diff --git a/content/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md b/content/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
index df303140ce..2004388301 100644
--- a/content/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
+++ b/content/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
@@ -15,11 +15,10 @@ weight: 10
 
 {{< feature-state for_k8s_version="v1.15" state="stable" >}}
 
-<!-- 
-Client certificates generated by [kubeadm](/docs/reference/setup-tools/kubeadm/) expire after 1 year. 
+<!--
+Client certificates generated by [kubeadm](/docs/reference/setup-tools/kubeadm/) expire after 1 year.
 This page explains how to manage certificate renewals with kubeadm. It also covers other tasks related
 to kubeadm certificate management.
-
 -->
 由 [kubeadm](/zh/docs/reference/setup-tools/kubeadm/) 生成的客户端证书在 1 年后到期。
 本页说明如何使用 kubeadm 管理证书续订，同时也涵盖其他与 kubeadm 证书管理相关的说明。
@@ -42,16 +41,16 @@ You can override this behavior by providing your own certificates.
 
 ## 使用自定义的证书 {#custom-certificates}
 
-默认情况下, kubeadm 会生成运行一个集群所需的全部证书。
+默认情况下，kubeadm 会生成运行一个集群所需的全部证书。
 你可以通过提供你自己的证书来改变这个行为策略。
 
 <!--
 To do so, you must place them in whatever directory is specified by the
-`--cert-dir` flag or the `CertificatesDir`field of kubeadm's `ClusterConfiguration` . By default this
-is `/etc/kubernetes/pki`.
+`--cert-dir` flag or the `certificatesDir` field of kubeadm's `ClusterConfiguration`.
+By default this is `/etc/kubernetes/pki`.
 -->
-如果要这样做, 你必须将证书文件放置在通过 `--cert-dir` 命令行参数或者 kubeadm 配置中的
-`CertificatesDir` 配置项指明的目录中。默认的值是 `/etc/kubernetes/pki`。
+如果要这样做，你必须将证书文件放置在通过 `--cert-dir` 命令行参数或者 kubeadm 配置中的
+`certificatesDir` 配置项指明的目录中。默认的值是 `/etc/kubernetes/pki`。
 
 <!--
 If a given certificate and private key pair exists before running `kubeadm init`,
@@ -60,7 +59,7 @@ CA into `/etc/kubernetes/pki/ca.crt` and `/etc/kubernetes/pki/ca.key`,
 and kubeadm will use this CA for signing the rest of the certificates.
 -->
 如果在运行 `kubeadm init` 之前存在给定的证书和私钥对，kubeadm 将不会重写它们。
-例如，这意味着您可以将现有的 CA 复制到 `/etc/kubernetes/pki/ca.crt` 和
+例如，这意味着你可以将现有的 CA 复制到 `/etc/kubernetes/pki/ca.crt` 和
 `/etc/kubernetes/pki/ca.key` 中，而 kubeadm 将使用此 CA 对其余证书进行签名。
 
 <!--
@@ -69,7 +68,8 @@ and kubeadm will use this CA for signing the rest of the certificates.
 It is also possible to provide only the `ca.crt` file and not the
 `ca.key` file (this is only available for the root CA file, not other cert pairs).
 If all other certificates and kubeconfig files are in place, kubeadm recognizes
-this condition and activates the "External CA" mode. kubeadm will proceed without the CA key on disk.
+this condition and activates the "External CA" mode. kubeadm will proceed without the
+CA key on disk.
 -->
 
 ## 外部 CA 模式 {#external-ca-mode}
@@ -83,7 +83,7 @@ this condition and activates the "External CA" mode. kubeadm will proceed withou
 Instead, run the controller-manager standalone with `--controllers=csrsigner` and
 point to the CA certificate and key.
 -->
-否则, kubeadm 将独立运行 controller-manager，附加一个
+否则，kubeadm 将独立运行 controller-manager，附加一个
 `--controllers=csrsigner` 的参数，并且指明 CA 证书和密钥。
 
 <!--
@@ -92,12 +92,12 @@ setting up a cluster to use an external CA.
 -->
 [PKI 证书和要求](/zh/docs/setup/best-practices/certificates/)包括集群使用外部 CA 的设置指南。
 
-<!-- 
-## Check certificate expiration 
+<!--
+## Check certificate expiration
 
 You can use the `check-expiration` subcommand to check when certificates expire:
 -->
-## 检查证书是否过期
+## 检查证书是否过期 {#check-certificate-expiration}
 
 你可以使用 `check-expiration` 子命令来检查证书何时过期
 
@@ -105,8 +105,8 @@ You can use the `check-expiration` subcommand to check when certificates expire:
 kubeadm certs check-expiration
 ```
 
-<!-- 
-The output is similar to this: 
+<!--
+The output is similar to this:
 -->
 输出类似于以下内容：
 
@@ -129,17 +129,17 @@ etcd-ca                 Dec 28, 2029 23:36 UTC   9y              no
 front-proxy-ca          Dec 28, 2029 23:36 UTC   9y              no
 ```
 
-<!-- 
-The command shows expiration/residual time for the client certificates in the `/etc/kubernetes/pki` folder and for the client certificate embedded in the KUBECONFIG files used by kubeadm (`admin.conf`, `controller-manager.conf` and `scheduler.conf`). 
+<!--
+The command shows expiration/residual time for the client certificates in the `/etc/kubernetes/pki` folder and for the client certificate embedded in the KUBECONFIG files used by kubeadm (`admin.conf`, `controller-manager.conf` and `scheduler.conf`).
 -->
-该命令显示 `/etc/kubernetes/pki` 文件夹中的客户端证书以及 
-kubeadm（`admin.conf`, `controller-manager.conf` 和 `scheduler.conf`）
+该命令显示 `/etc/kubernetes/pki` 文件夹中的客户端证书以及
+kubeadm（`admin.conf`、`controller-manager.conf` 和 `scheduler.conf`）
 使用的 KUBECONFIG 文件中嵌入的客户端证书的到期时间/剩余时间。
 
-<!-- 
-Additionally, kubeadm informs the user if the certificate is externally managed; in this case, the user should take care of managing certificate renewal manually/using other tools. 
+<!--
+Additionally, kubeadm informs the user if the certificate is externally managed; in this case, the user should take care of managing certificate renewal manually/using other tools.
 -->
-另外， kubeadm 会通知用户证书是否由外部管理； 
+另外，kubeadm 会通知用户证书是否由外部管理；
 在这种情况下，用户应该小心的手动/使用其他工具来管理证书更新。
 
 <!--
@@ -149,7 +149,7 @@ Additionally, kubeadm informs the user if the certificate is externally managed;
 `kubeadm` 不能管理由外部 CA 签名的证书
 {{< /warning >}}
 
-<!-- 
+<!--
 `kubelet.conf` is not included in the list above because kubeadm configures kubelet
 for [automatic certificate renewal](/docs/tasks/tls/certificate-rotation/)
 with rotatable certificates under `/var/lib/kubelet/pki`.
@@ -158,7 +158,7 @@ To repair an expired kubelet client certificate see
 -->
 {{< note >}}
 上面的列表中没有包含 `kubelet.conf`，因为 kubeadm 将 kubelet 配置为
-[自动更新证书](/docs/tasks/tls/certificate-rotation/)。
+[自动更新证书](/zh/docs/tasks/tls/certificate-rotation/)。
 轮换的证书位于目录 `/var/lib/kubelet/pki`。
 要修复过期的 kubelet 客户端证书，请参阅
 [kubelet 客户端证书轮换失败](/zh/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/#kubelet-client-cert)。
@@ -183,35 +183,35 @@ client-key: /var/lib/kubelet/pki/kubelet-client-current.pem
 ```
 {{< /warning >}}
 
-<!-- 
+<!--
 ## Automatic certificate renewal
 
-`kubeadm` renews all the certificates during control plane [upgrade](/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-1-15/). 
+kubeadm renews all the certificates during control plane [upgrade](/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/).
 -->
 
-## 自动更新证书
+## 自动更新证书 {#automatic-certificate-renewal}
 
-`kubeadm` 会在控制面
+kubeadm 会在控制面
 [升级](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/)
 的时候更新所有证书。
 
-<!-- 
-This feature is designed for addressing the simplest use cases; 
-if you don't have specific requirements on certificate renewal and perform Kubernetes version upgrades regularly (less than 1 year in between each upgrade), kubeadm will take care of keeping your cluster up to date and reasonably secure. 
+<!--
+This feature is designed for addressing the simplest use cases;
+if you don't have specific requirements on certificate renewal and perform Kubernetes version upgrades regularly (less than 1 year in between each upgrade), kubeadm will take care of keeping your cluster up to date and reasonably secure.
 -->
 这个功能旨在解决最简单的用例；如果你对此类证书的更新没有特殊要求，
 并且定期执行 Kubernetes 版本升级（每次升级之间的间隔时间少于 1 年），
 则 kubeadm 将确保你的集群保持最新状态并保持合理的安全性。
 
-<!-- 
+<!--
 It is a best practice to upgrade your cluster frequently in order to stay secure.
 -->
 {{< note >}}
 最佳的做法是经常升级集群以确保安全。
 {{< /note >}}
 
-<!-- 
-If you have more complex requirements for certificate renewal, you can opt out from the default behavior by passing `--certificate-renewal=false` to `kubeadm upgrade apply` or to `kubeadm upgrade node`. 
+<!--
+If you have more complex requirements for certificate renewal, you can opt out from the default behavior by passing `--certificate-renewal=false` to `kubeadm upgrade apply` or to `kubeadm upgrade node`.
 -->
 如果你对证书更新有更复杂的需求，则可通过将 `--certificate-renewal=false` 传递给
 `kubeadm upgrade apply` 或者 `kubeadm upgrade node`，从而选择不采用默认行为。
@@ -227,16 +227,16 @@ kubeadm 在 1.17 版本之前有一个[缺陷](https://github.com/kubernetes/kub
 在这种情况下，你需要显式地设置 `--certificate-renewal=true`。
 {{< /warning >}}
 
-<!-- 
-## Manual certificate renewal 
+<!--
+## Manual certificate renewal
 
-You can renew your certificates manually at any time with the `kubeadm certs renew` command. 
+You can renew your certificates manually at any time with the `kubeadm certs renew` command.
 -->
-## 手动更新证书
+## 手动更新证书 {#manual-certificate-renewal}
 
 你能随时通过 `kubeadm certs renew` 命令手动更新你的证书。
 
-<!-- 
+<!--
 This command performs the renewal using CA (or front-proxy-CA) certificate and key stored in `/etc/kubernetes/pki`.
 
 After running the command you should restart the control plane Pods. This is required since
@@ -249,44 +249,43 @@ The kubelet will terminate the Pod if it's no longer in the manifest directory.
 You can then move the file back and after another `fileCheckFrequency` period, the kubelet will recreate
 the Pod and the certificate renewal for the component can complete.
 -->
-此命令用 CA （或者 front-proxy-CA ）证书和存储在 `/etc/kubernetes/pki` 中的密钥执行更新。
+此命令用 CA（或者 front-proxy-CA ）证书和存储在 `/etc/kubernetes/pki` 中的密钥执行更新。
 
 执行完此命令之后你需要重启控制面 Pods。因为动态证书重载目前还不被所有组件和证书支持，所有这项操作是必须的。
 [静态 Pods](/zh/docs/tasks/configure-pod-container/static-pod/) 是被本地 kubelet 而不是 API Server 管理，
 所以 kubectl 不能用来删除或重启他们。
 要重启静态 Pod 你可以临时将清单文件从 `/etc/kubernetes/manifests/` 移除并等待 20 秒
-（参考 [KubeletConfiguration 结构](/docs/reference/config-api/kubelet-config.v1beta1/) 中的`fileCheckFrequency` 值）。
+（参考 [KubeletConfiguration 结构](/zh/docs/reference/config-api/kubelet-config.v1beta1/) 中的`fileCheckFrequency` 值）。
 如果 Pod 不在清单目录里，kubelet 将会终止它。
 在另一个 `fileCheckFrequency` 周期之后你可以将文件移回去，为了组件可以完成 kubelet 将重新创建 Pod 和证书更新。
 
-<!-- 
-If you are running an HA cluster, this command needs to be executed on all the control-plane nodes. 
+<!--
+If you are running an HA cluster, this command needs to be executed on all the control-plane nodes.
 -->
 {{< warning >}}
 如果你运行了一个 HA 集群，这个命令需要在所有控制面板节点上执行。
 {{< /warning >}}
 
-<!-- 
-` certs renew` uses the existing certificates as the authoritative source for attributes (Common Name, Organization, SAN, etc.) instead of the kubeadm-config ConfigMap. It is strongly recommended to keep them both in sync.
+<!--
+`certs renew` uses the existing certificates as the authoritative source for attributes (Common Name, Organization, SAN, etc.) instead of the kubeadm-config ConfigMap. It is strongly recommended to keep them both in sync.
 -->
 {{< note >}}
-`certs renew` 使用现有的证书作为属性 (Common Name、Organization、SAN 等) 的权威来源，
-而不是 kubeadm-config ConfigMap 。强烈建议使它们保持同步。
+`certs renew` 使用现有的证书作为属性（Common Name、Organization、SAN 等）的权威来源，
+而不是 kubeadm-config ConfigMap。强烈建议使它们保持同步。
 {{< /note >}}
 
 <!--
 `kubeadm certs renew` provides the following options:
 -->
-`kubeadm certs renew`提供以下选项：
+`kubeadm certs renew` 提供以下选项：
 
 <!--
 The Kubernetes certificates normally reach their expiration date after one year.
 -->
 Kubernetes 证书通常在一年后到期。
 
-<!-- 
-
-- `--csr-only` can be used to renew certificats with an external CA by generating certificate signing requests (without actually renewing certificates in place); see next paragraph for more information. 
+<!--
+- `--csr-only` can be used to renew certificates with an external CA by generating certificate signing requests (without actually renewing certificates in place); see next paragraph for more information.
 - It's also possible to renew a single certificate instead of all.
  -->
 
@@ -297,14 +296,14 @@ Kubernetes 证书通常在一年后到期。
 <!--
 ## Renew certificates with the Kubernetes certificates API
 
-This section provide more details about how to execute manual certificate renewal using the Kubernetes certificates API.
+This section provides more details about how to execute manual certificate renewal using the Kubernetes certificates API.
 -->
-## 用 Kubernetes 证书 API 更新证书
+## 用 Kubernetes 证书 API 更新证书 {#renew-certificates-with-the-kubernetes-certificates-api}
 
 本节提供有关如何使用 Kubernetes 证书 API 执行手动证书更新的更多详细信息。
 
-<!-- 
-These are advanced topics for users who need to integrate their organization's certificate infrastructure into a kubeadm-built cluster. If the default kubeadm configuration satisfies your needs, you should let kubeadm manage certificates instead. 
+<!--
+These are advanced topics for users who need to integrate their organization's certificate infrastructure into a kubeadm-built cluster. If the default kubeadm configuration satisfies your needs, you should let kubeadm manage certificates instead.
 -->
 {{< caution >}}
 这些是针对需要将其组织的证书基础结构集成到 kubeadm 构建的集群中的用户的高级主题。
@@ -317,10 +316,10 @@ These are advanced topics for users who need to integrate their organization's c
 The Kubernetes Certificate Authority does not work out of the box.
 You can configure an external signer such as [cert-manager](https://cert-manager.io/docs/configuration/ca/), or you can use the built-in signer.
 The built-in signer is part of [`kube-controller-manager`](/docs/reference/command-line-tools-reference/kube-controller-manager/).
-To activate the build-in signer, you must pass the `--cluster-signing-cert-file` and `--cluster-signing-key-file` flags.
+To activate the built-in signer, you must pass the `--cluster-signing-cert-file` and `--cluster-signing-key-file` flags.
 -->
 
-### 设置一个签名者（Signer）
+### 设置一个签名者（Signer） {#set-up-a-signer}
 
 Kubernetes 证书颁发机构不是开箱即用。你可以配置外部签名者，例如 [cert-manager](https://cert-manager.io/docs/configuration/ca/)，
 也可以使用内置签名者。
@@ -343,10 +342,10 @@ controllerManager:
     cluster-signing-key-file: /etc/kubernetes/pki/ca.key
 ```
 
-<!-- 
+<!--
 ### Create certificate signing requests (CSR)
 -->
-### 创建证书签名请求 (CSR)
+### 创建证书签名请求 (CSR) {#create-certificate-signing-requests-csr}
 
 <!--
 See [Create CertificateSigningRequest](/docs/reference/access-authn-authz/certificate-signing-requests/#create-certificatesigningrequest) for creating CSRs with the Kubernetes API.
@@ -357,9 +356,9 @@ See [Create CertificateSigningRequest](/docs/reference/access-authn-authz/certif
 <!--
 ## Renew certificates with external CA
 
-This section provides more details about how to execute manual certificate renewal using an external CA.
+This section provide more details about how to execute manual certificate renewal using an external CA.
 -->
-## 通过外部 CA 更新证书
+## 通过外部 CA 更新证书 {#renew-certificates-with-external-ca}
 
 本节提供有关如何使用外部 CA 执行手动更新证书的更多详细信息。
 
@@ -372,8 +371,8 @@ In kubeadm terms, any certificate that would normally be signed by an on-disk CA
 CSR 表示向 CA 请求客户的签名证书。
 在 kubeadm 术语中，通常由磁盘 CA 签名的任何证书都可以作为 CSR 生成。但是，CA 不能作为 CSR 生成。
 
-<!-- 
-### Create certificate signing requests (CSR) 
+<!--
+### Create certificate signing requests (CSR)
 
 You can create certificate signing requests with `kubeadm certs renew --csr-only`.
 
@@ -381,13 +380,13 @@ Both the CSR and the accompanying private key are given in the output.
 You can pass in a directory with `--csr-dir` to output the CSRs to the specified location.
 If `--csr-dir` is not specified, the default certificate directory (`/etc/kubernetes/pki`) is used.
 -->
-### 创建证书签名请求 (CSR)
+### 创建证书签名请求 (CSR) {#create-certificate-signing-requests-csr-1}
 
 你可以通过 `kubeadm certs renew --csr-only` 命令创建证书签名请求。
 
 CSR 和随附的私钥都在输出中给出。
 你可以传入一个带有 `--csr-dir` 的目录，将 CRS 输出到指定位置。
-如果未指定 `--csr-dir` ，则使用默认证书目录（`/etc/kubernetes/pki`）。
+如果未指定 `--csr-dir`，则使用默认证书目录（`/etc/kubernetes/pki`）。
 
 <!--
 Certificates can be renewed with `kubeadm certs renew --csr-only`.
@@ -406,7 +405,7 @@ when issuing a certificate.
 CSR 中包含一个证书的名字，域和 IP，但是未指定用法。
 颁发证书时，CA 有责任指定[正确的证书用法](/zh/docs/setup/best-practices/certificates/#all-certificates)
 
-<!-- 
+<!--
 * In `openssl` this is done with the
   [`openssl ca` command](https://superuser.com/questions/738612/openssl-ca-keyusage-extension).
 * In `cfssl` you specify
@@ -419,8 +418,8 @@ CSR 中包含一个证书的名字，域和 IP，但是未指定用法。
   [在配置文件中指定用法](https://github.com/cloudflare/cfssl/blob/master/doc/cmd/cfssl.txt#L170)
   来完成的。
 
-<!-- 
-After a certificate is signed using your preferred method, the certificate and the private key must be copied to the PKI directory (by default `/etc/kubernetes/pki`). 
+<!--
+After a certificate is signed using your preferred method, the certificate and the private key must be copied to the PKI directory (by default `/etc/kubernetes/pki`).
 -->
 使用首选方法对证书签名后，必须将证书和私钥复制到 PKI 目录（默认为 `/etc/kubernetes/pki` ）。
 
@@ -431,7 +430,7 @@ Kubeadm does not support rotation or replacement of CA certificates out of the b
 
 For more information about manual rotation or replacement of CA, see [manual rotation of CA certificates](/docs/tasks/tls/manual-rotation-of-ca-certificates/).
 -->
-## 证书机构（CA）轮换     {#certificate-authority-rotation}
+## 证书机构（CA）轮换 {#certificate-authority-rotation}
 
 kubeadm 并不直接支持对 CA 证书的轮换或者替换。
 
@@ -449,9 +448,9 @@ kubelet cannot be secured with TLS.
 To configure the kubelets in a new kubeadm cluster to obtain properly signed serving
 certificates you must pass the following minimal configuration to `kubeadm init`:
 -->
-## 启用已签名的 kubelet 服务证书   {#kubelet-serving-certs}
+## 启用已签名的 kubelet 服务证书 {#kubelet-serving-certs}
 
-默认情况下，kubeadm 所部署的 kubelet 服务证书是自签名（Self-Signed））。
+默认情况下，kubeadm 所部署的 kubelet 服务证书是自签名（Self-Signed）。
 这意味着从 [metrics-server](https://github.com/kubernetes-sigs/metrics-server)
 这类外部服务发起向 kubelet 的链接时无法使用 TLS 来完成保护。
 
@@ -501,7 +500,7 @@ These CSRs can be viewed using:
 字段 `serverTLSBootstrap` 将允许启动引导 kubelet 的服务证书，方式
 是从 `certificates.k8s.io` API 处读取。这种方式的一种局限在于这些
 证书的 CSR（证书签名请求）不能被 kube-controller-manager 中默认的
-签名组件 
+签名组件
 [`kubernetes.io/kubelet-serving`](/zh/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers)
 批准。需要用户或者第三方控制器来执行此操作。
 
@@ -554,7 +553,7 @@ the node identity with an out of band mechanism.
 
 <!--
 Third party custom controllers can be used:
-- [kubelet-rubber-stamp](https://github.com/kontena/kubelet-rubber-stamp)
+- [kubelet-csr-approver](https://github.com/postfinance/kubelet-csr-approver)
 
 Such a controller is not a secure mechanism unless it not only verifies the CommonName
 in the CSR but also verifies the requested IPs and domain names. This would prevent
@@ -563,7 +562,7 @@ CSRs requesting serving certificates for any IP or domain name.
 -->
 也可以使用第三方定制的控制器：
 
-- [kubelet-rubber-stamp](https://github.com/kontena/kubelet-rubber-stamp)
+- [kubelet-csr-approver](https://github.com/postfinance/kubelet-csr-approver)
 
 除非既能够验证 CSR 中的 CommonName，也能检查请求的 IP 和域名，
 这类控制器还算不得安全的机制。
@@ -573,7 +572,7 @@ CSRs requesting serving certificates for any IP or domain name.
 <!--
 ## Generating kubeconfig files for additional users {#kubeconfig-additional-users}
 -->
-##  为其他用户生成 kubeconfig 文件 {#kubeconfig-additional-users}
+## 为其他用户生成 kubeconfig 文件 {#kubeconfig-additional-users}
 
 <!--
 During cluster creation, kubeadm signs the certificate in the `admin.conf` to have
@@ -597,7 +596,7 @@ The generated kubeconfig will be written to stdout and can be piped to a file
 using `kubeadm kubeconfig user ... > somefile.conf`.
 -->
 你要使用 [`kubeadm kubeconfig user`](/zh/docs/reference/setup-tools/kubeadm/kubeadm-kubeconfig)
-命令为其他用户生成 kubeconfig 文件，这个命令支持命令行参数和 
+命令为其他用户生成 kubeconfig 文件，这个命令支持命令行参数和
 [kubeadm 配置结构](/zh/docs/reference/config-api/kubeadm-config.v1beta3/)。
 以上命令会将 kubeconfig 打印到终端上，也可以使用 `kubeadm kubeconfig user ... > somefile.conf`
 输出到一个文件中。
@@ -605,7 +604,7 @@ using `kubeadm kubeconfig user ... > somefile.conf`.
 <!--
 Example configuration file that can be used with `--config`:
 -->
-如下 kubeadm 可以 在`--config` 后加的配置文件示例：
+如下 kubeadm 可以在 `--config` 后加的配置文件示例：
 
 ```yaml
 # example.yaml