From 74449d14596f79da52204683981c16d07b4996ab Mon Sep 17 00:00:00 2001
From: "xin.li" <xin.li@daocloud.io>
Date: Wed, 30 Mar 2022 12:14:28 +0800
Subject: [PATCH] [zh] Update projected-volumes.md

Signed-off-by: xin.li <xin.li@daocloud.io>
---
 .../docs/concepts/storage/projected-volumes.md  | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/content/zh/docs/concepts/storage/projected-volumes.md b/content/zh/docs/concepts/storage/projected-volumes.md
index 15c01c2719..a1cc2a3a72 100644
--- a/content/zh/docs/concepts/storage/projected-volumes.md
+++ b/content/zh/docs/concepts/storage/projected-volumes.md
@@ -34,7 +34,7 @@ Currently, the following types of volume sources can be projected:
 * [`secret`](/docs/concepts/storage/volumes/#secret)
 * [`downwardAPI`](/docs/concepts/storage/volumes/#downwardapi)
 * [`configMap`](/docs/concepts/storage/volumes/#configmap)
-* `serviceAccountToken`
+* [`serviceAccountToken`](#serviceaccounttoken)
 -->
 ## 介绍    {#introduction}
 
@@ -45,7 +45,7 @@ Currently, the following types of volume sources can be projected:
 * [`secret`](/zh/docs/concepts/storage/volumes/#secret)
 * [`downwardAPI`](/zh/docs/concepts/storage/volumes/#downwardapi)
 * [`configMap`](/zh/docs/concepts/storage/volumes/#configmap)
-* `serviceAccountToken`
+* [`serviceAccountToken`](#serviceaccounttoken)
 
 <!--
 All sources are required to be in the same namespace as the Pod. For more details,
@@ -85,10 +85,12 @@ parameters are nearly the same with two exceptions:
   你可以显式地为每个投射单独设置 `mode` 属性。 
 
 <!--
+## serviceAccountToken projected volumes {#serviceaccounttoken}
 When the `TokenRequestProjection` feature is enabled, you can inject the token
 for the current [service account](/docs/reference/access-authn-authz/authentication/#service-account-tokens)
 into a Pod at a specified path. For example:
 -->
+## serviceAccountToken 投射卷 {#serviceaccounttoken}
 当 `TokenRequestProjection` 特性被启用时，你可以将当前
 [服务账号](/zh/docs/reference/access-authn-authz/authentication/#service-account-tokens)
 的令牌注入到 Pod 中特定路径下。例如：
@@ -97,14 +99,17 @@ into a Pod at a specified path. For example:
 
 <!--
 The example Pod has a projected volume containing the injected service account
-token. This token can be used by a Pod's containers to access the Kubernetes API
-server. The `audience` field contains the intended audience of the
+token. Containers in this Pod can use that token to access the Kubernetes API
+server, authenticating with the identity of [the pod's ServiceAccount](/docs/tasks/configure-pod-container/configure-service-account/).
+The `audience` field contains the intended audience of the
 token. A recipient of the token must identify itself with an identifier specified
 in the audience of the token, and otherwise should reject the token. This field
 is optional and it defaults to the identifier of the API server.
 -->
-示例 Pod 中包含一个投射卷，其中包含注入的服务账号令牌。该令牌可以被 Pod
-中的容器用来访问 Kubernetes API 服务器。`audience` 字段包含令牌所针对的受众。
+示例 Pod 中包含一个投射卷，其中包含注入的服务账号令牌。
+此 Pod 中的容器可以使用该令牌访问 Kubernetes API 服务器， 使用 
+[pod 的 ServiceAccount](/zh/docs/tasks/configure-pod-container/configure-service-account/)
+进行身份验证。`audience` 字段包含令牌所针对的受众。
 收到令牌的主体必须使用令牌受众中所指定的某个标识符来标识自身，否则应该拒绝该令牌。
 此字段是可选的，默认值为 API 服务器的标识。