[zh] Add translations to /storage/projected-volumes.md

kubernetes · Dec 15, 2023 · f51c49a · f51c49a
1 parent 751ec13
commit f51c49a
Show file tree

Hide file tree

Showing 3 changed files with 92 additions and 8 deletions.
diff --git a/content/zh-cn/docs/concepts/storage/projected-volumes.md b/content/zh-cn/docs/concepts/storage/projected-volumes.md
@@ -3,7 +3,6 @@ title: 投射卷
 content_type: concept
 weight: 21 # 跟在持久卷之后
 ---
-
 <!--
 reviewers:
 - marosset
@@ -35,6 +34,7 @@ Currently, the following types of volume sources can be projected:
 * [`downwardAPI`](/docs/concepts/storage/volumes/#downwardapi)
 * [`configMap`](/docs/concepts/storage/volumes/#configmap)
 * [`serviceAccountToken`](#serviceaccounttoken)
+* [`clusterTrustBundle`](#clustertrustbundle)
 -->
 ## 介绍    {#introduction}
 
@@ -46,6 +46,7 @@ Currently, the following types of volume sources can be projected:
 * [`downwardAPI`](/zh-cn/docs/concepts/storage/volumes/#downwardapi)
 * [`configMap`](/zh-cn/docs/concepts/storage/volumes/#configmap)
 * [`serviceAccountToken`](#serviceaccounttoken)
+* [`clusterTrustBundle`](#clustertrustbundle)
 
 <!--
 All sources are required to be in the same namespace as the Pod. For more details,
@@ -133,6 +134,66 @@ volume mount will not receive updates for those volume sources.
 形式使用投射卷源的容器无法收到对应卷源的更新。
 {{< /note >}}
 
+<!--
+## clusterTrustBundle projected volumes {#clustertrustbundle}
+-->
+## clusterTrustBundle 投射卷    {#clustertrustbundle}
+
+{{<feature-state for_k8s_version="v1.29" state="alpha" >}}
+
+{{< note >}}
+<!--
+To use this feature in Kubernetes {{< skew currentVersion >}}, you must enable support for ClusterTrustBundle objects with the `ClusterTrustBundle` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) and `--runtime-config=certificates.k8s.io/v1alpha1/clustertrustbundles=true` kube-apiserver flag, then enable the `ClusterTrustBundleProjection` feature gate.
+-->
+要在 Kubernetes {{< skew currentVersion >}} 中使用此特性，你必须通过 `ClusterTrustBundle`
+[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)和
+`--runtime-config=certificates.k8s.io/v1alpha1/clustertrustbundles=true` kube-apiserver
+标志启用对 ClusterTrustBundle 对象的支持，然后才能启用 `ClusterTrustBundleProjection` 特性门控。
+{{< /note >}}
+
+<!--
+The `clusterTrustBundle` projected volume source injects the contents of one or more [ClusterTrustBundle](/docs/reference/access-authn-authz/certificate-signing-requests#cluster-trust-bundles) objects as an automatically-updating file in the container filesystem.
+-->
+`clusterTrustBundle` 投射卷源将一个或多个
+[ClusterTrustBundle](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests#cluster-trust-bundles)
+对象的内容作为一个自动更新的文件注入到容器文件系统中。
+
+<!--
+ClusterTrustBundles can be selected either by [name](/docs/reference/access-authn-authz/certificate-signing-requests#ctb-signer-unlinked) or by [signer name](/docs/reference/access-authn-authz/certificate-signing-requests#ctb-signer-linked).
+-->
+ClusterTrustBundle 可以通过[名称](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests#ctb-signer-unlinked)
+或[签名者名称](/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests#ctb-signer-linked)被选中。
+
+<!--
+To select by name, use the `name` field to designate a single ClusterTrustBundle object.
+
+To select by signer name, use the `signerName` field (and optionally the
+`labelSelector` field) to designate a set of ClusterTrustBundle objects that use
+the given signer name. If `labelSelector` is not present, then all
+ClusterTrustBundles for that signer are selected.
+-->
+要按名称选择，可以使用 `name` 字段指定单个 ClusterTrustBundle 对象。
+
+要按签名者名称选择，可以使用 `signerName` 字段（也可选用 `labelSelector` 字段）
+指定一组使用给定签名者名称的 ClusterTrustBundle 对象。
+如果 `labelSelector` 不存在，则针对该签名者的所有 ClusterTrustBundles 将被选中。
+
+<!--
+The kubelet deduplicates the certificates in the selected ClusterTrustBundle objects, normalizes the PEM representations (discarding comments and headers), reorders the certificates, and writes them into the file named by `path`. As the set of selected ClusterTrustBundles or their content changes, kubelet keeps the file up-to-date.
+-->
+kubelet 会对所选 ClusterTrustBundle 对象中的证书进行去重，规范化 PEM 表示（丢弃注释和头部），
+重新排序证书，并将这些证书写入由 `path` 指定的文件中。
+随着所选 ClusterTrustBundles 的集合或其内容发生变化，kubelet 会保持更新此文件。
+
+<!--
+By default, the kubelet will prevent the pod from starting if the named ClusterTrustBundle is not found, or if `signerName` / `labelSelector` do not match any ClusterTrustBundles.  If this behavior is not what you want, then set the `optional` field to `true`, and the pod will start up with an empty file at `path`.
+-->
+默认情况下，如果找不到指定的 ClusterTrustBundle，或者 `signerName` / `labelSelector`
+与所有 ClusterTrustBundle 都不匹配，kubelet 将阻止 Pod 启动。如果这不是你想要的行为，
+可以将 `optional` 字段设置为 `true`，Pod 将使用 `path` 处的空白文件启动。
+
+{{% code_sample file="pods/storage/projected-clustertrustbundle.yaml" %}}
+
 <!--
 ## SecurityContext interactions
 -->
@@ -257,4 +318,3 @@ the Linux only `RunAsUser` option with Windows Pods.
 Pod 会一直阻塞在 `ContainerCreating` 状态。因此，建议不要在 Windows
 节点上使用仅针对 Linux 的 `RunAsUser` 选项。
 {{< /note >}}
-
diff --git a/content/zh-cn/docs/concepts/storage/storage-classes.md b/content/zh-cn/docs/concepts/storage/storage-classes.md
@@ -27,29 +27,25 @@ with [volumes](/docs/concepts/storage/volumes/) and
 <!-- body -->
 
 <!--
-## Introduction
-
 A StorageClass provides a way for administrators to describe the "classes" of
 storage they offer. Different classes might map to quality-of-service levels,
 or to backup policies, or to arbitrary policies determined by the cluster
 administrators. Kubernetes itself is unopinionated about what classes
 represent. This concept is sometimes called "profiles" in other storage
 systems.
 -->
-## 介绍 {#introduction}
-
 StorageClass 为管理员提供了描述存储"类"的方法。
 不同的类型可能会映射到不同的服务质量等级或备份策略，或是由集群管理员制定的任意策略。
 Kubernetes 本身并不清楚各种类代表的什么。这个类的概念在其他存储系统中有时被称为"配置文件"。
 
 <!--
-## The StorageClass Resource
+## The StorageClass API
 
 Each StorageClass contains the fields `provisioner`, `parameters`, and
 `reclaimPolicy`, which are used when a PersistentVolume belonging to the
 class needs to be dynamically provisioned.
 -->
-## StorageClass 资源 {#the-storageclass-resource}
+## StorageClass API   {#the-storageclass-api}
 
 每个 StorageClass 都包含 `provisioner`、`parameters` 和 `reclaimPolicy` 字段，
 这些字段会在 StorageClass 需要动态制备 PersistentVolume 时会使用到。

diff --git a/content/zh-cn/examples/pods/storage/projected-clustertrustbundle.yaml b/content/zh-cn/examples/pods/storage/projected-clustertrustbundle.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: sa-ctb-name-test
+spec:
+  containers:
+  - name: container-test
+    image: busybox
+    command: ["sleep", "3600"]
+    volumeMounts:
+    - name: token-vol
+      mountPath: "/root-certificates"
+      readOnly: true
+  serviceAccountName: default
+  volumes:
+  - name: root-certificates-vol
+    projected:
+      sources:
+      - clusterTrustBundle:
+          name: example
+          path: example-roots.pem
+      - clusterTrustBundle:
+          signerName: "example.com/mysigner"
+          labelSelector:
+            matchLabels:
+              version: live
+          path: mysigner-roots.pem
+          optional: true