[zh] sync 1.27 images

content/zh-cn/docs/concepts/containers/images.md

@@ -38,7 +38,7 @@ This page provides an outline of the container image concept.
 <!-- 
 If you are looking for the container images for a Kubernetes
 release (such as v{{< skew latestVersion >}}, the latest minor release),
-visit [Download Kubernetes](https://kubernetes.io/releases/download/). 
+visit [Download Kubernetes](https://kubernetes.io/releases/download/).
 -->
 如果你正在寻找 Kubernetes 某个发行版本（如最新次要版本 v{{< skew latestVersion >}}）
 的容器镜像，请访问[下载 Kubernetes](/zh-cn/releases/download/)。
@@ -55,8 +55,8 @@ and possibly a port number as well; for example: `fictional.registry.example:104
 
 If you don't specify a registry hostname, Kubernetes assumes that you mean the Docker public registry.
 
-After the image name part you can add a _tag_ (in the same way you would when using with commands like `docker` or `podman`).
-Tags let you identify different versions of the same series of images.
+After the image name part you can add a _tag_ (in the same way you would when using with commands
+like `docker` or `podman`).  Tags let you identify different versions of the same series of images.
 -->
 ## 镜像名称    {#image-names}
 
@@ -71,9 +71,9 @@ Tags let you identify different versions of the same series of images.
 
 <!--
 Image tags consist of lowercase and uppercase letters, digits, underscores (`_`),
-periods (`.`), and dashes (`-`).  
+periods (`.`), and dashes (`-`).
 There are additional rules about where you can place the separator
-characters (`_`, `-`, and `.`) inside an image tag.  
+characters (`_`, `-`, and `.`) inside an image tag.
 If you don't specify a tag, Kubernetes assumes you mean the tag `latest`.
 -->
 镜像标签可以包含小写字母、大写字母、数字、下划线（`_`）、句点（`.`）和连字符（`-`）。
@@ -199,7 +199,7 @@ running the same code no matter what tag changes happen at the registry.
 在创建 Pod（和 Pod 模板）时产生变更，这样运行的工作负载就是根据镜像摘要，而不是标签来定义的。
 无论镜像仓库上的标签发生什么变化，你都想确保你所有的工作负载都运行相同的代码，那么指定镜像摘要会很有用。
 
-<!-- 
+<!--
 #### Default image pull policy {#imagepullpolicy-defaulting}
 
 When you (or a controller) submit a new Pod to the API server, your cluster sets the
@@ -293,6 +293,91 @@ which is 300 seconds (5 minutes).
 
 Kubernetes 会增加每次尝试之间的延迟，直到达到编译限制，即 300 秒（5 分钟）。
 
+<!--
+## Serial and parallel image pulls
+-->
+## 串行和并行镜像拉取  {#serial-and-parallel-image-pulls}
+
+<!--
+By default, kubelet pulls images serially. In other words, kubelet sends only
+one image pull request to the image service at a time. Other image pull requests
+have to wait until the one being processed is complete.
+-->
+默认情况下，kubelet 以串行方式拉取镜像。
+也就是说，kubelet 一次只向镜像服务发送一个镜像拉取请求。
+其他镜像拉取请求必须等待，直到正在处理的那个请求完成。
+
+<!--
+Nodes make image pull decisions in isolation. Even when you use serialized image
+pulls, two different nodes can pull the same image in parallel.
+-->
+节点独立地做出镜像拉取的决策。即使你使用串行的镜像拉取，两个不同的节点也可以并行拉取相同的镜像。
+
+<!--
+If you would like to enable parallel image pulls, you can set the field
+`serializeImagePulls` to false in the [kubelet configuration](/docs/reference/config-api/kubelet-config.v1beta1/).
+With `serializeImagePulls` set to false, image pull requests will be sent to the image service immediately,
+and multiple images will be pulled at the same time.
+-->
+如果你想启用并行镜像拉取，可以在 [kubelet 配置](/zh-cn/docs/reference/config-api/kubelet-config.v1beta1/)
+中将字段 `serializeImagePulls` 设置为 false。
+
+当`serializeImagePulls` 设置为 false 时，kubelet 会立即向镜像服务发送镜像拉取请求，多个镜像将同时被拉动。
+
+<!--
+When enabling parallel image pulls, please make sure the image service of your
+container runtime can handle parallel image pulls.
+-->
+启用并行镜像拉取时，请确保你的容器运行时的镜像服务可以处理并行镜像拉取。
+
+<!--
+The kubelet never pulls multiple images in parallel on behalf of one Pod. For example,
+if you have a Pod that has an init container and an application container, the image
+pulls for the two containers will not be parallelized. However, if you have two
+Pods that use different images, the kubelet pulls the images in parallel on
+behalf of the two different Pods, when parallel image pulls is enabled.
+-->
+kubelet 从不代表一个 Pod 并行地拉取多个镜像。
+
+例如，如果你有一个 Pod，它有一个初始容器和一个应用容器，那么这两个容器的镜像拉取将不会并行。
+但是，如果你有两个使用不同镜像的 Pod，当启用并行镜像拉取时，kubelet 会代表两个不同的 Pod 并行拉取镜像。
+
+<!--
+### Maximum parallel image pulls
+-->
+### 最大并行镜像拉取数量  {#maximum-parallel-image-pulls}
+
+{{< feature-state for_k8s_version="v1.27" state="alpha" >}}
+
+<!--
+When `serializeImagePulls` is set to false, the kubelet defaults to no limit on the
+maximum number of images being pulled at the same time. If you would like to
+limit the number of parallel image pulls, you can set the field `maxParallelImagePulls`
+in kubelet configuration. With `maxParallelImagePulls` set to _n_, only _n_ images
+can be pulled at the same time, and any image pull beyond _n_ will have to wait
+until at least one ongoing image pull is complete.
+-->
+当 `serializeImagePulls` 被设置为 false 时，kubelet 默认对同时拉取的最大镜像数量没有限制。
+如果你想限制并行镜像拉取的数量，可以在 kubelet 配置中设置字段 `maxParallelImagePulls`。
+当 `maxParallelImagePulls` 设置为 _n_ 时，只能同时拉取 _n_ 个镜像，
+超过 _n_ 的任何镜像都必须等到至少一个正在进行拉取的镜像拉取完成后，才能拉取。
+
+<!--
+Limiting the number parallel image pulls would prevent image pulling from consuming
+too much network bandwidth or disk I/O, when parallel image pulling is enabled.
+-->
+当启用并行镜像拉取时，限制并行镜像拉取的数量可以防止镜像拉取消耗过多的网络带宽或磁盘 I/O。
+
+<!--
+You can set `maxParallelImagePulls` to a positive number that is greater than or
+equal to 1. If you set `maxParallelImagePulls` to be greater than or equal to 2, you
+must set the `serializeImagePulls` to false. The kubelet will fail to start with invalid
+`maxParallelImagePulls` settings.
+-->
+你可以将 `maxParallelImagePulls` 设置为大于或等于 1 的正数。
+如果将 `maxParallelImagePulls` 设置为大于等于 2，则必须将 `serializeImagePulls` 设置为 false。
+kubelet 在无效的 `maxParallelImagePulls` 设置下会启动失败。
+
 <!--
 ## Multi-architecture images with image indexes
 
@@ -327,7 +412,7 @@ YAML 文件也能兼容。
 <!--
 ## Using a private registry
 
-Private registries may require keys to read images from them.  
+Private registries may require keys to read images from them.
 Credentials can be provided in several ways:
 -->
 ## 使用私有仓库   {#using-a-private-registry}
@@ -340,7 +425,7 @@ Credentials can be provided in several ways:
   - all pods can read any configured private registries
   - requires node configuration by cluster administrator
 - Kubelet Credential Provider to dynamically fetch credentials for private registries
-  - kubelet can be configured to use credential provider exec plugin 
+  - kubelet can be configured to use credential provider exec plugin
     for the respective private registry.
 - Pre-pulled Images
   - all pods can use any images cached on a node
@@ -376,7 +461,7 @@ These options are explained in more detail below.
 Specific instructions for setting credentials depends on the container runtime and registry you
 chose to use. You should refer to your solution's documentation for the most accurate information.
 -->
-### 配置 Node 对私有仓库认证 {#configuring-nodes-to-authenticate-to-a-private-registry}
+### 配置 Node 对私有仓库认证  {#configuring-nodes-to-authenticate-to-a-private-registry}
 
 设置凭据的具体说明取决于你选择使用的容器运行时和仓库。
 你应该参考解决方案的文档来获取最准确的信息。
@@ -390,6 +475,11 @@ task. That example uses a private registry in Docker Hub.
 请参阅任务[从私有镜像库中拉取镜像](/zh-cn/docs/tasks/configure-pod-container/pull-image-private-registry)。
 该示例使用 Docker Hub 中的私有镜像仓库。
 
+<!--
+### Kubelet credential provider for authenticated image pulls {#kubelet-credential-provider}
+-->
+### 用于认证镜像拉取的 kubelet 凭据提供程序  {#kubelet-credential-provider}
+
 {{< note >}}
 <!--
 This approach is especially suitable when kubelet needs to fetch registry credentials dynamically.
@@ -470,7 +560,7 @@ term:
     c           匹配字符 c （c 不为 '*', '?', '\\', '['）
     '\\' c      匹配字符 c
 
-字符范围: 
+字符范围:
     c           匹配字符 c （c 不为 '\\', '?', '-', ']'）
     '\\' c      匹配字符 c
     lo '-' hi   匹配字符范围在 lo 到 hi 之间字符
@@ -600,7 +690,7 @@ kubectl create secret docker-registry <name> \
 <!--
 If you already have a Docker credentials file then, rather than using the above
 command, you can import the credentials file as a Kubernetes
-{{< glossary_tooltip text="Secrets" term_id="secret" >}}.  
+{{< glossary_tooltip text="Secrets" term_id="secret" >}}.
 [Create a Secret based on existing Docker credentials](/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials)
 explains how to set this up.
 -->