Merge pull request #41901 from windsonsea/encry

[zh] sync encrypt-data.md and install-kubectl-macos.md
kubernetes · Jul 7, 2023 · 6cccb93 · 6cccb93
2 parents 84728c6 + 344ac6e
commit 6cccb93
Show file tree

Hide file tree

Showing 2 changed files with 92 additions and 13 deletions.
diff --git a/content/zh-cn/docs/tasks/administer-cluster/encrypt-data.md b/content/zh-cn/docs/tasks/administer-cluster/encrypt-data.md
@@ -1,16 +1,14 @@
 ---
-title: 静态加密 Secret 数据
+title: 静态加密机密数据
 content_type: task
-min-kubernetes-server-version: 1.13
 weight: 210
 ---
 <!--
-title: Encrypting Secret Data at Rest
+title: Encrypting Confidential Data at Rest
 reviewers:
 - smarterclayton
 - enj
 content_type: task
-min-kubernetes-server-version: 1.13
 weight: 210
 -->
 
@@ -35,6 +33,7 @@ This page shows how to enable and configure encryption of secret data at rest.
   方式运行在每个控制平面节点上。
 
 * 集群的控制平面**必须**使用 etcd v3.x（主版本 3，任何次要版本）。
+
 <!--
 * To encrypt a custom resource, your cluster must be running Kubernetes v1.26 or newer.
 
@@ -78,18 +77,32 @@ decrypt data stored in the etcd.
 ## 理解静态数据加密    {#understanding-the-encryption-at-rest-configuration}
 
 <!--
-do not encrypt events even though  *.* is specified below
+# CAUTION: this is an example configuration.
+#          Do not use this for your own cluster!
+# This configuration does not provide data confidentiality. The first
+# configured provider is specifying the "identity" mechanism, which
+# stores resources as plain text.
+# plain text, in other words NO encryption
+# do not encrypt Events even though *.* is specified below
+# wildcard match requires Kubernetes 1.27 or later
+# wildcard match requires Kubernetes 1.27 or later
 -->
 ```yaml
+---
+#
+# 注意：这是一个示例配置。请勿将其用于你自己的集群！
+#
 apiVersion: apiserver.config.k8s.io/v1
 kind: EncryptionConfiguration
 resources:
   - resources:
       - secrets
       - configmaps
-      - pandas.awesome.bears.example
+      - pandas.awesome.bears.example # 自定义资源 API
     providers:
-      - identity: {}
+      # 此配置不提供数据机密性。
+      # 第一个配置的 provider 正在指定将资源存储为纯文本的 "identity" 机制。
+      - identity: {} # 纯文本，换言之未加密
       - aesgcm:
           keys:
             - name: key1
@@ -111,14 +124,14 @@ resources:
     providers:
       - identity: {} # 即使如下指定 *.* 也不会加密 events
   - resources:
-      - '*.apps'
+      - '*.apps' # 通配符匹配需要 Kubernetes 1.27 或更高版本
     providers:
       - aescbc:
           keys:
           - name: key2
             secret: c2VjcmV0IGlzIHNlY3VyZSwgb3IgaXMgaXQ/Cg==
   - resources:
-      - '*.*'
+      - '*.*' # 通配符匹配需要 Kubernetes 1.27 或更高版本
     providers:
       - aescbc:
           keys:
@@ -429,7 +442,13 @@ Create a new encryption config file:
 
 创建一个新的加密配置文件：
 
+<!--
+# See the following text for more details about the secret value
+# this fallback allows reading unencrypted secrets;
+# for example, during initial migratoin
+-->
 ```yaml
+---
 apiVersion: apiserver.config.k8s.io/v1
 kind: EncryptionConfiguration
 resources:
@@ -441,8 +460,10 @@ resources:
       - aescbc:
           keys:
             - name: key1
+              # 参见以下文本了解有关 Secret 值的详情
               secret: <BASE 64 ENCODED SECRET>
-      - identity: {}
+      - identity: {} # 这个回退允许读取未加密的 Secret；
+                     # 例如，在初始迁移期间
 ```
 
 <!--
@@ -479,17 +500,24 @@ To create a new Secret, perform the following steps:
       代码范例如下：
 
    <!--
-   add this line
+   # This is a fragment of a manifest for a static Pod.
+   # Check whether this is correct for your cluster and for your API server.
+   # add this line
    -->
    ```yaml
+   ---
+   #
+   # 这是一个静态 Pod 的清单片段。
+   # 检查是否适用于你的集群和 API 服务器。
+   #
    apiVersion: v1
    kind: Pod
    metadata:
      annotations:
-       kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 10.10.30.4:6443
+       kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 10.20.30.40:443
      creationTimestamp: null
      labels:
-       component: kube-apiserver
+       app.kubernetes.io/component: kube-apiserver
        tier: control-plane
      name: kube-apiserver
      namespace: kube-system
@@ -694,6 +722,7 @@ and restart all `kube-apiserver` processes.
 作为配置中的第一个条目并重新启动所有 `kube-apiserver` 进程。
 
 ```yaml
+---
 apiVersion: apiserver.config.k8s.io/v1
 kind: EncryptionConfiguration
 resources:

diff --git a/content/zh-cn/docs/tasks/tools/install-kubectl-macos.md b/content/zh-cn/docs/tasks/tools/install-kubectl-macos.md
@@ -449,6 +449,56 @@ kubectl 为 Bash、Zsh、Fish 和 PowerShell 提供自动补全功能，可以
    rm kubectl-convert kubectl-convert.sha256
    ```
 
+<!--
+### Uninstall kubectl on macOS
+
+Depending on how you installed `kubectl`, use one of the following methods.
+-->
+### 在 macOS 上卸载 kubectl   {#uninstall-kubectl-on-macos}
+
+根据你安装 `kubectl` 的方式，使用以下某种方法来卸载：
+
+<!--
+### Uninstall kubectl using the command-line
+
+1.  Locate the `kubectl` binary on your system:
+-->
+### 使用命令行卸载 kubectl   {#uninstall-kubectl-using-cli}
+
+1. 找到你系统上的 `kubectl` 可执行文件：
+
+   ```bash
+   where kubectl
+   ```
+
+<!--
+1.  Remove the `kubectl` binary:
+-->
+2. 移除 `kubectl` 可执行文件：
+
+   ```bash
+   sudo rm <path>
+   ```
+
+   <!--
+   Replace `<path>` with the path to the `kubectl` binary from the previous step. For example, `sudo rm /usr/local/bin/kubectl`.
+   -->
+   将 `<path>` 替换为上一步中找到的 `kubectl` 可执行文件的路径。
+   例如，`sudo rm /usr/local/bin/kubectl`。
+
+<!--
+### Uninstall kubectl using homebrew
+
+If you installed `kubectl` using Homebrew, run the following command:
+-->
+### 使用 Homebrew 卸载 kubectl    {#uninstall-kubectl-using-homebrew}
+
+如果你使用 Homebrew 安装了 `kubectl`，运行以下命令：
+
+```bash
+brew remove kubectl
+```
+
 ## {{% heading "whatsnext" %}}
 
 {{< include "included/kubectl-whats-next.md" >}}