From db9321322b1511273779aca82dd2b9b984effcb5 Mon Sep 17 00:00:00 2001
From: "xin.li" <xin.li@daocloud.io>
Date: Thu, 17 Aug 2023 22:59:44 +0800
Subject: [PATCH] [zh-cn] sync example validatingadmissionpolicy/*

Signed-off-by: xin.li <xin.li@daocloud.io>
---
 .../validating-admission-policy.md            | 356 ++++++++++--------
 ...-matches-namespace-environment.policy.yaml |  29 ++
 ...ebhook-configuration-match-conditions.yaml |  49 +++
 .../basic-example-binding.yaml                |  11 +
 .../basic-example-policy.yaml                 |  14 +
 .../binding-with-param-prod.yaml              |  17 +
 .../binding-with-param.yaml                   |  14 +
 .../failure-policy-ignore.yaml                |   7 +
 .../policy-with-param.yaml                    |  18 +
 .../replicalimit-param-prod.yaml              |   5 +
 .../replicalimit-param.yaml                   |   6 +
 .../typechecking-multiple-match.yaml          |  15 +
 .../typechecking.yaml                         |  15 +
 13 files changed, 393 insertions(+), 163 deletions(-)
 create mode 100644 content/zh-cn/examples/access/image-matches-namespace-environment.policy.yaml
 create mode 100644 content/zh-cn/examples/access/validating-webhook-configuration-match-conditions.yaml
 create mode 100644 content/zh-cn/examples/validatingadmissionpolicy/basic-example-binding.yaml
 create mode 100644 content/zh-cn/examples/validatingadmissionpolicy/basic-example-policy.yaml
 create mode 100644 content/zh-cn/examples/validatingadmissionpolicy/binding-with-param-prod.yaml
 create mode 100644 content/zh-cn/examples/validatingadmissionpolicy/binding-with-param.yaml
 create mode 100644 content/zh-cn/examples/validatingadmissionpolicy/failure-policy-ignore.yaml
 create mode 100644 content/zh-cn/examples/validatingadmissionpolicy/policy-with-param.yaml
 create mode 100644 content/zh-cn/examples/validatingadmissionpolicy/replicalimit-param-prod.yaml
 create mode 100644 content/zh-cn/examples/validatingadmissionpolicy/replicalimit-param.yaml
 create mode 100644 content/zh-cn/examples/validatingadmissionpolicy/typechecking-multiple-match.yaml
 create mode 100644 content/zh-cn/examples/validatingadmissionpolicy/typechecking.yaml

diff --git a/content/zh-cn/docs/reference/access-authn-authz/validating-admission-policy.md b/content/zh-cn/docs/reference/access-authn-authz/validating-admission-policy.md
index 2eb745f06c..a7e2a2ac80 100644
--- a/content/zh-cn/docs/reference/access-authn-authz/validating-admission-policy.md
+++ b/content/zh-cn/docs/reference/access-authn-authz/validating-admission-policy.md
@@ -13,7 +13,7 @@ content_type: concept
 
 <!-- overview -->
 
-{{< feature-state state="alpha" for_k8s_version="v1.26" >}}
+{{< feature-state state="beta" for_k8s_version="v1.28" >}}
 
 <!--
 This page provides an overview of Validating Admission Policy.
@@ -79,7 +79,7 @@ At least a `ValidatingAdmissionPolicy` and a corresponding `ValidatingAdmissionP
 must be defined for a policy to have an effect.
 
 If a `ValidatingAdmissionPolicy` does not need to be configured via parameters, simply leave
-`spec.paramKind` in  `ValidatingAdmissionPolicy` unset.
+`spec.paramKind` in  `ValidatingAdmissionPolicy` not specified.
 -->
 至少要定义一个 `ValidatingAdmissionPolicy` 和一个相对应的 `ValidatingAdmissionPolicyBinding` 才能使策略生效。
 
@@ -90,10 +90,10 @@ If a `ValidatingAdmissionPolicy` does not need to be configured via parameters,
 
 <!--
 - Ensure the `ValidatingAdmissionPolicy` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) is enabled.
-- Ensure that the `admissionregistration.k8s.io/v1alpha1` API is enabled.
+- Ensure that the `admissionregistration.k8s.io/v1beta1` API is enabled.
 -->
 - 确保 `ValidatingAdmissionPolicy` [特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)被启用。
-- 确保 `admissionregistration.k8s.io/v1alpha1` API 被启用。
+- 确保 `admissionregistration.k8s.io/v1beta1` API 被启用。
 
 <!--
 ## Getting Started with Validating Admission Policy
@@ -115,22 +115,7 @@ The following is an example of a ValidatingAdmissionPolicy.
 
 以下是一个 ValidatingAdmissionPolicy 的示例：
 
-```yaml
-apiVersion: admissionregistration.k8s.io/v1alpha1
-kind: ValidatingAdmissionPolicy
-metadata:
-  name: "demo-policy.example.com"
-spec:
-  failurePolicy: Fail
-  matchConstraints:
-    resourceRules:
-    - apiGroups: ["apps"]
-      apiVersions: ["v1"]
-      operations: ["CREATE", "UPDATE"]
-      resources: ["deployments"]
-  validations:
-    - expression: "object.spec.replicas <= 5"
-```
+{{% codenew language="yaml" file="validatingadmissionpolicy/basic-example-policy.yaml" %}}
 
 <!--
 `spec.validations` contains CEL expressions which use the [Common Expression Language (CEL)](https://github.com/google/cel-spec)
@@ -147,19 +132,7 @@ The following is an example of a ValidatingAdmissionPolicyBinding.:
 要配置一个在某集群中使用的验证准入策略，需要一个绑定。
 以下是一个 ValidatingAdmissionPolicyBinding 的示例：
 
-```yaml
-apiVersion: admissionregistration.k8s.io/v1alpha1
-kind: ValidatingAdmissionPolicyBinding
-metadata:
-  name: "demo-binding-test.example.com"
-spec:
-  policyName: "demo-policy.example.com"
-  validationActions: [Deny]
-  matchResources:
-    namespaceSelector:
-      matchLabels:
-        environment: test
-```
+{{% codenew language="yaml" file="validatingadmissionpolicy/basic-example-binding.yaml" %}}
 
 <!--
 When trying to create a deployment with replicas set not satisfying the validation expression, an
@@ -221,11 +194,11 @@ API 响应体和 HTTP 警告头中。
 <!--
 A `validation` that evaluates to false is always enforced according to these
 actions. Failures defined by the `failurePolicy` are enforced
-according to these actions only if the `failurePolicy` is set to `Fail` (or unset),
+according to these actions only if the `failurePolicy` is set to `Fail` (or not specified),
 otherwise the failures are ignored.
 -->
 如果 `validation` 求值为 false，则始终根据这些操作执行。
-由 `failurePolicy` 定义的失败仅在 `failurePolicy` 设置为 `Fail`（或未设置）时根据这些操作执行，
+由 `failurePolicy` 定义的失败仅在 `failurePolicy` 设置为 `Fail`（或未指定）时根据这些操作执行，
 否则这些失败将被忽略。
 
 <!-- 
@@ -236,7 +209,7 @@ for more details about the validation failure audit annotation.
 [审计注解：验证失败](/zh-cn/docs/reference/labels-annotations-taints/audit-annotations/#validation-policy-admission-k8s-io-validation_failure)。
 
 <!--
-#### Parameter resources
+### Parameter resources
 
 Parameter resources allow a policy configuration to be separate from its definition.
 A policy can define paramKind, which outlines GVK of the parameter resource,
@@ -245,7 +218,7 @@ and then a policy binding ties a policy by name (via policyName) to a particular
 If parameter configuration is needed, the following is an example of a ValidatingAdmissionPolicy
 with parameter configuration.
 -->
-#### 参数资源
+### 参数资源
 
 参数资源允许策略配置与其定义分开。
 一个策略可以定义 paramKind，给出参数资源的 GVK，
@@ -253,26 +226,7 @@ with parameter configuration.
 
 如果需要参数配置，下面是一个带有参数配置的 ValidatingAdmissionPolicy 的例子：
 
-```yaml
-apiVersion: admissionregistration.k8s.io/v1alpha1
-kind: ValidatingAdmissionPolicy
-metadata:
-  name: "replicalimit-policy.example.com"
-spec:
-  failurePolicy: Fail
-  paramKind:
-    apiVersion: rules.example.com/v1
-    kind: ReplicaLimit
-  matchConstraints:
-    resourceRules:
-    - apiGroups: ["apps"]
-      apiVersions: ["v1"]
-      operations: ["CREATE", "UPDATE"]
-      resources: ["deployments"]
-  validations:
-    - expression: "object.spec.replicas <= params.maxReplicas"
-      reason: Invalid
-```
+{{% codenew language="yaml" file="validatingadmissionpolicy/policy-with-param.yaml" %}}
 
 <!--
 The `spec.paramKind` field of the ValidatingAdmissionPolicy specifies the kind of resources used
@@ -295,7 +249,9 @@ validation check is enforced according to the `spec.failurePolicy` field.
 The validating admission policy author is responsible for providing the ReplicaLimit parameter CRD.
 
 To configure an validating admission policy for use in a cluster, a binding and parameter resource
-are created. The following is an example of a ValidatingAdmissionPolicyBinding.
+are created. The following is an example of a ValidatingAdmissionPolicyBinding
+that uses a **cluster-wide** param - the same param will be used to validate
+every resource request that matches the binding:
 -->
 `spec.validations` 字段包含 CEL 表达式。
 如果表达式的计算结果为 false，则根据 `spec.failurePolicy` 字段强制执行验证检查操作。
@@ -303,77 +259,71 @@ are created. The following is an example of a ValidatingAdmissionPolicyBinding.
 验证准入策略的作者负责提供 ReplicaLimit 参数 CRD。
 
 要配置一个在某集群中使用的验证准入策略，需要创建绑定和参数资源。
-以下是 ValidatingAdmissionPolicyBinding 的示例：
+以下是 ValidatingAdmissionPolicyBinding **集群范围**参数的示例 - 相同的参数将用于验证与绑定匹配的每个资源请求：
 
-```yaml
-apiVersion: admissionregistration.k8s.io/v1alpha1
-kind: ValidatingAdmissionPolicyBinding
-metadata:
-  name: "replicalimit-binding-test.example.com"
-spec:
-  policyName: "replicalimit-policy.example.com"
-  validationActions: [Deny]
-  paramRef:
-    name: "replica-limit-test.example.com"
-  matchResources:
-    namespaceSelector:
-      matchLabels:
-        environment: test
-```
+{{% codenew language="yaml" file="validatingadmissionpolicy/binding-with-param.yaml" %}}
+
+<!--
+Notice this binding applies a parameter to the policy for all resources which
+are in the `test` environment.
+-->
+请注意，此绑定将参数应用于 `test` 环境中所有资源的策略中。
 
 <!--
 The parameter resource could be as following:
 -->
 参数资源可以如下：
 
-```yaml
-apiVersion: rules.example.com/v1
-kind: ReplicaLimit
-metadata:
-  name: "replica-limit-test.example.com"
-maxReplicas: 3
-```
+{{% codenew language="yaml" file="validatingadmissionpolicy/replicalimit-param.yaml" %}}
 
 <!--
-This policy parameter resource limits deployments to a max of 3 replicas in all namespaces in the
-test environment. An admission policy may have multiple bindings. To bind all other environments
-environment to have a maxReplicas limit of 100, create another ValidatingAdmissionPolicyBinding:
+This policy parameter resource limits deployments to a max of 3 replicas.
+An admission policy may have multiple bindings. To bind all other environments
+to have a maxReplicas limit of 100, create another ValidatingAdmissionPolicyBinding:
 -->
-此策略参数资源将限制测试环境所有名字空间中的 Deployment 最多有 3 个副本。
+此策略参数资源将限制 Deployment 最多有 3 个副本。
 一个准入策略可以有多个绑定。
 要绑定所有的其他环境，限制 maxReplicas 为 100，请创建另一个 ValidatingAdmissionPolicyBinding：
 
-```yaml
-apiVersion: admissionregistration.k8s.io/v1alpha1
-kind: ValidatingAdmissionPolicyBinding
-metadata:
-  name: "replicalimit-binding-nontest"
-spec:
-  policyName: "replicalimit-policy.example.com"
-  validationActions: [Deny]
-  paramRef:
-    name: "replica-limit-clusterwide.example.com"
-  matchResources:
-    namespaceSelector:
-      matchExpressions:
-      - key: environment
-        operator: NotIn
-        values:
-        - test
-```
+{{% codenew language="yaml" file="validatingadmissionpolicy/binding-with-param-prod.yaml" %}}
 
 <!--
-And have a parameter resource like:
+Notice this binding applies a different parameter to resources which
+are not in the `test` environment.
 -->
-并有一个参数资源，如下：
+请注意，此绑定将不同的参数应用于不在 `test` 环境中的资源。
 
-```yaml
-apiVersion: rules.example.com/v1
-kind: ReplicaLimit
-metadata:
-  name: "replica-limit-clusterwide.example.com"
-maxReplicas: 100
-```
+<!--
+And have a parameter resource:
+-->
+并有一个参数资源：
+
+{{% codenew language="yaml" file="validatingadmissionpolicy/replicalimit-param-prod.yaml" %}}
+
+<!--
+For each admission request, the API server evaluates CEL expressions of each 
+(policy, binding, param) combination that match the request. For a request
+to be admitted it must pass **all** evaluations.
+
+If multiple bindings match the request, the policy will be evaluated for each,
+and they must all pass evaluation for the policy to be considered passed.
+-->
+对于每个准入请求，API 服务器都会评估与请求匹配的每个（策略、绑定、参数）组合的 CEL 表达式。
+要获得准入资格，必须通过**所有**评估。
+
+如果多个绑定与请求匹配，则将为每个绑定评估策略，并且它们必须全部通过评估，策略才会被视为通过。
+
+<!--
+If multiple parameters match a single binding, the policy rules will be evaluated
+for each param, and they too must all pass for the binding to be considered passed.
+Bindings can have overlapping match criteria. The policy is evaluated for each 
+matching binding-parameter combination. A policy may even be evaluated multiple
+times if multiple bindings match it, or a single binding that matches multiple 
+parameters.
+-->
+如果多个参数与同一个绑定匹配，则系统将为每个参数评估策略规则，并且这些规则也必须全部通过才能认为该绑定通过。
+多个绑定之间可以在匹配条件存在重叠。系统针对匹配的绑定参数所有组合来评估策略。如果多个绑定与其匹配，
+或者同一个绑定与多个参数匹配，则策略甚至可以被多次评估。
 
 <!--
 Bindings can have overlapping match criteria. The policy is evaluated for each matching binding.
@@ -401,13 +351,16 @@ spec:
 <!--
 The params object representing a parameter resource will not be set if a parameter resource has
 not been bound, so for policies requiring a parameter resource, it can be useful to add a check to
-ensure one has been bound.
+ensure one has been bound. A parameter resource will not be bound and `params` will be null
+if `paramKind` of the policy, or `paramRef` of the binding are not specified.
 
 For the use cases require parameter configuration, we recommend to add a param check in
 `spec.validations[0].expression`:
 -->
 如果参数资源尚未被绑定，代表参数资源的 params 对象将不会被设置，
 所以对于需要参数资源的策略，添加一个检查来确保参数资源被绑定，这会很有用。
+如果策略的 `paramKind` 未指定或绑定的 `paramRef` 未指定，则不会绑定参数资源，
+并且 `params` 将为空。
 
 对于需要参数配置的场景，我们建议在 `spec.validations[0].expression` 中添加一个参数检查：
 
@@ -417,6 +370,8 @@ For the use cases require parameter configuration, we recommend to add a param c
 ```
 
 <!--
+#### Optional parameters
+
 It can be convenient to be able to have optional parameters as part of a parameter resource, and
 only validate them if present. CEL provides `has()`, which checks if the key passed to it exists.
 CEL also implements Boolean short-circuiting. If the first half of a logical OR evaluates to true,
@@ -424,6 +379,8 @@ it won’t evaluate the other half (since the result of the entire OR will be tr
 
 Combining the two, we can provide a way to validate optional parameters:
 -->
+#### 可选参数
+
 将可选参数作为参数资源的一部分，并且只在参数存在时执行检查操作，这样做会比较方便。
 CEL 提供了 `has()` 方法，它检查传递给它的键是否存在。CEL 还实现了布尔短路逻辑。
 如果逻辑 OR 的前半部分计算为 true，则不会计算另一半（因为无论如何整个 OR 的结果都为真）。
@@ -446,6 +403,64 @@ Here, we first check that the optional parameter is present with `!has(params.op
 - 如果 `optionalNumber` 被定义了，那么将计算 CEL 表达式的后半部分，
   并且 `optionalNumber` 将被检查以确保它包含一个 5 到 10 之间的值（含 5 到 10）。
 
+<!--
+#### Per-namespace Parameters
+
+As the author of a ValidatingAdmissionPolicy and its ValidatingAdmissionPolicyBinding, 
+you can choose to specify cluster-wide, or per-namespace parameters. 
+If you specify a `namespace` for the binding's `paramRef`, the control plane only
+searches for parameters in that namespace.
+-->
+#### 按命名空间设置的参数
+
+作为 ValidatingAdmissionPolicy 及其 ValidatingAdmissionPolicyBinding 的作者，
+你可以选择指定其作用于集群范围还是某个命名空间。如果你为绑定的 `paramRef` 指定 `namespace`，
+则控制平面仅在该名字空间中搜索参数。
+
+<!--
+However, if `namespace` is not specified in the ValidatingAdmissionPolicyBinding, the
+API server can search for relevant parameters in the namespace that a request is against.
+For example, if you make a request to modify a ConfigMap in the `default` namespace and
+there is a relevant ValidatingAdmissionPolicyBinding with no `namespace` set, then the
+API server looks for a parameter object in `default`.
+This design enables policy configuration that depends on the namespace
+of the resource being manipulated, for more fine-tuned control.
+-->
+但是，如果 ValidatingAdmissionPolicyBinding 中未指定 `namespace`，则 API
+服务器可以在请求所针对的命名空间中搜索相关参数。
+例如，如果你请求修改 `default` 命名空间中的 ConfigMap，并且存在未设置 `namespace` 的相关
+ValidatingAdmissionPolicyBinding，则 API 服务器在 `default` 命名空间中查找参数对象。
+此设计支持依赖于所操作资源的命名空间的策略配置，以实现更精细的控制。
+
+<!--
+#### Parameter selector
+
+In addition to specify a parameter in a binding by `name`, you may
+choose instead to specify label selector, such that all resources of the
+policy's `paramKind`, and the param's `namespace` (if applicable) that match the
+label selector are selected for evaluation. See {{< glossary_tooltip text="selector" term_id="selector">}} for more information on how label selectors match resources.
+-->
+#### 参数选择算符
+
+除了在绑定中用 `name` 来指定参数之外，你还可以选择设置标签选择算符，
+这样对于与策略的 `paramKind` 参数匹配，且位于参数的 `namespace`（如果适用）内的所有资源，
+如果与标签选择算符匹配，都会被评估。有关标签选择算符如何匹配资源的更多信息，
+请参阅{{<glossary_tooltip text="选择算符" term_id="selector">}}。
+
+<!--
+If multiple parameters are found to meet the condition, the policy's rules are
+evaluated for each parameter found and the results will be ANDed together.
+
+If `namespace` is provided, only objects of the `paramKind` in the provided
+namespace are eligible for selection. Otherwise, when `namespace` is empty and 
+`paramKind` is namespace-scoped, the `namespace` used in the request being 
+admitted will be used.
+-->
+如果发现多个参数满足条件，则会针对所找到的每个参数来评估策略规则，并将结果进行“与”运算。
+
+如果设置了 `namespace`，则只有所提供的命名空间中类别为 `paramKind` 的对象才会被匹配。
+否则，当 `namespace` 为空且 `paramKind` 为命名空间作用域的资源时，使用被准入请求中指定的 `namespace`。
+
 <!--
 #### Authorization Check
 
@@ -489,15 +504,7 @@ Note that the `failurePolicy` is defined inside `ValidatingAdmissionPolicy`:
 
 请注意，`failurePolicy` 是在 `ValidatingAdmissionPolicy` 中定义的：
 
-```yaml
-apiVersion: admissionregistration.k8s.io/v1alpha1
-kind: ValidatingAdmissionPolicy
-spec:
-...
-failurePolicy: Ignore # 默认值是 "Fail"
-validations:
-- expression: "object.spec.xyz == params.x"
-```
+{{% codenew language="yaml" file="validatingadmissionpolicy/failure-policy-ignore.yaml" %}}
 
 <!--
 ### Validation Expression
@@ -511,7 +518,7 @@ variables as well as some other useful variables:
 - 'oldObject' - The existing object. The value is null for CREATE requests.
 - 'request' - Attributes of the [admission request](/docs/reference/config-api/apiserver-admission.v1/#admission-k8s-io-v1-AdmissionRequest).
 - 'params' - Parameter resource referred to by the policy binding being evaluated. The value is
-  null if `ParamKind` is unset.
+  null if `ParamKind` is not specified.
 - `authorizer` - A CEL Authorizer. May be used to perform authorization checks for the principal
   (authenticated user) of the request. See
   [Authz](https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz) in the Kubernetes CEL library
@@ -818,26 +825,7 @@ For example, given the following policy definition:
 
 例如，给定以下策略定义：
 
-<!--
-# should be "object.spec.replicas > 1"
--->
-```yaml
-apiVersion: admissionregistration.k8s.io/v1alpha1
-kind: ValidatingAdmissionPolicy
-metadata:
-  name: "deploy-replica-policy.example.com"
-spec:
-  matchConstraints:
-    resourceRules:
-    - apiGroups:   ["apps"]
-      apiVersions: ["v1"]
-      operations:  ["CREATE", "UPDATE"]
-      resources:   ["deployments"]
-  validations:
-  - expression: "object.replicas > 1" # 应该是 object.spec.replicas > 1
-    message: "must be replicated"
-    reason: Invalid
-```
+{{% codenew language="yaml" file="validatingadmissionpolicy/typechecking.yaml" %}}
 
 <!--
 The status will yield the following information:
@@ -862,26 +850,7 @@ For example, the following policy definition
 如果在 `spec.matchConstraints` 中匹配了多个资源，则所有匹配的资源都将进行检查。
 例如，以下策略定义：
 
-<!--
-# should be "object.spec.replicas > 1"
--->
-```yaml
-apiVersion: admissionregistration.k8s.io/v1alpha1
-kind: ValidatingAdmissionPolicy
-metadata:
-  name: "replica-policy.example.com"
-spec:
-  matchConstraints:
-    resourceRules:
-    - apiGroups:   ["apps"]
-      apiVersions: ["v1"]
-      operations:  ["CREATE", "UPDATE"]
-      resources:   ["deployments","replicasets"]
-  validations:
-  - expression: "object.replicas > 1" # 应该是 object.spec.replicas > 1
-    message: "must be replicated"
-    reason: Invalid
-```
+{{% codenew language="yaml" file="validatingadmissionpolicy/typechecking-multiple-match.yaml" %}}
 
 <!--
 will have multiple types and type checking result of each type in the warning message.
@@ -923,3 +892,64 @@ Type Checking has the following limitation:
   如果在评估期间出现错误，则失败策略将决定其结果。
 - 类型检查不适用于 CRD（自定义资源定义），包括匹配的 CRD 类型和 paramKind 的引用。
   对 CRD 的支持将在未来发布中推出。
+
+<!--
+### Variable composition
+
+If an expression grows too complicated, or part of the expression is reusable and computationally expensive to evaluate,
+you can extract some part of the expressions into variables. A variable is a named expression that can be referred later
+in `variables` in other expressions.
+-->
+### 变量组合
+
+如果表达式变得太复杂，或者表达式的一部分可重用且进行评估时计算开销较大，可以将表达式的某些部分提取为变量。
+变量是一个命名表达式，后期可以在其他表达式中的 `variables` 中引用。
+
+```yaml
+spec:
+  variables:
+    - name: foo
+      expression: "'foo' in object.spec.metadata.labels ? object.spec.metadata.labels['foo'] : 'default'"
+  validations:
+    - expression: variables.foo == 'bar'
+```
+
+<!--
+A variable is lazily evaluated when it is first referred. Any error that occurs during the evaluation will be
+reported during the evaluation of the referring expression. Both the result and potential error are memorized and
+count only once towards the runtime cost.
+
+The order of variables are important because a variable can refer to other variables that are defined before it.
+This ordering prevents circular references.
+
+The following is a more complex example of enforcing that image repo names match the environment defined in its namespace.
+-->
+变量在首次引用时会被延迟求值。评估期间发生的任何错误都将在评估引用表达式期间报告，
+结果和可能的错误都会被记录下来，且在运行时开销中仅计为一次。
+
+变量的顺序很重要，因为一个变量可以引用在它之前定义的其他变量。
+对顺序的要求可以防止循环引用。
+
+以下是强制镜像仓库名称与其命名空间中定义的环境相匹配的一个较复杂示例。
+
+{{< codenew file="access/image-matches-namespace-environment.policy.yaml" >}}
+
+<!--
+With the policy bound to the namespace `default`, which is labeled `environment: prod`,
+the following attempt to create a deployment would be rejected.
+-->
+在此策略被绑定到 `default` 命名空间（标签为 `environment: prod`）的情况下，
+以下创建 Deployment 的尝试将被拒绝。
+
+```shell
+kubectl create deploy --image=dev.example.com/nginx invalid
+```
+
+<!--
+The error message is similar to this.
+-->
+错误信息类似于：
+
+```console
+error: failed to create deployment: deployments.apps "invalid" is forbidden: ValidatingAdmissionPolicy 'image-matches-namespace-environment.policy.example.com' with binding 'demo-binding-test.example.com' denied request: only prod images are allowed in namespace default
+```
diff --git a/content/zh-cn/examples/access/image-matches-namespace-environment.policy.yaml b/content/zh-cn/examples/access/image-matches-namespace-environment.policy.yaml
new file mode 100644
index 0000000000..40ece2473e
--- /dev/null
+++ b/content/zh-cn/examples/access/image-matches-namespace-environment.policy.yaml
@@ -0,0 +1,29 @@
+# 此策略强制除 "exempt" Deployment 或任何不属于 “example.com” 组织的容器
+#（例如常见的 sidecar）外的 Deployment 的所有容器的镜像库与其命名空间的环境标签相匹配。
+# 例如，如果命名空间的标签为 {"environment": "staging"}，则所有容器镜像必须是
+# staging.example.com/* 或根本不包含 “example.com”，除非 Deployment 有
+# {"exempt": "true"} 标签。
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "image-matches-namespace-environment.policy.example.com"
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments"]
+  variables:
+  - name: environment
+    expression: "'environment' in namespaceObject.metadata.labels ? namespaceObject.metadata.labels['environment'] : 'prod'"
+  - name: exempt
+    expression: "'exempt' in object.metadata.labels && object.metadata.labels['exempt'] == 'true'"
+  - name: containers
+    expression: "object.spec.template.spec.containers"
+  - name: containersToCheck
+    expression: "variables.containers.filter(c, c.image.contains('example.com/'))"
+  validations:
+  - expression: "variables.exempt || variables.containersToCheck.all(c, c.image.startsWith(variables.environment + '.'))"
+    messageExpression: "'only ' + variables.environment + ' images are allowed in namespace ' + namespaceObject.metadata.name"
\ No newline at end of file
diff --git a/content/zh-cn/examples/access/validating-webhook-configuration-match-conditions.yaml b/content/zh-cn/examples/access/validating-webhook-configuration-match-conditions.yaml
new file mode 100644
index 0000000000..2465f93a3a
--- /dev/null
+++ b/content/zh-cn/examples/access/validating-webhook-configuration-match-conditions.yaml
@@ -0,0 +1,49 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+webhooks:
+  - name: my-webhook.example.com
+    matchPolicy: Equivalent
+    rules:
+      - operations: ['CREATE','UPDATE']
+        apiGroups: ['*']
+        apiVersions: ['*']
+        resources: ['*']
+    failurePolicy: 'Ignore' # 打开失败（可选）
+    sideEffects: None
+    clientConfig:
+      service:
+        namespace: my-namespace
+        name: my-webhook
+      caBundle: '<omitted>'
+    # 每个 Webhook 最多可以有 64 个 matchConditions
+    matchConditions:
+      - name: 'exclude-leases' # 每个匹配条件必须有唯一的名称
+        expression: '!(request.resource.group == "coordination.k8s.io" && request.resource.resource == "leases")' # 匹配非租约（non-lease）资源
+      - name: 'exclude-kubelet-requests'
+        expression: '!("system:nodes" in request.userInfo.groups)' # 匹配非节点用户发出的请求
+      - name: 'rbac' # 跳过由第二个 Webhook 处理的 RBAC 请求。
+        expression: 'request.resource.group != "rbac.authorization.k8s.io"'
+
+  # 此示例说明了 `authorizer` 的用法。授权检查比简单表达式成本更高，
+  # 因此在本示例中，通过使用第二个 Webhook 将其范围限制为仅 RBAC 请求。
+  # 两个 Webhook 可以由同一 endpoint 提供服务。
+  - name: rbac.my-webhook.example.com
+    matchPolicy: Equivalent
+    rules:
+      - operations: ['CREATE','UPDATE']
+        apiGroups: ['rbac.authorization.k8s.io']
+        apiVersions: ['*']
+        resources: ['*']
+    failurePolicy: 'Fail' # Fail-closed (the default)
+    sideEffects: None
+    clientConfig:
+      service:
+        namespace: my-namespace
+        name: my-webhook
+      caBundle: '<omitted>'
+    # 每个 webhook 最多可以有 64 个 matchConditions
+    matchConditions:
+      - name: 'breakglass'
+        # 跳过被授权在此 Webhook 上 'breakglass' 的用户发出的请求。
+        # 'breakglass' API verb 不需要被排查在该检查之外。
+        expression: '!authorizer.group("admissionregistration.k8s.io").resource("validatingwebhookconfigurations").name("my-webhook.example.com").check("breakglass").allowed()'
\ No newline at end of file
diff --git a/content/zh-cn/examples/validatingadmissionpolicy/basic-example-binding.yaml b/content/zh-cn/examples/validatingadmissionpolicy/basic-example-binding.yaml
new file mode 100644
index 0000000000..54b7679aaf
--- /dev/null
+++ b/content/zh-cn/examples/validatingadmissionpolicy/basic-example-binding.yaml
@@ -0,0 +1,11 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "demo-binding-test.example.com"
+spec:
+  policyName: "demo-policy.example.com"
+  validationActions: [Deny]
+  matchResources:
+    namespaceSelector:
+      matchLabels:
+        environment: test
\ No newline at end of file
diff --git a/content/zh-cn/examples/validatingadmissionpolicy/basic-example-policy.yaml b/content/zh-cn/examples/validatingadmissionpolicy/basic-example-policy.yaml
new file mode 100644
index 0000000000..bfdb9ee214
--- /dev/null
+++ b/content/zh-cn/examples/validatingadmissionpolicy/basic-example-policy.yaml
@@ -0,0 +1,14 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "demo-policy.example.com"
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments"]
+  validations:
+    - expression: "object.spec.replicas <= 5"
\ No newline at end of file
diff --git a/content/zh-cn/examples/validatingadmissionpolicy/binding-with-param-prod.yaml b/content/zh-cn/examples/validatingadmissionpolicy/binding-with-param-prod.yaml
new file mode 100644
index 0000000000..a2186ee862
--- /dev/null
+++ b/content/zh-cn/examples/validatingadmissionpolicy/binding-with-param-prod.yaml
@@ -0,0 +1,17 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "replicalimit-binding-nontest"
+spec:
+  policyName: "replicalimit-policy.example.com"
+  validationActions: [Deny]
+  paramRef:
+    name: "replica-limit-prod.example.com"
+    namespace: "default"
+  matchResources:
+    namespaceSelector:
+      matchExpressions:
+      - key: environment
+        operator: NotIn
+        values:
+        - test
\ No newline at end of file
diff --git a/content/zh-cn/examples/validatingadmissionpolicy/binding-with-param.yaml b/content/zh-cn/examples/validatingadmissionpolicy/binding-with-param.yaml
new file mode 100644
index 0000000000..cad7a5b02f
--- /dev/null
+++ b/content/zh-cn/examples/validatingadmissionpolicy/binding-with-param.yaml
@@ -0,0 +1,14 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: "replicalimit-binding-test.example.com"
+spec:
+  policyName: "replicalimit-policy.example.com"
+  validationActions: [Deny]
+  paramRef:
+    name: "replica-limit-test.example.com"
+    namespace: "default"
+  matchResources:
+    namespaceSelector:
+      matchLabels:
+        environment: test
\ No newline at end of file
diff --git a/content/zh-cn/examples/validatingadmissionpolicy/failure-policy-ignore.yaml b/content/zh-cn/examples/validatingadmissionpolicy/failure-policy-ignore.yaml
new file mode 100644
index 0000000000..53e3990a1f
--- /dev/null
+++ b/content/zh-cn/examples/validatingadmissionpolicy/failure-policy-ignore.yaml
@@ -0,0 +1,7 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicy
+spec:
+...
+failurePolicy: Ignore # The default is "Fail"
+validations:
+- expression: "object.spec.xyz == params.x"  
\ No newline at end of file
diff --git a/content/zh-cn/examples/validatingadmissionpolicy/policy-with-param.yaml b/content/zh-cn/examples/validatingadmissionpolicy/policy-with-param.yaml
new file mode 100644
index 0000000000..c493115987
--- /dev/null
+++ b/content/zh-cn/examples/validatingadmissionpolicy/policy-with-param.yaml
@@ -0,0 +1,18 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "replicalimit-policy.example.com"
+spec:
+  failurePolicy: Fail
+  paramKind:
+    apiVersion: rules.example.com/v1
+    kind: ReplicaLimit
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments"]
+  validations:
+    - expression: "object.spec.replicas <= params.maxReplicas"
+      reason: Invalid
\ No newline at end of file
diff --git a/content/zh-cn/examples/validatingadmissionpolicy/replicalimit-param-prod.yaml b/content/zh-cn/examples/validatingadmissionpolicy/replicalimit-param-prod.yaml
new file mode 100644
index 0000000000..ba1832d16a
--- /dev/null
+++ b/content/zh-cn/examples/validatingadmissionpolicy/replicalimit-param-prod.yaml
@@ -0,0 +1,5 @@
+apiVersion: rules.example.com/v1
+kind: ReplicaLimit
+metadata:
+  name: "replica-limit-prod.example.com"
+maxReplicas: 100
\ No newline at end of file
diff --git a/content/zh-cn/examples/validatingadmissionpolicy/replicalimit-param.yaml b/content/zh-cn/examples/validatingadmissionpolicy/replicalimit-param.yaml
new file mode 100644
index 0000000000..813bc7b334
--- /dev/null
+++ b/content/zh-cn/examples/validatingadmissionpolicy/replicalimit-param.yaml
@@ -0,0 +1,6 @@
+apiVersion: rules.example.com/v1
+kind: ReplicaLimit
+metadata:
+  name: "replica-limit-test.example.com"
+  namesapce: "default"
+maxReplicas: 3
\ No newline at end of file
diff --git a/content/zh-cn/examples/validatingadmissionpolicy/typechecking-multiple-match.yaml b/content/zh-cn/examples/validatingadmissionpolicy/typechecking-multiple-match.yaml
new file mode 100644
index 0000000000..77a49d192c
--- /dev/null
+++ b/content/zh-cn/examples/validatingadmissionpolicy/typechecking-multiple-match.yaml
@@ -0,0 +1,15 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "replica-policy.example.com"
+spec:
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments","replicasets"]
+  validations:
+  - expression: "object.replicas > 1" # should be "object.spec.replicas > 1"
+    message: "must be replicated"
+    reason: Invalid
\ No newline at end of file
diff --git a/content/zh-cn/examples/validatingadmissionpolicy/typechecking.yaml b/content/zh-cn/examples/validatingadmissionpolicy/typechecking.yaml
new file mode 100644
index 0000000000..f088420811
--- /dev/null
+++ b/content/zh-cn/examples/validatingadmissionpolicy/typechecking.yaml
@@ -0,0 +1,15 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "deploy-replica-policy.example.com"
+spec:
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments"]
+  validations:
+  - expression: "object.replicas > 1" # should be "object.spec.replicas > 1"
+    message: "must be replicated"
+    reason: Invalid
\ No newline at end of file