[zh] Fix some 404 links in concepts

content/zh-cn/docs/concepts/overview/working-with-objects/finalizers.md

@@ -87,7 +87,7 @@ Kubernetes 清除 `pv-protection` Finalizer，控制器就会删除该卷。
 ## Owner references, labels, and finalizers {#owners-labels-finalizers}
 
 Like {{<glossary_tooltip text="labels" term_id="label">}},
-[owner references](/concepts/overview/working-with-objects/owners-dependents/)
+[owner references](/docs/concepts/overview/working-with-objects/owners-dependents/)
 describe the relationships between objects in Kubernetes, but are used for a
 different purpose. When a
 {{<glossary_tooltip text="controller" term_id="controller">}} manages objects
@@ -99,7 +99,7 @@ any Pods in the cluster with the same label.
 ## 属主引用、标签和 Finalizers {#owners-labels-finalizers}
 
 与{{<glossary_tooltip text="标签" term_id="label">}}类似，
-[属主引用](/zh-cn/concepts/overview/working-with-objects/owners-dependents/)
+[属主引用](/zh-cn/docs/concepts/overview/working-with-objects/owners-dependents/)
 描述了 Kubernetes 中对象之间的关系，但它们作用不同。
 当一个{{<glossary_tooltip text="控制器" term_id="controller">}}
 管理类似于 Pod 的对象时，它使用标签来跟踪相关对象组的变化。
@@ -154,4 +154,3 @@ Finalizers 通常因为特殊原因被添加到资源上，所以强行删除它
   on the Kubernetes blog.
 -->
 * 在 Kubernetes 博客上阅读[使用 Finalizers 控制删除](/blog/2021/05/14/using-finalizers-to-control-deletion/)。
-

content/zh-cn/docs/concepts/security/pod-security-policy.md

@@ -58,7 +58,7 @@ Pod 安全策略允许管理员控制如下方面：
 
 <!--
 | Control Aspect                                      | Field Names                                 |
-| ----------------------------------------------------| ----------------------------------------- |
+| ----------------------------------------------------| ------------------------------------------- |
 | Running of privileged containers                    | [`privileged`](#privileged)                                |
 | Usage of host namespaces                            | [`hostPID`, `hostIPC`](#host-namespaces)    |
 | Usage of host networking and ports                  | [`hostNetwork`, `hostPorts`](#host-namespaces) |
@@ -458,11 +458,11 @@ alias kubectl-user='kubectl --as=system:serviceaccount:psp-example:fake-user -n
 ### Create a policy and a pod
 
 Define the example PodSecurityPolicy object in a file. This is a policy that
-simply prevents the creation of privileged pods.
+prevents the creation of privileged pods.
 The name of a PodSecurityPolicy object must be a valid
 [DNS subdomain name](/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
 -->
-### 创建一个策略和一个 Pod
+### 创建一个策略和一个 Pod   {#create-a-policy-and-a-pod}
 
 在一个文件中定义一个示例的 PodSecurityPolicy 对象。
 这里的策略只是用来禁止创建有特权要求的 Pods。
@@ -588,7 +588,7 @@ spec:
 EOF
 ```
 <!--
-The output is similar to this:
+The output is similar to this
 -->
 输出类似于：
 
@@ -791,7 +791,8 @@ several security mechanisms.
 {{< codenew file="policy/restricted-psp.yaml" >}}
 
 <!--
-See [Pod Security Standards](/docs/concepts/security/pod-security-standards/#policy-instantiation) for more examples.
+See [Pod Security Standards](/docs/concepts/security/pod-security-standards/#policy-instantiation)
+for more examples.
 -->
 更多的示例可参考
 [Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards/#policy-instantiation)。
@@ -897,10 +898,10 @@ PodSecurityPolicy 并不限制可以被 `PersistentVolumeClaim` 所引用的
 **FSGroup** - Controls the supplemental group applied to some volumes.
 
 - *MustRunAs* - Requires at least one `range` to be specified. Uses the
-minimum value of the first range as the default. Validates against all ranges.
+  minimum value of the first range as the default. Validates against all ranges.
 - *MayRunAs* - Requires at least one `range` to be specified. Allows
-`FSGroups` to be left unset without providing a default. Validates against
-all ranges if `FSGroups` is set.
+  `FSGroups` to be left unset without providing a default. Validates against
+  all ranges if `FSGroups` is set.
 - *RunAsAny* - No default provided. Allows any `fsGroup` ID to be specified.
 -->
 **FSGroup** - 控制应用到某些卷上的附加用户组。
@@ -1054,7 +1055,7 @@ spec:
 <!--
 **RunAsGroup** - Controls which primary group ID the containers are run with.
 
-- *MustRunAs* - Requires at least one `range` to be specified. Uses the 
+- *MustRunAs* - Requires at least one `range` to be specified. Uses the
   minimum value of the first range as the default. Validates against all ranges.
 - *MayRunAs* - Does not require that RunAsGroup be specified. However, when RunAsGroup
   is specified, they have to fall in the defined range.
@@ -1101,7 +1102,7 @@ required to effectively enforce `MustRunAsNonRoot`.
 -->
 ### 特权提升   {#privilege-escalation}
 
-这一组选项控制容器的`allowPrivilegeEscalation` 属性。该属性直接决定是否为容器进程设置
+这一组选项控制容器的 `allowPrivilegeEscalation` 属性。该属性直接决定是否为容器进程设置
 [`no_new_privs`](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)
 参数。此参数会禁止 `setuid` 属性的可执行文件更改有效用户 ID（EUID），
 并且禁止启用额外权能的文件。例如，`no_new_privs` 会禁止使用 `ping` 工具。
@@ -1140,7 +1141,7 @@ the PodSecurityPolicy. For more details on Linux capabilities, see
 [capabilities(7)](http://man7.org/linux/man-pages/man7/capabilities.7.html).
 
 The following fields take a list of capabilities, specified as the capability
-name in ALL_CAPS without the `CAP\_` prefix.
+name in ALL_CAPS without the `CAP_` prefix.
 -->
 ### 权能字    {#capabilities}
 
@@ -1176,7 +1177,7 @@ added. Capabilities listed in `RequiredDropCapabilities` must not be included in
 <!--
 **DefaultAddCapabilities** - The capabilities which are added to containers by
 default, in addition to the runtime defaults. See the
-documentation for your container runtime for information on working with Linux capabilities. 
+documentation for your container runtime for information on working with Linux capabilities.
 -->
 **DefaultAddCapabilities** - 默认添加到容器的权能字集合。
 这一集合是作为容器运行时所设值的补充。
@@ -1228,14 +1229,14 @@ denoted as the string `Unmasked`.
 <!--
 ### AppArmor
 
-Controlled via annotations on the PodSecurityPolicy. Refer to the [AppArmor
-documentation](/docs/tutorials/policy/apparmor/#podsecuritypolicy-annotations).
+Controlled via annotations on the PodSecurityPolicy. Refer to the
+[AppArmor documentation](/docs/tutorials/security/apparmor/#podsecuritypolicy-annotations).
 -->
 ### AppArmor
 
 通过 PodSecurityPolicy 上的注解来控制。
 详情请参阅
-[AppArmor 文档](/zh-cn/docs/tutorials/policy/apparmor/#podsecuritypolicy-annotations)。
+[AppArmor 文档](/zh-cn/docs/tutorials/security/apparmor/#podsecuritypolicy-annotations)。
 
 
 <!--
@@ -1270,7 +1271,7 @@ are:
   of Kubernetes 1.11. Use `runtime/default` instead.
 - `localhost/<path>` - Specify a profile as a file on the node located at
   `<seccomp_root>/<path>`, where `<seccomp_root>` is defined via the
-  `-seccomp-profile-root` flag on the Kubelet. If the `--seccomp-profile-root`
+  `--seccomp-profile-root` flag on the Kubelet. If the `--seccomp-profile-root`
   flag is not defined, the default path will be used, which is
   `<root-dir>/seccomp` where `<root-dir>` is specified by the `--root-dir` flag.
 
@@ -1341,20 +1342,21 @@ Refer to the [Sysctl documentation](/docs/tasks/administer-cluster/sysctl-cluste
 ## {{% heading "whatsnext" %}}
 
 <!--
-- See [PodSecurityPolicy Deprecation: Past, Present, and
-  Future](/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/) to learn about
-  the future of pod security policy.
+- See [PodSecurityPolicy Deprecation: Past, Present, and Future](/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/)
+  to learn about the future of pod security policy.
 
-- See [Pod Security Standards](/docs/concepts/security/pod-security-standards/) for policy recommendations.
+- See [Pod Security Standards](/docs/concepts/security/pod-security-standards/)
+  for policy recommendations.
 
-- Refer to [Pod Security Policy Reference](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podsecuritypolicy-v1beta1-policy) for the api details.
+- Refer to [PodSecurityPolicy reference](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podsecuritypolicy-v1beta1-policy)
+  for the API details.
 -->
 - 参阅 [PodSecurityPolicy Deprecation: Past, Present, and
   Future](/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/)，
   了解 Pod 安全策略的未来。
 
-- 参阅[Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards/)，
+- 参阅 [Pod 安全标准](/zh-cn/docs/concepts/security/pod-security-standards/)，
   了解策略建议。
-- 阅读 [Pod 安全策略参考](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podsecuritypolicy-v1beta1-policy)，
+- 阅读 [PodSecurityPolicy 参考](/docs/reference/generated/kubernetes-api/{{< param "version" >}}/#podsecuritypolicy-v1beta1-policy)，
   了解 API 细节。
 

content/zh-cn/docs/concepts/windows/intro.md

@@ -468,7 +468,7 @@ The following list documents differences between how Pod specifications work bet
   supported on Windows.
 -->
 * `terminationGracePeriodSeconds` - 这在 Windows 上的 Docker 中没有完全实现，
-  请参考[GitHub issue](https://github.com/moby/moby/issues/25982)。
+  请参考 [GitHub issue](https://github.com/moby/moby/issues/25982)。
   目前的行为是通过 CTRL_SHUTDOWN_EVENT 发送 ENTRYPOINT 进程，然后 Windows 默认等待 5 秒，
   最后使用正常的 Windows 关机行为终止所有进程。
   5 秒默认值实际上位于[容器内](https://github.com/moby/moby/issues/25982#issuecomment-426441183)的 Windows 注册表中，
@@ -637,7 +637,7 @@ Windows Server SAC release
 <!--
 The Kubernetes [version-skew policy](/docs/setup/release/version-skew-policy/) also applies.
 -->
-也适用 Kubernetes [版本偏差策略](/zh-cn/docs/setup/release/version-skew-policy/)。
+也适用 Kubernetes [版本偏差策略](/zh-cn/releases/version-skew-policy/)。
 
 <!--
 ## Getting help and troubleshooting {#troubleshooting}

content/zh-cn/docs/concepts/workloads/controllers/replicationcontroller.md

@@ -7,7 +7,7 @@ feature:
     重新启动失败的容器，在节点死亡时替换并重新调度容器，杀死不响应用户定义的健康检查的容器，并且在它们准备好服务之前不会将它们公布给客户端。
 content_type: concept
 weight: 90
----     
+---
 
 <!--
 reviewers:
@@ -242,8 +242,8 @@ different, and the `.metadata.labels` do not affect the behavior of the Replicat
 ### ReplicationController 上的标签
 
 ReplicationController 本身可以有标签 （`.metadata.labels`）。
-通常，你可以将这些设置为 `.spec.template.metadata.labels`； 
-如果没有指定 `.metadata.labels` 那么它默认为 `.spec.template.metadata.labels`。  
+通常，你可以将这些设置为 `.spec.template.metadata.labels`；
+如果没有指定 `.metadata.labels` 那么它默认为 `.spec.template.metadata.labels`。
 但是，Kubernetes 允许它们是不同的，`.metadata.labels` 不会影响 ReplicationController 的行为。
 
 <!--
@@ -256,7 +256,7 @@ deleted. This allows the ReplicationController to be replaced without affecting
 -->
 ### Pod 选择算符 {#pod-selector}
 
-`.spec.selector` 字段是一个[标签选择算符](/zh-cn/docs/concepts/overview/working-with-objects/labels/#label-selectors)。 
+`.spec.selector` 字段是一个[标签选择算符](/zh-cn/docs/concepts/overview/working-with-objects/labels/#label-selectors)。
 ReplicationController 管理标签与选择算符匹配的所有 Pod。
 它不区分它创建或删除的 Pod 和其他人或进程创建或删除的 Pod。
 这允许在不影响正在运行的 Pod 的情况下替换 ReplicationController。
@@ -299,7 +299,7 @@ If you do not specify `.spec.replicas`, then it defaults to 1.
 你可以通过设置 `.spec.replicas` 来指定应该同时运行多少个 Pod。
 在任何时候，处于运行状态的 Pod 个数都可能高于或者低于设定值。例如，副本个数刚刚被增加或减少时，或者一个 Pod 处于优雅终止过程中而其替代副本已经提前开始创建时。
 
-如果你没有指定 `.spec.replicas` ，那么它默认是 1。
+如果你没有指定 `.spec.replicas`，那么它默认是 1。
 
 <!--
 ## Working with ReplicationControllers
@@ -341,7 +341,7 @@ When using the REST API or [client library](/docs/reference/using-api/client-lib
 
 使用 kubectl，为 [`kubectl delete`](/docs/reference/generated/kubectl/kubectl-commands#delete) 指定 `--cascade=orphan` 选项。
 
-当使用 REST API 或客户端库(/zh-cn/docs/reference/using-api/client-libraries)时，只需删除 ReplicationController 对象。
+当使用 REST API 或[客户端库](/zh-cn/docs/reference/using-api/client-libraries)时，只需删除 ReplicationController 对象。
 
 <!--
 Once the original is deleted, you can create a new ReplicationController to replace it.  As long
@@ -561,9 +561,9 @@ Unlike in the case where a user directly created pods, a ReplicationController r
 ### 裸 Pod
 
 与用户直接创建 Pod 的情况不同，ReplicationController 能够替换因某些原因
-被删除或被终止的 Pod ，例如在节点故障或中断节点维护的情况下，例如内核升级。
+被删除或被终止的 Pod，例如在节点故障或中断节点维护的情况下，例如内核升级。
 因此，我们建议你使用 ReplicationController，即使你的应用程序只需要一个 Pod。
-可以将其看作类似于进程管理器，它只管理跨多个节点的多个 Pod ，而不是单个节点上的单个进程。
+可以将其看作类似于进程管理器，它只管理跨多个节点的多个 Pod，而不是单个节点上的单个进程。
 ReplicationController 将本地容器重启委托给节点上的某个代理(例如，Kubelet 或 Docker)。
 
 <!--