[zh-cn] sync extend-kubernetes node-pressure-eviction pod-security-admission

Signed-off-by: xin.li <xin.li@daocloud.io>
2023-10-29 15:08:34 +08:00 · 2023-10-29 15:08:34 +08:00 · 56be6577cb
parent ee45ad0072
commit 56be6577cb
3 changed files with 37 additions and 18 deletions
--- a/content/zh-cn/docs/concepts/extend-kubernetes/_index.md
+++ b/content/zh-cn/docs/concepts/extend-kubernetes/_index.md
@ -209,7 +209,7 @@ clients that access it.

 <!-- image source: https://docs.google.com/drawings/d/1k2YdJgNTtNfW7_A8moIIkij-DmVgEhNrn3y2OODwqQQ/view -->

-{{< figure src="/docs/concepts/extend-kubernetes/extension-points.png"
+{{< figure src="/docs/concepts/extend-kubernetes/extension-points.svg"
    alt="用符号表示的七个编号的 Kubernetes 扩展点"
    class="diagram-large" caption="Kubernetes 扩展点" >}}

@ -445,8 +445,8 @@ allows calling out to custom code that makes an authorization decision.
 换言之，它不会基于对象的特定字段作出不同的判决。

 如果内置的鉴权选项无法满足你的需要，
-你可以使用[鉴权 Webhook](/zh-cn/docs/reference/access-authn-authz/webhook/) 来调用用户提供的代码，
-执行定制的鉴权决定。
+你可以使用[鉴权 Webhook](/zh-cn/docs/reference/access-authn-authz/webhook/)
+来调用用户提供的代码，执行定制的鉴权决定。

 <!--
 ### Dynamic admission control
@ -645,4 +645,3 @@ not available through the webhook integration.
 * 进一步了解[扩展 API 服务器](/zh-cn/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/)
 * 进一步了解[动态准入控制](/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/)
 * 进一步了解 [Operator 模式](/zh-cn/docs/concepts/extend-kubernetes/operator/)
-
--- a/content/zh-cn/docs/concepts/scheduling-eviction/node-pressure-eviction.md
+++ b/content/zh-cn/docs/concepts/scheduling-eviction/node-pressure-eviction.md
@ -196,23 +196,19 @@ kubelet 会自动发现这些文件系统并忽略节点本地的其它文件系
 <!--
 Some kubelet garbage collection features are deprecated in favor of eviction:

-| Existing Flag | New Flag | Rationale |
-| ------------- | -------- | --------- |
-| `--image-gc-high-threshold` | `--eviction-hard` or `--eviction-soft` | existing eviction signals can trigger image garbage collection |
-| `--image-gc-low-threshold` | `--eviction-minimum-reclaim` | eviction reclaims achieve the same behavior |
-| `--maximum-dead-containers` | - | deprecated once old logs are stored outside of container's context |
-| `--maximum-dead-containers-per-container` | - | deprecated once old logs are stored outside of container's context |
-| `--minimum-container-ttl-duration` | - | deprecated once old logs are stored outside of container's context |
+| Existing Flag | Rationale |
+| ------------- | --------- |
+| `--maximum-dead-containers` | deprecated once old logs are stored outside of container's context |
+| `--maximum-dead-containers-per-container` | deprecated once old logs are stored outside of container's context |
+| `--minimum-container-ttl-duration` | deprecated once old logs are stored outside of container's context |
 -->
 一些 kubelet 垃圾收集功能已被弃用，以鼓励使用驱逐机制。

-| 现有标志 | 新的标志 | 原因 |
-| ------------- | -------- | --------- |
-| `--image-gc-high-threshold` | `--eviction-hard` 或 `--eviction-soft` | 现有的驱逐信号可以触发镜像垃圾收集 |
-| `--image-gc-low-threshold` | `--eviction-minimum-reclaim` | 驱逐回收具有相同的行为 |
-| `--maximum-dead-containers` | - | 一旦旧的日志存储在容器的上下文之外就会被弃用 |
-| `--maximum-dead-containers-per-container` | - | 一旦旧的日志存储在容器的上下文之外就会被弃用 |
-| `--minimum-container-ttl-duration` | - | 一旦旧的日志存储在容器的上下文之外就会被弃用 |
+| 现有标志                                   | 原因                                  |
+| ----------------------------------------- |  ----------------------------------- |
+| `--maximum-dead-containers`               | 一旦旧的日志存储在容器的上下文之外就会被弃用 |
+| `--maximum-dead-containers-per-container` | 一旦旧的日志存储在容器的上下文之外就会被弃用 |
+| `--minimum-container-ttl-duration`        | 一旦旧的日志存储在容器的上下文之外就会被弃用 |

 <!--
 ### Eviction thresholds
--- a/content/zh-cn/docs/concepts/security/pod-security-admission.md
+++ b/content/zh-cn/docs/concepts/security/pod-security-admission.md
@ -246,6 +246,30 @@ current policy level:
 - 对 `.spec.activeDeadlineSeconds` 的合法更新
 - 对 `.spec.tolerations` 的合法更新

+<!--
+## Metrics
+
+Here are the Prometheus metrics exposed by kube-apiserver:
+-->
+## 指标   {#metrics}
+
+以下是 kube-apiserver 公开的 Prometheus 指标：
+
+<!--
+- `pod_security_errors_total`: This metric indicates the number of errors preventing normal evaluation.
+  Non-fatal errors may result in the latest restricted profile being used for enforcement.
+- `pod_security_evaluations_total`: This metric indicates the number of policy evaluations that have occurred,
+  not counting ignored or exempt requests during exporting.
+- `pod_security_exemptions_total`: This metric indicates the number of exempt requests, not counting ignored
+  or out of scope requests.
+-->
+- `pod_security_errors_total`：此指标表示妨碍正常评估的错误数量。
+  如果错误是非致命的，kube-apiserver 可能会强制实施最新的受限配置。
+- `pod_security_evaluations_total`：此指标表示已发生的策略评估的数量，
+  不包括导出期间被忽略或豁免的请求。
+- `pod_security_exemptions_total`：该指标表示豁免请求的数量，
+  不包括被忽略或超出范围的请求。
+
 ## {{% heading "whatsnext" %}}

 <!--