of replicas,
 you are requiring zero voluntary evictions. When you set zero voluntary evictions for a workload
 object such as ReplicaSet, then you cannot successfully drain a Node running one of those Pods.
-If you try to drain a Node where an unevictable Pod is running, the drain never completes. This is permitted as per the
-semantics of `PodDisruptionBudget`.
+If you try to drain a Node where an unevictable Pod is running, the drain never completes.
+This is permitted as per the semantics of `PodDisruptionBudget`.
 
 You can find examples of pod disruption budgets defined below. They match pods with the label
 `app: zookeeper`.
@@ -229,7 +235,8 @@ status:
 
 ### Healthiness of a Pod
 
-The current implementation considers healthy pods, as pods that have `.status.conditions` item with `type="Ready"` and `status="True"`.
+The current implementation considers healthy pods, as pods that have `.status.conditions`
+item with `type="Ready"` and `status="True"`.
 These pods are tracked via `.status.currentHealthy` field in the PDB status.
 
 ## Unhealthy Pod Eviction Policy
@@ -251,22 +258,26 @@ to the `IfHealthyBudget` policy.
 Policies:
 
 `IfHealthyBudget`
-: Running pods (`.status.phase="Running"`), but not yet healthy can be evicted only if the guarded application is not
-disrupted (`.status.currentHealthy` is at least equal to `.status.desiredHealthy`).
+: Running pods (`.status.phase="Running"`), but not yet healthy can be evicted only
+  if the guarded application is not disrupted (`.status.currentHealthy` is at least
+  equal to `.status.desiredHealthy`).
 
-: This policy ensures that running pods of an already disrupted application have the best chance to become healthy.
-This has negative implications for draining nodes, which can be blocked by misbehaving applications that are guarded by a PDB.
-More specifically applications with pods in `CrashLoopBackOff` state (due to a bug or misconfiguration),
-or pods that are just failing to report the `Ready` condition.
+: This policy ensures that running pods of an already disrupted application have
+  the best chance to become healthy. This has negative implications for draining
+  nodes, which can be blocked by misbehaving applications that are guarded by a PDB.
+  More specifically applications with pods in `CrashLoopBackOff` state
+  (due to a bug or misconfiguration), or pods that are just failing to report the
+  `Ready` condition.
 
 `AlwaysAllow`
-: Running pods (`.status.phase="Running"`), but not yet healthy are considered disrupted and can be evicted
-regardless of whether the criteria in a PDB is met.
-
-: This means prospective running pods of a disrupted application might not get a chance to become healthy.
-By using this policy, cluster managers can easily evict misbehaving applications that are guarded by a PDB.
-More specifically applications with pods in `CrashLoopBackOff` state (due to a bug or misconfiguration),
-or pods that are just failing to report the `Ready` condition.
+: Running pods (`.status.phase="Running"`), but not yet healthy are considered
+  disrupted and can be evicted regardless of whether the criteria in a PDB is met.
+
+: This means prospective running pods of a disrupted application might not get a
+  chance to become healthy. By using this policy, cluster managers can easily evict
+  misbehaving applications that are guarded by a PDB. More specifically applications
+  with pods in `CrashLoopBackOff` state (due to a bug or misconfiguration), or pods
+  that are just failing to report the `Ready` condition.
 
 {{< note >}}
 Pods in `Pending`, `Succeeded` or `Failed` phase are always considered for eviction.
diff --git a/content/en/docs/tasks/run-application/delete-stateful-set.md b/content/en/docs/tasks/run-application/delete-stateful-set.md
index 41e6ddd9702d5..e8cd5c3398d16 100644
--- a/content/en/docs/tasks/run-application/delete-stateful-set.md
+++ b/content/en/docs/tasks/run-application/delete-stateful-set.md
@@ -22,7 +22,8 @@ This task shows you how to delete a {{< glossary_tooltip term_id="StatefulSet" >
 
 ## Deleting a StatefulSet
 
-You can delete a StatefulSet in the same way you delete other resources in Kubernetes: use the `kubectl delete` command, and specify the StatefulSet either by file or by name.
+You can delete a StatefulSet in the same way you delete other resources in Kubernetes:
+use the `kubectl delete` command, and specify the StatefulSet either by file or by name.
 
 ```shell
 kubectl delete -f <file.yaml>
@@ -38,14 +39,17 @@ You may need to delete the associated headless service separately after the Stat
 kubectl delete service <service-name>
 ```
 
-When deleting a StatefulSet through `kubectl`, the StatefulSet scales down to 0. All Pods that are part of this workload are also deleted. If you want to delete only the StatefulSet and not the Pods, use `--cascade=orphan`.
-For example:
+When deleting a StatefulSet through `kubectl`, the StatefulSet scales down to 0.
+All Pods that are part of this workload are also deleted. If you want to delete
+only the StatefulSet and not the Pods, use `--cascade=orphan`. For example:
 
 ```shell
 kubectl delete -f <file.yaml> --cascade=orphan
 ```
 
-By passing `--cascade=orphan` to `kubectl delete`, the Pods managed by the StatefulSet are left behind even after the StatefulSet object itself is deleted. If the pods have a label `app.kubernetes.io/name=MyApp`, you can then delete them as follows:
+By passing `--cascade=orphan` to `kubectl delete`, the Pods managed by the StatefulSet
+are left behind even after the StatefulSet object itself is deleted. If the pods have
+a label `app.kubernetes.io/name=MyApp`, you can then delete them as follows:
 
 ```shell
 kubectl delete pods -l app.kubernetes.io/name=MyApp
@@ -53,7 +57,12 @@ kubectl delete pods -l app.kubernetes.io/name=MyApp
 
 ### Persistent Volumes
 
-Deleting the Pods in a StatefulSet will not delete the associated volumes. This is to ensure that you have the chance to copy data off the volume before deleting it. Deleting the PVC after the pods have terminated might trigger deletion of the backing Persistent Volumes depending on the storage class and reclaim policy. You should never assume ability to access a volume after claim deletion.
+Deleting the Pods in a StatefulSet will not delete the associated volumes.
+This is to ensure that you have the chance to copy data off the volume before
+deleting it. Deleting the PVC after the pods have terminated might trigger
+deletion of the backing Persistent Volumes depending on the storage class
+and reclaim policy. You should never assume ability to access a volume
+after claim deletion.
 
 {{< note >}}
 Use caution when deleting a PVC, as it may lead to data loss.
@@ -61,7 +70,8 @@ Use caution when deleting a PVC, as it may lead to data loss.
 
 ### Complete deletion of a StatefulSet
 
-To delete everything in a StatefulSet, including the associated pods, you can run a series of commands similar to the following:
+To delete everything in a StatefulSet, including the associated pods,
+you can run a series of commands similar to the following:
 
 ```shell
 grace=$(kubectl get pods <stateful-set-pod> --template '{{.spec.terminationGracePeriodSeconds}}')
@@ -71,11 +81,17 @@ kubectl delete pvc -l app.kubernetes.io/name=MyApp
 
 ```
 
-In the example above, the Pods have the label `app.kubernetes.io/name=MyApp`; substitute your own label as appropriate.
+In the example above, the Pods have the label `app.kubernetes.io/name=MyApp`;
+substitute your own label as appropriate.
 
 ### Force deletion of StatefulSet pods
 
-If you find that some pods in your StatefulSet are stuck in the 'Terminating' or 'Unknown' states for an extended period of time, you may need to manually intervene to forcefully delete the pods from the apiserver. This is a potentially dangerous task. Refer to [Force Delete StatefulSet Pods](/docs/tasks/run-application/force-delete-stateful-set-pod/) for details.
+If you find that some pods in your StatefulSet are stuck in the 'Terminating'
+or 'Unknown' states for an extended period of time, you may need to manually
+intervene to forcefully delete the pods from the apiserver.
+This is a potentially dangerous task. Refer to
+[Force Delete StatefulSet Pods](/docs/tasks/run-application/force-delete-stateful-set-pod/)
+for details.
 
 ## {{% heading "whatsnext" %}}
 
diff --git a/content/en/docs/tasks/run-application/scale-stateful-set.md b/content/en/docs/tasks/run-application/scale-stateful-set.md
index 51ae43ccfdd78..025eb47a44027 100644
--- a/content/en/docs/tasks/run-application/scale-stateful-set.md
+++ b/content/en/docs/tasks/run-application/scale-stateful-set.md
@@ -14,14 +14,17 @@ weight: 50
 
 <!-- overview -->
 
-This task shows how to scale a StatefulSet. Scaling a StatefulSet refers to increasing or decreasing the number of replicas.
+This task shows how to scale a StatefulSet. Scaling a StatefulSet refers to
+increasing or decreasing the number of replicas.
 
 ## {{% heading "prerequisites" %}}
 
 - StatefulSets are only available in Kubernetes version 1.5 or later.
   To check your version of Kubernetes, run `kubectl version`.
 
-- Not all stateful applications scale nicely. If you are unsure about whether to scale your StatefulSets, see [StatefulSet concepts](/docs/concepts/workloads/controllers/statefulset/) or [StatefulSet tutorial](/docs/tutorials/stateful-application/basic-stateful-set/) for further information.
+- Not all stateful applications scale nicely. If you are unsure about whether
+  to scale your StatefulSets, see [StatefulSet concepts](/docs/concepts/workloads/controllers/statefulset/)
+  or [StatefulSet tutorial](/docs/tutorials/stateful-application/basic-stateful-set/) for further information.
 
 - You should perform scaling only when you are confident that your stateful application
   cluster is completely healthy.
@@ -46,7 +49,9 @@ kubectl scale statefulsets <stateful-set-name> --replicas=<new-replicas>
 
 ### Make in-place updates on your StatefulSets
 
-Alternatively, you can do [in-place updates](/docs/concepts/cluster-administration/manage-deployment/#in-place-updates-of-resources) on your StatefulSets.
+Alternatively, you can do
+[in-place updates](/docs/concepts/cluster-administration/manage-deployment/#in-place-updates-of-resources)
+on your StatefulSets.
 
 If your StatefulSet was initially created with `kubectl apply`,
 update `.spec.replicas` of the StatefulSet manifests, and then do a `kubectl apply`:
@@ -71,10 +76,12 @@ kubectl patch statefulsets <stateful-set-name> -p '{"spec":{"replicas":<new-repl
 
 ### Scaling down does not work right
 
-You cannot scale down a StatefulSet when any of the stateful Pods it manages is unhealthy. Scaling down only takes place
-after those stateful Pods become running and ready.
+You cannot scale down a StatefulSet when any of the stateful Pods it manages is
+unhealthy. Scaling down only takes place after those stateful Pods become running and ready.
 
-If spec.replicas > 1, Kubernetes cannot determine the reason for an unhealthy Pod. It might be the result of a permanent fault or of a transient fault. A transient fault can be caused by a restart required by upgrading or maintenance.
+If spec.replicas > 1, Kubernetes cannot determine the reason for an unhealthy Pod.
+It might be the result of a permanent fault or of a transient fault. A transient
+fault can be caused by a restart required by upgrading or maintenance.
 
 If the Pod is unhealthy due to a permanent fault, scaling
 without correcting the fault may lead to a state where the StatefulSet membership

From 1075d2bb595846a55da0bf3d3fa66e41c588b3c8 Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Wed, 15 Mar 2023 10:39:03 +0800
Subject: [PATCH 150/215] Update pod-priority-preemption.md

---
 .../scheduling-eviction/pod-priority-preemption.md     | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/content/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption.md b/content/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption.md
index a1550733a2057..f1e1cc3b4257d 100644
--- a/content/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption.md
+++ b/content/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption.md
@@ -108,9 +108,10 @@ PriorityClass 对象的名称必须是有效的
 
 <!--  
 A PriorityClass object can have any 32-bit integer value smaller than or equal
-to 1 billion. Larger numbers are reserved for critical system Pods that should
-not normally be preempted or evicted. A cluster admin should create one
-PriorityClass object for each such mapping that they want.
+to 1 billion. This means that the range of values for a PriorityClass object is
+from -2147483648 to 1000000000 inclusive. Larger numbers are reserved for 
+built-in PriorityClasses that represent critical system Pods. A cluster
+admin should create one PriorityClass object for each such mapping that they want.
 
 PriorityClass also has two optional fields: `globalDefault` and `description`.
 The `globalDefault` field indicates that the value of this PriorityClass should
@@ -123,7 +124,8 @@ The `description` field is an arbitrary string. It is meant to tell users of the
 cluster when they should use this PriorityClass.
 -->
 PriorityClass 对象可以设置任何小于或等于 10 亿的 32 位整数值。
-较大的数字是为通常不应被抢占或驱逐的关键的系统 Pod 所保留的。
+这意味着 PriorityClass 对象的值范围是 从 -2147483648 到 1000000000（含）。
+较大的数字保留用于代表关键系统 Pod 的内置 PriorityClasses。
 集群管理员应该为这类映射分别创建独立的 PriorityClass 对象。
 
 PriorityClass 还有两个可选字段：`globalDefault` 和 `description`。

From 1f494930508aeadf2bbef2d22ab2ce520f2e4972 Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Wed, 15 Mar 2023 10:51:05 +0800
Subject: [PATCH 151/215] Update pod-priority-preemption.md

---
 .../concepts/scheduling-eviction/pod-priority-preemption.md   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption.md b/content/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption.md
index f1e1cc3b4257d..1e5568579d5fa 100644
--- a/content/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption.md
+++ b/content/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption.md
@@ -124,8 +124,8 @@ The `description` field is an arbitrary string. It is meant to tell users of the
 cluster when they should use this PriorityClass.
 -->
 PriorityClass 对象可以设置任何小于或等于 10 亿的 32 位整数值。
-这意味着 PriorityClass 对象的值范围是 从 -2147483648 到 1000000000（含）。
-较大的数字保留用于代表关键系统 Pod 的内置 PriorityClasses。
+这意味着 PriorityClass 对象的值范围是从 -2,147,483,648 到 1,000,000,000（含）。
+保留更大的数字，用于表示关键系统 Pod 的内置 PriorityClass。
 集群管理员应该为这类映射分别创建独立的 PriorityClass 对象。
 
 PriorityClass 还有两个可选字段：`globalDefault` 和 `description`。

From db902399b34fa43a9fd44db180280b5c47be7de9 Mon Sep 17 00:00:00 2001
From: howieyuen <howieyuen@outlook.com>
Date: Wed, 15 Mar 2023 11:14:45 +0800
Subject: [PATCH 152/215] [zh-cn]sync task files under configure-pod-container/

---
 .../attach-handler-lifecycle-event.md                       | 6 +++---
 .../configure-persistent-volume-storage.md                  | 5 ++---
 .../configure-pod-container/configure-volume-storage.md     | 2 +-
 .../docs/tasks/configure-pod-container/migrate-from-psp.md  | 1 +
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/content/zh-cn/docs/tasks/configure-pod-container/attach-handler-lifecycle-event.md b/content/zh-cn/docs/tasks/configure-pod-container/attach-handler-lifecycle-event.md
index 41a64482bbc74..933dc8bd83051 100644
--- a/content/zh-cn/docs/tasks/configure-pod-container/attach-handler-lifecycle-event.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/attach-handler-lifecycle-event.md
@@ -1,12 +1,12 @@
 ---
 title: 为容器的生命周期事件设置处理函数
 content_type: task
-weight: 140
+weight: 180
 ---
 <!--
 title: Attach Handlers to Container Lifecycle Events
 content_type: task
-weight: 140
+weight: 180
 -->
 
 <!-- overview -->
@@ -15,7 +15,7 @@ weight: 140
 This page shows how to attach handlers to Container lifecycle events. Kubernetes supports
 the postStart and preStop events. Kubernetes sends the postStart event immediately
 after a Container is started, and it sends the preStop event immediately before the
-Container is terminated.A Container may specify one handler per event.
+Container is terminated. A Container may specify one handler per event.
 -->
 这个页面将演示如何为容器的生命周期事件挂接处理函数。Kubernetes 支持 postStart 和 preStop 事件。
 当一个容器启动后，Kubernetes 将立即发送 postStart 事件；在容器被终结之前，
diff --git a/content/zh-cn/docs/tasks/configure-pod-container/configure-persistent-volume-storage.md b/content/zh-cn/docs/tasks/configure-pod-container/configure-persistent-volume-storage.md
index d2fc135403649..d33586ddf0ad7 100644
--- a/content/zh-cn/docs/tasks/configure-pod-container/configure-persistent-volume-storage.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/configure-persistent-volume-storage.md
@@ -419,8 +419,8 @@ You can now close the shell to your Node.
 <!--
 You can perform 2 volume mounts on your nginx container:
 
-`/usr/share/nginx/html` for the static website
-`/etc/nginx/nginx.conf` for the default config
+- `/usr/share/nginx/html` for the static website
+- `/etc/nginx/nginx.conf` for the default config
 -->
 你可以在 nginx 容器上执行两个卷挂载:
 
@@ -452,7 +452,6 @@ GID 不匹配或缺失将会导致无权访问错误。
 ```yaml
 apiVersion: v1
 kind: PersistentVolume
-apiVersion: v1
 metadata:
   name: pv1
   annotations:
diff --git a/content/zh-cn/docs/tasks/configure-pod-container/configure-volume-storage.md b/content/zh-cn/docs/tasks/configure-pod-container/configure-volume-storage.md
index 2065d4ef37897..dbb06d4775845 100644
--- a/content/zh-cn/docs/tasks/configure-pod-container/configure-volume-storage.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/configure-volume-storage.md
@@ -1,7 +1,7 @@
 ---
 title: 配置 Pod 以使用卷进行存储
 content_type: task
-weight: 50
+weight: 80
 ---
 <!--
 title: Configure a Pod to Use a Volume for Storage
diff --git a/content/zh-cn/docs/tasks/configure-pod-container/migrate-from-psp.md b/content/zh-cn/docs/tasks/configure-pod-container/migrate-from-psp.md
index 99d03c80e6b54..e99a2c04b1bfd 100644
--- a/content/zh-cn/docs/tasks/configure-pod-container/migrate-from-psp.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/migrate-from-psp.md
@@ -2,6 +2,7 @@
 title: 从 PodSecurityPolicy 迁移到内置的 PodSecurity 准入控制器
 content_type: task
 min-kubernetes-server-version: v1.22
+weight: 260
 ---
 
 <!--

From a34b874dbfd2bb2127d4b5c6fdcc47a07caee0f7 Mon Sep 17 00:00:00 2001
From: Michael <cloudyonspring@126.com>
Date: Sat, 11 Mar 2023 06:17:18 +0800
Subject: [PATCH 153/215] [zh] sync /reference/using-api/cel.md

---
 content/zh-cn/docs/reference/using-api/cel.md | 581 ++++++++++++++++++
 1 file changed, 581 insertions(+)
 create mode 100644 content/zh-cn/docs/reference/using-api/cel.md

diff --git a/content/zh-cn/docs/reference/using-api/cel.md b/content/zh-cn/docs/reference/using-api/cel.md
new file mode 100644
index 0000000000000..75278292b615a
--- /dev/null
+++ b/content/zh-cn/docs/reference/using-api/cel.md
@@ -0,0 +1,581 @@
+---
+title: Kubernetes 中的通用表达式语言
+content_type: concept
+weight: 35
+min-kubernetes-server-version: 1.25
+---
+<!--
+title: Common Expression Language in Kubernetes
+reviewers:
+- jpbetz
+- cici37
+content_type: concept
+weight: 35
+min-kubernetes-server-version: 1.25
+-->
+
+<!-- overview -->
+
+<!--
+The [Common Expression Language (CEL)](https://github.com/google/cel-go) is used
+in the Kubernetes API to declare validation rules, policy rules, and other
+constraints or conditions.
+
+CEL expressions are evaluated directly in the
+{{< glossary_tooltip text="API server" term_id="kube-apiserver" >}}, making CEL a
+convenient alternative to out-of-process mechanisms, such as webhooks, for many
+extensibility use cases. Your CEL expressions continue to execute so long as the
+control plane's API server component remains available.
+-->
+[通用表达式语言 (Common Expression Language, CEL)](https://github.com/google/cel-go)
+用于声明 Kubernetes API 的验证规则、策略规则和其他限制或条件。
+
+CEL 表达式在{{< glossary_tooltip text="API 服务器" term_id="kube-apiserver" >}}中直接进行评估，
+这使得 CEL 成为许多可扩展性用例的便捷替代方案，而无需使用类似 Webhook 这种进程外机制。
+只要控制平面的 API 服务器组件保持可用状态，你的 CEL 表达式就会继续执行。
+
+<!-- body -->
+
+<!--
+## Language overview
+
+The [CEL
+language](https://github.com/google/cel-spec/blob/master/doc/langdef.md) has a
+straightforward syntax that is similar to the expressions in C, C++, Java,
+JavaScript and Go.
+
+CEL was designed to be embedded into applications. Each CEL "program" is a
+single expression that evaluates to a single value. CEL expressions are
+typically short "one-liners" that inline well into the string fields of Kubernetes
+API resources.
+-->
+## 语言概述 {#language-overview}
+
+[CEL 语言](https://github.com/google/cel-spec/blob/master/doc/langdef.md)的语法直观简单，
+类似于 C、C++、Java、JavaScript 和 Go 中的表达式。
+
+CEL 的设计目的是嵌入应用程序中。每个 CEL "程序" 都是一个单独的表达式，其评估结果为单个值。
+CEL 表达式通常是短小的 "一行式"，可以轻松嵌入到 Kubernetes API 资源的字符串字段中。
+
+<!--
+Inputs to a CEL program are "variables". Each Kubernetes API field that contains
+CEL declares in the API documentation which variables are available to use for
+that field. For example, in the `x-kubernetes-validations[i].rules` field of
+CustomResourceDefinitions, the `self` and `oldSelf` variables are available and
+refer to the previous and current state of the custom resource data to be
+validated by the CEL expression. Other Kubernetes API fields may declare
+different variables. See the API documentation of the API fields to learn which
+variables are available for that field.
+-->
+对 CEL 程序的输入是各种 “变量”。包含 CEL 的每个 Kubernetes API 字段都在 API
+文档中声明了字段可使用哪些变量。例如，在 CustomResourceDefinitions 的
+`x-kubernetes-validations[i].rules` 字段中，`self` 和 `oldSelf` 变量可用，
+并且分别指代要由 CEL 表达式验证的自定义资源数据的前一个状态和当前状态。
+其他 Kubernetes API 字段可能声明不同的变量。请查阅 API 字段的 API 文档以了解该字段可使用哪些变量。
+
+<!--
+Example CEL expressions:
+-->
+CEL 表达式示例：
+
+<!--
+{{< table caption="Examples of CEL expressions and the purpose of each" >}}
+| Rule                                                                               | Purpose                                                                           |
+|------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------|
+| `self.minReplicas <= self.replicas && self.replicas <= self.maxReplicas`           | Validate that the three fields defining replicas are ordered appropriately        |
+| `'Available' in self.stateCounts`                                                  | Validate that an entry with the 'Available' key exists in a map                   |
+| `(self.list1.size() == 0) != (self.list2.size() == 0)`                             | Validate that one of two lists is non-empty, but not both                         |
+| `self.envars.filter(e, e.name = 'MY_ENV').all(e, e.value.matches('^[a-zA-Z]*$')`   | Validate the 'value' field of a listMap entry where key field 'name' is 'MY_ENV'  |
+| `has(self.expired) && self.created + self.ttl < self.expired`                      | Validate that 'expired' date is after a 'create' date plus a 'ttl' duration       |
+| `self.health.startsWith('ok')`                                                     | Validate a 'health' string field has the prefix 'ok'                              |
+| `self.widgets.exists(w, w.key == 'x' && w.foo < 10)`                               | Validate that the 'foo' property of a listMap item with a key 'x' is less than 10 |
+| `type(self) == string ? self == '99%' : self == 42`                                | Validate an int-or-string field for both the the int and string cases             |
+| `self.metadata.name == 'singleton'`                                                | Validate that an object's name matches a specific value (making it a singleton)   |
+| `self.set1.all(e, !(e in self.set2))`                                              | Validate that two listSets are disjoint                                           |
+| `self.names.size() == self.details.size() && self.names.all(n, n in self.details)` | Validate the 'details' map is keyed by the items in the 'names' listSet           |
+{{< /table >}}
+-->
+{{< table caption="CEL 表达式例子和每个表达式的用途" >}}
+| 规则 | 用途 |
+|---------------------------------------------------------------------------|--------------------------------------------------------------|
+| `self.minReplicas <= self.replicas && self.replicas <= self.maxReplicas`  | 验证定义副本的三个字段被正确排序                                   |
+| `'Available' in self.stateCounts`                                         | 验证映射中存在主键为 'Available' 的条目                           |
+| `(self.list1.size() == 0) != (self.list2.size() == 0)`                    | 验证两个列表中有一个非空，但不是两个都非空                           |
+| `self.envars.filter(e, e.name = 'MY_ENV').all(e, e.value.matches('^[a-zA-Z]*$')` | 验证 listMap 条目的 'value' 字段，其主键字段 'name' 是 'MY_ENV' |
+| `has(self.expired) && self.created + self.ttl < self.expired`             | 验证 'expired' 日期在 'create' 日期加上 'ttl' 持续时间之后         |
+| `self.health.startsWith('ok')`                                            | 验证 'health' 字符串字段具有前缀 'ok'                             |
+| `self.widgets.exists(w, w.key == 'x' && w.foo < 10)`                      | 验证具有键 'x' 的 listMap 项的 'foo' 属性小于 10                  |
+| `type(self) == string ? self == '99%' : self == 42`                       | 验证 int-or-string 字段是否同时具备 int 和 string 的属性           |
+| `self.metadata.name == 'singleton'`                                       | 验证某对象的名称与特定的值匹配（使其成为一个特例）                     |
+| `self.set1.all(e, !(e in self.set2))`                                     | 验证两个 listSet 不相交                                          |
+| `self.names.size() == self.details.size() && self.names.all(n, n in self.details)` | 验证 'details' 映射是由 'names' listSet 中的各项键入的 |
+{{< /table >}}
+
+<!--
+## CEL community libraries
+
+Kubernetes CEL expressions have access to the following CEL community libraries:
+-->
+## CEL 社区库 {#cel-community-libraries}
+
+Kubernetes CEL 表达式能够访问以下 CEL 社区库：
+
+<!--
+- CEL standard functions, defined in the [list of standard definitions](https://github.com/google/cel-spec/blob/master/doc/langdef.md#list-of-standard-definitions)
+- CEL standard [macros](https://github.com/google/cel-spec/blob/v0.7.0/doc/langdef.md#macros)
+- CEL [extended string function library](https://pkg.go.dev/github.com/google/cel-go/ext#Strings)
+-->
+- [标准定义列表](https://github.com/google/cel-spec/blob/master/doc/langdef.md#list-of-standard-definitions)中定义的
+  CEL 标准函数
+- CEL 标准[宏](https://github.com/google/cel-spec/blob/v0.7.0/doc/langdef.md#macros)
+- CEL [扩展字符串函数库](https://pkg.go.dev/github.com/google/cel-go/ext#Strings)
+
+<!--
+## Kubernetes CEL libraries
+
+In additional to the CEL community libraries, Kubernetes includes CEL libraries
+that are available everywhere CEL is used in Kubernetes.
+-->
+## Kubernetes CEL 库 {#kubernetes-cel-libraries}
+
+除了 CEL 社区库之外，Kubernetes 还包括在 Kubernetes 中使用 CEL 时所有可用的 CEL 库。
+
+<!--
+### Kubernetes list library
+
+The list library includes `indexOf` and `lastIndexOf`, which work similar to the
+strings functions of the same names. These functions either the first or last
+positional index of the provided element in the list.
+
+The list library also includes `min`, `max` and `sum`. Sum is supported on all
+number types as well as the duration type. Min and max are supported on all
+comparable types.
+-->
+### Kubernetes 列表库 {#kubernetes-list-library}
+
+列表库包括 `indexOf` 和 `lastIndexOf`，这两个函数的功能类似于同名的字符串函数。
+这些函数返回提供的元素在列表中的第一个或最后一个位置索引。
+
+列表库还包括 `min`、`max` 和 `sum`。
+`sum` 可以用于所有数字类型以及持续时间类型。
+`min` 和 `max` 可用于所有可比较的类型。
+
+<!--
+`isSorted` is also provided as a convenience function and is supported on all
+comparable types.
+
+Examples:
+-->
+`isSorted` 也作为一个便捷的函数提供，并且支持所有可比较的类型。
+
+例如：
+
+<!--
+{{< table caption="Examples of CEL expressions using list library functions" >}}
+| CEL Expression                                                                     | Purpose                                                   |
+|------------------------------------------------------------------------------------|-----------------------------------------------------------|
+| `names.isSorted()`                                                                 | Verify that a list of names is kept in alphabetical order |
+| `items.map(x, x.weight).sum() == 1.0`                                              | Verify that the "weights" of a list of objects sum to 1.0 |
+| `lowPriorities.map(x, x.priority).max() < highPriorities.map(x, x.priority).min()` | Verify that two sets of priorities do not overlap         |
+| `names.indexOf('should-be-first') == 1`                                            | Require that the first name in a list if a specific value |
+{{< /table >}}
+-->
+{{< table caption="使用列表库函数的 CEL 表达式例子" >}}
+| CEL 表达式                                                                          | 用途 |
+|------------------------------------------------------------------------------------|-----------------------------------|
+| `names.isSorted()`                                                                 | 验证名称列表是否按字母顺序排列         |
+| `items.map(x, x.weight).sum() == 1.0`                                              | 验证对象列表的 “weight” 总和为 1.0   |
+| `lowPriorities.map(x, x.priority).max() < highPriorities.map(x, x.priority).min()` | 验证两组优先级不重叠                 |
+| `names.indexOf('should-be-first') == 1`                                            | 如果是特定值，则使用列表中的第一个名称  |
+
+更多信息请查阅 Go 文档：
+[Kubernetes 列表库](https://pkg.go.dev/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/library#Lists)。
+{{< /table >}}
+
+<!--
+### Kubernetes regex library
+
+In addition to the `matches` function provided by the CEL standard library, the
+regex library provides `find` and `findAll`, enabling a much wider range of
+regex operations.
+
+Examples:
+-->
+### Kubernetes 正则表达式库 {#kubernete-regex-library}
+
+除了 CEL 标准库提供的 `matches` 函数外，正则表达式库还提供了 `find` 和 `findAll`，
+使得更多种类的正则表达式运算成为可能。
+
+例如：
+
+<!--
+{{< table caption="Examples of CEL expressions using regex library functions" >}}
+| CEL Expression                                              | Purpose                                                  |
+|-------------------------------------------------------------|----------------------------------------------------------|
+| `"abc 123".find('[0-9]*')`                                  | Find the first number in a string                        |
+| `"1, 2, 3, 4".findAll('[0-9]*').map(x, int(x)).sum() < 100` | Verify that the numbers in a string sum to less than 100 |
+{{< /table >}}
+-->
+{{< table caption="使用正则表达式库函数的 CEL 表达式例子" >}}
+| CEL 表达式                                                   | 用途                       |
+|-------------------------------------------------------------|----------------------------|
+| `"abc 123".find('[0-9]*')`                                  | 找到字符串中的第一个数字       |
+| `"1, 2, 3, 4".findAll('[0-9]*').map(x, int(x)).sum() < 100` | 验证字符串中的数字之和小于 100 |
+{{< /table >}}
+
+<!--
+See the [Kubernetes regex library](https://pkg.go.dev/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/library#Regex)
+godoc for more information.
+-->
+更多信息请查阅 Go 文档：
+[Kubernetes 正则表达式库](https://pkg.go.dev/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/library#Regex)。
+
+<!--
+### Kubernetes URL library
+
+To make it easier and safer to process URLs, the following functions have been added:
+
+- `isURL(string)` checks if a string is a valid URL according to the [Go's
+  net/url](https://pkg.go.dev/net/url#URL) package. The string must be an
+  absolute URL.
+- `url(string) URL` converts a string to a URL or results in an error if the
+  string is not a valid URL.
+-->
+### Kubernetes URL 库 {#kubernetes-url-library}
+
+为了更轻松、更安全地处理 URL，添加了以下函数：
+
+- `isURL(string)` 按照
+  [Go 的 net/url](https://pkg.go.dev/net/url#URL)
+  检查字符串是否是一个有效的 URL。该字符串必须是一个绝对 URL。
+- `url(string) URL` 将字符串转换为 URL，如果字符串不是一个有效的 URL，则返回错误。
+
+<!--
+Once parsed via the `url` function, the resulting URL object has `getScheme`,
+`getHost`, `getHostname`, `getPort`, `getEscapedPath` and `getQuery` accessors.
+
+Examples:
+-->
+一旦通过 `url` 函数解析，所得到的 URL 对象就具有
+`getScheme`、`getHost`、`getHostname`、`getPort`、`getEscapedPath` 和 `getQuery` 访问器。
+
+例如：
+
+<!--
+{{< table caption="Examples of CEL expressions using URL library functions" >}}
+| CEL Expression                                                  | Purpose                                        |
+|-----------------------------------------------------------------|------------------------------------------------|
+| `url('https://example.com:80/').getHost()`                      | Get the 'example.com:80' host part of the URL. |
+| `url('https://example.com/path with spaces/').getEscapedPath()` | Returns '/path%20with%20spaces/'               |
+{{< /table >}}
+-->
+{{< table caption="使用 URL 库函数的 CEL 表达式例子" >}}
+| CEL 表达式                                                       | 用途                                |
+|-----------------------------------------------------------------|------------------------------------|
+| `url('https://example.com:80/').getHost()`                      | 获取 URL 的 'example.com:80' 主机部分 |
+| `url('https://example.com/path with spaces/').getEscapedPath()` | 返回 '/path%20with%20spaces/'       |
+{{< /table >}}
+
+<!--
+See the [Kubernetes URL library](https://pkg.go.dev/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/library#URLs)
+godoc for more information.
+-->
+更多信息请查阅 Go 文档：
+[Kubernetes URL 库](https://pkg.go.dev/k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/library#URLs)。
+
+<!--
+## Type checking
+
+CEL is a [gradually typed language](https://github.com/google/cel-spec/blob/master/doc/langdef.md#gradual-type-checking).
+
+Some Kubernetes API fields contain fully type checked CEL expressions. For
+example, [CustomResourceDefinitions Validation
+Rules](/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#validation-rules)
+are fully type checked.
+-->
+## 类型检查 {#type-checking}
+
+CEL 是一种[逐渐类型化的语言](https://github.com/google/cel-spec/blob/master/doc/langdef.md#gradual-type-checking)。
+
+一些 Kubernetes API 字段包含完全经过类型检查的 CEL 表达式。
+例如，[CustomResourceDefinitions 验证规则](/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#validation-rules)就是完全经过类型检查的。
+
+<!--
+Some Kubernetes API fields contain partially type checked CEL expressions. A
+partially type checked expression is an experessions where some of the variables
+are statically typed but others are dynamically typed. For example, in the CEL
+expressions of
+[ValidatingAdmissionPolicies](/docs/reference/access-authn-authz/validating-admission-policy/)
+the `request` variable is typed, but the `object` variable is dynamically typed.
+As a result, an expression containing `request.namex` would fail type checking
+because the `namex` field is not defined. However, `object.namex` would pass
+type checking even when the `namex` field is not defined for the resource kinds
+that `object` refers to, because `object` is dynamically typed.
+-->
+一些 Kubernetes API 字段包含部分经过类型检查的 CEL 表达式。
+部分经过类型检查的表达式是指一些变量是静态类型，而另一些变量是动态类型的表达式。
+例如在 [ValidatingAdmissionPolicies](/zh-cn/docs/reference/access-authn-authz/validating-admission-policy/)
+的 CEL 表达式中，`request` 变量是有类型的，但 `object` 变量是动态类型的。
+因此，包含 `request.namex` 的表达式将无法通过类型检查，因为 `namex` 字段未定义。
+然而，即使对于 `object` 所引用的资源种类没有定义 `namex` 字段，
+`object.namex` 也会通过类型检查，因为 `object` 是动态类型。
+
+<!--
+The `has()` macro in CEL may be used in CEL expressions to check if a field of a
+dynamically typed variable is accessable before attempting to access the field's
+value. For example:
+-->
+在 CEL 中，`has()` 宏可用于检查动态类型变量的字段是否可访问，然后再尝试访问该字段的值。
+例如：
+
+```cel
+has(object.namex) ? object.namex == 'special' : request.name == 'special'
+```
+
+<!--
+## Type system integration
+-->
+## 类型系统集成 {#type-system-integration}
+
+<!--
+{{< table caption="Table showing the relationship between OpenAPIv3 types and CEL types" >}}
+| OpenAPIv3 type                                     | CEL type                                                                                                                     |
+|----------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|
+| 'object' with Properties                           | object / "message type" (`type(<object>)` evaluates to `selfType<uniqueNumber>.path.to.object.from.self`                     |
+| 'object' with AdditionalProperties                 | map                                                                                                                          |
+| 'object' with x-kubernetes-embedded-type           | object / "message type", 'apiVersion', 'kind', 'metadata.name' and 'metadata.generateName' are implicitly included in schema |
+| 'object' with x-kubernetes-preserve-unknown-fields | object / "message type", unknown fields are NOT accessible in CEL expression                                                 |
+| x-kubernetes-int-or-string                         | union of int or string,  `self.intOrString < 100 \|\| self.intOrString == '50%'` evaluates to true for both `50` and `"50%"` |
+| 'array                                             | list                                                                                                                         |
+| 'array' with x-kubernetes-list-type=map            | list with map based Equality & unique key guarantees                                                                         |
+| 'array' with x-kubernetes-list-type=set            | list with set based Equality & unique entry guarantees                                                                       |
+| 'boolean'                                          | boolean                                                                                                                      |
+| 'number' (all formats)                             | double                                                                                                                       |
+| 'integer' (all formats)                            | int (64)                                                                                                                     |
+| _no equivalent_                                    | uint (64)                                                                                                                    |
+| 'null'                                             | null_type                                                                                                                    |
+| 'string'                                           | string                                                                                                                       |
+| 'string' with format=byte (base64 encoded)         | bytes                                                                                                                        |
+| 'string' with format=date                          | timestamp (google.protobuf.Timestamp)                                                                                        |
+| 'string' with format=datetime                      | timestamp (google.protobuf.Timestamp)                                                                                        |
+| 'string' with format=duration                      | duration (google.protobuf.Duration)                                                                                          |
+{{< /table >}}
+-->
+{{< table caption="表格显示了 OpenAPIv3 类型和 CEL 类型之间的关系" >}}
+| OpenAPIv3 类型                                      | CEL 类型                                                                                          |
+|----------------------------------------------------|---------------------------------------------------------------------------------------------------|
+| 设置了 properties 的 'object'                       | object / "message type" (`type(<object>)` 评估为 `selfType<uniqueNumber>.path.to.object.from.self` |
+| 设置了 AdditionalProperties 的 'object'             | map                                                                                               |
+| 设置了 x-kubernetes-embedded-type 的 'object'       | object / "message type"，'apiVersion'、'kind'、'metadata.name' 和 'metadata.generateName' 被隐式包含在模式中 |
+| 设置了 x-kubernetes-preserve-unknown-fields 的 'object' | object / "message type"，CEL 表达式中不可访问的未知字段                                            |
+| x-kubernetes-int-or-string                      | int 或 string 的并集，`self.intOrString < 100 \|\| self.intOrString == '50%'` 对于 `50` 和 `"50%"`都评估为 true |
+| 'array'                                        | list                                                                                                 |
+| 设置了 x-kubernetes-list-type=map 的 'array'    | list，具有基于 Equality 和唯一键保证的 map                                                               |
+| 设置了 x-kubernetes-list-type=set 的 'array'    | list，具有基于 Equality 和唯一条目保证的 set                                                             |
+| 'boolean'                                     | boolean                                                                                              |
+| 'number' (所有格式)                            | double                                                                                                |
+| 'integer' (所有格式)                           | int (64)                                                                                              |
+| **非等价 **                                    | uint (64)                                                                                             |
+| 'null'                                        | null_type                                                                                             |
+| 'string'                                      | string                                                                                                |
+| 设置了 format=byte 的 'string'（以 base64 编码） | bytes                                                                                                 |
+| 设置了 format=date 的 'string'                 | timestamp (google.protobuf.Timestamp)                                                                 |
+| 设置了 format=datetime 的 'string'             | timestamp (google.protobuf.Timestamp)                                                                 |
+| 设置了 format=duration 的 'string'             | duration (google.protobuf.Duration)                                                                   |
+{{< /table >}}
+
+<!--
+Also see: [CEL types](https://github.com/google/cel-spec/blob/v0.6.0/doc/langdef.md#values),
+[OpenAPI types](https://swagger.io/specification/#data-types),
+[Kubernetes Structural Schemas](/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#specifying-a-structural-schema).
+-->
+另见：[CEL 类型](https://github.com/google/cel-spec/blob/v0.6.0/doc/langdef.md#values)、
+[OpenAPI 类型](https://swagger.io/specification/#data-types)、
+[Kubernetes 结构化模式](/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#specifying-a-structural-schema)。
+
+<!--
+Equality comparison for arrays with `x-kubernetes-list-type` of `set` or `map` ignores element
+order. For example `[1, 2] == [2, 1]` if the arrays represent Kubernetes `set` values.
+
+Concatenation on arrays with `x-kubernetes-list-type` use the semantics of the
+list type:
+-->
+`x-kubernetes-list-type` 为 `set` 或 `map` 的数组进行相等比较时会忽略元素顺序。
+例如，如果这些数组代表 Kubernetes 的 `set` 值，则 `[1, 2] == [2, 1]`。
+
+使用 `x-kubernetes-list-type` 的数组进行串接时，使用 list 类型的语义：
+
+<!--
+- `set`: `X + Y` performs a union where the array positions of all elements in
+  `X` are preserved and non-intersecting elements in `Y` are appended, retaining
+  their partial order.
+- `map`: `X + Y` performs a merge where the array positions of all keys in `X`
+  are preserved but the values are overwritten by values in `Y` when the key
+  sets of `X` and `Y` intersect. Elements in `Y` with non-intersecting keys are
+  appended, retaining their partial order.
+-->
+- `set`：`X + Y` 执行并集操作，保留 `X` 中所有元素的数组位置，
+  将 `Y` 中非交集元素追加到 `X` 中，保留它们的部分顺序。
+- `map`：`X + Y` 执行合并操作，保留 `X` 中所有键的数组位置，
+  但是当 `X` 和 `Y` 的键集相交时，将 `Y` 中的值覆盖 `X` 中的值。
+  将 `Y` 中非交集键的元素附加到 `X` 中，保留它们的部分顺序。
+
+<!--
+## Escaping
+
+Only Kubernetes resource property names of the form
+`[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible from CEL. Accessible property
+names are escaped according to the following rules when accessed in the
+expression:
+-->
+## 转义 {#escaping}
+
+仅形如 `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` 的 Kubernetes 资源属性名可以从 CEL 中访问。
+当在表达式中访问可访问的属性名时，会根据以下规则进行转义：
+
+<!--
+{{< table caption="Table of CEL identifier escaping rules" >}}
+| escape sequence   | property name equivalent                                                                     |
+|-------------------|----------------------------------------------------------------------------------------------|
+| `__underscores__` | `__`                                                                                         |
+| `__dot__`         | `.`                                                                                          |
+| `__dash__`        | `-`                                                                                          |
+| `__slash__`       | `/`                                                                                          |
+| `__{keyword}__`   | [CEL **RESERVED** keyword](https://github.com/google/cel-spec/blob/v0.6.0/doc/langdef.md#syntax) |
+{{< /table >}}
+-->
+{{< table caption="CEL 标识符转义规则表" >}}
+| 转义序列            | 等价的属性名                                                                              |
+|-------------------|------------------------------------------------------------------------------------------|
+| `__underscores__` | `__`                                                                                     |
+| `__dot__`         | `.`                                                                                      |
+| `__dash__`        | `-`                                                                                      |
+| `__slash__`       | `/`                                                                                      |
+| `__{keyword}__` | [CEL **保留的** 关键字](https://github.com/google/cel-spec/blob/v0.6.0/doc/langdef.md#syntax) |
+{{< /table >}}
+
+<!--
+When you escape any of CEL's **RESERVED** keywords you need to match the exact property name
+use the underscore escaping
+(for example, `int` in the word `sprint` would not be escaped and nor would it need to be).
+
+Examples on escaping:
+-->
+当你需要转义 CEL 的任一 **保留的** 关键字时，你需要使用下划线转义来完全匹配属性名
+（例如，`sprint` 这个单词中的 `int` 不会被转义，也不需要被转义）。
+
+转义示例：
+
+<!--
+{{< table caption="Examples escaped CEL identifiers" >}}
+| property name | rule with escaped property name   |
+|---------------|-----------------------------------|
+| `namespace`   | `self.__namespace__ > 0`          |
+| `x-prop`      | `self.x__dash__prop > 0`          |
+| `redact__d`   | `self.redact__underscores__d > 0` |
+| `string`      | `self.startsWith('kube')`         |
+{{< /table >}}
+-->
+{{< table caption="转义的 CEL 标识符例子" >}}
+| 属性名称       | 带有转义的属性名称的规则              |
+|---------------|-----------------------------------|
+| `namespace`   | `self.__namespace__ > 0`          |
+| `x-prop`      | `self.x__dash__prop > 0`          |
+| `redact__d`   | `self.redact__underscores__d > 0` |
+| `string`      | `self.startsWith('kube')`         |
+{{< /table >}}
+
+<!--
+## Resource constraints
+
+CEL is non-Turing complete and offers a variety of production safety controls to
+limit execution time. CEL's _resource constraint_ features provide feedback to
+developers about expression complexity and help protect the API server from
+excessive resource consumption during evaluation. CEL's resource constraint
+features are used to prevent CEL evaluation from consuming excessive API server
+resources.
+-->
+## 资源约束 {#resource-constraints}
+
+CEL 不是图灵完备的，提供了多种生产安全控制手段来限制执行时间。
+CEL 的**资源约束**特性提供了关于表达式复杂性的反馈，并帮助保护 API 服务器免受过度的资源消耗。
+CEL 的资源约束特性用于防止 CEL 评估消耗过多的 API 服务器资源。
+
+<!--
+A key element of the resource constraint features is a _cost unit_ that CEL
+defines as a way of tracking CPU utilization. Cost units are independant of
+system load and hardware. Cost units are also deterministic; for any given CEL
+expression and input data, evaluation of the expression by the CEL interpreter
+will always result in the same cost.
+-->
+资源约束特性的一个关键要素是 CEL 定义的**成本单位**，它是一种跟踪 CPU 利用率的方式。
+成本单位独立于系统负载和硬件。成本单位也是确定性的；对于任何给定的 CEL 表达式和输入数据，
+由 CEL 解释器评估表达式将始终产生相同的成本。
+
+<!--
+Many of CEL's core operations have fixed costs. The simplest operations, such as
+comparisons (e.g. `<`) have a cost of 1. Some have a higher fixed cost, for
+example list literal declarations have a fixed base cost of 40 cost units.
+-->
+CEL 的许多核心运算具有固定成本。例如比较（例如 `<`）这类最简单的运算成本为 1。
+有些运算具有更高的固定成本，例如列表字面声明具有 40 个成本单位的固定基础成本。
+
+<!--
+Calls to functions implemented in native code approximate cost based on the time
+complexity of the operation. For example: operations that use regular
+expressions, such as `match` and `find`, are estimated using an approximated
+cost of `length(regexString)*length(inputString)`. The approximated cost
+reflects the worst case time complexity of Go's RE2 implementation.
+-->
+调用本地代码实现的函数时，基于运算的时间复杂度估算其成本。
+举例而言：`match` 和 `find` 这类使用正则表达式的运算使用
+`length(regexString)*length(inputString)` 的近似成本进行估算。
+这个近似的成本反映了 Go 的 RE2 实现的最坏情况的时间复杂度。
+
+<!--
+### Runtime cost budget
+
+All CEL expressions evaluated by Kubernetes are constrained by a runtime cost
+budget. The runtime cost budget is an estimate of actual CPU utilization
+computed by incrementing a cost unit counter while interpreting a CEL
+expression. If the CEL interpreter executes too many instructions, the runtime
+cost budget will be exceeded, execution of the expressions will be halted, and
+an error will result.
+-->
+### 运行时成本预算 {#runtime-cost-budget}
+
+所有由 Kubernetes 评估的 CEL 表达式都受到运行时成本预算的限制。
+运行时成本预算是通过在解释 CEL 表达式时增加成本单元计数器来计算实际 CPU 利用率的估算值。
+如果 CEL 解释器执行的指令太多，将超出运行时成本预算，表达式的执行将停止，并将出现错误。
+
+<!--
+Some Kubernetes resources define an additional runtime cost budget that bounds
+the execution of multiple expressions. If the sum total of the cost of
+expressions exceed the budget, execution of the expressions will be halted, and
+an error will result. For example the validation of a custom resource has a
+_per-validation_ runtime cost budget for all [Validation
+Rules](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#validation-rules)
+evaluated to validate the custom resource.
+-->
+一些 Kubernetes 资源定义了额外的运行时成本预算，用于限制多个表达式的执行。
+如果所有表达式的成本总和超过预算，表达式的执行将停止，并将出现错误。
+例如，自定义资源的验证具有针对验证自定义资源所评估的所有
+[验证规则](/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#validation-rules)的
+**每个验证** 运行时成本预算。
+
+<!--
+### Estimated cost limits
+
+For some Kubernetes resources, the API server may also check if worst case
+estimated running time of CEL expressions would be prohibitively expensive to
+execute. If so, the API server prevent the CEL expression from being written to
+API resources by rejecting create or update operations containing the CEL
+expression to the API resources. This feature offers a stronger assurance that
+CEL expressions written to the API resource will be evaluate at runtime without
+exceeding the runtime cost budget.
+-->
+### 估算的成本限制 {#estimated-cost-limits}
+
+对于某些 Kubernetes 资源，API 服务器还可能检查 CEL 表达式的最坏情况估计运行时间是否过于昂贵而无法执行。
+如果是，则 API 服务器会拒绝包含 CEL 表达式的创建或更新操作，以防止 CEL 表达式被写入 API 资源。
+此特性提供了更强的保证，即写入 API 资源的 CEL 表达式将在运行时进行评估，而不会超过运行时成本预算。

From 1ab93da49098aa1c57401a75078613efb59c193e Mon Sep 17 00:00:00 2001
From: windsonsea <haifeng.yao@daocloud.io>
Date: Tue, 14 Mar 2023 09:57:00 +0800
Subject: [PATCH 154/215] [zh] sync create-hostprocess-pod.md

---
 .../create-hostprocess-pod.md                 | 206 ++++++++++++++----
 1 file changed, 162 insertions(+), 44 deletions(-)

diff --git a/content/zh-cn/docs/tasks/configure-pod-container/create-hostprocess-pod.md b/content/zh-cn/docs/tasks/configure-pod-container/create-hostprocess-pod.md
index abc3896e70248..f52ec6697939e 100644
--- a/content/zh-cn/docs/tasks/configure-pod-container/create-hostprocess-pod.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/create-hostprocess-pod.md
@@ -1,20 +1,19 @@
 ---
 title: 创建 Windows HostProcess Pod
 content_type: task
-weight: 20
+weight: 50
 min-kubernetes-server-version: 1.23
 ---
-
 <!--
 title: Create a Windows HostProcess Pod
 content_type: task
-weight: 20
+weight: 50
 min-kubernetes-server-version: 1.23
 -->
 
 <!-- overview -->
 
-{{< feature-state for_k8s_version="v1.23" state="beta" >}}
+{{< feature-state for_k8s_version="v1.26" state="stable" >}}
 
 <!--
 Windows HostProcess containers enable you to run containerized
@@ -49,8 +48,8 @@ images taking up space on the node. HostProcess containers also support
 [volume mounts](#volume-mounts) within the container volume.
 -->
 类似于安装安全补丁、事件日志收集等这类管理性质的任务可以在不需要集群操作员登录到每个
-Windows 节点的前提下执行。HostProcess 容器可以以主机上存在的任何用户账户来运行，
-也可以以主机所在域中的用户账户运行，这样管理员可以通过用户许可权限来限制资源访问。
+Windows 节点的前提下执行。HostProcess 容器可以以主机上存在的任何用户账号来运行，
+也可以以主机所在域中的用户账号运行，这样管理员可以通过用户许可权限来限制资源访问。
 尽管文件系统和进程隔离都不支持，在启动容器时会在主机上创建一个新的卷，
 为其提供一个干净的、整合的工作空间。HostProcess 容器也可以基于现有的 Windows
 基础镜像来制作，并且不再有 Windows 服务器容器所带有的那些
@@ -102,23 +101,6 @@ kubelet 会直接与 containerd 通信，通过 CRI 将主机进程标志传递
 你可以使用 containerd 的最新版本（v1.6+）来运行 HostProcess 容器。
 参阅[如何安装 containerd](/zh-cn/docs/setup/production-environment/container-runtimes/#containerd)。
 
-<!--
-To *disable* HostProcess containers you need to pass the following feature gate flag to the
-**kubelet** and **kube-apiserver**:
--->
-要 *禁用* HostProcess 容器特性，你需要为 **kubelet** 和 **kube-apiserver**
-设置下面的特性门控标志：
-
-```powershell
---feature-gates=WindowsHostProcessContainers=false
-```
-
-<!--
-See [Features Gates](/docs/reference/command-line-tools-reference/feature-gates/#overview)
-documentation for more details.
--->
-进一步的细节可参阅[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/#overview)文档。
-
 <!--
 ## Limitations
 
@@ -130,7 +112,8 @@ These limitations are relevant for Kubernetes v{{< skew currentVersion >}}:
 
 <!--
 - HostProcess containers require containerd 1.6 or higher
-  {{< glossary_tooltip text="container runtime" term_id="container-runtime" >}}.
+  {{< glossary_tooltip text="container runtime" term_id="container-runtime" >}} and
+  containerd 1.7 is recommended.
 - HostProcess pods can only contain HostProcess containers. This is a current limitation
   of the Windows OS; non-privileged Windows containers cannot share a vNIC with the host IP namespace.
 - HostProcess containers run as a process on the host and do not have any degree of
@@ -138,9 +121,10 @@ These limitations are relevant for Kubernetes v{{< skew currentVersion >}}:
   filesystem or Hyper-V isolation are supported for HostProcess containers.
 -->
 - HostProcess 容器需要 containerd 1.6 或更高版本的
-  {{< glossary_tooltip text="容器运行时" term_id="container-runtime" >}}。
+  {{< glossary_tooltip text="容器运行时" term_id="container-runtime" >}}，
+  推荐 containerd 1.7。
 - HostProcess Pods 只能包含 HostProcess 容器。这是在 Windows 操作系统上的约束；
-  非特权的 Windows 容器不能与主机 IP 名字空间共享虚拟网卡（vNIC）。 
+  非特权的 Windows 容器不能与主机 IP 名字空间共享虚拟网卡（vNIC）。
 - HostProcess 在主机上以一个进程的形式运行，除了通过 HostProcess
   用户账号所实施的资源约束外，不提供任何形式的隔离。HostProcess 容器不支持文件系统或
   Hyper-V 隔离。
@@ -155,7 +139,7 @@ These limitations are relevant for Kubernetes v{{< skew currentVersion >}}:
   be accessed via their path on the host (e.g. \\\\.\\pipe\\\*)
 -->
 - 卷挂载是被支持的，并且要花在到容器卷下。参见[卷挂载](#volume-mounts)。
-- 默认情况下有一组主机用户账户可供 HostProcess 容器使用。
+- 默认情况下有一组主机用户账号可供 HostProcess 容器使用。
   参见[选择用户账号](#choosing-a-user-account)。
 - 对资源约束（磁盘、内存、CPU 个数）的支持与主机上进程相同。
 - **不支持**命名管道或者 UNIX 域套接字形式的挂载，需要使用主机上的路径名来访问
@@ -208,10 +192,8 @@ HostProcess 运行在与 privileged 模式相看齐的策略下。
     <tr>
       <td style="white-space: nowrap"><a href="/zh-cn/docs/concepts/security/pod-security-standards"><tt>hostNetwork</tt></a></td>
       <td>
-        <p><!--Will be in host network by default initially. Support
-        to set network to a different compartment may be desirable in
-        the future.-->
-        初始时将默认位于主机网络中。在未来可能会希望将网络设置到不同的隔离环境中。
+        <p><!--Pods container HostProcess containers must use the host's network namespace.-->
+        Pod 容器 HostProcess 容器必须使用主机的网络名字空间。
         </p>
         <p><strong><!--Allowed Values-->可选值</strong></p>
         <ul>
@@ -220,7 +202,7 @@ HostProcess 运行在与 privileged 模式相看齐的策略下。
       </td>
     </tr>
     <tr>
-      <td style="white-space: nowrap"><a href="/zh-cn/docs/tasks/configure-pod-container/configure-runasusername/"><tt>securityContext.windowsOptions.runAsUsername</tt></a></td>
+      <td style="white-space: nowrap"><a href="/zh-cn/docs/tasks/configure-pod-container/configure-runasusername/"><tt>securityContext.windowsOptions.runAsUserName</tt></a></td>
       <td>
         <p><!--Specification of which user the HostProcess container should run as is required for the pod spec.-->
         关于 HostProcess 容器所要使用的用户的规约，需要设置在 Pod 的规约中。
@@ -230,6 +212,10 @@ HostProcess 运行在与 privileged 模式相看齐的策略下。
           <li><code>NT AUTHORITY\SYSTEM</code></li>
           <li><code>NT AUTHORITY\Local service</code></li>
           <li><code>NT AUTHORITY\NetworkService</code></li>
+          <li>
+          <!-- Local usergroup names (see below) -->
+          本地用户组名称（参见下文）
+          </li>
         </ul>
       </td>
     </tr>
@@ -276,30 +262,57 @@ spec:
 ## Volume mounts
 
 HostProcess containers support the ability to mount volumes within the container volume space.
+Volume mount behavior differs depending on the version of containerd runtime used by on the node.
+-->
+## 卷挂载    {#volume-mounts}
+
+HostProcess 容器支持在容器卷空间中挂载卷的能力。
+卷挂载行为将因节点所使用的 containerd 运行时版本而异。
+
+<!--
+### Containerd v1.6
+
 Applications running inside the container can access volume mounts directly via relative or
 absolute paths. An environment variable `$CONTAINER_SANDBOX_MOUNT_POINT` is set upon container
 creation and provides the absolute host path to the container volume. Relative paths are based
 upon the `.spec.containers.volumeMounts.mountPath` configuration.
+
+To access service account tokens (for example) the following path structures are supported within the container:
 -->
-## 卷挂载    {#volume-mounts}
+### containerd v1.6
 
-HostProcess 容器支持在容器卷空间中挂载卷的能力。
 在容器内运行的应用能够通过相对或者绝对路径直接访问卷挂载。
 环境变量 `$CONTAINER_SANDBOX_MOUNT_POINT` 在容器创建时被设置为指向容器卷的绝对主机路径。
 相对路径是基于 `.spec.containers.volumeMounts.mountPath` 配置来推导的。
 
+容器内支持通过下面的路径结构来访问服务账号令牌：
+
+- `.\var\run\secrets\kubernetes.io\serviceaccount\`
+- `$CONTAINER_SANDBOX_MOUNT_POINT\var\run\secrets\kubernetes.io\serviceaccount\`
+
 <!--
-### Example {#volume-mount-example}
+### Containerd v1.7 (and greater)
 
-To access service account tokens the following path structures are supported within the container:
+Applications running inside the container can access volume mounts directly via the volumeMount's
+specified `mountPath` (just like Linux and non-HostProcess Windows containers).
 -->
-### 示例    {#volume-mount-example}
+### containerd v1.7（及更高版本）   {#containerd-v1.7-and-greater}
 
-容器内支持通过下面的路径结构来访问服务账好令牌：
+容器内运行的应用可以通过 volumeMount 指定的 `mountPath` 直接访问卷挂载
+（就像 Linux 和非 HostProcess Windows 容器一样）。
 
-`.\var\run\secrets\kubernetes.io\serviceaccount\`
+<!--
+For backwards compatibility volumes can also be accessed via using the same relative paths configured by containerd v1.6.
 
-`$CONTAINER_SANDBOX_MOUNT_POINT\var\run\secrets\kubernetes.io\serviceaccount\`
+As an example, to access service account tokens within the container you would use one of the following paths:
+-->
+为了向后兼容性，卷也可以通过使用由 containerd v1.6 配置的相同相对路径进行访问。
+
+例如，要在容器中访问服务帐户令牌，你将使用以下路径之一：
+
+- `c:\var\run\secrets\kubernetes.io\serviceaccount`
+- `/var/run/secrets/kubernetes.io/serviceaccount/`
+- `$CONTAINER_SANDBOX_MOUNT_POINT\var\run\secrets\kubernetes.io\serviceaccount\`
 
 <!--
 ## Resource limits
@@ -311,9 +324,9 @@ These limits would be specified the same way they are currently for whatever orc
 or runtime is being used. The only difference is in the disk resource usage calculation
 used for resource tracking due to the difference in how HostProcess containers are bootstrapped.
 -->
-## 资源约束    {#resource-limits}
+## 资源限制    {#resource-limits}
 
-资源约束（磁盘、内存、CPU 个数）作用到任务之上，并在整个任务上起作用。
+资源限制（磁盘、内存、CPU 个数）作用到任务之上，并在整个任务上起作用。
 例如，如果内存限制设置为 10MB，任何 HostProcess 任务对象所分配的内存不会超过 10MB。
 这一行为与其他 Windows 容器类型相同。资源限制的设置方式与编排系统或容器运行时无关。
 唯一的区别是用来跟踪资源所进行的磁盘资源用量的计算，出现差异的原因是因为
@@ -322,11 +335,15 @@ HostProcess 容器启动引导的方式造成的。
 <!--
 ## Choosing a user account
 
-HostProcess containers support the ability to run as one of three supported Windows service accounts:
+### System accounts
+
+By default, HostProcess containers support the ability to run as one of three supported Windows service accounts:
 -->
 ## 选择用户账号  {#choosing-a-user-account}
 
-HostProcess 容器支持以三种被支持的 Windows 服务账号之一来运行：
+### 系统账号   {#system-accounts}
+
+默认情况下，HostProcess 容器支持以三种被支持的 Windows 服务账号之一来运行：
 
 - **[LocalSystem](https://docs.microsoft.com/windows/win32/services/localsystem-account)**
 - **[LocalService](https://docs.microsoft.com/windows/win32/services/localservice-account)**
@@ -344,3 +361,104 @@ use the LocalService service account as it is the least privileged of the three
 在三者之中最高，只有在绝对需要的时候才应该使用。只要可能，应该使用
 LocalService 服务账号，因为该账号在三者中特权最低。
 
+<!--
+### Local accounts {#local-accounts}
+
+If configured, HostProcess containers can also run as local user accounts which allows for node operators to give
+fine-grained access to workloads.
+-->
+### 本地账号   {#local-accounts}
+
+取决于配置，HostProcess 容器也能够以本地用户账号运行，
+从而允许节点操作员为工作负载提供细粒度的访问权限。
+
+<!--
+To run HostProcess containers as a local user; A local usergroup must first be created on the node
+and the name of that local usergroup must be specified in the `runAsUserName` field in the deployment.
+Prior to initializing the HostProcess container, a new **ephemeral** local user account to be created and joined to the specified usergroup, from which the container is run.
+This provides a number a benefits including eliminating the need to manage passwords for local user accounts.
+An initial HostProcess container running as a service account can be used to
+prepare the user groups for later HostProcess containers.
+-->
+要以本地用户运行 HostProcess 容器，必须首先在节点上创建一个本地用户组，
+并在部署中在 `runAsUserName` 字段中指定该本地用户组的名称。
+在初始化 HostProcess 容器之前，将创建一个新的**临时**本地用户账号，并加入到指定的用户组中，
+使用这个账号来运行容器。这样做有许多好处，包括不再需要管理本地用户账号的密码。
+作为服务账号运行的初始 HostProcess 容器可用于准备用户组，以供后续的 HostProcess 容器使用。
+
+{{< note >}}
+<!--
+Running HostProcess containers as local user accounts requires containerd v1.7+
+-->
+以本地用户账号运行 HostProcess 容器需要 containerd v1.7+。
+{{< /note >}}
+
+<!--
+Example:
+
+1. Create a local user group on the node (this can be done in another HostProcess container).
+-->
+例如：
+
+1. 在节点上创建本地用户组（这可以在另一个 HostProcess 容器中完成）。
+
+   ```cmd
+   net localgroup hpc-localgroup /add
+   ```
+
+<!--
+1. Grant access to desired resources on the node to the local usergroup.
+   This can be done with tools like [icacls](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/icacls).
+-->
+2. 为本地用户组授予访问所需资源的权限。这可以通过使用
+   [icacls](https://learn.microsoft.com/zh-cn/windows-server/administration/windows-commands/icacls)
+   这类工具达成。
+
+<!--
+1. Set `runAsUserName` to the name of the local usergroup for the pod or individual containers.
+-->
+3. 针对 Pod 或个别容器，将 `runAsUserName` 设置为本地用户组的名称。
+
+   ```yaml
+   securityContext:
+     windowsOptions:
+       hostProcess: true
+       runAsUserName: hpc-localgroup
+   ```
+
+<!--
+1. Schedule the pod!
+-->
+4. 调度 Pod！
+
+<!--
+## Base Image for HostProcess Containers
+
+HostProcess containers can be built from any of the existing [Windows Container base images](https://learn.microsoft.com/virtualization/windowscontainers/manage-containers/container-base-images).
+
+Additionally a new base mage has been created just for HostProcess containers!
+For more information please check out the [windows-host-process-containers-base-image github project](https://github.com/microsoft/windows-host-process-containers-base-image#overview).
+-->
+## HostProcess 容器的基础镜像   {#base-image-for-hostprocess-containers}
+
+HostProcess 容器可以基于任何现有的
+[Windows Container 基础镜像](https://learn.microsoft.com/zh-cn/virtualization/windowscontainers/manage-containers/container-base-images)进行构建。
+
+此外，还专为 HostProcess 容器创建了一个新的基础镜像！有关更多信息，请查看
+[windows-host-process-containers-base-image github 项目](https://github.com/microsoft/windows-host-process-containers-base-image#overview)。
+
+<!--
+## Troubleshooting HostProcess containers
+
+- HostProcess containers fail to start with `failed to create user process token: failed to logon user: Access is denied.: unknown`
+
+  Ensure containerd is running as `LocalSystem` or `LocalService` service accounts. User accounts (even Administrator accounts) do not have permissions to create logon tokens for any of the supported [user accounts](#choosing-a-user-account).
+-->
+## HostProcess 容器的故障排查   {#troubleshooting-hostprocess-containers}
+
+- HostProcess 容器因
+  `failed to create user process token: failed to logon user: Access is denied.: unknown`
+  启动失败。
+
+  确保 containerd 以 `LocalSystem` 或 `LocalService` 服务帐户运行。
+  用户账号（即使是管理员账号）没有权限为任何支持的[用户账号](#choosing-a-user-account)创建登录令牌。

From bd386e838556f4ea8291b00061cb17c62dac1b3d Mon Sep 17 00:00:00 2001
From: howieyuen <howieyuen@outlook.com>
Date: Wed, 15 Mar 2023 14:58:49 +0800
Subject: [PATCH 155/215] [zh-cn]sync
 content/zh-cn/docs/tasks/configure-pod-container/create-hostprocess-pod.md

---
 .../tasks/configure-pod-container/create-hostprocess-pod.md     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/zh-cn/docs/tasks/configure-pod-container/create-hostprocess-pod.md b/content/zh-cn/docs/tasks/configure-pod-container/create-hostprocess-pod.md
index f52ec6697939e..49366e3a8ef70 100644
--- a/content/zh-cn/docs/tasks/configure-pod-container/create-hostprocess-pod.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/create-hostprocess-pod.md
@@ -296,7 +296,7 @@ To access service account tokens (for example) the following path structures are
 Applications running inside the container can access volume mounts directly via the volumeMount's
 specified `mountPath` (just like Linux and non-HostProcess Windows containers).
 -->
-### containerd v1.7（及更高版本）   {#containerd-v1.7-and-greater}
+### containerd v1.7（及更高版本）   {#containerd-v1-7-and-greater}
 
 容器内运行的应用可以通过 volumeMount 指定的 `mountPath` 直接访问卷挂载
 （就像 Linux 和非 HostProcess Windows 容器一样）。

From 1ee40c20bddf886f12957b34d1acb265220be31d Mon Sep 17 00:00:00 2001
From: Guangwen Feng <fenggw-fnst@fujitsu.com>
Date: Thu, 16 Mar 2023 01:59:16 +0800
Subject: [PATCH 156/215] Fix typos in cel.md

Signed-off-by: Guangwen Feng <fenggw-fnst@fujitsu.com>
---
 content/en/docs/reference/using-api/cel.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/en/docs/reference/using-api/cel.md b/content/en/docs/reference/using-api/cel.md
index 532a214f009fc..eb5d696de9aa3 100644
--- a/content/en/docs/reference/using-api/cel.md
+++ b/content/en/docs/reference/using-api/cel.md
@@ -165,7 +165,7 @@ type checking even when the `namex` field is not defined for the resource kinds
 that `object` refers to, because `object` is dynamically typed.
 
 The `has()` macro in CEL may be used in CEL expressions to check if a field of a
-dynamically typed variable is accessable before attempting to access the field's
+dynamically typed variable is accessible before attempting to access the field's
 value. For example:
 
 ```cel
@@ -257,7 +257,7 @@ features are used to prevent CEL evaluation from consuming excessive API server
 resources.
 
 A key element of the resource constraint features is a _cost unit_ that CEL
-defines as a way of tracking CPU utilization. Cost units are independant of
+defines as a way of tracking CPU utilization. Cost units are independent of
 system load and hardware. Cost units are also deterministic; for any given CEL
 expression and input data, evaluation of the expression by the CEL interpreter
 will always result in the same cost.

From ae17e46f735955ee8e8e2329acd3c4029a8e36fd Mon Sep 17 00:00:00 2001
From: Sergey Kanzhelev <S.Kanzhelev@live.com>
Date: Wed, 15 Mar 2023 08:32:17 -0700
Subject: [PATCH 157/215] Document behavior of endpoints with the feature
 EndpointSliceTerminatingCondition (#36791)

* new behavior of endpoints with the feature gate EndpointSliceTerminatingCondition

* Update content/en/docs/concepts/workloads/pods/pod-lifecycle.md

Co-authored-by: Tim Bannister <tim@scalefactory.com>

* Update content/en/docs/concepts/workloads/pods/pod-lifecycle.md

Co-authored-by: Tim Bannister <tim@scalefactory.com>

* Update content/en/docs/concepts/workloads/pods/pod-lifecycle.md

Co-authored-by: Antonio Ojea <antonio.ojea.garcia@gmail.com>

* fixing feature gate versions

---------

Co-authored-by: Tim Bannister <tim@scalefactory.com>
Co-authored-by: Antonio Ojea <antonio.ojea.garcia@gmail.com>
---
 .../concepts/workloads/pods/pod-lifecycle.md  |  28 ++-
 .../pods-and-endpoint-termination-flow.md     | 221 ++++++++++++++++++
 .../pod-with-graceful-termination.yaml        |  32 +++
 3 files changed, 276 insertions(+), 5 deletions(-)
 create mode 100644 content/en/docs/tutorials/services/pods-and-endpoint-termination-flow.md
 create mode 100644 content/en/examples/service/pod-with-graceful-termination.yaml

diff --git a/content/en/docs/concepts/workloads/pods/pod-lifecycle.md b/content/en/docs/concepts/workloads/pods/pod-lifecycle.md
index 43f9c70ccf399..9e599d23e71b7 100644
--- a/content/en/docs/concepts/workloads/pods/pod-lifecycle.md
+++ b/content/en/docs/concepts/workloads/pods/pod-lifecycle.md
@@ -296,7 +296,7 @@ Each probe must define exactly one of these four mechanisms:
   The target should implement
   [gRPC health checks](https://grpc.io/grpc/core/md_doc_health-checking.html).
   The diagnostic is considered successful if the `status`
-  of the response is `SERVING`.  
+  of the response is `SERVING`.
   gRPC probes are an alpha feature and are only available if you
   enable the `GRPCContainerProbe`
   [feature gate](/docs/reference/command-line-tools-reference/feature-gates/).
@@ -465,14 +465,32 @@ An example flow:
       The containers in the Pod receive the TERM signal at different times and in an arbitrary
       order. If the order of shutdowns matters, consider using a `preStop` hook to synchronize.
       {{< /note >}}
-1. At the same time as the kubelet is starting graceful shutdown, the control plane removes that
-   shutting-down Pod from EndpointSlice (and Endpoints) objects where these represent
+1. At the same time as the kubelet is starting graceful shutdown of the Pod, the control plane evaluates whether to remove that shutting-down Pod from EndpointSlice (and Endpoints) objects, where those objects represent
    a {{< glossary_tooltip term_id="service" text="Service" >}} with a configured
    {{< glossary_tooltip text="selector" term_id="selector" >}}.
    {{< glossary_tooltip text="ReplicaSets" term_id="replica-set" >}} and other workload resources
    no longer treat the shutting-down Pod as a valid, in-service replica. Pods that shut down slowly
-   cannot continue to serve traffic as load balancers (like the service proxy) remove the Pod from
-   the list of endpoints as soon as the termination grace period _begins_.
+   should not continue to serve regular traffic and should start terminating and finish processing open connections.
+   Some applications need to go beyond finishing open connections and need more graceful termination -
+   for example: session draining and completion. Any endpoints that represent the terminating pods
+   are not immediately removed from EndpointSlices,
+   and a status indicating [terminating state](/docs/concepts/services-networking/endpoint-slices/#conditions)
+   is exposed from the EndpointSlice API (and the legacy Endpoints API). Terminating
+   endpoints always have their `ready` status
+   as `false` (for backward compatibility with versions before 1.26),
+   so load balancers will not use it for regular traffic.
+   If traffic draining on terminating pod is needed, the actual readiness can be checked as a condition `serving`.
+   You can find more details on how to implement connections draining
+   in the tutorial [Pods And Endpoints Termination Flow](/docs/tutorials/services/pods-and-endpoint-termination-flow/)
+
+{{<note>}}
+If you don't have the `EndpointSliceTerminatingCondition` feature gate enabled
+in your cluster (the gate is on by default from Kubernetes 1.22, and locked to default in 1.26), then the Kubernetes control
+plane removes a Pod from any relevant EndpointSlices as soon as the Pod's
+termination grace period _begins_. The behavior above is described when the
+feature gate `EndpointSliceTerminatingCondition` is enabled.
+{{</note>}}
+
 1. When the grace period expires, the kubelet triggers forcible shutdown. The container runtime sends
    `SIGKILL` to any processes still running in any container in the Pod.
    The kubelet also cleans up a hidden `pause` container if that container runtime uses one.
diff --git a/content/en/docs/tutorials/services/pods-and-endpoint-termination-flow.md b/content/en/docs/tutorials/services/pods-and-endpoint-termination-flow.md
new file mode 100644
index 0000000000000..3ff7e2d987d92
--- /dev/null
+++ b/content/en/docs/tutorials/services/pods-and-endpoint-termination-flow.md
@@ -0,0 +1,221 @@
+---
+title: Explore Termination Behavior for Pods And Their Endpoints
+content_type: tutorial
+weight: 60
+---
+
+
+<!-- overview -->
+
+Once you connected your Application with Service following steps
+like those outlined in [Connecting Applications with Services](/docs/tutorials/services/connect-applications-service/),
+you have a continuously running, replicated application, that is exposed on a network.
+This tutorial helps you look at the termination flow for Pods and to explore ways to implement
+graceful connection draining.
+
+<!-- body -->
+
+## Termination process for Pods and their endpoints
+
+There are often cases when you need to terminate a Pod - be it for upgrade or scale down.
+In order to improve application availability, it may be important to implement
+a proper active connections draining. This tutorial explains the flow of
+Pod termination in connection with the corresponding endpoint state and removal.
+
+This tutorial explains the flow of Pod termination in connection with the
+corresponding endpoint state and removal by using
+a simple nginx web server to demonstrate the concept.
+
+<!-- body -->
+
+## Example flow with endpoint termination
+
+The following is the example of the flow described in the
+[Termination of Pods](/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination)
+document.
+
+Let's say you have a Deployment containing of a single `nginx` replica
+(just for demonstration purposes) and a Service:
+
+{{< codenew file="service/pod-with-graceful-termination.yaml" >}}
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: nginx
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      terminationGracePeriodSeconds: 120 # extra long grace period
+      containers:
+      - name: nginx
+        image: nginx:latest
+        ports:
+        - containerPort: 80
+        lifecycle:
+          preStop:
+            exec:
+              # Real life termination may take any time up to terminationGracePeriodSeconds.
+              # In this example - just hang around for at least the duration of terminationGracePeriodSeconds,
+              # at 120 seconds container will be forcibly terminated.
+              # Note, all this time nginx will keep processing requests.
+              command: [
+                "/bin/sh", "-c", "sleep 180"
+              ]
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx-service
+spec:
+  selector:
+    app: nginx
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 80
+```
+
+Once the Pod and Service are running, you can get the name of any associated EndpointSlices:
+
+```shell
+kubectl get endpointslice
+```
+
+The output is similar to this:
+
+```none
+NAME                  ADDRESSTYPE   PORTS   ENDPOINTS                 AGE
+nginx-service-6tjbr   IPv4          80      10.12.1.199,10.12.1.201   22m
+```
+
+You can see its status, and validate that there is one endpoint registered:
+
+```shell
+kubectl get endpointslices -o json -l kubernetes.io/service-name=nginx-service
+```
+
+The output is similar to this:
+
+```none
+{
+    "addressType": "IPv4",
+    "apiVersion": "discovery.k8s.io/v1",
+    "endpoints": [
+        {
+            "addresses": [
+                "10.12.1.201"
+            ],
+            "conditions": {
+                "ready": true,
+                "serving": true,
+                "terminating": false
+```
+
+Now let's terminate the Pod and validate that the Pod is being terminated
+respecting the graceful termination period configuration:
+
+```shell
+kubectl delete pod nginx-deployment-7768647bf9-b4b9s
+```
+
+All pods:
+
+```shell
+kubectl get pods
+```
+
+The output is similar to this:
+
+```none
+NAME                                READY   STATUS        RESTARTS      AGE
+nginx-deployment-7768647bf9-b4b9s   1/1     Terminating   0             4m1s
+nginx-deployment-7768647bf9-rkxlw   1/1     Running       0             8s
+```
+
+You can see that the new pod got scheduled.
+
+While the new endpoint is being created for the new Pod, the old endpoint is
+still around in the terminating state:
+
+```shell
+kubectl get endpointslice -o json nginx-service-6tjbr
+```
+
+The output is similar to this:
+
+```none
+{
+    "addressType": "IPv4",
+    "apiVersion": "discovery.k8s.io/v1",
+    "endpoints": [
+        {
+            "addresses": [
+                "10.12.1.201"
+            ],
+            "conditions": {
+                "ready": false,
+                "serving": true,
+                "terminating": true
+            },
+            "nodeName": "gke-main-default-pool-dca1511c-d17b",
+            "targetRef": {
+                "kind": "Pod",
+                "name": "nginx-deployment-7768647bf9-b4b9s",
+                "namespace": "default",
+                "uid": "66fa831c-7eb2-407f-bd2c-f96dfe841478"
+            },
+            "zone": "us-central1-c"
+        },
+        {
+            "addresses": [
+                "10.12.1.202"
+            ],
+            "conditions": {
+                "ready": true,
+                "serving": true,
+                "terminating": false
+            },
+            "nodeName": "gke-main-default-pool-dca1511c-d17b",
+            "targetRef": {
+                "kind": "Pod",
+                "name": "nginx-deployment-7768647bf9-rkxlw",
+                "namespace": "default",
+                "uid": "722b1cbe-dcd7-4ed4-8928-4a4d0e2bbe35"
+            },
+            "zone": "us-central1-c"
+```
+
+This allows applications to communicate their state during termination
+and clients (such as load balancers) to implement a connections draining functionality.
+These clients may detect terminating endpoints and implement a special logic for them.
+
+In Kubernetes, endpoints that are terminating always have their `ready` status set as as `false`.
+This needs to happen for backward
+compatibility, so existing load balancers will not use it for regular traffic.
+If traffic draining on terminating pod is needed, the actual readiness can be
+checked as a condition `serving`.
+
+When Pod is deleted, the old endpoint will also be deleted.
+
+
+## {{% heading "whatsnext" %}}
+
+
+* Learn how to [Connect Applications with Services](/docs/tutorials/services/connect-applications-service/)
+* Learn more about [Using a Service to Access an Application in a Cluster](/docs/tasks/access-application-cluster/service-access-application-cluster/)
+* Learn more about [Connecting a Front End to a Back End Using a Service](/docs/tasks/access-application-cluster/connecting-frontend-backend/)
+* Learn more about [Creating an External Load Balancer](/docs/tasks/access-application-cluster/create-external-load-balancer/)
+
diff --git a/content/en/examples/service/pod-with-graceful-termination.yaml b/content/en/examples/service/pod-with-graceful-termination.yaml
new file mode 100644
index 0000000000000..4a39d2d368a94
--- /dev/null
+++ b/content/en/examples/service/pod-with-graceful-termination.yaml
@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: nginx
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      terminationGracePeriodSeconds: 120 # extra long grace period
+      containers:
+      - name: nginx
+        image: nginx:latest
+        ports:
+        - containerPort: 80
+        lifecycle:
+          preStop:
+            exec:
+              # Real life termination may take any time up to terminationGracePeriodSeconds.
+              # In this example - just hang around for at least the duration of terminationGracePeriodSeconds,
+              # at 120 seconds container will be forcibly terminated.
+              # Note, all this time nginx will keep processing requests.
+              command: [
+                "/bin/sh", "-c", "sleep 180"
+              ]

From 58cf159471acd8fedaa652a7c559edcdb91a6e46 Mon Sep 17 00:00:00 2001
From: Yoshitaka Fujii <76274657+ystkfujii@users.noreply.github.com>
Date: Thu, 16 Mar 2023 00:48:51 +0900
Subject: [PATCH 158/215] Apply suggestions from code review

Co-authored-by: Toshiaki Inukai <82919057+t-inu@users.noreply.github.com>
---
 content/ja/docs/concepts/overview/kubernetes-api.md | 8 ++++----
 content/ja/docs/reference/using-api/_index.md       | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/content/ja/docs/concepts/overview/kubernetes-api.md b/content/ja/docs/concepts/overview/kubernetes-api.md
index 4fb0b6ec5a3da..982331d2f1a43 100644
--- a/content/ja/docs/concepts/overview/kubernetes-api.md
+++ b/content/ja/docs/concepts/overview/kubernetes-api.md
@@ -147,7 +147,7 @@ APIリソースは、APIグループ、リソースタイプ、ネームスペ
 
 例えば、同じリソースで`v1`と`v1beta1`の2つのバージョンが有ることを考えてみます。
 `v1beta1`バージョンのAPIを利用しオブジェクトを最初に作成したとして、`v1beta1`バージョンが非推奨となり削除されるまで、`v1beta1`もしくは`v1`どちらのAPIバージョンを利用してもオブジェクトのread、update、deleteができます。
-その時点では `v1` APIを使用してオブジェクトの修正やアクセスを継続することが可能です。
+その時点では、`v1` APIを使用してオブジェクトの修正やアクセスを継続することが可能です。
 
 ## APIの変更
 
@@ -158,18 +158,18 @@ Kubernetesプロジェクトは、既存のクライアントとの互換性を
 基本的に、新しいAPIリソースと新しいリソースフィールドは追加することができます。
 リソースまたはフィールドを削除するには、[API非推奨ポリシー](/docs/reference/using-api/deprecation-policy/)に従ってください。
 
-Kubernetesは、公式のKubernetes APIが一度一般提供（GA）に達した場合、通常は`v1`APIバージョンです、互換性を維持することを強い責任があります。
+Kubernetesは、通常はAPIバージョン`v1`として、公式のKubernetes APIが一度一般提供(GA)に達した場合、互換性を維持することを強く確約します。
 さらに、Kubernetesは、公式Kubernetes APIの _beta_ APIバージョン経由で永続化されたデータとの互換性を維持します。
 そして、機能が安定したときにGA APIバージョン経由でデータを変換してアクセスできることを保証します。
 
 beta APIを採用した場合、APIが卒業(Graduate)したら、後続のbetaまたはstable APIに移行する必要があります。
-これを行うのに最適な時期は、オブジェクトが両方のAPIバージョンから同時にアクセスできるbeta APIが非推奨期間です。
+これを行うのに最適な時期は、オブジェクトが両方のAPIバージョンから同時にアクセスできるbeta APIの非推奨期間中です。
 beta APIが非推奨期間を終えて提供されなくなったら、代替APIバージョンを使用する必要があります。
 
 {{< note >}}
 Kubernetesは、 _alpha_ APIバージョンについても互換性の維持に注力しますが、いくつかの事情により不可である場合もあります。
 alpha APIバージョンを使っている場合、クラスターをアップグレードする時にKubernetesのリリースノートを確認してください。
-アップグレードのために既存のalphaオブジェクトをすべて削除する必要がある互換性の無い方法でAPIが変更される場合があります。
+APIが互換性のない方法で変更された場合は、アップグレードをする前に既存のalphaオブジェクトをすべて削除する必要があります。
 {{< /note >}}
 
 APIバージョンレベルの定義に関する詳細は[APIバージョンのリファレンス](/docs/reference/using-api/#api-versioning)を参照してください。
diff --git a/content/ja/docs/reference/using-api/_index.md b/content/ja/docs/reference/using-api/_index.md
index caad234abbd01..dd2a237834fd9 100644
--- a/content/ja/docs/reference/using-api/_index.md
+++ b/content/ja/docs/reference/using-api/_index.md
@@ -38,7 +38,7 @@ APIのバージョンが異なると、安定性やサポートのレベルも
 各レベルの概要は以下の通りです:
 
 - Alpha:
-  - バージョン名に`alpha`が含まれています（例：`v1alpha1`）。
+  - バージョン名に`alpha`が含まれています(例：`v1alpha1`)。
   - 組み込みのalpha APIバージョンはデフォルトで無効化されており、使用するためには`kube-apiserver`の設定で明示的に有効にする必要があります。
   - バグが含まれている可能性があります。
     機能を有効にするとバグが露呈する可能性があります。
@@ -50,7 +50,7 @@ APIのバージョンが異なると、安定性やサポートのレベルも
   - バージョン名には `beta` が含まれています(例：`v2beta3`)。
   - 組み込みのbeta APIバージョンはデフォルトで無効化されており、使用するためには`kube-apiserver`の設定で明示的に有効にする必要があります。
     (**例外として**Kubernetes 1.22以前に導入されたAPIのbetaバージョンはデフォルトで有効化されています)
-  - 組み込みのbeta APIバージョンは、導入から非推奨となるまでが9ヶ月または3マイナーリリース（どちらかの長い期間）、そして非推奨から削除まで9ヶ月または3マイナーリリース（どちらかの長い期間）の最大存続期間を持ちます。
+  - 組み込みのbeta APIバージョンは、導入から非推奨となるまでが9ヶ月または3マイナーリリース(どちらかの長い期間)、そして非推奨から削除まで9ヶ月または3マイナーリリース(どちらかの長い期間)の最大存続期間を持ちます。
   - ソフトウェアは十分にテストされています。
     機能を有効にすることは安全であると考えられています。
   - 機能のサポートが打ち切られることはありませんが、詳細は変更される可能性があります。
@@ -62,7 +62,7 @@ APIのバージョンが異なると、安定性やサポートのレベルも
 
   - 本番環境での使用は推奨しません。
     後続のリリースは、互換性のない変更を導入する可能性があります。
-    beta APIが非推奨となり提供されなくなった際には、後続のbetaまたはstable APIバージョンに移行するためにbeta APIバージョンを使用する必要があります。
+    beta APIを使用する場合、そのbeta APIが非推奨となり提供されなくなった際には、後続のbetaまたはstable APIバージョンに移行する必要があります。
 
   {{< note >}}
 ベータ版の機能をお試しいただき、ご意見をお寄せください。
@@ -71,7 +71,7 @@ APIのバージョンが異なると、安定性やサポートのレベルも
 
 - Stable:
   - バージョン名は `vX` であり、`X` は整数である。
-  - stable APIバージョンはKubernetesのメジャーバージョン内の全てのリリースで利用可能であり、stable APIを削除したKubernetesのメジャーバージョンリビジョンの計画は現在ありません。
+  - stable APIバージョンはKubernetesのメジャーバージョン内の全てのリリースで利用可能であり、stable APIを削除するようなKubernetesのメジャーバージョンの修正は、現在計画されていません。
 
 ## APIグループ
 

From 499e6ffc2a7fe88ad790e1ee2b63c75336f04549 Mon Sep 17 00:00:00 2001
From: ystkfujii <ystk.fujii0731@gmail.com>
Date: Thu, 16 Mar 2023 01:39:54 +0900
Subject: [PATCH 159/215] Remove service catalog reference for fr

---
 content/fr/docs/tasks/service-catalog/_index.md | 4 ----
 1 file changed, 4 deletions(-)
 delete mode 100644 content/fr/docs/tasks/service-catalog/_index.md

diff --git a/content/fr/docs/tasks/service-catalog/_index.md b/content/fr/docs/tasks/service-catalog/_index.md
deleted file mode 100644
index 4b055cc49ac46..0000000000000
--- a/content/fr/docs/tasks/service-catalog/_index.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-title: Installation du catalogue de services
-weight: 150
----

From e214a03ed1c86cb791a1730834888db333662efc Mon Sep 17 00:00:00 2001
From: ystkfujii <ystk.fujii0731@gmail.com>
Date: Thu, 16 Mar 2023 01:42:43 +0900
Subject: [PATCH 160/215] Remove service catalog reference for de

---
 content/de/docs/tasks/service-catalog/_index.md | 5 -----
 1 file changed, 5 deletions(-)
 delete mode 100644 content/de/docs/tasks/service-catalog/_index.md

diff --git a/content/de/docs/tasks/service-catalog/_index.md b/content/de/docs/tasks/service-catalog/_index.md
deleted file mode 100644
index 0f63c1df82474..0000000000000
--- a/content/de/docs/tasks/service-catalog/_index.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: "Service Catalog installieren"
-weight: 150
----
-

From 8956a9b4a9314689783f9c0aaff18be67cab9123 Mon Sep 17 00:00:00 2001
From: "xin.li" <xin.li@daocloud.io>
Date: Thu, 9 Mar 2023 21:22:37 +0800
Subject: [PATCH 161/215] [zh-cn]sync doc/contribute

Signed-off-by: xin.li <xin.li@daocloud.io>
---
 .../docs/concepts/configuration/overview.md   |  2 +-
 .../contribute/generate-ref-docs/_index.md    |  4 +-
 content/zh-cn/docs/contribute/localization.md | 57 ++++++++++++-------
 .../contribute/style/hugo-shortcodes/index.md | 57 +++++++++++++++++++
 .../docs/contribute/style/style-guide.md      | 10 ++--
 5 files changed, 102 insertions(+), 28 deletions(-)

diff --git a/content/zh-cn/docs/concepts/configuration/overview.md b/content/zh-cn/docs/concepts/configuration/overview.md
index e7e263e49ca6f..92f20d95dc7a6 100644
--- a/content/zh-cn/docs/concepts/configuration/overview.md
+++ b/content/zh-cn/docs/concepts/configuration/overview.md
@@ -211,7 +211,7 @@ to others, please don't hesitate to file an issue or submit a PR.
   rate.
 -->
 - 定义并使用[标签](/zh-cn/docs/concepts/overview/working-with-objects/labels/)来识别应用程序
-  或 Deployment 的 **语义属性**，例如 `{ app.kubernetes.io/name: MyApp, tier: frontend, phase: test, deployment: v3 }`。
+  或 Deployment 的**语义属性**，例如 `{ app.kubernetes.io/name: MyApp, tier: frontend, phase: test, deployment: v3 }`。
   你可以使用这些标签为其他资源选择合适的 Pod；
   例如，一个选择所有 `tier: frontend` Pod 的服务，或者 `app.kubernetes.io/name: MyApp` 的所有 `phase: test` 组件。
   有关此方法的示例，请参阅 [guestbook](https://github.com/kubernetes/examples/tree/master/guestbook/) 。
diff --git a/content/zh-cn/docs/contribute/generate-ref-docs/_index.md b/content/zh-cn/docs/contribute/generate-ref-docs/_index.md
index 87f08c5f6d75a..9a4d18bcbc5ca 100644
--- a/content/zh-cn/docs/contribute/generate-ref-docs/_index.md
+++ b/content/zh-cn/docs/contribute/generate-ref-docs/_index.md
@@ -1,11 +1,11 @@
 ---
-title: 参考文档概述
+title: 更新参考文档
 main_menu: true
 weight: 80
 ---
 
 <!--
-title: Reference docs overview
+title: Updating Reference Documentation
 main_menu: true
 weight: 80
 -->
diff --git a/content/zh-cn/docs/contribute/localization.md b/content/zh-cn/docs/contribute/localization.md
index 3a896113a9733..c29f6fc87a027 100644
--- a/content/zh-cn/docs/contribute/localization.md
+++ b/content/zh-cn/docs/contribute/localization.md
@@ -64,11 +64,9 @@ standard](https://www.loc.gov/standards/iso639-2/php/code_list.php) to find your
 localization's two-letter language code. For example, the two-letter code for
 Korean is `ko`.
 
-### Fork and clone the repo
-
-First, [create your own
-fork](/docs/contribute/new-content/open-a-pr/#fork-the-repo) of the
-[kubernetes/website](https://github.com/kubernetes/website) repository.
+Some languages use a lowercase version of the country code as defined by the
+ISO-3166 along with their language codes. For example, the Brazilian Portuguese
+language code is `pt-br`.
 -->
 ### 找到两个字母的语言代码 {#find-your-two-letter-language-code}
 
@@ -76,6 +74,17 @@ fork](/docs/contribute/new-content/open-a-pr/#fork-the-repo) of the
 [ISO 639-1 标准](https://www.loc.gov/standards/iso639-2/php/code_list.php)。
 例如，韩语的两个字母代码是 `ko`。
 
+一些语言使用 ISO-3166 定义的国家代码的小写版本及其语言代码。
+例如，巴西葡萄牙语代码是 `pt-br`。
+
+
+<!--
+### Fork and clone the repo
+
+First, [create your own
+fork](/docs/contribute/new-content/open-a-pr/#fork-the-repo) of the
+[kubernetes/website](https://github.com/kubernetes/website) repository.
+-->
 ### 派生（fork）并且克隆仓库 {#fork-and-clone-the-repo}
 
 首先，为 [kubernetes/website](https://github.com/kubernetes/website) 仓库
@@ -155,6 +164,20 @@ You'll need to know the two-letter language code for your language. Consult the
 to find your localization's two-letter language code. For example, the
 two-letter code for Korean is `ko`.
 
+If the language you are starting a localization for is spoken in various places
+with significant differences between the variants, it might make sense to
+combine the lowercased ISO-3166 country code with the language two-letter code.
+For example, Brazilian Portuguese is localized as `pt-br`.
+-->
+你需要知道你的语言的两个字母的语言代码。
+请查阅 [ISO 639-1 标准](https://www.loc.gov/standards/iso639-2/php/code_list.php)
+以查找你的本地化的两字母语言代码。例如，韩语的两字母代码是 `ko`。
+
+如果你开始本地化的语言在不同地方使用，并且变体之间存在显着差异，
+则将小写的 ISO-3166 国家/地区代码与语言双字母代码结合起来可能是有意义的。
+例如，巴西葡萄牙语被本地化为 `pt-br`。
+
+<!--
 When you start a new localization, you must localize all the
 [minimum required content](#minimum-required-content) before
 the Kubernetes project can publish your changes to the live
@@ -163,10 +186,6 @@ website.
 SIG Docs can help you work on a separate branch so that you
 can incrementally work towards that goal.
 -->
-你需要知道你的语言的两个字母的语言代码。
-请查阅 [ISO 639-1 标准](https://www.loc.gov/standards/iso639-2/php/code_list.php)
-以查找你的本地化的两字母语言代码。例如，韩语的两字母代码是`ko`。
-
 当你开始新的本地化时，你必须先本地化所有[最少要求的内容](#minimum-required-content)，
 Kubernetes 项目才能将你的更改发布到当前网站。
 
@@ -633,11 +652,11 @@ To find source files for your target version:
 1. Navigate to the Kubernetes website repository at https://github.com/kubernetes/website.
 2. Select a branch for your target version from the following table:
 
-   Target version | Branch
-   -----|-----
-   Latest version | [`main`](https://github.com/kubernetes/website/tree/main)
-   Previous version | [`release-{{< skew prevMinorVersion >}}`](https://github.com/kubernetes/website/tree/release-{{< skew prevMinorVersion >}})
-   Next version | [`dev-{{< skew nextMinorVersion >}}`](https://github.com/kubernetes/website/tree/dev-{{< skew nextMinorVersion >}})
+Target version | Branch
+-----|-----
+Latest version | [`main`](https://github.com/kubernetes/website/tree/main)
+Previous version | [`release-{{< skew prevMinorVersion >}}`](https://github.com/kubernetes/website/tree/release-{{< skew prevMinorVersion >}})
+Next version | [`dev-{{< skew nextMinorVersion >}}`](https://github.com/kubernetes/website/tree/dev-{{< skew nextMinorVersion >}})
 
 The `main` branch holds content for the current release `{{< latest-version >}}`. 
 The release team creates a `{{< release-branch >}}` branch before the next
@@ -653,11 +672,11 @@ release: v{{< skew nextMinorVersion >}}.
 1. 导航到 Kubernetes website 仓库，网址为 https://github.com/kubernetes/website。
 2. 从下面的表格中选择你的目标版本分支：
 
-   目标版本 | 分支
-   -----|-----
-   最新版本 | [`main`](https://github.com/kubernetes/website/tree/main)
-   上一个版本 | [`release-{{< skew prevMinorVersion >}}`](https://github.com/kubernetes/website/tree/release-{{< skew prevMinorVersion >}})
-   下一个版本 | [`dev-{{< skew nextMinorVersion >}}`](https://github.com/kubernetes/website/tree/dev-{{< skew nextMinorVersion >}})
+目标版本 | 分支
+-----|-----
+最新版本 | [`main`](https://github.com/kubernetes/website/tree/main)
+上一个版本 | [`release-{{< skew prevMinorVersion >}}`](https://github.com/kubernetes/website/tree/release-{{< skew prevMinorVersion >}})
+下一个版本 | [`dev-{{< skew nextMinorVersion >}}`](https://github.com/kubernetes/website/tree/dev-{{< skew nextMinorVersion >}})
 
 `main` 分支中保存的是当前发行版本 `{{< latest-version >}}` 的内容。
 发行团队会在下一个发行版本 v{{< skew nextMinorVersion >}} 出现之前创建
diff --git a/content/zh-cn/docs/contribute/style/hugo-shortcodes/index.md b/content/zh-cn/docs/contribute/style/hugo-shortcodes/index.md
index 20a1ba6b7262c..b54b7de0e028c 100644
--- a/content/zh-cn/docs/contribute/style/hugo-shortcodes/index.md
+++ b/content/zh-cn/docs/contribute/style/hugo-shortcodes/index.md
@@ -448,6 +448,63 @@ Renders to:
 {{< tab name="JSON File" include="podtemplate.json" />}}
 {{< /tabs >}}
 
+<!--
+### Source code files
+You can use the `{{</* codenew */>}}` shortcode to embed the contents of file
+in a code block to allow users to download or copy its content to their clipboard.
+This shortcode is used when the contents of the sample file is generic and reusable, 
+and you want the users to try it out themselves.
+-->
+你可以使用 `{{</* codenew */>}}` 短代码将文件内容嵌入代码块中，
+以允许用户下载或复制其内容到他们的剪贴板。
+当示例文件的内容是通用的、可复用的，并且希望用户自己尝试使用示例文件时，
+可以使用此短代码。
+
+<!--
+This shortcode takes in two named parameters: `language` and `file`. 
+The mandatory parameter `file` is used to specify the path to the file
+being displayed. The optional parameter `language` is used to specify
+the programming language of the file. If the `language` parameter is not provided,
+the shortcode will attempt to guess the language based on the file extension.
+
+For example:
+-->
+这个短代码有两个命名参数：`language` 和 `file`，
+必选参数 `file` 用于指定要显示的文件的路径，
+可选参数 `language` 用于指定文件的编程语言。
+如果未提供 `language` 参数，短代码将尝试根据文件扩展名推测编程语言。
+
+```none
+{{</* codenew language="yaml" file="application/deployment-scale.yaml" */>}}
+```
+
+<!--
+The output is:
+-->
+输出是：
+
+{{< codenew language="yaml" file="application/deployment-scale.yaml" >}}
+
+<!--
+When adding a new sample file, such as a YAML file, create the file in one
+of the `<LANG>/examples/` subdirectories where `<LANG>` is the language for
+the page. In the markdown of your page, use the `codenew` shortcode:
+-->
+添加新的示例文件（例如 YAML 文件）时，在 `<LANG>/examples/`
+子目录之一中创建该文件，其中 `<LANG>` 是页面的语言。
+在你的页面的 markdown 文本中，使用 `codenew` 短代码：
+
+```none
+{{</* codenew file="<RELATIVE-PATH>/example-yaml>" */>}}
+```
+
+其中 `<RELATIVE-PATH>` 是要包含的示例文件的路径，相对于 `examples` 目录。
+以下短代码引用位于 `/content/en/examples/configmap/configmaps.yaml` 的 YAML 文件。
+
+```none
+{{</* codenew file="configmap/configmaps.yaml" */>}}
+```
+
 <!--
 ## Third party content marker
 -->
diff --git a/content/zh-cn/docs/contribute/style/style-guide.md b/content/zh-cn/docs/contribute/style/style-guide.md
index fdebcba4e2e7c..29ebb4f1e96aa 100644
--- a/content/zh-cn/docs/contribute/style/style-guide.md
+++ b/content/zh-cn/docs/contribute/style/style-guide.md
@@ -974,12 +974,8 @@ Do | Don't
 Update the title in the front matter of the page or blog post. | Use first level heading, as Hugo automatically converts the title in the front matter of the page into a first-level heading.
 Use ordered headings to provide a meaningful high-level outline of your content. | Use headings level 4 through 6, unless it is absolutely necessary. If your content is that detailed, it may need to be broken into separate articles.
 Use pound or hash signs (`#`) for non-blog post content. | Use underlines (`---` or `===`) to designate first-level headings.
-Use sentence case for headings in the page body. For example,
-**Extend kubectl with plugins** | Use title case for headings in the page body. For example, **Extend Kubectl With Plugins**
-Use title case for the page title in the front matter. For example,
-`title: Kubernetes API Server Bypass Risks` | Use sentence case for page titles
-in the front matter. For example, don't use
-`title: Kubernetes API server bypass risks`
+Use sentence case for headings in the page body. For example, **Extend kubectl with plugins** | Use title case for headings in the page body. For example, **Extend Kubectl With Plugins**
+Use title case for the page title in the front matter. For example, `title: Kubernetes API Server Bypass Risks` | Use sentence case for page titles in the front matter. For example, don't use `title: Kubernetes API server bypass risks`
 {{< /table >}}
 -->
 {{< table caption = "标题约定" >}}
@@ -1342,9 +1338,11 @@ These steps ... | These simple steps ...
 <!--
 * Learn about [writing a new topic](/docs/contribute/style/write-new-topic/).
 * Learn about [using page templates](/docs/contribute/style/page-content-types/).
+* Learn about [custom hugo shortcodes](/docs/contribute/style/hugo-shortcodes/).
 * Learn about [creating a pull request](/docs/contribute/new-content/open-a-pr/).
 -->
 * 了解[编写新主题](/zh-cn/docs/contribute/style/write-new-topic/)。
 * 了解[页面内容类型](/zh-cn/docs/contribute/style/page-content-types/)。
+* 了解[定制 Hugo 短代码](/zh-cn/docs/contribute/style/hugo-shortcodes/)。
 * 了解[发起 PR](/zh-cn/docs/contribute/new-content/open-a-pr/)。
 

From 1970dd99833e4851417f2329e492b549693a75e5 Mon Sep 17 00:00:00 2001
From: howieyuen <howieyuen@outlook.com>
Date: Thu, 16 Mar 2023 18:53:18 +0800
Subject: [PATCH 162/215] [zh-cn] sync tutorials files

---
 content/zh-cn/docs/tutorials/_index.md                      | 2 ++
 content/zh-cn/docs/tutorials/hello-minikube.md              | 6 +++---
 .../zh-cn/docs/tutorials/stateful-application/zookeeper.md  | 2 +-
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/content/zh-cn/docs/tutorials/_index.md b/content/zh-cn/docs/tutorials/_index.md
index 0c77f56652122..fe1f7661732c6 100644
--- a/content/zh-cn/docs/tutorials/_index.md
+++ b/content/zh-cn/docs/tutorials/_index.md
@@ -90,10 +90,12 @@ Kubernetes 文档的这一部分包含教程。
 <!--
 ## Services
 
+* [Connecting Applications with Services](/docs/tutorials/services/connect-applications-service/)
 * [Using Source IP](/docs/tutorials/services/source-ip/)
 -->
 ## 服务  {#services}
 
+* [使用 Service 连接到应用](/zh-cn/docs/tutorials/services/connect-applications-service/)
 * [使用源 IP](/zh-cn/docs/tutorials/services/source-ip/)
 
 <!--
diff --git a/content/zh-cn/docs/tutorials/hello-minikube.md b/content/zh-cn/docs/tutorials/hello-minikube.md
index 1462ecd49ec5d..fa5c9d8cd9d6c 100644
--- a/content/zh-cn/docs/tutorials/hello-minikube.md
+++ b/content/zh-cn/docs/tutorials/hello-minikube.md
@@ -69,7 +69,7 @@ This tutorial provides a container image that uses NGINX to echo back all the re
 <!--
 ## Create a minikube cluster
 
-1. Click **Launch Terminal**
+1. Click **Launch Terminal**.
 -->
 ## 创建 Minikube 集群  {#create-a-minikube-cluster}
 
@@ -166,9 +166,9 @@ Kubernetes [**Deployment**](/zh-cn/docs/concepts/workloads/controllers/deploymen
 Deployment 是管理 Pod 创建和扩展的推荐方法。
 
 <!--
-1. Katacoda environment only: At the top of the terminal pane, click the plus sign, and then click open a new terminal.
+1. Katacoda environment only: At the top of the terminal pane, click the plus sign, and then **Open New Terminal**.
 -->
-1. 仅 Katacoda 环境：在终端窗格的顶部，点击加号，然后点击 **Open a new terminal**。
+1. 仅 Katacoda 环境：在终端窗格的顶部，点击加号，然后点击 **Open New Terminal**。
 
 <!--
 1. Use the `kubectl create` command to create a Deployment that manages a Pod. The
diff --git a/content/zh-cn/docs/tutorials/stateful-application/zookeeper.md b/content/zh-cn/docs/tutorials/stateful-application/zookeeper.md
index 0aa40f42144e9..940c58953e193 100644
--- a/content/zh-cn/docs/tutorials/stateful-application/zookeeper.md
+++ b/content/zh-cn/docs/tutorials/stateful-application/zookeeper.md
@@ -1537,7 +1537,7 @@ pod/zk-2
 ```
 
 <!--
-Use `CTRL-C` to terminate to kubectl.
+Use `CTRL-C` to terminate kubectl.
 
 You cannot drain the third node because evicting `zk-2` would violate `zk-budget`. However, the node will remain cordoned.
 

From ce61ab5d0eddf73ad5e98e51dfa1a7f700f4451b Mon Sep 17 00:00:00 2001
From: howieyuen <howieyuen@outlook.com>
Date: Thu, 16 Mar 2023 20:39:09 +0800
Subject: [PATCH 163/215] [zh-cn] sync concepts files of task-5

---
 content/zh-cn/docs/concepts/architecture/cgroups.md          | 4 ++++
 content/zh-cn/docs/concepts/cluster-administration/addons.md | 4 ++--
 content/zh-cn/docs/concepts/windows/intro.md                 | 4 ++--
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/content/zh-cn/docs/concepts/architecture/cgroups.md b/content/zh-cn/docs/concepts/architecture/cgroups.md
index 54e85e7e88aff..ed6e900d6ff9a 100644
--- a/content/zh-cn/docs/concepts/architecture/cgroups.md
+++ b/content/zh-cn/docs/concepts/architecture/cgroups.md
@@ -194,12 +194,16 @@ cgroup v2 使用一个与 cgroup v1 不同的 API，因此如果有任何应用
 * If you run [cAdvisor](https://github.com/google/cadvisor) as a stand-alone
  DaemonSet for monitoring pods and containers, update it to v0.43.0 or later.
 * If you use JDK, prefer to use JDK 11.0.16 and later or JDK 15 and later, which [fully support cgroup v2](https://bugs.openjdk.org/browse/JDK-8230305).
+* If you are using the [uber-go/automaxprocs](https://github.com/uber-go/automaxprocs) package, make sure
+  the version you use is v1.5.1 or higher.
 -->
 * 一些第三方监控和安全代理可能依赖于 cgroup 文件系统。你要将这些代理更新到支持 cgroup v2 的版本。
 * 如果以独立的 DaemonSet 的形式运行 [cAdvisor](https://github.com/google/cadvisor) 以监控 Pod 和容器，
   需将其更新到 v0.43.0 或更高版本。
 * 如果你使用 JDK，推荐使用 JDK 11.0.16 及更高版本或 JDK 15 及更高版本，
   以便[完全支持 cgroup v2](https://bugs.openjdk.org/browse/JDK-8230305)。
+* 如果你正在使用 [uber-go/automaxprocs](https://github.com/uber-go/automaxprocs) 包，
+  确保你使用的版本是 v1.5.1 或者更高。
 
 <!--
 ## Identify the cgroup version on Linux Nodes  {#check-cgroup-version}
diff --git a/content/zh-cn/docs/concepts/cluster-administration/addons.md b/content/zh-cn/docs/concepts/cluster-administration/addons.md
index 2312f487614ce..a892078f712ea 100644
--- a/content/zh-cn/docs/concepts/cluster-administration/addons.md
+++ b/content/zh-cn/docs/concepts/cluster-administration/addons.md
@@ -24,7 +24,7 @@ Add-ons 扩展了 Kubernetes 的功能。
 
 * [ACI](https://www.github.com/noironetworks/aci-containers) provides integrated container networking and network security with Cisco ACI.
 * [Antrea](https://antrea.io/) operates at Layer 3/4 to provide networking and security services for Kubernetes, leveraging Open vSwitch as the networking data plane. Antrea is a [CNCF project at the Sandbox level](https://www.cncf.io/projects/antrea/).
-* [Calico](https://docs.projectcalico.org/latest/introduction/) is a networking and network policy provider. Calico supports a flexible set of networking options so you can choose the most efficient option for your situation, including non-overlay and overlay networks, with or without BGP. Calico uses the same engine to enforce network policy for hosts, pods, and (if using Istio & Envoy) applications at the service mesh layer.
+* [Calico](https://www.tigera.io/project-calico/) is a networking and network policy provider. Calico supports a flexible set of networking options so you can choose the most efficient option for your situation, including non-overlay and overlay networks, with or without BGP. Calico uses the same engine to enforce network policy for hosts, pods, and (if using Istio & Envoy) applications at the service mesh layer.
 * [Canal](https://projectcalico.docs.tigera.io/getting-started/kubernetes/flannel/flannel) unites Flannel and Calico, providing networking and network policy.
 * [Cilium](https://github.com/cilium/cilium) is a networking, observability, and security solution with an eBPF-based data plane. Cilium provides a simple flat Layer 3 network with the ability to span multiple clusters in either a native routing or overlay/encapsulation mode, and can enforce network policies on L3-L7 using an identity-based security model that is decoupled from network addressing. Cilium can act as a replacement for kube-proxy; it also offers additional, opt-in observability and security features. Cilium is a [CNCF project at the Incubation level](https://www.cncf.io/projects/cilium/).
 -->
@@ -34,7 +34,7 @@ Add-ons 扩展了 Kubernetes 的功能。
 * [Antrea](https://antrea.io/) 在第 3/4 层执行操作，为 Kubernetes
   提供网络连接和安全服务。Antrea 利用 Open vSwitch 作为网络的数据面。
   Antrea 是一个[沙箱级的 CNCF 项目](https://www.cncf.io/projects/antrea/)。
-* [Calico](https://docs.projectcalico.org/latest/introduction/) 是一个联网和网络策略供应商。
+* [Calico](https://www.tigera.io/project-calico/) 是一个联网和网络策略供应商。
   Calico 支持一套灵活的网络选项，因此你可以根据自己的情况选择最有效的选项，包括非覆盖和覆盖网络，带或不带 BGP。
   Calico 使用相同的引擎为主机、Pod 和（如果使用 Istio 和 Envoy）应用程序在服务网格层执行网络策略。
 * [Canal](https://projectcalico.docs.tigera.io/getting-started/kubernetes/flannel/flannel) 结合 Flannel 和 Calico，提供联网和网络策略。
diff --git a/content/zh-cn/docs/concepts/windows/intro.md b/content/zh-cn/docs/concepts/windows/intro.md
index c9dde2cafa218..189c66c6b6d8b 100644
--- a/content/zh-cn/docs/concepts/windows/intro.md
+++ b/content/zh-cn/docs/concepts/windows/intro.md
@@ -435,11 +435,11 @@ work between Windows and Linux:
 The following list documents differences between how Pod specifications work between Windows and Linux:
 
 * `hostIPC` and `hostpid` - host namespace sharing is not possible on Windows
-* `hostNetwork` - [see below](/docs/concepts/windows/intro#compatibility-v1-pod-spec-containers-hostnetwork)
+* `hostNetwork` - [see below](#compatibility-v1-pod-spec-containers-hostnetwork)
 * `dnsPolicy` - setting the Pod `dnsPolicy` to `ClusterFirstWithHostNet` is
    not supported on Windows because host networking is not provided. Pods always
    run with a container network.
-* `podSecurityContext` [see below](/docs/concepts/windows/intro#compatibility-v1-pod-spec-containers-securitycontext)
+* `podSecurityContext` [see below](#compatibility-v1-pod-spec-containers-securitycontext)
 * `shareProcessNamespace` - this is a beta feature, and depends on Linux namespaces
   which are not implemented on Windows. Windows cannot share process namespaces or
   the container's root filesystem. Only the network can be shared.

From f13f8e3a299a0192669e1dfbcc7e485656d2056e Mon Sep 17 00:00:00 2001
From: howieyuen <howieyuen@outlook.com>
Date: Thu, 16 Mar 2023 20:46:30 +0800
Subject: [PATCH 164/215] [zh-cn] sync concepts files of workloads

---
 content/zh-cn/docs/concepts/workloads/_index.md           | 4 ++--
 .../docs/concepts/workloads/controllers/cron-jobs.md      | 2 +-
 content/zh-cn/docs/concepts/workloads/controllers/job.md  | 2 +-
 content/zh-cn/docs/concepts/workloads/pods/_index.md      | 8 ++++----
 .../zh-cn/docs/concepts/workloads/pods/user-namespaces.md | 6 +++---
 5 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/content/zh-cn/docs/concepts/workloads/_index.md b/content/zh-cn/docs/concepts/workloads/_index.md
index fa4368d7be6e4..4b60e9737ad74 100644
--- a/content/zh-cn/docs/concepts/workloads/_index.md
+++ b/content/zh-cn/docs/concepts/workloads/_index.md
@@ -1,12 +1,12 @@
 ---
 title: "工作负载"
-weight: 50
+weight: 55
 description: 理解 Pods，Kubernetes 中可部署的最小计算对象，以及辅助它运行它们的高层抽象对象。
 ---
 
 <!--
 title: "Workloads"
-weight: 50
+weight: 55
 description: >
   Understand Pods, the smallest deployable compute object in Kubernetes, and the higher-level abstractions that help you to run them.
 no_list: true
diff --git a/content/zh-cn/docs/concepts/workloads/controllers/cron-jobs.md b/content/zh-cn/docs/concepts/workloads/controllers/cron-jobs.md
index c6a2aaf114c68..b15ebb56b50b9 100644
--- a/content/zh-cn/docs/concepts/workloads/controllers/cron-jobs.md
+++ b/content/zh-cn/docs/concepts/workloads/controllers/cron-jobs.md
@@ -398,7 +398,7 @@ That is, the CronJob does _not_ update existing Jobs, even if those remain runni
 A CronJob creates a Job object approximately once per execution time of its schedule.
 The scheduling is approximate because there
 are certain circumstances where two Jobs might be created, or no Job might be created.
-Kubernetes tries to avoid those situations, but do not completely prevent them. Therefore,
+Kubernetes tries to avoid those situations, but does not completely prevent them. Therefore,
 the Jobs that you define should be _idempotent_.
 -->
 ### Job 创建  {#job-creation}
diff --git a/content/zh-cn/docs/concepts/workloads/controllers/job.md b/content/zh-cn/docs/concepts/workloads/controllers/job.md
index e2e46f9d9b969..5cc2c44388ba3 100644
--- a/content/zh-cn/docs/concepts/workloads/controllers/job.md
+++ b/content/zh-cn/docs/concepts/workloads/controllers/job.md
@@ -1353,7 +1353,7 @@ These are some requirements and semantics of the API:
   are evaluated in order. Once a rule matches a Pod failure, the remaining rules
   are ignored. When no rule matches the Pod failure, the default
   handling applies.
-- you may want to restrict a rule to a specific container by specifing its name
+- you may want to restrict a rule to a specific container by specifying its name
   in`spec.podFailurePolicy.rules[*].containerName`. When not specified the rule
   applies to all containers. When specified, it should match one the container
   or `initContainer` names in the Pod template.
diff --git a/content/zh-cn/docs/concepts/workloads/pods/_index.md b/content/zh-cn/docs/concepts/workloads/pods/_index.md
index 139aa8eb9ea75..6ba47aa228a45 100644
--- a/content/zh-cn/docs/concepts/workloads/pods/_index.md
+++ b/content/zh-cn/docs/concepts/workloads/pods/_index.md
@@ -555,14 +555,14 @@ Pod 中的所有容器都可以在特权模式下运行，以使用原本无法
 此模式同时适用于 Windows 和 Linux。
 
 <!--
-### Linux priviledged containers
+### Linux privileged containers
 
 In Linux, any container in a Pod can enable privileged mode using the `privileged` (Linux) flag
 on the [security context](/docs/tasks/configure-pod-container/security-context/) of the
 container spec. This is useful for containers that want to use operating system administrative
 capabilities such as manipulating the network stack or accessing hardware devices.
 -->
-### Linux 特权容器   {#linux-priviledged-containers}
+### Linux 特权容器   {#linux-privileged-containers}
 
 在 Linux 中，Pod 中的所有容器都可以使用容器规约中的
 [安全性上下文](/zh-cn/docs/tasks/configure-pod-container/security-context/)中的
@@ -570,9 +570,9 @@ capabilities such as manipulating the network stack or accessing hardware device
 这对于想要使用操作系统管理权能（Capabilities，如操纵网络堆栈和访问硬件设备）的容器很有用。
 
 <!--
-### Windows priviledged containers
+### Windows privileged containers
 -->
-### Windows 特权容器   {#windows-priviledged-containers}
+### Windows 特权容器   {#windows-privileged-containers}
 
 {{< feature-state for_k8s_version="v1.26" state="stable" >}}
 
diff --git a/content/zh-cn/docs/concepts/workloads/pods/user-namespaces.md b/content/zh-cn/docs/concepts/workloads/pods/user-namespaces.md
index 3cda1c0bf9ab6..a376529b5871d 100644
--- a/content/zh-cn/docs/concepts/workloads/pods/user-namespaces.md
+++ b/content/zh-cn/docs/concepts/workloads/pods/user-namespaces.md
@@ -16,7 +16,7 @@ min-kubernetes-server-version: v1.25
 {{< feature-state for_k8s_version="v1.25" state="alpha" >}}
 <!--
 This page explains how user namespaces are used in Kubernetes pods. A user
-namespace allows to isolate the user running inside the container from the one
+namespace isolates the user running inside the container from the one
 in the host.
 
 A process running as root in a container can run as a different (non-root) user
@@ -24,8 +24,8 @@ in the host; in other words, the process has full privileges for operations
 inside the user namespace, but is unprivileged for operations outside the
 namespace.
 -->
-本页解释了在 Kubernetes pods 中如何使用用户命名空间。
-用户命名空间允许将容器内运行的用户与主机内的用户隔离开来。
+本页解释了在 Kubernetes Pod 中如何使用用户命名空间。
+用户命名空间将容器内运行的用户与主机中的用户隔离开来。
 
 在容器中以 root 身份运行的进程可以在主机中以不同的（非 root）用户身份运行；
 换句话说，该进程在用户命名空间内的操作具有完全的权限，

From 115f9e78c5293eb3820918f5f87afa692b0a6078 Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Thu, 9 Mar 2023 14:50:45 +0800
Subject: [PATCH 165/215] squash commit

---
 .../docs/concepts/services-networking/endpoint-slices.md    | 6 +++---
 .../concepts/services-networking/topology-aware-hints.md    | 4 ++--
 content/zh-cn/docs/concepts/storage/persistent-volumes.md   | 6 +++---
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/content/zh-cn/docs/concepts/services-networking/endpoint-slices.md b/content/zh-cn/docs/concepts/services-networking/endpoint-slices.md
index ec47a4954ed4e..fa3610cafcea4 100644
--- a/content/zh-cn/docs/concepts/services-networking/endpoint-slices.md
+++ b/content/zh-cn/docs/concepts/services-networking/endpoint-slices.md
@@ -176,7 +176,7 @@ the pod is also terminating.
 
 {{< note >}}
 <!--
-Although `serving` is almost identical to `ready`, it was added to prevent break the existing meaning
+Although `serving` is almost identical to `ready`, it was added to prevent breaking the existing meaning
 of `ready`. It may be unexpected for existing clients if `ready` could be `true` for terminating
 endpoints, since historically terminating endpoints were never included in the Endpoints or
 EndpointSlice API to begin with. For this reason, `ready` is _always_ `false` for terminating
@@ -433,13 +433,13 @@ at different times.
 <!--
 Clients of the EndpointSlice API must iterate through all the existing EndpointSlices
 associated to a Service and build a complete list of unique network endpoints. It is
-important to mention that endpoints may be duplicated in different EndointSlices.
+important to mention that endpoints may be duplicated in different EndpointSlices.
 
 You can find a reference implementation for how to perform this endpoint aggregation
 and deduplication as part of the `EndpointSliceCache` code within `kube-proxy`.
 -->
 EndpointSlice API 的客户端必须遍历与 Service 关联的所有现有 EndpointSlices，
-并构建唯一网络端点的完整列表。值得一提的是端点可能在不同的 EndointSlices 中重复。
+并构建唯一网络端点的完整列表。值得一提的是端点可能在不同的 EndpointSlices 中重复。
 
 你可以在 `kube-proxy` 中的 `EndpointSliceCache` 代码中找到有关如何执行此端点聚合和重复数据删除的参考实现。
 {{< /note >}}
diff --git a/content/zh-cn/docs/concepts/services-networking/topology-aware-hints.md b/content/zh-cn/docs/concepts/services-networking/topology-aware-hints.md
index eeae6dbbac318..879886969aafb 100644
--- a/content/zh-cn/docs/concepts/services-networking/topology-aware-hints.md
+++ b/content/zh-cn/docs/concepts/services-networking/topology-aware-hints.md
@@ -218,11 +218,11 @@ Kubernetes 控制平面和每个节点上的 kube-proxy，在使用拓扑感知
 <!-- 
 5. **A zone is not represented in hints:** If the kube-proxy is unable to find
    at least one endpoint with a hint targeting the zone it is running in, it falls
-   to using endpoints from all zones. This is most likely to happen as you add
+   back to using endpoints from all zones. This is most likely to happen as you add
    a new zone into your existing cluster.
 -->
 5. **不在提示中的区域：** 如果 kube-proxy 不能根据一个指示在它所在的区域中发现一个端点，
-   它回撤为使用所有节点的端点。当你的集群新增一个新的区域时，这种情况发生概率很高。
+   它将回退到使用来自所有区域的端点。当你的集群新增一个新的区域时，这种情况发生概率很高。
 
 <!-- 
 ## Constraints
diff --git a/content/zh-cn/docs/concepts/storage/persistent-volumes.md b/content/zh-cn/docs/concepts/storage/persistent-volumes.md
index 4522f0e6fcdd9..c5ad768185ec9 100644
--- a/content/zh-cn/docs/concepts/storage/persistent-volumes.md
+++ b/content/zh-cn/docs/concepts/storage/persistent-volumes.md
@@ -150,7 +150,7 @@ needs to enable the `DefaultStorageClass`
 on the API server. This can be done, for example, by ensuring that `DefaultStorageClass` is
 among the comma-delimited, ordered list of values for the `--enable-admission-plugins` flag of
 the API server component. For more information on API server command-line flags,
-check [kube-apiserver](/docs/admin/kube-apiserver/) documentation.
+check [kube-apiserver](/docs/reference/command-line-tools-reference/kube-apiserver/) documentation.
 -->
 为了基于存储类完成动态的存储制备，集群管理员需要在 API 服务器上启用 `DefaultStorageClass`
 [准入控制器](/zh-cn/docs/reference/access-authn-authz/admission-controllers/#defaultstorageclass)。
@@ -1897,7 +1897,7 @@ and `CrossNamespaceVolumeDataSource`
 the kube-apiserver, kube-controller-manager.
 Also, you must enable the `CrossNamespaceVolumeDataSource` feature gate for the csi-provisioner.
 
-Enabling the `CrossNamespaceVolumeDataSource` feature gate allow you to specify
+Enabling the `CrossNamespaceVolumeDataSource` feature gate allows you to specify
 a namespace in the dataSourceRef field.
 -->
 Kubernetes 支持跨名字空间卷数据源。
@@ -1927,7 +1927,7 @@ ReferenceGrant 是 `gateway.networking.k8s.io` 扩展 API 的一部分。更多
 <!--
 ## Data source references
 
-The `dataSourceRef` field behaves almost the same as the `dataSource` field. If either one is
+The `dataSourceRef` field behaves almost the same as the `dataSource` field. If one is
 specified while the other is not, the API server will give both fields the same value. Neither
 field can be changed after creation, and attempting to specify different values for the two
 fields will result in a validation error. Therefore the two fields will always have the same

From 6e4d32834f53fb87e51a0ffa5f87e6b1f86e1e00 Mon Sep 17 00:00:00 2001
From: donghui <977675308@qq.com>
Date: Thu, 16 Mar 2023 23:44:32 +0800
Subject: [PATCH 166/215] =?UTF-8?q?[zh]=20=E8=BF=9E=E7=BB=AD-->=E6=8C=81?=
 =?UTF-8?q?=E7=BB=AD?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 content/zh-cn/docs/concepts/overview/_index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/zh-cn/docs/concepts/overview/_index.md b/content/zh-cn/docs/concepts/overview/_index.md
index 68e8e6246cb9d..ac3cfd23ec68a 100644
--- a/content/zh-cn/docs/concepts/overview/_index.md
+++ b/content/zh-cn/docs/concepts/overview/_index.md
@@ -339,7 +339,7 @@ Kubernetes：
 * 不提供也不采用任何全面的机器配置、维护、管理或自我修复系统。
 * 此外，Kubernetes 不仅仅是一个编排系统，实际上它消除了编排的需要。
   编排的技术定义是执行已定义的工作流程：首先执行 A，然后执行 B，再执行 C。
-  而 Kubernetes 包含了一组独立可组合的控制过程，可以连续地将当前状态驱动到所提供的预期状态。
+  而 Kubernetes 包含了一组独立可组合的控制过程，可以持续地将当前状态驱动到所提供的预期状态。
   你不需要在乎如何从 A 移动到 C，也不需要集中控制，这使得系统更易于使用且功能更强大、
   系统更健壮，更为弹性和可扩展。
 

From 41ce47ff35b18eda8f7f8d1c8d54dc282b18dfb6 Mon Sep 17 00:00:00 2001
From: harshitasao <harshitasao@gmail.com>
Date: Fri, 17 Mar 2023 00:38:35 +0530
Subject: [PATCH 167/215] added deprecations and removals blog for 1.27

---
 ...bernetes-1.27-deprecations-and-removals.md | 138 ++++++++++++++++++
 1 file changed, 138 insertions(+)
 create mode 100644 content/en/blog/_posts/2023-03-16-kubernetes-1.27-deprecations-and-removals.md

diff --git a/content/en/blog/_posts/2023-03-16-kubernetes-1.27-deprecations-and-removals.md b/content/en/blog/_posts/2023-03-16-kubernetes-1.27-deprecations-and-removals.md
new file mode 100644
index 0000000000000..3acb505befcee
--- /dev/null
+++ b/content/en/blog/_posts/2023-03-16-kubernetes-1.27-deprecations-and-removals.md
@@ -0,0 +1,138 @@
+---
+layout: blog
+title: "Kubernetes Removals and Major Changes In v1.27"
+date: 2023-03-16
+slug: upcoming-changes-in-kubernetes-v1-27
+---
+
+**Author**: Harshita Sao (Independent)
+
+As Kubernetes develops and matures, features may be deprecated, removed, or replaced with better ones for the project's overall health. Based on the information available at this mid-cycle point in the v1.27 release process, which is still ongoing and can introduce additional changes, this article identifies and describes some of the planned changes for the Kubernetes v1.27 release.
+
+## A note about k8s.gcr.io Redirect to registry.k8s.io
+
+To host its container images, the Kubernetes project uses a community-owned image registry called registry.k8s.io. **On March 20th, all traffic from the out-of-date [k8s.gcr.io](https://cloud.google.com/container-registry/) registry will be redirected to [registry.k8s.io](https://github.com/kubernetes/registry.k8s.io). On the 3rd of April 2023, the old registry k8s.gcr.io will be frozen, and no further images for Kubernetes and related subprojects will be pushed to the old registry**. The deprecated k8s.gcr.io registry will eventually be phased out.
+
+### What does this change mean?
+
+- If you are a subproject maintainer, you must update your manifests and Helm charts to use the new registry.
+
+- The v1.27 Kubernetes release will not be published to the old registry.
+
+- From April, patch releases for v1.24, v1.25, and v1.26 will no longer be published to the old registry.
+
+We have a [blog post](https://kubernetes.io/blog/2023/03/10/image-registry-redirect/) with all the information about this change and what to do if it impacts you.
+
+## The Kubernetes API Removal and Deprecation process
+
+The Kubernetes project has a well-documented [deprecation policy](https://kubernetes.io/docs/reference/using-api/deprecation-policy/) for features. This policy states that stable APIs may only be deprecated when a newer, stable version of that same API is available and that APIs have a minimum lifetime for each stability level. A deprecated API has been marked for removal in a future Kubernetes release, it will continue to function until removal (at least one year from the deprecation), but usage will result in a warning being displayed. Removed APIs are no longer available in the current version, at which point you must migrate to using the replacement.
+
+- Generally available (GA) or stable API versions may be marked as deprecated but must not be removed within a major version of Kubernetes.
+
+- Beta or pre-release API versions must be supported for 3 releases after the deprecation. 
+
+- Alpha or experimental API versions may be removed in any release without prior deprecation notice. 
+
+Whether an API is removed as a result of a feature graduating from beta to stable or because that API simply did not succeed, all removals comply with this deprecation policy. Whenever an API is removed, migration options are communicated in the documentation.
+
+## API removals, and other changes for Kubernetes v1.27
+
+In addition to the above, Kubernetes v1.27 is targeted to include several additional removals.
+
+### Removal of storage.k8s.io/v1beta1 from [CSIStorageCapacity](https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/csi-storage-capacity-v1/)
+
+The CSIStorageCapacity API supports exposing currently available storage capacity via CSIStorageCapacity objects and enhances the scheduling of pods that use CSI volumes with late binding. The `storage.k8s.io/v1beta1` API version of CSIStorageCapacity was deprecated in v1.24, and it will no longer be served in v1.27. 
+
+Migrate manifests and API clients to use the `storage.k8s.io/v1` API version, available since v1.24. All existing persisted objects are accessible via the new API.
+
+Refer to the [Storage Capacity Constraints for Pod Scheduling KEP](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1472-storage-capacity-tracking) for more information.
+
+### Removal of seccomp annotations
+
+In Kubernetes v1.19, the [seccomp](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/135-seccomp) (secure computing mode) support graduated to General Availability (GA). This feature can be used to increase the workload security by restricting the system calls for a Pod (applies to all containers) or single containers.
+
+The support for the alpha seccomp annotations `seccomp.security.alpha.kubernetes.io/pod` and `container.seccomp.security.alpha.kubernetes.io` were deprecated since v1.19, now have been completely removed. The seccomp fields are no longer auto-populated when pods with seccomp annotations are created. Pods should use the corresponding pod or container `securityContext.seccompProfile` field instead.
+
+### Removal of feature gates for [volume expansion](https://github.com/kubernetes/enhancements/issues/284)
+
+The following feature gates for volume expansion GA features will be removed and must no longer be referenced in `--feature-gates` flags:
+
+- `ExpandCSIVolumes`: Enable expanding of CSI volumes.
+
+- `ExpandInUsePersistentVolumes`: Enable expanding in-use PVCs.
+
+- `ExpandPersistentVolumes`: Enable expanding of persistent volumes.
+
+### Removal of [masterServiceNamespace](https://github.com/kubernetes/kubernetes/pull/114446) flag
+
+The namespace from which Kubernetes master services should be injected into pods is `masterServiceNamespace`. This release removes this flag, which has been deprecated since v1.6.
+
+### Removal of [ControllerManagerLeaderMigration](https://github.com/kubernetes/kubernetes/pull/113534) feature gate
+
+[Leader Migration](https://github.com/kubernetes/enhancements/issues/2436) provides a mechanism in which HA clusters can safely migrate "cloud-specific" controllers between the `kube-controller-manager` and the `cloud-controller-manager` via a shared resource lock between the two components while upgrading the replicated control plane. 
+
+The `ControllerManagerLeaderMigration` feature, GA since v1.24, is unconditionally enabled hence the feature gate option will be removed.
+
+### Removal of [enable-taint-manager](https://github.com/kubernetes/kubernetes/pull/111411)  and [pod-eviction-timeout](https://github.com/kubernetes/kubernetes/pull/113710) CLI flag
+
+The command line flag `enable-taint-manager` for kube-controller-manager is deprecated and will be removed in v1.27. The feature that it supports, taint based eviction, is enabled by default and will continue to be implicitly enabled when the flag is removed. The CLI flag `pod-eviction-timeout` is deprecated and will also be removed together with enable-taint-manager.
+
+### Removal of [CSI Migration](https://github.com/kubernetes/kubernetes/pull/110410) feature gate 
+
+Moving the in-tree volume plugins to out-of-tree CSI drivers. As [CSIMigration](https://github.com/kubernetes/enhancements/issues/625) is GA now. The feature gate will be removed in v1.27.
+
+### Removal of CSIInlineVolume feature gate
+
+The [CSI Ephemeral Volume](https://github.com/kubernetes/kubernetes/pull/111258) feature allows CSI volumes to be specified directly in the pod specification for ephemeral use cases. They can be used to inject arbitrary states, such as configuration, secrets, identity, variables or similar information, directly inside pods using a mounted volume. This feature has graduated to GA in v1.25. Hence the feature gate `CSIInlineVolume` will be removed in this release.
+
+### Removal of EphemeralContainers feature gate
+
+[Emphemeral containers](https://github.com/kubernetes/kubernetes/pull/111402) graduated to GA in v1.25. These are containers with a temporary duration that executes within namespaces of an existing pod. Ephemeral Containers are initiated by a user and intended to observe the state of other pods and containers for troubleshooting and debugging purposes. Hence the `EphemeralContainers` feature gate is always enabled and will be removed from the `--feature-gates` flag on the kube-apiserver and the kubelet command lines.
+
+### Removal of LocalStorageCapacityIsolation  feature gate
+
+The [Local Ephemeral Storage Capacity Isolation](https://github.com/kubernetes/kubernetes/pull/111513) feature moved to GA in v1.25. It provides support for capacity isolation of local ephemeral storage between pods, such as EmptyDir, so that a pod can be hard limited in its consumption of shared resources by evicting Pods if its consumption of local ephemeral storage exceeds that limit. Hence the feature gate `LocalStorageCapacityIsolation` will be removed in this release.
+
+### Removal of [NetworkPolicyEndPort](https://github.com/kubernetes/kubernetes/pull/110868) feature gate
+
+`endPort` in Network Policy promoted to GA in v1.25. Network Policy providers that support `endPort` field that can be used to specify a range of ports to apply a Network Policy. Previously, each Network Policy could only target a single port. So the feature gate `NetworkPolicyEndPort` will be removed in this release.
+
+Please be aware that `endPort` field must be supported by the Network Policy provider. If your provider does not support endPort, and this field is specified in a Network Policy, the Network Policy will be created covering only the port field (single port)
+
+### Removal of StatefulSetMinReadySeconds feature gate
+
+StatefulSet Controller honoring [minReadySeconds](https://github.com/kubernetes/kubernetes/pull/110896) and mark Pod ready only if Pod is available for the given time mentioned in minReadySeconds. With Promotion of StatefulSet minReadySeconds to GA in v1.25, means `--feature-gates=StatefulSetMinReadySeconds=true` are not needed on kube-apiserver and kube-controller-manager binaries so they'll be removed in this release.
+
+### Removal of [IdentifyPodOS](https://github.com/kubernetes/kubernetes/pull/111229) feature gate
+
+Addition of a new field to the pod spec called os to identify the OS of the containers specified in the pod. From v1.25, the IdentifyPodOS feature is in GA stage and defaults to be enabled hence the `IdentifyPodOS` feature gate will no longer be accepted as a `--feature-gates` parameter in v1.27.
+
+### Removal of [DaemonSetUpdateSurge](https://github.com/kubernetes/kubernetes/pull/111194) feature gate
+
+Surge support in order to minimize DaemonSet downtime on nodes. This will allow daemonset workloads to implement zero-downtime upgrades. As DaemonSet MaxSurge was graduated to GA in v1.25. This means `--feature-gates=DaemonSetUpdateSurge=true` are not needed on kube-apiserver and kube-controller-manager binaries so they'll be removed in v1.27.
+
+## Looking ahead
+
+The official list of [API removals](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-29) planned for Kubernetes v1.29 includes:
+
+- The `flowcontrol.apiserver.k8s.io/v1beta2` API version of FlowSchema and PriorityLevelConfiguration will no longer be served in v1.29.
+
+## Want to know more?
+
+Deprecations are announced in the Kubernetes release notes. You can see the announcements of pending deprecations in the release notes for:
+
+- [Kubernetes v1.21](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.21.md#deprecation)
+
+- [Kubernetes v1.22](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.22.md#deprecation)
+
+- [Kubernetes v1.23](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#deprecation)
+
+- [Kubernetes v1.24](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#deprecation)
+
+- [Kubernetes v1.25](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#deprecation)
+
+- [Kubernetes v1.26](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#deprecation)
+
+We will formally announce the deprecations that come with [Kubernetes v1.27](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#deprecation) as part of the CHANGELOG for that release.
+
+For information on the process of deprecation and removal, check out the official Kubernetes [deprecation policy](https://kubernetes.io/docs/reference/using-api/deprecation-policy/#deprecating-parts-of-the-api) document.
\ No newline at end of file

From 96db6ffd67cfccf4c969b1a976904144c038a2d8 Mon Sep 17 00:00:00 2001
From: harshitasao <harshitasao@gmail.com>
Date: Fri, 17 Mar 2023 00:56:15 +0530
Subject: [PATCH 168/215] added mid-cycle-blog 1.27

---
 .../2023-03-16-kubernetes-1.27-deprecations-and-removals.md     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/blog/_posts/2023-03-16-kubernetes-1.27-deprecations-and-removals.md b/content/en/blog/_posts/2023-03-16-kubernetes-1.27-deprecations-and-removals.md
index 3acb505befcee..89571ddd322f9 100644
--- a/content/en/blog/_posts/2023-03-16-kubernetes-1.27-deprecations-and-removals.md
+++ b/content/en/blog/_posts/2023-03-16-kubernetes-1.27-deprecations-and-removals.md
@@ -11,7 +11,7 @@ As Kubernetes develops and matures, features may be deprecated, removed, or repl
 
 ## A note about k8s.gcr.io Redirect to registry.k8s.io
 
-To host its container images, the Kubernetes project uses a community-owned image registry called registry.k8s.io. **On March 20th, all traffic from the out-of-date [k8s.gcr.io](https://cloud.google.com/container-registry/) registry will be redirected to [registry.k8s.io](https://github.com/kubernetes/registry.k8s.io). On the 3rd of April 2023, the old registry k8s.gcr.io will be frozen, and no further images for Kubernetes and related subprojects will be pushed to the old registry**. The deprecated k8s.gcr.io registry will eventually be phased out.
+To host its container images, the Kubernetes project uses a community-owned image registry called registry.k8s.io. **On March 20th, all traffic from the out-of-date [k8s.gcr.io](https://cloud.google.com/container-registry/) registry will be redirected to [registry.k8s.io](https://github.com/kubernetes/registry.k8s.io). The deprecated k8s.gcr.io registry will eventually be phased out.
 
 ### What does this change mean?
 

From 5db47862eb92944be1b4a607a4a07d71c0d56cb1 Mon Sep 17 00:00:00 2001
From: Guangwen Feng <fenggw-fnst@fujitsu.com>
Date: Fri, 17 Mar 2023 13:46:27 +0800
Subject: [PATCH 169/215] Fix a minor typo in scheduling-gpus.md

Signed-off-by: Guangwen Feng <fenggw-fnst@fujitsu.com>
---
 content/en/docs/tasks/manage-gpus/scheduling-gpus.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/docs/tasks/manage-gpus/scheduling-gpus.md b/content/en/docs/tasks/manage-gpus/scheduling-gpus.md
index 7549ebb46af25..d02a20577e7f4 100644
--- a/content/en/docs/tasks/manage-gpus/scheduling-gpus.md
+++ b/content/en/docs/tasks/manage-gpus/scheduling-gpus.md
@@ -88,5 +88,5 @@ If you're using AMD GPU devices, you can deploy
 Node Labeller is a {{< glossary_tooltip text="controller" term_id="controller" >}} that automatically
 labels your nodes with GPU device properties.
 
-Similar functionality for NVIDIA is provied by
+Similar functionality for NVIDIA is provided by
 [GPU feature discovery](https://github.com/NVIDIA/gpu-feature-discovery/blob/main/README.md).

From 6b8198b2209a9828b5b9b4b92bbd990e4d0afd8e Mon Sep 17 00:00:00 2001
From: Guangwen Feng <fenggw-fnst@fujitsu.com>
Date: Fri, 17 Mar 2023 15:09:45 +0800
Subject: [PATCH 170/215] [zh-cn] sync task files of task-7

Signed-off-by: Guangwen Feng <fenggw-fnst@fujitsu.com>
---
 .../enforce-standards-admission-controller.md |  2 +
 .../enforce-standards-namespace-labels.md     |  2 +
 .../extended-resource.md                      |  6 +--
 .../security-context.md                       | 50 ++++++++++++-------
 .../configure-pod-container/static-pod.md     |  4 +-
 5 files changed, 40 insertions(+), 24 deletions(-)

diff --git a/content/zh-cn/docs/tasks/configure-pod-container/enforce-standards-admission-controller.md b/content/zh-cn/docs/tasks/configure-pod-container/enforce-standards-admission-controller.md
index f526c26b25348..e367d2571fa7c 100644
--- a/content/zh-cn/docs/tasks/configure-pod-container/enforce-standards-admission-controller.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/enforce-standards-admission-controller.md
@@ -1,6 +1,7 @@
 ---
 title: 通过配置内置准入控制器实施 Pod 安全标准
 content_type: task
+weight: 240
 ---
 <!--
 title: Enforce Pod Security Standards by Configuring the Built-in Admission Controller
@@ -8,6 +9,7 @@ reviewers:
 - tallclair
 - liggitt
 content_type: task
+weight: 240
 -->
 
 <!--
diff --git a/content/zh-cn/docs/tasks/configure-pod-container/enforce-standards-namespace-labels.md b/content/zh-cn/docs/tasks/configure-pod-container/enforce-standards-namespace-labels.md
index 124bbf16bd2d0..decafc212ed7c 100644
--- a/content/zh-cn/docs/tasks/configure-pod-container/enforce-standards-namespace-labels.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/enforce-standards-namespace-labels.md
@@ -1,6 +1,7 @@
 ---
 title: 使用名字空间标签来实施 Pod 安全性标准
 content_type: task
+weight: 250
 ---
 <!--
 title: Enforce Pod Security Standards with Namespace Labels
@@ -8,6 +9,7 @@ reviewers:
 - tallclair
 - liggitt
 content_type: task
+weight: 250
 -->
 
 <!--
diff --git a/content/zh-cn/docs/tasks/configure-pod-container/extended-resource.md b/content/zh-cn/docs/tasks/configure-pod-container/extended-resource.md
index 3abc19fb120fd..b2e6dda32e58c 100644
--- a/content/zh-cn/docs/tasks/configure-pod-container/extended-resource.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/extended-resource.md
@@ -1,13 +1,13 @@
 ---
 title: 为容器分派扩展资源 
 content_type: task
-weight: 40
+weight: 70
 ---
 
 <!--
 title: Assign Extended Resources to a Container
 content_type: task
-weight: 40
+weight: 70
 -->
 
 <!-- overview -->
@@ -166,7 +166,7 @@ It has a status of Pending:
 -->
 输出结果表明 Pod 虽然被创建了，但没有被调度到节点上正常运行。Pod 的状态为 Pending：
 
-```
+```yaml
 NAME                       READY     STATUS    RESTARTS   AGE
 extended-resource-demo-2   0/1       Pending   0          6m
 ```
diff --git a/content/zh-cn/docs/tasks/configure-pod-container/security-context.md b/content/zh-cn/docs/tasks/configure-pod-container/security-context.md
index 61ebea4ae424e..fdd0c68044759 100644
--- a/content/zh-cn/docs/tasks/configure-pod-container/security-context.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/security-context.md
@@ -1,7 +1,7 @@
 ---
 title: 为 Pod 或容器配置安全上下文
 content_type: task
-weight: 80
+weight: 110
 ---
 <!--
 reviewers:
@@ -10,7 +10,7 @@ reviewers:
 - thockin
 title: Configure a Security Context for a Pod or Container
 content_type: task
-weight: 80
+weight: 110
 -->
 
 <!-- overview -->
@@ -21,11 +21,15 @@ a Pod or Container. Security context settings include, but are not limited to:
 
 * Discretionary Access Control: Permission to access an object, like a file, is based on
   [user ID (UID) and group ID (GID)](https://wiki.archlinux.org/index.php/users_and_groups).
+
 * [Security Enhanced Linux (SELinux)](https://en.wikipedia.org/wiki/Security-Enhanced_Linux):
   Objects are assigned security labels.
+
 * Running as privileged or unprivileged.
-* [Linux Capabilities](https://linux-audit.com/linux-capabilities-hardening-linux-binaries-by-removing-setuid/): 
+
+* [Linux Capabilities](https://linux-audit.com/linux-capabilities-hardening-linux-binaries-by-removing-setuid/):
   Give a process some privileges, but not all the privileges of the root user.
+
 -->
 安全上下文（Security Context）定义 Pod 或 Container 的特权与访问控制设置。
 安全上下文包括但不限于：
@@ -33,29 +37,36 @@ a Pod or Container. Security context settings include, but are not limited to:
 * 自主访问控制（Discretionary Access Control）：
   基于[用户 ID（UID）和组 ID（GID）](https://wiki.archlinux.org/index.php/users_and_groups)
   来判定对对象（例如文件）的访问权限。
+
 * [安全性增强的 Linux（SELinux）](https://zh.wikipedia.org/wiki/%E5%AE%89%E5%85%A8%E5%A2%9E%E5%BC%BA%E5%BC%8FLinux)：
   为对象赋予安全性标签。
+
 * 以特权模式或者非特权模式运行。
+
 * [Linux 权能](https://linux-audit.com/linux-capabilities-hardening-linux-binaries-by-removing-setuid/): 
   为进程赋予 root 用户的部分特权而非全部特权。
+
 <!--
 * [AppArmor](/docs/tutorials/security/apparmor/):
   Use program profiles to restrict the capabilities of individual programs.
+
 * [Seccomp](/docs/tutorials/security/seccomp/): Filter a process's system calls.
+
 * `allowPrivilegeEscalation`: Controls whether a process can gain more privileges than
   its parent process. This bool directly controls whether the
   [`no_new_privs`](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)
   flag gets set on the container process.
-  `allowPrivilegeEscalation` is always true
-  when the container:
+  `allowPrivilegeEscalation` is always true when the container:
 
   - is run as privileged, or
   - has `CAP_SYS_ADMIN`
 
-* readOnlyRootFilesystem: Mounts the container's root filesystem as read-only.
+* `readOnlyRootFilesystem`: Mounts the container's root filesystem as read-only.
 -->
 * [AppArmor](/zh-cn/docs/tutorials/security/apparmor/)：使用程序配置来限制个别程序的权能。
+
 * [Seccomp](/zh-cn/docs/tutorials/security/seccomp/)：过滤进程的系统调用。
+
 * `allowPrivilegeEscalation`：控制进程是否可以获得超出其父进程的特权。
   此布尔值直接控制是否为容器进程设置
   [`no_new_privs`](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)标志。
@@ -64,10 +75,10 @@ a Pod or Container. Security context settings include, but are not limited to:
   - 以特权模式运行，或者
   - 具有 `CAP_SYS_ADMIN` 权能
 
-* readOnlyRootFilesystem：以只读方式加载容器的根文件系统。
+* `readOnlyRootFilesystem`：以只读方式加载容器的根文件系统。
 
 <!--
-The above bullets are not a complete set of security context settings - please see
+The above bullets are not a complete set of security context settings -- please see
 [SecurityContext](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#securitycontext-v1-core)
 for a comprehensive list.
 -->
@@ -702,7 +713,7 @@ To assign SELinux labels, the SELinux security module must be loaded on the host
 {{< feature-state for_k8s_version="v1.25" state="alpha" >}}
 
 <!--
-By default, the contrainer runtime recursively assigns SELinux label to all
+By default, the container runtime recursively assigns SELinux label to all
 files on all Pod volumes. To speed up this process, Kubernetes can change the
 SELinux label of a volume instantly by using a mount option
 `-o context=<label>`.
@@ -804,15 +815,15 @@ Pod 的安全上下文适用于 Pod 中的容器，也适用于 Pod 所挂载的
   该部分设置的是赋予 Pod 中所有容器及卷的
   [多类别安全性（Multi-Category Security，MCS)](https://selinuxproject.org/page/NB_MLS)标签。
 
-  <!--
-  After you specify an MCS label for a Pod, all Pods with the same label can
-  access the Volume. If you need inter-Pod protection, you must assign a unique
-  MCS label to each Pod.
-  -->
-  {{< warning >}}
-  在为 Pod 设置 MCS 标签之后，所有带有相同标签的 Pod 可以访问该卷。
-  如果你需要跨 Pod 的保护，你必须为每个 Pod 赋予独特的 MCS 标签。
-  {{< /warning >}}
+<!--
+After you specify an MCS label for a Pod, all Pods with the same label can
+access the Volume. If you need inter-Pod protection, you must assign a unique
+MCS label to each Pod.
+-->
+{{< warning >}}
+在为 Pod 设置 MCS 标签之后，所有带有相同标签的 Pod 可以访问该卷。
+如果你需要跨 Pod 的保护，你必须为每个 Pod 赋予独特的 MCS 标签。
+{{< /warning >}}
 
 <!--
 ## Clean up
@@ -842,7 +853,8 @@ kubectl delete pod security-context-demo-4
 * [AllowPrivilegeEscalation design
   document](https://git.k8s.io/design-proposals-archive/auth/no-new-privs.md)
 * For more information about security mechanisms in Linux, see
-  [Overview of Linux Kernel Security Features](https://www.linux.com/learn/overview-linux-kernel-security-features) (Note: Some information is out of date)
+  [Overview of Linux Kernel Security Features](https://www.linux.com/learn/overview-linux-kernel-security-features)
+  (Note: Some information is out of date)
 -->
 * [PodSecurityContext](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podsecuritycontext-v1-core) API 定义
 * [SecurityContext](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#securitycontext-v1-core) API 定义
diff --git a/content/zh-cn/docs/tasks/configure-pod-container/static-pod.md b/content/zh-cn/docs/tasks/configure-pod-container/static-pod.md
index 9969a4daa2ec1..19be159063e3c 100644
--- a/content/zh-cn/docs/tasks/configure-pod-container/static-pod.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/static-pod.md
@@ -1,13 +1,13 @@
 ---
 title: 创建静态 Pod
-weight: 170
+weight: 220
 content_type: task
 ---
 <!--
 reviewers:
 - jsafrane
 title: Create static Pods
-weight: 170
+weight: 220
 content_type: task
 -->
 

From c9971ae8c4bdba2ae239bfc7347ef85ac69e504d Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Fri, 17 Mar 2023 15:20:38 +0800
Subject: [PATCH 171/215] Reference files to sync  task 1

Reference files to sync  task 1
---
 .../authorization-resources/cluster-role-binding-v1.md        | 4 ++--
 .../kubernetes-api/authorization-resources/cluster-role-v1.md | 4 ++--
 .../kubernetes-api/authorization-resources/role-binding-v1.md | 4 ++--
 .../kubernetes-api/authorization-resources/role-v1.md         | 4 ++--
 .../kubernetes-api/workload-resources/priority-class-v1.md    | 4 ++--
 .../kubernetes-api/workload-resources/replica-set-v1.md       | 2 +-
 .../workload-resources/replication-controller-v1.md           | 2 +-
 7 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/cluster-role-binding-v1.md b/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/cluster-role-binding-v1.md
index fbfa9dd428a06..073d526cf1c5d 100644
--- a/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/cluster-role-binding-v1.md
+++ b/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/cluster-role-binding-v1.md
@@ -6,7 +6,7 @@ api_metadata:
 content_type: "api_reference"
 description: "ClusterRoleBinding 引用 ClusterRole，但不包含它。"
 title: "ClusterRoleBinding"
-weight: 6
+weight: 7
 auto_generated: false
 ---
 <!-- 
@@ -18,7 +18,7 @@ api_metadata:
 content_type: "api_reference"
 description: "ClusterRoleBinding references a ClusterRole, but not contain it."
 title: "ClusterRoleBinding"
-weight: 6
+weight: 7
 auto_generated: true
 ---
 -->
diff --git a/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1.md b/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1.md
index 2160bbe2ed5f3..75da4d51382a3 100644
--- a/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1.md
+++ b/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1.md
@@ -6,7 +6,7 @@ api_metadata:
 content_type: "api_reference"
 description: "ClusterRole 是一个集群级别的 PolicyRule 逻辑分组，可以被 RoleBinding 或 ClusterRoleBinding 作为一个单元引用。"  
 title: "ClusterRole" 
-weight: 5  
+weight: 6  
 ---
 <!--
 api_metadata:
@@ -16,7 +16,7 @@ api_metadata:
 content_type: "api_reference"
 description: "ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding."
 title: "ClusterRole"
-weight: 5
+weight: 6
 auto_generated: true
 -->
 
diff --git a/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/role-binding-v1.md b/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/role-binding-v1.md
index 38abf1da14b39..4eb718543566f 100644
--- a/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/role-binding-v1.md
+++ b/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/role-binding-v1.md
@@ -6,7 +6,7 @@ api_metadata:
 content_type: "api_reference"
 description: "RoleBinding 引用一个角色，但不包含它。"
 title: "RoleBinding"
-weight: 8
+weight: 9
 auto_generated: false
 ---
 <!--
@@ -18,7 +18,7 @@ api_metadata:
 content_type: "api_reference"
 description: "RoleBinding references a role, but does not contain it."
 title: "RoleBinding"
-weight: 8
+weight: 9
 auto_generated: true
 ---
 -->
diff --git a/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/role-v1.md b/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/role-v1.md
index cb1f1f183cee8..0b591d1c4aeba 100644
--- a/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/role-v1.md
+++ b/content/zh-cn/docs/reference/kubernetes-api/authorization-resources/role-v1.md
@@ -6,7 +6,7 @@ api_metadata:
 content_type: "api_reference"
 description: "Role 是一个按命名空间划分的 PolicyRule 逻辑分组，可以被 RoleBinding 作为一个单元引用。"
 title: "Role"
-weight: 7
+weight: 8
 ---
 <!--
 api_metadata:
@@ -16,7 +16,7 @@ api_metadata:
 content_type: "api_reference"
 description: "Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding."
 title: "Role"
-weight: 7
+weight: 8
 auto_generated: true
 -->
 
diff --git a/content/zh-cn/docs/reference/kubernetes-api/workload-resources/priority-class-v1.md b/content/zh-cn/docs/reference/kubernetes-api/workload-resources/priority-class-v1.md
index dd9fd1137320e..8fecfe9c54d2e 100644
--- a/content/zh-cn/docs/reference/kubernetes-api/workload-resources/priority-class-v1.md
+++ b/content/zh-cn/docs/reference/kubernetes-api/workload-resources/priority-class-v1.md
@@ -6,7 +6,7 @@ api_metadata:
 content_type: "api_reference"
 description: "PriorityClass 定义了从优先级类名到优先级数值的映射。"
 title: "PriorityClass"
-weight: 14
+weight: 13
 auto_generated: false
 ---
 
@@ -18,7 +18,7 @@ api_metadata:
 content_type: "api_reference"
 description: "PriorityClass defines mapping from a priority class name to the priority integer value."
 title: "PriorityClass"
-weight: 14
+weight: 13
 auto_generated: true
 -->
 
diff --git a/content/zh-cn/docs/reference/kubernetes-api/workload-resources/replica-set-v1.md b/content/zh-cn/docs/reference/kubernetes-api/workload-resources/replica-set-v1.md
index 8a07eaac44150..93be803394b23 100644
--- a/content/zh-cn/docs/reference/kubernetes-api/workload-resources/replica-set-v1.md
+++ b/content/zh-cn/docs/reference/kubernetes-api/workload-resources/replica-set-v1.md
@@ -128,7 +128,7 @@ ReplicaSetStatus 表示 ReplicaSet 的当前状态。
 <!--
 - **replicas** (int32), required
 
-  Replicas is the most recently oberved number of replicas. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
+  Replicas is the most recently observed number of replicas. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
 
 - **availableReplicas** (int32)
 
diff --git a/content/zh-cn/docs/reference/kubernetes-api/workload-resources/replication-controller-v1.md b/content/zh-cn/docs/reference/kubernetes-api/workload-resources/replication-controller-v1.md
index ba4baaccb9498..0a0f3dc34a8d1 100644
--- a/content/zh-cn/docs/reference/kubernetes-api/workload-resources/replication-controller-v1.md
+++ b/content/zh-cn/docs/reference/kubernetes-api/workload-resources/replication-controller-v1.md
@@ -131,7 +131,7 @@ ReplicationControllerStatus 表示一个副本控制器的当前状态。
 <!--
 - **replicas** (int32), required
 
-  Replicas is the most recently oberved number of replicas. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller
+  Replicas is the most recently observed number of replicas. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller
 
 - **availableReplicas** (int32)
 

From 82bc0cc187b24effe47da85eea7b7d345aaf8637 Mon Sep 17 00:00:00 2001
From: Guangwen Feng <fenggw-fnst@fujitsu.com>
Date: Fri, 17 Mar 2023 16:38:37 +0800
Subject: [PATCH 172/215] [zh-cn] sync task files of task-9

Signed-off-by: Guangwen Feng <fenggw-fnst@fujitsu.com>
---
 .../tasks/administer-cluster/manage-resources/_index.md   | 4 ++--
 .../change-runtime-containerd.md                          | 4 ++--
 .../check-if-dockershim-removal-affects-you.md            | 8 ++++----
 .../migrate-dockershim-dockerd.md                         | 4 ++--
 .../troubleshooting-cni-plugin-related-errors.md          | 6 ++++--
 5 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/content/zh-cn/docs/tasks/administer-cluster/manage-resources/_index.md b/content/zh-cn/docs/tasks/administer-cluster/manage-resources/_index.md
index 92e723eb216c8..339a66364c213 100644
--- a/content/zh-cn/docs/tasks/administer-cluster/manage-resources/_index.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/manage-resources/_index.md
@@ -1,9 +1,9 @@
 ---
 title: 管理内存、CPU 和 API 资源
-weight: 20
+weight: 40
 ---
 
 <!--
 title: Manage Memory, CPU, and API Resources
-weight: 20
+weight: 40
 -->
diff --git a/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/change-runtime-containerd.md b/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/change-runtime-containerd.md
index 05ca03663cdab..1052ba0d64d7e 100644
--- a/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/change-runtime-containerd.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/change-runtime-containerd.md
@@ -1,12 +1,12 @@
 ---
 title: 将节点上的容器运行时从 Docker Engine 改为 containerd
-weight: 8
+weight: 10
 content_type: task 
 ---
 
 <!--
 title: "Changing the Container Runtime on a Node from Docker Engine to containerd"
-weight: 8
+weight: 10
 content_type: task 
 -->
 
diff --git a/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-removal-affects-you.md b/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-removal-affects-you.md
index 3a9b66d4963ea..45051f7065605 100644
--- a/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-removal-affects-you.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-removal-affects-you.md
@@ -14,7 +14,7 @@ weight: 50
 <!-- overview -->
 
 <!-- 
-The `dockershim` component of Kubernetes allows to use Docker as a Kubernetes's
+The `dockershim` component of Kubernetes allows the use of Docker as a Kubernetes's
 {{< glossary_tooltip text="container runtime" term_id="container-runtime" >}}.
 Kubernetes' built-in `dockershim` component was removed in release v1.24.
 -->
@@ -80,11 +80,11 @@ dependency on Docker:
 1. Third-party tools that perform above mentioned privileged operations. See
    [Migrating telemetry and security agents from dockershim](/docs/tasks/administer-cluster/migrating-from-dockershim/migrating-telemetry-and-security-agents)
    for more information.
-1. Make sure there is no indirect dependencies on dockershim behavior.
+1. Make sure there are no indirect dependencies on dockershim behavior.
    This is an edge case and unlikely to affect your application. Some tooling may be configured
    to react to Docker-specific behaviors, for example, raise alert on specific metrics or search for
    a specific log message as part of troubleshooting instructions.
-   If you have such tooling configured, test the behavior on test
+   If you have such tooling configured, test the behavior on a test
    cluster before migration.
 -->
 4. 检查执行上述特权操作的第三方工具。
@@ -151,7 +151,7 @@ before to check on these containers is no longer available.
 <!-- 
 You cannot get container information using `docker ps` or `docker inspect`
 commands. As you cannot list containers, you cannot get logs, stop containers,
-or execute something inside container using `docker exec`.
+or execute something inside a container using `docker exec`.
 -->
 你不能再使用 `docker ps` 或 `docker inspect` 命令来获取容器信息。
 由于你不能列出容器，因此你不能获取日志、停止容器，甚至不能通过 `docker exec` 在容器中执行命令。
diff --git a/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/migrate-dockershim-dockerd.md b/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/migrate-dockershim-dockerd.md
index 15cc99a7cecaa..5ee5496dd14a2 100644
--- a/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/migrate-dockershim-dockerd.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/migrate-dockershim-dockerd.md
@@ -1,12 +1,12 @@
 ---
 title: 将 Docker Engine 节点从 dockershim 迁移到 cri-dockerd
-weight: 9
+weight: 20
 content_type: task 
 ---
 
 <!--
 title: "Migrate Docker Engine nodes from dockershim to cri-dockerd"
-weight: 9
+weight: 20
 content_type: task 
 -->
 
diff --git a/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/troubleshooting-cni-plugin-related-errors.md b/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/troubleshooting-cni-plugin-related-errors.md
index f064d0bfc9db4..a266233b8c506 100644
--- a/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/troubleshooting-cni-plugin-related-errors.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/troubleshooting-cni-plugin-related-errors.md
@@ -1,7 +1,7 @@
 ---
 title: 排查 CNI 插件相关的错误
 content_type: task
-weight: 10
+weight: 40
 ---
 <!--
 title: Troubleshooting CNI plugin-related errors
@@ -9,7 +9,7 @@ content_type: task
 reviewers:
 - mikebrow
 - divya-mohan0209
-weight: 10
+weight: 40
 -->
 
 <!-- overview -->
@@ -33,6 +33,7 @@ Kubernetes.
 Service issues exist for pod CNI network setup and tear down in containerd
 v1.6.0-v1.6.3 when the CNI plugins have not been upgraded and/or the CNI config
 version is not declared in the CNI config files. The containerd team reports, "these issues are resolved in containerd v1.6.4."
+
 With containerd v1.6.0-v1.6.3, if you do not upgrade the CNI plugins and/or
 declare the CNI config version, you might encounter the following "Incompatible
 CNI versions" or "Failed to destroy network for sandbox" error conditions.
@@ -169,6 +170,7 @@ and kubelet. Uncordon the node (`kubectl uncordon <nodename>`).
 <!--
 The following example shows a configuration for `containerd` runtime v1.6.x,
 which supports a recent version of the CNI specification (v1.0.0).
+
 Please see the documentation from your plugin and networking provider for
 further instructions on configuring your system.
 -->

From e79e5c51beb4ec6d57cb66f6642bac9b94014f5f Mon Sep 17 00:00:00 2001
From: howieyuen <howieyuen@outlook.com>
Date: Fri, 17 Mar 2023 16:42:02 +0800
Subject: [PATCH 173/215] [zh-cn] sync task files of task-6

---
 .../assign-pods-nodes-using-node-affinity.md  | 67 +++++++++++--------
 ...igure-liveness-readiness-startup-probes.md |  4 +-
 .../configure-pod-initialization.md           |  9 ++-
 .../translate-compose-kubernetes.md           |  4 +-
 4 files changed, 46 insertions(+), 38 deletions(-)

diff --git a/content/zh-cn/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity.md b/content/zh-cn/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity.md
index 856286b1ea35d..de297dc1aba27 100644
--- a/content/zh-cn/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity.md
@@ -1,14 +1,14 @@
 ---
-title: 用节点亲和性把 Pods 分配到节点
+title: 用节点亲和性把 Pod 分配到节点
 min-kubernetes-server-version: v1.10
 content_type: task
-weight: 120
+weight: 160
 ---
 <!--
 title: Assign Pods to Nodes using Node Affinity
 min-kubernetes-server-version: v1.10
 content_type: task
-weight: 120
+weight: 160
 -->
 
 <!-- overview -->
@@ -29,19 +29,22 @@ Kubernetes cluster.
 
 <!--
 ## Add a label to a node
-
-1. List the nodes in your cluster, along with their labels:
 -->
 ## 给节点添加标签
 
+<!-- 
+1. List the nodes in your cluster, along with their labels:
+-->
 1. 列出集群中的节点及其标签：
 
     ```shell
     kubectl get nodes --show-labels
     ```
+    
     <!--
     The output is similar to this:
     -->
+
     输出类似于此：
 
     ```
@@ -50,23 +53,26 @@ Kubernetes cluster.
     worker1   Ready     <none>   1d      v1.13.0        ...,kubernetes.io/hostname=worker1
     worker2   Ready     <none>   1d      v1.13.0        ...,kubernetes.io/hostname=worker2
     ```
-    <!--
-    1. Chose one of your nodes, and add a label to it:
-    -->
-1. 选择一个节点，给它添加一个标签：
+
+<!--
+1. Choose one of your nodes, and add a label to it:
+-->
+2. 选择一个节点，给它添加一个标签：
 
     ```shell
     kubectl label nodes <your-node-name> disktype=ssd
     ```
-    <!--
-        where `<your-node-name>` is the name of your chosen node.
 
-    1. Verify that your chosen node has a `disktype=ssd` label:
+    <!--
+    where `<your-node-name>` is the name of your chosen node.
     -->
 
     其中 `<your-node-name>` 是你所选节点的名称。
 
-2. 验证你所选节点具有 `disktype=ssd` 标签：
+<!-- 
+1. Verify that your chosen node has a `disktype=ssd` label:
+-->
+3. 验证你所选节点具有 `disktype=ssd` 标签：
 
     ```shell
     kubectl get nodes --show-labels
@@ -75,6 +81,7 @@ Kubernetes cluster.
     <!--
     The output is similar to this:
     -->
+
     输出类似于此：
 
     ```
@@ -85,9 +92,10 @@ Kubernetes cluster.
     ```
 
     <!--
-        In the preceding output, you can see that the `worker0` node has a
-        `disktype=ssd` label.
+    In the preceding output, you can see that the `worker0` node has a
+    `disktype=ssd` label.
     -->
+
     在前面的输出中，可以看到 `worker0` 节点有一个 `disktype=ssd` 标签。
 
 <!--
@@ -113,18 +121,19 @@ This means that the pod will get scheduled only on a node that has a `disktype=s
     kubectl apply -f https://k8s.io/examples/pods/pod-nginx-required-affinity.yaml
     ```
 
-    <!--
-    1. Verify that the pod is running on your chosen node:
-    -->
-1. 验证 pod 已经在所选节点上运行：
+<!--
+1. Verify that the pod is running on your chosen node:
+-->
+2. 验证 Pod 已经在所选节点上运行：
 
     ```shell
     kubectl get pods --output=wide
     ```
 
-    <!--
+   <!--
     The output is similar to this:
-    -->
+   -->
+
     输出类似于此：
 
     ```
@@ -140,8 +149,8 @@ This means that the pod will prefer a node that has a `disktype=ssd` label.
 -->
 ## 使用首选的节点亲和性调度 Pod {#schedule-a-Pod-using-preferred-node-affinity}
 
-本清单描述了一个Pod，它有一个节点亲和性设置 `preferredDuringSchedulingIgnoredDuringExecution`，`disktype: ssd`。
-这意味着 pod 将首选具有 `disktype=ssd` 标签的节点。
+本清单描述了一个 Pod，它有一个节点亲和性设置 `preferredDuringSchedulingIgnoredDuringExecution`，`disktype: ssd`。
+这意味着 Pod 将首选具有 `disktype=ssd` 标签的节点。
 
 {{< codenew file="pods/pod-nginx-preferred-affinity.yaml" >}}
 
@@ -155,10 +164,10 @@ This means that the pod will prefer a node that has a `disktype=ssd` label.
     kubectl apply -f https://k8s.io/examples/pods/pod-nginx-preferred-affinity.yaml
     ```
 
-    <!--
-    1. Verify that the pod is running on your chosen node:
-    -->
-1. 验证 pod 是否在所选节点上运行：
+<!--
+1. Verify that the pod is running on your chosen node:
+-->
+2. 验证 Pod 是否在所选节点上运行：
    
     ```shell
     kubectl get pods --output=wide
@@ -167,6 +176,7 @@ This means that the pod will prefer a node that has a `disktype=ssd` label.
     <!--
     The output is similar to this:
     -->
+
     输出类似于此：
     
     ```
@@ -182,5 +192,4 @@ This means that the pod will prefer a node that has a `disktype=ssd` label.
 Learn more about
 [Node Affinity](/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity).
 -->
-进一步了解
-[节点亲和性](/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity).
+进一步了解[节点亲和性](/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity)。
diff --git a/content/zh-cn/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md b/content/zh-cn/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
index 685f28f563fe8..20ad485c7e76d 100644
--- a/content/zh-cn/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.md
@@ -1,12 +1,12 @@
 ---
 title: 配置存活、就绪和启动探针
 content_type: task
-weight: 110
+weight: 140
 ---
 <!--
 title: Configure Liveness, Readiness and Startup Probes
 content_type: task
-weight: 110
+weight: 140
 -->
 
 <!-- overview -->
diff --git a/content/zh-cn/docs/tasks/configure-pod-container/configure-pod-initialization.md b/content/zh-cn/docs/tasks/configure-pod-container/configure-pod-initialization.md
index 65166ce246b32..bfe618f816fd8 100644
--- a/content/zh-cn/docs/tasks/configure-pod-container/configure-pod-initialization.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/configure-pod-initialization.md
@@ -1,13 +1,13 @@
 ---
 title: 配置 Pod 初始化
 content_type: task
-weight: 130
+weight: 170
 ---
 
 <!--
 title: Configure Pod Initialization
 content_type: task
-weight: 130
+weight: 170
 -->
 
 <!-- overview -->
@@ -69,7 +69,7 @@ Create the Pod:
 创建 Pod：
 
 ```shell
-kubectl create -f https://k8s.io/examples/pods/init-containers.yaml
+kubectl apply -f https://k8s.io/examples/pods/init-containers.yaml
 ```
 
 <!--
@@ -132,7 +132,7 @@ The output shows that nginx is serving the web page that was written by the init
 
 <!--
 * Learn more about
-[communicating between Containers running in the same Pod](/docs/tasks/access-application-cluster/communicate-containers-same-pod-shared-volume/).
+  [communicating between Containers running in the same Pod](/docs/tasks/access-application-cluster/communicate-containers-same-pod-shared-volume/).
 * Learn more about [Init Containers](/docs/concepts/workloads/pods/init-containers/).
 * Learn more about [Volumes](/docs/concepts/storage/volumes/).
 * Learn more about [Debugging Init Containers](/docs/tasks/debug/debug-application/debug-init-containers/)
@@ -142,4 +142,3 @@ The output shows that nginx is serving the web page that was written by the init
 * 进一步了解 [Init 容器](/zh-cn/docs/concepts/workloads/pods/init-containers/)。
 * 进一步了解[卷](/zh-cn/docs/concepts/storage/volumes/)。
 * 进一步了解 [Init 容器排错](/zh-cn/docs/tasks/debug/debug-application/debug-init-containers/)。
-
diff --git a/content/zh-cn/docs/tasks/configure-pod-container/translate-compose-kubernetes.md b/content/zh-cn/docs/tasks/configure-pod-container/translate-compose-kubernetes.md
index 7b10d43e5c1be..ddd4f65db64d1 100644
--- a/content/zh-cn/docs/tasks/configure-pod-container/translate-compose-kubernetes.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/translate-compose-kubernetes.md
@@ -1,14 +1,14 @@
 ---
 title: 将 Docker Compose 文件转换为 Kubernetes 资源
 content_type: task
-weight: 200
+weight: 230
 ---
 <!--
 reviewers:
 - cdrage
 title: Translate a Docker Compose File to Kubernetes Resources
 content_type: task
-weight: 200
+weight: 230
 -->
 
 <!-- overview -->

From abcba5ce5767bfec6c3f820bf48f01feac6dc330 Mon Sep 17 00:00:00 2001
From: Guangwen Feng <fenggw-fnst@fujitsu.com>
Date: Fri, 17 Mar 2023 15:49:04 +0800
Subject: [PATCH 174/215] [zh-cn] sync task files of task-8

Signed-off-by: Guangwen Feng <fenggw-fnst@fujitsu.com>
---
 .../zh-cn/docs/tasks/configure-pod-container/_index.md |  8 +++++++-
 .../tasks/configure-pod-container/assign-pods-nodes.md | 10 +++++-----
 .../configure-pod-container/configure-runasusername.md |  4 ++--
 .../configure-pod-container/share-process-namespace.md |  4 ++--
 4 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/content/zh-cn/docs/tasks/configure-pod-container/_index.md b/content/zh-cn/docs/tasks/configure-pod-container/_index.md
index 4c71a44d896fa..fba45f28453d8 100644
--- a/content/zh-cn/docs/tasks/configure-pod-container/_index.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/_index.md
@@ -1,5 +1,11 @@
 ---
 title: "配置 Pods 和容器"
-weight: 20
+weight: 30
 description: 对 Pod 和容器执行常见的配置任务。
 ---
+
+<!--
+title: "Configure Pods and Containers"
+description: Perform common configuration tasks for Pods and containers.
+weight: 30
+-->
diff --git a/content/zh-cn/docs/tasks/configure-pod-container/assign-pods-nodes.md b/content/zh-cn/docs/tasks/configure-pod-container/assign-pods-nodes.md
index 418db6611e7a4..98dffd4d144ea 100644
--- a/content/zh-cn/docs/tasks/configure-pod-container/assign-pods-nodes.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/assign-pods-nodes.md
@@ -1,12 +1,12 @@
 ---
 title: 将 Pod 分配给节点
 content_type: task
-weight: 120
+weight: 150
 ---
 <!--
 title: Assign Pods to Nodes
 content_type: task
-weight: 120
+weight: 150
 -->
 
 <!-- overview -->
@@ -41,7 +41,7 @@ Kubernetes cluster.
    -->
    输出类似如下：
 
-   ```
+   ```shell
    NAME      STATUS    ROLES    AGE     VERSION        LABELS
    worker0   Ready     <none>   1d      v1.13.0        ...,kubernetes.io/hostname=worker0
    worker1   Ready     <none>   1d      v1.13.0        ...,kubernetes.io/hostname=worker1
@@ -76,7 +76,7 @@ Kubernetes cluster.
    -->
    输出类似如下：
 
-   ```
+   ```shell
    NAME      STATUS    ROLES    AGE     VERSION        LABELS
    worker0   Ready     <none>   1d      v1.13.0        ...,disktype=ssd,kubernetes.io/hostname=worker0
    worker1   Ready     <none>   1d      v1.13.0        ...,kubernetes.io/hostname=worker1
@@ -126,7 +126,7 @@ a `disktype=ssd` label.
    -->
    输出类似如下：
 
-   ```
+   ```shell
    NAME     READY     STATUS    RESTARTS   AGE    IP           NODE
    nginx    1/1       Running   0          13s    10.200.0.4   worker0
    ```
diff --git a/content/zh-cn/docs/tasks/configure-pod-container/configure-runasusername.md b/content/zh-cn/docs/tasks/configure-pod-container/configure-runasusername.md
index 65df06ff344a6..80554e3b9607b 100644
--- a/content/zh-cn/docs/tasks/configure-pod-container/configure-runasusername.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/configure-runasusername.md
@@ -1,13 +1,13 @@
 ---
 title: 为 Windows 的 Pod 和容器配置 RunAsUserName
 content_type: task
-weight: 20
+weight: 40
 ---
 
 <!--
 title: Configure RunAsUserName for Windows pods and containers
 content_type: task
-weight: 20
+weight: 40
 -->
 
 <!-- overview -->
diff --git a/content/zh-cn/docs/tasks/configure-pod-container/share-process-namespace.md b/content/zh-cn/docs/tasks/configure-pod-container/share-process-namespace.md
index fe3fa6f81e0d6..1358defcfb2a8 100644
--- a/content/zh-cn/docs/tasks/configure-pod-container/share-process-namespace.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/share-process-namespace.md
@@ -1,7 +1,7 @@
 ---
 title: 在 Pod 中的容器之间共享进程命名空间
 content_type: task
-weight: 160
+weight: 200
 ---
 <!--
 ---
@@ -11,7 +11,7 @@ reviewers:
 - yujuhong
 - dchen1107
 content_type: task
-weight: 160
+weight: 200
 ---
 -->
 

From 02fc808499fbb72a15bdf4cc353f9dce5a7e1a6e Mon Sep 17 00:00:00 2001
From: niranjandarshann <niranjan.darshan@india.nec.com>
Date: Fri, 17 Mar 2023 14:38:03 +0530
Subject: [PATCH 175/215]  Fixes the Broken link in blog: k8s.gcr.io Redirect
 to registry.k8s.io - What You Need to Know

---
 content/en/blog/_posts/2023-03-10-image-registry-change.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/blog/_posts/2023-03-10-image-registry-change.md b/content/en/blog/_posts/2023-03-10-image-registry-change.md
index 2d33b22db9931..39a03283ce52e 100644
--- a/content/en/blog/_posts/2023-03-10-image-registry-change.md
+++ b/content/en/blog/_posts/2023-03-10-image-registry-change.md
@@ -111,7 +111,7 @@ kubectl community-images
 ```
 
 For alternate methods of install and example output, check out the repo:
-[kubernetes-sigs/community-images](https://github.com/kubernetes-sigs/community-image).
+[kubernetes-sigs/community-images](https://github.com/kubernetes-sigs/community-images).
 
 **Option 3**: If you do not have access to a cluster directly, or manage many clusters - the best
 way is to run a search over your manifests and charts for _"k8s.gcr.io"_.

From a3165dfa219976e3018b7322b94d94d9af69b71a Mon Sep 17 00:00:00 2001
From: harshitasao <harshitasao@gmail.com>
Date: Fri, 17 Mar 2023 14:47:39 +0530
Subject: [PATCH 176/215] made the required changes

---
 ...bernetes-1.27-deprecations-and-removals.md | 138 ----------------
 ...bernetes-1.27-deprecations-and-removals.md | 148 ++++++++++++++++++
 2 files changed, 148 insertions(+), 138 deletions(-)
 delete mode 100644 content/en/blog/_posts/2023-03-16-kubernetes-1.27-deprecations-and-removals.md
 create mode 100644 content/en/blog/_posts/2023-03-17-kubernetes-1.27-deprecations-and-removals.md

diff --git a/content/en/blog/_posts/2023-03-16-kubernetes-1.27-deprecations-and-removals.md b/content/en/blog/_posts/2023-03-16-kubernetes-1.27-deprecations-and-removals.md
deleted file mode 100644
index 89571ddd322f9..0000000000000
--- a/content/en/blog/_posts/2023-03-16-kubernetes-1.27-deprecations-and-removals.md
+++ /dev/null
@@ -1,138 +0,0 @@
----
-layout: blog
-title: "Kubernetes Removals and Major Changes In v1.27"
-date: 2023-03-16
-slug: upcoming-changes-in-kubernetes-v1-27
----
-
-**Author**: Harshita Sao (Independent)
-
-As Kubernetes develops and matures, features may be deprecated, removed, or replaced with better ones for the project's overall health. Based on the information available at this mid-cycle point in the v1.27 release process, which is still ongoing and can introduce additional changes, this article identifies and describes some of the planned changes for the Kubernetes v1.27 release.
-
-## A note about k8s.gcr.io Redirect to registry.k8s.io
-
-To host its container images, the Kubernetes project uses a community-owned image registry called registry.k8s.io. **On March 20th, all traffic from the out-of-date [k8s.gcr.io](https://cloud.google.com/container-registry/) registry will be redirected to [registry.k8s.io](https://github.com/kubernetes/registry.k8s.io). The deprecated k8s.gcr.io registry will eventually be phased out.
-
-### What does this change mean?
-
-- If you are a subproject maintainer, you must update your manifests and Helm charts to use the new registry.
-
-- The v1.27 Kubernetes release will not be published to the old registry.
-
-- From April, patch releases for v1.24, v1.25, and v1.26 will no longer be published to the old registry.
-
-We have a [blog post](https://kubernetes.io/blog/2023/03/10/image-registry-redirect/) with all the information about this change and what to do if it impacts you.
-
-## The Kubernetes API Removal and Deprecation process
-
-The Kubernetes project has a well-documented [deprecation policy](https://kubernetes.io/docs/reference/using-api/deprecation-policy/) for features. This policy states that stable APIs may only be deprecated when a newer, stable version of that same API is available and that APIs have a minimum lifetime for each stability level. A deprecated API has been marked for removal in a future Kubernetes release, it will continue to function until removal (at least one year from the deprecation), but usage will result in a warning being displayed. Removed APIs are no longer available in the current version, at which point you must migrate to using the replacement.
-
-- Generally available (GA) or stable API versions may be marked as deprecated but must not be removed within a major version of Kubernetes.
-
-- Beta or pre-release API versions must be supported for 3 releases after the deprecation. 
-
-- Alpha or experimental API versions may be removed in any release without prior deprecation notice. 
-
-Whether an API is removed as a result of a feature graduating from beta to stable or because that API simply did not succeed, all removals comply with this deprecation policy. Whenever an API is removed, migration options are communicated in the documentation.
-
-## API removals, and other changes for Kubernetes v1.27
-
-In addition to the above, Kubernetes v1.27 is targeted to include several additional removals.
-
-### Removal of storage.k8s.io/v1beta1 from [CSIStorageCapacity](https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/csi-storage-capacity-v1/)
-
-The CSIStorageCapacity API supports exposing currently available storage capacity via CSIStorageCapacity objects and enhances the scheduling of pods that use CSI volumes with late binding. The `storage.k8s.io/v1beta1` API version of CSIStorageCapacity was deprecated in v1.24, and it will no longer be served in v1.27. 
-
-Migrate manifests and API clients to use the `storage.k8s.io/v1` API version, available since v1.24. All existing persisted objects are accessible via the new API.
-
-Refer to the [Storage Capacity Constraints for Pod Scheduling KEP](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1472-storage-capacity-tracking) for more information.
-
-### Removal of seccomp annotations
-
-In Kubernetes v1.19, the [seccomp](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/135-seccomp) (secure computing mode) support graduated to General Availability (GA). This feature can be used to increase the workload security by restricting the system calls for a Pod (applies to all containers) or single containers.
-
-The support for the alpha seccomp annotations `seccomp.security.alpha.kubernetes.io/pod` and `container.seccomp.security.alpha.kubernetes.io` were deprecated since v1.19, now have been completely removed. The seccomp fields are no longer auto-populated when pods with seccomp annotations are created. Pods should use the corresponding pod or container `securityContext.seccompProfile` field instead.
-
-### Removal of feature gates for [volume expansion](https://github.com/kubernetes/enhancements/issues/284)
-
-The following feature gates for volume expansion GA features will be removed and must no longer be referenced in `--feature-gates` flags:
-
-- `ExpandCSIVolumes`: Enable expanding of CSI volumes.
-
-- `ExpandInUsePersistentVolumes`: Enable expanding in-use PVCs.
-
-- `ExpandPersistentVolumes`: Enable expanding of persistent volumes.
-
-### Removal of [masterServiceNamespace](https://github.com/kubernetes/kubernetes/pull/114446) flag
-
-The namespace from which Kubernetes master services should be injected into pods is `masterServiceNamespace`. This release removes this flag, which has been deprecated since v1.6.
-
-### Removal of [ControllerManagerLeaderMigration](https://github.com/kubernetes/kubernetes/pull/113534) feature gate
-
-[Leader Migration](https://github.com/kubernetes/enhancements/issues/2436) provides a mechanism in which HA clusters can safely migrate "cloud-specific" controllers between the `kube-controller-manager` and the `cloud-controller-manager` via a shared resource lock between the two components while upgrading the replicated control plane. 
-
-The `ControllerManagerLeaderMigration` feature, GA since v1.24, is unconditionally enabled hence the feature gate option will be removed.
-
-### Removal of [enable-taint-manager](https://github.com/kubernetes/kubernetes/pull/111411)  and [pod-eviction-timeout](https://github.com/kubernetes/kubernetes/pull/113710) CLI flag
-
-The command line flag `enable-taint-manager` for kube-controller-manager is deprecated and will be removed in v1.27. The feature that it supports, taint based eviction, is enabled by default and will continue to be implicitly enabled when the flag is removed. The CLI flag `pod-eviction-timeout` is deprecated and will also be removed together with enable-taint-manager.
-
-### Removal of [CSI Migration](https://github.com/kubernetes/kubernetes/pull/110410) feature gate 
-
-Moving the in-tree volume plugins to out-of-tree CSI drivers. As [CSIMigration](https://github.com/kubernetes/enhancements/issues/625) is GA now. The feature gate will be removed in v1.27.
-
-### Removal of CSIInlineVolume feature gate
-
-The [CSI Ephemeral Volume](https://github.com/kubernetes/kubernetes/pull/111258) feature allows CSI volumes to be specified directly in the pod specification for ephemeral use cases. They can be used to inject arbitrary states, such as configuration, secrets, identity, variables or similar information, directly inside pods using a mounted volume. This feature has graduated to GA in v1.25. Hence the feature gate `CSIInlineVolume` will be removed in this release.
-
-### Removal of EphemeralContainers feature gate
-
-[Emphemeral containers](https://github.com/kubernetes/kubernetes/pull/111402) graduated to GA in v1.25. These are containers with a temporary duration that executes within namespaces of an existing pod. Ephemeral Containers are initiated by a user and intended to observe the state of other pods and containers for troubleshooting and debugging purposes. Hence the `EphemeralContainers` feature gate is always enabled and will be removed from the `--feature-gates` flag on the kube-apiserver and the kubelet command lines.
-
-### Removal of LocalStorageCapacityIsolation  feature gate
-
-The [Local Ephemeral Storage Capacity Isolation](https://github.com/kubernetes/kubernetes/pull/111513) feature moved to GA in v1.25. It provides support for capacity isolation of local ephemeral storage between pods, such as EmptyDir, so that a pod can be hard limited in its consumption of shared resources by evicting Pods if its consumption of local ephemeral storage exceeds that limit. Hence the feature gate `LocalStorageCapacityIsolation` will be removed in this release.
-
-### Removal of [NetworkPolicyEndPort](https://github.com/kubernetes/kubernetes/pull/110868) feature gate
-
-`endPort` in Network Policy promoted to GA in v1.25. Network Policy providers that support `endPort` field that can be used to specify a range of ports to apply a Network Policy. Previously, each Network Policy could only target a single port. So the feature gate `NetworkPolicyEndPort` will be removed in this release.
-
-Please be aware that `endPort` field must be supported by the Network Policy provider. If your provider does not support endPort, and this field is specified in a Network Policy, the Network Policy will be created covering only the port field (single port)
-
-### Removal of StatefulSetMinReadySeconds feature gate
-
-StatefulSet Controller honoring [minReadySeconds](https://github.com/kubernetes/kubernetes/pull/110896) and mark Pod ready only if Pod is available for the given time mentioned in minReadySeconds. With Promotion of StatefulSet minReadySeconds to GA in v1.25, means `--feature-gates=StatefulSetMinReadySeconds=true` are not needed on kube-apiserver and kube-controller-manager binaries so they'll be removed in this release.
-
-### Removal of [IdentifyPodOS](https://github.com/kubernetes/kubernetes/pull/111229) feature gate
-
-Addition of a new field to the pod spec called os to identify the OS of the containers specified in the pod. From v1.25, the IdentifyPodOS feature is in GA stage and defaults to be enabled hence the `IdentifyPodOS` feature gate will no longer be accepted as a `--feature-gates` parameter in v1.27.
-
-### Removal of [DaemonSetUpdateSurge](https://github.com/kubernetes/kubernetes/pull/111194) feature gate
-
-Surge support in order to minimize DaemonSet downtime on nodes. This will allow daemonset workloads to implement zero-downtime upgrades. As DaemonSet MaxSurge was graduated to GA in v1.25. This means `--feature-gates=DaemonSetUpdateSurge=true` are not needed on kube-apiserver and kube-controller-manager binaries so they'll be removed in v1.27.
-
-## Looking ahead
-
-The official list of [API removals](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-29) planned for Kubernetes v1.29 includes:
-
-- The `flowcontrol.apiserver.k8s.io/v1beta2` API version of FlowSchema and PriorityLevelConfiguration will no longer be served in v1.29.
-
-## Want to know more?
-
-Deprecations are announced in the Kubernetes release notes. You can see the announcements of pending deprecations in the release notes for:
-
-- [Kubernetes v1.21](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.21.md#deprecation)
-
-- [Kubernetes v1.22](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.22.md#deprecation)
-
-- [Kubernetes v1.23](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#deprecation)
-
-- [Kubernetes v1.24](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#deprecation)
-
-- [Kubernetes v1.25](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#deprecation)
-
-- [Kubernetes v1.26](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#deprecation)
-
-We will formally announce the deprecations that come with [Kubernetes v1.27](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#deprecation) as part of the CHANGELOG for that release.
-
-For information on the process of deprecation and removal, check out the official Kubernetes [deprecation policy](https://kubernetes.io/docs/reference/using-api/deprecation-policy/#deprecating-parts-of-the-api) document.
\ No newline at end of file
diff --git a/content/en/blog/_posts/2023-03-17-kubernetes-1.27-deprecations-and-removals.md b/content/en/blog/_posts/2023-03-17-kubernetes-1.27-deprecations-and-removals.md
new file mode 100644
index 0000000000000..e68399df49b60
--- /dev/null
+++ b/content/en/blog/_posts/2023-03-17-kubernetes-1.27-deprecations-and-removals.md
@@ -0,0 +1,148 @@
+---
+layout: blog
+title: "Kubernetes Removals and Major Changes In v1.27"
+date: 2023-03-17
+slug: upcoming-changes-in-kubernetes-v1-27
+---
+
+**Author**: Harshita Sao
+
+As Kubernetes develops and matures, features may be deprecated, removed, or replaced with better ones for the project's overall health. Based on the information available at this point in the v1.27 release process, which is still ongoing and can introduce additional changes, this article identifies and describes some of the planned changes for the Kubernetes v1.27 release.
+
+## A note about the k8s.gcr.io redirect to registry.k8s.io
+
+To host its container images, the Kubernetes project uses a community-owned image registry called registry.k8s.io. **On March 20th, all traffic from the out-of-date [k8s.gcr.io](https://cloud.google.com/container-registry/) registry will be redirected to [registry.k8s.io](https://github.com/kubernetes/registry.k8s.io)**. The deprecated k8s.gcr.io registry will eventually be phased out.
+
+### What does this change mean?
+
+- If you are a subproject maintainer, you must update your manifests and Helm charts to use the new registry.
+
+- The v1.27 Kubernetes release will not be published to the old registry.
+
+- From April, patch releases for v1.24, v1.25, and v1.26 will no longer be published to the old registry.
+
+We have a [blog post](/blog/2023/03/10/image-registry-redirect/) with all the information about this change and what to do if it impacts you.
+
+## The Kubernetes API Removal and Deprecation process
+
+The Kubernetes project has a well-documented [deprecation policy](https://kubernetes.io/docs/reference/using-api/deprecation-policy/) for features. This policy states that stable APIs may only be deprecated when a newer, stable version of that same API is available and that APIs have a minimum lifetime for each stability level. A deprecated API has been marked for removal in a future Kubernetes release, it will continue to function until removal (at least one year from the deprecation), but usage will result in a warning being displayed. Removed APIs are no longer available in the current version, at which point you must migrate to using the replacement.
+
+- Generally available (GA) or stable API versions may be marked as deprecated but must not be removed within a major version of Kubernetes.
+
+- Beta or pre-release API versions must be supported for 3 releases after the deprecation. 
+
+- Alpha or experimental API versions may be removed in any release without prior deprecation notice. 
+
+Whether an API is removed as a result of a feature graduating from beta to stable or because that API simply did not succeed, all removals comply with this deprecation policy. Whenever an API is removed, migration options are communicated in the documentation.
+
+## API removals, and other changes for Kubernetes v1.27
+
+### Removal of `storage.k8s.io/v1beta1` from `CSIStorageCapacity`
+
+The [CSIStorageCapacity](/docs/reference/kubernetes-api/config-and-storage-resources/csi-storage-capacity-v1/) API supports exposing currently available storage capacity via CSIStorageCapacity objects and enhances the scheduling of pods that use CSI volumes with late binding. The `storage.k8s.io/v1beta1` API version of CSIStorageCapacity was deprecated in v1.24, and it will no longer be served in v1.27. 
+
+Migrate manifests and API clients to use the `storage.k8s.io/v1` API version, available since v1.24. All existing persisted objects are accessible via the new API.
+
+Refer to the [Storage Capacity Constraints for Pod Scheduling KEP](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1472-storage-capacity-tracking) for more information.
+
+Kubernetes v1.27 is not removing any other APIs; however several other aspects are going 
+to be removed. Read on for details.
+
+### Support for deprecated seccomp annotations
+
+In Kubernetes v1.19, the [seccomp](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/135-seccomp) (secure computing mode) support graduated to General Availability (GA). This feature can be used to increase the workload security by restricting the system calls for a Pod (applies to all containers) or single containers.
+
+The support for the alpha seccomp annotations `seccomp.security.alpha.kubernetes.io/pod` and `container.seccomp.security.alpha.kubernetes.io` were deprecated since v1.19, now have been completely removed. The seccomp fields are no longer auto-populated when pods with seccomp annotations are created. Pods should use the corresponding pod or container `securityContext.seccompProfile` field instead.
+
+### Removal of several feature gates for volume expansion
+
+The following feature gates for [volume expansion](https://github.com/kubernetes/enhancements/issues/284) GA features will be removed and must no longer be referenced in `--feature-gates` flags:
+
+`ExpandCSIVolumes`
+: Enable expanding of CSI volumes.
+
+`ExpandInUsePersistentVolumes`
+: Enable expanding in-use PVCs.
+
+`ExpandPersistentVolumes`
+: Enable expanding of persistent volumes.
+
+### Removal of `--master-service-namespace` command line argument
+
+The kube-apiserver accepts a deprecated command line argument,  `--master-service-namespace`, that specified where to create the Service named `kubernetes`
+to represent the API server.
+Kubernetes v1.27 will remove that argument, which has been deprecated since the v1.6
+release.
+
+### Removal of the `ControllerManagerLeaderMigration` feature gate
+
+[Leader Migration](https://github.com/kubernetes/enhancements/issues/2436) provides a mechanism in which HA clusters can safely migrate "cloud-specific" controllers between the `kube-controller-manager` and the `cloud-controller-manager` via a shared resource lock between the two components while upgrading the replicated control plane. 
+
+The `ControllerManagerLeaderMigration` feature, GA since v1.24, is unconditionally enabled and for the v1.27 release the feature gate option will be removed. If you're setting this feature gate explicitly, you'll need to remove that from command line arguments or configuration files.
+
+### Removal of `--enable-taint-manager` command line argument
+
+The kube-controller-manager command line argument `--enable-taint-manager` is deprecated, and will be removed in Kubernetes v1.27. The feature that it supports, [taint based eviction](/docs/concepts/scheduling-eviction/taint-and-toleration/#taint-based-evictions),
+is already enabled by default and will continue to be implicitly enabled when the flag is removed.
+    
+### Removal of `--pod-eviction-timeout` command line argument
+	
+The deprecated command line argument `--pod-eviction-timeout` will be removed from the
+kube-controller-manager.
+
+### Removal of the `CSI Migration` feature gate 
+
+The [CSI migration](https://github.com/kubernetes/enhancements/issues/625) programme allows
+moving from in-tree volume plugins to out-of-tree CSI drivers. CSI migration is generally available since Kubernetes v1.16, and the associated `CSIMigration` feature gate will be removed in v1.27.
+
+### Removal of `CSIInlineVolume` feature gate
+
+The [CSI Ephemeral Volume](https://github.com/kubernetes/kubernetes/pull/111258) feature allows CSI volumes to be specified directly in the pod specification for ephemeral use cases. They can be used to inject arbitrary states, such as configuration, secrets, identity, variables or similar information, directly inside pods using a mounted volume. This feature graduated to GA in v1.25. Hence, the feature gate `CSIInlineVolume` will be removed in the v1.27 release.
+
+### Removal of `EphemeralContainers` feature gate
+
+[Ephemeral containers](/docs/concepts/workloads/pods/ephemeral-containers/) graduated to GA in v1.25. These are containers with a temporary duration that executes within namespaces of an existing pod. Ephemeral containers are typically initiated by a user in order to observe the state of other pods and containers for troubleshooting and debugging purposes. For Kubernetes v1.27, API support for ephemeral containers is unconditionally enabled; the `EphemeralContainers` feature gate will be removed.
+
+### Removal of `LocalStorageCapacityIsolation`  feature gate
+
+The [Local Ephemeral Storage Capacity Isolation](https://github.com/kubernetes/kubernetes/pull/111513) feature moved to GA in v1.25. The feature provides support for capacity isolation of local ephemeral storage between pods, such as `emptyDir` volumes, so that a pod can be hard limited in its consumption of shared resources. The kubelet will evicting Pods if consumption of local ephemeral storage exceeds the configured limit. The feature gate, `LocalStorageCapacityIsolation`, will be removed in the v.127 release.
+
+### Removal of `NetworkPolicyEndPort` feature gate
+
+The v1.25 release of Kubernetes promoted `endPort` in NetworkPolicy to GA. NetworkPolicy providers that support the `endPort` field that can be used to specify a range of ports to apply a NetworkPolicy. Previously, each NetworkPolicy could only target a single port. So the feature gate `NetworkPolicyEndPort` will be removed in this release.
+
+Please be aware that `endPort` field must be supported by the Network Policy provider. If your provider does not support endPort, and this field is specified in a Network Policy, the Network Policy will be created covering only the port field (single port)
+
+### Removal of `StatefulSetMinReadySeconds` feature gate
+
+For a pod that is part of a StatefulSet, Kubernetes can mark the Pod ready only if Pod is available (and passing checks) for at least the period you specify in [`minReadySeconds`](/docs/concepts/workloads/controllers/statefulset/#minimum-ready-seconds). The feature became generally available in Kubernetes v1.25, and the `StatefulSetMinReadySeconds` feature gate will be locked to true and removed in the v1.27 release.
+
+### Removal of `IdentifyPodOS` feature gate
+
+You can specify the operating system for a Pod, and the feature support for that is stable since the v1.25 release. The `IdentifyPodOS` feature gate will be removed for Kubernetes v1.27.
+
+### Removal of `DaemonSetUpdateSurge` feature gate
+
+The v1.25 release of Kubernetes also stabilised surge support for DaemonSet pods, implemented in order to minimize DaemonSet downtime during rollouts. The `DaemonSetUpdateSurge` feature gate will be removed in Kubernetes v1.27.
+
+## Looking ahead
+
+The official list of [API removals](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-29) planned for Kubernetes v1.29 includes:
+
+- The `flowcontrol.apiserver.k8s.io/v1beta2` API version of FlowSchema and PriorityLevelConfiguration will no longer be served in v1.29.
+
+## Want to know more?
+
+Deprecations are announced in the Kubernetes release notes. You can see the announcements of pending deprecations in the release notes for:
+
+- [Kubernetes v1.23](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#deprecation)
+
+- [Kubernetes v1.24](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#deprecation)
+
+- [Kubernetes v1.25](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#deprecation)
+
+- [Kubernetes v1.26](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#deprecation)
+
+We will formally announce the deprecations that come with [Kubernetes v1.27](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#deprecation) as part of the CHANGELOG for that release.
+
+For information on the process of deprecation and removal, check out the official Kubernetes [deprecation policy](/docs/reference/using-api/deprecation-policy/#deprecating-parts-of-the-api) document.
\ No newline at end of file

From 97a74213440df066824c6e45ed237ee3a49b7e85 Mon Sep 17 00:00:00 2001
From: howieyuen <howieyuen@outlook.com>
Date: Fri, 17 Mar 2023 17:18:27 +0800
Subject: [PATCH 177/215] [zh-cn] sync storage-classes.md in concepts

---
 .../docs/concepts/storage/storage-classes.md  | 35 ++++++++++---------
 1 file changed, 18 insertions(+), 17 deletions(-)

diff --git a/content/zh-cn/docs/concepts/storage/storage-classes.md b/content/zh-cn/docs/concepts/storage/storage-classes.md
index c67f589dfbe68..25e1d6d1eabad 100644
--- a/content/zh-cn/docs/concepts/storage/storage-classes.md
+++ b/content/zh-cn/docs/concepts/storage/storage-classes.md
@@ -100,25 +100,25 @@ for provisioning PVs. This field must be specified.
 该字段必须指定。
 
 <!--
-| Volume Plugin        | Internal Provisioner| Config Example                       |
+| Volume Plugin        | Internal Provisioner |            Config Example             |
 -->
 
-| 卷插件               | 内置制备器 |               配置例子                |
-| :------------------- | :--------: | :-----------------------------------: |
-| AWSElasticBlockStore |  &#x2713;  |          [AWS EBS](#aws-ebs)          |
-| AzureFile            |  &#x2713;  |       [Azure File](#azure-文件)       |
-| AzureDisk            |  &#x2713;  |       [Azure Disk](#azure-磁盘)       |
-| CephFS               |     -      |                   -                   |
-| Cinder               |  &#x2713;  | [OpenStack Cinder](#openstack-cinder) |
-| FC                   |     -      |                   -                   |
-| FlexVolume           |     -      |                   -                   |
-| GCEPersistentDisk    |  &#x2713;  |           [GCE PD](#gce-pd)           |
-| iSCSI                |     -      |                   -                   |
-| NFS                  |     -      |              [NFS](#nfs)              |
-| RBD                  |  &#x2713;  |         [Ceph RBD](#ceph-rbd)         |
-| VsphereVolume        |  &#x2713;  |          [vSphere](#vsphere)          |
-| PortworxVolume       |  &#x2713;  |    [Portworx Volume](#portworx-卷)    |
-| Local                |     -      |            [Local](#本地)             |
+| 卷插件                | 内置制备器             |               配置示例                 |
+| :------------------- | :------------------: | :-----------------------------------: |
+| AWSElasticBlockStore |       &#x2713;       |          [AWS EBS](#aws-ebs)          |
+| AzureFile            |       &#x2713;       |       [Azure File](#azure-file)       |
+| AzureDisk            |       &#x2713;       |       [Azure Disk](#azure-disk)       |
+| CephFS               |          -           |                   -                   |
+| Cinder               |       &#x2713;       | [OpenStack Cinder](#openstack-cinder) |
+| FC                   |          -           |                   -                   |
+| FlexVolume           |          -           |                   -                   |
+| GCEPersistentDisk    |       &#x2713;       |           [GCE PD](#gce-pd)           |
+| iSCSI                |          -           |                   -                   |
+| NFS                  |          -           |              [NFS](#nfs)              |
+| RBD                  |       &#x2713;       |         [Ceph RBD](#ceph-rbd)         |
+| VsphereVolume        |       &#x2713;       |          [vSphere](#vsphere)          |
+| PortworxVolume       |       &#x2713;       |  [Portworx Volume](#portworx-volume)  |
+| Local                |          -           |            [Local](#local)            |
 
 <!--
 You are not restricted to specifying the "internal" provisioners
@@ -563,6 +563,7 @@ parameters:
 <!--
 Kubernetes doesn't include an internal NFS provisioner. You need to use an external provisioner to create a StorageClass for NFS.
 Here are some examples:
+
 * [NFS Ganesha server and external provisioner](https://github.com/kubernetes-sigs/nfs-ganesha-server-and-external-provisioner)
 * [NFS subdir external provisioner](https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner)
 -->

From 4ee76685bb9c4a4ad50007e4923c07bf2a7a140a Mon Sep 17 00:00:00 2001
From: SSmallMonster <mingming.zhou@daocloud.io>
Date: Fri, 17 Mar 2023 19:24:51 +0800
Subject: [PATCH 178/215] [zh] sync scheduling-gpus.md

Signed-off-by: SSmallMonster <mingming.zhou@daocloud.io>
---
 .../docs/tasks/manage-gpus/scheduling-gpus.md | 86 +------------------
 1 file changed, 3 insertions(+), 83 deletions(-)

diff --git a/content/zh-cn/docs/tasks/manage-gpus/scheduling-gpus.md b/content/zh-cn/docs/tasks/manage-gpus/scheduling-gpus.md
index a6096153ac533..434ca71c48317 100644
--- a/content/zh-cn/docs/tasks/manage-gpus/scheduling-gpus.md
+++ b/content/zh-cn/docs/tasks/manage-gpus/scheduling-gpus.md
@@ -145,87 +145,7 @@ At the moment, that controller can add labels for:
 如果你在使用 AMD GPU，你可以部署
 [Node Labeller](https://github.com/RadeonOpenCompute/k8s-device-plugin/tree/master/cmd/k8s-node-labeller)，
 它是一个 {{< glossary_tooltip text="控制器" term_id="controller" >}}，
-会自动给节点打上 GPU 设备属性标签。目前支持的属性：
-
-<!--
-* Device ID (-device-id)
-* VRAM Size (-vram)
-* Number of SIMD (-simd-count)
-* Number of Compute Unit (-cu-count)
-* Firmware and Feature Versions (-firmware)
-* GPU Family, in two letters acronym (-family)
-  * SI - Southern Islands
-  * CI - Sea Islands
-  * KV - Kaveri
-  * VI - Volcanic Islands
-  * CZ - Carrizo
-  * AI - Arctic Islands
-  * RV - Raven
---->
-* 设备 ID (-device-id)
-* VRAM 大小 (-vram)
-* SIMD 数量(-simd-count)
-* 计算单位数量(-cu-count)
-* 固件和特性版本 (-firmware)
-* GPU 系列，两个字母的首字母缩写(-family)
-  * SI - Southern Islands
-  * CI - Sea Islands
-  * KV - Kaveri
-  * VI - Volcanic Islands
-  * CZ - Carrizo
-  * AI - Arctic Islands
-  * RV - Raven
-
-```shell
-kubectl describe node cluster-node-23
-```
-
-```
-Name:               cluster-node-23
-Roles:              <none>
-Labels:             beta.amd.com/gpu.cu-count.64=1
-                    beta.amd.com/gpu.device-id.6860=1
-                    beta.amd.com/gpu.family.AI=1
-                    beta.amd.com/gpu.simd-count.256=1
-                    beta.amd.com/gpu.vram.16G=1
-                    kubernetes.io/arch=amd64
-                    kubernetes.io/os=linux
-                    kubernetes.io/hostname=cluster-node-23
-Annotations:        node.alpha.kubernetes.io/ttl: 0
-…
-```
-
-<!--
-With the Node Labeller in use, you can specify the GPU type in the Pod spec:
--->
-使用了 Node Labeller 的时候，你可以在 Pod 的规约中指定 GPU 的类型：
-
-```yaml
-apiVersion: v1
-kind: Pod
-metadata:
-  name: cuda-vector-add
-spec:
-  restartPolicy: OnFailure
-  containers:
-    - name: cuda-vector-add
-      # https://github.com/kubernetes/kubernetes/blob/v1.7.11/test/images/nvidia-cuda/Dockerfile
-      image: "registry.k8s.io/cuda-vector-add:v0.1"
-      resources:
-        limits:
-          nvidia.com/gpu: 1
-  affinity:
-    nodeAffinity:
-      requiredDuringSchedulingIgnoredDuringExecution:
-        nodeSelectorTerms:
-        – matchExpressions:
-          – key: beta.amd.com/gpu.family.AI # Arctic Islands GPU 系列
-            operator: Exist
-```
-
-<!--
-This ensures that the Pod will be scheduled to a node that has the GPU type
-you specified.
--->
-这能够保证 Pod 能够被调度到你所指定类型的 GPU 的节点上去。
+会自动给节点打上 GPU 设备属性标签。
 
+对于 NVIDIA GPU，[GPU feature discovery](https://github.com/NVIDIA/gpu-feature-discovery/blob/main/README.md)
+提供了类似功能。

From 33661d986e46b2c31f90690722066b7127aa0f6b Mon Sep 17 00:00:00 2001
From: SSmallMonster <mingming.zhou@daocloud.io>
Date: Fri, 17 Mar 2023 20:52:06 +0800
Subject: [PATCH 179/215] [zh-cn] sync distribute-credentials-secure.md

Signed-off-by: SSmallMonster <mingming.zhou@daocloud.io>
---
 .../distribute-credentials-secure.md          | 82 +++++++++----------
 1 file changed, 41 insertions(+), 41 deletions(-)

diff --git a/content/zh-cn/docs/tasks/inject-data-application/distribute-credentials-secure.md b/content/zh-cn/docs/tasks/inject-data-application/distribute-credentials-secure.md
index f7da3953ba371..4ec2aa6864818 100644
--- a/content/zh-cn/docs/tasks/inject-data-application/distribute-credentials-secure.md
+++ b/content/zh-cn/docs/tasks/inject-data-application/distribute-credentials-secure.md
@@ -269,13 +269,13 @@ When you deploy this Pod, the following happens:
 当你部署此 Pod 时，会发生以下情况：
 
 <!--
-* The `username` key from `mysecret` is available to the container at the path
+- The `username` key from `mysecret` is available to the container at the path
   `/etc/foo/my-group/my-username` instead of at `/etc/foo/username`.
-* The `password` key from that Secret object is not projected.
+- The `password` key from that Secret object is not projected.
 -->
-* 来自 `mysecret` 的键 `username` 可以在路径 `/etc/foo/my-group/my-username`
+- 来自 `mysecret` 的键 `username` 可以在路径 `/etc/foo/my-group/my-username`
   下供容器使用，而不是路径 `/etc/foo/username`。
-* 来自该 Secret 的键 `password` 没有映射到任何路径。
+- 来自该 Secret 的键 `password` 没有映射到任何路径。
 
 <!--
 If you list keys explicitly using `.spec.volumes[].secret.items`, consider the
@@ -285,15 +285,15 @@ following:
 如果你使用 `.spec.volumes[].secret.items` 明确地列出键，请考虑以下事项：
 
 <!--
-* Only keys specified in `items` are projected.
-* To consume all keys from the Secret, all of them must be listed in the
+- Only keys specified in `items` are projected.
+- To consume all keys from the Secret, all of them must be listed in the
   `items` field.
-* All listed keys must exist in the corresponding Secret. Otherwise, the volume
+- All listed keys must exist in the corresponding Secret. Otherwise, the volume
   is not created.
 -->
-* 只有在 `items` 字段中指定的键才会被映射。
-* 要使用 Secret 中全部的键，那么全部的键都必须列在 `items` 字段中。
-* 所有列出的键必须存在于相应的 Secret 中。否则，该卷不被创建。
+- 只有在 `items` 字段中指定的键才会被映射。
+- 要使用 Secret 中全部的键，那么全部的键都必须列在 `items` 字段中。
+- 所有列出的键必须存在于相应的 Secret 中。否则，该卷不被创建。
 
 <!--
 ### Set POSIX permissions for Secret keys
@@ -379,34 +379,34 @@ secrets change.
 ### 使用来自 Secret 中的数据定义容器变量   {#define-a-container-env-var-with-data-from-a-single-secret}
 
 <!--
-* Define an environment variable as a key-value pair in a Secret:
+- Define an environment variable as a key-value pair in a Secret:
 -->
-* 定义环境变量为 Secret 中的键值偶对：
+- 定义环境变量为 Secret 中的键值偶对：
 
   ```shell
   kubectl create secret generic backend-user --from-literal=backend-username='backend-admin'
   ```
 
 <!--
-*  Assign the `backend-username` value defined in the Secret to the `SECRET_USERNAME` environment variable in the Pod specification.
+- Assign the `backend-username` value defined in the Secret to the `SECRET_USERNAME` environment variable in the Pod specification.
 -->
-* 在 Pod 规约中，将 Secret 中定义的值 `backend-username` 赋给 `SECRET_USERNAME` 环境变量。
+- 在 Pod 规约中，将 Secret 中定义的值 `backend-username` 赋给 `SECRET_USERNAME` 环境变量。
 
   {{< codenew file="pods/inject/pod-single-secret-env-variable.yaml" >}}
 
 <!--
-*  Create the Pod:
+- Create the Pod:
 -->
-* 创建 Pod：
+- 创建 Pod：
 
   ```shell
   kubectl create -f https://k8s.io/examples/pods/inject/pod-single-secret-env-variable.yaml
   ```
 
 <!--
-*  In your shell, display the content of `SECRET_USERNAME` container environment variable
+- In your shell, display the content of `SECRET_USERNAME` container environment variable
 -->
-* 在 Shell 中，显示容器环境变量 `SECRET_USERNAME` 的内容：
+- 在 Shell 中，显示容器环境变量 `SECRET_USERNAME` 的内容：
 
   ```shell
   kubectl exec -i -t env-single-secret -- /bin/sh -c 'echo $SECRET_USERNAME'
@@ -426,9 +426,9 @@ secrets change.
 ### 使用来自多个 Secret 的数据定义环境变量   {#define-container-env-var-with-data-from-multi-secrets}
 
 <!--
-*  As with the previous example, create the Secrets first.
+- As with the previous example, create the Secrets first.
 -->
-* 和前面的例子一样，先创建 Secret：
+- 和前面的例子一样，先创建 Secret：
 
   ```shell
   kubectl create secret generic backend-user --from-literal=backend-username='backend-admin'
@@ -436,25 +436,25 @@ secrets change.
   ```
 
 <!--
-*  Define the environment variables in the Pod specification.
+- Define the environment variables in the Pod specification.
 -->
-* 在 Pod 规约中定义环境变量：
+- 在 Pod 规约中定义环境变量：
 
   {{< codenew file="pods/inject/pod-multiple-secret-env-variable.yaml" >}}
 
 <!--
-*  Create the Pod:
+- Create the Pod:
 -->
-* 创建 Pod：
+- 创建 Pod：
 
   ```shell
   kubectl create -f https://k8s.io/examples/pods/inject/pod-multiple-secret-env-variable.yaml
   ```
 
 <!--
-*  In your shell, display the container environment variables
+- In your shell, display the container environment variables
 -->
-* 在你的 Shell 中，显示容器环境变量的内容：
+- 在你的 Shell 中，显示容器环境变量的内容：
 
   ```shell
   kubectl exec -i -t envvars-multiple-secrets -- /bin/sh -c 'env | grep _USERNAME'
@@ -481,35 +481,35 @@ This functionality is available in Kubernetes v1.6 and later.
 {{< /note >}}
 
 <!--
-*  Create a Secret containing multiple key-value pairs
+- Create a Secret containing multiple key-value pairs
 -->
-* 创建包含多个键值偶对的 Secret：
+- 创建包含多个键值偶对的 Secret：
 
   ```shell
   kubectl create secret generic test-secret --from-literal=username='my-app' --from-literal=password='39528$vdg7Jb'
   ```
 
 <!--
-*  Use envFrom to define all of the Secret's data as container environment variables. The key from the Secret becomes the environment variable name in the Pod.
+- Use envFrom to define all of the Secret's data as container environment variables. The key from the Secret becomes the environment variable name in the Pod.
 -->
-* 使用 `envFrom` 来将 Secret 中的所有数据定义为环境变量。
+- 使用 `envFrom` 来将 Secret 中的所有数据定义为环境变量。
   Secret 中的键名成为容器中的环境变量名：
 
   {{< codenew file="pods/inject/pod-secret-envFrom.yaml" >}}
 
 <!--
-*  Create the Pod:
+- Create the Pod:
 -->
-* 创建 Pod：
+- 创建 Pod：
 
   ```shell
   kubectl create -f https://k8s.io/examples/pods/inject/pod-secret-envFrom.yaml
   ```
 
 <!--
-* In your shell, display `username` and `password` container environment variables
+- In your shell, display `username` and `password` container environment variables
 -->
-* 在 Shell 中，显示环境变量 `username` 和 `password` 的内容：
+- 在 Shell 中，显示环境变量 `username` 和 `password` 的内容：
 
   ```shell
   kubectl exec -i -t envfrom-secret -- /bin/sh -c 'echo "username: $username\npassword: $password\n"'
@@ -530,15 +530,15 @@ This functionality is available in Kubernetes v1.6 and later.
 -->
 ### 参考   {#references}
 
-* [Secret](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#secret-v1-core)
-* [Volume](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#volume-v1-core)
-* [Pod](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#pod-v1-core)
+- [Secret](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#secret-v1-core)
+- [Volume](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#volume-v1-core)
+- [Pod](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#pod-v1-core)
 
 ## {{% heading "whatsnext" %}}
 
 <!--
-* Learn more about [Secrets](/docs/concepts/configuration/secret/).
-* Learn about [Volumes](/docs/concepts/storage/volumes/).
+- Learn more about [Secrets](/docs/concepts/configuration/secret/).
+- Learn about [Volumes](/docs/concepts/storage/volumes/).
 -->
-* 进一步了解 [Secret](/zh-cn/docs/concepts/configuration/secret/)。
-* 了解[卷](/zh-cn/docs/concepts/storage/volumes/)。
+- 进一步了解 [Secret](/zh-cn/docs/concepts/configuration/secret/)。
+- 了解[卷](/zh-cn/docs/concepts/storage/volumes/)。

From 7a44ed71dda71cc391de45a30df0514d7417db9b Mon Sep 17 00:00:00 2001
From: Benedikt Rollik <brollik@online.net>
Date: Fri, 17 Mar 2023 14:47:39 +0100
Subject: [PATCH 180/215] updated kubecon dates

---
 content/de/_index.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/de/_index.html b/content/de/_index.html
index b1bc57459cdbf..1a52e47fb5cb7 100644
--- a/content/de/_index.html
+++ b/content/de/_index.html
@@ -42,12 +42,12 @@ <h2>Die Herausforderungen bei der Migration von über 150 Microservices auf Kube
         <button id="desktopShowVideoButton" onclick="kub.showVideo()">Video ansehen</button>
         <br>
         <br>
-        <a href="https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/" button id="desktopKCButton">Besuchen die KubeCon North America vom 24. bis 28. Oktober 2022</a>
+        <a href="https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/" button id="desktopKCButton">Besuche die KubeCon Europe vom 18. bis 21. April 2023</a>
         <br>
         <br>
         <br>
         <br>
-        <a href="https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/" button id="desktopKCButton">Besuche die KubeCon Europe vom 17. bis 21. April 2023</a>
+        <a href="https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/" button id="desktopKCButton">Besuchen die KubeCon North America vom 6. bis 9. November 2023</a>
 </div>
 <div id="videoPlayer">
     <iframe data-url="https://www.youtube.com/embed/H06qrNmGqyE?autoplay=1" frameborder="0" allowfullscreen></iframe>

From 4d97e89b29d193e9d62c4e492e6c8508de392ca2 Mon Sep 17 00:00:00 2001
From: Benedikt Rollik <brollik@scaleway.com>
Date: Fri, 17 Mar 2023 14:53:26 +0100
Subject: [PATCH 181/215] Update content/de/_index.html

---
 content/de/_index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/de/_index.html b/content/de/_index.html
index 1a52e47fb5cb7..ab7427938fafa 100644
--- a/content/de/_index.html
+++ b/content/de/_index.html
@@ -47,7 +47,7 @@ <h2>Die Herausforderungen bei der Migration von über 150 Microservices auf Kube
         <br>
         <br>
         <br>
-        <a href="https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/" button id="desktopKCButton">Besuchen die KubeCon North America vom 6. bis 9. November 2023</a>
+        <a href="https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/" button id="desktopKCButton">Besuche die KubeCon North America vom 6. bis 9. November 2023</a>
 </div>
 <div id="videoPlayer">
     <iframe data-url="https://www.youtube.com/embed/H06qrNmGqyE?autoplay=1" frameborder="0" allowfullscreen></iframe>

From ccbdf735ad7fa254292334c40ab50256546b9823 Mon Sep 17 00:00:00 2001
From: Tim Bannister <tim@scalefactory.com>
Date: Fri, 17 Mar 2023 14:00:57 +0000
Subject: [PATCH 182/215] Adjust publication date / time

---
 .../2023-03-17-kubernetes-1.27-deprecations-and-removals.md     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/blog/_posts/2023-03-17-kubernetes-1.27-deprecations-and-removals.md b/content/en/blog/_posts/2023-03-17-kubernetes-1.27-deprecations-and-removals.md
index e68399df49b60..56d2c4ede9dcc 100644
--- a/content/en/blog/_posts/2023-03-17-kubernetes-1.27-deprecations-and-removals.md
+++ b/content/en/blog/_posts/2023-03-17-kubernetes-1.27-deprecations-and-removals.md
@@ -1,7 +1,7 @@
 ---
 layout: blog
 title: "Kubernetes Removals and Major Changes In v1.27"
-date: 2023-03-17
+date: 2023-03-17T14:00:00+0000
 slug: upcoming-changes-in-kubernetes-v1-27
 ---
 

From cbc6a8a1f1ae1bdc9e8c8a56d2dc32a21d320fb8 Mon Sep 17 00:00:00 2001
From: ydFu <ader.ydfu@gmail.com>
Date: Fri, 17 Mar 2023 22:47:03 +0800
Subject: [PATCH 183/215] Update Kubernetes version information to the
 corrected

Signed-off-by: ydFu <ader.ydfu@gmail.com>
---
 ...7-kubernetes-1.27-deprecations-and-removals.md | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/content/en/blog/_posts/2023-03-17-kubernetes-1.27-deprecations-and-removals.md b/content/en/blog/_posts/2023-03-17-kubernetes-1.27-deprecations-and-removals.md
index 56d2c4ede9dcc..abfb226abe276 100644
--- a/content/en/blog/_posts/2023-03-17-kubernetes-1.27-deprecations-and-removals.md
+++ b/content/en/blog/_posts/2023-03-17-kubernetes-1.27-deprecations-and-removals.md
@@ -69,10 +69,9 @@ The following feature gates for [volume expansion](https://github.com/kubernetes
 
 ### Removal of `--master-service-namespace` command line argument
 
-The kube-apiserver accepts a deprecated command line argument,  `--master-service-namespace`, that specified where to create the Service named `kubernetes`
+The kube-apiserver accepts a deprecated command line argument, `--master-service-namespace`, that specified where to create the Service named `kubernetes`
 to represent the API server.
-Kubernetes v1.27 will remove that argument, which has been deprecated since the v1.6
-release.
+Kubernetes v1.27 will remove that argument, which has been deprecated since the v1.26 release.
 
 ### Removal of the `ControllerManagerLeaderMigration` feature gate
 
@@ -84,7 +83,7 @@ The `ControllerManagerLeaderMigration` feature, GA since v1.24, is unconditional
 
 The kube-controller-manager command line argument `--enable-taint-manager` is deprecated, and will be removed in Kubernetes v1.27. The feature that it supports, [taint based eviction](/docs/concepts/scheduling-eviction/taint-and-toleration/#taint-based-evictions),
 is already enabled by default and will continue to be implicitly enabled when the flag is removed.
-    
+
 ### Removal of `--pod-eviction-timeout` command line argument
 	
 The deprecated command line argument `--pod-eviction-timeout` will be removed from the
@@ -103,15 +102,15 @@ The [CSI Ephemeral Volume](https://github.com/kubernetes/kubernetes/pull/111258)
 
 [Ephemeral containers](/docs/concepts/workloads/pods/ephemeral-containers/) graduated to GA in v1.25. These are containers with a temporary duration that executes within namespaces of an existing pod. Ephemeral containers are typically initiated by a user in order to observe the state of other pods and containers for troubleshooting and debugging purposes. For Kubernetes v1.27, API support for ephemeral containers is unconditionally enabled; the `EphemeralContainers` feature gate will be removed.
 
-### Removal of `LocalStorageCapacityIsolation`  feature gate
+### Removal of `LocalStorageCapacityIsolation` feature gate
 
-The [Local Ephemeral Storage Capacity Isolation](https://github.com/kubernetes/kubernetes/pull/111513) feature moved to GA in v1.25. The feature provides support for capacity isolation of local ephemeral storage between pods, such as `emptyDir` volumes, so that a pod can be hard limited in its consumption of shared resources. The kubelet will evicting Pods if consumption of local ephemeral storage exceeds the configured limit. The feature gate, `LocalStorageCapacityIsolation`, will be removed in the v.127 release.
+The [Local Ephemeral Storage Capacity Isolation](https://github.com/kubernetes/kubernetes/pull/111513) feature moved to GA in v1.25. The feature provides support for capacity isolation of local ephemeral storage between pods, such as `emptyDir` volumes, so that a pod can be hard limited in its consumption of shared resources. The kubelet will evicting Pods if consumption of local ephemeral storage exceeds the configured limit. The feature gate, `LocalStorageCapacityIsolation`, will be removed in the v1.27 release.
 
 ### Removal of `NetworkPolicyEndPort` feature gate
 
 The v1.25 release of Kubernetes promoted `endPort` in NetworkPolicy to GA. NetworkPolicy providers that support the `endPort` field that can be used to specify a range of ports to apply a NetworkPolicy. Previously, each NetworkPolicy could only target a single port. So the feature gate `NetworkPolicyEndPort` will be removed in this release.
 
-Please be aware that `endPort` field must be supported by the Network Policy provider. If your provider does not support endPort, and this field is specified in a Network Policy, the Network Policy will be created covering only the port field (single port)
+Please be aware that `endPort` field must be supported by the Network Policy provider. If your provider does not support `endPort`, and this field is specified in a Network Policy, the Network Policy will be created covering only the port field (single port).
 
 ### Removal of `StatefulSetMinReadySeconds` feature gate
 
@@ -145,4 +144,4 @@ Deprecations are announced in the Kubernetes release notes. You can see the anno
 
 We will formally announce the deprecations that come with [Kubernetes v1.27](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#deprecation) as part of the CHANGELOG for that release.
 
-For information on the process of deprecation and removal, check out the official Kubernetes [deprecation policy](/docs/reference/using-api/deprecation-policy/#deprecating-parts-of-the-api) document.
\ No newline at end of file
+For information on the process of deprecation and removal, check out the official Kubernetes [deprecation policy](/docs/reference/using-api/deprecation-policy/#deprecating-parts-of-the-api) document.

From dc82455d8d33e827af0d5073c68f4aecce23ba03 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Mudrini=C4=87?= <mudrinic.mare@gmail.com>
Date: Fri, 17 Mar 2023 21:46:44 +0100
Subject: [PATCH 184/215] Add March patch releases to the releases calendar
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Marko Mudrinić <mudrinic.mare@gmail.com>
---
 content/en/releases/patch-releases.md |  1 -
 data/releases/schedule.yaml           | 27 ++++++++++++++++++---------
 2 files changed, 18 insertions(+), 10 deletions(-)

diff --git a/content/en/releases/patch-releases.md b/content/en/releases/patch-releases.md
index 874193f3283e9..1347042d686da 100644
--- a/content/en/releases/patch-releases.md
+++ b/content/en/releases/patch-releases.md
@@ -78,7 +78,6 @@ releases may also occur in between these.
 
 | Monthly Patch Release | Cherry Pick Deadline | Target date |
 | --------------------- | -------------------- | ----------- |
-| March 2023            | 2023-03-10           | 2023-03-15  |
 | April 2023            | 2023-04-07           | 2023-04-12  |
 | May 2023              | 2023-05-12           | 2023-05-17  |
 | June 2023             | 2023-06-09           | 2023-06-14  |
diff --git a/data/releases/schedule.yaml b/data/releases/schedule.yaml
index c1cc1a8af052d..16f1526065f8f 100644
--- a/data/releases/schedule.yaml
+++ b/data/releases/schedule.yaml
@@ -4,10 +4,13 @@ schedules:
   maintenanceModeStartDate: 2023-12-28
   endOfLifeDate: 2024-02-28
   next:
-    release: 1.26.3
-    cherryPickDeadline: 2023-03-10
-    targetDate: 2023-03-15
+    release: 1.26.4
+    cherryPickDeadline: 2023-04-07
+    targetDate: 2023-04-12
   previousPatches:
+    - release: 1.26.3
+      cherryPickDeadline: 2023-03-10
+      targetDate: 2023-03-15
     - release: 1.26.2
       cherryPickDeadline: 2023-02-10
       targetDate: 2023-02-15
@@ -24,10 +27,13 @@ schedules:
   maintenanceModeStartDate: 2023-08-28
   endOfLifeDate: 2023-10-28
   next:
-    release: 1.25.8
-    cherryPickDeadline: 2023-03-10
-    targetDate: 2023-03-15
+    release: 1.25.9
+    cherryPickDeadline: 2023-04-07
+    targetDate: 2023-04-12
   previousPatches:
+    - release: 1.25.8
+      cherryPickDeadline: 2023-03-10
+      targetDate: 2023-03-15
     - release: 1.25.7
       cherryPickDeadline: 2023-02-10
       targetDate: 2023-02-15
@@ -63,10 +69,13 @@ schedules:
   maintenanceModeStartDate: 2023-05-28
   endOfLifeDate: 2023-07-28
   next:
-    release: 1.24.12
-    cherryPickDeadline: 2023-03-10
-    targetDate: 2023-03-15
+    release: 1.24.13
+    cherryPickDeadline: 2023-04-07
+    targetDate: 2023-04-12
   previousPatches:
+    - release: 1.24.12
+      cherryPickDeadline: 2023-03-10
+      targetDate: 2023-03-15
     - release: 1.24.11
       cherryPickDeadline: 2023-02-10
       targetDate: 2023-02-15

From 8f3b767fcc74aceb6aa3e0f032ffb9538207b5b7 Mon Sep 17 00:00:00 2001
From: k0rventen <corentin.farque@axians.com>
Date: Fri, 17 Mar 2023 21:54:18 +0100
Subject: [PATCH 185/215] add french translation for task 'Define Dependent
 Environment Variables'

---
 ...ne-interdependent-environment-variables.md | 83 +++++++++++++++++++
 .../pods/inject/dependent-envars.yaml         | 26 ++++++
 2 files changed, 109 insertions(+)
 create mode 100644 content/fr/docs/tasks/inject-data-application/define-interdependent-environment-variables.md
 create mode 100644 content/fr/examples/pods/inject/dependent-envars.yaml

diff --git a/content/fr/docs/tasks/inject-data-application/define-interdependent-environment-variables.md b/content/fr/docs/tasks/inject-data-application/define-interdependent-environment-variables.md
new file mode 100644
index 0000000000000..73bf9afa94801
--- /dev/null
+++ b/content/fr/docs/tasks/inject-data-application/define-interdependent-environment-variables.md
@@ -0,0 +1,83 @@
+---
+title: Définir des variables d'environnement dépendantes
+content_type: task
+weight: 20
+---
+
+<!-- overview -->
+
+Cette page montre comment définir des variables d'environnement 
+interdépendantes pour un container dans un Pod Kubernetes.
+
+
+## {{% heading "prerequisites" %}}
+
+
+{{< include "task-tutorial-prereqs.md" >}}
+
+
+<!-- steps -->
+
+## Définir une variable d'environnement dépendante pour un container
+
+Lorsque vous créez un Pod, vous pouvez configurer des variables d'environnement interdépendantes pour les containers exécutés dans un Pod.
+Pour définir une variable d'environnement dépendante, vous pouvez utiliser le format $(VAR_NAME) dans le champ `value` de la spécification `env` dans le fichier de configuration.
+
+Dans cette exercice, vous allez créer un Pod qui exécute un container. Le fichier de configuration de ce Pod définit des variables d'environnement interdépendantes avec une ré-utilisation entre les différentes variables. Voici le fichier de configuration de ce Pod:
+
+{{< codenew file="pods/inject/dependent-envars.yaml" >}}
+
+1. Créez un Pod en utilisant ce fichier de configuration:
+
+   ```shell
+   kubectl apply -f https://k8s.io/examples/pods/inject/dependent-envars.yaml
+   ```
+   ```
+   pod/dependent-envars-demo created
+   ```
+
+2. Listez le Pod:
+
+   ```shell
+   kubectl get pods dependent-envars-demo
+   ```
+   ```
+   NAME                      READY     STATUS    RESTARTS   AGE
+   dependent-envars-demo     1/1       Running   0          9s
+   ```
+
+3. Affichez les logs pour le container exécuté dans votre Pod:
+
+   ```shell
+   kubectl logs pod/dependent-envars-demo
+   ```
+   ```
+
+   UNCHANGED_REFERENCE=$(PROTOCOL)://172.17.0.1:80
+   SERVICE_ADDRESS=https://172.17.0.1:80
+   ESCAPED_REFERENCE=$(PROTOCOL)://172.17.0.1:80
+   ```
+
+Comme montré ci-dessus, vous avez défini une dépendance correcte pour `SERVICE_ADDRESS`, une dépendance manquante pour `UNCHANGED_REFERENCE`, et avez ignoré la dépendance pour `ESCAPED_REFERENCE`.
+
+Lorsqu'une variable d'environnement est déja définie alors 
+qu'elle est référencée par une autre variable, la référence s'effectue
+correctement, comme dans l'exemple de `SERVICE_ADDRESS`.
+
+Il est important de noter que l'ordre dans la liste `env` est important. 
+Une variable d'environnement ne sera pas considérée comme "définie" 
+si elle est spécifiée plus bas dans la liste. C'est pourquoi
+`UNCHANGED_REFERENCE` ne résout pas correctement `$(PROTOCOL)` dans l'exemple précédent.
+
+Lorsque la variable d'environnement n'est pas définie, ou n'inclut qu'une partie des variables, la variable non définie sera traitée comme une chaine de caractères, par exemple `UNCHANGED_REFERENCE`. Notez que les variables d'environnement malformées n'empêcheront généralement pas le démarrage du conteneur.
+
+La syntaxe `$(VAR_NAME)` peut être échappée avec un double `$`, par exemple `$$(VAR_NAME)`.
+Les références échappées ne sont jamais développées, que la variable référencée
+soit définie ou non. C'est le cas pour l'exemple `ESCAPED_REFERENCE` ci-dessus.
+
+## {{% heading "whatsnext" %}}
+
+
+* En savoir plus sur les [variables d'environnement](/docs/tasks/inject-data-application/environment-variable-expose-pod-information/).
+* Lire la documentation pour [EnvVarSource](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#envvarsource-v1-core).
+
diff --git a/content/fr/examples/pods/inject/dependent-envars.yaml b/content/fr/examples/pods/inject/dependent-envars.yaml
new file mode 100644
index 0000000000000..67d07098baec6
--- /dev/null
+++ b/content/fr/examples/pods/inject/dependent-envars.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: dependent-envars-demo
+spec:
+  containers:
+    - name: dependent-envars-demo
+      args:
+        - while true; do echo -en '\n'; printf UNCHANGED_REFERENCE=$UNCHANGED_REFERENCE'\n'; printf SERVICE_ADDRESS=$SERVICE_ADDRESS'\n';printf ESCAPED_REFERENCE=$ESCAPED_REFERENCE'\n'; sleep 30; done;
+      command:
+        - sh
+        - -c
+      image: busybox:1.28
+      env:
+        - name: SERVICE_PORT
+          value: "80"
+        - name: SERVICE_IP
+          value: "172.17.0.1"
+        - name: UNCHANGED_REFERENCE
+          value: "$(PROTOCOL)://$(SERVICE_IP):$(SERVICE_PORT)"
+        - name: PROTOCOL
+          value: "https"
+        - name: SERVICE_ADDRESS
+          value: "$(PROTOCOL)://$(SERVICE_IP):$(SERVICE_PORT)"
+        - name: ESCAPED_REFERENCE
+          value: "$$(PROTOCOL)://$(SERVICE_IP):$(SERVICE_PORT)"

From dd089f44e89fc22b2036c9f8f8a82c5c5dd2c5e0 Mon Sep 17 00:00:00 2001
From: windsonsea <haifeng.yao@daocloud.io>
Date: Sat, 18 Mar 2023 19:31:39 +0800
Subject: [PATCH 186/215] [zh] sync files in /tasks/run-application/

---
 .../tasks/run-application/configure-pdb.md    | 67 +++++++++++--------
 .../run-application/delete-stateful-set.md    | 31 ++++++---
 .../run-application/scale-stateful-set.md     | 19 ++++--
 3 files changed, 75 insertions(+), 42 deletions(-)

diff --git a/content/zh-cn/docs/tasks/run-application/configure-pdb.md b/content/zh-cn/docs/tasks/run-application/configure-pdb.md
index 5feb2d58ca6d0..6b2da2697c265 100644
--- a/content/zh-cn/docs/tasks/run-application/configure-pdb.md
+++ b/content/zh-cn/docs/tasks/run-application/configure-pdb.md
@@ -84,7 +84,9 @@ selector goes into the PDBs `.spec.selector`.
 `.spec.selector` 字段中加入同样的选择算符。
 
 <!--
-From version 1.15 PDBs support custom controllers where the [scale subresource](/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#scale-subresource) is enabled.
+From version 1.15 PDBs support custom controllers where the
+[scale subresource](/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#scale-subresource)
+is enabled.
 -->
 从 1.15 版本开始，PDB 支持启用
 [Scale 子资源](/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#scale-subresource)
@@ -122,7 +124,8 @@ due to a voluntary disruption.
 - Multiple-instance Stateful application such as Consul, ZooKeeper, or etcd:
   - Concern: Do not reduce number of instances below quorum, otherwise writes fail.
     - Possible Solution 1: set maxUnavailable to 1 (works with varying scale of application).
-    - Possible Solution 2: set minAvailable to quorum-size (e.g. 3 when scale is 5). (Allows more disruptions at once).
+    - Possible Solution 2: set minAvailable to quorum-size (e.g. 3 when scale is 5).
+      (Allows more disruptions at once).
 - Restartable Batch Job:
   - Concern: Job needs to complete in case of voluntary disruption.
     - Possible solution: Do not create a PDB. The Job controller will create a replacement pod.
@@ -155,11 +158,12 @@ Values for `minAvailable` or `maxUnavailable` can be expressed as integers or as
 `minAvailable` 或 `maxUnavailable` 的值可以表示为整数或百分比。
 
 <!--
-- When you specify an integer, it represents a number of Pods. For instance, if you set `minAvailable` to 10, then 10
-  Pods must always be available, even during a disruption.
-- When you specify a percentage by setting the value to a string representation of a percentage (eg. `"50%"`), it represents a percentage of
-  total Pods. For instance, if you set `minAvailable` to `"50%"`, then at least 50% of the Pods remain available during a
-  disruption.
+- When you specify an integer, it represents a number of Pods. For instance, if you set
+  `minAvailable` to 10, then 10 Pods must always be available, even during a disruption.
+- When you specify a percentage by setting the value to a string representation of a
+  percentage (eg. `"50%"`), it represents a percentage of total Pods. For instance, if
+  you set `minAvailable` to `"50%"`, then at least 50% of the Pods remain available
+  during a disruption.
 -->
 - 指定整数值时，它表示 Pod 个数。例如，如果将 `minAvailable` 设置为 10，
   那么即使在干扰期间，也必须始终有 10 个 Pod 可用。
@@ -167,11 +171,13 @@ Values for `minAvailable` or `maxUnavailable` can be expressed as integers or as
   例如，如果将 `minAvailable` 设置为 `"50％"`，则干扰期间至少 50％ 的 Pod 保持可用。
 
 <!--
-When you specify the value as a percentage, it may not map to an exact number of Pods. For example, if you have 7 Pods and
-you set `minAvailable` to `"50%"`, it's not immediately obvious whether that means 3 Pods or 4 Pods must be available.
-Kubernetes rounds up to the nearest integer, so in this case, 4 Pods must be available. When you specify the value 
-`maxUnavailable` as a percentage, Kubernetes rounds up the number of Pods that may be disrupted. Thereby a disruption 
-can exceed your defined `maxUnavailable` percentage. You can examine the
+When you specify the value as a percentage, it may not map to an exact number of Pods.
+For example, if you have 7 Pods and you set `minAvailable` to `"50%"`, it's not
+immediately obvious whether that means 3 Pods or 4 Pods must be available. Kubernetes
+rounds up to the nearest integer, so in this case, 4 Pods must be available. When you
+specify the value `maxUnavailable` as a percentage, Kubernetes rounds up the number of
+Pods that may be disrupted. Thereby a disruption can exceed your defined
+`maxUnavailable` percentage. You can examine the
 [code](https://github.com/kubernetes/kubernetes/blob/23be9587a0f8677eb8091464098881df939c44a9/pkg/controller/disruption/disruption.go#L539)
 that controls this behavior.
 -->
@@ -285,8 +291,8 @@ Pod 的数量低于预算指定值。预算只能够针对自发的驱逐提供
 If you set `maxUnavailable` to 0% or 0, or you set `minAvailable` to 100% or the number of replicas,
 you are requiring zero voluntary evictions. When you set zero voluntary evictions for a workload
 object such as ReplicaSet, then you cannot successfully drain a Node running one of those Pods.
-If you try to drain a Node where an unevictable Pod is running, the drain never completes. This is permitted as per the
-semantics of `PodDisruptionBudget`.
+If you try to drain a Node where an unevictable Pod is running, the drain never completes.
+This is permitted as per the semantics of `PodDisruptionBudget`.
 -->
 如果你将 `maxUnavailable` 的值设置为 0%（或 0）或设置 `minAvailable` 值为 100%（或等于副本数）
 则会阻止所有的自愿驱逐。
@@ -409,7 +415,8 @@ status:
 <!--
 ### Healthiness of a Pod
 
-The current implementation considers healthy pods, as pods that have `.status.conditions` item with `type="Ready"` and `status="True"`.
+The current implementation considers healthy pods, as pods that have `.status.conditions`
+item with `type="Ready"` and `status="True"`.
 These pods are tracked via `.status.currentHealthy` field in the PDB status.
 -->
 ### Pod 的健康  {#healthiness-of-a-pod}
@@ -454,13 +461,16 @@ Policies:
 
 <!--
 `IfHealthyBudget`
-: Running pods (`.status.phase="Running"`), but not yet healthy can be evicted only if the guarded application is not
-disrupted (`.status.currentHealthy` is at least equal to `.status.desiredHealthy`).
+: Running pods (`.status.phase="Running"`), but not yet healthy can be evicted only
+  if the guarded application is not disrupted (`.status.currentHealthy` is at least
+  equal to `.status.desiredHealthy`).
 
-: This policy ensures that running pods of an already disrupted application have the best chance to become healthy.
-This has negative implications for draining nodes, which can be blocked by misbehaving applications that are guarded by a PDB.
-More specifically applications with pods in `CrashLoopBackOff` state (due to a bug or misconfiguration),
-or pods that are just failing to report the `Ready` condition.
+: This policy ensures that running pods of an already disrupted application have
+  the best chance to become healthy. This has negative implications for draining
+  nodes, which can be blocked by misbehaving applications that are guarded by a PDB.
+  More specifically applications with pods in `CrashLoopBackOff` state
+  (due to a bug or misconfiguration), or pods that are just failing to report the
+  `Ready` condition.
 -->
 `IfHealthyBudget`
 : 对于运行中但还不健康的 Pod（`.status.phase="Running"`），只有所守护的应用程序不受干扰
@@ -473,13 +483,14 @@ or pods that are just failing to report the `Ready` condition.
 
 <!--
 `AlwaysAllow`
-: Running pods (`.status.phase="Running"`), but not yet healthy are considered disrupted and can be evicted
-regardless of whether the criteria in a PDB is met.
-
-: This means prospective running pods of a disrupted application might not get a chance to become healthy.
-By using this policy, cluster managers can easily evict misbehaving applications that are guarded by a PDB.
-More specifically applications with pods in `CrashLoopBackOff` state (due to a bug or misconfiguration),
-or pods that are just failing to report the `Ready` condition.
+: Running pods (`.status.phase="Running"`), but not yet healthy are considered
+  disrupted and can be evicted regardless of whether the criteria in a PDB is met.
+
+: This means prospective running pods of a disrupted application might not get a
+  chance to become healthy. By using this policy, cluster managers can easily evict
+  misbehaving applications that are guarded by a PDB. More specifically applications
+  with pods in `CrashLoopBackOff` state (due to a bug or misconfiguration), or pods
+  that are just failing to report the `Ready` condition.
 -->
 `AlwaysAllow`
 : 运行中但还不健康的 Pod（`.status.phase="Running"`）将被视为已受干扰且可以被驱逐，
diff --git a/content/zh-cn/docs/tasks/run-application/delete-stateful-set.md b/content/zh-cn/docs/tasks/run-application/delete-stateful-set.md
index 8a61b54c7ae28..b70bdb350b218 100644
--- a/content/zh-cn/docs/tasks/run-application/delete-stateful-set.md
+++ b/content/zh-cn/docs/tasks/run-application/delete-stateful-set.md
@@ -34,7 +34,8 @@ This task shows you how to delete a {{< glossary_tooltip term_id="StatefulSet" >
 <!--
 ## Deleting a StatefulSet
 
-You can delete a StatefulSet in the same way you delete other resources in Kubernetes: use the `kubectl delete` command, and specify the StatefulSet either by file or by name.
+You can delete a StatefulSet in the same way you delete other resources in Kubernetes:
+use the `kubectl delete` command, and specify the StatefulSet either by file or by name.
 -->
 ## 删除 StatefulSet   {#deleting-a-statefulset}
 
@@ -68,8 +69,9 @@ kubectl delete service <服务名称>
 ```
 
 <!--
-When deleting a StatefulSet through `kubectl`, the StatefulSet scales down to 0. All Pods that are part of this workload are also deleted. If you want to delete only the StatefulSet and not the Pods, use `--cascade=orphan`.
-For example:
+When deleting a StatefulSet through `kubectl`, the StatefulSet scales down to 0.
+All Pods that are part of this workload are also deleted. If you want to delete
+only the StatefulSet and not the Pods, use `--cascade=orphan`. For example:
 --->
 当通过 `kubectl` 删除 StatefulSet 时，StatefulSet 会被缩容为 0。
 属于该 StatefulSet 的所有 Pod 也被删除。
@@ -80,7 +82,9 @@ kubectl delete -f <file.yaml> --cascade=orphan
 ```
 
 <!--
-By passing `--cascade=orphan` to `kubectl delete`, the Pods managed by the StatefulSet are left behind even after the StatefulSet object itself is deleted. If the pods have a label `app.kubernetes.io/name=MyApp`, you can then delete them as follows:
+By passing `--cascade=orphan` to `kubectl delete`, the Pods managed by the StatefulSet
+are left behind even after the StatefulSet object itself is deleted. If the pods have
+a label `app.kubernetes.io/name=MyApp`, you can then delete them as follows:
 --->
 通过将 `--cascade=orphan` 传递给 `kubectl delete`，在删除 StatefulSet 对象之后，
 StatefulSet 管理的 Pod 会被保留下来。如果 Pod 具有标签 `app.kubernetes.io/name=MyApp`，
@@ -93,7 +97,12 @@ kubectl delete pods -l app.kubernetes.io/name=MyApp
 <!--
 ### Persistent Volumes
 
-Deleting the Pods in a StatefulSet will not delete the associated volumes. This is to ensure that you have the chance to copy data off the volume before deleting it. Deleting the PVC after the pods have terminated might trigger deletion of the backing Persistent Volumes depending on the storage class and reclaim policy. You should never assume ability to access a volume after claim deletion.
+Deleting the Pods in a StatefulSet will not delete the associated volumes.
+This is to ensure that you have the chance to copy data off the volume before
+deleting it. Deleting the PVC after the pods have terminated might trigger
+deletion of the backing Persistent Volumes depending on the storage class
+and reclaim policy. You should never assume ability to access a volume
+after claim deletion.
 -->
 ### 持久卷  {#persistent-volumes}
 
@@ -111,7 +120,8 @@ Use caution when deleting a PVC, as it may lead to data loss.
 <!--
 ### Complete deletion of a StatefulSet
 
-To delete everything in a StatefulSet, including the associated pods, you can run a series of commands similar to the following:
+To delete everything in a StatefulSet, including the associated pods,
+you can run a series of commands similar to the following:
 -->
 ### 完全删除 StatefulSet  {#complete-deletion-of-a-statefulset}
 
@@ -126,14 +136,19 @@ kubectl delete pvc -l app.kubernetes.io/name=MyApp
 ```
 
 <!--
-In the example above, the Pods have the label `app.kubernetes.io/name=MyApp`; substitute your own label as appropriate.
+In the example above, the Pods have the label `app.kubernetes.io/name=MyApp`;
+substitute your own label as appropriate.
 -->
 在上面的例子中，Pod 的标签为 `app.kubernetes.io/name=MyApp`；适当地替换你自己的标签。
 
 <!--
 ### Force deletion of StatefulSet pods
 
-If you find that some pods in your StatefulSet are stuck in the 'Terminating' or 'Unknown' states for an extended period of time, you may need to manually intervene to forcefully delete the pods from the apiserver. This is a potentially dangerous task. Refer to [Force Delete StatefulSet Pods](/docs/tasks/run-application/force-delete-stateful-set-pod/) for details.
+If you find that some pods in your StatefulSet are stuck in the 'Terminating'
+or 'Unknown' states for an extended period of time, you may need to manually
+intervene to forcefully delete the pods from the apiserver.
+This is a potentially dangerous task. Refer to
+[Force Delete StatefulSet Pods](/docs/tasks/run-application/force-delete-stateful-set-pod/)
 -->
 ### 强制删除 StatefulSet 的 Pod   {#force-deletion-of-statefulset-pods}
 
diff --git a/content/zh-cn/docs/tasks/run-application/scale-stateful-set.md b/content/zh-cn/docs/tasks/run-application/scale-stateful-set.md
index 4354689635980..5e7917460162a 100644
--- a/content/zh-cn/docs/tasks/run-application/scale-stateful-set.md
+++ b/content/zh-cn/docs/tasks/run-application/scale-stateful-set.md
@@ -19,7 +19,8 @@ weight: 50
 
 <!-- overview -->
 <!--
-This task shows how to scale a StatefulSet. Scaling a StatefulSet refers to increasing or decreasing the number of replicas.
+This task shows how to scale a StatefulSet. Scaling a StatefulSet refers to
+increasing or decreasing the number of replicas.
 -->
 本文介绍如何扩缩 StatefulSet。StatefulSet 的扩缩指的是增加或者减少副本个数。
 
@@ -29,7 +30,9 @@ This task shows how to scale a StatefulSet. Scaling a StatefulSet refers to incr
 - StatefulSets are only available in Kubernetes version 1.5 or later.
   To check your version of Kubernetes, run `kubectl version`.
 
-- Not all stateful applications scale nicely. If you are unsure about whether to scale your StatefulSets, see [StatefulSet concepts](/docs/concepts/workloads/controllers/statefulset/) or [StatefulSet tutorial](/docs/tutorials/stateful-application/basic-stateful-set/) for further information.
+- Not all stateful applications scale nicely. If you are unsure about whether
+  to scale your StatefulSets, see [StatefulSet concepts](/docs/concepts/workloads/controllers/statefulset/)
+  or [StatefulSet tutorial](/docs/tutorials/stateful-application/basic-stateful-set/) for further information.
 
 - You should perform scaling only when you are confident that your stateful application
   cluster is completely healthy.
@@ -82,7 +85,9 @@ kubectl scale statefulsets <statefulset 名称> --replicas=<新的副本数>
 <!--
 ### Make in-place updates on your StatefulSets
 
-Alternatively, you can do [in-place updates](/docs/concepts/cluster-administration/manage-deployment/#in-place-updates-of-resources) on your StatefulSets.
+Alternatively, you can do
+[in-place updates](/docs/concepts/cluster-administration/manage-deployment/#in-place-updates-of-resources)
+on your StatefulSets.
 
 If your StatefulSet was initially created with `kubectl apply`,
 update `.spec.replicas` of the StatefulSet manifests, and then do a `kubectl apply`:
@@ -137,10 +142,12 @@ kubectl patch statefulsets <statefulset 名称> -p '{"spec":{"replicas":<new-rep
 ### 缩容操作无法正常工作   {#scaling-down-does-not-work}
 
 <!--
-You cannot scale down a StatefulSet when any of the stateful Pods it manages is unhealthy. Scaling down only takes place
-after those stateful Pods become running and ready.
+You cannot scale down a StatefulSet when any of the stateful Pods it manages is
+unhealthy. Scaling down only takes place after those stateful Pods become running and ready.
 
-If spec.replicas > 1, Kubernetes cannot determine the reason for an unhealthy Pod. It might be the result of a permanent fault or of a transient fault. A transient fault can be caused by a restart required by upgrading or maintenance.
+If spec.replicas > 1, Kubernetes cannot determine the reason for an unhealthy Pod.
+It might be the result of a permanent fault or of a transient fault. A transient
+fault can be caused by a restart required by upgrading or maintenance.
 -->
 当 Stateful 所管理的任何 Pod 不健康时，你不能对该 StatefulSet 执行缩容操作。
 仅当 StatefulSet 的所有 Pod 都处于运行状态和 Ready 状况后才可缩容。

From 73bfd0ec56cc516f55c2b70ab5aaf271b9df54d0 Mon Sep 17 00:00:00 2001
From: Arhell <arhell333@gmail.com>
Date: Sun, 19 Mar 2023 00:56:47 +0200
Subject: [PATCH 187/215] [en] update hugo config file

---
 content/en/docs/contribute/localization.md                | 6 +++---
 content/en/docs/contribute/style/hugo-shortcodes/index.md | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/content/en/docs/contribute/localization.md b/content/en/docs/contribute/localization.md
index 2832e72900c8a..39f435e135154 100644
--- a/content/en/docs/contribute/localization.md
+++ b/content/en/docs/contribute/localization.md
@@ -162,10 +162,10 @@ For an example of adding a label, see the PR for adding the
 
 The Kubernetes website uses Hugo as its web framework. The website's Hugo
 configuration resides in the
-[`config.toml`](https://github.com/kubernetes/website/tree/main/config.toml)
-file. You'll need to modify `config.toml` to support a new localization.
+[`hugo.toml`](https://github.com/kubernetes/website/tree/main/hugo.toml)
+file. You'll need to modify `hugo.toml` to support a new localization.
 
-Add a configuration block for the new language to `config.toml` under the
+Add a configuration block for the new language to `hugo.toml` under the
 existing `[languages]` block. The German block, for example, looks like:
 
 ```toml
diff --git a/content/en/docs/contribute/style/hugo-shortcodes/index.md b/content/en/docs/contribute/style/hugo-shortcodes/index.md
index a6ba992ee785b..4551e728bb78a 100644
--- a/content/en/docs/contribute/style/hugo-shortcodes/index.md
+++ b/content/en/docs/contribute/style/hugo-shortcodes/index.md
@@ -338,7 +338,7 @@ before the item, or just below the heading for the specific item.
 
 To generate a version string for inclusion in the documentation, you can choose from
 several version shortcodes. Each version shortcode displays a version string derived from
-the value of a version parameter found in the site configuration file, `config.toml`.
+the value of a version parameter found in the site configuration file, `hugo.toml`.
 The two most commonly used version parameters are `latest` and `version`.
 
 ### `{{</* param "version" */>}}`

From a5b75b47c3c7df3844434032c2d04d4515955b63 Mon Sep 17 00:00:00 2001
From: windsonsea <haifeng.yao@daocloud.io>
Date: Sun, 19 Mar 2023 12:11:22 +0800
Subject: [PATCH 188/215] Tweak line wrappings in blog 03-17

---
 ...bernetes-1.27-deprecations-and-removals.md | 166 ++++++++++++++----
 1 file changed, 127 insertions(+), 39 deletions(-)

diff --git a/content/en/blog/_posts/2023-03-17-kubernetes-1.27-deprecations-and-removals.md b/content/en/blog/_posts/2023-03-17-kubernetes-1.27-deprecations-and-removals.md
index abfb226abe276..befcfd4edf849 100644
--- a/content/en/blog/_posts/2023-03-17-kubernetes-1.27-deprecations-and-removals.md
+++ b/content/en/blog/_posts/2023-03-17-kubernetes-1.27-deprecations-and-removals.md
@@ -7,56 +7,96 @@ slug: upcoming-changes-in-kubernetes-v1-27
 
 **Author**: Harshita Sao
 
-As Kubernetes develops and matures, features may be deprecated, removed, or replaced with better ones for the project's overall health. Based on the information available at this point in the v1.27 release process, which is still ongoing and can introduce additional changes, this article identifies and describes some of the planned changes for the Kubernetes v1.27 release.
+As Kubernetes develops and matures, features may be deprecated, removed, or replaced
+with better ones for the project's overall health. Based on the information available
+at this point in the v1.27 release process, which is still ongoing and can introduce
+additional changes, this article identifies and describes some of the planned changes
+for the Kubernetes v1.27 release.
 
 ## A note about the k8s.gcr.io redirect to registry.k8s.io
 
-To host its container images, the Kubernetes project uses a community-owned image registry called registry.k8s.io. **On March 20th, all traffic from the out-of-date [k8s.gcr.io](https://cloud.google.com/container-registry/) registry will be redirected to [registry.k8s.io](https://github.com/kubernetes/registry.k8s.io)**. The deprecated k8s.gcr.io registry will eventually be phased out.
+To host its container images, the Kubernetes project uses a community-owned image
+registry called registry.k8s.io. **On March 20th, all traffic from the out-of-date
+[k8s.gcr.io](https://cloud.google.com/container-registry/) registry will be redirected
+to [registry.k8s.io](https://github.com/kubernetes/registry.k8s.io)**. The deprecated
+k8s.gcr.io registry will eventually be phased out.
 
 ### What does this change mean?
 
-- If you are a subproject maintainer, you must update your manifests and Helm charts to use the new registry.
+- If you are a subproject maintainer, you must update your manifests and Helm
+  charts to use the new registry.
 
 - The v1.27 Kubernetes release will not be published to the old registry.
 
-- From April, patch releases for v1.24, v1.25, and v1.26 will no longer be published to the old registry.
+- From April, patch releases for v1.24, v1.25, and v1.26 will no longer be
+  published to the old registry.
 
-We have a [blog post](/blog/2023/03/10/image-registry-redirect/) with all the information about this change and what to do if it impacts you.
+We have a [blog post](/blog/2023/03/10/image-registry-redirect/) with all
+the information about this change and what to do if it impacts you.
 
 ## The Kubernetes API Removal and Deprecation process
 
-The Kubernetes project has a well-documented [deprecation policy](https://kubernetes.io/docs/reference/using-api/deprecation-policy/) for features. This policy states that stable APIs may only be deprecated when a newer, stable version of that same API is available and that APIs have a minimum lifetime for each stability level. A deprecated API has been marked for removal in a future Kubernetes release, it will continue to function until removal (at least one year from the deprecation), but usage will result in a warning being displayed. Removed APIs are no longer available in the current version, at which point you must migrate to using the replacement.
+The Kubernetes project has a well-documented
+[deprecation policy](https://kubernetes.io/docs/reference/using-api/deprecation-policy/)
+for features. This policy states that stable APIs may only be deprecated when
+a newer, stable version of that same API is available and that APIs have a
+minimum lifetime for each stability level. A deprecated API has been marked
+for removal in a future Kubernetes release, it will continue to function until
+removal (at least one year from the deprecation), but usage will result in a
+warning being displayed. Removed APIs are no longer available in the current
+version, at which point you must migrate to using the replacement.
 
-- Generally available (GA) or stable API versions may be marked as deprecated but must not be removed within a major version of Kubernetes.
+- Generally available (GA) or stable API versions may be marked as deprecated
+  but must not be removed within a major version of Kubernetes.
 
-- Beta or pre-release API versions must be supported for 3 releases after the deprecation. 
+- Beta or pre-release API versions must be supported for 3 releases after the deprecation.
 
-- Alpha or experimental API versions may be removed in any release without prior deprecation notice. 
+- Alpha or experimental API versions may be removed in any release without prior deprecation notice.
 
-Whether an API is removed as a result of a feature graduating from beta to stable or because that API simply did not succeed, all removals comply with this deprecation policy. Whenever an API is removed, migration options are communicated in the documentation.
+Whether an API is removed as a result of a feature graduating from beta to stable
+or because that API simply did not succeed, all removals comply with this
+deprecation policy. Whenever an API is removed, migration options are communicated
+in the documentation.
 
 ## API removals, and other changes for Kubernetes v1.27
 
 ### Removal of `storage.k8s.io/v1beta1` from `CSIStorageCapacity`
 
-The [CSIStorageCapacity](/docs/reference/kubernetes-api/config-and-storage-resources/csi-storage-capacity-v1/) API supports exposing currently available storage capacity via CSIStorageCapacity objects and enhances the scheduling of pods that use CSI volumes with late binding. The `storage.k8s.io/v1beta1` API version of CSIStorageCapacity was deprecated in v1.24, and it will no longer be served in v1.27. 
+The [CSIStorageCapacity](/docs/reference/kubernetes-api/config-and-storage-resources/csi-storage-capacity-v1/)
+API supports exposing currently available storage capacity via CSIStorageCapacity
+objects and enhances the scheduling of pods that use CSI volumes with late binding.
+The `storage.k8s.io/v1beta1` API version of CSIStorageCapacity was deprecated in v1.24,
+and it will no longer be served in v1.27.
 
-Migrate manifests and API clients to use the `storage.k8s.io/v1` API version, available since v1.24. All existing persisted objects are accessible via the new API.
+Migrate manifests and API clients to use the `storage.k8s.io/v1` API version,
+available since v1.24. All existing persisted objects are accessible via the new API.
 
-Refer to the [Storage Capacity Constraints for Pod Scheduling KEP](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1472-storage-capacity-tracking) for more information.
+Refer to the
+[Storage Capacity Constraints for Pod Scheduling KEP](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1472-storage-capacity-tracking)
+for more information.
 
-Kubernetes v1.27 is not removing any other APIs; however several other aspects are going 
+Kubernetes v1.27 is not removing any other APIs; however several other aspects are going
 to be removed. Read on for details.
 
 ### Support for deprecated seccomp annotations
 
-In Kubernetes v1.19, the [seccomp](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/135-seccomp) (secure computing mode) support graduated to General Availability (GA). This feature can be used to increase the workload security by restricting the system calls for a Pod (applies to all containers) or single containers.
+In Kubernetes v1.19, the
+[seccomp](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/135-seccomp)
+(secure computing mode) support graduated to General Availability (GA).
+This feature can be used to increase the workload security by restricting
+the system calls for a Pod (applies to all containers) or single containers.
 
-The support for the alpha seccomp annotations `seccomp.security.alpha.kubernetes.io/pod` and `container.seccomp.security.alpha.kubernetes.io` were deprecated since v1.19, now have been completely removed. The seccomp fields are no longer auto-populated when pods with seccomp annotations are created. Pods should use the corresponding pod or container `securityContext.seccompProfile` field instead.
+The support for the alpha seccomp annotations `seccomp.security.alpha.kubernetes.io/pod`
+and `container.seccomp.security.alpha.kubernetes.io` were deprecated since v1.19, now
+have been completely removed. The seccomp fields are no longer auto-populated when pods
+with seccomp annotations are created. Pods should use the corresponding pod or container
+`securityContext.seccompProfile` field instead.
 
 ### Removal of several feature gates for volume expansion
 
-The following feature gates for [volume expansion](https://github.com/kubernetes/enhancements/issues/284) GA features will be removed and must no longer be referenced in `--feature-gates` flags:
+The following feature gates for
+[volume expansion](https://github.com/kubernetes/enhancements/issues/284) GA features
+will be removed and must no longer be referenced in `--feature-gates` flags:
 
 `ExpandCSIVolumes`
 : Enable expanding of CSI volumes.
@@ -69,70 +109,115 @@ The following feature gates for [volume expansion](https://github.com/kubernetes
 
 ### Removal of `--master-service-namespace` command line argument
 
-The kube-apiserver accepts a deprecated command line argument, `--master-service-namespace`, that specified where to create the Service named `kubernetes`
-to represent the API server.
+The kube-apiserver accepts a deprecated command line argument, `--master-service-namespace`,
+that specified where to create the Service named `kubernetes` to represent the API server.
 Kubernetes v1.27 will remove that argument, which has been deprecated since the v1.26 release.
 
 ### Removal of the `ControllerManagerLeaderMigration` feature gate
 
-[Leader Migration](https://github.com/kubernetes/enhancements/issues/2436) provides a mechanism in which HA clusters can safely migrate "cloud-specific" controllers between the `kube-controller-manager` and the `cloud-controller-manager` via a shared resource lock between the two components while upgrading the replicated control plane. 
+[Leader Migration](https://github.com/kubernetes/enhancements/issues/2436) provides
+a mechanism in which HA clusters can safely migrate "cloud-specific" controllers
+between the `kube-controller-manager` and the `cloud-controller-manager` via a shared
+resource lock between the two components while upgrading the replicated control plane.
 
-The `ControllerManagerLeaderMigration` feature, GA since v1.24, is unconditionally enabled and for the v1.27 release the feature gate option will be removed. If you're setting this feature gate explicitly, you'll need to remove that from command line arguments or configuration files.
+The `ControllerManagerLeaderMigration` feature, GA since v1.24, is unconditionally
+enabled and for the v1.27 release the feature gate option will be removed. If you're
+setting this feature gate explicitly, you'll need to remove that from command line
+arguments or configuration files.
 
 ### Removal of `--enable-taint-manager` command line argument
 
-The kube-controller-manager command line argument `--enable-taint-manager` is deprecated, and will be removed in Kubernetes v1.27. The feature that it supports, [taint based eviction](/docs/concepts/scheduling-eviction/taint-and-toleration/#taint-based-evictions),
+The kube-controller-manager command line argument `--enable-taint-manager` is
+deprecated, and will be removed in Kubernetes v1.27. The feature that it supports,
+[taint based eviction](/docs/concepts/scheduling-eviction/taint-and-toleration/#taint-based-evictions),
 is already enabled by default and will continue to be implicitly enabled when the flag is removed.
 
 ### Removal of `--pod-eviction-timeout` command line argument
-	
+
 The deprecated command line argument `--pod-eviction-timeout` will be removed from the
 kube-controller-manager.
 
-### Removal of the `CSI Migration` feature gate 
+### Removal of the `CSI Migration` feature gate
 
-The [CSI migration](https://github.com/kubernetes/enhancements/issues/625) programme allows
-moving from in-tree volume plugins to out-of-tree CSI drivers. CSI migration is generally available since Kubernetes v1.16, and the associated `CSIMigration` feature gate will be removed in v1.27.
+The [CSI migration](https://github.com/kubernetes/enhancements/issues/625)
+programme allows moving from in-tree volume plugins to out-of-tree CSI drivers.
+CSI migration is generally available since Kubernetes v1.16, and the associated
+`CSIMigration` feature gate will be removed in v1.27.
 
 ### Removal of `CSIInlineVolume` feature gate
 
-The [CSI Ephemeral Volume](https://github.com/kubernetes/kubernetes/pull/111258) feature allows CSI volumes to be specified directly in the pod specification for ephemeral use cases. They can be used to inject arbitrary states, such as configuration, secrets, identity, variables or similar information, directly inside pods using a mounted volume. This feature graduated to GA in v1.25. Hence, the feature gate `CSIInlineVolume` will be removed in the v1.27 release.
+The [CSI Ephemeral Volume](https://github.com/kubernetes/kubernetes/pull/111258)
+feature allows CSI volumes to be specified directly in the pod specification for
+ephemeral use cases. They can be used to inject arbitrary states, such as
+configuration, secrets, identity, variables or similar information, directly
+inside pods using a mounted volume. This feature graduated to GA in v1.25.
+Hence, the feature gate `CSIInlineVolume` will be removed in the v1.27 release.
 
 ### Removal of `EphemeralContainers` feature gate
 
-[Ephemeral containers](/docs/concepts/workloads/pods/ephemeral-containers/) graduated to GA in v1.25. These are containers with a temporary duration that executes within namespaces of an existing pod. Ephemeral containers are typically initiated by a user in order to observe the state of other pods and containers for troubleshooting and debugging purposes. For Kubernetes v1.27, API support for ephemeral containers is unconditionally enabled; the `EphemeralContainers` feature gate will be removed.
+[Ephemeral containers](/docs/concepts/workloads/pods/ephemeral-containers/)
+graduated to GA in v1.25. These are containers with a temporary duration that
+executes within namespaces of an existing pod. Ephemeral containers are
+typically initiated by a user in order to observe the state of other pods
+and containers for troubleshooting and debugging purposes. For Kubernetes v1.27,
+API support for ephemeral containers is unconditionally enabled; the
+`EphemeralContainers` feature gate will be removed.
 
 ### Removal of `LocalStorageCapacityIsolation` feature gate
 
-The [Local Ephemeral Storage Capacity Isolation](https://github.com/kubernetes/kubernetes/pull/111513) feature moved to GA in v1.25. The feature provides support for capacity isolation of local ephemeral storage between pods, such as `emptyDir` volumes, so that a pod can be hard limited in its consumption of shared resources. The kubelet will evicting Pods if consumption of local ephemeral storage exceeds the configured limit. The feature gate, `LocalStorageCapacityIsolation`, will be removed in the v1.27 release.
+The [Local Ephemeral Storage Capacity Isolation](https://github.com/kubernetes/kubernetes/pull/111513)
+feature moved to GA in v1.25. The feature provides support for capacity isolation
+of local ephemeral storage between pods, such as `emptyDir` volumes, so that a pod
+can be hard limited in its consumption of shared resources. The kubelet will
+evicting Pods if consumption of local ephemeral storage exceeds the configured limit.
+The feature gate, `LocalStorageCapacityIsolation`, will be removed in the v1.27 release.
 
 ### Removal of `NetworkPolicyEndPort` feature gate
 
-The v1.25 release of Kubernetes promoted `endPort` in NetworkPolicy to GA. NetworkPolicy providers that support the `endPort` field that can be used to specify a range of ports to apply a NetworkPolicy. Previously, each NetworkPolicy could only target a single port. So the feature gate `NetworkPolicyEndPort` will be removed in this release.
+The v1.25 release of Kubernetes promoted `endPort` in NetworkPolicy to GA.
+NetworkPolicy providers that support the `endPort` field that can be used to
+specify a range of ports to apply a NetworkPolicy. Previously, each NetworkPolicy
+could only target a single port. So the feature gate `NetworkPolicyEndPort`
+will be removed in this release.
 
-Please be aware that `endPort` field must be supported by the Network Policy provider. If your provider does not support `endPort`, and this field is specified in a Network Policy, the Network Policy will be created covering only the port field (single port).
+Please be aware that `endPort` field must be supported by the Network Policy
+provider. If your provider does not support `endPort`, and this field is
+specified in a Network Policy, the Network Policy will be created covering
+only the port field (single port).
 
 ### Removal of `StatefulSetMinReadySeconds` feature gate
 
-For a pod that is part of a StatefulSet, Kubernetes can mark the Pod ready only if Pod is available (and passing checks) for at least the period you specify in [`minReadySeconds`](/docs/concepts/workloads/controllers/statefulset/#minimum-ready-seconds). The feature became generally available in Kubernetes v1.25, and the `StatefulSetMinReadySeconds` feature gate will be locked to true and removed in the v1.27 release.
+For a pod that is part of a StatefulSet, Kubernetes can mark the Pod ready only
+if Pod is available (and passing checks) for at least the period you specify in
+[`minReadySeconds`](/docs/concepts/workloads/controllers/statefulset/#minimum-ready-seconds).
+The feature became generally available in Kubernetes v1.25, and the `StatefulSetMinReadySeconds`
+feature gate will be locked to true and removed in the v1.27 release.
 
 ### Removal of `IdentifyPodOS` feature gate
 
-You can specify the operating system for a Pod, and the feature support for that is stable since the v1.25 release. The `IdentifyPodOS` feature gate will be removed for Kubernetes v1.27.
+You can specify the operating system for a Pod, and the feature support for that
+is stable since the v1.25 release. The `IdentifyPodOS` feature gate will be
+removed for Kubernetes v1.27.
 
 ### Removal of `DaemonSetUpdateSurge` feature gate
 
-The v1.25 release of Kubernetes also stabilised surge support for DaemonSet pods, implemented in order to minimize DaemonSet downtime during rollouts. The `DaemonSetUpdateSurge` feature gate will be removed in Kubernetes v1.27.
+The v1.25 release of Kubernetes also stabilised surge support for DaemonSet pods,
+implemented in order to minimize DaemonSet downtime during rollouts.
+The `DaemonSetUpdateSurge` feature gate will be removed in Kubernetes v1.27.
 
 ## Looking ahead
 
-The official list of [API removals](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-29) planned for Kubernetes v1.29 includes:
+The official list of
+[API removals](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-29)
+planned for Kubernetes v1.29 includes:
 
-- The `flowcontrol.apiserver.k8s.io/v1beta2` API version of FlowSchema and PriorityLevelConfiguration will no longer be served in v1.29.
+- The `flowcontrol.apiserver.k8s.io/v1beta2` API version of FlowSchema and
+  PriorityLevelConfiguration will no longer be served in v1.29.
 
 ## Want to know more?
 
-Deprecations are announced in the Kubernetes release notes. You can see the announcements of pending deprecations in the release notes for:
+Deprecations are announced in the Kubernetes release notes. You can see the
+announcements of pending deprecations in the release notes for:
 
 - [Kubernetes v1.23](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#deprecation)
 
@@ -142,6 +227,9 @@ Deprecations are announced in the Kubernetes release notes. You can see the anno
 
 - [Kubernetes v1.26](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#deprecation)
 
-We will formally announce the deprecations that come with [Kubernetes v1.27](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#deprecation) as part of the CHANGELOG for that release.
+We will formally announce the deprecations that come with
+[Kubernetes v1.27](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#deprecation)
+as part of the CHANGELOG for that release.
 
-For information on the process of deprecation and removal, check out the official Kubernetes [deprecation policy](/docs/reference/using-api/deprecation-policy/#deprecating-parts-of-the-api) document.
+For information on the process of deprecation and removal, check out the official Kubernetes
+[deprecation policy](/docs/reference/using-api/deprecation-policy/#deprecating-parts-of-the-api) document.

From 2b72413ddb5b23bb1c2def884035c26ff46c3123 Mon Sep 17 00:00:00 2001
From: WanJie <webmaster@wanjie.info>
Date: Sun, 19 Mar 2023 18:48:19 +0800
Subject: [PATCH 189/215] update pod-lifecycle.md

Add  the EndpointSliceTerminatingCondition section
---
 .../concepts/workloads/pods/pod-lifecycle.md  | 23 ++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/content/zh-cn/docs/concepts/workloads/pods/pod-lifecycle.md b/content/zh-cn/docs/concepts/workloads/pods/pod-lifecycle.md
index 1cd444c1e3502..b3e8274791038 100644
--- a/content/zh-cn/docs/concepts/workloads/pods/pod-lifecycle.md
+++ b/content/zh-cn/docs/concepts/workloads/pods/pod-lifecycle.md
@@ -912,6 +912,23 @@ An example flow:
    和其他工作负载资源不再将关闭进程中的 Pod 视为合法的、能够提供服务的副本。
    关闭动作很慢的 Pod 也无法继续处理请求数据，
    因为负载均衡器（例如服务代理）已经在终止宽限期开始的时候将其从端点列表中移除。
+   
+
+<!--
+{{<note>}}
+If you don't have the `EndpointSliceTerminatingCondition` feature gate enabled
+in your cluster (the gate is on by default from Kubernetes 1.22, and locked to default in 1.26), then the Kubernetes control
+plane removes a Pod from any relevant EndpointSlices as soon as the Pod's
+termination grace period _begins_. The behavior above is described when the
+feature gate `EndpointSliceTerminatingCondition` is enabled.
+{{</note>}}
+-->
+
+{{<note>}} 
+  如果你的集群中没有启用 EndpointSliceTerminatingCondition 功能门
+（该门从 Kubernetes 1.22 开始默认开启，在1.26中锁定为默认），那么一旦 Pod 的终止宽限期开始，Kubernetes 控制平面就会从任何相关EndpointSlices 中移除 Pod。上述行为是在 EndpointSliceTerminatingCondition 功能门被启用时描述的。
+ {{</note>}}
+
 
 <!--
 1. When the grace period expires, the kubelet triggers forcible shutdown. The container runtime sends
@@ -921,14 +938,14 @@ An example flow:
    to 0 (immediate deletion).
 1. The API server deletes the Pod's API object, which is then no longer visible from any client.
 -->
-4. 超出终止宽限期限时，`kubelet` 会触发强制关闭过程。容器运行时会向 Pod
+1. 超出终止宽限期限时，`kubelet` 会触发强制关闭过程。容器运行时会向 Pod
    中所有容器内仍在运行的进程发送 `SIGKILL` 信号。
    `kubelet` 也会清理隐藏的 `pause` 容器，如果容器运行时使用了这种容器的话。
 
-5. `kubelet` 触发强制从 API 服务器上删除 Pod 对象的逻辑，并将体面终止限期设置为 0
+1. `kubelet` 触发强制从 API 服务器上删除 Pod 对象的逻辑，并将体面终止限期设置为 0
    （这意味着马上删除）。
 
-6. API 服务器删除 Pod 的 API 对象，从任何客户端都无法再看到该对象。
+1. API 服务器删除 Pod 的 API 对象，从任何客户端都无法再看到该对象。
 
 <!--
 ### Forced Pod termination {#pod-termination-forced}

From 91fa0c621ceb8ad764db2fe0828862290b4b13aa Mon Sep 17 00:00:00 2001
From: WanJie <webmaster@wanjie.info>
Date: Sun, 19 Mar 2023 20:01:13 +0800
Subject: [PATCH 190/215] Update
 content/zh-cn/docs/concepts/workloads/pods/pod-lifecycle.md

thank you.

Co-authored-by: Michael <haifeng.yao@daocloud.io>
---
 .../concepts/workloads/pods/pod-lifecycle.md  | 20 ++++++++-----------
 1 file changed, 8 insertions(+), 12 deletions(-)

diff --git a/content/zh-cn/docs/concepts/workloads/pods/pod-lifecycle.md b/content/zh-cn/docs/concepts/workloads/pods/pod-lifecycle.md
index b3e8274791038..ff67f9b409086 100644
--- a/content/zh-cn/docs/concepts/workloads/pods/pod-lifecycle.md
+++ b/content/zh-cn/docs/concepts/workloads/pods/pod-lifecycle.md
@@ -912,18 +912,14 @@ An example flow:
    和其他工作负载资源不再将关闭进程中的 Pod 视为合法的、能够提供服务的副本。
    关闭动作很慢的 Pod 也无法继续处理请求数据，
    因为负载均衡器（例如服务代理）已经在终止宽限期开始的时候将其从端点列表中移除。
-   
-
-<!--
-{{<note>}}
-If you don't have the `EndpointSliceTerminatingCondition` feature gate enabled
-in your cluster (the gate is on by default from Kubernetes 1.22, and locked to default in 1.26), then the Kubernetes control
-plane removes a Pod from any relevant EndpointSlices as soon as the Pod's
-termination grace period _begins_. The behavior above is described when the
-feature gate `EndpointSliceTerminatingCondition` is enabled.
-{{</note>}}
--->
-
+   {{<note>}}
+   <!--
+   If you don't have the `EndpointSliceTerminatingCondition` feature gate enabled
+   in your cluster (the gate is on by default from Kubernetes 1.22, and locked to default in 1.26), then the    Kubernetes control
+   plane removes a Pod from any relevant EndpointSlices as soon as the Pod's
+   termination grace period _begins_. The behavior above is described when the
+   feature gate `EndpointSliceTerminatingCondition` is enabled.
+   -->
 {{<note>}} 
   如果你的集群中没有启用 EndpointSliceTerminatingCondition 功能门
 （该门从 Kubernetes 1.22 开始默认开启，在1.26中锁定为默认），那么一旦 Pod 的终止宽限期开始，Kubernetes 控制平面就会从任何相关EndpointSlices 中移除 Pod。上述行为是在 EndpointSliceTerminatingCondition 功能门被启用时描述的。

From 27e3715ca67cdd80739b798a4719bedc7c6390a3 Mon Sep 17 00:00:00 2001
From: WanJie <webmaster@wanjie.info>
Date: Sun, 19 Mar 2023 20:25:38 +0800
Subject: [PATCH 191/215] Update
 content/zh-cn/docs/concepts/workloads/pods/pod-lifecycle.md

Co-authored-by: Michael <haifeng.yao@daocloud.io>
---
 .../zh-cn/docs/concepts/workloads/pods/pod-lifecycle.md  | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/content/zh-cn/docs/concepts/workloads/pods/pod-lifecycle.md b/content/zh-cn/docs/concepts/workloads/pods/pod-lifecycle.md
index ff67f9b409086..2c260f70fd859 100644
--- a/content/zh-cn/docs/concepts/workloads/pods/pod-lifecycle.md
+++ b/content/zh-cn/docs/concepts/workloads/pods/pod-lifecycle.md
@@ -920,10 +920,11 @@ An example flow:
    termination grace period _begins_. The behavior above is described when the
    feature gate `EndpointSliceTerminatingCondition` is enabled.
    -->
-{{<note>}} 
-  如果你的集群中没有启用 EndpointSliceTerminatingCondition 功能门
-（该门从 Kubernetes 1.22 开始默认开启，在1.26中锁定为默认），那么一旦 Pod 的终止宽限期开始，Kubernetes 控制平面就会从任何相关EndpointSlices 中移除 Pod。上述行为是在 EndpointSliceTerminatingCondition 功能门被启用时描述的。
- {{</note>}}
+   如果你的集群中没有启用 EndpointSliceTerminatingCondition 特性门控
+   （该门控从 Kubernetes 1.22 开始默认开启，在 1.26 中锁定为默认），
+   那么一旦 Pod 的终止宽限期开始，Kubernetes 控制平面就会从任何相关 EndpointSlices 中移除 Pod。
+   上述行为是在 EndpointSliceTerminatingCondition 特性门控被启用时描述的。
+   {{</note>}}
 
 
 <!--

From 40a87adc2e0d577483388acc466687f23b3c7918 Mon Sep 17 00:00:00 2001
From: windsonsea <haifeng.yao@daocloud.io>
Date: Sun, 19 Mar 2023 11:58:35 +0800
Subject: [PATCH 192/215] [zh] sync blog:
 kubernetes-1.27-deprecations-and-removals.md

---
 ...bernetes-1.27-deprecations-and-removals.md | 455 ++++++++++++++++++
 1 file changed, 455 insertions(+)
 create mode 100644 content/zh-cn/blog/_posts/2023-03-17-kubernetes-1.27-deprecations-and-removals.md

diff --git a/content/zh-cn/blog/_posts/2023-03-17-kubernetes-1.27-deprecations-and-removals.md b/content/zh-cn/blog/_posts/2023-03-17-kubernetes-1.27-deprecations-and-removals.md
new file mode 100644
index 0000000000000..303f04d41fe02
--- /dev/null
+++ b/content/zh-cn/blog/_posts/2023-03-17-kubernetes-1.27-deprecations-and-removals.md
@@ -0,0 +1,455 @@
+---
+layout: blog
+title: "Kubernetes 在 v1.27 中移除的特性和主要变更"
+date: 2023-03-17T14:00:00+0000
+slug: upcoming-changes-in-kubernetes-v1-27
+---
+<!--
+layout: blog
+title: "Kubernetes Removals and Major Changes In v1.27"
+date: 2023-03-17T14:00:00+0000
+slug: upcoming-changes-in-kubernetes-v1-27
+-->
+
+<!--
+**Author**: Harshita Sao
+-->
+**作者**：Harshita Sao
+
+**译者**：Michael Yao (DaoCloud)
+
+<!--
+As Kubernetes develops and matures, features may be deprecated, removed, or replaced
+with better ones for the project's overall health. Based on the information available
+at this point in the v1.27 release process, which is still ongoing and can introduce
+additional changes, this article identifies and describes some of the planned changes
+for the Kubernetes v1.27 release.
+-->
+随着 Kubernetes 发展和成熟，为了此项目的整体健康，某些特性可能会被弃用、移除或替换为优化过的特性。
+基于目前在 v1.27 发布流程中获得的信息，本文将列举并描述一些计划在 Kubernetes v1.27 发布中的变更，
+发布工作目前仍在进行中，可能会引入更多变更。
+
+<!--
+## A note about the k8s.gcr.io redirect to registry.k8s.io
+
+To host its container images, the Kubernetes project uses a community-owned image
+registry called registry.k8s.io. **On March 20th, all traffic from the out-of-date
+[k8s.gcr.io](https://cloud.google.com/container-registry/) registry will be redirected
+to [registry.k8s.io](https://github.com/kubernetes/registry.k8s.io)**. The deprecated
+k8s.gcr.io registry will eventually be phased out.
+-->
+## k8s.gcr.io 重定向到 registry.k8s.io 相关说明   {#note-about-redirect}
+
+Kubernetes 项目为了托管其容器镜像，使用社区拥有的一个名为 registry.k8s.io. 的镜像仓库。
+**从 3 月 20 日起，所有来自过期 [k8s.gcr.io](https://cloud.google.com/container-registry/)
+仓库的流量将被重定向到 [registry.k8s.io](https://github.com/kubernetes/registry.k8s.io)**。
+已弃用的 k8s.gcr.io 仓库最终将被淘汰。
+
+<!--
+### What does this change mean?
+
+- If you are a subproject maintainer, you must update your manifests and Helm
+  charts to use the new registry.
+- The v1.27 Kubernetes release will not be published to the old registry.
+- From April, patch releases for v1.24, v1.25, and v1.26 will no longer be
+  published to the old registry.
+-->
+### 这次变更意味着什么？   {#what-does-this-change-mean}
+
+- 如果你是一个子项目的 Maintainer，你必须更新自己的清单和 Helm Chart 来使用新的仓库。
+- Kubernetes v1.27 版本不会发布到旧的仓库。
+- 从 4 月份起，针对 v1.24、v1.25 和 v1.26 的补丁版本将不再发布到旧的仓库。
+
+<!--
+We have a [blog post](/blog/2023/03/10/image-registry-redirect/) with all
+the information about this change and what to do if it impacts you.
+-->
+我们曾发布了一篇[博文](/blog/2023/03/10/image-registry-redirect/)，
+讲述了此次变更有关的所有信息，以及影响到你时应该采取的措施。
+
+<!--
+## The Kubernetes API Removal and Deprecation process
+
+The Kubernetes project has a well-documented
+[deprecation policy](https://kubernetes.io/docs/reference/using-api/deprecation-policy/)
+for features. This policy states that stable APIs may only be deprecated when
+a newer, stable version of that same API is available and that APIs have a
+minimum lifetime for each stability level. A deprecated API has been marked
+for removal in a future Kubernetes release, it will continue to function until
+removal (at least one year from the deprecation), but usage will result in a
+warning being displayed. Removed APIs are no longer available in the current
+version, at which point you must migrate to using the replacement.
+-->
+## Kubernetes API 移除和弃用流程 {#k8s-api-deprecation-process}
+
+Kubernetes 项目对特性有一个[文档完备的弃用策略](/zh-cn/docs/reference/using-api/deprecation-policy/)。
+该策略规定，只有当较新的、稳定的相同 API 可用时，原有的稳定 API 才可以被弃用，
+每个稳定级别的 API 都有一个最短的生命周期。弃用的 API 指的是已标记为将在后续发行某个
+Kubernetes 版本时移除的 API；移除之前该 API 将继续发挥作用（从弃用起至少一年时间），
+但使用时会显示一条警告。被移除的 API 将在当前版本中不再可用，此时你必须迁移以使用替换的 API。
+
+<!--
+- Generally available (GA) or stable API versions may be marked as deprecated
+  but must not be removed within a major version of Kubernetes.
+- Beta or pre-release API versions must be supported for 3 releases after the deprecation.
+- Alpha or experimental API versions may be removed in any release without prior deprecation notice.
+-->
+- 正式发布（GA）或稳定的 API 版本可能被标记为已弃用，但只有在 Kubernetes 大版本更新时才会被移除。
+- 测试版（Beta）或预发布 API 版本在弃用后必须在后续 3 个版本中继续支持。
+- Alpha 或实验性 API 版本可以在任何版本中被移除，不另行通知。
+
+<!--
+Whether an API is removed as a result of a feature graduating from beta to stable
+or because that API simply did not succeed, all removals comply with this
+deprecation policy. Whenever an API is removed, migration options are communicated
+in the documentation.
+-->
+无论一个 API 是因为某特性从 Beta 进阶至稳定阶段而被移除，还是因为该 API 根本没有成功，
+所有移除均遵从上述弃用策略。无论何时移除一个 API，文档中都会列出迁移选项。
+
+<!--
+## API removals, and other changes for Kubernetes v1.27
+
+### Removal of `storage.k8s.io/v1beta1` from `CSIStorageCapacity`
+-->
+## 针对 Kubernetes v1.27 移除的 API 和其他变更   {#api-removals-and-other-changes-in-1.27}
+
+### 从 `CSIStorageCapacity` 移除 `storage.k8s.io/v1beta1`
+
+<!--
+The [CSIStorageCapacity](/docs/reference/kubernetes-api/config-and-storage-resources/csi-storage-capacity-v1/)
+API supports exposing currently available storage capacity via CSIStorageCapacity
+objects and enhances the scheduling of pods that use CSI volumes with late binding.
+The `storage.k8s.io/v1beta1` API version of CSIStorageCapacity was deprecated in v1.24,
+and it will no longer be served in v1.27.
+-->
+[CSIStorageCapacity](/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/csi-storage-capacity-v1/)
+API 支持通过 CSIStorageCapacity 对象来暴露当前可用的存储容量，并增强在后续绑定时使用 CSI 卷的 Pod 的调度。
+CSIStorageCapacity 的 `storage.k8s.io/v1beta1` API 版本在 v1.24 中已被弃用，将在 v1.27 中被移除。
+
+<!--
+Migrate manifests and API clients to use the `storage.k8s.io/v1` API version,
+available since v1.24. All existing persisted objects are accessible via the new API.
+
+Refer to the
+[Storage Capacity Constraints for Pod Scheduling KEP](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1472-storage-capacity-tracking)
+for more information.
+-->
+迁移清单和 API 客户端以使用自 v1.24 起可用的 `storage.k8s.io/v1` API 版本。
+所有现有的已持久保存的对象都可以通过这个新的 API 进行访问。
+
+更多信息可以参阅
+[Storage Capacity Constraints for Pod Scheduling KEP](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1472-storage-capacity-tracking)。
+
+<!--
+Kubernetes v1.27 is not removing any other APIs; however several other aspects are going
+to be removed. Read on for details.
+-->
+Kubernetes v1.27 没有移除任何其他 API；但还有其他若干特性将被移除。请继续阅读下文。
+
+<!--
+### Support for deprecated seccomp annotations
+
+In Kubernetes v1.19, the
+[seccomp](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/135-seccomp)
+(secure computing mode) support graduated to General Availability (GA).
+This feature can be used to increase the workload security by restricting
+the system calls for a Pod (applies to all containers) or single containers.
+-->
+### 对弃用的 seccomp 注解的支持
+
+在 Kubernetes v1.19 中，
+[seccomp](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/135-seccomp)
+（安全计算模式）支持进阶至正式发布 (GA)。
+此特性通过限制 Pod（应用到所有容器）或单个容器可执行的系统调用可以提高工作负载安全性。
+
+<!--
+The support for the alpha seccomp annotations `seccomp.security.alpha.kubernetes.io/pod`
+and `container.seccomp.security.alpha.kubernetes.io` were deprecated since v1.19, now
+have been completely removed. The seccomp fields are no longer auto-populated when pods
+with seccomp annotations are created. Pods should use the corresponding pod or container
+`securityContext.seccompProfile` field instead.
+-->
+对 Alpha 状态的 seccomp 注解 `seccomp.security.alpha.kubernetes.io/pod` 和
+`container.seccomp.security.alpha.kubernetes.io` 的支持自 v1.19 起被弃用，
+现在已完全移除。当创建具有 seccomp 注解的 Pod 时 seccomp 字段将不再被自动填充。
+Pod 应转为使用相应的 Pod 或容器 `securityContext.seccompProfile` 字段。
+
+<!--
+### Removal of several feature gates for volume expansion
+
+The following feature gates for
+[volume expansion](https://github.com/kubernetes/enhancements/issues/284) GA features
+will be removed and must no longer be referenced in `--feature-gates` flags:
+-->
+### 移除针对卷扩展的若干特性门控
+
+针对[卷扩展](https://github.com/kubernetes/enhancements/issues/284)
+GA 特性的以下特性门控将被移除，且不得再在 `--feature-gates` 标志中引用：
+
+<!--
+`ExpandCSIVolumes`
+: Enable expanding of CSI volumes.
+
+`ExpandInUsePersistentVolumes`
+: Enable expanding in-use PVCs.
+
+`ExpandPersistentVolumes`
+: Enable expanding of persistent volumes.
+-->
+`ExpandCSIVolumes`
+: 启用 CSI 卷的扩展。
+
+`ExpandInUsePersistentVolumes`
+: 启用扩展正使用的 PVC。
+
+`ExpandPersistentVolumes`
+: 启用持久卷的扩展。
+
+<!--
+### Removal of `--master-service-namespace` command line argument
+
+The kube-apiserver accepts a deprecated command line argument, `--master-service-namespace`,
+that specified where to create the Service named `kubernetes` to represent the API server.
+Kubernetes v1.27 will remove that argument, which has been deprecated since the v1.26 release.
+-->
+### 移除 `--master-service-namespace` 命令行参数
+
+kube-apiserver 接受一个已弃用的命令行参数 `--master-service-namespace`，
+该参数指定在何处创建名为 `kubernetes` 的 Service 来表示 API 服务器。
+Kubernetes v1.27 将移除自 v1.26 版本已被弃用的该参数。
+
+<!--
+### Removal of the `ControllerManagerLeaderMigration` feature gate
+
+[Leader Migration](https://github.com/kubernetes/enhancements/issues/2436) provides
+a mechanism in which HA clusters can safely migrate "cloud-specific" controllers
+between the `kube-controller-manager` and the `cloud-controller-manager` via a shared
+resource lock between the two components while upgrading the replicated control plane.
+-->
+### 移除 `ControllerManagerLeaderMigration` 特性门控
+
+[Leader Migration](https://github.com/kubernetes/enhancements/issues/2436)
+提供了一种机制，让 HA 集群在升级多副本的控制平面时通过在 `kube-controller-manager` 和
+`cloud-controller-manager` 这两个组件之间共享的资源锁，安全地迁移“特定于云平台”的控制器。
+
+<!--
+The `ControllerManagerLeaderMigration` feature, GA since v1.24, is unconditionally
+enabled and for the v1.27 release the feature gate option will be removed. If you're
+setting this feature gate explicitly, you'll need to remove that from command line
+arguments or configuration files.
+-->
+`ControllerManagerLeaderMigration` 特性自 v1.24 正式发布，被无条件启用，
+在 v1.27 版本中此特性门控选项将被移除。
+如果你显式设置此特性门控，你将需要从命令行参数或配置文件中将其移除。
+
+<!--
+### Removal of `--enable-taint-manager` command line argument
+
+The kube-controller-manager command line argument `--enable-taint-manager` is
+deprecated, and will be removed in Kubernetes v1.27. The feature that it supports,
+[taint based eviction](/docs/concepts/scheduling-eviction/taint-and-toleration/#taint-based-evictions),
+is already enabled by default and will continue to be implicitly enabled when the flag is removed.
+-->
+### 移除 `--enable-taint-manager` 命令行参数
+
+kube-controller-manager 命令行参数 `--enable-taint-manager` 已被弃用，
+将在 Kubernetes v1.27 中被移除。
+该参数支持的特性[基于污点的驱逐](/zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration/#taint-based-evictions)已被默认启用，
+且在标志被移除时也将继续被隐式启用。
+
+<!--
+### Removal of `--pod-eviction-timeout` command line argument
+
+The deprecated command line argument `--pod-eviction-timeout` will be removed from the
+kube-controller-manager.
+
+-->
+### 移除 `--pod-eviction-timeout` 命令行参数
+
+弃用的命令行参数 `--pod-eviction-timeout` 将被从 kube-controller-manager 中移除。
+
+<!--
+### Removal of the `CSI Migration` feature gate
+
+The [CSI migration](https://github.com/kubernetes/enhancements/issues/625)
+programme allows moving from in-tree volume plugins to out-of-tree CSI drivers.
+CSI migration is generally available since Kubernetes v1.16, and the associated
+`CSIMigration` feature gate will be removed in v1.27.
+-->
+### 移除 `CSI Migration` 特性门控
+
+[CSI migration](https://github.com/kubernetes/enhancements/issues/625)
+程序允许从树内卷插件移动到树外 CSI 驱动程序。
+CSI 迁移自 Kubernetes v1.16 起正式发布，关联的 `CSIMigration` 特性门控将在 v1.27 中被移除。
+
+<!--
+### Removal of `CSIInlineVolume` feature gate
+
+The [CSI Ephemeral Volume](https://github.com/kubernetes/kubernetes/pull/111258)
+feature allows CSI volumes to be specified directly in the pod specification for
+ephemeral use cases. They can be used to inject arbitrary states, such as
+configuration, secrets, identity, variables or similar information, directly
+inside pods using a mounted volume. This feature graduated to GA in v1.25.
+Hence, the feature gate `CSIInlineVolume` will be removed in the v1.27 release.
+-->
+### 移除 `CSIInlineVolume` 特性门控
+
+[CSI Ephemeral Volume](https://github.com/kubernetes/kubernetes/pull/111258)
+特性允许在 Pod 规约中直接指定 CSI 卷作为临时使用场景。这些 CSI 卷可用于使用挂载的卷直接在
+Pod 内注入任意状态，例如配置、Secret、身份、变量或类似信息。
+此特性在 v1.25 中进阶至正式发布。因此，此特性门控 `CSIInlineVolume` 将在 v1.27 版本中移除。
+
+<!--
+### Removal of `EphemeralContainers` feature gate
+
+[Ephemeral containers](/docs/concepts/workloads/pods/ephemeral-containers/)
+graduated to GA in v1.25. These are containers with a temporary duration that
+executes within namespaces of an existing pod. Ephemeral containers are
+typically initiated by a user in order to observe the state of other pods
+and containers for troubleshooting and debugging purposes. For Kubernetes v1.27,
+API support for ephemeral containers is unconditionally enabled; the
+`EphemeralContainers` feature gate will be removed.
+-->
+### 移除 `EphemeralContainers` 特性门控
+
+[临时容器](/zh-cn/docs/concepts/workloads/pods/ephemeral-containers/)在 v1.25 中进阶至正式发布。
+这些是具有临时持续周期的容器，在现有 Pod 的命名空间内执行。
+临时容器通常由用户发起，以观察其他 Pod 和容器的状态进行故障排查和调试。
+对于 Kubernetes v1.27，对临时容器的 API 支持被无条件启用；`EphemeralContainers` 特性门控将被移除。
+
+<!--
+### Removal of `LocalStorageCapacityIsolation` feature gate
+
+The [Local Ephemeral Storage Capacity Isolation](https://github.com/kubernetes/kubernetes/pull/111513)
+feature moved to GA in v1.25. The feature provides support for capacity isolation
+of local ephemeral storage between pods, such as `emptyDir` volumes, so that a pod
+can be hard limited in its consumption of shared resources. The kubelet will
+evicting Pods if consumption of local ephemeral storage exceeds the configured limit.
+The feature gate, `LocalStorageCapacityIsolation`, will be removed in the v1.27 release.
+-->
+### 移除 `LocalStorageCapacityIsolation` 特性门控
+
+[Local Ephemeral Storage Capacity Isolation](https://github.com/kubernetes/kubernetes/pull/111513)
+特性在 v1.25 中进阶至正式发布。此特性支持 `emptyDir` 卷这类 Pod 之间本地临时存储的容量隔离，
+因此可以硬性限制 Pod 对共享资源的消耗。如果本地临时存储的消耗超过了配置的限制，kubelet 将驱逐 Pod。
+特性门控 `LocalStorageCapacityIsolation` 将在 v1.27 版本中被移除。
+
+<!--
+### Removal of `NetworkPolicyEndPort` feature gate
+
+The v1.25 release of Kubernetes promoted `endPort` in NetworkPolicy to GA.
+NetworkPolicy providers that support the `endPort` field that can be used to
+specify a range of ports to apply a NetworkPolicy. Previously, each NetworkPolicy
+could only target a single port. So the feature gate `NetworkPolicyEndPort`
+will be removed in this release.
+-->
+### 移除 `NetworkPolicyEndPort` 特性门控
+
+Kubernetes v1.25 版本将 NetworkPolicy 中的 `endPort` 进阶至正式发布。
+支持 `endPort` 字段的 NetworkPolicy 提供程序可用于指定一系列端口以应用 NetworkPolicy。
+以前每个 NetworkPolicy 只能针对一个端口。因此，此特性门控 `NetworkPolicyEndPort` 将在此版本中被移除。
+
+<!--
+Please be aware that `endPort` field must be supported by the Network Policy
+provider. If your provider does not support `endPort`, and this field is
+specified in a Network Policy, the Network Policy will be created covering
+only the port field (single port).
+-->
+请注意，`endPort` 字段必须得到 NetworkPolicy 提供程序的支持。
+如果你的提供程序不支持 `endPort`，并且此字段在 NetworkPolicy 中指定，
+则将创建仅涵盖端口字段（单个端口）的 NetworkPolicy。
+
+<!--
+### Removal of `StatefulSetMinReadySeconds` feature gate
+
+For a pod that is part of a StatefulSet, Kubernetes can mark the Pod ready only
+if Pod is available (and passing checks) for at least the period you specify in
+[`minReadySeconds`](/docs/concepts/workloads/controllers/statefulset/#minimum-ready-seconds).
+The feature became generally available in Kubernetes v1.25, and the `StatefulSetMinReadySeconds`
+feature gate will be locked to true and removed in the v1.27 release.
+-->
+### 移除 `StatefulSetMinReadySeconds` 特性门控
+
+对于作为 StatefulSet 一部分的 Pod，只有当 Pod 至少在
+[`minReadySeconds`](/zh-cn/docs/concepts/workloads/controllers/statefulset/#minimum-ready-seconds)
+中指定的持续期内可用（并通过检查）时，Kubernetes 才会将此 Pod 标记为只读。
+该特性在 Kubernetes v1.25 中正式发布，`StatefulSetMinReadySeconds`
+特性门控将锁定为 true，并在 v1.27 版本中被移除。
+
+<!--
+### Removal of `IdentifyPodOS` feature gate
+
+You can specify the operating system for a Pod, and the feature support for that
+is stable since the v1.25 release. The `IdentifyPodOS` feature gate will be
+removed for Kubernetes v1.27.
+-->
+### 移除 `IdentifyPodOS` 特性门控
+
+你可以为 Pod 指定操作系统，此项特性支持自 v1.25 版本进入稳定。
+`IdentifyPodOS` 特性门控将在 Kubernetes v1.27 中被移除。
+
+<!--
+### Removal of `DaemonSetUpdateSurge` feature gate
+
+The v1.25 release of Kubernetes also stabilised surge support for DaemonSet pods,
+implemented in order to minimize DaemonSet downtime during rollouts.
+The `DaemonSetUpdateSurge` feature gate will be removed in Kubernetes v1.27.
+-->
+### 移除 `DaemonSetUpdateSurge` 特性门控
+
+Kubernetes v1.25 版本还稳定了对 DaemonSet Pod 的浪涌支持，
+其实现是为了最大限度地减少部署期间 DaemonSet 的停机时间。
+`DaemonSetUpdateSurge` 特性门控将在 Kubernetes v1.27 中被移除。
+
+<!--
+## Looking ahead
+
+The official list of
+[API removals](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-29)
+planned for Kubernetes v1.29 includes:
+-->
+## 前瞻   {#looking-ahead}
+
+Kubernetes 1.29 计划[移除的 API 官方列表](/zh-cn/docs/reference/using-api/deprecation-guide/#v1-29)包括：
+
+<!--
+- The `flowcontrol.apiserver.k8s.io/v1beta2` API version of FlowSchema and
+  PriorityLevelConfiguration will no longer be served in v1.29.
+-->
+- FlowSchema 和 PriorityLevelConfiguration 的 `flowcontrol.apiserver.k8s.io/v1beta2`
+  API 版本将不再在 v1.29 中提供。
+
+<!--
+## Want to know more?
+
+Deprecations are announced in the Kubernetes release notes. You can see the
+announcements of pending deprecations in the release notes for:
+-->
+## 了解更多   {#want-to-know-more}
+
+Kubernetes 发行说明中宣告了弃用信息。你可以在以下版本的发行说明中看到待弃用的公告：
+
+- [Kubernetes v1.23](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#deprecation)
+
+- [Kubernetes v1.24](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#deprecation)
+
+- [Kubernetes v1.25](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#deprecation)
+
+- [Kubernetes v1.26](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#deprecation)
+
+<!--
+We will formally announce the deprecations that come with
+[Kubernetes v1.27](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#deprecation)
+as part of the CHANGELOG for that release.
+-->
+我们将在
+[Kubernetes v1.27](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#deprecation)
+的 CHANGELOG 中正式宣布该版本的弃用信息。
+
+<!--
+For information on the process of deprecation and removal, check out the official Kubernetes
+[deprecation policy](/docs/reference/using-api/deprecation-policy/#deprecating-parts-of-the-api) document.
+-->
+有关弃用和移除流程信息，请查阅正式的
+[Kubernetes 弃用策略](/zh-cn/docs/reference/using-api/deprecation-policy/#deprecating-parts-of-the-api)文档。

From f3a1ba53a4f578e0ce9cebc8fcc63d46c04e28b7 Mon Sep 17 00:00:00 2001
From: Arhell <arhell333@gmail.com>
Date: Mon, 20 Mar 2023 01:45:59 +0200
Subject: [PATCH 193/215] [de] update hugo config file

---
 content/de/docs/contribute/localization.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/de/docs/contribute/localization.md b/content/de/docs/contribute/localization.md
index 828865d5f59ad..64a68ef22b42d 100644
--- a/content/de/docs/contribute/localization.md
+++ b/content/de/docs/contribute/localization.md
@@ -81,9 +81,9 @@ Du kannst auch einen Slack-Kanal für deine Lokalisierung im `kubernetes/communi
 
 ### Ändere die Website-Konfiguration
 
-Die Kubernetes-Website  verwendet Hugo als Web-Framework. Die Hugo-Konfiguration der Website befindet sich in der Datei [`config.toml`](https://github.com/kubernetes/website/tree/master/config.toml). Um eine neue Lokalisierung zu unterstützen, musst du die Datei `config.toml` modifizieren.
+Die Kubernetes-Website  verwendet Hugo als Web-Framework. Die Hugo-Konfiguration der Website befindet sich in der Datei [`hugo.toml`](https://github.com/kubernetes/website/tree/master/hugo.toml). Um eine neue Lokalisierung zu unterstützen, musst du die Datei `hugo.toml` modifizieren.
 
-Dazu fügst du einen neuen Block für die neue Sprache unter den bereits existierenden `[languages]` Block in das `config.toml` ein, wie folgendes Beispiel zeigt:
+Dazu fügst du einen neuen Block für die neue Sprache unter den bereits existierenden `[languages]` Block in das `hugo.toml` ein, wie folgendes Beispiel zeigt:
 
 ```toml
 [languages.de]

From 8f83ccd807ce8454c28b4316fab0beba71e143c7 Mon Sep 17 00:00:00 2001
From: WanJie <webmaster@wanjie.info>
Date: Mon, 20 Mar 2023 09:12:12 +0800
Subject: [PATCH 194/215] Update
 content/zh-cn/docs/concepts/workloads/pods/pod-lifecycle.md

Co-authored-by: Qiming Teng <tengqm@outlook.com>
---
 content/zh-cn/docs/concepts/workloads/pods/pod-lifecycle.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/zh-cn/docs/concepts/workloads/pods/pod-lifecycle.md b/content/zh-cn/docs/concepts/workloads/pods/pod-lifecycle.md
index 2c260f70fd859..b944e99b70975 100644
--- a/content/zh-cn/docs/concepts/workloads/pods/pod-lifecycle.md
+++ b/content/zh-cn/docs/concepts/workloads/pods/pod-lifecycle.md
@@ -922,7 +922,7 @@ An example flow:
    -->
    如果你的集群中没有启用 EndpointSliceTerminatingCondition 特性门控
    （该门控从 Kubernetes 1.22 开始默认开启，在 1.26 中锁定为默认），
-   那么一旦 Pod 的终止宽限期开始，Kubernetes 控制平面就会从任何相关 EndpointSlices 中移除 Pod。
+   那么一旦 Pod 的终止宽限期开始，Kubernetes 控制平面就会从所有的相关 EndpointSlices 中移除 Pod。
    上述行为是在 EndpointSliceTerminatingCondition 特性门控被启用时描述的。
    {{</note>}}
 

From 434469c0848f193f88aacffdd12d18f50e5ec25e Mon Sep 17 00:00:00 2001
From: Yash Pimple <97302447+YashPimple@users.noreply.github.com>
Date: Mon, 20 Mar 2023 07:57:16 +0530
Subject: [PATCH 195/215] Updated docs for EndpointSliceTerminatingCondition
 (#38701)

* Rebased issue #38390

* Updated endpoint-slices.md

Resolved issue #38701

* Updated endpoint-slice.md

* endpoint-slice.md

* New endpoint-slice.md file

* Updated endpoint-slice.md
---
 .../en/docs/concepts/services-networking/endpoint-slices.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/content/en/docs/concepts/services-networking/endpoint-slices.md b/content/en/docs/concepts/services-networking/endpoint-slices.md
index 30fbb4ae5bf1d..985e9e6c81e6c 100644
--- a/content/en/docs/concepts/services-networking/endpoint-slices.md
+++ b/content/en/docs/concepts/services-networking/endpoint-slices.md
@@ -96,10 +96,10 @@ Services will always have the `ready` condition set to `true`.
 
 #### Serving
 
-{{< feature-state for_k8s_version="v1.22" state="beta" >}}
+{{< feature-state for_k8s_version="v1.26" state="stable" >}}
 
-`serving` is identical to the `ready` condition, except it does not account for terminating states.
-Consumers of the EndpointSlice API should check this condition if they care about pod readiness while
+The `serving` condition is almost identical to the `ready` condition. The difference is that
+consumers of the EndpointSlice API should check the `serving` condition if they care about pod readiness while
 the pod is also terminating.
 
 {{< note >}}

From c1562e566ed8ce7948229f62477fffd7b5933ff2 Mon Sep 17 00:00:00 2001
From: windsonsea <haifeng.yao@daocloud.io>
Date: Mon, 20 Mar 2023 10:08:40 +0800
Subject: [PATCH 196/215] [zh] sync
 /command-line-tools-reference/kube-apiserver.md

---
 .../kube-apiserver.md                         | 227 ++++++++++--------
 1 file changed, 129 insertions(+), 98 deletions(-)

diff --git a/content/zh-cn/docs/reference/command-line-tools-reference/kube-apiserver.md b/content/zh-cn/docs/reference/command-line-tools-reference/kube-apiserver.md
index 03e73de4ac877..e3ac50b7ccf2a 100644
--- a/content/zh-cn/docs/reference/command-line-tools-reference/kube-apiserver.md
+++ b/content/zh-cn/docs/reference/command-line-tools-reference/kube-apiserver.md
@@ -75,6 +75,20 @@ the host's default interface will be used.
 </td>
 </tr>
 
+<tr>
+<td colspan="2">--aggregator-reject-forwarding-redirect&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：true</td>
+</tr>
+<tr>
+<td>
+</td>
+<td style="line-height: 130%; word-wrap: break-word;">
+<!--
+Aggregator reject forwarding redirect response back to client.
+-->
+<p>聚合器拒绝将重定向响应转发回客户端。</p>
+</td>
+</tr>
+
 <tr>
 <td colspan="2">--allow-metric-labels stringToString&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：[]</td>
 </tr>
@@ -833,15 +847,21 @@ Number of workers spawned for DeleteCollection call. These are used to speed up
 <tr>
 <td colspan="2">--disable-admission-plugins strings</td>
 </tr>
-<tr>
 
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<tr>
+<td>
+</td>
+<td style="line-height: 130%; word-wrap: break-word;">
 <!--
-<p>admission plugins that should be disabled although they are in the default enabled plugins list (NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, PodSecurity, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, RuntimeClass, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, ResourceQuota). Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyServiceExternalIPs, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodSecurity, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook. The order of plugins in this flag does not matter.</p>
+admission plugins that should be disabled although they are in the default enabled plugins list (NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, PodSecurity, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, RuntimeClass, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, MutatingAdmissionWebhook, ValidatingAdmissionPolicy, ValidatingAdmissionWebhook, ResourceQuota).
+Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyServiceExternalIPs, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodSecurity, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionPolicy, ValidatingAdmissionWebhook.
+The order of plugins in this flag does not matter.
 -->
-<p>尽管位于默认启用的插件列表中（NamespaceLifecycle、LimitRanger、ServiceAccount、TaintNodesByCondition、PodSecurity、Priority、DefaultTolerationSeconds、DefaultStorageClass、StorageObjectInUseProtection、PersistentVolumeClaimResize、RuntimeClass、CertificateApproval、CertificateSigning、CertificateSubjectRestriction、DefaultIngressClass、MutatingAdmissionWebhook、ValidatingAdmissionWebhook、ResourceQuota）仍须被禁用的插件。
-<br/>取值为逗号分隔的准入插件列表：AlwaysAdmit、AlwaysDeny、AlwaysPullImages、CertificateApproval、CertificateSigning、CertificateSubjectRestriction、DefaultIngressClass、DefaultStorageClass、DefaultTolerationSeconds、DenyServiceExternalIPs、EventRateLimit、ExtendedResourceToleration、ImagePolicyWebhook、LimitPodHardAntiAffinityTopology、LimitRanger、MutatingAdmissionWebhook、NamespaceAutoProvision、NamespaceExists、NamespaceLifecycle、NodeRestriction、OwnerReferencesPermissionEnforcement、PersistentVolumeClaimResize、PersistentVolumeLabel、PodNodeSelector、PodSecurity、PodTolerationRestriction、Priority、ResourceQuota、RuntimeClass、SecurityContextDeny、ServiceAccount、StorageObjectInUseProtection、TaintNodesByCondition、ValidatingAdmissionWebhook。
-<br/>该标志中插件的顺序无关紧要。</p>
+<p>
+尽管位于默认启用的插件列表中，仍须被禁用的准入插件（NamespaceLifecycle、LimitRanger、ServiceAccount、TaintNodesByCondition、PodSecurity、Priority、DefaultTolerationSeconds、DefaultStorageClass、StorageObjectInUseProtection、PersistentVolumeClaimResize、RuntimeClass、CertificateApproval、CertificateSigning、CertificateSubjectRestriction、DefaultIngressClass、MutatingAdmissionWebhook、ValidatingAdmissionPolicy、ValidatingAdmissionWebhook、ResourceQuota）。
+取值为逗号分隔的准入插件列表：AlwaysAdmit、AlwaysDeny、AlwaysPullImages、CertificateApproval、CertificateSigning、CertificateSubjectRestriction、DefaultIngressClass、DefaultStorageClass、DefaultTolerationSeconds、DenyServiceExternalIPs、EventRateLimit、ExtendedResourceToleration、ImagePolicyWebhook、LimitPodHardAntiAffinityTopology、LimitRanger、MutatingAdmissionWebhook、NamespaceAutoProvision、NamespaceExists、NamespaceLifecycle、NodeRestriction、OwnerReferencesPermissionEnforcement、PersistentVolumeClaimResize、PersistentVolumeLabel、PodNodeSelector、PodSecurity、PodTolerationRestriction、Priority、ResourceQuota、RuntimeClass、SecurityContextDeny、ServiceAccount、StorageObjectInUseProtection、TaintNodesByCondition、ValidatingAdmissionPolicy、ValidatingAdmissionWebhook。
+该标志中插件的顺序无关紧要。
+</p>
 </td>
 </tr>
 
@@ -874,14 +894,18 @@ File with apiserver egress selector configuration.
 <tr>
 <td colspan="2">--enable-admission-plugins strings</td>
 </tr>
+
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<td>
+</td>
+<td style="line-height: 130%; word-wrap: break-word;">
 <!--
-<p>admission plugins that should be enabled in addition to default enabled ones (NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, PodSecurity, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, RuntimeClass, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, ResourceQuota). Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyServiceExternalIPs, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodSecurity, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook. The order of plugins in this flag does not matter.</p>
+admission plugins that should be enabled in addition to default enabled ones (NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, PodSecurity, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, RuntimeClass, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, MutatingAdmissionWebhook, ValidatingAdmissionPolicy, ValidatingAdmissionWebhook, ResourceQuota). Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyServiceExternalIPs, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodSecurity, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionPolicy, ValidatingAdmissionWebhook. The order of plugins in this flag does not matter.
 -->
-<p>除了默认启用的插件（NamespaceLifecycle、LimitRanger、ServiceAccount、TaintNodesByCondition、PodSecurity、Priority、DefaultTolerationSeconds、DefaultStorageClass、StorageObjectInUseProtection、PersistentVolumeClaimResize、RuntimeClass、CertificateApproval、CertificateSigning、CertificateSubjectRestriction、DefaultIngressClass、MutatingAdmissionWebhook、ValidatingAdmissionWebhook、ResourceQuota）之外要启用的插件
-</br>取值为逗号分隔的准入插件列表：AlwaysAdmit、AlwaysDeny、AlwaysPullImages、CertificateApproval、CertificateSigning、CertificateSubjectRestriction、DefaultIngressClass、DefaultStorageClass、DefaultTolerationSeconds、DenyServiceExternalIPs、EventRateLimit、ExtendedResourceToleration、ImagePolicyWebhook、LimitPodHardAntiAffinityTopology、LimitRanger、MutatingAdmissionWebhook、NamespaceAutoProvision、NamespaceExists、NamespaceLifecycle、NodeRestriction、OwnerReferencesPermissionEnforcement、PersistentVolumeClaimResize、PersistentVolumeLabel、PodNodeSelector、PodSecurity、PodTolerationRestriction、Priority、ResourceQuota、RuntimeClass、SecurityContextDeny、ServiceAccount、StorageObjectInUseProtection、TaintNodesByCondition、ValidatingAdmissionWebhook</p>
-<br/>该标志中插件的顺序无关紧要。
+<p>
+除了默认启用的插件（NamespaceLifecycle、LimitRanger、ServiceAccount、TaintNodesByCondition、PodSecurity、Priority、DefaultTolerationSeconds、DefaultStorageClass、StorageObjectInUseProtection、PersistentVolumeClaimResize、RuntimeClass、CertificateApproval、CertificateSigning、CertificateSubjectRestriction、DefaultIngressClass、MutatingAdmissionWebhook、ValidatingAdmissionPolicy、ValidatingAdmissionWebhook、ResourceQuota）之外要启用的准入插件。
+取值为逗号分隔的准入插件列表：AlwaysAdmit、AlwaysDeny、AlwaysPullImages、CertificateApproval、CertificateSigning、CertificateSubjectRestriction、DefaultIngressClass、DefaultStorageClass、DefaultTolerationSeconds、DenyServiceExternalIPs、EventRateLimit、ExtendedResourceToleration、ImagePolicyWebhook、LimitPodHardAntiAffinityTopology、LimitRanger、MutatingAdmissionWebhook、NamespaceAutoProvision、NamespaceExists、NamespaceLifecycle、NodeRestriction、OwnerReferencesPermissionEnforcement、PersistentVolumeClaimResize、PersistentVolumeLabel、PodNodeSelector、PodSecurity、PodTolerationRestriction、Priority、ResourceQuota、RuntimeClass、SecurityContextDeny、ServiceAccount、StorageObjectInUseProtection、TaintNodesByCondition、ValidatingAdmissionPolicy、ValidatingAdmissionWebhook。该标志中插件的顺序无关紧要。
+</p>
 </td>
 </tr>
 
@@ -951,6 +975,23 @@ The file containing configuration for encryption providers to be used for storin
 </td>
 </tr>
 
+<tr>
+<td colspan="2">--encryption-provider-config-automatic-reload</td>
+</tr>
+<tr>
+<td>
+</td>
+<td style="line-height: 130%; word-wrap: break-word;">
+<!--
+Determines if the file set by --encryption-provider-config should be automatically reloaded if the disk contents change. Setting this to true disables the ability to uniquely identify distinct KMS plugins via the API server healthz endpoints.
+-->
+<p>
+确定由 --encryption-provider-config 设置的文件是否应在磁盘内容更改时自动重新加载。
+将此标志设置为 true 将禁用通过 API 服务器 healthz 端点来唯一地标识不同 KMS 插件的能力。
+</p>
+</td>
+</tr>
+
 <tr>
 <td colspan="2">--endpoint-reconciler-type string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值："lease"</td>
 </tr>
@@ -1140,44 +1181,47 @@ comma-separated 'key=True|False' pairs
 -->
 逗号分隔的 'key=True|False' 键值对&gt;</td>
 </tr>
+
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<td>
+</td>
+<td style="line-height: 130%; word-wrap: break-word;">
 <!--
-A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:<br>
+A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:<br/>
 APIListChunking=true|false (BETA - default=true)<br/>
 APIPriorityAndFairness=true|false (BETA - default=true)<br/>
 APIResponseCompression=true|false (BETA - default=true)<br/>
-APIServerIdentity=true|false (ALPHA - default=false)<br/>
+APISelfSubjectReview=true|false (ALPHA - default=false)<br/>
+APIServerIdentity=true|false (BETA - default=true)<br/>
 APIServerTracing=true|false (ALPHA - default=false)<br/>
+AggregatedDiscoveryEndpoint=true|false (ALPHA - default=false)<br/>
 AllAlpha=true|false (ALPHA - default=false)<br/>
 AllBeta=true|false (BETA - default=false)<br/>
 AnyVolumeDataSource=true|false (BETA - default=true)<br/>
 AppArmor=true|false (BETA - default=true)<br/>
-CPUManager=true|false (BETA - default=true)<br/>
 CPUManagerPolicyAlphaOptions=true|false (ALPHA - default=false)<br/>
 CPUManagerPolicyBetaOptions=true|false (BETA - default=true)<br/>
 CPUManagerPolicyOptions=true|false (BETA - default=true)<br/>
-CSIMigrationAzureFile=true|false (BETA - default=true)<br/>
 CSIMigrationPortworx=true|false (BETA - default=false)<br/>
 CSIMigrationRBD=true|false (ALPHA - default=false)<br/>
-CSIMigrationvSphere=true|false (BETA - default=true)<br/>
 CSINodeExpandSecret=true|false (ALPHA - default=false)<br/>
 CSIVolumeHealth=true|false (ALPHA - default=false)<br/>
+ComponentSLIs=true|false (ALPHA - default=false)<br/>
 ContainerCheckpoint=true|false (ALPHA - default=false)<br/>
 ContextualLogging=true|false (ALPHA - default=false)<br/>
 CronJobTimeZone=true|false (BETA - default=true)<br/>
+CrossNamespaceVolumeDataSource=true|false (ALPHA - default=false)<br/>
 CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)<br/>
 CustomResourceValidationExpressions=true|false (BETA - default=true)<br/>
-DelegateFSGroupToCSIDriver=true|false (BETA - default=true)<br/>
-DevicePlugins=true|false (BETA - default=true)<br/>
 DisableCloudProviders=true|false (ALPHA - default=false)<br/>
 DisableKubeletCloudCredentialProviders=true|false (ALPHA - default=false)<br/>
 DownwardAPIHugePages=true|false (BETA - default=true)<br/>
-EndpointSliceTerminatingCondition=true|false (BETA - default=true)<br/>
-ExpandedDNSConfig=true|false (ALPHA - default=false)<br/>
+DynamicResourceAllocation=true|false (ALPHA - default=false)<br/>
+EventedPLEG=true|false (ALPHA - default=false)<br/>
+ExpandedDNSConfig=true|false (BETA - default=true)<br/>
 ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)<br/>
 GRPCContainerProbe=true|false (BETA - default=true)<br/>
-GracefulNodeShutdown=true|false (BETA - default=true)<br/>
+GracefulNodeShutdown=true|false (BETA - default=true)
 GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - default=true)<br/>
 HPAContainerMetrics=true|false (ALPHA - default=false)<br/>
 HPAScaleToZero=true|false (ALPHA - default=false)<br/>
@@ -1192,17 +1236,15 @@ InTreePluginPortworxUnregister=true|false (ALPHA - default=false)<br/>
 InTreePluginRBDUnregister=true|false (ALPHA - default=false)<br/>
 InTreePluginvSphereUnregister=true|false (ALPHA - default=false)<br/>
 JobMutableNodeSchedulingDirectives=true|false (BETA - default=true)<br/>
-JobPodFailurePolicy=true|false (ALPHA - default=false)<br/>
+JobPodFailurePolicy=true|false (BETA - default=true)<br/>
 JobReadyPods=true|false (BETA - default=true)<br/>
-JobTrackingWithFinalizers=true|false (BETA - default=true)<br/>
 KMSv2=true|false (ALPHA - default=false)<br/>
-KubeletCredentialProviders=true|false (BETA - default=true)<br/>
 KubeletInUserNamespace=true|false (ALPHA - default=false)<br/>
 KubeletPodResources=true|false (BETA - default=true)<br/>
 KubeletPodResourcesGetAllocatable=true|false (BETA - default=true)<br/>
 KubeletTracing=true|false (ALPHA - default=false)<br/>
-LegacyServiceAccountTokenNoAutoGeneration=true|false (BETA - default=true)<br/>
-LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (BETA - default=true)<br/>
+LegacyServiceAccountTokenTracking=true|false (ALPHA - default=false)<br/>
+LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)<br/>
 LogarithmicScaleDown=true|false (BETA - default=true)<br/>
 LoggingAlphaOptions=true|false (ALPHA - default=false)<br/>
 LoggingBetaOptions=true|false (BETA - default=true)<br/>
@@ -1211,79 +1253,85 @@ MaxUnavailableStatefulSet=true|false (ALPHA - default=false)<br/>
 MemoryManager=true|false (BETA - default=true)<br/>
 MemoryQoS=true|false (ALPHA - default=false)<br/>
 MinDomainsInPodTopologySpread=true|false (BETA - default=false)<br/>
-MixedProtocolLBService=true|false (BETA - default=true)<br/>
+MinimizeIPTablesRestore=true|false (ALPHA - default=false)<br/>
 MultiCIDRRangeAllocator=true|false (ALPHA - default=false)<br/>
 NetworkPolicyStatus=true|false (ALPHA - default=false)<br/>
-NodeInclusionPolicyInPodTopologySpread=true|false (ALPHA - default=false)<br/>
-NodeOutOfServiceVolumeDetach=true|false (ALPHA - default=false)<br/>
+NodeInclusionPolicyInPodTopologySpread=true|false (BETA - default=true)<br/>
+NodeOutOfServiceVolumeDetach=true|false (BETA - default=true)<br/>
 NodeSwap=true|false (ALPHA - default=false)<br/>
 OpenAPIEnums=true|false (BETA - default=true)<br/>
 OpenAPIV3=true|false (BETA - default=true)<br/>
+PDBUnhealthyPodEvictionPolicy=true|false (ALPHA - default=false)<br/>
 PodAndContainerStatsFromCRI=true|false (ALPHA - default=false)<br/>
 PodDeletionCost=true|false (BETA - default=true)<br/>
-PodDisruptionConditions=true|false (ALPHA - default=false)<br/>
+PodDisruptionConditions=true|false (BETA - default=true)<br/>
 PodHasNetworkCondition=true|false (ALPHA - default=false)<br/>
+PodSchedulingReadiness=true|false (ALPHA - default=false)<br/>
 ProbeTerminationGracePeriod=true|false (BETA - default=true)<br/>
 ProcMountType=true|false (ALPHA - default=false)<br/>
-ProxyTerminatingEndpoints=true|false (ALPHA - default=false)<br/>
+ProxyTerminatingEndpoints=true|false (BETA - default=true)<br/>
 QOSReserved=true|false (ALPHA - default=false)<br/>
 ReadWriteOncePod=true|false (ALPHA - default=false)<br/>
 RecoverVolumeExpansionFailure=true|false (ALPHA - default=false)<br/>
 RemainingItemCount=true|false (BETA - default=true)<br/>
-RetroactiveDefaultStorageClass=true|false (ALPHA - default=false)<br/>
+RetroactiveDefaultStorageClass=true|false (BETA - default=true)<br/>
 RotateKubeletServerCertificate=true|false (BETA - default=true)<br/>
 SELinuxMountReadWriteOncePod=true|false (ALPHA - default=false)<br/>
 SeccompDefault=true|false (BETA - default=true)<br/>
 ServerSideFieldValidation=true|false (BETA - default=true)<br/>
-ServiceIPStaticSubrange=true|false (BETA - default=true)<br/>
-ServiceInternalTrafficPolicy=true|false (BETA - default=true)<br/>
 SizeMemoryBackedVolumes=true|false (BETA - default=true)<br/>
 StatefulSetAutoDeletePVC=true|false (ALPHA - default=false)<br/>
+StatefulSetStartOrdinal=true|false (ALPHA - default=false)<br/>
 StorageVersionAPI=true|false (ALPHA - default=false)<br/>
 StorageVersionHash=true|false (BETA - default=true)<br/>
 TopologyAwareHints=true|false (BETA - default=true)<br/>
 TopologyManager=true|false (BETA - default=true)<br/>
+TopologyManagerPolicyAlphaOptions=true|false (ALPHA - default=false)<br/>
+TopologyManagerPolicyBetaOptions=true|false (BETA - default=false)<br/>
+TopologyManagerPolicyOptions=true|false (ALPHA - default=false)<br/>
 UserNamespacesStatelessPodsSupport=true|false (ALPHA - default=false)<br/>
+ValidatingAdmissionPolicy=true|false (ALPHA - default=false)<br/>
 VolumeCapacityPriority=true|false (ALPHA - default=false)<br/>
 WinDSR=true|false (ALPHA - default=false)<br/>
 WinOverlay=true|false (BETA - default=true)<br/>
-WindowsHostProcessContainers=true|false (BETA - default=true)
+WindowsHostNetwork=true|false (ALPHA - default=true)
 -->
-<p>一组 key=value 对，用来描述测试性/试验性功能的特性门控。可选项有：<br/>
+<p>
+一组 key=value 对，用来描述测试性/试验性功能的特性门控。可选项有：<br/>
 APIListChunking=true|false (BETA - 默认值=true)<br/>
 APIPriorityAndFairness=true|false (BETA - 默认值=true)<br/>
 APIResponseCompression=true|false (BETA - 默认值=true)<br/>
-APIServerIdentity=true|false (ALPHA - 默认值=false)<br/>
+APISelfSubjectReview=true|false (ALPHA - 默认值=false)<br/>
+APIServerIdentity=true|false (BETA - 默认值=true)<br/>
 APIServerTracing=true|false (ALPHA - 默认值=false)<br/>
+AggregatedDiscoveryEndpoint=true|false (ALPHA - 默认值=false)<br/>
 AllAlpha=true|false (ALPHA - 默认值=false)<br/>
 AllBeta=true|false (BETA - 默认值=false)<br/>
 AnyVolumeDataSource=true|false (BETA - 默认值=true)<br/>
 AppArmor=true|false (BETA - 默认值=true)<br/>
-CPUManager=true|false (BETA - 默认值=true)<br/>
 CPUManagerPolicyAlphaOptions=true|false (ALPHA - 默认值=false)<br/>
 CPUManagerPolicyBetaOptions=true|false (BETA - 默认值=true)<br/>
 CPUManagerPolicyOptions=true|false (BETA - 默认值=true)<br/>
-CSIMigrationAzureFile=true|false (BETA - 默认值=true)<br/>
 CSIMigrationPortworx=true|false (BETA - 默认值=false)<br/>
 CSIMigrationRBD=true|false (ALPHA - 默认值=false)<br/>
-CSIMigrationvSphere=true|false (BETA - 默认值=true)<br/>
 CSINodeExpandSecret=true|false (ALPHA - 默认值=false)<br/>
 CSIVolumeHealth=true|false (ALPHA - 默认值=false)<br/>
+ComponentSLIs=true|false (ALPHA - 默认值=false)<br/>
 ContainerCheckpoint=true|false (ALPHA - 默认值=false)<br/>
 ContextualLogging=true|false (ALPHA - 默认值=false)<br/>
 CronJobTimeZone=true|false (BETA - 默认值=true)<br/>
+CrossNamespaceVolumeDataSource=true|false (ALPHA - 默认值=false)<br/>
 CustomCPUCFSQuotaPeriod=true|false (ALPHA - 默认值=false)<br/>
 CustomResourceValidationExpressions=true|false (BETA - 默认值=true)<br/>
-DelegateFSGroupToCSIDriver=true|false (BETA - 默认值=true)<br/>
-DevicePlugins=true|false (BETA - 默认值=true)<br/>
 DisableCloudProviders=true|false (ALPHA - 默认值=false)<br/>
 DisableKubeletCloudCredentialProviders=true|false (ALPHA - 默认值=false)<br/>
 DownwardAPIHugePages=true|false (BETA - 默认值=true)<br/>
-EndpointSliceTerminatingCondition=true|false (BETA - 默认值=true)<br/>
-ExpandedDNSConfig=true|false (ALPHA - 默认值=false)<br/>
-ExperimentalHostUserNamespace默认值ing=true|false (BETA - 默认值=false)<br/>
+DynamicResourceAllocation=true|false (ALPHA - 默认值=false)<br/>
+EventedPLEG=true|false (ALPHA - 默认值=false)<br/>
+ExpandedDNSConfig=true|false (BETA - 默认值=true)<br/>
+ExperimentalHostUserNamespaceDefaulting=true|false (BETA - 默认值=false)<br/>
 GRPCContainerProbe=true|false (BETA - 默认值=true)<br/>
-GracefulNodeShutdown=true|false (BETA - 默认值=true)<br/>
+GracefulNodeShutdown=true|false (BETA - 默认值=true)
 GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - 默认值=true)<br/>
 HPAContainerMetrics=true|false (ALPHA - 默认值=false)<br/>
 HPAScaleToZero=true|false (ALPHA - 默认值=false)<br/>
@@ -1298,17 +1346,15 @@ InTreePluginPortworxUnregister=true|false (ALPHA - 默认值=false)<br/>
 InTreePluginRBDUnregister=true|false (ALPHA - 默认值=false)<br/>
 InTreePluginvSphereUnregister=true|false (ALPHA - 默认值=false)<br/>
 JobMutableNodeSchedulingDirectives=true|false (BETA - 默认值=true)<br/>
-JobPodFailurePolicy=true|false (ALPHA - 默认值=false)<br/>
+JobPodFailurePolicy=true|false (BETA - 默认值=true)<br/>
 JobReadyPods=true|false (BETA - 默认值=true)<br/>
-JobTrackingWithFinalizers=true|false (BETA - 默认值=true)<br/>
 KMSv2=true|false (ALPHA - 默认值=false)<br/>
-KubeletCredentialProviders=true|false (BETA - 默认值=true)<br/>
 KubeletInUserNamespace=true|false (ALPHA - 默认值=false)<br/>
 KubeletPodResources=true|false (BETA - 默认值=true)<br/>
 KubeletPodResourcesGetAllocatable=true|false (BETA - 默认值=true)<br/>
 KubeletTracing=true|false (ALPHA - 默认值=false)<br/>
-LegacyServiceAccountTokenNoAutoGeneration=true|false (BETA - 默认值=true)<br/>
-LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (BETA - 默认值=true)<br/>
+LegacyServiceAccountTokenTracking=true|false (ALPHA - 默认值=false)<br/>
+LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - 默认值=false)<br/>
 LogarithmicScaleDown=true|false (BETA - 默认值=true)<br/>
 LoggingAlphaOptions=true|false (ALPHA - 默认值=false)<br/>
 LoggingBetaOptions=true|false (BETA - 默认值=true)<br/>
@@ -1317,43 +1363,49 @@ MaxUnavailableStatefulSet=true|false (ALPHA - 默认值=false)<br/>
 MemoryManager=true|false (BETA - 默认值=true)<br/>
 MemoryQoS=true|false (ALPHA - 默认值=false)<br/>
 MinDomainsInPodTopologySpread=true|false (BETA - 默认值=false)<br/>
-MixedProtocolLBService=true|false (BETA - 默认值=true)<br/>
+MinimizeIPTablesRestore=true|false (ALPHA - 默认值=false)<br/>
 MultiCIDRRangeAllocator=true|false (ALPHA - 默认值=false)<br/>
 NetworkPolicyStatus=true|false (ALPHA - 默认值=false)<br/>
-NodeInclusionPolicyInPodTopologySpread=true|false (ALPHA - 默认值=false)<br/>
-NodeOutOfServiceVolumeDetach=true|false (ALPHA - 默认值=false)<br/>
+NodeInclusionPolicyInPodTopologySpread=true|false (BETA - 默认值=true)<br/>
+NodeOutOfServiceVolumeDetach=true|false (BETA - 默认值=true)<br/>
 NodeSwap=true|false (ALPHA - 默认值=false)<br/>
 OpenAPIEnums=true|false (BETA - 默认值=true)<br/>
 OpenAPIV3=true|false (BETA - 默认值=true)<br/>
+PDBUnhealthyPodEvictionPolicy=true|false (ALPHA - 默认值=false)<br/>
 PodAndContainerStatsFromCRI=true|false (ALPHA - 默认值=false)<br/>
 PodDeletionCost=true|false (BETA - 默认值=true)<br/>
-PodDisruptionConditions=true|false (ALPHA - 默认值=false)<br/>
+PodDisruptionConditions=true|false (BETA - 默认值=true)<br/>
 PodHasNetworkCondition=true|false (ALPHA - 默认值=false)<br/>
+PodSchedulingReadiness=true|false (ALPHA - 默认值=false)<br/>
 ProbeTerminationGracePeriod=true|false (BETA - 默认值=true)<br/>
 ProcMountType=true|false (ALPHA - 默认值=false)<br/>
-ProxyTerminatingEndpoints=true|false (ALPHA - 默认值=false)<br/>
+ProxyTerminatingEndpoints=true|false (BETA - 默认值=true)<br/>
 QOSReserved=true|false (ALPHA - 默认值=false)<br/>
 ReadWriteOncePod=true|false (ALPHA - 默认值=false)<br/>
 RecoverVolumeExpansionFailure=true|false (ALPHA - 默认值=false)<br/>
 RemainingItemCount=true|false (BETA - 默认值=true)<br/>
-Retroactive默认值StorageClass=true|false (ALPHA - 默认值=false)<br/>
+RetroactiveDefaultStorageClass=true|false (BETA - 默认值=true)<br/>
 RotateKubeletServerCertificate=true|false (BETA - 默认值=true)<br/>
 SELinuxMountReadWriteOncePod=true|false (ALPHA - 默认值=false)<br/>
-Seccomp默认值=true|false (BETA - 默认值=true)<br/>
+SeccompDefault=true|false (BETA - 默认值=true)<br/>
 ServerSideFieldValidation=true|false (BETA - 默认值=true)<br/>
-ServiceIPStaticSubrange=true|false (BETA - 默认值=true)<br/>
-ServiceInternalTrafficPolicy=true|false (BETA - 默认值=true)<br/>
 SizeMemoryBackedVolumes=true|false (BETA - 默认值=true)<br/>
 StatefulSetAutoDeletePVC=true|false (ALPHA - 默认值=false)<br/>
+StatefulSetStartOrdinal=true|false (ALPHA - 默认值=false)<br/>
 StorageVersionAPI=true|false (ALPHA - 默认值=false)<br/>
 StorageVersionHash=true|false (BETA - 默认值=true)<br/>
 TopologyAwareHints=true|false (BETA - 默认值=true)<br/>
 TopologyManager=true|false (BETA - 默认值=true)<br/>
+TopologyManagerPolicyAlphaOptions=true|false (ALPHA - 默认值=false)<br/>
+TopologyManagerPolicyBetaOptions=true|false (BETA - 默认值=false)<br/>
+TopologyManagerPolicyOptions=true|false (ALPHA - 默认值=false)<br/>
 UserNamespacesStatelessPodsSupport=true|false (ALPHA - 默认值=false)<br/>
+ValidatingAdmissionPolicy=true|false (ALPHA - 默认值=false)<br/>
 VolumeCapacityPriority=true|false (ALPHA - 默认值=false)<br/>
 WinDSR=true|false (ALPHA - 默认值=false)<br/>
 WinOverlay=true|false (BETA - 默认值=true)<br/>
-WindowsHostProcessContainers=true|false (BETA - 默认值=true)</p>
+WindowsHostNetwork=true|false (ALPHA - 默认值=true)
+</p>
 </td>
 </tr>
 
@@ -1407,32 +1459,6 @@ of streams in an HTTP/2 connection. Zero means to use golang's default.
 </td>
 </tr>
 
-<tr>
-<td colspan="2">--identity-lease-duration-seconds int&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：3600</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-The duration of kube-apiserver lease in seconds, must be a positive number. (In use when the APIServerIdentity feature gate is enabled.)
--->
-kube-apiserver 租约时长（按秒计），必须是正数。
-（当 APIServerIdentity 特性门控被启用时使用此标志值）
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--identity-lease-renew-interval-seconds int&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：10</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-The interval of kube-apiserver renewing its lease in seconds, must be a positive number. (In use when the APIServerIdentity feature gate is enabled.)
--->
-kube-apiserver 对其租约进行续期的时间间隔（按秒计），必须是正数。
-（当 APIServerIdentity 特性门控被启用时使用此标志值）
-</td>
-</tr>
-
 <tr>
 <td colspan="2">--kubelet-certificate-authority string</td>
 </tr>
@@ -1556,13 +1582,15 @@ Maximum number of seconds between log flushes
 <td colspan="2">--logging-format string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值："text"</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<td>
+</td>
+<td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Sets the log format. Permitted formats: &quot;text&quot;.<br/>Non-default formats don't honor these flags: --add-dir-header, --alsologtostderr, --log-backtrace-at, --log-dir, --log-file, --log-file-max-size, --logtostderr, --one-output, --skip-headers, --skip-log-headers, --stderrthreshold, --vmodule.<br/>Non-default choices are currently alpha and subject to change without warning.
+Sets the log format. Permitted formats: &quot;text&quot;.
 -->
-设置日志格式。允许的格式：&quot;text&quot;。<br/>
-非默认格式不支持以下标志：<code>--add-dir-header</code>、<code>--alsologtostderr</code>、<code>--log-backtrace-at</code>、<code>--log-dir</code>、<code>--log-file</code>、<code>--log-file-max-size</code>、<code>--logtostderr</code>、<code>--one-output</code>、<code>-skip-headers</code>、<code>-skip-log-headers</code>、<code>--stderrthreshold</code>、<code>-vmodule</code>。<br/>
-当前非默认选择为 alpha，会随时更改而不会发出警告。
+<p>
+设置日志格式。允许的格式：&quot;text&quot;。
+</p>
 </td>
 </tr>
 
@@ -2202,13 +2230,16 @@ The storage backend for persistence. Options: 'etcd3' (default).
 <td colspan="2">--storage-media-type string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值："application/vnd.kubernetes.protobuf"</td>
 </tr>
 <tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<td>
+</td>
+<td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The media type to use to store objects in storage. 
-Some resources or storage backends may only support a specific media type and will ignore this setting.
+The media type to use to store objects in storage. Some resources or storage backends may only support a specific media type and will ignore this setting. Supported media types: [application/json, application/yaml, application/vnd.kubernetes.protobuf]
 -->
-用于在存储中存储对象的媒体类型。
-某些资源或存储后端可能仅支持特定的媒体类型，并且将忽略此设置。
+<p>
+用于在存储中存储对象的媒体类型。某些资源或存储后端可能仅支持特定的媒体类型，并且将忽略此设置。
+支持的媒体类型：[application/json, application/yaml, application/vnd.kubernetes.protobuf]
+</p>
 </td>
 </tr>
 

From 506d2e786c3ca64e7f6d35fbaf8955454e3c69c7 Mon Sep 17 00:00:00 2001
From: Guangwen Feng <fenggw-fnst@fujitsu.com>
Date: Mon, 20 Mar 2023 10:43:06 +0800
Subject: [PATCH 197/215] [zh-cn] sync task files of task-10 (#40084)

Signed-off-by: Guangwen Feng <fenggw-fnst@fujitsu.com>
---
 .../namespaces-walkthrough.md                 | 22 +++++++++++--------
 .../calico-network-policy.md                  |  8 +++----
 .../cilium-network-policy.md                  | 12 +++++-----
 .../kube-router-network-policy.md             | 11 ++++++++--
 4 files changed, 32 insertions(+), 21 deletions(-)

diff --git a/content/zh-cn/docs/tasks/administer-cluster/namespaces-walkthrough.md b/content/zh-cn/docs/tasks/administer-cluster/namespaces-walkthrough.md
index df1fdcb85ce48..8515de41c066a 100644
--- a/content/zh-cn/docs/tasks/administer-cluster/namespaces-walkthrough.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/namespaces-walkthrough.md
@@ -52,16 +52,16 @@ This example demonstrates how to use Kubernetes namespaces to subdivide your clu
 This example assumes the following:
 
 1. You have an [existing Kubernetes cluster](/docs/setup/).
-2. You have a basic understanding of Kubernetes _[Pods](/docs/concepts/workloads/pods/pod/)_, _[Services](/docs/concepts/services-networking/service/)_, and _[Deployments](/docs/concepts/workloads/controllers/deployment/)_.
+2. You have a basic understanding of Kubernetes {{< glossary_tooltip text="Pods" term_id="pod" >}}, {{< glossary_tooltip term_id="service" text="Services" >}}, and {{< glossary_tooltip text="Deployments" term_id="deployment" >}}.
 -->
-## 环境准备
+## 环境准备   {#prerequisites}
 
 此示例作如下假设：
 
 1. 你已拥有一个[配置好的 Kubernetes 集群](/zh-cn/docs/setup/)。
-2. 你已对 Kubernetes 的 _[Pods](/zh-cn/docs/concepts/workloads/pods/)_、
-   _[Services](/zh-cn/docs/concepts/services-networking/service/)_ 和
-   _[Deployments](/zh-cn/docs/concepts/workloads/controllers/deployment/)_
+2. 你已对 Kubernetes 的 {{< glossary_tooltip text="Pod" term_id="pod" >}}、
+   {{< glossary_tooltip text="服务" term_id="service" >}} 和
+   {{< glossary_tooltip text="Deployment" term_id="deployment" >}}
    有基本理解。
 
 <!--
@@ -70,7 +70,7 @@ This example assumes the following:
 By default, a Kubernetes cluster will instantiate a default namespace when provisioning the cluster to hold the default set of Pods,
 Services, and Deployments used by the cluster.
 -->
-## 理解默认名字空间
+## 理解默认名字空间   {#understand-the-default-namespace}
 
 默认情况下，Kubernetes 集群会在配置集群时实例化一个默认名字空间，用以存放集群所使用的默认
 Pod、Service 和 Deployment 集合。
@@ -93,7 +93,7 @@ default   Active    13m
 
 For this exercise, we will create two additional Kubernetes namespaces to hold our content.
 -->
-## 创建新的名字空间
+## 创建新的名字空间   {#create-new-namespaces}
 
 在本练习中，我们将创建两个额外的 Kubernetes 名字空间来保存我们的内容。
 
@@ -187,7 +187,7 @@ Users interacting with one namespace do not see the content in another namespace
 
 To demonstrate this, let's spin up a simple Deployment and Pods in the `development` namespace.
 -->
-## 在每个名字空间中创建 pod
+## 在每个名字空间中创建 Pod   {#create-pods-in-each-namespace}
 
 Kubernetes 名字空间为集群中的 Pod、Service 和 Deployment 提供了作用域。
 
@@ -255,7 +255,7 @@ kubectl config set-context prod --namespace=production \
 ```
 
 <!--
-By default, the above commands adds two contexts that are saved into file
+By default, the above commands add two contexts that are saved into file
 `.kube/config`. You can now view the contexts and alternate against the two
 new request contexts depending on which namespace you wish to work against.
 -->
@@ -346,6 +346,10 @@ Apply the manifest to create a Deployment
 -->
 应用清单文件来创建 Deployment。
 
+```shell
+kubectl apply -f https://k8s.io/examples/admin/snowflake-deployment.yaml
+```
+
 <!--
 We have created a deployment whose replica size is 2 that is running the pod called `snowflake` with a basic container that serves the hostname.
 -->
diff --git a/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/calico-network-policy.md b/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/calico-network-policy.md
index 4c48164322d33..9799a4f95e596 100644
--- a/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/calico-network-policy.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/calico-network-policy.md
@@ -1,14 +1,14 @@
 ---
 title: 使用 Calico 提供 NetworkPolicy
 content_type: task
-weight: 10
+weight: 20
 ---
 <!--
 reviewers:
 - caseydavenport
 title: Use Calico for NetworkPolicy
 content_type: task
-weight: 10
+weight: 20
 -->
 
 <!-- overview -->
@@ -69,12 +69,12 @@ Decide whether you want to deploy a [cloud](#creating-a-calico-cluster-with-goog
 ## Creating a local Calico cluster with kubeadm
 
 To get a local single-host Calico cluster in fifteen minutes using kubeadm, refer to the 
-[Calico Quickstart](https://docs.projectcalico.org/latest/getting-started/kubernetes/).
+[Calico Quickstart](https://projectcalico.docs.tigera.io/getting-started/kubernetes/).
 -->
 ## 使用 kubeadm 创建一个本地 Calico 集群   {#local-cluster}
 
 使用 kubeadm 在 15 分钟内得到一个本地单主机 Calico 集群，请参考
-[Calico 快速入门](https://docs.projectcalico.org/latest/getting-started/kubernetes/)。
+[Calico 快速入门](https://projectcalico.docs.tigera.io/getting-started/kubernetes/)。
 
 ## {{% heading "whatsnext" %}}
 
diff --git a/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy.md b/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy.md
index 43e057a911ae4..dfbf41578562b 100644
--- a/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy.md
@@ -1,7 +1,7 @@
 ---
 title: 使用 Cilium 提供 NetworkPolicy
 content_type: task
-weight: 20
+weight: 30
 ---
 
 <!--
@@ -10,18 +10,18 @@ reviewers:
 - aanm
 title: Use Cilium for NetworkPolicy
 content_type: task
-weight: 20
+weight: 30
 -->
 
 <!-- overview -->
 <!--
 This page shows how to use Cilium for NetworkPolicy.
 
-For background on Cilium, read the [Introduction to Cilium](https://docs.cilium.io/en/stable/intro).
+For background on Cilium, read the [Introduction to Cilium](https://docs.cilium.io/en/stable/overview/intro).
 -->
 本页展示如何使用 Cilium 提供 NetworkPolicy。
 
-关于 Cilium 的背景知识，请阅读 [Cilium 介绍](https://docs.cilium.io/en/stable/intro)。
+关于 Cilium 的背景知识，请阅读 [Cilium 介绍](https://docs.cilium.io/en/stable/overview/intro)。
 
 ## {{% heading "prerequisites" %}}
 
@@ -129,14 +129,14 @@ L7 （如 HTTP）的安全策略。
 ## Deploying Cilium for Production Use
 
 For detailed instructions around deploying Cilium for production, see:
-[Cilium Kubernetes Installation Guide](https://docs.cilium.io/en/stable/concepts/kubernetes/intro/)
+[Cilium Kubernetes Installation Guide](https://docs.cilium.io/en/stable/network/kubernetes/concepts/)
 This documentation includes detailed requirements, instructions and example
 production DaemonSet files.
  -->
 ## 部署 Cilium 用于生产用途   {#deployment-cilium-for-production-use}
 
 关于部署 Cilium 用于生产的详细说明，请参见
-[Cilium Kubernetes 安装指南](https://docs.cilium.io/en/stable/concepts/kubernetes/intro/)。
+[Cilium Kubernetes 安装指南](https://docs.cilium.io/en/stable/network/kubernetes/concepts/)。
 此文档包括详细的需求、说明和生产用途 DaemonSet 文件示例。
 
 <!-- discussion -->
diff --git a/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/kube-router-network-policy.md b/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/kube-router-network-policy.md
index 0c4cc7a8e1039..1134b9861bbee 100644
--- a/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/kube-router-network-policy.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/kube-router-network-policy.md
@@ -1,8 +1,15 @@
 ---
 title: 使用 kube-router 提供 NetworkPolicy
 content_type: task
-weight: 30
+weight: 40
 ---
+<!--
+reviewers:
+- murali-reddy
+title: Use Kube-router for NetworkPolicy
+content_type: task
+weight: 40
+-->
 
 <!-- overview -->
 <!--
@@ -25,7 +32,7 @@ You need to have a Kubernetes cluster running. If you do not already have a clus
 
 The Kube-router Addon comes with a Network Policy Controller that watches Kubernetes API server for any NetworkPolicy and pods updated and configures iptables rules and ipsets to allow or block traffic as directed by the policies. Please follow the [trying Kube-router with cluster installers](https://www.kube-router.io/docs/user-guide/#try-kube-router-with-cluster-installers) guide to install Kube-router addon.
 -->
-## 安装 kube-router 插件
+## 安装 kube-router 插件   {#installing-kube-router-addon}
 
 kube-router 插件自带一个网络策略控制器，监视来自于 Kubernetes API 服务器的
 NetworkPolicy 和 Pod 的变化，根据策略指示配置 iptables 规则和 ipsets 来允许或阻止流量。

From 94ee30ef0e580976447f40a01dddf8060dc9a9d1 Mon Sep 17 00:00:00 2001
From: Hasan Rashid <hasan.j.rashid@gmail.com>
Date: Sun, 19 Mar 2023 23:10:04 -0400
Subject: [PATCH 198/215] Remove duplicate paragraph (Issue 40127)

---
 .../tutorials/services/pods-and-endpoint-termination-flow.md   | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/content/en/docs/tutorials/services/pods-and-endpoint-termination-flow.md b/content/en/docs/tutorials/services/pods-and-endpoint-termination-flow.md
index 3ff7e2d987d92..2d812f9ddc11d 100644
--- a/content/en/docs/tutorials/services/pods-and-endpoint-termination-flow.md
+++ b/content/en/docs/tutorials/services/pods-and-endpoint-termination-flow.md
@@ -19,8 +19,7 @@ graceful connection draining.
 
 There are often cases when you need to terminate a Pod - be it for upgrade or scale down.
 In order to improve application availability, it may be important to implement
-a proper active connections draining. This tutorial explains the flow of
-Pod termination in connection with the corresponding endpoint state and removal.
+a proper active connections draining.
 
 This tutorial explains the flow of Pod termination in connection with the
 corresponding endpoint state and removal by using

From de6f0bc8262813b205a7d29d9e0ee5457cee8d09 Mon Sep 17 00:00:00 2001
From: Guangwen Feng <fenggw-fnst@fujitsu.com>
Date: Mon, 20 Mar 2023 11:24:28 +0800
Subject: [PATCH 199/215] [zh-cn] sync scheduling-gpus.md

Signed-off-by: Guangwen Feng <fenggw-fnst@fujitsu.com>
---
 content/zh-cn/docs/tasks/manage-gpus/scheduling-gpus.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/content/zh-cn/docs/tasks/manage-gpus/scheduling-gpus.md b/content/zh-cn/docs/tasks/manage-gpus/scheduling-gpus.md
index 434ca71c48317..7bd1a4ef99fed 100644
--- a/content/zh-cn/docs/tasks/manage-gpus/scheduling-gpus.md
+++ b/content/zh-cn/docs/tasks/manage-gpus/scheduling-gpus.md
@@ -33,7 +33,7 @@ AMD 和 NVIDIA GPU（图形处理单元），目前处于**稳定**状态。
 <!--
 ## Using device plugins
 
-Kubernetes implements device-plugin to let Pods access specialized hardware features such as GPUs.
+Kubernetes implements device plugins to let Pods access specialized hardware features such as GPUs.
 -->
 ## 使用设备插件  {#using-device-plugins}
 
@@ -140,7 +140,8 @@ If you're using AMD GPU devices, you can deploy
 Node Labeller is a {{< glossary_tooltip text="controller" term_id="controller" >}} that automatically
 labels your nodes with GPU device properties.
 
-At the moment, that controller can add labels for:
+Similar functionality for NVIDIA is provided by
+[GPU feature discovery](https://github.com/NVIDIA/gpu-feature-discovery/blob/main/README.md).
 -->
 如果你在使用 AMD GPU，你可以部署
 [Node Labeller](https://github.com/RadeonOpenCompute/k8s-device-plugin/tree/master/cmd/k8s-node-labeller)，

From ba2b40fdc5a3b37872fb7d4ab41a86b192834c1e Mon Sep 17 00:00:00 2001
From: "xin.li" <xin.li@daocloud.io>
Date: Sat, 18 Mar 2023 17:31:51 +0800
Subject: [PATCH 200/215] [zh-cn]sync command-line-tools-reference/kubelet.md

Signed-off-by: xin.li <xin.li@daocloud.io>
---
 .../command-line-tools-reference/kubelet.md   | 445 +++++++-----------
 1 file changed, 160 insertions(+), 285 deletions(-)

diff --git a/content/zh-cn/docs/reference/command-line-tools-reference/kubelet.md b/content/zh-cn/docs/reference/command-line-tools-reference/kubelet.md
index 9be4491b0b9a9..035e450800c12 100644
--- a/content/zh-cn/docs/reference/command-line-tools-reference/kubelet.md
+++ b/content/zh-cn/docs/reference/command-line-tools-reference/kubelet.md
@@ -61,19 +61,6 @@ kubelet [flags]
 </colgroup>
 <tbody>
 
-<tr>
-<td colspan="2">--add-dir-header</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-If true, adds the file directory to the header of the log messages (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)
--->
-设置为 true 表示将文件目录添加到日志消息的头部
-（已弃用：将在未来的版本中删除，<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">进一步了解</a>。）
-</td>
-</tr>
-
 <tr>
 <td colspan="2">--address string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：0.0.0.0</td>
 </tr>
@@ -103,19 +90,6 @@ Comma-separated whitelist of unsafe sysctls or unsafe sysctl patterns (ending in
 </td>
 </tr>
 
-<tr>
-<td colspan="2">--alsologtostderr</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Log to standard error as well as files (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)
--->
-设置为 true 表示将日志输出到文件的同时输出到 stderr
-（已弃用：将在未来的版本中删除，<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">进一步了解</a>。）
-</td>
-</tr>
-
 <tr>
 <td colspan="2">--anonymous-auth&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：true</td>
 </tr>
@@ -137,7 +111,7 @@ Enables anonymous requests to the Kubelet server. Requests that are not rejected
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Use the TokenReview API to determine authentication for bearer tokens. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
+Use the TokenReview API to determine authentication for bearer tokens. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 使用 <code>TokenReview</code> API 对持有者令牌进行身份认证。
 （已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
@@ -151,7 +125,7 @@ Use the TokenReview API to determine authentication for bearer tokens. (DEPRECAT
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-The duration to cache responses from the webhook token authenticator. (default 2m0s) (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
+The duration to cache responses from the webhook token authenticator. (default 2m0s) (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 对 Webhook 令牌认证组件所返回的响应的缓存时间。
 （已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
@@ -165,7 +139,7 @@ The duration to cache responses from the webhook token authenticator. (default 2
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Authorization mode for Kubelet server. Valid options are <code>AlwaysAllow</code> or <code>Webhook</code>. <code>Webhook</code> mode uses the <code>SubjectAccessReview</code> API to determine authorization. (default "AlwaysAllow" when <code>--config</code> flag is not provided; "Webhook" when <code>--config</code> flag presents.) (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
+Authorization mode for Kubelet server. Valid options are <code>AlwaysAllow</code> or <code>Webhook</code>. <code>Webhook</code> mode uses the <code>SubjectAccessReview</code> API to determine authorization. (default "AlwaysAllow" when <code>--config</code> flag is not provided; "Webhook" when <code>--config</code> flag presents.) (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 kubelet 服务器的鉴权模式。可选值包括：<code>AlwaysAllow</code>、<code>Webhook</code>。<code>Webhook</code> 模式使用 <code>SubjectAccessReview</code> API 鉴权。
 当 <code>--config</code> 参数未被设置时，默认值为 <code>AlwaysAllow</code>，当使用了
@@ -266,7 +240,7 @@ kubelet 用来操作本机 cgroup 时使用的驱动程序。支持的选项包
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Optional root cgroup to use for pods. This is handled by the container runtime on a best effort basis. Default: '', which means use the container runtime default. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
+Optional root cgroup to use for pods. This is handled by the container runtime on a best effort basis. Default: '', which means use the container runtime default. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 可选的选项，为 Pod 设置根 cgroup。容器运行时会尽可能使用此配置。
 默认值 <code>""</code> 意味着将使用容器运行时的默认设置。
@@ -295,7 +269,7 @@ Enable creation of QoS cgroup hierarchy, if true top level QoS and pod cgroups a
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
+If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 如果设置了此参数，则使用对应文件中机构之一检查请求中所携带的客户端证书。
 若客户端证书通过身份认证，则其对应身份为其证书中所设置的 CommonName。
@@ -385,7 +359,7 @@ kubelet 将从此标志所指的文件中加载其初始配置。此路径可以
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Set the maximum number of container log files that can be present for a container. The number must be &ge; 2. This flag can only be used with <code>--container-runtime=remote</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
+Set the maximum number of container log files that can be present for a container. The number must be &ge; 2. This flag can only be used with <code>--container-runtime=remote</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 设置容器的日志文件个数上限。此值必须不小于 2。
 此标志只能与 <code>--container-runtime=remote</code> 标志一起使用。
@@ -400,7 +374,7 @@ Set the maximum number of container log files that can be present for a containe
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Set the maximum size (e.g. 10Mi) of container log file before it is rotated. This flag can only be used with <code>--container-runtime=remote</code>.  (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
+Set the maximum size (e.g. 10Mi) of container log file before it is rotated. This flag can only be used with <code>--container-runtime=remote</code>.  (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 设置容器日志文件在轮换生成新文件时之前的最大值（例如，<code>10Mi</code>）。
 此标志只能与 <code>--container-runtime=remote</code> 标志一起使用。
@@ -446,7 +420,7 @@ Windows 系统上的 npipe 和 TCP 端点。例如：
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Enable lock contention profiling, if profiling is enabled (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
+Enable lock contention profiling, if profiling is enabled (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 当启用了性能分析时，启用锁竞争分析。
 （已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
@@ -488,7 +462,7 @@ Sets CPU CFS quota period value, <code>cpu.cfs_period_us</code>, defaults to Lin
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-CPU Manager policy to use. Possible values: 'none', 'static'. Default: 'none' (default "none") (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
+CPU Manager policy to use. Possible values: 'none', 'static'. Default: 'none' (default "none") (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 要使用的 CPU 管理器策略。可选值包括：<code>none</code> 和 <code>static</code>。
 （已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
@@ -497,7 +471,7 @@ CPU Manager policy to use. Possible values: 'none', 'static'. Default: 'none' (d
 </tr>
 
 <tr>
-<td colspan="2">--cpu-manager-policy-options mapStringString</td>
+<td colspan="2">--cpu-manager-policy-options string</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
@@ -518,7 +492,7 @@ A set of key=value CPU Manager policy options to use, to fine tune their behavio
 <!--
 &lt;Warning: Alpha feature&gt; CPU Manager reconciliation period. Examples: <code>10s</code>, or <code>1m</code>. If not supplied, defaults to node status update frequency. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
-&lt;警告：alpha 特性&gt; 设置 CPU 管理器的调和时间。例如：<code>10s</code> 或者 <code>1m</code>。
+&lt;警告：Alpha 特性&gt; 设置 CPU 管理器的调和时间。例如：<code>10s</code> 或者 <code>1m</code>。
 如果未设置，默认使用节点状态更新频率。
 （已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
 请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
@@ -573,7 +547,7 @@ Enable the Kubelet's server. (DEPRECATED: This parameter should be set via the c
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-A comma separated list of levels of node allocatable enforcement to be enforced by kubelet. Acceptable options are <code>none</code>, <code>pods</code>, <code>system-reserved</code>, and <code>kube-reserved</code>. If the latter two options are specified, <code>--system-reserved-cgroup</code> and <code>--kube-reserved-cgroup</code> must also be set, respectively. If <code>none</code> is specified, no additional options should be set. See https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/ for more details. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
+A comma separated list of levels of node allocatable enforcement to be enforced by kubelet. Acceptable options are <code>none</code>, <code>pods</code>, <code>system-reserved</code>, and <code>kube-reserved</code>. If the latter two options are specified, <code>--system-reserved-cgroup</code> and <code>--kube-reserved-cgroup</code> must also be set, respectively. If <code>none</code> is specified, no additional options should be set. See https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/ for more details. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 用逗号分隔的列表，包含由 kubelet 强制执行的节点可分配资源级别。
 可选配置为：<code>none</code>、<code>pods</code>、<code>system-reserved</code> 和 <code>kube-reserved</code>。
@@ -647,7 +621,7 @@ Maximum allowed grace period (in seconds) to use when terminating pods in respon
 </tr>
 
 <tr>
-<td colspan="2">--eviction-minimum-reclaim mapStringString</td>
+<td colspan="2">--eviction-minimum-reclaim string</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
@@ -676,7 +650,7 @@ kubelet 在驱逐压力状况解除之前的最长等待时间。
 </tr>
 
 <tr>
-<td colspan="2">--eviction-soft mapStringString</td>
+<td colspan="2">--eviction-soft string</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
@@ -691,7 +665,7 @@ A set of eviction thresholds (e.g. <code>memory.available>1.5Gi</code>) that if
 </tr>
 
 <tr>
-<td colspan="2">--eviction-soft-grace-period mapStringString</td>
+<td colspan="2">--eviction-soft-grace-period string</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
@@ -732,22 +706,6 @@ When set to <code>true</code>, Hard eviction thresholds will be ignored while ca
 </td>
 </tr>
 
-<tr>
-<td colspan="2">--experimental-kernel-memcg-notification</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-If enabled, the kubelet will integrate with the kernel memcg notification to determine if memory eviction thresholds are crossed rather than polling. This flag will be removed in 1.24 or later. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
--->
-设置为 true 表示 kubelet 将会集成内核的 memcg 通知机制而不是使用轮询机制来
-判断是否达到了内存驱逐阈值。
-此标志将在 1.24 或更高版本移除。
-（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
-</td>
-</tr>
-
 <tr>
 <td colspan="2">--experimental-mounter-path string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default: <code>mount</code>-->默认值：<code>mount</code></td>
 </tr>
@@ -785,39 +743,34 @@ A set of <code>key=value</code> pairs that describe feature gates for alpha/expe
 APIListChunking=true|false (BETA - default=true)<br/>
 APIPriorityAndFairness=true|false (BETA - default=true)<br/>
 APIResponseCompression=true|false (BETA - default=true)<br/>
-APIServerIdentity=true|false (ALPHA - default=false)<br/>
+APISelfSubjectReview=true|false (ALPHA - default=false)<br/>
+APIServerIdentity=true|false (BETA - default=true)<br/>
 APIServerTracing=true|false (ALPHA - default=false)<br/>
+AggregatedDiscoveryEndpoint=true|false (ALPHA - default=false)<br/>
 AllAlpha=true|false (ALPHA - default=false)<br/>
 AllBeta=true|false (BETA - default=false)<br/>
 AnyVolumeDataSource=true|false (BETA - default=true)<br/>
 AppArmor=true|false (BETA - default=true)<br/>
-CPUManager=true|false (BETA - default=true)<br/>
 CPUManagerPolicyAlphaOptions=true|false (ALPHA - default=false)<br/>
 CPUManagerPolicyBetaOptions=true|false (BETA - default=true)<br/>
 CPUManagerPolicyOptions=true|false (BETA - default=true)<br/>
-CSIInlineVolume=true|false (BETA - default=true)<br/>
-CSIMigration=true|false (BETA - default=true)<br/>
-CSIMigrationAWS=true|false (BETA - default=true)<br/>
-CSIMigrationAzureFile=true|false (BETA - default=true)<br/>
-CSIMigrationGCE=true|false (BETA - default=true)<br/>
-CSIMigrationPortworx=true|false (ALPHA - default=false)<br/>
+CSIMigrationPortworx=true|false (BETA - default=false)<br/>
 CSIMigrationRBD=true|false (ALPHA - default=false)<br/>
-CSIMigrationvSphere=true|false (BETA - default=false)<br/>
+CSINodeExpandSecret=true|false (ALPHA - default=false)<br/>
 CSIVolumeHealth=true|false (ALPHA - default=false)<br/>
+ComponentSLIs=true|false (ALPHA - default=false)<br/>
+ContainerCheckpoint=true|false (ALPHA - default=false)<br/>
 ContextualLogging=true|false (ALPHA - default=false)<br/>
-CronJobTimeZone=true|false (ALPHA - default=false)<br/>
+CronJobTimeZone=true|false (BETA - default=true)<br/>
+CrossNamespaceVolumeDataSource=true|false (ALPHA - default=false)<br/>
 CustomCPUCFSQuotaPeriod=true|false (ALPHA - default=false)<br/>
-CustomResourceValidationExpressions=true|false (ALPHA - default=false)<br/>
-DaemonSetUpdateSurge=true|false (BETA - default=true)<br/>
-DelegateFSGroupToCSIDriver=true|false (BETA - default=true)<br/>
-DevicePlugins=true|false (BETA - default=true)<br/>
-DisableAcceleratorUsageMetrics=true|false (BETA - default=true)<br/>
+CustomResourceValidationExpressions=true|false (BETA - default=true)<br/>
 DisableCloudProviders=true|false (ALPHA - default=false)<br/>
 DisableKubeletCloudCredentialProviders=true|false (ALPHA - default=false)<br/>
 DownwardAPIHugePages=true|false (BETA - default=true)<br/>
-EndpointSliceTerminatingCondition=true|false (BETA - default=true)<br/>
-EphemeralContainers=true|false (BETA - default=true)<br/>
-ExpandedDNSConfig=true|false (ALPHA - default=false)<br/>
+DynamicResourceAllocation=true|false (ALPHA - default=false)<br/>
+EventedPLEG=true|false (ALPHA - default=false)<br/>
+ExpandedDNSConfig=true|false (BETA - default=true)<br/>
 ExperimentalHostUserNamespaceDefaulting=true|false (BETA - default=false)<br/>
 GRPCContainerProbe=true|false (BETA - default=true)<br/>
 GracefulNodeShutdown=true|false (BETA - default=true)<br/>
@@ -825,7 +778,7 @@ GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - default=true)<br/>
 HPAContainerMetrics=true|false (ALPHA - default=false)<br/>
 HPAScaleToZero=true|false (ALPHA - default=false)<br/>
 HonorPVReclaimPolicy=true|false (ALPHA - default=false)<br/>
-IdentifyPodOS=true|false (BETA - default=true)<br/>
+IPTablesOwnershipCleanup=true|false (ALPHA - default=false)<br/>
 InTreePluginAWSUnregister=true|false (ALPHA - default=false)<br/>
 InTreePluginAzureDiskUnregister=true|false (ALPHA - default=false)<br/>
 InTreePluginAzureFileUnregister=true|false (ALPHA - default=false)<br/>
@@ -835,92 +788,96 @@ InTreePluginPortworxUnregister=true|false (ALPHA - default=false)<br/>
 InTreePluginRBDUnregister=true|false (ALPHA - default=false)<br/>
 InTreePluginvSphereUnregister=true|false (ALPHA - default=false)<br/>
 JobMutableNodeSchedulingDirectives=true|false (BETA - default=true)<br/>
+JobPodFailurePolicy=true|false (BETA - default=true)<br/>
 JobReadyPods=true|false (BETA - default=true)<br/>
-JobTrackingWithFinalizers=true|false (BETA - default=false)<br/>
-KubeletCredentialProviders=true|false (BETA - default=true)<br/>
+KMSv2=true|false (ALPHA - default=false)<br/>
 KubeletInUserNamespace=true|false (ALPHA - default=false)<br/>
 KubeletPodResources=true|false (BETA - default=true)<br/>
 KubeletPodResourcesGetAllocatable=true|false (BETA - default=true)<br/>
-LegacyServiceAccountTokenNoAutoGeneration=true|false (BETA - default=true)<br/>
-LocalStorageCapacityIsolation=true|false (BETA - default=true)<br/>
+KubeletTracing=true|false (ALPHA - default=false)<br/>
+LegacyServiceAccountTokenTracking=true|false (ALPHA - default=false)<br/>
 LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - default=false)<br/>
 LogarithmicScaleDown=true|false (BETA - default=true)<br/>
+LoggingAlphaOptions=true|false (ALPHA - default=false)<br/>
+LoggingBetaOptions=true|false (BETA - default=true)<br/>
+MatchLabelKeysInPodTopologySpread=true|false (ALPHA - default=false)<br/>
 MaxUnavailableStatefulSet=true|false (ALPHA - default=false)<br/>
 MemoryManager=true|false (BETA - default=true)<br/>
 MemoryQoS=true|false (ALPHA - default=false)<br/>
-MinDomainsInPodTopologySpread=true|false (ALPHA - default=false)<br/>
-MixedProtocolLBService=true|false (BETA - default=true)<br/>
-NetworkPolicyEndPort=true|false (BETA - default=true)<br/>
+MinDomainsInPodTopologySpread=true|false (BETA - default=false)<br/>
+MinimizeIPTablesRestore=true|false (ALPHA - default=false)<br/>
+MultiCIDRRangeAllocator=true|false (ALPHA - default=false)<br/>
 NetworkPolicyStatus=true|false (ALPHA - default=false)<br/>
-NodeOutOfServiceVolumeDetach=true|false (ALPHA - default=false)<br/>
+NodeInclusionPolicyInPodTopologySpread=true|false (BETA - default=true)<br/>
+NodeOutOfServiceVolumeDetach=true|false (BETA - default=true)<br/>
 NodeSwap=true|false (ALPHA - default=false)<br/>
 OpenAPIEnums=true|false (BETA - default=true)<br/>
-OpenAPIV3=true|false (BETA - default=true)<br/>
+PDBUnhealthyPodEvictionPolicy=true|false (ALPHA - default=false)<br/>
 PodAndContainerStatsFromCRI=true|false (ALPHA - default=false)<br/>
 PodDeletionCost=true|false (BETA - default=true)<br/>
-PodSecurity=true|false (BETA - default=true)<br/>
-ProbeTerminationGracePeriod=true|false (BETA - default=false)<br/>
+PodDisruptionConditions=true|false (BETA - default=true)<br/>
+PodHasNetworkCondition=true|false (ALPHA - default=false)<br/>
+PodSchedulingReadiness=true|false (ALPHA - default=false)<br/>
+ProbeTerminationGracePeriod=true|false (BETA - default=true)<br/>
 ProcMountType=true|false (ALPHA - default=false)<br/>
-ProxyTerminatingEndpoints=true|false (ALPHA - default=false)<br/>
+ProxyTerminatingEndpoints=true|false (BETA - default=true)<br/>
 QOSReserved=true|false (ALPHA - default=false)<br/>
 ReadWriteOncePod=true|false (ALPHA - default=false)<br/>
 RecoverVolumeExpansionFailure=true|false (ALPHA - default=false)<br/>
 RemainingItemCount=true|false (BETA - default=true)<br/>
+RetroactiveDefaultStorageClass=true|false (BETA - default=true)<br/>
 RotateKubeletServerCertificate=true|false (BETA - default=true)<br/>
-SeccompDefault=true|false (ALPHA - default=false)<br/>
-ServerSideFieldValidation=true|false (ALPHA - default=false)<br/>
-ServiceIPStaticSubrange=true|false (ALPHA - default=false)<br/>
-ServiceInternalTrafficPolicy=true|false (BETA - default=true)<br/>
+SELinuxMountReadWriteOncePod=true|false (ALPHA - default=false)<br/>
+SeccompDefault=true|false (BETA - default=true)<br/>
+ServerSideFieldValidation=true|false (BETA - default=true)<br/>
 SizeMemoryBackedVolumes=true|false (BETA - default=true)<br/>
 StatefulSetAutoDeletePVC=true|false (ALPHA - default=false)<br/>
-StatefulSetMinReadySeconds=true|false (BETA - default=true)<br/>
+StatefulSetStartOrdinal=true|false (ALPHA - default=false)<br/>
 StorageVersionAPI=true|false (ALPHA - default=false)<br/>
 StorageVersionHash=true|false (BETA - default=true)<br/>
 TopologyAwareHints=true|false (BETA - default=true)<br/>
 TopologyManager=true|false (BETA - default=true)<br/>
+TopologyManagerPolicyAlphaOptions=true|false (ALPHA - default=false)<br/>
+TopologyManagerPolicyBetaOptions=true|false (BETA - default=false)<br/>
+TopologyManagerPolicyOptions=true|false (ALPHA - default=false)<br/>
+UserNamespacesStatelessPodsSupport=true|false (ALPHA - default=false)<br/>
+ValidatingAdmissionPolicy=true|false (ALPHA - default=false)<br/>
 VolumeCapacityPriority=true|false (ALPHA - default=false)<br/>
 WinDSR=true|false (ALPHA - default=false)<br/>
 WinOverlay=true|false (BETA - default=true)<br/>
-WindowsHostProcessContainers=true|false (BETA - default=true)<br/>
 (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)</td>
 -->
 用于 alpha 实验性特性的特性开关组，每个开关以 key=value 形式表示。当前可用开关包括：</br>
 APIListChunking=true|false (BETA - 默认值为 true)<br/>
 APIPriorityAndFairness=true|false (BETA - 默认值为 true)<br/>
 APIResponseCompression=true|false (BETA - 默认值为 true)<br/>
-APIServerIdentity=true|false (ALPHA - 默认值为 false)<br/>
+APISelfSubjectReview=true|false (ALPHA - 默认值为 false)<br/>
+APIServerIdentity=true|false (BETA - 默认值为 true)<br/>
 APIServerTracing=true|false (ALPHA - 默认值为 false)<br/>
+AggregatedDiscoveryEndpoint=true|false (ALPHA - 默认值为 false)<br/>
 AllAlpha=true|false (ALPHA - 默认值为 false)<br/>
 AllBeta=true|false (BETA - 默认值为 false)<br/>
 AnyVolumeDataSource=true|false (BETA - 默认值为 true)<br/>
 AppArmor=true|false (BETA - 默认值为 true)<br/>
-CPUManager=true|false (BETA - 默认值为 true)<br/>
 CPUManagerPolicyAlphaOptions=true|false (ALPHA - 默认值为 false)<br/>
 CPUManagerPolicyBetaOptions=true|false (BETA - 默认值为 true)<br/>
 CPUManagerPolicyOptions=true|false (BETA - 默认值为 true)<br/>
-CSIInlineVolume=true|false (BETA - 默认值为 true)<br/>
-CSIMigration=true|false (BETA - 默认值为 true)<br/>
-CSIMigrationAWS=true|false (BETA - 默认值为 true)<br/>
-CSIMigrationAzureFile=true|false (BETA - 默认值为 true)<br/>
-CSIMigrationGCE=true|false (BETA - 默认值为 true)<br/>
-CSIMigrationPortworx=true|false (ALPHA - 默认值为 false)<br/>
 CSIMigrationRBD=true|false (ALPHA - 默认值为 false)<br/>
-CSIMigrationvSphere=true|false (BETA - 默认值为 false)<br/>
+CSINodeExpandSecret=true|false (ALPHA - 默认值为 false)<br/>
 CSIVolumeHealth=true|false (ALPHA - 默认值为 false)<br/>
+ComponentSLIs=true|false (ALPHA - 默认值为 false)<br/>
+ContainerCheckpoint=true|false (ALPHA - 默认值为 false)<br/>
 ContextualLogging=true|false (ALPHA - 默认值为 false)<br/>
-CronJobTimeZone=true|false (ALPHA - 默认值为 false)<br/>
+CronJobTimeZone=true|false (BETA - 默认值为 true)<br/>
+CrossNamespaceVolumeDataSource=true|false (ALPHA - 默认值为 false)<br/>
 CustomCPUCFSQuotaPeriod=true|false (ALPHA - 默认值为 false)<br/>
-CustomResourceValidationExpressions=true|false (ALPHA - 默认值为 false)<br/>
-DaemonSetUpdateSurge=true|false (BETA - 默认值为 true)<br/>
-DelegateFSGroupToCSIDriver=true|false (BETA - 默认值为 true)<br/>
-DevicePlugins=true|false (BETA - 默认值为 true)<br/>
-DisableAcceleratorUsageMetrics=true|false (BETA - 默认值为 true)<br/>
+CustomResourceValidationExpressions=true|false (BETA - 默认值为 true)<br/>
 DisableCloudProviders=true|false (ALPHA - 默认值为 false)<br/>
 DisableKubeletCloudCredentialProviders=true|false (ALPHA - 默认值为 false)<br/>
 DownwardAPIHugePages=true|false (BETA - 默认值为 true)<br/>
-EndpointSliceTerminatingCondition=true|false (BETA - 默认值为 true)<br/>
-EphemeralContainers=true|false (BETA - 默认值为 true)<br/>
-ExpandedDNSConfig=true|false (ALPHA - 默认值为 false)<br/>
+DynamicResourceAllocation=true|false (ALPHA - 默认值为 false)<br/>
+EventedPLEG=true|false (ALPHA - 默认值为 false)<br/>
+ExpandedDNSConfig=true|false (BETA - 默认值为 true)<br/>
 ExperimentalHostUserNamespaceDefaulting=true|false (BETA - 默认值为 false)<br/>
 GRPCContainerProbe=true|false (BETA - 默认值为 true)<br/>
 GracefulNodeShutdown=true|false (BETA - 默认值为 true)<br/>
@@ -928,7 +885,7 @@ GracefulNodeShutdownBasedOnPodPriority=true|false (BETA - 默认值为 true)<br/
 HPAContainerMetrics=true|false (ALPHA - 默认值为 false)<br/>
 HPAScaleToZero=true|false (ALPHA - 默认值为 false)<br/>
 HonorPVReclaimPolicy=true|false (ALPHA - 默认值为 false)<br/>
-IdentifyPodOS=true|false (BETA - 默认值为 true)<br/>
+IPTablesOwnershipCleanup=true|false (ALPHA - 默认值为 false)<br/>
 InTreePluginAWSUnregister=true|false (ALPHA - 默认值为 false)<br/>
 InTreePluginAzureDiskUnregister=true|false (ALPHA - 默认值为 false)<br/>
 InTreePluginAzureFileUnregister=true|false (ALPHA - 默认值为 false)<br/>
@@ -938,53 +895,65 @@ InTreePluginPortworxUnregister=true|false (ALPHA - 默认值为 false)<br/>
 InTreePluginRBDUnregister=true|false (ALPHA - 默认值为 false)<br/>
 InTreePluginvSphereUnregister=true|false (ALPHA - 默认值为 false)<br/>
 JobMutableNodeSchedulingDirectives=true|false (BETA - 默认值为 true)<br/>
+JobPodFailurePolicy=true|false (BETA - 默认值为 true)<br/>
 JobReadyPods=true|false (BETA - 默认值为 true)<br/>
-JobTrackingWithFinalizers=true|false (BETA - 默认值为 false)<br/>
-KubeletCredentialProviders=true|false (BETA - 默认值为 true)<br/>
+KMSv2=true|false (ALPHA - 默认值为 false)<br/>
 KubeletInUserNamespace=true|false (ALPHA - 默认值为 false)<br/>
 KubeletPodResources=true|false (BETA - 默认值为 true)<br/>
 KubeletPodResourcesGetAllocatable=true|false (BETA - 默认值为 true)<br/>
-LegacyServiceAccountTokenNoAutoGeneration=true|false (BETA - 默认值为 true)<br/>
-LocalStorageCapacityIsolation=true|false (BETA - 默认值为 true)<br/>
+KubeletTracing=true|false (ALPHA - 默认值为 false)<br/>
+LegacyServiceAccountTokenTracking=true|false (ALPHA - 默认值为 false)<br/>
 LocalStorageCapacityIsolationFSQuotaMonitoring=true|false (ALPHA - 默认值为 false)<br/>
 LogarithmicScaleDown=true|false (BETA - 默认值为 true)<br/>
+LoggingAlphaOptions=true|false (ALPHA - 默认值为 false)<br/>
+LoggingBetaOptions=true|false (BETA - 默认值为 true)<br/>
+MatchLabelKeysInPodTopologySpread=true|false (ALPHA - 默认值为 false)<br/>
 MaxUnavailableStatefulSet=true|false (ALPHA - 默认值为 false)<br/>
 MemoryManager=true|false (BETA - 默认值为 true)<br/>
 MemoryQoS=true|false (ALPHA - 默认值为 false)<br/>
-MinDomainsInPodTopologySpread=true|false (ALPHA - 默认值为 false)<br/>
-MixedProtocolLBService=true|false (BETA - 默认值为 true)<br/>
-NetworkPolicyEndPort=true|false (BETA - 默认值为 true)<br/>
+MinDomainsInPodTopologySpread=true|false (BETA - 默认值为 false)<br/>
+MinimizeIPTablesRestore=true|false (ALPHA - 默认值为 false)<br/>
+MultiCIDRRangeAllocator=true|false (ALPHA - 默认值为 false)<br/>
 NetworkPolicyStatus=true|false (ALPHA - 默认值为 false)<br/>
-NodeOutOfServiceVolumeDetach=true|false (ALPHA - 默认值为 false)<br/>
+NodeInclusionPolicyInPodTopologySpread=true|false (BETA - 默认值为 true)<br/>
+NodeOutOfServiceVolumeDetach=true|false (BETA - 默认值为 true)<br/>
 NodeSwap=true|false (ALPHA - 默认值为 false)<br/>
 OpenAPIEnums=true|false (BETA - 默认值为 true)<br/>
 OpenAPIV3=true|false (BETA - 默认值为 true)<br/>
+PDBUnhealthyPodEvictionPolicy=true|false (ALPHA - 默认值为 false)<br/>
 PodAndContainerStatsFromCRI=true|false (ALPHA - 默认值为 false)<br/>
 PodDeletionCost=true|false (BETA - 默认值为 true)<br/>
-PodSecurity=true|false (BETA - 默认值为 true)<br/>
-ProbeTerminationGracePeriod=true|false (BETA - 默认值为 false)<br/>
+PodDisruptionConditions=true|false (BETA - 默认值为 true)<br/>
+PodHasNetworkCondition=true|false (ALPHA - 默认值为 false)<br/>
+PodSchedulingReadiness=true|false (ALPHA - 默认值为 false)<br/>
+ProbeTerminationGracePeriod=true|false (BETA - 默认值为 true)<br/>
 ProcMountType=true|false (ALPHA - 默认值为 false)<br/>
-ProxyTerminatingEndpoints=true|false (ALPHA - 默认值为 false)<br/>
+ProxyTerminatingEndpoints=true|false (BETA - 默认值为 true)<br/>
 QOSReserved=true|false (ALPHA - 默认值为 false)<br/>
 ReadWriteOncePod=true|false (ALPHA - 默认值为 false)<br/>
 RecoverVolumeExpansionFailure=true|false (ALPHA - 默认值为 false)<br/>
 RemainingItemCount=true|false (BETA - 默认值为 true)<br/>
+RetroactiveDefaultStorageClass=true|false (BETA - 默认值为 true)<br/>
 RotateKubeletServerCertificate=true|false (BETA - 默认值为 true)<br/>
-SeccompDefault=true|false (ALPHA - 默认值为 false)<br/>
-ServerSideFieldValidation=true|false (ALPHA - 默认值为 false)<br/>
-ServiceIPStaticSubrange=true|false (ALPHA - 默认值为 false)<br/>
-ServiceInternalTrafficPolicy=true|false (BETA - 默认值为 true)<br/>
+SELinuxMountReadWriteOncePod=true|false (ALPHA - 默认值为 false)<br/>
+SeccompDefault=true|false (BETA - 默认值为 true)<br/>
+ServerSideFieldValidation=true|false (BETA - 默认值为 true)<br/>
 SizeMemoryBackedVolumes=true|false (BETA - 默认值为 true)<br/>
 StatefulSetAutoDeletePVC=true|false (ALPHA - 默认值为 false)<br/>
-StatefulSetMinReadySeconds=true|false (BETA - 默认值为 true)<br/>
+StatefulSetStartOrdinal=true|false (ALPHA - 默认值为 false)<br/>
 StorageVersionAPI=true|false (ALPHA - 默认值为 false)<br/>
 StorageVersionHash=true|false (BETA - 默认值为 true)<br/>
 TopologyAwareHints=true|false (BETA - 默认值为 true)<br/>
 TopologyManager=true|false (BETA - 默认值为 true)<br/>
+TopologyManagerPolicyAlphaOptions=true|false (ALPHA - 默认值为 false)<br/>
+TopologyManagerPolicyBetaOptions=true|false (BETA - 默认值为 false)<br/>
+TopologyManagerPolicyOptions=true|false (ALPHA - 默认值为 false)<br/>
+UserNamespacesStatelessPodsSupport=true|false (ALPHA - 默认值为 false)<br/>
+ValidatingAdmissionPolicy=true|false (ALPHA - 默认值为 false)<br/>
 VolumeCapacityPriority=true|false (ALPHA - 默认值为 false)<br/>
 WinDSR=true|false (ALPHA - 默认值为 false)<br/>
 WinOverlay=true|false (BETA - 默认值为 true)<br/>
-WindowsHostProcessContainers=true|false (BETA - 默认值为 true)<br/>
+WindowsHostNetwork=true|false (ALPHA - 默认值为 true)<br/>
 已弃用: 应在 <code>--config</code> 所给的配置文件中进行设置。
 （<a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file">进一步了解</a>）
 </td>
@@ -1004,6 +973,21 @@ Duration between checking config files for new data. (DEPRECATED: This parameter
 </td>
 </tr>
 
+<tr>
+<td colspan="2">--topology-manager-policy-options string</td>
+</tr>
+<tr>
+<td></td><td style="line-height: 130%; word-wrap: break-word;">
+<!--
+A set of key=value Topology Manager policy options to use, to fine tune their behaviour. If not supplied, keep the default behaviour. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
+-->
+一组 key=value Topology Manager 策略选项，用于微调它们的行为。
+如果未提供，则保持默认行为。（已弃用：此参数应通过 Kubelet 的 <code>--config</code>
+标志指定的配置文件设置。请参阅
+<a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
+</td>
+</tr>
+
 <tr>
 <td colspan="2">--hairpin-mode string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default: <code>promiscuous-bridge</code>-->默认值：<code>promiscuous-bridge</code></td>
 </tr>
@@ -1219,7 +1203,7 @@ If enabled, the kubelet will integrate with the kernel memcg notification to det
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Burst to use while talking with kubernetes apiserver. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
+Burst to use while talking with kubernetes apiserver. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 每秒发送到 apiserver 的突发请求数量上限。
 （已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
@@ -1233,7 +1217,7 @@ Burst to use while talking with kubernetes apiserver. (DEPRECATED: This paramete
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Content type of requests sent to apiserver. (default "application/vnd.kubernetes.protobuf") (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
+Content type of requests sent to apiserver. (default "application/vnd.kubernetes.protobuf") (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 发送到 apiserver 的请求的内容类型。
 （已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
@@ -1258,7 +1242,7 @@ QPS to use while talking with kubernetes API server. The number must be &gt;= 0.
 </tr>
 
 <tr>
-<td colspan="2">--kube-reserved mapStringString&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default: &lt;None&gt;-->默认值：&lt;None&gt;</td>
+<td colspan="2">--kube-reserved string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default: &lt;None&gt;-->默认值：&lt;None&gt;</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
@@ -1317,68 +1301,29 @@ Optional absolute name of cgroups to create and run the Kubelet in. (DEPRECATED:
 </tr>
 
 <tr>
-<td colspan="2">--lock-file string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-<Warning: Alpha feature> The path to file for kubelet to use as a lock file.
--->
-&lt;警告：alpha 特性&gt; kubelet 使用的锁文件的路径。
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--log-backtrace-at &lt;<!--A string of format 'file:line'-->一个 “文件：行数” 格式的字符串&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-<!--Default: <code>:0</code>-->默认值：<code>:0</code></td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-When logging hits line <code><file>:<N></code>, emit a stack trace. (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)
--->
-形式为 <code>&lt;file&gt;:&lt;N&gt;</code>。
-当日志逻辑执行到命中 &lt;file&gt; 的第 &lt;N&gt; 行时，转储调用堆栈。
-（已弃用：将在未来的版本中删除，<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">进一步了解</a>。）
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--log-dir string</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-If non-empty, write log files in this directory. (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)
--->
-如果此值为非空，则在所指定的目录中写入日志文件。
-（已弃用：将在未来的版本中删除，<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">进一步了解</a>。）
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--log-file string</td>
+<td colspan="2">--local-storage-capacity-isolation&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: <code>true</code></td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-If non-empty, use this log file. (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)
+If true, local ephemeral storage isolation is enabled. Otherwise, local storage isolation feature will be disabled. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
 -->
-如果此值非空，使用所给字符串作为日志文件名。
-（已弃用：将在未来的版本中删除，<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">进一步了解</a>。）
+如果此值为 true，将启用本地临时存储隔离。
+否则，本地存储隔离功能特性将被禁用。
+（已弃用：这个参数应该通过 Kubelet 的 <code>--config</code> 标志指定的配置文件来设置。
+有关详细信息，请参阅 https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/）。
 </td>
 </tr>
 
 <tr>
-<td colspan="2">--log-file-max-size uint&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default: 1800-->默认值：1800</td>
+<td colspan="2">--lock-file string</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)
+&lt;Warning: Alpha feature&gt; The path to file for kubelet to use as a lock file.
 -->
-设置日志文件的最大值。单位为兆字节（M）。如果值为 0，则表示文件大小无限制。
-（已弃用：将在未来的版本中删除，<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">进一步了解</a>。）
+&lt;警告：Alpha 特性&gt; kubelet 用作锁文件的文件路径。
 </td>
 </tr>
 
@@ -1400,9 +1345,9 @@ Maximum number of seconds between log flushes
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-[Experimental] In JSON format with split output streams, the info messages can be buffered for a while to increase performance. The default value of zero bytes disables buffering. The size can be specified as number of bytes (512), multiples of 1000 (1K), multiples of 1024 (2Ki), or powers of those (3M, 4G, 5Mi, 6Gi). (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
+[Alpha] In JSON format with split output streams, the info messages can be buffered for a while to increase performance. The default value of zero bytes disables buffering. The size can be specified as number of bytes (512), multiples of 1000 (1K), multiples of 1024 (2Ki), or powers of those (3M, 4G, 5Mi, 6Gi). (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
-[实验性特性]在具有拆分输出流的 JSON 格式中，可以将信息消息缓冲一段时间以提高性能。
+[Alpha 特性]在具有拆分输出流的 JSON 格式中，可以将信息消息缓冲一段时间以提高性能。
 零字节的默认值禁用缓冲。大小可以指定为字节数（512）、1000 的倍数（1K）、1024 的倍数（2Ki） 或这些（3M、4G、5Mi、6Gi）的幂。
 （已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
 请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
@@ -1415,9 +1360,9 @@ Maximum number of seconds between log flushes
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-[Experimental] In JSON format, write error messages to stderr and info messages to stdout. The default is to write a single stream to stdout. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
+[Alpha] In JSON format, write error messages to stderr and info messages to stdout. The default is to write a single stream to stdout. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
-[实验性特性]以 JSON 格式，将错误消息写入 stderr，将 info 消息写入 stdout。
+[Alpha 特性]以 JSON 格式，将错误消息写入 stderr，将 info 消息写入 stdout。
 默认是将单个流写入标准输出。
 （已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
 请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
@@ -1427,21 +1372,6 @@ Maximum number of seconds between log flushes
 <tr>
 <td colspan="2">--logging-format string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default: <code>text</code>-->默认值：<code>"text"</code></td>
 </tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-Sets the log format. Permitted formats: <code>text</code>, <code>json</code>.<br/>Non-default formats don't honor these flags: <code>--add-dir-header</code>, <code>--alsologtostderr</code>, <code>--log-backtrace-at</code>, <code>--log-dir</code>, <code>--log-file</code>, <code>--log-file-max-size</code>, <code>--logtostderr</code>, <code>--skip_headers</code>, <code>--skip_log_headers</code>, <code>--stderrthreshold</code>, <code>--log-flush-frequency</code>.<br/>Non-default choices are currently alpha and subject to change without warning. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
--->
-设置日志文件格式。可以设置的格式有：<code>"text"</code>、<code>"json"</code>。
-非默认的格式不会使用以下标志的配置：<code>--add-dir-header</code>、<code>--alsologtostderr</code>、
-<code>--log-backtrace-at</code>、<code>--log-dir</code>、<code>--log-file</code>,
-<code>--log-file-max-size</code>、<code>--logtostderr</code>、<code>--skip-headers</code>、
-<code>--skip-log-headers</code>、<code>--stderrthreshold</code>、<code>--log-flush-frequency</code>。
-非默认选项的其它值都应视为 Alpha 特性，将来出现更改时不会额外警告。
-（已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
-请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
-</td>
-</tr>
 
 <tr>
 <td colspan="2">--logtostderr&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default: <code>true</code>-->默认值：<code>true</code></td>
@@ -1449,11 +1379,11 @@ Sets the log format. Permitted formats: <code>text</code>, <code>json</code>.<br
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-log to standard error instead of files. (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)
+Sets the log format. Permitted formats: <code>text</code>, <code>json</code> (gated by <code>LoggingBetaOptions</code>). (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
-日志输出到 stderr 而不是文件。
-（已弃用：将会在未来的版本删除，
-<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">进一步了解</a>。）
+设置日志格式。允许的格式：<code>text</code>、<code>json</code>（由 <code>LoggingBetaOptions</code> 控制）。
+（已弃用：此参数应通过 Kubelet 的 <code>--config</code> 标志指定的配置文件设置。
+请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
 </tr>
 
@@ -1630,14 +1560,14 @@ IP address (or comma-separated dual-stack IP addresses) of the node. If unset, k
 </tr>
 
 <tr>
-<td colspan="2">--node-labels mapStringString</td>
+<td colspan="2">--node-labels &lt;key=value pairs&gt;</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
 &lt;Warning: Alpha feature&gt;Labels to add when registering the node in the cluster. Labels must be <code>key=value pairs</code> separated by <code>','</code>. Labels in the <code>'kubernetes.io'</code> namespace must begin with an allowed prefix (<code>'kubelet.kubernetes.io'</code>, <code>'node.kubernetes.io'</code>) or be in the specifically allowed set (<code>'beta.kubernetes.io/arch'</code>, <code>'beta.kubernetes.io/instance-type'</code>, <code>'beta.kubernetes.io/os'</code>, <code>'failure-domain.beta.kubernetes.io/region'</code>, <code>'failure-domain.beta.kubernetes.io/zone'</code>, <code>'kubernetes.io/arch'</code>, <code>'kubernetes.io/hostname'</code>, <code>'kubernetes.io/os'</code>, <code>'node.kubernetes.io/instance-type'</code>, <code>'topology.kubernetes.io/region'</code>, <code>'topology.kubernetes.io/zone'</code>))
 -->
-&lt;警告：alpha 特性&gt; kubelet 在集群中注册本节点时设置的标签。标签以
+&lt;警告：Alpha 特性&gt; kubelet 在集群中注册本节点时设置的标签。标签以
 <code>key=value</code> 的格式表示，多个标签以逗号分隔。名字空间 <code>kubernetes.io</code>
 中的标签必须以 <code>kubelet.kubernetes.io</code> 或 <code>node.kubernetes.io</code> 为前缀，
 或者在以下明确允许范围内：
@@ -1679,21 +1609,6 @@ Specifies how often kubelet posts node status to master. Note: be cautious when
 </td>
 </tr>
 
-<tr>
-<td colspan="2">--one-output</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-If true, only write logs to their native severity level (vs also writing to each lower severity level). (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)
--->
-如果设置此标志为 <code>true</code>，则仅将日志写入其原来的严重性级别中，
-而不是同时将其写入更低严重性级别中。
-已弃用：将在未来的版本中删除。
-（<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">进一步了解</a>。）
-</td>
-</tr>
-
 <tr>
 <td colspan="2">--oom-score-adj int32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default: -999-->默认值：-999</td>
 </tr>
@@ -1726,20 +1641,19 @@ The CIDR to use for pod IP addresses, only used in standalone mode. In cluster m
 <tr>
 <td colspan="2">--pod-infra-container-image string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
 <!--
-Default: <code>registry.k8s.io/pause:3.6
+Default: <code>registry.k8s.io/pause:3.9
 -->
-默认值: <code>registry.k8s.io/pause:3.6
+默认值: <code>registry.k8s.io/pause:3.9
 </code></td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
- Specified image will not be pruned by the image garbage collector. When container-runtime is set to <code>docker</code>, all containers in each pod will use the network/ipc namespaces from this image. Other CRI implementations have their own configuration to set this image.
+Specified image will not be pruned by the image garbage collector. CRI implementations have their own configuration to set this image. (DEPRECATED: will be removed in 1.27. Image garbage collector will get sandbox image information from CRI.)
 -->
 所指定的镜像不会被镜像垃圾收集器删除。
-当容器运行环境设置为 <code>docker</code> 时，各个 Pod 中的所有容器都会
-使用此镜像中的网络和 IPC 名字空间。
-其他 CRI 实现有自己的配置来设置此镜像。
+CRI 实现有自己的配置来设置此镜像。
+（已弃用：将在 1.27 中删除，镜像垃圾收集器将从 CRI 获取沙箱镜像信息。）
 </td>
 </tr>
 
@@ -1832,14 +1746,14 @@ Unique identifier for identifying the node in a machine database, i.e cloud prov
 </tr>
 
 <tr>
-<td colspan="2">--qos-reserved mapStringString</td>
+<td colspan="2">--qos-reserved string</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
 &lt;Warning: Alpha feature&gt; A set of <code>&lt;resource name&gt;=&lt;percentage&gt;</code> (e.g. <code>memory=50%</code>) pairs that describe how pod resource requests are reserved at the QoS level. Currently only <code>memory</code> is supported. Requires the <code>QOSReserved</code> feature gate to be enabled. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
-&lt;警告：alpha 特性&gt; 设置在指定的 QoS 级别预留的 Pod 资源请求，以一组
+&lt;警告：Alpha 特性&gt; 设置在指定的 QoS 级别预留的 Pod 资源请求，以一组
 <code>"资源名称=百分比"</code> 的形式进行设置，例如 <code>memory=50%</code>。
 当前仅支持内存（memory）。要求启用 <code>QOSReserved</code> 特性门控。
 （已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
@@ -1867,7 +1781,7 @@ kubelet 可以在没有身份验证/鉴权的情况下提供只读服务的端
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Register the node with the API server. If <code>--kubeconfig</code> is not provided, this flag is irrelevant, as the Kubelet won't have an API server to register with. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
+Register the node with the API server. If <code>--kubeconfig</code> is not provided, this flag is irrelevant, as the Kubelet won't have an API server to register with. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 向 API 服务器注册节点，如果未提供 <code>--kubeconfig</code>，此标志无关紧要，
 因为 Kubelet 没有 API 服务器可注册。
@@ -1890,12 +1804,12 @@ Register the node as schedulable. Won't have any effect if <code>--register-node
 </tr>
 
 <tr>
-<td colspan="2">--register-with-taints mapStringString</td>
+<td colspan="2">--register-with-taints string</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Register the node with the given list of taints (comma separated <code>&lt;key&gt;=&lt;value&gt;:&lt;effect&gt;</code>). No-op if <code>--register-node</code> is <code>false</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
+Register the node with the given list of taints (comma separated <code>&lt;key&gt;=&lt;value&gt;:&lt;effect&gt;</code>). No-op if <code>--register-node</code> is <code>false</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code>  flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 设置本节点的污点标记，格式为 <code>&lt;key&gt;=&lt;value&gt;:&lt;effect&gt;</code>，
 以逗号分隔。当 <code>--register-node</code> 为 false 时此标志无效。
@@ -1997,9 +1911,9 @@ Directory path for managing kubelet files (volume mounts, etc).
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-&lt;Warning: Beta feature&gt; Auto rotate the kubelet client certificates by requesting new certificates from the <code>kube-apiserver</code> when the certificate expiration approaches. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
+Auto rotate the kubelet client certificates by requesting new certificates from the <code>kube-apiserver</code> when the certificate expiration approaches. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
-&lt;警告：Beta 特性&gt; 设置当客户端证书即将过期时 kubelet 自动从
+设置当客户端证书即将过期时 kubelet 自动从
 <code>kube-apiserver</code> 请求新的证书进行轮换。
 （已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
 请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
@@ -2012,9 +1926,9 @@ Directory path for managing kubelet files (volume mounts, etc).
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Auto-request and rotate the kubelet serving certificates by requesting new certificates from the <code>kube-apiserver</code> when the certificate expiration approaches. Requires the <code>RotateKubeletServerCertificate</code> feature gate to be enabled, and approval of the submitted <code>CertificateSigningRequest</code> objects. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
+&lt;Warning: Beta feature&gt; ng certificates by requesting new certificates from the <code>kube-apiserver</code> when the certificate expiration approaches. Requires the <code>RotateKubeletServerCertificate</code> feature gate to be enabled, and approval of the submitted <code>CertificateSigningRequest</code> objects. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
-当 kubelet 的服务证书即将过期时自动从 kube-apiserver 请求新的证书进行轮换。
+&lt;警告：Beta 特性&gt; 当 kubelet 的服务证书即将过期时自动从 kube-apiserver 请求新的证书进行轮换。
 要求启用 <code>RotateKubeletServerCertificate</code> 特性门控，以及对提交的
 <code>CertificateSigningRequest</code> 对象进行批复（Approve）操作。
 （已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
@@ -2028,7 +1942,7 @@ Auto-request and rotate the kubelet serving certificates by requesting new certi
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-If <code>true</code>, exit after spawning pods from local manifests or remote urls. Exclusive with <code>--enable-server</code> (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)<
+If <code>true</code>, exit after spawning pods from local manifests or remote urls. Exclusive with <code>--enable-server</code> (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)<
 -->
 设置为 <code>true</code> 表示从本地清单或远程 URL 创建完 Pod 后立即退出 kubelet 进程。
 与 <code>--enable-server</code> 标志互斥。
@@ -2071,9 +1985,9 @@ Timeout of all runtime requests except long running request - <code>pull</code>,
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-&lt;Warning: Alpha feature&gt; Enable the use of <code>RuntimeDefault</code> as the default seccomp profile for all workloads. The <code>SeccompDefault</code> feature gate must be enabled to allow this flag, which is disabled by default.
+&lt;Warning: Beta feature&gt; Enable the use of <code>RuntimeDefault</code> as the default seccomp profile for all workloads. The <code>SeccompDefault</code> feature gate must be enabled to allow this flag, which is disabled by default.
 -->
-&lt;警告：alpha 特性&gt; 启用 <code>RuntimeDefault</code> 作为所有工作负载的默认 seccomp 配置文件。<code>SeccompDefault</code> 特性门控必须启用以允许此标志，默认情况下禁用。
+&lt;警告：Beta 特性&gt; 启用 <code>RuntimeDefault</code> 作为所有工作负载的默认 seccomp 配置文件。<code>SeccompDefault</code> 特性门控必须启用以允许此标志，默认情况下禁用。
 </td>
 </tr>
 
@@ -2092,45 +2006,6 @@ Pull images one at a time. We recommend *not* changing the default value on node
 </td>
 </tr>
 
-<tr>
-<td colspan="2">--skip-headers</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-If <code>true</code>, avoid header prefixes in the log messages. (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)
--->
-设置为 <code>true</code> 时在日志消息中去掉标头前缀。
-（已弃用：将在未来的版本中删除，<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">进一步了解</a>。）
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--skip-log-headers</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-If <code>true</code>, avoid headers when opening log files. (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)
--->
-设置为 <code>true</code>，打开日志文件时去掉标头。
-（已弃用：将在未来的版本中删除，<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">进一步了解</a>。）
-</td>
-</tr>
-
-<tr>
-<td colspan="2">--stderrthreshold int&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default: 2-->默认值：2</td>
-</tr>
-<tr>
-<td></td><td style="line-height: 130%; word-wrap: break-word;">
-<!--
-logs at or above this threshold go to stderr. (DEPRECATED: will be removed in a future release, see <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">here</a>.)
--->
-设置严重程度达到或超过此阈值的日志输出到标准错误输出。
-（已弃用：将在未来的版本中删除，<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components">进一步了解</a>。）
-</td>
-</tr>
-
 <tr>
 <td colspan="2">--streaming-connection-idle-timeout duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default: <code>4h0m0s</code>-->默认值：<code>4h0m0s</code></td>
 </tr>
@@ -2177,7 +2052,7 @@ Optional absolute name of cgroups in which to place all non-kernel processes tha
 </tr>
 
 <tr>
-<td colspan="2">--system-reserved mapStringString&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default: none-->默认值：无</td>
+<td colspan="2">--system-reserved string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default: none-->默认值：无</td>
 </tr>
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
@@ -2236,16 +2111,16 @@ kubelet 会为公开地址生成自签名证书和密钥，并将其保存到通
 <!--
 Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used.<br/>
 Preferred values:
-`TLS_AES_128_GCM_SHA256`, `TLS_AES_256_GCM_SHA384`, `TLS_CHACHA20_POLY1305_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305`, `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305`, `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`, `TLS_RSA_WITH_AES_128_CBC_SHA`, `TLS_RSA_WITH_AES_128_GCM_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA`, `TLS_RSA_WITH_AES_256_GCM_SHA384`<br/>
+<code>TLS_AES_128_GCM_SHA256</code>, <code>TLS_AES_256_GCM_SHA384</code>, <code>TLS_CHACHA20_POLY1305_SHA256</code>, <code>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</code>, <code>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</code>, <code>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</code>, <code>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</code>, <code>TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305</code>, <code>TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256</code>, <code>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</code>, <code>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</code>, <code>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</code>, <code>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</code>, <code>TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305</code>, <code>TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256</code>, <code>TLS_RSA_WITH_AES_128_CBC_SHA</code>, <code>TLS_RSA_WITH_AES_128_GCM_SHA256</code>, <code>TLS_RSA_WITH_AES_256_CBC_SHA</code>, <code>TLS_RSA_WITH_AES_256_GCM_SHA384</code><br/>
 Insecure values:
-`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_RC4_128_SHA`, `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_RSA_WITH_RC4_128_SHA`, `TLS_RSA_WITH_3DES_EDE_CBC_SHA`, `TLS_RSA_WITH_AES_128_CBC_SHA256`, `TLS_RSA_WITH_RC4_128_SHA`.<br/>
-(DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
+<code>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</code>, <code>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</code>, <code>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</code>, <code>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</code>, <code>TLS_ECDHE_RSA_WITH_RC4_128_SHA</code>, <code>TLS_RSA_WITH_3DES_EDE_CBC_SHA</code>, <code>TLS_RSA_WITH_AES_128_CBC_SHA256</code>, <code>TLS_RSA_WITH_RC4_128_SHA</code>.<br/>
+(DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 服务器端加密算法列表，以逗号分隔。如果不设置，则使用 Go 语言加密包的默认算法列表。<br/>
 首选算法：
-`TLS_AES_128_GCM_SHA256`, `TLS_AES_256_GCM_SHA384`, `TLS_CHACHA20_POLY1305_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305`, `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305`, `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`, `TLS_RSA_WITH_AES_128_CBC_SHA`, `TLS_RSA_WITH_AES_128_GCM_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA`, `TLS_RSA_WITH_AES_256_GCM_SHA384`<br/>
+<code>TLS_AES_128_GCM_SHA256</code>, <code>TLS_AES_256_GCM_SHA384</code>, <code>TLS_CHACHA20_POLY1305_SHA256</code>, <code>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</code>, <code>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</code>, <code>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</code>, <code>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</code>, <code>TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305</code>, <code>TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256</code>, <code>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</code>, <code>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</code>, <code>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</code>, <code>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</code>, <code>TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305</code>, <code>TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256</code>, <code>TLS_RSA_WITH_AES_128_CBC_SHA</code>, <code>TLS_RSA_WITH_AES_128_GCM_SHA256</code>, <code>TLS_RSA_WITH_AES_256_CBC_SHA</code>, <code>TLS_RSA_WITH_AES_256_GCM_SHA384</code><br/>
 不安全算法：
-`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_RC4_128_SHA`, `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_RSA_WITH_RC4_128_SHA`, `TLS_RSA_WITH_3DES_EDE_CBC_SHA`, `TLS_RSA_WITH_AES_128_CBC_SHA256`, `TLS_RSA_WITH_RC4_128_SHA`.<br/>
+<code>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</code>, <code>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</code>, <code>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</code>, <code>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</code>, <code>TLS_ECDHE_RSA_WITH_RC4_128_SHA</code>, <code>TLS_RSA_WITH_3DES_EDE_CBC_SHA</code>, <code>TLS_RSA_WITH_AES_128_CBC_SHA256</code>, <code>TLS_RSA_WITH_RC4_128_SHA</code>.<br/>
 （已弃用：应在 <code>--config</code> 所给的配置文件中进行设置。
 请参阅 <a href="https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> 了解更多信息。）
 </td>
@@ -2301,7 +2176,7 @@ Topology Manager policy to use. Possible values: <code>'none'</code>, <code>'bes
 <tr>
 <td></td><td style="line-height: 130%; word-wrap: break-word;">
 <!--
-Scope to which topology hints applied. Topology Manager collects hints from Hint Providers and applies them to defined scope to ensure the pod admission. Possible values: <code>'container'</code>, <code>'pod'</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
+Scope to which topology hints applied. Topology Manager collects hints from Hint Providers and applies them to defined scope to ensure the pod admission. Possible values: <code>'container'</code>, <code>'pod'</code>. (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's <code>--config</code> flag. See <a href="https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/">kubelet-config-file</a> for more information.)
 -->
 拓扑提示信息使用范围。拓扑管理器从提示提供者（Hints Providers）处收集提示信息，
 并将其应用到所定义的范围以确保 Pod 准入。

From 8b731ac69d7e3cc3cd7966263062b66d929f627e Mon Sep 17 00:00:00 2001
From: Guangwen Feng <fenggw-fnst@fujitsu.com>
Date: Mon, 20 Mar 2023 13:40:25 +0800
Subject: [PATCH 201/215] [zh-cn] sync task files of task-11

Signed-off-by: Guangwen Feng <fenggw-fnst@fujitsu.com>
---
 content/zh-cn/docs/tasks/administer-cluster/certificates.md | 2 +-
 .../zh-cn/docs/tasks/administer-cluster/cluster-upgrade.md  | 2 ++
 .../tasks/administer-cluster/kubeadm/kubeadm-upgrade.md     | 6 +++---
 .../administer-cluster/network-policy-provider/_index.md    | 4 ++--
 4 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/content/zh-cn/docs/tasks/administer-cluster/certificates.md b/content/zh-cn/docs/tasks/administer-cluster/certificates.md
index 85350b574d7df..7de4e594e38ed 100644
--- a/content/zh-cn/docs/tasks/administer-cluster/certificates.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/certificates.md
@@ -34,7 +34,7 @@ manually through [`easyrsa`](https://github.com/OpenVPN/easy-rsa), [`openssl`](h
 1. 下载、解压、初始化打过补丁的 `easyrsa3`。
 
    ```shell
-   curl -LO https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz
+   curl -LO https://dl.k8s.io/easy-rsa/easy-rsa.tar.gz
    tar xzf easy-rsa.tar.gz
    cd easy-rsa-master/easyrsa3
    ./easyrsa init-pki
diff --git a/content/zh-cn/docs/tasks/administer-cluster/cluster-upgrade.md b/content/zh-cn/docs/tasks/administer-cluster/cluster-upgrade.md
index c3575e273da09..caac130c65a2a 100644
--- a/content/zh-cn/docs/tasks/administer-cluster/cluster-upgrade.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/cluster-upgrade.md
@@ -1,10 +1,12 @@
 ---
 title: 升级集群
 content_type: task
+weight: 350
 ---
 <!--
 title: Upgrade A Cluster
 content_type: task
+weight: 350
 -->
 
 <!-- overview -->
diff --git a/content/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade.md b/content/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade.md
index bca76648eaba5..4b37453bdda81 100644
--- a/content/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade.md
@@ -1,14 +1,14 @@
 ---
 title: 升级 kubeadm 集群
 content_type: task
-weight: 20
+weight: 40
 ---
 <!--
 reviewers:
 - sig-cluster-lifecycle
 title: Upgrading kubeadm clusters
 content_type: task
-weight: 20
+weight: 40
 -->
 
 <!-- overview -->
@@ -476,7 +476,7 @@ without compromising the minimum required capacity for running your workloads.
   ```
 
   {{% /tab %}}
-  {{% tab name="CentOS, RHEL or Fedora" %}}
+  {{% tab name="CentOS、RHEL 或 Fedora" %}}
 
   ```shell
   # 将 {{< skew currentVersion >}}.x-0 x 替换为最新的补丁版本
diff --git a/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/_index.md b/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/_index.md
index df2232c8dc540..7cf2726e39eca 100644
--- a/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/_index.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/network-policy-provider/_index.md
@@ -1,8 +1,8 @@
 ---
 title: 安装网络策略驱动
-weight: 30
+weight: 50
 ---
 <!--
 title: Install a Network Policy Provider
-weight: 30
+weight: 50
 -->

From a246d0ea11561270e86180149da46b7ceafd67de Mon Sep 17 00:00:00 2001
From: SSmallMonster <mingming.zhou@daocloud.io>
Date: Mon, 20 Mar 2023 13:48:33 +0800
Subject: [PATCH 202/215] [zh-cn] sync setup-extension-api-server.md

Signed-off-by: SSmallMonster <mingming.zhou@daocloud.io>
---
 .../docs/tasks/extend-kubernetes/setup-extension-api-server.md  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/zh-cn/docs/tasks/extend-kubernetes/setup-extension-api-server.md b/content/zh-cn/docs/tasks/extend-kubernetes/setup-extension-api-server.md
index b234c55855265..768f1013aa3f3 100644
--- a/content/zh-cn/docs/tasks/extend-kubernetes/setup-extension-api-server.md
+++ b/content/zh-cn/docs/tasks/extend-kubernetes/setup-extension-api-server.md
@@ -36,7 +36,7 @@ Setting up an extension API server to work the aggregation layer allows the Kube
 <!-- steps -->
 
 <!--
-## Setup an extension api-server to work with the aggregation layer
+## Set up an extension api-server to work with the aggregation layer
 
 The following steps describe how to set up an extension-apiserver *at a high level*. These steps apply regardless if you're using YAML configs or using APIs. An attempt is made to specifically identify any differences between the two. For a concrete example of how they can be implemented using YAML configs, you can look at the [sample-apiserver](https://github.com/kubernetes/sample-apiserver/blob/master/README.md) in the Kubernetes repo.
 

From 31075f0751a86c90713f06ba8865e6dc1655b150 Mon Sep 17 00:00:00 2001
From: Paco Xu <paco.xu@daocloud.io>
Date: Mon, 20 Mar 2023 13:50:55 +0800
Subject: [PATCH 203/215] blog update: add removal of --container-runtime of
 kubelet

---
 .../2023-03-17-kubernetes-1.27-deprecations-and-removals.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/content/en/blog/_posts/2023-03-17-kubernetes-1.27-deprecations-and-removals.md b/content/en/blog/_posts/2023-03-17-kubernetes-1.27-deprecations-and-removals.md
index befcfd4edf849..18f4b0329a0fc 100644
--- a/content/en/blog/_posts/2023-03-17-kubernetes-1.27-deprecations-and-removals.md
+++ b/content/en/blog/_posts/2023-03-17-kubernetes-1.27-deprecations-and-removals.md
@@ -205,6 +205,12 @@ The v1.25 release of Kubernetes also stabilised surge support for DaemonSet pods
 implemented in order to minimize DaemonSet downtime during rollouts.
 The `DaemonSetUpdateSurge` feature gate will be removed in Kubernetes v1.27.
 
+### Removal of `--container-runtime` command line argument
+
+The kubelet accepts a deprecated command line argument, `--container-runtime`, and the only
+valid value would be `remote` after dockershim code is removed. Kubernetes v1.27 will remove
+that argument, which has been deprecated since the v1.24 release.
+
 ## Looking ahead
 
 The official list of

From d9cbc96429e3bb5035b659e71f3508c0783ac789 Mon Sep 17 00:00:00 2001
From: SSmallMonster <mingming.zhou@daocloud.io>
Date: Mon, 20 Mar 2023 14:04:12 +0800
Subject: [PATCH 204/215] [zh-cn] sync _index.md

Signed-off-by: SSmallMonster <mingming.zhou@daocloud.io>
---
 content/zh-cn/docs/tasks/extend-kubernetes/_index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/zh-cn/docs/tasks/extend-kubernetes/_index.md b/content/zh-cn/docs/tasks/extend-kubernetes/_index.md
index 3de1e50de61b9..2c52e43cfb082 100644
--- a/content/zh-cn/docs/tasks/extend-kubernetes/_index.md
+++ b/content/zh-cn/docs/tasks/extend-kubernetes/_index.md
@@ -1,5 +1,5 @@
 ---
 title: "扩展 Kubernetes"
 description: 了解针对工作环境需要来调整 Kubernetes 集群的进阶方法。
-weight: 90
+weight: 110
 ---

From dd0aee9466066ecd48716aba0541d36362f2300a Mon Sep 17 00:00:00 2001
From: kinzhi <wei.wang@daocloud.io>
Date: Mon, 20 Mar 2023 15:21:16 +0800
Subject: [PATCH 205/215] [zh-cn] sync task files of task-3 (#40052)

* [zh-cn] sync task files of task-3

[zh-cn] sync task files of task-3

* [zh-cn] sync task files of task-3
---
 .../configure-pod-container/configure-gmsa.md | 20 ++++++++-----
 .../configure-projected-volume-storage.md     | 10 +++----
 .../configure-service-account.md              | 29 +++++++++++--------
 .../pull-image-private-registry.md            |  4 +--
 .../quality-service-pod.md                    | 26 ++++++-----------
 5 files changed, 45 insertions(+), 44 deletions(-)

diff --git a/content/zh-cn/docs/tasks/configure-pod-container/configure-gmsa.md b/content/zh-cn/docs/tasks/configure-pod-container/configure-gmsa.md
index 3c8ec41a0803c..75b4400cbc69a 100644
--- a/content/zh-cn/docs/tasks/configure-pod-container/configure-gmsa.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/configure-gmsa.md
@@ -1,12 +1,12 @@
 ---
 title: 为 Windows Pod 和容器配置 GMSA
 content_type: task
-weight: 20
+weight: 30
 ---
 <!--
 title: Configure GMSA for Windows Pods and containers
 content_type: task
-weight: 20
+weight: 30
 -->
 <!-- overview -->
 
@@ -55,6 +55,7 @@ Next, install the CRD with `kubectl apply -f gmsa-crd.yaml`
 
 <!--
 ### Install webhooks to validate GMSA users
+
 Two webhooks need to be configured on the Kubernetes cluster to populate and validate GMSA credential spec references at the Pod or container level:
 
 1. A mutating webhook that expands references to GMSAs (by name from a Pod specification) into the full credential spec in JSON form within the Pod spec.
@@ -79,7 +80,7 @@ Installing the above webhooks and associated objects require the steps below:
 
 1. Install a secret with the certificate from above.
 
-1. Create a deployment for the core webhook logic. 
+1. Create a deployment for the core webhook logic.
 
 1. Create the validating and mutating webhook configurations referring to the deployment. 
 -->
@@ -94,7 +95,7 @@ Installing the above webhooks and associated objects require the steps below:
 1. 创建引用该 Deployment 的 Validating Webhook 和 Mutating Webhook 配置
 
 <!--
-A [script](https://github.com/kubernetes-sigs/windows-gmsa/blob/master/admission-webhook/deploy/deploy-gmsa-webhook.sh) can be used to deploy and configure the GMSA webhooks and associated objects mentioned above. The script can be run with a `-dry-run=server` option to allow you to review the changes that would be made to your cluster.
+A [script](https://github.com/kubernetes-sigs/windows-gmsa/blob/master/admission-webhook/deploy/deploy-gmsa-webhook.sh) can be used to deploy and configure the GMSA webhooks and associated objects mentioned above. The script can be run with a ```--dry-run=server``` option to allow you to review the changes that would be made to your cluster.
 
 The [YAML template](https://github.com/kubernetes-sigs/windows-gmsa/blob/master/admission-webhook/deploy/gmsa-webhook.yml.tpl) used by the script may also be used to deploy the webhooks and associated objects manually (with appropriate substitutions for the parameters)
 -->
@@ -142,7 +143,7 @@ Following are the steps for generating a GMSA credential spec YAML manually in J
 
 1. Create a credential spec in JSON format using `New-CredentialSpec`. To create a GMSA credential spec named WebApp1, invoke `New-CredentialSpec -Name WebApp1 -AccountName WebApp1 -Domain $(Get-ADDomain -Current LocalComputer)`
 
-1. Use `Get-CredentialSpec` to show the path of the JSON file. 
+1. Use `Get-CredentialSpec` to show the path of the JSON file.
 
 1. Convert the credspec file from JSON to YAML format and apply the necessary header fields `apiVersion`, `kind`, `metadata` and `credspec` to make it a GMSACredentialSpec custom resource that can be configured in Kubernetes. 
 -->
@@ -258,6 +259,7 @@ rules:
 
 <!--
 ## Assign role to service accounts to use specific GMSA credspecs
+
 A service account (that Pods will be configured with) needs to be bound to the cluster role create above. This authorizes the service account to use the desired GMSA credential spec resource. The following shows the default service account being bound to a cluster role `webapp1-role` to use `gmsa-WebApp1` credential spec resource created above.
 -->
 ## 将角色指派给要使用特定 GMSA 凭据规约的服务账号
@@ -285,6 +287,7 @@ roleRef:
 
 <!--
 ## Configure GMSA credential spec reference in Pod spec
+
 The Pod spec field `securityContext.windowsOptions.gmsaCredentialSpecName` is used to specify references to desired GMSA credential spec custom resources in Pod specs. This configures all containers in the Pod spec to use the specified GMSA. A sample Pod spec with the annotation populated to refer to `gmsa-WebApp1`:
 -->
 ## 在 Pod 规约中配置 GMSA 凭据规约引用
@@ -380,7 +383,11 @@ As Pod specs with GMSA fields populated (as described above) are applied in a cl
 1. 容器运行时为每个 Windows 容器配置所指定的 GMSA 凭据规约，这样容器就可以以
    活动目录中该 GMSA 所代表的身份来执行操作，使用该身份来访问域中的服务。
 
-## 使用主机名或 FQDN 对网络共享进行身份验证 
+<!--
+## Authenticating to network shares using hostname or FQDN
+-->
+## 使用主机名或 FQDN 对网络共享进行身份验证
+
 <!--
 If you are experiencing issues connecting to SMB shares from Pods using hostname or FQDN, but are able to access the shares via their IPv4 address then make sure the following registry key is set on the Windows nodes.
 -->
@@ -512,4 +519,3 @@ If you add the `lifecycle` section show above to your Pod spec, the Pod will exe
 如果你向你的 Pod 规约中添加如上所示的 `lifecycle` 节，则 Pod 会自动执行所
 列举的命令来重启 `netlogon` 服务，直到 `nltest.exe /query`
 命令返回时没有错误信息。
-
diff --git a/content/zh-cn/docs/tasks/configure-pod-container/configure-projected-volume-storage.md b/content/zh-cn/docs/tasks/configure-pod-container/configure-projected-volume-storage.md
index d8cf2f7ff27c8..c26e2832ac4de 100644
--- a/content/zh-cn/docs/tasks/configure-pod-container/configure-projected-volume-storage.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/configure-projected-volume-storage.md
@@ -1,7 +1,7 @@
 ---
 title: 配置 Pod 使用投射卷作存储
 content_type: task
-weight: 70
+weight: 100
 ---
 
 <!--
@@ -10,7 +10,7 @@ reviewers:
 - pmorie
 title: Configure a Pod to Use a Projected Volume for Storage
 content_type: task
-weight: 70
+weight: 100
 -->
 
 <!-- overview -->
@@ -39,9 +39,7 @@ and `serviceAccountToken` volumes can be projected.
 <!--
 ## Configure a projected volume for a pod
 
-In this exercise, you create username and password {{< glossary_tooltip text="Secrets" term_id="secret" >}} from local files. 
-You then create a Pod that runs one container, using a [`projected`](/docs/concepts/storage/volumes/#projected) Volume
-to mount the Secrets into the same shared directory.
+In this exercise, you create username and password {{< glossary_tooltip text="Secrets" term_id="secret" >}} from local files. You then create a Pod that runs one container, using a [`projected`](/docs/concepts/storage/volumes/#projected) Volume to mount the Secrets into the same shared directory.
 
 Here is the configuration file for the Pod:
 -->
@@ -121,7 +119,7 @@ Delete the Pod and the Secrets:
 kubectl delete pod test-projected-volume
 kubectl delete secret user pass
 ```
-   
+
 ## {{% heading "whatsnext" %}}
 
 <!--
diff --git a/content/zh-cn/docs/tasks/configure-pod-container/configure-service-account.md b/content/zh-cn/docs/tasks/configure-pod-container/configure-service-account.md
index 8f2ab826654a5..cfa0080171f8a 100644
--- a/content/zh-cn/docs/tasks/configure-pod-container/configure-service-account.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/configure-service-account.md
@@ -1,7 +1,7 @@
 ---
 title: 为 Pod 配置服务账号
 content_type: task
-weight: 90
+weight: 120
 ---
 <!--
 reviewers:
@@ -10,7 +10,7 @@ reviewers:
 - thockin
 title: Configure Service Accounts for Pods
 content_type: task
-weight: 90
+weight: 120
 -->
 
 <!-- overview -->
@@ -134,7 +134,7 @@ automountServiceAccountToken: false
 ...
 ```
 <!--
-You can also opt out of automounting API credentials for a particular pod:
+You can also opt out of automounting API credentials for a particular Pod:
 -->
 你也可以选择不给特定 Pod 自动挂载 API 凭据：
 
@@ -223,7 +223,7 @@ The output is similar to this:
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  creationTimestamp: 2015-06-16T00:12:59Z
+  creationTimestamp: 2019-06-16T00:12:34Z
   name: build-robot
   namespace: default
   resourceVersion: "272500"
@@ -235,7 +235,7 @@ You can use authorization plugins to
 [set permissions on service accounts](/docs/reference/access-authn-authz/rbac/#service-account-permissions).
 
 To use a non-default service account, set the `spec.serviceAccountName`
-field of a pod to the name of the service account you wish to use.
+field of a Pod to the name of the ServiceAccount you wish to use.
 -->
 你可以使用鉴权插件来[设置服务账号的访问许可](/zh-cn/docs/reference/access-authn-authz/rbac/#service-account-permissions)。
 
@@ -251,11 +251,11 @@ of a Pod that already exists.
 
 {{< note >}}
 <!--
-The `spec.serviceAccount` field is a deprecated alias for `spec.serviceAccountName`.
+The `.spec.serviceAccount` field is a deprecated alias for `.spec.serviceAccountName`.
 If you want to remove the fields from a workload resource, set both fields to empty explicitly
 on the [pod template](/docs/concepts/workloads/pods#pod-templates).
 -->
-`spec.serviceAccount` 字段是 `spec.serviceAccountName` 的已弃用别名。
+`.spec.serviceAccount` 字段是 `.spec.serviceAccountName` 的已弃用别名。
 如果要从工作负载资源中删除这些字段，请在
 [Pod 模板](/zh-cn/docs/concepts/workloads/pods#pod-templates)上将这两个字段显式设置为空。
 {{< /note >}}
@@ -486,6 +486,11 @@ You can achieve the same outcome by editing the object manually:
 kubectl edit serviceaccount/default
 ```
 
+<!--
+The output of the `sa.yaml` file is similar to this:
+-->
+`sa.yaml` 文件的输出类似于：
+
 <!--
 Your selected text editor will open with a configuration looking something like this:
 -->
@@ -551,7 +556,7 @@ myregistrykey
 ```
 
 <!--
-## Service Account Token Volume Projection
+## ServiceAccount token volume projection
 -->
 ## 服务账号令牌卷投射   {#service-account-token-volume-projection}
 
@@ -619,6 +624,7 @@ command line arguments to `kube-apiserver`:
   Kubernetes API 服务器当做合法的令牌。如果你指定了 `--service-account-issuer`
   参数，但沒有設置 `--api-audiences`，则控制面认为此参数的默认值为一个只有一个元素的列表，
   且该元素为令牌发放者的 URL。
+
 {{< /note >}}
 
 <!--
@@ -718,14 +724,14 @@ registered or accessible.
 {{< /note >}}
 
 <!--
-When enabled, the Kubernetes API server provides an OpenID Provider
+When enabled, the Kubernetes API server publishes an OpenID Provider
 Configuration document via HTTP. The configuration document is published at
 `/.well-known/openid-configuration`.
 The OpenID Provider Configuration is sometimes referred to as the _discovery document_.
 The Kubernetes API server publishes the related
 JSON Web Key Set (JWKS), also via HTTP, at `/openid/v1/jwks`.
 -->
-当此特性被启用时，Kubernetes API 服务器会通过 HTTP 提供一个 OpenID 提供者配置文档。
+当此特性被启用时，Kubernetes API 服务器会通过 HTTP 发布一个 OpenID 提供者配置文档。
 该配置文档发布在 `/.well-known/openid-configuration` 路径。
 这里的 OpenID 提供者配置（OpenID Provider Configuration）有时候也被称作
 “发现文档（Discovery Document）”。
@@ -755,7 +761,7 @@ bind the role to `system:authenticated` or `system:unauthenticated` depending on
 security requirements and which external systems they intend to federate with.
 -->
 使用 {{< glossary_tooltip text="RBAC" term_id="rbac">}} 的集群都包含一个的默认
-RBAC ClusterRole, 名为 `system:service-account-issuer-discovery`。 
+RBAC ClusterRole, 名为 `system:service-account-issuer-discovery`。
 默认的 RBAC ClusterRoleBinding 将此角色分配给 `system:serviceaccounts` 组，
 所有 ServiceAccount 隐式属于该组。这使得集群上运行的 Pod
 能够通过它们所挂载的服务账号令牌访问服务账号发现文档。
@@ -819,4 +825,3 @@ See also:
 - 关于 OIDC 发现的相关背景信息，阅读[服务账号签署密钥检索 KEP](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/1393-oidc-discovery)
   这一 Kubernetes 增强提案
 - 阅读 [OIDC 发现规范](https://openid.net/specs/openid-connect-discovery-1_0.html)
-
diff --git a/content/zh-cn/docs/tasks/configure-pod-container/pull-image-private-registry.md b/content/zh-cn/docs/tasks/configure-pod-container/pull-image-private-registry.md
index 21ff6407bdbb3..4177f42d6fedd 100644
--- a/content/zh-cn/docs/tasks/configure-pod-container/pull-image-private-registry.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/pull-image-private-registry.md
@@ -1,13 +1,13 @@
 ---
 title: 从私有仓库拉取镜像
 content_type: task
-weight: 100
+weight: 130
 ---
 
 <!--
 title: Pull an Image from a Private Registry
 content_type: task
-weight: 100
+weight: 130
 -->
 
 <!-- overview -->
diff --git a/content/zh-cn/docs/tasks/configure-pod-container/quality-service-pod.md b/content/zh-cn/docs/tasks/configure-pod-container/quality-service-pod.md
index 4691bd2079de8..ea542e246bd4f 100644
--- a/content/zh-cn/docs/tasks/configure-pod-container/quality-service-pod.md
+++ b/content/zh-cn/docs/tasks/configure-pod-container/quality-service-pod.md
@@ -1,13 +1,13 @@
 ---
 title: 配置 Pod 的服务质量
 content_type: task
-weight: 30
+weight: 60
 ---
 
 <!--
 title: Configure Quality of Service for Pods
 content_type: task
-weight: 30
+weight: 60
 -->
 
 <!-- overview -->
@@ -383,20 +383,6 @@ kubectl --namespace=qos-example get pod qos-demo-4 -o jsonpath='{ .status.qosCla
 Burstable
 ```
 
-<!--
-## Clean up
--->
-## 清理  {#clean-up}
-
-<!--
-Delete your Pod:
--->
-删除 Pod：
-
-```shell
-kubectl delete pod qos-demo-4 --namespace=qos-example
-```
-
 <!--
 ## Clean up
 
@@ -428,12 +414,19 @@ kubectl delete namespace qos-example
 ### For cluster administrators
 
 * [Configure Default Memory Requests and Limits for a Namespace](/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/)
+
 * [Configure Default CPU Requests and Limits for a Namespace](/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace/)
+
 * [Configure Minimum and Maximum Memory Constraints for a Namespace](/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace/)
+
 * [Configure Minimum and Maximum CPU Constraints for a Namespace](/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace/)
+
 * [Configure Memory and CPU Quotas for a Namespace](/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/)
+
 * [Configure a Pod Quota for a Namespace](/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace/)
+
 * [Configure Quotas for API Objects](/docs/tasks/administer-cluster/quota-api-object/)
+
 * [Control Topology Management policies on a node](/docs/tasks/administer-cluster/topology-manager/)
 -->
 ### 集群管理员参考
@@ -446,4 +439,3 @@ kubectl delete namespace qos-example
 * [为名字空间配置 Pod 配额](/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace/)
 * [为 API 对象配置配额](/zh-cn/docs/tasks/administer-cluster/quota-api-object/)
 * [控制节点上的拓扑管理策略](/zh-cn/docs/tasks/administer-cluster/topology-manager/)
-

From f9d9208995fc07e40806e4d5f2cb21e490a1dc2d Mon Sep 17 00:00:00 2001
From: itsfinn <39669621+itsfinn@users.noreply.github.com>
Date: Mon, 20 Mar 2023 15:23:16 +0800
Subject: [PATCH 206/215] Update endpoints-v1.md (#40140)

* Update endpoints-v1.md

* Update endpoints-v1.md
---
 .../reference/kubernetes-api/service-resources/endpoints-v1.md  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/zh-cn/docs/reference/kubernetes-api/service-resources/endpoints-v1.md b/content/zh-cn/docs/reference/kubernetes-api/service-resources/endpoints-v1.md
index a912c60dbf5ba..df830f54f1bab 100644
--- a/content/zh-cn/docs/reference/kubernetes-api/service-resources/endpoints-v1.md
+++ b/content/zh-cn/docs/reference/kubernetes-api/service-resources/endpoints-v1.md
@@ -205,7 +205,7 @@ Endpoints 是实现实际服务的端点的集合。举例:
     -->
 
     <a name="EndpointPort"></a>
-    **EndpointAddress 是描述单个 IP 地址的元组。**
+    **EndpointPort 是描述单个端口的元组。**
 
     <!--    
     - **subsets.ports.port** (int32), required

From 81e0aa91320e95667a473b4e8c0155b2827af663 Mon Sep 17 00:00:00 2001
From: Guangwen Feng <fenggw-fnst@fujitsu.com>
Date: Mon, 20 Mar 2023 14:31:00 +0800
Subject: [PATCH 207/215] [zh-cn] sync task files of task-12

Signed-off-by: Guangwen Feng <fenggw-fnst@fujitsu.com>
---
 .../access-application-cluster/_index.md      |  7 ++-
 .../access-cluster-services.md                |  6 +++
 ...icate-containers-same-pod-shared-volume.md |  8 ++-
 .../configure-access-multiple-clusters.md     | 52 +++++++++----------
 .../configure-dns-cluster.md                  |  4 +-
 5 files changed, 46 insertions(+), 31 deletions(-)

diff --git a/content/zh-cn/docs/tasks/access-application-cluster/_index.md b/content/zh-cn/docs/tasks/access-application-cluster/_index.md
index 5fb03229b184f..73ad5bb508260 100644
--- a/content/zh-cn/docs/tasks/access-application-cluster/_index.md
+++ b/content/zh-cn/docs/tasks/access-application-cluster/_index.md
@@ -1,5 +1,10 @@
 ---
 title: 访问集群中的应用程序
-weight: 60
+weight: 100
 description: 配置负载平衡、端口转发或设置防火墙或 DNS 配置，以访问集群中的应用程序。
 ---
+<!--
+title: "Access Applications in a Cluster"
+description: Configure load balancing, port forwarding, or setup firewall or DNS configurations to access applications in a cluster.
+weight: 100
+-->
diff --git a/content/zh-cn/docs/tasks/access-application-cluster/access-cluster-services.md b/content/zh-cn/docs/tasks/access-application-cluster/access-cluster-services.md
index 336b6d67c1905..91876e13226c4 100644
--- a/content/zh-cn/docs/tasks/access-application-cluster/access-cluster-services.md
+++ b/content/zh-cn/docs/tasks/access-application-cluster/access-cluster-services.md
@@ -1,7 +1,13 @@
 ---
 title: 访问集群上运行的服务
 content_type: task
+weight: 140
 ---
+<!--
+title: Access Services Running on Clusters
+content_type: task
+weight: 140
+-->
 
 <!-- overview -->
 <!--
diff --git a/content/zh-cn/docs/tasks/access-application-cluster/communicate-containers-same-pod-shared-volume.md b/content/zh-cn/docs/tasks/access-application-cluster/communicate-containers-same-pod-shared-volume.md
index 94597e2aeb4a9..ed057170d8600 100644
--- a/content/zh-cn/docs/tasks/access-application-cluster/communicate-containers-same-pod-shared-volume.md
+++ b/content/zh-cn/docs/tasks/access-application-cluster/communicate-containers-same-pod-shared-volume.md
@@ -1,11 +1,12 @@
 ---
 title: 同 Pod 内的容器使用共享卷通信
 content_type: task
+weight: 120
 ---
 <!--
 title: Communicate Between Containers in the Same Pod Using a Shared Volume
 content_type: task
-weight: 110
+weight: 120
 -->
 <!-- overview -->
 
@@ -162,7 +163,10 @@ directory. Use `curl` to send a GET request to the nginx server:
 root@two-containers:/# curl localhost
 ```
 
-输出表示 nginx 提供了 debian 容器写的页面：
+<!--
+The output shows that nginx serves a web page written by the debian container:
+-->
+输出表示 nginx 向外提供了 debian 容器所写就的页面：
 
 ```
 Hello from the debian container
diff --git a/content/zh-cn/docs/tasks/access-application-cluster/configure-access-multiple-clusters.md b/content/zh-cn/docs/tasks/access-application-cluster/configure-access-multiple-clusters.md
index 37de6ac9add45..1a482c9568a28 100644
--- a/content/zh-cn/docs/tasks/access-application-cluster/configure-access-multiple-clusters.md
+++ b/content/zh-cn/docs/tasks/access-application-cluster/configure-access-multiple-clusters.md
@@ -66,24 +66,24 @@ cluster's API server.
 <!--
 ## Define clusters, users, and contexts
 
-Suppose you have two clusters, one for development work and one for scratch work.
+Suppose you have two clusters, one for development work and one for test work.
 In the `development` cluster, your frontend developers work in a namespace called `frontend`,
-and your storage developers work in a namespace called `storage`. In your `scratch` cluster,
+and your storage developers work in a namespace called `storage`. In your `test` cluster,
 developers work in the default namespace, or they create auxiliary namespaces as they
 see fit. Access to the development cluster requires authentication by certificate. Access
-to the scratch cluster requires authentication by username and password.
+to the test cluster requires authentication by username and password.
 
 Create a directory named `config-exercise`. In your
 `config-exercise` directory, create a file named `config-demo` with this content:
 -->
 ## 定义集群、用户和上下文    {#define-clusters-users-and-contexts}
 
-假设用户有两个集群，一个用于正式开发工作，一个用于其它临时用途（scratch）。
+假设用户有两个集群，一个用于开发工作（development），一个用于测试工作（test）。
 在 `development` 集群中，前端开发者在名为 `frontend` 的名字空间下工作，
-存储开发者在名为 `storage` 的名字空间下工作。在 `scratch` 集群中，
+存储开发者在名为 `storage` 的名字空间下工作。在 `test` 集群中，
 开发人员可能在默认名字空间下工作，也可能视情况创建附加的名字空间。
 访问开发集群需要通过证书进行认证。
-访问其它临时用途的集群需要通过用户名和密码进行认证。
+访问测试集群需要通过用户名和密码进行认证。
 
 创建名为 `config-exercise` 的目录。在
 `config-exercise` 目录中，创建名为 `config-demo` 的文件，其内容为：
@@ -97,7 +97,7 @@ clusters:
 - cluster:
   name: development
 - cluster:
-  name: scratch
+  name: test
 
 users:
 - name: developer
@@ -109,7 +109,7 @@ contexts:
 - context:
   name: dev-storage
 - context:
-  name: exp-scratch
+  name: exp-test
 ```
 
 <!--
@@ -126,7 +126,7 @@ your configuration file:
 
 ```shell
 kubectl config --kubeconfig=config-demo set-cluster development --server=https://1.2.3.4 --certificate-authority=fake-ca-file
-kubectl config --kubeconfig=config-demo set-cluster scratch --server=https://5.6.7.8 --insecure-skip-tls-verify
+kubectl config --kubeconfig=config-demo set-cluster test --server=https://5.6.7.8 --insecure-skip-tls-verify
 ```
 
 <!--
@@ -167,7 +167,7 @@ Add context details to your configuration file:
 ```shell
 kubectl config --kubeconfig=config-demo set-context dev-frontend --cluster=development --namespace=frontend --user=developer
 kubectl config --kubeconfig=config-demo set-context dev-storage --cluster=development --namespace=storage --user=developer
-kubectl config --kubeconfig=config-demo set-context exp-scratch --cluster=scratch --namespace=default --user=experimenter
+kubectl config --kubeconfig=config-demo set-context exp-test --cluster=test --namespace=default --user=experimenter
 ```
 
 <!--
@@ -196,7 +196,7 @@ clusters:
 - cluster:
     insecure-skip-tls-verify: true
     server: https://5.6.7.8
-  name: scratch
+  name: test
 contexts:
 - context:
     cluster: development
@@ -209,10 +209,10 @@ contexts:
     user: developer
   name: dev-storage
 - context:
-    cluster: scratch
+    cluster: test
     namespace: default
     user: experimenter
-  name: exp-scratch
+  name: exp-test
 current-context: ""
 kind: Config
 preferences: {}
@@ -310,29 +310,29 @@ users:
 ```
 
 <!--
-Now suppose you want to work for a while in the scratch cluster.
+Now suppose you want to work for a while in the test cluster.
 
-Change the current context to `exp-scratch`:
+Change the current context to `exp-test`:
 -->
-现在假设用户希望在其它临时用途集群中工作一段时间。
+现在假设用户希望在测试集群中工作一段时间。
 
-将当前上下文更改为 `exp-scratch`：
+将当前上下文更改为 `exp-test`：
 
 ```shell
-kubectl config --kubeconfig=config-demo use-context exp-scratch
+kubectl config --kubeconfig=config-demo use-context exp-test
 ```
 
 <!--
 Now any `kubectl` command you give will apply to the default namespace of
-the `scratch` cluster. And the command will use the credentials of the user
-listed in the `exp-scratch` context.
+the `test` cluster. And the command will use the credentials of the user
+listed in the `exp-test` context.
 
-View configuration associated with the new current context, `exp-scratch`.
+View configuration associated with the new current context, `exp-test`.
 -->
-现在你发出的所有 `kubectl` 命令都将应用于 `scratch` 集群的默认名字空间。
-同时，命令会使用 `exp-scratch` 上下文中所列用户的凭证。
+现在你发出的所有 `kubectl` 命令都将应用于 `test` 集群的默认名字空间。
+同时，命令会使用 `exp-test` 上下文中所列用户的凭证。
 
-查看更新后的当前上下文 `exp-scratch` 相关的配置：
+查看更新后的当前上下文 `exp-test` 相关的配置：
 
 ```shell
 kubectl config --kubeconfig=config-demo view --minify
@@ -476,10 +476,10 @@ contexts:
     user: developer
   name: dev-storage
 - context:
-    cluster: scratch
+    cluster: test
     namespace: default
     user: experimenter
-  name: exp-scratch
+  name: exp-test
 ```
 
 <!--
diff --git a/content/zh-cn/docs/tasks/access-application-cluster/configure-dns-cluster.md b/content/zh-cn/docs/tasks/access-application-cluster/configure-dns-cluster.md
index 4bfd1cc54b28d..7534c914efb46 100644
--- a/content/zh-cn/docs/tasks/access-application-cluster/configure-dns-cluster.md
+++ b/content/zh-cn/docs/tasks/access-application-cluster/configure-dns-cluster.md
@@ -1,13 +1,13 @@
 ---
 title: 为集群配置 DNS
-weight: 120
+weight: 130
 content_type: concept
 ---
 
 <!--
 ---
 title: Configure DNS for a Cluster
-weight: 120
+weight: 130
 content_type: concept
 ---
 -->

From cd39843b3726bc95b28130e88021683e4c84981a Mon Sep 17 00:00:00 2001
From: Guangwen Feng <fenggw-fnst@fujitsu.com>
Date: Mon, 20 Mar 2023 16:43:42 +0800
Subject: [PATCH 208/215] [zh-cn] Reference files to sync task-6

Signed-off-by: Guangwen Feng <fenggw-fnst@fujitsu.com>
---
 .../labels-annotations-taints/audit-annotations.md         | 6 +++---
 .../zh-cn/docs/reference/networking/service-protocols.md   | 7 -------
 content/zh-cn/docs/reference/scheduling/_index.md          | 4 ++--
 content/zh-cn/docs/reference/scheduling/policies.md        | 2 ++
 content/zh-cn/docs/reference/tools/_index.md               | 6 +++---
 content/zh-cn/docs/reference/tools/map-crictl-dockercli.md | 5 ++++-
 6 files changed, 14 insertions(+), 16 deletions(-)

diff --git a/content/zh-cn/docs/reference/labels-annotations-taints/audit-annotations.md b/content/zh-cn/docs/reference/labels-annotations-taints/audit-annotations.md
index 208e92af16aab..2b34ad834dc2f 100644
--- a/content/zh-cn/docs/reference/labels-annotations-taints/audit-annotations.md
+++ b/content/zh-cn/docs/reference/labels-annotations-taints/audit-annotations.md
@@ -1,10 +1,10 @@
 ---
 title: "审计注解"
-weight: 1
+weight: 10
 ---
 <!--
 title: "Audit Annotations"
-weight: 1
+weight: 10
 -->
 
 <!-- overview -->
@@ -136,7 +136,7 @@ See [Auditing](/docs/tasks/debug/debug-cluster/audit/) for more information.
 
 有关详细信息，请参阅[审计](/zh-cn/docs/tasks/debug/debug-cluster/audit/)。
 
-## missing-san.invalid-cert.kubernetes.io/$hostname {##missing-san-invalid-cert-kubernetes-io-hostname}
+## missing-san.invalid-cert.kubernetes.io/$hostname {#missing-san-invalid-cert-kubernetes-io-hostname}
 
 <!--
 Example: `missing-san.invalid-cert.kubernetes.io/example-svc.example-namespace.svc: "relies on a legacy Common Name field instead of the SAN extension for subject validation"`
diff --git a/content/zh-cn/docs/reference/networking/service-protocols.md b/content/zh-cn/docs/reference/networking/service-protocols.md
index 328b6fcc7b95a..47eac580442ad 100644
--- a/content/zh-cn/docs/reference/networking/service-protocols.md
+++ b/content/zh-cn/docs/reference/networking/service-protocols.md
@@ -89,13 +89,6 @@ NAT for multihomed SCTP associations requires special logic in the corresponding
 
 针对多宿主 SCTP 关联的 NAT 需要在对应的内核模块具有特殊的逻辑。
 
-{{< note >}}
-<!--
-The kube-proxy does not support the management of SCTP associations when it is in userspace mode.
--->
-当 kube-proxy 处于 userspace 模式时不支持管理 SCTP 关联。
-{{< /note >}}
-
 ### `TCP` {#protocol-tcp}
 
 <!--
diff --git a/content/zh-cn/docs/reference/scheduling/_index.md b/content/zh-cn/docs/reference/scheduling/_index.md
index 36e77902fb224..e10751f7d611e 100644
--- a/content/zh-cn/docs/reference/scheduling/_index.md
+++ b/content/zh-cn/docs/reference/scheduling/_index.md
@@ -1,11 +1,11 @@
 ---
 title: 调度
-weight: 70
+weight: 140
 toc-hide: true
 ---
 
 <!--
 title: Scheduling
-weight: 70
+weight: 140
 toc-hide: true
 -->
diff --git a/content/zh-cn/docs/reference/scheduling/policies.md b/content/zh-cn/docs/reference/scheduling/policies.md
index df131a10483df..00774c1dd1193 100644
--- a/content/zh-cn/docs/reference/scheduling/policies.md
+++ b/content/zh-cn/docs/reference/scheduling/policies.md
@@ -3,6 +3,7 @@ title: 调度策略
 content_type: concept
 sitemap:
   priority: 0.2 # Scheduling priorities are deprecated
+weight: 30
 ---
 
 <!--
@@ -10,6 +11,7 @@ title: Scheduling Policies
 content_type: concept
 sitemap:
   priority: 0.2 # Scheduling priorities are deprecated
+weight: 30
 -->
 
 <!-- overview -->
diff --git a/content/zh-cn/docs/reference/tools/_index.md b/content/zh-cn/docs/reference/tools/_index.md
index 6dab3ddb63e34..be9e32f06b7aa 100644
--- a/content/zh-cn/docs/reference/tools/_index.md
+++ b/content/zh-cn/docs/reference/tools/_index.md
@@ -1,7 +1,7 @@
 ---
 title: 其他工具
 content_type: concept
-weight: 80
+weight: 150
 no_list: true
 ---
 
@@ -10,7 +10,7 @@ title: Other Tools
 reviewers:
 - janetkuo
 content_type: concept
-weight: 80
+weight: 150
 no_list: true
 -->
 
@@ -39,7 +39,7 @@ container runtimes.
 [`Dashboard`](/docs/tasks/access-application-cluster/web-ui-dashboard/), the web-based user interface of Kubernetes, allows you to deploy containerized applications
 to a Kubernetes cluster, troubleshoot them, and manage the cluster and its resources itself.
 -->
-## 仪表盘
+## 仪表盘   {#dashboard}
 
 [`Dashboard`](/zh-cn/docs/tasks/access-application-cluster/web-ui-dashboard/)，
 基于 Web 的 Kubernetes 用户界面，
diff --git a/content/zh-cn/docs/reference/tools/map-crictl-dockercli.md b/content/zh-cn/docs/reference/tools/map-crictl-dockercli.md
index 470c30b528bdb..c8f79f8a18f7c 100644
--- a/content/zh-cn/docs/reference/tools/map-crictl-dockercli.md
+++ b/content/zh-cn/docs/reference/tools/map-crictl-dockercli.md
@@ -1,11 +1,13 @@
 ---
 title: 从 Docker 命令行映射到 crictl
 content_type: reference
+weight: 10
 ---
 
 <!--
 title: Mapping from dockercli to crictl
 content_type: reference
+weight: 10
 -->
 
 {{% thirdparty-content %}}
@@ -64,7 +66,8 @@ command output is being parsed programmatically.
 ### 获得调试信息   {#retrieve-debugging-information}
 
 {{< table caption="docker 命令行与 crictl 的映射 - 获得调试信息" >}}
-<!--docker CLI | crictl | Description | Unsupported Features
+<!--
+docker cli | crictl | Description | Unsupported Features
 -- | -- | -- | --
 `attach` | `attach` | Attach to a running container | `--detach-keys`, `--sig-proxy`
 `exec` | `exec` | Run a command in a running container | `--privileged`, `--user`, `--detach-keys`

From 90081a8b7437631c3fd8afe729d741c15e8a8e5c Mon Sep 17 00:00:00 2001
From: Kagaya <kagaya85@outlook.com>
Date: Mon, 20 Mar 2023 17:19:39 +0800
Subject: [PATCH 209/215] fix translations in
 mutating-webhook-configuration-v1.md

---
 .../extend-resources/mutating-webhook-configuration-v1.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/content/zh-cn/docs/reference/kubernetes-api/extend-resources/mutating-webhook-configuration-v1.md b/content/zh-cn/docs/reference/kubernetes-api/extend-resources/mutating-webhook-configuration-v1.md
index 016a9d18f6cd1..ce4ecee1ca3f7 100644
--- a/content/zh-cn/docs/reference/kubernetes-api/extend-resources/mutating-webhook-configuration-v1.md
+++ b/content/zh-cn/docs/reference/kubernetes-api/extend-resources/mutating-webhook-configuration-v1.md
@@ -374,9 +374,9 @@ MutatingWebhookConfiguration 描述准入 Webhook 的配置，该 Webhook 可接
   - **webhooks.rules** ([]RuleWithOperations)
 
     rules 描述了 Webhook 关心的资源/子资源上有哪些操作。Webhook 关心操作是否匹配**任何**rules。
-    但是，为了防止 ValidatingAdmissionWebhooks 和 ValidatingAdmissionWebhooks 将集群置于只能完全禁用插件才能恢复的状态，
-    ValidatingAdmissionWebhooks 和 ValidatingAdmissionWebhooks 永远不会在处理 ValidatingWebhookConfiguration
-    和 ValidatingWebhookConfiguration 对象的准入请求被调用。
+    但是，为了防止 ValidatingAdmissionWebhooks 和 MutatingAdmissionWebhooks 将集群置于只能完全禁用插件才能恢复的状态，
+    ValidatingAdmissionWebhooks 和 MutatingAdmissionWebhooks 永远不会在处理 ValidatingWebhookConfiguration
+    和 MutatingWebhookConfiguration 对象的准入请求时被调用。
 
     <a name="RuleWithOperations"></a>
     **RuleWithOperations 是操作和资源的元组。建议确保所有元组组合都是有效的。**
@@ -1148,4 +1148,4 @@ DELETE /apis/admissionregistration.k8s.io/v1/mutatingwebhookconfigurations
 
 200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
 
-401: Unauthorized
\ No newline at end of file
+401: Unauthorized

From 2d61ea506ae1df1be201d327962e9fbda48c2d52 Mon Sep 17 00:00:00 2001
From: jiecloud <jie.wan@daocloud.io>
Date: Mon, 20 Mar 2023 18:22:21 +0800
Subject: [PATCH 210/215] [zh-cn] update hugo config file

en PR:  https://github.com/kubernetes/website/issues/39632
---
 content/zh-cn/docs/contribute/style/hugo-shortcodes/index.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/zh-cn/docs/contribute/style/hugo-shortcodes/index.md b/content/zh-cn/docs/contribute/style/hugo-shortcodes/index.md
index b54b7de0e028c..531c9ea76d365 100644
--- a/content/zh-cn/docs/contribute/style/hugo-shortcodes/index.md
+++ b/content/zh-cn/docs/contribute/style/hugo-shortcodes/index.md
@@ -582,13 +582,13 @@ before the item, or just below the heading for the specific item.
 
 To generate a version string for inclusion in the documentation, you can choose from
 several version shortcodes. Each version shortcode displays a version string derived from
-the value of a version parameter found in the site configuration file, `config.toml`.
+the value of a version parameter found in the site configuration file, `hugo.toml`.
 The two most commonly used version parameters are `latest` and `version`.
 -->
 ## 版本号信息 {#version-strings}
 
 要在文档中生成版本号信息，可以从以下几种短代码中选择。每个短代码可以基于站点配置文件
-`config.toml` 中的版本参数生成一个版本号取值。最常用的参数为 `latest` 和 `version`。
+`hugo.toml` 中的版本参数生成一个版本号取值。最常用的参数为 `latest` 和 `version`。
 
 <!--
 ### `{{</* param "version" */>}}`

From 2f41caef14b87e0dcb78394217f5c15b57e2c09a Mon Sep 17 00:00:00 2001
From: SSmallMonster <mingming.zhou@daocloud.io>
Date: Mon, 20 Mar 2023 13:42:05 +0800
Subject: [PATCH 211/215] [zh-cn] sync _index.md

Signed-off-by: SSmallMonster <mingming.zhou@daocloud.io>
---
 content/zh-cn/docs/tasks/tls/_index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/zh-cn/docs/tasks/tls/_index.md b/content/zh-cn/docs/tasks/tls/_index.md
index a25b7c5cbe635..812c17cc37f93 100644
--- a/content/zh-cn/docs/tasks/tls/_index.md
+++ b/content/zh-cn/docs/tasks/tls/_index.md
@@ -1,5 +1,5 @@
 ---
 title: "TLS"
-weight: 100
+weight: 120
 description: 了解如何使用传输层安全性（ TLS ）保护集群中的流量。
 ---

From deab01297125fdd71bcff33551e6e024e8db7f57 Mon Sep 17 00:00:00 2001
From: windsonsea <haifeng.yao@daocloud.io>
Date: Thu, 16 Mar 2023 13:04:28 +0800
Subject: [PATCH 212/215] [zh] sync labels-annotations-taints/_index.md

---
 .../labels-annotations-taints/_index.md       | 303 ++++++++++++++++--
 1 file changed, 279 insertions(+), 24 deletions(-)

diff --git a/content/zh-cn/docs/reference/labels-annotations-taints/_index.md b/content/zh-cn/docs/reference/labels-annotations-taints/_index.md
index 0a0a304474a88..9208ab9817361 100644
--- a/content/zh-cn/docs/reference/labels-annotations-taints/_index.md
+++ b/content/zh-cn/docs/reference/labels-annotations-taints/_index.md
@@ -4,7 +4,6 @@ content_type: concept
 weight: 40
 no_list: true
 ---
-
 <!--
 title: Well-Known Labels, Annotations and Taints
 content_type: concept
@@ -41,9 +40,9 @@ One of the [recommended labels](/docs/concepts/overview/working-with-objects/com
 
 ### app.kubernetes.io/component {#app-kubernetes-io-component}
 
-例子: `app.kubernetes.io/component: "database"`
+例子：`app.kubernetes.io/component: "database"`
 
-用于: 所有对象（通常用于[工作负载资源](/zh-cn/docs/reference/kubernetes-api/workload-resources/)）。
+用于：所有对象（通常用于[工作负载资源](/zh-cn/docs/reference/kubernetes-api/workload-resources/)）。
 
 架构中的组件。
 
@@ -314,6 +313,62 @@ This label has been deprecated. Please use `kubernetes.io/os` instead.
 
 此标签已被弃用。请改用 `kubernetes.io/os`。
 
+<!--
+### kube-aggregator.kubernetes.io/automanaged {#kube-aggregator-kubernetesio-automanaged}
+
+Example: `kube-aggregator.kubernetes.io/automanaged: "onstart"`
+
+Used on: APIService
+
+The `kube-apiserver` sets this label on any APIService object that the API server has created automatically. The label marks how the control plane should manage that APIService. You should not add, modify, or remove this label by yourself.
+-->
+### kube-aggregator.kubernetes.io/automanaged {#kube-aggregator-kubernetesio-automanaged}
+
+例子：`kube-aggregator.kubernetes.io/automanaged: "onstart"`
+
+用于：APIService
+
+`kube-apiserver` 会在由 API 服务器自动创建的所有 APIService 对象上设置这个标签。
+该标签标记了控制平面应如何管理该 APIService。你不应自行添加、修改或删除此标签。
+
+{{< note >}}
+<!--
+Automanaged APIService objects are deleted by kube-apiserver when it has no built-in or custom resource API corresponding to the API group/version of the APIService.
+-->
+当自动托管的 APIService 对象没有内置或自定义资源 API 对应于该 APIService 的 API 组/版本时，
+它将被 kube-apiserver 删除。
+{{< /note >}}
+
+<!--
+There are two possible values:
+
+- `onstart`: The APIService should be reconciled when an API server starts up, but not otherwise.
+- `true`: The API server should reconcile this APIService continuously.
+-->
+有两个可能的值：
+
+- `onstart`：API 服务器应在启动时协调 APIService，但在其他时间不会进行协调。
+- `true`：API 服务器应持续协调此 APIService。
+
+<!--
+### service.alpha.kubernetes.io/tolerate-unready-endpoints (deprecated)
+
+Used on: StatefulSet
+
+This annotation on a Service denotes if the Endpoints controller should go ahead and create Endpoints for unready Pods.
+Endpoints of these Services retain their DNS records and continue receiving
+traffic for the Service from the moment the kubelet starts all containers in the pod
+and marks it _Running_, til the kubelet stops all containers and deletes the pod from
+the API server.
+-->
+### service.alpha.kubernetes.io/tolerate-unready-endpoints（已弃用）   {#service-alpha-kubernetes-io-tolerate-unready-endpoints-deprecated}
+
+用于：StatefulSet
+
+Service 上的这个注解表示 Endpoints 控制器是否应该继续为未准备好的 Pod 创建 Endpoints。
+这些 Service 的 Endpoints 保留其 DNS 记录，并从 kubelet 启动 Pod 中的所有容器并将其标记为
+**Running** 的那一刻起继续接收 Service 的流量，直到 kubelet 停止所有容器并从 API 服务器删除 Pod 为止。
+
 <!--
 ### kubernetes.io/hostname {#kubernetesiohostname}
 
@@ -546,13 +601,17 @@ For example, `10M` means 10 megabits per second.
 以[量纲（Quantity）](/zh-cn/docs/reference/kubernetes-api/common-definitions/quantity/)的形式给出。
 例如，`10M` 表示每秒 10 兆比特。
 
-<!-- ### beta.kubernetes.io/instance-type (deprecated) -->
+<!--
+### beta.kubernetes.io/instance-type (deprecated)
+-->
 ### beta.kubernetes.io/instance-type (已弃用) {#beta-kubernetes-io-instance-type}
 
+{{< note >}}
 <!--
 Starting in v1.17, this label is deprecated in favor of [node.kubernetes.io/instance-type](#nodekubernetesioinstance-type).
 -->
-{{< note >}} 从 v1.17 开始，此标签已弃用，取而代之的是 [node.kubernetes.io/instance-type](#nodekubernetesioinstance-type)。 {{< /note >}}
+从 v1.17 开始，此标签已弃用，取而代之的是 [node.kubernetes.io/instance-type](#nodekubernetesioinstance-type)。
+{{< /note >}}
 
 <!--
 ### node.kubernetes.io/instance-type {#nodekubernetesioinstance-type}
@@ -586,10 +645,12 @@ See [topology.kubernetes.io/region](#topologykubernetesioregion).
 
 请参阅 [topology.kubernetes.io/region](#topologykubernetesioregion)。
 
+{{< note >}}
 <!--
 Starting in v1.17, this label is deprecated in favor of [topology.kubernetes.io/region](#topologykubernetesioregion).
 -->
-{{< note >}} 从 v1.17 开始，此标签已弃用，取而代之的是 [topology.kubernetes.io/region](#topologykubernetesioregion)。 {{</note>}}
+从 v1.17 开始，此标签已弃用，取而代之的是 [topology.kubernetes.io/region](#topologykubernetesioregion)。
+{{</note>}}
 
 <!--
 ### failure-domain.beta.kubernetes.io/zone (deprecated) {#failure-domainbetakubernetesiozone}
@@ -600,10 +661,91 @@ See [topology.kubernetes.io/zone](#topologykubernetesiozone).
 
 请参阅 [topology.kubernetes.io/zone](#topologykubernetesiozone)。
 
+{{< note >}}
 <!--
 Starting in v1.17, this label is deprecated in favor of [topology.kubernetes.io/zone](#topologykubernetesiozone). 
 -->
-{{< note >}} 从 v1.17 开始，此标签已弃用，取而代之的是 [topology.kubernetes.io/zone](#topologykubernetesiozone)。 {{</note>}}
+从 v1.17 开始，此标签已弃用，取而代之的是 [topology.kubernetes.io/zone](#topologykubernetesiozone)。
+{{</note>}}
+
+### pv.kubernetes.io/bind-completed {#pv-kubernetesiobind-completed}
+
+<!--
+Example: `pv.kubernetes.io/bind-completed: "yes"`
+
+Used on: PersistentVolumeClaim
+
+When this annotation is set on a PersistentVolumeClaim (PVC), that indicates that the lifecycle
+of the PVC has passed through initial binding setup. When present, that information changes
+how the control plane interprets the state of PVC objects.
+The value of this annotation does not matter to Kubernetes.
+-->
+例子：`pv.kubernetes.io/bind-completed: "yes"`
+
+用于：PersistentVolumeClaim
+
+当在 PersistentVolumeClaim (PVC) 上设置此注解时，表示 PVC 的生命周期已通过初始绑定设置。
+当存在此注解时，该信息会改变控制平面解释 PVC 对象状态的方式。此注解的值对 Kubernetes 无关紧要。
+
+### pv.kubernetes.io/bound-by-controller {#pv-kubernetesioboundby-controller}
+
+<!--
+Example: `pv.kubernetes.io/bound-by-controller: "yes"`
+
+Used on: PersistentVolume, PersistentVolumeClaim
+
+If this annotation is set on a PersistentVolume or PersistentVolumeClaim, it indicates that a storage binding
+(PersistentVolume → PersistentVolumeClaim, or PersistentVolumeClaim → PersistentVolume) was installed
+by the {{< glossary_tooltip text="controller" term_id="controller" >}}.
+If the annotation isn't set, and there is a storage binding in place, the absence of that annotation means that
+the binding was done manually. The value of this annotation does not matter.
+-->
+例子：`pv.kubernetes.io/bound-by-controller: "yes"`
+
+用于：PersistentVolume、PersistentVolumeClaim
+
+如果此注解设置在 PersistentVolume 或 PersistentVolumeClaim 上，则表示存储绑定
+（PersistentVolume → PersistentVolumeClaim，或 PersistentVolumeClaim → PersistentVolume）
+已由{{< glossary_tooltip text="控制器" term_id="controller" >}}配置完毕。
+如果未设置此注解，且存在存储绑定，则缺少该注解意味着绑定是手动完成的。此注解的值无关紧要。
+
+### pv.kubernetes.io/provisioned-by {#pv-kubernetesiodynamically-provisioned}
+
+<!--
+Example: `pv.kubernetes.io/provisioned-by: "kubernetes.io/rbd"`
+
+Used on: PersistentVolume
+
+This annotation is added to a PersistentVolume(PV) that has been dynamically provisioned by Kubernetes.
+Its value is the name of volume plugin that created the volume. It serves both user (to show where a PV
+comes from) and Kubernetes (to recognize dynamically provisioned PVs in its decisions).
+-->
+例子：`pv.kubernetes.io/provisioned-by: "kubernetes.io/rbd"`
+
+用于：PersistentVolume
+
+此注解被添加到已由 Kubernetes 动态制备的 PersistentVolume (PV)。
+它的值是创建卷的卷插件的名称。它同时服务于用户（显示 PV 的来源）和 Kubernetes（识别其决策中动态制备的 PV）。
+
+### pv.kubernetes.io/migrated-to {#pv-kubernetesio-migratedto}
+
+<!--
+Example: `pv.kubernetes.io/migrated-to: pd.csi.storage.gke.io`
+
+Used on: PersistentVolume, PersistentVolumeClaim
+
+It is added to a PersistentVolume(PV) and PersistentVolumeClaim(PVC) that is supposed to be
+dynamically provisioned/deleted by its corresponding CSI driver through the `CSIMigration` feature gate.
+When this annotation is set, the Kubernetes components will "stand-down" and the `external-provisioner`
+will act on the objects.
+-->
+例子：`pv.kubernetes.io/migrated-to: pd.csi.storage.gke.io`
+
+用于：PersistentVolume、PersistentVolumeClaim
+
+它被添加到 PersistentVolume (PV) 和 PersistentVolumeClaim (PVC)，应该由其相应的 CSI
+驱动程序通过 `CSIMigration` 特性门控动态制备/删除。设置此注解后，Kubernetes 组件将“停止”，
+而 `external-provisioner` 将作用于对象。
 
 <!--
 ### statefulset.kubernetes.io/pod-name {#statefulsetkubernetesiopod-name}
@@ -671,11 +813,6 @@ Used on: Node, PersistentVolume
 On Node: The `kubelet` or the external `cloud-controller-manager` populates this with the information as provided by the `cloudprovider`.  This will be set only if you are using a `cloudprovider`. However, you should consider setting this on nodes if it makes sense in your topology.
 
 On PersistentVolume: topology-aware volume provisioners will automatically set node affinity constraints on `PersistentVolumes`.
-
-A zone represents a logical failure domain.  It is common for Kubernetes clusters to span multiple zones for increased availability.  While the exact definition of a zone is left to infrastructure implementations, common properties of a zone include very low network latency within a zone, no-cost network traffic within a zone, and failure independence from other zones.  For example, nodes within a zone might share a network switch, but nodes in different zones should not.
-
-A region represents a larger domain, made up of one or more zones.  It is uncommon for Kubernetes clusters to span multiple regions,  While the exact definition of a zone or region is left to infrastructure implementations, common properties of a region include higher network latency between them than within them, non-zero cost for network traffic between them, and failure independence from other zones or regions.  For example, nodes within a region might share power infrastructure (e.g. a UPS or generator), but nodes in different regions typically would not.
-
 -->
 ### topology.kubernetes.io/zone {#topologykubernetesiozone}
 
@@ -689,6 +826,11 @@ A region represents a larger domain, made up of one or more zones.  It is uncomm
 
 在 PersistentVolume 上：拓扑感知卷配置器将自动在 `PersistentVolume` 上设置 Node 亲和性约束。
 
+<!--
+A zone represents a logical failure domain.  It is common for Kubernetes clusters to span multiple zones for increased availability.  While the exact definition of a zone is left to infrastructure implementations, common properties of a zone include very low network latency within a zone, no-cost network traffic within a zone, and failure independence from other zones.  For example, nodes within a zone might share a network switch, but nodes in different zones should not.
+
+A region represents a larger domain, made up of one or more zones.  It is uncommon for Kubernetes clusters to span multiple regions,  While the exact definition of a zone or region is left to infrastructure implementations, common properties of a region include higher network latency between them than within them, non-zero cost for network traffic between them, and failure independence from other zones or regions.  For example, nodes within a region might share power infrastructure (e.g. a UPS or generator), but nodes in different regions typically would not.
+-->
 一个 Zone 代表一个逻辑故障域。Kubernetes 集群通常跨越多个 Zone 以提高可用性。虽然 Zone 的确切定义留给基础设施实现，
 但 Zone 的常见属性包括 Zone 内非常低的网络延迟、Zone 内的免费网络流量以及与其他 Zone 的故障独立性。
 例如，一个 Zone 内的 Node 可能共享一个网络交换机，但不同 Zone 中的 Node 无法共享交换机。
@@ -708,7 +850,8 @@ Kubernetes 对 Zone 和 Region 的结构做了一些假设：
 
 1. Zone 和 Region 是分层的：Zone 是 Region 的严格子集，没有 Zone 可以在两个 Region 中；
 
-2. Zone 名称跨 Region 是唯一的；例如，Region “africa-east-1” 可能由 Zone “africa-east-1a” 和 “africa-east-1b” 组成。
+2. Zone 名称跨 Region 是唯一的；例如，Region “africa-east-1” 可能由 Zone “africa-east-1a”
+   和 “africa-east-1b” 组成。
 
 <!--
 It should be safe to assume that topology labels do not change.  Even though labels are strictly mutable, consumers of them can assume that a given node is not going to be moved between zones without being destroyed and recreated.
@@ -763,6 +906,33 @@ This annotation has been deprecated.
 
 此注解已被弃用。
 
+<!--
+### volume.beta.kubernetes.io/storage-class (deprecated)
+
+Example: `volume.beta.kubernetes.io/storage-class: "example-class"`
+
+Used on: PersistentVolume, PersistentVolumeClaim
+-->
+### volume.beta.kubernetes.io/storage-class（已弃用）   {#volume-beta-storage-class}
+
+例子：`volume.beta.kubernetes.io/storage-class: "example-class"`
+
+用于：PersistentVolume、PersistentVolumeClaim
+
+<!--
+This annotation can be used for PersistentVolume(PV) or PersistentVolumeClaim(PVC) to specify the name of [StorageClass](/docs/concepts/storage/storage-classes/). When both `storageClassName` attribute and `volume.beta.kubernetes.io/storage-class` annotation are specified, the annotation `volume.beta.kubernetes.io/storage-class` takes precedence over the `storageClassName` attribute.
+
+This annotation has been deprecated. Instead, set the [`storageClassName` field](/docs/concepts/storage/persistent-volumes/#class)
+for the PersistentVolumeClaim or PersistentVolume.
+-->
+此注解可以为 PersistentVolume (PV) 或 PersistentVolumeClaim (PVC) 指定
+[StorageClass](/zh-cn/docs/concepts/storage/storage-classes/)。
+当 `storageClassName` 属性和 `volume.beta.kubernetes.io/storage-class` 注解均被指定时，
+注解 `volume.beta.kubernetes.io/storage-class` 将优先于 `storageClassName` 属性。
+
+此注解已被弃用。作为替代方案，你应该为 PersistentVolumeClaim 或 PersistentVolume 设置
+[`storageClassName` 字段](/zh-cn/docs/concepts/storage/persistent-volumes/#class)。
+
 <!--
 ### volume.beta.kubernetes.io/mount-options (deprecated) {#mount-options}
 
@@ -798,6 +968,44 @@ This annotation will be added to dynamic provisioning required PVC.
 
 此注解将被添加到根据需要动态制备的 PVC 上。
 
+<!--
+### volume.kubernetes.io/selected-node
+
+Used on: PersistentVolumeClaim
+
+This annotation is added to a PVC that is triggered by a scheduler to be dynamically provisioned. Its value is the name of the selected node.
+-->
+### volume.kubernetes.io/selected-node   {#selected-node}
+
+用于：PersistentVolumeClaim
+
+此注解被添加到调度程序所触发的 PVC 上，对应的 PVC 需要被动态制备。注解值是选定节点的名称。
+
+<!--
+### volumes.kubernetes.io/controller-managed-attach-detach
+
+Used on: Node
+
+If a node has set the annotation `volumes.kubernetes.io/controller-managed-attach-detach`
+on itself, then its storage attach and detach operations are being managed
+by the _volume attach/detach_
+{{< glossary_tooltip text="controller" term_id="controller" >}} running within the
+{{< glossary_tooltip term_id="kube-controller-manager" text="kube-controller-manager" >}}.
+
+The value of the annotation isn't important; if this annotation exists on a node,
+then storage attaches and detaches are controller managed.
+-->
+### volumes.kubernetes.io/controller-managed-attach-detach   {#controller-managed-attach-detach}
+
+用于：Node
+
+如果节点已在其自身上设置了注解 `volumes.kubernetes.io/controller-managed-attach-detach`，
+那么它的存储挂接和解除挂接的操作是交由运行在
+{{< glossary_tooltip term_id="kube-controller-manager" text="kube-controller-manager" >}}
+中的**卷挂接/解除挂接**{{< glossary_tooltip text="控制器" term_id="controller" >}}来管理的。
+
+注解的值并不重要；如果节点上存在该注解，则由控制器管理存储挂接和解除挂接的操作。
+
 <!--
 ### node.kubernetes.io/windows-build {#nodekubernetesiowindows-build}
 
@@ -998,11 +1206,11 @@ The annotation is used to run Windows containers with Hyper-V isolation. To use
 注解用于运行具有 Hyper-V 隔离的 Windows 容器。要使用 Hyper-V 隔离功能并创建 Hyper-V
 隔离容器，kubelet 启动时应该需要设置特性门控 HyperVContainer=true。
 
+{{< note >}}
 <!--
 You can only set this annotation on Pods that have a single container.
 Starting from v1.20, this annotation is deprecated. Experimental Hyper-V support was removed in 1.21.
 -->
-{{< note >}}
 你只能在具有单个容器的 Pod 上设置此注解。
 从 v1.20 开始，此注解已弃用。1.21 中删除了实验性 Hyper-V 支持。
 {{</note>}}
@@ -1027,12 +1235,13 @@ When a single IngressClass resource has this annotation set to `"true"`, new Ing
 
 <!--
 ### kubernetes.io/ingress.class (deprecated)
-
-Starting in v1.18, this annotation is deprecated in favor of `spec.ingressClassName`.
 -->
 ### kubernetes.io/ingress.class (已弃用) {#kubernetes-io-ingress-class}
 
 {{< note >}}
+<!--
+Starting in v1.18, this annotation is deprecated in favor of `spec.ingressClassName`.
+-->
 从 v1.18 开始，不推荐使用此注解以鼓励使用 `spec.ingressClassName`。
 {{</note>}}
 
@@ -1111,6 +1320,30 @@ The value of the annotation is the container name that is default for this Pod.
 此注解的值是此 Pod 的默认容器名称。例如，未指定 `-c` 或 `--container` 标志时执行
 `kubectl logs` 或 `kubectl exec` 命令将使用此默认容器。
 
+<!--
+### kubectl.kubernetes.io/default-logs-container (deprecated)
+
+Example: `kubectl.kubernetes.io/default-logs-container: "front-end-app"`
+
+The value of the annotation is the container name that is the default logging container for this Pod. For example, `kubectl logs` without `-c` or `--container` flag will use this default container.
+-->
+### kubectl.kubernetes.io/default-logs-container（已弃用）   {#default-logs-container}
+
+例子：`kubectl.kubernetes.io/default-logs-container: "front-end-app"`
+
+此注解的值是针对此 Pod 的默认日志记录容器的名称。例如，不带 `-c` 或 `--container`
+标志的 `kubectl logs` 将使用此默认容器。
+
+{{< note >}}
+<!--
+This annotation is deprecated. You should use the [`kubectl.kubernetes.io/default-container`](#kubectl-kubernetes-io-default-container) annotation instead.
+Kubernetes versions 1.25 and newer ignore this annotation.
+-->
+此注解已被弃用。取而代之的是使用
+[`kubectl.kubernetes.io/default-container`](#kubectl-kubernetes-io-default-container) 注解。
+Kubernetes v1.25 及更高版本将忽略此注解。
+{{< /note >}}
+
 <!--
 ### endpoints.kubernetes.io/over-capacity
 
@@ -1198,7 +1431,7 @@ Use [Taints and Tolerations](/docs/concepts/scheduling-eviction/taint-and-tolera
 
 **The taints listed below are always used on Nodes**
 -->
-### scheduler.alpha.kubernetes.io/preferAvoidPods (deprecated) {#scheduleralphakubernetesio-preferavoidpods}
+### scheduler.alpha.kubernetes.io/preferAvoidPods（已弃用） {#scheduleralphakubernetesio-preferavoidpods}
 
 用于：Node
 
@@ -1523,6 +1756,30 @@ for more information.
 
 请参阅[在名字空间级别实施 Pod 安全性](/zh-cn/docs/concepts/security/pod-security-admission)了解更多信息。
 
+### rbac.authorization.kubernetes.io/autoupdate
+
+<!--
+Example: `rbac.authorization.kubernetes.io/autoupdate: "false"`
+
+Used on: ClusterRole, ClusterRoleBinding, Role, RoleBinding
+-->
+例子：`rbac.authorization.kubernetes.io/autoupdate: "false"`
+
+用于：ClusterRole、ClusterRoleBinding、Role、RoleBinding
+
+<!--
+When this annotation is set to `"true"` on default RBAC objects created by the kube-apiserver, they are automatically updated at server start to add missing permissions and subjects (extra permissions and subjects are left in place). To prevent autoupdating a particular role or rolebinding, set this annotation to `"false"`.
+If you create your own RBAC objects and set this annotation to `"false"`, `kubectl auth reconcile`
+(which allows reconciling arbitrary RBAC objects in a {{< glossary_tooltip text="manifest" term_id="manifest" >}}) respects this annotation and does not automatically add missing permissions and
+subjects.
+-->
+当在 kube-apiserver 创建的默认 RBAC 对象上将此注解设置为 `"true"` 时，
+这些对象会在服务器启动时自动更新以添加缺少的权限和主体（额外的权限和主体留在原处）。
+要防止自动更新特定的 Role 或 RoleBinding，请将此注解设置为 `"false"`。
+如果你创建自己的 RBAC 对象并将此注解设置为 `"false"`，则 `kubectl auth reconcile`
+（允许协调在{{< glossary_tooltip text="清单" term_id="manifest" >}}中给出的任意 RBAC 对象）
+尊重此注解并且不会自动添加缺少的权限和主体。
+
 <!--
 ### kubernetes.io/psp (deprecated) {#kubernetes-io-psp}
 
@@ -1537,7 +1794,6 @@ When the PodSecurityPolicy admission controller admitted a Pod, the admission co
 modified the Pod to have this annotation.
 The value of the annotation was the name of the PodSecurityPolicy that was used for validation.
 -->
-
 ### kubernetes.io/psp（已弃用） {#kubernetes-io-psp}
 
 例如：`kubernetes.io/psp: restricted`
@@ -1588,13 +1844,13 @@ based on setting `securityContext` within the Pod's `.spec`.
 seccomp 配置文件应用于 Pod 或其容器的步骤。
 该教程介绍了在 Kubernetes 中配置 seccomp 的支持机制，基于在 Pod 的 `.spec` 中设置 `securityContext`。
 
-### snapshot.storage.kubernetes.io/allowVolumeModeChange {#allow-volume-mode-change}
+### snapshot.storage.kubernetes.io/allow-volume-mode-change {#allow-volume-mode-change}
 <!--
-Example: `snapshot.storage.kubernetes.io/allowVolumeModeChange: "true"`
+Example: `snapshot.storage.kubernetes.io/allow-volume-mode-change: "true"`
 
 Used on: VolumeSnapshotContent
 -->
-例子：`snapshot.storage.kubernetes.io/allowVolumeModeChange: "true"`
+例子：`snapshot.storage.kubernetes.io/allow-volume-mode-change: "true"`
 
 用于：VolumeSnapshotContent
 
@@ -1607,8 +1863,8 @@ created from a VolumeSnapshot.
 Refer to [Converting the volume mode of a Snapshot](/docs/concepts/storage/volume-snapshots/#convert-volume-mode)
 and the [Kubernetes CSI Developer Documentation](https://kubernetes-csi.github.io/docs/) for more information.
 -->
-值可以是 `true` 或者 `false`。
-这决定了当从 VolumeSnapshot 创建 {{< glossary_tooltip text="PersistentVolumeClaim" term_id="persistent-volume-claim" >}}
+值可以是 `true` 或者 `false`。取值决定了当从 VolumeSnapshot 创建
+{{< glossary_tooltip text="PersistentVolumeClaim" term_id="persistent-volume-claim" >}}
 时，用户是否可以修改源卷的模式。
 
 更多信息请参阅[转换快照的卷模式](/zh-cn/docs/concepts/storage/volume-snapshots/#convert-volume-mode)和
@@ -1787,4 +2043,3 @@ no longer sets or uses this deprecated taint.
 kubeadm 先前应用在控制平面节点上的污点，仅允许在其上调度关键工作负载。
 替换为 [`node-role.kubernetes.io/control-plane`](#node-role-kubernetes-io-control-plane-taint)；
 kubeadm 不再设置或使用这个废弃的污点。
-

From 3ee9fb846732aa261a9cedf5f5a627d68b532401 Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Mon, 20 Mar 2023 18:55:51 +0800
Subject: [PATCH 213/215] Reference files to sync task 3

---
 .../common-parameters/common-parameters.md    |  2 +-
 .../policy-resources/network-policy-v1.md     | 24 +++++++++----------
 .../service-resources/endpoint-slice-v1.md    |  6 ++---
 .../service-resources/service-v1.md           | 22 +++++++++--------
 4 files changed, 27 insertions(+), 27 deletions(-)

diff --git a/content/zh-cn/docs/reference/kubernetes-api/common-parameters/common-parameters.md b/content/zh-cn/docs/reference/kubernetes-api/common-parameters/common-parameters.md
index 921d7d9d3739a..eb7942fbb6b17 100644
--- a/content/zh-cn/docs/reference/kubernetes-api/common-parameters/common-parameters.md
+++ b/content/zh-cn/docs/reference/kubernetes-api/common-parameters/common-parameters.md
@@ -6,7 +6,7 @@ api_metadata:
 content_type: "api_reference"
 description: ""
 title: "常用参数"
-weight: 10
+weight: 11
 auto_generated: true
 ---
 
diff --git a/content/zh-cn/docs/reference/kubernetes-api/policy-resources/network-policy-v1.md b/content/zh-cn/docs/reference/kubernetes-api/policy-resources/network-policy-v1.md
index f3fb3768efec1..77c311f5033cc 100644
--- a/content/zh-cn/docs/reference/kubernetes-api/policy-resources/network-policy-v1.md
+++ b/content/zh-cn/docs/reference/kubernetes-api/policy-resources/network-policy-v1.md
@@ -136,7 +136,7 @@ NetworkPolicySpec 定义特定 NetworkPolicy 所需的所有信息.
       IPBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.
 
       <a name="IPBlock"></a>
-      *IPBlock describes a particular CIDR (Ex. "192.168.1.1/24","2001:db9::/64") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.*
+      *IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.*
     -->  
 
     - **ingress.from.ipBlock** (IPBlock)
@@ -144,28 +144,28 @@ NetworkPolicySpec 定义特定 NetworkPolicy 所需的所有信息.
       IPBlock 针对特定的 IP CIDR 范围设置策略。如果设置了此字段，则不可以设置其他字段。
 
       <a name="IPBlock"></a>
-      IPBlock 定义一个特定的 CIDR 范围（例如 `192.168.1.1/24`、`2001:db9::/64`），
+      IPBlock 定义一个特定的 CIDR 范围（例如 `192.168.1.0/24`、`2001:db8::/64`），
       来自这个 IP 范围的流量来源将会被允许访问与 NetworkPolicySpec 的 podSelector 匹配的 Pod 集合。
       except 字段则设置应排除在此规则之外的 CIDR 范围。
 
       <!--
       - **ingress.from.ipBlock.cidr** (string), required
 
-        CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64"
+        CIDR is a string representing the IP Block Valid examples are "192.168.1.0/24" or "2001:db8::/64"
 
       - **ingress.from.ipBlock.except** ([]string)
 
-        Except is a slice of CIDRs that should not be included within an IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64" Except values will be rejected if they are outside the CIDR range
+        Except is a slice of CIDRs that should not be included within an IP Block Valid examples are "192.168.1.0/24" or "2001:db8::/64" Except values will be rejected if they are outside the CIDR range
       -->
       
       - **ingress.from.ipBlock.cidr** (string)，必需
 
-        CIDR 是指定 IP 组块的字符串，例如 `"192.168.1.1/24"` 或 `"2001:db9::/64"`。
+        CIDR 是指定 IP 组块的字符串，例如 `"192.168.1.0/24"` 或 `"2001:db8::/64"`。
 
       - **ingress.from.ipBlock.except** ([]string)
 
         except 是一个由 CIDR 范围组成的列表，其中指定的 CIDR 都应排除在此 IP 区块范围之外。
-        例如 `"192.168.1.1/24"` 或 `"2001:db9::/64"`。
+        例如 `"192.168.1.0/24"` 或 `"2001:db8::/64"`。
         如果 except 字段的值超出 ipBlock.cidr 的范围则被视为无效策略。
 
     <!--
@@ -302,7 +302,7 @@ NetworkPolicySpec 定义特定 NetworkPolicy 所需的所有信息.
       IPBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.
 
       <a name="IPBlock"></a>
-      *IPBlock describes a particular CIDR (Ex. "192.168.1.1/24","2001:db9::/64") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.*
+      *IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.*
     -->
 
     - **egress.to.ipBlock** (IPBlock)
@@ -310,27 +310,27 @@ NetworkPolicySpec 定义特定 NetworkPolicy 所需的所有信息.
       ipBlock 针对特定的 IP 区块定义策略。如果设置了此字段，则其他不可以设置其他字段。
 
       <a name="IPBlock"></a>
-      **IPBlock 描述一个特定的 CIDR 范围（例如 `192.168.1.1/24`、`2001:db9::/64`），
+      **IPBlock 描述一个特定的 CIDR 范围（例如 `192.168.1.0/24`、`2001:db8::/64`），
       与 NetworkPolicySpec 的 podSelector 匹配的 Pod 将被允许连接到这个 IP 范围，作为其出口流量目的地。
       except 字段则设置了不被此规则影响的 CIDR 范围。**
 
       <!--
       - **egress.to.ipBlock.cidr** (string), required
 
-        CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64"
+        CIDR is a string representing the IP Block Valid examples are "192.168.1.0/24" or "2001:db8::/64"
 
       - **egress.to.ipBlock.except** ([]string)
 
-        Except is a slice of CIDRs that should not be included within an IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64" Except values will be rejected if they are outside the CIDR range
+        Except is a slice of CIDRs that should not be included within an IP Block Valid examples are "192.168.1.0/24" or "2001:db8::/64" Except values will be rejected if they are outside the CIDR range
       -->
 
       - **egress.to.ipBlock.cidr** (string)，必需
 
-        CIDR 是用来表达 IP 组块的字符串，例如 `"192.168.1.1/24"` 或 `"2001:db9::/64"`。
+        CIDR 是用来表达 IP 组块的字符串，例如 `"192.168.1.0/24"` 或 `"2001:db8::/64"`。
 
       - **egress.to.ipBlock.except** ([]string)
 
-        except 定义不应包含在 ipBlock 内的 CIDR 范围列表。例如 `"192.168.1.1/24"` 或 `"2001:db9::/64"`。
+        except 定义不应包含在 ipBlock 内的 CIDR 范围列表。例如 `"192.168.1.0/24"` 或 `"2001:db8::/64"`。
         如果 except 的值超出 ipBlock.cidr 的范围则被拒绝。
 
     <!--
diff --git a/content/zh-cn/docs/reference/kubernetes-api/service-resources/endpoint-slice-v1.md b/content/zh-cn/docs/reference/kubernetes-api/service-resources/endpoint-slice-v1.md
index d72b905dc03a0..b22921d42d390 100644
--- a/content/zh-cn/docs/reference/kubernetes-api/service-resources/endpoint-slice-v1.md
+++ b/content/zh-cn/docs/reference/kubernetes-api/service-resources/endpoint-slice-v1.md
@@ -119,24 +119,22 @@ EndpointSlice 是实现某 Service 的端点的子集。一个 Service 可以有
     - **endpoints.conditions.serving** (boolean)
       
       <!--
-      Serving is identical to ready except that it is set regardless of the terminating state of endpoints. This condition should be set to true for a ready endpoint that is terminating. If nil, consumers should defer to the ready condition. This field can be enabled with the EndpointSliceTerminatingCondition feature gate.
+      Serving is identical to ready except that it is set regardless of the terminating state of endpoints. This condition should be set to true for a ready endpoint that is terminating. If nil, consumers should defer to the ready condition.
       -->
       
       serving 和 ready 非常相似。唯一的不同在于,
       即便某端点的状态为 Terminating 也可以设置 serving。
       对于处在终止过程中的就绪端点，此状况应被设置为 “true”。
       如果设置为 nil，则消费者应该以 ready 值为准。
-      可以在 EndpointSliceTerminatingCondition 特性开关中启用此字段。
 
     - **endpoints.conditions.terminating** (boolean)
       
       <!--
-      terminating indicates that this endpoint is terminating. A nil value indicates an unknown state. Consumers should interpret this unknown state to mean that the endpoint is not terminating. This field can be enabled with the EndpointSliceTerminatingCondition feature gate.
+      terminating indicates that this endpoint is terminating. A nil value indicates an unknown state. Consumers should interpret this unknown state to mean that the endpoint is not terminating.
       -->
       
       terminating 说明当前端点正在终止过程中。nil 值表示状态未知。
       消费者应将这种未知状态视为端点并不处于终止过程中。
-      可以通过 EndpointSliceTerminatingCondition 特性门控启用此字段。
 
   - **endpoints.deprecatedTopology** (map[string]string)
     
diff --git a/content/zh-cn/docs/reference/kubernetes-api/service-resources/service-v1.md b/content/zh-cn/docs/reference/kubernetes-api/service-resources/service-v1.md
index c1a068698c227..cb153038d765f 100644
--- a/content/zh-cn/docs/reference/kubernetes-api/service-resources/service-v1.md
+++ b/content/zh-cn/docs/reference/kubernetes-api/service-resources/service-v1.md
@@ -363,26 +363,27 @@ ServiceSpec 描述用户在服务上创建的属性。
 - **externalTrafficPolicy** (string)
 
   <!-- 
-  externalTrafficPolicy denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints. "Local" preserves the client source IP and avoids a second hop for LoadBalancer and Nodeport type services, but risks potentially imbalanced traffic spreading. "Cluster" obscures the client source IP and may cause a second hop to another node, but should have good overall load-spreading. 
+  externalTrafficPolicy describes how nodes distribute service traffic they receive on one of the Service's "externally-facing" addresses (NodePorts, ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure the service in a way that assumes that external load balancers will take care of balancing the service traffic between nodes, and so each node will deliver traffic only to the node-local endpoints of the service, without masquerading the client source IP. (Traffic mistakenly sent to a node with no endpoints will be dropped.) The default value, "Cluster", uses the standard behavior of routing to all endpoints evenly (possibly modified by topology and other features). Note that traffic sent to an External IP or LoadBalancer IP from within the cluster will always get "Cluster" semantics, but clients sending to a NodePort from within the cluster may need to take traffic policy into account when picking a node.
   -->
-  externalTrafficPolicy 表示此 Service 是否希望将外部流量路由到节点本地或集群范围的 Endpoint。
-  字段值 “Local” 保留客户端 IP 并可避免 LoadBalancer 和 Nodeport 类型 Service 的第二跳，但存在潜在流量传播不平衡的风险。
-  字段值 “Cluster” 则会掩盖客户端源 IP，可能会导致第二次跳转到另一个节点，但整体流量负载分布较好。
+  externalTrafficPolicy 描述了节点如何分发它们在 Service 的“外部访问”地址（NodePort、ExternalIP 和 LoadBalancer IP）接收到的服务流量。
+  如果设置为“Local”，代理将以一种假设外部负载均衡器将负责在节点之间服务流量负载均衡，因此每个节点将仅向服务的节点本地端点传递流量，而不会伪装客户端源 IP。
+ （将丢弃错误发送到没有端点的节点的流量。）
+  “Cluster”默认值使用负载均衡路由到所有端点的策略（可能会根据拓扑和其他特性进行修改）。
+  请注意，从集群内部发送到 External IP 或 LoadBalancer IP 的流量始终具有“Cluster”语义，但是从集群内部发送到 NodePort 的客户端需要在选择节点时考虑流量路由策略。
 
 - **internalTrafficPolicy** (string)
 
   <!-- 
-  InternalTrafficPolicy specifies if the cluster internal traffic should be routed to all endpoints or node-local endpoints only. "Cluster" routes internal traffic to a Service to all endpoints. "Local" routes traffic to node-local endpoints only, traffic is dropped if no node-local endpoints are ready. The default value is "Cluster". 
+  InternalTrafficPolicy describes how nodes distribute service traffic they receive on the ClusterIP. If set to "Local", the proxy will assume that pods only want to talk to endpoints of the service on the same node as the pod, dropping the traffic if there are no local endpoints. The default value, "Cluster", uses the standard behavior of routing to all endpoints evenly (possibly modified by topology and other features).
   -->
-  internalTrafficPolicy 指定是将集群内部流量路由到所有端点还是仅路由到节点本地的端点。
-  字段值 “Cluster” 将 Service 的内部流量路由到所有端点。
-  字段值 ”Local” 意味着仅将流量路由到节点本地的端点；如果节点本地端点未准备好，则丢弃流量。
-  默认值为 “Cluster”。
+  InternalTrafficPolicy描述节点如何分发它们在ClusterIP上接收到的服务流量。
+  如果设置为"Local"，代理将假定pod只想与在同一节点上的服务端点通信，如果没有本地端点，它将丢弃流量。
+  "Cluster"默认将流量路由到所有端点（可能会根据拓扑和其他特性进行修改）。
 
 - **healthCheckNodePort** (int32)
 
   <!-- 
-  healthCheckNodePort specifies the healthcheck nodePort for the service. This only applies when type is set to LoadBalancer and externalTrafficPolicy is set to Local. If a value is specified, is in-range, and is not in use, it will be used.  If not specified, a value will be automatically allocated.  External systems (e.g. load-balancers) can use this port to determine if a given node holds endpoints for this service or not.  If this field is specified when creating a Service which does not need it, creation will fail. This field will be wiped when updating a Service to no longer need it (e.g. changing type). 
+  healthCheckNodePort specifies the healthcheck nodePort for the service. This only applies when type is set to LoadBalancer and externalTrafficPolicy is set to Local. If a value is specified, is in-range, and is not in use, it will be used.  If not specified, a value will be automatically allocated.  External systems (e.g. load-balancers) can use this port to determine if a given node holds endpoints for this service or not.  If this field is specified when creating a Service which does not need it, creation will fail. This field will be wiped when updating a Service to no longer need it (e.g. changing type). This field cannot be updated once set.
   -->
   healthCheckNodePort 指定 Service 的健康检查节点端口。
   仅适用于 type 为 LoadBalancer 且 externalTrafficPolicy 设置为 Local 的情况。
@@ -390,6 +391,7 @@ ServiceSpec 描述用户在服务上创建的属性。
   如果未设置此字段，则自动分配字段值。外部系统（例如负载平衡器）可以使用此端口来确定给定节点是否拥有此服务的端点。
   在创建不需要 healthCheckNodePort 的 Service 时指定了此字段，则 Service 创建会失败。
   要移除 healthCheckNodePort，需要更改 Service 的 type。
+  该字段一旦设置就无法更改。
 
 - **publishNotReadyAddresses** (boolean)
 

From 72d97d88042437dffd91607ae4097b387faee896 Mon Sep 17 00:00:00 2001
From: Arhell <arhell333@gmail.com>
Date: Tue, 21 Mar 2023 01:02:24 +0200
Subject: [PATCH 214/215] [zh] update hugo config file

---
 content/zh-cn/docs/contribute/localization.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/content/zh-cn/docs/contribute/localization.md b/content/zh-cn/docs/contribute/localization.md
index c29f6fc87a027..bb0efbad685dc 100644
--- a/content/zh-cn/docs/contribute/localization.md
+++ b/content/zh-cn/docs/contribute/localization.md
@@ -298,19 +298,19 @@ For an example of adding a label, see the PR for adding the
 
 The Kubernetes website uses Hugo as its web framework. The website's Hugo
 configuration resides in the
-[`config.toml`](https://github.com/kubernetes/website/tree/main/config.toml)
-file. You'll need to modify `config.toml` to support a new localization.
+[`hugo.toml`](https://github.com/kubernetes/website/tree/main/hugo.toml)
+file. You'll need to modify `hugo.toml` to support a new localization.
 
-Add a configuration block for the new language to `config.toml` under the
+Add a configuration block for the new language to `hugo.toml` under the
 existing `[languages]` block. The German block, for example, looks like:
 -->
 ### 修改站点配置 {#configure-the-workflow}
 
 Kubernetes 网站使用 Hugo 作为其 Web 框架。网站的 Hugo 配置位于
-[`config.toml`](https://github.com/kubernetes/website/tree/main/config.toml)文件中。
-为了支持新的本地化，你需要修改 `config.toml`。
+[`hugo.toml`](https://github.com/kubernetes/website/tree/main/hugo.toml)文件中。
+为了支持新的本地化，你需要修改 `hugo.toml`。
 
-在现有的 `[languages]` 下，将新语言的配置添加到 `config.toml` 中。
+在现有的 `[languages]` 下，将新语言的配置添加到 `hugo.toml` 中。
 例如，下面是德语的配置示例：
 
 ```toml

From ad7f0f43bbeecb951a88165ba9906276fc2a1f60 Mon Sep 17 00:00:00 2001
From: SSmallMonster <mingming.zhou@daocloud.io>
Date: Mon, 20 Mar 2023 20:04:32 +0800
Subject: [PATCH 215/215] [zh-cn] sync _index.md

Signed-off-by: SSmallMonster <mingming.zhou@daocloud.io>
---
 content/zh-cn/docs/tasks/configmap-secret/_index.md      | 9 +++++++--
 .../managing-secret-using-config-file.md                 | 1 -
 content/zh-cn/docs/tasks/debug/_index.md                 | 4 ++--
 .../zh-cn/docs/tasks/inject-data-application/_index.md   | 7 ++++++-
 content/zh-cn/docs/tasks/job/_index.md                   | 7 ++++++-
 5 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/content/zh-cn/docs/tasks/configmap-secret/_index.md b/content/zh-cn/docs/tasks/configmap-secret/_index.md
index 3761ba96558a6..605591b916491 100644
--- a/content/zh-cn/docs/tasks/configmap-secret/_index.md
+++ b/content/zh-cn/docs/tasks/configmap-secret/_index.md
@@ -1,5 +1,10 @@
 ---
 title: "管理 Secrets"
-weight: 28
+weight: 60
 description: 使用 Secrets 管理机密配置数据。
----
\ No newline at end of file
+---
+<!--
+title: "Managing Secret"
+weight: 60
+description: Managing confidential settings data using Secrets.
+-->
\ No newline at end of file
diff --git a/content/zh-cn/docs/tasks/configmap-secret/managing-secret-using-config-file.md b/content/zh-cn/docs/tasks/configmap-secret/managing-secret-using-config-file.md
index 055f9ddb7b1c0..cab48e2fa0607 100644
--- a/content/zh-cn/docs/tasks/configmap-secret/managing-secret-using-config-file.md
+++ b/content/zh-cn/docs/tasks/configmap-secret/managing-secret-using-config-file.md
@@ -363,4 +363,3 @@ kubectl delete secret mysecret
 - 进一步阅读 [Secret 概念](/zh-cn/docs/concepts/configuration/secret/)
 - 了解如何[使用 `kubectl` 管理 Secret](/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kubectl/)
 - 了解如何[使用 kustomize 管理 Secret](/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kustomize/)
-
diff --git a/content/zh-cn/docs/tasks/debug/_index.md b/content/zh-cn/docs/tasks/debug/_index.md
index 64f7c06e149ab..4efc71034d5ca 100644
--- a/content/zh-cn/docs/tasks/debug/_index.md
+++ b/content/zh-cn/docs/tasks/debug/_index.md
@@ -1,14 +1,14 @@
 ---
 title: 监控、日志和调试
 description: 设置监控和日志记录以对集群进行故障排除或调试容器化应用程序。
-weight: 20
+weight: 40
 content_type: concept
 no_list: true
 ---
 <!-- 
 title: "Monitoring, Logging, and Debugging"
 description: Set up monitoring and logging to troubleshoot a cluster, or debug a containerized application.
-weight: 20
+weight: 40
 reviewers:
 - brendandburns
 - davidopp
diff --git a/content/zh-cn/docs/tasks/inject-data-application/_index.md b/content/zh-cn/docs/tasks/inject-data-application/_index.md
index 8a23b60fc1c63..47a59d46e6465 100644
--- a/content/zh-cn/docs/tasks/inject-data-application/_index.md
+++ b/content/zh-cn/docs/tasks/inject-data-application/_index.md
@@ -1,5 +1,10 @@
 ---
 title: "给应用注入数据"
-weight: 30
+weight: 70
 description: 给你的工作负载 Pod 指定配置和其他数据。
 ---
+<!--
+title: "Inject Data Into Applications"
+description: Specify configuration and other data for the Pods that run your workload.
+weight: 70
+-->
diff --git a/content/zh-cn/docs/tasks/job/_index.md b/content/zh-cn/docs/tasks/job/_index.md
index 3f2ac22fe87fa..29084f9c24fa0 100644
--- a/content/zh-cn/docs/tasks/job/_index.md
+++ b/content/zh-cn/docs/tasks/job/_index.md
@@ -1,5 +1,10 @@
 ---
 title: "运行 Jobs"
-weight: 50
+weight: 90
 description: 使用并行处理运行 Jobs。
 ---
+<!--
+title: "Run Jobs"
+description: Run Jobs using parallel processing.
+weight: 90
+-->