From 8b1afccd0ab23d4a8441fdebec2cd93a9af44a77 Mon Sep 17 00:00:00 2001
From: "zhenghao.zhu" <zhenghao.zhu@daocloud.io>
Date: Thu, 18 May 2023 22:05:29 +0800
Subject: [PATCH] resync kubeadm-join&cleanup kubeadm-inti

---
 .../setup-tools/kubeadm/kubeadm-init.md       | 50 ++++++++--------
 .../setup-tools/kubeadm/kubeadm-join.md       | 59 ++++++++++++++++---
 2 files changed, 76 insertions(+), 33 deletions(-)

diff --git a/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init.md
index 8f255401fa..cb01dae1d2 100644
--- a/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init.md
@@ -126,8 +126,8 @@ following steps:
    - 配置自动签发新的 CSR 请求。
 
    更多相关信息，请查看 [kubeadm join](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join/)。
-   
-<!-- 
+
+<!--
 1. Installs a DNS server (CoreDNS) and the kube-proxy addon components via the API server.
    In Kubernetes version 1.11 and later CoreDNS is the default DNS server.
    Please note that although the DNS server is deployed, it will not be scheduled until CNI is installed.
@@ -148,7 +148,8 @@ following steps:
 
 Kubeadm allows you to create a control-plane node in phases using the `kubeadm init phase` command.
 -->
-### 在 kubeadm 中使用 init 阶段  {#init-phases}
+
+### 在 kubeadm 中使用 init 阶段 {#init-phases}
 
 Kubeadm 允许你使用 `kubeadm init phase` 命令分阶段创建控制平面节点。
 
@@ -213,7 +214,7 @@ will create a control plane node with the custom manifest files.
 
 {{< feature-state for_k8s_version="v1.22" state="beta" >}}
 
-<!-- 
+<!--
 Alternatively, you can use the `skipPhases` field under `InitConfiguration`.
 -->
 或者，你可以使用 `InitConfiguration` 下的 `skipPhases` 字段。
@@ -262,12 +263,12 @@ For more information on the fields and usage of the configuration you can naviga
 
 关于配置的字段和用法的更多信息，你可以访问 [API 参考页面](/zh-cn/docs/reference/config-api/kubeadm-config.v1beta3/)。
 
-<!-- 
-### Using kubeadm init with feature gates {#feature-gates} 
+<!--
+### Using kubeadm init with feature gates {#feature-gates}
 -->
 ### 使用 kubeadm init 时设置特性门控 {#feature-gates}
 
-<!-- 
+<!--
 Kubeadm supports a set of feature gates that are unique to kubeadm and can only be applied
 during cluster creation with `kubeadm init`. These features can control the behavior
 of the cluster. Feature gates are removed after a feature graduates to GA.
@@ -275,7 +276,7 @@ of the cluster. Feature gates are removed after a feature graduates to GA.
 Kubeadm 支持一组独有的特性门控，只能在 `kubeadm init` 创建集群期间使用。
 这些特性可以控制集群的行为。特性门控会在毕业到 GA 后被移除。
 
-<!-- 
+<!--
 To pass a feature gate you can either use the `--feature-gates` flag for
 `kubeadm init`, or you can add items into the `featureGates` field when you pass
 a [configuration file](/docs/reference/config-api/kubeadm-config.v1beta3/#kubeadm-k8s-io-v1beta3-ClusterConfiguration)
@@ -285,7 +286,7 @@ using `--config`.
 或者你可以在用 `--config`
 传递[配置文件](/zh-cn/docs/reference/config-api/kubeadm-config.v1beta3/#kubeadm-k8s-io-v1beta3-ClusterConfiguration)时添加条目到 `featureGates` 字段中。
 
-<!-- 
+<!--
 Passing [feature gates for core Kubernetes components](/docs/reference/command-line-tools-reference/feature-gates)
 directly to kubeadm is not supported. Instead, it is possible to pass them by
 [Customizing components with the kubeadm API](/docs/setup/production-environment/tools/kubeadm/control-plane-flags/).
@@ -293,8 +294,8 @@ directly to kubeadm is not supported. Instead, it is possible to pass them by
 直接传递 [Kubernetes 核心组件的特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates)给 kubeadm 是不支持的。
 相反，可以通过[使用 kubeadm API 的自定义组件](/zh-cn/docs/setup/production-environment/tools/kubeadm/control-plane-flags/)来传递。
 
-<!-- 
-List of feature gates: 
+<!--
+List of feature gates:
 -->
 特性门控的列表：
 
@@ -313,12 +314,12 @@ Once a feature gate goes GA its value becomes locked to `true` by default.
 一旦特性门控变成了 GA，它的值会被默认锁定为 `true`。
 {{< /note >}}
 
-<!-- 
-Feature gate descriptions: 
+<!--
+Feature gate descriptions:
 -->
 特性门控的描述：
 
-<!-- 
+<!--
 `PublicKeysECDSA`
 : Can be used to create a cluster that uses ECDSA certificates instead of the default RSA algorithm.
 Renewal of existing ECDSA certificates is also supported using `kubeadm certs renew`, but you cannot
@@ -329,7 +330,7 @@ switch between the RSA and ECDSA algorithms on the fly or during upgrades.
 支持用 `kubeadm certs renew` 更新现有 ECDSA 证书，
 但你不能在集群运行期间或升级期间切换 RSA 和 ECDSA 算法。
 
-<!-- 
+<!--
 `RootlessControlPlane`
 : Setting this flag configures the kubeadm deployed control plane component static Pod containers
 for `kube-apiserver`, `kube-controller-manager`, `kube-scheduler` and `etcd` to run as non-root users.
@@ -342,7 +343,7 @@ you upgrade to a newer version of Kubernetes.
 如果未设置该标志，则这些组件以 root 身份运行。
 你可以在升级到更新版本的 Kubernetes 之前更改此特性门控的值。
 
-<!-- 
+<!--
 `UnversionedKubeletConfigMap`
 : This flag controls the name of the {{< glossary_tooltip text="ConfigMap" term_id="configmap" >}} where kubeadm stores
 kubelet configuration data. With this flag not specified or set to `true`, the ConfigMap is named `kubelet-config`.
@@ -413,15 +414,15 @@ kubeadm config images list
 kubeadm config images pull
 ```
 
-<!-- 
+<!--
 You can pass `--config` to the above commands with a [kubeadm configuration file](#config-file)
 to control the `kubernetesVersion` and `imageRepository` fields.
 -->
 你可以通过 `--config` 把 [kubeadm 配置文件](#config-file) 传递给上述命令来控制
 `kubernetesVersion` 和 `imageRepository` 字段。
 
-<!-- 
-All default `registry.k8s.io` images that kubeadm requires support multiple architectures. 
+<!--
+All default `registry.k8s.io` images that kubeadm requires support multiple architectures.
 -->
 kubeadm 需要的所有默认 `registry.k8s.io` 镜像都支持多种硬件体系结构。
 
@@ -453,7 +454,7 @@ Allowed customization are:
 * 使用其他的 `imageRepository` 来代替 `registry.k8s.io`。
 * 为 etcd 或 CoreDNS 提供特定的 `imageRepository` 和 `imageTag`。
 
-<!-- 
+<!--
 Image paths between the default `registry.k8s.io` and a custom repository specified using
 `imageRepository` may differ for backwards compatibility reasons. For example,
 one image might have a subpath at `registry.k8s.io/subpath/image`, but be defaulted
@@ -463,13 +464,13 @@ to `my.customrepository.io/image` when using a custom repository.
 `registry.k8s.io` 镜像路径不同。例如，某镜像的子路径可能是 `registry.k8s.io/subpath/image`，
 但使用自定义仓库时默认为 `my.customrepository.io/image`。
 
-<!-- 
+<!--
 To ensure you push the images to your custom repository in paths that kubeadm
 can consume, you must:
 -->
 确保将镜像推送到 kubeadm 可以使用的自定义仓库的路径中，你必须：
 
-<!-- 
+<!--
 * Pull images from the defaults paths at `registry.k8s.io` using `kubeadm config images {list|pull}`.
 * Push images to the paths from `kubeadm config images list --config=config.yaml`,
 where `config.yaml` contains the custom `imageRepository`, and/or `imageTag`
@@ -484,7 +485,7 @@ for etcd and CoreDNS.
 <!--
 #### Custom sandbox (pause) images {#custom-pause-image}
 
-To set a custom image for these you need to configure this in your 
+To set a custom image for these you need to configure this in your
 {{< glossary_tooltip text="container runtime" term_id="container-runtime" >}}
 to use the image.
 Consult the documentation for your container runtime to find out how to change this setting;
@@ -636,7 +637,7 @@ DNS name or an address of a load balancer.
 -->
 1. 生成一个令牌。这个令牌必须采用的格式为：`<6 个字符的字符串>.<16 个字符的字符串>`。
    更加正式的说法是，它必须符合正则表达式：`[a-z0-9]{6}\.[a-z0-9]{16}`。
-   
+
    kubeadm 可以为你生成一个令牌：
 
    ```shell
@@ -698,4 +699,3 @@ provisioned). For details, see the [kubeadm join](/docs/reference/setup-tools/ku
   将 Kubernetes 集群升级到新版本
 * [kubeadm reset](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-reset/)
   恢复 `kubeadm init` 或 `kubeadm join` 命令对节点所作的变更
-
diff --git a/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join.md b/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join.md
index 6ceea2a63e..a6ba7de662 100644
--- a/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join.md
+++ b/content/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join.md
@@ -162,11 +162,16 @@ that the API server certificate is valid under the root CA.
 以及 API 服务器证书在根 CA 下是否有效。
 
 <!--
-The CA key hash has the format `sha256:<hex_encoded_hash>`. By default, the hash value is returned in the `kubeadm join` command printed at the end of `kubeadm init` or in the output of `kubeadm token create --print-join-command`. It is in a standard format (see [RFC7469](https://tools.ietf.org/html/rfc7469#section-2.4)) and can also be calculated by 3rd party tools or provisioning systems. For example, using the OpenSSL CLI:
+The CA key hash has the format `sha256:<hex_encoded_hash>`.
+By default, the hash value is printed at the end of the `kubeadm init` command or
+in the output from the `kubeadm token create --print-join-command` command.
+It is in a standard format (see [RFC7469](https://tools.ietf.org/html/rfc7469#section-2.4))
+and can also be calculated by 3rd party tools or provisioning systems.
+For example, using the OpenSSL CLI:
 -->
 CA 键哈希格式为 `sha256:<hex_encoded_hash>`。
-默认情况下，在 `kubeadm init` 最后打印的 `kubeadm join` 命令
-或者 `kubeadm token create --print-join-command` 的输出信息中返回哈希值。
+默认情况下，哈希值会打印在 `kubeadm init` 命令输出的末尾
+或者从 `kubeadm token create --print-join-command` 命令的输出信息中返回。
 它使用标准格式（请参考 [RFC7469](https://tools.ietf.org/html/rfc7469#section-2.4)）
 并且也能通过第三方工具或者制备系统进行计算。
 例如，使用 OpenSSL CLI：
@@ -354,6 +359,45 @@ In case the discovery file does not contain credentials, the TLS discovery token
   如果发现文件包含凭据，你必须对其保密并通过安全通道进行传输。
   这可能通过你的云提供商或供应工具来实现。
 
+<!--
+#### Use of custom kubelet credentials with `kubeadm join`
+-->
+#### 将自定义 kubelet 凭据与 `kubeadm join` 结合使用
+
+<!--
+To allow `kubeadm join` to use predefined kubelet credentials and skip client TLS bootstrap 
+and CSR approval for a new node:
+-->
+要允许 `kubeadm join` 使用预定义的 kubelet 凭据并跳过客户端 TLS 引导程序和新节点的 CSR 批准：
+
+<!--
+1. From a working control plane node in the cluster that has `/etc/kubernetes/pki/ca.key`
+   execute `kubeadm kubeconfig user --org system:nodes --client-name system:node:$NODE > kubelet.conf`.
+   `$NODE` must be set to the name of the new node.
+2. Modify the resulted `kubelet.conf` manually to adjust the cluster name and the server endpoint,
+   or run `kubeadm kubeconfig user --config` (it accepts `InitConfiguration`). 
+-->
+1. 从集群中带有 `/etc/kubernetes/pki/ca.key` 的工作控制平面节点执行
+   `kubeadm kubeconfig user --org system:nodes --client-name system:node:$NODE > kubelet.conf`。
+   `$NODE` 必须设置为新节点的名称。
+2. 手动修改生成的 `kubelet.conf` 以调整集群名称和服务器端点，
+   或运行 `kubeadm kubeconfig user --config`（它接受 `InitConfiguration`）。
+
+<!--
+If your cluster does not have the `ca.key` file, you must sign the embedded certificates in 
+the `kubelet.conf` externally.
+-->
+如果集群没有 `ca.key` 文件，你必须在外部对 `kubelet.conf` 中嵌入的证书进行签名。
+
+<!--
+1. Copy the resulting `kubelet.conf` to `/etc/kubernetes/kubelet.conf` on the new node.
+2. Execute `kubeadm join` with the flag
+   `--ignore-preflight-errors=FileAvailable--etc-kubernetes-kubelet.conf` on the new node.
+-->
+1. 将生成的 `kubelet.conf` 复制为新节点上的 `/etc/kubernetes/kubelet.conf`。
+2. 在新节点上带着标志
+   `--ignore-preflight-errors=FileAvailable--etc-kubernetes-kubelet.conf` 执行 `kubeadm join`。
+
 <!--
 ### Securing your installation even more {#securing-more}
 -->
@@ -378,7 +422,7 @@ automatically approve kubelet client certs, you can turn it off by executing thi
 -->
 默认情况下，Kubernetes 启用了 CSR 自动批准器，如果在身份验证时使用启动引导令牌，
 它会批准对 kubelet 的任何客户端证书的请求。
-如果不希望集群自动批准kubelet客户端证书，可以通过执行以下命令关闭它：
+如果不希望集群自动批准 kubelet 客户端证书，可以通过执行以下命令关闭它：
 
 ```shell
 kubectl delete clusterrolebinding kubeadm:node-autoapprove-bootstrap
@@ -402,15 +446,15 @@ After that, `kubeadm join` will block until the admin has manually approved the
    The output is similar to this:
    -->
    输出类似于：
-   
+
    ```
    NAME                                                   AGE       REQUESTOR                 CONDITION
    node-csr-c69HXe7aYcqkS1bKmH4faEnHAWxn6i2bHZ2mD04jZyQ   18s       system:bootstrap:878f07   Pending
    ```
 
 <!--
-2. `kubectl certificate approve` allows the admin to approve CSR. This action tells a certificate signing
-  controller to issue a certificate to the requestor with the attributes requested in the CSR.
+2. `kubectl certificate approve` allows the admin to approve CSR.This action tells a certificate signing
+   controller to issue a certificate to the requestor with the attributes requested in the CSR.
 -->
 2. `kubectl certificate approve` 允许管理员批准 CSR。
    此操作告知证书签名控制器向请求者颁发一个证书，该证书具有 CSR 中所请求的那些属性。
@@ -573,4 +617,3 @@ For more information on the fields and usage of the configuration you can naviga
   管理 `kubeadm join` 的令牌。
 * [kubeadm reset](/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-reset/)
   将 `kubeadm init` 或 `kubeadm join` 对主机的更改恢复到之前状态。
-