Merge pull request #41242 from my-git9/path-23714

[zh-cn] sync config-api/apiserver-audit.v1.md
2023-05-21 16:42:20 -07:00 · 2023-05-21 16:42:20 -07:00 · 4ba80f7f2f
parent c39945d514 e0b2eb65ab
commit 4ba80f7f2f
1 changed files with 91 additions and 65 deletions
--- a/content/zh-cn/docs/reference/config-api/apiserver-audit.v1.md
+++ b/content/zh-cn/docs/reference/config-api/apiserver-audit.v1.md
@ -69,8 +69,8 @@ Event 结构包含可出现在 API 审计日志中的所有信息。
 <a href="#audit-k8s-io-v1-Stage"><code>Stage</code></a>
 </td>
 <td>
-   <!--Stage of the request handling when this event instance was generated.-->
   <p>
+   <!--Stage of the request handling when this event instance was generated.-->
   生成此事件时请求的处理阶段。
   </p>
 </td>
@ -80,8 +80,8 @@ Event 结构包含可出现在 API 审计日志中的所有信息。
 <code>string</code>
 </td>
 <td>
-   <!--RequestURI is the request URI as sent by the client to a server.-->
   <p>
+   <!--RequestURI is the request URI as sent by the client to a server.-->
   requestURI 是客户端发送到服务器端的请求 URI。
   </p>
 </td>
@ -92,9 +92,11 @@ Event 结构包含可出现在 API 审计日志中的所有信息。
 <code>string</code>
 </td>
 <td>
-   <!--Verb is the kubernetes verb associated with the request.
-   For non-resource requests, this is the lower-cased HTTP method.-->
   <p>
+   <!--
+   Verb is the kubernetes verb associated with the request.
+   For non-resource requests, this is the lower-cased HTTP method.
+   -->
   verb 是与请求对应的 Kubernetes 动词。对于非资源请求，此字段为 HTTP 方法的小写形式。
   </p>
 </td>
@ -104,8 +106,8 @@ Event 结构包含可出现在 API 审计日志中的所有信息。
 <a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#userinfo-v1-authentication"><code>authentication/v1.UserInfo</code></a>
 </td>
 <td>
-   <!--Authenticated user information.-->
   <p>
+   <!--Authenticated user information.-->
   关于认证用户的信息。
   </p>
 </td>
@ -115,8 +117,8 @@ Event 结构包含可出现在 API 审计日志中的所有信息。
 <a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#userinfo-v1-authentication"><code>authentication/v1.UserInfo</code></a>
 </td>
 <td>
-   <!--Impersonated user information.-->
   <p>
+   <!--Impersonated user information.-->
   关于所伪装（impersonated）的用户的信息。
   </p>
 </td>
@ -126,11 +128,11 @@ Event 结构包含可出现在 API 审计日志中的所有信息。
 <code>[]string</code>
 </td>
 <td>
+   <p>
   <!--
   Source IPs, from where the request originated and intermediate proxies.
   The source IPs are listed from (in order):
   -->
-   <p>
   发起请求和中间代理的源 IP 地址。
   源 IP 从以下（按顺序）列出：
   </p>
@ -165,9 +167,9 @@ Note: All but the last IP can be arbitrarily set by the client.
 <code>string</code>
 </td>
 <td>
+   <p>
   <!--UserAgent records the user agent string reported by the client.
   Note that the UserAgent is provided by the client, and must not be trusted.-->
-   <p>
   userAgent 中记录客户端所报告的用户代理（User Agent）字符串。
   注意 userAgent 信息是由客户端提供的，一定不要信任。
   </p>
@ -178,9 +180,9 @@ Note: All but the last IP can be arbitrarily set by the client.
 <a href="#audit-k8s-io-v1-ObjectReference"><code>ObjectReference</code></a>
 </td>
 <td>
+   <p>
   <!-- Object reference this request is targeted at.
   Does not apply for List-type requests, or non-resource requests.-->
-   <p>
   此请求所指向的对象引用。对于 List 类型的请求或者非资源请求，此字段可忽略。
   </p>
 </td>
@ -190,10 +192,10 @@ Note: All but the last IP can be arbitrarily set by the client.
 <a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#status-v1-meta"><code>meta/v1.Status</code></a>
 </td>
 <td>
+   <p>
   <!--The response status, populated even when the ResponseObject is not a Status type.
   For successful responses, this will only include the Code and StatusSuccess.
   For non-status type error responses, this will be auto-populated with the error Message.-->
-   <p>
   响应的状态，当 responseObject 不是 Status 类型时被赋值。
   对于成功的请求，此字段仅包含 code 和 statusSuccess。
   对于非 Status 类型的错误响应，此字段会被自动赋值为出错信息。
@ -205,11 +207,13 @@ Note: All but the last IP can be arbitrarily set by the client.
 <a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/runtime#Unknown"><code>k8s.io/apimachinery/pkg/runtime.Unknown</code></a>
 </td>
 <td>
-   <!--API object from the request, in JSON format. The RequestObject is recorded as-is in the request
-(possibly re-encoded as JSON), prior to version conversion, defaulting, admission or
-merging. It is an external versioned object type, and may not be a valid object on its own.
-Omitted for non-resource requests.  Only logged at Request Level and higher.-->
   <p>
+   <!--
+   API object from the request, in JSON format. The RequestObject is recorded as-is in the request
+   (possibly re-encoded as JSON), prior to version conversion, defaulting, admission or
+   merging. It is an external versioned object type, and may not be a valid object on its own.
+    Omitted for non-resource requests.  Only logged at Request Level and higher.
+   -->
   来自请求的 API 对象，以 JSON 格式呈现。requestObject 在请求中按原样记录
   （可能会采用 JSON 重新编码），之后会进入版本转换、默认值填充、准入控制以及
   配置信息合并等阶段。此对象为外部版本化的对象类型，甚至其自身可能并不是一个
@ -224,10 +228,12 @@ Omitted for non-resource requests.  Only logged at Request Level and higher.-->
 <a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/runtime#Unknown"><code>k8s.io/apimachinery/pkg/runtime.Unknown</code></a>
 </td>
 <td>
-   <!--API object returned in the response, in JSON. The ResponseObject is recorded after conversion
-to the external type, and serialized as JSON.  Omitted for non-resource requests.  Only logged
-at Response Level.-->
   <p>
+   <!--
+   API object returned in the response, in JSON. The ResponseObject is recorded after conversion
+   to the external type, and serialized as JSON.  Omitted for non-resource requests.  Only logged
+   at Response Level.
+   -->
   响应中包含的 API 对象，以 JSON 格式呈现。requestObject 是在被转换为外部类型
   并序列化为 JSON 格式之后才被记录的。
   对于非资源请求，此字段会被忽略。
@ -251,8 +257,8 @@ at Response Level.-->
 <a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#microtime-v1-meta"><code>meta/v1.MicroTime</code></a>
 </td>
 <td>
-   <!--Time the request reached current audit stage.-->
   <p>
+   <!--Time the request reached current audit stage.-->
   请求到达当前审计阶段时的时间。
   </p>
 </td>
@ -262,13 +268,15 @@ at Response Level.-->
 <code>map[string]string</code>
 </td>
 <td>
-   <!--Annotations is an unstructured key value map stored with an audit event that may be set by
+   <p>
+   <!--
+   Annotations is an unstructured key value map stored with an audit event that may be set by
   plugins invoked in the request serving chain, including authentication, authorization and
   admission plugins. Note that these annotations are for the audit event, and do not correspond
   to the metadata.annotations of the submitted object. Keys should uniquely identify the informing
   component to avoid name collisions (e.g. podsecuritypolicy.admission.k8s.io/policy). Values
-   should be short. Annotations are included in the Metadata level.-->
-   <p>
+   should be short. Annotations are included in the Metadata level.
+   -->
   annotations 是一个无结构的键-值映射，其中保存的是一个审计事件。
   该事件可以由请求处理链路上的插件来设置，包括身份认证插件、鉴权插件以及
   准入控制插件等。
@ -286,10 +294,10 @@ at Response Level.-->

 ## `EventList`     {#audit-k8s-io-v1-EventList}

+<p>
 <!--    
 EventList is a list of audit Events.
 -->
-<p>
 EventList 是审计事件（Event）的列表。
 </p>

@ -327,11 +335,11 @@ EventList 是审计事件（Event）的列表。

 - [PolicyList](#audit-k8s-io-v1-PolicyList)

+<p>
 <!--
 Policy defines the configuration of audit logging, and the rules for how different request
 categories are logged.
 -->
-<p>
 Policy 定义的是审计日志的配置以及不同类型请求的日志记录规则。
 </p>

@ -346,10 +354,11 @@ Policy 定义的是审计日志的配置以及不同类型请求的日志记录
 <a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#objectmeta-v1-meta"><code>meta/v1.ObjectMeta</code></a>
 </td>
 <td>
-   <!--ObjectMeta is included for interoperability with API infrastructure.Refer to the Kubernetes API documentation for the fields of the <code>metadata</code> field.-->
   <p>
+   <!--ObjectMeta is included for interoperability with API infrastructure.-->
   包含 <code>metadata</code> 字段是为了便于与 API 基础设施之间实现互操作。
   </p>
+   <!--Refer to the Kubernetes API documentation for the fields of the <code>metadata</code> field.-->
   参考 Kubernetes API 文档了解 <code>metadata</code> 字段的详细信息。
 </td>
 </tr>
@ -358,11 +367,12 @@ Policy 定义的是审计日志的配置以及不同类型请求的日志记录
 <a href="#audit-k8s-io-v1-PolicyRule"><code>[]PolicyRule</code></a>
 </td>
 <td>
+   <p>
   <!--Rules specify the audit Level a request should be recorded at.
 A request may match multiple rules, in which case the FIRST matching rule is used.
 The default audit level is None, but can be overridden by a catch-all rule at the end of the list.
-PolicyRules are strictly ordered.-->
-   <p>
+PolicyRules are strictly ordered.
+   -->
   字段 rules 设置请求要被记录的审计级别（level）。
   每个请求可能会与多条规则相匹配；发生这种状况时遵从第一条匹配规则。
   默认的审计级别是 None，不过可以在列表的末尾使用一条全抓（catch-all）规则
@ -376,9 +386,11 @@ PolicyRules are strictly ordered.-->
 <a href="#audit-k8s-io-v1-Stage"><code>[]Stage</code></a>
 </td>
 <td>
-   <!--OmitStages is a list of stages for which no events are created. Note that this can also
-   be specified per rule in which case the union of both are omitted.-->
   <p>
+   <!--
+   OmitStages is a list of stages for which no events are created. Note that this can also
+   be specified per rule in which case the union of both are omitted.
+   -->
   字段 omitStages 是一个阶段（Stage）列表，其中包含无须生成事件的阶段。
   注意这一选项也可以通过每条规则来设置。
   审计组件最终会忽略出现在 omitStages 中阶段，也会忽略规则中的阶段。
@ -393,6 +405,7 @@ PolicyRules are strictly ordered.-->
 <code>bool</code>
 </td>
 <td>
+<p>
 <!--
 OmitManagedFields indicates whether to omit the managed fields of the request
 and response bodies from being written to the API audit log.
@ -401,7 +414,6 @@ otherwise the managed fields will be included in the API audit log.
 Note that this can also be specified per rule in which case the value specified
 in a rule will override the global default.
 -->
-<p>
 omitManagedFields 标明将请求和响应主体写入 API 审计日志时，是否省略其托管字段。
 此字段值用作全局默认值 - 'true' 值将省略托管字段，否则托管字段将包含在 API 审计日志中。
 请注意，也可以按规则指定此值，在这种情况下，规则中指定的值将覆盖全局默认值。
@ -482,25 +494,27 @@ GroupResources 代表的是某 API 组中的资源类别。
 <td>
 <!--
 Resources is a list of resources this rule applies to.
-For example:
-'pods' matches pods.
-'pods/log' matches the log subresource of pods.
-'&lowast;' matches all resources and their subresources.
-'pods/&lowast;' matches all subresources of pods.
-'&lowast;/scale' matches all scale subresources.
+<p>For example:</p>
+<ul>
+<li><code>pods</code> matches pods.</li>
+<li><code>pods/log</code> matches the log subresource of pods.</li>
+<li><code>&ast;<code> matches all resources and their subresources.</li>
+<li><code>pods/&ast;</code> matches all subresources of pods.</li>
+<li><code>&ast;/scale</code> matches all scale subresources.</li>
+</ul>
 -->
   <p>
   字段 resources 是此规则所适用的资源的列表。
   </p>
   <br/>
-   <p>
-   例如：<br/>
-   'pods' 匹配 Pods；<br/>
-   'pods/log' 匹配 Pods 的 log 子资源；<br/>
-   '&lowast;' 匹配所有资源及其子资源；<br/>
-   'pods/&lowast;' 匹配 Pods 的所有子资源；<br/>
-   '&lowast;/scale' 匹配所有的 scale 子资源。<br/><br/>
-   </p>
+  <p>例如：</p>
+  <ul>
+  <li><code>pods</code> 匹配 Pod；</li>
+  <li><code>pods/log</code> 匹配 Pod 的 log 子资源；</li>
+  <li><code>&ast;<code> 匹配所有资源及其子资源；</li>
+  <li><code>pods/&ast;</code> 匹配 Pod 的所有子资源；</li>
+  <li><code>&ast;/scale</code> 匹配所有的 scale 子资源。</li>
+  </ul>

   <!--If wildcard is present, the validation rule will ensure resources do not
   overlap with each other.
@ -520,10 +534,12 @@ For example:
 <code>[]string</code>
 </td>
 <td>
-   <!--ResourceNames is a list of resource instance names that the policy matches.
-   Using this field requires Resources to be specified.
-   An empty list implies that every instance of the resource is matched.-->
   <p>
+   <!--
+   ResourceNames is a list of resource instance names that the policy matches.
+   Using this field requires Resources to be specified.
+   An empty list implies that every instance of the resource is matched.
+   -->
   字段 resourceNames 是策略将匹配的资源实例名称列表。
   使用此字段时，<code>resources</code> 必须指定。
   空的 resourceNames 列表意味着资源的所有实例都会匹配到此策略。
@ -658,11 +674,11 @@ ObjectReference 包含的是用来检查或修改所引用对象时将需要的

 - [Policy](#audit-k8s-io-v1-Policy)

+<p>
 <!--
 PolicyRule maps requests based off metadata to an audit Level.
 Requests must match the rules of every field (an intersection of rules).
 -->
-<p>
 PolicyRule 包含一个映射，基于元数据将请求映射到某审计级别。
 请求必须与每个字段所定义的规则都匹配（即 rules 的交集）才被视为匹配。
 </p>
@ -686,9 +702,9 @@ PolicyRule 包含一个映射，基于元数据将请求映射到某审计级别
 <code>[]string</code>
 </td>
 <td>
+   <p>
   <!--The users (by authenticated user name) this rule applies to.
   An empty list implies every user.-->
-   <p>
   根据身份认证所确定的用户名的列表，给出此规则所适用的用户。
   空列表意味着适用于所有用户。
   </p>
@ -699,10 +715,10 @@ PolicyRule 包含一个映射，基于元数据将请求映射到某审计级别
 <code>[]string</code>
 </td>
 <td>
+   <p>
   <!--The user groups this rule applies to. A user is considered matching
   if it is a member of any of the UserGroups.
   An empty list implies every user group.-->
-   <p>
   此规则所适用的用户组的列表。如果用户是所列用户组中任一用户组的成员，则视为匹配。
   空列表意味着适用于所有用户组。
   </p>
@ -713,9 +729,11 @@ PolicyRule 包含一个映射，基于元数据将请求映射到某审计级别
 <code>[]string</code>
 </td>
 <td>
-   <!--The verbs that match this rule.
-   An empty list implies every verb.-->
   <p>
+   <!--
+   The verbs that match this rule.
+   An empty list implies every verb.
+   -->
   此规则所适用的动词（verb）列表。
   空列表意味着适用于所有动词。
   </p>
@ -738,10 +756,10 @@ PolicyRule 包含一个映射，基于元数据将请求映射到某审计级别
 <code>[]string</code>
 </td>
 <td>
+   <p>
   <!--Namespaces that this rule matches.
   The empty string &quot;&quot; matches non-namespaced resources.
   An empty list implies every namespace.-->
-   <p>
   此规则所适用的名字空间列表。
   空字符串（&quot;&quot;）意味着适用于非名字空间作用域的资源。
   空列表意味着适用于所有名字空间。
@ -753,18 +771,24 @@ PolicyRule 包含一个映射，基于元数据将请求映射到某审计级别
 <code>[]string</code>
 </td>
 <td>
-   <!--NonResourceURLs is a set of URL paths that should be audited.
-   &lowast;s are allowed, but only as the full, final step in the path.
-   Examples:
-   "/metrics" - Log requests for apiserver metrics
-   "/healthz&lowast;" - Log all health checks-->
+   <!--
+   NonResourceURLs is a set of URL paths that should be audited.
+   <code>&ast;<code>s are allowed, but only as the full, final step in the path.
+   Examples:</p>
+   <ul>
+   <li>&quot;/metrics&quot; - Log requests for apiserver metrics</li>
+   <li>&quot;/healthz&ast;&quot; - Log all health checks</li>
+   </ul>
+   -->
+
   <p>
   字段 nonResourceURLs 给出一组需要被审计的 URL 路径。
-   允许使用 &lowast;，但只能作为路径中最后一个完整分段。<br/>
-   例如：<br/>
-   "/metrics" - 记录对 API 服务器度量值（metrics）的所有请求；<br/>
-   "/healthz&lowast;" - 记录所有健康检查请求。
+   允许使用 <code>&ast;<code>s，但只能作为路径中最后一个完整分段。
+   例如：
   </p>
+   <li>&quot;/metrics&quot; - 记录对 API 服务器度量值（metrics）的所有请求；</li>
+   <li>&quot;/healthz&ast;&quot; - 记录所有健康检查请求。</li>
+   </ul>
 </td>
 </tr>

@ -772,10 +796,12 @@ PolicyRule 包含一个映射，基于元数据将请求映射到某审计级别
 <a href="#audit-k8s-io-v1-Stage"><code>[]Stage</code></a>
 </td>
 <td>
-   <!--OmitStages is a list of stages for which no events are created. Note that this can also
-   be specified policy wide in which case the union of both are omitted.
-   An empty list means no restrictions will apply.-->
   <p>
+   <!--
+   OmitStages is a list of stages for which no events are created. Note that this can also
+   be specified policy wide in which case the union of both are omitted.
+   An empty list means no restrictions will apply.
+   -->
   字段 omitStages 是一个阶段（Stage）列表，针对所列的阶段服务器不会生成审计事件。
   注意这一选项也可以在策略（Policy）级别指定。服务器审计组件会忽略
   omitStages 中给出的阶段，也会忽略策略中给出的阶段。
@ -832,10 +858,10 @@ PolicyRule 包含一个映射，基于元数据将请求映射到某审计级别
 - [Policy](#audit-k8s-io-v1-Policy)
 - [PolicyRule](#audit-k8s-io-v1-PolicyRule)

+<p>
 <!--
 Stage defines the stages in request handling that audit events may be generated.
 -->
-<p>
 Stage 定义在请求处理过程中可以生成审计事件的阶段。
 </p>