[zh] sync control-plane-node-communication.md

content/zh-cn/docs/concepts/architecture/control-plane-node-communication.md

@@ -3,8 +3,10 @@ title: 节点与控制面之间的通信
 content_type: concept
 weight: 20
 ---
-
 <!--
+reviewers:
+- dchen1107
+- liggitt
 title: Communication between Nodes and the Control Plane
 content_type: concept
 weight: 20
@@ -15,12 +17,14 @@ aliases:
 <!-- overview -->
 
 <!--
-This document catalogs the communication paths between the API server and the Kubernetes cluster.
+This document catalogs the communication paths between the {{< glossary_tooltip term_id="kube-apiserver" text="API server" >}}
+and the Kubernetes {{< glossary_tooltip text="cluster" term_id="cluster" length="all" >}}.
 The intent is to allow users to customize their installation to harden the network configuration
 such that the cluster can be run on an untrusted network (or on fully public IPs on a cloud
 provider).
 -->
-本文列举控制面节点（确切说是 API 服务器）和 Kubernetes 集群之间的通信路径。
+本文列举控制面节点（确切地说是 {{< glossary_tooltip term_id="kube-apiserver" text="API 服务器" >}}）和
+Kubernetes {{< glossary_tooltip text="集群" term_id="cluster" length="all" >}}之间的通信路径。
 目的是为了让用户能够自定义他们的安装，以实现对网络配置的加固，
 使得集群能够在不可信的网络上（或者在一个云服务商完全公开的 IP 上）运行。
 
@@ -51,35 +55,38 @@ API 服务器被配置为在一个安全的 HTTPS 端口（通常为 443）上
 或[服务账户令牌](/zh-cn/docs/reference/access-authn-authz/authentication/#service-account-tokens)的时候。
 
 <!--
-Nodes should be provisioned with the public root certificate for the cluster such that they can
+Nodes should be provisioned with the public root {{< glossary_tooltip text="certificate" term_id="certificate" >}} for the cluster such that they can
 connect securely to the API server along with valid client credentials. A good approach is that the
 client credentials provided to the kubelet are in the form of a client certificate. See
 [kubelet TLS bootstrapping](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/)
 for automated provisioning of kubelet client certificates.
 -->
-应该使用集群的公共根证书开通节点，这样它们就能够基于有效的客户端凭据安全地连接 API 服务器。
+应该使用集群的公共根{{< glossary_tooltip text="证书" term_id="certificate" >}}开通节点，
+这样它们就能够基于有效的客户端凭据安全地连接 API 服务器。
 一种好的方法是以客户端证书的形式将客户端凭据提供给 kubelet。
 请查看 [kubelet TLS 启动引导](/zh-cn/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/)
 以了解如何自动提供 kubelet 客户端证书。
 
 <!--
-Pods that wish to connect to the API server can do so securely by leveraging a service account so
+{{< glossary_tooltip text="Pods" term_id="pod" >}} that wish to connect to the API server can do so securely by leveraging a service account so
 that Kubernetes will automatically inject the public root certificate and a valid bearer token
 into the pod when it is instantiated.
 The `kubernetes` service (in `default` namespace) is configured with a virtual IP address that is
-redirected (via `kube-proxy`) to the HTTPS endpoint on the API server.
+redirected (via `{{< glossary_tooltip text="kube-proxy" term_id="kube-proxy" >}}`) to the HTTPS endpoint on the API server.
 
 The control plane components also communicate with the API server over the secure port.
 -->
-想要连接到 API 服务器的 Pod 可以使用服务账号安全地进行连接。
+想要连接到 API 服务器的 {{< glossary_tooltip text="Pod" term_id="pod" >}}
+可以使用服务账号安全地进行连接。
 当 Pod 被实例化时，Kubernetes 自动把公共根证书和一个有效的持有者令牌注入到 Pod 里。
 `kubernetes` 服务（位于 `default` 名字空间中）配置了一个虚拟 IP 地址，
-用于（通过 kube-proxy）转发请求到 API 服务器的 HTTPS 末端。
+用于（通过 `{{< glossary_tooltip text="kube-proxy" term_id="kube-proxy" >}}`）转发请求到
+API 服务器的 HTTPS 末端。
 
 控制面组件也通过安全端口与集群的 API 服务器通信。
 
 <!--
-As a result, the default operating mode for connections from the nodes and pods running on the
+As a result, the default operating mode for connections from the nodes and pod running on the
 nodes to the control plane is secured by default and can run over untrusted and/or public
 networks.
 -->
@@ -90,15 +97,16 @@ networks.
 ## Control plane to node
 
 There are two primary communication paths from the control plane (the API server) to the nodes.
-The first is from the API server to the kubelet process which runs on each node in the cluster.
+The first is from the API server to the {{< glossary_tooltip text="kubelet" term_id="kubelet" >}} process which runs on each node in the cluster.
 The second is from the API server to any node, pod, or service through the API server's _proxy_
 functionality.
 -->
 ## 控制面到节点  {#control-plane-to-node}
 
 从控制面（API 服务器）到节点有两种主要的通信路径。
-第一种是从 API 服务器到集群中每个节点上运行的 kubelet 进程。
-第二种是从 API 服务器通过它的代理功能连接到任何节点、Pod 或者服务。
+第一种是从 API 服务器到集群中每个节点上运行的
+{{< glossary_tooltip text="kubelet" term_id="kubelet" >}} 进程。
+第二种是从 API 服务器通过它的**代理**功能连接到任何节点、Pod 或者服务。
 
 <!--
 ### API server to kubelet
@@ -117,8 +125,8 @@ attacks and **unsafe** to run over untrusted and/or public networks.
 
 从 API 服务器到 kubelet 的连接用于：
 
-* 获取 Pod 日志
-* 挂接（通过 kubectl）到运行中的 Pod
+* 获取 Pod 日志。
+* 挂接（通过 kubectl）到运行中的 Pod。
 * 提供 kubelet 的端口转发功能。
 
 这些连接终止于 kubelet 的 HTTPS 末端。
@@ -167,7 +175,7 @@ connections **are not currently safe** to run over untrusted or public networks.
 <!--
 ### SSH tunnels
 
-Kubernetes supports SSH tunnels to protect the control plane to nodes communication paths. In this
+Kubernetes supports [SSH tunnels](https://www.ssh.com/academy/ssh/tunneling) to protect the control plane to nodes communication paths. In this
 configuration, the API server initiates an SSH tunnel to each node in the cluster (connecting to
 the SSH server listening on port 22) and passes all traffic destined for a kubelet, node, pod, or
 service through the tunnel.
@@ -176,8 +184,9 @@ running.
 -->
 ### SSH 隧道 {#ssh-tunnels}
 
-Kubernetes 支持使用 SSH 隧道来保护从控制面到节点的通信路径。在这种配置下，
-API 服务器建立一个到集群中各节点的 SSH 隧道（连接到在 22 端口监听的 SSH 服务器）
+Kubernetes 支持使用
+[SSH 隧道](https://www.ssh.com/academy/ssh/tunneling)来保护从控制面到节点的通信路径。
+在这种配置下，API 服务器建立一个到集群中各节点的 SSH 隧道（连接到在 22 端口监听的 SSH 服务器）
 并通过这个隧道传输所有到 kubelet、节点、Pod 或服务的请求。
 这一隧道保证通信不会被暴露到集群节点所运行的网络之外。
 
@@ -219,3 +228,22 @@ Konnectivity 代理建立并维持到 Konnectivity 服务器的网络连接。
 请浏览 [Konnectivity 服务任务](/zh-cn/docs/tasks/extend-kubernetes/setup-konnectivity/)
 在你的集群中配置 Konnectivity 服务。
 
+## {{% heading "whatsnext" %}}
+
+<!--
+* Read about the [Kubernetes control plane components](/docs/concepts/overview/components/#control-plane-components)
+* Learn more about [Hubs and Spoke model](https://book.kubebuilder.io/multiversion-tutorial/conversion-concepts.html#hubs-spokes-and-other-wheel-metaphors)
+* Learn how to [Secure a Cluster](/docs/tasks/administer-cluster/securing-a-cluster/) 
+* Learn more about the [Kubernetes API](/docs/concepts/overview/kubernetes-api/)
+* [Set up Konnectivity service](/docs/tasks/extend-kubernetes/setup-konnectivity/)
+* [Use Port Forwarding to Access Applications in a Cluster](/docs/tasks/access-application-cluster/port-forward-access-application-cluster/)
+* Learn how to [Fetch logs for Pods](/docs/tasks/debug/debug-application/debug-running-pod/#examine-pod-logs), [use kubectl port-forward](/docs/tasks/access-application-cluster/port-forward-access-application-cluster/#forward-a-local-port-to-a-port-on-the-pod)
+-->
+* 阅读 [Kubernetes 控制面组件](/zh-cn/docs/concepts/overview/components/#control-plane-components)
+* 进一步了解 [Hubs and Spoke model](https://book.kubebuilder.io/multiversion-tutorial/conversion-concepts.html#hubs-spokes-and-other-wheel-metaphors)
+* 进一步了解如何[保护集群](/zh-cn/docs/tasks/administer-cluster/securing-a-cluster/)
+* 进一步了解 [Kubernetes API](/zh-cn/docs/concepts/overview/kubernetes-api/)
+* [设置 Konnectivity 服务](/zh-cn/docs/tasks/extend-kubernetes/setup-konnectivity/)
+* [使用端口转发来访问集群中的应用](/zh-cn/docs/tasks/access-application-cluster/port-forward-access-application-cluster/)
+* 学习如何[检查 Pod 的日志](/zh-cn/docs/tasks/debug/debug-application/debug-running-pod/#examine-pod-logs)
+  以及如何[使用 kubectl 端口转发](/zh-cn/docs/tasks/access-application-cluster/port-forward-access-application-cluster/#forward-a-local-port-to-a-port-on-the-pod)