From 31c962cec86463b7eabb7609a6d975ab88e60d33 Mon Sep 17 00:00:00 2001
From: xin gu <418294249@qq.com>
Date: Tue, 7 May 2024 17:16:31 +0800
Subject: [PATCH] sync control-plane-flags encrypt-data

Update encrypt-data.md
---
 .../tools/kubeadm/control-plane-flags.md      |  6 ++--
 .../tasks/administer-cluster/encrypt-data.md  | 28 ++++++++++++++++---
 2 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/content/zh-cn/docs/setup/production-environment/tools/kubeadm/control-plane-flags.md b/content/zh-cn/docs/setup/production-environment/tools/kubeadm/control-plane-flags.md
index 638c13405f..bbfcf2101f 100644
--- a/content/zh-cn/docs/setup/production-environment/tools/kubeadm/control-plane-flags.md
+++ b/content/zh-cn/docs/setup/production-environment/tools/kubeadm/control-plane-flags.md
@@ -275,19 +275,19 @@ For example, `kube-apiserver0+merge.yaml` or just `etcd.json`.
 <!--
 - `target` can be one of `kube-apiserver`, `kube-controller-manager`, `kube-scheduler`, `etcd`
 and `kubeletconfiguration`.
+- `suffix` is an optional string that can be used to determine which patches are applied first
+alpha-numerically.
 - `patchtype` can be one of `strategic`, `merge` or `json` and these must match the patching formats
 [supported by kubectl](/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch).
 The default `patchtype` is `strategic`.
 - `extension` must be either `json` or `yaml`.
-- `suffix` is an optional string that can be used to determine which patches are applied first
-alpha-numerically.
 -->
 - `target` 可以是 `kube-apiserver`、`kube-controller-manager`、`kube-scheduler`、`etcd` 和 `kubeletconfiguration` 之一。
+- `suffix` 是一个可选字符串，可用于确定首先按字母数字应用哪些补丁。
 - `patchtype` 可以是 `strategy`、`merge` 或 `json` 之一，并且这些必须匹配
   [kubectl 支持](/zh-cn/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch) 的补丁格式。
   默认补丁类型是 `strategic` 的。
 - `extension` 必须是 `json` 或 `yaml`。
-- `suffix` 是一个可选字符串，可用于确定首先按字母数字应用哪些补丁。
 
 {{< note >}}
 <!--
diff --git a/content/zh-cn/docs/tasks/administer-cluster/encrypt-data.md b/content/zh-cn/docs/tasks/administer-cluster/encrypt-data.md
index bb510c8fa9..748456b680 100644
--- a/content/zh-cn/docs/tasks/administer-cluster/encrypt-data.md
+++ b/content/zh-cn/docs/tasks/administer-cluster/encrypt-data.md
@@ -736,7 +736,7 @@ Generate a 32-byte random key and base64 encode it. You can use this command:
 
 {{< note >}}
 <!--
-Keep the encryption key confidential, including whilst you generate it and
+Keep the encryption key confidential, including while you generate it and
 ideally even after you are no longer actively using it.
 -->
 保持加密密钥的机密性，包括在生成密钥时，甚至理想的情况下在你不再主动使用密钥后也要保密。
@@ -913,14 +913,34 @@ Kubernetes cluster has multiple control plane hosts, so there is more to do.
 
 If you have multiple API servers in your cluster, you should deploy the
 changes in turn to each API server.
-
-Make sure that you use the **same** encryption configuration on each
-control plane host.
 -->
 ### 重新配置其他控制平面主机   {#api-server-config-update-more}
 
 如果你的集群中有多个 API 服务器，应轮流将更改部署到每个 API 服务器。
 
+{{< caution >}}
+<!--
+For cluster configurations with two or more control plane nodes, the encryption configuration
+should be identical across each control plane node.
+
+If there is a difference in the encryption provider configuration between control plane
+nodes, this difference may mean that the kube-apiserver can't decrypt data.
+-->
+对于具有两个或更多控制平面节点的集群配置，每个控制平面节点的加密配置应该是相同的。
+
+如果控制平面节点间的加密驱动配置不一致，这种差异可能导致 kube-apiserver 无法解密数据。
+{{< /caution >}}
+
+<!--
+When you are planning to update the encryption configuration of your cluster, plan this
+so that the API servers in your control plane can always decrypt the stored data
+(even part way through rolling out the change).
+
+Make sure that you use the **same** encryption configuration on each
+control plane host.
+-->
+你在计划更新集群的加密配置时，请确保控制平面中的 API 服务器在任何时候都能解密存储的数据（即使是在更改逐步实施的过程中也是如此）。
+
 确保在每个控制平面主机上使用**相同的**加密配置。
 
 <!--