sync secret node-pressure-eviction issue-wrangler

Update secret.md
kubernetes · Nov 24, 2023 · 6856308 · 6856308
1 parent 1483479
commit 6856308
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 6 deletions.
diff --git a/content/zh-cn/docs/concepts/configuration/secret.md b/content/zh-cn/docs/concepts/configuration/secret.md
@@ -1579,6 +1579,21 @@ Therefore, one Pod does not have access to the Secrets of another Pod.
 针对同一节点上的多个 Pod 可能有多个 Secret。不过，只有某个 Pod 所请求的 Secret
 才有可能对 Pod 中的容器可见。因此，一个 Pod 不会获得访问其他 Pod 的 Secret 的权限。
 
+<!--
+### Configure least-privilege access to Secrets
+
+To enhance the security measures around Secrets, Kubernetes provides a mechanism: you can
+annotate a ServiceAccount as `kubernetes.io/enforce-mountable-secrets: "true"`.
+
+For more information, you can refer to the [documentation about this annotation](/docs/concepts/security/service-accounts/#enforce-mountable-secrets).
+-->
+### 配置 Secret 资源的最小特权访问
+
+为了加强对 Secret 的安全措施，Kubernetes 提供了一种机制：
+你可以为 ServiceAccount 添加 `kubernetes.io/enforce-mountable-secrets: "true"` 注解。
+
+想了解更多信息，你可以参考[此注解的文档](/zh-cn/docs/concepts/security/service-accounts/#enforce-mountable-secrets)。
+
 {{< warning >}}
 <!--
 Any containers that run with `privileged: true` on a node can access all

diff --git a/content/zh-cn/docs/concepts/scheduling-eviction/node-pressure-eviction.md b/content/zh-cn/docs/concepts/scheduling-eviction/node-pressure-eviction.md
@@ -158,7 +158,8 @@ like `free -m`. This is important because `free -m` does not work in a
 container, and if users use the [node allocatable](/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)
 feature, out of resource decisions
 are made local to the end user Pod part of the cgroup hierarchy as well as the
-root node. This [script](/examples/admin/resource/memory-available.sh)
+root node. This [script](/examples/admin/resource/memory-available.sh) or
+[cgroupv2 script](/examples/admin/resource/memory-available-cgroupv2.sh)
 reproduces the same set of steps that the kubelet performs to calculate
 `memory.available`. The kubelet excludes inactive_file (the number of bytes of
 file-backed memory on inactive LRU list) from its calculation as it assumes that
@@ -168,7 +169,8 @@ memory is reclaimable under pressure.
 这很重要，因为 `free -m` 在容器中不起作用，如果用户使用
 [节点可分配资源](/zh-cn/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)
 这一功能特性，资源不足的判定是基于 cgroup 层次结构中的用户 Pod 所处的局部及 cgroup 根节点作出的。
-这个[脚本](/zh-cn/examples/admin/resource/memory-available.sh)
+这个[脚本](/zh-cn/examples/admin/resource/memory-available.sh)或者
+[cgroupv2 脚本](/zh-cn/examples/admin/resource/memory-available-cgroupv2.sh)
 重现了 kubelet 为计算 `memory.available` 而执行的相同步骤。
 kubelet 在其计算中排除了 inactive_file（非活动 LRU 列表上基于文件来虚拟的内存的字节数），
 因为它假定在压力下内存是可回收的。

diff --git a/content/zh-cn/docs/contribute/participate/issue-wrangler.md b/content/zh-cn/docs/contribute/participate/issue-wrangler.md
@@ -14,12 +14,12 @@ weight: 20
 <!--
 Alongside the [PR Wrangler](/docs/contribute/participate/pr-wranglers),formal approvers,
 and reviewers, members of SIG Docs take week long shifts
-[triaging and categorising issues](/docs/contribute/review/for-approvers.md/#triage-and-categorize-issues)
+[triaging and categorising issues](/docs/contribute/review/for-approvers/#triage-and-categorize-issues)
 for the repository.
 -->
 除了承担 [PR 管理者](/zh-cn/docs/contribute/participate/pr-wranglers)的职责外，
 SIG Docs 正式的批准人（Approver）、评审人（Reviewer）和成员（Member）
-按周轮流[归类仓库的 Issue](/zh-cn/docs/contribute/review/for-approvers.md/#triage-and-categorize-issues)。
+按周轮流[归类仓库的 Issue](/zh-cn/docs/contribute/review/for-approvers/#triage-and-categorize-issues)。
 
 <!-- body -->
 
@@ -29,7 +29,7 @@ SIG Docs 正式的批准人（Approver）、评审人（Reviewer）和成员（M
 Each day in a week-long shift the Issue Wrangler will be responsible for:
 
 - Triaging and tagging incoming issues daily. See
-  [Triage and categorize issues](/docs/contribute/review/for-approvers.md/#triage-and-categorize-issues)
+  [Triage and categorize issues](/docs/contribute/review/for-approvers/#triage-and-categorize-issues)
   for guidelines on how SIG Docs uses metadata.
 - Keeping an eye on stale & rotten issues within the kubernetes/website repository.
 - Maintenance of the [Issues board](https://github.com/orgs/kubernetes/projects/72/views/1).
@@ -39,7 +39,7 @@ Each day in a week-long shift the Issue Wrangler will be responsible for:
 在为期一周的轮值期内，Issue 管理者每天负责：
 
 - 对收到的 Issue 进行日常分类和标记。有关 SIG Docs 如何使用元数据的指导说明，
-  参阅[归类 Issue](/zh-cn/docs/contribute/review/for-approvers.md/#triage-and-categorize-issues)。
+  参阅[归类 Issue](/zh-cn/docs/contribute/review/for-approvers/#triage-and-categorize-issues)。
 - 密切关注 kubernetes/website 代码仓库中陈旧和过期的 Issue。
 - 维护 [Issues 看板](https://github.com/orgs/kubernetes/projects/72/views/1)。